40hex nº1:(40HEX-1.002):26/06/1991 << Back To 40hex nº 1
40H Vmag Issue 1 Volume 1 00002 - HOW TO MODIFY A VIRUS SO SCAN WON'T CATCH IT - OR HOW TO CREATE NEW VIRUS STRAINS The problem with most viruses is that this dickhead who lives in California named John Mcafee gets his greedy hands on them and turns them into big bucks -- for him. John boy is the reason there are over 500 viruses out there, and I wouldn't doubt if he weren't resposible for writing at least ten of them. So the best thing to do to some Mcafee dependant sucker, or lame board is this. Say you have a copy of a played out virus, lets say an older one like Armstand or Jerusalem. Almost every virus scanner can detect these viruses cause they been around so long. Now heres a quick way to modify viruses so the scanners wont catch them, in turn making them new strains. The tools you need are -- Norton Utilites Debug and/or Turbo Debugger by Borland Now heres what you do. Step A ------ Make a target file like this with Debug Copy the below file with your editor to a file called SAMPLE.USR ------------------------------------------------------------------------------- n sample.com a int 20 rcx 2 w q ------------------------------------------------------------------------------ Then uses Debug to make the file SAMPLE.COM executing this command -- DEBUG < SAMPLE.USR This will make a two byte called SAMPLE.COM STEP B ------ Infect the file with the virus. If this is a boot sector virus your on your own. Do whatever you have to to infect the two byte file. Make a copy of the file and keep it for safe keeping. STEP C ------ Load up DISKEDIT, which comes with Norton 6.0 (I'm not sure if its in the lower versions) PCTOOLS Hex Editor will work too but it takes more work. Now have DISKEDIT Hex-edit the infected file. Now figure out where the middle of the file is. Next put block on and go to the end of the file. At the end of the file go to the edit screen and select fill. Fill the lower half of the file will nonsense characters, its good to select 255d (FFh) the blank character. Now save your changes and go to DOS Now use SCAN to scan the file for viruses. If it detects the virus you didnt delete the search string that SCAN is searching for. Get it??? You see all SCAN does is search files for strings that are related to viruses. For example if SCAN was looking for CASCADE it look for something like this- EB1DAD1273D1FF121F In every file you specify. So what we are doing is narrowing down where that string is in the virus that SCAN keeps finding. So what you have to do is keep deleting parts of the virus with DISKEDIT untill you finally narrow down the string. Keep this in mind, search strings are in the first 150 bytes of the file about 75% of the time. Ok lets say you narrowed down the search string and lets say it's - B8 92 19 B7 21 CD It will most likly be longer but this an example. Now back to DEBUG - Do the following-- DEBUG E 0100 b8 92 19 b7 21 cd -- this is the string you found Then type -- U This will give you a unassembled look at what the id-string is. In this example it was mov ax,1992h mov bx,21h int 21h Now this is what you have to do, and keep in mind the following --- THE FOLLOWING TAKES A SOMEWHAT KNOWING OF ASSEMBLER AND HOW IT WORKS!!!!!! Uses Turbo Debugger to find the string, you can use DEBUG but I don't know how to do this from debug. Ok say you got the string on the screen -- mov ax,1992h mov bh,21h int 21h Write down the locations in the file where these strings are. Ex 0100h etc.. Now rearrange the AX mov with the BX mov like this --- mov bh,21h mov ax,1992h int 21h You see? You didn't change the way the code functions (THATS IF YOU KNOW WHAT YOUR DOING!) but you changed the codes id-string for SCAN. Now since Turbo Debugger dosent let you save the changes you must do it via - Debug. DEBUG virus.com a 0122 - This is the address of the string Now enter the assembler instructions -- mov bh,21 mov ax,1992h int 21h w q Save it and SCAN it, if SCAN doesn't catch it Congrats. If it does --- back to the lab. Oh well you get the point. One warning, this only works with un-encrypting viruses, or on the encryption mechanism of encrypting files (which will most likely be Scanned). With that in mind, have fun. HR