Date: Fri, 22 Dec 1995 20:10:23
From: "Alaric B. Williams"
Reply-To: DJGPP AT abwillms DOT demon DOT co DOT uk
To: smcdonal AT pcug DOT org DOT au, DJGPP AT sun DOT soe DOT clarkson DOT edu
Subject: Re: Natas
Lines: 43

In your message dated Wednesday 20, December 1995 you wrote :

> Hmmm, virus people are shit. But.... Does anybody have code for one (no,
> I'm not the sack that does it, I just wanna know how it's done, I will
> leave it at code)? I'd like to know how they work. If anybody could send
> me some code/explain how they work I'd be much obliged.

Weeelll, I don't have any code, but I've read tonnes about 'em.

They generally have to be in assembler for PCs, because an EXE file is a very 'secretive' format (hard to hack apart, as opposed to Acorn Archimedes programs, which are directories full of various executables to do different things, and thus you can write Arc viruses in BASIC!).

The general plot for infection is thus:

(At this point in time, the virus has alloced a block of memory and is living in it, hooking the exec interrupt. When a request to execute an .EXE appears...)

The virus first of all takes the first few bytes of the program and remembers them. Next, it overwrites said bytes with a JUMP instruction to the end of the program. Next, it appends itself to the executable image, where the JUMP points to. This is a direct copy of the code in memory.

The first part of the virus writes the stored bytes back to the front of the program image in memory - when the program is executed, it jumps straight to the virus code, and this step puts the program back as it was. The virus code allocates some memory, puts itself in there, hooks the exec interrupt, and JUMPs to the beginning of the program, which executes as normal...

Extensions to this involve having the first thing the virus does be to decrypt the rest of itself with a key stored inside itself - when it infects a new .EXE, it randomly chooses a key, encrypts with it as it writes itself to disk, and stores the key in the .EXE.

And it gets a lot more ingenious (Stealth, etc...)

Regards,

ABW

--
Alaric B. Williams (alaric AT abwillms DOT demon DOT co DOT uk)

"A man walks into a bar, right, and he goes 'ouch' coz it's an iron bar"
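The infection sequence described in the message above (first bytes replaced by a JUMP to appended code, which later jumps back to the program's start) leaves a pattern a scanner can look for. The following heuristic is an added example written for this archive page, not code from the original poster; it assumes a flat code image loaded at CS:0100h (the DOS .COM layout) and an x86 near JMP (opcode E9h), and the sample images are constructed padding, not real programs.

```python
"""Heuristic check for the 'entry JMP into appended code' pattern.

Model (an assumption, not from the original post): a flat code image loaded
at CS:0100h as a DOS .COM program is; the first instruction is examined for a
near JMP (opcode E9h, signed 16-bit displacement).
"""
import struct

LOAD_OFFSET = 0x100  # load address assumed for the flat image model


def decode_near_jmp(image: bytes, off: int):
    """File offset targeted by an E9 near JMP at `off`, or None if not a JMP."""
    if off + 3 > len(image) or image[off] != 0xE9:
        return None
    rel = struct.unpack_from("<h", image, off + 1)[0]
    target_ip = (LOAD_OFFSET + off + 3 + rel) & 0xFFFF  # next IP + displacement
    return target_ip - LOAD_OFFSET


def appended_block_returns_to_entry(image: bytes, start: int) -> bool:
    """True if any near JMP in image[start:] lands back on offset 0 (the entry)."""
    return any(decode_near_jmp(image, o) == 0 for o in range(start, len(image) - 2))


def assess(image: bytes, tail_fraction: float = 0.25) -> dict:
    """Flag an entry JMP landing in the file tail, and a tail that jumps back to entry.

    Both flags together match the sequence the post describes: the first bytes
    are replaced by a JMP to the appended code, which later returns to the start.
    """
    target = decode_near_jmp(image, 0)
    in_tail = target is not None and int(len(image) * (1 - tail_fraction)) <= target < len(image)
    returns = in_tail and appended_block_returns_to_entry(image, target)
    return {"entry_jmp_target": target, "jmp_into_tail": in_tail, "tail_returns_to_entry": returns}


def make_test_image(body: bytes, appended: bytes) -> bytes:
    """Constructed fixture: redirect the entry of `body` to the `appended` block."""
    rel = len(body) - 3  # JMP at offset 0 (next IP = 3) to offset len(body)
    return b"\xE9" + struct.pack("<h", rel) + body[3:] + appended


# Constructed samples, not real programs.
CLEAN_IMAGE = bytes([0xB4, 0x4C, 0xCD, 0x21]) + bytes(124)  # mov ah,4Ch / int 21h, padded to 128 bytes
TAIL = bytes(29) + b"\xE9" + struct.pack("<h", -(len(CLEAN_IMAGE) + 32))  # 32 bytes ending in JMP to entry
INFECTED_IMAGE = make_test_image(CLEAN_IMAGE, TAIL)

if __name__ == "__main__":
    print("clean   :", assess(CLEAN_IMAGE))
    print("infected:", assess(INFECTED_IMAGE))
```

A real EXE infector works through the header's CS:IP entry rather than the first bytes of the image, so for .EXE files the same check would be applied at the header's entry point instead of offset 0.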