
VX Heaven


Source code of computer viruses

Skipo - Virus for Windows by Tiberio Degano

Virus for Windows

Tiberio Degano

2009-12-18

Download skipo.zip (4457446 bytes)

Released in Decepticons #1

Author's docs

Introduction:

Skipo is a multi-layer, multi-algorithm, highly obfuscated polymorphic virus. It uses the enfish and SK EPO techniques: the first decryptor is inserted in the middle of the host by replacing one of the host's procedures, and the procedure is put back when the virus finishes. It also uses an extra, new EPO (substituted for the SK EPO) named the Parameter Infection EPO. This EPO searches for call dword [RegisterClassA/RegisterClassExA], looks in the preceding 100 bytes for the WndProc address, and changes it to point at the virus. When the virus finishes it returns the same value and then uses SetWindowLong and CallWindowProc to hand control back to the host.

Features:

  1. Reads and writes local variables
  2. Reads global variables (read-only)
  3. Calls up to 18 APIs (the hardest part to code)
  4. Very realistic garbage, including IF/ELSE, WHILE loops and PUSH/POP
  5. Swaps the registers for every polymorphic instance (well known)
  6. Swaps the registers in the middle of the polymorphic code (e.g. mov eax,ecx) and restores the initial registers before the loop jump
  7. Uses an anti-negative-pattern trick: copies code from the host and places it between an IF and its ENDIF so it is never executed
  8. Emits instructions that look like the decryptor's own instructions, e.g. mov eax,[ecx+0040XXXX]
  9. Uses every register in the garbage until it is initialized by the decryptor
  10. Multi-layer and multi-algorithm: up to 4 layers with 4 algorithms

EPO:

Dynamic blocks of code EPO: the SK EPO searches for a call whose target begins with push ebp / mov ebp,esp, then disassembles the procedure with the hde32 disassembler until it reaches leave / ret or pop ebp / ret. It then looks for int3 padding after the procedure, takes the whole block and replaces it with the first layer of decryption (one or two algorithms), and restores the procedure at the end. This EPO preserves the parameters and the registers of the real procedure so that the program keeps running correctly.

Parameter Infection EPO: as described in the introduction; the entry point thus ends up hidden in the middle of the code, and the host still runs because the original WndProc is restored with SetWindowLong and the message is forwarded with CallWindowProc.
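The Parameter Infection EPO above leaves one observable: a window procedure address that points somewhere a compiler would never put it. The following scanner is an added example, not Skipo's code or anything from the archive. It assumes (not stated on the page) that the host stores lpfnWndProc with either push imm32 or mov [ebp+disp8], imm32 before a call dword ptr [slot] to the RegisterClassA/ExA import, and it uses a constructed section map, IAT slot and code fragment. It performs a byte-pattern sweep of the 100-byte window rather than a real disassembly, which is enough to show the idea.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
WINDOW = 100   # bytes examined before the RegisterClass call, per the description

# Constructed section map of a hypothetical 32-bit host: (name, VA, size, characteristics)
SECTIONS = [
    (".text",  0x401000, 0x1000, 0x60000020),   # code, read + execute
    (".rdata", 0x402000, 0x1000, 0x40000040),   # read-only data, holds the IAT
    (".data",  0x403000, 0x1000, 0xC0000040),   # read + write, no execute
    (".rsrc",  0x404000, 0x1000, 0x40000040),
]
IAT_SLOTS = {0x402010}   # hypothetical IAT entry of RegisterClassA / RegisterClassExA
CODE_VA = 0x401100       # VA of the first byte of the fragments below


def section_for(va, sections):
    """Section tuple containing va, or None if it points outside the image."""
    for sec in sections:
        if sec[1] <= va < sec[1] + sec[2]:
            return sec
    return None


def register_class_calls(code, iat_slots):
    """Offsets of `call dword ptr [slot]` (FF 15 imm32) whose slot is an IAT entry of interest."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] == 0xFF and code[i + 1] == 0x15:
            if struct.unpack_from("<I", code, i + 2)[0] in iat_slots:
                hits.append(i)
    return hits


def pointer_immediates(window, sections):
    """Immediates of `push imm32` (68) or `mov [ebp+disp8], imm32` (C7 45 dd) that
    fall inside a section. Sliding byte scan, not a disassembly (assumption)."""
    found = []
    for j in range(len(window)):
        if window[j] == 0x68 and j + 5 <= len(window):
            imm = struct.unpack_from("<I", window, j + 1)[0]
        elif window[j] == 0xC7 and j + 7 <= len(window) and window[j + 1] == 0x45:
            imm = struct.unpack_from("<I", window, j + 3)[0]
        else:
            continue
        if section_for(imm, sections):
            found.append(imm)
    return found


def suspicious_wndprocs(code, code_va, iat_slots, sections):
    """(call VA, WndProc VA, section name) for every candidate WndProc that lives in a
    section without IMAGE_SCN_MEM_EXECUTE, i.e. not where a compiler would put it."""
    alerts = []
    for off in register_class_calls(code, iat_slots):
        window = code[max(0, off - WINDOW):off]
        for imm in pointer_immediates(window, sections):
            sec = section_for(imm, sections)
            if not sec[3] & IMAGE_SCN_MEM_EXECUTE:
                alerts.append((code_va + off, imm, sec[0]))
    return alerts


# Constructed host fragment: fills a WNDCLASS on the stack and registers it
CLEAN = bytes.fromhex(
    "55 8BEC"           # push ebp / mov ebp,esp
    "83EC30"            # sub esp,0x30
    "C745D8 00104000"   # mov [ebp-0x28], 0x401000   ; lpfnWndProc -> .text
    "8D45D0"            # lea eax,[ebp-0x30]
    "50"                # push eax                   ; &WNDCLASS
    "FF15 10204000"     # call dword ptr [0x402010]  ; RegisterClassA
    "C9C3"              # leave / ret
)
# Same fragment after the parameter has been redirected into the writable .data section
INFECTED = CLEAN.replace(bytes.fromhex("00104000"), bytes.fromhex("40304000"))

if __name__ == "__main__":
    print("clean   :", suspicious_wndprocs(CLEAN, CODE_VA, IAT_SLOTS, SECTIONS))
    print("infected:", suspicious_wndprocs(INFECTED, CODE_VA, IAT_SLOTS, SECTIONS))
```

On the infected fragment the scanner reports the call at 0x401111 with a WndProc of 0x403040 in .data; the clean fragment produces nothing. Because Skipo keeps the section characteristics untouched (the decryptor lives in a section that is still RW, not RX), a WndProc in a non-executable section is exactly the kind of anomaly this heuristic keys on, and it also explains why the infector must clear NX compatibility in the header.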

Infection Routine:

  1. The virus infects a .data section that comes before the .rsrc section. It moves .rsrc down and fixes the RVAs and the data directory accordingly. Since it infects a section that is already RW, it does not modify the characteristics of any section (anti-heru, NOT HERO hee hee).
  2. It infects its own section only (so it does not become harmful or spread by chance) and displays a message with the name of the virus and of the author.
  3. It removes NX, ASLR and SafeSEH compatibility from the file's characteristics (the optional header's DllCharacteristics).
  4. The infection mark is: padding size / 6 --> 0. I decided to use it so that many files can be infected (fewer infections, but more files look suspicious).
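The header changes in steps 1 and 3 are what a scanner can verify without touching any code, so here is an added example (not Skipo's code, not from the archive) that builds three constructed minimal PE32 header images in memory and runs the checks: NX and ASLR bits in DllCharacteristics, presence of a load config directory (the page does not say how "SafeSEH compatibility" is removed; treating an absent load config directory, which carries the SafeSEH handler table, as the observable is an assumption), and whether the section layout and the resource data directory were kept consistent after .rsrc was moved down. The section sizes, RVAs and characteristics are invented for the demonstration.

```python
import struct

# Bits from the PE specification
DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
NX_COMPAT = 0x0100      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)
DIR_RESOURCE, DIR_LOADCONFIG = 2, 10
SECTION_ALIGN = 0x1000


def build_pe(sections, dll_chars, load_config_size, rsrc_dir_rva):
    """Constructed PE32 headers only (DOS header, COFF, optional header, section table).
    sections: list of (name, rva, vsize, raw_size, raw_ptr, characteristics)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, 0x200)    # Section/FileAlignment
    struct.pack_into("<H", opt, 70, dll_chars)                # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_RESOURCE, rsrc_dir_rva, 0x100)
    if load_config_size:
        struct.pack_into("<II", opt, 96 + 8 * DIR_LOADCONFIG, 0x2100, load_config_size)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, rva, rs, rp, 0, 0, 0, 0, ch)
                     for n, rva, vs, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (DllCharacteristics, data directories, section list) from PE32 headers."""
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(16)]
    secs, off = [], opt + opt_size
    for _ in range(nsec):
        name, vs, rva, rs, rp, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, off)
        secs.append((name.rstrip(b"\0").decode(), rva, vs, rs, rp, ch))
        off += 40
    return dll_chars, dirs, secs


def check(data):
    """Findings a scanner would raise for the header edits described above."""
    dll_chars, dirs, secs = parse_pe(data)
    findings = []
    if not dll_chars & NX_COMPAT:
        findings.append("NX_COMPAT cleared")
    if not dll_chars & DYNAMIC_BASE:
        findings.append("DYNAMIC_BASE (ASLR) cleared")
    if dirs[DIR_LOADCONFIG][1] == 0:
        findings.append("no load config directory (no SafeSEH handler table)")
    for prev, cur in zip(secs, secs[1:]):          # sections must not overlap in memory
        end = (prev[1] + prev[2] + SECTION_ALIGN - 1) & ~(SECTION_ALIGN - 1)
        if cur[1] < end:
            findings.append(f"{cur[0]} overlaps {prev[0]} in memory")
    rsrc = next((s for s in secs if s[0] == ".rsrc"), None)
    if rsrc and dirs[DIR_RESOURCE][0] != rsrc[1]:
        findings.append("resource directory RVA does not point at .rsrc")
    return findings


TEXT = (".text", 0x1000, 0x800, 0x800, 0x400, 0x60000020)
RDATA = (".rdata", 0x2000, 0x200, 0x200, 0xC00, 0x40000040)
# Untouched host: last two sections are .data and .rsrc, NX + ASLR set, load config present
CLEAN = build_pe([TEXT, RDATA,
                  (".data", 0x3000, 0x400, 0x200, 0xE00, 0xC0000040),
                  (".rsrc", 0x4000, 0x100, 0x200, 0x1000, 0x40000040)],
                 dll_chars=0x8140, load_config_size=0x40, rsrc_dir_rva=0x4000)
# .data grown by 0x1000 bytes, .rsrc moved down and the directory fixed, NX/ASLR/SafeSEH dropped
INFECTED = build_pe([TEXT, RDATA,
                     (".data", 0x3000, 0x1400, 0x1400, 0xE00, 0xC0000040),
                     (".rsrc", 0x5000, 0x100, 0x200, 0x2200, 0x40000040)],
                    dll_chars=0x8000, load_config_size=0, rsrc_dir_rva=0x5000)
# Same growth, but .rsrc left at its old RVA: now it overlaps the enlarged .data
SLOPPY = build_pe([TEXT, RDATA,
                   (".data", 0x3000, 0x1400, 0x1400, 0xE00, 0xC0000040),
                   (".rsrc", 0x4000, 0x100, 0x200, 0x2200, 0x40000040)],
                  dll_chars=0x8000, load_config_size=0, rsrc_dir_rva=0x4000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED), ("sloppy", SLOPPY)):
        print(label, check(img))
```

The INFECTED image passes the layout checks because the RVAs and the resource directory were fixed, exactly as step 1 requires; what gives it away is step 3, the three cleared mitigations. SLOPPY shows what a scanner sees when an infector grows .data without moving .rsrc. Clearing NX_COMPAT is necessary for Skipo because its decryptor executes from a section that is still RW, so a host that keeps NX_COMPAT would fault on the first decryptor instruction.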

In this virus I tried to fix the weaknesses of Zmist, like the allowable geometry, the weak algorithm and not being multi-layer (they use code disassembling as a key validation for their X-ray, because its meta is under the encryption, not a strong poly). I also tried to fix the weaknesses of SK, like a simple poly that could be searched for.

I don't mean that this virus is more powerful than Zmist or SK, but I hope it becomes very complex for AVers and Peter Szor and takes more than 7 days :)

The Limitation of Skipo:

This virus only infects a program that has a read-only section bigger than the virus, whose last two sections are .data and .rsrc, and in which the EPO can find a procedure bigger than 200 bytes.

I think this virus will be my last, and I think I'll jump into AVing and create the first free community for AVers (an AV scene, maybe :)). I'm waiting for feedback at [email protected] from any vxer or AVer (we are in the same field; don't worry, you will not get infected). Hope you enjoyed it.

At the end I want to say: this virus is for research only and not for harming anyone. So you will say this virus does not run every time (due to the EPO) and is not designed for spreading (I mean spreading over PCs), but it is designed for testing AV defences and for writing a virus that could break these defences and become an undetectable virus :)

