Well, dear virus friends, this article may be a little bit unfriendly, but, our mag is an open forum. And besides, we do not have CDA (now after couple of week i don't know what stands this for). The main goal of this article is just to show our vx community, how easy can be our viruses removed, when necessary.
AV Companies
There is a shitload of viruses and virus strains around, and many of
them are "In the wild". Estimated virus count is about 20000+ and we also
have more than 3500+ macroviruses. It is not likely any AV software can
succesfully detect all the viruses. Nor they can remove it all. But they
are at least trying it.
A. Overwriting viruses
These viruses are basically uncleanable.
No doubt. This category of viruses is lame. And lameness of this
virus type is also the reason, why the infected files cannot be
cleaned to their original state. They can be deleted, renamed, but
the only way to restore infected files to their original state is
the use of backup copies (if they exist).
B. Non overwriting viruses.
This type of viruses can be removed in up to 100 per cent of
cases. The reason is the virus of this category has to launch
the host in some monent. In this specific point of time, the
host file is rebuilt in that way, as if it was not infected, or better
the file is executed as not infected.
But, let's take a closer look on every type of non-overwriting viruses.
B1. FILE VIRUSES
Companion viruses
This type of viruses takes advantage of priority of launching
executable files with the same name but different extension.
Sorted from highest to lowest priority, the files are launched
in following order:
The virus simply creates file with the same name, but with
extension having higher priority, containing the copy of virus,
or changes the file extension to one with lower priority and
writes the viral into the file with original name and extension.
As the virus doesn't modify the infected file in any way, it is
trivial to remove the virus. The structure of the file can help
to determine the original file extension. Any file, starting with
obvious 'MZ' or 'ZM' is handles as EXE file by the system, when
having specific minimal lenght. This limit seems to be 26 bytes.
Following code
db 'MZ'
db 21 dup ('A')
int 20h
exits without any problems, but when you replace second line with
db 22 dup ('A')
you get nice message "Program too big to fit in memory".
Thus, first remove the file with viral body. Then check the file structure and of the file with the same name and rename it back to original extension. And bingo.
Linking viruses (DIR II and its kind)
This type of viruses takes doesn't change anything in infected file. It
just link the starting cluster of the file to the viral body located
somewhere on the disk.
Main symptom one can see if lot of cross-linked files all around the disk drive. To "clean" this kind of virus one need to link back the strating cluster of the file to the original. And do not forget to remove the virus body from the harddisk.
For information considering FAT 32 take a look at great article A fool named FAT 32 by flush.
Com viruses
Basically, there are two types of COM viruses. The first type uses the
"classic" way to receive the controll. It writes to the beginning of the
file jump to the virus body and saves the original bytes somewhere in
virus body.
JMP virus |
Rest of them program |
virus: |
To remove virus of this kind, is necessary to locate in virus body original bytes form the file start and restore the start of the file. Then the file is it was before infection (but still contains the viral body). Last step in the process of removing virus is to cut the viral body. In most cases can be used as the best for cutting the (xx xx)+3 position, where xx xx stands for the size of initial jump. In most typical case whole body of the virus is removed. In some rare exceptions the file will contain some bytes of viral body.
Second approach is more complex. The virus body is written to the beginning of the file and the rest of the file is just moved behind the virus body. On execution the virus moves the file to its "normal" position and launches it.
Program moved up |
The solution of infection is very handy is this case. All the Averz have to do is to move the program to the beginning of the file. Nothing less, nothing more.
As possible "D-fence" can be used combination of both infection methods above. But the removal still will be very easy.
Exe viruses
Typically, exe infecting viruses appends the viral body to the end of
the file and then virus modifies EXE header in order to launch virus
before the infected file.
CS:IP |
Program |
It is sure somewhere in the virus is stored at least original value of
Exe_CS and Exe_IP, optionally also Relo_SS and/or Relo_SP or even the
whole original EXE header. Virus is removed in following steps. At very
beginning the Exe_CS and Exe_IP are located and their values are
restored. Optionally are restored also Relo_SS and Relo_SP. Then is
necessary to compute values of size of the file in pages and store this
two words to offsets 2 and 4 in the header. Now it is possible to save
restored file header to the file. And last step is the cutting the file
to its original size.
If the virus contains whole original header (as most of the steatlh
viruses do) is the removal of the virus easier as described above. All
the cleaning is about is to locate the original header inside the virus
and save it to the offset 0 in the file. Then naturally Avers cut the
virus body and .... Done !
Well, exe files, the above stuph was all about the DOS times. Now is the PE file the target. And removing of virus infections here can be even easier. If the bad Aver is really lazy, all he need to do is to skip the virus. In other words, he has to set original RVA entrypoint on the file. He doesn't need to care with viral body or added section.
So dudes, in order to make their task harder, do some unusual operation with the saved bytes necessary to hand over the code flow to the infected host.
Sys viruses
Device drivers are the rarest target for viruses. Since Dark Angel
published his tutes, everyone can infect *.sys files. The trick is simple
as hell - it uses the feature of SYS philes - chaining of the SYS files.
All we need do infect a SYS file is to add the necessary code to the host
and just change the first dword of the file to point to the header
of our new character device. So easy it is.
So is the cleaning. Very lazy Aver can assume something in the way there is always only once driver in SYS file. The procedure of cleaning is then
They could also take a more optimised way: to transverse all the headers, till they found a last one. This is beginning of the virus, so cleaning is easy then.
B2. Boot viruses
Boot virus occupies MBR of the hard disc or boot sector of the drive. In
most typical case, the virus stores "somewhere" on the infected media
also the original, uninfected MBR or boot sector. To wipe boot virus is
very efficient to use the sector with stored MBR/boot sector and to
restore its original location. Another method is to use of some kind of
generic MBR/boot sector, when original in not available.
To try to fuck up with the averz, all you have to do is not to allow a
clean boot. Could be arranget with a little bit phantasy and code ...
B3. Macroviruses
As for the macroviruses, there is a very simple workaround - all you have to
do is to delete macros. Sure, this is not the best solution, but quit
reliable. You have no macros, viral as well as non viral. Non viral macros
are let's say casulities of the war.
B4. Multipartite viruses
Basically these viruses have multiple targets of infection. Therefore cleaning
such a thing is more complex - you have to clear e.g. boot sector and the files
or documents and philes. Lot of possibilities AVers can do some errors :)))
B5. Special viruses
Requires special methods of removing, if the removing is possible. Here
belongs also the viruses with some kind of "life insurance", like
One_half with its hard disk encryption or Griyo s Implant with its cyclic
partition. If some AVer doesn't pay atention to this special method of
infection can await a lot of hot line traffic.
C. Closing words
AVers due the increasing number of viruses doen't have time to clean all of
them. But they are at least trying - so do their job as much time costing as
it will be not worth the money.