

NYB -- Grist to the Mill

Derek Karpinski
Andersen Consulting

NYB is a simple boot sector virus with stealth capabilities, which infects the boot sector of diskettes and the partition boot sector of the first hard drive. It consists of a single sector, which is unencrypted and easy to detect. Despite this, it is in the wild in the UK and China.

My overall impression was that this is the product of a person who misread texts on structured programming and safe practice with assembler. Structured programming does not mean that every task must be serviced by an ill-defined function call. NYB would be regarded by most professionals as an accident waiting to happen. Its multiplicity of calls reduces its efficiency, makes detection trivial and, fortunately, makes the virus difficult to maintain or modify. I predict few variants, and suggest that this virus is merely another trivial annoyance.

Action on Booting

Unusually, NYB does not create a stack for its own use. As it makes extensive reference to the stack via the base pointer to store and retrieve data, this may be regarded as a feature liable to cause unexpected results, such as a system hanging.

The virus subtracts 1 Kbyte from the BIOS memory available to DOS or subsequent operating systems and copies itself to this area of memory (which is hidden from DOS). It then stores the original Int 13h diskette handler interrupt vector, replaces it with its own, and issues a call to the replacement Int 13h handler, which results in infection of a previously uninfected hard disk. Finally, it loads the original boot sector into memory and continues the boot process normally.

Action when Resident

NYB intercepts all reads from track 0 of all drives. The sector at track 0, sector 1, head 0 is examined for infection; if none is found, a location is specified for storage of the original boot sector. On hard drives this is track 0, sector 11, head 0; on floppies, the last sector of the root directory. As usual, no check is made to see if this sector contains data, so data loss may result. The original boot sector is written to this location, and the virus to the original boot sector.

If track 0, sector 1, head 0 (the location of the boot sector) were read, the call would be stealthed, and the contents of the original boot sector returned instead.

The virus stores the current machine state on the stack shortly after entry to the replacement Int 13h handler, and subsequently accesses the current stack (which may or may not have been accessed by the virus) to determine the machine state on entry -- this is done by a series of MOVs. Not good style. Not reliable. But it works most of the time.

Detection and Removal

The virus can be detected through the loss of 1Kbyte of memory after booting: removal should take place following a cold boot from a known clean system diskette.

The SYS command removes the virus from system floppies following a clean boot, but as the original boot sector will still be lurking on the diskette, the user may prefer to FORMAT /S instead. Users of DOS 3.3 and later may remove the virus from a hard drive with the FDISK /MBR command. On prior versions of DOS, restore the MBS from a known good backup, or examine the sector at track 0, sector 11, head 0, which should be the virus's copy of the original boot sector: this can then be restored.

Conclusion

NYB is a virus which is badly structured, and uses some horrible techniques, but which is still capable of causing infection. It is not the worst written but still functional virus I have encountered -- indeed, some areas seem to show some ability -- but it is unreliable and unmaintainable.

In short, an uninteresting specimen.


NYB

Aliases:
Stoned.i, B1, New York Boot.
Type:
Memory-resident boot sector virus with stealth capabilities.
Infection:
Master Boot Sector of first hard drive, boot sector of floppy disks.
Self-recognition on Disk:
Compares 40h bytes of virus image from offset 40h with boot sector image.
Hex Pattern:
0EE8 AB00 50D1 E8FE CC74 03E9
6C01 5351 5206 5657 1E55 8BEC
Intercepts:
Int 13h. All reads from track 0, sector 1, head 0 are stealthed, and the original boot sector returned. Reads from track 0 cause the infection routine to activate.
Removal:
For hard drives, use FDISK /MBR if supported. For floppy disks use SYS, but preferably FORMAT /s.
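The indicators given above (the hex pattern, the 40h-byte self-recognition compare, the parking location of the original boot sector and the 1 Kbyte memory loss) can be turned into a defender-side check over raw sector images. The following is an added example, not code from the article or from Virus Bulletin; the sample sectors it builds are constructed test data, the 1.44 MB FAT12 BPB values and the CHS-to-LBA arithmetic are standard, and the offset at which the pattern is planted in the sample is arbitrary.

```python
import struct

SECTOR_SIZE = 512

# Hex pattern exactly as printed in the summary above, joined into one byte string.
NYB_PATTERN = bytes.fromhex("0EE8AB0050D1E8FECC7403E96C015351520656571E558BEC")


def find_nyb_pattern(sector: bytes) -> int:
    """Offset of the NYB pattern inside a sector image, or -1 if absent."""
    return sector.find(NYB_PATTERN)


def self_recognition_match(sector: bytes, virus_image: bytes) -> bool:
    """Mirror the virus's own infection test: 40h bytes from offset 40h must match."""
    return sector[0x40:0x80] == virus_image[0x40:0x80]


def chs_to_lba(cyl: int, head: int, sector: int, heads: int, spt: int) -> int:
    """Standard CHS -> LBA conversion (sector numbers are 1-based)."""
    return (cyl * heads + head) * spt + (sector - 1)


def hdd_original_boot_sector_lba(heads: int, spt: int) -> int:
    """Article: on hard disks the original MBS is parked at track 0, sector 11, head 0."""
    return chs_to_lba(0, 0, 11, heads, spt)


def floppy_original_boot_sector_lba(boot_sector: bytes) -> int:
    """Article: on floppies the original is parked in the last root-directory sector.
    Compute that sector from the FAT12 BPB of the (recovered) original boot sector."""
    (bps, _spc, reserved, fats, root_entries, _total, _media,
     spf, _spt, _heads) = struct.unpack_from("<HBHBHHBHHH", boot_sector, 11)
    root_sectors = (root_entries * 32 + bps - 1) // bps
    return reserved + fats * spf + root_sectors - 1


def memory_loss_kb(clean_kb: int, infected_kb: int) -> int:
    """Difference in the Int 12h base-memory figure; NYB takes 1 Kbyte off the top."""
    return clean_kb - infected_kb


def make_sample_sectors():
    """Constructed test data (hypothetical): a clean 1.44 MB FAT12 boot sector and an
    'infected' sector carrying the NYB pattern at offset 0x60 (arbitrary choice)."""
    clean = bytearray(SECTOR_SIZE)
    clean[0:3] = b"\xEB\x3C\x90"  # typical jump to boot code
    struct.pack_into("<HBHBHHBHHH", clean, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    clean[510:512] = b"\x55\xAA"
    infected = bytearray(SECTOR_SIZE)
    infected[0x60:0x60 + len(NYB_PATTERN)] = NYB_PATTERN
    infected[510:512] = b"\x55\xAA"
    return bytes(clean), bytes(infected)
```

The floppy calculation reads the BPB from a clean copy of the original boot sector, since the article does not say whether the virus sector preserves the BPB fields.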



Virus Bulletin: NYB. © 1998 Virus Bulletin Ltd.