The virus career of Masud Khafir
(by M. muthafuckin' K.)


So this is the end of the TridenT virus research group. This article is a last goodbye from me to you, the reader. I will tell you some more about myself and my career in the virus community.

Like many other virus writers, my interest in these little creatures arose when I encountered one on my own computer. This happened in the spring of 1991. Fortunately it wasn't a really destructive one, and it didn't infect many of my files before I was able to track it down and clean it. Thanks to McAfee's stuff. I kept one copy of this little program because I was very fascinated by it. I had heard many wonderful stories about these viruses in the past so I was eager to learn more about it. I started disassembling it and so its mysteries were revealed to me.

Soon after that I wondered if I would be able to write such a program too. I decided to just try it. I started building piece after piece. First there was only a program that installed itself resident in memory and wrote "GOTCHA!" to the screen when a program was executed. Then I learned how to read from and write to files, so I changed the program so that it would write a copy of itself after programs (*.COM). The last part of it was to make it able to first execute itself and after that execute the infected program. This was the hardest part, but when that was finished, the circle was round! I added some other features like attribute-circumvention, file-time preservation and EXE-infection (this was quite tough). Then my very own virus was finished and I felt very proud about it!

At that time I was unsure about what to do with my virus. I didn't like the idea of spreading it in the wild because I had seen that viruses could be quite annoying and I didn't want to harm anybody. But I thought it would be nice if the virus got some attention. I was afraid of telling other people that I had written a virus, because the general attitude to viruses was very negative and I was afraid that a lot of people were gonna hate me and that I would be banned from BBS's etc, if it became known that I had written a virus. So I decided to anonymously send it to some anti-virus BBS's, hoping that it would get some attention. When after several months my virus appeared in VSUM and SCAN, I felt very proud again.

At the same time that I wrote my virus I started reading the VIRUS echomail on fidonet. There I discovered, to my surprise, that the centre of the virus scene was located in Bulgaria. I read stories about a virus exchange BBS run by a guy named Todor Todorov, who had been banned from fidonet just some time before. I wanted to know more about this, so although the telephone rates were *very* high, I decided to take a look at it. I downloaded a few viruses there and I gave him mine in return. This was how I got involved in the virus scene.

From that time the ball started rolling. I studied the viruses that I got from Todor's board and tried to write other kinds of viruses like non-resident viruses, spawning viruses, bootsector viruses and tiny viruses. One special virus got more attention than the others. In August 1991 the Dark Avenger wrote a message on fidonet about a so-called 'mutation engine', a piece of code that would help to encrypt a virus in such a way that no scanner would be able to find it. I downloaded this file from Todor's Virus eXchange BBS, and I used it in one of my viruses. This one was called 'Pogue Mahone', because it played music from the Irish band the Pogues.

About a year after that I found that the time was right to try to write a polymorphic virus myself. This took quite a lot of work but the result was satisfactory. The decryptors did not contain any constant code and it was fully polymorphic. The polymorphic routine was first included in one of my viruses. At about the same time I had joined the TridenT group. The group was still very unknown at that time and we felt that we should do something about it, like putting out a magazine (how original.. ;-) or some virus tool. After some discussions we decided to take my polymorphic routine and put it out under the name 'TridenT Polymorphic Engine'. This is probably my most well known product.

During the past years I have written many different kinds of viruses. I started with some ordinary, rather unremarkable viruses, but I didn't like the idea of writing these kinds of viruses over and over again. My goal became to write viruses that were special in some way or another. This resulted in viruses like WinVir, Cruncher and Jiskefet. In the end I had written almost any kind of viruses I could think of. Now, almost 4 years have passed from the moment that I started writing viruses. I'm not as fascinated by viruses anymore as I was in the beginning. And I think the same is true for many other people that have been active in the virus scene in all those years. So perhaps this is a good moment for us to put an end to it. It has been great fun.

Farewell and peace to you all.