                             Windows Grab-Bag
                                    By
                                Horny Toad


	For the longest time, I debated how and what to write on the subject of windows 
infection.  There is no question that windows needs to be discussed in greater detail than it has been 
in the past couple of years.  Therefore, I have decided to conglomerate many issues that are on my 
mind about windows and present them to you.  For the first issue, I will keep the concepts on the 
easy side. (If windows does have an easy side!)  If you are a beginner to the virus field, maybe 
you should read this article at a later time.  Learn basic assembly first, then work on 32-bit 
programming.  Actually, beginners should read this article too, so that they can put in perspective 
what is out there and what lies ahead.
	
Windows 95, 98, 99...

	Ok, do you want the good news or the bad news first?  Yes, there is both good and bad 
news about the future operating systems that Microsoft is providing us to infect.  I have had a 
chance to mess around with the Windows 98 beta.  The good news:  For all of you that adapted to the 
new techniques of 32-bit programming, whether it be assembly, C++, VBA,... not much has 
changed in the integration of the new OS.  The bad news:  Firstly, it will be that much harder to 
create a unique W98 virus.  A close evaluation of changes in memory allocation and new 
applications will be necessary to find exploitable vulnerabilities in the system.  Secondly, for all 
of those pure DOS-based virus writers, you're going to have to advance with the times and learn 
windows programming.  Yes, there will still be a need for traditional DOS virii, but to fully 
exploit the new file formats and system design, you are going to need to go back to school and 
research.  Unfortunately, there isn't much out there concerning PE and windows infections.  Calm 
down...I know that there are "some" articles out there on PE infection and techniques of using 
the 32-bit API, but there really isn't much in relation to the vast encyclopedias that exist 
describing DOS virii writing.  And even some of the information out there isn't very reliable.  I 
have had the opportunity to view confidential reports from the AV community on their opinions 
of the "progress" of virus writers in adapting to the new OS.  Frankly, they are laughing at us.  
Many of the virii out there that infect PE's no longer work due to compatibility problems with 
new software updates.
	What am I hinting at?  I would like to challenge virus writers to begin researching W95 
apps and start submitting articles on your progress.  Only then, once we have educated the masses 
in the changes in infecting 32-bit systems, will the virus community begin to have the strength 
that we once had several years ago.  
	
Concepts to Consider:

1. FAT32 - The File Allocation Table in Windows 98 is called FAT32, upgraded from the 16-
bit FAT.  Many of you might have already upgraded to FAT32 with the W95 updates; 
otherwise, there is a conversion utility in Windows 98 that allows you to convert your 
existing setup to FAT32.  So the fuck what?  For the normal computer geek, FAT32 will 
allow smaller clusters of information to be stored, larger hard drives to be formatted as a 
single drive, and in general, better disk storage.  Well, what does this mean for the 
virus programmer?  In order to implement the new FAT32 changes, Microsoft has given us 
new, unique APIs and memory allocation to infect.  Unfortunately, I haven't seen examples of 
all of the new API, but in the upcoming releases of the developer's guides, more and more 
documentation will be released.  So, are we going to wait?  Hell no!  A number of the 
Windows 95 SPY programs shouldn't have much difficulty in identifying the new calls.  So 
what am I getting at?  The first Windows 98 virii!  We needed to find something specific to 
the new OS...this is one exploitable feature.

2. As mentioned before, in the design of Windows 98, Microsoft intended their new OS to be 
fully compatible with the previous Windows 95 OS.  What this means for the virus 
programmer is that the jump to the next level of OS infecting will not be as major as we 
might have expected.  Don't be afraid to begin studying Windows 95; it is essentially the 
same thing.  MS's main goal was to increase the hardware and internet support of the OS, 
while only slightly upgrading the software architecture of Windows 95.  

3. The Ring 0 and Ring 3 protection systems are still in place from the previous OS.  So when you are 
looking at manipulating many low-level system operations, alternative methods will have to 
be looked at, such as VxD's, which we are already seeing show up in virus writing.  
Unfortunately, writing the VxD's is only half of the problem.  You are still faced with 
developing a concrete infection method for the new file types.  In the next edition of the mag, 
I will be devoting more time and resources to opening up windows infection methods.  I 
will also be discussing 32-bit programming methods along with introducing the concept and 
method of calling the API's.


If you are stuck in the development phase of Windows infection, don't fret.  If you are still having 
problems infecting new file types, consider the DLL's and VxD's that you can infect, which in 
turn will infect only normal EXE and COM files.  The definition that we are sticking with for 
Windows infection comprises both the virii that can infect the new file types and the ones 
that are still DOS-based but can survive in the new environment.

In the next editions, we will also be discussing the CryptoAPI and other encryption systems that 
we can exploit.  Remember, this is not only a virus writing mag, but also a general hacking mag 
too.  The breaking down of the new Windows system is a complete necessity in both fields.  The 
more that you can know about your environment, the better.

Good Luck! 
