V386
Type File virus
Creator Qark
Date Discovered 1996.02
Place of Origin Australia
Source Language Assembly
Platform DOS
File Type(s) .exe
Infection Length 422 bytes

V386 was a memory-resident infector of MS-DOS .EXE files. Its distinguishing feature was its use of 80386 instructions and 32-bit registers. It was coded by Qark of VLAD and first appeared in issue 6 of VLAD magazine in February 1996.


Behavior

When executed, the virus first checks for the presence of an 80386 or later processor. It sets the I/O Privilege Level bits of the flags register to 01h (mask 2000h); if these bits remain non-zero after the flags are loaded with a POPF instruction, the CPU is an 80386 or later (earlier CPUs cannot hold that bit pattern).

Next, the 386 Virus checks whether it is already memory-resident: INT 21h is called with EAX='VLAD', and if EAX='ROCK' is returned, the virus is already resident. Otherwise the virus goes resident and returns control to the host. Memory residency is achieved through standard Qark code: if the host's MCB is the last MCB in the chain, the virus shrinks that MCB and lowers the 'top of memory' field of the host's PSP. INT 21h is then hooked directly.

Apart from the residency check, the INT 21h handler infects .EXE files on 'execute' calls. The 386 Virus does not check file extensions but instead checks the file for an 'MZ' header. Files whose 'maxmem' field in the MZ header is not set to 0FFFFh, and NewEXE files, are avoided. Files are marked as infected by placing 'VL' in the MZ checksum field (offset +12h).
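The infection marker described above is a usable detection signal. The following is an added example (not code from the page or from VLAD) that parses the MZ header fields the description relies on and flags a plain DOS EXE whose checksum field carries 'VL'; the new-executable heuristic (relocation offset of at least 40h and a valid e_lfanew pointing at an NE/PE/LE/LX signature) is this example's assumption, since the page does not say how the virus itself tells NewEXE files apart.

```python
import struct

# Standard MZ (DOS EXE) header field offsets used by the page's description.
MZ_MAGIC = b"MZ"
OFF_MAXALLOC = 0x0C      # the 'maxmem' field the virus requires to be 0FFFFh
OFF_CHECKSUM = 0x12      # checksum field, overwritten with 'VL' on infection
OFF_LFARLC = 0x18        # relocation-table offset; >= 0x40 leaves room for e_lfanew
OFF_LFANEW = 0x3C        # offset of the NE/PE/LE header in new-format executables
INFECTION_MARKER = b"VL"
NEW_EXE_SIGS = (b"NE", b"PE", b"LE", b"LX")

def classify_mz(data: bytes) -> dict:
    """Report MZ magic, maxmem == 0FFFFh, new-format status and the 'VL' marker;
    'suspicious' is set only for a plain DOS EXE matching the virus's target profile."""
    r = {"is_mz": False, "maxmem_ffff": False, "new_exe": False,
         "marker_present": False, "suspicious": False}
    if len(data) < 0x1C or data[:2] != MZ_MAGIC:
        return r
    r["is_mz"] = True
    r["maxmem_ffff"] = struct.unpack_from("<H", data, OFF_MAXALLOC)[0] == 0xFFFF
    r["marker_present"] = data[OFF_CHECKSUM:OFF_CHECKSUM + 2] == INFECTION_MARKER
    lfarlc = struct.unpack_from("<H", data, OFF_LFARLC)[0]
    if lfarlc >= 0x40 and len(data) >= 0x40:
        # New-executable heuristic (assumption; the page does not say how V386 tests this).
        lfanew = struct.unpack_from("<I", data, OFF_LFANEW)[0]
        r["new_exe"] = 0 < lfanew <= len(data) - 2 and data[lfanew:lfanew + 2] in NEW_EXE_SIGS
    r["suspicious"] = r["marker_present"] and r["maxmem_ffff"] and not r["new_exe"]
    return r

def make_header(checksum: bytes, maxalloc: int = 0xFFFF, new_sig: bytes = b"") -> bytes:
    """Build a constructed 64-byte MZ header (plus optional new-EXE stub) for testing."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<H", hdr, OFF_MAXALLOC, maxalloc)
    hdr[OFF_CHECKSUM:OFF_CHECKSUM + 2] = checksum
    if new_sig:
        struct.pack_into("<H", hdr, OFF_LFARLC, 0x40)   # relocations past the extended header
        struct.pack_into("<I", hdr, OFF_LFANEW, 0x40)   # new header starts right after 64 bytes
        return bytes(hdr) + new_sig
    struct.pack_into("<H", hdr, OFF_LFARLC, 0x1C)       # classic 28-byte header layout
    return bytes(hdr)

# Constructed samples: clean DOS EXE, marked DOS EXE, marked but maxmem != 0FFFFh,
# and a marked NE-style file (which the virus avoids, so its marker is coincidental).
CLEAN = make_header(b"\x00\x00")
MARKED = make_header(INFECTION_MARKER)
MARKED_LOWMEM = make_header(INFECTION_MARKER, maxalloc=0x0100)
MARKED_NE = make_header(INFECTION_MARKER, new_sig=b"NE")
```

Only `MARKED` is flagged as suspicious: the other samples either lack the marker or fall outside the file profile the virus infects, which keeps a scanner from raising on unrelated files that happen to have 'VL' in the checksum field.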

Variants

There are about six different versions of V386, most with an infection length of between 420 and 440 bytes. One variant, however, is 653 bytes. Some antivirus products may call some of these variants "Assignation".

Sources

Original research by JPanic, aka @JPanicVX
