
Writing Boot Viruses

                            Well, I guess you are an adventurous guy. I assume that you know a bit of assembly language. Boot viruses are very easy to design: their code resides in the boot sector of the disk. I also assume that you know how the system boots up, but for those who don't, here is a brief overview.

    step 1: Initialisation of ROM BIOS routines.
    step 2: Bootstrap loader (the boot sector is executed).
                On a floppy this is the DBR; on hard disks it is the MBR and then the DBR.
                (See DOS Diskette structure for DBR and MBR.)
    step 3: IO.SYS and MSDOS.SYS loaded.
    step 4: CONFIG.SYS executed.
    step 5: COMMAND.COM executed.
    step 6: AUTOEXEC.BAT executed.

    In step 2 we find that the boot sector is loaded and executed. This is the place where the virus latches on to infect the system. There are two methods by which a boot virus can be written. In the first, the entire virus is contained inside the boot sector itself. With this method the virus code is very small (< 512 bytes) and it cannot have many special features. In the second, the main virus code resides in some other location on the disk, and the boot sector only carries a small piece of code that loads and executes the main virus code when the boot sector runs. With this method the boot virus can be > 512 bytes and may have special features. For convenience let us name the two methods STYLE1 and STYLE2.

STYLE1:

        As we already saw, this style has the virus code in the boot sector. The original boot sector is shifted somewhere safe on the disk. During booting the virus is loaded by the small bootstrap loader of the BIOS and gets control from it. First it checks whether the hard disk is already infected; if not, it infects it. It then establishes itself in memory after capturing certain interrupts (normally int 13h). Then it loads the original boot sector from the saved location and gives control to it for the normal booting process. The user will usually not notice the delay, since the process is very fast. Once booting is complete the virus is active in memory. When a clean diskette is accessed the virus latches onto it, and that diskette now becomes a carrier of the virus. If this diskette is used to boot another system the virus infects that system too, and so on. A typical STYLE1 virus-infected boot sector is shown below. It may be an MBR in the case of a hard disk.

                    |--------------------|
                    |   Boot sector      |    Boot sector is loaded by the computer's BIOS at
                    |--------------------|    booting process.
                    |   JMP instruction  |
                    |   BPB of disk      |    The VIRUS code loads the original boot sector.
                    |   VIRUS code       |
                    |--------------------|

STYLE2:

        In this method the boot sector contains a small piece of code that loads the virus from a hiding location. This code is called the VIRUS LOADER PROGRAM (VLP). The VLP loads the main virus code and then gives control to it. The main virus code infects the hard disk if it is not infected already, then establishes itself in memory and captures interrupts (normally int 13h). Then it loads the original boot sector from the shifted location and gives control to it for normal booting. Some STYLE2 viruses carry their own bootstrap loader, so there is no need for the original boot sector. Once active in memory the virus infects any diskette that comes its way. A typical STYLE2 virus-infected boot sector is shown below. It may be an MBR in the case of a hard disk.

                    |---------------------|
                    |   Boot sector       | Boot sector is loaded by the BIOS itself.
                    |---------------------|
                    |   JMP instruction   |
                    |   BPB of disk       |
                    |   VIRUS code (VLP)  | VLP loads the main virus code from somewhere on the
                    |=====================| disk and gives control to it. The rest of the original
                    |   Rest of original  | boot sector is not executed since the VLP passes
                    |       boot sector   | control to the main virus code.
                    |   .....             |
                    |   .....             |
                    |---------------------|

    Note that both STYLE1 and STYLE2 viruses reduce the memory count at 40:13 (the BIOS data area word at 0040:0013h that holds the base memory size in KB). The amount of the decrease depends on the design of the virus, since that is where the resident code is hidden.
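The layout described above (JMP, BPB, boot code, 55AA signature) is what a defender checks when looking for an overwritten boot sector. The following is an added example, not code from this page or its author: it parses a 512-byte sector, sanity-checks the BPB, and compares a hash of the code region against a trusted baseline. The sample sectors are constructed inline (NOP-filled boot code, then a variant with different code bytes).

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
BPB_FORMAT = "<8sHBHBHHBHHH"  # OEM name through head count, stored from offset 3
BPB_NAMES = ("oem", "bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fats",
             "root_entries", "total_sectors", "media", "sectors_per_fat", "sectors_per_track", "heads")

def parse_boot_sector(sector: bytes) -> dict:
    """Split a 512-byte boot sector into the JMP target, the BPB and a hash of the code region."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    if sector[0] == 0xEB and sector[2] == 0x90:   # short JMP rel8 followed by NOP
        code_start = 2 + struct.unpack_from("<b", sector, 1)[0]
    elif sector[0] == 0xE9:                       # near JMP rel16
        code_start = 3 + struct.unpack_from("<h", sector, 1)[0]
    else:
        raise ValueError("boot sector does not begin with a JMP over the BPB")
    bpb = dict(zip(BPB_NAMES, struct.unpack_from(BPB_FORMAT, sector, 3)))
    bpb["oem"] = bpb["oem"].decode("ascii", "replace")
    return {"code_start": code_start, "bpb": bpb,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "code_sha256": hashlib.sha256(sector[code_start:510]).hexdigest()}

def audit_boot_sector(sector: bytes, trusted_code_sha256: str) -> list:
    """Findings a defender wants: missing signature, implausible BPB, or code that no longer matches."""
    info = parse_boot_sector(sector)
    bpb = info["bpb"]
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 55AA boot signature")
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes-per-sector %d" % bpb["bytes_per_sector"])
    if bpb["fats"] not in (1, 2) or not 0xF0 <= bpb["media"] <= 0xFF:
        findings.append("implausible FAT count or media descriptor")
    if info["code_sha256"] != trusted_code_sha256:
        findings.append("boot code differs from the trusted copy (possible overwrite)")
    return findings

def make_sample(code: bytes) -> bytes:
    """Constructed sample: JMP to 0x3E, a 1.44 MB floppy BPB, then the given code bytes."""
    head = b"\xEB\x3C\x90" + struct.pack(BPB_FORMAT, b"MSDOS5.0", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    return (head.ljust(0x3E, b"\x00") + code).ljust(510, b"\x00") + BOOT_SIGNATURE

CLEAN = make_sample(b"\x90" * 64)                    # NOP-filled boot code stands in for real code
TRUSTED_HASH = parse_boot_sector(CLEAN)["code_sha256"]
MODIFIED = make_sample(b"\xCC" * 64)                 # same BPB, different code bytes
```

On a real system the trusted hash would be taken from the sector as written by the OS installer, and the audit repeated on the live MBR/DBR.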

A sample boot virus:

    I've written a boot virus simply for study purposes. You may download the source from here. This boot virus is of STYLE2. It infects hard disks and floppy disks. Its VLP in the boot sector is encrypted and is only decrypted on booting. Most of the virus scanners do not detect this virus except for very few (detected as a Generic virus). It corrupts the CMOS configuration bytes on the 29th of every month. It also plays with the screen when the user has pressed the keys 1000 times. The source is fully documented and the technical details may be seen in the program itself. I've made it very simple and short. The download is a ZIP file containing the source of the virus, the regenerated COM file of the virus, and instructions on how to launch the virus. Please use this code only for study purposes.


    By going through the virus's source you will be able to get an idea about how boot viruses work. You can experiment on this program by adding effects of your own. Of course, you should know at least a bit of assembly language.

How to test whether the virus is active or not?

    First launch the virus on a clean bootable diskette by following the instructions in the ZIP file. Then restart the computer. Go to the setup menu and change the primary master to NONE; now the hard disk will not be visible to the virus. Save the setup and restart the computer. Insert the infected disk in the drive and try to boot from it. If it boots up, the virus is active in memory. Check this by running the MEM command, which will report the total base memory count as 638KB. This is because the virus has swallowed 2KB of memory, and it proves the virus is active in memory. Now insert a clean bootable diskette in the drive and access it. The virus should latch onto this diskette too; check this diskette the same way by booting from it. After you are done with it, restore the primary master setup back to USER (your own HDD's settings). Save the setup and restart. Make sure that you have removed the infected diskette from the drive.