
VX Heaven


Source code of computer viruses

Omikane - Virus for Windows by Feathered Serpents

Virus for Windows

Feathered Serpents

2002-00-00

Download: omoikane.zip (23692 bytes)

Released in NS#1

Author's notes

This virus was created to see if the above objectives were feasible. With the advent of the PE executable and advances in the anti-virus industry, new PE viruses are generally easy prey for AVs due to one or more of the following reasons:

Thus, this virus was born.

This virus hides its body in the last section of the host file (encrypted of course). It writes a small, POLYMORPHIC decryptor into the slack space at the end of the code section. It then patches the exe by looking for all "call [ExitProcess]" or "jmp [ExitProcess]" (depending on the linker) to jump to the decryptor. Since all calls are patched, no other infection marker is needed.

When the host finishes running and calls ExitProcess, it will jump to the polymorphic decryptor. The decryptor then decrypts the data in the last section of the file, and places it into a writable data section. Due to how Windows "works", data sections CAN have code in them. After the virus is done decrypting, it jumps to the code in the data section and executes.

When the virus executes, it goes into the root directory of the current drive and attempts to infect files. If there are no files to infect, or a bait directory is determined (using a complex set of criteria), then a random subdirectory is chosen, and the infection process is repeated. (You can use "subst" to create a new drive letter and run the file on it to test it safely.)

...And so, some 2000 lines of code later, Mission Accomplished.
