Documentation for C-Virus v3.0
------------------------------

I. How to use

To use C-Virus, merely rename it to some innocent (or
not-so-innocent) sounding file name, such as ULTIMA7.EXE,
GIFVIEW.COM, or HOTSEX.EXE. Then let someone run it. It's that
simple. Just make sure that its extension is .EXE or .COM.

A better choice is to infect any specific .EXE or .COM file
(or, if you really wanted to, any file) with C-Virus. At the DOS
prompt type "CVIRUS (filename)" where filename is the name of the
victim. C-Virus will only spread to that file, not harming any
other file in the directory. For example, you could type "CVIRUS
WC2.EXE" and, although WC2.EXE would appear unchanged (same size,
date, time, etc.), it is now actually another copy of C-Virus.
Then feel free to show "Wing Commander II" to all your friends (on
their computers, of course). Be sure to back up the file if you
want to keep it, as CVIRUS will totally obliterate it. This has the
nice side effect of zapping files when C-Virus replaces a utility
(i.e., C-Virus has infected LIST.COM; now if you try to LIST
KOOLWARE.EXE C-Virus infects the game you were trying to view!).
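
The statement above that an overwritten file keeps its size, date and time means a directory listing cannot serve as an integrity check; only a comparison of file contents shows the change. The following content-hash baseline and audit is an added example, not part of the original file or its author's code; the function names and the placeholder files built in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile

EXTS = (".exe", ".com")  # the executable types the page names

def snapshot(path):
    """Size, mtime and SHA-256 of one file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return (st.st_size, st.st_mtime_ns, digest)

def baseline(root):
    """Map file name -> snapshot for every executable directly in root."""
    return {name: snapshot(os.path.join(root, name))
            for name in sorted(os.listdir(root))
            if name.lower().endswith(EXTS)}

def audit(root, known):
    """Compare root against a stored baseline; return {name: verdict}."""
    now = baseline(root)
    report = {}
    for name in sorted(set(known) | set(now)):
        if name not in now:
            report[name] = "missing"
        elif name not in known:
            report[name] = "new"
        elif now[name] == known[name]:
            report[name] = "ok"
        elif now[name][:2] == known[name][:2]:
            # Same size and timestamp, different bytes: a listing shows nothing.
            report[name] = "content-changed-metadata-same"
        else:
            report[name] = "changed"
    return report

def demo():
    """Constructed fixture: two harmless placeholder files, one rewritten."""
    with tempfile.TemporaryDirectory() as root:
        for name, fill in (("WC2.EXE", b"A"), ("LIST.COM", b"B")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(fill * 8192)
        known = baseline(root)
        target = os.path.join(root, "WC2.EXE")
        st = os.stat(target)
        with open(target, "r+b") as fh:  # same length, different leading bytes
            fh.write(b"Z" * 4096)
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # original time
        return audit(root, known)
```

Keep the baseline on read-only or offline media so that it cannot be rewritten along with the files it describes.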

II. Modifying C-Virus

C-Virus was written in Borland C++ v3.00, but will also
compile under Turbo C++ v1.00, and should port to other IBM-PC C
compilers with little modification.

A good area for modification is the function
hostile_activity(). This function is automatically called if there
are no files left to infect. The current version of C-Virus has
this function overwrite the boot, FAT, and directory sectors of the
victim's C: drive with garbage, then display a notice of C-Virus's
presence and lock up the computer. You may want to add to this a
few select calls to abswrite(), unlink(), and biosdisk(), or write
your own, more devious routines.

Other good expansions of C-Virus include adding support for
multiple-directory spreads (something I avoided because it would
take up too much space), and changing the code so that C-Virus only
goes off on certain days, weeks, etc. Simple modifications to
C-Virus can easily create viruses just as good as the
"professionals."

Note: Try to avoid using printf() or related functions; they
can increase the size of C-Virus dramatically. Instead use the
function puts() or, better yet, use the _write() command, but this
is harder to use. In addition, note that TOO_SMALL is left defined
at 4.3k. If, when recompiling C-Virus, you see that the final
product is larger or smaller, change TOO_SMALL to a little over the
size of the .EXE file. This ensures maximum effect without
alerting people via increase in file size. If this number is too
small, subsequent infections will crash because all of the virus
code won't be copied into the victim.

III. Recompiling C-Virus

To re-compile C-Virus, use the included batch file
MAKECVIR.BAT. This file assumes that: (1) you have LZEXE.EXE, and
it's in your path; (2) DEBUG is also in your path; and (3)
MAKECVIR.SCR is in the current directory. If any of these
things are different on your computer, change the batch file
accordingly. If you use a compiler other than Turbo C++ or Turbo
C, you'll have to change the name of the compiler, as well
as the options it is invoked with. (I have it set for "fastcall"
of functions, maximum space optimizations, and duplicate string
removal [not that there are any though].) Although C-Virus will
work in any memory model, always use the small model to avoid
excess code generation.

A note about the "NMAN" signature: When creating new versions
of C-Virus, I suggest changing the signature to something else. IT
MUST BE FOUR BYTES LONG. Change MAKECVIR.SCR so the second line
reads "DB '(four bytes)'." Also change the definition of SIGNATURE
in the C source code to be the sum of the ASCII codes of each of the
four letters of the signature. I would appreciate that any modified
versions do not read "NMAN" - use some other bytes. These bytes not
only ensure that there is a signature so that files aren't
re-infected, but they also stop people from UNLZEXEing your virus for
analysis (of course they could always change them back, but most
people are too stupid to think of this).

IV. Removing C-Virus

DO NOT accidentally infect yourself. Infected files are
unrecoverable. If you infect your files, the only way to get rid of
the virus is to erase them. Don't say you weren't warned.

By the way, no virus-scanner that I know of can identify *this
version* of C-Virus. Nothing can remove C-Virus either. Oh well.

A SPECIAL NOTE TO PATRICIA HOFFMAN: This virus's name is
C-Virus, *NOT* "Nowhere Man." That is my handle, fool!

If you have any questions, suggestions, or complaints, you can
leave E-Mail for me at The Hell Pit BBS at (708) 459-7267.

Happy virusing!

--Nowhere Man, [NuKE] '92

*****************************************************************
Look (and look out) for these fine warez by Nowhere Man:

** C-Virus            -- My first virus, the program that proves
                         that C CAN be used to write good virii.
                         With full C source, automated creation
                         files, and docs. THIS PRODUCT.

** Itti-Bitti (A, B)  -- The world's smallest virus for its
                         abilities, Itti-Bitti has all of the bells
                         and whistles of the fancier virii, but
                         Strain A is only 161 bytes (two less than
                         Tiny) and Strain B is only 99. With full
                         assembler source and docs. Available now.

** DeathCow Strain B  -- A lame virus based on the original
                         DeathCow, a Minimal-46 variant. Made
                         smaller, it measures only forty-two bytes.
                         With full assembler source and docs.
                         Available Now.

** Miniscule          -- The world's smallest functional virus,
                         Miniscule is only thirty-one bytes long!
                         Comes with fully-commented assembler source
                         (great for learning the tricks of the
                         trade). Available now.

** Nowhere Utilities  -- A group of fine utilities to assist you in
                         the development and distribution of trojans
                         and virii. Also great for just having
                         around when you need them. Check it out.
                         Available now.

** Code Zero          -- A nice little appending .COM infector I
                         wrote with V.C.L. to show off its
                         capabilities. Somehow Patricia Hoffman
                         got her hands on it, and the rest is
                         history. Available now.

** Kinison            -- Another .COM appender created with V.C.L.
                         dedicated to the memory of Sam Kinison.
                         On the anniversary of his tragic death
                         in an auto accident Kinison "screams" at
                         your hard disk with devastating results.
                         Available now.

** V.C.L.             -- Virus Creation Laboratory, the ultimate
                         virus utility. You choose the options,
                         the effects of the virus, infection rate
                         and type, etc. and it does the rest! No
                         more messy assembler coding or tedious
                         debugging. Also produces trojans and
                         logic bombs. Full professional-quality
                         IDE, too. A major work to redefine the
                         virus world. Available Summer 1992.