Virus Labs & Distribution
VLAD #3 - Fooling TBScan

   A brand new way to fool TBScan 
   +----------------------------+       by Automag/VLAD

   Today I worked on some features for Antipode:
   I wanted it to infect a file during a scan by AV software so I added
   the usual int 21h 3Dh (open) infection.  It already infected the files
   under McAfee's SCAN so I added the 21h 6Ch (extended open) infection and
   F-PROT became a vector but I was surprised that TBSCAN didn't infect my 
   test files (5 byte .COM just 3 NOPs and an int 20h).  I took SoftICE and
   traced some code and was really surprised as TBSCAN didn't open any file
   in my directory!

   I thought that Frans had found a brand new way to open files ?  Taking
   int 21h as a breakpoint I found that TBSCAN just used the Find-Next
   function.  I was dispirited, how would I use TBSCAN as a vector ?
   Scanning another directory I was suprised to find TBSCAN used Int 21h 3Dh!

   Rebooting, I tried to scan my directory again and now TBSCAN only opened
   two files, both were infected (627 bytes long) while the others were
   skipped (5 bytes long).

   So here is the trick:
   TBSCAN does not 'waste' any time with tiny files, it just skips them.
   Let's imagine an algorithm...

      Int 21 4Bh entry point:
	   if (file_to_be_executed='TBSCAN.EXE')
	   then TBSCAN_FLAG=1

      int 21 4E entry point:
	   if (TBSCAN_FLAG=1)
	   then DTA.SIZE=0

      int 21 4C entry point:

   with such an int 21h, TBSCAN won't scan any COM file :)

   That's done and tested and TBSCAN doesn't scan any file :)
   The scanning is just a bit too fast as it scanned 726 executables in six
   seconds :)  Now Frans can say that TBSCAN is the fastest scanner ever !

   But anyway TBAV is the best AV program I have ever used...
   So greets to Frans Veldman...



ARTICLE.1_2       Aims and Policies
ARTICLE.1_3       Greets
ARTICLE.1_4       Members/Joining
ARTICLE.1_5       Dist/Contact Info
ARTICLE.1_6       Hidden Area Info
ARTICLE.1_7       Coding the Mag


The Press
ARTICLE.2_2       Fooling TBScan
ARTICLE.2_3       Backdoors
ARTICLE.2_4       Tracing Int21
ARTICLE.2_5       Replication
ARTICLE.2_6       VSUM denial
ARTICLE.2_7       Proview


TBTSR Checking
ARTICLE.3_2       TBScan Flags
ARTICLE.3_3       HD Port Reading
ARTICLE.3_4       HD Port Writing
ARTICLE.3_5       TBAV Monitor
ARTICLE.3_6       Micro128 Disasm
ARTICLE.3_7       Aust403 Disasm


Virus Descriptions
ARTICLE.4_2       Hemlock
ARTICLE.4_3       Antipode
ARTICLE.4_4       Insert
ARTICLE.4_6       Quantum Magick
ARTICLE.4_7       Mon Ami La Pendule


ARTICLE.5_2       Small Virus
ARTICLE.5_3       Catch-22
ARTICLE.5_4       ART Engine
ARTICLE.5_5       Megastealth
ARTICLE.5_6       Virus Scripts
ARTICLE.5_7       What's Next ?

About VLAD - Links - Contact Us - Main