Insane Reality issue #8 - (c)opyright 1996 Immortal Riot/Genesis - REALITY.009 Article: Novell Compatibility Author: Rajaat [IRG] % Novell Compatible viruses article by Rajaat [IRG] % _____________________________________________________ This article delves into helping your viruses spread over a Novell network without causing any problems and raising any alarms. Read it, use it, spread, and infect. - _Sepultura_ ============================================================================= How to make your virus Novell Network aware =========================================== It is well known that a virus propagates best in a network environment, like Novell or Windows NT. Most viruses however don't deal properly with networks, and mainly because they don't take networks in account, the virus causes unexplainable errors, making their presence known. It's simple to implement Novell Network awareness in your viruses, with the obvious advantage that the virus will be as inconspiculous as possible and will spread successfully throughout networks. I will give you here some information and programming examples on how to infect on Novell networks. Other examples to make your virus a bit more stable are also included, like detection of device drivers. Detecting Novell ================ A very practical issue for your virus is detecting the presence of a Novell network. This is accomplished very easily if the network shell is NETX.EXE. The following piece of code will detect if you are dealing with a network: mov ax,0db00 int 21 or al,al jz no_novell is_novell: ; ... Novell NETX.EXE shell is loaded no_novell: ; ... Novell NETX.EXE shell is not loaded You will need this in your virus if it tunnels to the original DOS entry point (eventually residing in HMA) and hooks it directly. If your virus gets resident before NETX.EXE is loaded, it will unhook your virus, effectively disabling it. So if you want to use direct interrupt hooking in the DOS segment, you must look a little bit further in that segment. If you look at the first part of the DOS interrupt handler in HMA you will see something like this code: FDC7:40F8Þ FA CLI FDC7:40F9Þ 80 FC 6C CMP AH,6C FDC7:40FCÞ 77 D2 JA 40D0 FDC7:40FEÞ 80 FC 33 CMP AH,33 FDC7:4101Þ 72 18 JC 411B FDC7:4103Þ 74 A2 JZ 40A7 FDC7:4105Þ 80 FC 64 CMP AH,64 FDC7:4108Þ 77 11 JA 411B FDC7:410AÞ 74 B5 JZ 40C1 FDC7:410CÞ 80 FC 51 CMP AH,51 FDC7:410FÞ 74 A4 JZ 40B5 FDC7:4111Þ 80 FC 62 CMP AH,62 FDC7:4114Þ 74 9F JZ 40B5 You can place a hook at FDC7:410C for example, so your handler won't get overwritten by NETX (a direct takes only 5 bytes). Be aware that if you are making a fast infector that uses DOS function 6Ch, you must also place a hook on the address the jump after the CMP AH,6C points to, in this case FDC7:40D0. You must decide for yourself if you want to do this kind of interrupt hooking or using standard chaining if Novell is detected. Keep in mind that if you use standard chaining that Thunderbyte will detect it, but ofcourse you can circumvent it by patching out TBDRIVER in memory, a method already ancient en documented by several virus writers. Beware the rights ================= Novell has this great capability to give users certain rights, so they can't modify as much as they want to. Whatever right the user has, the virus has too. Whatever privilege is denied from the user also applies to the virus. Therefore, we must check extensively on errors while infecting files on a network. The rights that can be given to users for directories are in the list below: You have Supervisor Rights to Directory. (S) * May Read from File. (R) You can read files with this. * May Write to File. (W) You can write to files if you have this right. In most directories where common programs are, this is turned off and causes problems to a huge amount of viruses. May Create Subdirectories and Files. (C) You can create subdirectories and files if this right is set. May Erase Directory. (E) You can remove the directory. Be aware you might not have the rights in the parent to recreate the directory again. This is a common problem with users removing their home directory. May Modify Directory. (M) You can modify the attributes and name of the directory (and the files in this directory), making it hidden or renaming it to another fancy name. It's also comes in handy if you want to set a file to "eXecute only". May Scan for Files. (F) This is needed for getting the files located in this directory. May Change Access Control. (A) This means you can grant other users rights for this directory. * Has no effect on directory. If you want to check a file, you must determine if you have write access to the file, if it's locked because it's not shareable or set to execute only or some other reason that inhibits you writing to the file. Check on carry set after opening a file, writing to a file, setting file date/time and setting the file attributes (including clearing them!). This may seem like a waste of bytes to you, but it's really worth checking for it. Fast infectors ============== Fast infectors are very successful in networks, because if the speeds slows down a bit, it won't be detected as quickly as on a local workstation. There are some problems if you want to infect on DOS function 43h. I discovered it gave problems while running batch files on a network, so better discard it totally. Instead of using DOS function 43h you better take advantage of DOS function 41h, the unlink (delete) function. Normally it's quite a hassle to recover a file, but with Novell, it's so easy with SALVAGE.EXE. Because of this user tend to use it more for recovering files if the are accidentally deleted. If a directory is not set with the "Purge" flag, a file will be infected before it is deleted, so even if the virus is discovered and wiped out, a user might still be able introducing it again by salvaging a deleted file that is infected during the delete process.