DeMn Virus                                                                 
~~~~~~~~~~~~~                                                                 
                                                                              
This virus took me a while to write (about two weeks), because I was          
writing a lot of it for the first time. Some of the code is a bit             
overboard, like I don't think the SYS entry has to be quite that complex      
in order to work... but never mind. At least it works and it's quite          
well-behaved.                                                                 
                                                                              
This virus is my first boot/file virus, and that also works perfectly.        
I worked all my own routines from scratch (my virus collection is             
extremely small, and I don't want to be influenced by other                   
implementations unless they're better).                                       
                                                                              
It infects both floppy boot sectors, moving the original boot sector to       
the 5th last sector of the disk and writing the virus code on the last        
four. It also infects the Master Boot Record (partition table) on the         
first physical hard disk. Booting off an infected floppy will infect          
the MBR, as will the execution of an infected file. However, trying to        
read the partition table results in the redirection of the call,              
resulting in the original partition table (prior to infection) being          
read/written.                                                                 
                                                                              
Floppies are infected on read/write access, and won't be infected if the      
drive is still spinning (ie. no disk change). It will take the boot           
sector and use the BPB to calculate the last sectors of the disk, no          
matter what format, be it 160k, 1.44meg, or even a 20meg floptical disk.      
It makes sure it's a valid BPB by checking the OEM name to see if it's        
valid alphanumeric characters, but I was a bit selfish in that I overwrite    
the last word of OEM to mark infection.                                       
                                                                              
Files ending with the extensions .COM, .EXE, .BIN, .OVL and .SYS will be      
infected on every possible file handle access I could find, ie. they          
will be infected on Open (3D), Close (3E), Attrib Change (43), Execution      
(4B), Handle Rename/Move (56), and Extended Open (6C). It manages to          
infect on file close by recording the filename by intercepting Create         
(3C) call, and the handle if it was created successfully.                     
                                                                              
If resident off infected file, it will not hook int 13h directly,             
instead searching segment 70h for DOS's call to the original interrupt        
handler, then putting our address in there instead and using the old          
address for our calls. It would have been possible to search the ROM          
BIOS for the correct handler, but that would circumvent future                
generations of boot/file viruses.                                             
                                                                              
DeMn employs a small decryption algorythm, however it is not variable      
mutation, since a few registers have to be saved in order for the SYS         
infection to work. The code is thoroughly encrypted, and McAfee and           
friends will have to write a new disinfection engine for this baby.           
However, disk infections are not encrypted, although it would have been       
easily done.                                                                  
                                                                              
The routine to load the virus off the disk has been altered to avoid          
detection as Generic Boot Sector/Generic Partition virus. The changes         
are trivial, and it makes it look as if I don't know what I'm doing.          
The fact that I'm avoiding detection isn't readily apparent. Here is          
a code comparison, take a look for yourself.                                  
                                                                              
        Generic                    DeMn                                    
     mov si, 413h               mov si, 412h                                  
     sub word ptr [si], 3       add word ptr [si+1], -3         ; take 3k     
     int 12h                    lodsb                                         
                                lodsw                                         
     mov cl, 6                  mov cl, 6                                     
     shl ax, cl                 shl ax, cl                                    
     mov es, ax                 mov es, ax                                    
     xor bx, bx                 xor bx, bx                                    
                                                                              
The one on the left will be detected by SCAN, the one on the right will       
not. The differences are trivial. SCAN is such a stupid program, it's         
just ridiculous that millions of PC users rely on it utterly for total        
virus protection. That's great...                                             
                                                                              
DeMn is partially selective in which files it infects. Firstly, it         
will scan the filename for the characters SC, VS, CL and F-, which            
excludes a lot of scanners (eg SCAN, TBSCAN etc), VSHIELD, CLEAN and          
F-PROT.                                                                       
                                                                              
Nor will it infect programs which have internal overlays. This is a           
great advantage since people running WinDoze won't have their favourite       
XYZ program fuck up because a virus infected it. DeMn simply will          
not infect programs with internal overlays. Here is the code to detect        
them:                                                                         
                                                                              
chkovl:         call file_end                                                 
                push ax                       ; check for internal overlays   
                push dx                                                       
                mov ax, word ptr [page_cnt]                                   
                mov cx, 512                                                   
                mul cx                                                        
                pop cx                                                        
                pop bp                                                        
                cmp ax, bp                                                    
                jb done                                                       
                cmp dx, cx                                                    
                jb done                                                       
                [...]                                                         
done:           ret                                                           
                                                                              
Pretty simple routine, huh?                                                   
                                                                              
The beauty of this beast is that one small mistake, like trying to boot       
an infected disk by accident, or perhaps running an infected file, is         
that next time you boot up your system, EVERY file in your CONFIG.SYS,        
AUTOEXEC.BAT and everything henceforth will become infected! It is very       
easy to expose a large number of files to the virus in a very short           
space of time. Again, SCAN will probably help the spread of this virus        
immensely, by stupid users scanning their HD habitually, with the virus       
in memory... of course, EVERY file will then be infected.                     
                                                                              
As if that weren't enough for one virus, DeMn will also hide the           
increase of file size on the DOS directory. However, like most other          
viruses which employ this stealth method, CHKDSK will not report any          
allocation errors on these files. File size increase will be only 2048        
bytes, or 4096 bytes for SYS files. It will account for the different         
increase of the SYS.                                                          
                                                                             
To hide the increase, DeMn employs a little-exploited method, which        
is by adding 100 years to the date of the file. This way, other               
over-exploited methods (like setting the seconds field to a certain           
value) will not interfere with DeMn's stealth operation, and               
vice-versa.                                                                   
                                                                              
DeMn also includes a number of text strings:                               
                                                                              
        "[DeMn] by TLN-{NK}"                     25 bytes              
        "Hugs to Sara Gordon"                           19 bytes              
        "Hey John! If this is bad, wait for [VCL20]!"   43 bytes              
        "For Dudley"                                    11 bytes              
        "[VCL20]/TLN"                                15 bytes              
                                                total  113 bytes              
                                                                              
(That stuff about VCL20 is ogus, just to make McAsshole shit his            
pants. But AV researchers be warned: a fair few of the routines               
contained in DeMn will also appear in VCL 2.0, like the boot/file          
infect capability!)                                                           
                                                                              
Virus Length   = 2048                                                         
Message Length =  113                                                         
...Code Length = 1935 bytes!!!                                                
                                                                              
Totally unheard of!                                                           
                                                                              
I seriously doubt anybody can beat that, at least not for a while yet.        
                                                                              
For a quick rehash of what this virus does...                                 
                                                                              
COM/EXE/BIN/OVL/SYS/MBR/BS Parasitic Self-Encrypting Stealth virus, a         
mere 2048 bytes long... but I can say Patricia Hoffman will totally fuck      
up her description of this virus, she is so pathetically brain-dead.          
                                                                              
Anyway, look out for a FULL STEALTH, WILDLY POLYMORPHIC COM/EXE/MBR           
INFECTOR coming soon to a computer installation near you!  From TLN of      
course!  And another one minus the polymorphism, under 800 bytes!             
                                                                              
Have fun!  And good night, John!                                              
                                                                              
                        TLN/NuKE                                            
