Jumper is a Master Boot Sector (MBS) virus which has little to draw undue attention to itself, save being encountered in the wild. Despite the fact that it is neither innovative nor particularly well-written, it does have a few features which are interesting not for their originality, but their rarity. This month's analysis takes a look at this oddity.
From the point of view of the user, infection of the hard disk proceeds in the usual manner. Internally, the virus begins in a manner typical of this type of virus: first, it determines the size of base memory by reading the value at memory location 0413h in the BIOS Data Area (segment 0). It reduces this value by 2, and writes it back, decreasing the top of memory by 2K, and copies itself into this 'hole'.
Before execution jumps to the high copy, the virus records the interrupt 1Ch vector in the vector table at the base of memory and points that vector to its own code at the top of memory. Interrupt 1Ch, which is the System Timer Tick interrupt, is called by Interrupt 08h, and is generated approximately 18.2 times per second.
Processing now jumps to the high copy, pushing the segment and address onto the stack and issuing a RETF (Return Far) instruction.
At this point, Jumper retrieves the location of the copy of the original boot sector and loads it into memory. The virus then determines if it was run from a floppy disk; if so, it infects the first hard drive. Finally, processing is passed to the original boot sector code.
Once the virus has become resident in memory, it does not immediately begin infecting floppy disks, because it has not yet hooked the appropriate interrupt vector. To understand how Jumper does start to infect floppies, we must examine the Int 1Ch handler in detail.
This is the routine which modifies the Interrupt 21h vector, giving control to the virus code and allowing it to infect floppy disks. However (as stated above), certain conditions must be met before it can actually infect.
Every time the timer ticks, Jumper compares the second lowest byte of the timer value in the BIOS Data Area with the value at offset 01C6h in the image of the boot sector containing the virus at the top of memory. Until the timer value exceeds the value stored within the boot sector, the interrupt vector is not altered.
The fact that the byte concerned is at offset 1C6h is interesting: in the case of an infected hard disk, this byte is part of the partition table -- to be precise, it is the lowest byte of the value stored as the starting sector of the first entry in the partition table. This value will almost inevitably contain the number of the first sector on the second track of the disk, but its numerical value will vary depending on the layout of the disk in question.
If a floppy disk is infected, the value at offset 01C6h is part of the message which is displayed if the diskette does not contain a bootable copy of DOS -- it is the space (ASCII value 20h) between 'Replace' and 'and'.
As soon as the value from the timer exceeds that from the boot sector, the Int 21h vector is hooked, and the value in the memory image of the boot sector is changed to 0. This serves as a flag which will ensure that the vector is not altered twice.
At first sight, this seems like an incredibly convoluted way to hook an interrupt vector. However, when the virus code is first executed and becomes memory-resident, DOS is not yet operating, so Int 21h does not point to the DOS Int 21h handler. Thus, the virus delays hooking the interrupt until a later time.
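To make the delay concrete, the following is an added Python model (not code from the article or from the virus itself) that builds a constructed MBR, confirms that offset 1C6h is the low byte of the first partition's starting sector, and works out how long after boot the Int 1Ch test first passes. It assumes the test is an unsigned byte comparison and that the BIOS seeds the 40:6Ch tick count from the real-time clock, both of which are assumptions rather than statements from the article.

```python
import struct

# Offsets and rates used by the analysis above (DOS MBR layout and the PC BIOS timer).
PART_TABLE_OFF = 0x1BE      # first of the four 16-byte partition entries
LBA_START_OFF = 8           # 32-bit starting sector inside an entry: 0x1BE + 8 = 0x1C6
HOOK_BYTE_OFF = 0x1C6       # the byte Jumper compares with the timer (from the article)
TICKS_PER_SEC = 18.2065     # Int 08h / Int 1Ch tick rate
TICKS_PER_HIGH_BYTE = 256   # second-lowest byte of the 40:6Ch count advances every 256 ticks


def make_mbr(first_lba: int, sector_count: int = 20480) -> bytes:
    """Build a constructed 512-byte MBR with a single active FAT16 partition entry."""
    sector = bytearray(512)
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, LBA length
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x06, 0xFE, 0x3F, 0,
                        first_lba, sector_count)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[510:512] = b"\x55\xaa"   # boot signature
    return bytes(sector)


def hook_threshold(mbr: bytes) -> int:
    """Return the byte at 1C6h and confirm it is the low byte of partition 1's starting sector."""
    lba_start = struct.unpack_from("<I", mbr, PART_TABLE_OFF + LBA_START_OFF)[0]
    threshold = mbr[HOOK_BYTE_OFF]
    if threshold != lba_start & 0xFF:
        raise ValueError("offset 1C6h is not the low byte of the first partition's LBA start")
    return threshold


def will_hook(tick_count: int, threshold: int) -> bool:
    """Jumper's Int 1Ch test, modelled as an unsigned compare of the second-lowest byte (assumption)."""
    return ((tick_count >> 8) & 0xFF) > threshold


def ticks_until_hook(threshold: int, tick_count_at_boot: int):
    """Ticks from boot until the test first succeeds, or None if it never can.

    The BIOS seeds 40:6Ch from the real-time clock (ticks since midnight), so the
    delay depends on the time of day at boot, not only on the partition layout.
    Midnight rollover of the count is ignored here.
    """
    if threshold == 0xFF:           # an unsigned byte can never exceed 0xFF
        return None
    current = tick_count_at_boot & 0xFFFF
    target = (threshold + 1) << 8   # first count whose second-lowest byte exceeds the threshold
    return max(0, target - current)


if __name__ == "__main__":
    cases = (("hard disk, partition starts at sector 63", hook_threshold(make_mbr(63))),
             ("floppy, space in the 'Replace ... and' message", 0x20))
    for label, thr in cases:
        wait = ticks_until_hook(thr, 0)
        print(f"{label}: threshold {thr:#04x}, hook after ~{wait / TICKS_PER_SEC:.0f} s from a midnight boot")
```

For the common case of a partition starting at sector 63, the hook therefore lands roughly fifteen minutes after a boot at midnight, and earlier or later according to the clock value the BIOS loads.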
Once this handler is in place, Jumper proceeds with its dirty work. It intercepts only two of the multitudinous Int 21h functions -- 0Eh (Select Default Drive), and 0Ah (Buffered Keyboard Input). Its behaviour is dependent on which of these functions called it.
If it is subfunction 0Eh, and the new default drive is A or B, that drive is infected immediately, and the original interrupt handler is executed.
If, on the other hand, it is subfunction 0Ah (the Buffered Keyboard Input service provided by DOS), a number of tests are performed. Firstly, Jumper examines offset 043Fh in the BIOS Data Area (BDA). The byte held at this location contains a bitmap of the status of the drive motors. If a bit is set, the motor in the drive corresponding to that bit is running. Jumper checks to see if the motor in drive A: is active. If so, it continues to the next test; if not, control passes to the original handler.
Next, Jumper re-examines the clock in the BDA. It will only infect if the lowest bit is set. This amounts to a 50% chance of infection, and is effectively random, as this bit is changing more than 18 times every second, giving Jumper the properties of a sparse infector.
Int 21h function 0Ah is used by the DOS format program in order to accept keyboard input. Taking into account the 50% chance discussed above, Jumper seems to infect diskettes as they are formatted fairly reliably. This leads me to suspect that the author of the Jumper virus is deliberately targeting the FORMAT command.
If so, it is obvious why he checks to see if the motor on drive A: is running -- in order to make the user less suspicious of strange activity on the disk drive. This would certainly fit with targeting 'FORMAT'.
The trigger routine of this virus is nothing remarkable -- sometimes, whilst booting up, it locks the machine by repeatedly displaying the character 'I'. The conditions for this are based (once again) upon tests of the clock count in the BIOS Data Area, but the trigger routine is called more often than can be accounted for here.
This is probably because the virus also calls the trigger if the attempt to read the original boot sector with Int 13h fails. As such attempts are supposed to be made three times to allow for the hardware, this is perhaps not surprising.
Virus Bulletin: Jumper.B. © 1998 Virus Bulletin Ltd.