Leviathan | |
---|---|
Type | File virus |
Creator | Benny |
Date Discovered | 1999 |
Place of Origin | Czech Republic |
Source Language | Assembly |
Platform | MS Windows |
File Type(s) | .exe |
Infection Length | 3,236 bytes |
Leviathan is a Windows 32-bit virus coded in 1999 by Benny. It is the first multi-threaded, semi-polymorphic, anti-debugging, anti-heuristic virus for 32-bit Windows. It is also the first virus to attempt to simulate neural nets. Antivirus products often mistake the virus for Benny's Millenium because of some similarities between the two.
Behavior
When a file infected with Leviathan is executed, it spawns seven threads from its main function. Each thread has a limited set of abilities, communicating and passing control to other threads.
The virus scans victim files for the GetModuleHandleA and GetModuleHandleW functions, which it uses to gain access to Windows kernel functions. If it finds them, it stores the addresses of the functions in its installation routine. If it does not find the functions, it will not affect the file.
Payload
The virus keeps a generation counter for each new infection. When it has reached 30 generations, it will display a message.
Win32.Leviathan (c) 1999 by Benny
Hey stupid !
This is gonna be your nightmare...
30th generation of Leviathan is here... beware of me !
Threads are stripped, ship is sinkin'...
Greetz: Darkman/29A
Super/29A
Billy Belcebu/DDT
and all other 29Aers...
Special greet:
Arthur Rimbaud
New milenium is knockin on the door...
New generation of viruses is here, nothing promised, no regret.
Variants
Several variants of the virus were coded by both Benny and other people. Most were likely by Benny, given that he encouraged people to email him to suggest improvements and fixes to the virus. At least one was by someone Benny considered a lamer, after someone posing as 29A member Z0mbie leaked the source code. All variants are between 3,040 and 3,432 bytes long.
Wildfire
Benny gave a copy of the source code to someone maliciously posing as Z0mbie on IRC (it was actually someone he considered a lamer, who usually goes by the name IntelServ), who either made a modified version of the virus or leaked it to someone who did.
This variant displays the message:
Win32.Wildfire (c) 1998 Magnic
I am/I can - The Wildfire virus.
-d e c o d e-
idwhereamif73hrjddhffidosyeudifr
ghfeugenekasperskydjfkdjisfatued
938rudandmydickisgrowingehdjfggk
The virus is actually from 1999, in spite of what the message says, and appeared shortly after the original.
Origin
Leviathan was coded some time in 1999 in the Czech Republic by Benny of the group 29A. It appeared in issue 4 of their magazine. When finished with the original, Benny shared the binary with friends who were interested.
Benny's intent when creating Leviathan was to create a virus simulating neural nets. The virus contains various functions, parameters and subroutines which are analogous to the cells and functions of a working brain, complete with neurons, dendrites, and axons. The virus however did not contain any learning abilities because Benny did not believe there was anything important for it to learn.
Benny described the virus as being very difficult to code. Synchronizing the virus's threads was the most difficult part. It was unoptimized and written to simulate a high-level language.
Name and Dedication
Leviathan was first mentioned in the Tanakh (Old Testament to Christians) as a sea monster. It may have originally been a whale, though the word "leviathan" can be used as an adjective describing any large sea creature. Leviathan is also one of four or seven princes of Hell and is important in LaVeyan Satanism.
The virus was dedicated to Jean Nicolas Arthur Rimbaud, a French poet known for his influence on modern literature. Rimbaud mentions Leviathan in one of his early poems, The Drunk Boat.
Sources
Benny.29A, Issue 4, Win32.Leviathan. 1999