Boot.437 is a virus that has been successful in the wild for quite some time. As the name suggests, it is a boot sector virus - when an infected floppy is in the drive during the boot process, unless the PC has been instructed via the BIOS not to boot from diskettes, the virus will be loaded into memory at segment zero, offset 7C00h, and control passes to that address from the firmware in the standard fashion.
Boot.437 first saves the original Int 13h vector by reading it from offset 4Ch in segment 0 and storing it for later use. It then installs itself into memory by deducting 1KB from the memory size word at offset 413h, segment 0. There is what appears to be an attempt to break up the (very generic) sequence of instructions used to do this - one superfluous operation is present. This is, of course, no defence against a scanner which knows Boot.437 specifically; it only helps against some generic systems.
The next stage is to calculate a segment register corresponding to the now missing 1KB of conventional memory. This is obtained by the de facto standard code snippet which takes the reduced memory word mentioned above and shifts it left by 6 bits. The result is a new segment register value allowing the virus to access its new home in memory. When I see these code snippets turn up byte-for-byte in numerous viruses, I wonder if the original authors wish they could claim copyright or royalties on these useful modules.
With the memory reserved and a segment pointer obtained for that memory, Boot.437 copies its own image to the new location and passes control to the next instruction, but in the copy image. The original image in segment 0 is now redundant.
On receiving control, Boot.437's new image issues a disk reset command via the standard BIOS call, usually reserved for when a disk error has been detected before attempting a retry. However, Boot.437's author seems to be trying to pre-empt any such problem.
The virus is now installed, and must locate and execute the original boot sector stored on infection. At this point, Boot.437 does not know if it is running courtesy of an infected hard disk or whether someone has booted from an infected floppy. This is determined by examining the byte at offset C3h within the virus body - this contains the physical number of the target drive, stored when the disk was infected. If this is 80h or greater, the virus is deemed to have executed from a hard disk; otherwise it was from a floppy.
If this byte indicates the virus is being executed from a hard disk, the virus' work is almost complete. If, however, it indicates a floppy disk, Boot.437 calls the infection routine (see the next section). When control returns from this, it reads in the original sector (which the infection routine saves), hooks Int 13h by replacing the vector with a pointer to its own code, and passes control to the original sector.
The infection routine carries out all infections for the virus. First, the target disk's boot sector is read into memory: if the target is a hard disk, the partition table is examined to determine the location of the active partition. If the partition table does not contain an element marked as active, the disk is spared infection. If an active partition entry is found, the virus reads the boot sector of that partition into memory.
The infection routine now compares six bytes at offset 100h in the virus body with the bytes at the same position in the sector being examined - this is an infection test. If they match, the disk is already infected, and infection aborts. Otherwise, the sector is secreted for future reference, and the image in memory is patched with three virus bytes at the start: these represent a jump to the bulk of the virus code (437 bytes, hence the name) which is placed into the sector at offset 3Eh. The modified sector is then written back to disk, completing the process.
Once the Int 13h handler installed at the end of the installation routine is in place, all disk access requests will pass through the virus code. The virus is only interested in read and write requests - all others pass through unhindered.
In the case of a hard disk access request, a test is done to compare the target drive against the one from which the virus was loaded (using the value at C3h). If they match, the target is already infected and is left alone, and the original disk request is allowed through with no attempt at stealth. This allows the virus to infect quite happily any number of PC hard disks.
Floppy disk accesses are treated differently. Boot.437 examines another low memory word which indicates (amongst other things) which floppy disk drive motors are currently spinning. The virus masks the unwanted bits, then checks to see if a floppy drive is currently active. The floppy will only be infected if the motor on that drive is spinning; a ploy to eliminate signs of spurious disk activity [Other viruses also use this trick; e.g. Jumper. Ed.].
In all cases, if the disk is considered suitable for infection, Boot.437 invokes the infection routine described above. Control then passes to the original Int 13h handler.
Where the virus places the copy of the clean boot sector depends on the type of disk being infected; in head/cylinder/sector notation, the positions are as follows: 360K 1.0.3, 720K 1.0.5 (both of these place it at the end of the root directory), 1.2MB 1.0.13 (placing it over the penultimate sector of the root directory), and 1.44MB 1.0.17 (placing it over the second cluster in the data area - part of the first file on the diskette will be overwritten).
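The stash positions above are what a disinfection or forensics tool needs in order to pull the clean boot sector back off an infected floppy image. The following is an added example (not code from the article or from Virus Bulletin): it converts the article's head/cylinder/sector positions to logical sectors, extracts the stashed sector from a raw image, and uses the BPB of that recovered sector to confirm which FAT12 region the stash lands in. The floppy geometries, the DOS BPB values used to build the constructed sample image, and the CHS-to-LBA mapping are standard values assumed here, not taken from the article.

```python
import struct
# Standard floppy geometry, assumed here (not from the article): total sectors, sectors/track, heads.
GEOMETRY = {360: (720, 9, 2), 720: (1440, 9, 2), 1200: (2400, 15, 2), 1440: (2880, 18, 2)}
SIZE_TO_FORMAT = {total * 512: kb for kb, (total, _, _) in GEOMETRY.items()}
# Typical DOS BPB values (sectors/cluster, root entries, sectors/FAT); used only for the sample image.
BPB = {360: (2, 112, 2), 720: (2, 112, 3), 1200: (1, 224, 7), 1440: (1, 224, 9)}
# Where Boot.437 parks the original boot sector, from the article: (head, cylinder, sector).
STASH = {360: (1, 0, 3), 720: (1, 0, 5), 1200: (1, 0, 13), 1440: (1, 0, 17)}

def chs_to_lba(head, cyl, sector, spt, heads):
    """Standard CHS -> logical sector mapping; sectors are numbered from 1."""
    return (cyl * heads + head) * spt + (sector - 1)

def stash_lba(kb):
    """Logical sector holding the clean boot sector on an infected disk of this format."""
    _, spt, heads = GEOMETRY[kb]
    return chs_to_lba(*STASH[kb], spt, heads)

def recover_boot_sector(image):
    """Return the stashed original sector, or None if nothing boot-sector-like is there."""
    lba = stash_lba(SIZE_TO_FORMAT[len(image)])  # KeyError if the image is not a standard size
    sector = bytes(image[lba * 512:(lba + 1) * 512])
    # Plausibility checks only: an x86 jump opcode at byte 0 and the 55AA boot signature.
    if sector[0] not in (0xEB, 0xE9) or sector[510:512] != b"\x55\xAA":
        return None
    return sector

def describe_region(boot_sector, lba):
    """Name the FAT12 region a logical sector lies in, read from the recovered sector's BPB."""
    reserved, fats, root_entries, _, _, spf = struct.unpack_from("<HBHHBH", boot_sector, 0x0E)
    root_start = reserved + fats * spf
    data_start = root_start + (root_entries * 32) // 512
    if lba < root_start:
        return "reserved/FAT area"
    if lba < data_start:
        return "root directory, sector %d of %d" % (lba - root_start + 1, data_start - root_start)
    return "data area, cluster %d" % ((lba - data_start) // boot_sector[0x0D] + 2)

def make_sample_image(kb):
    """Constructed input: junk in sector 0, a clean DOS-style boot sector at the stash position."""
    total, spt, heads = GEOMETRY[kb]
    spc, root_entries, spf = BPB[kb]
    bpb = bytearray(b"\xEB\x3C\x90".ljust(512, b"\x00"))  # jump to 3Eh, as normal DOS boot code does
    struct.pack_into("<HBHBHHBHHH", bpb, 0x0B, 512, spc, 1, 2, root_entries, total, 0xF0, spf, spt, heads)
    bpb[510:512] = b"\x55\xAA"
    image, lba = bytearray(b"\xCC" * (total * 512)), stash_lba(kb)
    image[lba * 512:(lba + 1) * 512] = bpb
    return bytes(image)
```

Run against the four constructed images, describe_region reports the last root-directory sector for 360K and 720K, the penultimate one for 1.2MB, and cluster 3 (the second data cluster) for 1.44MB, matching the article's remarks.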
As shown by the WildList, Boot.437 is a successful virus. I would imagine every scanner in existence can detect it [In the comparative review on p.12, every scanner except MSAV could. Ed.], yet it is still in the wild. Its code, whilst effective, demonstrates inefficiencies which may indicate a learning curve on the part of the author. The virus carries neither trigger nor payload, and is content simply to infect and to replicate.
Virus Bulletin: Boot.437 | © 1998 Virus Bulletin Ltd.