VX Heaven

Source code of computer viruses

TAPAKAN - Virus for Windows by Voodoo

Virus for Windows

Voodoo
2001-04-09

Published in DVL#11

Author's comments

Infection method

Find the last section of the victim. Pack it. Write our code in its place. Append the packed original section to the end of the victim. Change the entry point to our code.

Spread

After gaining control, the code will be pushed to the stack and started there. In these circumstances we can forgo setting the RW attribute on the last section. Further, we will unpack the original section and move it to its place. After that we will catch CreateFileW (in the case of NT) and CreateFileA, CreateProcess, GetProcAddress (in the case of 9x). Right after that we will return control to the victim. CreateFileW is caught by replacing the first five bytes with call NewCreateFileW. Before that, write permission is set on CreateFileW. CreateFileA, CreateProcess, GetProcAddress are caught by replacing the addresses in the import table. MD9x will not allow opening for write the memory in which kernel32.dll resides. The infection takes place on file open or process creation. There is no explicit destructive function in this virus ;-) the implicit ones are sufficient.

