Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Source code of computer viruses

Etymo-Crypt - Virus for Windows by Black Jack

Virus for Windows

Black Jack
Show all viruses by this author

2000-07-00

Comments
Download etymo-crypt.zip (7389 bytes) or browse online

Released in Matrix#2

Author's notes

Description

When an infected file is run, the virus gets control. It gains ring0 by the standart IDT modifying trick. But it doesn't stay resident in ring0 (hooking VxD calls), but it just uses its ring0 privilege to write to the write-protected kernel32 memory: it copies itself into a gap in kernel32 in memory (between the header and the start of the first section, like nigr0's Win95.K32 virus) and hooks the CreateFileA API.

Whenever the virus intercepts a file open now, it checks if the opened file is an infectable, uninfected PE EXE and infects it if all is ok. The infection process is a bit unusual: The virus creates a new section called ".vdata" (with standart data section attributes) and saves there the code from the entrypoint, after it has been encrypted against the virusbody. Then the entrypoint is overwritten with virus code, most of it encrypted again. The attributes of the code section are not modified, the virus doesn't need the write attribute set, because it only modifies its data when it is in ring0. The pro of this infection method is that there are no sections with unusual attributes.

Known bugs

Since the virus needs to be resident to restore control to the host, there is no need for checking the OS or preventing errors with SEH, because infected files will crash under WinNT anyways, there's no way to prevent that.

Because of that unbound import stuff, the virus only catches very few file opens. In a kernel32.dll infector this would be easy to prevent by changing the timedate stamp of kernel32.dll. In this case this doesn't work, because the system checks this stamp after the kernel32 has been loaded into memory and will give error messages if it has been changed each times the user tries to start a program. Another possible solution, patching the entry point of the hooked API with the JMP_virus instruction, like nigr0 and Bumblebee do, won't work too, because with my residency method the kernel memory stays write protected. And so this virus is a slow infector, but it still catches enough file opens to replicate successfully.

Assemble with

  tasm32 /mx /m etymo.asm
  tlink32 /Tpe /aa etymo.obj,,, import32.lib

there's no need for PEWRSEC or a similar tool, because the virus code is supposed to run in a read-only section anyways.


By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org