Miss Lexotan 6mg, garota... - Virus for Windows by Vecna

Virus for Windows

Released in 29A#6

The virus is formed by 3 parts: CODE, DATA and GENOTYPE. These block are inserted in already existing sections, and all RVAs and structures(import, export,resources,etc) are fixed, if relocations exists. If relocations dont exists, all data added go to last section.

CODE is always changed via the metamorphic engine: mixed, garbling added, instructions changed, and then optimized. Then CODE is added to the existing .code section(1st section).

DATA is the read-only/read-write data used by the virus. CRCs of API names, search mask, copyrights, variables, all these shits are here. It is added to any section that have read/write attributes, encrypted.

GENOTYPE is the data that the metamorphic engine use to rebuild the 'plain' virus from the metamorphic copy. It is a zcode compressed list of relatives distances, plus register/flag using info. It can be added to any existing section.

When virus run, it decrypt its DATA, unpack GENOTYPE and use it to rebuild 'plain' virus from CODE. Then 'plain' virus is processed by the engine, and new GENOTYPE is extracted from new generated CODE.

'Plain' virus, extracted from CODE, is not fixed: base instructions are changed by synonymous. So, there are 2 mutations: garbling/mixing is local, and changes are discarted when generationg new virus, but synonymous changes are mantained in base code.

Thus, virus have no fixed base form, evoluting from previous changes.

