The followin' document is for education purposes only. The author isn't responsible for any misuse of the things written in this document.

Every good virus should be armoured. Armoured means it has some features that make it harder to detect, harder to emulate, harder to disassemble, harder to trace, harder to monitor or harder to understand. I will discuss here all the techniques which have some special meaning in virus programming.

Actually, there r many ways how to protect a virus against AVs and AVerz under such a weird interface as Win32 is. Some r often used, some aren't. Here is a "short" list of the techniques which I will describe:

Anti-Emulator - fool AVs by some tricks
By heuristic analysis, AVs SHOULD find every virus, even an unknown one. It worx like a coder debugging some program: the heuristic scanner passes thru the code and looks for suspicious code. That may be a procedure for searching APIs, a procedure to jump to ring-0, working with wildcards of executable files, opening an executable file for write etc... Heuristic analysis is a very good idea, nevertheless it is not very well realised. AVs have many bugs and "sometimes" they can't recognize viral code. Some heuristic scanners have problems with undocumented opcodes, other scanners can't work with selectors and almost every scanner can't handle the stack properly. Here r the techniques which r used by many viruses and which still seem to be a problem for heuristic scanners:

Anti-Heuristics - fool AVs by advanced technologies
Anti-Emulator uses holes in heuristic scanners. In the Anti-Heuristic case, we use more advanced technology to fool AVs. Even if AVerz were able to "patch" the holes in AVs, here it won't be so easy: they will need to rebuild their emulator and add new features (e.g. support of SEH). In the beginnings of DOS viruses, viruses tried to hook Int 0 (divide by zero) and then divided a register by zero. This caused execution to be redirected to another place. AVerz had to rebuild their heuristic analysis to support hooking of interrupt vectors. This is a perfect example of anti-heuristic technology. The next good example is a multi-layered polymorphic decryptor. Times didn't change so much and we use similar techniques to force AVs to support newer and newer techs. Here r some examples:

Some coderz call this technique anti-emulator and the previous one anti-heuristic. I don't know which expression is right (nobody knows :D) and I don't care. I think that the previous stuff was clear...

Anti-Analysis - fool disassemblers by some tricks
A good virus should use some tricks by which curious ppl (such as AVers) won't be able to analyse it so easily. Really, there ain't anything easier for an AVer than to open IDA or Sourcer and see the whole code as if it was the original source. Static analysis is very frequently used to analyse a virus, don't forget it. Those tricks r still the same and some of them r also used as an Anti-Debugging technique.

Anti-Debug - harder to analyse
In the previous examples we tried to fool machines - emulators and disassemblers. But now we will try to fool AVerz, and that's very hard. AVerz aren't dumb (mmm, ofcoz there r some exceptions :D), so it is very important to make the analysis of your virus harder. As much as possible. If a virus cannot be analysed by a disassembler, AVerz use debuggers. Debuggers r easily detectable (the Win32 interface allows it to us), but the detection mechanism shouldn't be very visible (AVerz can simply jump over the code).

Anti-Monitor - killing watch-dogs
Resident shields (monitors) r resident programs used to catch viruses. Monitors r activated when executable files (usually) r opened, closed, executed, etc... A virus can be caught by a monitor not only when an infected file is being executed, but also when a file is being copied. This on-line virus security is very efficient and many stupid users have some monitor installed. That's a problem. If the monitor is installed as a standard Win32 application in memory, it won't be a big problem to get rid of it. The bad news is that this code doesn't work on AVs which use a special driver (VxD, WDM, ...) to control file access.

Firstly we have to find the window which we will close. We will use the FindWindowA API:

    wAVP    db  'AVP Monitor',0             ;window title
            mov eax, offset wAVP            ;pointer to window title
            push eax                        ;lpWindowName
            cdq                             ;EDX=0 (EAX is a user-mode address, sign bit clear)
            push edx                        ;lpClassName = NULL
            call FindWindowA                ;find window, handle returned in EAX
            xchg eax, ecx                   ;move handle (or NULL) into ECX
            jecxz quit                      ;if ECX=0 (no such window), quit

If the AVP monitor window exists, we now have its window handle in ECX (FindWindowA returns it in EAX, the xchg moved it to ECX). Otherwise ECX is NULL and we quit. We will use that handle to send the close message:

            xor edx, edx                    ;EDX=0 again - EDX is not preserved across API calls
            push edx                        ;lParam = 0
            push edx                        ;wParam = 0
            push 12h                        ;WM_QUIT message
            push ecx                        ;window handle
            call PostMessageA               ;post message!

Geee, and the AVP monitor is gone! I also tested it with NODICE and it worked too. U can close other monitors if u know the titles of their windows.
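A defender-side counterpart to the trick above, as an added example that is not part of the original article: a YARA-style heuristic that flags a binary only when it carries both a hard-coded antivirus window title and the pair of imports used to find and close that window. The sample bytes are constructed here, and the title list holds only the title the article uses.

```python
# Added example (not from the original article): string heuristic for the
# anti-monitor pattern. Raw file bytes are scanned for (a) a NUL-terminated
# antivirus window title and (b) the ASCII import names FindWindowA and
# PostMessageA, which a PE import name table stores NUL-terminated. Only the
# combination is flagged: FindWindowA alone is imported by many ordinary GUI
# programs, so either indicator on its own would be a noisy rule.

AV_WINDOW_TITLES = [b"AVP Monitor"]            # title used above; extend as needed
CLOSE_WINDOW_IMPORTS = [b"FindWindowA", b"PostMessageA"]


def find_indicators(data: bytes) -> dict:
    """Return the AV titles and window-closing import names present in the bytes."""
    titles = [t.decode() for t in AV_WINDOW_TITLES if t + b"\x00" in data]
    imports = [i.decode() for i in CLOSE_WINDOW_IMPORTS if i + b"\x00" in data]
    return {"titles": titles, "imports": imports}


def is_anti_monitor_suspect(data: bytes) -> bool:
    """True only if an AV title AND both window-closing imports are present."""
    ind = find_indicators(data)
    return bool(ind["titles"]) and len(ind["imports"]) == len(CLOSE_WINDOW_IMPORTS)


# Constructed samples (not real files): a stand-in for the code above, and a
# benign program that merely looks up a window by title.
SUSPECT_SAMPLE = (b"MZ" + b"\x00" * 14
                  + b"AVP Monitor\x00"
                  + b"FindWindowA\x00PostMessageA\x00user32.dll\x00")
BENIGN_SAMPLE = (b"MZ" + b"\x00" * 14
                 + b"Untitled - Notepad\x00"
                 + b"FindWindowA\x00user32.dll\x00")


def scan_all(samples: dict) -> dict:
    """Map sample name -> verdict; feed it {path: open(path, 'rb').read()} in practice."""
    return {name: is_anti_monitor_suspect(data) for name, data in samples.items()}


if __name__ == "__main__":
    results = scan_all({"suspect": SUSPECT_SAMPLE, "benign": BENIGN_SAMPLE})
    for name, verdict in results.items():
        print(f"{name}: {'FLAGGED' if verdict else 'clean'}")
```

Plain string matching like this is only a first-pass rule; a sample that builds the title at runtime or resolves the APIs by hand will not trip it.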

Anti-Antivirus - destroy your enemy!
If u wanna be sure that the stupid user won't find your virus, then correct that "problem" on the AV side - erase or modify the AV's CRC files and AV databases. Here r the most important files which should be erased (mm, but don't forget that after u delete the viral database, the AV won't run) or, in the better case, only modified (e.g. delete the virus from the database):

Anti-Bait - don't infect AV files
Baits r mostly silly do-nothing programs and the only purpose of their existence is to be infected by a virus. Such a program can be easily analysed, easier than winword.exe, for example. And becoz we wanna make the job as hard as possible for AVs, we r tryin' not to infect those shitty programs. Baits r usually named 00000000.EXE, 00000001.EXE, 00000002.EXE, etc. The first advice is: don't infect files with digits in their name. But take care! Many normal programs have digits in their name, such as winrar95.exe or wincmd32.exe. So, if u don't wanna infect baits but wanna infect standard applications, check if the filename contains digits at all of positions 4, 6 and 8. How easy...X-D

I hope this article will help u with coding under Win32 and u will find it useful. If u didn't understand everything, then read it again or contact your netwerk supervisor :)). Don't forget to use some techniques from this article to be sure your virus will be better than average.

Benny / 29A, 1999