Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Permission to infect, sir?

MidNyte
Final Chaos [1]
September 1999

[Back to index] [Comments]

Introduction.

Following various posts in alt.comp.virus I decided to revamp one of my old piece of code that I wrote a while back. It is basically just a snippet that checks for permission to do something before it does, in this case a virus checks for permission to infect other files. If this is incorporated into viruses, you have a way of ensuring that the virus does not escape into the wild. (ok, there are ways this could be got round with batch files etc, but why bother? if someone malicious gets to have a batch file run they could just include a line to format a drive.)

Permission for the virus to infect under this particular system is given by the line 'rem WARNING: virus infection permission granted' being present in the c:\autoexec.bat file. It must be the first line, and must be exactly as above (ie, all capitalisation, spaces etc). The line is designed to convey its purpose to the casual user so that its function cannot be hidden to someone who is unaware of what is going on. Upon not finding the line, the virus should return control to the user, this being the default condition. Anything other than permission being granted results in no infection. A mistake on the line will leave users protected.

Because this works without interupting the user with an actual request, it can be said to work transparently. The user need do nothing except set it up the first time. This system has recently been scrutinised by Kurt Wisemer and Randy Abrams (amongst others) in the alt.comp.virus newsgroup. While they approved of the attempt to provide control, they both stated that it would be better to have a system that provided warning, rather than silent operation. I am currently trying to find a solution that will alert the user without causing disruption, until then, this is a step towards that solution. It's better than nothing.

The example below will check for the presence of the line in the autoexec.bat file and will let the user know whether permission was granted or denied. Compile with Tasm & Tlink. Enjoy.

				- MidNyte

As always, I welcome ANY feedback, good or bad, as long as it is reasonable.

code segment
     assume cs:code,ds:code
     org 100h
    
start:
   mov ax,3D00h			;open file
   mov dx,offset autoexec_mask	;c:\autoexec.bat
   int 21h

   mov bx,ax			;move file handle

   mov ah,3fh			;read from file
   mov dx,offset autoexec_line	;store in variable
   mov cx,47d			;number of bytes to read
   int 21h

   mov ax,3e00h			;close autoexec.bat
   int 21h

find_granted_message:
   mov si,offset autoexec_line
   mov di,offset granted
   mov cx,46d			;length of granted line

loop1:
   lodsb
   cmp al, byte ptr [di]
   jnz fix_copy_in_memory	;will jump on any difference
   inc di
   loop loop1

   jmp infect

fix_copy_in_memory:
   mov ah,009h
   mov dx,offset no_permission_msg
   int 21h
   int 20h			;in practicle use we should
				;return control to the host
				;program, not just quit.

infect:
   mov ah,009h			;in practice, if we have
   mov dx,offset permission_msg ;reached this point, we
   int 21h			;have the users permission
   int 20h			;to function normally (ie spread)

autoexec_mask db 'c:\autoexec.bat',0
autoexec_line db 47d dup (0)
granted db 'rem WARNING: virus infection permission granted',0
permission_msg db 'Granted',10,13,'$'
no_permission_msg db 'Denied',10,13,'$'

code ends
     end start
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua