-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=                                                         =-=-=-=-
-=-=-=-=              An few ideas for viruses                   =-=-=-=-
-=-=-=-=                                                         =-=-=-=-
-=-=-=-=                     Kalkin/EViL                         =-=-=-=-
-=-=-=-=                                                         =-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


  These are difficult times for us, viruswriters. No, I don't mean
the cops, society or the press. I mean the process of writing a virus.
Yes, there are tons of materials about this subject and quite some
people who can help, but that's usually by a technical problems.
What if you want to do something radically new? It's actually not
so easy coz everything has already been done: polymorphic macroviruses,
ACCESS infection, LINUX-viruses. You can realize some parts of the
virus in a never-seen-before way, but these parts are mainly only some
solutions to some x technical problems. But you want to do something
NEW and INTERESTING, something like the spying virus from CodeBreakers
or the payload of CIH. Maybe this article will help you.


.LNK and/or .PIF infection

Maybe this has already been done, but I haven't heard about it (on the
other hand, I'm not too informed about what goes on in the scene).
Anyway, if it's so then the credit goes to the one who had this idea.

Like you all know .LNKs are small link files, so called shortcuts,
that were presented with Windows 95 (in Microsoft's OS world) and
should eliminate the need to copy one program into several folders.
.PIFs are basically the same, just they also contain usefull loading
information and are for DOS programs. Both formats contain the path of
the original program. It wouldn't be hard to replace this path with
the path to our infected file, which would execute after it's actions
the real program. This would be like some kind of companion virus. It
would be even better, coz how many AV programs check for changes in
.LNK/.PIF files? Another plus is that this infecting method basically
works on every OS where are .LNKs (LINUX for example). The only problem
is that a virus which uses just this method of infecting won't spread
to any other computer (it will "travel" only if somebody for some x
reason copys our file to another PC). But this method can be used to
increase the change of executing the virus, especially in the case of
runtime viruses.


Alias "infection"

This idea is based on the previous one and works on DOS (under 4DOS
and NDOS) and *NIX systems (I think). A virus could set some aliases
to itself and after infecting some files execute the original
program.


Name changing

What if a DOS virus hooks INT 21h, saves and then changes the name
(set by exec, found by findfirstfile) to the name of an infected file
(in memory)? The infected file would be executed, copied to disk,
included in a ZIP archive. If the proper code is included then this
viralized item wouldn'd be opend for editing (the real one would). The
same could do a WIN virus. And this method is better for spreading than
the above two.


Infection of format programs

This idea was originally by MiKE The Hacker/TPT Gang and describes
a hybrid virus, that infects formatting programs and modifies them
so that they put the same virus on the bootsector of formatted disk.
This would be better then just a bootsector-infector, coz you can't
get rid of the virus by re-formatting the disk (atleast with this
formatter). Reboot won't help eighter. This idea can be enhanced:
infecting of CD writing programs, so that an AUTORUN.INF and an infected
file would be written to CD. It should be a little bit easier (no need
for a hybrid virus) and also better, coz there's no way you can get rid
of the virus on CD (unless you're burning CD-RWs). Disadvanages: not
too few formatting/CD-burning programs exist.


Intel Pentium Pro fucking

I came to this idea when I was surfing through Ralf Browns Interrupt
List. There's written, that by using interrupt 15h and seting AX to
D042h it's possible to install a microcode patch into the Pentium
Pro processor. I haven't checked this and have no idea how much
can the patch effect the CPU, so I don't know if the proper code will
really fuck the processor or will it do nothing. It's too bad that
there aren't so many Pentium Pros around, coz there seems to be CIH
potetial.


"Collection" viruses

This idea was inspired by GriYo/29A's SIMBIOSIS project. If you don't
know what it is then: it outputted a polymorphing virus on an Internet
worm that contained SMTP engine. A so called collection-virus is a
virus (or worm) that contains several (let's say 5) viruses which will
be released in a random order.


"Part-upgrading" viruses

Those viruses would have a "serial number" about every part of itself:
the procedure of finding files, polymorphing engine, infecting part.
When now such a virus would "meet" another part-upgrading-virus, it
would check all serial numbers and if some of them are newer than it's
own, it would copy the updated procedure to itself. But when it finds
a part that it doesn't have then the virus would copy the part to itself
and add a call or jump to it. So basically those viruses expand themselves.
A direct action COM infector could for example add to itself parts to
go TSR and infect EXEs.


Quotating viruses

It's a lame and not new idea. Such a virus would as payload display
quotations of some famous person. For example Sokrates's. The good
thing is that there are MANY people who have said something (I never
said it should be something smart or meaningfull).


Intro/demo viruses

I don't mean here product demos, but graphics demos like they are
presented on demo-parties and compos (check http://www.hornet.org to
get the picture). Intro-viruses would play such videoeffects as
payload. Advantages: usually small size, nice, different (what do you
think, will people remember better a lame textmode "Infecto-ViruZ" in
black and white or a "IntroVirus" in 24 bit colours companioned
by breath-taking-beautiful moving clouds?)


Simulating anti anti-virus viruses

Most viruses today have retro abillities, but I'm talking about a virus,
that is specially coded to destroy anti-virus programs. It would turn
off resident AV monitors, install troyans in anti-viruses (*.AVC and
TBSCAN.DEF infection). It would also overwrite part of AV programs by
installing itself in them and then simulate that the AV scans. There
are several viruses that patched the "File system" status on TbScan's
output to hide the fact that it suddenly used DOS services to read the
disk. A SAAV virus would for example execute the graphics procedure to
display message "Scanning for known viruses in memory" by F-Prot/DOS
but then just wait for some time. It would use the necessary procedure
to bring up the scanning window, display filenames and instead of checking
infect them. Or for example display "Checking partition table" by
ThunderByte Partition (created by TbUtil) and check nothing. It could
be like the real AIDS, which doesn't kill, it just destroys the immunity
system and makes the way free for other deseases. It doesn't take much
code to do so, just some small patches. The problem is how the virus
finds what to patch coz AV companies would change the inner structure
of the program with every new version. At this moment the fact, that
most AV programs don't let to encrypt/compress themselves (coz of the
CRC check), comes real handy.


Simulating viruses

Based on the above idea these viruses would install themselves in some
specific programs and then simulate. One example could be PGP (so
that the signature is always GOOD, and goodbye to trustfull software). It
could also be one virus that patches several products.


"Expensive" viruses

It's actually a image of what happened here in Estonia: quite some
Internet users recived a file called Estonia.Exe This was a SFX ZIP
and contained a client program for some sex-server. Anyway, after
executing the program did also some other things and as a result
the PC began to connect to Net through a Malaysian (if I remember
correctly) server, which had quite high prices. Nobody knew it and
everyone was REALLY surprised when in the end of the month the telephone
bill was HUGE. There were talks that this was a virus, but most
(including specialists) don't think so. It seems that it was just a
troyan. But, this idea can be used in viruses (a good way to compromize
the lamest ISP near you).


Destroying the PC-speaker

As last a destructive payload from KUTT/TPT Gang. The idea is based on
the fact that speakers may get damaged when the music is too loud. KUTT
though that it would be interesting if a virus did that to PC-speaker:
generate a high and loud sound and play it quite some time. It's probably
technically impossible to realize, but who knows? An enhanced version of
this idea is to damage the speakers that are connected to the sound card.
This should actually be more realistic, coz usually the hardware of a
sound card is capable of that and the speakers aren't made for this
situation.

You are viewing proxied material from gopher.altexxanet.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.