💾 Archived View for spam.works › mirrors › textfiles › virus › funbot2.cvp captured on 2023-06-16 at 21:02:28.
-=-=-=-=-=-=-
FUNBOT2.CVP 910918
Boot sequence
In order to point out the areas of possible viral program attack, it is
helpful to outline the sequence of operations in the boot process.
When the machine is first powered up, there is a certain amount of
programming contained in boot ROM. The amount of this varies greatly
between different types of machines, but basically describes the most
central devices, such as the screen and keyboard, and "points" to the
disk drives. A very basic location on the disk is addressed for further
information. This is the generic "boot sector"; as mentioned in the last
column, on MS-DOS hard disks it is the partition boot record that is
accessed first.
The boot record or sector contains further information about the
structure of the disk. It, or a subsequent linked sector, also describes
the location of further operating system files. This description is in
the form of a program, rather than simply data. Because this outline is
in the form of a program, and because this sector is "writable", in order
to allow for different structures, the boot record or sector is
vulnerable to attack or change. Boot sector infecting programs may
overwrite either the boot record or the boot sector, and may or may not
move the original boot sector or record to another location on disk. The
repositioning of the original sector's program allows the viral program
to "pretend" that everything is as it was.
This pretence is not absolute. A computer with an active viral program
resident will, of necessity, be different in some way from the normal
environment. The original sector position will, of course, have
different information in it. The viral program will need to "hook"
certain vectors for its own use in order to monitor activity within the
computer and in order to function. The viral program will have to occupy
a certain portion of memory, and may be identified by a memory map, or,
in the case of the Stoned virus, may try to hide by "telling" the
computer that it has less memory than is actually the case.
These tell-tale indicators are not absolute. There may be various
reasons why the "top of memory" marker is set to less than 640K. Each
different type of disk drive, and each drive of the same type which is
partitioned differently, will have a different boot record. As operating
systems or versions change, so will the boot sector. Therefore, the
environment of newly booted machines cannot, in isolation, be examined
and said to be infected or free from infection.
It is possible, however, to compare any machine with itself in a "known
clean" state. By saving information on the environment after a minimal
clean boot, and comparing this with subsequent boots, changes can be
detected, and the user alerted to a potential problem. Since a boot
sector infector can only infect a machine if the machine is booted from
an infected disk, it is also possible to replace the boot record with a
non-standard one, in order to prevent access to the hard disk unless
booted from the hard disk.
copyright Robert M. Slade, 1991 FUNBOT2.CVP 910918