VIRUS CONSTRUCTION KITS, Revision 2.0  13 February 1993

Virus construction kits are  computer  programs  which  allow people
with little or no programming experience to  produce new variants of
computer viruses.

Two popular methods are used in virus construction kits. The first
uses a menu-driven user interface where the user is led through a
series of menus in which he 'designs' the replication method, infection
criteria and payload (what the virus does when it activates). The
second method uses a skeleton configuration file (an ASCII file in
which the virus configuration is placed) and runs a 'generator' to
produce the virus.

There is an  important  factor  to  consider. First generation virus
construction kits only produce assembled or compiled viruses without
source  code. Second  generation  kits  produce  virus  source  code
(sometimes even  commented) that can be changed and assembled by the
user. The danger in second generation kits is that someone with very
limited  programming  experience  can   potentially  produce  a  new
computer virus without knowing anything about  the internal workings
of a virus.

I would like to  stress that because virus construction kits to date
use  a fair amount  of constant code (instructions),  they  pose  no
threat  to  standard  virus  detection  techniques.  However, should
future kits make use of  mutation  engine principles, this situation
could change.
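As an added illustration of the point above (example code written for
this document, not part of the original text or of any kit named here):
a byte-signature scanner run over constructed samples. The samples
imitate the structure described, a constant code stub emitted by a kit
around two user choices (a replication count and a message), so one
signature with a single wildcard byte catches every variant. A fourth
constructed sample, whose constant part has simply been altered, stands
in for what a mutation engine would do and shows where the technique
stops working. All byte strings are arbitrary and constructed.

```python
"""Signature matching over constructed kit-style variants.

Added example, not from the original document. The byte strings below
are arbitrary stand-ins for 'constant code' and carry no real program.
"""
from typing import Dict, List, Optional, Sequence, Tuple

Pattern = Sequence[Optional[int]]  # None is a one-byte wildcard

# Constructed constant fragments: what a first-generation kit would emit
# unchanged in every variant it produces.
STUB_PREFIX = b"\xa1\xb2\xc3\xd4\xe5\xf6\x07"
STUB_SUFFIX = b"\x18\x29\x3a\x4b\x5c\x6d"

# Constructed filler standing in for host-file bytes before the stub.
HOST_PREFIX = b"MZ-like host bytes"


def build_variant(count: int, message: bytes) -> bytes:
    """Mimic a kit: constant code around a user-chosen count and text."""
    return STUB_PREFIX + bytes([count]) + STUB_SUFFIX + message


# One signature for the whole family: the constant bytes, with the
# user-selectable count position left as a wildcard.
KIT_SIGNATURE: Pattern = list(STUB_PREFIX) + [None] + list(STUB_SUFFIX)


def matches_at(data: bytes, offset: int, pattern: Pattern) -> bool:
    """True if pattern matches data at offset (wildcards match any byte)."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p
               for i, p in enumerate(pattern))


def find_signature(data: bytes, pattern: Pattern) -> Optional[int]:
    """Return the first offset where pattern matches, or None."""
    for offset in range(len(data) - len(pattern) + 1):
        if matches_at(data, offset, pattern):
            return offset
    return None


def scan(samples: Dict[str, bytes],
         signatures: Dict[str, Pattern]) -> Dict[str, Optional[Tuple[str, int]]]:
    """Map each sample name to (signature name, offset) or None."""
    results: Dict[str, Optional[Tuple[str, int]]] = {}
    for name, data in samples.items():
        results[name] = None
        for sig_name, pattern in signatures.items():
            offset = find_signature(data, pattern)
            if offset is not None:
                results[name] = (sig_name, offset)
                break
    return results


# Constructed samples (not real files).
SAMPLES: Dict[str, bytes] = {
    # Two variants differing only in the user's choices.
    "variant_hello": build_variant(5, b"Hello from the kit"),
    "variant_other": HOST_PREFIX + build_variant(200, b"Different text"),
    # Ordinary data with no stub at all.
    "clean_file": b"\x00" * 16 + b"ordinary program data",
    # Stand-in for a future kit whose constant part varies per copy:
    # the prefix bytes are altered, so the fixed signature no longer fits.
    "mutated_stub": (bytes(b ^ 0x55 for b in STUB_PREFIX) + bytes([5])
                     + STUB_SUFFIX + b"Hello from the kit"),
}


def report() -> List[str]:
    """Human-readable scan results, one line per sample."""
    lines = []
    for name, hit in scan(SAMPLES, {"kit-stub": KIT_SIGNATURE}).items():
        verdict = f"{hit[0]} at offset {hit[1]}" if hit else "no match"
        lines.append(f"{name:14s} {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The wildcard covers the one byte the user changes; the message text is
outside the signature altogether, so changing it does not matter. The
altered-stub sample is the failure mode the text warns about: once the
bytes shared by all variants are no longer constant, a fixed byte
signature has nothing to anchor on.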



The following are descriptions of  virus construction kits  to date.
This is a factual description as the author has access to all of the
kits listed below :


GENVIR

GENVIR was the first attempt to release a virus construction kit for
profit. It is a first generation virus construction kit with a
menu-driven interface. GENVIR is a French program written in 1990 by
J.Struss of Lochwiller, France. It is a 'Crippleware' program that
lets you go through all the motions of creating a virus, but stops
short of the compilation stage. To receive a working copy, one must
license the software for a fee of 120 francs. The latest version is
1.0 and it is believed that GENVIR was never released as a functional
virus construction kit.


VCS (Virus Construction Set)

VCS is a first generation virus kit written in 1991 by a German group
called  VDV  (Verband  Deutscher Virenliebhaber). VCS is a  primitive
program that requires a text file  of  maximum  512  bytes length and
incorporates this text into  a simple .COM file virus infector. After
a specified number  of replications, the  virus will display the text
message and delete AUTOEXEC.BAT and CONFIG.SYS. The latest release is
version 1.0. The program text is in German, although there is a hacked
version in English.


VCL (Virus Construction Laboratory)

VCL is a complex, second generation, menu  driven  virus construction
kit  written in  1992  by  Nowhere  Man  and  [NuKE] WaReZ. It allows
multiple, user selectable modules to be incorporated into the  virus,
together with the option of creating commented ASM (assembler) source
code files that can be manually modified. The danger with this option
is that a virus writer can create the virus kernel (without knowing
much about the internal workings of viruses) using VCL and then add
his own, custom code into the virus. The latest release is version 1.0.


PS-MPC (Phalcon / Skism - Mass Produced Code Generator)

PS-MPC is a second generation virus construction kit, written by Dark
Angel in July 1992. It is based heavily on the VCL virus construction
kit. It  was  distributed  including  source  code in the C language.
Although it is not menu driven (it uses a user-definable skeleton
configuration file to produce viruses), it creates more compact, neater
commented ASM source code than VCL does. Two versions exist, the first
being version 0.90beta released together with 40Hex (an underground
electronic magazine) on 7 July 1992, and version 0.91beta released on
17 August 1992. According to the history file in this release, the
following has been added to the second release: a) rudimentary memory
resident viruses may be created, b) improved optimization of code,
c) fixed minor quirks and d) got rid of "unsigned char" requirement.


IVP (Instant Virus Production Kit)

IVP is a second generation virus construction kit, written in 1992 by
Admiral Bailey a  member  of  the  YAM  (Youngsters  Against  McAfee)
underground group. According to the documentation, it was  written in
Turbo Pascal version 7.0. IVP uses a skeleton configuration approach
and produces commented source code. It has the following features:
a) .EXE and .COM file infection, b) Trojan support, c) directory
changing, d) encryption, e) error handling, f) COMMAND.COM infection,
g) overwriting option and h) random nop generator. The latest release
is version 1.0.


G2 (G Squared)

G2 is a second generation virus construction kit, written in 1993 by
Dark Angel of the Phalcon/Skism underground group. (Dark Angel is also
the author of the PS-MPC virus construction kit.) This kit makes use
of the skeleton configuration approach and produces commented source
code. According to Dark Angel's documentation, G2 is not a
modification of the Phalcon/Skism PS-MPC kit, but a complete rewrite.
It differs from other virus construction kits in that it produces
easily upgradable and semi-polymorphic routines. The latest release
is version 0.70beta, dated January 1, 1993.



Oliver Steudler, DYNAMIC SOLUTIONS
Authorized McAfee Associates Anti Virus Agent
Mail       : P.O.Box 4397, Cape Town, 8000, South Africa
Internet   : Oliver.Steudler@f110.n7102.z5.fidonet.ORG
             or 100075.0200@compuserve.COM
Fidonet    : 5:7102/110
CompuServe : 100075,0200
Phone      : +27 (21) 24-9504 (GMT +2)
Fax        : +27 (21) 26-1911
BBS:       : +27 (21) 24-2208 [1200-14,400 bps]
