Compiled HTML
by roy g biv
                                Compiled HTML
                               roy g biv / 29A

Former  DOS/Win16  virus writer, author of several virus  families,  including
Ginger  (see Coderz #1 zine for terrible buggy example, contact me for  better
sources  ;),  and Virus Bulletin 9/95 for a description of what   they  called
Rainbow.   Co-author  of  world's first virus using circular  partition  trick
(Orsam, coded with Prototype in 1993).  Designer of world's first XMS swapping
virus  (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the rest is
swapped  out).   Author of world's first virus using Thread Local Storage  for
replication  (Shrug, see Virus Bulletin 6/02 for a description, but they  call
it Chiton), world's first virus using Visual Basic 5/6 language extensions for
replication  (OU812), world's first Native executable virus (Chthon),  world's
first  virus  using process co-operation to prevent termination  (Gemini,  see
Virus  Bulletin 9/02 for a description), world's first virus using polymorphic
SMTP  headers (JunkMail, see Virus Bulletin 11/02 for a description),  world's
first viruses that can convert any data files to infectable objects (Pretext),
world's  first  32/64-bit  parasitic  EPO .NET  virus  (Croissant,  see  Virus
Bulletin  11/04  for a description, but they call it Impanate), world's  first
virus  using  self-executing HTML (JunkHTMaiL, see Virus Bulletin 7/03  for  a
description), world's first virus for Win64 on Intel Itanium (Shrug, see Virus
Bulletin 6/04 for a description, but they call it Rugrat), world's first virus
for  Win64 on AMD AMD64 (Shrug), world's first cross-infecting virus for Intel
IA32  and  AMD  AMD64  (Shrug),  world's  first  viruses  that  infect  Office
applications  and  script  files using the same code (Macaroni),  and  world's
first viruses that can infect both VBS and JScript using the same code (ACDC).
Author  of  various retrovirus articles (eg see Vlad #7 for the  strings  that
make  your  code invisible to TBScan).  Went to sleep for a number  of  years.
This  is  my eighth virus for Win32.  It is the world's first virus  that  can
infect CHM files.

What are CHM files?

Microsoft  like  to produce new file formats with more and more content.   CHM
files  allow  a  single  file to contain HTML pages,  including  graphics  and
scripts,  something like an archive.  They are very careful, though, to  avoid
documenting anything, so to create such files generally relies on their tools.
CHMs  carry  all  of  the content in a single stream, compressed  by  the  LZX
algorithm.  It is almost a solid archive, but contains a periodic state reset,
to  make  the decompression faster (because it is not necessary to  decompress
the entire archive to reach the last file, but start from the last reset point
and decompress from there).

How do we infect them?

When  I  first considered to infect CHM files, I did not want to rely  on  any
other DLL to do the work, because I like to code to the lowest level, but that
requires  working with the compression.  To make it easier, I thought to carry
a  compressed version of myself and create my own reset point, but how to  get
control?   It  turns out that the first page to load is not the first file  in
the  table  of contents, but is loaded by a reference in one of  the  internal
(compresed)  streams.  I didn't want to carry the LZX decompressor as well, so
I started to look at the Help Helper (HH.EXE).  Everyone knows that HH.EXE can
decompile  CHM files, and it is done by calling into ITSS.DLL.  Who knew  that
ITSS.DLL  can compile CHM files, too?  Amazingly, it contains the  compressor,
which means that the only question was how to use it.

So how do we use it?

Even  more amazing is that the interface is simply the IStorage interface from
OLE2, exposed by a different DLL.  The IStorage implementation in the ITSS.DLL
supports  the Read and Write methods, including transparent decompression  and
compression.   Note  that I do not say "recompression", because writing to  an
existing  CHM  file is not allowed.  Instead, it is necessary to create a  new
file and write to that, then replace the old file with the new file.

Let's load ITSS

We  load  the ITSS DLL by calling CoCreateInstance(), with the ITSS  interface
parameters.  This assumes that you are familiar with COM programming.
The CLSID is {5D02926A-212E-11D0-9DF9-00A0C922E6EC}.
The RIID is  {88CC31DE-27AB-11D0-9DF9-00A0C922E6EC}.
The  returned interface pointer can be passed to StgOpenStorage() to open  any
CHM  file.  The EnumElements and Next methods can be used to see the  storages
and  streams, the OpenStream and OpenStorage methods can be used to open them,
and  the  Read method can be used to read streams.  For the destination  file,
there  is  the  StgCreateDocfile()  to create a  new  file,  CreateStream  and
CreateStorage methods to create them, and the Write method to write streams.

How to get control?

The  method that I chose to get control was to alter the HTM files to  include
my  code.  Initially, I tried to package my entire code within the HTM  files,
but  there  were  many problems with that idea.  One problem was the  need  to
script an ActiveX control to create a file, which triggers a security warning.
The  next  problem was how to deliver a binary from a text-only  file  format.
Many people seem to rely on the chr() function to convert ASCII to binary, but
this is unreliable on DBCS systems whenever the 8th bit is set.  To solve that
problem,  I  created a new executable-ASCII engine which is much smaller  than
the  one in Junkmail, but functionally equivalent.  This created a new problem
because  it  drops  an executable-ASCII com file which relies  on  the  16-bit
subsystem to run, so it was very slow and noticeable.  I'll find a use for it.

Finally, I decided to be scriptless and use an additional file, this way:

<object classid='clsid:1baddeed'codebase=.exe'></object>

and .exe is the name of the file that I add after all files are infected.

The  problem with that is the table of contents now contains a unique filename
that  could be used as a heuristic detection, but you can always change it  in
the code.

Greets to friendly people (A-Z):

Active - Benny - Obleak - Prototype - Ratter - Ronin - RT Fishel -
sars - The Gingerbread Man - Ultras - uNdErX - Vecna - VirusBuster -

rgb/29A apr 2005