Virus Programming

computer virus

Everybody is scared of computer ‘virus’ as it does harmful actions on our computer. But when we look into the virus programming, we may certainly come out with the conclusion that it requires intelligence to code a it hought i pen down an article about basics of virus programing.

It is easy to mess-up the right program. For example, if you remove even a single byte from an EXE file, that EXE file won’t be usable! Virus program don’t have any specific rules. But it’s a common practice to include ‘signatures’ by virus creators. The main idea is to force the innocent user to run the programs. So certain viruses come along with so called ‘programmer utilities’ or ‘free tools’. Another thing is, it is easy to hang-up a working system using some ‘bad’ interrupts. Viruses use this logic too!

TSR viruses
When TSR got its popularity, crackers started using TSR concepts for virus programming. There was a time when people who knew TSR started writing their own TSR viruses. But when Windows operating system was introduced, TSR viruses lost their “popularity”.

I have written the following program. This is actually a TSR virus. It is not much harmful; it just changes the attribute (color) byte of the existing characters present on screen.

#ifndef __SMALL__
#error Compile with Small memory model

int i = 1;
char far *Vid_RAM = (char far *)0xb8000000;

void interrupt (*Int9)( void );
void interrupt MyInt9( void );

void interrupt MyInt9( void )
*( Vid_RAM + i ) = i;
if ( i>4000 )
i = 1;
i += 2;
(*Int9)( );
} /*--interrupt MyInt9-----*/

int main(void)
Int9 = getvect( 9 );
setvect( 9, MyInt9 );
keep( 0, 500 );
} /*--main( )----*/


Though the program might not be that efficient , i've tried my level best. I do not have a stronghold programming myself.

Windows viruses
When Windows operating system was introduced, much of the DOS based viruses lost their “popularity”. Under Windows operating system, only certain viruses like “Boot sector virus” and “Disk formatting viruses” can do harmful actions. So crackers went for exploiting Windows. Windows based viruses exploit Internet ‘loopholes’. As VB Script even has access to Windows Registry, VB Script is commonly used for Windows or Internet based “spreading viruses”.

As I said earlier, many virus programmers add signature to their program. So by checking the signature, we can find the name of the virus. Most of the anti-virus packages use this logic! The following table shows few viruses and their signatures. Let us see some of the standard viruses and their signatures :

Einstein - 0042CD217231B96E0333D2B440CD2172193BC17515B80042
Phoenix - 927 E800005E81C6????BF0001B90400F3A4E8
Spanz - E800005E81EE????8D94????B41ACD21C784
Necropolis - 50FCAD33C2AB8BD0E2F8
Trivial-25 -B44EFEC6CD21B8??3DBA??00CD2193B440CD
Trivial-46 - B44EB120BA????CD21BA????B80?3DCD21%2BA0001%4B440CD
SK - CD20B80300CD1051E800005E83EE09

you can find that writing anti-virus package is not a tough job. But understand the fact that checking out the signature is not 100% foolproof. You may find many of the buggy antivirus packages even point out the right programs as virus programs and vice-versa.

Top 5 viruses

Which viruses are the most successful ever? Here i present a selection of those that travelled furthest, infected most computers ... or survived the longest.

1) Love Bug (VBS/LoveLet-A)

The Love Bug is probably the best-known virus. By pretending to be a love letter, it played on users’ curiosity, spreading around the world in hours. The original version sends an email with the subject line ‘I LOVE YOU’ and the text ‘kindly check the attached love letter coming from me’. Opening the attachment allows the virus to run. If Microsoft Outlook is installed, the virus tries to forward itself to all addresses in the Outlook address book. It can also distribute itself to other newsgroup users, steal user information and overwrite certain files.

2) Kakworm (VBS/Kakworm)

Kakworm made it possible for users to become infected just by viewing infected email. The worm arrives embedded in an email message. If you are using Outlook or Outlook Express with Internet Explorer 5, the machine can be infected when you open or preview the infected email. The virus changes the Outlook Express settings so that the virus code is automatically included with all outgoing mail. On the 1st of any month after 5 pm, it displays the message ‘Kagou-Anti_Kro$oft says not today’ and shuts down Windows.

3) Melissa (WM97/Melissa)

Melissa is an email virus that uses psychological subtlety to spread rapidly. It appears to come from someone you know and to include a document you would definitely want to read. As a result, Melissa spread worldwide within a single day. Sends a message to the first fifty addresses in all the address books accessible by Microsoft Outlook, using the current user’s name in the subject line. There is an attachment containing a copy of the infected document. If the minute and day are the same when the document is opened (e.g. 10.05 am on the 5th), the virus adds text about the game Scrabble to the document.

4) Concept (WM/Concept)

Concept achieved instant success by being shipped accidentally on official Microsoft software. It was the first macro virus found in the wild and one of the commonest viruses in 1996-1998. The virus takes control with its AutoOpen macro, which Word runs automatically, and carries out infection with its FileSaveAs macro, which runs when Word saves a document. Many variants exist. When you open an infected document, a dialog box titled ‘Microsoft Word’ and containing the figure 1 appears. The virus includes the text ‘That’s enough to prove my point’ but this is never displayed.

5) Parity Boot

Parity Boot spreads on the boot sectors of floppy disks. Its success shows that boot sector viruses, which were commonest in the 1980s and early 1990s, can still thrive. This virus was still among the most commonly reported as recently as 1998. It was particularly common in Germany, where it was distributed on a magazine cover-disk in 1994. Displays the message ‘PARITY CHECK’ and freezes the computer. This mimics a genuine memory error. As a result, users often think that there is a problem with their computer’s RAM (Random Access Memory).