[comp.virus] EB21 or PrintScreen virus

deepak@shakti.ernet.in (12/03/90)

Recently we encountered a virus, which SCAN detects as the PrintScreen
Virus.  This virus is a boot sector based virus and writes to the hard
disk if the machine is booted with an infected floppy. If one reads
the code, its first instruction is EB21; this code uses interrupts 5
and 6D. To my wonder, how does it write to the hard disk, because no
occurrences of interrupt 13 are seen?  Does anyone know about it?  The
detector which we had installed (on the basis of int 13) had been
bypassed!  Can the hard disk be written without use of BIOS int 13?
(We have XTs & ATs)

Has anyone experienced similar phenomena?
Thanks.

- -------------------------------------------------------------------------
       /\           Quality is the continuing stimulus which causes us to
      /  )          create the world in which we live.
      ( /           All of it.
       V            Every last bit.
     _/\_
    |    |o
    |    |0.
    |    |                                      deepak@shakti.ernet.in

CHESS@YKTVMV.BITNET (David.M.Chess) (12/05/90)

deepak@shakti.ernet.in asks how the PrintScreen virus can read/write
disks without doing INT13s (and therefore without being caught by some
INT13-hooking anti-virus program).  I don't want to give enough detail
to be of help to future virus writers, but in general boot viruses get
control early enough that they can easily access the INT13 call-chain
down below the level at which any given DOS program (or even DOS
itself) has woven itself in; that is, they can just call the "real"
INT13 code directly, without ever doing an actual INT13.  Many boot
viruses, including the PrintScreen, do this; no magic...  DC

frisk@rhi.hi.is (Fridrik Skulason) (12/06/90)

deepak@shakti.ernet.in writes:
>Can the hard-disk be written without use of BIOS int 13? (We have XT & ATs)

Yes, in numerous ways - many Bulgarian viruses do this, by the use of
an obscure INT 2FH function, which enables them to bypass any program
monitoring INT 13H.

Other viruses do this by a direct JMP into ROM.

In the case of boot sector viruses, any INT 13H monitoring program is
useless, because the virus gains control of INT 13 before the
monitoring program is executed.

- -frisk

- --
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |
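Both replies above make the same defensive point: an INT 13H monitor loaded from DOS cannot see what a boot sector virus does, because the virus has already run and can reach the BIOS code below the monitor's hook. The practical check is therefore not to monitor INT 13 calls but to compare the boot sector itself against a baseline captured after booting from known-clean media. The C program below is an added example written for this thread, not code from any poster or from SCAN: it validates the 55AA boot signature, decodes the leading short/near jump (the thread's sample starts with EB 21) to show where the boot code entry lies, and compares a sector against a stored checksum. The sample sectors, the FNV-1a checksum and all function names are constructed assumptions for illustration.

```c
/* Added example (not from the thread): baseline check for a boot sector.
 * An INT 13h monitor loads after the boot sector has already run, so a
 * defender instead compares the sector, read after a clean boot, against
 * a stored baseline. All sample sectors below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE 512

/* Return 1 if the sector ends with the 0x55 0xAA boot signature. */
int has_boot_signature(const uint8_t *sec) {
    return sec[510] == 0x55 && sec[511] == 0xAA;
}

/* Decode the jump at offset 0 (EB rel8 short jump, or E9 rel16 near jump)
 * and return the offset of the first instruction it lands on, or -1 if the
 * sector does not start with a jump. A DOS boot sector normally opens with
 * such a jump over the BPB; the sample in the thread begins with EB 21. */
int boot_code_entry(const uint8_t *sec) {
    if (sec[0] == 0xEB) return 2 + (int8_t)sec[1];
    if (sec[0] == 0xE9) return 3 + (int16_t)(sec[1] | (sec[2] << 8));
    return -1;
}

/* 32-bit FNV-1a over the whole sector: a change detector against a baseline
 * taken from a known-clean boot (an assumed choice, not a security hash). */
uint32_t sector_fnv1a(const uint8_t *sec) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < SECTOR_SIZE; i++) {
        h ^= sec[i];
        h *= 16777619u;
    }
    return h;
}

/* 0 = matches baseline, 1 = sector changed, 2 = no boot signature at all. */
int check_against_baseline(const uint8_t *sec, uint32_t baseline) {
    if (!has_boot_signature(sec)) return 2;
    return sector_fnv1a(sec) == baseline ? 0 : 1;
}

/* Build a constructed sample sector: "jmp short rel8; nop", filler bytes,
 * and optionally the 55AA signature. Used only to exercise the checks. */
void make_sample_sector(uint8_t *buf, uint8_t jmp_rel, uint8_t fill, int with_signature) {
    memset(buf, fill, SECTOR_SIZE);
    buf[0] = 0xEB;      /* jmp short */
    buf[1] = jmp_rel;   /* rel8 displacement */
    buf[2] = 0x90;      /* nop */
    if (with_signature) {
        buf[510] = 0x55;
        buf[511] = 0xAA;
    }
}

int main(void) {
    uint8_t clean[SECTOR_SIZE], later[SECTOR_SIZE];

    /* Baseline captured after a clean boot (constructed here). */
    make_sample_sector(clean, 0x21, 0x00, 1);
    uint32_t baseline = sector_fnv1a(clean);
    printf("baseline checksum: %08x, code entry at offset %d\n",
           baseline, boot_code_entry(clean));

    /* Later read: one byte in the boot code differs from the baseline. */
    memcpy(later, clean, SECTOR_SIZE);
    later[100] ^= 0xFF;
    printf("later sector: %s\n",
           check_against_baseline(later, baseline) == 0 ? "matches baseline"
                                                        : "CHANGED, investigate");
    return 0;
}
```

The check is only as good as the read it is given: the sector must be read after booting from write-protected, known-clean media, for exactly the reason the thread states, since a virus already resident below the BIOS hook chain could otherwise serve a clean-looking copy.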