Introduction

• I have noticed, during my career (ehum?) as virus writer, that I tried to make my virus as undetectable as possible, by trying to remove as many flags that are possible. Unfortunately, we all try to do this TOO hard. We are wasting too much time on avoiding a stupid flag, have written dozens of documents on how to fool some heuristic scanner, without even reading the documents of the scanner. A very futile attempt was my DSA Virus, which used several tricks so that it couldn't be found by using heuristics, but since the virus didn't use any encryption, it could be spotted in files very easily. I hope I can help some virus writers with this document, so they can implement other neat things in their virus, instead of trying to avoid alarms which in fact won't alarm anyone anymore (in my opinions heuristics is the boy who cried "WOLF!" just one time too much).

F-PROT /PARANOID

• One of the useless things to do is trying to generate zero alarms with F-PROT using the /PARANOID switch. It's a very time consuming task to avoid alarms on this one, and isn't really necessary. If you take a look at the end of the file ANALYSE.DOC, included with the program, you'll see this message:

  We are not interested in receiving copies of false alarms that are only reported with /PARANOID, so don't waste your time sending them to us.

  This means that, should the user issue the /PARANOID option and is getting false alarms, he is on his own and can't send the samples to Datafellows. So this means trying to avoid /PARANOID is a waste of time, since Datafellows does not want to act on false alarms generated by the /PARANOID switch. Of course you must try to avoid being detected by the /ANALYSE switch at all costs, since this won't generate false alarms quickly, thus exposing your virus a little earlier. Use the /GURU parameter to see what flags your virus triggers so you can write code that avoids the virus being detected.

TbClean

• Another big waste of time is trying to fuck over TbClean, since it's absolutely useless to remove multiple infections on a system. You have to run TbClean for every single infection and even then TbClean shows flaws which makes it a very dangerous program to run (as demonstrated in TB_BUG.ZIP). No user will rely on TbClean for removing virus infections, so you don't need to add hostilities in your virus. Here is a part of the documentation (no courtesy of Frans) that shows the drawback of using TbClean:

  Cleaning Multiple Files

  TbClean has no provisions for cleaning multiple programs in one run. There are two reasons for this omission:

  1. TbClean cannot search for viruses automatically since it does not know any virus.
  2. We recommend that you clean the system on a file-by-file basis. Clean one file, verify the result, and go on to the next file. Again, this helps you keep track of which files are clean, which files are damaged and should be restored from a backup, and which files are still infected.

This page is copyrighted by Immortal Riot / Genesis. No part, including the documentation we ripped from the manuals of various products, may be used in other documents or any media which can contain this information. Ofcourse you are encouraged to add a link to the IR/G homepage. Please insert the "IRG-NOW!" logo in your homepage and provide the link to our homepage.