

Parity Boot

Benjamin Sidle
Sophos Plc

Parity_Boot.A and Parity_Boot.B are two rather unremarkable boot sector viruses which are becoming increasingly prevalent in the wild. Both variants are very similar in function and code; indeed, it is possible to detect them both using the same search pattern.

The main difference between them is that variant 'A' stores a copy of the original Master Boot Sector (MBS) in sector 14, side 0, cylinder 0 of the fixed disk, whereas variant 'B' copies it to sector 9, side 0, cylinder 0. Although this is a small difference, it is vital to distinguish between the two for the purpose of disinfection. The remainder of this article will discuss the Parity_Boot.B virus.

On Start-up

When a machine is booted from an infected floppy disk, the virus first examines the contents of the fixed disk's MBS. After checking for the marker 55AAh at the end of the sector, the virus checks whether the byte at offset 01BCh is C9h. If that is not the case, the hard disk is deemed suitable for infection, and the virus copies its own code to the MBS of the disk.

When an infected system is booted, the virus stores part of the BIOS 24-hour timer tick count for later use. It also stores the address of the current Int 13h handler and reduces the amount of DOS memory by 1K, reserving it for installing the virus code. Parity_Boot then hooks both Int 13h (BIOS Disk Services) and Int 09h (BIOS keyboard).

Finally, Parity_Boot issues an Int 19h (soft reboot), the purpose of which is to start the booting procedure again, but this time using the virus' Int 13h and Int 09h functions. Because Parity_Boot is a stealth virus, its Int 13h handler serves up the original boot sector in place of the infected one: that sector is loaded into memory and control is passed to it.

Resident Operation

When an attempt is next made to read the MBS, or the boot sector of a diskette, the virus checks to see whether or not the sector is already infected: if it is not, the infection process begins. This doubles as a stealth routine: every call to read or write to the Master Boot Sector of the fixed disk will be redirected.

The virus clearly shows its age: it does not even attempt to handle 1.44M floppy disks (the values default to those for 1.2M diskettes). For hard disks, the MBS is copied to the area mentioned above. On diskettes, the virus uses part of the BIOS Parameter Block (BPB) area (the number of sectors per FAT) to calculate where to store the original boot sector.

Trigger

The activation and execution of the virus' payload is handled by the new Int 09h handler. If Ctrl-Alt-Del is pressed, the virus will simulate a memory parity error and perform a warm reboot.

During every call to Int 09h, there is a chance that the virus will enter its second trigger routine. If the clock count byte stored during boot-up is less than the current value, the message 'PARITY CHECK' (disguised within the virus by XORing the text with the value 55h) is displayed, and the processor is halted with the HLT instruction -- the only option is to turn the machine off. If neither condition is met, the virus' Int 09h handler jumps to an absolute offset within the BIOS (which is a fixed entry point for all BIOSes), and makes no effort to use the original Int 09h handler.


Parity_Boot

Aliases: None known.
Type: Memory-resident boot sector virus with stealth capabilities.
Infection: Master Boot Sector on hard disk, boot sector on diskette.
Self-recognition on Disk: Checks offset 01BCh for the value C9h.
Hex Pattern:
  Parity_Boot.A
  FA0E 1FA1 4C00 A3E1 7CA1 4E00
  A3E3 7CA1 2400 A3BA 7DA1 2600
  Parity_Boot.B
  FA0E 1FA1 4C00 A3D3 7CA1 4E00
  A3D5 7CA0 6E04 A2BD 7DA1 1304
Intercepts: Int 13h for infection, and Int 09h for the trigger routine.
Trigger: Displays the message 'PARITY CHECK' and halts the processor.
Removal: Boot from a clean system disk using the same version of the operating system as installed on the hard disk, and use the DOS command FDISK /MBR.
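The indicators listed above can be applied to a raw 512-byte sector image taken from a disk. The following scanner is an added example, not code from the article or from Sophos: it checks the 55AAh boot signature, the C9h self-recognition byte at offset 01BCh, and the two published search patterns, reporting which variant is present and therefore which sector (14 for 'A', 9 for 'B') holds the original MBS needed for disinfection. The sample sectors it builds are constructed for the demonstration, not real captures.

```python
# Added example: detect Parity_Boot.A/B in a 512-byte sector image using
# the indicators from the Virus Bulletin write-up.
PATTERNS = {
    "Parity_Boot.A": bytes.fromhex("FA0E1FA14C00A3E17CA14E00A3E37CA12400A3BA7DA12600"),
    "Parity_Boot.B": bytes.fromhex("FA0E1FA14C00A3D37CA14E00A3D57CA06E04A2BD7DA11304"),
}
# Where each variant stores the original Master Boot Sector (side 0, cylinder 0).
ORIGINAL_MBS_SECTOR = {"Parity_Boot.A": 14, "Parity_Boot.B": 9}
MARKER_OFFSET = 0x1BC   # self-recognition byte checked by the virus
MARKER_VALUE = 0xC9
SECTOR_SIZE = 512


def xor55(data: bytes) -> bytes:
    """The virus hides 'PARITY CHECK' by XORing each byte with 55h.
    XOR is its own inverse, so the same call decodes the string."""
    return bytes(b ^ 0x55 for b in data)


def scan_sector(sector: bytes) -> dict:
    """Return the page's indicators for one sector. The marker alone is not
    proof of infection (a clean MBR may have C9h there by chance); the
    search pattern decides the variant."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    result = {
        "bootable": sector[510:512] == b"\x55\xAA",
        "marker_present": sector[MARKER_OFFSET] == MARKER_VALUE,
        "variant": None,
        "original_mbs_sector": None,
    }
    for name, pattern in PATTERNS.items():
        if pattern in sector:
            result["variant"] = name
            result["original_mbs_sector"] = ORIGINAL_MBS_SECTOR[name]
            break
    return result


def make_sample_sector(variant=None) -> bytes:
    """Constructed sample (not a real capture): a blank bootable sector,
    optionally carrying one variant's pattern and the infection marker."""
    buf = bytearray(SECTOR_SIZE)
    buf[510:512] = b"\x55\xAA"
    if variant:
        buf[0:len(PATTERNS[variant])] = PATTERNS[variant]
        buf[MARKER_OFFSET] = MARKER_VALUE
    return bytes(buf)


if __name__ == "__main__":
    for v in (None, "Parity_Boot.A", "Parity_Boot.B"):
        print(v, scan_sector(make_sample_sector(v)))
    print(xor55(xor55(b"PARITY CHECK")))
```

To scan a real disk, read the first 512 bytes of the device (for example with `dd`) and pass them to `scan_sector`.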



Virus Bulletin: Parity Boot / webmaster@virusbtn.com © 1998 Virus Bulletin Ltd.