
               _.:[ Worms and Viruses ]:._

                     A little essay
  
                      by SnakeByte

 
 Hello to this little essay... I want to discuss here a the relationship
 between worms and viruses.  I will presend some ideas, which may help
 to let us set some rules for the game between us and the AV-community :)

 First some definitions, for those who haven't a clue about viruses and worm
 the more advanced reader may skip this section ;)

 Ok what is a virus ?  A virus is a small program, that appends to files and infects
 them this way. It is only able to spread to another computer if an infected file
 gets copied by the user. An example for a widely known virus is CIH or Yankee Doodle ;)

 And what is a worm ? A worm spreads over the internet or a LAN by changing
 some running programs and exploits weaknesses in them. The worm is a single file which
 is send over the network. Examples for this are Happy99, DMSetup or the good old 
 Internetworm.

 Ok one of those two 'lifeforms' multiplies by infecting files and needs to be copied
 to other PC's and the other is able to jump from one PC to another,.. 
 So let's use our evil brain... Why don't we connect both ways of spreading ?
 This would make our viruses and worms much more powerful and lets them spread much faster.
 A worm would be much harder to remove, because a lot of files will be infected with it,
 possibly also the backups ;). And the viruses will spread faster, which sets the
 AV players a very close deadline between the release of the virus and the infection of
 a lot of peoples, in which they have to release a scan strin and a way to remove the
 worm and virus. With this in mind you can also offer your worm several of the interesting
 abilities that viruses have, just think about polymorphism <eg>. A slow polymorphic and
 very fast spreading combination between worm and virus. You could make the polymorphism
 depend on values, which are individual for a computer. This would mean, as they will have
 to set up a network, to be able to see several forms of the virus. This would make the
 AV's loose several points in this game. 

 How could we implement this into our viruses ? I will speak for non-macro viruses only
 because i never coded a macro virus (sorry giga ;). I think we have 2 possibilities to
 do this. On the one hand we could infect a file with our virus, which is not too huge 
 so that we can send it fast, with our virus. But this file has to be on the most computers,
 otherwise the thing would stop here. Whats up with files like that black-screen screen saver ?
 Just infect it, rename it and send it out to the world. It is only 10kb, to my mind,
 thats not too large. There are several small files, that get installed with windows which we
 could use to reach our goals. The second way to transform a virus to a worm is as simple as
 the first one. What about carrying a do-nothing PE-Executable in our virus. Sure it would make
 the combination round about 4kb larger which is not that well, but then we do not rely on other 
 files and hope that they are installed. (Ok we can compress this PE-File with one of the various
 utilities or do this by our own by changing the dropper for this file). As you see both of
 the variants have advantages and disadvantages, choose on your own which one you prefer.
 
 What kind of virus should it be ? It should be a Win32 infector, 'cause DOS is dead. I liked the
 old times of DOS, but now Win rules the market. And Windows also offer us several new ways to
 spread our worms. I think Macro viruses are also ok, (just take a look at Melissa ;) because
 more users are aware of EXE files and open every doc they can get. The only virus I saw which 
 used both forms of spreading was a macrovirus (as far as I remember) which used mIRC for
 his own purposes. 

 How to worm ? There are several ways to send your virus away to new PCs. The explored ones 
 are with E-Mail and IRC (mIRC, Virc and Pirch). But there are still more to come.
 Have you ever thought of patching an ftp client ? What about all these other Chat-programs like
 AOL Instant Messenger and ICQ ? I think there is a lot to explore when we look at this direction,
 so come on, write a combination between worm and virus. The AV's will thank you. 

 Ok thats all for now, I want to sleep at least a bit this night. Hope you enjoied sharing
 my thoughts about a possibly nice evolution of our programs..
 For comments, criticism or whatever send me a little mail: SnakeByte@Kefrens.de

           Cu in the next essay/tutorial 
                 SnakeByte