 _________ SWAT MAGAZINE ISSUE FOURTEEN: FEBRUARY 1999 __________
/         \___________________________________________/          \
/          === The simple facts of virus renewal ===              \
/            - The Creation of a viral variant -                   \
/    Written by /<-CruZ of SWAT Team UK - H/P/C/V/A.               \
------------------------------------------------------------------------

Introduction
~~~~~~~~~~~~

I could puke up some boring muthafucka of an intro, all about virus history
and capabilities... but I can't be fucked, and you probably couldn't be fucked
to read it anyway. So I'll get right to it after you know a little about
myself.

Name:           n0p3, but maybe you already know.
Alias:          /<-CruZ -/0r/- sLICE_n_dYCE
Location:       South West England, United Kingdom
Skills:         Virus construction, *NIX hacking, DoS, bIATCH bLUDGEONING!
Important Shit: 'pUTER, 'nIVEZ, 'gUNZ, 'n mAD sKILLZ.

The Bad Shit
~~~~~~~~~~~~

As you will know, there are whole ranges of virus creation labs on the net,
available to any h4x0r wh0r3 who can be fucked to go and look for them. The
stupid thing is that EVERY lab on your standard site is years old. You simply
can't create a virus that is any use to you, because the instant it touches a
system with even the most basic anti-virus software the piece of crusty shit
is detected, disabled and destroyed before it has the chance to spit out the
words "iAM dA mASTA' vIRUS!!! pHEAR bIATCHEZ"! So the threat of viruses from
most h4x0r wh0r3 lab-uZeRz is very small.

However, there is a small group of people who can use these labs to create
some extremely powerful viruses. All a wh0r3 has to do in order to turn a lab
virus into a new variant that no existing scan string matches (and which is
therefore, until the anti-virus people get hold of a sample, extremely
dangerous) is a little reading. The amount of havoc and destruction someone
with this simple knowledge could cause is close to unimaginable.
How it works - Bad Shit in action
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The idea is very simple: the h4x0r wh0r3 gets a virus lab, such as NRLG (Nuke
Randomic Life Generator), and uses its simple menu driven system to create an
extremely destructive memory resident, floppy infecting virus. The wh0r3 now
has the .ASM (assembly) source for the virus. If this were a new, unknown virus
that no scanner could detect, something of this power could easily spread
around a network, and on to all its users' floppies, home computers, friends'
computers and relatives' computers in a matter of weeks, even days.

But if the source is assembled to the executable .COM at this point, every
virus scanner out there will detect it instantly, because the lab's output is
already known and the scan string for it is already sitting in the scanner's
data file. In case you don't understand: every virus scanner has a database
full of scan strings, which are basically small chunks of an already known
virus's code. When the scanner checks a file it searches it for every scan
string in its database - if it finds a match then it is very likely that the
scanned file contains the virus linked to that particular scan string, and so
the scanner goes w0rp4l (mAD.. pIcKz Up Da ViRuS)!

What our slightly better read wh0r3 does is open the lab-created .ASM source
in, for example, DOS EDIT or Notepad, and search for every instruction that is
not affected by the instruction above it and does not affect the instruction
below it - and then swap that instruction with the one above or below it. You
will understand in a moment.

An example (grab a few lines out of an .ASM file...):
1) JMP
2)
3) MOV AX, 01h
4) MOV BX, 02h
5) ADD AX, BX
6) JNZ

The bytes these instructions assemble to could be the scan string, or part of
the scan string, that a virus scanner looks for in the .EXE/.COM it scans. If
they are not, it doesn't matter - as long as we use the re-arrange technique
(explained below) on every instruction we safely can, we are sure to modify
whatever bytes the scan string covers, and so end up with a new variant of the
original virus that the string no longer matches.

Above we have the end of a previous group of instructions (line 1) and the next
group (lines 3-6). We can easily see that it does not matter which order
instructions 3 and 4 are in, so it is quite safe to swap them with each other.
In case you don't understand: 3 and 4 each put a value into a register, 01h
into AX and 02h into BX. It does not matter whether AX is loaded before BX or
BX before AX - they are independent of each other - although both AX and BX
must hold their values before the ADD adds them together, so we could not
place the ADD before either or both of the MOVs. The other instructions cannot
be swapped, because each one is either affected by the instruction above it or
affects the instruction below it: the JMP in line 1 ends the previous block,
the ADD in line 5 reads the registers the MOVs load, and the JNZ in line 6
tests the flags that the ADD sets, so ADD and JNZ must stay together and in
that order.

So now we have (after rearranging...):

1) JMP
2)
3) MOV BX, 02h
4) MOV AX, 01h
5) ADD AX, BX
6) JNZ

When this set of instructions is assembled, the resulting bytes will be
slightly different from before we changed the order (each MOV keeps its own
opcode and operand bytes, but the two now appear the other way round). Meaning
that if this was part of the scan string, it will no longer match the virus
scanner's string, and the scanner will not recognise the program as a virus.
As long as we re-arrange every instruction group we safely can throughout the
.ASM source, we are sure to change the part of the virus the scanner's string
is looking for. Once all the re-arranging is complete, simply assemble like
normal. Bear in mind this only beats a scanner that matches exact bytes: one
that holds several strings for the same virus, uses wildcards in its strings,
or looks at what the code does rather than which bytes it is made of may still
catch the variant, which is why you run the result past a scanner before you
call it done.
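The swap above, and the scanner's side of it, as an added Python example that
is not code from the article or from NRLG. It holds the six-line fragment as
one valid 16-bit x86 encoding per instruction (standard opcodes, checked by
hand; the JNZ displacement 05h is an assumed placeholder, since the fragment
gives no target), applies the MOV-swap rule, and shows that an exact scan
string stops matching the variant while a scanner that puts independent MOVs
back into a canonical order before matching still catches it. It generalises
the text slightly: the swap routine walks a whole instruction list rather than
just one pair.

```python
# Added example (not from the article or NRLG): why reordering independent
# instructions breaks an exact-byte scan string, and one way a scanner can
# undo the trick. Byte values are standard 16-bit x86 encodings; the JNZ
# displacement (05h) is an assumed placeholder.

# One instruction = (mnemonic, encoded bytes). Constructed to mirror the
# article's six-line fragment; its blank line 2 is omitted.
ORIGINAL = [
    ("MOV AX, 01h", bytes.fromhex("B80100")),  # B8 iw
    ("MOV BX, 02h", bytes.fromhex("BB0200")),  # BB iw
    ("ADD AX, BX",  bytes.fromhex("01D8")),    # 01 /r, modrm 11 011 000
    ("JNZ short",   bytes.fromhex("7505")),    # 75 cb, displacement assumed
]


def encode(seq):
    """Concatenate the encoded bytes of an instruction list."""
    return b"".join(code for _, code in seq)


# The scan string exactly as a 1999-era scanner would hold it: a fixed run of
# bytes lifted from the known sample.
SIGNATURE = encode(ORIGINAL)


def naive_scan(blob, sig=SIGNATURE):
    """Exact substring match: the scan-string approach the article describes."""
    return sig in blob


def dest_register(ins):
    """'MOV AX, 01h' -> 'AX'. Only meant for the MOV-immediate forms used here."""
    return ins[0].split()[1].rstrip(",")


def swap_independent_movs(seq):
    """The article's rearrangement: swap each adjacent pair of MOV-immediates
    that load different registers. A deliberately small model of the rule,
    not a general instruction scheduler."""
    out = list(seq)
    i = 0
    while i + 1 < len(out):
        a, b = out[i], out[i + 1]
        if (a[0].startswith("MOV ") and b[0].startswith("MOV ")
                and dest_register(a) != dest_register(b)):
            out[i], out[i + 1] = b, a
            i += 2          # do not swap the same pair back again
            continue
        i += 1
    return out


def canonical(seq):
    """Defender's counter: sort every run of adjacent MOV-immediates by
    destination register before matching, so either order yields the same
    bytes. Assumes the MOVs in a run write distinct registers and read none."""
    out, run = [], []

    def flush():
        out.extend(sorted(run, key=dest_register))
        run.clear()

    for ins in seq:
        if ins[0].startswith("MOV "):
            run.append(ins)
        else:
            flush()
            out.append(ins)
    flush()
    return out


CANON_SIGNATURE = encode(canonical(ORIGINAL))


def normalising_scan(seq):
    """Match the canonical form of the code against the canonical signature."""
    return CANON_SIGNATURE in encode(canonical(seq))


VARIANT = swap_independent_movs(ORIGINAL)

if __name__ == "__main__":
    print("original bytes :", encode(ORIGINAL).hex(" "))
    print("variant bytes  :", encode(VARIANT).hex(" "))
    print("naive scan, original    :", naive_scan(encode(ORIGINAL)))   # True
    print("naive scan, variant     :", naive_scan(encode(VARIANT)))    # False
    print("normalising scan, variant:", normalising_scan(VARIANT))     # True
```

The normalising scanner works on an instruction listing, so a real product would
first have to disassemble the file (or run it under an emulator) to get there;
that, plus wildcard scan strings, is the practical reason a plain MOV shuffle
stopped being enough against better scanners.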
Normally you can get away with only swapping around groups of MOV instructions
throughout the entire virus (as demonstrated above), which takes literally
minutes and requires absolutely no skill whatsoever. Occasionally you may have
to take a look at an assembler reference book and swap a few other
instructions around - like two ADDs that use different registers, provided
nothing below them tests the flags the first one set - if your scanner still
detects the virus once you have re-arranged all the MOVs.

Well there it is.

Disclaimer: I hope you hAVE pHUN with your variant creation, but I take no
responsibility for your actions, any damage you do to yourselves or your
victims. Just remember these viruses can be extremely dangerous - be careful,
and don't get yourself caught like a mate of mine who got himself taped
infecting a PC!

/<-CruZ

Greets to:
-=Firestarter=-, n3tw0rk bug, on1on, and the rest of SWAT TEAM U.K.
So1o of the Codezero - pHEAR dEM mAD sKILLZ!
Tattooman - because your site is w0rp4l!
All hackers wit' w34p0nry - not just 'puterz.
The BlackHand - l33t & fOrmidable knowledge.
4ny0n3 wh0 r34dz d1s t3x7! - Cuz you now got a bit of mAD sKILL!

/<1lx0r1n'z to:
tHe EnEmYz Of SWAT... j0o Kn0w Wh0 j0o 4r3!
G. / Double H.D.D. / GiMP - d4 biggezt b1ATCHEz of dem 'awl.
VB c0d1n' kidd13Z - eAT dEM f0R bReAkFaSt !!!
4ny0n3 wh0 1 3v3r k4wl3d : n1gg0r, b1ATCH, wh0r3, fux0r...