
Z0MBiE 4a:

 - PE infector (1st section alignment)
 - ring0-resident via LDT
 - i-am-here function using io callback

Z0MBiE 4b:

 - Kewl polyengine demo.
 - PE infector (last section appending, multiple infections allowed, max 255)
 - ring0-resident via LDT
 - i-am-here function using io callback

Z0MBiE 4c:

 - PE infector (poly, last section appending)
 - ring0-resident via LDT+SEH, standard on-IFS-call file infecting
 - i-am-here function using io callback
 - kills AV VxDs (avp/web) on entering ring-0
 - ring3 PE dropper to improve spreading;
   the dropper is the virus's own code (the virus contains only PE headers at startup)
 dropper functions:
 - scans drives for files and simply accesses them (so they get infected in ring-0)

engines used: KME32 1.01, KILLAVXD 1.02
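The 4b/4c variants append the virus body to the last section and redirect the entry point into it. The following triage script is an added example and is not part of the Z0MBiE package or its author's code: it parses the PE section table, locates the section that contains AddressOfEntryPoint, and flags the "entry point in the last section, last section executable" layout that last-section appenders leave behind. The two PE images it runs on are constructed in the script (headers only, no code); the heuristic is a generic triage check, not a signature for this specific virus, and a real sample would be read from disk instead.

```python
"""Triage helper: locate the PE entry point and flag the classic
"entry point moved into an appended last section" layout.

Added example, not code from the Z0MBiE package. The PE images below are
constructed here for illustration; a real file would be read with
open(path, "rb").read().
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header (20 bytes) follows the 4-byte signature.
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    # AddressOfEntryPoint is at offset 16 of the optional header for both
    # PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _rel, _ln, _nrel, _nln, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vaddr": vaddr, "vsize": vsize,
            "rawptr": rawptr, "rawsize": rawsize,
            "chars": chars,
        })
    return entry_rva, sections


def section_for_rva(sections, rva):
    """Index of the section whose virtual range contains rva, or None."""
    for i, s in enumerate(sections):
        span = max(s["vsize"], s["rawsize"])
        if s["vaddr"] <= rva < s["vaddr"] + span:
            return i
    return None


def triage(data):
    """Flag entry point placement typical of last-section appenders."""
    entry_rva, sections = parse_pe(data)
    idx = section_for_rva(sections, entry_rva)
    last = sections[-1] if sections else None
    return {
        "entry_rva": entry_rva,
        "entry_section": None if idx is None else sections[idx]["name"],
        "entry_in_last_section": idx is not None and idx == len(sections) - 1,
        "last_section_executable": bool(last and last["chars"] & IMAGE_SCN_MEM_EXECUTE),
        "last_section_writable": bool(last and last["chars"] & IMAGE_SCN_MEM_WRITE),
    }


def build_pe(sections, entry_rva):
    """Build a headers-only PE32 image for testing (constructed data)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva,
                      0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    opt += b"\0" * (224 - len(opt))                            # pad to 0xE0
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr,
                    0, 0, 0, 0, chars)
        for name, vaddr, vsize, rawptr, rawsize, chars in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs


# Constructed samples: a clean layout, and the same file after the entry
# point has been redirected into an enlarged, now-executable last section.
CLEAN = build_pe([
    (b".text", 0x1000, 0x200, 0x400, 0x200, 0x60000020),
    (b".data", 0x2000, 0x100, 0x600, 0x200, 0xC0000040),
], entry_rva=0x1000)

APPENDED = build_pe([
    (b".text", 0x1000, 0x200, 0x400, 0x200, 0x60000020),
    (b".data", 0x2000, 0x900, 0x600, 0xA00, 0xE0000040),
], entry_rva=0x2100)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("appended", APPENDED)):
        print(label, triage(img))
```

Entry point in the last section is common in legitimate packed binaries too, so treat a hit as a reason to look closer (section slack, raw size versus virtual size, a 4c-style polymorphic decryptor at the entry), not as a verdict.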

Source