
VX Heaven

P-adic 1.9 - Virus for Windows by Dr.L

2002-00-00

Download p-adic.zip (8542 bytes)

Released in 29A#6

Author's notes

It's a per-process encrypted EPO Win32 virus, tested on both Win95 and Win2K. It is aware of both old-style and new-style bound imports, so applications such as calc.exe and notepad.exe on Win9x and Win2K will not crash if they are infected!

This virus uses several techniques:

A checksum routine to recognize API name strings in the export section of Kernel32.dll.

Whenever the relocation section exists and the virus is smaller than it, that section is renamed and the virus is placed there.

This virus uses a basic EPO routine.

A short piece of code overwrites the original entry point of the host, so the entry point field itself isn't modified. The overwritten bytes are saved somewhere in the virus body. Obviously, before jumping to the host code these bytes are restored. Pure overwriter viruses are lame, never forget that!

The main feature is that the section attributes of the host aren't modified, i.e., if a section is non-writable, after infection its attribute is still non-writable.

How do we do that? Two techniques are used. The first one is the GlobalAlloc API. It is called first, to create a memory space where the main part of the virus is decrypted and run. But we need a special routine to get the address of this API.

In order to perform this task we search the import table of the target for an API name with 11 or more letters.

We patch that name with the "GlobalAlloc" string. At run time, when Windows loads the infected host into memory, the address of the GlobalAlloc API is filled in; Windows does the job for us :) Nevertheless, we need to restore the correct address for the patched import, and the GetProcAddress API is used for that (we can't pre-calculate a checksum for it because the name of this API isn't known before infection time).
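The import-name patch described above leaves a fingerprint a defender can look for: if a name of 12 or more letters is overwritten in place with "GlobalAlloc" and its terminator, and the rest is not zeroed (an assumption, the notes do not say), the tail of the original name survives after the new NUL. The following added example (not part of the original page or the virus) scans constructed hint/name entries for that leftover; it assumes the entry offsets have already been read from the Import Lookup Table, as a PE parser would supply them.

```python
import struct

# Constructed sample hint/name table (not from a real binary).  The second
# entry was "GetCommandLineA" before "GlobalAlloc\0" was written over it,
# so "neA" plus the original NUL remain behind the new terminator.
SAMPLE_TABLE = (
    b"\x00\x00CreateFileA\0"           # offset 0, untouched
    + b"\x23\x01GlobalAlloc\0neA\0"    # offset 14, patched in place
    + b"\x00\x00ExitProcess\0"         # offset 32, untouched
)
SAMPLE_OFFSETS = [0, 14, 32]           # as an ILT walk would yield them


def parse_hint_name(table: bytes, offset: int, next_offset: int):
    """Return (hint, name, tail) for the entry at `offset`.

    `tail` is whatever lies between the name's NUL and the next entry,
    minus the single alignment pad byte a linker may emit."""
    hint = struct.unpack_from("<H", table, offset)[0]
    end = table.index(b"\0", offset + 2)
    name = table[offset + 2:end].decode("ascii", errors="replace")
    tail = table[end + 1:next_offset]
    if tail == b"\0":                  # word-alignment padding only
        tail = b""
    return hint, name, tail


def find_overwritten_names(table: bytes, offsets, needle="GlobalAlloc"):
    """Flag entries named `needle` that are followed by leftover printable
    bytes: the residue of a longer name having been patched in place."""
    hits = []
    bounds = sorted(offsets) + [len(table)]
    for off, nxt in zip(bounds, bounds[1:]):
        _hint, name, tail = parse_hint_name(table, off, nxt)
        leftover = tail.rstrip(b"\0")
        if name == needle and leftover and all(32 <= b < 127 for b in leftover):
            hits.append((off, name, leftover.decode("ascii")))
    return hits


if __name__ == "__main__":
    for off, name, residue in find_overwritten_names(SAMPLE_TABLE, SAMPLE_OFFSETS):
        print(f"offset {off}: '{name}' followed by residue '{residue}'")
```

A clean import of GlobalAlloc produces no hit, so the heuristic only fires on the in-place overwrite, not on programs that legitimately import the API.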

The virus uses the allocated memory space to move its main routine there and decrypt it. When the decryption process is over, the virus jumps to that new memory space, creates an infectious thread and returns to the host.

The infectious routine is a classic one:
