Self-Executing PIF
roy g biv / defjam

-= defjam =- since 1992 bringing you the viruses of tomorrow today!

Former DOS/Win16 virus writer, author of several virus families, including Ginger (see Coderz #1 zine for a terrible buggy example, contact me for better sources ;), and see Virus Bulletin 9/95 for a description of what they called Rainbow. Co-author of world's first virus using circular partition trick (Orsam, coded with Prototype in 1993). Designer of world's first XMS swapping virus (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the rest is swapped out). Author of world's first virus using Thread Local Storage for replication (Shrug, see Virus Bulletin 6/02 for a description, but they call it Chiton), world's first virus using Visual Basic 5/6 language extensions for replication (OU812), world's first Native executable virus (Chthon), world's first virus using process co-operation to prevent termination (Gemini, see Virus Bulletin 9/02 for a description), world's first virus using polymorphic SMTP headers (JunkMail, see Virus Bulletin 11/02 for a description), world's first viruses that can convert any data files to infectable objects (Pretext), world's first 32/64-bit parasitic EPO .NET virus (Croissant, see Virus Bulletin 11/04 for a description, but they call it Impanate), world's first virus using self-executing HTML (JunkHTMaiL, see Virus Bulletin 7/03 for a description), world's first virus for Win64 on Intel Itanium (Shrug, see Virus Bulletin 6/04 for a description, but they call it Rugrat), world's first virus for Win64 on AMD AMD64 (Shrug), world's first cross-infecting virus for Intel IA32 and AMD AMD64 (Shrug), world's first viruses that infect Office applications and script files using the same code (Macaroni, see Virus Bulletin 11/05 for a description, but they call it Macar), world's first viruses that can infect both VBS and JScript using the same code (ACDC, see Virus Bulletin 11/05 for a description, but they call it Cada), world's first virus that can infect CHM files (Charm, see Virus Bulletin 10/06 for a description, but they call it Chamb), world's first IDA plugin virus (Hidan, see Virus Bulletin 3/07 for a description), world's first viruses that use the Microsoft Script Encoder to dynamically encrypt the virus body (Screed), world's first virus for StarOffice and OpenOffice (Starbucks), world's first IDC virus (ID10TiC), world's first polymorphic virus for Win64 on AMD AMD64 (Boundary, see Virus Bulletin 12/06 for a description, but they call it Bounds), world's first virus that can infect Intel-format and PowerPC-format Mach-O files (MachoMan, see Virus Bulletin 01/07 for a description, but they call it Macarena), and world's first virus that uses Unicode escapes to dynamically encrypt the virus body. Author of various retrovirus articles (e.g. see Vlad #7 for the strings that make your code invisible to TBScan). Went to sleep for a number of years. I am awake now.

What are self-executing PIFs?

This is an idea that I had more than four years ago by now. I thought that it would be funny if a PIF could carry and directly execute another file. It was almost ready for the entire time, but for some reason I never finished it. Now I have.

First problem

After some work, I found that it cannot be done very well. Of course it is possible to make a PIF/COM combination, but I wanted to execute possibly big files, so if the PIF was too big, then the COM part would not run.

First solution, second problem

I had another idea, which was to use debug.exe to recreate my file. Then I found that this cannot be done directly, because stdin cannot be redirected.

Second solution, new problem

The solution to the debug problem was to execute %comspec% instead, and pass it a command line that would run debug and redirect stdin from my file. Then I just have to encode myself as ASCII bytes and enter the data into memory.

Now we have our Windows file ready to write, but debug cannot write files with .EXE in the name. We don't need to worry, because the name is not important.

The next problem was that when debug is not passed an executable file as a parameter, it does not create a separate memory block. Instead, all memory is owned by debug, so there is no memory left to execute our file. That might sound strange, but it is true: even though the file is a Windows executable, it is DOS that sees it first, and execution will fail if there is not enough memory.

New solution

The solution to that problem was easy, though I had mostly forgotten the details about DOS stuff. I just had to retrieve the owner segment from the MCB of the environment segment. That is debug.exe. Then I shrank that segment to hold my code and freed the rest of memory. I execute my code and I am in control. It opens the PIF, finds the host file, extracts it, runs it, then searches for another file to infect, and the cycle repeats.

Greets to friendly people (A-Z):

Active - Benny - Malum - Obleak - Prototype - Ratter - Ronin - RT Fishel - sars - SPTH - The Gingerbread Man - Ultras - uNdErX - Vallez - Vecna - VirusBuster - Whitehead

rgb/defjam
jun 2007
iam_rgb@hotmail.com
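A detection-side view of the launcher pattern described above (a PIF whose program is the command shell, whose parameters start debug with stdin redirected, and which carries its payload appended after the PIF sections), as an added example that is not part of the original text. The field offsets and 22-byte section-header layout are assumptions taken from the documented Windows PIF format, and both sample files are constructed inline.

```python
import struct
# Offsets from the documented Windows PIF layout (assumed here; check against your
# samples): program path, parameter string, first section header after the basic section.
PROGRAM_OFF, PROGRAM_LEN = 0x24, 63
PARAMS_OFF, PARAMS_LEN = 0xA5, 64
FIRST_HDR_OFF = 0x171
HDR_LEN = 22  # 16-byte section name + WORD next header, WORD data offset, WORD data length

def _field(buf, off, length):  # NUL-terminated text field, decoded leniently
    return buf[off:off + length].split(b"\0", 1)[0].decode("latin-1", "replace")

def sections_end(buf):
    """Walk the section header chain; return the offset where documented data ends,
    or None if the chain is malformed (a loop, or a header beyond end of file)."""
    end, off, seen = FIRST_HDR_OFF, FIRST_HDR_OFF, set()
    while off != 0xFFFF:
        if off in seen or off + HDR_LEN > len(buf):
            return None
        seen.add(off)
        nxt, data_off, data_len = struct.unpack_from("<HHH", buf, off + 16)
        end = max(end, off + HDR_LEN, data_off + data_len)
        off = nxt
    return end

def scan_pif(buf):
    """Findings that match the launcher pattern: a shell started with a DEBUG command
    line that reads its script from stdin, plus data appended after the last section."""
    if len(buf) < FIRST_HDR_OFF + HDR_LEN:
        return ["truncated: no section header after basic section"]
    findings = []
    prog = _field(buf, PROGRAM_OFF, PROGRAM_LEN).upper()
    args = _field(buf, PARAMS_OFF, PARAMS_LEN).upper()
    if any(s in prog for s in ("COMSPEC", "COMMAND")) and "DEBUG" in args and "<" in args:
        findings.append(f"shell runs DEBUG with redirected stdin: {prog} {args}")
    end = sections_end(buf)
    if end is None:
        findings.append("malformed section chain")
    elif len(buf) > end:
        tail = buf[end:]
        text = sum(32 <= b < 127 or b in (9, 10, 13) for b in tail) / len(tail)
        findings.append(f"{len(tail)} bytes appended after last section ({text:.0%} printable)")
    return findings

def make_sample(program, params, tail=b""):  # constructed minimal PIF for testing
    basic = bytearray(FIRST_HDR_OFF)
    basic[PROGRAM_OFF:PROGRAM_OFF + len(program)] = program
    basic[PARAMS_OFF:PARAMS_OFF + len(params)] = params
    return bytes(basic) + b"MICROSOFT PIFEX\0" + struct.pack("<HHH", 0xFFFF, 0, FIRST_HDR_OFF) + tail
CLEAN = make_sample(b"C:\\TOOLS\\EDIT.COM", b"NOTES.TXT")  # constructed benign sample
LAUNCHER = make_sample(b"%COMSPEC%", b"/C DEBUG < SELF.PIF", b"4D 5A 90 00 03 00 00 00\r\n" * 4)
```

A high printable ratio in the appended tail is what distinguishes an ASCII-encoded payload from a PIF that merely has extra sections; a PIF with trailing binary data still deserves a second look.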