AsmVirus
ASM Virus
Type: File virus
Creator: Qark
Date Discovered: 1996.04
Place of Origin: Australia
Source Language: Assembly
Platform: DOS
File Type(s): .asm, .com*, .exe*
Infection Length: 431 bytes

ASMVirus is a direct-action infector of .ASM (Assembler Source Code) files. It was coded by Qark of VLAD and appeared in VLAD's April Fool's Edition alongside another concept virus, Systa.

Behavior

When an infected file (an executable assembled from an infected .ASM file) is run, ASMVirus immediately enters an ASCII FindFirst/FindNext (INT 21h AH=4Eh/4Fh) loop searching for "*.asm". Only the first uninfected file is infected. The infection process begins by renaming the victim file to '*.as0' and setting its attributes to 'hidden'. A new .ASM file containing the virus is created in its place. This new .ASM file begins with a 2-byte comment: ";~". This is the infection marker; files beginning with these 2 bytes are considered infected.

Next comes the rest of the assembler header: a code segment is declared and all segment registers are 'assumed' to be this segment, an 'org 100h' directive is given (the starting address of the assembled file) and the 'radix' is set to 10 (decimal). A label 'start:' is emitted, and then the virus itself is added to the .ASM file in the form of 'db' (declare byte) statements. 10 bytes of virus are emitted per line in base 10 (decimal).

Once the virus body is complete, ASMVirus ends the .ASM file with an 'ends' directive to end the segment and an 'end start' to conclude the program and declare the 'start' label as the entry point of the assembled executable. According to Qark, these .ASM files assemble under MASM, TASM and a86, and run as both .COM and .EXE files.

ASMVirus includes the text string:

ASMVirus by Qark/VLAD
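
The file-level traces described above (the ";~" marker, a body made up of decimal 'db' lines, and a renamed '*.as0' original) can be checked for in a source tree. The following is an added example, not part of the original research or of any existing tool; the function names, the 50% threshold, the two-indicator rule and the sample files are assumptions, and the sample 'db' values are zero placeholders.

```python
import re
import tempfile
from pathlib import Path

MARKER = b";~"  # 2-byte comment the page names as the infection marker
# One generated body line: 'db' followed by comma-separated decimal byte values.
DB_LINE = re.compile(rb"^\s*db\s+\d{1,3}(\s*,\s*\d{1,3})*\s*$", re.I)

def inspect_asm(path, siblings):
    """Return the indicators from the description that one .asm file shows."""
    data = path.read_bytes()
    lines = [ln for ln in data.splitlines() if ln.strip()]
    db = [ln for ln in lines if DB_LINE.match(ln)]
    reasons = []
    if data.startswith(MARKER):
        reasons.append("marker")
    if lines and len(db) / len(lines) >= 0.5:  # threshold is an assumption
        reasons.append("db-body")
    if path.stem.lower() + ".as0" in siblings:  # renamed original kept alongside
        reasons.append("as0-sibling")
    return reasons

def scan(root):
    """Map file name -> indicators for .asm files showing two or more of them."""
    entries = [p for p in Path(root).iterdir() if p.is_file()]
    siblings = {p.name.lower() for p in entries}
    hits = {}
    for p in sorted(entries):
        if p.suffix.lower() == ".asm":
            reasons = inspect_asm(p, siblings)
            if len(reasons) >= 2:
                hits[p.name] = reasons
    return hits

def build_sample(root):
    """Constructed sample tree; the 'db' values are zero placeholders, not virus bytes."""
    root = Path(root)
    body = "\n".join("db " + ",".join(["0"] * 10) for _ in range(20))
    header = ";~\ncode segment\nassume cs:code,ds:code,es:code,ss:code\norg 100h\n.radix 10\nstart:\n"
    (root / "hello.asm").write_text(header + body + "\ncode ends\nend start\n")
    (root / "hello.as0").write_text("; original source, renamed\n")
    (root / "notes.asm").write_text(";~ a comment that happens to match\nmov ax,4c00h\nint 21h\n")
    (root / "clean.asm").write_text("code segment\nmov ax,4c00h\nint 21h\ncode ends\nend\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, reasons in scan(tmp).items():
            print(name, reasons)
```

The 'hidden' attribute on the '*.as0' file is not checked here because it is not exposed portably; requiring two indicators keeps an ordinary source file that merely opens with a ";~" comment from being flagged.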

Sources

Original research by JPanic aka @JPanicVX

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License