So the virus writer SPTH has returned to the scene, in some sense. He has written a DOS virus. And not just any DOS virus. This one is, wait for it, executable ASCII! Yay.
His inspiration is apparently the EICAR anti-virus test file; however, the only thing that they have in common is that they are both executable ASCII.
The EICAR anti-virus test file is so much more than just executable ASCII, and SPTH’s virus is so… not that.
The EICAR anti-virus test file uses a more restrictive character set than just the printable characters.
The EICAR anti-virus test file was designed to be short (it’s only 68 bytes of code/text).
The EICAR anti-virus test file was designed to be described easily by, for example, telephone. This rules out some characters such as quotation marks.
The EICAR anti-virus test file was also designed to be read unambiguously. This rules out characters such as ‘O’ and ‘0’, or space and underscore, since they are easily mistaken for each other.
Finally, because the EICAR anti-virus test file is self-modifying, it had to use a trick to avoid the prefetch-queue cache bug that exists on CPUs prior to the Pentium. The trick that the EICAR anti-virus test file uses to avoid the bug is to place the modified bytes beyond the end of the queue, and to use a branch instruction to reach it. In fact, the branch instruction is not required at all. It simply allows the execution to proceed more “cleanly”. The “EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$” string can be executed safely (there is no risk of illegal memory accesses, etc), so the branch instruction can be removed. Important registers are altered, but the alteration occurs in a predictable way that can be reversed.
Further, the pointer construction is inefficient, and can be achieved in fewer bytes. All these things are the basis for my 59-byte version. You know what they say – size does matter.
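To make the "executable ASCII" and self-modification points concrete, here is an added example that is not part of the original post: a throwaway interpreter, written for this illustration only, that covers just the handful of 16-bit opcodes the published EICAR test string uses (PUSH/POP, XOR/AND with immediates, SUB [BX],SI, INC BX, JGE, INT). It assumes the usual .COM conventions (image loaded at CS:0100h, CS=DS=SS, DOS leaving a zero word at the top of the stack) and models only the two DOS services the file calls. Running it shows the printable bytes decoding into instructions, the two SUB [BX],SI stores turning "H+" and "H*" into INT 21h / INT 20h, and that those patched bytes sit 44 bytes past the store that modifies them, which is what keeps a stale prefetch queue from executing the original "H+H*" bytes.

```python
# Added example (not from the original post): a tiny x86-16 interpreter covering only
# the opcodes in the EICAR test string, used to watch it decode and patch itself.

# The published EICAR test string (68 printable-ASCII bytes).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

ORG = 0x100                                              # .COM image loads at CS:0100h
REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]  # x86 register encoding order


def run_com(image: bytes, max_steps: int = 100) -> dict:
    """Execute a .COM image under the assumptions noted above; return what it did."""
    mem = bytearray(0x10000)                 # one 64 KiB segment, CS=DS=SS (assumption)
    mem[ORG:ORG + len(image)] = image
    r = {name: 0 for name in REG16}
    r["SP"] = 0xFFFE                         # DOS pushes a zero word at the top of the stack
    sf = of = 0                              # only SF/OF matter here (JGE tests SF == OF)
    ip = ORG
    printed, trace = [], []

    def rd16(a): return mem[a] | (mem[a + 1] << 8)
    def wr16(a, v): mem[a], mem[a + 1] = v & 0xFF, (v >> 8) & 0xFF
    def push(v): r["SP"] = (r["SP"] - 2) & 0xFFFF; wr16(r["SP"], v)
    def pop():
        v = rd16(r["SP"]); r["SP"] = (r["SP"] + 2) & 0xFFFF; return v

    for _ in range(max_steps):
        op = mem[ip]
        if 0x50 <= op <= 0x57:                           # PUSH r16
            push(r[REG16[op - 0x50]]); ip += 1
        elif 0x58 <= op <= 0x5F:                         # POP r16
            r[REG16[op - 0x58]] = pop(); ip += 1
        elif op == 0x35:                                 # XOR AX,imm16
            r["AX"] ^= rd16(ip + 1); ip += 3
        elif op == 0x25:                                 # AND AX,imm16
            r["AX"] &= rd16(ip + 1); ip += 3
        elif op == 0x34:                                 # XOR AL,imm8 (imm8 < 0x100, so only AL changes)
            r["AX"] ^= mem[ip + 1]; ip += 2
        elif op == 0x29 and mem[ip + 1] == 0x37:         # SUB [BX],SI: the self-modifying store
            a, b = rd16(r["BX"]), r["SI"]
            res = (a - b) & 0xFFFF
            sf, of = res >> 15, ((a ^ b) & (a ^ res)) >> 15
            wr16(r["BX"], res)
            trace.append(f"SUB [{r['BX']:04X}],SI: {a:04X} -> {res:04X}")
            ip += 2
        elif op == 0x43:                                 # INC BX (sets SF/OF, not CF)
            r["BX"] = (r["BX"] + 1) & 0xFFFF
            sf, of = r["BX"] >> 15, int(r["BX"] == 0x8000)
            ip += 1
        elif op == 0x7D:                                 # JGE rel8, taken when SF == OF
            rel = mem[ip + 1] - 0x100 if mem[ip + 1] > 0x7F else mem[ip + 1]
            ip += 2
            if sf == of:
                ip += rel
        elif op == 0xCD:                                 # INT imm8
            n = mem[ip + 1]
            trace.append(f"INT {n:02X}h (AH={r['AX'] >> 8:02X})")
            if n == 0x21 and r["AX"] >> 8 == 0x09:       # DOS fn 09h: print '$'-terminated string at DS:DX
                end = mem.index(ord("$"), r["DX"])
                printed.append(mem[r["DX"]:end].decode("ascii"))
            elif n == 0x20:                              # DOS INT 20h: terminate program
                break
            ip += 2
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {ip:04X}")
    else:
        raise RuntimeError("step limit reached without INT 20h")
    return {"printed": printed, "trace": trace,
            "patched_tail": bytes(mem[ORG + len(image) - 4:ORG + len(image)])}


def run_eicar() -> dict:
    """Run the EICAR string as a .COM program and report the decoded behaviour."""
    return run_com(EICAR.encode("ascii"))


if __name__ == "__main__":
    result = run_eicar()
    print("\n".join(result["trace"]))
    print("printed:", result["printed"])
    print("last four bytes after patching:", result["patched_tail"].hex(" "))
```

The trace shows the first store at 0140h (file offset 40h, the "H+" bytes) and the second at 0142h ("H*"), while the store instructions themselves sit at file offsets 14h and 18h; that 44-byte gap, plus the JGE that lands on the freshly written INT 21h, is the prefetch-queue trick the post describes.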
SPTH’s virus, on the other hand, is about as opposite as possible. It has no restrictions on the character set.
The decoder is large and repetitive (each byte is decoded individually, instead of using a loop and, for example, the IMUL 30 method or the Base64 method). It’s more than eight times larger than the virus code itself! The code is so large that the prefetch-queue cache bug is not a concern.
Oh, and it’s an overwriter of .com files in the current directory.
Another funny thing – DOS executes in a 16-bit environment, but the virus code saves and restores the 32-bit registers. Just in case something or other, I suppose.
So it seems that SPTH loves the 80s so much that he’s reliving them. If that means that all we’ll be seeing from him are viruses for a dead platform, that’s good news for us.
— Peter Ferrie