Jackripper is yet another new boot sector virus known to be at large both in the UK and in the rest of Europe. It is intentionally destructive, slowly corrupting the data on the hard disk. The message 'FUCK EM UP!' encrypted within the virus leaves no doubt as to the aims of its author. Jackripper's name is taken from another string within the virus body [thankfully! Ed.].
Jackripper infects the Master Boot Sector (MBS) of hard disks when the PC is booted from an infected floppy. On booting, the virus decrypts part of its boot sector in memory (if indeed a simple XOR-ing process can truly be considered encryption). It then decreases the system memory by 2K, and copies itself to this newly created free space.
The virus subsequently jumps to the high memory copy of itself. It then stores the address of the original Int 13h routine and reads the second sector of the virus code into memory. This is stored in sector 8, cylinder 0 on a hard disk, and in the penultimate sector of the root directory of a diskette (both 3.5- and 5.25-inch).
Next, it installs the address of the new Int 13h handler and reads the original MBS of a hard disk (which is stored at sector 9, cylinder 0), or the boot sector of a floppy (stored in the last sector of the root directory). This is loaded into memory at the location 0000:7C00h (i.e. where the boot code would normally be loaded). Its last act before jumping to the original boot code is to re-encrypt that part of the virus boot sector which was decrypted on booting.
When the virus is active in memory, it uses stealth techniques to avoid detection. All read and write requests are redirected to the stored copy of the original sector. The second sector of the virus code, or the sector where the original Master Boot Sector is stored, will also be hidden from view. On a read request, a sector full of zeroes is returned. When a write request is made, it is not acted upon, and the virus copies its own boot sector to the Master Boot Sector. This causes the drive light to flash and indicate the expected activity.
Reads and writes to all other sectors are also intercepted. In the case of a write, there is a 1 in 1024 chance (based on the low byte of the clock count from Int 1Ah) that two words from the sector will be swapped before the write is completed. This corruption is skipped if the sector concerned is one where either the virus' own boot code or the original boot code is stored. The low word of the clock count is read, and a value stored at a particular memory location within the virus is subtracted from it; the original word is then stored at that location. The resulting value is used to decide whether to try to infect the drive being accessed.
If the infection process fails to write to a floppy disk (presumably due to write-protection), the carry flag is cleared, and no error condition is displayed.
The virus code is somewhat erratic, and the fact that a part of the virus boot sector is encrypted is no barrier to its disassembly. The true purpose of the encryption seems to be to hide the two text strings within the virus boot sector.
When a floppy disk is infected, the messages at the end of the boot sector are preserved within the new virus boot code; thus, a casual glance at the boot sector will show nothing amiss. By the same process, the partition table is included in the new MBS on hard disks.
As the virus only corrupts on writing, the files most likely to be affected are data files. Therefore, by the time an infection is discovered, it is possible that data stored on disk has been slightly corrupted.
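The stealth behaviour and the on-disk layout described above (original MBS stashed at sector 9 of cylinder 0, second virus sector at sector 8, partition table carried over into the replacement MBS) suggest a simple offline check on a raw disk image taken after booting from a clean, write-protected floppy, since a live virus would hand back the original sector on any read. The following is an added example, not code from the article or from Virus Bulletin; it assumes head 0 for the stash, 512-byte sectors and the standard MBR layout (partition table at 0x1BE, 0x55AA signature at 0x1FE), and the disk image it analyses is constructed for the example.

```python
"""Offline indicator check for a boot-sector virus that stashes the original
Master Boot Sector on cylinder 0, as described for Jackripper (added example).
Assumptions: head 0 for the stash, 512-byte sectors, standard MBR layout."""
import struct

SECTOR = 512
MBS_LBA = 0      # Master Boot Sector
STASH_LBA = 8    # cylinder 0, head 0, sector 9 -> LBA 8 (head 0 is assumed)
SECOND_LBA = 7   # cylinder 0, head 0, sector 8 -> LBA 7 (second virus sector)


def read_sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def looks_like_boot_sector(sec: bytes) -> bool:
    """A boot sector ends in the 0x55AA signature."""
    return len(sec) == SECTOR and sec[0x1FE:0x200] == b"\x55\xAA"


def check_image(image: bytes) -> dict:
    """Compare the MBS with the sector the virus uses to stash the original."""
    mbs, stash = read_sector(image, MBS_LBA), read_sector(image, STASH_LBA)
    result = {
        # The stash holds a complete boot sector, not data or free space.
        "stash_is_boot_sector": looks_like_boot_sector(stash),
        # The article notes the partition table is copied into the new MBS,
        # so a stashed original shares it while the boot code differs.
        "partition_tables_match": mbs[0x1BE:0x1FE] == stash[0x1BE:0x1FE],
        "boot_code_differs": mbs[:0x1BE] != stash[:0x1BE],
        # Non-zero content in the reserved sector 8 fits the described layout.
        "second_sector_nonzero": any(read_sector(image, SECOND_LBA)),
    }
    result["suspicious"] = (result["stash_is_boot_sector"]
                            and result["partition_tables_match"]
                            and result["boot_code_differs"])
    return result


def build_sample_image() -> bytes:
    """Constructed 16-sector image imitating the infected layout (not real data)."""
    ptable = (bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0x3F, 0x7F])
              + struct.pack("<II", 63, 1_000_000) + b"\x00" * 48)
    original = b"\xFA\x33\xC0" + b"\x90" * (0x1BE - 3) + ptable + b"\x55\xAA"
    infected = b"\xEB\x1C\x90" + b"\xCC" * (0x1BE - 3) + ptable + b"\x55\xAA"
    image = bytearray(SECTOR * 16)
    image[0:SECTOR] = infected
    image[STASH_LBA * SECTOR:(STASH_LBA + 1) * SECTOR] = original
    image[SECOND_LBA * SECTOR:(SECOND_LBA + 1) * SECTOR] = b"\xAB" * SECTOR
    return bytes(image)
```

On a clean disk the stash location normally holds zeroes or unrelated data, so the check reports nothing; matching partition tables under different boot code is the indicator worth following up with a full comparison against a known-good MBS.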
Virus Bulletin: Ripper / webmaster@virusbtn.com | © 1998 Virus Bulletin Ltd.