 |
 |
|||||
 |
 |
 |
 |
 |
 |
|
 |
 |
 |
||||
Compiled HTML
by roy g biv
Compiled HTML
roy g biv / 29A
Former DOS/Win16 virus writer, author of several virus families, including
Ginger (see Coderz #1 zine for terrible buggy example, contact me for better
sources ;), and Virus Bulletin 9/95 for a description of what they called
Rainbow. Co-author of world's first virus using circular partition trick
(Orsam, coded with Prototype in 1993). Designer of world's first XMS swapping
virus (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the rest is
swapped out). Author of world's first virus using Thread Local Storage for
replication (Shrug, see Virus Bulletin 6/02 for a description, but they call
it Chiton), world's first virus using Visual Basic 5/6 language extensions for
replication (OU812), world's first Native executable virus (Chthon), world's
first virus using process co-operation to prevent termination (Gemini, see
Virus Bulletin 9/02 for a description), world's first virus using polymorphic
SMTP headers (JunkMail, see Virus Bulletin 11/02 for a description), world's
first viruses that can convert any data files to infectable objects (Pretext),
world's first 32/64-bit parasitic EPO .NET virus (Croissant, see Virus
Bulletin 11/04 for a description, but they call it Impanate), world's first
virus using self-executing HTML (JunkHTMaiL, see Virus Bulletin 7/03 for a
description), world's first virus for Win64 on Intel Itanium (Shrug, see Virus
Bulletin 6/04 for a description, but they call it Rugrat), world's first virus
for Win64 on AMD AMD64 (Shrug), world's first cross-infecting virus for Intel
IA32 and AMD AMD64 (Shrug), world's first viruses that infect Office
applications and script files using the same code (Macaroni), and world's
first viruses that can infect both VBS and JScript using the same code (ACDC).
Author of various retrovirus articles (eg see Vlad #7 for the strings that
make your code invisible to TBScan). Went to sleep for a number of years.
This is my eighth virus for Win32. It is the world's first virus that can
infect CHM files.
What are CHM files?
Microsoft like to produce new file formats with more and more content. CHM
files allow a single file to contain HTML pages, including graphics and
scripts, something like an archive. They are very careful, though, to avoid
documenting anything, so to create such files generally relies on their tools.
CHMs carry all of the content in a single stream, compressed by the LZX
algorithm. It is almost a solid archive, but contains a periodic state reset,
to make the decompression faster (because it is not necessary to decompress
the entire archive to reach the last file, but start from the last reset point
and decompress from there).
How do we infect them?
When I first considered to infect CHM files, I did not want to rely on any
other DLL to do the work, because I like to code to the lowest level, but that
requires working with the compression. To make it easier, I thought to carry
a compressed version of myself and create my own reset point, but how to get
control? It turns out that the first page to load is not the first file in
the table of contents, but is loaded by a reference in one of the internal
(compresed) streams. I didn't want to carry the LZX decompressor as well, so
I started to look at the Help Helper (HH.EXE). Everyone knows that HH.EXE can
decompile CHM files, and it is done by calling into ITSS.DLL. Who knew that
ITSS.DLL can compile CHM files, too? Amazingly, it contains the compressor,
which means that the only question was how to use it.
So how do we use it?
Even more amazing is that the interface is simply the IStorage interface from
OLE2, exposed by a different DLL. The IStorage implementation in the ITSS.DLL
supports the Read and Write methods, including transparent decompression and
compression. Note that I do not say "recompression", because writing to an
existing CHM file is not allowed. Instead, it is necessary to create a new
file and write to that, then replace the old file with the new file.
Let's load ITSS
We load the ITSS DLL by calling CoCreateInstance(), with the ITSS interface
parameters. This assumes that you are familiar with COM programming.
The CLSID is {5D02926A-212E-11D0-9DF9-00A0C922E6EC}.
The RIID is {88CC31DE-27AB-11D0-9DF9-00A0C922E6EC}.
The returned interface pointer can be passed to StgOpenStorage() to open any
CHM file. The EnumElements and Next methods can be used to see the storages
and streams, the OpenStream and OpenStorage methods can be used to open them,
and the Read method can be used to read streams. For the destination file,
there is the StgCreateDocfile() to create a new file, CreateStream and
CreateStorage methods to create them, and the Write method to write streams.
How to get control?
The method that I chose to get control was to alter the HTM files to include
my code. Initially, I tried to package my entire code within the HTM files,
but there were many problems with that idea. One problem was the need to
script an ActiveX control to create a file, which triggers a security warning.
The next problem was how to deliver a binary from a text-only file format.
Many people seem to rely on the chr() function to convert ASCII to binary, but
this is unreliable on DBCS systems whenever the 8th bit is set. To solve that
problem, I created a new executable-ASCII engine which is much smaller than
the one in Junkmail, but functionally equivalent. This created a new problem
because it drops an executable-ASCII com file which relies on the 16-bit
subsystem to run, so it was very slow and noticeable. I'll find a use for it.
Finally, I decided to be scriptless and use an additional file, this way:
<object classid='clsid:1baddeed'codebase=.exe'></object>
and .exe is the name of the file that I add after all files are infected.
The problem with that is the table of contents now contains a unique filename
that could be used as a heuristic detection, but you can always change it in
the code.
Greets to friendly people (A-Z):
Active - Benny - Obleak - Prototype - Ratter - Ronin - RT Fishel -
sars - The Gingerbread Man - Ultras - uNdErX - Vecna - VirusBuster -
Whitehead
rgb/29A apr 2005
iam_rgb@hotmail.com