; ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
; 3 Win32/Linux.Winux 3
; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
; ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
; 3 by Benny/29A 3
; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
;
;
;
;Heya ppl,
;
;lemme introduce you my first multi-platform virus, the worlds first
;PE/ELF infector. The idea of first Win32/Linux virus came to my head
;when I was learning Linux viruses. I'm not Linux expert, I couldn't
;code for Linux in assembler - I am familiar with Intel syntax, AT&T
;is a bit chaotic for me. However, I decided to learn more about Linux
;coding and left my place of newbee. I was always fascinated of Linux
;scene and low-level programming under Linux but I never knew much
;about it.
;
;I wanted to code virus for Linux and learn from it. But becoz there
;already exist some viruses and I knew I won't be able to bring any
;new technique, I decided to code something unique -> Win32/Linux
;compatible multi-platform infector. And here you can find the result
;of my trying. Now, after all, I've got some valuable experiencez and
;I'm glad for that. Coding/debugging in Linux was hard for me, but I
;had fun and I learned a lot. And that's the most important.
;
;
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;3 Technical details 3
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
;
;The virus itself ain't much. It's not big, it's not complicated,
;it's not resident nor polymorphic.. I wanted to be the virus like
;this. Just to show something new, show that something never seen
;before is possible and how can it be coded.
;
;The virus is devided to two partz: Win32 part and Linux part. Every
;part is able to infect both of PE and ELF filez. This source is
;designed to be compiled by TASM under Win32, nevertheless it can
;infect Linux programz and so then it will be able to be executed
;in Linux environment (and there it is also able to infect
;Win32 part, which can be executed in Win32 environment etc etc etc...).
;
;Win32 part:
;ÄÄÄÄÄÄÄÄÄÄÄÄ
;
;Virus infects PE filez by overwritting .reloc section, so it does not
;enlarge host file size. Filez that don't have .reloc section, big
;enough for virus code, can't be infected (explorer.exe can be used to
;test infection capabilities). It can pass thru directory tree by well
;known "dotdot" method ("cd ..") and there infects all PE and ELF
;filez - virus does not check extensionz, it analyses victim's internal
;format and then decidez whata do.
;When all filez are passed and/or infected virus will execute host code.
;
;Linux part:
;ÄÄÄÄÄÄÄÄÄÄÄÄ
;
;Virus infects ELF filez by overwritting host code by viral code. The
;original host code is stored at the end of host file. It can infect
;all filez (both of PE and ELF) in current directory, also without
;checking file extensionz.
;When all filez are passed and/or infected virus will restore host code
;(overwrite itself by original host code) and execute it.
;
;
;Well, you are probably asking how it is possible that virus can infect Win32
;appz from Linux environment and Linux appz from Win32 environment. Yeah,
;many ppl already asked me. For instance, under some emulator. There exist
;some emulatorz (win4lin, wine etc..) which are often used to execute Win32
;appz under Linux. Also, I know many ppl that have partition specially
;reserved for CD burning, where they store both of Win32 and Linux programz.
;Virus executed from there has no problemz with infection, heh ;)
;
;
;Does this virus work? Heh, sure it does. I tested it on Win98, Win2000 and
;RedHat 7.0, and it worked without any problemz. However, if you will find
;any problemz, don't by shy and send me a bug report ;-P
;
on trouve se document dans le zine de 29A le numéro 6
# du même groupe 29A
Posté par modr12 . En réponse à la dépêche Virus multiplate-formes Linux et Windows. Évalué à 2.
; 3 Win32/Linux.Winux 3
; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
; ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
; 3 by Benny/29A 3
; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
;
;
;
;Heya ppl,
;
;lemme introduce you my first multi-platform virus, the worlds first
;PE/ELF infector. The idea of first Win32/Linux virus came to my head
;when I was learning Linux viruses. I'm not Linux expert, I couldn't
;code for Linux in assembler - I am familiar with Intel syntax, AT&T
;is a bit chaotic for me. However, I decided to learn more about Linux
;coding and left my place of newbee. I was always fascinated of Linux
;scene and low-level programming under Linux but I never knew much
;about it.
;
;I wanted to code virus for Linux and learn from it. But becoz there
;already exist some viruses and I knew I won't be able to bring any
;new technique, I decided to code something unique -> Win32/Linux
;compatible multi-platform infector. And here you can find the result
;of my trying. Now, after all, I've got some valuable experiencez and
;I'm glad for that. Coding/debugging in Linux was hard for me, but I
;had fun and I learned a lot. And that's the most important.
;
;
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;3 Technical details 3
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
;
;The virus itself ain't much. It's not big, it's not complicated,
;it's not resident nor polymorphic.. I wanted to be the virus like
;this. Just to show something new, show that something never seen
;before is possible and how can it be coded.
;
;The virus is devided to two partz: Win32 part and Linux part. Every
;part is able to infect both of PE and ELF filez. This source is
;designed to be compiled by TASM under Win32, nevertheless it can
;infect Linux programz and so then it will be able to be executed
;in Linux environment (and there it is also able to infect
;Win32 part, which can be executed in Win32 environment etc etc etc...).
;
;Win32 part:
;ÄÄÄÄÄÄÄÄÄÄÄÄ
;
;Virus infects PE filez by overwritting .reloc section, so it does not
;enlarge host file size. Filez that don't have .reloc section, big
;enough for virus code, can't be infected (explorer.exe can be used to
;test infection capabilities). It can pass thru directory tree by well
;known "dotdot" method ("cd ..") and there infects all PE and ELF
;filez - virus does not check extensionz, it analyses victim's internal
;format and then decidez whata do.
;When all filez are passed and/or infected virus will execute host code.
;
;Linux part:
;ÄÄÄÄÄÄÄÄÄÄÄÄ
;
;Virus infects ELF filez by overwritting host code by viral code. The
;original host code is stored at the end of host file. It can infect
;all filez (both of PE and ELF) in current directory, also without
;checking file extensionz.
;When all filez are passed and/or infected virus will restore host code
;(overwrite itself by original host code) and execute it.
;
;
;Well, you are probably asking how it is possible that virus can infect Win32
;appz from Linux environment and Linux appz from Win32 environment. Yeah,
;many ppl already asked me. For instance, under some emulator. There exist
;some emulatorz (win4lin, wine etc..) which are often used to execute Win32
;appz under Linux. Also, I know many ppl that have partition specially
;reserved for CD burning, where they store both of Win32 and Linux programz.
;Virus executed from there has no problemz with infection, heh ;)
;
;
;Does this virus work? Heh, sure it does. I tested it on Win98, Win2000 and
;RedHat 7.0, and it worked without any problemz. However, if you will find
;any problemz, don't by shy and send me a bug report ;-P
;
on trouve se document dans le zine de 29A le numéro 6