[comp.virus] A question on detecting viruses on bootable disks

damon@umbc2.umbc.edu (Damon Kelley; (RJE)) (09/15/89)

    I've recently read George Woodside's file on how viruses work
(obtained from SIMTEL20.ARPA, VIRUS101.001-004).  He says that a virus
latches on a read/write interrupt to spread itself.  Would the
instructions the interrupt calls be near or located at the first JMP
instruction in the boot sector?
    From reading a certain reference that concerns the programming of
the IBM PC, I have the impression that that JMP instruction in the
boot sector is quite consistent for the type of PC a user uses.  If
that JMP instruction is changed, does that signal a virus present, or
have virus writers skipped around that limitation and had the virus
write over what code is found at that JMP destination?

jnet%"damon@umbc"
damon@umbc.bitnet
damon@umbc2.umbc.edu

frisk@rhi.hi.is (Fridrik Skulason) (09/16/89)

A reply to "A question on detecting viruses on bootable disks (PC)" from
Damon Kelley.

>   I've recently read George Woodside's file on how viruses work
> (obtained from SIMTEL20.ARPA, VIRUS101.001-004).  He says that a virus
> latches on a read/write interrupt to spread itself.

Most of the boot sector viruses (BSV) do, but not all. The Yale/Alameda
virus hooks into the keyboard interrupt, and will only spread when the
Ctrl-Alt-Del combination is pressed. A program virus will of course
use an entirely different method.

> Would the instructions the interrupt calls be near or located at the
> first JMP instruction in the boot sector?

No. In fact the new interrupt routine does not have to be located in the
boot sector at all. Many BSV only store a small part of their code on the
boot sector, the rest (and the original boot sector) may be located
somewhere else on the diskette.

Most, (but not all) boot sectors contain a JMP instruction at the
start. All disks formatted by the FORMAT command contain either a 3-byte
JMP (DOS 2.x) or a 2-byte JMP (DOS 3.x and 4.x). This JMP instruction
transfers control to a sequence of instructions, usually starting like this:

		CLI
		XOR	AX,AX
		MOV	SS,AX
		MOV	SP,7C00
		:
		:

Most BSV replace the original boot sector with a new one. The new boot
sector may look very similar to an uninfected one, or it may be obviously
different (not containing the "Not a system disk" message, for example).
Note that the virus boot sector may contain the same instructions as listed
above.

>    From reading a certain reference that concerns the programming of
> the IBM PC, I have the impression that that JMP instruction in the
> boot sector is quite consistent for the type of PC a user uses.

No, no, no. If the boot sector starts with a JMP instruction at all
(and the boot sectors of many "autoboot" games don't) it does not depend
upon the type of machine, but rather the program used to format the
disk.

> If that JMP instruction is changed, does that signal a virus present,

Yes, but it is impossible to know if it has been changed, without keeping a
copy of the original boot sector.

> or have virus writers skipped around that limitation and had the virus
> write over what code is found at that JMP destination?

No - most of them just replace the boot sector.

         Fridrik Skulason          University of Iceland
         frisk@rhi.hi.is
         Guvf yvar vagragvbanyyl yrsg oynax .................
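A defender's version of the checks discussed in both posts, as an added example that is not part of the thread and not code by either poster: it parses the initial JMP of a 512-byte boot sector (2-byte EB short jump or 3-byte E9 near jump), follows it, looks for the CLI / XOR AX,AX / MOV SS,AX / MOV SP,7C00 prologue the reply lists, and then does the one test the reply says is actually reliable, comparing the sector against a stored copy (here, its SHA-256). The opcode encodings in the comments, the 55AA signature at offset 510, and all sample sectors are assumptions or constructed data, not anything taken from the thread.

```python
# Added example: structural checks on a PC boot sector plus a baseline
# comparison.  Nothing here is from the original posts.
import hashlib
import struct

SECTOR_SIZE = 512

# Assumed encodings of the prologue the reply lists:
#   CLI = FA, XOR AX,AX = 33 C0 (MASM) or 31 C0, MOV SS,AX = 8E D0,
#   MOV SP,7C00h = BC 00 7C.  Both XOR encodings are accepted.
PROLOGUES = (
    bytes.fromhex("FA33C08ED0BC007C"),
    bytes.fromhex("FA31C08ED0BC007C"),
)


def parse_initial_jump(sector):
    """Return (kind, target_offset) for the JMP at offset 0, else (None, None)."""
    op = sector[0]
    if op == 0xEB:                       # 2-byte short JMP rel8 (DOS 3.x/4.x FORMAT)
        rel = struct.unpack_from("<b", sector, 1)[0]
        return "short", 2 + rel
    if op == 0xE9:                       # 3-byte near JMP rel16 (DOS 2.x FORMAT)
        rel = struct.unpack_from("<h", sector, 1)[0]
        return "near", 3 + rel
    return None, None


def check_boot_sector(sector, baseline_digest=None):
    """Return a list of findings; an empty list means nothing looked off.

    Structural findings are only hints (an autoboot game legitimately has no
    JMP, and an infected sector may carry the very same prologue).  Only the
    comparison against a stored copy is conclusive.
    """
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["not a 512-byte sector"]
    if sector[510:512] != b"\x55\xAA":   # assumed boot signature, not from the thread
        findings.append("missing 55AA boot signature")
    kind, target = parse_initial_jump(sector)
    if kind is None:
        findings.append("no JMP at offset 0 (FORMAT-written sectors start with one)")
    elif not 0 <= target < SECTOR_SIZE:
        findings.append("initial JMP leaves the sector")
    elif not any(sector.startswith(p, target) for p in PROLOGUES):
        findings.append("no CLI/XOR AX,AX/MOV SS,AX/MOV SP,7C00 prologue at JMP target")
    if baseline_digest is not None and hashlib.sha256(sector).hexdigest() != baseline_digest:
        findings.append("boot sector differs from stored copy")
    return findings


def build_sector(jump, body_offset, loader):
    """Constructed sample: assemble a fake sector from parts (not real DOS data)."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:len(jump)] = jump
    sec[body_offset:body_offset + len(loader)] = loader
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


# Constructed "clean" sector: EB 3C 90 jumps to offset 0x3E, where the prologue sits.
CLEAN = build_sector(b"\xEB\x3C\x90", 0x3E, PROLOGUES[0] + b"Non-System disk or disk error")
CLEAN_DIGEST = hashlib.sha256(CLEAN).hexdigest()      # the "stored copy" of the original

# Constructed DOS 2.x-style sector: E9 3B 00 also lands on offset 0x3E.
NEAR = build_sector(b"\xE9\x3B\x00", 0x3E, PROLOGUES[0])

# Constructed replacement sector: same JMP and prologue, different code afterwards.
# Structural checks pass; only the stored copy reveals the change.
REPLACED = build_sector(b"\xEB\x3C\x90", 0x3E, PROLOGUES[1] + b"\x90" * 40)

# Constructed autoboot-style sector with no initial JMP at all.
NOJMP = build_sector(PROLOGUES[0], 0, b"")


if __name__ == "__main__":
    for name, sec in (("clean", CLEAN), ("near", NEAR), ("replaced", REPLACED), ("nojmp", NOJMP)):
        print(name, check_boot_sector(sec, CLEAN_DIGEST) or ["ok"])
```

The point the reply makes shows up directly in the output: the replaced sector produces no structural finding at all and is only caught by the baseline digest, while the JMP-less sector produces a finding that is not evidence of infection on its own.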