
VX Heaven


Source code of computer viruses

Nemox - Virus for Linux by Cyneox

Virus for Linux

Cyneox

2004-00-00


Released in DCA#1

Author's notes

Lin32.Nemox is a half virus which will infect any ELF files in the current directory: ".". I've written some lame functions which will search for ELF files, check if they are infectable or not and then start the infection procedure.

It is using the common "Segment Padding Infection" procedure. That means: segments needed for execution will be padded properly to reflect the insertion of our virus code. We will copy our virus code after the code segment (between .text and .data). Then we will update the PHDR (Program Header) and SHDR (Sections Header) so that they contain the correct information about the file which has been "infected".

Nemox is using the same technique which I've used when I coded Nfect0r. So if you didn't get it just search for Nf3ct0r 6) .

Q.: Why a half virus!?
R.: Well, I don't want that stupid users will simply execute my binaries and get infected (I mean the whole system) without knowing that. If they want to transform my source codes into fully functional viruses they should do that at their own risk.

A virus which is executing only its own virus code is a dead virus. So I've chosen a simple method how to return to the host code... At the beginning of my virus code I wrote: "push dword 0x0". Later on the "0x0" will be replaced with the original entry point of the host file. At the end of the virus code I wrote "ret" which will return the program execution to "push dword [original entry point]". It's quite simple to understand and isn't so suspicious like a "jmp" procedure.

Many ppl have told me I shouldn't use "much" stack in my program. Well it does. I didn't want to use a temporary file where I could write all that info about the target: entry point, several offsets, file size, file name etc. If u want to improve that feel free and just do it... I always use the stack for data storage etc. It's "cheap" and simply usable.

Well I'm so happy that I've finished this project although my work wasn't so "perfect": After infecting several executables I've realized that the string table got fucked up, that means I couldn't see the names of several sections etc. Well that's very vulnerable to many AV's but that's not my problem. If u want to improve this code just do it and make it even better ;)

What really matters to me is that Lin32.Nemox really worked the way I wanted it to...
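
A detection-side check for two artifacts the notes above describe, added here as an example (it is not Cyneox's code and not part of this page): an entry point that no longer lies in a section flagged executable, and an entry stub that starts with `push imm32` pointing back into the host's code. The function names, the finding strings and both sample images are constructed for the illustration, and it assumes little-endian ELF32 (i386) files.

```python
import struct

SHF_EXECINSTR, PT_LOAD = 0x4, 1

def parse_elf32(data):
    """Return (entry, PT_LOAD program headers, section headers) of an ELF32 LE image."""
    if data[:6] != b"\x7fELF\x01\x01":
        raise ValueError("not a little-endian ELF32 file")
    # e_entry .. e_shstrndx occupy bytes 24..51 of the ELF header
    (entry, phoff, shoff, _fl, _eh, phentsz, phnum,
     shentsz, shnum, _strndx) = struct.unpack_from("<IIIIHHHHHH", data, 24)
    segs = [struct.unpack_from("<8I", data, phoff + i * phentsz) for i in range(phnum)]
    secs = [struct.unpack_from("<10I", data, shoff + i * shentsz) for i in range(shnum)]
    return entry, [s for s in segs if s[0] == PT_LOAD], secs

def padding_infection_findings(data):
    """Heuristics only: a hit means 'inspect this file', not proof of infection."""
    entry, loads, secs = parse_elf32(data)
    # (sh_addr, sh_addr + sh_size) for every section flagged executable
    code = [(s[3], s[3] + s[5]) for s in secs if s[2] & SHF_EXECINSTR]
    in_code = lambda va: any(lo <= va < hi for lo, hi in code)
    findings = []
    if not in_code(entry):
        findings.append("entry point outside executable sections")
    for _type, off, vaddr, _paddr, filesz, *_rest in loads:
        if vaddr <= entry and entry + 5 <= vaddr + filesz:
            pos = off + entry - vaddr  # file offset of the entry point
            target = struct.unpack_from("<I", data, pos + 1)[0]
            if data[pos] == 0x68 and in_code(target):  # 0x68 = push imm32
                findings.append("entry begins with push imm32 into code")
    return findings

def build_sample(entry, stub):
    """Constructed ELF32 image: one PT_LOAD at 0x08048000, .text at +0x100 (0x100 bytes)."""
    base, shoff = 0x08048000, 0x300
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, entry, 52, shoff, 0, 52, 32, 1, 40, 2, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0, base, base, 0x300, 0x300, 5, 0x1000)
    img = bytearray((ehdr + phdr).ljust(shoff, b"\x00"))
    img[entry - base:entry - base + len(stub)] = stub
    text = struct.pack("<10I", 0, 1, 0x6, base + 0x100, 0x100, 0x100, 0, 0, 16, 0)
    return bytes(img) + bytes(40) + text  # null section header, then .text

CLEAN = build_sample(0x08048100, b"\x31\xed\x5e\x89\xe1")  # xor ebp,ebp; pop esi; mov ecx,esp
# Entry moved just past .text, stub = push <old entry> ... ret, as the notes describe
SUSPECT = build_sample(0x08048200, b"\x68" + struct.pack("<I", 0x08048100) + b"\xc3")

if __name__ == "__main__":
    for name, image in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, padding_infection_findings(image))
```

Binaries stripped of their section header table report the first finding as well, so treat that result as a prompt for manual review.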

