the Art of Virology 03h

Use Netsparker


…finally after three months of inactivity (exams, parties and so) I made some time to write this virus and this article… so for the ones who read this series… ENjOY =)

The Old School Virus

Yeah, I gave up writting infant-b because even the [a] version was full of bugs, and had to logicaly restructure the code so I could implement the things I promised for this virus, which bears the name Old School (oldskl)…

A mutant?

I said that in this virus I’m going to implement and encryption scheme, xor based one and mutational (this I forgot to mention). The basics of the XOR is that when comparing two bits, if there are the same the result is 0 (zero) and if different (1).


0 xor 0 = 0
0 xor 1 = 1
1 xor 0 = 1
1 xor 1 = 0

Well also you could use other functions as rotate (left or right), increase/decrease, and, or, not and any other variation of these… The mutation of the virus happens before every infection. It simply adds 1 to the key (which is of dimension byte maxvalue = 255) until it reaches 0FFh (255), moment when it resets the key to 1, not 00 because then the virus would be no more encrypted. So it has 253 posible states (255 and 00 are out)…

The famous transversal infection (.. or Dot Dot)

I had to implement a multi-directory infector. Not all the files are in one single directory, so I implemented the dotdot technique, nothing fancy it works as a simple cd .. command… it’s a clasic …

Multiple infections per run

Simple implementation, but heavy result…
Some info on how it works… I used a tree type infection, just to make it funkier…

]The first infection wave infects 5 files, including itself (the first)…

]]The second file infects other 4 files

]]]The third file infects other 3

]]]]The fourth other 2

]]]]]The fifth just 1

When these infected files are executed, the above scheme starts over again, but decreasing from the number the have. So after another infection wave the second infected files infects other 4 files which infect as follows:

]The first 3 files

]The second 2 files

]The third 1 file

]The fourth 1 file

I think you got the idea… After going to 1 infections per run it stays there and infect just 1 file per run…

Stealth

Actually semy stealth because it only saves the time and date of the file and save the attributes of the files (because it resets them)… Why does it reset the attributes of the files? Because this way it can infect read-only files…

COM’s

You need some COM files to play with this baby… so I created a batch file which will automatically create you ten COM files per run (5 normal, 5 read-only)… Here is the code for the createCOM.bat:


@echo off
debug < gencom.file > nul
copy com.com 1.com > nul
copy com.com 2.com > nul
copy com.com 3.com > nul
copy com.com 4.com > nul
copy com.com 5.com > nul
copy com.com 6.com > nul
copy com.com 7.com > nul
copy com.com 8.com > nul
copy com.com 9.com > nul
copy com.com 10.com > nul
del com.com > nul
attrib +R 1.com
attrib +R 3.com
attrib +R 5.com
attrib +R 7.com
attrib +R 9.com
@echo off

Besides of this BAT file you also need the following file named gencom without any extension:


a100
mov ah, 4C
int 21h
nop
nop
nop
nop
nop
nop

n com.com
rcx
A
w
q

I advice you to make 2 directories: one Virus and a subfolder Start… Place the virus you assemble in start, where you also run createCOM.bat, and also run createCOM.bat in the folder Virus… Atention if the file gencom isn’t in the same directory with the bat, then no com files will be created..

Give me the virus
Again don’t spread this virus… It would an ok virus about 20 years ago, but not it’s god damn old for these times…

Oldskl by backbone: oldskl.asm

The ending of 03…

If you understand everything until now than you know the basics of computer viruses… If not don’t panic (i didn’t also understand viruses at the beginning) the following article will be a fully detailed one about every function we used… for the ones that have learned a bit of assembly… for the others: check my first article and get a good assembly book to learn…

EOF

Posted in: Virology

, , ,


Latest Posts:


Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.


One Response to the Art of Virology 03h

  1. Torvaun March 2, 2007 at 8:37 pm #

    Minor nitpick. Your virus has 254 possible states, not 253.