AT is a resident file virus that occupies 144 bytes at 0000:0350 in the
interrupt table. It attaches to the end of COM files. AT is one of the
smallest resident viruses.
AT intercepts DOS function 4Bh (load program) and infects all executed
programs that do not begin with 'M'. This way only "true" COM files
AT recognises itself in memory and on disk by comparing the first word
of itself (8B60h) to where it would expect to find itself (at offset
0000:0350 in interrupt table or 140 bytes from the end of file).
Although virus occupies 144 bytes while resident, it is only 140 bytes
on disk because it doesn't need to store the last 4 bytes -- these
contain the address of a FAR CALL instruction which virus uses to
pass the control back to DOS. The virus uses this internally by calling
DOS via INT F7h which is where this doubleword is located in memory.
All kinds of other optimising tricks are used, such as addressing the
INT 21h handler at 0035:0035 (eliminating some installation instructions).
Wherever possible instructions are doing double or triple duty. There is
no error checking, even if one of the DOS calls fails all the rest of
them are still called as if no error had occurred.
All interrupts vectors from D4h to F6h are overwritten by this virus
when it installs itself over the interrupt vector table. The virus
actually hooks only INT 21h, though. Virus revectors original INT 21h
to INT F7h for it's own use.
Virus relies on DOS setting up the SI register to be 100h when COM
files are execute (this is almost always the case). AT virus also
uses the PUSHA and POPA instructions which are not supported on the 8086.
There are several minor variants of this virus. Their sizes range
from 132 to 149 bytes.
A later variant of this virus. Smallest virus in this group is only
108 bytes long. Other variants' size varies between 114 and 122 bytes.