Yildiz - Virus for Windows by Black Jack

Virus for Windows

Black Jack
Released in Coderz#1

Author's comments

Win9x direct acting/global ring3 resident PE header cavity virus, size 323 bytes (but of course infected files won't increase in size)

When an infected file is run, the virus takes control. It first tries to find the kernel32 base address with a simple algorithm which should make it compatible with Win9x and WinME (although I haven't tested it on the latter). After that it gets the undocumented Win9x API VxDCall0 and uses it to call int 21h. VxDCall0 is the very first exported API in Win9x; I don't know which API is first in WinNT, so unpredictable results may occur when the virus runs on that OS (I haven't tried it out, but of course the virus can't work on NT). Then it goes TSR (more on that below) and infects all PE EXE files in the current directory by overwriting the unused padding bytes in the PE header with the virus body.

The memory residency consists of infecting kernel32.dll in memory. To do so, the virus creates a temporary file called "Yildiz." and writes the first 4KB of kernel32.dll into it. This file is then infected like any other PE file, and finally the contents of the infected temp file are read back into kernel32's memory. Yep, you read that right: by using int 21h through VxDCall0 you can read from a file into read-only memory! (This trick was discovered by Murkry/IkX; read more about it in the comments to his Darkside virus source, published in Xine#3.) As I have already said, kernel32 is infected in memory just like any other file, which means its entry point is set to the virus and no APIs are hooked. As you should know, the entry point of a DLL is an init routine that is called whenever the DLL is loaded by a program. Since kernel32 is imported by all programs, this means that whenever a program is run (and kernel32 is mapped into the program's address space), the virus will infect all PE EXE files in the directory of that program.
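The on-disk trace a header-cavity infection leaves is that the file's size is unchanged but AddressOfEntryPoint no longer points into any section: it lands in the slack between the section table and the first section's raw data. The following Python script is an added example, not part of the original text or the virus source, that checks for exactly that. It parses only the PE fields it needs (e_lfanew, the COFF header, the optional header's AddressOfEntryPoint and SizeOfHeaders, and the section table), and builds a constructed minimal single-section PE image in memory so it runs offline; the names parse_pe, entry_point_verdict, build_sample_pe and scan_file are chosen here.

```python
"""Flag PE files whose entry point lies in the header padding instead of a section.

A header-cavity infector leaves the file size unchanged but redirects
AddressOfEntryPoint into the slack between the section table and the first
section's raw data, so an entry RVA below SizeOfHeaders that falls inside no
section is a cheap on-disk triage signal.  All names here are chosen for this
example and are not the page's own code.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data: bytes) -> dict:
    """Read the few PE fields needed to place the entry point relative to the sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint and SizeOfHeaders sit at the same offsets in PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    table = opt + size_opt
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "va": va, "size": max(vsize, rawsize), "flags": flags})
    return {"entry_rva": entry_rva, "size_of_headers": size_of_headers, "sections": sections}


def entry_point_verdict(info: dict) -> str:
    """Return 'ok: ...' when the entry point is in an executable section, else 'suspicious: ...'."""
    entry = info["entry_rva"]
    for s in info["sections"]:
        if s["va"] <= entry < s["va"] + s["size"]:
            if not s["flags"] & IMAGE_SCN_MEM_EXECUTE:
                return "suspicious: entry point in non-executable section %s" % s["name"]
            return "ok: entry point in section %s" % s["name"]
    if entry < info["size_of_headers"]:
        return "suspicious: entry point inside PE header (cavity)"
    return "suspicious: entry point outside every section"


def build_sample_pe(entry_rva: int, size_of_headers: int = 0x400) -> bytes:
    """Construct a minimal single-section PE32 image in memory (constructed test data, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, EXE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)            # SizeOfImage
    struct.pack_into("<I", opt, 60, size_of_headers)   # SizeOfHeaders
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, 0x200, 0x1000, 0x200, size_of_headers)  # vsize, va, rawsize, rawptr
    struct.pack_into("<I", sec, 36, 0x60000020)        # CODE | EXECUTE | READ
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    headers += b"\0" * (size_of_headers - len(headers))  # the header slack a cavity infector targets
    return headers + b"\xC3" * 0x200                    # .text: a block of RET instructions


def scan_file(path: str) -> str:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as f:
        return entry_point_verdict(parse_pe(f.read()))


if __name__ == "__main__":
    clean = build_sample_pe(0x1000)   # entry at the start of .text
    cavity = build_sample_pe(0x1A0)   # entry redirected into the header slack
    print("clean  :", entry_point_verdict(parse_pe(clean)))
    print("cavity :", entry_point_verdict(parse_pe(cavity)))
```

An out-of-section entry point is a triage signal rather than proof of infection: some packers and deliberately tiny hand-built executables also place the entry point in the header, so the verdict should feed a closer look (for instance, whether the header slack after the section table holds non-zero bytes) rather than an automatic block.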

