DOB - Virus for Windows by Benny

Released in 29A#6 magazine

Hello dear reader,

here is another Win2k infector of mine. This one is multi-process resident and featurez a small kind of stealth and runtime SFP disabling! The main viral code worx with all processes in the system and tries to infiltrate them. If the process is winlogon.exe, it createz a remote thread which overwritez the code that handlez System File Protection in Windows 2000. There's no need to restart the computer; from that moment on, ALL filez protected by SFP are unprotected! I used the same method which is described in the article about SFC disabling in 29A-6 magazine. I have to mention that this code was coded by me together with Ratter of 29A.

In case the found process is not winlogon.exe, it triez to create a remote thread which hookz the CloseHandle and CreateFileW APIZ there. The mentioned semi-stealth mechanism worx in this way - when an infected program tries to open an infected file with the CreateFileW API, the virus disinfects it and passes execution to the API and the host. When the host program tries to close the file via the CloseHandle API, the virus tries to infect it by my favourite method - overwriting of the relocation section. I had this semi-stealth mechanism in my head for long yearz (semi becoz infection via CloseHandle doesn't always work - the file is not alwayz opened with all required access rightz, so many timez the infection will fail - and for now I don't know how to retrieve the filename from a HANDLE in a Win2k-compatible way. If anyone knows it, pleaz gimme know!). Originally I wanted to implement it in Win32.Vulcano, but I was so lazy... I decided to code it now; well, I know it's a bit late, but better late than never :)
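As an added, defender-side example (not part of Benny's article and not the virus's own code): a small Python triage script that parses PE headers and points out a relocation section that no longer looks like relocation data. The article only says the relocation section gets overwritten; the two heuristics below (the section holding the base-relocation directory is marked code/executable, or the entry point lies inside it) are my own generalization of what "code living in .reloc" tends to look like, and the assumption that an infected file redirects its entry point into that section is mine, not something the article states. The sample PE images are constructed in the script itself (headers only, no real code) so it runs offline.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
DIR_BASERELOC = 5  # index of IMAGE_DIRECTORY_ENTRY_BASERELOC in the data directory table


def parse_headers(pe: bytes):
    """Return (entry_rva, reloc_dir_rva, reloc_dir_size, sections) from a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    # The fixed part of the optional header is 96 bytes for PE32 and 112 for PE32+;
    # NumberOfRvaAndSizes is its last dword, and the data directories follow it.
    dd_off = opt + (96 if magic == 0x10B else 112)
    ndirs = struct.unpack_from("<I", pe, dd_off - 4)[0]
    reloc_rva = reloc_size = 0
    if ndirs > DIR_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from("<II", pe, dd_off + 8 * DIR_BASERELOC)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "size": max(vsize, rawsize), "chars": chars})
    return entry_rva, reloc_rva, reloc_size, sections


def section_for_rva(sections, rva):
    """Section header whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["size"]:
            return s
    return None


def triage_relocations(pe: bytes) -> list:
    """Heuristic findings about the relocation section; an empty list means nothing stood out."""
    entry_rva, reloc_rva, reloc_size, sections = parse_headers(pe)
    findings = []
    reloc_sec = section_for_rva(sections, reloc_rva) if reloc_size else None
    if reloc_sec is None:
        return findings  # no relocation data: many EXEs legitimately have none
    if reloc_sec["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("relocation section %r is marked as code/executable" % reloc_sec["name"])
    if section_for_rva(sections, entry_rva) is reloc_sec:
        findings.append("entry point 0x%x lies inside relocation section %r" % (entry_rva, reloc_sec["name"]))
    return findings


def build_sample_pe(entry_rva: int, reloc_chars: int) -> bytes:
    """Construct a minimal two-section PE32 (headers only) so the triage can be exercised offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, 0x3000, 0x100)  # reloc dir -> .reloc

    def sec(name, va, size, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, va, 0, 0, 0, 0, chars)

    text = sec(b".text", 0x1000, 0x1000, 0x60000020)  # code | execute | read
    reloc = sec(b".reloc", 0x3000, 0x1000, reloc_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + reloc


if __name__ == "__main__":
    clean = build_sample_pe(0x1000, 0x42000040)    # initialized data | discardable | read
    suspect = build_sample_pe(0x3010, 0x62000040)  # same, but executable, with the entry point inside
    print("clean:", triage_relocations(clean))
    print("suspect:", triage_relocations(suspect))
```

Both heuristics are only triage hints: packers and some linkers also produce odd section flags, so a hit means "look closer", not "infected". A scanner built on this would also have to recompute its own view of the file (section table, checksum, size) rather than trust what the hooked APIs in an infected process report, since the disinfect-on-open behaviour described above is exactly what makes in-process reads unreliable.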

The virus also chex its own integrity at start-up (by CRC32), so in case someone setz breakpointz in the viral code, the virus will not run.
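An added illustration of why such a check stops a debugger, written here for the reader and not taken from the virus: a software breakpoint works by replacing an opcode byte with INT3 (0xCC), so any checksum over the code region changes. The code bytes below are constructed stand-ins, not bytes from DOB, and the function names are mine.

```python
import zlib

# Constructed stand-in for a protected code region (a few x86 prologue bytes); not from the virus.
CODE = bytes.fromhex("5589e583ec1031c0c9c3")


def crc32(data: bytes) -> int:
    """Unsigned CRC32, the value an author would embed at build time."""
    return zlib.crc32(data) & 0xFFFFFFFF


def passes_integrity_check(code: bytes, stored_crc: int) -> bool:
    """The runtime check: recompute over the same region and compare with the stored constant."""
    return crc32(code) == stored_crc


def with_software_breakpoint(code: bytes, offset: int) -> bytes:
    """Model what a debugger does for a software breakpoint: overwrite one opcode byte with INT3 (0xCC)."""
    patched = bytearray(code)
    patched[offset] = 0xCC
    return bytes(patched)


if __name__ == "__main__":
    stored = crc32(CODE)
    print("clean code passes:", passes_integrity_check(CODE, stored))
    print("with INT3 at offset 4 passes:", passes_integrity_check(with_software_breakpoint(CODE, 4), stored))
```

For an analyst the caveat is the useful part: the check only notices changes to the bytes it covers. Hardware breakpoints (the debug registers) and single-stepping leave the code untouched and pass, and the stored constant is itself just another byte sequence in the file, so a check like this delays analysis rather than prevents it.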

I didn't test Win2k.DOB very deeply, so it's possible that it has some bugz. However, again, I didn't code it for spreading but to show some new ideaz. I hope you will like this virus...

(c)oded in September, 2001
Czech Republic.

