| V386 | |
|---|---|
| Type | File virus |
| Creator | Qark |
| Date Discovered | 1996.02 |
| Place of Origin | Australia |
| Source Language | Assembly |
| Platform | DOS |
| File Type(s) | .exe |
| Infection Length | 422 bytes |
V386 was a memory-resident infector of MS-DOS .EXE files. Its distinguishing feature was the use of 80386 instructions and registers. It was written by Qark of VLAD and first appeared in issue 6 of VLAD magazine in February 1996.
Behavior
When executed, the virus first checks for the presence of an 80386 or later processor: the I/O Privilege Level (IOPL) bits of the flags register are set to 01h (2000h) and written back with a POPF instruction; if the bits read back as non-zero, the CPU is an 80386+.
Next, the virus checks whether it is already memory-resident: INT 21h is called with EAX='VLAD', and if EAX='ROCK' is returned the virus is already resident. Otherwise the virus goes resident and returns control to the host. Memory residency is achieved through standard Qark code: if the host's MCB is the last MCB in the chain, the virus shrinks that MCB and the 'top of memory' field of the host's PSP. INT 21h is then hooked directly.
Apart from the residency check, the INT 21h handler infects .EXE files on 'execute' calls. The virus does not check file extensions; instead it checks the file for an 'MZ' header. Files whose 'maxmem' field in the MZ header is not set to 0FFFFh, and NewEXE files, are avoided. Files are marked as infected by placing 'VL' in the MZ checksum field (offset +12h).
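As an added example (not code from VLAD or from the original write-up), the following Python reads the MZ header fields the virus inspects and reports whether an image already carries the 'VL' marker, would qualify for infection, or would be skipped; useful for triaging a suspect .EXE. The new-format test via the relocation-table offset is an assumption, since the page does not say how the virus itself recognises NewEXE files.

```python
import struct

# DOS "MZ" header, first 1Ch bytes; the checksum word at offset 12h is kept as raw
# bytes because V386 stores its two-byte marker there.
MZ_HEADER = struct.Struct("<2s8H2s4H")
MARKER = b"VL"            # marker V386 writes into the checksum field (offset 12h)
NO_MAXMEM_LIMIT = 0xFFFF  # 'maxmem' value the virus requires before infecting


def classify_exe(data: bytes) -> dict:
    """Report what the V386 INT 21h handler would decide about an image.

    verdict: 'marked'    checksum field already holds 'VL' (treated as infected)
             'candidate' plain MZ file, maxmem == FFFFh, no marker
             'skipped'   not MZ, maxmem != FFFFh, or a new-format EXE header
    """
    if len(data) < MZ_HEADER.size or data[:2] != b"MZ":
        return {"verdict": "skipped", "reason": "no MZ signature"}
    f = MZ_HEADER.unpack_from(data)
    maxmem, csum, lfarlc = f[6], f[9], f[12]
    info = {"maxmem": maxmem, "csum": csum, "lfarlc": lfarlc}
    if csum == MARKER:
        info.update(verdict="marked", reason="'VL' in checksum field")
    elif lfarlc >= 0x40:
        # Assumption: a new-format (NE/PE-style) EXE is recognised by a relocation
        # table offset of 40h or more; the page does not say how the virus tests this.
        info.update(verdict="skipped", reason="new-format EXE header")
    elif maxmem != NO_MAXMEM_LIMIT:
        info.update(verdict="skipped", reason="maxmem field not FFFFh")
    else:
        info.update(verdict="candidate", reason="plain MZ, maxmem FFFFh, unmarked")
    return info


def build_sample(maxmem=0xFFFF, csum=b"\x00\x00", lfarlc=0x1C) -> bytes:
    """Constructed sample: a minimal 20h-byte DOS header over a RETF body, not a real program."""
    body = b"\xCB"
    hdr = MZ_HEADER.pack(b"MZ", len(body), 1, 0, 2, 0, maxmem, 0, 0x100, csum, 0, 0, lfarlc, 0)
    return hdr.ljust(0x20, b"\x00") + body


SAMPLES = {
    "clean": build_sample(),
    "marked": build_sample(csum=MARKER),
    "limited": build_sample(maxmem=0x0010),
    "newexe": build_sample(lfarlc=0x40),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(f"{name:8} -> {classify_exe(image)}")
```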
Variants
There are about six different versions of V386, most with an infection length between 420 and 440 bytes. One variant, however, is 653 bytes. Some antivirus products call some of these variants "Assignation".
Sources
Original research by JPanic aka @JPanicVX