Compiling and Testing the Virus

To compile the virus code, you'll need the FASM assembler; a free Windows build is available at http://flatassembler.net/ . Other assemblers, such as MASM and TASM, won't do here, because they use a different Assembly syntax.

Download FASM, unpack the archive, and run the following from the command line: fasm.exe xcode.asm . If everything went right, the file xcode.exe appears on the disk. Start it with the --* command-line option followed by the name of the target file. For example, to infect notepad.exe, issue: xcode.exe --* notepad.exe . A dialog box pops up reporting successful insertion (Fig. 22.3). If it doesn't appear, the infection attempt has failed; make sure you have write access to the target file and that the file resides on an NTFS volume, since the virus stores the original program in an alternate data stream. The virus makes no attempt to obtain those rights on its own, at least for now.

Figure 22.3: The file has been infected successfully

Start the infected notepad.exe. To announce its presence, the virus immediately displays a dialog box and, after you press OK, passes control to the original program code (Fig. 22.4).

Figure 22.4: Reaction of the infected file when started for execution

It is better to remove this dialog from the final version of the virus and replace it with a custom payload. What that payload does depends entirely on the intentions and imagination of the virus writer; it could, for example, turn the screen upside down.

The infected file has all the self-reproduction capabilities it needs and can in turn infect other executables, for example, notepad.exe --* sol.exe . No sane user will infect files from the command line, though, and this virus contains no routine for finding its next "victim." The virus writer would have to add such a routine to the virus body independently. If you decide to do so, bear in mind the author's reasoning: a virus like the one presented here is not a crime, because it carries out no destructive activity and does not infect files on its own, so it cannot be considered a malicious program. Adding a malicious payload and a routine that lets the virus locate targets on its own, however, turns it into a malicious program, which is a crime in most jurisdictions.

Therefore, it would be better to find another direction for improving the virus. When an already infected file is infected again, the current version irreversibly overwrites the original code (which now sits in the eatthis stream) with the virus body, and the file ceases to work. Is it possible to overcome this problem? Yes: add a check for infection before copying the virus into the file. Call CreateFile with OPEN_EXISTING, passing the file name with the stream name appended (for example, notepad.exe:eatthis ), and consider the result. If the call fails and GetLastError returns ERROR_FILE_NOT_FOUND, the file has no eatthis stream, which means it hasn't been infected yet; a failure for any other reason (access denied, a volume that isn't NTFS) says nothing about infection and is best treated as "leave this file alone." If the file opened successfully, it has already been infected (close the handle), in which case either abandon the idea of infecting it or choose another stream name: eatthis_01, eatthis_02, eatthis_03 , etc.

Another problem is that the virus doesn't restore the length of the target file: after insertion the main data stream shrinks to 4 KB (the size of the current version of xcode.exe), because the original contents now live in the alternate stream. That's too bad! The dirty trick is noticed at once (an explorer.exe of 4 KB looks suspicious), and the user will certainly reach for the antivirus. However, what could be simpler than saving the length the target file had before insertion, copying the virus body into it, then opening the file for writing, calling SetFilePointer to move the file pointer to the original size, and calling SetEndOfFile to extend the file to that size? (SetFilePointer alone does not change a file's length; the bytes added by SetEndOfFile read back as zeros and lie past the end of the PE image, so they don't disturb the virus code.)

These are minor details. The main thing is that the virus has been written. Now the virus writer can improve the code by extending its functionality; after all, viruses exist for more than mindless self-reproduction. Each one has its own mission and its own goal, such as planting a back door or sniffing passwords.

The suggested insertion strategy is naturally not ideal. However, it is better than registering the virus in the system registry, which is watched over by lots of monitors , disinfectors , etc. By the way, clever virus writers, to avoid damage from their own creations, must always keep an antidote at hand. The following batch file retrieves the original file contents from the eatthis stream of the file named on its command line and writes them to reborn.exe (Listing 22.2).

Listing 22.2: Batch file for recovery of infected files
 REM %1 is the infected file; its eatthis stream holds the original program
 more < %1:eatthis > reborn.exe
 ECHO I'm reborn now!
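The infection check described above (does file:eatthis open or not?), the shrunken main stream, and the recovery performed by Listing 22.2 can all be done from PowerShell, which understands NTFS alternate data streams natively. The script below is an added example written for this edition, not code from the book: it assumes the stream name eatthis exactly as the virus uses it, that the victim sits on an NTFS volume, and that the original program was stored in the stream byte for byte; the function names (Test-EatThisInfection, Find-EatThisVictims, Restore-EatThisVictim) and the sample paths are this example's own.

```powershell
# Added example (not code from the book): hunt for, inspect and undo an "eatthis"
# infection from PowerShell, which handles NTFS alternate data streams natively.
# Assumptions: the victim lives on an NTFS volume, the virus stored the original
# program verbatim in the stream named "eatthis", and the main stream now holds
# the ~4 KB virus body. Function names and sample paths are this example's own.

function Test-EatThisInfection {
    param([Parameter(Mandatory)][string]$Path)
    # The same test the virus could do with CreateFile on "file:eatthis":
    # the stream either opens or it does not. A missing stream becomes $null
    # instead of an error.
    $stream = Get-Item -LiteralPath $Path -Stream 'eatthis' -ErrorAction SilentlyContinue
    return [bool]$stream
}

function Get-StreamBytes {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Stream)
    # Raw byte read of one alternate data stream. The byte-mode switch was renamed
    # between Windows PowerShell 5.1 (-Encoding Byte) and PowerShell 7
    # (-AsByteStream); -Raw returns the whole stream as a single byte[].
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        return [byte[]](Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw)
    }
    return [byte[]](Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw)
}

function Find-EatThisVictims {
    param([string]$Root = '.')
    # Walk a directory tree and report every executable carrying an "eatthis"
    # stream, with the size discrepancy the chapter warns about: the main stream
    # has shrunk to the virus body, while the original length sits in the stream.
    Get-ChildItem -LiteralPath $Root -Filter '*.exe' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { Test-EatThisInfection -Path $_.FullName } |
        ForEach-Object {
            [pscustomobject]@{
                File           = $_.FullName
                MainStreamSize = $_.Length
                OriginalSize   = (Get-Item -LiteralPath $_.FullName -Stream 'eatthis').Length
            }
        }
}

function Restore-EatThisVictim {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OutFile = 'reborn.exe'   # same output name as the book's batch file
    )
    if (-not (Test-EatThisInfection -Path $Path)) {
        Write-Warning "$Path has no 'eatthis' stream; nothing to restore."
        return $null
    }
    $original = Get-StreamBytes -Path $Path -Stream 'eatthis'
    $expected = (Get-Item -LiteralPath $Path -Stream 'eatthis').Length

    # Checks worth doing before trusting the result. The book's batch file pipes
    # the stream through more.com, a text filter that expands tabs, so its output
    # can differ from the stream for a binary; a raw byte copy cannot.
    if ($null -eq $original -or $original.Length -ne $expected) {
        throw "read $($original.Length) bytes but the stream is $expected bytes long"
    }
    if ($original.Length -lt 2 -or $original[0] -ne 0x4D -or $original[1] -ne 0x5A) {
        throw "recovered data does not start with the 'MZ' PE signature"
    }

    # .NET resolves relative paths against the process working directory, not
    # PowerShell's current location, so make the output path absolute first.
    if (-not [System.IO.Path]::IsPathRooted($OutFile)) {
        $OutFile = Join-Path (Get-Location).ProviderPath $OutFile
    }
    [System.IO.File]::WriteAllBytes($OutFile, $original)

    [pscustomobject]@{
        Victim         = $Path
        MainStreamSize = (Get-Item -LiteralPath $Path).Length   # the ~4 KB virus body
        OriginalSize   = $expected
        Restored       = $OutFile
    }
}

# Usage (interactive, on the machine holding the infected file):
#   Find-EatThisVictims -Root 'C:\Tools'              # list infected executables under a directory
#   Restore-EatThisVictim -Path '.\notepad.exe'       # rebuild reborn.exe from the eatthis stream
#   Get-Item -LiteralPath '.\notepad.exe' -Stream *   # every stream, including the main ':$DATA'
```

Once reborn.exe has been verified, replacing the infected file with it (or copying the original back and then deleting the stream with Remove-Item -LiteralPath notepad.exe -Stream 'eatthis') removes the trace the virus left behind; a plain copy to a FAT volume or a non-NTFS-aware archiver would silently drop the stream, and with it the only copy of the original program.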
 


Source: Shellcoder's Programming Uncovered (Uncovered series), ISBN 193176946X, 2003, 164 pages.