[comp.virus] Preventing boot infectors

CCTR132@csc.canterbury.ac.nz (Nick FitzGerald) (01/31/91)

In V4 #17 (28 Jan 91) gt1546c@prism.gatech.edu (Gatliff, William A.) wrote:

>Pardon my input into something I know very little about, but I
>have a question/comment:
>I have observed that, according to a lot of the posts in this
>newsgroup, many of these viri infect the boot sector of a disk.
>
>To help combat this, what would be the possibility of 'deliberately'
>infecting one's boot-sector with a piece of code that would display
>some kind of 'ok' message if it hadn't been tampered with?
>
>For example, as the computer goes to boot, it loads the boot sector
>and prints something like 'All is ok as of ...<maybe insert a date
>here.> as instructed by the program that lies there (the one I *put*
>there.)  Ok.  Now, if the user doesn't see that message when he boots,
>he can suspect that all is not ok.  Maybe this piece of code would run
>some kind of check on itself to be sure it hadn't been relocated or
>something...

If you did this and the "All is OK" didn't come up you could well
suspect a boot sector infection, but I'm afraid this isn't a good
diagnostic.  Many boot sector infectors make a copy of the original
boot sector and store it somewhere "safe" on the infected disk/ette.
What happens at boot-up is that the virus code is loaded *as if* it
were a "proper" boot sector (the BIOS program that does this is very
"dumb" as regards the contents of the boot sector).  The viral code is
then executed as the boot sector code would be and it does whatever
(with STONED, for example, it installs itself at the top of memory and
reduces the amount of available memory, looks for an uninfected hard
disk to infect and so on).  The virus then loads the original boot
sector from its hiding place and passes control to the boot sector
code.  The machine then continues to boot "as normal".

If a virus such as STONED infected a machine with a cheery "All is OK"
message in the boot sector, you would continue to see this now
terribly misleading message after the STONED code loaded and passed
control to the original boot sector.

If the "All is OK" boot sector did a check of the actual (physical)
boot sector then it wouldn't give an erroneous message if the disk was
infected with STONED or similar boot sector infectors, but it would
still give a misleading report if a stealth boot sector infector
struck, as the virus would intercept the attempt to read the boot
sector and return the contents of the original from its hiding place.
(This seems to be a lot of extra code to jam into a single sector, so
to do this an "All is OK" boot program may have to deal with loading
in extra sectors of code, etc., remembering that you don't yet have
access to the DOS file handling calls to readily locate that code.)

- ---------------------------------------------------------------------------
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 Internet: n.fitzgerald@csc.canterbury.ac.nz        Phone: (64)(3) 642-337
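Added example, not part of the post above: a small Python simulation of the
three checks the post discusses. A disk is modelled as a list of sectors, the
BIOS loads and runs sector 0 blindly, a Stoned-like infector stashes the
original boot sector elsewhere and chains to it, and a stealth infector
additionally hooks the BIOS read path so that a read of sector 0 returns the
hidden original. The "All is OK" message text, the sector used as the hiding
place (sector 7) and the virus/boot-code strings are all constructed for this
simulation and are not taken from any real virus. The three scenario results
show the post's point: the message-only check never fires, the physical-sector
check catches the non-stealth infector, and only a read that bypasses the
resident hook (i.e. after booting from a known-clean disk) catches the stealth
one.

```python
import hashlib

SECTOR_SIZE = 512
BOOT = 0                      # sector the BIOS loads and executes
OK_MESSAGE = "All is OK as of 1991-01-31"   # constructed message text


def pad(code: bytes) -> bytes:
    """Pad a code blob to one sector (boot code must fit in 512 bytes)."""
    assert len(code) <= SECTOR_SIZE
    return code + bytes(SECTOR_SIZE - len(code))


def make_disk(n_sectors: int = 16) -> list:
    return [bytes(SECTOR_SIZE) for _ in range(n_sectors)]


def install_ok_boot(disk: list) -> str:
    """Write the user's 'All is OK' boot sector; return its fingerprint,
    which the user keeps off-disk for the physical-sector check."""
    disk[BOOT] = pad(b"OKBOOT: print message, then boot DOS")
    return hashlib.sha256(disk[BOOT]).hexdigest()


def infect(disk: list, hide_at: int, stealth: bool):
    """Model of a boot-sector infector: copy the original boot sector to a
    'safe' sector (hide_at is an assumption of this simulation), overwrite
    sector 0 with viral code that chains to the copy. A stealth variant also
    returns a hook for the BIOS read path (what a resident INT 13h handler
    does): reads of sector 0 are redirected to the hidden original."""
    disk[hide_at] = disk[BOOT]
    disk[BOOT] = pad(b"VIRUS: go resident, infect, chain to %d" % hide_at)
    if not stealth:
        return None
    return lambda sector: hide_at if sector == BOOT else sector


def bios_read(disk: list, sector: int, hook=None) -> bytes:
    """BIOS-style sector read; a resident stealth virus sits on this path."""
    if hook is not None:
        sector = hook(sector)
    return disk[sector]


def boot_message(disk: list) -> str:
    """What the user sees at boot. The BIOS runs sector 0 regardless of its
    contents; a virus there chains to the hidden original, so the original's
    message still appears."""
    code = disk[BOOT].rstrip(b"\0")
    if code.startswith(b"VIRUS:"):
        code = disk[int(code.rsplit(b" ", 1)[1])].rstrip(b"\0")
    return OK_MESSAGE if code.startswith(b"OKBOOT:") else "<no message>"


def check_by_message(disk: list) -> bool:
    """The original proposal: trust the disk if the message shows up."""
    return boot_message(disk) == OK_MESSAGE


def check_physical_sector(disk: list, fingerprint: str, hook=None) -> bool:
    """The improved proposal: re-read sector 0 via the BIOS and compare it
    with the known-good fingerprint. Pass hook=None to model a read made
    after booting from a clean disk (no resident virus on the read path)."""
    return hashlib.sha256(bios_read(disk, BOOT, hook)).hexdigest() == fingerprint


def run_scenarios() -> dict:
    """Returns, per scenario, whether each check reports 'OK' (True)."""
    results = {}

    disk = make_disk()
    fp = install_ok_boot(disk)
    results["clean"] = (check_by_message(disk), check_physical_sector(disk, fp))

    disk = make_disk()
    fp = install_ok_boot(disk)
    hook = infect(disk, hide_at=7, stealth=False)        # Stoned-like
    results["stoned"] = (check_by_message(disk),
                         check_physical_sector(disk, fp, hook))

    disk = make_disk()
    fp = install_ok_boot(disk)
    hook = infect(disk, hide_at=7, stealth=True)         # stealth infector
    results["stealth"] = (check_by_message(disk),
                          check_physical_sector(disk, fp, hook),   # fooled
                          check_physical_sector(disk, fp, None))   # clean boot
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The last tuple is the practical caveat: the only read the stealth virus cannot
lie to is one made while it is not resident, which is why boot-sector checks
are done after a cold boot from a write-protected, known-clean floppy.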