Self-Executing PIF
                              roy g biv / defjam
 
                                 -= defjam =-
                                  since 1992
                     bringing you the viruses of tomorrow
                                    today!


Former  DOS/Win16  virus writer, author of several virus  families,  including
Ginger  (see Coderz #1 zine for terrible buggy example, contact me for  better
sources  ;),  and Virus Bulletin 9/95 for a description of what   they  called
Rainbow.   Co-author  of  world's first virus using circular  partition  trick
(Orsam, coded with Prototype in 1993).  Designer of world's first XMS swapping
virus  (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the rest is
swapped  out).   Author of world's first virus using Thread Local Storage  for
replication  (Shrug, see Virus Bulletin 6/02 for a description, but they  call
it Chiton), world's first virus using Visual Basic 5/6 language extensions for
replication  (OU812), world's first Native executable virus (Chthon),  world's
first  virus  using process co-operation to prevent termination  (Gemini,  see
Virus  Bulletin 9/02 for a description), world's first virus using polymorphic
SMTP  headers (JunkMail, see Virus Bulletin 11/02 for a description),  world's
first viruses that can convert any data files to infectable objects (Pretext),
world's  first  32/64-bit  parasitic  EPO .NET  virus  (Croissant,  see  Virus
Bulletin  11/04  for a description, but they call it Impanate), world's  first
virus  using  self-executing HTML (JunkHTMaiL, see Virus Bulletin 7/03  for  a
description), world's first virus for Win64 on Intel Itanium (Shrug, see Virus
Bulletin 6/04 for a description, but they call it Rugrat), world's first virus
for  Win64 on AMD AMD64 (Shrug), world's first cross-infecting virus for Intel
IA32  and  AMD  AMD64  (Shrug),  world's  first  viruses  that  infect  Office
applications  and  script  files  using the same  code  (Macaroni,  see  Virus
Bulletin  11/05  for  a description, but they call it Macar),  world's   first
viruses  that  can infect both VBS and JScript using the same code (ACDC,  see
Virus  Bulletin 11/05 for a description, but they call it Cada), world's first
virus  that  can  infect  CHM files (Charm, see Virus  Bulletin  10/06  for  a
description,  but they call it Chamb), world's first IDA plugin virus  (Hidan,
see Virus Bulletin 3/07 for a description), world's first viruses that use the
Microsoft  Script  Encoder  to dynamically encrypt the  virus  body  (Screed),
world's  first virus for StarOffice and OpenOffice (Starbucks), world's  first
virus  IDC  virus (ID10TiC), world's first polymorphic virus for Win64 on  AMD
AMD64  (Boundary, see Virus Bulletin 12/06 for a description, but they call it
Bounds),  world's first virus that can infect Intel-format and  PowerPC-format
Mach-O  files  (MachoMan,  see  Virus Bulletin 01/07 for  a  description,  but
they  call it Macarena), and world's first virus that uses Unicode escapes  to
dynamically encrypt the virus body.  Author of various retrovirus articles (eg
see Vlad #7 for the strings that make your code invisible to TBScan).  Went to
sleep for a number of years.  I am awake now.


What are self-executing PIFs?

This is an idea that I had more than four years ago by now.  I thought that it
would   be  funny if a PIF could carry and directly execute another file.   It
was almost ready for the entire time, but for some reason I never finished it.
Now I have.


First problem

After  some work, I found that it cannot be done very well.  Of course  it  is
possible  to  make a PIF/COM combination, but I wanted to execute possible big
files, so if the PIF was too big, then the COM part would not run.


First solution, second problem

I  had  another idea, which was to use debug.exe to recreate my file.  Then  I
found that this cannot be done directly, because stdin cannot be redirected.


Second solution, new problem

The  solution to the debug problem was to execute %comspec% instead, and  pass
it  a command-line that would run debug and redirect stdin from me file.  Then
I just have to encode myself as ASCII bytes and enter the data into memory.

Now we have our Windows file ready to write, but debug cannot write files with
.EXE  in the name.  We don't need to worry, because the name is not important.
The  next  problem was that when debug is not passed an executable file  as  a
parameter, it does not create a separate memory block.  Instead, all memory is
owned  by  debug, so there is no memory left to execute our file.  That  might
sound  strange, but it is true: even though the file is a Windows  executable,
it  is DOS that sees it first, and execution will fail if there is not  enough
memory.


New solution

The  solution to that problem was easy, though I had mostly forgotten  details
about DOS stuff.  I just had to retrieve the owner segment from the MCB of the
environment  segment.  That is debug.exe.  Then I shrunk that segment to  hold
my code and free the rest of memory.

I execute my code and I am in control.  It opens the PIF, finds the host file,
extracts  it, runs it, then searches for another file to infect, and the cycle
repeats.


Greets to friendly people (A-Z):

Active - Benny - Malum - Obleak - Prototype - Ratter - Ronin - RT Fishel -
sars - SPTH - The Gingerbread Man - Ultras - uNdErX - Vallez - Vecna -
VirusBuster - Whitehead


rgb/defjam jun 2007
iam_rgb@hotmail.com