	      Load and execute program, TbMem exploit  млллллм млллллм млллллм
			     Written by 	       ллл ллл ллл ллл ллл ллл
			    Darkman/29A 		мммллп плллллл ллллллл
						       лллмммм ммммллл ллл ллл
						       ллллллл ллллллп ллл ллл

ФФФФФФФФФФФФ
Introduction
ФФФФФФФФФФФФ

  When a program is terminated (function 00h, 31h and 4Ch), TbMem examines if
a interrupt has been set by comparing the interrupt vector table with its
lookup table. TbMem does nothing more than comparing the interrupt vector
table with its lookup table. TbMem doesn't examine every interrupt vector in
the interrupt vector table, below is an overview of the interupt vectors being
examined by TbMem:

  INT 08h (IRQ 0  System timer)
  INT 09h (IRQ 1  Keyboard)
  INT 10h (BIOS System Video Services)
  INT 13h (BIOS Fixed disk/FDD Services)
  INT 15h (BIOS System Services)
  INT 16h (BIOS Keyboard Services)
  INT 17h (BIOS Printer Services (LPT))
  INT 1Ah (BIOS Real-Time Clock Services)
  INT 1Ch (BIOS User Timer Tick)
  INT 20h (DOS Program Terminate)
  INT 21h (DOS Function call)
  INT 26h (DOS Absolute Disk Write)
  INT 28h (DOS Idle)
  INT 29h (DOS Fast Console Output)
  INT 2Ah (Local Area Network)
  INT 2Fh (Software Multiplex)
  INT 40h (BIOS Diskette Service)
  INT 50h (BIOS Reserved)
  INT 70h (IRQ 8  AT Real Time Clock)
  INT 76h (IRQ 14 AT Fixed Disk)

ФФФФФФФФФФФ
The exploit
ФФФФФФФФФФФ

  When a program is executed (function 4B00h), the lookup table is recreated.
This means if a virus makes changes in the interrupt vector table and then
afterwards execute or just tries to execute some other program. TbMem will be
unable to detect any changes in the interrupt vector table, since the lookup
table will be identical to the interrupt vector table. To avoid TbMem
detecting changes in the interrupt vector table simply include the following
code in your virus after the interrupt vectors has been set:

	     mov     ax,4b00h		 ; Load and execute program
	     int     21h

ФФФФФФФФФФФ
Final notes
ФФФФФФФФФФФ

  This technique could easily be combined with the Server function call DOS
exploit, making the exploit even more powerful. A example of how to use the
Server function call DOS exploit can be found in Carriers, which is included
in 29A Magazine issue 2.

  I don't know for how long the above described exploit has been working, but
it seems like Qark already knew about this exploit long ago. A example of this
TbMem exploit can also be found in Padania, which is included in VLAD Magazine
issue 7.

  I've documented another TbMem exploit, which amazingly enough still works.
You can find the article, which I've named "ThunderBYTE Anti-Virus API's", in
Source of Kaos Magazine issue 3. It exploits both TbMem and TbScanX.