VX Heaven


Source code of computer viruses

Babylonia - Virus for Windows by Vecna




Download (27610 bytes) or browse online

Author's notes

I am of the opinion that asm speaks for itself to the worthwhile reader, so I will be brief...

This virus is a memory-resident ring0/ring3 virus, infecting PE EXE files, HLP files, and WSOCK32.DLL. The virus uses EPO features, but no encryption or poly at all, although it can be updated via WWW. ;)

For a long time, people were thinking about an upgradeable virus. Some attempts were made, such as W95/SK, which was able to run specially prepared data in RAR files. But how far can the upgrade RAR packet go? In this virus, I show my implementation of a plugin format, with the modules (plug-ins) online at a WWW page.

The virus is also an advanced e-mail worm, attaching itself to all outgoing e-mails (not sending a new one as Happy99 does); it can deal with attachments already in the e-mail body, has BASE64 and uu-encode routines, and, more important, the icon of the infected dropper sent by e-mail changes with the current date.

When an infected app (or dropper) is executed, the virus doesn't get control at that moment. The virus patches a JMP or CALL, and waits to be called. When this happens, the virus loads some APIs from the KERNEL32.DLL memory image (using CRC32), then jumps to ring0 using a callgate. The infamous DESCRIPTOR 0 is used to store the temporary data, breaking the pmode taboo ;)
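An added example (the editor's, not Vecna's code) of the API-by-CRC32 resolution described above, seen from the analyst's side: hash a list of export names the way zlib computes CRC-32 and scan a code blob for DWORD immediates that match, which is how one maps the hashes found in a sample back to API names. The notes only say "CRC32"; which variant the virus uses (whether the terminating NUL is hashed, init/final XOR) is not stated, so the zlib variant here is an assumption to confirm against one hash recovered from the real sample. The export list and the scanned blob are constructed for the example, not a dump of KERNEL32 or bytes from the virus.

```python
import zlib

# Constructed sample of well-known KERNEL32 export names (a handful, not the
# DLL's full export table); an analyst would dump the real names instead.
SAMPLE_EXPORTS = [
    "CreateFileA", "ExitProcess", "GetFileAttributesA", "GetProcAddress",
    "LoadLibraryA", "VirtualAlloc", "WriteFile",
]

def crc32_name(name: str) -> int:
    """CRC-32 (IEEE 802.3 polynomial, as zlib computes it) of an export name.
    Assumption: the notes only say "CRC32"; whether the virus hashes the
    terminating NUL or uses a different init/final XOR is not stated, so
    confirm this variant against one hash recovered from the sample first."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF

def build_hash_table(names):
    """hash -> name, refusing a table that is silently ambiguous."""
    table = {}
    for n in names:
        h = crc32_name(n)
        if table.get(h, n) != n:
            raise ValueError(f"CRC32 collision: {table[h]!r} vs {n!r}")
        table[h] = n
    return table

def find_hash_references(blob: bytes, table):
    """Scan a code blob for little-endian DWORDs equal to a known name hash.
    The scan is byte-granular because the hash normally sits as an immediate
    operand (PUSH imm32, MOV reg, imm32), which is not 4-byte aligned."""
    hits = []
    for off in range(len(blob) - 3):
        val = int.from_bytes(blob[off:off + 4], "little")
        if val in table:
            hits.append((off, table[val]))
    return hits

def constructed_blob() -> bytes:
    """Constructed stand-in for a virus body: two PUSH imm32 of name hashes
    separated by NOP filler (not bytes from the real sample)."""
    return (b"\x68" + crc32_name("GetProcAddress").to_bytes(4, "little")
            + b"\x90\x90"
            + b"\x68" + crc32_name("LoadLibraryA").to_bytes(4, "little"))

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    for off, name in find_hash_references(constructed_blob(), table):
        print(f"+{off:#06x}  {name}")
```

With a real export table (a few thousand names across the DLLs a sample may use) the collision check matters: a 32-bit hash over that many names is unlikely but not guaranteed to be unique, and a silently overwritten entry would mislabel a call.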

While in ring0, the virus allocates some memory, installs a hook in the IFS handler and waits for access to PE EXE files, HLP files, and WSOCK32.DLL. The memory is also scanned for the presence of SPIDER.VXD (DrWeb) and AVP.VXD (Z0MBiE's lib). If they're found, their code is patched in a way that they lose the ability to open files. After returning control to the host, if the virus has just installed itself memory resident, it drops the www updater to disk and spawns it. More about the www updater below.

PE files, when accessed, are infected by having the virus appended to the last section, or overwritten if it was relocs, and with the CODE sections scanned for a suitable place for a CALL VIRUS. HLP files have a script added that passes control immediately to the virus code by using the callback features of the USER32 API EnumWindows().
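An added example (the editor's, not the virus's code) of what the PE infection layout just described looks like to a scanner: a heuristic that parses the section table and flags any CALL (E8 rel32) inside a code section whose target lands in the last section, which is where an appended body or overwritten relocs would sit. The two-section PE32 it scans is constructed inline and is not a real program. The heuristic skips files whose entry point already lies in the last section, and because it scans raw bytes for E8 it can also match an immediate operand, so real use should walk instructions with a disassembler rather than trust a byte scan alone.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 file image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsects = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(nsects):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry_rva, sections

def find_epo_calls(pe: bytes):
    """Flag E8 rel32 CALLs in code sections whose target lies in the last section.
    Returns [(section_name, call_rva, target_rva)]. Heuristic only: a raw byte
    scan can hit an E8 inside an immediate; a disassembler walk is more precise."""
    entry_rva, sections = parse_sections(pe)
    last = sections[-1]
    last_lo = last["va"]
    last_hi = last_lo + max(last["vsize"], last["rawsize"])
    if last_lo <= entry_rva < last_hi:
        return []  # entry point already in the last section: nothing to compare against
    hits = []
    for s in sections[:-1]:
        if not s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            continue
        data = pe[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        for i in range(len(data) - 4):
            if data[i] != 0xE8:
                continue
            rel = struct.unpack_from("<i", data, i + 1)[0]
            call_rva = s["va"] + i
            target = (call_rva + 5 + rel) & 0xFFFFFFFF
            if last_lo <= target < last_hi:
                hits.append((s["name"], call_rva, target))
    return hits

def build_sample_pe() -> bytes:
    """Constructed two-section PE32 (not a real program): .text holds a benign
    intra-section CALL at +0x10 and a CALL at +0x20 into .reloc, the last section."""
    text = bytearray(b"\x90" * 0x200)
    text[0x10:0x15] = b"\xE8" + struct.pack("<i", 0x1040 - 0x1015)   # CALL .text+0x40
    text[0x20:0x25] = b"\xE8" + struct.pack("<i", 0x2010 - 0x1025)   # CALL .reloc+0x10
    reloc = bytes(0x200)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)    # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                   # Section/FileAlignment
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)
    sect += struct.pack("<8sIIIIIIHHI", b".reloc", 0x200, 0x2000, 0x200, 0x400,
                        0, 0, 0, 0, 0x42000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(0x200, b"\0") + bytes(text) + reloc

if __name__ == "__main__":
    for name, call_rva, target in find_epo_calls(build_sample_pe()):
        print(f"{name}: CALL at RVA {call_rva:#x} -> {target:#x} (last section)")
```

Since the notes say the body may overwrite the relocation section instead of being appended, the check deliberately looks at the last section regardless of its name or flags; a separate check that the file's size on disk exceeds the end of the last section's raw data would catch the plain append case even when no CALL is found.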

When WSOCK32.DLL is accessed, the send() export is redirected to a chunk of code on top of the relocation info. This code gets a ring0 memory pointer to the new send() handler via newly added functionality in the GetFileAttribute() API ;)

The code in the new send() scans the outgoing data for e-mail info, and adds an infected dropper at the end of it. The virus supports both MIME and non-MIME e-mail clients, and can add the dropper in both uu-encoded and BASE64 format. The icon of this dropper changes together with the name, to reflect some dates.
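An added example (the editor's, not the virus's code) of the send() hook's output seen from the receiving side: a scanner over a captured outgoing message that decodes MIME-encoded parts (base64 among them) and inline uuencoded begin/end blocks (the non-MIME case the notes mention) and reports any attachment that decodes to a PE image. The stand-in PE blob, the two messages and the names x.exe and greet.exe are constructed for the example; the check looks only at the MZ/PE magic and says nothing about the icon or name variation described above.

```python
import base64
import binascii
import email
import re

UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S+)\s*$")

# Constructed stand-in for a dropper: MZ header, e_lfanew -> "PE\0\0", padding.
SAMPLE_PE = b"MZ" + bytes(0x3A) + (0x40).to_bytes(4, "little") + b"PE\0\0" + bytes(16)

def is_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def inline_uu_blocks(text: str):
    """Yield (filename, bytes) for each 'begin ... end' uuencoded block embedded
    in a plain text body, the way a non-MIME client carries an attachment."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = UU_BEGIN.match(lines[i])
        if not m:
            i += 1
            continue
        out = bytearray()
        i += 1
        while i < len(lines) and lines[i].strip() != "end":
            if lines[i]:
                out += binascii.a2b_uu(lines[i])
            i += 1
        yield m.group(1), bytes(out)
        i += 1

def find_executable_attachments(raw_message: str):
    """Return [(name, size)] for every attachment, MIME-encoded (base64 etc.)
    or inline uuencoded, whose decoded content is a PE image."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if is_pe(payload):
            hits.append((part.get_filename() or "<unnamed>", len(payload)))
        elif part.get_content_maintype() == "text":
            for name, blob in inline_uu_blocks(payload.decode("ascii", "replace")):
                if is_pe(blob):
                    hits.append((name, len(blob)))
    return hits

def mime_sample() -> str:
    """Constructed outgoing MIME message with a base64 attachment."""
    b64 = base64.b64encode(SAMPLE_PE).decode("ascii")
    return ("From: a@example.test\nTo: b@example.test\nSubject: hi\n"
            "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"XX\"\n\n"
            "--XX\nContent-Type: text/plain\n\nhello\n"
            "--XX\nContent-Type: application/octet-stream; name=\"x.exe\"\n"
            "Content-Transfer-Encoding: base64\n"
            "Content-Disposition: attachment; filename=\"x.exe\"\n\n"
            + b64 + "\n--XX--\n")

def uu_sample() -> str:
    """Constructed non-MIME message carrying the same blob uuencoded inline."""
    lines = [binascii.b2a_uu(SAMPLE_PE[i:i + 45], backtick=True).decode("ascii").rstrip("\n")
             for i in range(0, len(SAMPLE_PE), 45)]
    body = "\n".join(["begin 644 greet.exe", *lines, "`", "end"])
    return "From: a@example.test\nTo: b@example.test\nSubject: hi\n\nsee attached\n\n" + body + "\n"

if __name__ == "__main__":
    for sample in (mime_sample(), uu_sample()):
        print(find_executable_attachments(sample))
```

The text-part branch is the one that matters for the non-MIME clients the notes mention: a gateway that only inspects parts with a Content-Transfer-Encoding header never decodes a uuencoded block sitting in the body of a plain message.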

All data carried with the virus is compressed using the aPLib v0.22b library. I replaced my old LZW scheme with these routines due to the immense gain in speed, compressed size, and code size. It is the same algorithm I used in Fabi.9608.

When the www updater is executed, it registers itself in the registry, with the fake name KERNEL32.EXE, to always run, and copies itself to the /winsys directory to avoid easy detection. The updater hides itself from the CTRL+ALT+DEL task list, and stays in the background waiting for the user to connect to the internet.

Always in the background, without the user noticing, the www updater then connects to my www page and downloads the virus plug-ins (which have a special format and can be expanded, to have full compatibility with future versions). If these modules comply with the version and features required to run, they are executed. The power of this is obvious. By adding new plugins, I can make the virus an IRC worm, infect remote drives, or even add a poly engine. The problem of a possible takedown of my URL is bypassed with the smart use of forwarders (not implemented in the public source version of the updater).

The first module online is the greetz to the people that helped me with this virus, whether with betatesting, with ideas, or with moral support. Currently I am working on new modules, with new ideas that I think will be worth coding.

If you aren't a d0rk, you can contact me at [email protected], but idiotic questions about how to compile and the like will be ignored... and your soul can be lost in the attempt to contact me ;)

Questions about where the entry point is will be ignored too... ;>
