Upper-level languages, such as Basic, C, and a multitude of others, are where most programmers these days feel at
home.
They provide users with an amazing amount of built-in functionality,
and allow the programmer to escape from having to deal with the machine
that is being programmed on, and instead focus on the details of the
program design. For viruses, this makes them easy languages to start in,
but there are several obstacles. The first is that most upper-level
languages simply were not made to program at a base systems level, even
in C this is not easy. As a result, most viruses that are in this genre
are primitive [usually overwriting] in their reproduction mechanism,
although their activation
routines
can be impressive. Another really important disadvantage is that
high-level languages often create files that are at the very LEAST 10k
and often much higher - not very efficient for a virus. With this
overhead, a
memory-resident virus is impractical as it would usually be noticed by the user when a rather large chunk of memory disappears for no apparent reason.
Another possibility with high-level languages, however, is a source-code virus. This kind of virus is quite rare (to the best of my knowledge) but could be very effective. What a source-code virus does, in short, is search for another source file in the same language - for example, it might search for all files with a ".C" extension for C. It would then add its own source code to the file (often by way of "including" a header with the routines
and placing a call to it in main()) which would execute once the
program was compiled. After compilation, the virus would be more or less
hidden inside the application,
and would be dormant until it found another ".C" file. The only
documented case of this that I know of is Mark Ludwig's virus presented
in Computer Virus Developments Quarterly, Volume 1, Number 2.
At any rate, all of these viruses have some basic steps in common. They are:
- Find a file to infect, be it an executable, source, or whatever (If none found, go to step 3)
- Place virus in file.
- Decide if any activation routines are met and, if so, activate.
- Return to host or terminate and return to DOS.
For overwriting viruses, the implementation of these is quite simple.
The only problem with these viruses is that they totally destroy any
program that they infect, making them quite obvious. The only way to
cure these is to find all of the infected files and delete them, restoring them from backups.
The following virus is an extremely simple overwriting virus written in
C. It will infect all .COM files within the current directory,
destroying them completely. As it infects each file, it will print
"Infecting [FILENAME]" on the screen as a warning. If you compile it to
test it, compile it once, then EXE2BIN it and check the resultant size.
If it does not equal 9504 bytes, change the line "x=9054;" to the
appropriate size value. Do be careful with this virus, because while it
is a primitive one, it will destroy any .COM files that it hits.
ادامه مطلب
+ نوشته شده توسط زیارانی در شنبه 29 بهمن1390 و ساعت
4:17 بعد از ظهر |
