Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Source code of computer viruses

Bonk32 - Virus for Windows by Vecna

Virus for Windows

Vecna
Show all viruses by this author

1998-00-00

Comments
Download bonk32.zip (4672 bytes) or browse online

Author's notes

This virus is the 2nd PE infector i wrote, and is a memory resident infector designed exclusively for win95/98. It shouldnt work neither in winNT or in w32s. It patches the IDT, that isnt protected in w95/98, modifies a vector to point code into the virus, and execute this interrupt. As the code is executed in ring0, the virus alloc memory and read from the host file the rest of the virus code. It then jump to this virus part, that hook IFS and restore the host.

Always a EXE file is open, the virus handler take control, and infect it. The virus body is appended as a overlay to the end of host, without any physical link to host, and a small loader is stored into the free space of the PE header.

If the host file dont have relocationz, the virus encript the original entrypoint and patch it with a jump to the virus loader. The key for the code encripted is not saved, but a CRC32 of it unencripted is stored. When the virus restore it, it must try all keyz, what can be time costly for AVerz.

As the original entrypoint dont change, and the virus code isnt linked to host, beside the loader, this work as a anti-heuristic feature.

Early versionz haved a bug, that cause a crash in everybody machine beside mine. This was because a non-fixed call to int 0x20. Some lines added and now it work fine.

W95.Bonk32 is written using NASM sintax, that showed very efficient for my viral needz, as provide more control over the generated code . To compile you will need NASM, LINK from Microsoft and PEWRSEC from Jacky Qwerty/29A. You also will need any MAKE utility (Borland, Microsoft and LCC ones work). then debug it using SOFT-ICE till u get the point that the virus open host at this point, change esi to point to a unused area (ECX hold one), then then edit this memory (D ESI;EB) and type the dir you are and \bonk32 at the end. Then make the virus go(BC *;G).

Or, better, run the pre-compiled file. It will execute and stay resident. All open files will be infected then. Remeber that the pre-compiled file must reside in root dir of C:, else it will crash.

I must thank 2 people: the AV that discovered the bug, and Alchemy, that gimme the EIP of the fault and make possible to me fix it.


By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org