VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Source code of computer viruses

HIV - Virus for Windows by Benny

Virus for Windows

Show all viruses by this author


Download (21861 bytes) or browse online

Author's notes

Finally I finished this virus... it took me more than 8 months to code it. I hope you will like it and enjoy the new features it presents. Here comes a deep description of Win32.HIV...

Kernel32 searching engine

The virus can remember the last used base address of Kernel32.DLL. If the last one is not valid, it can check the standard addresses, used under Win95/98/NT/2k. Even if none of these addresses r valid, it can search thru address space of current process and find the library. Everything of this is protected by Structured Exception Handling.

API searching mechanism

For Kernel32's APIz virus uses its own searching engine, using CRC32 instead of stringz. For APIz from other libraries it uses GetProcAddress from K32.

Encryption of virus code

The virus is encrypted by simple XOR mechanism, the encryption constant is generated from the host code (the checksum). My idea for next viruses is to code slow-polymorphic engine, where the shape of virus will depend on host code checksum - something like "virus code depends on hosts DNA" :) AVerz will have again some problems, becoz they will need to have enough different victim filez to create valid pattern (for the scanner).

Direct action

The virus infects ALL PE filez (also inside MSI filez) in current directory. Infection of PE filez is done by appending to the last section. Infection of PE filez inside MSIs is done by cavity algorithm:

Into these PE filez not whole virus will be copied, but only a small chunk of code, which will after execution display message and jump back to host. This can be called as a payload.

The message loox like: "[Win32.HIV] by Benny/29A"

"This cell has been infected by HIV virus, generation: " + 10-char number of virus generation in decimal format.

EntryPoint Obscuring

Yeah, this virus also uses EPO, which means: virus doesn't modify entrypoint, it is executed "in-the-middle" of execution of host program. Again, this is trick to fuck heuristic analysis :) It overwrites procedure's epilog by instruction. The epilog loox like:

pop edi         05Fh
pop esi         05Eh
pop ebx         05Bh
leave           0C9h
ret             0C3h

Even if the sequence couldn't be found it infects the file - this will take AVerz some time to understand :)

Multi-process residency

This virus is multi-process resident, which means it can become resident in ALL process in the system, not only in the current one. Virus does:

Very efficent! Imagine - you have executed WinCommander and accidently you will execute virus. The virus become resident in ALL process, including WinCommander, so every file manipulation will be caught by virus. If you will open any file under WinCommander, virus will infect it! :)

The infection runs in separated thread and execution is passed to host code, so you should not recognize any system slow down. Also, the ExitProcess API is hooked, so the process can be terminated only when the infection is finished.

Per-process residency - hooking Internet

Ah, yeah, this is really tricky stuff. The virus tries to hook InternetConnectA API from WININET.DLL. If the host program will establish FTP connection, virus will transfer itself by FTP to the root directory. And this really worx! :)

SFC stuff

All Win2k compatbile infectorz used SfcIsFileProtected API to check if victim files r protected by system and if so, they didn't infect them. This infector can disable SFC under Win98/2k/ME, so ALL filez (even the system ones) can be infected! I would like to thank Darkman for his ideaz and SFC code.

Mail spreading

The virus finds in registry the location of default address book file of Outlook Express, gets 5 mail addresses from there and sends there infected XML document (see bellow).

HTML infection (XML stuff)

Here I would like to thank Rajaat for his XSL idea (see XML stuff in 29A4). The algorithm of HTML infection loox like:

press.txt is XSL - XML stylesheet, which is loaded together with XML file and can be placed anywhere on the internet. This XSL contains VBScript which will infect computer. XML loox like clean - in fact, it is, but it uses template, which is infected. I l0ve this stuff...:-)

NTFS stuff

The virus compresses infected filez placed on NTFS, so the infected filez are usually smaller than the clean copies...user should not recognize any space eating...;) Also, it contains next payload - using file streamz on NTFS. Every infected file on NTFS will have new stream ":HIV" containing message: "This cell has been infected by HIV virus, generation: " + 10-char number of virus generation in decimal format.

All of this does not work with MSI filez.


Yeah, the virus uses some anti-* featurez, against debuggerz (check "debug_stuff" procedure), heuristics (SALC opcode, non-suspicious code, EPO) and AVerz (infected PE files grows by 16384 bytes, about 6,5 kb of virus code, the rest is data from the end of host - if you will open the file and go to EOF, you will not find any virus :)

Other features

The virus doesn't check extensions of victim files, it just opens the file and chex the internal format, if the file is suitable for infection. Also, the bug can correct the checksum of infected file (if it is needed), so there should not be any problem with infection of some files under WinNT/2k.

Known bugz

Here I would like to thank Perikles and Paddingx for beta-testing Win32.HIV. I tried to fix all possible bugz, but no program is bug-free, right? :P

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka