Winux - Virus for Windows by Benny


Author's notes

Lemme introduce you to my first multi-platform virus, the world's first PE/ELF infector. The idea of the first Win32/Linux virus came to my head when I was learning Linux viruses. I'm not a Linux expert, I couldn't code for Linux in assembler - I am familiar with Intel syntax, AT&T is a bit chaotic for me. However, I decided to learn more about Linux coding and leave my place as a newbie. I was always fascinated by the Linux scene and low-level programming under Linux but I never knew much about it.

I wanted to code a virus for Linux and learn from it. But becoz there already exist some viruses and I knew I wouldn't be able to bring any new technique, I decided to code something unique -> a Win32/Linux compatible multi-platform infector. And here you can find the result of my trying. Now, after all, I've got some valuable experiencez and I'm glad for that. Coding/debugging in Linux was hard for me, but I had fun and I learned a lot. And that's the most important.

Technical details

The virus itself ain't much. It's not big, it's not complicated, it's not resident nor polymorphic.. I wanted the virus to be like this. Just to show something new, show that something never seen before is possible and how it can be coded.

The virus is divided into two partz: a Win32 part and a Linux part. Each part is able to infect both PE and ELF filez. This source is designed to be compiled by TASM under Win32, nevertheless it can infect Linux programz, and the infected program will then be executable in a Linux environment (and from there it is also able to infect Win32 programz, which can be executed in a Win32 environment etc etc etc...).

Win32 part

The virus infects PE filez by overwriting the .reloc section, so it does not enlarge the host file size. Filez that don't have a .reloc section big enough for the virus code can't be infected (explorer.exe can be used to test infection capabilities). It can pass thru the directory tree by the well known "dotdot" method ("cd ..") and there infects all PE and ELF filez - the virus does not check extensionz, it analyses the victim's internal format and then decidez what to do. When all filez are passed and/or infected the virus will execute the host code.
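The two facts above, that infection is decided by the file's internal format rather than its extension and that the PE payload lives in the .reloc section, give a defender two cheap triage checks. The following Python is an added example (not Benny's code and not from the Winux source): it classifies a file by its magic bytes and flags a PE whose entry point lies inside .reloc or whose .reloc is marked executable, neither of which a linker-produced relocation table normally has. The sample PE images are constructed, headers-only stubs, not real programs.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # PE section characteristic flag

def identify_format(data: bytes) -> str:
    """Classify by magic bytes rather than extension (the way the text says the virus picks victims)."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "PE"
    return "unknown"

def pe_entry_and_sections(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) parsed from the PE headers."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt = pe_off + 24                                           # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]         # AddressOfEntryPoint
    first = opt + opt_size                                      # first section header
    sections = []
    for i in range(nsec):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, first + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize, "chars": chars})
    return entry, sections

def reloc_overwrite_indicators(data: bytes) -> list:
    """Flag a .reloc section that hosts the entry point or is executable; both fit a .reloc overwriter."""
    findings = []
    if identify_format(data) != "PE":
        return findings
    entry, sections = pe_entry_and_sections(data)
    for s in sections:
        if s["name"] != ".reloc":
            continue
        if s["va"] <= entry < s["va"] + s["vsize"]:
            findings.append("entry point inside .reloc")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(".reloc marked executable")
    return findings

def build_sample_pe(entry_rva: int, reloc_chars: int) -> bytes:
    """Constructed headers-only PE32 stub with a .text and a .reloc section (sample input, not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 76
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    reloc = struct.pack("<8sIIIIIIHHI", b".reloc", 0x1000, 0x2000, 0x200, 0x600, 0, 0, 0, 0, reloc_chars)
    return dos + coff + opt + text + reloc

if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe(0x1000, 0x42000040)), ("suspect", build_sample_pe(0x2000, 0x60000020))):
        print(label, identify_format(sample), reloc_overwrite_indicators(sample))
```

The heuristic is a triage aid, not proof: a packer or a deliberately odd link script can also put code in .reloc, so hits deserve a closer look rather than an automatic verdict.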

Linux part

The virus infects ELF filez by overwriting the host code with viral code. The original host code is stored at the end of the host file. It can infect all filez (both PE and ELF) in the current directory, also without checking file extensionz. When all filez are passed and/or infected the virus will restore the host code (overwrite itself with the original host code) and execute it.

Well, you are probably asking how it is possible that the virus can infect Win32 appz from a Linux environment and Linux appz from a Win32 environment. Yeah, many ppl already asked me. For instance, under some emulator. There exist some emulatorz (win4lin, wine etc..) which are often used to execute Win32 appz under Linux. Also, I know many ppl that have a partition specially reserved for CD burning, where they store both Win32 and Linux programz. A virus executed from there has no problemz with infection, heh ;)

Does this virus work? Heh, sure it does. I tested it on Win98, Win2000 and RedHat 7.0, and it worked without any problemz. However, if you find any problemz, don't be shy and send me a bug report ;-P

Licence agreement

This virus is covered by GPL - GNU General Public Licence. All crucial facts can be found there. Read it before using!

Last notez

While I was finishing Universe and coding Winux, many personal thingz happened to me. Again such a depressive season as only winter can bring has fallen down on me.. I'm finishing my high school, last year, many examz (and I know nothing, you know that feeling, heh :) etc. The end of the next stage of my life is getting closer and I don't know how the next one will be for me, what it will take and bring to me. I'm looking forward to summer, the best season of the year, no depression, no school, no fucking problemz I still have and can't hold them all.. c ya l8r, somewhere in timespace..

