merckens@dbf.kun.nl (Merckens A) (02/11/91)
The last few days I have read the discussion about detecting bootsector and partition table viruses. What struck me was that the solution I have been using for over a year now is still unknown to the net. The solution, which can be found in BOOTCOMP.ZIP, is based on methods used by these viruses (to catch a thief ....).

Just like William A. Gatliff (gt154@prism.gatech.edu), I have created a program to read and save the bootsector and partition table to a file. But what is new, or at least what I have not seen from others, is that the program - BOOTCOMP.exe - that compares the "current" bootsector and partition table with the saved one uses the ORIGINAL BIOS interrupts.

"How does the program know where the original BIOS interrupts are?", you may ask, "since they are different for each machine, depending on the BIOS and hard disk controller". Well, the answer is surprisingly simple. Even though I am not an assembler whiz, I managed to write a piece of code in assembler. This piece of code replaces the bootsector of a floppy disk, and should be written to the bootsector of this disk. This can be done by a program in the BOOTCOMP package (BOOTPUT.exe). Of course, before doing this, the computer should have been booted from an uninfected system disk. The file BOOTCOMP.exe should also be copied to the disk with the new bootsector. After this has been done, the computer should be booted from this floppy.

The code in the bootsector then catches the original BIOS interrupts and patches them into the file BOOTCOMP.exe. Since no software, except in ROM, will be executed before executing the bootsector code, it is 100% sure that the interrupts saved are the original BIOS interrupts (assuming installation of the new bootsector in an uninfected system). When the program BOOTCOMP.exe is called, it uses the original interrupts to get the "current" bootsector and partition table. So even if a virus has taken the interrupts, we will indeed get the true information, and the comparison is correct.
I am sure that this method can detect ALL bootsector and partition table viruses, also the ones that have yet to be developed by malicious persons. However, since I only have access to one bootsector virus, maybe other netters will test if this statement holds true. I will upload the BOOTCOMP package to SIMTEL. As should be done more often, the complete source code is included.

Arjen Merckens
Internet: ambase@rugr86.rug.nl, merckens@cana.can.nl
Bitnet  : hgrrug5@ambase
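As an added illustration of the comparison step described in the post (this is not code from the BOOTCOMP package, and the sector images below are constructed samples), here is a Python comparator that parses the four partition entries at offset 0x1BE of a 512-byte sector 0 image and reports whether the boot code, an individual partition entry or the 55AA signature differs from the saved copy. Reading sector 0 through the original BIOS interrupt is the part the post's assembler handles and is not reproduced here.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE        # four 16-byte partition entries start here
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid sector 0
ENTRY_FMT = "<B3xB3xII"          # boot flag, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(sector: bytes) -> list:
    """Decode the four partition entries of a 512-byte sector 0 image."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        boot_flag, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, off)
        entries.append({"index": i, "bootable": boot_flag == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries


def compare_sectors(saved: bytes, current: bytes) -> dict:
    """Compare the saved copy of sector 0 with a freshly read one and report
    which region differs: boot code, individual partition entries or signature."""
    if len(saved) != SECTOR_SIZE or len(current) != SECTOR_SIZE:
        raise ValueError("sector images must be exactly 512 bytes")
    report = {"identical": saved == current, "boot_code_changed": False,
              "signature_changed": False, "changed_partitions": []}
    if report["identical"]:
        return report
    report["boot_code_changed"] = saved[:PART_TABLE_OFFSET] != current[:PART_TABLE_OFFSET]
    report["signature_changed"] = saved[510:] != current[510:]
    for old, new in zip(parse_partition_table(saved), parse_partition_table(current)):
        if old != new:
            report["changed_partitions"].append(old["index"])
    return report


def make_sample_sector(boot_code: bytes) -> bytes:
    """Constructed sample image: given loader bytes plus one bootable FAT16 partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x06, 63, 40000)
    sector[510:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed test data: the "saved" image and two altered copies of it.
SAVED = make_sample_sector(b"\xfa\x33\xc0\x8e\xd0")   # placeholder loader bytes, not a real loader
LOADER_ALTERED = b"\xeb\x1c\x90" + SAVED[3:]           # first loader bytes replaced, table untouched
TABLE_ALTERED = bytearray(SAVED)                       # same loader, partition 0 start moved
struct.pack_into(ENTRY_FMT, TABLE_ALTERED, PART_TABLE_OFFSET, 0x80, 0x06, 2048, 40000)
TABLE_ALTERED = bytes(TABLE_ALTERED)
```

A real check would pass the bytes returned by the trusted sector read as `current` and the file written at install time as `saved`; any non-identical report is grounds to boot from the clean floppy and inspect.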