VX Heaven

Source code of computer viruses

Solaris - Virus for Windows by Bumblebee

Virus for Windows

Bumblebee

2002-03-00

Download solaris.zip (13822 bytes) or browse online

Released in 29A#6

Author's comments

INTRODUCTION

Each time i see Plage 2000 itw and i hear ppl like my worms i feel sad, coz those bugs didn't make me think at all. Them're kinda a toy i coded fast and easily. So i liked to code something complex with Solaris. Just to prove to myself i can do other things but worms. My late viruses are kinda experimental and outta lab them won't be able to spread so far. So this is my way back to the business and the so-called *serious things*.

The name of this virus is a lil tribute to the magician of hard sci-fi, Stanisław Lem, and his great book Solaris. Just think Ursula Le Guin calls him a master of imagination (together with J. L. Borges, another great monster).

Well, i suppose retarded avers will call it as it goes out from their ass. Doesn't matter, let's call it Solaris :) Just like the planet in the book, you won't be able to understand Solaris easily (at least i hope so).

VIRUS OVERVIEW

It's a polymorphic win32 direct action PE infector that infects EXE, SCR and DLL files from the current, windows and system folders. Because the generated poly code is very huge and its generation is complex, the virus behavior has been set up for being a slow infector. It's better to have a slow infector than suddenly to have a slow computer. The generated poly code also includes the virus code coz the virus is pushed into the stack and executed there. That's the main reason it's not a big virus, we cannot use too much stack (remember DLLs are also infected by the virus, you should know the consequences).

Both the poly engine and the fact it must be fully relocatable to infect DLLs are not an easy task. DLL infection makes the virus able to spread faster as many DLLs are infected. But again that makes the comp slow coz there are several virus instances working at the same time. I've used shared files by name to avoid that in a kinda successful way. Even though the virus has other features, eg. a 2nd non-poly encryption layer, its most interesting features come from the not usual poly engine and the DLL infection (very annoying).

The source is fully commented. I hope i've introduced Solaris.

BSEE REVIEW

Here i include a host increased size review (BSEE with Solaris test version size 3420, final sample is about 4kbs):

             target: ping.exe (OS Win98 4.10.1998)
      original size: 28.672 bytes
  object/file align: 1000h/1000h
      virus padding: 101
   samples infected: 52

Note: 1st gen infected 1st sample. Sample j was infected by j-1 sample.

Frequency tabulation for infected samples with RECLEVEL 6

          size   freq.   cu. freq.   increase
        61.509      02          02     32.837
        65.549      22          24     36.877
        69.690      22          46     41.018
        73.730      06          52     45.058

average final size: 68.093

average increased size: 39.417

We can see how the median is very close to the average. So even if samples have variable size, that size fits in a normal distribution. Kewl test for a random number generator :)

On one hand we have that PE alignment makes us lose some of the sense of the test, but on the other hand, since we will manage aligned files, not true poly size... that fact doesn't matter for the test. Generated codes have very variable size but due to PE alignment issues we only see 4 different file sizes.

The way of the bee
