The virus installs itself at the top of the current free memory block in a 1 kB slot using DOS memory allocation functions.
The virus size is bytes, and it installs itself at offset h in the allocated block. The virus goes resident via the INT 27h TSR call. A flag set during infection determines the method by which exit is made into the host program. The virus code is appended to the host without any padding. A dummy critical error handler is installed during infection to suppress error messages, and the file attribute is cleared and restored afterwards.
The INT 08h handler, which is only installed June-December, counts to and then patches a word in the virus installation code (this might be a bug; it would cause subsequent generations to crash during installation) and toggles the video enable bit in the video controller 10 times, with a software delay loop in between toggles.
X86 Exceptions and Interrupts. Fault - an exception that can generally be corrected; once corrected, the program can continue. The return address points to the faulting instruction. Trap - an exception that is reported immediately after the execution of the trapping instruction.
Study the code below if you do not understand the above explanation: The above code gets the segment and offset of the existing INT 21h handler and puts them in the two variables.
It is important to save the old interrupt segment and offset, so that we can still chain to the old handler without crashing the computer.
The IVT can be found at segment:offset , the lowest possible part of memory. Because the entry for each interrupt is 4 bytes (two words) long, you can find the address of an interrupt's entry by multiplying the interrupt number by four.
For example, to obtain the segment and offset of the old INT 21h handler by reading directly from the interrupt vector table, use the code below: Basically the result is the same as for the other code, but reading directly from the IVT can sometimes prevent triggering heuristic virus scanners. You can use whichever method you prefer. Now that we have the original INT 21h handler segment and offset, it is time to set our own interrupt handler for INT 21h.
Once again, this can be done in one of two ways. The first way is to use function 35h of INT 21h. Below is the code that does this: Of course, we will still redirect calls to the old INT 21h handler when the virus is not involved in the function being requested.
The second way to set an interrupt handler is by directly modifying the interrupt vector table. You simply find the offset of the new handler and put it at address h, and put the segment of the new handler at h.
Examine the code below: Now that the new interrupt handler is set up, it's time to put our virus in memory. There are various ways of doing this (modifying the memory control blocks, etc.). The TSR interrupt is numbered 27h, and the only input it needs is DX, which should hold the size of the memory-resident code:
The virus is now memory resident, and the program will return to the operating system. Now that we have written the code to go memory resident and set the interrupt handler, it is time to write the actual code of the new INT 21h handler.