Source code of computer viruses

Nanomites 2.0b - Virus for Windows by Deroko

Virus for Windows

Author's description

This virus uses nanomites, so it won't have any jcc/jmps in the code. Nanomites are jcc/jmp instructions changed by Armadillo to int 3h, so this idea is kinda implemented into this code. I have written a simple tut about it, but it is available in Serbian only. By reading the nanojmp macro you will be able to figure it out by yourself.

The virus currently supports infection of ASPack 2.x (I guess, tested on 2.12), UPX (0.8 - 1.25), PECompact 2.59, PEPack v1.0, and FSG v2.0. Probably it will support more packers as soon as I find time to reverse 'em more.

It appends to the last section, and no, it doesn't move the reloc if present.

It is a polymorphic virus (cool) and uses DSRPE, which stands for "Deroko's Shity Random Polymorphic Engine". Well, this engine is not completely finished yet; I started working on it 2-3 months ago and due to exams I never finished it. When I started coding it, I had many ideas and I planned to implement a self-modifying poly engine (metamorph-poly engine, sounds cool), but it didn't happen. Maybe I'll finish it one day... Here a simple, modified, and unfinished version is used... (maybe 10% done, but it works fine).

Launches 4 threads:

  1. For the virus. This thread will infect files; the thread is filled with nanomites, so tracing and checking it in a debugger is not a smart thing to do.
  2. For the main program. This thread will hook ExitProcess, so any call to ExitProcess from the infected program will return to this thread.
  3. For checksum checking. This thread will loop constantly during execution of the virus thread. It will check the checksum at 100 millisecond intervals. If the checksum is wrong, it means someone is using a breakpoint in the virus, and the virus will terminate the whole process. This thread will also loop through API addresses and check if there is a BP set in API calls.
  4. This is the payload thread. It will pop up on the 13th of every month, will create a window via CreateWindowExA and will show you the lyrics of "She Is My Sin" by Nightwish. It will stay active until the infected program finishes...

