Assignment 4 Introduction

Assembly TA Wei-Yen Day

Computer Virus Basic

• A program attaches itself to another program

• Reproduces itself

• Executed later and create more copies

– 1.COM-> 2.COM 3.COM …

• It can certainly dig into your computer and do things you don’t want

Structure of Virus

• 2 basic routine!

– Search

– Copy itself

• More routine are a bit more complex

– Anti-detection

– Anti-anti-virus

Virus Classification

• According to the types of programs they infect

– They may infect COM, EXE, or SYS files

• Note that a virus can be written to infect any kind of code

– C, Basic, a batch file, a Paradox or Dbase program

COM File Structure

• When one enters the name of program,

– DOS begins looking for COM, EXE, and BAT

• COM files are much simpler

– They have predefined segment format

– EXE files’ format are defined by programmer

– COM file is a direct binary image of what should be put into memory and executed by CPU

Assignment 4: Justin Virus

Goal

• Infect all .COM programs under the same folder and print some mischievous lines

Overview

Virus Symbol

• Retain 5 bytes– 3 bytes for jmp

– 2 bytes for mark of virus

• Infect a ?? program when the virus is executed– nop

– nop

– nop

– nop

– nop

More About Virus

Checking Memory

• Compute the size from normal program to “here”

• Actually program size

– We call it “si”

– pop si ;si is p1+p2

– sub si, offset here ;then si is p2

• All the memory address about virus should add “si”

Recover Original Program

• Due to the first execution, we should add 5 nop to allocate space (see p.7)

• Recover original program to memory (P1)– mov ax, word ptr ds:FIRST_5_BYTE[si]

– mov ds:[100h], ax

– mov ax, word ptr ds:FIRST_5_BYTE[si+2]

– mov ds:[100h+2], ax

– mov al, word ptr ds:FIRST_5_BYTE[si+4]

– mov ds:[100h+4], al

Write Back P1

Print Mischievous Word

• Print some mischievous words

• When the infected file is executed, it would print the words virus produced first

• Infect others

Search Next File(1)

• FIND_FILE– mov dx,OFFSET COM_MASK ;search for COM files

– mov ah,4EH ;DOS find first file function

– xor cx,cx ;CX holds all file attributes

• FIND_LOOP– int 21h

– jc FIND_EXIT ;Exit if no files found

– call FILE_OK ;file OK to infect?

– jc FIND_NEXT ;nope, look for another

Search Next File (2)

• FIND_EXIT

– ret ;else return with z set

• FIND_NEXT

– mov ah,4FH ;DOS find next file function

– jmp FIND_LOOP ;Try finding another file

• COM_MASK BYTE '*.COM',0

• FILE_OK

– Check if the virus pattern exist

File OK, Infect It

• Back up the first 5 bytes from original program

• Copy virus itself to the program

• Move the pointer to head, and write first 5 bytes

– Write v1

– 3 bytes are jmp

– 2 bytes are pattern

• Infect next file

The Infecting Mission is Done!

• Let’s take a over view again:

• 1. Check Memory (store p2 size)

• 2. Recover original program

• 3. Print Lines

• 4. Search File to Infect

• 5. Infect it

• 6. Loop 3. 4.

• 7. If no file cab be infected, then the mission completed

Procedure of Justin

DEMO

Assignment 4 Note

• The .COM files (files your virus must infect) is here

– http://wyday.csie.ntu.edu.tw/good_com.zip

• When you compile your code to produce a virus, the anti-virus software in your computer might alert

– Try to set your anti-virus software to not detect the folder your virus is in

Checking Scenario

• The following is the judgment of assignment 4:– If your virus can infect a .COM file (copy itself to

attach another), you can get basic score– If your virus can infect all .COM files under the same

folder, you can get a better score– If your virus can infect all .COM files under the same

folder, and when you open the infected file, it infects all other files, you get a nice score

• If your virus can do all of above, and can avoid infecting files repeatedly, you do a good job!– If your virus crash my computer, I would …

Now it’s your turn!

• Don’t just copy my code, think about it at first

• Actually it’s a simple virus, and it’s an easy work

• If you have any problem, google it! XD

• You can also discuss with me for sure

• Good luck to you guys!