VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Source code of computer viruses

Shaitan - Virus for Windows by The Shaitan

Virus for Windows

The Shaitan
Show all viruses by this author


Download (9016 bytes) or browse online

Author's notes

When a file infected by Win32.Shaitan is executed, the virus looks up the current process' Import table for the address of GetModuleHandle API function. If located, the API function will be called to retrieve the base address of KERNEL32.DLL. Otherwise, a hard-coded address (0xbff70000) will be assumed. Next, using this address, the virus scans the Export Table of KERNEL32.DLL for the address of the GetProcAddress API function. Finally using this function the virus obtains addresses of all other API functions it needs (e.g CreateFileA, FindFirstFileA etc). The virus searches for and infects files in the following order:

The file encrypts its data using a simple xor operation with 0xFF as key. Files are infected by appending the virus to the last section in the file and increasing its size. The virus uses memory-mapped files to improve performance. Infected files will grow by about 3k.

Umm, that's about all folks! This is my first Win32 virus, so if something doesnt work, well... maybe next time :) The code is heavily commented, so it should be easy enough to follow (if you can't... dont ask me, i can't really follow it either! ;)

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka