One of the most common viruses in recent months has been the New Zealand (2) virus. This was, until recently, the only virus to infect the Master Boot Sector of a disk.
Joshi is the second virus of this type to be seen. Removing a Joshi infection from a hard disk is complicated by the fact that this virus, like New Zealand, survives a DOS FORMAT: FORMAT rewrites the DOS partition but leaves the Master Boot Sector, and the rest of track 0, untouched. It is therefore necessary either to perform a low-level format of the disk, followed by repartitioning and then a DOS FORMAT of every DOS partition on the disk, or to replace the original Master Boot Sector.
The first option is painstaking and involves restoring every file on the hard disk from backups. Fortunately, for both Joshi and New Zealand, the 'non-destructive' option is a straightforward procedure: the original Master Boot Sector is written back using a utility such as Norton (see VB, September 1990, p.9).
Joshi was first reported in August of this year. The virus originated in the Indian sub-continent and is now widespread in Europe and has recently appeared in the wild in the UK. Unlike many new viruses, Joshi does not employ self-modifying encryption, so every copy is identical. However, the virus does use 'stealth' which makes it undetectable if it is active in memory.
The virus consists of a boot sector and then uses a further 8 sectors elsewhere on the disk. One of these sectors contains a copy of the original Master Boot Sector, the next two sectors are not used, and the remaining five contain the virus code.
As with the majority of viruses, Joshi is not deliberately destructive. However, due to an oversight by its author, Joshi is likely to corrupt some data on infected 720 Kb diskettes.
The only deliberate side effect of Joshi occurs on January 5th of any year. If an infected disk is used to boot from, the 'Happy Birthday Joshi!' message (produced by the Int 9h and Int 21h routines described below) is displayed on a cyan background.
This message remains on screen until the required text is typed in, unless the PC is switched off and booted from a clean disk. Once the text is entered, the boot process continues normally and no further evidence of the virus is seen.
Several features of this virus are of particular interest. First, the virus survives a warm boot (Ctrl-Alt-Del). Secondly, on floppy disks the virus formats a new track at the end of the disk, which it then uses to store itself and the original boot sector of the disk. Also, on floppy disks some or all of the error messages contained within the original boot sector are copied into the virus boot sector, so if an infected disk is inspected on a clean PC with a utility such as The Norton Utilities it will look like a clean boot sector. For this reason dedicated virus detection software is essential for reliable diagnosis.
As with New Zealand, the Joshi virus can only infect a PC if the machine is booted from an infected disk. Non-system disks can spread the infection: the usual 'non-system disk. Please insert a system disk and retry' message is displayed, but by then the virus is already in memory. This re-emphasises the danger of negligently leaving diskettes in the floppy drive when the machine is shut down; once the machine is powered up again it will automatically boot from the floppy drive, giving a boot sector virus the opportunity to infect the hard disk. Note: boot sector viruses will infect any DOS-formatted diskette, regardless of whether it is used to transfer pure data or executable images.
When the PC is booted from an infected disk the virus checks whether or not it is already in memory. If it is, control is passed straight to the virus; otherwise the amount of available memory is reduced by 6 Kbytes (so a memory report such as that from CHKDSK shows 6 Kbytes less total conventional memory than usual while the virus is resident, which is a useful quick check). The virus boot sector plus the 8 sectors assigned to the rest of the virus, including the original disk boot sector, are loaded into this 6 Kb reserved block of memory and control is transferred to the virus in memory.
Next the virus checks the interrupt vectors for INT 8H, INT 9H and INT 13H. If these vectors do not already point to the virus' own sub-routines, they are altered to do so and the previous settings are stored for later use. The virus then sets markers to indicate that it does not know whether the first two floppy drives and the first two fixed drives are infected. It then copies the original disk boot sector stored in the virus' 6 Kb reserved memory block to the address to which it would have been loaded by the computer's start up process. The virus jumps to that address, thus returning control to the normal boot up procedure.
The memory-resident part of the virus is subsequently accessed through Int 8h (Timer Interrupt), Int 9h (Keyboard Interrupt), Int 13h (ROM BIOS disk services) and Int 21h (DOS services).
At this stage the Int 21h vector has not been hooked. This is because the Master Boot Sector executes before DOS is loaded into memory, and any setting of this vector would be overwritten when DOS installs its own handler. The problem is solved by using Int 8h to hook Int 21h later. Int 8h is generated 18.2 times per second to keep the time-of-day clock current. The Int 8h handler monitors the Int 21h vector and does nothing until the vector changes (i.e. until DOS has installed its handler). It then changes the vector to point to its own routine and saves the previous value.
The other function of the INT 8H handler is to monitor the state of the floppy drive motors. If it detects that a motor has stopped, a marker is set so that next time that drive is used the disk is checked for infection. This means that all uninfected floppy disks used in an infected PC will be infected.
The Int 9h handler monitors what is typed at the keyboard. If the "Happy Birthday Joshi!" message is displayed, this routine supplies the codes of the keys typed to the INT 21H handler rather than to the normal operation of INT 9H. The second function of this routine is to intercept a warm boot request (Ctrl-Alt-Del) and prepare the PC so that the virus remains intact in memory during the boot process.
The Int 13h (ROM BIOS disk services) handler checks for disk infection and infects all clean disks. Every time Int 13h is called, the handler first consults its marker for the drive concerned. If the drive is already known to be infected, the requested function is examined: unless it is a read, write or verify of the Master Boot Sector, control is simply passed to the original Int 13h handler.
Otherwise the first sector of the disk is loaded and 344 bytes of its contents are compared with the copy of the virus boot sector loaded during the bootstrapping process. If they match, the disk is already infected and control is returned to the normal Int 13h handler, unless the call is a read, write or verify of the Master Boot Sector, in which case the call is redirected to the saved original Master Boot Sector rather than the virus boot sector. If they do not match, the disk is clean and is infected as described below.
Any attempt to read the Master Boot Sector of an infected disk while the virus is resident therefore returns the clean original Master Boot Sector rather than the virus boot sector. This will cause any virus scanning program to diagnose the PC as uninfected if the virus is memory-resident at the time of checking. This re-emphasises the need to boot the PC from a clean write-protected system diskette before using virus scanning software. Scanning software should not be installed on, or run from, a hard disk.
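The following C model is an added example, not code from the article or from the virus itself. It simulates the Int 13h handler described above on a constructed disk image: the sector contents, the toy track-0 geometry, and the sector in which the saved original Master Boot Sector is kept are assumptions for the model (the page does not say which of the 8 sectors holds the copy); the function numbers 2, 3 and 4 for read, write and verify are the standard BIOS values. It shows why a scanner that reads sector 0 through the hooked interrupt concludes the disk is clean, while the same read after a clean boot reveals the virus.

```c
/* Added example (not from the Virus Bulletin article): a model of the Joshi
 * Int 13h stealth hook, run against a constructed disk image. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_BYTES   512
#define TRACK0_SECTORS 17   /* toy hard disk: sector 0 is the MBS, 1..16 the rest of track 0 */
#define SIG_BYTES      344  /* bytes the virus compares to recognise itself (from the text) */
#define ORIG_MBS_SECTOR 1   /* where this model keeps the saved original MBS (assumption) */

enum { FN_READ = 2, FN_WRITE = 3, FN_VERIFY = 4 };   /* standard Int 13h function numbers */
enum { MARK_UNKNOWN, MARK_CLEAN, MARK_INFECTED };    /* per-drive marker kept by the virus */

static uint8_t disk[TRACK0_SECTORS][SECTOR_BYTES];  /* constructed disk image */
static uint8_t virus_boot[SECTOR_BYTES];            /* virus boot sector held in memory */
static int marker = MARK_UNKNOWN;

typedef int (*int13_fn)(int fn, int sector, uint8_t *buf);

/* The ROM BIOS handler: a plain sector read/write on the image. */
static int bios_int13(int fn, int sector, uint8_t *buf)
{
    if (sector < 0 || sector >= TRACK0_SECTORS) return 1;    /* error */
    if (fn == FN_READ)  memcpy(buf, disk[sector], SECTOR_BYTES);
    if (fn == FN_WRITE) memcpy(disk[sector], buf, SECTOR_BYTES);
    return 0;                                                 /* FN_VERIFY: nothing to do */
}

/* The virus' handler, following the description in the text: settle the
 * marker if unknown, then redirect MBS accesses to the saved original. */
static int virus_int13(int fn, int sector, uint8_t *buf)
{
    if (marker == MARK_UNKNOWN) {
        uint8_t first[SECTOR_BYTES];
        bios_int13(FN_READ, 0, first);
        marker = memcmp(first, virus_boot, SIG_BYTES) == 0 ? MARK_INFECTED : MARK_CLEAN;
        /* a clean disk would be infected at this point; omitted from the model */
    }
    int mbs_access = (fn == FN_READ || fn == FN_WRITE || fn == FN_VERIFY) && sector == 0;
    if (marker == MARK_INFECTED && mbs_access)
        sector = ORIG_MBS_SECTOR;                 /* stealth: show/alter the original instead */
    return bios_int13(fn, sector, buf);
}

/* Build the constructed image: a plausible original MBS (code bytes, four
 * empty partition entries, 55AA signature) and a distinct virus boot sector,
 * then "infect" it the way the text describes for hard disks. */
static void setup_infected_disk(void)
{
    uint8_t orig[SECTOR_BYTES];
    memset(disk, 0, sizeof disk);
    memset(orig, 0x90, SECTOR_BYTES);        /* NOPs stand in for boot code */
    memset(orig + 446, 0, 64);               /* empty partition table */
    orig[510] = 0x55; orig[511] = 0xAA;
    memset(virus_boot, 0xCC, SECTOR_BYTES);  /* INT3 bytes stand in for virus code */
    virus_boot[510] = 0x55; virus_boot[511] = 0xAA;

    memcpy(disk[0], orig, SECTOR_BYTES);                /* clean disk ...      */
    memcpy(disk[ORIG_MBS_SECTOR], orig, SECTOR_BYTES);  /* ... original saved on track 0 */
    memcpy(disk[0], virus_boot, SECTOR_BYTES);          /* ... MBS overwritten */
    marker = MARK_UNKNOWN;
}

/* What a scanner concludes when it reads sector 0 through the given handler:
 * 1 = virus boot sector seen, 0 = looks clean. */
static int scanner_finds_virus(int13_fn handler)
{
    uint8_t buf[SECTOR_BYTES];
    handler(FN_READ, 0, buf);
    return memcmp(buf, virus_boot, SIG_BYTES) == 0;
}

static int drive_marker(void) { return marker; }

int main(void)
{
    setup_infected_disk();
    printf("scan with virus resident: %s\n", scanner_finds_virus(virus_int13) ? "INFECTED" : "clean");
    printf("scan after clean boot   : %s\n", scanner_finds_virus(bios_int13)  ? "INFECTED" : "clean");
    return 0;
}
```

The second result is the one a real scanner gets only if the machine was booted from a clean, write-protected diskette, which is why the text insists on that step.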
Infection is the same on floppy disks and hard disks, except for the location at which the virus is stored on disk.
For hard disks the virus is placed on the first track of the disk, which is unused in almost all cases. For floppy disks an extra track is formatted after the last track and used to store the 8 sectors. To decide where the last track is, the virus checks only the number of sectors per track: fewer than 15 sectors per track is taken to mean a 40-track disk, otherwise the disk is assumed to have 80 tracks. This assumption is wrong for 3.5 inch 720 Kb disks, which have 9 sectors per track but 80 tracks; the virus formats its 'extra' track as track 40, in the middle of the disk, overwriting whatever data was stored there.
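As an added example (not code from the article), the track-selection heuristic just described, applied to the standard PC diskette formats, to show which formats are damaged and which logical sectors are hit. The geometry values are the standard DOS formats; the heuristic itself follows the text.

```c
/* Added example (not from the Virus Bulletin article): the Joshi floppy
 * track heuristic applied to the standard DOS diskette geometries. */
#include <stdio.h>

struct diskette {
    const char *name;
    int tracks;     /* cylinders per side */
    int heads;
    int spt;        /* sectors per track */
};

/* Standard DOS diskette formats */
static const struct diskette formats[] = {
    { "360 Kb 5.25in",  40, 2,  9 },
    { "720 Kb 3.5in",   80, 2,  9 },
    { "1.2 Mb 5.25in",  80, 2, 15 },
    { "1.44 Mb 3.5in",  80, 2, 18 },
};

/* Track the virus formats for its 8 sectors: it looks only at sectors per
 * track, treats fewer than 15 as a 40-track disk, and uses the track after
 * the last one it believes exists. */
static int joshi_extra_track(int spt)
{
    return spt < 15 ? 40 : 80;
}

/* 1 if that track lies inside the real media, i.e. existing data is overwritten */
static int joshi_corrupts(const struct diskette *d)
{
    return joshi_extra_track(d->spt) < d->tracks;
}

/* First DOS logical sector on a track (cylinder-major, then head, then sector) */
static int first_logical_sector(const struct diskette *d, int track)
{
    return track * d->heads * d->spt;
}

int main(void)
{
    for (size_t i = 0; i < sizeof formats / sizeof formats[0]; i++) {
        const struct diskette *d = &formats[i];
        int t = joshi_extra_track(d->spt);
        printf("%-14s real tracks %2d, virus formats track %2d: %s\n",
               d->name, d->tracks, t,
               joshi_corrupts(d) ? "overwrites existing data" : "beyond the last track");
        if (joshi_corrupts(d))
            printf("  logical sectors %d-%d destroyed\n",
                   first_logical_sector(d, t), first_logical_sector(d, t + 1) - 1);
    }
    return 0;
}
```

Only the 720 Kb format fails the check: the virus formats track 40 of an 80-track disk, destroying logical sectors 720 to 737, well past the FATs and root directory and therefore in the file data area.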
The virus alters the copy of its own boot sector in memory to contain the correct BIOS Parameter Block (BPB) (for hard disks this will be meaningless data). It then copies itself from the reserved 6 Kbyte memory area, which now includes the original Master Boot Sector, into 8 sectors chosen for the type of disk and writes the virus boot sector to the Master Boot Sector location. The marker is set to indicate that the disk has been infected and control is returned to the start of the virus Int 13h handler.
The Int 21h handler checks the date, and if it is the 5th of January of any year, it starts the message routine, which retains control until the correct key sequence is entered.
The PC must be switched off and booted from a clean write-protected system floppy disk before commencing disinfection. A warm boot (Ctrl-Alt-Del) is not sufficient to remove Joshi from memory.
For floppy disks, all files can be copied safely to another disk and the disks then reformatted using DOS FORMAT. To copy the files use the DOS COPY command or a file-by-file backup program. Do not use DISKCOPY or any image copier as this will copy the virus onto the destination diskette.
For hard disks there are two methods, as outlined at the start of this article: the non-destructive method, in which the original Master Boot Sector, preserved by the virus on track 0, is written back over the virus boot sector using a utility such as Norton; or a low-level format followed by repartitioning, a DOS FORMAT of each partition and restoration of all files from backups.
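As an added example (not the article's procedure nor Norton's code), the non-destructive repair modelled in C on a constructed image: after a clean boot, the saved original Master Boot Sector is located among the track-0 sectors the virus uses and written back over sector 0. The page does not say which of the 8 sectors holds the copy, so the tool searches for a sector that carries the 55AA signature and a plausible partition table and differs from the virus sector; the toy geometry and the sector contents are assumptions for the model.

```c
/* Added example (not from the Virus Bulletin article): locating and restoring
 * the original MBS from track 0 of a constructed disk image, after a clean boot. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_BYTES   512
#define TRACK0_SECTORS 17   /* toy geometry: sector 0 = MBS, 1..16 = rest of track 0 */
#define SIG_BYTES      344  /* bytes compared to recognise the virus sector (from the text) */

static uint8_t disk[TRACK0_SECTORS][SECTOR_BYTES];   /* constructed image */

/* Does this sector look like a Master Boot Sector? Requires the 55AA signature
 * and four partition entries whose boot indicators are 0x00 or 0x80. */
static int looks_like_mbs(const uint8_t *s)
{
    if (s[510] != 0x55 || s[511] != 0xAA) return 0;
    for (int i = 0; i < 4; i++) {
        uint8_t boot = s[446 + 16 * i];
        if (boot != 0x00 && boot != 0x80) return 0;
    }
    return 1;
}

/* Find the saved original: a sector elsewhere on track 0 that passes the MBS
 * check and differs from the (virus) sector currently at 0. Returns -1 if none. */
static int find_saved_mbs(void)
{
    for (int n = 1; n < TRACK0_SECTORS; n++) {
        if (!looks_like_mbs(disk[n])) continue;
        if (memcmp(disk[n], disk[0], SIG_BYTES) == 0) continue;   /* another virus copy */
        return n;
    }
    return -1;
}

/* Write the saved original back over the virus boot sector. 0 on success. */
static int restore_mbs(void)
{
    int n = find_saved_mbs();
    if (n < 0) return -1;
    memcpy(disk[0], disk[n], SECTOR_BYTES);
    return 0;
}

/* Constructed test image: original at sector 5, virus at sector 0, junk elsewhere. */
static void build_image(void)
{
    memset(disk, 0, sizeof disk);
    for (int n = 1; n < TRACK0_SECTORS; n++)
        memset(disk[n], 0xFF, SECTOR_BYTES);      /* junk: no 55AA signature */
    uint8_t *orig = disk[5];
    memset(orig, 0x90, SECTOR_BYTES);             /* NOPs stand in for boot code */
    memset(orig + 446, 0, 64);
    orig[446] = 0x80;                             /* one active partition entry */
    orig[510] = 0x55; orig[511] = 0xAA;
    memset(disk[0], 0xCC, SECTOR_BYTES);          /* INT3 bytes stand in for virus code */
    disk[0][510] = 0x55; disk[0][511] = 0xAA;
}

int main(void)
{
    build_image();
    int n = find_saved_mbs();
    printf("saved original MBS found at track-0 sector %d\n", n);
    printf("restore: %s\n", restore_mbs() == 0 ? "done" : "failed");
    return 0;
}
```

On a real disk the same search would be done with a sector editor after booting from a clean write-protected diskette; if no candidate sector is found, the destructive method is the only option.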
Virus Bulletin: Joshi / webmaster@virusbtn.com | © 1998 Virus Bulletin Ltd.