Hackers File

	Sign In Sign-Up

Home

I. Preface

A. Definitions of viruses and other forms of electronic "life".
1. What is a virus?
2. What is a worm?
3. What is a trojan horse?
4. What is an ANSI bomb?
B. Discussion of programming techniques.
1. Run-time .COM infecting viruses
2. Memory-resident .COM infecting viruses
3. Alternate infection methods
4. Other tips and tricks
5. FTP sites and IRC bots
C. Virus removal and anti-virus software.
1. The _Correct_ way to use FDISK /MBR
2. Removing Boot/MBR viruses
3. Removing Boot/MBR stealth viruses
4. Removing file viruses
5. Anti-virus software review
D. On-going debate of different views on viruses.
1. Debate on viruses made for the hell of it.
2. Debate on viruses as smart weapons.
3. Debate on "good" viruses

I. Preface There have been several posts in alt.comp.virus, asking why there wasn't an alt.comp.virus FAQ. I decided that was enough and set out to start writing it. As with all FAQs it is not complete and won't cover every question, but, that's why it's open for improvement. So any thing you would like to see added, including the debates, send to: danishm@iia.org.

A. Definitions of viruses and other types of electronic "life".
1. What is a virus?

A virus is a program that contains the ability to replicate. It has the ability to spread itself through many computers. It does this by using the DOS and BIOS interrupts, generally. (other types of disk access will be discussed later and are also found in VLAD#3) It requires other programs to be able to spread, which makes it different from a worm.
2. What is a worm?

A worm, like a virus, spreads itself by replication. A worm does not require third party programs to replicate and usually spread themselves through networks.
3. What is a trojan horse?

A trojan horse does not replicate, but is substituted for another program by a user. Generally they wreak havoc on the computer when they run.
4. What is an ANSI bomb?

An ANSI bomb does not replicate either like a trojan horse, and usually does damage by remapping the keyboard using ANSI.SYS (hence it's name) to damage the computer. An example would be, an ANSI bomb remaps the letter A to 'FORMAT C: /U /AUTOTEST' or 'ECHO Y:FORMAT C:'.
B. Discussion of programming techniques.

1. Run-time .COM infecting viruses.

In this FAQ I will only cover .COM file infection because it is very easy for the beginner. Run-time viruses are run before the program and search for new .COM files to infect. If they are of great size it can slow down the execution of a program and thus warn the user. In theory run-time viruses are extremely easy, but in practice occasionally will produce problems...depending on how you're doing it. Overwriters are simple and easy to spot, they overwrite the program:

Before infection:
{ Program }
After infection:
{ Virus }m }

Non-overwriters, or appenders, are a lot better in that they don't destroy programs that they infect:

Before infection:
{ Program }
After infection:
{ V rogram }{ irus P} ^----------------^

As you see the virus replaces the first few bytes with a jump to the virus code. After the jump the virus replaces the original code in it's proper spot, ONLY in memory. Then the virus does it's stuff and jumps back to the beginning of the program and the program runs as nothing had happened. At least that's what supposed to happen. Some programs may cause problems, but that is the exception, not the rule.

2. Memory-resident .COM infecting viruses.

Memory-resident viruses are much better than their run-time kin because:

1. They don't cause sluggish delays caused by searching and writing before the file is run. 2. They have a wider reach. 3. They can be smaller sometimes. 4. They can hide their code and increases in files in a DIR listing.

Plus much more. More knowledge is required however to write one, but that is obvious and I will attempt to write a guideline (no code) to go by when writing one.
First thing it should do is check for a previos installation. This can be accomplished by making up a value for AX and checking for it in your handler.
Next memory reservation is required, this involves freeing up some memory because .COM files get everything when run, then allocating some memory for your code. Changing the value in MCB:0001h to 0008h will make that memory resident. You can also decrease total conventional memory and put your code up th7ere.
Next you must move your code to that segment, wherever it may be, in a MCB-controlled segment or top of memory.
Next you must point your interrupts that you are hooking to your code in the segment that you reserved.
Then restore control to the host program. The interrupt handler is pretty straightforward, but for a better description, refer to another source.

3. Alternate infection methods.

The appending method of infection is not alone. Many other methods are available including putting the virus first:

Before:
{ Program } After:
{ Virus }{ Program }

Another is to put the jump in another location, such as to search for one in the program:

Before:
{ Program } After:
{ ProgVam }{ irus R} ^-----------^

4. Other tips & tricks.

Everyone wants their virus to be undetectable and efficient, so here are a few tricks I picked up, along with references from where I got them.

mov di,0101h ; If mov di,0100h TBSCAN detects it
dec di
push di
ret
; (from VLAD)
mov cx,word ptr [bp+old3] ; Alternate way of detecting .EXE files
add cl,ch
cmp cl,167
je close
; (from VLAD)
lea si,[bp+old3] ; Combines move of original 3 bytes and the
mov di,0101h ; jump back to 0100h
dec di
movsw
movsb
push di
ret
5. FTP sites and IRC bots.

Here are a few FTP sites that have virus-related stuff:
ftp.netcom.com/pub/br/bradleym
ftp.netcom.com/pub/sb/sbringer
aql.gatech.com
ftp.iia.org/pub/users/danishm (Contact me for access to virus area)
Here are a few IRC bots that carry virus stuff:
LamerBot Krauser MFM-II Bot_m
Most of the bots can be found on channel #virus
C. Virus removal and anti-virus software.

1. The _Correct_ way to use FDISK /MBR.

We've had people suggesting FDISK /MBR to people with MBR infections but often they don't mention the problems that can come about from using it. FDISK /MBR rewrites the Master Boot Record to the basic minimum the machine needs to operate. If you have DriveSpace, Stacker, or any other type of utility that installs itself in the MBR, and you FDISK /MBR your disk, you could lose all of your data because the proper programs are not loaded. If that is the case find a good AV program such as F-PROT and use it instead. In fact it always is a good idea to find a different alternative rather than FDISK /MBR.

2. Removing Boot/MBR viruses.

To determine that this is a virus that doesn't encrypt the original Boot/MBR, boot from a CLEAN floopy disk and try and access the hard disk. If you can't, it's a stealth virus and refer to the next section on Removing Boot/MBR stealth viruses. If you can and there is no programs like Stacker loaded in your original Boot/MBR then it is ok to use FDISK /MBR, SYS C:, though it is recommended that you use AV-software instead. If you do need get back the original, either extract and disassemble the Boot/MBR, contact the author of the virus, or if that frightens you, get some AV-software to remove it.

3. Removing Boot/MBR stealth viruses.

Refer to section 2 to find out if the virus is stealth. This method will NOT work with non-stealth viruses, and is not guarenteed to work. Make a program to extract the Boot/MBR. Then reboot your machine from the infected hard disk and run the program. It should return the original Boot/MBR. After this copy it to a disk that is NOT a boot disk. Now you have a copy of your original Boot/MBR and you now can replace the Boot/MBR of your hard disk with the original Boot/MBR. I will let you go about the coding by yourself though I will be glad to send you files to do it. If you are afraid of permanently destroying your hard disk, get some AV-software to do it for you.

4. Removing file viruses.

Before removing file viruses, boot from a clean disk. Now you may go through with DEBUG and see if there is a jump at the beginning to almost the end of the file it may be infected. Disassemble the point where it jumped to, and see if the code resembles virus code. If it does, attempt to look for the original few bytes. If that prospect frightens you or you don't want to bother searching each file, get AV-software to check them for you.

5. Anti-virus software review.

I have prepared a review of anti-virus software from what I have gathered in my journeys throughout the internet.
Central Point Anti-Virus (CPAV) - Isn't very good, but at least is original, MSAV rips off most of it.
Microsoft Anti-Virus (MSAV) - Is horrible, besides the fact it rips off CPAV.
Norton Anti-Virus (NAV) - Not very good, though it gets good ratings from magazines and stuff because of it's user interface, all graphical.
McAfee ViruScan (SCAN) - An ok scanner, better than CPAV, MSAV, and NAV, but not the best.
ThunderByte Anti-Virus (TBAV) - An awesome scanner, it's capabilites with unknown viruses are astounding.
F-Protect (F-PROT) - I have never seen a better scanner, it combines heuristic capability (detecting unknown viruses) with an excellent scanning and removal facility.

D. On-going debate on different views on viruses.

1. Debate on viruses made for the hell of it.

-Nothing-
2. Debate on viruses as smart weapons.

-Nothing-

3. Debate on "good" viruses.

-Nothing-

Subject: Alt.comp.virus FAQ From: danishm@iia.org () Date: 10 Feb 1995 12:38:32 GMT Message-ID: <3hfmo8$21f@ankh.iia.org>