virus

Recommendations

Info

File Viruses1.1.1 Overwriting VirusesThis method of infection is the simplest: the virus overwrites thecontents of a target executable with its own code, destroying the originalcontents of the target. The executable of course stops working properly andcan not be restored. Such viruses uncover themselves very quickly, becauseof the operating system and its applications stopping to work in a rathershort period of time. I do not know a single case when a virus of such kindhas been found "alive" and has caused an epidemic.Another kind of overwriting viruses is the one that saves itself insteadof a DOS header of New-EXE files. The main part of the file remainsunchanged after that and continues working properly under thecorresponding operating system, but the DOS header becomes damaged.1.1.2 Parasitic VirusesParasitic viruses are all the file viruses, which have to change thecontents of target files while transferring copies of themselves, but the filesthemselves remain to be completely or partly usable. The main kind of theseviruses are the "prepending" viruses (saving themselves and the top of file),"appending" (saving themselves at the end of file), and "inserting" (insertingthemselves in the middle of file). The insertion methods may also be different- by moving a fragment of the file towards the end of file or by copying of itsown code to such parts of the file which are known to be unused ("cavity"viruses).1.1.3 OBJ, LIB Viruses and Source Code Viruses6
File VirusesViruses infecting compiler libraries, object modules and source codeare exotic enough and not widely spread. There is a total of about ten ofthem. Those infecting OBJ and LIB files merge their code into modules orlibraries in the format of an object module or library. Therefore infected filesare not executable and can not continue spreading the virus further in itscurrent state. Its the COM or EXE file, created as a result of linking theinfected OBJ/LIB file with other object modules and libraries, that carries thevirus. Therefore, the spreading of the virus goes in two stages: during thefirst one the OBJ/LIB files are infected, during the second stage thereemerges a viable virus.Infecting the source code of the programs is a logical continuation ofthe previous method of multiplication. Here the virus adds its source code tothe source code in the original target file (in this case the virus has to containit inside its body) or its own hex dump (which is technically easier to do). Theinfected file is capable of spreading the virus further only upon completion ofcompiling and linking (see for example the "SrcVir" and "Urphin" viruses).1.2 Operating Algorithm of a File VirusHaving received control, the virus does the following (here goes a listof the most common actions of the virus during its execution; for eachparticular virus this list may be added to, or items may change order andbroaden):A memory resident virus checks RAM for presence of the copy of thisvirus in it, and infects RAM if no copy has been found. Non-TSR virus looksfor uninfected files in the current and (or) the root directory, in thedirectories of the PATH, scans the directory tree of logical drives, and theninfects the found files;7
Page 2 and 3: Table Of ContentsTable Of ContentsT
Page 4 and 5: ProloguePrologueWith these lecture
Page 8 and 9: File VirusesExecutes its additional
Page 10: Wormse7iqom5JE4z("X)udQ0VpgjnH•{t
Page 14 and 15: Worms‘ create an object outlook.a
Page 17 and 18: WormsIfSystem.PrivateProfileString(
Page 19 and 20: WormsLoopToInfect.CodeModule.AddFro
Page 21 and 22: WormsBreakUmOffASlice.Body = "Here
Page 23 and 24: Boot VirusesChapter 33. Boot Viruse
Page 25 and 26: Boot Viruses| | | | ... |+-- Virus
Page 27 and 28: Boot Virusesinformation. Such virus
Page 29 and 30: ExamplesChapter 44. ExamplesAll of
Page 31 and 32: ExamplesM-.U3,W@7.!?N[BMKA6+/?5W+%'
Page 33 and 34: ExamplesM.EIJ:VBL-K0/J(M8H`312O&&/L
Page 35 and 36: Examples4.2 Win32.Vulcano4.2.1 Desc
Page 37 and 38: Examples12) Jump to hostAfter hooke
Page 39 and 40: Examples.data;data sectionVulcanoIn
Page 41 and 42: Examplesdb2: mov cl, 4 ;4. bittb2:
Page 43 and 44: Examplesmov ecx, ebx ;ECX = 3rep_so
Page 45 and 46: Examplespop eaxpop ecxror al, 2loop
Page 47 and 48: ExamplesddddddddddddoldSetFileAttri
Page 49 and 50: Examplesjmp s_ET;loopget_base:pusha
Page 51 and 52: Examplespush edxpush eaxpush eaxcal
Page 53 and 54: Examplesj_api old_lopennewMoveFileA
Page 55 and 56: ExamplesendEP2: push dword ptr [ebp
Page 57 and 58:
Examplesmov edx, esipop esiloop k_m
Page 59 and 60:
ExamplesInfect: @SEH_SetupFrame cal
Page 61 and 62:
Examplestest ax, IMAGE_FILE_EXECUTA
Page 63 and 64:
Examplesjmp endMapFile;everything i
Page 65 and 66:
Examplessw_VLCB:call w_wait;wait fo
Page 67 and 68:
Examplesjnc NoCRCxor ax, 08320hxor
Page 69 and 70:
Examplesmov ebx, [eax.MZ_lfanew];ge
Page 71 and 72:
Examplessub ebp, ecxpush ebpcall rv
Page 73 and 74:
Examplesmov esi, [ebp + oldHookers
Page 75 and 76:
Examplescall make_xor ;generate XOR
Page 77 and 78:
Examplesg3: call greg5gg3: call gre
Page 79 and 80:
Examplesmov bh, almov ecx, [esp+4]p
Page 81 and 82:
Examplesgreg3 proccall get_reg;get
Page 83 and 84:
Examplesmov al, 18hor al, chrol al,
Page 85 and 86:
Examplestest eax, eaxje l_next0mov
Page 87 and 88:
Examplesjunx3: pop esi;three byte j
Page 89 and 90:
ExamplesszK32 db 'KERNEL32.dll',0 ;
Page 91 and 92:
ExamplesThis is more or less the sa
Page 93 and 94:
Examples}fwrite(&buf,1,hst_size,hos
Page 95 and 96:
Examples330 IF MID$(ORIGINAL$,F,1)=
Page 97 and 98:
Examplesreadbootblock:checkinfect:i
Page 99 and 100:
Examplesmov bx,7C00hmov cx,firstsec
show all

virus

Create successful ePaper yourself

Delete template?

Save as template?