HACKING LESSON 14

VIRUS: Vital Information & Resources Under Siege

Composition of a Virus – every computer virus must have two parts:

First - A Search Routine

Second - Routine to copy itself

The search routine searches the disk for targets in order to spread the infection, i.e. this routine decides what to infect.

The copy routine copies the virus into the target found by the search routine.

The size of the virus depends on its target and on how fast it is meant to spread the infection.

Viruses are usually written in assembly language because it provides all the functionality the program needs to jump from one target to another. This does not mean that one cannot code a virus in a high-level language such as C, Pascal or Basic, but assembly language gives direct control over the computer's resources, so they can be used exactly as the programmer wants.

Note: If you are not familiar with assembly language instructions, then this and the next two or three articles are of no use to you.

The aim of this article is just to give you a feel for virus programming; no effort will be made to teach anyone full-fledged virus programming.

In order to explain the process we are taking the example of a very simple virus which infects .COM files.

In order to understand the programming we must first learn some of the basic DOS functions, i.e. how DOS works.

Open the DOS prompt and type anything that does not exist, e.g. type “vedjhwe”; you will get the following result: “‘vedjhwe’ is not recognized as an internal or external command, operable program or batch file”.

This means that whenever a user enters the name of a program at the DOS prompt, DOS begins to look for that file: first with a “.com” extension (command file), then with an “.exe” extension (operable program), then with a “.bat” extension (batch file). If it does not find any of these, it displays the above message or “Bad command or file name”.

In order to execute a COM file, DOS first checks whether there is enough memory to run the program, and if memory is available DOS loads it. DOS also records how much memory it is giving to the program so that there is no memory clash. Next, DOS builds the PSP (Program Segment Prefix, a block of memory) at offset 0 of the program's segment. Finally, the program itself is loaded into memory just above the PSP, starting at offset 100H. Some of the CPU registers must be set to predetermined values for the COM program to run properly. After all this initial work is done, DOS passes control to the program.


Designing the Virus

In order for a virus to reside inside a COM file, it must get control passed to its own code. The easiest place to take control is at the very beginning of the program, because once the program is already running it is very difficult to gain control over it.

To gain control, the virus must replace the first few bytes of the COM file with a jump instruction to the virus code, which can be attached at the end of the COM file. So, when the COM file is executed, it jumps to the virus code, which in turn starts looking for more files of the same type in order to spread the infection. When the virus is done, it returns control to the host program (the COM program): it restores the initial few bytes it replaced and then jumps back to offset 100 Hex, where the original program begins.
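The two passages above (how DOS loads a COM image at offset 100H, and how an appended infector overwrites the entry point with a jump to its own code at the end of the file) describe a pattern that a defender can look for. The following Python script is an added example, not code from the original article: it decodes a leading short or near JMP in a .COM image using the 100H load convention, converts the jump target back to a file offset, and flags images whose entry jump lands in the tail of the file. The sample images, the `build_*` helpers and the 25% tail threshold are constructed assumptions for the demonstration; this is a triage heuristic, since some packers and legitimate programs also begin with a JMP.

```python
"""Heuristic check for the 'JMP to appended code' pattern in DOS .COM images.

A .COM program is loaded at offset 100h of its segment (the PSP occupies
0..FFh), so the byte at file offset f executes at address 100h + f.
An appended infector overwrites the first bytes with a JMP whose target
lies near the end of the file; this script decodes that jump and reports
whether it points into the file's tail.
"""
import struct

COM_LOAD_OFFSET = 0x100   # first program byte sits just above the 256-byte PSP


def decode_entry_jump(image: bytes):
    """Return the file offset targeted by a JMP at offset 0, or None when the
    first instruction is not a JMP. Relative targets are computed from the
    address of the instruction that follows the JMP, exactly as the CPU does."""
    if len(image) >= 3 and image[0] == 0xE9:            # JMP rel16 (3 bytes)
        rel = struct.unpack_from("<h", image, 1)[0]
        target_addr = COM_LOAD_OFFSET + 3 + rel
    elif len(image) >= 2 and image[0] == 0xEB:          # JMP rel8 (2 bytes)
        rel = struct.unpack_from("<b", image, 1)[0]
        target_addr = COM_LOAD_OFFSET + 2 + rel
    else:
        return None
    return target_addr - COM_LOAD_OFFSET                # back to a file offset


def looks_like_appended_infection(image: bytes, tail_fraction: float = 0.25) -> bool:
    """True when the entry JMP lands inside the last `tail_fraction` of the
    image. Out-of-range targets are not flagged here (they are a different
    anomaly, not the appended-code pattern)."""
    target = decode_entry_jump(image)
    if target is None or not (0 <= target < len(image)):
        return False
    return target >= int(len(image) * (1 - tail_fraction))


def build_clean_sample() -> bytes:
    """Constructed: a tiny program with no leading jump (MOV AH,09h ... INT 21h; RET)."""
    return bytes([0xB4, 0x09, 0xBA, 0x00, 0x00, 0xCD, 0x21, 0xC3])


def build_jump_over_data_sample() -> bytes:
    """Constructed: a legitimate layout that starts with a short JMP over a
    small data table to code at offset 0x10, followed by filler."""
    rel8 = 0x10 - 2                                     # target 0x10, JMP is 2 bytes
    return bytes([0xEB, rel8]) + b"\x00" * 14 + b"\x90" * 184


def build_infected_looking_sample() -> bytes:
    """Constructed: a 200-byte host whose first three bytes were overwritten
    with a near JMP to 50 bytes of appended code at offset 200. No real
    payload is involved; the tail is inert filler."""
    host_len, tail_len = 200, 50
    rel16 = (COM_LOAD_OFFSET + host_len) - (COM_LOAD_OFFSET + 3)
    entry = bytes([0xE9]) + struct.pack("<h", rel16)
    return entry + b"\x90" * (host_len - 3) + b"\x00" * tail_len


def classify(image: bytes) -> str:
    target = decode_entry_jump(image)
    if target is None:
        return "no entry JMP"
    verdict = "SUSPICIOUS" if looks_like_appended_infection(image) else "ok"
    return f"entry JMP -> file offset {target:#06x} of {len(image):#06x}: {verdict}"


if __name__ == "__main__":
    for name, sample in [("clean", build_clean_sample()),
                         ("jump-over-data", build_jump_over_data_sample()),
                         ("infected-looking", build_infected_looking_sample())]:
        print(f"{name:18} {classify(sample)}")
```

The important detail is the address arithmetic: a near JMP's displacement is relative to the address after the 3-byte instruction, so an entry at 100H with target 100H + N encodes a displacement of N - 3, and converting back subtracts the 100H load offset to recover the file offset. On real files, run the check on a directory of .COM images and review the flagged ones by hand rather than treating the verdict as proof of infection.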


... will continue
