T762102@DM0LRZ01.BITNET (02/23/90)
Gonzalo M. Rojas Costa <LISTVIR@USACHVM1.BITNET> writes:

> This virus only copies itself to the address 9800h:0000. It doesn't
> install itself resident with INT 27 or the function 31H. If I execute a
> big program (that occupies the segment 9800h), this program erases the
> virus from memory and a crash will occur.

Sorry, this is a misunderstanding, due to my poor English. What I meant was not that the virus is a TSR program, but that once you run an infected application, it will stay in memory permanently (until the next reboot, of course :-) ). I call such a virus memory resident, since it is resident in memory all the time. What I do *not* call a memory resident virus is a virus which gets its code executed only when one executes an infected application.

> For that reason I don't find the name 1559 appropriate for this
> virus. Besides, the size of the virus is 1554 bytes. So I don't
> see the reason for that name.

Agreed. So let's call it the 1554 virus. (John McAfee?)

> The 32 bytes overwritten can be found at offset (14,15)*16+1271 in
> the infected program that I disassembled. (It seems that the offset
> where the overwritten bytes are located is (14,15)*16+number, and
> number depends on the size of the program being infected.)

Nope. The number is hard coded in the virus body. Here is the relevant portion of the code:

        org     xxx
        push    ds
        push    cs
        pop     ds
        lea     si,[4F7h]
        mov     di,100h
        mov     cx,20h
        rep     movsb

This code restores the original bytes into their place. It is executed just after the virus has performed a jump to cs+[0Eh]:0. Therefore the full address of xxx is (cs+[0Eh])*10h. The instruction lea si,[4F7h] actually loads SI with the number 4F7h (1271 decimal). rep movsb moves 20h (32 decimal) bytes from DS:SI to ES:DI. And we have DS == CS (push cs; pop ds). Therefore, the bytes are taken from (full address) (CS+[0Eh])*10h+4F7h. To eliminate the value of the CS register, just remember that the file was loaded at address CS:100h (i.e., the full address is CS*10h+100h).

I speak here only of the .COM files. Now, if we subtract the two values, we get (CS+[0Eh])*10h+4F7h-(CS*10h+100h) = [0Eh]*10h+3F7h from the beginning of the file. And 3F7h is just 1015 decimal --- the number I stated in my previous posting. I repeat, this is true only for the .COM files.

BTW, has any of the other antivirus researchers produced a program which is able to disinfect the files from this virus? And even to restore their original size? I spoke with David Chess and he told me that he prefers the "delete the infected files and restore them from backups" method. But bear in mind that the guy from Taiwan (was he from there?) is in trouble --- and may not have the appropriate backups. (We all miss them just when we need them :-).)

Vesselin
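The offset arithmetic in the posting above, carried through in code as an added example (it is not part of the original message and not a disinfector anyone on the list wrote). It computes, for a .COM file, the file offset [0Eh]*10h+3F7h at which the 32 overwritten bytes are saved, and copies them back over the start of the file image, the file-level counterpart of the rep movsb the posting quotes. The name seg_word stands for the word the posting writes as [0Eh] (Gonzalo's "(14,15)"); where it is stored is not stated in the thread, so it is taken as a parameter here. The "infected" image is constructed by hand and contains no virus code, only filler and the saved bytes at the derived offset.

```python
"""Added worked example: recover the 32 saved original bytes of a .COM file
using the offset derived in the posting.  Not code from the original thread.

Assumptions (not stated in the thread):
  - seg_word is the word written as [0Eh] / (14,15) in the posting, the
    paragraph count added to CS before the virus's far jump.
  - The sample image built below is constructed; it is not an infected file.
"""

SAVED_BYTES_LEN = 0x20      # rep movsb with CX = 20h -> 32 bytes
LEA_OFFSET = 0x4F7          # lea si,[4F7h]: offset of the saved copy in the body
COM_LOAD_OFFSET = 0x100     # a .COM file is loaded at CS:100h


def saved_bytes_file_offset(seg_word: int) -> int:
    """Offset, from the start of the .COM file, of the 32 saved bytes.

    Full address of the copy:      (CS + seg_word) * 10h + 4F7h
    Full address of the file start: CS * 10h + 100h
    Difference (CS cancels out):    seg_word * 10h + 3F7h
    """
    return seg_word * 0x10 + (LEA_OFFSET - COM_LOAD_OFFSET)


def restore_original_head(image: bytes, seg_word: int) -> bytes:
    """Return a copy of image whose first 32 bytes are the saved originals.

    This mirrors the quoted code (mov di,100h; mov cx,20h; rep movsb) at the
    file level.  Nothing is truncated: the posting does not establish how the
    original file size could be restored, so that is left alone.
    """
    off = saved_bytes_file_offset(seg_word)
    if off + SAVED_BYTES_LEN > len(image):
        raise ValueError(
            "saved-bytes offset lies outside the file; "
            "seg_word or the file is not what this routine expects")
    saved = image[off:off + SAVED_BYTES_LEN]
    return saved + image[SAVED_BYTES_LEN:]


def build_sample(seg_word: int, original_head: bytes) -> bytes:
    """Construct a stand-in for an infected .COM image (constructed data).

    Layout: 32 arbitrary bytes where the original head used to be, filler up
    to the derived offset, the saved original head, and a short tail.
    """
    if len(original_head) != SAVED_BYTES_LEN:
        raise ValueError("original_head must be exactly 32 bytes")
    off = saved_bytes_file_offset(seg_word)
    overwritten_head = b"\xAA" * SAVED_BYTES_LEN          # constructed
    filler = b"\xCC" * (off - SAVED_BYTES_LEN)            # constructed padding
    tail = b"\xCC" * 16                                   # constructed padding
    return overwritten_head + filler + original_head + tail


if __name__ == "__main__":
    ORIGINAL_HEAD = bytes(range(SAVED_BYTES_LEN))   # constructed original bytes
    SEG_WORD = 0x0012                               # constructed [0Eh] value
    sample = build_sample(SEG_WORD, ORIGINAL_HEAD)
    print(f"seg_word=0: saved bytes at file offset {saved_bytes_file_offset(0)} "
          f"(3F7h), as stated in the posting")
    print(f"seg_word={SEG_WORD:#06x}: saved bytes at file offset "
          f"{saved_bytes_file_offset(SEG_WORD):#x}")
    restored = restore_original_head(sample, SEG_WORD)
    print("restored head matches original:",
          restored[:SAVED_BYTES_LEN] == ORIGINAL_HEAD)
```

With seg_word = 0 the function returns 1015 (3F7h), the figure the posting gives; any other value of the word simply shifts the location by 16 bytes per paragraph, which is the dependence Gonzalo observed and attributed to file size.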