Subsist - Virus for Windows by roy g biv

Author's description

Polymorphism Using Subroutines

What is it?

Most script viruses that use encryption just carry an encrypted block and try to make the decryptor hard to read. I decided to try something a bit different. Instead of a single decryptor, there are many. The code is encoded as numbers, then it is broken into many smaller pieces. Each of the pieces is placed into a subroutine or function. Each subroutine has a random name, and the subroutines are written in random order. In JScript, the subroutines also accept a random number of (unused) parameters. In a subroutine, the block is assigned to a variable with a random name. In a function, the block is returned to a variable with a random name. Each routine requires execution of a previous routine in order to concatenate the blocks in the right order. Decoding uses "chr" (VBScript) or "String.fromCharCode" (JScript). To make things more difficult, the decoded script is not constant: all of the variables have random names that change each time.

So simple, so what?

It sounds very simple, but it looks really great. :) There is lots of whitespace and garbage comments. In JScript, there is also a trick with the tokeniser so that comments can appear between the object and the method call. The variable assignments and subroutines can appear anywhere in the code (after the variable is defined), so it is hard to see which lines execute in which order. It is hard to describe; you have to see for yourself.
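Added example, not part of the author's description or the original code: a static triage heuristic that flags the JScript structure described in both sections above (many small routines returning "String.fromCharCode" pieces, chained to one another, with unused parameters and comments between object and method). The function names, thresholds and sample script are assumptions constructed for illustration.

```javascript
// Added example: static triage heuristic for JScript that rebuilds its body
// from many small numeric-decoder routines. Thresholds are assumptions.
const COMMENT = String.raw`\/\*(?:[^*]|\*(?!\/))*\*\/`;

function stripComments(src) {
  // String literals are not tracked; acceptable for a triage heuristic.
  return src.replace(new RegExp(COMMENT, 'g'), ' ').replace(/\/\/[^\n]*/g, ' ');
}

function analyzeScript(src) {
  // Comments placed between an object and its method hide the call from grep.
  const splitRe = new RegExp(
    String.raw`[\w$)\]]\s*${COMMENT}\s*\.|\.\s*${COMMENT}\s*[\w$]`, 'g');
  const splitMemberAccess = (src.match(splitRe) || []).length;

  // Normalise so "String /*x*/ . fromCharCode" becomes "String.fromCharCode".
  const code = stripComments(src).replace(/\s*\.\s*/g, '.');
  const fnRe = /function\s+([A-Za-z_$][\w$]*)\s*\(([^)]*)\)\s*\{([^{}]*)\}/g;
  const fns = [...code.matchAll(fnRe)].map(m => ({
    name: m[1],
    params: m[2].split(',').map(p => p.trim()).filter(Boolean),
    tokens: new Set(m[3].split(/[^\w$]+/)),
    decodes: /String\.fromCharCode\s*\(\s*\d+(\s*,\s*\d+)*\s*\)/.test(m[3]),
  }));

  const decoders = fns.filter(f => f.decodes);
  // Routines whose declared parameters are never referenced in the body.
  const unusedParamFns = fns.filter(
    f => f.params.length > 0 && f.params.every(p => !f.tokens.has(p))).length;
  // Decoders that reference another routine in the file (the ordering chain).
  const chained = decoders.filter(
    f => fns.some(g => g !== f && f.tokens.has(g.name))).length;

  const ratio = fns.length ? decoders.length / fns.length : 0;
  return {
    functions: fns.length, decoders: decoders.length, chained,
    unusedParamFns, splitMemberAccess,
    suspicious: decoders.length >= 3 && ratio >= 0.5 && chained >= 2,
  };
}

// Constructed, harmless sample: three routines that together yield "hello".
const SAMPLE = [
  'function qzx(a, b) { return String /* k */ . fromCharCode(104, 101); }',
  'function mpl() { return qzx() + String.fromCharCode(108, 108); }',
  'function wrt(c) { return mpl() + String.fromCharCode(111); } // pad',
  'var out = wrt();',
].join('\n');
console.log(analyzeScript(SAMPLE));
```

Because routine and variable names change on every copy, the heuristic keys on structure (decoder ratio, chaining, unused parameters) rather than on any fixed string.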

