/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
					New phase of fight for existence
					Debugging in viruses
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
	hi there!

	Not so long ago Z0mbie wrote about debugging in viruses. Here is a solution
to that task. The virus-debugger Nastena finds an unknown entry point (UEP) by
debugging the victim. So the virus's entry point can be located very far from the
victim's entry point, and no heuristic can detect it.
	Debugging is needed to determine the order of program execution and to look
for an appropriate place for the injected code. In Nastena the victim application
is not rebuilt (as in ZMist); instead the code is written over a piece of code that
is either never executed, or executed but has no labels. Labels and execution
counts are determined during debugging and written to an execution-profile table.
To avoid the appearance of windows, consoles and other trash, these measures are
taken:
- When the debuggee starts, a hook is injected into it. So, when the debuggee
creates user objects and sends messages to them, the hook becomes active and ends
debugging.
- Monitoring of current addresses. If the address of the currently executed
instruction is equal to the address of some API (CreateWindowEx, AllocConsole
etc.), debugging is stopped.
	The virus skips debugging code inside DLLs. This accelerates the infection
process. However, DLLs may create user objects (for instance, in MFC
applications), but the hook helps in this case.
	Some other features:
- Remote thread creation on both win9x and winnt. Usually the virus stays
resident in explorer's process.
- Infection over the LAN. Please test this feature!
- Self-detection (when debugging, the virus checks for its own signature). AVs
cannot do this because they cannot debug processes.
- The virus has no constant code parts (in infected files, not in processes)
and no obvious references to the encrypted body.
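From the defender's side, the persistence step described above (a remote thread created in explorer's process) is exactly what CreateRemoteThread telemetry such as Sysmon Event ID 8 records. The following is an added example, not part of whale's text or the Nastena code: it parses records shaped like the rendered message text of that event (the field names SourceImage, TargetImage, StartModule and StartFunction are real Sysmon fields; the records themselves, the process names and the trusted-source list are constructed for this example) and flags the ones a responder would look at first.

```python
"""Defender-side triage of CreateRemoteThread telemetry.

Parses records shaped like Sysmon Event ID 8 message text and flags remote
threads that are either created by an untrusted process or start at an
address no loaded module backs (injected code rather than a call into an
exported API). All sample records below are constructed, not real logs."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RemoteThreadEvent:
    source_image: str    # process that called CreateRemoteThread
    target_image: str    # process that received the new thread
    start_module: str    # module containing the thread start address ("" = unbacked)
    start_function: str  # resolved export at the start address ("" = none)


# Processes that legitimately create threads in other processes on a typical
# host. This list is an assumption for the example; tune it per environment.
TRUSTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}


def parse_events(text: str) -> List[RemoteThreadEvent]:
    """Parse blank-line-separated 'Field: value' records into events."""
    events = []
    for block in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # split on the first colon only
            fields[key.strip()] = value.strip()
        events.append(RemoteThreadEvent(
            fields.get("SourceImage", ""),
            fields.get("TargetImage", ""),
            fields.get("StartModule", ""),
            fields.get("StartFunction", ""),
        ))
    return events


def classify(ev: RemoteThreadEvent) -> Optional[str]:
    """Return a reason string if the event deserves attention, else None."""
    source = ev.source_image.lower()
    target = ev.target_image.lower()
    if source == target:
        return None
    if source not in TRUSTED_SOURCES:
        return "thread created by an untrusted process"
    if target.endswith(r"\explorer.exe") and not ev.start_module:
        # trusted caller, but the thread starts where no module is mapped
        return "unbacked thread start address in explorer.exe"
    return None


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (source, target, reason) for every flagged record."""
    flagged = []
    for ev in parse_events(text):
        reason = classify(ev)
        if reason is not None:
            flagged.append((ev.source_image, ev.target_image, reason))
    return flagged


# Constructed sample records (not real telemetry).
SAMPLE_LOG = r"""SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Windows\explorer.exe
StartModule: C:\Windows\System32\ntdll.dll
StartFunction: RtlUserThreadStart

SourceImage: C:\Users\test\Downloads\sample.exe
TargetImage: C:\Windows\explorer.exe
StartModule:
StartFunction:

SourceImage: C:\Windows\System32\svchost.exe
TargetImage: C:\Windows\explorer.exe
StartModule:
StartFunction:

SourceImage: C:\Windows\System32\svchost.exe
TargetImage: C:\Windows\System32\lsass.exe
StartModule: C:\Windows\System32\ntdll.dll
StartFunction: RtlUserThreadStart
"""

if __name__ == "__main__":
    for source, target, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {source} -> {target}")
```

The first record (csrss.exe starting a thread at RtlUserThreadStart) is normal process startup and is not flagged; the second is flagged because the caller is not on the trusted list, and the third because a trusted caller started a thread in explorer.exe at an address no module backs.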
	The stuff used while creating the virus:
- LDE32 (Z0mbie)
- RPME (Z0mbie); I changed the mutation engine to suit the loader's
peculiarities
- efork (microb)
	Time needed for infection: 1..5 sec (Athlon 700, maximum 4096 debugging
steps).
	This virus isn't ideal: weak encryption, no mutation of the body, no check for
memory access inside the CODE section, and other disadvantages. But it can help
other people to write undetectable viruses. I hope this will happen soon!

wbr whale
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
note for stupid avers: the debug version is harmless
make debug version:		mki nas
make release version:	mkv release