DäeMåên Virus
~~~~~~~~~~~~~

This virus took me a while to write (about two weeks), because I was
writing a lot of it for the first time. Some of the code is a bit
overboard; for instance, I don't think the SYS entry has to be quite
that complex in order to work... but never mind. At least it works and
it's quite well-behaved.

This virus is my first boot/file virus, and that part also works
perfectly. I wrote all my own routines from scratch (my virus collection
is extremely small, and I don't want to be influenced by other
implementations unless they're better).

It infects floppy boot sectors, moving the original boot sector to the
5th-last sector of the disk and writing the virus code on the last four.
It also infects the Master Boot Record (partition table) of the first
physical hard disk. Booting off an infected floppy will infect the MBR,
as will running an infected file. However, with the virus in memory, a
request to read the partition table sector is redirected, so the
original (pre-infection) partition table is what gets read or written.

Floppies are infected on read/write access, and will not be infected
while the drive motor is still running (i.e. the disk has not been
changed). The virus takes the boot sector and uses its BPB to calculate
the last sectors of the disk, whatever the format: 160k, 1.44 MB, or
even a 20 MB floptical disk. It makes sure the BPB is valid by checking
that the OEM name consists of valid alphanumeric characters, but I was a
bit selfish in that I overwrite the last word of the OEM name to mark
infection.

Files ending with the extensions .COM, .EXE, .BIN, .OVL and .SYS will be
infected on every file-handle access I could find, i.e. they will be
infected on Open (3D), Close (3E), Attribute Change (43), Execute (4B),
Handle Rename/Move (56), and Extended Open (6C).
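The BPB arithmetic described above, as an added example that is not part
of the zine or of the virus: a Python routine that reads the standard DOS
BPB fields from a boot sector, applies the OEM-name sanity check, and
works out which sectors the "5th-last for the original, last four for the
body" layout lands on for any geometry, plus a helper that pulls the
relocated original boot sector back out of a raw floppy image (the
forensic counterpart of the infection). The sample boot sectors are
constructed here, not taken from a disk. Two things are assumptions: the
set of characters accepted in the OEM name (the text only says
"alphanumeric", while real OEM names such as MSDOS5.0 also contain '.'
and spaces), and that sector 0 of an infected disk still carries a usable
BPB, which the text implies since only the last word of the OEM name is
overwritten.

```python
import struct

SECTOR_SIZE = 512
BODY_SECTORS = 4       # a 2048-byte body fills the last four sectors
ORIG_FROM_END = 5      # the original boot sector is moved to the 5th-last sector

# Characters accepted in the OEM name.  The text only says "alphanumeric";
# real OEM names such as "MSDOS5.0" also carry '.' and spaces, so this set
# is an assumption, not the virus's exact test.
OEM_ALLOWED = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 .")


def parse_bpb(boot):
    """Standard DOS BPB fields (offsets 11..35) from a 512-byte boot sector."""
    if len(boot) < SECTOR_SIZE:
        raise ValueError("boot sector must be at least 512 bytes")
    (bytes_per_sector, sectors_per_cluster, reserved, fats, root_entries,
     total16, media, sectors_per_fat, sectors_per_track, heads,
     hidden, total32) = struct.unpack_from("<HBHBHHBHHHII", boot, 11)
    return {
        "oem": bytes(boot[3:11]),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_track": sectors_per_track,
        "heads": heads,
        "total_sectors": total16 or total32,   # TotSec16 is 0 when TotSec32 is in use
    }


def oem_looks_valid(oem):
    return len(oem) == 8 and all(c in OEM_ALLOWED for c in oem)


def lba_to_chs(lba, sectors_per_track, heads):
    """Linear sector number -> (cylinder, head, sector) as int 13h wants it; sectors are 1-based."""
    cyl = lba // (sectors_per_track * heads)
    head = (lba // sectors_per_track) % heads
    sec = lba % sectors_per_track + 1
    return cyl, head, sec


def infection_layout(boot):
    """Sectors a boot infector with this layout would use on the disk `boot` describes."""
    bpb = parse_bpb(boot)
    if not oem_looks_valid(bpb["oem"]):
        raise ValueError("OEM name fails the sanity check: %r" % bpb["oem"])
    spt, heads, total = bpb["sectors_per_track"], bpb["heads"], bpb["total_sectors"]
    if bpb["bytes_per_sector"] != SECTOR_SIZE or not spt or not heads or total < ORIG_FROM_END:
        raise ValueError("unsupported or corrupt BPB")
    orig_lba = total - ORIG_FROM_END
    body_lbas = list(range(total - BODY_SECTORS, total))
    return {
        "total_sectors": total,
        "orig_boot_lba": orig_lba,
        "orig_boot_chs": lba_to_chs(orig_lba, spt, heads),
        "body_lbas": body_lbas,
        "body_chs": [lba_to_chs(lba, spt, heads) for lba in body_lbas],
    }


def recover_original_boot_sector(image):
    """Copy the relocated boot sector back out of a raw floppy image.

    Assumes sector 0 still carries a usable BPB (the text says only the last
    word of the OEM name is overwritten)."""
    layout = infection_layout(image[:SECTOR_SIZE])
    off = layout["orig_boot_lba"] * SECTOR_SIZE
    return bytes(image[off:off + SECTOR_SIZE])


def make_boot_sector(oem, total, spt, heads, media):
    """Constructed sample boot sector (not from a real disk): jmp, OEM, BPB, signature."""
    bs = bytearray(SECTOR_SIZE)
    bs[0:3] = b"\xEB\x3C\x90"                 # jmp short past the BPB, as real boot sectors do
    bs[3:11] = oem.ljust(8)
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     512, 1, 1, 2, 224, total, media, 9, spt, heads, 0, 0)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


FLOPPY_1440 = make_boot_sector(b"MSDOS5.0", 2880, 18, 2, 0xF0)   # 1.44 MB: 80 cyl, 2 heads, 18 spt
FLOPPY_160 = make_boot_sector(b"IBM  3.3", 320, 8, 1, 0xFE)       # 160 KB: 40 cyl, 1 head, 8 spt


def demo_recovery():
    """Plant a marker where the layout says the original sector goes, then recover it."""
    image = bytearray(2880 * SECTOR_SIZE)
    image[:SECTOR_SIZE] = FLOPPY_1440
    marker = b"ORIGINAL BOOT SECTOR".ljust(SECTOR_SIZE, b"\0")
    off = infection_layout(FLOPPY_1440)["orig_boot_lba"] * SECTOR_SIZE
    image[off:off + SECTOR_SIZE] = marker
    return recover_original_boot_sector(image) == marker


if __name__ == "__main__":
    for name, bs in (("1.44 MB", FLOPPY_1440), ("160 KB", FLOPPY_160)):
        print(name, infection_layout(bs))
    print("recovery ok:", demo_recovery())
```

On a 1.44 MB disk this puts the original boot sector at linear sector
2875 (cylinder 79, head 1, sector 14) and the body at 2876..2879; on a
160 KB disk the same rule gives sector 315 (cylinder 39, head 0, sector
4). Disinfection is then: read the BPB from sector 0, copy sector
(total - 5) back over sector 0. A disk whose OEM name fails the sanity
check would not have been infected by this virus in the first place.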
Infection on Close is managed by intercepting the Create (3C) call and
recording the filename, and the handle if the file was created
successfully.

When it goes resident from an infected file, it does not hook int 13h
directly. Instead it searches segment 70h for DOS's call to the original
interrupt handler, puts our address in there, and uses the old address
for our own calls. It would have been possible to search the ROM BIOS
for the correct handler, but that would bypass future generations of
boot/file viruses.

DäeMåên employs a small decryption algorithm; however, it is not a
variable (mutating) decryptor, since a few registers have to be saved
in order for the SYS infection to work. The code is thoroughly
encrypted, and McAfee and friends will have to write a new disinfection
engine for this baby. However, disk infections (boot sector and MBR) are
not encrypted, although it would have been easily done.

The routine that loads the virus off the disk has been altered to avoid
detection as a Generic Boot Sector/Generic Partition virus. The changes
are trivial, and they make it look as if I don't know what I'm doing.
The fact that I'm avoiding detection isn't readily apparent. Here is a
code comparison, take a look for yourself.

    Generic                      DäeMåên
    mov  si, 413h                mov  si, 412h
    sub  word ptr [si], 3        add  word ptr [si+1], -3   ; take 3k
    int  12h                     lodsb
                                 lodsw
    mov  cl, 6                   mov  cl, 6
    shl  ax, cl                  shl  ax, cl
    mov  es, ax                  mov  es, ax
    xor  bx, bx                  xor  bx, bx

(The word at 0040:0013h, linear address 413h, is the BIOS data area's
count of conventional memory in KB. Both versions lower it by 3 to
reserve 3k at the top of memory; int 12h returns that same word in AX,
and the DäeMåên version reads it with lodsb/lodsw instead, after pointing
SI one byte earlier. Shifting the KB count left by 6 converts it to a
paragraph count, i.e. the segment address of the reserved block.)

The one on the left will be detected by SCAN, the one on the right will
not. The differences are trivial. SCAN is such a stupid program; it's
just ridiculous that millions of PC users rely on it utterly for total
virus protection. That's great...

DäeMåên is partially selective about which files it infects. Firstly, it
scans the filename for the character pairs SC, VS, CL and F-, which
excludes a lot of scanners (e.g. SCAN, TBSCAN, etc.), VSHIELD, CLEAN and
F-PROT.
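To show why the trivial change in the loader defeats a byte-exact
signature, here is an added example (my code, not from the zine, and not
a SCAN signature): both loader fragments hand-assembled to standard 8086
bytes, an exact-match "signature" taken from the generic version, and a
tolerant pattern that keys on what both fragments actually do, lowering
the memory-size word at 413h and then converting KB to a segment. The
third sample, a loader that calls int 12h without touching 413h, is
constructed to show that the tolerant pattern still needs the
memory-stealing write before it fires. The encodings, the 16-byte window
and the sector wrapper are mine; a real engine would reason about the
write to 413h more generally (for instance by emulating the sector)
rather than enumerating encodings as this does.

```python
# Hand-assembled from the two listings (standard 8086 encodings, assumed correct).
GENERIC = bytes([
    0xBE, 0x13, 0x04,         # mov  si, 413h            ; BIOS data area: memory size in KB
    0x83, 0x2C, 0x03,         # sub  word ptr [si], 3    ; steal 3 KB off the top of memory
    0xCD, 0x12,               # int  12h                 ; ax = memory size in KB
    0xB1, 0x06,               # mov  cl, 6
    0xD3, 0xE0,               # shl  ax, cl              ; KB -> paragraphs (segment)
    0x8E, 0xC0,               # mov  es, ax
    0x33, 0xDB,               # xor  bx, bx
])

VARIANT = bytes([
    0xBE, 0x12, 0x04,         # mov  si, 412h
    0x83, 0x44, 0x01, 0xFD,   # add  word ptr [si+1], -3 ; same decrement of [413h]
    0xAC,                     # lodsb                    ; si now points at 413h
    0xAD,                     # lodsw                    ; ax = [413h], what int 12h would return
    0xB1, 0x06,               # mov  cl, 6
    0xD3, 0xE0,               # shl  ax, cl
    0x8E, 0xC0,               # mov  es, ax
    0x33, 0xDB,               # xor  bx, bx
])

# Constructed: a loader that reads the memory size but does not lower it.
BENIGN = bytes([
    0xCD, 0x12,               # int  12h
    0xB1, 0x06,               # mov  cl, 6
    0xD3, 0xE0,               # shl  ax, cl
    0x8E, 0xC0,               # mov  es, ax
])

# An exact-bytes "signature": the first three generic instructions.
EXACT_SIGNATURE = GENERIC[:8]

# Both ways the listings decrement the 413h word, and the KB->segment idiom.
DECREMENT_FORMS = (
    bytes([0xBE, 0x13, 0x04, 0x83, 0x2C, 0x03]),        # si = 413h; sub [si], 3
    bytes([0xBE, 0x12, 0x04, 0x83, 0x44, 0x01, 0xFD]),  # si = 412h; add [si+1], -3
)
KB_TO_SEGMENT = bytes([0xB1, 0x06, 0xD3, 0xE0, 0x8E, 0xC0])   # mov cl,6; shl ax,cl; mov es,ax


def exact_match(code):
    """What a byte-exact signature does: matches the generic loader only."""
    return EXACT_SIGNATURE in code


def heuristic_match(code, window=16):
    """Flag a decrement of the memory-size word followed, within `window`
    bytes, by the KB-to-segment conversion; the window size is an assumption."""
    for form in DECREMENT_FORMS:
        pos = code.find(form)
        while pos != -1:
            after = pos + len(form)
            if KB_TO_SEGMENT in code[after:after + window]:
                return True
            pos = code.find(form, pos + 1)
    return False


def embed_in_sector(loader):
    """Constructed 512-byte boot sector wrapper: jmp, padding, the loader, signature."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[0x3E:0x3E + len(loader)] = loader
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def classify(sector):
    return {"exact": exact_match(sector), "heuristic": heuristic_match(sector)}


if __name__ == "__main__":
    for name, loader in (("generic", GENERIC), ("variant", VARIANT), ("benign", BENIGN)):
        print(name, classify(embed_in_sector(loader)))
```

The exact signature matches only the generic sector; the tolerant pattern
matches both infected sectors and leaves the benign loader alone, because
what it looks for is the reservation of memory below the 640k line, not
a particular instruction sequence.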
Secondly, it will not infect programs which have internal overlays. This
is a great advantage, since people running WinDoze won't have their
favourite XYZ program fuck up because a virus infected it. DäeMåên simply
will not infect programs with internal overlays. Here is the code to
detect them:

    chkovl: call    file_end                ; assumed to return the file size in dx:ax
            push    ax                      ; check for internal overlays
            push    dx
            mov     ax, word ptr [page_cnt] ; page count from the EXE header
            mov     cx, 512
            mul     cx                      ; dx:ax = page_cnt * 512
            pop     cx                      ; cx = high word of file size
            pop     bp                      ; bp = low word of file size
            cmp     ax, bp                  ; low words first, then high words:
            jb      done                    ; header < file size means overlay, skip
            cmp     dx, cx
            jb      done
            [...]
    done:   ret

Pretty simple routine, huh? (Two things to note: comparing the low words
before the high words means some files without an overlay are also
treated as having one, which only errs on the side of not infecting; and
the routine compares against whole 512-byte pages, ignoring the header's
last-page byte count, so an overlay shorter than the unused part of the
last page goes unnoticed.)

The beauty of this beast is that one small mistake, like booting an
infected disk by accident, or perhaps running an infected file, means
that the next time you boot up your system, EVERY file in your
CONFIG.SYS, AUTOEXEC.BAT and everything run from then on will become
infected! It is very easy to expose a large number of files to the virus
in a very short space of time. Again, SCAN will probably help the spread
of this virus immensely, with stupid users scanning their HD habitually
with the virus in memory... of course, EVERY file will then be infected.

As if that weren't enough for one virus, DäeMåên will also hide the
increase in file size in the DOS directory. However, as with most other
viruses which employ this stealth method, CHKDSK will not report any
allocation errors on these files. The file size increase is only 2048
bytes, or 4096 bytes for SYS files, and the stealth routine accounts for
the different increase of the SYS files.

To hide the increase, DäeMåên employs a little-exploited method: adding
100 years to the date of the file. This way, other over-exploited
methods (like setting the seconds field to a certain value) will not
interfere with DäeMåên's stealth operation, and vice versa.

DäeMåên also includes a number of text strings:

    "[DäeMåên] by TäLöN-{NûKΣ}"                    25 bytes
    "Hugs to Sara Gordon"                          19 bytes
    "Hey John! If this is bad, wait for [VCL20]!"  43 bytes
    "For Dudley"                                   11 bytes
    "[VCL20ß]/TäLöN"                               15 bytes
    total                                         113 bytes

(That stuff about VCL20ß is bogus, just to make McAsshole shit his
pants. But AV researchers be warned: a fair few of the routines
contained in DäeMåên will also appear in VCL 2.0, like the boot/file
infection capability!)

    Virus Length   = 2048
    Message Length =  113
    ...Code Length = 1935 bytes!!!

Totally unheard of!

I seriously doubt anybody can beat that, at least not for a while yet.

For a quick rehash of what this virus does...

COM/EXE/BIN/OVL/SYS/MBR/BS parasitic self-encrypting stealth virus, a
mere 2048 bytes long... but I can say Patricia Hoffman will totally fuck
up her description of this virus, she is so pathetically brain-dead.

Anyway, look out for a FULL STEALTH, WILDLY POLYMORPHIC COM/EXE/MBR
INFECTOR coming soon to a computer installation near you! From TäLöN, of
course! And another one minus the polymorphism, under 800 bytes!

Have fun! And good night, John!

TäLöN/NuKE
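For the three file-selection and stealth rules described above (the
SC/VS/CL/F- name filter, the internal-overlay test, and the "+100 years"
date marker that hides the 2048/4096-byte growth), here is an added
Python example that is not code from the zine: a clean-boot triage
routine that applies those rules to a file name, its bytes and its DOS
directory date word. It keeps the exact MZ overlay computation (e_cp and
e_cblp together) next to the page-count-only comparison the listing uses,
so the difference shows on a constructed file with a 300-byte overlay.
Assumptions: the name filter is applied to the base name only (the text
does not say whether the path is included), the MZ samples are
constructed rather than real programs, and the expected year of the files
is supplied by the caller; the 1993 used below is only a sample value.

```python
import struct

SKIP_SUBSTRINGS = ("SC", "VS", "CL", "F-")      # SCAN, TBSCAN, VSHIELD, CLEAN, F-PROT...
TARGET_EXTS = (".COM", ".EXE", ".BIN", ".OVL", ".SYS")
GROWTH = {".SYS": 4096}                         # every other target grows by 2048 bytes
DEFAULT_GROWTH = 2048
YEAR_OFFSET = 100                               # the stealth marker adds 100 years


def name_is_skipped(path):
    """The name filter from the text.  Assumption: only the base name is scanned."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].upper()
    return any(s in base for s in SKIP_SUBSTRINGS)


def has_target_extension(path):
    return path.upper().endswith(TARGET_EXTS)


def mz_declared_size(data):
    """Load-module size the MZ header declares; None if this is not an MZ file."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)   # bytes in last page, pages in file
    return e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp


def has_internal_overlay(data):
    """Exact test: the file extends past the load module the header describes."""
    declared = mz_declared_size(data)
    return declared is not None and len(data) > declared


def page_rule_overlay(data):
    """The zine listing's approximation: file size against e_cp * 512, ignoring e_cblp."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return False
    return len(data) > struct.unpack_from("<H", data, 4)[0] * 512


def decode_fat_date(word):
    """DOS directory date word: bits 15-9 years since 1980 (0..127), 8-5 month, 4-0 day."""
    return 1980 + (word >> 9), (word >> 5) & 0xF, word & 0x1F


def encode_fat_date(year, month, day):
    if not 1980 <= year <= 2107:
        raise ValueError("year outside the 7-bit FAT range")
    return ((year - 1980) << 9) | (month << 5) | day


def date_looks_marked(word, reference_year):
    """A year at least 100 ahead of the expected one is the '+100 years' marker.
    Only unambiguous for files dated before 2008: the year field ends at 2107."""
    return decode_fat_date(word)[0] >= reference_year + YEAR_OFFSET


def triage(path, data, fat_date_word, reference_year):
    """What the text's rules imply for one file, as seen from a clean boot."""
    ext = "." + path.upper().rsplit(".", 1)[-1] if "." in path else ""
    year, month, day = decode_fat_date(fat_date_word)
    marked = date_looks_marked(fat_date_word, reference_year)
    return {
        "candidate": (has_target_extension(path) and not name_is_skipped(path)
                      and not has_internal_overlay(data)),
        "skipped_by_name": name_is_skipped(path),
        "overlay": has_internal_overlay(data),
        "overlay_by_page_rule": page_rule_overlay(data),
        "date_marked": marked,
        "date_before_marking": (year - YEAR_OFFSET, month, day) if marked else None,
        "hidden_growth": GROWTH.get(ext, DEFAULT_GROWTH) if marked else 0,
    }


def mz_sample(total_len, e_cp, e_cblp):
    """Constructed MZ file (not a real program): header size fields plus filler."""
    hdr = bytearray(0x1C)
    hdr[:2] = b"MZ"
    struct.pack_into("<HH", hdr, 2, e_cblp, e_cp)
    return bytes(hdr) + b"\xCC" * (total_len - len(hdr))


CLEAN_EXE = mz_sample(1200, 3, 176)          # 2 * 512 + 176 = 1200: no overlay
SMALL_OVERLAY_EXE = mz_sample(1500, 3, 176)  # 300 bytes past the module, inside the last page's slack
BIG_OVERLAY_EXE = mz_sample(4000, 3, 176)

if __name__ == "__main__":
    marked = encode_fat_date(2093, 6, 15)    # a file dated 1993 after the +100 years trick
    print(triage("C:\\DOS\\SCAN.EXE", CLEAN_EXE, encode_fat_date(1993, 6, 15), 1993))
    print(triage("GAME.EXE", SMALL_OVERLAY_EXE, encode_fat_date(1993, 6, 15), 1993))
    print(triage("EDIT.COM", b"\xB8\x00\x4C\xCD\x21", marked, 1993))
```

The date check is only usable from a clean boot, since with the virus
resident the directory already shows the corrected size and date; and
because the FAT year field holds 1980..2107, a file originally dated 2008
or later cannot carry the +100 marker without wrapping, so the heuristic
is tied to the era of the files being examined.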