
All
of the information contained in this document reflects the
thoughts and ideas of the author, not his actions. The sole
purpose of this document is to educate and spread information.
The author does not endorse any illegal or illicit action. The
author is not responsible for any information, which may present
itself as old or misinterpreted, and actions by the reader. The
sample code is provided solely for the purpose of explaining some
of the more obscure concepts discussed in prose within this
document. Any other use is neither proscribed nor encouraged by
the author of this document, or any individual or organization
that is even remotely connected with this web site. This page is
authored and maintained by Pranav Mehta
______________________________________________
There are two kinds of people - those who have suffered a virus attack and those who will.
After spending many years fiddling around with computers, I realised that there is an incredible lack of information available on the subject and misconceptions about viruses are as common as the viruses themselves. I've came across many people who for the fear of viruses wouldn't switch on their computers for a whole day; people who feared that a virus may cause their monitors to blow up; people who wouldn't go close to computers infected with viruses fearing they might catch it.
Then there is a plethora of Anti-Virus companies trying to make a quick buck - all at the expense of the ignorant user.
Hence the guide.
The objective of this guide is to educate and broaden people's view on the subject. To clear the myths and the realities and to provide a deeper understanding on how viruses actually work. This guide will take you right from what is a virus to how to write one and its anti program.
This guide is written in the hope that it will relieve the agony of those unfortunates who have had the experience of a virus attack.
So let's get on to business. First a few definitions.
A computer virus is merely a computer program that behaves much like the biological virus. It copies itself (and thus all its qualities) from one host to another so that both, the previous host and the future host get infected with the virus. The victim now becomes a potential hunter itself. The virus may or may not have a destructive payload. But it spreads.
Before we move on further, let me clear the myths first.
"Viruses Appear and Spread by Themselves"
Computer viruses as explained earlier are not living creatures. They are born in the minds of a computer programmer. Its people who write viruses. They cannot run by themselves and they cannot spread spontaneously, either. A virus cannot do anything until an infected program is executed or the computer is booted from an infected diskette.
"Viruses Can Infect Also Write-Protected Disks"
This is simply not true. Nothing can be written to on a disk that has been manually write protected either by using a tape or by using the write protect switch. Not even a virus can write to such a disk.
"Viruses Can Damage Computer Hardware"
Every now and then there are rumors about viruses which blow up monitors or break hard disks, but not a single one of these cases has been verified. Although they may cause the display to go awry or cause the computer to behave differently when some command is carried out. Viruses cannot even damage disks; just what's stored on them.
"Some Viruses Are Completely Harmless"
Most of the viruses are not designed to destroy data on purpose. Most of the viruses simply replicate themselves or may display a message occasionally. However all of them do take up disk estate without the knowledge of the user.
"Anti-Virus Programs Provide Total Protection Against Viruses"
If this is what
you believe, you're in for a big surprise. A lot claims are made
by anti viral products of being able to remove 100 % of the
viruses. Prey how? How are they going to be able to detect the
new and unknown viruses of tomorrow? what about the
"comprehensive virus protection, detection and
elemination" software that is able to "stop viruses
dead in their tracks" ? Short of performaing magic, I would
really like to know how it would stop a boot sector virus from
infecting a system; ulnless ofcourse it has found out a way to
load itself even before the partition table and the boot loader.
and if so, I would really like to know how ? 99 % of the time
maybe. But not 100 %. It is always a good idea to have the latest
copies of at least two anti virus programs.
Lets now get back to the definitions....
The FAT or the File Allocation Table, which is perhaps the most important part of the disk, contains vital information regarding the data stored on it. Any corruption in the FAT area will most likely prevent you from accessing your data properly; and as you might have guessed it, two copies of the FAT are maintained on a disk in case one of the copies gets damaged. More specifically, the FAT contains information such as what files are located on what part of the disk. It is a road map of how the operating system will locate data on a disk. Essentially, it is a series of pointers.
The BOOT SECTOR also called as the boot
record contains information that enables the computer to load an
operating system. The boot sector is the first track on diskettes
and logical disks. The information on the boot sector is always
executed every time the computer is booted.
The Master Boot Record (MBR) is located on the track zero of physical hard disks. It contains the main boot program and the partition table. Main boot record is independent of operating systems and is always executed first after the computer has performed the Power-On-Self-Test (POST). The size of a main boot record is 512 bytes. The main boot program translates the partition table, which contains information on how the physical disk is divided (partitioned) into logical entities. After this, the main boot program executes the boot sector of the active partition.
The partition table is that part of the MBR that contains information on how physical disks are divided (partitioned) into logical entities.
A Terminate and Stay Resident (TSR) program is the one, which stays active in memory after being executed.
A Trojan Horse program masquerades as a
useful utility or product but is designed to carry out some other
tasks without the knowledge of the user when you run it. If
anything software can
do, a Trojan horse can do. These are usually designed (but not
limited) to steal passwords and other such stuff. What makes a
Trojan horse different from a virus is that unlike viruses, a
Trojan horse does not replicate.
A DIRECTORY is a list of files and sub-directories. There is one primary directory called the root directory on a disk. It contains the entries for files, and other directories (called sub-directories, or folders). Sub-directories (folders) may contain entries of other sub-directories, files, or both. Every file has one entry in the disk directory (or in some sub-directory). That entry contains, among other things, the file name, date and time of creation, length, and the address of the first entry in the File Allocation Table (FAT) for the file.
Now that you have a fair grasp of the basic terms, I'll give you some information on the different types/qualities of viruses. Detailed information regarding these will be presented at a later stage.
Boot sector virus
As the name suggests, a boot sector virus copies itself onto the boot sector of disks. It replaces the original boot sector with a copy of itself and stores the original boot sector elsewhere on the disk. When a computer is started from such a disk, the virus gains the control and loads itself in the RAM. It then loads the original boot sector and everything appears normal. Note that even a non-bootable disk can have a boot sector virus on it and will get installed if you try booting from such a disk.
File viruses
These viruses
usually infect executable files with extension .exe or .com .
However as new file formats and technologies are developed,
viruses may tend to infect executable files of other types as
well. Viruses that infect overlay files like .ovl, .ovr, .sys,
.bin and .vxd are already known. Viruses that infect .bat files
are also known; though they have limited capabilities. However
the key point here is that viruses infect those files which in
some way the computer executes.
Macro viruses
These are the newest kinds of viruses to appear. Macro viruses are written with the macro "language" of application programs, such as Microsoft Word or Microsoft Excel. These are comparatively simple to create and modify. These viruses typically spread when documents are opened or saved.
I will now describe some of the methods adopted by viruses, which makes them difficult to detect and eradicate. But before that, I will explain the common methods adopted by anti virus programs to detect viruses.
Just as we all have unique fingerprints and signatures, so do viruses. A virus signature is merely a part of the virus program code that is unique to it. A typical virus scanner or more accurately a virus signature scanner scans for virus signatures that are stored in its database. If a match occurs, the virus is identified and removed. This is the oldest and also the most popular method of detection and removal. One drawback of this method is that it can only be used to detect viruses that are already known to the scanner. It cannot detect newer viruses whose signature is not stored in the virus database. If may even fail to detect modified versions of already known viruses. This requires that the user always keep his virus definitions (signature) files up to date.
Just a few years ago anti virus developers thought that they have developed the ultimate weapon to detect viruses; the method of CRC (Cyclic Redundancy Check). One inevitable feature of viral infection is that in some way or other, the victim gets modified. This fact is the key to programs that use this method. Such programs calculate a unique value (checksum) based on all the bytes or bits in a file. Although the methods to calculate the checksum are different, the general idea is the same. Every time the program scans, it re-calculates the checksum and compares it with the previously stored results. A mismatch means a that the file has been tampered with. Although this methods is not fool proof, in the sense that it possible that a file has been tampered without causing a change in the checksum, the chances of such a coincidence due to a viral infection are perfectly negligible. This method also has its own drawbacks. First, the system is required to be virus free when the checksum are being calculated for the first time. Second, such a program will detect a viral infection only after the virus has already infected the system. However the biggest blow to this method came with the advent of stealth viruses (explained later).
The third in the line of detection is the method of Heuristic scans which instead of scanning for specific viruses, scans files for "virus like behavior". Using such a method it is possible to detect modified versions of existing viruses or perhaps new viruses altogether. The problem with such a method is the chances of "false positives". This is because, if there is something a virus can do, so can a perfectly legitimate software. One advantage of heuristic scanning is that the software need not be updated as frequently.
Now, there are two methods, the above mentioned scanning techniques are implemented -- using standalone scanners and resident scanners. Resident scanners stay active in memory and continuously monitor all data. The advantage here is that it can stop a virus right in its tracks - even before it can enter the system and cause any potential damage. Such scanners take up a sizeable portion of the RAM and also degrade system performance. A Standalone scanner on the other hand, requires a manual intervention start to initiate a scan. The disadvantage of such products, however, is that, unlike prevention products, the system must actually become infected before the warning is raised.
A more detailed explanation on these is in order.
Let's start with the infection prevention products. These products are all memory resident programs that re-direct system interrupts so that I/O and other selected system activities can be monitored. The programs then filter all activity that could indicate the presence of a virus and they notify the user of a potential infection. Attempts to modify the boot sector, write to an executable program or replace a hidden file are examples of activities that would be intercepted and flagged by such programs. Generally, any activity that appears to be an attempted modification of an executable segment of the system, such as a device driver, operating system module or application program, would be filtered. These programs are the first line of defense against viruses, and if properly designed and implemented, can prevent a virus from ever getting into a system. Since they can catch a virus before it can replicate, no removal or disinfection procedure is required and the virus usually has no time to do any damage to the system. These programs are also generic in their operation - that is, they can in theory catch viruses that have not yet been developed. This is because all viruses must replicate, and it is the generic replication process (i.e. attaching to an executable segment of the system) that is monitored by such products. In general then, we can say that infection prevention products provide the advantage of stopping a virus before it can infect your system and thereby prevent the virus from spreading. They also are effective against a large class of generic viruses.
Infection Identification
Infection detection products rely on the assumption that it is advantageous to discover an infection as soon as possible after it occurs. Viruses remain in systems for months or even years prior to activating and causing system damage. During this time their only activity is replication, and they take every precaution to remain undetected. Viruses require this "unobtrusive" phase in order to have the opportunity to duplicate themselves onto other systems - a necessary step in the process of spreading. Infection detection products, then, attempt to identify an infection as soon as possible after it has occurred, thereby limiting the spread of the virus within the organization and avoiding the virus destructive phase.
Identification products are designed to identify and, in some cases, counteract specific strains of existing viruses. They are not generic in function, that is - they cannot detect or remove viruses that are not commonly known. Identification products perform two distinct functions: First, they can be used to scan a system and determine if it is infected with a given virus. Using multiple identification products (or a single product capable of identifying multiple viruses), a user can determine whether any of the more common viruses have already infected the system. This will provide a higher probability that the system is clean prior to implementing a prevention or generic detection product. Second, they are invaluable in helping to remove an existing infection from an organization.
It must be understood that each method is designed for different purpose, and is intended to be applied to different virus problem areas.
Now that you know
how scanners detect virii, I will discuss some of the methods
used by viruses to prevent detection
Encryption / Polymorphism
This method is used to beat scanners that search for virus signatures. Although the methods adopted to accomplish these vary in length and complexity, the general idea is to change the virus code with each infection so that signature detection techniques cannot be used to detect the virus.
Stealth
Stealth viruses uses a number of methods (again varying in complexity) to hide their presence. These viruses stay active in memory and usually hide their presence by falsifying the information read from the disk so that the program reading the disk receives incorrect data. It is (almost) impossible to detect or remove these viruses while they are active in memory and in most cases requires a clean boot.
It would now be a
good idea to describe in some detail some of the viruses that
made it big.
Note that the information presented here have been collected from
various sources and may be copyrighted material. They have
neither been verified for accuracy either. The copyright is
acknowledged.
Virus Name : Brain
Infects : Boot
Analysis : Data Fellows
This is the oldest PC virus known, first detected in January '86. Several variants of this virus are known, but most of them are fairly harmless. This virus is rather large and most of it is located in sectors that are marked as "bad" in the FAT.
Before this virus infects diskettes, it looks for a "signature". This makes it possible to "inoculate" against it, just by putting the signature in the correct place in the boot sector.
The Brain virus tries to hide from detection by hooking into INT 13. When an attempt is made to read an infected boot sector, Brain will just show you the original boot sector instead. This means that if you look at the boot sector using DEBUG or any similar program, everything will look normal, if the virus is active in memory. This means the virus is the first "stealth" virus as well.
The major effect of this virus is a (fairly harmless) change of the volume label. It usually becomes
(c) Brain
but one variant of the virus changes the text into
(c) ashar
One of the most interesting details regarding the Brain virus is the following text, which appears inside it:
Welcome to the
Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
BRAIN COMPUTER SERVICES
730 NIZAB BLOCK ALLAMA IQBAL TOWN
LAHORE-PAKISTAN
PHONE :430791,443248,280530.
Beware of this VIRUS....
Contact us for vaccination............ $#@%$@!!
In another version of the virus, the text looks like this:
Welcome to the
Dungeon
(c) 1986 Brain & Amjads (pvt) Ltd.
VIRUS_SHOE RECORD v9.0
Dedicated to the dynamic memories of millions of virus who are no
longer with us today - Thanks GOODNESS!!
BEWARE OF THE er..VIRUS :This program is catching program follows
after these messeges..... $#@%$@!!
These messages
have led to considerable speculation regarding the possible
author(s) of the virus.
Virus Name : Murphy (Goblin)
Infects : EXE COM
Size : 1277 bytes
Signature : BE26018BFE8B0E08018B160201B8
Murphy's Goblin is A memory resident .EXE infector that does not change dates or times on the files it infects. Some scanners scan the files as 'Black Death'.The authors of this virus are known. They are Lubomir Mateev Mateev and Iani Lubomirov Brankov, both in Bulgaria. Murphy is partially based on the 'Eddie' virus, but is not harmful. Inside it the following message can be found.
Hello, I'm Murphy. Nice to meet you friend. I'm written since Nov/Dec. Copywrite (c)1989 by Lubo & Ian, Sofia, USM Laboratory.
There are a number
of known variants.
Virus Name : Iron Maiden (August 16th)
Infects : COM EXE
Size : 636 bytes
Signature : 8CC6060B01C3EBF8B8D9C8D9BADF
Iron Maiden will infect two files in the current directory and then go to drive C: to infect the first two files in the root directory. If you are running A infected file from the A: and do not have a hard disk, your machine will lock. If there is a hard disk the virus will infect two files in the root dir of your C: and let the infected file continue running.
This Virus adds
636 Bytes to infected files, and does not change the
date or time.
Virus Name : Dark Avenger (Eddie)
Infects : COM EXE
Size : 1800 bytes
Analysis : Data Fellows
This virus contains two interesting text strings:
"Eddie
lives...somewhere in time"
and
"This program was written in the city of Sofia (C) 1988-89
Dark Avenger"
The "Eddie" mentioned above is probably the skeleton mascot of the heavy metal band "Iron Maiden". This was the first virus reported to have originated in Bulgaria, but it was soon followed by many other.
There is only one thing unusual about this virus. It remains resident, just as many other viruses, but it will not only infect a program when it is run, but also when the program file is read. This means that a harmless program that opened each .EXE and .COM file in turn, for example to check them for infection, could easily cause an "epidemic".
The virus will infect .EXE and .COM files, adding 1800 bytes to the length. COMMAND.COM will be one of the first programs to become infected.
When an infected program is run, there is a 1-in-16 chance that the virus will trash a random disk sector.
There are a number
of known variants.
Virus Name : Ping-Pong (Bouncing Ball)
Size : N/A
Infects : Boot
Analysis : Data Fellows
The Ping-Pong virus (also called "Bouncing Ball" or "Italian") was probably the most common and best known boot sector virus for a while, although the Stoned virus now outnumbers it.
An infected diskette will contain 1K in "bad clusters".
When this virus
activates, a small "ball" starts bouncing around the
screen, but in most cases no serious damage occurs.
Virus Name : One_Half (Slovak Bomber,
Explosion-II, Freelove)
Size : 3544 bytes
Infects : MBR COM EXE
Analysis : Mikko Hypponen, Data Fellows
One_Half, which is also known as Slovak Bomber, Freelove or Explosion-II, was first discovered in May 1994. The virus has been found both in USA and Europe. One_Half is a destructive virus: its removal may cause files to be damaged.
One_Half is a multipartite virus. It infects hard disk MBRs and COM and EXE files. Infected files grow by 3544 bytes. The virus is also polymorphic, so its appearance changes between every infection. One_Half attempts to infect COM and EXE files only on floppy (and possibly network) drives.
Besides the aforementioned features, One_Half employs stealth virus techniques. When the MBR of an infected hard disk is examined, the virus shows the original contents of the MBR. It makes the other sectors on the zero track seem empty, although in truth they contain a part of the virus code and the original MBR.
The following, unencrypted texts can be found inside the viruse's code:
Dis is one half.
Press any key to continue ...
Did you leave the room ?
One_Half is a destructive virus. Every time an infected computer is booted, the virus encrypts the last two unencrypted cylinders on the hard disk. This way, the encrypted area slowly creeps toward the disk's beginning. When information is retrieved from the encrypted area, the virus decrypts it on the way, so the user doesn't notice anything out of the ordinary.
Do note that the stealth routines of the virus do not work correctly under Windows 95, and the encryption is directly visible.
The encrypted
information stays encrypted while the virus is not resident, so
the true nature of things is revealed only after the computer is
booted from a diskette or after the virus is removed. If One_Half
is removed from a hard disk's MBR without first making a backup
copy of the computer's data, it is almost impossible to restore
the encrypted information on the hard disk; the virus stores both
the encryption key and information about the location and extent
of the encrypted area inside its own code in the MBR.
Virus Name : DIR-II (Creeping Death)
Size : 1024
Infects : COM EXE
This virus is written by the same authors as the Shake, MG and DIR viruses. It uses a unique method to infect files, as it does not change the files, but only the directory entries.
DIR-II is a full stealth virus. If you analyze your hard drive after booting clean, you will see that all infected executables are cross-linked. Don't try to correct this.
DIR-II can be
disinfected by renaming all executables to non-executable
extensions while the virus is active, then booting clean and
renaming them back. After this, run chkdsk.
Virus Name : Joshi
Infects : MBR Boot
Joshi is reported to have originated in India. It infects the partition boot sector of hard disks, storing the original, as well as the rest of the virus code elsewhere on track 0, head 0. Just like the Brain virus, Joshi redirects attempts to read the virus code while it is active in memory.
The virus activates on January 5th of any year and displays the message:
type Happy Birthday Joshi
Unless the user
obeys and types "Happy Birthday Joshi", the system will
hang.
We now move on to uncharted waters. The stuff that follows is of highly technical nature and unless you are a programmer with a reasonable knowledge of computers, you may not want to continue.
Addressing a controversial topic is sure to generate some strong responses, and this one is no exception. I am not attempting to aid in the spread of viruses, but in your own understanding of them, and ability to defend yourself. I know many would consider it unethical and even illegal to teach someone how to write a virus. I appreciate your concern. But I have reasons to believe the otherwise.
1. The right to
information
It is important to realise that it the general user who is affected by viruses the most; and he has all the right in to world to know what is holding his system or business to ransom. I've seen months and months to labor go down in drain because of viruses. In fact I'll say it would be foolish not to understand the enemy very well.
2. Half knowledge
is dangerous
A very ancient proverb but very true. Can you save a drowning person unless you yourself know how to swim? For that matter, in such a case, can you help yourself out? Or would you rather depend on a stranger to bail you out? The choice is yours. After all, its your system and its your business. In short, you cannot claim to have even a reasonable knowledge on viruses unless you understand the internal workings of a virus.
3. Use v/s misuse
In general, you'll agree with me that the numbers of "good guys" easily outnumber the "bad guys". I believe that the benefit of the knowledge to potential victims outweighs that risk of this being used for malicious purposes. I don't believe that you can stop someone (who wishes to) from creating a virus by withholding information. After all, has the death penalty caused people to stop committing crime?
4. It's an art!
Yes, it takes time, effort and gray cells to write that tin piece of code; and then enhance it further. I am not trying to lobby a case for writing viruses. I don't even think it is illegal or unethical to write a virus either. However I strongly believe it would be very unethical and illegal to spread them. Many would argue that it may makes no difference whether I my would spread a virus or teach someone else who would in turn spread them and that I am responsible for it. This is not true. Let us draw an analogy; who is responsible if someone gets a gun and shoots somebody? Is it the person who misused the gun or the person who invented the gun? You decide.
Lets start at the very beginning...
The
structure of a COM file.
The
COM file is a binary image if a program as it would me in the
memory while running. It cannot (normally) have a file size
greater than 1 segment i.e. 64K. if there are three file in a
directory namely xyz.com, xyz.exe and xyz.bat, and if you simply
type xyz at the dos prompt followed by enter, DOS would first
look for xyz.com and if found, execute it. If the file is not
found, DOS would then search for xyz.exe and finally xyz.bat.
whenever, DOS executes a COM file, it loads it at offset 100H
from the top of free memory and give all the control to it. This
is the basic information you will need.
The
anatomy of a virus.
Before we infect a file, we should keep the following things in
mind:
1. So as to keep
the virus "alive", we need to keep the host
"alive"
2. Whenever the host executes, it is our virus that should
execute first which would then hand over the control to the
original program.
Suppose our virus V wants to infect a program P, then (theoretically) let us split up the two as follows:
Virus V:
V1 |
V2 |
Program P:
P1 |
P2 |
One important thing to remember here is that, the size of V1 must be equal to P1. The sizes of V2 and P2 however need not be equal; in fact they very rarely ever are. Now the question is what does V1 and V2 do? Part V1 only transfers the control to V2. V2 does all other stuff - the infection, execution, replication and finally handling over the control back to P1. In theory, what we will do is, store the first three bytes of the victim program in a buffer in the virus. We then overwrite the original three bytes in the program by a three-byte jump instruction. We will then append to rest of the virus code at the end of the program. Since the original three bytes are stored in a buffer, it will also get appended along with the virus. After the virus has infected the program, the resulting infected file would like this:
V1 |
P2 |
V2 |
P1 |
Typically V1 is only three bytes in lengths. Is has a jump instruction which transfers the control to V2. One major problem here is the calculation of the offset of V2. But we will discuss this later. In theory, our virus would look like this after infection
Jmp
VirusStart
;
;
; The program part P2 will be here
;
VirusStart:
;
;
;
; Virus code V2 begins here
;
Another important
thing is the calculation on the offsets, since the offsets of the
Variables will change with each infection - relative to the size
of P2. We will need this offset every time we access a variable.
But this calculation is simple as shown below:
jmp CalculateOffset
CalculateOffset
pop bp
sub bp, OFFSET CalculateOffset ; store current instruction
pointer in bp
At first this
seems absurd ! We are making a call to the immediately next
instruction and could well do without it! Think twice! Of course
the offset will be zero in our original virus code, but after
infection it will change with every infection.
So far so good.... But how do we calculate the actual value of the jump offset which we need for the V1 part of the virus ? This calculation is also not difficult and can be achieved as follows. Since a COM program in memory is the binary image of a file on disk, the jump offset is the size of the file minus the length of V1
add
si, OFFSET VirusDTA+1Ah ; get the file length (low word)
mov cx, [si] ; save the length in CX
sub cx, 5 ; substract 5 bytes for the JUMP
; plus 2 for the NOPs
Once this is done we use FindFirst & FindNext to search for possible victims. It would be a good idea to create a buffer for FindFirst & FindNext to store the DTA (Disk Transfer Area). If we dont do this, it would destroy the original command line paramaters passed to the program. The DTA as you know is a 43 byte structure created by dos before making these calls. We will need to use this many times. The structure of the DTA is given below:
Offset |
Length |
Purpose |
0h |
21 BYTES |
Reserved, varies as per DOS version |
15h |
BYTE |
File attribute |
16h |
WORD |
File time |
18h |
WORD |
File date |
1Ah |
DWORD |
File size |
1Eh |
13 BYTES |
ASCIIZ filename + extension |
Once we find a possible victim, we check to see if it is already infected by our virus or not. The method used here is to check the presence of two NOP's at the begining of the program. Note that this is not a fool proof method. But then this again is questionable as not many files have two NOP's as its begining. Another thing here is that this trick can be used to innoculate against it. Simply put two NOP's at the begining of a file and our virus will not infect it ! this also means that our V1 part will be five bytes instead of the usual three.
Once the virus gets control, the real action starts. The code that follows this is supposed to do all the dirty work i.e. store the first five bytes of the victim somewhare in the virus data space to begin with. The virus then moves the file pointer to the end of the victim file and append the rest of the virus code to it. Note that since the original first five bytes of the victim were stored into a data buffer in the virus, it also gets appended. Viruses usually continue looking for more victims at this point and repeats the infection process. Care should be taken not to infect too many files in one go or it becomes too easy to be noticed. Once he infection process is over, we need to restore the first five bytes to the begining of the file in the memory and pass control to it. This will execute the original program as if nothing had happened. This again is not to difficult as shown below.
mov
di,100h ; offset of the program start
push cs di ; push the SEGMENT and the
; OFFSET value onto the stack
; control will be tranferred here
; address when we do a far return
add si,OFFSET DataSpace ; offset of the original code
movsb ; shift the required bytes
movsw ; shift the required bytes
movsw ; shift the required bytes
retf ; do a far return to transfer
; control to the original program
These are the basics you will need to wite a virus. Note that the code presented here is by itself not enough to write a working virus. You cannot simply put all the code together and compile to make a live virus. Code is needed infect multiple files, check for previrous infections etc. But this is fairly trivial and any programmer worth his salt should be able to do this. I leave this for you as an excercise. You may also try to improve the code by taking care of the following precautions :
Finally, please donot misuse the information presented here. And remember to mail your comments.