Type File virus
Creator Bumblebee
Date Discovered 1999.12.20
Place of Origin Spain
Source Language Assembly
Platform MS Windows
File Type(s) .exe
Infection Length 2,757 bytes

Luna is a memory resident, polymorphic virus coded by Bumblebee. It appeared in the fourth issue of 29A magazine, which was the first issue Bumblebee's works appeared in.


When a file infected with Luna is executed, Luna hooks CreateFileA and VxDCall to become memory resident. Files are infected when they are opened or run. Luna increases the size of the last section of the file and places itself in it. The virus contained a simple polymorphic engine.

It will avoid infecting any file with the characters AV*.*, DR*.*, F-*.*, AN*.*, CE*.*, PI*.*, and TB*.*, causing it to avoid most antivirus programs of the time.


On the 15th day of every odd month (January, March, May…) Luna switches upper and lowercase letters of every .txt file the user opens. The virus contains a bug that causes it to sometimes destroy files it infects.


Luna was coded by Bumblebee in Spain in 1999. It appeared in issue 4 of 29A magazine and was one of the first viruses Bumblebee contributed to the magazine. Bumblebee himself did not provide any dates for when he started or finished it, but the earliest samples appeared on the 20th of December in 1999.


Bumblebee was originally working on a 32-bit windows virus Deus when he realized he had a part Win32 and Win9x virus. He decided to explore the Win9x part in more detail and started work on Luna. He looked at some other viruses for inspiration on how to go memory resident, looking st Nigr0's K32 and Griyo's HPS.

Instead, he went his own way on this, hooking CreateFileA, which caused him to marvel at how many ways there are to load a file in memory. He described it as “cute to patch” though exactly what this means is uncertain given English was not his first language. Allocating memory from VxDCall was an idea he took from Griyo to make the virus hardest to detect in memory and make antivirus people do more work.

He originally wanted to do a cavity infector, similar to CIH, but was dissatisfied at how the file size grew as a result of choosing this method. Bumblebee described the polymorphism as “unexpected” but it became a necessity to keep the antivirus people on their toes. Luna’s polymorphic engine would take six hours of coding and was an xor loop with variable opcodes.


Bumblebee. 29A Magazine, Issue 4, Win9x.Luna. 1999

Kaspersky Lab. SecureList, Win95.Luna.

Trend Micro, PE_LUNA.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License