
VX Heaven


Source code of computer viruses

YLang - Virus for Windows by Dr.L


1999-12-00


Released in 29A#4

Author's notes

This is my first virus designed for MS-Windows. I have tested it only under the Win95 OS, but I think it works on Win98 too! The virus isn't destructive as far as I know, but it's a virus, so be careful! The current version of Win9x.Ylang is not detected by the main anti-virus programs (AVP doesn't catch it)... so once again BE CAREFUL!

Description: This virus searches for PE EXE files using a directory-tree search algo (hi LJ!) on drive C:. The virus appends a loader to the end of the code section. The entry point is modified to point to this loader. The loader's aim is to decrypt the main code, which is put at the end of the last section, to put the decrypted code onto the stack and... execute it there! Result: the virus doesn't modify section flags. This means that if a section isn't originally writable, after infection it still has read-only attributes! There is one exception... the first section is marked as Executable... but in most cases the first section is the code section of the host!

The previous version of this virus is detected by AVP! The first version of Win9x.Ylang was running only on Win95... not Win98. The reason was hard for me to find... In kernel32.dll of Win95, the APIs with no names are put in the first places in the big table of pointers to API addresses... in Win98 this isn't true at all! (Don't trust no one... er... I mean: in VX-oriented zines, infos aren't always true! Keep this point in mind when trying to design viruses ;)) The last point is that this virus uses CRC-like/checksum techniques to retrieve the API addresses needed to perform infection.

Known bugs: the virus isn't fully EXE-packed aware! This means some infected packed EXE files will not work after infection :( but most packed files will only warn you that they were modified and will still work after infection.

