
VX Heaven


Source code of computer viruses

BeGemot - Virus for Windows by Benny

Virus for Windows

Benny

1999-00-00

Download begemot.zip (20125 bytes) or browse online

Author's notes

I'm very proud to introduce my best virus. I wanted to show ya in this virus everything I can do. There aren't all my favourite techniques (such as Memory Mapped Files), nevertheless I think this is a good virus. I tried to optimize it as much as I could, but there is still for sure something that could be optimized much more than it is. But that's a life... I call it Win98 infector coz I tested it only on my Win98 machine. It should work on Win95 also, but devil never sleeps. I'm not sure, so that's why I call it Win98. Hmmmm, okay, that was the foreword, and now here is that promised description...

This virus is the Win98 resident/semi-stealth/compressed/slow poly/Pentium+/multithreaded/Ring3/Ring0/PE/RAR/fast infector. It also deletes some AV databases/kills some AV monitors/uses the VxDCall0 backdoor to call DOS services/uses an undocumented opcode and can infect EXE/SCR/RAR/SFX/CPL/DAT/BAK files. It appends to the last section in PE files/inserts a Win9X dropper into RAR files and enlarges files by a constant size, that's 8192 bytes. (I decided this is a perfect number, no one will mind.) It uses the BPE32 (Benny's Polymorphic Engine for Win32, published in DDT#1) and BCE32 (published in 29A#4) engines. BPE32 has a perfect SEH trick (it fools many AVs) and BCE32 saves about 1.9kB of virus code (!!!). The combination of these engines is my virus, that is (at this time - summer 1999) undetectable by any heuristic methods (only the first generation of the virus is detectable). I tested it with DrWeb (IMO the best AV), NODICE32 (IMO the second best), AVP (perfect scanner, but...) and many otherz.

But that's not all. If the virus gets resident in memory, it will jump to Ring0 and create a VMM thread (system thread) which will patch Ring3 code and so allow Ring3 code execution, and then leave Ring0. The Ring3 code will run on, while the thread will run in memory in the background. The thread will allocate 1kB of shared memory (memory accessible to all processes) and slowly check for changes in it. If any change appears, the thread will do the proper action, dependin' on the change. Why? Next to BG I coded a communication console, called BGVCC (BeGemot Virus Communication Console), so if the virus is resident in memory, u can easily communicate with the virus thread through it. Look at the BGVCC source and u will see how easily u can communicate with/control the virus. This is the first virus with a communication interface.

It also uses many trix to fool AVs, e.g. SEH, spec. thread, RETF etc...

