Z0MBiE 4a:
- PE infector (1st section alignment)
- ring0-resident via LDT
- i-am-here function using io callback
Z0MBiE 4b:
- Kewl polyengine demo.
- PE infector (last section appending, multiple infections allowed, max 255)
- ring0-resident via LDT
- i-am-here function using io callback
Z0MBiE 4c:
- PE infector (poly, last section appending)
- ring0-resident via LDT+SEH, standard on-IFS-call file infecting
- i-am-here function using io callback
- kill AV VxDs when entered ring-0 (avp/web)
- ring3 PE-dropper to improve spreading; the dropper is the virus's own code (the virus just contains PE headers at startup)
  dropper functions:
  - scan drives for files, and simply access 'em (to infect in ring-0)
engines used: KME32 1.01, KILLAVXD 1.02