Stealth Viruses Method 2

Some May notice that when they use PCTOOLs (aka PCSHELL) or Peter Norton Utilities, or *SOME* File Managing systems like DOS-Shell, the File increase of infected files is know visable. There is no doubt about it, if you only put Method #1 in your virus you will encounter times were the file increase shows. Its not because your Routine isn't good! But due to the fact that there is another way to Read the Dir Listing by DOS. An this method is Call File-find by ASCIIZ format.

We just learned how to edit File-Find by FCB. Which is used by MS-DOS PC-DOS and some other programs. But unlike the others, they use the ASCIIZ file-Find method as it is EASIER to open, close, edite, and any other file access routine is ALOT easier with the ASCIIZ or (File Handle) system. So we will make our Virus Stealth to Method #2! Making us 100% Stealth from file-finds...

The Function we have to Intecept is Interrupt 21h, with Functions AH=4Eh (Find First Matching File) and AH=4F (Find Next Matching File) The Way to go about it is Very much ALIKE to the first one, so just understand the thoery, and you'll be able to program it within seconds.

When this function is called, it will fill the current DTA with 12 entries totally 43 bytes. The DTA will be set up as follows: (below)
BTW: DTA is only a place DOS uses to do Disk Transfer Areas! It ISN'T
like the FCB, or PSP that is anyways the same! You can play with
this as you wish. You also use this DTA to read the Command Line
Parameters...etc...

Offset Size Description
ÄÄÄÄÄÅÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
00h ³ 1 ³ Drive Letter
01h ³ 11 ³ Seach Template
0Ch ³ 1 ³ Attribute Search
0Dh ³ 2 ³ Entry count within Directory
0Fh ³ 2 ³ Cluster Number of start of parent directory
11h ³ 4 ³ Reserved (Atleast Undocumented)
15h ³ 1 ³ Attribute of File FOUND
@ 16h ³ 2 ³ File's Time (Bits : SSSS-SMMM-MMMH-HHHH) Sec/2:Month:Year
18h ³ 2 ³ File's Date (Bits : DDDD-DMMM-MYYY-YYYY) Day:Month:Year
* 1Ah ³ 4 ³ File's Size (Word Reverse Order, Dah!!?!)
1Eh ³ 13 ³ ASCIIZ File name & Extension
* = Must be Edited by Virus is File Infected
@ = Needed to Check if File is Infected. (Seconds Field)

%Algorthm%
~~~~~~~~~~
CONDISTION: DS:DX points to ASCIIZ of file search.
CX: Contains File Attributes

Step 1. Call Dos so it fills the DTA with its findings
Step 2. Test for CF=1 (Carry Flag) as error happened
errors happen if File not found, no more files etc...
Step 3. Get Seconds Field And UnMask Seconds
Step 4. Check if seconds = 58 (What ever your using) Quit if NOT
Notice we use `XOR AL,1Dh' rather than `CMP AL,1Dh'
Check in your ASM Bible, which is Faster? Size?
Remember speed & size is EVERYTHING, That is why
My lastest are quite small viriis for stealthness!!
Step 5. If Infected Subtract Virus Size from File
Step 6. Quit

If you want all the information about this post, kindly email me. Do some effort guys! :-)