Documentation for the Itti-Bitty Virus

--------------------------------------

I. Introduction

The Itti-Bitty virus started as a challenge to myself to see how small I

could make a fully-functional virus. The one to beat was Tiny, an appending
virus with a size of 163 bytes. Tiny didn't change directories, didn't affect
read-only files, didn't reset file date and times of infected files, didn't
do anything destructive, and was easily flagged down by Virex-PC or Flu-Shot+,
as well as the fact that McAfee SCANned it. First, I settled on an overwriting
virus. Either way the checksum of a file is going to change, and overwriting
aren't as noticeable from the DIR point-of-view, and overwriting would require
fewer bytes of code to do the job. Then I coded the thing and started
optimizing. The result was the 161-byte Itti-Bitty virus, strain A. Then I
ripped out extraneous code, the "bells and whistles," if you will, and ended
up with the 99-byte Itti-Bitty strain B. Both virii are non-encrypting, and
both have the same effect: they overwrite the first 256 sectors of C: with
random garbage, making the disk unrecoverable by normal means. Since I figured
it would only be a few weeks before someone disassembled my virii, I decided
to distribute the original source, so that others can learn from my code.

II. Strain A

Strain A of the Itti-Bitty virus is 161 bytes in length. It detects the

presence of Virex-PC and Flu-Shot+ by calling interrupt 21h with AX set to
FF0Fh. If either of these TSR virus-protectors are loaded, then Itti-Bitty
aborts, stopping premature detection and allowing the victim to (doubtfully)
spread the infected file. Then it tries to infect any uninfected .COM file in
the current directory by overwriting the start of it with itself. Read-only,
etc. files ARE affected, and their attributes are reset after the infection
is complete. File date and time are also preserved for better stealth.
Finally, a bogus error message, "EXEC failure," is displayed and control is
returned to DOS. ("EXEC failure" was the shortest fatal error message I could
find in COMMAND.COM. I've never seen anyone get it, but it is legit, and
it's obscure enough to scare novice users.) If all files are infected, then
as I stated above, their C: disk is trashed and the computer is locked up. No
message, no fanfare, no nothing; their just plain fucked. That's it. Only
161 bytes, too.

III. Strain B

Strain B of Itti-Bitty is simply Strain A with the Virex check, the

attribute alteration, and the date/time preservation removed. It still trashes
C:, but is far more noticeable, since, like I said, file date and time aren't
preserved. Also, no error message is displayed. (You'd be surprised how
many lozers will keep running the thing over and over because nothing seems
to happen.) All under one-hundred bytes. That's damn small.

IV. Miscellaneous comments from Nowhere Man

I'd like to use this space to say a few things to everyone. First, I'd
like to announce that I'm now affiliated with [NuKE] and [NuKE] WaErZ, a fine
Canadian hacking/phreaking/carding group. Look for other fine [NuKE] warez,
such as the infamous Parasite virus and the Telegard Bypass trojan, at a
respectable h/p board near you.
Secondly, I'd like to say Hi to Software Spartan, Murdak and Leeking Virus
at the Pirate's Guild, and The DarkMan and all the other great guys at [NuKE].
I also want to challenge all of the other virus-writing groups (FS,
RABID, etc.) out there to come up with a smaller virus with the same features
(or better ones); I think we can use some friendly competition, and besides,
competitiveness leads to better virii for all.
If anyone can find a way to make Itti-Bitty Strain A or B smaller while
still keeping in all of the features, or if you have a question, comment, or
complaint about Itti-Bitty, C-Virus, or any other fine product from Nowhere
Man, I can be reached at either the Pirate's Guild (708-541-1069) or Hell Pit
(708-459-7267). Hell Pit is now an official [NuKE] WaReZ distribution site,
and all of the other fine [NuKE] warez, as well as literally hundreds of virii,
can be found there. Any questions about [NuKE] and/or [NuKE] WaErZ can be
directed there.

Once again, happy virusing,

Nowhere Man, [NuKE] '91