Parasitic COM Infector

INTRO.  These studies of computer viruses are based on The Giant Black Book of Computer 
Viruses by Mark Ludwig.  These viruses are used for discussion and study.  They are not meant
to be used in any way other than academic.   It is a part of the Academic Underground student
organization to further understand and prevent computer viruses.  This is mainly an outline for
the panel discussions at the meeting. 

Parasitic Virus - Humper
 
A parasitic virus must append itself to its host.  Writing yourself to the end of a file causes two major problems.  The first is: how do you execute?  This is actually fairly simple to solve.  We have to save the initial bytes of the host inside the virus and then write a jump at the start of the host that transfers control to our virus.  When our virus is done it restores the original bytes (in memory) and executes the host.

The second problem can cause a little more headache at first.  A normal application can assume that if you point to a section of code, that code will be in the same spot the next time you point to it, but unfortunately we can't do that.  If we originally pointed to a string that was 210 bytes down from our initial starting point (OFFSET), it will later be at HOST_SIZE+210.  We have to use relative addressing to point to our code.

Basically, to accomplish this feat what we need to do is this little trick in the beginning of our code:

        call GET_START
GET_START:
        pop di
        sub di, offset GET_START

That's it!  Now we can use di as a reference point.  So instead of:

        mov dx, offset MSG

we'll use:

        lea dx, [di+offset MSG]

Notice I used LEA and not MOV; you'll need to do that so the assembler knows to use the relative address.

The jump in the beginning is simple.  We write an E8h (JMP) to our HOST_EOF and then a signature.  We'll write the word HUMPER to the file for easy identification.  Any infected COM file can be loaded into DEBUG and dumped with D.  You should see the word HUMPER printed within the first 9 bytes.  This does not affect the virus nor the host; it is only used for identification.  In memory we replace these 9 bytes with the originals and then issue a RET to execute code at offset 100h (in memory).

The Humper virus will stay in its own directory, so it is easy to play and experiment with without worry.

The Holmes Strain

This is a slightly modified HUMPER virus with some added routines for traversing the entire directory tree.  This virus gets around.  There are a few things to keep in mind when infecting an entire hard drive.  Mainly, it's fairly time consuming.  If a virus has to scan through every directory in a filled 9 Gig drive, it could take a lot longer for the host program to execute, with enough hard drive activity to alert the user.  So, I've stolen the ideas from Mark Ludwig's Giant Black Book and implemented them as follows:

  1. It restricts how many COM files it infects with a MAX_INFECT constant.
  2. It will only enter a DEPTH of one subdirectory layer in its search.
  3. It will, however, search the subdirectories of both its current directory and the root directory.

Two procedures need to be modified to accomplish this: LOCATE_HOSTS and FIND_FILES.  The changes to LOCATE_HOSTS are mainly to add the ability to change to the root directory to scan, and also to make it aware of our new restrictions.

The change to FIND_FILES is to replace the jump taken when a directory entry is found with a call to GET_DIR.  All that this procedure does is change to the target directory and recursively invoke the file search there.

And that's all there is to it!
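The identification and traversal details above (the 9-byte jump-plus-HUMPER header, the call/pop/sub self-locating sequence, and the depth-limited directory walk of the Holmes strain) also tell a defender what to look for.  The following Python is an added example, not code from this page, from the Humper/Holmes sources or from Ludwig's book: a small scanner that applies two heuristics to a COM image and then walks a directory tree to a configurable depth.  The sample images are constructed, inert byte strings (a tiny "Hello$" host and a mock tail that contains only the self-locating idiom and a RET); the signature check follows the page's description, and the scanner accepts both E8h (near CALL) and E9h (near JMP) as the leading transfer instruction.  Names such as analyse, scan_tree and demo_scan are this example's own.

```python
# Added example: detector for the appended-COM-infector pattern discussed above.
# The byte strings are constructed mock images for illustration; none of them
# carries infection logic, and nothing here comes from the Humper/Holmes sources.
import os
import struct
import tempfile

SIGNATURE = b"HUMPER"             # marker the page says sits in the first 9 bytes
HEADER_LEN = 9                    # 3-byte near jump + 6-byte signature
TRANSFER_OPCODES = {0xE8, 0xE9}   # near CALL (E8) and near JMP (E9), both rel16


def transfer_target(image: bytes):
    """File offset reached by a leading near CALL/JMP, or None if the image
    does not start with one.  Target = end of the 3-byte instruction + rel16."""
    if len(image) < 3 or image[0] not in TRANSFER_OPCODES:
        return None
    rel = struct.unpack_from("<h", image, 1)[0]
    return (3 + rel) & 0xFFFF


def has_get_pc_idiom(code: bytes) -> bool:
    """Find `call $+0 / pop r16 / sub r16, imm` (E8 00 00, 58+r, 81|83 E8+r),
    the self-locating trick the page shows with di."""
    i = code.find(b"\xE8\x00\x00")
    while i != -1 and i + 6 <= len(code):
        pop = code[i + 3]
        if 0x58 <= pop <= 0x5F:
            reg = pop - 0x58
            if code[i + 4] in (0x81, 0x83) and code[i + 5] == (0xE8 | reg):
                return True
        i = code.find(b"\xE8\x00\x00", i + 1)
    return False


def analyse(image: bytes) -> dict:
    """Two independent heuristics: the plain-text signature, and an entry jump
    whose landing code immediately computes its own load delta."""
    target = transfer_target(image)
    signature = SIGNATURE in image[:HEADER_LEN]
    tail_locates_itself = (target is not None and target < len(image)
                           and has_get_pc_idiom(image[target:]))
    return {
        "jump_target": target,
        "signature": signature,
        "tail_locates_itself": tail_locates_itself,
        "infected": signature or tail_locates_itself,
    }


def build_samples() -> dict:
    # Constructed host: mov ah,9 / mov dx,10Ch / int 21h / mov ah,4Ch / int 21h / "Hello$"
    host = b"\xB4\x09\xBA\x0C\x01\xCD\x21\xB4\x4C\xCD\x21" + b"Hello$"
    # Constructed mock tail: call $+0 / pop di / sub di,0103h / ret (inert stand-in)
    tail = b"\xE8\x00\x00\x5F\x81\xEF\x03\x01\xC3"
    entry = b"\xE9" + struct.pack("<h", len(host) - 3)   # jump from offset 3 to the tail
    return {
        "clean": host,
        # a legitimate program that opens with a jump over its own data
        "clean_with_jump": b"\xE9" + struct.pack("<h", 6) + b"Hello$"
                           + b"\xB4\x09\xBA\x03\x01\xCD\x21\xB4\x4C\xCD\x21",
        # first 9 bytes replaced by jump + signature, as the page describes
        "signed": entry + SIGNATURE + host[HEADER_LEN:] + tail,
        # exercise-2 style: only the 3-byte jump is written, no signature
        "unsigned": entry + host[3:] + tail,
    }


def scan_tree(root: str, max_depth: int = 1) -> list:
    """Check every *.COM below root, descending at most max_depth levels."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []          # prune: do not descend any further
        for name in filenames:
            if name.lower().endswith(".com"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    if analyse(f.read())["infected"]:
                        hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def demo_scan(max_depth: int = 1) -> list:
    """Lay the constructed samples out in a temporary tree and scan it."""
    s = build_samples()
    layout = {
        "CLEAN.COM": s["clean"],
        "INFECT.COM": s["signed"],
        os.path.join("sub", "HIDDEN.COM"): s["unsigned"],
        os.path.join("sub", "deep", "DEEP.COM"): s["signed"],
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return scan_tree(root, max_depth)


if __name__ == "__main__":
    for name, image in build_samples().items():
        print(name, analyse(image))
    print("depth 1:", demo_scan(1))
    print("depth 2:", demo_scan(2))
```

The second heuristic is the one that survives exercise 2: once the HUMPER string is gone, the entry jump that lands on a call/pop/sub sequence still gives the appended code away, which is the kind of pattern a heuristic scanner such as ThunderByte in high-sensitivity mode keys on.  The depth-limited walk shows the other side of the Holmes trade-off: a scan that stops one level down, like the virus itself, never sees the sample planted two levels deep.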

Scans

Humper
ThunderByte (DOS) '95  - Detected! Cleaned!!!
ThunderByte (95) '98 - Failed! (But will detect in High Sensitivity Mode)
Norton AntiVirus 4.0 '98 -  Failed!
Norton AntiVirus 5.0 '98 -  Detected! Could not Clean
F-Prot (95) '98 - Failed! (Logs do show a suspected virus though...strange)
ViruSafe 95 v2.7 - Failed!
McAfee VirusScan '98 -  Failed!
Inoculan '98 -  Failed!

Holmes Strain
ThunderByte (DOS) '95  - Detected! Cleaned!!!
ThunderByte (95) '98 - Failed! (But will detect in High Sensitivity Mode)
Norton AntiVirus 4.0 '98 -  Failed!
Norton AntiVirus 5.0 '98 -  Detected! Could not Clean
F-Prot (95) '98 - Failed! (Logs do show a suspected virus though...strange)
ViruSafe 95 v2.7 - Failed!
McAfee VirusScan '98 -  Failed!
Inoculan '98 -  Failed!

Exercises

  1. Modify Holmes so that MAX_INFECT is not a constant but a variable that it can randomly add to and subtract from.  For example: grab the seconds; if under 10, subtract; if over 50, add; otherwise don't modify MAX_INFECT.
  2. Get rid of the blatant HUMPER written to the beginning of the host file and use a different method to detect yourself.  Try seeking to EOF-SIZE_OF_VIRUS and comparing Humper's initial bytes to the target's to see if it has already been infected.
  3. Change the virus so it puts itself before the host file.  Note that this way you don't have to use ANY relative addressing, but the obstacle is that you need to move the entire host back to the beginning, not just the initial bytes.