Documentation for the Itti-Bitty Virus
--------------------------------------


I. Introduction

The Itti-Bitty virus started as a challenge to myself to see how small I
could make a fully-functional virus. The one to beat was Tiny, an appending
virus with a size of 163 bytes. Tiny didn't change directories, didn't affect
read-only files, didn't reset file date and times of infected files, didn't
do anything destructive, and was easily flagged down by Virex-PC or Flu-Shot+,
as well as the fact that McAfee SCANned it. First, I settled on an overwriting
virus. Either way the checksum of a file is going to change, and overwriting
viruses aren't as noticeable from the DIR point-of-view, and overwriting would
require fewer bytes of code to do the job. Then I coded the thing and started
optimizing. The result was the 161-byte Itti-Bitty virus, strain A. Then I
ripped out extraneous code, the "bells and whistles," if you will, and ended
up with the 99-byte Itti-Bitty strain B. Both virii are non-encrypting, and
both have the same effect: they overwrite the first 256 sectors of C: with
random garbage, making the disk unrecoverable by normal means. Since I figured
it would only be a few weeks before someone disassembled my virii, I decided
to distribute the original source, so that others can learn from my code.


II. Strain A

Strain A of the Itti-Bitty virus is 161 bytes in length. It detects the
presence of Virex-PC and Flu-Shot+ by calling interrupt 21h with AX set to
FF0Fh. If either of these TSR virus-protectors is loaded, then Itti-Bitty
aborts, stopping premature detection and allowing the victim to (doubtfully)
spread the infected file. Then it tries to infect any uninfected .COM file in
the current directory by overwriting the start of it with itself. Read-only,
etc. files ARE affected, and their attributes are reset after the infection
is complete. File date and time are also preserved for better stealth.
Finally, a bogus error message, "EXEC failure," is displayed and control is
returned to DOS. ("EXEC failure" was the shortest fatal error message I could
find in COMMAND.COM. I've never seen anyone get it, but it is legit, and
it's obscure enough to scare novice users.) If all files are infected, then
as I stated above, their C: disk is trashed and the computer is locked up. No
message, no fanfare, no nothing; they're just plain fucked. That's it. Only
161 bytes, too.


III. Strain B

Strain B of Itti-Bitty is simply Strain A with the Virex check, the
attribute alteration, and the date/time preservation removed. It still trashes
C:, but is far more noticeable, since, like I said, file date and time aren't
preserved. Also, no error message is displayed. (You'd be surprised how
many lozers will keep running the thing over and over because nothing seems
to happen.) All under one-hundred bytes. That's damn small.


IV. Miscellaneous comments from Nowhere Man

I'd like to use this space to say a few things to everyone. First, I'd
like to announce that I'm now affiliated with [NuKE] and [NuKE] WaErZ, a fine
Canadian hacking/phreaking/carding group. Look for other fine [NuKE] warez,
such as the infamous Parasite virus and the Telegard Bypass trojan, at a
respectable h/p board near you.
Secondly, I'd like to say Hi to Software Spartan, Murdak and Leeking Virus
at the Pirate's Guild, and The DarkMan and all the other great guys at [NuKE].
I also want to challenge all of the other virus-writing groups (F<>S,
RABID, etc.) out there to come up with a smaller virus with the same features
(or better ones); I think we can use some friendly competition, and besides,
competitiveness leads to better virii for all.
If anyone can find a way to make Itti-Bitty Strain A or B smaller while
still keeping in all of the features, or if you have a question, comment, or
complaint about Itti-Bitty, C-Virus, or any other fine product from Nowhere
Man, I can be reached at either the Pirate's Guild (708-541-1069) or Hell Pit
(708-459-7267). Hell Pit is now an official [NuKE] WaReZ distribution site,
and all of the other fine [NuKE] warez, as well as literally hundreds of virii,
can be found there. Any questions about [NuKE] and/or [NuKE] WaErZ can be
directed there.

Once again, happy virusing,

Nowhere Man, [NuKE] '91