roy g biv presents
How to fool TBSCAN
without changing code!
Have you ever wondered why TBScan doesn't detect itself as a virus?
The answer is that is has a list of signatures of files to skip
These signatures are located at the entry point of the file in question
ie. offset 100h for .COM files, CS:IP for .EXE files
for .COM files, use '24h 21h' as the first 2 bytes;
for .EXE files, use 'B8 8C D3 15 33 xx' as the first 6 bytes.
for one string for both files, use '8B E8 8C F0 4F EB 06 D0 00 80 00 80 40'
The only flags that will be set are the ones that were already set (excepting
the 'p' (packed) flag, which is set wherever specified):
c no checksum
C checksum data does not match ; data = plural, 'does not' => 'do not'
h hidden or system attribute set
T invalid date/time stamp
N .com file beginning with MZ, or ZM, or
.exe file not beginning with MZ, or ZM
(if you do this on purpose, all signatures become 'both', instead of 'com only'
or 'exe only')
! .EXE relocation table offset >= 200h, or
.EXE CS:IP > header filesize
w windows or os/2 file
K odd stack, or SS=CS
? .EXE header size >= file size, or
.EXE maxalloc < minalloc, or
.EXE header filesize > directory filesize, or
.EXE header filesize + minalloc < stack segment + stack offset
i .EXE header filesize+128 < directory filesize, and not a windows file
And here is the list (from version 6.51):
'xx' is a single-byte wildcard
'checksum' uses the following algorithm:
1. set sum to 0
2. double sum
3. add byte to sum
4. if sum > 8000h, xor sum with A097h
5. decrement count
6. if count > 0, goto 2
This leaves a wide scope for potential code that will suffice.
(hint: the only thing of interest is the sign bit in the lower byte.)
eg. for the string '8B E8 8C' [checksum 0ah bytes] = 646E, (non-packed 'both')
use 'F0 4F EB 06 D0 00 80 00 80 40'
Signature: Affects: Flag set:
00 04 9A 68 com
06 0E 1F [checksum 0ah bytes] = 7F68 both packed
0D 0A com
0E 1F BA [sum 8 bytes] = 1C6D exe
1E 50 B8 [checksum 0bh bytes] = 59CA exe
20 20 com
24 21 com
24 20 com
2E 8C 1E B2 00 both
2E 8C 1E [checksum 0ah bytes] = 1CE6 both packed
2E C5 36 xx [scan 5 bytes for] 00 C7 44 12 81 00 exe
2E 8C 1E D0 02 both
2E FF 26 xx 01 xx xx 38 com
30 C9 90 74 03 FA exe
38 20 xx 2D 6C 68 35 com packed
4D 4A xx xx xx xx xx 00 20 00 com
50 4B com packed
50 9C FC [checksum 0ah bytes] = 649D com
50 06 8C [checksum 0ch bytes] = 1BA0 exe
53 5A 44 [checksum 6 bytes] = 1C3 com
53 5A both packed
58 5A 8F 06 06 exe
60 EA com packed
87 C0 EB 0B xx 01 02 exe
8B E8 8C [checksum 0ah bytes] = 646E both
8C C0 8C [checksum 6 bytes] = 1200 exe
8C C0 05 [checksum 0ah bytes] = 2384 exe packed
90 90 90 [checksum 0ch bytes] = 235C exe
9A xx xx xx xx 9A exe
9A 20 00 xx xx 9A 33 01 xx xx BA 15 xx CD 3F exe
9C 55 56 8C CD 83 C5 10 8D B6 xx xx 56 BE exe packed
A8 00 30 [checksum 5 bytes] = 2D0 com
B4 30 CD [checksum 0bh bytes] = 1872 exe
B4 30 CD 21 [checksum 7 bytes] = B3A exe
B4 30 CD 21 86 E0 2E A3 xx xx 3D 00 02 exe
B8 8C D3 15 33 (this is tbscan) exe
B8 xx xx BA xx xx 8C DB 03 D8 3B 1E 02 both packed
B8 xx xx BA xx xx 3B C4 73 xx 8B C4 2D both packed
B8 xx xx BA xx xx 05 00 00 3B 06 02 00 both packed
BA xx xx 0E 1F B4 [checksum 7 bytes] = 1A19 exe
BA xx xx 2E 89 16 xx xx B4 30 CD 21 8B exe
BA 6C 00 [checksum 0ah bytes] = 5321 exe packed
BB 02 00 B8 xx xx 8B 0F 2B [checksum 8 bytes] = 4167 exe
BC 9C 17 8C C8 com
BD xx xx 50 06 8C [checksum 8 bytes] = 6B53 exe packed
BE xx xx 50 53 51 [checksum 0eh bytes] = 432D com packed
BF xx xx A1 02 00 2E A3 xx xx 2B C7 3D 00 10 exe
BF xx xx 8E DF FA 8E D7 81 C4 xx xx FB B4 30 CD 21 A2 xx 00 exe
BF xx xx 8B 36 02 00 2B F7 81 FE xx xx 72 03 exe
E8 53 00 [checksum 5 bytes] = 508 exe
E8 xx 01 54 68 69 73 20 70 exe
E8 xx xx 73 03 B8 [checksum 5 bytes] = 1CE exe
E8 20 00 4D 5A xx xx xx xx 00 00 02 exe
E8 8D 05 2E FF exe
E9 FB 65 [checksum 6 bytes] = 5A8 com
E9 1A 02 [checksum 7 bytes] = 13D both
E9 70 21 [checksum 6 bytes] = 8BF com
EB 44 xx xx xx xx 57 69 6E 64 exe
EB 13 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx BB FF FF [checksum 6 bytes] = 1BF9
exe packed
Eb 0A xx xx xx xx xx xx xx CA 04 00 exe
EB 60 xx xx xx xx 4C 48 61 exe packed
EB 78 xx 00 4C 48 27 exe packed
EB 79 xx 00 4C 48 41 exe packed
EB 10 C0 [checksum 5 bytes] = 90 exe
EB 18 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 58 4C 44 52 xx xx B4 30
exe
EB 0C D4 0F FB 81 06 com
F9 9C EB 09 xx xx 0A 00 both packed
FA FC B8 xx xx 8E D8 8C 06 xx xx 26 8B exe
FC 2E 8C [checksum 8 bytes] = 2C43 exe packed
FC FA 2E [checksum 0ch byets] = DAD both
FC 06 1E [checksum 8 bytes] = 20D0 exe
FF 57 50 43 com
FF FF FF FF exe
FF FF [checksum 0dh bytes] = 52 F9 win
FF FF FF 00 2B 20 com
- VLAD #7 INDEX -