Copy Link
Add to Bookmark
Report
40Hex Issue 01 File 002
40H Vmag Issue 1 Volume 1 00002
- HOW TO MODIFY A VIRUS SO SCAN WON'T CATCH IT -
OR
HOW TO CREATE NEW VIRUS STRAINS
The problem with most viruses is that this dickhead who lives in California
named John Mcafee gets his greedy hands on them and turns them into big
bucks -- for him. John boy is the reason there are over 500 viruses out
there, and I wouldn't doubt if he weren't resposible for writing at least
ten of them.
So the best thing to do to some Mcafee dependant sucker, or lame board is
this.
Say you have a copy of a played out virus, lets say an older one like
Armstand or Jerusalem. Almost every virus scanner can detect these
viruses cause they been around so long. Now heres a quick way to modify
viruses so the scanners wont catch them, in turn making them new strains.
The tools you need are --
Norton Utilites
Debug and/or
Turbo Debugger by Borland
Now heres what you do.
Step A
------
Make a target file like this with Debug
Copy the below file with your editor to a file called SAMPLE.USR
-------------------------------------------------------------------------------
n sample.com
a
int 20
rcx
2
w
q
------------------------------------------------------------------------------
Then uses Debug to make the file SAMPLE.COM executing this command --
DEBUG < SAMPLE.USR
This will make a two byte called SAMPLE.COM
STEP B
------
Infect the file with the virus. If this is a boot sector virus your on
your own. Do whatever you have to to infect the two byte file.
Make a copy of the file and keep it for safe keeping.
STEP C
------
Load up DISKEDIT, which comes with Norton 6.0 (I'm not sure if its in the
lower versions) PCTOOLS Hex Editor will work too but it takes more work.
Now have DISKEDIT Hex-edit the infected file.
Now figure out where the middle of the file is. Next put block on and
go to the end of the file. At the end of the file go to the edit screen and
select fill. Fill the lower half of the file will nonsense characters, its
good to select 255d (FFh) the blank character.
Now save your changes and go to DOS
Now use SCAN to scan the file for viruses. If it detects the virus you
didnt delete the search string that SCAN is searching for. Get it???
You see all SCAN does is search files for strings that are related to viruses.
For example if SCAN was looking for CASCADE it look for something like this-
EB1DAD1273D1FF121F
In every file you specify. So what we are doing is narrowing down where that
string is in the virus that SCAN keeps finding.
So what you have to do is keep deleting parts of the virus with DISKEDIT
untill you finally narrow down the string.
Keep this in mind, search strings are in the first 150 bytes of the file
about 75% of the time.
Ok lets say you narrowed down the search string and lets say it's -
B8 92 19 B7 21 CD
It will most likly be longer but this an example.
Now back to DEBUG - Do the following--
DEBUG
E 0100 b8 92 19 b7 21 cd -- this is the string you found
Then type --
U
This will give you a unassembled look at what the id-string is. In this
example it was
mov ax,1992h
mov bx,21h
int 21h
Now this is what you have to do, and keep in mind the following ---
THE FOLLOWING TAKES A SOMEWHAT KNOWING OF ASSEMBLER AND HOW IT WORKS!!!!!!
Uses Turbo Debugger to find the string, you can use DEBUG but I don't know
how to do this from debug.
Ok say you got the string on the screen --
mov ax,1992h
mov bh,21h
int 21h
Write down the locations in the file where these strings are. Ex 0100h etc..
Now rearrange the AX mov with the BX mov like this ---
mov bh,21h
mov ax,1992h
int 21h
You see? You didn't change the way the code functions (THATS IF YOU KNOW
WHAT YOUR DOING!) but you changed the codes id-string for SCAN.
Now since Turbo Debugger dosent let you save the changes you must do it
via - Debug.
DEBUG virus.com
a 0122 - This is the address of the string
Now enter the assembler instructions --
mov bh,21
mov ax,1992h
int 21h
w
q
Save it and SCAN it, if SCAN doesn't catch it Congrats. If it does ---
back to the lab. Oh well you get the point.
One warning, this only works with un-encrypting viruses, or on the
encryption mechanism of encrypting files (which will most likely be Scanned).
With that in mind, have fun.
HR