
Psychmartianmuntopia “MUNIR NJIRU”

Introduction:

This book has been produced by Munir Njiru (also known as "psychmartianmuntopia" by
the black hat hackers in the internet underground). It is for educational purposes only. It is
not intended to make you a virus programmer at all; it should help you understand the
workings of malicious code. I am no longer with the underground black hat hackers, so
please be useful with this knowledge; don't be the threat.

Any questions or comments may be passed to muntopia4@yahoo.com or
skilledsoftsystems@gmail.com

MALICIOUS CODE:
What is malicious code?
In the internet underground, where the truly malicious hackers live, you would probably ask
this question and be answered with "AAM" (ask a minor), but I won't do that. Malicious
code is code written to interfere with the normal operation of your computer; at its worst
it crashes the machine, and you will soon see how.
Malicious code comes in various forms, and I think it is easiest to set out a taxonomy
here, because diagrams are easier to understand. It is called the malware taxonomy.
Malware is short for "malicious software".
Malware
|
+-- Needs a host
|   +-- Trapdoor / back door
|   +-- Logic bomb
|   +-- Trojan horse
|   +-- Virus
|       - Resident
|       - Non-resident
|       - Direct action
|       - Multipartite
|       - File infector
|       - Overwrite
|       - Companion
|       - Boot
|       - FAT
|       - Macro
|       - Directory
|       - Polymorphic
|       - Metamorphic
|       - Hoax
|
+-- Needs no host
    +-- Bacteria
    +-- Worm

Having seen the taxonomy, I will try to elaborate the differences between these.
By "host" I mean a program that the malicious code attaches itself to, usually an .exe or .com program.

Trapdoor (back door) - code that lets someone bypass the normal authentication of a system.

Logic bomb - code that executes only when certain conditions are met; when the trigger
is a date or time it is also known as a time bomb.

Trojan horse - code that appears harmless, enters the computer through any channel and
installs programs once it has tricked the user into running it. E.g. Sub Seven, Cattivik FTP.

Virus - a piece of code that attaches itself to another program and spreads itself to other
programs and computers; it has the ability to make copies of itself. E.g. the rising.exe and
redem.exe virus found in a folder called "recycle", or the metamorphic virus W32/Simile,
which had 14,000 lines of assembly language, 90% of it the metamorphic engine.

Bacteria -

Worm - a piece of code that does not need to attach itself to a host in order to replicate;
once executed it can replicate over networks at terrific speed. E.g. the "sing along" worm,
which disabled 6.5 million computers worldwide and is still rated the worst in the world.

How they spread:

- Transmission media or hosts, e.g. flash disks, binary executable files, the MBR,
  application-specific script files, general-purpose script files such as .vbs, and cross-site
  scripting.
- Emails.
- Pictures with double extensions (an executable named so that it looks like an image,
  e.g. picture.jpg.exe, with the real extension hidden by the file manager).
- Stealth: a resident virus hooks INT 21H so that directory searches, reads and size queries
  on an infected file return the details of the uninfected file, which keeps the infection
  unnoticed while it spreads.
- Virus and Trojan propagators.

Hooking functions (DOS INT 21H services, selected by the function number placed in AH) may include:

- FCB-based file search functions (11H, 12H)
- Handle-based file search functions (4EH, 4FH)
- Handle-based read function (3FH)
- FCB-based read functions (14H, 21H, 27H)
- Move file pointer function (42H)
- Exec function (4BH)
- File date/time function (57H)
- File size function (23H)
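The hook list above is the whole mechanism of a resident stealth virus: it sits on INT 21H and answers size, date/time and read requests for an infected file with the pre-infection values. The C program below is an added example, not code from this booklet or from any real virus. It models the INT 21H dispatch as a table of C functions indexed by the AH numbers above, installs stealth hooks for 23H, 57H and 3FH over a constructed in-memory "file", and then runs the cross-view check that anti-stealth tools used: compare what the (possibly hooked) service reports with what a raw read of the disk shows. The host bytes, the 6-byte "virus body", the timestamp values and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a resident stealth virus on DOS INT 21H. The
 * "interrupt vector" is a table of C functions indexed by the AH function
 * numbers listed above; nothing here touches a real interrupt. */
#define AH_FILE_SIZE 0x23   /* FCB-based get file size */
#define AH_READ      0x3F   /* handle-based read       */
#define AH_DATE_TIME 0x57   /* get/set file date/time  */
#define VIRUS_LEN    6      /* constructed size of the appended body */

typedef struct {
    uint8_t  data[64];              /* on-disk bytes: what a raw sector read returns */
    uint32_t size, mtime;           /* true on-disk size and timestamp */
    int      infected;              /* a real virus keeps this in its own marker */
    uint32_t orig_size, orig_mtime; /* what the stealth hooks report instead */
    uint8_t  orig_head[3];          /* host entry bytes overwritten by the JMP */
} dos_file;

typedef uint32_t (*dos_service)(dos_file *f, uint8_t *buf, uint32_t n);
static dos_service svc[0x100];      /* stands in for the INT 21H vector */
static dos_service saved[0x100];    /* originals the hooks chain to */

/* Genuine DOS handlers. */
static uint32_t real_size(dos_file *f, uint8_t *b, uint32_t n)  { (void)b; (void)n; return f->size; }
static uint32_t real_mtime(dos_file *f, uint8_t *b, uint32_t n) { (void)b; (void)n; return f->mtime; }
static uint32_t real_read(dos_file *f, uint8_t *b, uint32_t n) {
    if (n > f->size) n = f->size;
    memcpy(b, f->data, n); return n;
}

/* Stealth hooks: call the saved original, then lie about infected files only. */
static uint32_t hook_size(dos_file *f, uint8_t *b, uint32_t n) {
    uint32_t r = saved[AH_FILE_SIZE](f, b, n);
    return f->infected ? f->orig_size : r;          /* hide the appended body */
}
static uint32_t hook_mtime(dos_file *f, uint8_t *b, uint32_t n) {
    uint32_t r = saved[AH_DATE_TIME](f, b, n);
    return f->infected ? f->orig_mtime : r;         /* hide the changed timestamp */
}
static uint32_t hook_read(dos_file *f, uint8_t *b, uint32_t n) {
    uint32_t r = saved[AH_READ](f, b, n);
    if (!f->infected) return r;
    if (r > f->orig_size) r = f->orig_size;         /* never hand back the virus body */
    if (r >= 3) memcpy(b, f->orig_head, 3);         /* put the original entry back */
    return r;
}

void install_dos(void) {
    svc[AH_FILE_SIZE] = real_size; svc[AH_DATE_TIME] = real_mtime; svc[AH_READ] = real_read;
}
void install_stealth_hook(void) {
    memcpy(saved, svc, sizeof svc);                 /* keep the old vector to chain to */
    svc[AH_FILE_SIZE] = hook_size; svc[AH_DATE_TIME] = hook_mtime; svc[AH_READ] = hook_read;
}

/* Constructed 10-byte .COM host: mov ax,4C00h / int 21h plus padding. */
dos_file make_host(void) {
    static const uint8_t code[10] = { 0xB8, 0x00, 0x4C, 0xCD, 0x21, 0, 0, 0, 0, 0 };
    dos_file f; memset(&f, 0, sizeof f);
    memcpy(f.data, code, sizeof code);
    f.size = sizeof code; f.mtime = 1000;
    return f;
}

/* Appending infector: save the entry bytes, patch in a JMP, append the body. */
void infect(dos_file *f) {
    static const uint8_t body[VIRUS_LEN] = { 'V', 'I', 'R', 'U', 'S', '!' };  /* constructed */
    f->orig_size = f->size; f->orig_mtime = f->mtime;
    memcpy(f->orig_head, f->data, 3);
    f->data[0] = 0xE9; f->data[1] = 0; f->data[2] = 0;   /* JMP rel16 placeholder */
    memcpy(f->data + f->size, body, VIRUS_LEN);
    f->size += VIRUS_LEN; f->mtime += 1; f->infected = 1;
}

/* Cross-view check: does the (possibly hooked) API agree with the raw disk? */
int stealth_detected(dos_file *f) {
    uint8_t api_view[64];
    uint32_t api_size = svc[AH_FILE_SIZE](f, NULL, 0);
    uint32_t api_read = svc[AH_READ](f, api_view, sizeof api_view);
    if (api_size != f->size || api_read != f->size) return 1;   /* size lies */
    return memcmp(api_view, f->data, f->size) != 0;             /* content lies */
}

/* Whole scenario: returns 1 when the clean system agrees with itself and the
 * hooked one is caught; *api and *disk receive the post-hook sizes. */
int run_scenario(uint32_t *api, uint32_t *disk) {
    dos_file f = make_host();
    install_dos();
    infect(&f);
    int clean_agrees = stealth_detected(&f) == 0;   /* no hook yet: both views agree */
    install_stealth_hook();
    if (api)  *api  = svc[AH_FILE_SIZE](&f, NULL, 0);
    if (disk) *disk = f.size;
    return clean_agrees && stealth_detected(&f);
}

int main(void) {
    uint32_t api, disk;
    int caught = run_scenario(&api, &disk);
    printf("INT 21H reports %u bytes, disk holds %u, stealth detected: %s\n",
           (unsigned)api, (unsigned)disk, caught ? "yes" : "no");
    return 0;
}
```

Once the hook is in, every program that asks DOS about the file, including a scanner, is told the host is still 10 bytes with its original timestamp and original first bytes, while the disk holds 16. The detection principle is the cross-view diff that was later reused against rootkits: any consumer of the hooked API sees the lie, so ask a lower layer (on DOS, raw INT 13H sector reads or a boot from clean write-protected media) and compare the two answers.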

How they stay unknown:

- Stealth, e.g. the INT 21H hooking technique described above.
- Using encryptors, e.g. the Spirits polymorphic executable file encryptor.
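The "encryptors" entry is the reason plain signature scanning stopped working, so it is worth seeing the effect in code. The C program below is an added example, not code from this booklet or from the Spirits encryptor it names. A constructed byte string stands in for the virus body; each "generation" encrypts it under a fresh key and rotate count so that no two stored copies share a byte pattern, and two scanners are compared: one that matches a fixed signature on the stored bytes (misses every generation) and one that first runs the decryptor logic the stub would run and then matches the recovered body (catches every generation). The body text, the signature, the key values and the function names are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "virus body": a harmless byte string standing in for code.
 * A real infector would encrypt its own code section in the same way. */
static const uint8_t BODY[] = "MARKER-BODY-V1";
#define BODY_LEN (sizeof BODY - 1)

/* One generation of the encrypted body: the decryptor "stub" state (key and
 * rotate count) followed by ciphertext. Real polymorphic engines also rewrite
 * the stub's instructions; here only its parameters vary. */
typedef struct {
    uint8_t key;            /* per-generation key */
    uint8_t rot;            /* per-generation rotate count (0..7) */
    uint8_t ct[BODY_LEN];   /* encrypted body as stored in the infected file */
} generation;

static uint8_t rol8(uint8_t v, unsigned r) { r &= 7; return (uint8_t)((v << r) | (v >> ((8 - r) & 7))); }
static uint8_t ror8(uint8_t v, unsigned r) { r &= 7; return (uint8_t)((v >> r) | (v << ((8 - r) & 7))); }

/* Encryptor: running key (key + position) XOR, then a rotate. A new key and
 * rotate per generation means the stored bytes differ every time. */
void make_generation(generation *g, uint8_t key, uint8_t rot) {
    g->key = key; g->rot = rot & 7;
    for (size_t i = 0; i < BODY_LEN; i++)
        g->ct[i] = rol8(BODY[i] ^ (uint8_t)(key + i), g->rot);
}

/* Decryptor stub logic: what the virus runs before its body executes. */
void decrypt_generation(const generation *g, uint8_t *out) {
    for (size_t i = 0; i < BODY_LEN; i++)
        out[i] = ror8(g->ct[i], g->rot) ^ (uint8_t)(g->key + i);
}

/* Naive scanner: look for a fixed byte pattern taken from the plain body. */
static const uint8_t SIG[] = "BODY-V1";   /* constructed signature */
int signature_hits(const uint8_t *buf, size_t n) {
    size_t m = sizeof SIG - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, SIG, m) == 0) return 1;
    return 0;
}

/* Scanner that emulates the decryptor first, then applies the same signature. */
int signature_hits_after_emulation(const generation *g) {
    uint8_t plain[BODY_LEN];
    decrypt_generation(g, plain);
    return signature_hits(plain, BODY_LEN);
}

/* How many stored bytes differ between two generations of the same body. */
size_t bytes_differing(const generation *a, const generation *b) {
    size_t d = 0;
    for (size_t i = 0; i < BODY_LEN; i++) d += a->ct[i] != b->ct[i];
    return d;
}

int main(void) {
    generation g1, g2;
    make_generation(&g1, 0x5A, 3);   /* two "infections" of the same body */
    make_generation(&g2, 0xC3, 5);
    printf("stored bytes differ in %u of %u positions\n",
           (unsigned)bytes_differing(&g1, &g2), (unsigned)BODY_LEN);
    printf("raw signature: %d %d, after emulation: %d %d\n",
           signature_hits(g1.ct, BODY_LEN), signature_hits(g2.ct, BODY_LEN),
           signature_hits_after_emulation(&g1), signature_hits_after_emulation(&g2));
    return 0;
}
```

Because the decryptor is the only constant part of an encrypted virus, the engine varies it as well (that is what makes the virus polymorphic; rewriting the whole body rather than wrapping it, as W32/Simile does, is what makes one metamorphic). Scanners answered by emulating the first part of a suspect file and scanning the resulting memory image, which is the "after emulation" path here.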

Countering malicious code:

- Following security policies
- Filtering
- Input validation
- Cookie security
- Eliminating scripts where they are not needed
- Avoiding bait files
- Using antivirus and antispyware software
- Strong passwords
- Installing security patches
- Treating instant messages with suspicion
- Treating spam with suspicion and not opening it

Conclusion
This documentation is just an overview. For more information on how to remove
viruses and the like, contact me at the addresses given above.
