Copy Link
Add to Bookmark
Report
29A Issue 01 03 01
Deactivations
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ>
Blade Runner
The deactivation of a virus in memory is a standard process, and very ea-
sy in deed. Anyway, i'm conscious that many of you aren't that intelli-
igent, so i'll explain it clearly *step_by_step*; this is, those of you
who have a bit more knowledge may just give it a look, or skip the whole
article.
Mmmh... let's see... first thing is the virus to be resident... :) Let's
introduce this briefly :)
A virus, in order to stay resident, has to change interrupt vectors so
these point to it. In other words, a virus that hangs off int 21h, will
change ES and BX when calling int 21h func 35h, or otherwise it will do
this directly on 0000:(int#*4).
Knowing the virus keeps the old vector addresses in its code, it is ob-
vious that we'll have to look where it keeps them and replace them on the
interrupt vector table.
Once we know the theory, let's see it practically. Above all, we'll have
to find a tool for our job. I personally use debug (as you can see, i use
it for everything) :) but you'll prefer AVPUtil or some other new color-
ful user friendly debugger. I even sometimes use a little program written
by myself which is very useful for these kinda situations.
Well, then we start. First step is to know the memory status, by means of
int 21h function 35h (get interruption vector). Here it is, done with de-
bug:
C:\29A>debug
-a100
1649:0100 mov ax,3521
1649:0103 int 21
1649:0105
-p
AX=3521BX=0000CX=0000DX=0000SP=FFEEBP=0000SI=0000DI=0000
DS=1560ES=0000SS=1560CS=1560IP=0103 NV UP EI PL NZ NA PO NC
1560:0103 CD21 INT 21
-p
AX=3521BX=410DCX=0000DX=0000SP=FFEEBP=0000SI=0000DI=0000
DS=1560ES=0011SS=1560CS=1560IP=0105 NV UP EI PL NZ NA PO NC
1560:0105 8BFF MOV DI,DI
-q
Then we look the values into ES and BX, which are segment and the offset
of the interrupt vector. These are, in this case, 0011:410d. Ok, note it
down or remember it and keep going :-)
Now we have to pick a virus for our experiment. We'll use any of the Ba-
rrotes family, the typical lame viruses mutated with PCTewls ;-) For ins-
tance, Barrotes.1310.d... let's have a look at its payload and at what
does Mr.Kaspersky tell us about it:
Virus MIKELON por MSoft°±² °±² °±² °±² °±²373k] °±²
ÉÍ[þ°±²ÍÍÍÍÍÍÍ°±²ÍÍÍÍÍÍ°±²ÍÍÍÍÍÍ°±²Topic °±²ÍÍÍÍÍÍ°±²ÍÍÍÍÍÍ°±²ÍÍÍÍÍÍ°±²
º B°±²otes fa°±²y °±² °±² °±² °±² °±² °±²
º Í°±²ÍÍÍÍÍÍÍ°±²Í °±² °±² °±² °±² °±² °±²
º Th°±² are da°±²rous m°±²y resi°±² paras°±² virus°±²On exe°±²on the°±²
º in°±²t C:\CO°±²ND.COM°±²e Then°±²ey hoo°±²T 21h °±²infect°±² COM- °±²
º EX°±²iles ar°±²xecute°±²hey co°±²n the °±²rnal t°±²string°±² °±²
º "c°±²ommand.°±²". On °±²ary, 5°±²hey er°±²MBR se°±², hook°±² 1Ch, °±²
º di°±²ay the °±²sage "°±²s BARR°±² por O°±²" and °±²ral ve°±²al lin°±²
º °±² °±² °±² °±² °±² °±² °±² °±²
º "B°±²otes.84°±²hits C°±²iles o°±² °±² °±² °±² °±²
º °±² °±² °±² °±² °±² °±² °±² °±²
º "B°±²otes.13°±²d" doe°±²t corr°±²MBR. O°±²stalla°±² it us°±²386 °±²
º in°±²uction.°±² displ°±²the me°±²e: "Vi°±²MIKELO°±²r MSof°±² °±²
º °±² °±² °±² °±² °±² °±² °±² °±²
º °±² °±² °±² °±² °±² °±² °±² °±²
º B°±²otes.Te°±².1303 °±² °±² °±² °±² °±² °±²
º Ä°±²ÄÄÄÄÄÄÄ°±²ÄÄÄÄÄ °±² °±² °±² °±² °±² °±²
º It°±²not dan°±²ous me°±² resid°±²encryp°±²parasi°±²virus.°±²hooks °±²
º 21°±²nd writ°±²itself°±²the en°±² COM- °±²EXE-fi°±²are ex°±²ed. On°±²
º in°±²llation°±²ts C:C°±²ND.COM°±²e. On °±²ember,°±²h it h°±² INT 1°±²
º al°±²and cha°±²s the °±²codes °±²eys ar°±²tered.°±²s viru°±²ntains°±²
ÈÍ<þ°±²±±±±±±±°±²±±±±±±°±²±±±±±±°±²±±±±±±°±²±±±±±±°±²±±±±±±°±²±±±±±±°±²
Test mode: Analyzer Warnings CRC
ßßßßßßßßßßßßßßßßßßß C:\29A (Programs) ßßßßßßßßßßßßßßßßßßßß
C:\29A
bar1310d.com : virus Barrotes.1310.d detected.
Once we've seen the virus, we may start our work. For make it easier, we
will use that little program i told you i sometimes use (CrackVir), writ-
ten by myself... it's a program which intercepts int 21h function 4bh on-
ce a virus is memory resident; this is, the virus won't be able to infect
though it will be completely operational. This is quite easy to do... my
program saves the original int 21h vector values, and, after running the
virus, it intercepts function 4bh, so the virus, if it uses 4b00h for in-
fecting, won't be able to hit any file.
What we're left with now is easy. We run AVPUtil, or even debug, and look
into the contents of int 21h, which is occupied by the virus. This time
we're left with 9f9c:017b (segment will vary). Then we'll have to dump
from the beginning (9f9c:0000), and search 0011:410d, which was the ori-
ginal int 21h value (hex: 0D 41 11 00). With debug, we'll have to look
ourselves for it, whilst with AVPUtil we can leave him look for it:
Memory Dump: F2-save F3-text mode F4-HEX/ASCII F5-edit F7-find
ÉÍÍÍÍÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
º9F9C:0103³[0D*41*11*00]55 01 18 D6 D0 0E D4 00 00 00 80 00 ³
º9F9C:0113³ D0 0E 5C 00 D0 0E 6C 00 D0 0E 94 B4 06 00 4D 5A ³
º9F9C:0123³ D4 01 0C 00 06 00 20 00 75 02 FF FF A8 00 54 0B ³
º9F9C:0133³ 89 19 58 08 A8 00 1E 00 00 00 06 00 00 00 50 31 ³
º9F9C:0143³ 2E 03 00 01 00 41 43 41 44 2E 45 58 45 10 00 00 ³
º9F9C:0153³ 02 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 2E 43 4F 4D ³
º9F9C:0163³ 2E 45 58 45 43 6F 70 79 72 69 67 68 74 20 28 43 ³
º9F9C:0173³ 29 20 31 39 38 38 2C 20 31 39 38 39 20 62 79 20 ³
º9F9C:0183³ 41 42 54 20 47 72 6F 75 70 2E 20 E3 08 00 00 EB ³
The search result is up there: int 21h is kept in 9f9c:0103 (103 the off-
set, 105, the segment). Now we have enough information so as to create a
generic memory remover for this virus, which is rather easy to code.
Blade Runner/29A
Los Angeles, 2019
