Proto-T - Virus for MS-DOS by Urnst Kouch


Published in Crypt newsletter 9

Author's notes

Assemble with any MASM/TASM compatible assembler.

On call, PROTO-T will manipulate the interrupt table directly, hooking int 21h and decreasing the amount of memory by a little over 1k. It will infect COMMAND.COM if a shell is installed while the virus is in RAM. At start, PROTO-T polls the system time. If it is after 4:00 in the afternoon, the speaker will issue a hideous ringing noise and the hard file will be read very quickly, faking a massive Michelangelo-style trashing. The disk will continue to read until the user restores control by booting. (I took this slick routine from the first issue of "Computer Virus Developments Quarterly," edited by Mark Ludwig, American Eagle Publishing, Tucson, AZ.) The disk effect is harmless, but unsettling to those surprised by it. Heh.

Files infected with PROTO-T will generally function normally until 4 in the afternoon, when the virus locks them up until the next day by way of the nuisance routines described above. Infected files have the ASCII string, 'This program is sick. [PROTO-T by Dumbco, INC.]' appended to them at the end where the body of the virus is located.

PROTO-T is not currently scanned. However, its modifications are easily flagged by a good file integrity checker. For example, Dr. Solomon's Toolkit picked PROTO-T changes off an infected disk with both the QCV (quick check virus) and CHKVIRUS (CHECKVIRUS) utilities. Unfortunately, the novice user is left on his own by the Toolkit to determine the cause of the changes - a drawback which diminishes the software's value considerably, IMHO.

I encourage you to play with PROTO-T by Dumbco. It is a well-behaved resident virus, useful in demonstrating the behavior of simple resident infectors and how they can "pop-up" suddenly and ruin your day. Of course, files infected by PROTO-T are, for all intents and purposes, useless for future computing unless you like the idea of a resident virus keeping you company and freezing up your work late in the afternoon.

Known incompatibilities: PROTO-T will behave weirdly on machines using SYMANTEC's NDOS as a command processor. And some caches will cause PROTO-T to hang the machine immediately. For best results, plain vanilla MS-DOS 4.01 and MS-DOS 5.0 with or without memory management seem to work fine. (Ain't this somethin': software advisories with a virus!)

Code for PROTO-T was obtained from Nowhere Man's VCL 1.0 assembly libraries, & our European friends Dark Helmet and Peter Venkmann with their very complete code archives (in particular, the CIVIL_II template). The 'scarey ' subroutine was excerpted from "Computer Virus Developments Quarterly", Vol. 1., No.1.
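The notes above say an integrity checker flags PROTO-T's changes but leaves the user to work out the cause. The following is an added example, not code from the original page or its author: it compares files against a size and SHA-256 baseline and, for files that grew, checks the tail for the ASCII marker the notes quote. The function names, the 2048-byte tail window and the constructed stand-in files in `demo()` are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Marker string quoted in the notes above; it is appended with the virus body.
MARKER = b"This program is sick. [PROTO-T by Dumbco, INC.]"
TAIL_BYTES = 2048  # assumption: window large enough to cover a small appended body

def fingerprint(path):
    """Return (size, sha256 hex digest) for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return len(data), hashlib.sha256(data).hexdigest()

def has_marker(path):
    """Search only the file tail, where an appending infector puts its body."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - TAIL_BYTES))
        return MARKER in fh.read()

def triage(baseline):
    """Compare files to a known-good baseline and name a likely cause."""
    report = {}
    for path, (old_size, old_hash) in baseline.items():
        size, digest = fingerprint(path)
        if digest == old_hash:
            report[path] = "unchanged"
        elif size > old_size and has_marker(path):
            report[path] = "grew %d bytes, PROTO-T marker in tail" % (size - old_size)
        else:
            report[path] = "changed, cause unknown"
    return report

def demo():
    """Constructed stand-in files only: the flagged one is filler plus the marker."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("A.COM", "B.COM", "C.COM")]
    for p in paths:
        with open(p, "wb") as fh:
            fh.write(b"\x90" * 64 + b"\xc3")
    baseline = {p: fingerprint(p) for p in paths}
    for p, extra in ((paths[1], b"\x00" * 900 + MARKER), (paths[2], b"\x00" * 10)):
        with open(p, "ab") as fh:
            fh.write(extra)
    report = triage(baseline)
    return [report[p] for p in paths]

if __name__ == "__main__":
    print(demo())
```

The baseline has to be taken from files known to be clean and stored where a resident program cannot rewrite it, such as write-protected media.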

