                              
                           Quiz #3
                             By
                         Horny Toad



Try and see how many of these you can answer without your
notes.  Most of them should be fairly easy.  They should be
common knowledge if you want to advance in virus writing.
Again, like the previous quizes, don't sweat it.  Use these
questions as a reminder of the concepts that you need to
learn.



Questions for Quiz 3

1. Describe the difference between the int 27h and the MCB manipulation
   techniques in going resident.
2. Why is the MCB technique more preferred?
3. How is conventional memory divided up?
4. What are the essential attributes of a resident virus?
5. Why is a self-recognition routine necessary in resident code?
6. Where is the MCB located in relation to its corresponding block of
   memory?
7. What is the difference in using int 27h and int 21h function 31h?
8. What information can be derived from the MCB?
9. What are the benefits/disadvantages of prepending vs. appending
   int 27h virii?
10. Where is the IVT located?
11. Describe two techniques in changing the IVT to point to your ISR.
12. Describe the normal interrupt process.
13. What considerations need to be taken when program execution is
    transferred to your custom ISR?
14.   Where is the number 1 location to find out information on individual         
      interrupts?
15.   Describe certain precautions that you can take in experimenting with  
      actual virus code.                                    



(Brief) Answers to Quiz 2


1. What is meant by the delta offset?
The amount at which the main body virus code has moved down passed the
main body of the host program.
2.   What is the value of the delta offset during the first
run of the virus?
Zero.
3.   What would happen if the virus didn't check the host
for previous infection?
The infected program would increase from several infections and be
caught in a semi-loop of several virus runs.
4.   What information can we get from the DTA?
File name, attributes, time, date, size.
5.   Where is the DTA located?
Offset 80h of the PSP.
6.   What happens when the "call" instruction is initiated?
A near call pushes the IP onto the stack and loads the offset of
the called procedure into the IP.  It then reverses the procedure
on return.
7.   What instruction does e9 hex equate to?
JMP.
8.   What is the significance of DX when AH=3fh and int 21
is issued?
Address of the input area.
9.   Describe the procedure in checking whether a file has
previously been infected with this virus.
You can use a marker byte or do a comparison of the file size with
the jump to the main virus body and the size of the virus. (Clearly
defined in the tutorial)
10.  What value is CX after "xor CX,CX" has been done?
Zero.
11.  What is the purpose for doing an int 20 during the
first run of the virus?
The virus is the host program, you can't expect it to run twice.
12.  What parameters does the AH=4fh in next_bug use?
The same attributes from the find first file instruction (AH=4eh).
13.  What does the pop instruction do?
Transfers info, previously pushed on to the stack, to a specified
destination.
14.  When used in code, what does the term "offset" mean?
The offset is a displacement, or location, from a specific point,
typically off a segment register.
15.  Do "mov DX,OFFSET whatever" and "lea DX,whatever"
produce the same result in DX?
Essentially, yes.