Regswap - Virus for Windows by Vecna

Virus for Windows

Author's description

Due to popular demand, I fixed this virus and made it fully metamorphic, using the register exchange metamorphic technique. Although this technique isn't as powerful as the one I used in Miss Lexotan 6mg, the two can be combined, leading to a very efficient way of avoiding detection.

Probably, the future of metamorphism will be a mix of this technique, together with the Miss Lexotan one and the code permutation developed by Z0MBiE in the ZCME virus and AZCME engines. The mixing of procedures, as found in the old BadBoy virus, can be useful too.

People interested in this technique should also consult AZCME32, also for Win32, written by Z0MBiE/29A. It also changes register usage, but with a more advanced technique that uses an internal disassembler instead of tables.

A review of the features: the first one is the PE infection method, which is new. It consists of overwriting the entry code pointed to by the entrypoint, in the code section, and saving it, encrypted, to the last section, which is enlarged beforehand. We check first that the entrypoint isn't too close to the end of the code section, something that could damage our host. As the entrypoint doesn't change, this helps very much against heuristics.

The metamorphism consists of changing the registers used throughout the whole virus body. Procedures are processed in turn, resetting the register equivalence table each time, making each sub register-independent. The only fixed sequences are the vint21h procedure, due to vint21's requirements on register usage, and the random number generator, because I use the stack in a weird way and it is not worth fixing this anymore.

The classical way to set up a SEH frame pointed to by ESP:

       sub ecx, ecx
       push dwo fs:[ecx]
       mov fs:[ecx], esp

After being processed by the engine, it can turn into:

       sub esi, esi
       push dwo fs:[esi]
       mov fs:[esi], esp

And so on. All registers can be modified.

The tables used by this metamorphic engine are in the following format:

   00..06  -  Register index
   07..08  -  Position of reg in instruction (xx000xxx or xxxxx000)
   09..16  -  Distance from previous reg-using instruction

Thus, each register in the virus occupies one word in these tables. A short macro, xchr, is provided to make table construction easier.
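From the scanner's side, register exchange is defeated by normalizing the same ModRM register fields the engine rewrites. The following added example (not the virus's own code) masks the reg/rm fields at the positions a pattern table lists and renames registers by first appearance, so the two SEH prologues above reduce to one signature; the byte encodings and the slot table are constructed for this illustration.

```python
# Register-field positions, named as in the table format described above.
REG_FIELD = 0b00111000   # xx000xxx: the reg field of a ModRM byte (bits 3..5)
RM_FIELD  = 0b00000111   # xxxxx000: the r/m field of a ModRM byte (bits 0..2)

REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def field_shift(mask):
    return 3 if mask == REG_FIELD else 0

def extract_regs(code, slots):
    """Return the register name found at each (offset, mask) slot of `code`."""
    return [REG_NAMES[(code[off] & mask) >> field_shift(mask)] for off, mask in slots]

def canonicalize(code, slots, fixed=("esp",)):
    """Zero the register fields listed in `slots` and rename registers in order
    of first appearance (R0, R1, ...).  Registers named in `fixed` keep their
    real name: ESP is left alone because the engine still needs the stack.
    Returns (masked_bytes, renamed_register_tuple); two sequences that differ
    only by a consistent register substitution give equal results."""
    masked = bytearray(code)
    renamed, mapping = [], {}
    for (off, mask), reg in zip(slots, extract_regs(code, slots)):
        masked[off] &= ~mask & 0xFF
        if reg in fixed:
            renamed.append(reg)
        else:
            renamed.append(mapping.setdefault(reg, f"R{len(mapping)}"))
    return bytes(masked), tuple(renamed)

def same_shape(a, b, slots):
    """True if `a` and `b` are the same code up to register renaming."""
    return canonicalize(a, slots) == canonicalize(b, slots)

# Constructed samples: the two SEH prologues above, hand-assembled.
#   sub ecx,ecx / push dword fs:[ecx] / mov fs:[ecx],esp
ORIGINAL = bytes.fromhex("29c9" "64ff31" "648921")
#   sub esi,esi / push dword fs:[esi] / mov fs:[esi],esp
MUTATED  = bytes.fromhex("29f6" "64ff36" "648926")
# Constructed slot table: (offset of the ModRM byte, which field holds a register).
# The reg field of "push" (FF /6) is an opcode extension, so it is not a slot.
SEH_SLOTS = [(1, REG_FIELD), (1, RM_FIELD), (4, RM_FIELD), (7, REG_FIELD), (7, RM_FIELD)]

if __name__ == "__main__":
    print(same_shape(ORIGINAL, MUTATED, SEH_SLOTS))   # True
    print(canonicalize(MUTATED, SEH_SLOTS)[1])        # ('R0', 'R0', 'R0', 'esp', 'R0')
```

A sequence that swaps only one occurrence, or replaces the fixed ESP, normalizes to a different tuple and is correctly not matched.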

Ideas to improve this technique:

