Thursday, 15 August 2013

A Basic Guide to the Internet

The Internet is a computer network made up of thousands of networks worldwide. No one knows exactly how many computers are connected to the Internet. It is certain, however, that these number in the millions.

No one is in charge of the Internet. There are organizations which develop technical aspects of this network and set standards for creating applications on it, but no governing body is in control. The Internet backbone, through which Internet traffic flows, is owned by private companies.

All computers on the Internet communicate with one another using the Transmission Control Protocol/Internet Protocol suite, abbreviated to TCP/IP. Computers on the Internet use a client/server architecture. This means that the remote server machine provides files and services to the user's local client machine. Software can be installed on a client computer to take advantage of the latest access technology.

An Internet user has access to a wide variety of services: electronic mail, file transfer, vast information resources, interest group membership, interactive collaboration, multimedia displays, real-time broadcasting, shopping opportunities, breaking news, and much more.

The Internet consists primarily of a variety of access protocols. Many of these protocols feature programs that allow users to search for and retrieve material made available by the protocol.




The World Wide Web (abbreviated as the Web or WWW) is a system of Internet servers that supports hypertext to access several Internet protocols on a single interface. Almost every protocol type available on the Internet is accessible on the Web. This includes e-mail, FTP, Telnet, and Usenet News. In addition to these, the World Wide Web has its own protocol: HyperText Transfer Protocol, or HTTP. These protocols will be explained later in this document.

The World Wide Web provides a single interface for accessing all these protocols. This creates a convenient and user-friendly environment. It is no longer necessary to be conversant in these protocols within separate, command-level environments. The Web gathers together these protocols into a single system. Because of this feature, and because of the Web's ability to work with multimedia and advanced programming languages, the Web is the fastest-growing component of the Internet.

The operation of the Web relies primarily on hypertext as its means of information retrieval. HyperText is a document containing words that connect to other documents. These words are called links and are selectable by the user. A single hypertext document can contain links to many documents. In the context of the Web, words or graphics may serve as links to other documents, images, video, and sound. Links may or may not follow a logical path, as each connection is programmed by the creator of the source document. Overall, the Web contains a complex virtual web of connections among a vast number of documents, graphics, videos, and sounds.

Producing hypertext for the Web is accomplished by creating documents with a language called HyperText Markup Language, or HTML. With HTML, tags are placed within the text to accomplish document formatting, visual features such as font size, italics and bold, and the creation of hypertext links. Graphics and multimedia may also be incorporated into an HTML document. HTML is an evolving language, with new tags being added as each upgrade of the language is developed and released. The World Wide Web Consortium (W3C), led by Web founder Tim Berners-Lee, coordinates the efforts of standardizing HTML. The W3C now calls the language XHTML and considers it to be an application of the XML language standard.

The World Wide Web consists of files, called pages or home pages, containing links to documents and resources throughout the Internet.

The Web provides a vast array of experiences including multimedia presentations, real-time collaboration, interactive pages, radio and television broadcasts, and the automatic "push" of information to a client computer. Programming languages such as Java, JavaScript, Visual Basic, Cold Fusion and XML are extending the capabilities of the Web. A growing amount of information on the Web is served dynamically from content stored in databases. The Web is therefore not a fixed entity, but one that is in a constant state of development and flux.

For more complete information about the World Wide Web, see Understanding The World Wide Web.

Electronic mail, or e-mail, allows computer users locally and worldwide to exchange messages. Each user of e-mail has a mailbox address to which messages are sent. Messages sent through e-mail can arrive within a matter of seconds.

A powerful aspect of e-mail is the option to send electronic files to a person's e-mail address. Non-ASCII files, known as binary files, may be attached to e-mail messages. These files are referred to as MIME attachments. MIME stands for Multimedia Internet Mail Extension, and was developed to help e-mail software handle a variety of file types. For example, a document created in Microsoft Word can be attached to an e-mail message and retrieved by the recipient with the appropriate e-mail program. Many e-mail programs, including Eudora, Netscape Messenger, and Microsoft Outlook, offer the ability to read files written in HTML, which is itself a MIME type.

Telnet is a program that allows you to log into computers on the Internet and use online databases, library catalogs, chat services, and more. There are no graphics in Telnet sessions, just text. To Telnet to a computer, you must know its address. This can consist of words ( or numbers ( Some services require you to connect to a specific port on the remote computer. In this case, type the port number after the Internet address. Example: telnet 185.

Telnet is available on the World Wide Web. Probably the most common Web-based resources available through Telnet have been library catalogs, though most catalogs have since migrated to the Web. A link to a Telnet resource may look like any other link, but it will launch a Telnet session to make the connection. A Telnet program must be installed on your local computer and configured to your Web browser in order to work.

With the increasing popularity of the Web, Telnet has become less frequently used as a means of access to information on the Internet.

FTP stands for File Transfer Protocol. This is both a program and the method used to transfer files between computers. Anonymous FTP is an option that allows users to transfer files from thousands of host computers on the Internet to their personal computer account. FTP sites contain books, articles, software, games, images, sounds, multimedia, course work, data sets, and more.

If your computer is directly connected to the Internet via an Ethernet cable, you can use one of several PC software programs, such as WS_FTP for Windows, to conduct a file transfer.

FTP transfers can be performed on the World Wide Web without the need for special software. In this case, the Web browser will suffice. Whenever you download software from a Web site to your local machine, you are using FTP. You can also retrieve FTP files via search engines such as FtpFind, located at / This option is easiest because you do not need to know FTP program commands.

One of the benefits of the Internet is the opportunity it offers to people worldwide to communicate via e-mail. The Internet is home to a large community of individuals who carry out active discussions organized around topic-oriented forums distributed by e-mail. These are administered by software programs. Probably the most common program is the listserv.

A great variety of topics are covered by listservs, many of them academic in nature. When you subscribe to a listserv, messages from other subscribers are automatically sent to your electronic mailbox. You subscribe to a listserv by sending an e-mail message to a computer program called a listserver. Listservers are located on computer networks throughout the world. This program handles subscription information and distributes messages to and from subscribers. You must have an e-mail account to participate in a listserv discussion group. Visit at / to see an example of a site that offers a searchable collection of e-mail discussion groups.

Majordomo and Listproc are two other programs that administer e-mail discussion groups. The commands for subscribing to and managing your list memberships are similar to those of listserv.

Usenet News is a global electronic bulletin board system in which millions of computer users exchange information on a vast range of topics. The major difference between Usenet News and e-mail discussion groups is the fact that Usenet messages are stored on central computers, and users must connect to these computers to read or download the messages posted to these groups. This is distinct from e-mail distribution, in which messages arrive in the electronic mailboxes of each list member.

Usenet itself is a set of machines that exchanges messages, or articles, from Usenet discussion forums, called newsgroups. Usenet administrators control their own sites, and decide which (if any) newsgroups to sponsor and which remote newsgroups to allow into the system.

There are thousands of Usenet newsgroups in existence. While many are academic in nature, numerous newsgroups are organized around recreational topics. Much serious computer-related work takes place in Usenet discussions. A small number of e-mail discussion groups also exist as Usenet newsgroups.

The Usenet newsfeed can be read by a variety of newsreader software programs. For example, the Netscape suite comes with a newsreader program called Messenger. Newsreaders are also available as standalone products.

FAQ stands for Frequently Asked Questions. These are periodic postings to Usenet newsgroups that contain a wealth of information related to the topic of the newsgroup. Many FAQs are quite extensive. FAQs are available by subscribing to individual Usenet newsgroups. A Web-based collection of FAQ resources has been collected by The Internet FAQ Consortium and is available at /

RFC stands for Request for Comments. These are documents created by and distributed to the Internet community to help define the nuts and bolts of the Internet. They contain both technical specifications and general information.

FYI stands for For Your Information. These notes are a subset of RFCs and contain information of interest to new Internet users.

Links to indexes of all three of these information resources are available on the University Libraries Web site at /

Chat programs allow users on the Internet to communicate with each other by typing in real time. They are sometimes included as a feature of a Web site, where users can log into the "chat room" to exchange comments and information about the topics addressed on the site. Chat may take other, more wide-ranging forms. For example, America Online is well known for sponsoring a number of topical chat rooms.

Internet Relay Chat (IRC) is a service through which participants can communicate to each other on hundreds of channels. These channels are usually based on specific topics. While many topics are frivolous, substantive conversations are also taking place. To access IRC, you must use an IRC software program.

A variation of chat is the phenomenon of instant messaging. With instant messaging, a user on the Web can contact another user currently logged in and type a conversation. Most famous is America Online's Instant Messenger. ICQ, MSN and Yahoo are other commonly-used chat programs.

Other types of real-time communication are addressed in the tutorial Understanding the World Wide Web.

MUD stands for Multi User Dimension. MUDs, and their variations listed above, are multi-user virtual reality games based on simulated worlds. Traditionally text based, graphical MUDs now exist. There are MUDs of all kinds on the Internet, and many can be joined free of charge. For more information, read one of the FAQs devoted to MUDs available at the FAQ site at

Monday, 5 August 2013

Some Google Tricks, again

A few things you might want to try with Google:

Hand type the following prefixes and note their utility:

link:url Shows other pages with links to that url.

related:url same as "what's related" on serps.

site:domain restricts search results to the given domain.

allinurl: shows only pages with all terms in the url.

inurl: like allinurl, but only for the next query word.

allintitle: shows only results with terms in title.

intitle: similar to allintitle, but only for the next word. "intitle:webmasterworld google" finds only pages with webmasterworld in the title, and google anywhere on the page.

cache:url will show the Google version of the passed url.

info:url will show a page containing links to related searches, backlinks, and pages containing the url. This is the same as typing the url into the search box.

spell: will spell check your query and search for it.

stocks: will look up the search query in a stock index.

filetype: will restrict searches to that filetype. "-filetype:doc" to remove Microsoft word files.

daterange: is supported in Julian date format only. 2452384 is an example of a Julian date.

maps: If you enter a street address, a link to Yahoo Maps and to MapBlast will be presented.

phone: enter anything that looks like a phone number to have a name and address displayed. Same is true for something that looks like an address (include a name and zip code).

"+www.somesite.+net" (tells you how many pages of your site are indexed by google)

allintext: searches only within text of pages, but not in the links or page title

allinlinks: searches only within links, not text or title

I hope there is something new in here for you and maybe this info will be helpful for ya.

How To Find Serial Numbers On Google

ok, this is a little trick that i usually use to find cd keys with google.

if you're looking for a serial number for nero (for example) go to and type nero 94FBR and it'll bring it up

this works great in google


Quite simple really. 94FBR is part of an Office 2000 Pro cd key that is widely distributed as it bypasses the activation requirements of Office 2K Pro. By searching for the product name and 94fbr, you guarantee two things.

1) The pages that are returned are pages dealing specifically with the product you're wanting a serial for.

2) Because 94FBR is part of a serial number, and only part of a serial number, you guarantee that any page being returned is a serial number list page.

I hope this trick helps you find your cd keys easily

Enjoy :)

Google Tips & Tricks, (utilizing search engine)

Utilizing search engines

So much information is on the web, it's mind boggling. Thankfully we have search
engines to sift through them and categorize them for us. Unfortunately, there is still so
much info that even with these search engines, it's often a painstakingly slow process
(something comparable to death for a hacker) to find exactly what you're looking for.

Let's get right into it.

I use as my primary search engine because it presently tops the charts as far as
the sites that it indexes which means more pertinent info per search.

1. Page translation.
Just because someone speaks another language doesn't mean they don't have anything useful to say. I use translation tools like the ones found at
to translate a few key words I am searching for. Be specific and creative because these tools aren't the most accurate things on the planet.

2. Directories.
These days everything is about $$$. We have to deal with SEO (search engine optimization) which seems like a good idea on paper until you do a search for toys and get 5 pornsites in the first 10 results. Using a site's directory will eliminate that. You can narrow your search down easily by looking for the info in specific categories. (PS google DOES have directories, they're at:

3. Here are some tips that google refers to as "advanced"

A. "xxxx" / will look for the exact phrase. (google isn't case sensitive)
B. -x / will search for something excluding a certain term
C. filetype:xxx / searches for a particular file extension (exe, mp3, etc)
D. -filetype:xxx / excludes a particular file extension
E. allinurl:x / term in the url
F. allintext:x / terms in the text of the page
G. allintitle:x / terms in the html title of that page
H. allinanchor:x / terms in the links

4. OR
Self explanatory, one or the other... (ie: binder OR joiner)

5. ~X
Synonyms/similar terms (in case you can't think of any yourself)

6. Numbers in a range.
Let's say you're looking for an mp3 player but only want to spend up to $90. Why swim through all the others? MP3 player $0..$90 The 2 periods will set a numeric range to search between. This also works with dates, weights, etc

7. +
Ever type in a search and see something like this:
"The following words are very common and were not included in your search:"
Well, what if those common words are important in your search? You can force google to search through even the common terms by putting a + in front of the denied word.

8. Preferences
It amazes me when I use other people's PCs that they don't have their google search preferences saved. When you use google as much as I do, who can afford to not have preferences? They're located on the right of the search box, and have several options, though I only find 2 applicable for myself...
A. Open results in new browser
B. Display 10-100 results per page. (I currently use 50 per page, but that's a resolution preference, and 5X's the default)

9. *
Wildcard searches. Great when applied to a previously mentioned method. If you only know the name of a prog, or are looking for ALL of a particular file (ie. you're DLing tunes) something like *.mp3 would list every mp3.

10. Ever see this?
"In order to show you the most relevant results, we have omitted some entries very similar to the X already displayed. If you like, you can repeat the search with the omitted results included." The answer is YES. yes yes yes. Did I mention yes? I meant to.

Use the engine to its fullest. If you don't find your answer in the web section, try the group section. Hell, try a whole different search engine. Don't limit yourself, because sometimes engines seem to intentionally leave results out.
ex. use google, yahoo, and altavista. search the same terms... pretty close, right? Now search for disney death. Funny, altavista has plenty of disney, but no death...hmmm.

If you've read this far into this tutorial without saying, "Great, a guy that copied a few google help pages and thinks it's useful info" then I will show you WHY (besides accuracy, speed, and consistency finding info on ANYTHING) it's nice to know how a search engine works. You combine it with your knowledge of other protocols.

Want free music? Free games? Free software? Free movies? God bless FTP! Try this search:
intitle:"Index of music" "rolling stones" mp3
Substitute rolling stones with your favorite band. No? Try the song name, or another file format. Play with it. Assuming SOMEONE made an FTP and uploaded it, you'll find it.

For example....I wanted to find some Sepultura. If you never heard them before, they're a Brazilian heavy metal band that kicks ass. I started with this:
intitle:"Index of music" "Sepultura" mp3 <-- nothing
intitle:"Index of música" "Sepultura" mp3 <-- nothing
intitle:"Index of musica" "Sepultura" mp3 <-- not good enough
intitle:"Index of music" "Sepultura" * <-- found great stuff, but not enough Sepultura

At this point it occurs to me that I may be missing something, so I try:
intitle:"index of *" "sepultura" mp3 <-- BANG!
(and that's without searching for spelling errors)
Also try inurl:ftp

I find that * works better for me than trying to guess other people's misspellings.

The same method applies for ebooks, games, movies, SW, anything that may be on an FTP site.

I hope you enjoyed this tutorial, and I saw that recently a book and an article were written on the very same topic. I haven't read them as of yet, but check em out, and get back to me if you feel I missed something important and should include anything else.

intitle:"index of" "google hacks" ebook

Ps. I've said it before, I'll say it again... BE CREATIVE.
You'll be surprised what you can find.

Google Crack Search

just type crack: app name

example: crack: flashget 1.6a

getting movies, mp3,games using google

okay let's keep this tutorial short. you want movies and games/mp3 / games and don't know where to get them, thank god there is

put this string in

"parent directory " /appz/ -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory "Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Name of Singer or album -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

notice that i am only changing the word after the parent directory, change it to what you want and you will get lots of goods. i got plenty of movie sites heh.

Easily Find Serial Numbers On Google.., easy to do and works like a charm.

 let's pretend you need a serial number for windows xp pro.

in the search bar type in just like this - "Windows XP Professional" 94FBR

the key is the 94FBR code.. it was included with many MS Office registration codes so this will help you dramatically reduce the amount of 'fake' porn sites that trick you.

or if you want to find the serial for winzip 8.1 - "Winzip 8.1" 94FBR

just try it out, it's very quick and it works nicely..


here is another trick that works fairly decent for finding mp3's on the web (which is hard to do normally, to say the least)

say you want to get, for example, a Garth Brooks song. type this in the search bar - "index of/" "garth brooks" .mp3 the ones you want to check out first are the ones that say "Index of/" in the title of the search result. this technique allows you to easily pull up web folders with direct downloads. it will look the same as if you were logging into a ftp url.. i'm sure you can be pretty flexible on how you type that in, so long as you include "index of/"

i'm sure you can use this for more than just mp3's (it's not perfect but it has worked for me on a few occasions)

always make sure to use the quotations where i placed them. they help pinpoint the correct search results more accurately. just try it out, also if you want to learn how to do more with google look up "google hacks"

Virus-Trojan FAQ

23. What is a trojan/worm/virus/logic bomb?

This FAQ answer was written by Theora:

     Remember the Trojan Horse? Bad guys hid inside it until they could get
     into the city to do their evil deed. A trojan computer program is
     similar. It is a program which does an unauthorized function, hidden
     inside an authorized program. It does something other than what it
     claims to do, usually something malicious (although not necessarily!),
     and it is intended by the author to do whatever it does. If it's not
     intentional, it's called a 'bug' or, in some cases, a feature :) Some
     virus scanning programs detect some trojans. Some virus scanning
     programs don't detect any trojans. No virus scanners detect all

     A virus is an independent program which reproduces itself. It may
     attach to other programs, it may create copies of itself (as in
     companion viruses). It may damage or corrupt data, change data, or
     degrade the performance of your system by utilizing resources such as
     memory or disk space. Some virus scanners detect some viruses. No
     virus scanners detect all viruses. No virus scanner can protect
     against "any and all viruses, known and unknown, now and forevermore".

     Made famous by Robert Morris, Jr., worms are programs which reproduce
     by copying themselves over and over, system to system, using up
     resources and sometimes slowing down the systems. They are self
     contained and use the networks to spread, in much the same way viruses
     use files to spread. Some people say the solution to viruses and worms
     is to just not have any files or networks. They are probably correct.
     We would include computers.
Logic Bomb:
     Code which will trigger a particular form of 'attack' when a
     designated condition is met. For instance, a logic bomb could delete
     all files on Dec. 5th. Unlike a virus, a logic bomb does not make
     copies of itself.

User's Guide To Avoiding Virus Infections, Keeping an eye out for viruses


Computer viruses are everywhere! This guide will show you how to stay alert and how to avoid getting infections on your computer. Having an updated virus scanner is only a small part of this; there are many ways to prevent viruses other than a virus scanner, as it will not always save you.

Types of viruses
There are many types of viruses. Typical viruses are simply programs or scripts that will do various damage to your computer, such as corrupting files, copying themselves into files, slowly deleting all your hard drive etc. This depends on the virus. Most viruses also mail themselves to other people in the address book. This way they spread really fast and appear at others' inboxes as too many people still fall for these. Most viruses will try to convince you to open the attachment, but I have never got one that tricked me. In fact, I found myself emailing people just to make sure they really did send me something. It does not hurt to be safe.

Worms are a different type of virus built on the same idea, but they are usually designed to copy themselves many times over a network, and they usually try to eat up as much bandwidth as possible by sending commands to servers to try to get in. The Code Red worm is a good example of this. This worm breaks in through a security hole in Microsoft IIS (Internet Information Server), which is a badly coded HTTP server that a lot of people use despite the security risks. When the worm successfully gets in, it will try to go into other servers from there. When IceTeks was run on a dedicated server at my house, there were about 10 or so attempts per day, but because we ran Apache, the attempts did not do anything but waste bandwidth, and not much, as I had it fixed a special way. Some worms, such as the SQL Slammer, will simply send themselves over and over so many times that they will clog up networks, and sometimes all of the Internet. Worms usually affect servers more than home users, but again, this depends on what worm it is. It is suspected that most worms are efforts from the RIAA to try to stop piracy, so they try to clog up networks that could contain files. Unfortunately, the RIAA have the authority to do these damages and even if caught, nothing can be done.

Trojans are another type of virus. They simply act like a server that enables hackers to get into and control the computer. A trojan such as Subseven can enable a hacker to do various things such as control the mouse, eject the cd-rom drive, delete/download/upload files and much more.

MBR viruses
Boot sector viruses are another type. They are similar to file viruses, but instead they go in the boot sector and can cause serious damage when the computer is booted; some can easily format your drive simply by booting your computer. These are hard to remove.

Most viruses have various characteristics. For example, a worm can also be a trojan and also infect the boot sector. It all depends on how the virus is written and what it is designed to do. That's why there are not really strong structured categories, as they can easily mix one in the other.

Know the potentially dangerous files
Like any other files, viruses must be opened in order to do something. Most viruses come through e-mail as an attachment. Some will make it look like it's someone you know, and it will try to convince you to open an attachment. Never open attachments at any cost! Some viruses will infect files in programs, so opening a program will actually open the virus, maybe the same one, or another part of it.

All files have what is called an extension; this is the last 3 letters after the last period. For example, setup.exe has a file extension of .exe.

Extensions to watch out for are .exe .com .bat .scr .pif .vbs and others, but these are the most seen. .exe .com .bat .pif and .scr are valid extensions for executables. A virus writer will simply rename it to one of these and it will work the same way. .pif is a shortcut to an MS-DOS program and will have the MS-DOS icon, but will still execute whatever code is in it, so an .exe can be renamed to .pif and be run the same way. .bat is a batch file, which can contain instructions to do various file activities, but again, a .exe can be renamed to .bat and it will execute it! .vbs is a Visual Basic script. For some reason, Microsoft provides this scripting language along with the scripting host to make it more convenient to design and write viruses quickly and easily. I've never seen another use for this scripting language other than for writing viruses. There are programs that are written with that language, but it is compiled into an exe. Exe is the usual extension for programs; you would not have a software CD install a bunch of vbs files all over!

The bottom line is: if you don't know what a file is, just don't open it. Some viruses are named in a way that masks the real file extension, to make the file look harmless, such as an image file. This is easily noticed, but can still be missed. Simply don't open unexpected files.
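One way to automate the filename checks described above for e-mail attachments, as an added example that is not part of the original guide. The decoy-extension list, the function names and the sample message are assumptions made for this example; the risky extensions are the ones the guide lists.

```python
import email
from email import policy
from email.message import EmailMessage

# Executable and script extensions named in the guide above.
RISKY_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs"}
# Harmless-looking extensions used as the visible half of a double
# extension (assumed list for this example, extend as needed).
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".doc", ".mp3"}
# Media types that should never carry an executable file name.
MEDIA_MAINTYPES = {"image", "audio", "video"}


def extensions(filename):
    """Return every dot-separated extension, lower-cased and stripped.

    Trailing dots and spaces are dropped first because Windows ignores
    them when it resolves the file type.
    """
    cleaned = filename.strip().rstrip(". ")
    return ["." + part.strip().lower() for part in cleaned.split(".")[1:]]


def classify_filename(filename, content_type="application/octet-stream"):
    """Return the reasons (possibly none) an attachment name is suspicious."""
    reasons = []
    exts = extensions(filename)
    if not exts or exts[-1] not in RISKY_EXTENSIONS:
        return reasons
    real = exts[-1]
    reasons.append(f"executable extension {real}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        reasons.append(f"double extension: {exts[-2]} hides {real}")
    if " " * 5 in filename:
        reasons.append("whitespace padding pushes the real extension out of view")
    if content_type.split("/")[0] in MEDIA_MAINTYPES:
        reasons.append(f"declared as {content_type} but named {real}")
    return reasons


def screen_message(raw_bytes):
    """Parse one raw e-mail; return (filename, content_type, reasons) per attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        report.append((name, ctype, classify_filename(name, ctype)))
    return report


def build_sample_message():
    """Constructed sample e-mail with three attachments (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Pictures from the trip"
    msg.set_content("Have a look at the attached picture.")
    msg.add_attachment(b"placeholder bytes", maintype="image",
                       subtype="jpeg", filename="holiday.jpg.scr")
    msg.add_attachment(b"placeholder document", maintype="application",
                       subtype="msword", filename="minutes.doc")
    msg.add_attachment("placeholder script text", subtype="plain",
                       filename="update.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, reasons in screen_message(build_sample_message()):
        verdict = "; ".join(reasons) if reasons else "no filename-based findings"
        print(f"{name!r} ({ctype}): {verdict}")
```

A clean result here only means the name looks ordinary; it says nothing about the file's contents, which still need a scanner.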

If you get something that appears like something legit, just ask the person it came from if they sent it. Most viruses use a friend's address to make it look like it comes from them. The virus does this by using the person's address when sending itself to the address book contacts.

Email is not the only way to get viruses; P2P (file sharing programs such as kazaa, winmx, direct connect etc) is also another way to get viruses.

When downloading programs, the main thing to watch out for is the file size. If you are downloading a program that you expect to be rather large such as a game, don't grab a file that is 10KB, since it's most likely a virus. However, I've been caught with a virus even with large files, so file size is not the only thing to watch, as an exe is still valid even if junk is added at the end, so a 64KB virus will still function even if it is turned into 650MB.

Icons are something to look for too. Fortunately, virus writers don't take time to put icons. If your download should be a setup file, you should see the icon of a setup file. If it's just the blank icon that typical plain or corrupted exes have, don't open it.

Another thing to do, which should be obvious, is to scan the file for viruses using updated virus definitions. But don't rely on only your virus scanner, as they are not perfect, and if the virus has not been reported to them yet, they won't know to create a definition for it!

Changing settings to stay safe
If you do open a virus, you want to avoid it going to all your friends. The simplest thing to do is to NOT use the windows address book. It is easy for viruses to get through and Microsoft is not doing anything about it. Just don't use it. Put them in spreadsheet or even better write them down somewhere. Don't use the address book.

Another "feature" to avoid is the auto preview. Some viruses can attempt to open themselves just by opening the email. There are security holes in Microsoft mail programs that allow this. In Microsoft Outlook, click on the view menu and remove auto preview. You need to do this for every folder, but the inbox is most important. In Outlook Express, click on the view menu and go to layout. In the dialog box, you will see a check box for show preview pane. Uncheck it and click ok.

Another thing you should change, especially if you download a lot, is the option that allows you to view the file extension. In Win98, go in any folder, click on view, then folder options, choose the view tab and, where it says hide file extension for known types, uncheck it. In Win2k, it is the same process, but instead go in the control panel and open the folder options icon.
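Why this setting matters can be shown with the attachment name this page cites later, LOVE-LETTER-FOR-YOU.TXT.VBS: with extensions hidden, only the decoy part of the name is displayed. The following Python sketch is an added example, not part of the original article; the extension lists are assumptions and are not exhaustive, and the file names are constructed samples.

```python
# Extensions that run code when opened on Windows (assumed, non-exhaustive).
RUNNABLE = {"exe", "com", "scr", "pif", "bat", "cmd",
            "vbs", "vbe", "js", "jse", "wsf", "hta"}
# Extensions users tend to read as harmless documents or media (assumed).
DECOY = {"txt", "doc", "xls", "ppt", "pdf", "jpg", "gif", "bmp",
         "mp3", "avi", "zip"}
# Types treated here as registered, i.e. hidden when the option is enabled.
KNOWN = RUNNABLE | DECOY


def split_ext(name: str):
    """Split off the final extension; Windows ignores trailing dots and spaces."""
    name = name.rstrip(" .")
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return name, ""
    return stem, ext.lower()


def shown_name(filename: str, hide_known: bool = True) -> str:
    """Approximate what a file listing shows for this name."""
    stem, ext = split_ext(filename)
    if hide_known and ext in KNOWN:
        return stem.rstrip()
    return filename.rstrip(" .")


def assess(filename: str) -> dict:
    """Report the real extension, the displayed name, and any masquerade signs."""
    stem, ext = split_ext(filename)
    findings = []
    if ext in RUNNABLE:
        _, inner_ext = split_ext(stem)
        if inner_ext in DECOY:
            findings.append("double-extension")
        if len(stem) - len(stem.rstrip()) >= 3:
            # A run of spaces pushes the real extension out of view.
            findings.append("padded-extension")
    return {"real_ext": ext, "shown_as": shown_name(filename), "findings": findings}


def triage(filenames):
    """Return (name, findings) for every name that looks like a masquerade."""
    flagged = []
    for name in filenames:
        result = assess(name)
        if result["findings"]:
            flagged.append((name, result["findings"]))
    return flagged


# Constructed sample of attachment names, as a mail gateway might see them.
SAMPLE_NAMES = [
    "LOVE-LETTER-FOR-YOU.TXT.VBS",
    "setup.exe",
    "report.final.doc",
    "photo.jpg          .exe",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name), "->", assess(name))
```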

Avoiding server worms
Some viruses, mostly worms, can exploit servers and spread from infected servers to other servers. A good example is the SQL Slammer. This was a worm that affected SQL servers run by Microsoft IIS and Microsoft SQL Server. Once the worm gets in, that particular server starts trying to find more exploitable servers, driving internet connections to a halt in the process. Servers running Apache were unaffected by that, except for the many hits to try to get in. IceTeks received about 100 hits per day when it was run on a dedicated home server. Most hits came from major ISPs and other big websites that had no clue they were still affected.

The simple solution to avoid these types of viruses is to NOT use Microsoft based server software for your server, especially if it is a public server. The operating system is also crucial, but the actual server software matters much more. Apache, which is free, is much more secure than Microsoft based server programs such as IIS. IIS may be easier to understand and administer, but it saves a lot of hassle to learn how to use Apache. IIS has a large number of vulnerabilities, such as the ability to gain access to cmd.exe and basically delete the whole drive by doing a ../ request in the address bar. These don't require viruses, just simple commands, but there are worms written to issue these commands automatically. The Code Red worm does this.

Removing a virus
The best way to do this is to do a clean install. However, depending on how bad the virus is, a simple clean install won't remove it. So to be extra sure, you'll want to do a low level format. This is especially true if you got a boot sector virus, as even repartitioning and formatting won't quite remove it. Sometimes you can get away with an fdisk /mbr, but not all the time. There are various removal tools for viruses; it is good to use them and see if they work, but proceeding with the clean install is recommended. You never know if the virus is completely removed by deleting files you suspect are infected. Some viruses such as the Bugbear will close anti virus programs and other programs to make it hard and annoying to figure out what to do. A clean install is the best way to ensure that it's gone for good.

Viruses are out there, don't be one of the many infected ones! Stay alert and stay safe! Don't open unexpected files, regularly update your virus definitions and scan downloaded files!

I hope this article was useful for you! 

Tip for shutdown windows - virus

 Try to open:

Run -> cmd -> shutdown -a

This prevents the shutdown.

Create a new shortcut, then write:
shutdown -s -t 0 = this shuts down in 0 seconds (t = time, s = shutdown)
shutdown -r -t 0 = same, but this restarts the computer in 0 seconds
(only for Windows XP)
In Win98 this is different; we wrote rundll32.exe -s or something like this... I couldn't remember right now.

Removing Norton Anti-virus 2004, How to remove the Registry Entries

 Found this on the Norton Web site.

I finally got fed up with Norton 2004 AV and switched to Avast.

Had lots of problems removing Norton, lots of stuff left over in the registry.

After a few Google searches, I found this.

FYI, this is from the Site, so I am guessing it is nice and safe

If you scroll down to the "Removal instructions", the first option is "To remove Norton AntiVirus from the registry". Click on the plus sign and you can download the removal tool (it is a .reg file that removes all the keys for Norton).

Direct Link for the file:

After I got done, Avast started working right and my system seemed to be running a lot better (after Avast found 14 viruses that Norton did not find).

Evolution Of Computer Viruses History Of Viruses

part 1

Like any other field in computer science, viruses have evolved -a great deal indeed- over the years. In the series of press releases which start today, we will look at the origins and evolution of malicious code since it first appeared up to the present.

Going back to the origin of viruses, it was in 1949 that mathematician John Von Neumann described self-replicating programs which could resemble computer viruses as they are known today. However, it was not until the 60s that we find the predecessor of current viruses. In that decade, a group of programmers developed a game called Core Wars, which could reproduce every time it was run, and even saturate the memory of other players’ computers. The creators of this peculiar game also created the first antivirus, an application named Reaper, which could destroy copies created by Core Wars.

However, it was only in 1983 that one of these programmers announced the existence of Core Wars, which was described the following year in a prestigious scientific magazine: this was actually the starting point of what we call computer viruses today.

At that time, a still young MS-DOS was starting to become the preeminent operating system worldwide. This was a system with great prospects, but still many deficiencies as well, which arose from software developments and the lack of many hardware elements known today. Even like this, this new operating system became the target of a virus in 1986: Brain, a malicious code created in Pakistan which infected boot sectors of disks so that their contents could not be accessed. That year also saw the birth of the first Trojan: an application called PC-Write.

Shortly after, virus writers realized that infecting files could be even more harmful to systems. In 1987, a virus called Suriv-02 appeared, which infected COM files and opened the door to the infamous viruses Jerusalem or Viernes 13. However, the worst was still to come: 1988 set the date when the “Morris worm” appeared, infecting 6,000 computers.

From that date up to 1995 the types of malicious codes that are known today started being developed: the first macro viruses appeared, polymorphic viruses … Some of these even triggered epidemics, such as Michelangelo. However, there was an event that changed the virus scenario worldwide: the massive use of the Internet and e-mail. Little by little, viruses started adapting to this new situation until the appearance, in 1999, of Melissa, the first malicious code to cause a worldwide epidemic, opening a new era for computer viruses.

part 2

This second installment of ‘The evolution of viruses’ will look at how malicious code used to spread before use of the Internet and e-mail became as commonplace as it is today, and the main objectives of the creators of those earlier viruses.
Until the worldwide web and e-mail were adopted as a standard means of communication the world over, the main mediums through which viruses spread were floppy disks, removable drives, CDs, etc., containing files that were already infected or with the virus code in an executable boot sector.

When a virus entered a system it could go memory resident, infecting other files as they were opened, or it could start to reproduce immediately, also infecting other files on the system. The virus code could also be triggered by a certain event, for example when the system clock reached a certain date or time.  In this case, the virus creator would calculate the time necessary for the virus to spread and then set a date –often with some particular significance- for the virus to activate. In this way, the virus would have an incubation period during which it didn’t visibly affect computers, but just spread from one system to another waiting for ‘D-day’ to launch its payload. This incubation period would be vital to the virus successfully infecting as many computers as possible.

One classic example of a destructive virus that lay low before releasing its payload was CIH, also known as Chernobyl. The most damaging version of this malicious code activated on April 26, when it would try to overwrite the flash-BIOS, the memory which includes the code needed to control PC devices. This virus, which first appeared in June 1998, had a serious impact for over two years and still continues to infect computers today.

Because of the way in which they propagate, these viruses spread very slowly, especially in comparison to the speed of today’s malicious code. Towards the end of the Eighties, for example, the Friday 13th (or Jerusalem) virus needed a long time to actually spread and continued to infect computers for some years. In contrast, experts reckon that in January 2003, SQLSlammer took just ten minutes to cause global communication problems across the Internet.

Notoriety versus stealth

For the most part, in the past, the activation of a malicious code triggered a series of on screen messages or images, or caused sounds to be emitted to catch the user’s attention.  Such was the case with the Ping Pong virus, which displayed a ball bouncing from one side of the screen to another. This kind of elaborate display was used by the creator of the virus to gain as much notoriety as possible. Nowadays however, the opposite is the norm, with virus authors trying to make malicious code as discreet as possible, infecting users’ systems without them noticing that anything is amiss.

part 3

This third installment of ‘The evolution of viruses’ will look at how the Internet and e-mail changed the propagation techniques used by computer viruses.

Internet and e-mail revolutionized communications. However, as expected, virus creators didn’t take long to realize that along with this new means of communication, an excellent way of spreading their creations far and wide had also dawned. Therefore, they quickly changed their aim from infecting a few computers while drawing as much attention to themselves as possible, to damaging as many computers as possible, as quickly as possible. This change in strategy resulted in the first global virus epidemic, which was caused by the Melissa worm.

With the appearance of Melissa, the economic impact of a virus started to become an issue. As a result, users -above all companies- started to become seriously concerned about the consequences of viruses on the security of their computers. This is how users discovered antivirus programs, which started to be installed widely. However, this also brought about a new challenge for virus writers, how to slip past this protection and how to persuade users to run infected files.

The answer to which of these virus strategies was the most effective came in the form of a new worm: Love Letter, which used a simple but effective ruse that could be considered an early type of social engineering. This strategy involves inserting false messages that trick users into thinking that the message includes anything, except a virus. This worm’s bait was simple; it led users to believe that they had received a love letter.

This technique is still the most widely used. However, it is closely followed by another tactic that has been the center of attention lately: exploiting vulnerabilities in commonly used software. This strategy offers a range of possibilities depending on the security hole exploited. The first malicious code to use this method –and quite successfully- were the BubbleBoy and Kakworm worms. These worms exploited a vulnerability in Internet Explorer by inserting HTML code in the body of the e-mail message, which allowed them to run automatically, without needing the user to do a thing.

Vulnerabilities allow many different types of actions to be carried out. For example, they allow viruses to be dropped on computers directly from the Internet -such as the Blaster worm-. In fact, the effects of the virus depend on the vulnerability that the virus author tries to exploit.

part 4

In the early days of computers, there were relatively few PCs likely to contain “sensitive” information, such as credit card numbers or other financial data, and these were generally limited to large companies that had already incorporated computers into working processes.

In any event, information stored in computers was not likely to be compromised, unless the computer was connected to a network through which the information could be transmitted. Of course, there were exceptions to this and there were cases in which hackers perpetrated frauds using data stored in IT systems. However, this was achieved through typical hacking activities, with no viruses involved.

The advent of the Internet, however, caused virus creators to change their objectives and, from that moment on, they tried to infect as many computers as possible in the shortest time. Also, the introduction of Internet services -like e-banking or online shopping- brought in another change. Some virus creators started writing malicious codes not to infect computers, but to steal confidential data associated with those services. Evidently, to achieve this, they needed viruses that could infect many computers silently.

Their malicious labor was finally rewarded with the appearance, in 1986, of a new breed of malicious code generically called “Trojan Horse”, or simply “Trojan”. This first Trojan was called PC-Write and tried to pass itself off as the shareware version of a text processor. When run, the Trojan displayed a functional text processor on screen. The problem was that, while the user wrote, PC-Write deleted and corrupted files on the computers’ hard disk.

After PC-Write, this type of malicious code evolved very quickly to reach the stage of present-day Trojans. Today, many of the people who design Trojans to steal data cannot be considered virus writers but simply thieves who, instead of using blowtorches or dynamite, have turned to viruses to commit their crimes. Ldpinch.W or the Bancos or Tolger families of Trojans are examples of this.

part 5

Even though none of them can be left aside, some particular fields of computer science have played a more determinant role than others with regard to the evolution of viruses. One of the most influential fields has been the development of programming languages.

These languages are basically a means of communication with computers in order to tell them what to do. Even though each of them has its own specific development and formulation rules, computers in fact understand only one language called "machine code".

Programming languages act as an interpreter between the programmer and the computer. Obviously, the more directly you can communicate with the computer, the better it will understand you, and more complex actions you can ask it to perform.

According to this, programming languages can be divided into "low and high level" languages, depending on whether their syntax is more understandable for programmers or for computers. A "high level" language uses expressions that are easily understandable for most programmers, but not so much for computers. Visual Basic and C are good examples of this type of language.

On the contrary, expressions used by "low level" languages are closer to machine code, but are very difficult to understand for someone who has not been involved in the programming process. One of the most powerful, most widely used examples of this type of language is "assembler".

In order to explain the use of programming languages through virus history, it is necessary to refer to hardware evolution. It is not difficult to understand that an old 8-bit processor does not have the power of modern 64-bit processors, and this of course, has had an impact on the programming languages used.

In this and the next installments of this series, we will look at the different programming languages used by virus creators through computer history:

- Virus antecessors: Core Wars

As was already explained in the first chapter of this series, a group of programs called Core Wars, developed by engineers at an important telecommunications company, are considered the antecessors of current-day viruses. Computer science was still in the early stages and programming languages had hardly developed. For this reason, authors of these proto-viruses used a language that was almost equal to machine code to program them.

Curiously enough, it seems that one of the Core Wars programmers was Robert Thomas Morris, whose son programmed -years later- the "Morris worm". This malicious code became extraordinarily famous since it managed to infect 6,000 computers, an impressive figure for 1988.

- The new gurus of the 8-bits and the assembler language.

The names Altair, IMSAI and Apple in USA and Sinclair, Atari and Commodore in Europe, bring memories of times gone by, when a new generation of computer enthusiasts "fought" to establish their place in the programming world. To be the best, programmers needed to have profound knowledge of machine code and assembler, as interpreters of high-level languages used too much run time. BASIC, for example, was a relatively easy to learn language which allowed users to develop programs simply and quickly. It had however, many limitations.

This caused the appearance of two groups of programmers: those who used assembler and those who turned to high-level languages (BASIC and PASCAL, mainly).

Computer aficionados of the time enjoyed themselves more by programming useful software than malware. However, 1981 saw the birth of what can be considered the first 8-bit virus. Its name was "Elk Cloner", and was programmed in machine code. This virus could infect Apple II systems and displayed a message when it infected a computer.

part 6

Computer viruses evolve in much the same way as in other areas of IT. Two of the most important factors in understanding how viruses have reached their current level are the development of programming languages and the appearance of increasingly powerful hardware.

In 1981, almost at the same time as Elk Cloner (the first virus for 8-bit processors) made its appearance, a new operating system was growing in popularity. Its full name was Microsoft Disk Operating System, although computer buffs throughout the world would soon refer to it simply as DOS.

DOS viruses

The development of MS DOS systems occurred in parallel to the appearance of new, more powerful hardware. Personal computers were gradually establishing themselves as tools that people could use in their everyday lives, and the result was that the number of PCs users grew substantially. Perhaps inevitably, more users also started creating viruses. Gradually, we witnessed the appearance of the first viruses and Trojans for DOS, written in assembler language and demonstrating a degree of skill on the part of their authors.

Far fewer programmers know assembler language than are familiar with high-level languages that are far easier to learn. Malicious code written in Fortran, Basic, Cobol, C or Pascal soon began to appear. The last two languages, which are well established and very powerful, are the most widely used, particularly in their TurboC and Turbo Pascal versions. This ultimately led to the appearance of “virus families”: that is, viruses that are followed by a vast number of related viruses which are slightly modified forms of the original code.

Other users took the less ‘artistic’ approach of creating destructive viruses that did not require any great knowledge of programming. As a result, batch processing file viruses or BAT viruses began to appear.

Win16 viruses

The development of 16-bit processors led to a new era in computing. The first consequence was the birth of Windows, which, at the time, was just an application to make it easier to handle DOS using a graphic interface.

The structure of Windows 3.xx files is rather difficult to understand, and the assembler language code is very complicated, as a result of which few programmers initially attempted to develop viruses for this platform. But this problem was soon solved thanks to the development of programming tools for high-level languages, above all Visual Basic. This application is so effective that many virus creators adopted it as their ‘daily working tool’. This meant that writing a virus had become a very straightforward task, and viruses soon appeared in their hundreds. This development was accompanied by the appearance of the first Trojans able to steal passwords. As a result, more than 500 variants of the AOL Trojan family -designed to steal personal information from infected computers-  were identified.

part 7

This seventh edition on the history of computer viruses will look at how the development of Windows and Visual Basic has influenced the evolution of viruses, since worldwide epidemics, such as the first one caused by Melissa in 1999, evolved along with them.

While Windows changed from being an application designed to make DOS easier to manage to a 32-bit platform and operating system in its own right, virus creators went back to using assembler as the main language for programming viruses.

Versions 5 and 6 of Visual Basic (VB) were developed, making it the preferred tool, along with Borland Delphi (the Pascal development for the Windows environment), for Trojan and worm writers. Then, Visual C, a powerful environment developed in C for Windows, was adopted for creating viruses, Trojans and worms. This last type of malware gained unusual strength, taking over almost all other types of viruses. Even though the characteristics of worms have changed over time, they all have the same objective: to spread to as many computers as possible, as quickly as possible.

With time, Visual Basic became extremely popular and Microsoft implemented part of the functionality of this language as an interpreter capable of running script files with a similar syntax.

At the same time as the Win32 platform was implemented, the first script viruses also appeared: malware inside a simple text file. These demonstrated that not only executable files (.EXE and .COM files) could carry viruses. As already seen with BAT viruses, there are also other means of propagation, proving the saying "anything that can be executed directly or through an interpreter can contain malware." To be specific, the first viruses that infected the macros included in Microsoft Office emerged. As a result, Word, Excel, Access and PowerPoint became ways of spreading ‘lethal weapons’, which destroyed information when the user simply opened a document.

Melissa and self-executing worms

The powerful script interpreters in Microsoft Office allowed virus authors to arm their creations with the characteristics of worms. A clear example is Melissa, a Word macro virus with the characteristics of a worm that infects Word 97 and 2000 documents. This worm automatically sends itself out as an attachment to an e-mail message to the first 50 contacts in the Outlook address book on the affected computer. This technique, which has unfortunately become very popular nowadays, was first used in this virus which, in 1999, caused one of the largest epidemics in computer history in just a few days. In fact, companies like Microsoft, Intel or Lucent Technologies had to block their connections to the Internet due to the actions of Melissa.

The technique started by Melissa was developed in 1999 by viruses like VBS/Freelink, which unlike its predecessor sent itself out to all the contacts in the address book on the infected PC. This started a new wave of worms capable of sending themselves out to all the contacts in the Outlook address book on the infected computer. Of these, the worm that most stands out from the rest is VBS/LoveLetter, more commonly known as ‘I love You’, which emerged in May 2000 and caused an epidemic that caused damage estimated at 10,000 million euros. In order to get the user’s attention and help it to spread, this worm sent itself out in an e-mail message with the subject ‘ILOVEYOU’ and an attached file called ‘LOVE-LETTER-FOR-YOU.TXT.VBS’. When the user opened this attachment, the computer was infected.

As well as Melissa, in 1999 another type of virus emerged that also marked a milestone in virus history. In November of that year, VBS/BubbleBoy appeared, a new type of Internet worm written in VB Script. VBS/BubbleBoy was automatically run without the user needing to click on an attached file, as it exploited a vulnerability in Internet Explorer 5 to automatically run when the message was opened or viewed. This worm was followed in 2000 by JS/Kak.Worm, which spread by hiding behind Java Script in the auto-signature in Microsoft Outlook Express, allowing it to infect computers without the user needing to run an attached file. These were the first samples of a series of worms, which were joined later on by worms capable of attacking computers when the user is browsing the Internet.

Dark Angel's Phunky Virus Writing Guide

    //==//  //  //  /||      //      //====  //==//  //|   //
   //  //  //  //  //||     //      //      //  //  //||  //
  //==//  //==//  //=||    //      //      //  //  // || //
 //      //  //  //  ||   //      //      //  //  //  ||//
//      //  //  //   ||  //====  //====  //==//  //   ||/

DISCLAIMER: The author hereby disclaims himself
DEDICATION: This was written to make the lives
  of scum such as Patty Hoffman, John McAffee,
  and Ross Greenberg a living hell.
OTHER STUFF:  Thanks go to The Shade of Sorrow,
  Demogorgon, and Orion Rouge on their comments
  (which I occasionally listened to!).   Thanks
  also to Hellraiser, who gave me an example of
  some virus source code (his own, of course).

Dark Angel's Phunky Virus Writing Guide
---- ------- ------ ----- ------- -----
Virii are  wondrous creations written for the sole purpose of spreading and
destroying the  systems of unsuspecting fools.  This eliminates the systems
of simpletons  who can't  tell that there is a problem when a 100 byte file
suddenly blossoms  into a  1,000 byte  file.   Duh.  These low-lifes do not
deserve to  exist, so  it is  our sacred duty to wipe their hard drives off
the face of the Earth.  It is a simple matter of speeding along survival of
the fittest.

Why did  I create  this guide?  After writing several virii, I have noticed
that virus  writers generally  learn how to write virii either on their own
or by  examining the  disassembled code  of  other  virii.    There  is  an
incredible lack  of information  on the  subject.   Even books published by
morons such as Burger are, at best, sketchy on how to create a virus.  This
guide will show you what it takes to write a virus and also will give you a
plethora of source code to include in your own virii.

Virus writing  is not  as hard  as you  might first  imagine.   To write an
effective virus,  however, you  *must*  know  assembly  language.    Short,
compact code  are hallmarks  of assembly  language and  these are desirable
characteristics of  virii.  However, it is *not* necessary to write in pure
assembly.   C may  also be  used, as  it allows almost total control of the
system while  generating relatively compact code (if you stay away from the
library functions).   However,  you still  must access  the interrupts,  so
assembly knowledge  is still  required.  However, it is still best to stick
with pure  assembly,  since  most  operations  are  more  easily  coded  in
assembly.  If you do not know assembly, I would recommend picking up a copy
of The Microsoft Macro Assembler Bible (Nabajyoti Barkakati, ISBN #: 0-672-
22659-6).   It is an easy-to-follow book covering assembly in great detail.
Also get yourself a copy of Undocumented DOS (Schulman, et al, ISBN #0-201-
57064-5), as it is very helpful.

The question  of which  compiler to  use arises  often.   I  suggest  using
Borland Turbo  Assembler and/or  Borland C++.   I  do not  have a  copy  of
Zortech C  (it was  too large  to download), but I would suspect that it is
also a good choice.  Stay away from Microsoft compilers, as they are not as
flexible nor as efficient as those of other vendors.

A few more items round out the list of tools helpful in constructing virii.
The latest version of Norton Utilities is one of the most powerful programs
available, and  is immeasurably  helpful.   MAKE SURE YOU HAVE A COPY!  You
can find  it on  any decent board.  It can be used during every step of the
process, from  the writing  to the testing.  A good debugger helps.  Memory
management  utilities   such  as   MAPMEM,  PMAP,   and  MARK/RELEASE,  are
invaluable, especially  when coding  TSR virii.   Sourcer,  the  commenting
disassembler, is  useful when  you wish  to examine the code of other virii
(this is a good place to get ideas/techniques for your virus).

Now that  you have  your tools,  you are  ready to  create a  work  of  art
designed to smash the systems of cretins.  There are three types of virii:

     1) Tiny virii (under 500 bytes) which are designed to be  undetectable
        due to their small size.   TINY  is  one  such  virus.    They  are
        generally very simple because their code length is so limited.
     2) Large  virii  (over 1,500 bytes)   which   are   designed   to   be
        undetectable because they cover their tracks very  well  (all  that
        code DOES have a use!).  The best example  of  this  is  the  Whale
        virus, which is perhaps the best 'Stealth' virus in existence.
     3) Other virii which are not designed to be hidden at all (the writers
        don't give  a  shit).    The  common  virus  is  like  this.    All
        overwriting virii are in this category.

You must  decide which  kind of  virus you wish to write.  I will mostly be
discussing  the  second  type  (Stealth  virii).    However,  many  of  the
techniques described  may be easily applied to the first type (tiny virii).
However, tiny  virii generally do not have many of the "features" of larger
virii, such  as  directory  traversal.    The  third  type  is  more  of  a
replicating trojan-type,  and will  warrant a  brief  (very,  very  brief!)
discussion later.

A virus may be divided into three parts: the replicator, the concealer, and
the bomb.   The  replicator part  controls the spread of the virus to other
files, the concealer keeps the virus from being detected, and the bomb only
executes when  the activation  conditions of the virus (more on that later)
are satisfied.

The job  of the  replicator is to spread the virus throughout the system of
the clod  who has caught the virus.  How does it do this without destroying
the file it infects?  The easiest type of replicator infects COM files.  It
first saves  the first  few bytes  of the  infected file.  It then copies a
small portion of its code to the beginning of the file, and the rest to the

  +----------------+      +------------+
  | P1 | P2        |      | V1 | V2    |
  +----------------+      +------------+
 The uninfected file     The virus code

In the  diagram, P1 is part 1 of the file, P2 is part 2 of the file, and V1
and V2  are parts 1 and 2 of the virus.  Note that the size of P1 should be
the same  as the size of V1, but the size of P2 doesn't necessarily have to
be the  same size  as V2.   The  virus first  saves P1 and copies it to the
either 1)  the end  of the  file or 2) inside the code of the virus.  Let's
assume it copies the code to the end of the file.  The file now looks like:

  | P1 | P2        | P1 |

Then, the  virus copies  the first  part of  itself to the beginning of the

  | V1 | P2        | P1 |

Finally, the virus copies the second part of itself to the end of the file.
The final, infected file looks like this:

  | V1 | P2        | P1 | V2    |

The question  is: What  the fuck  do V1 and V2 do?  V1 transfers control of
the program to V2.  The code to do this is simple.

     JMP FAR PTR Duh       ; Takes four bytes
Duh  DW  V2_Start          ; Takes two bytes

Duh is  a far pointer (Segment:Offset) pointing to the first instruction of
V2.   Note that  the value  of Duh must be changed to reflect the length of
the file  that is  infected.   For example,  if the  original size  of  the
program is  79 bytes,  Duh must  be changed  so  that  the  instruction  at
CS:[155h] is  executed.   The value of Duh is obtained by adding the length
of V1,  the original size of the infected file, and 256 (to account for the
PSP).  In this case, V1 = 6 and P1 + P2 = 79, so 6 + 79 + 256 = 341 decimal
(155 hex).

An alternate, albeit more difficult to understand, method follows:

     DB 1101001b              ; Code for JMP (2 byte-displacement)
Duh  DW V2_Start - OFFSET Duh ; 2 byte displacement

This inserts  the jump  offset directly  into the  code following  the jump
instruction.  You could also replace the second line with

     DW V2_Start - $

which accomplishes the same task.

V2 contains the rest of the code, i.e. the stuff that does everything else.
The last  part of  V2 copies  P1 over  V1 (in memory, not on disk) and then
transfers control  to the  beginning of the file (in memory).  The original
program will  then run happily as if nothing happened.  The code to do this
is also very simple.

     MOV SI, V2_START      ; V2_START is a LABEL marking where V2 starts
     SUB SI, V1_LENGTH     ; Go back to where P1 is stored
     MOV DI, 0100h         ; All COM files are loaded @ CS:[100h] in memory
     MOV CX, V1_LENGTH     ; Move CX bytes
     REP MOVSB             ; DS:[SI] -> ES:[DI]

     MOV DI, 0100h
     JMP DI

This code assumes that P1 is located just before V2, as in:


It also  assumes ES  equals CS.  If these assumptions are false, change the
code accordingly.  Here is an example:

     PUSH CS               ; Store CS
     POP  ES               ;  and move it to ES
                           ; Note MOV ES, CS is not a valid instruction
     MOV SI, P1_START      ; Move from wherever P1 is stored
     MOV DI, 0100h         ;  to CS:[100h]

     MOV DI, 0100h
     JMP DI

This code  first moves CS into ES and then sets the source pointer of MOVSB
to where  P1 is located.  Remember that this is all taking place in memory,
so you  need the  OFFSET of P1, not just the physical location in the file.
The offset  of P1  is 100h  higher than  the physical file location, as COM
files are loaded starting from CS:[100h].

So here's a summary of the parts of the virus and location labels:

     JMP FAR PTR Duh
Duh  DW  V2_Start


  ; First part of the program stored here for future use

  ; Real Stuff

V1_Length EQU V1_End - V1_Start

Alternatively, you could store P1 in V2 as follows:




That's all there is to infecting a COM file without destroying it!  Simple,
no?   EXE files,  however, are a little tougher to infect without rendering
them inexecutable - I will cover this topic in a later file.
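
Seen from the scanning side, the layout above leaves three traces that can be checked against a known-good copy: the file grows, its first bytes change, and its first instruction now jumps into bytes that were not there before. The sketch below is an added example, not code from the original guide; the baseline record format, the function names, and the sample byte strings (inert filler only) are constructed for illustration. It compares content rather than date/time stamps, because the guide has those restored after modification.

```python
import hashlib
import struct

COM_LOAD_OFFSET = 0x100  # a COM image is loaded at offset 100h, after the 256-byte PSP
NEAR_JMP = 0xE9          # JMP rel16: opcode byte followed by a 16-bit displacement


def record(image: bytes) -> dict:
    """Baseline taken from a known-good copy (hypothetical record format)."""
    return {"sha256": hashlib.sha256(image).hexdigest(),
            "size": len(image),
            "head": image[:3]}


def entry_jump_offset(image: bytes):
    """File offset targeted by a leading near JMP, or None if the file has none."""
    if len(image) < 3 or image[0] != NEAR_JMP:
        return None
    (disp,) = struct.unpack_from("<H", image, 1)
    # The displacement is relative to the next instruction (IP = 103h), modulo 64 KiB.
    target_ip = (COM_LOAD_OFFSET + 3 + disp) & 0xFFFF
    return target_ip - COM_LOAD_OFFSET


def assess(image: bytes, baseline: dict) -> list:
    """List the differences between a COM image and its trusted baseline."""
    findings = []
    if hashlib.sha256(image).hexdigest() != baseline["sha256"]:
        findings.append("content-changed")
    if len(image) > baseline["size"]:
        findings.append("grew-by-%d" % (len(image) - baseline["size"]))
    if image[:3] != baseline["head"]:
        findings.append("entry-bytes-changed")
    target = entry_jump_offset(image)
    if target is not None and not 0 <= target < len(image):
        findings.append("entry-jump-outside-image")
    elif target is not None and target >= baseline["size"]:
        # Execution starts in bytes that did not exist in the known-good copy.
        findings.append("entry-jump-into-appended-data")
    return findings


# Constructed samples: inert bytes only, laid out like the diagrams above.
CLEAN = b"\xB4\x4C\xCD\x21" + b"\x90" * 60           # 64-byte stand-in program
JUMPS_OVER_DATA = b"\xE9\x10\x00" + b"\x00" * 61     # benign: jump stays inside the body
MODIFIED = (bytes([NEAR_JMP]) + struct.pack("<H", len(CLEAN))  # new entry jump
            + CLEAN[3:]                                        # rest of the program
            + CLEAN[:3]                                        # saved original head
            + b"\x00" * 32)                                    # filler for appended code

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("modified", MODIFIED)):
        print(name, assess(img, record(CLEAN)))
```

A leading jump on its own is not a verdict: many legitimate COM programs begin by jumping over their data, which is why the check is tied to the baseline size instead of flagging every jump.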

Now let  us turn our attention back to the replicator portion of the virus.
The steps are outlined below:

     1) Find a file to infect
     2) Check if it is already infected
     3) If so, go back to 1
     4) Infect it
     5) If infected enough, quit
     6) Otherwise, go back to 1

Finding a  file to  infect is  a  simple  matter  of  writing  a  directory
traversal procedure  and issuing  FINDFIRST  and  FINDNEXT  calls  to  find
possible files  to infect.   Once  you find  the file, open it and read the
first few  bytes.   If they are the same as the first few bytes of V1, then
the file  is already  infected.  If the first bytes of V1 are not unique to
your virus,  change it  so that they are.  It is *extremely* important that
your virus  doesn't reinfect  the same  files, since that was how Jerusalem
was first  detected.   If the file wasn't already infected, then infect it!
Infection should take the following steps:

     1) Change the file attributes to nothing.
     2) Save the file date/time stamps.
     3) Close the file.
     4) Open it again in read/write mode.
     5) Save P1 and append it to the end of the file.
     6) Copy V1 to the beginning, but change the offset which it JMPs to so
        it transfers control correctly. See the previous part on infection.
     7) Append V2 to the end of the file.
     8) Restore file attributes/date/time.

You should  keep a counter of the number of files infected during this run.
If the number exceeds, say three, then stop.  It is better to infect slowly
than to give yourself away by infecting the entire drive at once.

You must  be sure  to cover  your tracks  when you infect a file.  Save the
file's  original   date/time/attributes  and  restore  them  when  you  are
finished.   THIS IS VERY IMPORTANT!  It takes about 50 to 75 bytes of code,
probably less,  to do  these few simple things which can do wonders for the
concealment of your program.

I will  include code for the directory traversal function, as well as other
parts of the replicator in the next installment of my phunky guide.

This is  the part  which conceals  the program  from notice by the everyday
user and virus scanner.  The simplest form of concealment is the encryptor.
The code for a simple XOR encryption system follows:

encrypt_val   db   ?

     mov ah, encrypt_val

     mov cx, part_to_encrypt_end - part_to_encrypt_start
     mov si, part_to_encrypt_start
     mov di, si

     lodsb                 ; DS:[SI] -> AL
     xor al, ah
     stosb                 ; AL -> ES:[DI]
     loop xor_loop

Note the encryption and decryption procedures are the same.  This is due to
the weird  nature of  XOR.   You can CALL these procedures from anywhere in
the program,  but make sure you do not call it from a place within the area
to be  encrypted, as  the program  will crash.  When writing the virus, set
the encryption  value to  0.  part_to_encrypt_start and part_to_encrypt_end
sandwich the area you wish to encrypt.  Use a CALL decrypt in the beginning
of V2  to unencrypt  the file  so your  program can  run.  When infecting a
file, first change the encrypt_val, then CALL encrypt, then write V2 to the
end of the file, and CALL decrypt.  MAKE SURE THIS PART DOES NOT LIE IN THE

This is how V2 would look with the concealer:





Alternatively, you  could move  parts  of  the  unencrypted  stuff  between
Part_To_Encrypt_End and V2_End.

The value  of encryption  is readily  apparent.  Encryption makes it harder
for virus  scanners to  locate your virus.  It also hides some text strings
located in  your program.   It is the easiest and shortest way to hide your

Encryption is only one form of concealment.  At least one other virus hooks
into the  DOS interrupts  and alters  the output  of DIR  so the file sizes
appear normal.   Another  concealment scheme  (for TSR virii) alters DOS so
memory utilities  do not  detect the  virus.   Loading the virus in certain
parts of  memory allow  it to survive warm reboots.  There are many stealth
techniques, limited only by the virus writer's imagination.
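
The single-byte XOR scheme described above changes every stored byte but not the relationship between neighbouring bytes, so a scanner does not need the key. The sketch below is an added example, not code from the original guide: it matches a signature under any one-byte key by comparing the XOR of adjacent bytes, a technique commonly called x-raying. The signature and surrounding bytes are constructed for illustration.

```python
def xor_delta(data: bytes) -> bytes:
    """XOR each byte with its successor. A constant one-byte key cancels out:
    (p[i] ^ k) ^ (p[i+1] ^ k) == p[i] ^ p[i+1]."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def xray_find(blob: bytes, signature: bytes) -> list:
    """Find `signature` in `blob` under any single-byte XOR key.

    Returns (offset, key) pairs; key 0 means the bytes are stored in the clear.
    """
    if len(signature) < 2:
        raise ValueError("signature must be at least two bytes long")
    needle = xor_delta(signature)
    haystack = xor_delta(blob)
    hits = []
    pos = haystack.find(needle)
    while pos != -1:
        # A delta match fixes every byte relative to the first, so one key fits all.
        hits.append((pos, blob[pos] ^ signature[0]))
        pos = haystack.find(needle, pos + 1)
    return hits


def xor_bytes(data: bytes, key: int) -> bytes:
    """Test helper: apply a one-byte XOR key to constructed sample data."""
    return bytes(b ^ key for b in data)


# Constructed sample: a made-up signature inside made-up surrounding bytes.
SIGNATURE = b"CONSTRUCTED-SIGNATURE-BYTES"
BODY = b"header" + SIGNATURE + b"trailer"

if __name__ == "__main__":
    for key in (0x00, 0x5A, 0xFF):
        print(hex(key), xray_find(xor_bytes(BODY, key), SIGNATURE))
```

The decryption routine itself has to stay outside the encrypted area, as the text notes, so it remains matchable with an ordinary fixed signature as well.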

So now all the boring stuff is over.  The nastiness is contained here.  The
bomb part  of the virus does all the deletion/slowdown/etc which make virii
so annoying.   Set  some activation  conditions of  the virus.  This can be
anything, ranging  from when  it's your  birthday to  when  the  virus  has
infected 100  files.   When these  conditions are met, then your virus does
the good stuff.  Some suggestions of possible bombs:

     1) System slowdown - easily  handled  by  trapping  an  interrupt  and
        causing a delay when it activates.
     2) File deletion - Delete all ZIP files on the drive.
     3) Message display - Display a nice message saying  something  to  the
        effect of "You are fucked."
     4) Killing/Replacing the Partition Table/Boot Sector/FAT of  the  hard
        drive - This is very nasty, as most dimwits cannot fix this.

This is, of course, the fun part of writing a virus, so be original!

There is  one caveat  regarding calculation of offsets.  After you infect a
file, the  locations of  variables change.  You MUST account for this.  All
relative offsets  can stay  the same, but you must add the file size to the
absolute offsets  or your  program will  not work.  This is the most tricky
part of  writing virii  and taking  these into  account can  often  greatly
increase the  size of  a virus.   THIS  IS VERY IMPORTANT AND YOU SHOULD BE
If you  don't, you'll  get fucked  over and  your virus WILL NOT WORK!  One
entire part of the guide will be devoted to this subject.

Testing virii  is a  dangerous yet  essential part  of the  virus  creation
process.   This is  to make  certain that people *will* be hit by the virus
and, hopefully,  wiped out.   Test  thoroughly and  make sure  it activates
under the  conditions.  It would be great if everyone had a second computer
to test  their virii  out, but,  of course, this is not the case.  So it is
ESSENTIAL that  you keep BACKUPS of your files, partition, boot record, and
FAT.   Norton is handy in doing this.  Do NOT disregard this advice
(even though  I know  that you will anyway) because you WILL be hit by your
own virii.   When  I wrote my first virus, my system was taken down for two
days because I didn't have good backups.  Luckily, the virus was not overly
PIRATE BOARD!   I find a RamDrive is often helpful in testing virii, as the
damage is  not permanent.   RamDrives  are also useful for testing trojans,
but that is the topic of another file...

This is  another fun  part of  virus writing.   It  involves  sending  your
brilliantly-written  program   through  the  phone  lines  to  your  local,
unsuspecting bulletin  boards.   What you  should do  is infect a file that
actually does something (leech a useful utility from another board), infect
it, and upload it to a place where it will be downloaded by users all over.
The best  thing is  that it  won't be detected by puny scanner-wanna-bes by
McAfee, since it is new!  Oh yeah, make sure you are using a false account
(duh).   Better yet,  make a  false account  with the  name/phone number of
someone you don't like and upload the infected file under his name.
You can  call back  from time to time and use a door such as ZDoor to check
the spread  of the virus.  The more who download, the more who share in the
experience of your virus!

I promised a brief section on overwriting virii, so here it is...
All these  virii do  is spread  throughout the  system.   They  render  the
infected files  inexecutable, so they are easily detected.  It is simple to
write one:

   +-------------+   +-----+   +-------------+
   | Program     | + |Virus| = |Virus|am     |
   +-------------+   +-----+   +-------------+

These virii are simple little hacks, but pretty worthless because of their
easy detectability.  Enuff said!

wraps it  up for  this installment  of Dark  Angel's Phunky  virus  writing
guide.   There will (hopefully) be future issues where I discuss more about
virii and  include much  more source  code (mo' source!).  Till then, happy

Caught A Virus?

If you've let your guard down--or even if you haven't--it can be hard to tell if your PC is infected. Here's what to do if you suspect the worst.

Heard this one before? You must run antivirus software and keep it up to date or else your PC will get infected, you'll lose all your data, and you'll incur the wrath of every e-mail buddy you unknowingly infect because of your carelessness.

You know they're right. Yet for one reason or another, you're not running antivirus software, or you are but it's not up to date. Maybe you turned off your virus scanner because it conflicted with another program. Maybe you got tired of upgrading after you bought Norton Antivirus 2001, 2002, and 2003. Or maybe your annual subscription of virus definitions recently expired, and you've put off renewing.

It happens. It's nothing to be ashamed of. But chances are, either you're infected right now, as we speak, or you will be very soon.

For a few days in late January, the Netsky.p worm was infecting about 2,500 PCs a day. Meanwhile the MySQL bot infected approximately 100 systems a minute (albeit not necessarily desktop PCs). As David Perry, global director of education for security software provider Trend Micro, puts it, "an unprotected [Windows] computer will become owned by a bot within 14 minutes."

Today's viruses, worms, and so-called bots--which turn your PC into a zombie that does the hacker's bidding (such as mass-mailing spam)--aren't going to announce their presence. Real viruses aren't like the ones in Hollywood movies that melt down whole networks in seconds and destroy alien spacecraft. They operate in the background, quietly altering data, stealing private operations, or using your PC for their own illegal ends. This makes them hard to spot if you're not well protected.

Is Your PC "Owned?"

I should start by saying that not every system oddity is due to a virus, worm, or bot. Is your system slowing down? Is your hard drive filling up rapidly? Are programs crashing without warning? These symptoms are more likely caused by Windows, or badly written legitimate programs, rather than malware. After all, people who write malware want to hide their program's presence. People who write commercial software put icons all over your desktop. Who's going to work harder to go unnoticed?

Other indicators that may, in fact, indicate that there's nothing that you need to worry about, include:

* An automated e-mail telling you that you're sending out infected mail. E-mail viruses and worms typically come from faked addresses.
* A frantic note from a friend saying they've been infected, and therefore so have you. This is likely a hoax. It's especially suspicious if the note tells you the virus can't be detected but you can get rid of it by deleting one simple file. Don't be fooled--and don't delete that file.

I'm not saying that you should ignore such warnings. Copy the subject line or a snippet from the body of the e-mail and plug it into your favorite search engine to see if other people have received the same note. A security site may have already pegged it as a hoax.

Sniffing Out an Infection

There are signs that indicate that your PC is actually infected. A lot of network activity coming from your system (when you're not actually using the Internet) can be a good indicator that something is amiss. A good software firewall, such as ZoneAlarm, will ask your permission before letting anything leave your PC, and will give you enough information to help you judge if the outgoing data is legitimate. By the way, the firewall that comes with Windows, even the improved version in XP Service Pack 2, lacks this capability.

To put a network status light in your system tray, follow these steps: In Windows XP, choose Start, Control Panel, Network Connections, right-click the network connection you want to monitor, choose Properties, check "Show icon in notification area when connected," and click OK.

If you're interested in being a PC detective, you can sniff around further for malware. By hitting Ctrl-Alt-Delete in Windows, you'll bring up the Task Manager, which will show you the various processes your system is running. Most, if not all, are legit, but if you see a file name that looks suspicious, type it into a search engine and find out what it is.

Want another place to look? In Windows XP, click Start, Run, type "services.msc" in the box, and press Enter. You'll see detailed descriptions of the services Windows is running. Something look weird? Check with your search engine.

Finally, you can do more detective work by selecting Start, Run, and typing "msconfig" in the box. With this tool you not only see the services running, but also the programs that your system is launching at startup. Again, check for anything weird.

If any of these tools won't run--or if your security software won't run--that in itself is a good sign your computer is infected. Some viruses intentionally disable such programs as a way to protect themselves.

What to Do Next

Once you're fairly sure your system is infected, don't panic. There are steps you can take to assess the damage, depending on your current level of protection.

* If you don't have any antivirus software on your system (shame on you), or if the software has stopped working, stay online and go for a free scan at one of several Web sites. There's McAfee FreeScan, Symantec Security Check, and Trend Micro's HouseCall. If one doesn't find anything, try two. In fact, running a free online virus scan is a good way to double-check the work of your own local antivirus program. When you're done, buy or download a real antivirus program.
* If you have antivirus software, but it isn't active, get offline, unplug wires-- whatever it takes to stop your computer from communicating via the Internet. Then, promptly perform a scan with the installed software.
* If nothing seems to be working, do more research on the Web. There are several online virus libraries where you can find out about known viruses. These sites often provide instructions for removing viruses--if manual removal is possible--or a free removal tool if it isn't. Check out GriSOFT's Virus Encyclopedia, Eset's Virus Descriptions, McAfee's Virus Glossary, Symantec's Virus Encyclopedia, or Trend Micro's Virus Encyclopedia.

A Microgram of Prevention

Assuming your system is now clean, you need to make sure it stays that way. Preventing a breach of your computer's security is far more effective than cleaning up the mess afterwards. Start with a good security program, such as Trend Micro's PC-Cillin, which you can buy for $50.

Don't want to shell out any money? You can cobble together security through free downloads, such as AVG Anti-Virus Free Edition, ZoneAlarm (a personal firewall), and Ad-Aware SE (an antispyware tool).

Just make sure you keep all security software up to date. The bad guys constantly try out new ways to fool security programs. Any security tool without regular, easy (if not automatic) updates isn't worth your money or your time.

Speaking of updating, the same goes for Windows. Use Windows Update (it's right there on your Start Menu) to make sure you're getting all of the high priority updates. If you run Windows XP, make sure to get the Service Pack 2 update. To find out if you already have it, right-click My Computer, and select Properties. Under the General tab, under System, it should say "Service Pack 2."

Here are a few more pointers for a virus-free life:

* Be careful with e-mail. Set your e-mail software security settings to high. Don't open messages with generic-sounding subjects that don't apply specifically to you from people you don't know. Don't open an attachment unless you're expecting it.
* If you have broadband Internet access, such as DSL or cable, get a router, even if you only have one PC. A router adds an extra layer of protection because your PC is not connecting directly with the Internet.
* Check your Internet ports. These doorways between your computer and the Internet can be open, in which case your PC is very vulnerable; closed, but still somewhat vulnerable; or stealthed (or hidden), which is safest. Visit Gibson Research's Web site and run the free ShieldsUP test to see your ports' status. If some ports show up as closed--or worse yet, open--check your router's documentation to find out how to hide them.