OS/400 Alert: Virus Programming for the Novice
March 31, 2004 Shannon O'Donnell
Viruses spread so fast, it’s a wonder that all computers are not infected all the time. If you’ve ever wondered how viruses are created with such alarming regularity, you will want to read this week’s “OS/400 Alert” on writing your own viruses. I’ll also share some of the more outrageous programming practices IT professionals have reported. Read this tongue-in-cheek article and see how many of these “techniques” are used in your own shop.
WRITING VIRUSES HAS NEVER BEEN EASIER
Ever wondered how there can be so many viruses dancing around the Web? There are dozens of new viruses found each and every day. Some are innocuous; others are downright destructive. So are there college courses that teach students how to write viruses? Or are there software programs that allow you to create your own viruses? The answer to both questions is yes. The University of Calgary in Canada teaches students how to write viruses. Their purpose is to teach students how to write viruses so they can understand how to prevent them. In any event, if you are interested in sending little Johnny to university so that he can grow up to be the world’s most annoying IT specialist, check out this article on the IT AsiaOne news site.
If you don’t have the time or the money to attend the University of Calgary for this course, you can learn to create viruses on the cheap by using one of the many “virus-generating kits,” which have become rather easy to find on the Internet. There’s a variety of virus generation kits, which are as easy to use as a point and a click. Most appear to be based on the Visual Basic language and will generate some rather simplistic mass-mailing worms, which, even though they’re easy for an antivirus tool to find, may still cause a lot of annoyance or damage. For example, there is the Access Macro Generator, which will, among other things, delete all files on the C: drive of an infected computer. Also available from the same “vendor” are MUCK and UCK. If you are looking for a wildly popular virus generation tool, check out the Visual Basic Virus. This tool was used to create the “Anna Kournikova” worm, which was so ubiquitous just a few years ago. The author of this virus-generation kit, a 19-year-old, self-taught Argentinian programmer, offers both the kit and a complete tutorial on how to use it on his Web site.
The next time you are downloading the latest antivirus definitions for your computer, and you are wondering how so many viruses appear so often, take a moment to visit the sites mentioned in this article. At the very least, you’ll be armed with the knowledge of how some of these viruses come to exist.
THIS WEEK’S NASTY WINDOWS WORRIES
The following information is from www.symantec.com.
W32.Sober.E@mm is a variant of W32.Sober.D@mm that spreads by sending itself as an e-mail attachment, using its own SMTP engine. The subject and body of the e-mail vary, and are written in English. The worm also attempts to download and execute a file from a remote Web site.
W32.Beagle.U@mm is a variant of W32.Beagle.T@mm. The worm sends itself as an e-mail with a blank subject and body and a randomly named attachment. It also opens a backdoor on TCP port 4751. The attachment name is a random string of letters with an .exe extension.
W32.Timese.AG is a worm that displays the date and time on an active window’s title bar. It sets itself to run at startup and attempts to copy itself to the floppy disk drive.
W32.Hesi.Worm is a Visual Basic worm that copies itself to remote drives.
Swaffer.Exploit is a cross-site scripting exploit for Internet Explorer.
Trojan.Noupdate.B is a Trojan horse that attempts to prevent users from updating their computer with the latest Microsoft Windows patches and antivirus updates.
W32.Snapper.A@mm is a worm that spreads to all contacts in a Windows address book. It does not send itself as an e-mail attachment, but rather exploits the Internet Explorer object tag vulnerability, described in Microsoft Security Bulletin MS03-032. This vulnerability allows W32.Snapper.A@mm to automatically download and install the worm when the e-mail has been opened.
Backdoor.IRC.Aladinz.N is a program that installs a backdoor Trojan horse, which uses malicious scripts in mIRC client software, allowing unauthorized remote access.
WANT TO WRITE CODE NO ONE CAN MAINTAIN?
If your goal as a programmer is obfuscation, check out the article “How to Write Unmaintainable Code.” This article pokes fun at some of the more outrageous code blunders programmers have been putting into production for years. Although it’s meant as a humorous look at bad techniques, the article also serves as a great reminder of what not to do when coding that next great application. This piece might even be a good one to print and tack up on the bulletin board for everyone in your shop to reference. Who knows? The application you save may be your own!
PTFs AND FIXES FOR OS/400 AND RELATED PROGRAMS
IBM released the latest cumulative package for V5R2 customers on January 21.
The latest HIPER package was released March 3.
The Database Group PTF was updated February 26.