VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Source code of computer viruses

4096 - Virus for Linux by badCRC

Virus for Linux

Show all viruses by this author


Download (3832 bytes) or browse online

Released in 29A#7

Author's notes


First of all, I have to say my english is not very good, so I'm sorry if you don't understand all I write. I'll try to explain me in the best way I can ;)

This is my first released virus and I want to dedicate it to a girl who is very special for me (she knows who she is :) On the other hand, I also want to thank Wintermute for his virus course and all the people in the scene who write or wrote interesting things.


I'm not responsible for what you do with this virus and if you spread it, it will be your fault and not mine. So, be careful. In any case, this virus is less dangerous than the Windows OS as you'll see xD


It's about a runtime mid-file virus that infects executable ELF files. Every time it is executed, it will try to infect 3 files and then, it will return control to host. These files can be in any directory that belong to the virus path. For example, if the the virus resides in /tools/bin/, it will look for files in bin, tools and /, that is, the root dir.

I think the most interesting thing in this virus is the infection method, so I'm going to explain it a little :)

When the virus finds a file suitable for infection, it will search in the PHT for the first loadable segment, usually the text segment. Now, we have to check for free space in the last memory page that this segment occupies because we want to copy us there. How? It's easy: subtract from 1000h the last 3 hex digits in p_memsz (I assume 4 KB pages). Let's see an example. Suppose p_memsz = 12AF9h. So, how much space is free in the last page? 1000h - AF9h = 507h = 1287 bytes. Why are we limited in this way? Because we copy us in the first loadable segment, and if there is another one, its first page will be next ours and we don't want to be overwritten when the program is loaded into memory.

Next step is increase file size and copy the virus into the file. We'll have to fix the offsets of some entries in the PHT because of we are going to copy us where the first loadable segment ends, that is, p_offset + p_filesz. The file size will be increased in 1000h bytes because file offsets (p_offset) and virtual addresses (p_vaddr) must be congruent modulo the page size (1000h), that is, if you divide p_offset or p_vaddr by 1000h, the remainder will be the same. For better understanding, imagine there is another loadable segment next ours and we have to fix its offset. Suppose p_offset = 2BF00h, p_vaddr = 8074F00h and virus length = 100h. If we increase file size in 100h bytes, we'll have to add 100h to p_offset (2C000h) and then, p_offset and p_vaddr won't be congruent modulo 1000h. So, the minimum value in order they continue being congruent is 1000h.

I hope you have understood it. If not, take a look at the code, ok? Good luck!


Every 30 November the virus will print a message on the screen. The way I use to compute the date is not precise, so the virus will activate a day before or after sometimes.

To assemble

  nasm 4096.asm -o 4096.tmp -f elf
  ld 4096.tmp -o 4096 -s
  dwarf.exec 4096

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka