
VX Heaven


CSV - Virus for MS-DOS by The Soul Manager

Virus for MS-DOS

The Soul Manager

1997-09-05


Author's notes

This is just a quick test virus. Many anti-virus programs do not deeply scan (i.e. emulate) a file if it contains recognized clean start-up code. The idea being tested here is a virus that uses such code. In a normal compiled program, execution starts at the high-level compiler's standard library start-up stub, which does all it needs (allocates memory, hooks certain interrupts, sets up stack, parses command-line and more), then calls the user level main routine (this IS main in C). The program then does whatever it is supposed to, and returns (just like any function) a value to terminate with. Then the compiler's exit stub takes over (closes files, deallocates memory, etc.) and terminates.

The idea behind this virus is to use exactly that structure in the virus. The start-up code is executed, main is called, main returns, the program cleans up, and terminates. Two exceptions here =). Firstly, main has been replaced with a polymorphic decryptor, that decrypts and executes the virus. (Note that the polymorphic decryptor is in the same location as main... it _IS_ main!). Secondly, when going resident, the virus hooks INT 21h, and then returns to the high-level compiler's code. Therefore, it _DOES_ let _exit terminate (INT 21h, AH=4Ch). The thing is, the virus's INT 21h handler checks if it is an infected file's _exit terminating, and if it is, fixes up the memory allocation of the host, and the stack, then returns control to the original CS:IP.

PS. (I use the Turbo-C 3.0 startup code (TINY model), and standard library (SMALL model)).

