Rudra - Virus for Windows by LiteSys

Virus for Windows

Released in 29A#6

Author's comments

This is Rudra, my first polymorphic virus. It's a direct action (with directory backwards navigation) and a per-process resident virus. Hooks the following APIs: CreateProcessA, WinExec, CreateFileA, OpenFileA, CopyFileA, MoveFileA, _lopen.

To say that the poly engine is stupid is an appropriate metaphor, and the reasons are obvious: the decryption opcodes are fixed and in a fixed position in the decryptor, so it would be very easy for the AVers to detect it using a mask. I used two encryption layers (maybe it's a very badly implemented idea), the first being the polymorphic one. It's the first poly engine I've written so far, and I didn't have any other poly code, so I think many concepts are still unclear in my mind. But the next will be better, promised.

The infection algorithm is, obviously, last-section expanding. I really don't care about overwriting the .reloc section; albeit it's never used, I leave it alone...

This virus has multiple payloads. Executed every sabbath, it consists of executing one of the three following payloads:

This virus uses SEH to generate an exception and to trap any possible exceptions.

Don't ask me why that name, it came from nothing... hehe. Ok, ok, ok, you get a prize if you guess where this name came from!

By the way, this is another shitty virus written by me... don't expect too much stability or optimization 'cause I don't have time to spend with it...

So, in summary, this virus has:

So, I don't have anything else to say about this shit, maybe greets, yeah greets are gewd and go to: Mindlock, Knight-7, Evul, Gigabyte, Tokugawa, Maquiavelo, Thorndike and everybody I forgot... hope you forgive me =P.

"Patria o Muerte: Venceremos" (Ernesto "Che" Guevara)
Venezuela, June/July 2001