Maximize
Bookmark

VX Heavens

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

The Art of Virii Collecting

Tally
VDAT
December 1999

[Back to index] [Comments (0)]

Revised December 1999, Minor Link Revision April 2000 - Cicatrix

Introduction

Why in the world would anyone collect virii, viruses, viren, viry or any other self-replicating program? I don't know! Why collect stamps? Why collect cars, parking tickets or rejection slips? That is, why collect at all?

Well, there is a certain amount of joy in the hunt for one thing. After hearing of a new and particularly deadly virus (CIH for instance) I want a copy. Getting a full collection of those golden oldies is fun too. It is electronic history.

Another reason is the environment! Virus authors, collectors, groups, etc. have their own scene. It is interesting to get to know the people. I have made more Internet friends by collecting viruses than almost anywhere else on the net.

Viruses are fascinating programs. Since I programmed for a living, writing database applications and other less exciting works, the "electronic life" seemed fascinating by comparison. Watching a virus move about a hard drive is fun.

But ultimately, I can't say there is any one good reason. I just find myself fascinated with them. While it makes better sense than collecting furbies, I don't pretend it has any clear, useful and defensible reason. It is just cool.

One proviso: This is just a hobby. These are just viruses, binary organizations of bytes with a particular purpose behind the programming. Don't get obsessed with it, don't lose sleep or friends over it. If the power gets disconnected you've got nothing left (maybe a disk or a CD, but it can't do anything). A simple test: if this keeps you up at night - it's probably an obsession or addiction of some kind. If this hobby is causing you social, personal or emotional problems - quit and seek professional help!

Present State

The present state of virus collecting is a bit disturbing. There was a long time when virus groups greatly outnumbered virus traders. In fact, virus collectors were looked upon unfavorably. It is an odd turn of events that the popularity and acceptance of virus collecting is leading to its disintegration. Oh, sure, there are still many collectors who continue to amass large quantities of samples. But for many traders/collectors, the fun has gone out of the hobby.

There are more fights and groups breaking up all the time. Pettiness and obsession seem to be more popular than comradery. There are more virus collection groups that hate each other than coding groups fighting. What was once a group of interested onlookers has become a turmoil of confusion.

Perhaps the collecting scene is undergoing change. If this is a time of metamorphosis, then it is welcome - all things are subject to change. One can only hope that whatever grows up next will be as enjoyable as the collecting scene once was.

It would be unfair to suppose that the state of trading is unrelated to the VX scene as a whole. It may well be that the changes experienced in collecting are a result of the changing face of virus coding. If the IRC channels devoted to viruses are any indication, the VX scene has changed a lot over the past few years.

But keeping in mind my own admonition not to take this too seriously, this article will focus on what exists now in the trading scene. This is not an attempt to change or dictate how trading should be done. This article is a reflection of what goes on in the virus collecting circles. It is a guide for those interested, in order that they may enter into this strange, yet fascinating hobby.

Related Hobbies/Vocations

There are several things that are related to but not equivalent to virus collecting. A virus collector is not necessarily a virus researcher. Virus research is a more involved process taking a hobby into more of a vocation. Some do enjoy research in addition to collecting. But for some of us, research is too much like work. One only needs to look at the belabored attempts of Sung Yang ( http://www.sungyang.org/) to see just how hard some people make it!

Virus writing is obviously a different endeavor as well. But there are some who do both. But don't assume that everyone who collects viruses is also an author. I laugh when I get requests to write somebody a custom virus. Some of us collectors are at best marginal programmers. I have considered writing a virus in Clipper, though - just for laughs.

Collectors are also not necessarily hackers, crackers, nukers, or even 37337 in any way. Most collectors I have met are not interested in those areas at all. Those who dabble in those activities tend not to be the most serious collectors.

Collection Purity

Being a hobby of some involvement, collectors naturally develop some standards along the way. Some collectors do not collect macro viruses or trojans. There are several reasons why they do not collect macro viruses. Some do not consider them as skillful, advanced or involved as assembler based viruses. Trojans are so simple and foolish that many do not even pay attention to them. I have heard from several collectors that they draw the line at replication. If it doesn't replicate, they don't collect it. After your collection grows up over 30,000 viruses you may not pay much attention anymore. If you collect based on a virus scanner, you may end up adding some trojans to your collection (although VirusKeeper gives you the option to exclude trojans and other type of files).

Sometimes the size of the sample is an issue. If a 500K EXE file is infected with a 312 byte virus, there is obviously a lot of waste! Some will get involved with replication in those instances. Replication is the process of getting viruses to infect small "goat" files. A "goat" file is simply a tiny program whose only purpose is to be sacrificed in order to catch a virus. If the size of samples is an issue, get some goat file utilities and find a spare machine to work with. Run the infected executable to get it to infect the "goat" files. Once a goat is infected, you will have much smaller sample.

It is always a good idea to check files to see what kind of goat file they were replicated onto. There are several people who find it necessary to use marked goat files. Often those marks contain the identity of the sender or the recipient. While this is certainly an odd practice, it does happen.

The quality of a sample is important. Files that had no stack segment yet were not converted to .COM are a continual annoyance. F-Prot often detects these files as "droppers" thus causing some collection systems to recognize them as separate samples. This has caused some to process everything they receive to determine its quality. Others do not worry about the issue since it would take a lot of time to process several hundred EXE files to check for problems.

Further, many files are compressed with PK-Lite, ICE or other executable compression programs. That may change the way different AV programs see the virus. It might be a good idea to unpack the executables to ensure proper ID, although most reputable AV programs now see past the compression. For the most technically "pure" collection, unpack the files whenever possible.

Object files (.OBJ) are one more issue. Some people collect them as they are. However, if they are linked, they often show up as a different virus. If real, executable viruses are your interest, you may wish to develop a batch file to link any object files you receive. It isn't very hard to properly link them before scanning!

Variants and unknowns are yet another issue. Variants can sometimes be created simply by assembling a virus a different way. Suddenly, with one source file you've got two or three viruses. Unknowns are probably variants that a certain anti virus program doesn't recognize yet. These can be a problem for collectors at times. You may trade for an unknown variant only to discover later that it is a repeat of one you already have.

It is also important to watch how the AV identifies the virus. Anti-virus programs such as AVP use various words to indicate the certainty of the virus infection. AVP uses "infected," "warning," and "suspicious." If you do not separate those, your sample may not be the virus you thought it was. It is best to separate the partially Ided ("warning" or F-Prot's ".unknown") from the fully IDed.

There are also a few folks who create junk just to try and get more out of a trade. Renaming .OBJ files to .COM files, they hope to bypass batch systems that check for the .OBJ extension. F-Prot is a big help in this instance. F-Prot will add the extension " - object file" to the end of the virus name. The only utility I have seen that accurately solves these problems is renexts by Phage. As of this writing, it is not yet released. However, this program renames accurately - resulting in a much cleaner scan, avoiding problems with F-Prot mis-IDing a virus due to the file extension.

From a collection without proper renaming, you may generate dozens of requests for new viruses. Then when you receive them, rename them and scan them in - you get nothing. Proper renaming is very important for accurate scanning. The renexts program should be available on Phage's website sometime soon: http://www.ultimatechaos.org/phage

A final consideration, though not terribly important, is the "constructor." Several AV programs now detect virus creation kits giving them the prefix "constructor." These are not really viruses, but only programs that create them. You may wish to keep these separate if this bothers you. Many of us just sort them in with the rest.

Getting Started!

Everybody has to start sometime. (Come on, you know you all want to have a virus collection!) It wasn't that long ago that I started. I think the first thing to remember is that you are dealing with people! Make friends and contacts, but don't use people. They will figure it out!

Here are the top ten things NOT to do to get started in virus collecting.

  1. Write 100 batch viruses and send them to your favorite Anti Virus company (and wait).
  2. Wait for viruses to infect you as you download games from questionable web sites.
  3. Buy one of those "Greatest Virus CD of all time" offers for $999.00 (U.S. dollars).
  4. Take out a loan and advertise to buy any viruses that you do not have.
  5. Loan your diskettes to all your friends, hoping a boot virus will get on it.
  6. Infect your system with Back Orifice or Netbus and hope somebody will put a virus on your system.
  7. Hang out on IRC waiting for somebody to try and DCC you a mIRC worm.
  8. Post a message in the news group, ALT.COMP.VIRUS, stating "I need a virus urgently, please send them to me!"
  9. Contact AV companies and tell them "I am a virus researcher, can you send me some viruses?"
  10. Write e-mail to a collector with 30,000 viruses and ask them to "Send me all you have!"

Okay, the list is a little silly, but you get the idea. There are a lot of good ways to add to your virus collection. Here are few ideas to begin your collection.

  1. Download all you can. There are still a lot of sites with virus binaries for download. Go get them. A good place to begin your surfing is my Virus Link Reference page: http://www.coderz.net/tally/
  2. Use the search engines on the net like Yahoo and Northern Light. Yahoo's web site: http://www.yahoo.com/ and Northern Light's: http://www.northernlight.com/ are but a sample of the many available. You CAN find viruses and related sites by using them!
  3. Download VDAT right now if you haven't already. VDAT is THE encyclopedia for the virus world. You can get a copy at Cicatrix's VDAT web page: http://vdat.cjb.net/
  4. Now you have to organize your collection. If you plan to have more than 10 viruses, get a virus collection program now. There are several. I recommend either my program, VirusKeeper (free) or VS2000 (free). VirusKeeper is the system management approach to virus collecting. Once set up, it will do nearly everything for you. Get your copy at my web site: http://www.coderz.net/tally/vk.html
  5. Start trading. Post your web page somewhere with your intent to trade viruses. Post your logs for people to check. Get an e-mail you feel comfortable posting out there for the whole world to see. Then post your site on some of the popular virus sites. Once your collection gets to a certain size, you won't expand it much without trading. You might want to stop by http://www.virusexchange.org/ , http://sok4ever.zone.ne.jp/ or http://www.coderz.net/ and visit with the webmasters about getting a site there.
  6. Get to know the people. Spend some time at the author's, group's and collector's sites. Learn what they do, who is in the group. This isn't just about executable programs - it is about people. You will have a lot more fun if you get to know them. You can find most author's and group's sites at my virus link reference page: http://www.coderz.net/tally/
  7. Get an IRC program and visit the virus world's chat rooms. Those are #vir, #virus and #vxtrader on UNDERNET. Have some respect and get to know the people. A lot of trades of viruses happen right in those chatrooms. This is a wonderful place to meet creative people from all over the world. Stop in and join the crowd! Get IRC information and a program to access it at: http://www.geocities.com/~mirc/
  8. Write them yourself! Hey, if you are a programmer, especially in Assembler, maybe you'll enjoy writing. Some of the most creative programmers are out there in the VX world. The challenge is exciting - try it! An excellent link for beginning assembly programming is an tutor called "Art of Assembly Language." It can be found at http://webster.cs.ucr.edu/
  9. Collect every single virus zine, utility, generator, kits, source code, engine, and tutorial. Be creative and learn everything you can. If you don't know how to compile and link programs - learn it. You will definitely gain a lot by doing that.
  10. Grab every binary from the news groups. Many viruses and trojans are spread around "warez" and "pron" newsgroups. You will undoubtedly download a lot of junk, but occasionally you will find a new virus or trojan. At this time I have no reliable newsgroup access so I cannot list good utilities for grabbing binaries. But there are automated utilities that will grab all the binary attachments from specified newsgroups.

Collection Organization

There are several ideas about how collections should be organized. One early article about collection organization is Vesselin Bontchev's "Analysis and Maintenance of a Clean Virus Library." A more recent (and more tailored toward virus collectors) one is Cicatrix's "Computer Virus Collecting: Fun or Folly." I will attempt to outline some of the popular methods being used by virus collectors (not necessarily by AV researchers).

1. Infected user.

This person has a virus on his/her system because of an accidental infection. Don't laugh! You (as a trader) might get a new sample in process of helping this person get rid of the virus. It is not unheard of for a person to have several viruses/trojans infecting their system at one time!

2. Dabbler.

The dabbler doesn't collect viruses seriously but does like to have a few around. This collection is probably not managed with sorting/trading/archival utilities. If you have less than 100 viruses, you are probably a dabbler. Unless you plan to seriously increase the size of your collection (and the time you will spend), don't go any further.

3. Original zips.

I call this method the original zips method because these collectors keep everything the way they download it. Often they have several copies of the same thing, sometimes by accident, but often because the same virus is found in several different places.

The downloads are sorted by author, web site, virus type or any combination of these and other categories. Often they do sort their files by zines, engines, kits, etc. as well. The files are scanned with an AV scanner, then some utility is used to sort the log file and determine how many unique viruses are found.

While this method provides good coverage, and insurance that potential variants are not lost, it is also very difficult to manage. Getting viruses out of the collection is slow and tedious. This is not an effective method for active traders.

4. Hand Sorted.

This means the virus trading program does not handle the sorting. It does not necessarily mean the viruses are actually put in directories by hand, although some collectors do that.

One program being used to sort viruses is called BULK. This program copies viruses to BULK into subdirectories based on the CRC32 of the file. The files are renamed to this CRC32 value, keeping the original extension. This program is fast, and checks for dupes. One drawback of this method is the reliance on CRC32 calculation. It is possible to have two different files with the same CRC value. Also, viruses are difficult to find without a trading utility that handles finding virus requests. A bonus is that the file names do not have to change if the virus ID changes.

That is not the case with collections stored by renaming the file name to the virus name. There are several utilities which attempt to do this. There are several problems with storing viruses this way. The first is the most obvious: Virus names change. What is Intended.Federation.Fighter may turn out to be Win95.Naboo.Fighter on the next update. Scrolling through 99 directories to find the one virus is not all that enjoyable either. It does look nice to see the files sorted by virus type, then virus name. Again, storing files in this manner requires a good utility for filling virus requests.

Another method, which can be combined with any other is that of removing all the virus extensions for safety. Admittedly, this is safer than storing executable files. However, it also removes important information about the file. It is not necessary if one uses a storing utility that automatically zips files or moves them to a virus directory. Removing the file extension will cause some Antivirus programs, such as F-Prot, to ID the file differently or miss it completely.

5. VirusKeeper.

Since I write the virus management system called VirusKeeper, it is obvious I would consider it a good way to store, sort, and trade viruses. But I will also outline my entire virus collection system.

First, sort out all your zips into categories. The way I have done it is as follows: AV, Authors, Collections, Engines, Kits, Reference, Simulators, Source, Tools, Tutors, Traded, Utilities, Zines. This sounds like a lot of directories but once you start downloading everything you find, you will soon have an unmanageable set of files. The directories store these items: AV - anti virus programs and updates, Authors - Source code and viruses according to author (e.g. EVUL\Malice.zip, Knowdeth\Sheep.zip), Collections - various collections you download and receive (e.g. WCIVR.ZIP, JOHNDOE.ZIP), Engines - virus engines of all types (organize with subdirectories for Macro, DOS, Win, etc. if you like), Kits - Virus construction kits (again, organize by type if you like), Reference - virus reference programs and texts such as VDAT and AVPVE, Simulators - virus simulators, Source - source code not already stored by author nickname, Tools - virus tools such as virus droppers and infectors and VVSC, Tutors - various tutorial and help texts on virus related topics, traded - zips of viruses you received via trades, utilities - assemblers, dissassemblers, archive utilities, etc., Zines - Virus and related zines.

Once I got all my files carefully sorted and categorized, I found it much easier to scan the sections for new viruses and to check to see what I already had. Currently under development is a program called "FileKeeper" which helps automate the task of sorting and finding these files. It sorts files into the correct directory and creates HTML access to all of them. It is not yet available for any sort of release (BETA or otherwise).

An active trader should develop some means of keeping various files for the purpose of rescanning them from time to time. I keep one directory that is simply sorted into directories by author name. In each directory I keep all the viruses, source code and other work by that author. Each time the anti-virus programs are updated, I rescan this directory for new viruses.

Of course, there are always those odd files that don't scan in, but are definitely viruses. For that group of files, I simply use the NOSCAN directory managed by VirusKeeper. If a file does not scan in as a virus, VK will (during normal CHECK operation) move the file into a zip in the NOSCAN directory.

I strongly recommend that you also keep a BULK directory. The BULK utility (as described above) is an excellent utility for keeping what some call a "slush" directory. This consists of all known viruses, additional samples, unknown files and undetected viruses. The advantage is that you do not throw away ANY files. Each time the AV definitions are updated, many collectors find new viruses in their slush directories. This directory will grow quickly (mine is currently at 53,188 files using about 558 megabytes).

To avoid duplicates (like 0F3489EE.EXE and 0F3489EE.COM which are renamed duplicate of each other) use a file weeding utility. A very fast and accurate program that I recommend is Nome Weeder. It is available in both a command line and a GUI version. Get this fine program at: http://ggnome.cjb.net/

The final directory in this method is of course - VIRII (or viruses). In this directory VirusKeeper (VK) is running, keeping track of all the viruses. VK works by reading scanner logs of new viruses, checking that data against its database and storing those viruses that are new. It automatically determines trade ratios, makes zips of files to send to other traders and archives all new viruses. There are never any files laying about that could potentially be run.

VK has a browser system that allows you to view the virus names, compare names, search for viruses and even output single viruses. Finding viruses is simple, even though the viruses are stored in zips. There are no complicated directory trees to traverse. File names are generated by VK so it finds them easily, without hard work on your part.

The zip files created by VK to store your collection house as close to a completely unique collection as possible. As scanner definition files are updated, you will develop some duplicates. VK has routines to remove those dupes when you decide to remove them.

I realize this section has become a bit of an advertisement for VK, but it's free. Furthermore, the method VK employs is not really used in any other virus collection program to date. VK attempts to do total management of your core collection safely and easily.

VK combines the best of each of the other methods. It stores files uniquely, similar to the way BULK does (except VK just sequentially numbers them). It allows you to view the virus names, but in a handy browser instead of in cumbersome directories. It easily handles changing virus Ids in the database, without changing the file names. Combined with the suggested storage method (separate directories for zines, etc) it allows one to keep the original zips without having huge logs and multiple copies of the same virus. The virus logs from VK's managed set of viruses is as compact as possible.

As noted above, some keep object code of viruses, some do not. VK now has the option to choose whether to keep object code, partially Ided viruses, trojans and damaged viruses. It is a new standard in virus collection systems, one that was greatly needed. Hopefully other programs will follow VK's humble example. If at all possible, choose a utility that allows you this kind of control.

Some have complained that VirusKeeper generates requests erroneously. This is usually due to a failure to properly set the parameters, use of older log file, failure to update the database and a misunderstanding of VK's concept. As you can see, one must be careful when using this more powerful trading system. However, with a small amount of initial set up and regular updating, VK will provide easier and more accurate virus trading than many other utilities.

Before running VK Check for new viruses, I run renexts first to ensure that I have correct file extensions. Then I run BULK to keep a copy of everything I am scanning. Finally, I run VK CHECK, to add the new, unique viruses into my collection. All this is handled by one batch file.

The advantages of my plan for collecting is that everything is batch-able. There is no slow, tedious renaming, re-filing, re-checking viruses. Everything is easily managed by typing a few batch commands. This leaves time for the fun parts of this hobby!

Whatever method you choose, make sure it is easy for you to manage. Nothing ruins a fun hobby more than spending too much time on the work part of it. Spending hours looking to see if you have a particular zine takes the fun out of it. And if you have to hand-create a directory for new viruses every day - it is too much work.

An example directory setup

          VIRUS--
                |-----AUTHORS--
                |             |--ASMHEAD
                |             |--JACKTWO
                |             |-KNOWDETH
                |-----AV
                |-----BULK--
                |          |-----0--
                |                  |-00
                |                  |-01
                |                  |-02
                |-----COLLECT
                |-----ENGINES
                |-----KITS
                |-----REF
                |-----SIMUL
                |-----SOURCE
                |-----TOOLS
                |-----TRADED
                |-----TUTORS
                |-----UTIL
                |-----VIRII--
                |           |----ARCHIVES
                |           |----NEW
                |           |----NOSCAN
                |-----ZINES

Trading

Virus trading is one of the most productive ways to increase your collection and meet new people. The number of virus collectors has increased (or publicized web pages for them has) over the past year. There are a few areas you should pay attention to in getting started trading viruses:

Utilities - The utilities you use to handle your virus trading will either help or hinder your work. Choose a utility that is accurate - otherwise you will trade for viruses that you didn't need.

Log files - I recommend that you use only the original log files produced by the anti-virus programs. Simulated logs often introduce errors or variances that cause incorrect trades. For instance, one virus log comparison program strips the extra information from F-Prot logs. It removes the "(exact)" and other information when it stores the virus data. While this saves space, it also reduces the accuracy of the pseudo-logs it produces.

Contacts - there are several good ways to make contacts for virus trades. Many trades take place through e-mail. When you get your trading web page up, people will eventually contact you through your e-mail. Another excellent place to make virus trades is on IRC (Internet Relay Chat). In Undernet there are two chatrooms for virus related discussions: #vir and #virus. There is also a chatroom specifically for virus trading: #vxtrader. You might also get some response by posting your trading information in newsgroups such as alt.comp.virus and others. However, the newsgroups are often filled with flames more than useful messages.

AV programs - The most popular anti-virus programs for trading are AVP and F-Prot. Most traders use the DOS versions of those Avs.

AV parameters - The parameters you choose will greatly affect the accuracy and effectiveness of your trading. Suggested parameters are as follows:

	
	F-PROT /DUMB /ARCHIVE /NOMEM /COLLECT /REPORT=FPROT.LOG C:\VIRII
	AVPDOS32 /O- /S /Y /* /M /B /P /V /W+=AVP.LOG C:\VIRII

If you scan others' logs that do not use these parameters you will often find you request files from them that you do not need.

Private Viruses - one of the silliest notions in the virus trading circles is the idea of private viruses. These are viruses that are not to be traded/shared with anyone. It is recommended that if you trade for these viruses, you do your best not to share them. But it is probably a better idea not to deal with them at all. The real problem with them is once you have several thousand viruses that you can't share, you are limited in your freedom to trade. Furthermore, if those viruses are released by someone else - you will likely receive all the blame and aggravation for their release.

It often seems that in VX circles private viruses are a sort of goad that some use to exert their superiority. Many collectors complain (and rightly so) about keeping some viruses private. If you find that it is necessary for you to keep viruses private, it is best not to brag about them. You will not make many friends that way.

The exception is, of course, when you receive a virus directly from an author or group. In this instance you should never share this virus, code, etc. Some authors write their viruses for their own study and use, never intending for them to be released. Many don't want their work to be spread or go into "the wild." Respect the authors above all else, as they are the ones that create the very things you collect!

Within AV circles, there are of course private viruses. Their reasons for keeping them private are quite different. How you deal with AV people is your own choice. Just recognize that there is great tension between Avers and Vxers. Vxers that associate closely with Avers are sometimes "wanna-be Avers." Be careful which way you choose, as it will affect how many Vxers deal with you. Since this article focuses primarily on the VX side, I will leave it at that.

Groups

As with every other hobby, virus collectors sometimes form into groups. This can provide benefits, but can also bring many problems. There are many virus trading groups currently in existence as well as several that have died out. It would be best to study them carefully before making a decision to join.

Tightly controlled groups tend to flare up quickly, bring in viruses for a while, then die out as the dictatorship becomes tiresome for the other members. It is not recommended that you join a group where one member controls the others whether by arrangement or by attitude.

Many groups have had problems sharing viruses. Whether due to secret trades or just plain greed, one or more members ends up taking the lion's share. It is always a risk that you will end up in a group with a member like this, so choose carefully if you decide to join a group.

Virus authors have often changed groups, joined more than one group and gone independent when it suited them. There is no reason to expect that collectors will be any different. Don't be afraid to make a change if things don't work out.

People that tend to be controlling and manipulative in real life will usually turn out to be the same in their online dealings. Dealing with people like that in a collecting group will only cause you grief. If you find yourself in such a situation - go independent. Don't worry about the loss of viruses and connections. This is a free hobby - nobody controls who trades with whom. You do not need to be in a group to effectively trade viruses and have fun.

Some of the newer groups are not really groups. They are best described as a cooperative collective. The "members" simply have free trade with each other. The members are allowed to trade with other people as they see fit. Typically, this type of "group" has less stress and more fun. What is meant to be a hobby is made more enjoyable by the cooperation and sharing.

Remember that hobbies are supposed to bring enjoyment to your life, not make it worse. A group formed around a hobby is supposed to be fun, not treated like a business. If you decide to join, find one like the collectives described above.

Ethics

The study of ethics has always been of great interest to me. So it is natural to ask the question "What are the ethics of virus collecting?" I intend only to touch the surface of this issue here.

The first question to be asked is the obvious one. "Are viruses evil?" This has been debated for quite some time now with varying results. People tend to look at the intent of the author, the effect of the virus or the way a person uses viruses as the means to determine the answer. These approaches really only examine the surrounding issues and not the existence of viruses themselves. It is a bit like asking, "Are land mines evil." One could argue that they are not if they aren't used to hurt people. Another could argue that they are because they were created to hurt people. Yet another could say that since they only cause destruction they are inherently evil.

I think a much more appropriate question is, "Are viruses good?" Although this is dependent on your definition of "good," I think clear answers (using philosophical logic) can be found. I will leave this to the reader to determine, but ask yourself honestly if a real argument can be found to prove that viruses are intrinsically good.

A collector might disagree based on his or her love for viruses. However, that is not an absolute moral/ethical good, but a relative good. That is, it is based solely on the collector's desires, not on intrinsic qualities of the virus.

Another might argue that viruses increase the awareness of anti-virus researchers (and the quality of av programs) thus they are good. But this is a cyclical reasoning. After all, without viruses there would be no need for anti-virus programs. Some have argued that without viruses creating the need for Avs, the users would be more vulnerable than if they didn't know about viruses. But the user is actually more vulnerable now, since authors work harder and harder to avoid detection. Either way, this argument is cyclical and thus begs the question.

There have even been those who argue that viruses are a sort of digital life and deserve protection. The issues of self-awareness, what actually constitutes life and whether all life must be preserved are beyond this short essay. However, this argument appears weak at best.

My concern here is with collectors, not with authors, anti-virus folks or with people wanting a virus to kill their boss's computer. Collectors ensure survival of many strains which might otherwise completely die out. Whatever the ultimate reality is, collectors are not immune to the ethical/moral considerations.

Recently, some one suggested that philosophical logic could not really come to a clear answer. If one is given to relativism this would certainly be true. However, there are certain truths about viruses that are not arguable. From those truths one can come to some conclusions. The idea that all truth is relative is a juvenile assumption.

Clearly, this discussion could quickly grow to be its own essay. That is not the purpose of this short section. The point is, there are ethical considerations. One must consider the ethical issues if one intends to be involved. One should not be unaware of ethical issues.

A final area of ethical concern lies within the VX collector/trader community itself. It would seem that collecting and trading would be a carefree, enjoyable hobby. Indeed, it usually is. However, there are always those who seek to gain without concern or respect for others. I have seen the very worst of controlling, obsessed, and hysterical collectors. Be very careful who you associate yourself with. Suffice it to say - this is an issue far beyond the ability of this article to solve. Be warned.

More Information

If you need more information then you must not have gotten a copy of VDAT! It really is the place to begin. The above 10 steps to getting into collecting will put you into contact with some of the best resources and people. VDAT 1.9 (and newer) includes a wonderful article by Cicatrix on virus collecting. Read it for more information also. Otherwise, don't expect to have a 30,000+ virus collection overnight. It takes hard work and persistence.

Warnings

I hope you don't really need to read this section. If you haven't already realized the dangers of collecting viruses, you probably shouldn't continue. But if you insist, I will outline some of the dangers.

The first is the most obvious. You are collecting programs that can erase files, reformat your hard drive, corrupt data, erase flash roms, send your PGP keys to someone, and give people direct access to your machine. Running any of those programs may result in unhappy results. Watch what you are doing! Getting VirusKeeper and using it can help greatly to avoid mistakes.

The second is also pretty simple - running programs related to the virus scene or even opening word documents can get you into trouble. Some virus construction kits are themselves infected with viruses. Documents purporting to teach you all about programming viruses may instead give you a virus.

The third is an area you will have to research on your own. It may not be legal where you live to own viruses and other "malware." Check up on your local and national laws or regulations if you are concerned. VDAT has some information regarding this issue.

Conclusion

There are a lot of benefits to virus collecting. I mean beyond the glamour, fame, girls and great pay. You will probably learn how to find a virus on your own system. And eventually you will learn how to reload your entire system. Your collection won't take up much shelf space. Your collection will naturally increase in size if you run it once in a while. But seriously, collecting is its own reward. Enjoy it!

This short article is really just start. I continue to learn as I go. My thanks to all the VX folks for all your hard work. I have learned things, both good and bad, from a number of people. I especially recognize collectors like Buddy, Cicatrix, Foxz, HomeS|ice, Knowdeth, Pax, Phage, ShadowSeeker, SlageHammer, Spooky, Urgo and others.

This will hopefully be the final version of this article. As I read over it, I see that I have taken this all very seriously. Perhaps it is natural, when one has a hobby to apply all of ones abilities to that hobby. Or perhaps, I have worked too hard at having fun. Who knows what the future will hold - but I do know I was not created solely for collecting viruses.

Glossary of Terms

Collection
A group of viruses intentionally organized for the purpose of keeping and enjoying the files.
ID
The virus name that an anti virus program gives to a virus. For example: AVP might call it "Murphy.Bhak" while F-Prot calls it "Murphy.1250.B (exact)."
Malware
Programs that do something unwanted to your system. This includes viruses, worms, trojans, backdoors, and maybe some major operating systems.
New virus
A virus that you do not have in your collection. It may not necessarily be a newly developed or released virus. (e.g. for many of us, Uruguay #10 is a new virus, but it is not newly developed or released).
Noscan
A potential virus, but was not detected by the anti-virus programs used. Usually kept for later re-scanning in hopes that it will be detected.
Requesting
Processing another's log file to determine which viruses are new for you. Some do this by hand, most use a utility (such as VirusKeeper) to generate their requests.
Sorting
Some method by which you process and analyze the anti-virus logs of your viruses. (e.g. VirusKeeper stores the AV information in a database, then updates it according to the AV logs.)
Storing
Some method by which you keep a copy of a virus. This may include programs like BULK which copy viruses to a unique name, archive programs, or programs which rename the file to the virus name (and create directories to store them). (e.g. VirusKeeper uses file renaming (to guarantee a unique name) and archiving (currently ZIP)).
Trading
Swapping viruses you have for ones that you do not. Most traders now use some utility to read other's log files to see which viruses they need. Many also use trade ratios to help keep trading going.
Unique virus
A virus that at least one antivirus program gives a completely different ID name and thus recognizes as a different virus.
[Back to index] [Comments (0)]
deenesitfrplruua