Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Source code of computer viruses

Seiryo - Virus for Windows by Feathered Serpents

Virus for Windows

Feathered Serpents
Show all viruses by this author

2002-00-00

Comments
Download seiryo.zip (9226 bytes) or browse online

Author's notes

The purpose of this virus was to test a relatively new method of allocating space for a virus. Traditionally, the virus is simply appended to the end of the file as either a separate section or tacked onto the last section. This has the problem that usually the entry point to the file is now not the code section, and inevitably program execution leaves the code section.

This idea was derived from Zombie's Zmist - that is to use the .reloc section. This virus looks for a file with a reloc section, memory maps it, and proceeds to expand the code section to fit the virus. It then copies itself into this space. All the other sections are moved back to make space for the virus, the code section is updated to reflect these changes (thanks to reloc telling you where the data is), and then the entire PE header must be updated. So, how well does this method work?

Here's a breakdown of what must be done and it's complexity:

But:

So, how well does it work? It works ok.

Well, coding it is lots of work, and the debugging highly unpleasant. Reconstructed files are surprisingly stable providing that the code is correctly debugged. It could well become the preferred method of infection in terms of stealth. The lengthy code, potential bugs, and complexity could be a deterrence for use in an average virus.


By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org