Tracevir
Type: File virus
Creator: Qark
Date Discovered: 1996.02
Place of Origin: Australia
Source Language: Assembly
Platform: DOS
File Type(s): .com
Infection Length: 838 bytes

'TraceVir' is a simple memory-resident infector of MS-DOS .COM files, written to test Qark's VSTE engine. It appeared in Issue 6 of VLAD magazine in February 1996.


Behavior

When executed, TraceVir begins by saving the flags and all registers, which its EPO (Entry-Point Obscuring) nature requires since control arrives from the middle of the host. After testing whether it is already memory-resident, TraceVir allocates memory using Qark's standard method: it reduces the host's MCB if it is the last MCB in the chain, and lowers the 'top of memory' field of the host's PSP. INT 21h is then hooked directly. TraceVir then restores the flags and registers, restores the host's patched bytes, and returns control to the host.

Besides handling TraceVir's residency check, the INT 21h handler infects .COM files on 'execute' calls. TraceVir does not check file extensions; instead it detects .COM files by the absence of an MZ marker. TraceVir uses the VSTE engine to place a 'JMP NEAR' to the virus somewhere in the middle of the host rather than at the start, and appends the virus body to the end of the file. Files are marked as infected by setting the low 5 bits of the time-stamp to 02h. The virus is not encrypted.

TraceVir contains the text strings:

TraceVir by Qark/VLAD
This virus tests the VSTE engine
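As an added example (not code from the page, from VLAD, or from the virus itself), a small Python heuristic that a scanner could apply to the indicators described above: the low 5 bits of the DOS time-stamp set to 02h, the absence of an MZ header, the minimum infection length, and the embedded text strings. The sample file bytes and time-stamps are constructed.

```python
from typing import Dict, List, Tuple

# Indicators taken from the page's description (defender-side constants, not virus code).
MARKER_LOW5 = 0x02          # low 5 bits of the DOS time field set by TraceVir
INFECTION_LENGTH = 838      # bytes appended to the host
TEXT_STRINGS: List[bytes] = [b"TraceVir by Qark/VLAD", b"This virus tests the VSTE engine"]


def dos_time_fields(dos_time: int) -> Tuple[int, int, int]:
    """Split a 16-bit FAT/DOS time word into (hours, minutes, seconds).
    Layout: bits 15-11 hours, bits 10-5 minutes, bits 4-0 seconds/2."""
    return (dos_time >> 11) & 0x1F, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2


def make_dos_time(hours: int, minutes: int, seconds: int) -> int:
    """Pack clock fields into a DOS time word (seconds are stored halved)."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def has_infection_marker(dos_time: int) -> bool:
    """TraceVir forces the low 5 bits to 02h, i.e. a seconds field of exactly 4."""
    return (dos_time & 0x1F) == MARKER_LOW5


def looks_like_com(data: bytes) -> bool:
    """TraceVir treats any file without an MZ header as a .COM target."""
    return not data.startswith(b"MZ")


def scan_file(data: bytes, dos_time: int) -> Dict[str, object]:
    """Combine the indicators; 'infected' needs the marker, a .COM-like header,
    room for the 838-byte body and at least one of the known text strings."""
    found = [s.decode() for s in TEXT_STRINGS if s in data]
    result = {
        "com_candidate": looks_like_com(data),
        "time_marker": has_infection_marker(dos_time),
        "long_enough": len(data) >= INFECTION_LENGTH,
        "strings_found": found,
    }
    result["infected"] = all([result["com_candidate"], result["time_marker"],
                              result["long_enough"], bool(found)])
    return result


# Constructed samples: a clean 100-byte .COM and a synthetic file carrying the indicators.
CLEAN = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x90" * 96          # mov ah,4Ch / int 21h / nops
SYNTHETIC = b"\xE9\x00\x00" + b"\x90" * 900 + TEXT_STRINGS[0] + b"\x00" * 20  # constructed, not a virus

if __name__ == "__main__":
    print(scan_file(CLEAN, make_dos_time(12, 30, 10)))
    print(scan_file(SYNTHETIC, make_dos_time(12, 30, 4)))
```

Only the time-stamp marker is cheap enough to check over a whole volume; the string match is what keeps the heuristic from flagging every .COM file that happens to have a seconds field of 4.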

Variants

The TraceVir family, sometimes known as the Midinfector family, also includes "Joan". Joan is 762 bytes; Midinfector is also 762 bytes, and another variant is 760 bytes.

Sources

Original research by JPanic aka @JPanicVX

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License