
VX Heaven


Source code of computer viruses

The Bugger - Virus for MS-DOS by The Slug


The Slug

1996-12-01

Download bugger.zip (4739 bytes)

Released in 29A#1 magazine

Author's comments

Its first difference from a normal COM virus is the tricky resident check; it's designed to avoid lamers writing the typical resident program which returns the residency code and forces the virus not to install in memory. To avoid that, the virus makes an extra check of a random byte in the memory copy; if the check fails, it jumps to a simulated HD formatting routine }:).

Another interesting feature is the tunneling routine. It uses the common code trace method, but it starts tracing from the PSP call to int 21h instead of from the normal int 21h vector, in order to avoid a resident antivirus stopping trace mode. This call is supported for compatibility with older DOS versions and it has some little differences from the normal int 21h handler: first, the function code is passed in the cl register (not in ah as usual) and second, the function to call can't be higher than 24h. These differences are handled by the O.S. in a separate routine which then jumps to the original int 21h handler, so the tunneling routine only skips the first 'compatibility' routines and gets the real int 21h address :).

The last big feature is the infection method; the virus infects COM files by changing a call in the host code to point to it. This call may be any one between the second and the fifth. This is done by intercepting int 21h service 4bh (exec): when a COM file is executed, the virus changes its first word into an int CDh call; it intercepts this int and jumps to int 21h. When the host starts running, it executes the int CDh and then the virus takes control; it restores the host's first word and changes int 01h to trace the host in order to find a call to infect }:) The use of int CDh could be avoided by tracing int 21h until the host code, but that way we have the same problem with resident antivirus.

And that's all folks :), enjoy it.

