
The Giant Black Book of Computer Viruses PDF

474 Pages·1998·1.73 MB·English

Preview The Giant Black Book of Computer Viruses

The GIANT BLACK BOOK of COMPUTER VIRUSES
Second Edition

Mark Ludwig

American Eagle Publications, Inc.
Post Office Box 1507
Show Low, Arizona 85902
1998

Copyright 1995, 1998 by Mark A. Ludwig

All rights reserved. No portion of this book or the accompanying companion disk may be reproduced in any manner without the express written permission of the publisher and the author.

ISBN 0-929408-23-3

And God saw that it was good. And God blessed them, saying “Be fruitful and multiply, fill the earth and subdue it.”
Genesis 1:21,22

Table of Contents

Preface to the Second Edition
1. Introduction
2. Computer Virus Basics

Part I: Self-Reproduction
3. The Simplest COM Infector
4. Companion Viruses
5. A Parasitic COM Infector
6. A Memory Resident Virus
7. Infecting EXE Files
8. An Advanced Resident Virus
9. An Introduction to Boot Sector Viruses
10. The Most Successful Virus
11. Advanced Boot Sector Techniques
12. Infecting Device Drivers
13. Source Code Viruses
14. Macro Viruses
15. A Windows Companion Virus
16. A Simple 32-Bit Windows Virus
17. A Multi-Section Windows Virus
18. A Section Expanding Virus
19. A Sophisticated Windows File Infector
20. A Unix Virus
21. Viruses and the Internet
22. Many New Techniques

Part II: Anti-Anti-Virus Techniques
23. How a Virus Detector Works
24. Stealth for Boot Sector Viruses
25. Stealth for DOS File Infectors
26. Windows Stealth Techniques
27. Polymorphic Viruses
28. Retaliating Viruses
29. Advanced Anti-Virus Techniques

Part III: Genetics and the Future
30. Genetic Polymorphic Viruses
31. Darwinian Evolution or De-Evolution?
32. The Future Threat

Part IV: Payloads for Viruses
33. Destructive Code
34. A Viral Unix Security Breach
35. Adding Functionality to a Windows Program
36. KOH: A Good Virus

Resources
Index

Preface to the Second Edition

Welcome to the second edition of The Giant Black Book of Computer Viruses. I’ve made some important changes to this edition, in order to reflect new developments in computer viruses, as well as to provide a better value for your dollar.

In the past three years, the most important new developments in computing have unquestionably been the introduction of Windows 95 and the growing popularity of the internet. While we have not seen a profusion of network-savvy viruses travelling over the internet, the potential threat is obvious to most people. This potential has led to a growing phenomenon of internet-related virus hoaxes, the first of which was the phenomenally popular “Good Times Virus” hoax. We’re getting close to the point that hoaxes will be replaced by the real thing, though, and we’ll explore some of the possibilities here.

In contrast to the potential of the internet, the introduction of Windows 95 has already profoundly influenced the direction of computer virus development. Firstly, Windows 95 has virtually stopped the development of DOS-based software, and is slowly but surely pushing DOS programs into oblivion. As a result, many viruses which assume a DOS environment are no longer threats in the real world. On the other hand, the ever-growing complexity of the operating environment and of applications programs has opened up all kinds of new possibilities for viruses. The most important category of viruses which have emerged in this new environment are the so-called macro viruses, which have been both popular among virus writers and successful at establishing populations in the wild. At the same time, other largely unexplored possibilities abound. In this edition of The Giant Black Book, we’ll explore some of these new developments and possibilities in detail.

At the same time, DOS viruses are still the best place to start learning about viruses. They can be simpler than their cousins for advanced operating systems, and they can teach all the basic techniques which viruses use. Add to this the fact that DOS viruses still make up the great bulk of all existing viruses, and it should be clear that their investigation still forms the foundation for any serious study of computer viruses.

Another important change in this edition is the discussion of evolutionary viruses. In past books I’ve tried to grapple with the idea of open-ended Darwinian evolution. Over the years, however, I’ve found that this idea from the world of biology is practically worthless when it comes to writing potent viruses. Whatever its value for biology may be, when it comes to computer viruses, a completely different—and I dare say heretical—approach produces much more exciting results. Accordingly, my discussion of evolution has been expanded and rewritten.

In order to make room for all this new material, and still keep the cost of this book reasonable, we’ve decided to put all of the source code on the diskette (which is now included with the book at no extra charge) and stop printing listings in the book itself. The one exception to this is KOH, part of which is printed in the book because it is currently illegal to export from the United States on disk. By far the best way to use this book is to print both the ISR references and the virus source, and study each chapter with both right at your fingertips.

Mark Ludwig
May 15, 1998

Chapter 1
Introduction

This book will simply and plainly teach you how to write computer viruses. It is not one of those all too common books that decry viruses and call for secrecy about the technology they employ, while curiously giving you just enough technical details about viruses so you don’t feel like you’ve been cheated. Rather, this book is technical and to the point. Here you will find complete sources for viruses, as well as enough technical knowledge to become a proficient cutting-edge virus programmer or anti-virus programmer.

Now I am certain this book will be offensive to some people. Publication of so-called “inside information” always provokes the ire of those who try to control that information. Though it is not my intention to offend, I know that in the course of informing many I will offend some.

In another age, this elitist mentality would be derided as a relic of monarchism. Today, though, many people seem all too ready to give up their God-given rights with respect to what they can own, to what they can know, and to what they can do for the sake of their personal and financial security. This is plainly the mentality of a slave, and it is rampant everywhere I look. I suspect that only the sting of a whip will bring this perverse love affair with slavery to an end.

I, for one, will defend freedom, and specifically the freedom to learn technical information about computer viruses. As I see it, there are three reasons for making this kind of information public:

1. It can help people defend against malevolent viruses.
2. Viruses are of great interest for military purposes in an information-driven world.

Description:
only too well when I wrote The Little Black Book of Computer Viruses. That book included four new viruses, but only one anti-virus developer picked