…finally after three months of inactivity (exams, parties and so) I made some time to write this virus and this article… so for the ones who read this series… ENjOY =)
The Old School Virus
Yeah, I gave up writting infant-b because even the [a] version was full of bugs, and had to logicaly restructure the code so I could implement the things I promised for this virus, which bears the name Old School (oldskl)…
A mutant?
I said that in this virus I’m going to implement and encryption scheme, xor based one and mutational (this I forgot to mention). The basics of the XOR is that when comparing two bits, if there are the same the result is 0 (zero) and if different (1).
0 xor 0 = 0
0 xor 1 = 1
1 xor 0 = 1
1 xor 1 = 0
Well also you could use other functions as rotate (left or right), increase/decrease, and, or, not and any other variation of these… The mutation of the virus happens before every infection. It simply adds 1 to the key (which is of dimension byte maxvalue = 255) until it reaches 0FFh (255), moment when it resets the key to 1, not 00 because then the virus would be no more encrypted. So it has 253 posible states (255 and 00 are out)…
The famous transversal infection (.. or Dot Dot)
I had to implement a multi-directory infector. Not all the files are in one single directory, so I implemented the dotdot technique, nothing fancy it works as a simple cd .. command… it’s a clasic …
Multiple infections per run
Simple implementation, but heavy
result…
Some info on how it works… I used a tree type infection, just to make it funkier…
]The first infection wave infects 5 files, including itself (the first)…
]]The second file infects other 4 files
]]]The third file infects other 3
]]]]The fourth other 2
]]]]]The fifth just 1
When these infected files are executed, the above scheme starts over again, but decreasing from the number the have. So after another infection wave the second infected files infects other 4 files which infect as follows:
]The first 3 files
]The second 2 files
]The third 1 file
]The fourth 1 file
I think you got the idea… After going to 1 infections per run it stays there and infect just 1 file per run…
Stealth
Actually semy stealth because it only saves the time and date of the file and save the attributes of the files (because it resets them)… Why does it reset the attributes of the files? Because this way it can infect read-only files…
COM’s
You need some COM files to play with this baby… so I created a batch file which will automatically create you ten COM files per run (5 normal, 5 read-only)… Here is the code for the createCOM.bat:
@echo off
debug < gencom.file > nul
copy com.com 1.com > nul
copy com.com 2.com > nul
copy com.com 3.com > nul
copy com.com 4.com > nul
copy com.com 5.com > nul
copy com.com 6.com > nul
copy com.com 7.com > nul
copy com.com 8.com > nul
copy com.com 9.com > nul
copy com.com 10.com > nul
del com.com > nul
attrib +R 1.com
attrib +R 3.com
attrib +R 5.com
attrib +R 7.com
attrib +R 9.com
@echo off
Besides of this BAT file you also need the following file named gencom without any extension:
a100
mov ah, 4C
int 21h
nop
nop
nop
nop
nop
nop
n com.com
rcx
A
w
q
I advice you to make 2 directories: one Virus and a subfolder Start… Place the virus you assemble in start, where you also run createCOM.bat, and also run createCOM.bat in the folder Virus… Atention if the file gencom isn’t in the same directory with the bat, then no com files will be created..
Give me the virus
Again don’t spread this virus… It would an ok virus about 20 years ago, but not it’s god damn old for these times…
Oldskl by backbone: oldskl.asm
The ending of 03…
If you understand everything until now than you know the basics of computer viruses… If not don’t panic (i didn’t also understand viruses at the beginning) the following article will be a fully detailed one about every function we used… for the ones that have learned a bit of assembly… for the others: check my first article and get a good assembly book to learn…
EOF
Minor nitpick. Your virus has 254 possible states, not 253.