INTRO. These studies of computer viruses are based on The Giant Black Book of Computer Viruses by Mark Ludwig. These viruses are used for discussion and study. They are not meant to be used in any way other than academic. It is a part of the Academic Underground student organization to further understand and prevent computer viruses. This is mainly an outline for the panel discussions at the meeting.
Parasitic Virus - Humper
A parasitic virus must append itself to its host. Writing yourself to the end of a file causes two major problems. The first is: how do you get executed? This is actually fairly simple to solve. We save the initial bytes of the host inside the virus and then write, at the start of the host, a jump that goes up to our virus. When our virus is done it puts the original bytes back (in memory) and executes the host.
The second problem can cause a little more headache at first. A normal application can assume that if it points to a section of code, that code will be in the same spot the next time it points to it, but unfortunately we can't do that. If we originally pointed to a string that was 210 bytes down from our initial starting point (OFFSET), in the next host it will be at HOST_SIZE+210. We have to use relative addressing to point to our code.
Basically, to accomplish this feat what we need to do is this little trick at the beginning of our code:

    call GET_START              ; pushes the address of GET_START (the next instruction)
    GET_START: pop di           ; di = where GET_START actually is in this host
    sub di, offset GET_START    ; subtract where the assembler thought it was: di = our delta
That's it! Now we can use di as a reference point. So instead of:

    mov dx, offset MSG

we'll use:

    lea dx, [di+offset MSG]

Notice I used LEA and not MOV; you'll need to do that so the assembler knows to use the relative addresses (LEA adds the delta in di to the assemble-time offset instead of loading the offset as a fixed immediate).
The jump at the beginning is simple. We write an E8h (JMP) to our HOST_EOF and then a signature. We'll write the word HUMPER on the file for easy identification. Any infected COM file can be loaded into DEBUG; type D and you should see the word HUMPER printed within the first 9 bytes. This does not affect the virus nor the host; it is only used for identification. In memory we replace these 9 bytes with the original ones and then issue a RET to execute code at offset 100h (in memory).
The Humper virus will stay in its own directory, so it is easy to play and experiment with without worry.
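A defender's view of the same 9-byte layout, as an added example that is not part of the original notes or the virus itself: a small scanner that checks a COM image for the jump-plus-HUMPER stub and uses the 16-bit displacement to recover where the appended body (and thus the original host size) is. The sample images are constructed here for the test; the dummy body only reuses the call/pop stub from the text, and the scanner accepts both E9h (near JMP) and E8h (near CALL) at byte 0 since the text calls its E8h a "JMP".

```python
import struct

COM_LOAD = 0x100              # DOS loads a .COM image at CS:0100h, so file offset N = address 100h+N
SIG = b"HUMPER"               # the marker the text says follows the 3-byte jump
JMP_NEAR, CALL_NEAR = 0xE9, 0xE8   # E9h is a near JMP, E8h a near CALL; the text calls its E8h a "JMP"

def humper_header(image: bytes):
    """Return (opcode, body_offset) if the first 9 bytes look like a Humper entry stub,
    else None. The rel16 displacement counts from the byte after the 3-byte
    instruction, i.e. file offset 3 (CS:0103h)."""
    if len(image) < 9 or image[0] not in (JMP_NEAR, CALL_NEAR) or image[3:9] != SIG:
        return None
    rel = struct.unpack_from("<h", image, 1)[0]
    return image[0], 3 + rel

def scan_com(image: bytes) -> dict:
    """Classify one .COM image. A parasitic body appended at HOST_EOF must land
    past the stub and inside the file; anything else is a false signature hit."""
    hdr = humper_header(image)
    if hdr is None:
        return {"infected": False}
    opcode, body = hdr
    if not 9 <= body < len(image):
        return {"infected": False, "note": "signature present but jump target not in file"}
    return {"infected": True, "opcode": opcode,
            "host_size": body,                # bytes before the body = original host length
            "body_addr": COM_LOAD + body}     # where GET_START's "pop di" will land in memory

# Constructed samples (not real virus code). CLEAN prints "Hi" and exits.
CLEAN = bytes.fromhex("B409 BA0B01 CD21 B44C CD21") + b"Hi$"          # 14 bytes
# INFECTED: the first 9 host bytes replaced by "E9 0B 00" (jmp +11 -> offset 14) + HUMPER,
# the untouched host tail, then a dummy body beginning with the call/pop GET_START stub.
INFECTED = (b"\xE9\x0B\x00" + SIG + CLEAN[9:]
            + b"\xE8\x00\x00\x5F" + CLEAN[:9] + b"\x90" * 8)
# BOGUS: signature present but the displacement points outside the file.
BOGUS = b"\xE9\x10\x00" + SIG + b"\x90\x90"

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("infected", INFECTED), ("bogus", BOGUS)):
        print(name, scan_com(img))
```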
The Holmes Strain
This is a slightly modified HUMPER virus with some added routines for traversing the entire directory tree. This virus gets around. There are a few things to keep in mind when infecting an entire hard drive. Mainly ... it's fairly time consuming. If a virus has to scan through every directory on a full 9 Gig drive, it could take a lot longer for the host program to execute, with enough hard drive activity to alert the user. So, I've stolen the ideas from Mark Ludwig's Giant Black Book and implemented them as follows:
The change to FIND_FILES is to turn the "jmp if directory" into a call to GET_DIR. All this procedure does is change to the target directory and recursively call itself to search for files there.
And that's all there is to it!
Scans
Humper
ThunderByte (DOS) '95 - Detected! Cleaned!!!
ThunderByte (95) '98 - Failed! (But will detect in High Sensitivity Mode)
Norton AntiVirus 4.0 '98 - Failed!
Norton AntiVirus 5.0 '98 - Detected! Could not Clean
F-Prot (95) '98 - Failed! (Logs do show a suspected virus though...strange)
ViruSafe 95 v2.7 - Failed!
McAfee VirusScan '98 - Failed!
Inoculan '98 - Failed!
Holmes Strain
ThunderByte (DOS) '95 - Detected! Cleaned!!!
ThunderByte (95) '98 - Failed! (But will detect in High Sensitivity Mode)
Norton AntiVirus 4.0 '98 - Failed!
Norton AntiVirus 5.0 '98 - Detected! Could not Clean
F-Prot (95) '98 - Failed! (Logs do show a suspected virus though...strange)
ViruSafe 95 v2.7 - Failed!
McAfee VirusScan '98 - Failed!
Inoculan '98 - Failed!
Exercises