--==< Retro the easy way. >==-- By MidNyte, February 2000 What is a Retro-virus? ------------------------- A Retro-virus is any virus that attacks antivirus programs, whether generically or just specific programs. It is generally used to disable or fool one or more of the popular antivirus programs. For instance, a certain virus will detect if a certain on-access scanner is in memory, and will issue the correct call to shut it down if it is. Another will patch the resident part of the scanner that decides whether to scan a file or not and makes it decide not to in all cases. These are very useful functions, but if you're not of the ability to be able to work out these methods for yourself, you are left with the choice of: leaving retro-functions out of your virus, using other peoples routines (which are therefor not new) or trying something different. That is what this tutorial is about, a few simple ideas that will give basic retro-functionality without the need to be too far advanced in coding. All you need is some basic anti-emulation skills. What's the theory? --------------------- So how do we get Retro without learning it all? Basically we find ways to annoy the user so much that he does the job of disabling the antivirus program for us. If we slow him down when he scans he will probably eventually only scan overnight, giving us a day to spread. If we make the program crash he probably won't bother scanning it again, he'll just add it to the ignore list. (It's not that uncommon to find a file that can't be scanned without crashing on a Microsoft machine :) How do we implement it? -------------------------- You remember reading that a good emulator will save it's place when it finds a decision-based jump? That way, if the code does a check of something and then quits if the condition is met, the emulator can just go back and pretend the condition wasn't met and see what it can find down the other branch of the program. This is to defeat the technique of quitting when finding an emulator. How about we stop that? How about we do our anti-emulation bit and then test it, but if we're being emulated instead of just quitting, we crash the program? Or better still, if we're on a pentium, why not just hang the machine? It's what the 'foof' bug is there for :) If the machine hangs, the antivirus program has no chance to return to the jump and try the other branch and the user will probably not bother scanning it again. If he does, the same thing will happen again and again, the user will never get a complete scan. Here's a rough guide to the code needed, assuming that you have in place a suitable emulation-detection routine: cmp ax,028h ;our test for emulation je not_emulated ;jump if equal db 0F0h,00Fh,0C7h,0C8h ;this will hang most pentium machines, it's ;known as the 'foof bug' for obvious reasons. not_emulated: ;here we are safe from the AV program How many end users are going to restart the computer and try scanning that file again when the last time it hung the computer? In the Microsoft age of idiot-friendly operating systems, not many. If they don't know what's going on and the machine hangs, they just won't do it again. If they do once, they won't twice. Take the virus hoax emails that constantly do the rounds, most people know better to respond and forward the mail, but the fact that they carry on spreading shows just how many idiots there are out there who are capable (just about) of using a computer. These are the people who will not scan your file but simply add it to the ignore list, leaving it to go about it's business. Another method is the time wasted method. Again it's down to annoying the user so much they don't bother scanning. If you can go round enough loops when you find emulation that the scanner takes minutes just to scan one file, the scanner will probably only be run overnight and taken off constant background monitoring. That gives you a day to spread, and spread un-noticed. Contact ---------- Comments/questions/suggestions/bug reports/etc. are welcomed as always, as long as it is kept reasonable. - MidNyte As always, I welcome ANY feedback, good or bad, as long as it is reasonable. | midnyte01@excite.com | www.coderz.org/midnyte | www.shadowvx.com/midnyte |