DäeMåên Virus
~~~~~~~~~~~~~

This virus took me a while to write (about two weeks), because I was
writing a lot of it for the first time. Some of the code is a bit
overboard; I don't think the SYS entry has to be quite that complex
in order to work, but never mind. At least it works and it's quite
well-behaved.

This virus is my first boot/file virus, and that side of it also works
perfectly. I wrote all my own routines from scratch (my virus collection
is extremely small, and I don't want to be influenced by other
implementations unless they're better).

It infects floppy boot sectors, moving the original boot sector to the
fifth-last sector of the disk and writing the virus code on the last
four (2048 bytes is four 512-byte sectors). It also infects the Master
Boot Record (partition sector) on the first physical hard disk. Booting
off an infected floppy will infect the MBR, as will execution of an
infected file. However, once the virus is resident, any attempt to read
the partition sector is redirected, so the original partition table (as
it was prior to infection) is what gets read or written.

Floppies are infected on read and write access, and won't be infected
while the drive motor is still spinning (i.e. no disk change has
occurred, so the disk in the drive has already been dealt with). The
virus takes the boot sector and uses its BPB to calculate the last
sectors of the disk, no matter what the format: 160k, 1.44meg, or even
a 20meg floptical disk. It makes sure the BPB is valid by checking that
the OEM name consists of valid alphanumeric characters, but I was a bit
selfish in that I overwrite the last word (two bytes) of the OEM name to
mark the disk as infected.

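The sector arithmetic described above, as an added example written for this page rather than taken from the virus: it pulls the BPB out of a boot sector, applies an OEM-name sanity check of the kind the text describes, and reports which cylinder/head/sector the relocated original boot sector and the four body sectors would occupy for any geometry. The function names, the tolerance of '.' and ' ' in the OEM name (real names like "MSDOS5.0" contain them), the constructed sample boot sectors and the INT 13h-style CHS mapping are my assumptions; the marker the virus writes into the OEM name is not reproduced.

```python
import string
import struct

BPB_FIELDS = "<HBHBHHBHHHII"   # BPB from offset 11: bytes/sector ... 32-bit total sectors
VIRUS_BYTES = 2048             # body size stated on the page
OEM_ALLOWED = set(string.ascii_letters + string.digits + ". ")   # assumption: '.' and ' ' tolerated

def parse_bpb(sector: bytes) -> dict:
    """Extract the BPB fields needed for last-sector arithmetic from a boot sector."""
    if len(sector) < 36:
        raise ValueError("boot sector too short to hold a BPB")
    (bps, spc, reserved, fats, root_entries, total16, media, spf,
     spt, heads, hidden, total32) = struct.unpack_from(BPB_FIELDS, sector, 11)
    if bps == 0 or spt == 0 or heads == 0:
        raise ValueError("BPB geometry fields are zero")
    return {"oem": sector[3:11], "bytes_per_sector": bps,
            "total_sectors": total16 or total32,   # total16 == 0 means use the 32-bit field
            "sectors_per_track": spt, "heads": heads}

def oem_looks_valid(oem: bytes) -> bool:
    """The page's validity test (alphanumeric OEM name), loosened as noted above."""
    return len(oem) == 8 and all(ch in OEM_ALLOWED for ch in oem.decode("latin-1"))

def lba_to_chs(lba: int, spt: int, heads: int) -> tuple:
    """0-based linear sector to INT 13h (cylinder, head, 1-based sector)."""
    cyl, rem = divmod(lba, spt * heads)
    head, sec = divmod(rem, spt)
    return (cyl, head, sec + 1)

def infection_layout(bpb: dict) -> dict:
    """Where a 2048-byte body in the last sectors, and the original boot sector
    just before it, would land on this disk."""
    per_body = -(-VIRUS_BYTES // bpb["bytes_per_sector"])   # ceil; 4 sectors at 512 bytes
    total = bpb["total_sectors"]
    if total <= per_body + 1:
        raise ValueError("disk too small for the layout")
    spt, heads = bpb["sectors_per_track"], bpb["heads"]
    return {
        "original_boot_sector": lba_to_chs(total - per_body - 1, spt, heads),
        "virus_body": [lba_to_chs(lba, spt, heads) for lba in range(total - per_body, total)],
    }

def layout_for(sector: bytes):
    """None when the OEM-name check fails (the text says such disks are left alone)."""
    bpb = parse_bpb(sector)
    if not oem_looks_valid(bpb["oem"]):
        return None
    return infection_layout(bpb)

def make_boot_sector(oem: bytes, total: int, spt: int, heads: int, bps: int = 512) -> bytes:
    """Constructed sample boot sector with just enough BPB for the arithmetic above."""
    sec = bytearray(bps)
    sec[0:3] = b"\xEB\x3C\x90"
    sec[3:11] = oem.ljust(8)[:8]
    small = total < 0x10000
    struct.pack_into(BPB_FIELDS, sec, 11, bps, 1, 1, 2, 224, total if small else 0,
                     0xF0, 9, spt, heads, 0, 0 if small else total)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)

if __name__ == "__main__":
    for name, args in [("1.44M", (b"MSDOS5.0", 2880, 18, 2)), ("160K", (b"IBM  2.0", 320, 8, 1))]:
        print(name, layout_for(make_boot_sector(*args)))
```

On a 1.44M disk (80 cylinders, 2 heads, 18 sectors) the original boot sector ends up at cylinder 79, head 1, sector 14 and the body in sectors 15 to 18 of the same track; a detector that reads those positions can compare the parked copy with sector 0.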
Files ending with the extensions .COM, .EXE, .BIN, .OVL and .SYS will be
infected on every INT 21h file-handle function I could find, i.e. they
will be infected on Open (3Dh), Close (3Eh), Get/Set Attributes (43h),
Execute (4Bh), Handle Rename/Move (56h), and Extended Open (6Ch). It
manages to infect on Close by intercepting the Create call (3Ch),
recording the filename, and recording the handle if the file was
created successfully.

If it goes resident from an infected file, it will not hook INT 13h
directly. Instead it searches segment 70h (where MS-DOS loads IO.SYS)
for DOS's stored pointer to the original interrupt handler, puts our
address in there instead, and uses the old address for our own disk
calls. It would have been possible to search the ROM BIOS for the real
handler instead, but that would bypass future generations of boot/file
viruses sitting in the INT 13h chain.

DäeMåên employs a small decryption algorithm, but it is not variably
mutated (polymorphic), since a few registers have to be preserved for
the SYS infection to work. The code body is thoroughly encrypted, and
McAfee and friends will have to write a new disinfection engine for
this baby. However, the disk infections (boot sector and MBR) are not
encrypted, although it would have been easily done.

The routine that loads the virus off the disk has been altered to avoid
detection as a Generic Boot Sector/Generic Partition virus. The changes
are trivial, and they make it look as if I don't know what I'm doing,
so the fact that I'm avoiding detection isn't readily apparent. Here is
a code comparison; take a look for yourself.

        Generic                    DäeMåên
     mov si, 413h               mov si, 412h
     sub word ptr [si], 3       add word ptr [si+1], -3         ; take 3k
     int 12h                    lodsb
                                lodsw
     mov cl, 6                  mov cl, 6
     shl ax, cl                 shl ax, cl
     mov es, ax                 mov es, ax
     xor bx, bx                 xor bx, bx

Both sequences do exactly the same thing: decrement the BIOS memory-size
word at 0040:0013h by 3 (stealing 3k from the top of conventional
memory), fetch the new size in KB (INT 12h returns it in AX; the
right-hand version just points SI at 412h and reads the word at 413h
with LODSB/LODSW), and shift left by 6 to turn kilobytes into a
segment. The one on the left will be detected by SCAN; the one on the
right will not. The differences are trivial. SCAN is such a stupid
program; it's just ridiculous that millions of PC users rely on it
utterly for total virus protection. That's great...

DäeMåên is partially selective about which files it infects. Firstly, it
scans the filename for the character pairs SC, VS, CL and F-, which
excludes a lot of scanners (e.g. SCAN, TBSCAN etc.), VSHIELD, CLEAN and
F-PROT.

Secondly, it will not infect programs which have internal overlays
(data stored in the file beyond the load module described by the EXE
header). This is a great advantage, since people running WinDoze won't
have their favourite XYZ program fuck up because a virus infected it.
Here is the code to detect them:

chkovl:         call file_end                 ; DX:AX = file length (seek to EOF)
                push ax                       ; check for internal overlays
                push dx
                mov ax, word ptr [page_cnt]   ; e_cp from the EXE header: 512-byte pages
                mov cx, 512
                mul cx                        ; DX:AX = size declared by the header
                pop cx                        ; CX = high word of file length
                pop bp                        ; BP = low word of file length
                cmp ax, bp                    ; header size below actual length means
                jb done                       ;   data beyond the load module: skip it
                cmp dx, cx
                jb done
                [...]
done:           ret

Pretty simple routine, huh?

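The same check in Python, as an added example for this page and not the virus's code: it computes the declared load-module size from both e_cp and e_cblp and compares it with the file length as a full 32-bit value, so it also catches overlays shorter than the slack in the last 512-byte page. chkovl_as_listed re-creates the comparison the listing above performs (e_cp * 512 only, low word compared before high word) so the difference is visible on the constructed sample executables. Reading the jump to done as the bail-out path is my assumption, as are the function names and the samples.

```python
import struct

MZ_HEADER = "<2s13H"                       # e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc,
HEADER_LEN = struct.calcsize(MZ_HEADER)    # e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno

def load_module_size(data: bytes) -> int:
    """Bytes of header + load module declared by e_cp/e_cblp (what DOS actually loads)."""
    if len(data) < HEADER_LEN or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    if e_cblp == 0:
        return e_cp * 512                  # last page completely used
    return (e_cp - 1) * 512 + e_cblp       # last page partially used

def overlay_length(data: bytes) -> int:
    """Bytes present after the declared load module (0 for a plain executable)."""
    return max(0, len(data) - load_module_size(data))

def has_internal_overlay(data: bytes) -> bool:
    return overlay_length(data) > 0

def chkovl_as_listed(data: bytes) -> bool:
    """Re-creation of the listing's comparison: e_cp * 512 (e_cblp ignored) against the
    file length, low word first, then high word. True means the listing would jump to
    done, i.e. treat the file as overlaid (assumption about the listing's branches)."""
    _, e_cp = struct.unpack_from("<HH", data, 2)
    header_size, file_size = e_cp * 512, len(data)
    if (header_size & 0xFFFF) < (file_size & 0xFFFF):
        return True
    return (header_size >> 16) < (file_size >> 16)

def build_mz(image_len: int, overlay: bytes = b"") -> bytes:
    """Constructed sample EXE: header declaring image_len bytes, NOP filler, optional overlay."""
    pages, rem = divmod(image_len, 512)
    e_cp = pages + (1 if rem else 0)
    hdr = struct.pack(MZ_HEADER, b"MZ", rem, e_cp, 0, 2, 0, 0xFFFF,
                      0, 0x100, 0, 0, 0, HEADER_LEN, 0)
    return hdr + b"\x90" * (image_len - HEADER_LEN) + overlay

if __name__ == "__main__":
    for label, exe in [("plain", build_mz(1000)), ("20-byte overlay", build_mz(1000, b"X" * 20)),
                       ("100-byte overlay", build_mz(1000, b"X" * 100))]:
        print(label, overlay_length(exe), has_internal_overlay(exe), chkovl_as_listed(exe))
```

The 1000-byte image declares two pages, so e_cp * 512 is 1024; an overlay of 20 bytes brings the file to 1020, which the page-count-only comparison still regards as within the load module, while the e_cblp-aware version reports the 20 bytes.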
The beauty of this beast is that one small mistake, like booting an
infected disk by accident or running an infected file, means that the
next time you boot your system, EVERY file named in your CONFIG.SYS and
AUTOEXEC.BAT, and everything run after that, will become infected! It is
very easy to expose a large number of files to the virus in a very
short space of time. Again, SCAN will probably help the spread of this
virus immensely: stupid users scanning their HD habitually with the
virus in memory means, of course, that EVERY file will then be infected
(the scanner opens each file, and Open is one of the hooked calls).

As if that weren't enough for one virus, DäeMåên will also hide the
increase in file size in DOS directory listings. However, unlike most
other viruses which employ this stealth method, CHKDSK will not report
any allocation errors on these files. The file size increase is only
2048 bytes, or 4096 bytes for SYS files, and the stealth routine
accounts for the different increase of the SYS.

To mark which files need hiding, DäeMåên employs a little-exploited
method: adding 100 years to the date of the file. The DOS directory
date holds the year as a seven-bit offset from 1980 (up to 2107), so a
century's offset still fits. This way, other over-exploited markers
(like setting the seconds field to a certain value) will not interfere
with DäeMåên's stealth operation, and vice versa.

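The date arithmetic and its effect on a directory listing, as an added example for this page and not code from the virus. The 100-year offset and the 2048/4096 sizes are from the text; the detector's rule (a year at least a century past the year the machine is running in can only be the marker), the reference_year parameter and the sample directory entries are my assumptions.

```python
DOS_EPOCH = 1980                 # directory date word: 7-bit year offset, 4-bit month, 5-bit day
YEAR_MARK = 100                  # offset the page says the virus adds
BODY_SIZE = {"SYS": 4096}        # size increase per extension; everything else 2048 (per the page)

def dos_date_pack(year: int, month: int, day: int) -> int:
    if not DOS_EPOCH <= year <= DOS_EPOCH + 127:
        raise ValueError("year does not fit the 7-bit field")
    return ((year - DOS_EPOCH) << 9) | (month << 5) | day

def dos_date_unpack(word: int) -> tuple:
    return DOS_EPOCH + (word >> 9), (word >> 5) & 0xF, word & 0x1F

def mark_date(word: int):
    """The marker: same day, a century later. None when the field cannot hold it."""
    year, month, day = dos_date_unpack(word)
    if year + YEAR_MARK > DOS_EPOCH + 127:
        return None
    return dos_date_pack(year + YEAR_MARK, month, day)

def is_marked(word: int, reference_year: int) -> bool:
    """Detector's view: no genuine file is dated a century past the current year (assumption)."""
    return dos_date_unpack(word)[0] >= reference_year + YEAR_MARK

def shown_size(name: str, real_size: int, word: int, reference_year: int) -> int:
    """Size a resident stealth handler would report: marked files lose the appended body."""
    if not is_marked(word, reference_year):
        return real_size
    ext = name.rsplit(".", 1)[-1].upper() if "." in name else ""
    return real_size - BODY_SIZE.get(ext, 2048)

def flag_future_dated(entries, reference_year: int) -> list:
    """entries: (name, size, dos_date_word) as read from a clean boot; names carrying the marker."""
    return [name for name, _, word in entries if is_marked(word, reference_year)]

SAMPLE_DIR = [   # constructed entries, as a clean-booted DIR would see them in 1993
    ("COMMAND.COM", 52925 + 2048, mark_date(dos_date_pack(1993, 3, 10))),
    ("HIMEM.SYS", 13824 + 4096, mark_date(dos_date_pack(1993, 3, 10))),
    ("README.TXT", 1200, dos_date_pack(1993, 3, 10)),
]

if __name__ == "__main__":
    for name, size, word in SAMPLE_DIR:
        print(name, dos_date_unpack(word), size, "->", shown_size(name, size, word, 1993))
    print("flagged:", flag_future_dated(SAMPLE_DIR, 1993))
```

A marked 1993 file carries the year 2093, which a seven-bit field still represents; files dated 2008 or later could not be marked this way at all, which is the edge case mark_date reports as None.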
DäeMåên also includes a number of text strings:

        "[DäeMåên] by TäLöN-{NûKΣ}"                     25 bytes
        "Hugs to Sara Gordon"                           19 bytes
        "Hey John! If this is bad, wait for [VCL20]!"   43 bytes
        "For Dudley"                                    11 bytes
        "[VCL20ß]/TäLöN"                                15 bytes
                                                total  113 bytes

(That stuff about VCL20ß is ßogus, just to make McAsshole shit his
pants. But AV researchers be warned: a fair few of the routines
contained in DäeMåên will also appear in VCL 2.0, like the boot/file
infect capability!)

Virus Length   = 2048
Message Length =  113
...Code Length = 1935 bytes!!!

Totally unheard of!

I seriously doubt anybody can beat that, at least not for a while yet.

For a quick rehash of what this virus does...

COM/EXE/BIN/OVL/SYS/MBR/BS parasitic, self-encrypting, stealth virus, a
mere 2048 bytes long... but I can say Patricia Hoffman will totally fuck
up her description of this virus; she is so pathetically brain-dead.

Anyway, look out for a FULL STEALTH, WILDLY POLYMORPHIC COM/EXE/MBR
INFECTOR coming soon to a computer installation near you! From TäLöN of
course! And another one minus the polymorphism, under 800 bytes!

Have fun! And good night, John!

                        TäLöN/NuKE