|Place of Origin||Australia|
|File Type(s)||.asm, .com*, .exe*|
|Infection Length||431 bytes|
When an infected file (an executable assembled from an infected .ASM file) is run, ASMVirus immediately enters an ASCII FindFirst/FindNext (INT 21h AH=4Eh/4Fh) loop searching for "*.asm". Only the first uninfected file is infected. The infection process begins by renaming the victim file to '*.as0' and setting its attributes to 'hidden'. A new .ASM file containing the virus is created in its place. This new .ASM file begins with a 2-byte comment: ";~". This is the infection marker: files beginning with these 2 bytes are considered infected.
Next is the rest of the assembler header: a code segment is declared and all segment registers are 'assumed' to be this segment, an 'org 100h' directive is given (the starting address of the assembled file), and the 'radix' is set to 10 (decimal). A label 'start:' is emitted, and then the virus itself is added to the .ASM file in the form of 'db' (declare byte) statements. 10 bytes of virus are emitted per line in base 10 (decimal).
Once the virus body is complete, ASMVir ends the .ASM file with an 'ends' directive to end the segment and an 'end start' to conclude the program and declare the 'start' label as the entry point of the assembled executable. According to Qark, these .ASM files run under MASM, TASM and a86, and run as both .COM and .EXE files.
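The traits described above (the ";~" marker at offset 0, a body of decimal 'db' lines with 10 values each, and the renamed '*.as0' original) can be checked in a source tree with a short triage script. This is an added example, not part of the original research; the function names, the sample file and its segment name "cseg" are constructed for illustration, and the sample body is inert zero bytes.

```python
import re
from pathlib import Path

MARKER = b";~"  # 2-byte infection marker at offset 0, per the description
DB_LINE = re.compile(r"^\s*db\s+(\d{1,3}(?:\s*,\s*\d{1,3})*)\s*$", re.I)

# Constructed sample: same layout as described, body replaced by inert zeros.
# The segment name "cseg" is an assumption; the page does not give it.
SAMPLE = b"""\
;~
cseg segment
assume cs:cseg,ds:cseg,es:cseg,ss:cseg
org 100h
.radix 10
start:
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0
db 0,0,0
cseg ends
end start
"""

def inspect_asm(data: bytes) -> dict:
    """Report which of the described traits a .ASM file's contents show."""
    counts = []
    for line in data.decode("latin-1").splitlines():
        m = DB_LINE.match(line)
        if m:
            values = [int(v) for v in m.group(1).split(",")]
            if all(v <= 255 for v in values):
                counts.append(len(values))
    return {
        "marker": data.startswith(MARKER),
        "db_bytes": sum(counts),
        # every db line except possibly the last carries exactly 10 values
        "ten_per_line": bool(counts) and all(n == 10 for n in counts[:-1]),
    }

def scan_dir(root: Path) -> list:
    """Return (path, report) for each .ASM file that starts with the marker."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".asm":
            report = inspect_asm(path.read_bytes())
            if report["marker"]:
                # the original source is renamed to *.as0 (and set hidden)
                report["as0_sibling"] = path.with_suffix(".as0").exists()
                hits.append((path, report))
    return hits
```

The marker alone can match a legitimate source file that happens to open with ";~", so a hit is strongest when the 'db' layout and the '.as0' sibling are present as well.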
ASMVirus includes the text string:
ASMVirus by Qark/VLAD
Original research by JPanic aka @JPanicVX