VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Virus Payloads - History and Payload Mentality

DCA E-zine #1 (html)
September 2004

[Back to index] [Comments]

Damage is not the single way to provoke pain!


Through time, virii had been designed for a purpose. This purpose has been often fullfilled by their payloads,ranging from an annoying system notice to destructive,high damage provoking data losses. One thing is certain: payloads many times are a symbol of the coder's attitude versus virii and regarding coding technique itself. There is no good purpose to format 1000 innocent hdds, neither good purpose to submit your hard study and work to AV, to give them more money.

History? Nah..

It all started in 1986. Basit and Amjad had realised that a floppy disk contains a boot sector where certain instructions in the format of executable code could be inserted and they would be run at every system startup if the disk was inside drive A(the default floppy drive). They tried to take advantage of this and created code that upon startup copied itself to every disk in the system. The called this a "virus". It could spread only on 360kb floppy disks.

This virus was first discovered in 1987 when the University of Delaware realised they where infected with this virus, as all their disks had the volume label "Brain", harmless yet truly confirmed as one of the first virus payloads. This is all it did - copy itself and put a label on all floppy disks.

Also in 1986, Ralf Burger discovered that files could be in such a whay crafted to copy themselves and "infect" other files. His demonstration code of this concept was named "VIRDEM" and was first publish in the Chaos Computer Club meeting that took in the same year, December. VIRDEM had been programmed to copy itself to any COM file. Again. the payload is pretty much harmless.

Meanwhile, in Viena, the world's first mentioned virus to be dissasembled was starting to spread. Franz Swoboda became aware of this and made a lot of media fuss about it. This came back at him. "The COM Infector" Ralf Burger declared he had a copy from the "Charlie Virus" from Swoboda, ofcourse wich Franz denied. Media wars arround virus writing and spreading where starting to take birth.

Not at all "unimportant", in the US, Fred Cohen had programmed the first recognised worm, wich spread further and faster than even he could imagine at that time. While at the university of Lehigh, Cohen met Ken van Wyk, the author of a very unsuccessfull and damaging virus: "Lehigh"(yes, its the name of that place :) The virus didnt manage to spread very far because it did a lot of damage to its host only after 4 infections, beeing designed to spread only by COMMAND.COM.

Same year, in Tel Aviv, Israel a programmer had experimented Suriv-1 (virus spelled backwards), a memory resident com-infector. unlike the Viena virus wich used a non-TSR technique, Suriv-1 had much more chance of spreading because of its capability of infecting any .COM from all disks and directories. Shortly after Suriv-1 came Suriv-2 wich was the world's first .EXE infector. Ofcourse, Suriv-3 was coded and could handle both COM and EXE infections. After gathering all this experience, Suriv series author coded the Jerusalem virus wich made it pretty much into the wild. Its payload was pretty original: every friday the 13th, instead of infecting files that are run it deleted them. Ofcourse, friday the 13th are not a common day so most of the time it was a non-destructive virus.

While all this was going on, a young student at the University of Wellington, New Zealand, had found a very simple way to create a very effective virus. One time in eight, when booting from an infected floppy, it also displayed the message 'Your PC is now Stoned', hence the name of the virus -> "Stoned".

But also in 1987, a German programmer was writing a very competent virus, the Cascade, so called after the falling letters display that it gave. Cascade used a new idea - most of the virus was encrypted, leaving only a small stub of code in clear for decrypting the rest of the virus. The reason for this was not clear, but it certainly made it more difficult to repair infected files, and it restricted the choice of search string to the first couple of dozen bytes. This idea was later extended by Mark Washburn when he wrote the first polymorphic virus, 1260 (Chameleon). Washburn based Chameleon on a virus that he found in a book - the Vienna, published by Burger.

1988 was fairly quiet, as far as virus writing went. Mostly, it was the year that anti-virus vendors started appearing, making a fuss about what was at that time only a potential problem, and not selling very much anti-virus software.

In March of 1989, a minor event happened that was to trigger an avalanche. A new virus was written in Holland. A Dutchman calling himself Fred Vogel contacted a UK virus researcher, and said that he had found this virus all over his hard disk. He also said that it was called Datacrime,and that he was worried that it would trigger on the 13th of the next month.

From the diassembly of the virus, it was found that on any day after October 12th, it would trigger a low level format of cylinder zero of the hard disk, which would, on most hard disks, wipe out the File Allocation Table, and leave the user effectively without any data.

It would also display the virus's name, Datacrime virus. A straightforward write-up of the effect of this virus was published, but it was another non-memory-resident virus, and so highly unlikely to spread. This, after the very hard to fullfill day of payloads trigger from the Jerusalem virus, was again a very destructive piece of code.

The most interesting thing that I must write at this step of the article is that I am actually making a study on stuff that started to happen the year I was born, so damn it, I dont have the exact experience from those days. Also, on thing was rather funny in those days: while western Europe and the State where striving for fighting with a couple of virii, in Bulgaria and Russia big things where happening :)

So, by 1990, it was no longer a matter of running a couple of dozen search strings down each file. Hehe... the game was getting a bit(or byte) more complex. To detect this virus, it was necessary to write an algorithm that would apply logical tests to the file, and decide whether the bytes it was looking at were one of the possible decryptors.

Ah.. and good old Virus Buleting was up and running at that time as a newsletter, mostly representing a rather uptodate and reliable scan-string source for major companies.

1990 was the time for "Dark-Avenger" viruses. They introduced the concept of "fast spreading" i.e. the simple opening of a file for reading would trigger the viral infection of that specific file, rendering the entire hard disk very soon infected. Also 1990 was the time for the first virus exchange BBS (NO, it was NOT named blackgate hehehe ... ). This BBS was hosted in Bulgaria. The rules where simple: upload a virus and you can download one. Upload a new virus and you had full access to the whole BBS file system and messaging boards.

1991 brought polymorphism. Symatec shit launched NAV crap in December 1990 and this was soon followed by many more AV products wich die as fast as they appeared. in April of 1991, Tequila burst upon the world like a comet. It was written in Switzerland, and was not intended to spread. But it was stolen from the author by a friend, who planted it on his father's master disks. Father was a shareware vendor, and soon Tequila was very widespread. This virus used full stealth when it installed itself on the partition sector, and in files it used partial stealth, and was fully polymorphic. (for those in need -> A full polymorphic virus in one for which no search string can be written down, even if you allow the use of wild cards).

As a great technique, january 1992 was the time for MtE (self mutating engine). Its author was Dark Avenger, Bulgaria. Dark Avenger was the man that released many other code examples on BBS with the hope to get virus writing on the whay, code that often had inovative tehcniques, combined with great ease of use.

Probably the greatest event of 1992 was the great Michelangelo scare (muhahaha). One of the American anti-virus vendors forecast that five million computers would go down on March the 6th, and many other US vendors climbed on to the bandwagon. On March the 6th, between 5,000 and 10,000 machines went down and people could see the first large scale virus damage effect. Its payload was a complete success! The reaction to the Michelangelo hype did a lot of damage to the credibility of people advicating sensible antivirus strategies, and outweighed any possible benefits from the gains in awareness.

In August 1992, we saw the first serious virus authoring packages. First the VCL (Virus Creation Laboratory) from Nowhere Man, and then Dark Angel's Phalcon/Skism Mass-Produced Code Generator. These packages made it possible for anyone who could use a computer, to write a virus. Within twelve months, dozens of viruses had been created using these tools. (maiby this is how kiddies appeared, who knows!?)

one of the first organised groups of coders was ARCV in England. (Association of Really Cruel Viruses) was tracked down during 1992 and its members busted. During 3 months of activity they coded a few dozen virii and attracted some skilled members.

Towards the end of 1992, the US Government was offering viruses to people who called the relevant BBS. (Hello? is this the president's office ? Yeah! Can i have a copy of MtE? Tks! :)

Phalcon/Skism was not to be left out. Dark Angel released DAME (Dark Angel's Multiple Encyptor) in an issue of 40hex; a virus called Trigger uses this. Trident released version 1.4 of TPE (again, this is more complex and difficult than previous versions) and released a virus called Bosnia that uses it.

The most important thing is that the main events of 1993, were the emergence of an increasing number of polymorphic engines, which will make it easier and easier to write viruses that scanners find difficult to detect.


That was just a piece of history to show all of the new commers how it was back then. I never caught that time, but I like to speak of it from what the "old coderz" say.

In the present..humm... in the present we can see many new virii each day, mostly rip-offs and rarely some "good work" that can be credited. First of all, it is clear that the payload mentality has drastically changed. We do not have any more "Gimme cookie" - type viruses (where you had to type "cookie" severeal times in order to save another file from infection/deletion) and so on. It is really sad. Why? First of all because not every virus writer knows how that age was.Today mostly there are 15-17 year olds that study programming and start coding. But GOD! They dont know nothing about the ethics of it, about the thrill and excitement and about the mentality!

Heh, now I am thinking about Knowdeth's BBS. Yes! That is the kind of stuff the scene needs : united coderz, a motivation (knowledge sharing) and tons of productive work, in a really underground style (aka fuck IRC damn it!).

Ofcoure, the old times where also full of destructive paylods wich cant be used any more today because of... too much destruction criteria. Just think about a worm like Blaster or Sasser.. what if they dropped some time bomb that formatted your disk in Hard Drive Killer style ha ? Pretty simple.. Also if such a virus was specially crafted to hit a specific network (Nuclear Power Stations or Aiport Control towers).

This type of stuff can cause havoc, serious damage and can even lead to loss of human lifes (affected emergency services etc)

So for the present : people should learn to code and then as a must-have for their skills database ... please understand what a code of honour is all about, what hacking is all about, what coding is all about and what is it like to explore and to wish to get past even through the last of the digital blocades! :)

Its all about knowledge in the end... once a good friend said : "Change your thought and the world arround you changes." I say to him now: Study, code, and live your life! If you take it too seriusly, you will never get out of it alive!


I dont want to talk about future. At the speed when today you need 512RAM and tomorow 1GB is slim I think it pretty much dull to be thinking of digital future. I hope to be able to see how media opinion will develop and how it will be like for security concerned people (hackers,phreakers,coderz etc you name it). Hehe... damn this all reminds me of this:

("You mays top this individual, but you cant stop us all... after all, we're all alike.")

(+++The Mentor+++)

Thats it for now. Dont forget to not change your attitude after reading this. I dont wanna change nobody. Just get to know some things and maiby you will just... act accordingly! Nothing much... ;) Peace!

                              |           |\       
                              |           | \        
                              |           |__\    I give peace to all the people
                              |               |   that know me and supported my
                              |File infected  |   work through hard times.
                              |               |   You know who you are, I will
                              | by Rott_En /  |   always be there for you!
                              |               |
                              | Dark Coderz   |
                              |  Alliance     |   rottenvx [at] phreaker [dot] net
                              |               |
                              |               |   Cheers!
[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka