
VX Heaven


Source code of computer viruses

Weird - Virus for Windows by Weird 0.14

Virus for Windows

Weird 0.14

1999-05-26

Download weird.zip (66134 bytes) or browse online

Released in Matrix#1

Author's notes

Technical stuff

The virus has a very good infection part. It was born of hard exploration of the PE EXE format. I found things that I couldn't find anywhere else. I will write an English tutorial about it as soon as I can.

The disadvantage of this virus is that it is easy to remove. I have an idea how to crypt all of the virus code. I dunno when I will implement it.

Other things can be added: more backdoor functions, the possibility of infecting .zip files, spreading via mail or ICQ, adding notifications via email, ICQ etc. Also, the client/server needs a few minor changes.

Some notes for the readers

In Win32.Weird you can find how the virus works. Also, in the Server/English subfolder you can find a translated source of the most important viral parts.

The name of this virus is 'Kuang2 theVirus'. Also, 'Coded by Weird' is not only a viral signature - it is a signature for all my progs.

The virus has small backdoor capabilities by itself, but many more with some of my plugins. Check my www for more.

Description

It is a non-dangerous memory-resident parasitic Win32 virus. It writes itself to the end of PE EXE files (Windows executables) by enlarging the last file section and modifying PE header fields. The virus copy in infected files consists of two parts. The first part (the starter) is a short routine (about one kilobyte of code and data); the second part is the main virus code (about 10 KB in size), encrypted with a trivial encryption loop.

When an infected file is executed, the starter takes control, decrypts the second part of the virus code, drops it into the Windows directory as a PE EXE file with a random name and executes it. The main virus instance stays memory-resident as a hidden Windows application and runs a low-priority thread that periodically scans the directory trees of the drives, looks for PE EXE files and infects them.

The virus also affects the EXPLORER.EXE file. It copies it under the name EXPLORER.E, infects this copy and writes a [rename] instruction to the WININIT.INI file so that the original EXPLORER.EXE is replaced with the infected copy on the next Windows startup.

The virus has a backdoor ability. When it is active as a Windows application it opens an Internet connection and waits for specific commands from there. The virus supports a short list of commands compared to other known backdoors, but it allows a remote host to upload, download, execute and delete files on the infected machine.
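The description above gives a defender two concrete things to look for: a PE file whose last section has been enlarged to carry code (with the entry point pointing into it), and a WININIT.INI [rename] entry that swaps EXPLORER.EXE for a copy. The following added example (not code from the page, the author or the virus) implements both checks as simple heuristics. The PE images and the INI text it inspects are constructed in the block itself; the heuristic flags and thresholds are this example's own choices, not a signature for this particular virus.

```python
"""Defender-side heuristics for two persistence tricks: a body appended
to the final PE section, and a WININIT.INI [rename] swap of explorer.exe.
Added example; the PE images and INI text below are constructed test data."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) from a PE32 image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    entry = struct.unpack_from("<I", data, coff + 20 + 16)[0]  # AddressOfEntryPoint
    table = coff + 20 + size_opt                          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                               # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rsize": rsize, "rptr": rptr, "chars": chars})
    return entry, sections


def appended_code_indicators(data):
    """List the reasons the last section looks like it carries appended code."""
    entry, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    last = sections[-1]
    span = max(last["vsize"], last["rsize"])
    reasons = []
    if last["vaddr"] <= entry < last["vaddr"] + span:
        reasons.append("entry point in last section")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        reasons.append("last section writable and executable")
    if last["name"].lower() not in (".text", ".code") and last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("executable flag on a section named %s" % last["name"])
    return reasons


def build_pe(entry_rva, sections):
    """Construct a header-only PE32 image (test data; it contains no code at all)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)                                  # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rsize, rptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


TEXT = (".text", 0x800, 0x1000, 0x800, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (".data", 0x200, 0x2000, 0x200, 0xC00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
# Constructed "clean" layout: entry point in .text, resource section last and non-executable.
CLEAN_PE = build_pe(0x1000, [TEXT, DATA,
                             (".rsrc", 0x400, 0x3000, 0x400, 0xE00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)])
# Constructed "suspect" layout: last section grown, made RWX, and the entry point moved into it.
SUSPECT_PE = build_pe(0x3400, [TEXT, DATA,
                               (".rsrc", 0x3000, 0x3000, 0x3000, 0xE00,
                                IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)])


def wininit_rename_hits(ini_text, protected=("explorer.exe",)):
    """Return (destination, source) pairs under [rename] whose destination is a protected file.
    WININIT.INI uses 'destination=source' lines; 'NUL=path' deletes the source."""
    hits, in_rename = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dst, src = (p.strip() for p in line.split("=", 1))
            if dst.lower().rsplit("\\", 1)[-1] in protected:
                hits.append((dst, src))
    return hits


# Constructed WININIT.INI content mirroring the swap described in the text.
SAMPLE_WININIT = "[rename]\nNUL=C:\\WINDOWS\\TEMP\\setup.tmp\nC:\\WINDOWS\\EXPLORER.EXE=C:\\WINDOWS\\EXPLORER.E\n"

if __name__ == "__main__":
    print("clean:", appended_code_indicators(CLEAN_PE))
    print("suspect:", appended_code_indicators(SUSPECT_PE))
    print("wininit:", wininit_rename_hits(SAMPLE_WININIT))
```

The PE checks are indicators, not proof: packers and self-extracting installers legitimately put the entry point in a late, writable section, so a hit should trigger a closer look (section hashes, signature, origin) rather than an automatic verdict. The WININIT.INI check, by contrast, is precise: a pending rename over explorer.exe is almost never expected outside a Windows setup run.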

The virus contains the "copyright" text:

xCoded by Weirdx
