*******************************************************************************
*                                                                             *
*                  / Megadeth's Guide to Virus Researching \                  *
*                                 < Part I >                                  *
*                       \ A .ROTing [DeTH] Text File /                        *
*                                                                             *
*******************************************************************************

By: Megadeth

I. What you need for virus Research
^^ ^^^^ ^^^ ^^^^ ^^^ ^^^^^ ^^^^^^^^

To do any research or testing on viruses it is wise to have the following:

■ The Latest Version of VSUM
■ The Latest Version of F-Prot
■ Turbo Assembler (MASM will do though)
■ Central Point Backup
■ 40Hex Magazine, NukE Infojournals, and other virus publications
■ Dark Angel's Phunky Virus Writing Guide (for virus writing)
■ ASSIGN.EXE for MS-DOS 5.0 or SUBST.EXE for DR-DOS 6.0
■ MIRROR.EXE - for use with trojans.
■ Norton Utilities
■ A Virus or Trojan
■ X-Tree Pro Gold, or other DOS Shell that lets you see and edit Hex Code.

Virus Research is very risky. You can learn a lot about programming and the behavior of viruses, but you can also trash your system if you're not careful. Here is how to research a virus.

][. Researching a Virus
^^^ ^^^^^^^^^^^ ^ ^^^^^

The first thing you do with a file that you believe is infected with a virus is scan the program with F-Prot. It's good for picking out the individual strains of viruses. Use the Secure Scan and then the Heuristic Scan if the virus is not identified. Then, after you have the name of the virus, you can look it up in VSUM. If it's not scanned as a virus then look at the virus hex code with a hex viewer. Look for strings at the end of the infected file. These are sometimes messages, text with the name and author of the virus, or a string like *.COM and/or *.EXE. The *.COM and *.EXE are the files it infects. If you see *.COM and not *.EXE in the file then you know the file only infects .COM files. If you got the virus from a virus board, then there are sometimes text files written by the author on what the virus does.
If you don't see any strings in the virus then there is a good chance that the virus is encrypted.

You can also see what the virus does when activated. Run ASSIGN.EXE to make all calls to your hard drives go to a virus test floppy. Make sure you have the virus and some *.COM and *.EXE files for the virus to infect. Then run the program with the virus. If the virus infects files only when an infected file is run, then you know that the virus is not resident in memory. If the virus infects files every time an uninfected program is run then you know that the virus is active in memory. Look for file size changes and changes in the file times. If you ever see the hard drive light go on, turn off the computer right away. Don't use CTRL-ALT-DEL as it might have been deactivated. After you think other files on the disk are infected, take out the virus test disk, then turn the computer off. This is important since some viruses may live through a CTRL-ALT-DEL. Then, when your system is booted from the clean hard drive, scan the files again, take a look at the hex code and compare it to the original uninfected files. Format the disk when done.

That is a quick explanation of how to research a virus. There are more ways than this and they will be covered in future text files. Another tip is to regularly back up your system and keep multiple backups in case a set of backups is infected.

IV. In Future Files
^^^ ^^ ^^^^^^ ^^^^^

These are topics that will be covered in future text files:

■ Researching Trojans.
■ Researching Boot Sector Viruses.
■ Recovery from a virus break out.
■ Tips on how to keep systems from getting infected.
■ Understanding the behavior of viruses.
■ Researching Virus Creators like VCL, PS-MPC, and G².

I can be contacted on many boards in the 708 area code, including the Hell Pit. Any suggestions would be very helpful.
Greets to PHALCON/SKISM, [NukE], Dark Angel of PHALCON/SKISM and The Nowhere Man of [NukE], and the Dark Avenger, who are, in my opinion, the most talented virus writers around.
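As an added worked example (not part of Megadeth's file, and in Python rather than a DOS tool), here are two of the checks from section ][ above: pulling readable strings from the tail of a suspect file to spot *.COM / *.EXE infection masks, and snapshotting a test directory's file sizes and times before and after a run so that touched files stand out. The sample bytes and the bait file are constructed inline; nothing here executes a suspect program.

```python
import os
import re
import tempfile

# Constructed stand-in for an infected .COM: readable strings sit at the end of the file.
SAMPLE = b"\xeb\x1f\x90" + b"\x00" * 40 + b"Constructed sample msg\x00*.COM\x00"

def tail_strings(data, tail=512, min_len=4):
    """Printable ASCII runs of at least min_len bytes within the last `tail` bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data[-tail:])]

def infection_masks(strings):
    """File types the virus appears to target, judged from *.COM / *.EXE masks."""
    masks = set()
    for s in strings:
        masks.update(m.upper() for m in re.findall(r"\*\.(COM|EXE)", s, re.I))
    return masks

def snapshot(directory):
    """Record (size, mtime) per file: the two indicators the text says to watch."""
    result = {}
    for entry in os.scandir(directory):
        if entry.is_file():
            st = entry.stat()
            result[entry.name] = (st.st_size, st.st_mtime)
    return result

def changed_files(before, after):
    """Files that appeared, or whose size or mtime changed, between two snapshots."""
    changes = {}
    for name, (size, mtime) in after.items():
        if name not in before:
            changes[name] = "new"
        elif size != before[name][0]:
            changes[name] = f"size {before[name][0]} -> {size}"
        elif mtime != before[name][1]:
            changes[name] = "mtime changed"
    return changes

def demo_snapshot():
    # Simulated test-disk run: baseline, then bytes appended to the bait file, then compare.
    with tempfile.TemporaryDirectory() as d:
        bait = os.path.join(d, "BAIT.COM")
        with open(bait, "wb") as f:
            f.write(b"\xc3")              # one-byte RET program as bait
        before = snapshot(d)
        with open(bait, "ab") as f:
            f.write(b"\x00" * 200)        # stands in for appended virus code
        return changed_files(before, snapshot(d))
```

On a real test disk the baseline is taken before the suspect program runs and the second snapshot after the clean reboot described above; a file whose size grew or whose time changed is the one to diff against its original in the hex viewer.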