roy g biv presents

How to fool TBSCAN without changing code!

Have you ever wondered why TBScan doesn't detect itself as a virus? The answer is that it has a list of signatures of files to skip. These signatures are located at the entry point of the file in question, ie. offset 100h for .COM files, CS:IP for .EXE files.

For .COM files, use '24h 21h' as the first 2 bytes; for .EXE files, use 'B8 8C D3 15 33 xx' as the first 6 bytes. For one string for both files, use '8B E8 8C F0 4F EB 06 D0 00 80 00 80 40'.

The only flags that will be set are the ones that were already set (excepting the 'p' (packed) flag, which is set wherever specified):

c  no checksum
C  checksum data do not match
h  hidden or system attribute set
T  invalid date/time stamp
N  .com file beginning with MZ, or ZM, or .exe file not beginning with MZ, or ZM
   (if you do this on purpose, all signatures become 'both', instead of 'com only' or 'exe only')
!  .EXE relocation table offset >= 200h, or .EXE CS:IP > header filesize
w  windows or os/2 file
K  odd stack, or SS=CS
?  .EXE header size >= file size, or .EXE maxalloc < minalloc, or .EXE header filesize > directory filesize,
   or .EXE header filesize + minalloc < stack segment + stack offset
i  .EXE header filesize+128 < directory filesize, and not a windows file

And here is the list (from version 6.51).

'xx' is a single-byte wildcard.

'checksum' uses the following algorithm:
1. set sum to 0
2. double sum
3. add byte to sum
4. if sum > 8000h, xor sum with A097h
5. decrement count
6. if count > 0, goto 2

This leaves a wide scope for potential code that will suffice. (hint: the only thing of interest is the sign bit in the lower byte.) eg. for the string '8B E8 8C' [checksum 0ah bytes] = 646E (non-packed 'both'), use 'F0 4F EB 06 D0 00 80 00 80 40'.

Signature | Affects | Flag set
00 04 9A 68 | com |
06 0E 1F [checksum 0ah bytes] = 7F68 | both | packed
0D 0A | com |
0E 1F BA [sum 8 bytes] = 1C6D | exe |
1E 50 B8 [checksum 0bh bytes] = 59CA | exe |
20 20 | com |
24 21 | com |
24 20 | com |
2E 8C 1E B2 00 | both |
2E 8C 1E [checksum 0ah bytes] = 1CE6 | both | packed
2E C5 36 xx [scan 5 bytes for] 00 C7 44 12 81 00 | exe |
2E 8C 1E D0 02 | both |
2E FF 26 xx 01 xx xx 38 | com |
30 C9 90 74 03 FA | exe |
38 20 xx 2D 6C 68 35 | com | packed
4D 4A xx xx xx xx xx 00 20 00 | com |
50 4B | com | packed
50 9C FC [checksum 0ah bytes] = 649D | com |
50 06 8C [checksum 0ch bytes] = 1BA0 | exe |
53 5A 44 [checksum 6 bytes] = 1C3 | com |
53 5A | both | packed
58 5A 8F 06 06 | exe |
60 EA | com | packed
87 C0 EB 0B xx 01 02 | exe |
8B E8 8C [checksum 0ah bytes] = 646E | both |
8C C0 8C [checksum 6 bytes] = 1200 | exe |
8C C0 05 [checksum 0ah bytes] = 2384 | exe | packed
90 90 90 [checksum 0ch bytes] = 235C | exe |
9A xx xx xx xx 9A | exe |
9A 20 00 xx xx 9A 33 01 xx xx BA 15 xx CD 3F | exe |
9C 55 56 8C CD 83 C5 10 8D B6 xx xx 56 BE | exe | packed
A8 00 30 [checksum 5 bytes] = 2D0 | com |
B4 30 CD [checksum 0bh bytes] = 1872 | exe |
B4 30 CD 21 [checksum 7 bytes] = B3A | exe |
B4 30 CD 21 86 E0 2E A3 xx xx 3D 00 02 | exe |
B8 8C D3 15 33 (this is tbscan) | exe |
B8 xx xx BA xx xx 8C DB 03 D8 3B 1E 02 | both | packed
B8 xx xx BA xx xx 3B C4 73 xx 8B C4 2D | both | packed
B8 xx xx BA xx xx 05 00 00 3B 06 02 00 | both | packed
BA xx xx 0E 1F B4 [checksum 7 bytes] = 1A19 | exe |
BA xx xx 2E 89 16 xx xx B4 30 CD 21 8B | exe |
BA 6C 00 [checksum 0ah bytes] = 5321 | exe | packed
BB 02 00 B8 xx xx 8B 0F 2B [checksum 8 bytes] = 4167 | exe |
BC 9C 17 8C C8 | com |
BD xx xx 50 06 8C [checksum 8 bytes] = 6B53 | exe | packed
BE xx xx 50 53 51 [checksum 0eh bytes] = 432D | com | packed
BF xx xx A1 02 00 2E A3 xx xx 2B C7 3D 00 10 | exe |
BF xx xx 8E DF FA 8E D7 81 C4 xx xx FB B4 30 CD 21 A2 xx 00 | exe |
BF xx xx 8B 36 02 00 2B F7 81 FE xx xx 72 03 | exe |
E8 53 00 [checksum 5 bytes] = 508 | exe |
E8 xx 01 54 68 69 73 20 70 | exe |
E8 xx xx 73 03 B8 [checksum 5 bytes] = 1CE | exe |
E8 20 00 4D 5A xx xx xx xx 00 00 02 | exe |
E8 8D 05 2E FF | exe |
E9 FB 65 [checksum 6 bytes] = 5A8 | com |
E9 1A 02 [checksum 7 bytes] = 13D | both |
E9 70 21 [checksum 6 bytes] = 8BF | com |
EB 44 xx xx xx xx 57 69 6E 64 | exe |
EB 13 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx BB FF FF [checksum 6 bytes] = 1BF9 | exe | packed
EB 0A xx xx xx xx xx xx xx CA 04 00 | exe |
EB 60 xx xx xx xx 4C 48 61 | exe | packed
EB 78 xx 00 4C 48 27 | exe | packed
EB 79 xx 00 4C 48 41 | exe | packed
EB 10 C0 [checksum 5 bytes] = 90 | exe |
EB 18 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 58 4C 44 52 xx xx B4 30 | exe |
EB 0C D4 0F FB 81 06 | com |
F9 9C EB 09 xx xx 0A 00 | both | packed
FA FC B8 xx xx 8E D8 8C 06 xx xx 26 8B | exe |
FC 2E 8C [checksum 8 bytes] = 2C43 | exe | packed
FC FA 2E [checksum 0ch bytes] = DAD | both |
FC 06 1E [checksum 8 bytes] = 20D0 | exe |
FF 57 50 43 | com |
FF FF FF FF | exe |
FF FF [checksum 0dh bytes] = 52 F9 | win |
FF FF FF 00 2B 20 | com |
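The practical use of a list like this for a defender is the inverse of what the article describes: an auditor can check which files on a system have entry-point bytes that a scanner with such a skip list would silently pass over. The script below is an added example and is not TBScan's code or roy g biv's; it implements the six-step checksum exactly as the article states it, under the assumptions that the sum is a 16-bit value (doubling wraps), that the '> 8000h' test is made after the byte is added, and that '[checksum N bytes]' covers the N bytes immediately following the literal prefix. It parses entries in the table's own notation (hex bytes, 'xx' wildcards, '[checksum N bytes] = V' with 'h'-suffixed hex counts), locates the entry point the way the article says (first byte of a .COM, header-relative CS:IP of an MZ .EXE), and reports the skip-list entries a file matches. The embedded SKIP_LIST is a small constructed subset copied from the page's table, and the '[scan N bytes for]' form is not handled.

```python
"""Audit helper: which TBScan-style skip-list entries does a file's entry point match?

Added example, not TBScan's own code. Assumptions: 16-bit checksum arithmetic,
'> 8000h' tested after the add, checksum window starts right after the literal prefix.
"""
import re


def tb_checksum(data: bytes) -> int:
    """Steps 1-6 from the article: double, add byte, xor with A097h if sum > 8000h."""
    total = 0
    for b in data:
        total = (total * 2 + b) & 0xFFFF   # assumption: 16-bit register, carry discarded
        if total > 0x8000:
            total ^= 0xA097
    return total


# '[checksum 0ah bytes] = 646E' or '[sum 8 bytes] = 1C6D'; count is hex when 'h'-suffixed
_CK = re.compile(r"\[(?:checksum|sum)\s+([0-9a-f]+)(h?)\s+bytes\]\s*=\s*([0-9a-f]+)", re.I)


def parse_signature(text: str):
    """Return (prefix_tokens, checksum) where tokens are ints or None for 'xx',
    and checksum is (byte_count, expected_value) or None."""
    ck = None
    m = _CK.search(text)
    if m:
        count = int(m.group(1), 16 if m.group(2) else 10)
        ck = (count, int(m.group(3), 16))
        text = text[: m.start()]
    tokens = [None if tok.lower() == "xx" else int(tok, 16) for tok in text.split()]
    return tokens, ck


def matches(entry: bytes, tokens, ck) -> bool:
    """Literal prefix (with wildcards) must match, then the checksum window if any."""
    if len(entry) < len(tokens):
        return False
    if any(want is not None and want != got for want, got in zip(tokens, entry)):
        return False
    if ck is None:
        return True
    count, expected = ck
    window = entry[len(tokens): len(tokens) + count]
    return len(window) == count and tb_checksum(window) == expected


def entry_point_bytes(image: bytes, n: int = 64) -> bytes:
    """.COM: the file image starts at the entry point (loaded at 100h).
    .EXE: entry = header paragraphs*16 + CS*16 + IP, read from the MZ header."""
    if image[:2] in (b"MZ", b"ZM") and len(image) >= 0x18:
        cparhdr = int.from_bytes(image[0x08:0x0A], "little")
        ip = int.from_bytes(image[0x14:0x16], "little")
        cs = int.from_bytes(image[0x16:0x18], "little")
        off = cparhdr * 16 + cs * 16 + ip
        return image[off: off + n]
    return image[:n]


# Constructed subset of the page's table: (signature text, affects, packed flag)
SKIP_LIST = [
    ("24 21", "com", False),
    ("B8 8C D3 15 33 xx", "exe", False),
    ("8B E8 8C [checksum 0ah bytes] = 646E", "both", False),
    ("B4 30 CD [checksum 0bh bytes] = 1872", "exe", False),
    ("50 4B", "com", True),
]


def skip_list_hits(image: bytes, kind: str):
    """List the (signature, packed) entries whose 'affects' covers `kind`
    ('com' or 'exe') and whose pattern matches the file's entry-point bytes."""
    ep = entry_point_bytes(image)
    hits = []
    for sig, affects, packed in SKIP_LIST:
        if affects not in (kind, "both"):
            continue
        tokens, ck = parse_signature(sig)
        if matches(ep, tokens, ck):
            hits.append((sig, packed))
    return hits


if __name__ == "__main__":
    # Constructed sample: a .COM whose first two bytes are the article's '24 21'
    sample_com = bytes.fromhex("2421") + b"\x90" * 14
    print(skip_list_hits(sample_com, "com"))
```

Running the script over a directory of real .COM/.EXE files is a one-line loop around skip_list_hits; any hit is a file the scanner would have excused from scanning on the strength of its first few bytes alone, which is the property the article is exploiting and the one an auditor wants surfaced.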