💾 Archived View for spam.works › mirrors › textfiles › virus › deth001.rot captured on 2023-06-16 at 21:02:12.
-=-=-=-=-=-=-
******************************************************************************
*                                                                            *
*                 / Megadeth's Guide to Virus Researching \                  *
*                 <                Part I                 >                  *
*                 \      A .ROTing [DeTH] Text File       /                  *
*                                                                            *
******************************************************************************
By: Megadeth
I. What you need for virus Research
^^ ^^^^ ^^^ ^^^^ ^^^ ^^^^^ ^^^^^^^^
To do any research or testing on viruses it is wise to have the following:
- The latest version of VSUM
- The latest version of F-Prot
- Turbo Assembler (MASM will do though)
- Central Point Backup
- 40Hex Magazine, NukE Infojournals, and other virus publications
- Dark Angel's Phunky Virus Writing Guide (for virus writing)
- ASSIGN.EXE for MS-DOS 5.0 or SUBST.EXE for DR-DOS 6.0
- MIRROR.EXE - for use with trojans
- Norton Utilities
- A virus or trojan
- X-Tree Pro Gold, or another DOS shell that lets you see and edit hex code
Virus research is very risky. You can learn a lot about programming and
the behavior of viruses, but you can also trash your system if you're not careful.
Here is how to research a virus.
][. Researching a Virus
^^^ ^^^^^^^^^^^ ^ ^^^^^
The first thing you do with a file that you believe is infected with
a virus is scan the program with F-Prot. It's good for picking out the
individual strains of viruses. Use the Secure Scan and then the Heuristic Scan
if the virus is not identified. Once you have the name of the virus
you can look it up in VSUM. If it's not detected as a virus, then look at the
file's hex code with a hex viewer. Look for strings at the end of the infected
file. These are sometimes messages, text with the name and author of the virus,
or a string like *.COM and/or *.EXE. The *.COM and *.EXE are the files it infects:
if you see *.COM and not *.EXE in the file, then you know it only infects
.COM files. If you got the virus from a virus board, there are sometimes
text files written by the author on what the virus does. If you don't see any
strings in the virus, there is a good chance that the virus is encrypted.

You can also see what the virus does when activated. Run ASSIGN.EXE to make
all calls to your hard drives go to a virus test floppy. Make sure you have
the virus and some *.COM and *.EXE files for the virus to infect. Then run the
program with the virus. If the virus infects files only when an infected file
is run, then you know that the virus is not resident in memory. If the virus
infects files every time an uninfected program is run, then you know that the virus
is active in memory. Look for file size changes and changes in the file times.
ASSIGN only redirects DOS drive letters, so a virus that writes through the BIOS
directly can still reach the real drive. If you ever see the hard drive light go on,
turn off the computer right away; don't use CTRL-ALT-DEL as it might have been
deactivated. After you think the other files on the disk are infected, take out
the virus test disk, then turn the computer off. This is important since some
viruses may live through a CTRL-ALT-DEL. Then, when your system is booted from the
clean hard drive, scan the files again, and take a look at the hex code and compare
it to the original uninfected files. Format the disk when done.
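The two checks above, reading the strings at the tail of a suspect file and comparing the test disk before and after the suspect program is run, can be automated. The following Python script is an added example written for this guide, not code from the original text file or from any of the tools it lists. It stands in a throwaway directory for the virus test floppy, fills it with constructed sample files, appends a constructed marker body to one of them while restoring that file's timestamp, and reports what changed. All file names and bytes are constructed for the demonstration.

```python
# Added example (not from the original text file): automate the tail-string
# check and the before/after comparison of a virus test disk.
import hashlib
import os
import re
import tempfile

# Runs of four or more printable ASCII bytes, the "strings" the guide says to look for.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def tail_strings(data: bytes, tail: int = 512) -> list:
    """Printable strings in the last `tail` bytes, where an appending virus keeps its body."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data[-tail:])]


def static_hints(data: bytes) -> dict:
    """Clues from the file body alone, without running it."""
    strings = tail_strings(data)
    # extension wildcards named in the body hint at which files the code looks for
    targets = [ext for ext in ("*.COM", "*.EXE") if any(ext in s for s in strings)]
    return {
        "strings": strings,
        "targets": targets,
        # no readable strings in the tail is the guide's sign of an encrypted body
        "possibly_encrypted": not strings,
    }


def snapshot(root: str) -> dict:
    """Record size, whole-second mtime and SHA-256 of every file under root."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(path)
            snap[os.path.relpath(path, root)] = (st.st_size, int(st.st_mtime), digest)
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Describe every file whose content changed, appeared or vanished between snapshots."""
    report = {}
    for rel, (size, mtime, digest) in after.items():
        if rel not in before:
            report[rel] = "new file"
            continue
        old_size, old_mtime, old_digest = before[rel]
        if digest == old_digest:
            continue  # identical content, nothing to report
        notes = [f"size {old_size}->{size}" if size != old_size else "same size"]
        # content changed but the timestamp did not: the infector put the file time back
        notes.append("time changed" if mtime != old_mtime else "time preserved")
        report[rel] = ", ".join(notes)
    for rel in before.keys() - after.keys():
        report[rel] = "deleted"
    return report


def demo() -> dict:
    """Constructed walk-through: a clean 'test disk', then one file gets a body appended."""
    with tempfile.TemporaryDirectory() as disk:
        for name in ("CLEAN1.COM", "CLEAN2.COM", "TOOL.EXE"):
            with open(os.path.join(disk, name), "wb") as fh:
                fh.write(b"\xc3" + bytes(64))  # RET plus padding stands in for a program
        before = snapshot(disk)

        # Stand-in for running the suspect program: append a constructed body carrying
        # a "*.COM" wildcard and a message, then put the original timestamp back.
        victim = os.path.join(disk, "CLEAN1.COM")
        old = os.stat(victim)
        with open(victim, "ab") as fh:
            fh.write(b"\x00" * 16 + b"*.COM\x00Demo marker text")
        os.utime(victim, (old.st_atime, old.st_mtime))

        after = snapshot(disk)
        with open(victim, "rb") as fh:
            hints = static_hints(fh.read())
    return {"changes": diff_snapshots(before, after), "hints": hints}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Take the "before" snapshot from a clean boot, run the suspect program on the test disk as the guide describes, then snapshot again from a clean boot. A changed hash with a preserved timestamp is the case worth flagging, since checking file times alone would miss an infector that restores the file date.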
That is a quick explanation of how to research a virus. There are more
ways than this and they will be covered in future text files. Another tip
is to regularly back up your system and keep multiple backups in case
a set of backups is infected.
IV. In Future Files
^^^ ^^ ^^^^^^ ^^^^^
These are topics that will be covered in future text files:
- Researching trojans.
- Researching boot sector viruses.
- Recovery from a virus outbreak.
- Tips on how to keep systems from getting infected.
- Understanding the behavior of viruses.
- Researching virus creators like VCL, PS-MPC, and G².
I can be contacted on many boards in the 708 area code, including the
Hell Pit. Any suggestions would be very helpful. Greets to PHALCON/SKISM,
[NukE], Dark Angel of PHALCON/SKISM and The Nowhere Man of [NukE], and the
Dark Avenger, who are, in my opinion, the most talented virus writers around.