Mail Archives: djgpp/1995/12/22/18:05:16
> > Hmmm, virus people are shit. But.... Does anybody have code for one (no,
> > i'm not the sack that does it, I just wanna know how it's done, I will
> > leave it at code)? I'd like to know how they work. If anybody could send
> > me some code/explain how they work i'd be much obliged.
I think viruses are pretty shitty ways of expressing one's
thoughts. However, it just so happens that I do have the asm source
for the Michaelangelo virus (you know.. the one that reformats your HD
or messes with the partition table or something on like April 18th). I've
been trying to teach myself assembly, and was told that looking at virus
source is actually a very educational process. Email me if you want it..
I'd really rather not send it out over the whole list, A) because it's
rather long, and B) it isn't a good idea to send around virus code, just
because you never know..
> Weeelll, I don't have any code, but I've read tonnes about
> 'em. They generally have to be in assembler for PCs, because an EXE
> file is a very 'secretive' format (hard to hack apart, as opposed to
> Acorn Archimedes programs, which are directories full of various
> executables to do different things, and thus you can write Arc
> viruses in BASIC!).
This is true, although there have been plenty viruses that were written
in other languages.. I mean the AIDS virus was written in Turbo Pascal.
Then again it's 12K and hooks int 0x21, which is like holding up a bright
red flashing sign saying "I AM A VIRUS!" BUT, writing a virus with a
protected-mode compiler would be quite a trick, I gotta say.. Chances
are (although I could be totally wrong), it's damn near impossible.
> The general plot for infection is thus: (At this
> point in time, the virus has alloced a block of memory and is living
> in it, hooking the exec interrupt. When a request to execute an .EXE
> appears...) The virus first of all takes the first few bytes of the
> program and remembers them. Next, it overwrites said bytes with a
> JUMP instruction to the end of the program. Next, it appends itself
> to the executable image, where the JUMP points to. This is a direct
> copy of the code in memory. The first part of the virus writes the
> stored bytes back to the front of the program image in memory - when
> the program is executed, it jumps straight to the virus code, and
> this step puts the program back as it was. The virus code allocates
> some memory, puts itself in there, hooks the exec interrupt, and
> JUMPs to the beginning of the program, which executes as normal...
> Extensions to this involve having the first thing the virus does is
> to decrypt the rest of itself with a key stored inside itself - when
> it infects a new .EXE, it randomly chooses a key, encrypts with it
> as it writes itself to disk, and stores the key in the .EXE. And it
> gets a lot more ingenious (Stealth, etc...)
There are lots of other ways viruses work as well. Some just entirely
overwrite the file, which makes them easy to get rid of, but their
damage is unreversable. Others find .EXE's and copy themselves into a
file with the same 8 character base and .COM, because dos will always
execute the .COM if it finds, say, program.exe and program.com. Again,
these are easy to detect and destroy. But even these "simpler" viruses
which don't actually modify an executable file but rather overwrite it
or just create an entirely new file can't really be written in
protected mode. Besides, anybody who tries to right a virus in any
language with any compiler for any platform or any OS deserves to get
dragged out at three in the morning and shoved onto a bed of hot coals.
Justin
- Raw text -