
    seven faces by lifewire/ikx                                februari 2003


    about 5000 bytes nt5 'resident' 'stealth' infector. 5% asm, 95% c++

    i would like to show how nice c++ is for viral usage. some people consider
    hll (so also c++) as lame but i think it is quite useful for viral usage.
    and not only for pre-/appenders! it is maybe a few bytes larger
    then needed, but do you care in these days? coding this toy took me about
    a few weeks, in asm it would have taken much longer i guess.

    the by bcc generated assembler source (which is very readable) can be
    optimized to cut some bytes. 

    i would like to use this space to thank some people: T-2000, my ikx mates,
    ratter, rajaat, gigabyte. for being my friend, for inspiration and ideas.

    i guess this is the last vx-thing i release, so ehm... bye!

    if you have something to tell me, contact me at lifewire@mail.ru


    description:

    loading

    on startup it enumerates the accessable processes. a already-running-check
    is done, and if not true, remote memory will be allocated and a thread is
    spawned. this thread will first mark the process as 'already done'. then
    some checks on the module filename are done: the name avp32 will enable
    the av_stealth feature. one of the names 'explorer, cmd, acdsee32, winrar
    or wincmd' will enable the file stealth feature. doing filestealth is not
    always good for all applications (for example winzip), so i chose for the
    'chosen few' stealth. after hooking the thread will check some registery
    key's for (exe) files runned at startup to ensure a safe place in the
    system.

    hooking

    after the stealth flags are determined, it will hook the following apis:
    CreateFileW,FindFirstChangeNotificationW, FindFirstFileExW and
    FindNextFileW. the first one is for general infection and under nt5
    CreateFileA will call CreateFileW so both are captured. hooking is done
    by overwriting the original api handling code inside the exporting module
    with a jmp to a hook handler inside the virus body. the original code is
    copied inside some by-virus allocated memory and is aligned on opcode size.
    so if an application calls a hooked api, it will follow this flow:
    1. call [address] 2. address: jmp virushook: 3. process hook by virus
    4. execute the few original opcodes which were originally on 'address'
    5. jmp to after the overwritten bytes on address+x. for this a small
    disassembler is used.

    hook handling: size stealth

    by hooking FindFirstChangeNotificationW i avoid the refreshing of a
    directory after a infection is avoided. the other two are simply for size
    stealth - if enabled.

    hook handling: av stealth

    createfilew is hooked, and used by avp32. first scanning will cause a
    mass infection, second i will avp32 not access infected files. i will let
    it open a random file in the %system% directory and avp doesn't care.

    compiling

    should be done with bcc32, version 5. (bcc 6 bitches about inline asm and
    it creates a larger binary with the same compiler flags)
