
VX Heavens


Stalking a Computer Virus

Wallace Wang
November 1996


When most people find a computer virus lurking on their hard disk, their first reaction is to grab an anti-virus program such as The Norton AntiVirus or McAfee's VirusScan and kill the virus as quickly as possible. The two common ways to kill a computer virus are to delete the infected file (which is like killing cancer by shooting the patient) or to attempt the slightly riskier method of cleaning the infected file.

Cleaning an infected file means the anti-virus program tries to remove the computer virus program code from a file without harming the infected file. In many cases, a computer virus attaches itself so firmly to a file that removing the computer virus irreparably damages the infected file as well. When this happens, you have no choice but to delete the infected file.

But rather than delete an infected file or let an anti-virus program try to clean it, you might be interested in trying a third approach, if you like living dangerously - study the computer virus and dissect it.

Such amateur virus sleuthing can be interesting but dangerous, much like trying to make pipe bombs from plans you find on the Internet. Before attempting to isolate and dissect a virus, make backups of all your important files. That way if the virus gets loose and wipes out your hard disk, you won't lose everything for good. (Better yet, practice looking for a virus on a computer that you don't care about, such as an old computer or a computer belonging to your boss or disliked co-worker. That way if a virus gets loose and wipes everything out, at least your computer data will still be safe.)

Detecting A Virus

Unless you have nothing better to do but look for all possible symptoms of a virus attacking your computer, your first line of defense should be an anti-virus program. Most anti-virus programs include a monitoring program that notifies you the moment a virus infects your computer. You can buy a commercial anti-virus program (such as The Norton AntiVirus), try a shareware version (such as McAfee's VirusScan), or use a free anti-virus program (such as F-Prot). To browse through links to the most popular anti-virus programs, visit the http://www.nha.com website.

Anti-Virus News and Hot Links

Once you have a reliable anti-virus program that you trust, try capturing a virus using special virus bait files. Since computer viruses can only spread by infecting the boot sector of a hard disk, COM or EXE files, or any Microsoft Word documents on your computer, you can plant "dummy" EXE files on your hard disk. The moment a virus infects one of your "dummy" EXE files, you can safely start dissecting the virus. That way if you screw up completely and wreck the infected EXE file, you won't ruin any valuable programs in the process.

For a copy of a virus baiting program, download the VC50.ZIP file from ftp://boardwatch.com. This file contains an anti-virus program called Victor Charlie, which contains "dummy" COM and EXE files. Unlike more conventional anti-virus scanners that require constant updating to catch new viruses, Victor Charlie is a generic anti-virus program that never needs updating.

The main defense of an anti-virus program is its scanner. Most anti-virus scanners contain two parts: the actual scanner itself and a file containing virus "signatures," which are unique characteristics that identify specific viruses. Each time a new virus appears in the wild, the anti-virus company must create a new virus "signature" that tells the scanner how to recognize it. Because new viruses appear every month, anti-virus scanners will always risk missing a deadly new virus.

Victor Charlie is different though. Instead of scanning for viruses, Victor Charlie lets you plant its "dummy" COM and EXE files on your hard disk. The moment a virus infects one of these dummy files, Victor Charlie traps the virus's "signature" for future use. In this way, Victor Charlie constantly updates itself.

Victor Charlie does have two big flaws. A virus could attack and destroy important files before attacking one of Victor Charlie's "dummy" files. Until a virus infects a "dummy" file, Victor Charlie will never be able to detect that virus. Even worse, Victor Charlie can only bait viruses that attack COM or EXE files, not boot sector or macro viruses. Since the most common viruses are boot sector and macro viruses, don't rely on Victor Charlie alone to keep your hard disk virus-free.
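
The bait-file idea from the paragraphs above, as an added Python example that is not from the original article and is not Victor Charlie's code: it plants dummy files, notices when one changes, keeps the first foreign bytes as a signature, and searches other data for that signature. The file names, BAIT_BODY and the sample bytes are constructed, and treating the first 16 added bytes as the signature is an assumption made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed placeholder; a real bait file would be a small valid COM/EXE.
BAIT_BODY = b"\x90" * 64 + b"BAIT-FILE-DO-NOT-RUN"

def plant_bait(directory, names=("BAIT1.COM", "BAIT2.EXE")):
    """Write the bait files; return a baseline {path: sha256 hex digest}."""
    baseline = {}
    for name in names:
        path = Path(directory) / name
        path.write_bytes(BAIT_BODY)
        baseline[path] = hashlib.sha256(BAIT_BODY).hexdigest()
    return baseline

def check_bait(baseline, sig_len=16):
    """Return (path, signature) for every bait file that changed.
    signature = first sig_len foreign bytes for a pure append or prepend,
    None when the file was overwritten or deleted."""
    findings = []
    for path, digest in baseline.items():
        data = path.read_bytes() if path.exists() else b""
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        if data.startswith(BAIT_BODY):
            added = data[len(BAIT_BODY):]
        elif data.endswith(BAIT_BODY):
            added = data[:-len(BAIT_BODY)]
        else:
            added = b""
        findings.append((path, added[:sig_len] or None))
    return findings

def scan(data, signatures):
    """Simplest form of a signature scanner: a byte-pattern search."""
    return any(sig in data for sig in signatures if sig)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_bait(tmp)
        target = next(iter(baseline))
        # Simulate a change with harmless constructed bytes.
        target.write_bytes(BAIT_BODY + b"CONSTRUCTED-SAMPLE-TAIL-0001")
        sigs = [sig for _, sig in check_bait(baseline)]
        other = b"MZ" + b"\x00" * 32 + b"CONSTRUCTED-SAMPLE-TAIL-0001"
        return sigs, scan(other, sigs), scan(BAIT_BODY, sigs)
```

A bait file that is overwritten or deleted still shows up in check_bait, but with no signature, which mirrors the first flaw described above: the change is noticed only after it has happened.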

Dissecting a Virus

Once you've caught a virus, the next step is to dissect it using a hex editor such as the DISKEDIT.EXE program found in the Norton Utilities, the Hex Workshop program (which is available at http://ourworld.compuserve.com./homepages/breakpoint/hexhome.htm) or the EditPro program (available at http://www.winsite.com/info/pc/win3/util/editpro.zip).

A hex editor lets you examine the sectors of a floppy or hard disk so you can see the internal guts of a computer virus. By using a hex editor, you can often find hidden messages buried inside of a computer virus without actually setting off the virus.
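
What a hex editor shows, as an added Python example that is not from the original article: the bytes are only read, never run, and are presented as an offset/hex/ASCII view plus a list of readable text runs with their offsets. SAMPLE is a constructed byte string, and the minimum run length of 6 is an arbitrary choice.

```python
import re

def hexdump(data, width=16):
    """Offset, hex bytes and printable ASCII: the view a hex editor gives."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  |{text}|")
    return lines

def ascii_strings(data, min_len=6):
    """(offset, text) for each run of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii"))
            for m in pattern.finditer(data)]

def inspect_file(path, min_len=6):
    """Open in binary mode so the content is treated as data, not a program."""
    with open(path, "rb") as handle:
        data = handle.read()
    return hexdump(data), ascii_strings(data, min_len)

# Constructed sample: 16 non-printable bytes, a text message, 3 trailing bytes.
SAMPLE = (bytes([0xE9, 0x10, 0x00]) + bytes(range(0x80, 0x8D))
          + b"Hello from a constructed sample" + b"\x00\xcd\x20")

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    for offset, text in ascii_strings(SAMPLE):
        print(f"{offset:#06x}: {text}")
```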

Besides letting you view the contents of a file, a hex editor also lets you modify that file. In the right hands, a hex editor could patch a faulty program, erase somebody's name or registration number from a program, or let you add your own name or message to a program. Many software pirates use hex editors to crack copy-protected games or hide obscene messages in ordinary programs such as Microsoft Word or Lotus 1-2-3.

If you're skilled enough with a hex editor, you can separate a computer virus from an infected file, such as one caught by Victor Charlie's bait files. Once you've isolated a computer virus, you can go one step further and use a disassembler to convert the computer virus from working program to raw assembly language source code.

If you've trapped one of the increasingly common Windows-based viruses, you can download the W32DASM2.ZIP file from the Boardwatch ftp site. This demo version can disassemble 32-bit Windows programs that are in the Portable Executable Format (PE), so you can use it to examine other Windows programs besides viruses. Unfortunately, this Windows disassembler can't disassemble 16-bit programs and the demo version won't let you print or save any assembler source code.

In case you run across one of the more common DOS-based computer viruses, visit the http://rasi.lr.ttu.ee/teave/msdos/simtel/simtel_index_disasm.html site where you can download a variety of different disassembly programs.

A disassembler works by converting an EXE or COM file into assembly language source code so you can see how a program actually works. Unfortunately, disassemblers are never perfect, which means that the assembly language source code that a disassembler creates may require slight editing before you can assemble it using an assembler such as Borland's Turbo Assembler (the favorite assembler of virus programmers), Microsoft's Macro Assembler, or the shareware assembler A86.ZIP which you can download from http://lexitech.com/bobrich.

(Just in case you're wondering, disassemblers can only create assembly language source code. They can't convert an EXE or COM file into COBOL, C++, or Pascal source code. Since any program could have been written a million different ways using any programming language, a disassembler has no way of knowing which programming language someone may have used.)

After disassembling a computer virus and modifying the assembly source code, try assembling the virus back to its original form and run it to make sure it still works. (That way you can tell whether the disassembler worked correctly.)

By trapping, isolating, disassembling, and then assembling a computer virus, you can learn more about computer viruses than you could ever learn just by reading a book or using an anti-virus scanner. While virus hunting always runs the risk of letting a virus loose on your computer that wipes out your hard disk, it can be an amusing way to study a problem that will only continue growing as long as we rely on personal computers.

Since virus hunting is a skill that most computer science graduates never learn in college, any skills you pick up isolating real viruses could translate into a higher paying job, a new career working for an anti-virus company, or just plain fun, ripping apart computer viruses and witnessing the ongoing battle between virus writers and anti-virus programmers.

Then again, playing with live viruses could also translate into a wrecked hard disk or missing files so keep those anti-virus programs nearby in case a virus slips through your traps and starts shredding your data. Virus hunting isn't for everyone, but with the right tools, it can be another skill you can develop that can enhance your computer knowledge.
