Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Source code of computer viruses

Lil' Devil - Virus for Windows by Bumblebee

Virus for Windows

Bumblebee
Show all viruses by this author

2002-03-00

Comments
Download lildevil.zip (12944 bytes) or browse online

Released in 29A#6

Author's comments

1. Introduction

This is a little research virus that infects both PE EXE and DOC files from ms word, including normal.dot template. Not optimized at all, and with very lame vbs/wm code :/ I'm mainly ASM coder! The idea is to add macro spreading to a average PE infector trying to do it making the PE form of the virus as small as possible. For this issue i'm going to use vbs to infect normal.dot, due this wsh is required for dot infection (not for PE drop if there is a doc infected, and of coz PE infection has nothing to be with vbs).

Even you've seen some part of this virus into Yonggary!, there are some interesting

2. Features

Has a runtime part that will infect current and windows folder.

Infects PE files with at least 8000h bytes with EXE and SCR exts.

Infects appending virus body to the end of the last section. It takes care of virtual size and phys size data in the header, that is why the size of infected files increases more than other virii that doesn't take care of this. In other hand it makes the virus infection more stable. It uses size padding as infection sign. It won't infect already infected files even size padding check fails.

Avoids infect files that contains in body the strings: 'tractor' (self extractor archives) or 'ntivir' (antivirus software).

Per-process resident by hooking CreateFileA. It checks the folder used in the calls (not file). It will infect all the PE files in this folder.

Self CRC32 checksum implemented. Encrypts saved host EP with this value. Since CRC32 is not stored, avers will need to calc CRC32 of virus is order to clean the infected files. Self integrity check will work also as kinda anti-debug feature.

Has Softice detection for win9x/win2k that will halt the process with a stack fault.

Contains a RLE compressed PE dropper and a vbs script that will install word macros in the normal template. The word macro part is full working macro virus that will infect DOC files and will dump and execute the PE dropper. The wm is generated on the fly. things i'm sure you wanna check :) (like bug fix)

3. Item Infection

Virus working scheme:

      PE --- PE dropper, infect, vbs dropper --> DOT
        \--> PE

      DOT --> DOC

      DOC --> PE dropper --> PE

The dropper is uncompressed into /ldevrtl.dll and infected. After that the vbs dropper will be dumped into the file /ldevwm.vbs. Then the macros will be generated into c:\ldev.sys. This wm will be used to infect all docs and the normal.dot. At last the vbs dropper will be executed to install the macros inside normal.dot. This won't happen again while the ldevrtl.dll exists. The dropper into the wm won't infect the normal.dot, just infect PE into windows and current folder. The virus samples from this copy will be able to infect word again.

Even i've tried to not overload the system, the virus is not 100% perfect. Just think what happens if word is running when we try to infect normal.dot...

Thanx once again to Perikles for his tests. This virus was quite hard to test :) Nice work. He found a stupid bug i've incuded in two old viruses: the way to low-case (don't rely in my previous lame 'or ,202020h'). Also he helped a lot providing with infected samples to Balck Jack for the following tests. Thanx you friend!

After i released the bin Black Jack did some tests under Win NT with SP 5. He noticed infected prodump 'is not a valid win32 app' even it runs nice under win98. Later he tested infected mlink32 and it run without problems. procdump has a quite uncommon last section attribute: discardable. We didn't get a good reason to say why infected procdump didn't work under BJ's nt. As 2nd infected sample shown, last section huge virtual size is not the problem. Sigh... i need to install win nt :/ Thanx Black Jack! After speaking with Vecna we found the way i calc image size is kinda unstable hehehe. So this is the reason :) Keep this in mind when reading the PE infection routine.

Another thing you should know is some av detect it as Yonggary modification, and some detect it as Yonggary itself. It's my fault coz i didn't tested av before releasing this virus. Indeed this is at date of release. I spect after av ppl get a infected sample they will fix it (even detect it as Yonggary variant, at least they will detect it as the right variant). This is a research virus, not spected to be itw.

The way of the bee

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org