Documentation for Nowhere Man's ²²²²²²² ²²²²²²² ²²²²²²²²²²²²²²²²²² ²²²²²²²²² ²²²²²²² ²²²²²²² ²²²²²²²²²²²²²²²²²²²² ²²²²²²² ²²²²²²² ²²²²²²² ²²²²²² ²²²²²² ²²²²²²² ²²²²²²² ²²²²²²² ²²²²²² ²²²²²²² ²²²²²²² ²²²²²²² ²²²²²² ²²²²²²² ²²²²²²² ²²²²²²² ²²²²²² ²²²²²²² ²²²²²²² ²²²²²²² ²²²²²² ²²²²²²² ²²²²²²² ²²²²²²² ²²²²²² ²²²²²²² ²²²²²²² ²²²²²²² ²²²²²² ²²²²²²² ²²²² ²²²²²²²²²²²²² ²²²²²² ²²²²²² ²²²²²²² ²²²²² ²²²²²²²²²²² ²²²²²²²²²²²²²²²²²²²² ²²²²²²²²²²²²²²²²² ²²²²²²²²² ²²²²²²²²²²²²²²²²²² ²²²²²²²²²²²²²²²²²² Virus Creation Laboratory Version 1.00 Copyright (c) 1992 Nowhere Man and [NuKE] WaReZ V.C.L. and all documentation written by Nowhere Man ------------------------------------------------------------------------------ "And did you exchange a walk-on part in the war for a lead role in a cage?" - Roger Waters ------------------------------------------------------------------------------ Trademarks ---------- [NuKE] and [NuKE] WaReZ are trademarks of [NuKE] International Software Development Corperation. Borland C++, Turbo Assembler, and Turbo Linker are registered trademarks of Borland International. Microsoft is a registered trademark of Microsoft Corporation. Microsoft: Proud to bring you ten years of the 640k limit. Legalese -------- Nowhere Man and [NuKE] WaReZ are hereby not responsible for any damages caused by the use or misuse of Nowhere Man's Virus Creation Laboratory (V.C.L.) nor by the use or misuse of any program produced, in whole or in part, by V.C.L. The author, Nowhere Man, will not be held responsible for any losses incurred, either directly or indirectly, by the use of this product or by the use of any program generated, in whole or in part, by this product. This product is distributed "as is" with no warranties expressed or implied. Use this product entirely at your own risk. The author makes no guarantees as to the correct functioning of this product. The author reserves the right to make modifications at any time without prior notice. All code produced, in whole or in part, by Nowhere Man's Virus Creation Laboratory (V.C.L.) automatically becomes the sole property of Nowhere Man and [NuKE] WaReZ. All binary code produced from assembler source code generated in whole or in part by V.C.L. likewise becomes the sole property of Nowhere Man and [NuKE] WaReZ. Any use of such code, in whole or in part, for the purpose of inclusion in a product, commerical or otherwise, designed to detect or eliminate said code on an electronic medium is expressly forbidden without the full written consent of Nowhere Man and [NuKE] WaReZ. This includes, but is not limited to, virus detection and removal programs, CHK4BMB-type products or other products designed to detect potentially damaging code within programs, and programs designed to detect the presence of a sequence of binary data within a computer program. Source and binary code produced by V.C.L. may be freely distributed and studied, so long as such distribution and research is not for the purpose of examining said code to determine weaknesses and/or methods of detection and/or removal on an electronic medium. Any reverse-engineering, disassembly, or other attempts to determine the nature of code known to be produced by V.C.L. for purposes such as those enumerated above is likewise expressly forbidden without the full written consent of Nowhere Man and [NuKE] WaReZ. Notices ------- V.C.L. is a potentially dangerous program, and great care should be using when experimenting with *any* virii, trojans, or logic bombs produced by it. When you format your hard disk or infect every file you've ever accessed don't say we didn't warn you. When distributing this program please carefully consider whether or not the person to whom you are giving it will be responsible enough to use it properly. Please be careful. When distributing virii, trojans, or logic bombs created with V.C.L., please give credit to Nowhere Man's Virus Creation Laboratory. Editing out the [VCL] marker in virii is a no-no. It's five lousy bytes. I spent months on this project, the least you can do is give me some credit. Introduction ------------ Welcome to Nowhere Man's Virus Creation Laboratory, a product to re-define the virus-writing community. No longer does one need to spend weeks writing and debugging assembly language to produce a working, competitive virus. With V.C.L. all of the work is done for you -- you just choose the options and effects of the virus, and it does the rest, leaving you free to experiment with different effects and concentrate on creativity. What was once a matter of hours, days, or even weeks is reduced to a few minutes in the slick V.C.L. IDE. Some of the key features of V.C.L.: o Professional-quality Integrated Development Environment (IDE). Modeled after Borland's award-winning Turbo Languages' IDEs, this easy to use shell is menu- driven and features context-sensitive on-line help and full mouse support. Menuing system is CUA-compliant. o Creates appending, overwriting, and spawning virii, as well as trojan horses and logic bombs. The fully- commented assembler output is optimized when possible. V.C.L. can also shell out to an assembler (not included) of your choice to automatically assemble and link the virus/trojan/logic bomb. o Ability to change the virus's virulence (rate of infection), method of file search (PATH search, directory tree, etc.), and/or add code to prevent tracing and disassembly. Virii and trojans may also be encrypted. o Customizable. All colors are re-definable, and other aspects of the IDE are changeable. New procedures may be added to the effects/conditions list (or old ones may be deleted). As you can see, V.C.L. is *the* way to produce virii. The fully-commented assembler output is great for learning the trade, and more experienced programmers will enjoy the ability to add to V.C.L. and use the output as a staring point for a custom-made virus. Requirements ------------ V.C.L. requires the following to operate: o an 80286 processor or better o 512k or more of free memory o MS-DOS v3.0 or higher (v4.0 or higher recommended) And optionally: o A Microsoft-compatible mouse o A MASM-compatible assembler (preferably TASM) Note that the DOS utilities LINK.EXE and EXE2BIN.EXE, as well as your assembler, must be in your path if you want to produce .COM and/or .OBJ files. All files needed for V.C.L. should be located in the same directory. File List --------- The following files should be present in the .ZIP you received. If any files are missing or appear to be changed please delete V.C.L. and get an guaranteed-genuine copy from any authorized [NuKE] site. Installation files ------------------ INSTALL.EXE Installation program for V.C.L. INSTALL.DOC Documenatation for INSTALL NMVCL.ZIP .ZIP containing remaining files (Note: These files can be deleted once V.C.L. is installed) Essential files --------------- VCL.EXE Main executable VCL.CFG Configuration file VCL.DAT Routine data VCL.HLP On-line help Other files ----------- VCL.PIF Windows program information file for V.C.L. VCL.ICO Windows icon for V.C.L. FILE2DB.COM File to data utility (see FILE2DB.DOC) TESTBOMB.C C logic bomb test module TESTBOMB.PAS Pascal logic bomb test module Documentation ------------- VCL.DOC Main documentation (this file) ROUTINES.DOC Description of included routines EXAMPLES.DOC Description of example creations FILE2DB.DOC Documentation for FILE2DB Examples -------- KINISON.VCL Kinison Virus CODEZERO.VCL Code Zero Virus PEARLHBR.VCL Pearl Harbor Virus EARTHDAY.VCL Earth Day Virus VMESSIAH.VCL Viral Messiah Virus DONTELLO.VCL Dontatello Virus YANKEE-2.VCL Yankee-Doodle ][ Virus RICHARDS.VCL Richard Simmons Trojan (Note: Each example also has one or two data files, an assembler file, and a .COM file. The data file(s) are neccessary to re-create the virus or trojan; the other files may be deleted if desired.) How to Use V.C.L. ----------------- V.C.L. has extensive on-line help that can guide you every step of the way; therefore it is unnecessary to go into detail about how to use the environment here. To call up context- sensative help at any time press F1. More information about the help system is available by choosing the Help command from the main menu bar. To run V.C.L., just type VCL (no command-line arguments) and press Enter. To exit you can either press Escape from the main menu bar or select the Quit command from the File menu. Adding Routines to V.C.L. ------------------------- Adding routines to V.C.L. is a rather straightforward process. However some elaboration is needed as far as the type of assembler code that V.C.L. expects. A new effect should be standard assembler code, fully commented whenever possible. It should contain no proc/endp commands and should not have a RETurn. Any time that your routine needs to exit it should JuMP to a label to be located after the final statement. For example: xor ax,ax kill_time: inc ax cmp ax,0FFFFh je exit_kill_time jmp short kill_time exit_kill_time: (Ok, this code is poorly written, but it is made to demonstrate how to exit a routine, not how to write tight assembler) A new condition should be standard assembler code, again fully commented (comments are extremely important in assembler). It should contain no proc/enp commands, but SHOULD have a near return at the end. The condtion should return a value in AX. Both types of routines should be indented two columns (sixteen spaces) and be in lower-case, to better fit with other V.C.L. code. The segment registers (CS, DS, ES, and SS), BP, and DI should be preserved; all other registers can be exploited at whim. Assembling Code --------------- Assembling code produced by V.C.L. can either be done from within the environment or from the DOS prompt. Naturally, you must have a MASM-compatible assembler (which is not included with V.C.L.) do assemble any code; things like DEBUG and A86 just won't cut it. If you are assembling from within the environment you must also have DOS's LINK and EXE2BIN utilities (included with most MS- and PC-DOS configurations) in your PATH string (if you don't know what that is then you shouldn't be playing with V.C.L.) or in the current directory. V.C.L. will shell out to your assembler using the command line that you set under the Configuration³Assembler command. V.C.L. is shipped with the command-line configured for use with Turbo Assembler (TASM), Borland's assembler, which I highly recommend; using V.C.L. with MASM or other assemblers will probably require some changes. After you assembler produces an .OBJ file, V.C.L. will call LINK, then EXE2BIN the resulting .EXE into a .COM -- V.C.L. automatically deletes unneeded files. Please note that when you are creating a logic bomb this step is skipped, and you will be left with an .OBJ for linking with your main program. The Assembler Command Line set within V.C.L. should (if possible) contain switches for case-sensitivity on PUBLICs, multiple passes, and no .MAP file. Single pass assemblers such as MASM will produces unneeded NOP fixups. If possible, set any switches required so that the assembler will not display output. Assembling from DOS can be done however you wish. See your assembler's documentation for more information. Linking Logic Bombs ------------------- When V.C.L. create a logic bomb it is actually producing an .OBJ file that must be linked with your main program. A logic bomb is basically a routine which will do certain things (usually harmful) under a certain condition. For example, you could generate a logic bomb to format all hard drives on January 1st. A logic bomb is not a virus; it does not spread. It is a delayed- action trojan hidden within an otherwise fully-functioning piece of software. To use the logic bomb you must call it from another program and link it with that program. Depending on which language your main program is written in, different methods will be used to call your routine. Therefore V.C.L. must know which language you will be using; this is set with the Configuration³Call Format command. See the on-line help for more specifics. Then you must call the logic bomb. Logic bombs take no parameters and return nothing. In C they are void; in Pascal they are procedures. (BASIC is highly variable. Consult your compiler's documentation for details on how to call an assembler procedure.) Finally you must link the logic bomb with your program; see your linker's documentation for specifics. One other nice use for logic bombs is to include them in libraries (.LIB files). You can call the bomb from a routine in the library that will be commonly used; then when anyone uses that routine from your library they are also calling your bomb. If the library proves popular you can have hundreds of unknowing carriers. Muhahahaha. Revision Information -------------------- Version 1.00 (July 5, 1992) o Initial Release. Version 0.75 (April 23, 1992) o Beta test version for [NuKE] members and selected friends. If you somehow have a copy of this version please delete it, as it doen't fully work, contains many bugs, and isn't compatible with this and future releases. Program Information ------------------- V.C.L. was written in Borland C++ v3.0 small memory model, with optimizations made for size. All viral code and external routines included with this package were developed and tested using Turbo Assembler v3.0 and Turbo Linker v5.0. V.C.L. incorporates three separate source files, totaling over 4,000 lines of code. The CXL programming library v5.1, written by Mike Smedley, was used in development of V.C.L. V.C.L. is self-checking, and will wipe itself from disk if any essential executable or data file is corrupted or altered in any way. Virus Creation Laboratory will only work on the computer upon which it was installed. If you wish to distribute V.C.L. to others, feel free to do so, but you must re-install from the original .ZIP using INSTALL.EXE. Technical Support ----------------- If you have any questions, comments, suggestions, bug reports, etc. concerning this or any other product written by myself, Nowhere Man, I can be reached at The Hell Pit BBS (708-459-7267). If you are reporting a bug, please tell me the following information: the undesired effect (crash, failure to produce a working virus, etc.), the conditions under which it occurred (which options were set, etc.), the amount of free memory at the time of the failure, and any special conditions we should know about (running under Windows, using a non-standard video adapter, and so on). This and all future versions of V.C.L. will be available at all official [NuKE] distribution sites. Upgrades to V.C.L. will be released irregularly over time (ie: no promises as to when they come out and what they will include). Your Suggestions Count ---------------------- Your suggestions count. Any good suggestions by users will be highly appreciated and will be noted if applied to future versions. If you develop any good virii with V.C.L. I would be interested in checking them out. Particularly good ones will be included as examples in future versions. The same applies to add-on assembler routines; if you develop any new routines for use with V.C.L. please upload them to me, with comments and description, and they will be included in subsequent versions. Any suggestions regarding assembler code produced by V.C.L. will also be highly appriciated. Coming in future versions of Virus Creation Laboratory: o Appending .EXE virii o More effects and conditions o Boot sector virii o Terminate and Stay Resident (TSR) virii o Virex-Protection(C) -- defeats all TSR anti-virus products! o Cryptex(C) encryption scheme -- every virus produced has its own special encryption method! No two are alike! o Improved environment (maybe even a Windows IDE, too) Acknowledgments --------------- Nowhere Man would like to thank the following people for their help in the creation of V.C.L.: Rock Steady, Kato, Rigor Mortis, Hades, Leeking Virus, The DarkMan, Dark Angel, Mirage, Doomgiver, Ender, and any one else I forgot to mention. Thanks for all of your assistance and suggestions. Greets go out to all [NuKE] members, Southern Corrupted Programming, Phalcon/SKISM, and all virus-writers and -lovers everywhere. Jeers go out to John, Ross, Pat, Aryeh, Vesselin, Dennis, Paul, and any others who profit off our work. This should more than keep you busy for a while... A special "Fuck You" to James Dahan, a.k.a Fat Cat (must be pretty fat since he's a one-man "vigilante" group!). Go back to the litter box that you crawled out of. Conclusion ---------- Well, here it is, Virus Creation Laboratory, a program to change forever the way virii are made. Have fun with it, but remember to always be careful with anything your produce with it, and be responsible in your treatment of viruses and other potentially harmful programs. After working on this project for so long I'm sorta' sick of all of this, so these docs are a bit smaller than I was hoping to make them; if you have any questions not answered by the documentation or on-line help I can be reached at the sites listed above; I'm always willing to help. I hope you like this program; if you do, you'll be interested in other fine products produced by Nowhere Man and [NuKE], available at a respectable h/p/v board near you. Thanks for your continuing support, and enjoy! -- Nowhere Man, [NuKE] '92 ------------------------------------------------------------------------------ Look (and look out) for these fine warez by Nowhere Man: ** C-Virus My first virus, the program that proves that C *can* be used to write good virii. With full C source, automated creation files, and docs. Version 3.0. Available now. ** Itii-Bitti The world's smallest virus for it's abilities, Itti-Bitti has all of the bells and whistles of the fancier virii, but Strain A is only 161 bytes (two less than Tiny) and Strain B is only 99. With full assembler source and docs. Available now. ** DeathCow-B A lame virus based on the original DeathCow, a Minimal-46 variant. Made smaller, it measures only fourty-two bytes. With full assembler source and docs. Available Now. ** Miniscule The world's smallest functional virus, Miniscule is only thirty-one bytes long! Comes with fully-commented assembler source (great for learning the tricks of the trade). Available now. ** Nowhere Utilities A group of fine utilities to assist you in the development and distribution of trojans and virii. Also great for just having around when you need them. Check it out. Version 1.0. Available now. ** Version 2.0 arriving late summer '92 ** ** Code Zero A nice little appending .COM infector I wrote with V.C.L. to show off it's capabilities. Somehow Patricia Hoffman got her hands on it, and the rest is history. Available now. ** Kinison Another .COM appender created with V.C.L. dedicated to the memory of Sam Kinison. On the anniversary of his tragic death in an auto accident Kinison "screams" at your hard disk with devistating results. Available now. ** Succubus One of the Undead series of [NuKE] virii, Succubus is a non-overwriting .COM infector written using V.C.L. When all files are infected it gives your hard drive the Kiss of Death then plays a funeral march in rememberance. Cute. Available Now. ** V.C.L. Virus Creation Laboratory, the ultimate virus utility. You choose the options, the effects of the virus, infection rate and type, etc. and it does the rest! No more messy assembler coding or tedious debugging. Also produces trojans and logic bombs. Full professional-quality IDE, too. A major work to redefine the virus world. Version 1.0. THIS PRODUCT.