Linux.Grip (rel2)

This is both an encrypted and obfuscated virus for Linux. It's based on my old Linux.Tahorg virus (the kernel part was omitted for simplicity) and the following:

disassembler engines (which to use is specified in Makefile):
    lde32bin.inc - LDE32 engine by Z0mbie
    rgblde.inc - RBLDE engine by roy g biv
    mlde32.inc - MLDE32 engine by uNdErX
    catchy.inc - Catchy engine by sars
infect.asm/virus.asm - modified parts of Linux.Tahorg
bfi.bin - my BrainFuck interpreter
xtea* - XTEA encryption by Farshid Mossaiby
mk_key.asm - generates 16 random bytes of key and the BF program which, after execution, leaves this key on the tape

random is stolen from TZ#1 by Z0mbie, the seed is initialized by:

    (time(NULL) ^ getpid() ^ RDTSC.HI ^ RDTSC.LO)

sqrt is classical:

    int sqrt(int x)
    {
        register int r;
        x = (x + 1) >> 1;
        for (r = 0; x > r; x -= r++)
            ;
        return r;
    }

which i found on some site, sorry forgot the URL.

each byte of the key (n) is decomposed into multiplicands (x, y) and a remainder (t), so that the product x * y is the closest number to n:

    x = y = sqrt(n);
    while ((t = (x * y)) < n)
        y++;
    t -= n;
    assert((x * y - t) == n);

then we produce the program that multiplies the factors:

    #define S(c) *code++ = c;
    #define M(c,n) for (i = 0; i < n; i++) S(c)

    S('>');
    M('+', x)
    S('[');    /* loop x times: add y to the cell on the left */
    S('<');
    M('+', y)
    S('>');
    S('-');
    S(']');

and add the remainder:

    if (t < 0) {
        t = -t;
        cmd = '+';
    } else {
        cmd = '-';
    }
    M(cmd, t);
    S('>');

the resulting program is quite simple. surely, we may produce a much more sophisticated bf program, but all this shit was done only to play with the old idea of using interpreters inside the virus to obfuscate its code or, as in my case, the encryption key. the bf program pigtailed on the virus is not encoded (though it can be done effectively since BF has only 8 instructions, 3 bits per instruction, see bfmerge.c from the BF distribution on my page). as i said, the virus lacks optimizations and many features, a sort of a "test".
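An added example for analysts, not part of the virus source: because the key program is appended unencoded and every key byte is emitted in the same fixed shape by the macros described above, a scanner can locate 16 consecutive segments in a file and read each byte back as x*y minus (or plus) t without running the BF program at all. The regex is derived from the emission sequence on this page; 8-bit tape cells, the _segment helper and the sample bytes are assumptions constructed for the demo.

```python
import re

# One key byte, as emitted by the generator macros on this page:
#   '>' '+'*x '[' '<' '+'*y '>' '-' ']' then t times '-' (or '+'), then '>'
SEG = rb">(\+*)\[<(\+*)>-\](-*|\+*)>"
KEY_LEN = 16  # the page: mk_key.asm generates 16 random key bytes
PROGRAM = re.compile(b"(?:" + SEG + b"){" + str(KEY_LEN).encode() + b"}")


def recover_key(data: bytes):
    """Return (offset, key) for the first key program in data, else None."""
    m = PROGRAM.search(data)
    if m is None:
        return None
    key = bytearray()
    for seg in re.finditer(SEG, m.group(0)):
        x, y, rem = seg.groups()
        t = len(rem)
        # '-' run: n = x*y - t ; '+' run: n = x*y + t (the page's remainder step)
        n = len(x) * len(y) + (t if rem.startswith(b"+") else -t)
        key.append(n & 0xFF)  # assumption: 8-bit tape cells
    return m.start(), bytes(key)


def _segment(x, y, t):
    """Constructed test data only: one segment in the shape described above."""
    return b">" + b"+" * x + b"[<" + b"+" * y + b">-]" + b"-" * t + b">"


# Constructed sample: 64 bytes of fake ELF header, then a 16-segment program.
TRIPLES = [(8, 9, 7), (4, 4, 0), (16, 16, 1), (1, 2, 0)] * 4
SAMPLE = b"\x7fELF" + bytes(60) + b"".join(_segment(*t) for t in TRIPLES)

if __name__ == "__main__":
    offset, key = recover_key(SAMPLE)
    print(f"key program at offset {offset}, key = {key.hex()}")
```

A hit is also a usable static signature: 16 back-to-back segments of this shape are unlikely to occur in a benign ELF file.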