VX Heaven


Leon - Virus for Windows by kaze


Released in EOF#2 magazine

Author's comments

I'm happy to introduce to you win32.leon, a nearly original poly virus. This virus is mainly focused on AV-detection evading, so don't expect ultral33t spreading. The main technique of this virus is "decryption via APIS", i.e. the decryptor is (with a probability of 4/5) 100% api based. Some random fake api calls are also used in the decryptor: those apis are called with random arguments, but won't disturb the virus's execution: they just return an error code (except when being debugged, where they sometimes throw exceptions). Random api calls are also used in the virus body in order to avoid dynamic detection. A lot of little tricks are also used to fool emulators and scanners (like encryption through relocations, or decryptor fragmentation) and are explained in the article stored at (french only for now).

OS: Win2000 and WinXP. Successfully tested on both. Won't work on vista because of the fake apis thingie.

TYPE: PE Appender.

TARGETS: Kaze*.exe PE files, with .code > ~10k and size (lastsection) < rawsize(lastsection)

INFECTION: Insert virus body into last section. The decryptor is cut into X parts, where X=number of api calls in the decryptor. Those parts are written in the .code section at random locations. The first part is located on the EP. If the decryptor used is api-based, the IAT of the host will also be modified by the virus. If encryption via relocs is used, relocations are modified and the host is relocated by the virus.

SPREADING: Infect current directory and all physical drives. Avoid infection of SFC protected files.

POLY/META: Polymorphic, using a kpasm-generated poly engine (rules in regles.kpasm). Use two decryptors (one at a time): a cryptoapis-based one and a simple xor loop.

ANTIDBG: Yes. The decryptor and the virus body use a lot of "fake apis", i.e. some apis with random arguments, that won't do anything normally, but will throw some exception when debugged.

ANTIEMUL: Yes. The decryptor is mainly composed of api calls. Most of the emulators don't emulate them all. Bogus api calls are also used (fake apis) in order to fool the emulator. The control flow in the decryptor is also a bit obfuscated: in order to jump from the K part to the K+1 part (in the decryptor), the emulator has to know the exact number of arguments of the api used in the K part. Up to 500 different fake apis could be used.

ANTISCAN: Yes. Besides the poly, the virus sometimes uses encryption via relocations: the decryptor itself is encrypted by having some relocations pointing to the decryptor's code. The imagebase is modified to force windows to relocate the infected host (and so decrypt the decryptor). Relocations of the host are nulled and the host itself is relocated by the virus.

ANTIDYNAMIC: Yes. The sequence of the apis used by the virus body and the decryptor is random. Each virus api call is surrounded by up to 10 random fake api calls.

ANTIHEURIST: No. It may fool some but no original trick used.

BUGS: Will crash every ~50 infections (don't ask me why). When crashing, the virus tries to restore control to infected program through SEH.

Well, this virus has been finished in a hurry, so some things could be improved. The poly engine for example is good, but could be easily improved. The payload also is a simple MessageBox: I coded a nice one (some animated monkey playing around with desktop's icons :), but didn't have time to integrate it into the virus. Just look at the web site for the payload, it's quite fun :D. I sent it to AVers three weeks ago, and only 3 detect it, but with a bad ratio (<70%). I think that's because they just don't care, it's a PoC after all. Well, I'll publish it anyway.
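For static scanning, the ANTISCAN entry above implies a visible artifact: base relocations that land on the code at the entry point, so the loader rewrites it at load time. The following is an added example, not part of the original page or the author's code: it parses raw base-relocation data and reports how much of the entry-point window is covered by HIGHLOW fixups. The function names, the 64-byte window and the 0.5 coverage threshold are assumptions chosen for illustration, and both relocation samples are constructed.

```python
import struct

HIGHLOW = 3  # IMAGE_REL_BASED_HIGHLOW: loader adds the load delta to a DWORD

def build_block(page_rva, offsets):
    """Build one base-relocation block (used only for the constructed samples)."""
    entries = [(HIGHLOW << 12) | off for off in offsets]
    if len(entries) % 2:
        entries.append(0)  # IMAGE_REL_BASED_ABSOLUTE padding keeps 4-byte alignment
    header = struct.pack("<II", page_rva, 8 + 2 * len(entries))
    return header + struct.pack("<%dH" % len(entries), *entries)

def highlow_fixups(reloc):
    """Return the sorted RVAs of every HIGHLOW fixup in raw relocation data."""
    rvas, pos = [], 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8 or pos + size > len(reloc):
            break  # terminating or malformed block
        for off in range(pos + 8, pos + size - 1, 2):
            (entry,) = struct.unpack_from("<H", reloc, off)
            if entry >> 12 == HIGHLOW:  # top 4 bits: type, low 12 bits: page offset
                rvas.append(page_rva + (entry & 0x0FFF))
        pos += size
    return sorted(rvas)

def entry_point_report(reloc, entry_rva, window=64, max_coverage=0.5):
    """Measure how much of the code at the entry point the loader would rewrite."""
    end = entry_rva + window
    near = [r for r in highlow_fixups(reloc) if entry_rva - 3 <= r < end]
    covered = {b for r in near for b in range(r, r + 4) if entry_rva <= b < end}
    # Two fixups less than 4 bytes apart patch the same bytes twice.
    overlapping = sum(1 for a, b in zip(near, near[1:]) if b - a < 4)
    coverage = len(covered) / window
    return {"fixups": len(near), "coverage": coverage, "overlapping": overlapping,
            "suspicious": overlapping > 0 or coverage > max_coverage}

# Constructed samples: entry point at RVA 0x1000 in both.
CLEAN = build_block(0x1000, [0x001, 0x00B, 0x020])   # three address operands
PACKED = build_block(0x1000, list(range(0, 64, 4)))  # fixups over every byte

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("packed", PACKED)):
        print(name, entry_point_report(data, 0x1000))
```

Ordinary compiled code carries fixups only on its absolute address operands, so coverage at the entry point stays low; the threshold should be tuned against a known-clean corpus before use.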
