Concealer and the BOMB!

This is the part which conceals the program from notice by the everyday user and virus scanner. The simplest form of concealment is the encryptor. The code for a simple XOR encryption system follows:

encrypt_val db ?                ; the XOR key; set to 0 while writing the virus (XOR with 0 changes nothing)

decrypt:                        ; both labels enter the same routine: XOR is its own inverse
encrypt:
        mov ah, encrypt_val
        mov cx, part_to_encrypt_end - part_to_encrypt_start   ; length of the region in bytes
        mov si, part_to_encrypt_start
        mov di, si              ; transform in place (assumes DS = ES, as in a .COM program)
xor_loop:
        lodsb                   ; DS:[SI] -> AL
        xor al, ah
        stosb                   ; AL -> ES:[DI]
        loop xor_loop
        ret

Note that the encryption and decryption procedures are the same. This is due to the weird nature of XOR: applying the same key twice gives back the original bytes. You can CALL these procedures from anywhere in the program, but make sure you do not call them from a place within the area to be encrypted, as the program will crash. When writing the virus, set the encryption value to 0. part_to_encrypt_start and part_to_encrypt_end sandwich the area you wish to encrypt. Use a CALL decrypt at the beginning of V2 to decrypt the file so your program can run. When infecting a file, first change the encrypt_val, then CALL encrypt, then write V2 to the end of the file, and CALL decrypt. MAKE SURE THIS PART DOES NOT LIE IN THE AREA TO BE ENCRYPTED!!!

This is how V2 would look with the concealer:

V2_Start:

Concealer_Start:
.
.
.
Concealer_End:

Replicator_Start:
.
.
.
Replicator_End:

Part_To_Encrypt_Start:
.
.
.
Part_To_Encrypt_End:
V2_End:

Alternatively, you could move parts of the unencrypted stuff between Part_To_Encrypt_End and V2_End.

The value of encryption is readily apparent. Encryption makes it harder for virus scanners to locate your virus. It also hides some text strings located in your program. It is the easiest and shortest way to hide your virus.
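As an added example (not part of the original text), here is the scanner's side of the story: the single-byte XOR above hides a string from a plain byte search, but there are only 256 possible keys, and encrypt_val itself must sit unencrypted in the decryptor stub, so an analyst recovers the region by scoring every key for text-like output. The "encrypted region", the message and the key 0x5A are constructed for this demonstration.

```python
# Added example, not code from the original text: brute-force recovery of a
# single-byte XOR key from an obfuscated region. All sample data is constructed.
import string

LETTERS_AND_SPACE = set(string.ascii_letters.encode() + b" ")

def xor_bytes(data: bytes, key: int) -> bytes:
    """The XOR loop from the text: one routine serves as both encrypt and decrypt."""
    return bytes(b ^ key for b in data)

def text_score(data: bytes) -> int:
    """Number of bytes that look like ASCII text; the true key maximises this."""
    return sum(1 for b in data if b in LETTERS_AND_SPACE)

def recover_xor_key(blob: bytes) -> tuple[int, bytes]:
    """Try all 256 keys and keep the most text-like result.

    This is why the concealer only defeats a naive byte-pattern scan: the key
    space is tiny, and the key is stored in the clear in the decryptor anyway.
    """
    best_key, best_plain, best_score = 0, blob, -1
    for key in range(256):
        candidate = xor_bytes(blob, key)
        score = text_score(candidate)
        if score > best_score:
            best_key, best_plain, best_score = key, candidate, score
    return best_key, best_plain

# Constructed "Part_To_Encrypt" region: a few code-like bytes followed by a
# message string, the kind of text the encryptor is meant to hide.
CODE_STUB = bytes([0xB4, 0x09, 0xBA, 0x00, 0x00, 0xCD, 0x21])
MESSAGE = b"the quick brown fox jumps over the lazy dog"
KEY = 0x5A                                   # constructed encrypt_val
ENCRYPTED_REGION = xor_bytes(CODE_STUB + MESSAGE, KEY)

if __name__ == "__main__":
    assert MESSAGE not in ENCRYPTED_REGION   # hidden from a plain string search
    key, plain = recover_xor_key(ENCRYPTED_REGION)
    print(f"recovered key 0x{key:02X}; message: {plain[len(CODE_STUB):]!r}")
```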

Encryption is only one form of concealment. At least one other virus hooks into the DOS interrupts and alters the output of DIR so the file sizes appear normal. Another concealment scheme (for TSR virii) alters DOS so memory utilities do not detect the virus. Loading the virus in certain parts of memory allows it to survive warm reboots. There are many stealth techniques, limited only by the virus writer's imagination.


So now all the boring stuff is over. The nastiness is contained here. The bomb part of the virus does all the deletion/slowdown/etc. which make virii so annoying. Set some activation conditions for the virus. This can be anything, ranging from when it's your birthday to when the virus has infected 100 files. When these conditions are met, your virus does the good stuff. Some suggestions of possible bombs:

1) System slowdown - easily handled by trapping an interrupt and causing a delay when it activates.
2) File deletion - Delete all ZIP files on the drive.
3) Message display - Display a nice message saying something to the effect of "You are fucked."
4) Killing/Replacing the Partition Table/Boot Sector/FAT of the hard drive - This is very nasty, as most dimwits cannot fix this.

This is, of course, the fun part of writing a virus, so be original!
