
VX Heaven


Source code of computer viruses

CAPZLOQ TEKNIQ v2.0 - Virus for Linux by JPanic

Virus for Linux

JPanic

2013-04-29

Download clt20.zip (33865 bytes) or browse online

Author's description

CLT20 is a 2.8k infector of Win32 PE, Linux ELF, and OSX MACHO/FAT files. When viewing source, a TAB size of '8' is recommended.

The virus runs under 3 different platforms: Win32, Linux, OSX (i386).

The virus has some improvements over CLT10: handling more error conditions, more virulent, more checks. Handling attributes/permissions and datestamps too.

On execution under either Operating System the virus attempts to infect all PE, ELF, MACHO and FAT files in the current directory. If the user is 'root' or administrator, it also infects all files in the Windows+System32 dirs, or the '/bin'+'/usr/bin' dirs, depending on the operating system.

Under Win32 the virus calls Kernel32.dll and also uses SFC.DLL. Under Linux the virus calls INT 0x80. Under OSX the virus calls INT 0x80, 32-bit BSD calls.

Infection of Win32 PE files is achieved by adding the virus to the last section. This is a fairly standard method. Checks are made for SFX's, drivers, digital certificates and so on.

When infecting Linux ELF files, the virus creates a cave after the PHdrs and before ".text". This causes the load address to be lowered by 0x1000 (1 page).

When infecting OSX MACHO files, the virus modifies __PAGEZERO and 'i386_NEW_THREAD_STATE' struct, appending itself to the end of the file.

When infecting FAT (OSX Universal Binaries), if the last MACHO module is i386, the MACHO is infected in the above manner.

The virus is written in TASM and assembles and links to a Win32 PE host. This host can be used to infect other PE/ELF/MACHO/FAT files. When building, the makefile outputs the address of 'VHost', which tells you the size of the virus.

