
VX Heaven


Source code of computer viruses

Red Team - Virus for Windows by The Soul Manager

Virus for Windows

The Soul Manager

1997-06-00

Download redteam.zip (26219 bytes)

Author's notes

Infects NewEXE apps by inserting itself into the code segment and correcting the Segment table, Resource table, and Gangload Area data. No new segment is added. It also adds its own relocation items to those of the code segment.

All system calls go via the Win16 Kernel API. This is achieved by obtaining the KERNEL module reference from the NewEXE header. The INITTASK import item was added solely to fool F/Win.

Infected applications simply infect the 16-bit kernel. If the Kernel exports a function named 'CALLPROC32W', INITTASK is intercepted, otherwise WINEXEC is our target. This allows for WinNT/95 compatibility.

Since the Kernel does not import itself, the relocation items for the virus are changed from import ordinals to pointers. This is done by getting the addresses of the functions we need from the Kernel's entry table.

The virus's WINEXEC handler immediately passes control to the original WINEXEC handler, and then uses the returned Module Handle to infect the file in the background (multi-tasking).

Since NT/95 don't call WINEXEC (at least for the 16-bit Kernel) we intercept INITTASK instead. When INITTASK is issued, we assume that a new application has recently been executed, and we walk through the chain of Module Handles (by using GETEXEPTR) to infect all currently loaded modules that have only one instance running, and are applications, not libraries/drivers.

The first time an application is executed in the same directory as PC-Eudora, the virus attempts to add a message to the OUTBOX. This message is addressed to all recipients in the Nick Names database, and is marked as 'Queued to be Sent'. The message contains a 'good times' style virus warning hoax, and includes an EXE file masquerading as an anti-virus as its attachment. The attached EXE file is, of course, infected.


By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org