Loki is a .NET C# virus that infects all the executables found in the current directory. The file infection is unique in that it can decrypt/encrypt the virus body with either Rijndael or Triple DES, and both ciphers generate their keys dynamically.

How is it able to encrypt itself and still work? Well, Loki can build a decryptor at runtime! Duh! :) This is something I haven't seen yet, so I might be the first.

It basically works like this:

  1. generate decryptor
  2. generate encrypted virus
  3. infect the file

The file structure of an infected file looks like this.

Note: The decryptor is placed first so that it executes first.

The decryptor that we generate on the fly has two responsibilities:

  1. Extract the host program from itself and run it.
  2. Once the host program has finished running, decrypt the virus and execute it.

Since we build it from source, we can change the variable names in the decryptor, making it even harder to find!

The other cool part is the payload. If Loki hasn't run before, or the registry key gets deleted, it creates a screensaver and dumps it into the startup directory. So the next time the user restarts their computer their screen turns black and a red message saying "You have been infected with MSIL.Loki by free0n" bounces across the screen. Muwhahaha, it's pretty funny.

Note: Yes, this looks like a console application, which would normally open a command prompt (DOS box). With Loki you create the console application and then change the output type to Windows Application (it's in the project properties). It still runs like a console app, but no DOS box opens, making it a little more sneaky. Use VC# Express to build it.
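A defensive counterpart to the behaviour described above, added here as an example and not part of the original write-up or of Loki itself: a small Python scanner that flags executables whose bytes carry the "MSIL.Loki" marker the payload displays (checked both as ASCII and as UTF-16LE, since .NET string literals live in the #US metadata heap as UTF-16), and that lists .scr files sitting in the per-user Startup folder, the persistence location the write-up names. The function names, the default Startup path and the sample files that run_demo constructs are my own assumptions. A string match only catches the message as written, so treat this as a triage aid rather than a detection of the encrypted virus body.

```python
import os
import tempfile
from pathlib import Path

# Marker string the write-up says the dropped screensaver displays.
LOKI_MARKER = "MSIL.Loki"

# .NET stores string literals in the #US heap as UTF-16LE, so a string that
# appears in C# source is usually found in the binary in that encoding; we
# also check plain ASCII in case the text was embedded some other way.
MARKER_PATTERNS = (LOKI_MARKER.encode("ascii"), LOKI_MARKER.encode("utf-16-le"))

# Only binaries are interesting; a text file mentioning the name is not an infection.
SUSPECT_EXTENSIONS = {".exe", ".dll", ".scr"}


def file_has_marker(path):
    """True if the file's raw bytes contain the marker in either encoding."""
    try:
        data = Path(path).read_bytes()
    except OSError:
        return False
    return any(pattern in data for pattern in MARKER_PATTERNS)


def scan_directory(directory):
    """Return a sorted list of suspect binaries under `directory` carrying the marker."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            candidate = Path(root) / name
            if candidate.suffix.lower() in SUSPECT_EXTENSIONS and file_has_marker(candidate):
                hits.append(str(candidate))
    return sorted(hits)


def startup_screensavers(startup_dir=None):
    """List .scr files in the Startup folder (default: the standard per-user path on Windows)."""
    if startup_dir is None:
        startup_dir = (Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows"
                       / "Start Menu" / "Programs" / "Startup")
    startup_dir = Path(startup_dir)
    if not startup_dir.is_dir():
        return []
    return sorted(str(p) for p in startup_dir.iterdir() if p.suffix.lower() == ".scr")


def run_demo():
    """Build constructed sample files in a temp dir and run both checks over them."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed samples: a clean binary, one carrying the marker as a
        # .NET-style UTF-16LE literal, and a text file that merely mentions it.
        (tmp / "clean.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"hello world")
        (tmp / "infected.exe").write_bytes(
            b"MZ" + b"\x00" * 64
            + "You have been infected with MSIL.Loki by free0n".encode("utf-16-le"))
        (tmp / "notes.txt").write_bytes(b"MSIL.Loki mentioned in prose, not a binary")
        # Constructed Startup folder with a dropped screensaver and an unrelated shortcut.
        startup = tmp / "Startup"
        startup.mkdir()
        (startup / "loki.scr").write_bytes(b"MZ" + LOKI_MARKER.encode("ascii"))
        (startup / "shortcut.lnk").write_bytes(b"L\x00\x00\x00")

        hits = [Path(h).name for h in scan_directory(tmp)]
        screensavers = [Path(s).name for s in startup_screensavers(startup)]
    return {"hits": hits, "screensavers": screensavers}


if __name__ == "__main__":
    result = run_demo()
    print("marker hits:", result["hits"])
    print("startup screensavers:", result["screensavers"])
```

On a real host you would call scan_directory on the directory the suspect binary was run from and startup_screensavers with no argument; any .scr in Startup that the user did not place there is worth pulling for analysis regardless of whether the string match fires.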

