
The BBS on Floppy Disk

From the document Computer Viruses Black Book GIANT (Page 177-182)

When infecting floppy disks, the BBS virus is much more sophisticated than Stoned. Obviously, trying to hide multiple sectors in a place like the root directory just won’t do. After all, the root directory isn’t that big to begin with.

The BBS attempts to infect disks in a manner completely compatible with DOS. It won’t take up areas on the disk normally reserved for operating system data. Instead, it works within the framework of the file system on the disk, and reserves space for itself in much the same way the file system reserves space for a file.

To do that, it must be smart enough to manipulate the File Allocation Tables on the disk.

Every disk is broken down into logical units called clusters by DOS. Clusters range anywhere from one to 64 or more sectors, depending on the size of the disk. Each cluster is represented by one entry in the File Allocation Table (FAT). This entry tells DOS what it is doing with that cluster. A zero in the FAT tells DOS that the cluster is free and available for use. A non-zero entry tells DOS that this cluster is being used by something already.

The FAT system allows DOS to retrieve files when requested.

A file’s directory entry contains a field pointing to the first cluster used by the file. (See Figure 3.4) If you look that cluster up in the FAT, the number you find there is either the number of the next cluster used by the file, or a special number used to indicate that this is the last cluster used by the file.

Typically, a disk will have two identical copies of the FAT table (it’s important, so a backup made sense to the designers of DOS). They are stored back-to-back right after the operating system boot sector, and before the root directory. DOS uses two kinds of FATs, 12-bit and 16-bit, depending on the size of the disk. All of the standard floppy formats use 12-bit FATs, while most hard disks use 16-bit FATs. The main criterion DOS uses for choosing which to use is the size of the disk. A 12-bit FAT allows about 4K entries, whereas a 16-bit FAT allows nearly 64K entries. The more FAT entries, the more clusters, and the more clusters, the smaller each cluster will be. That’s important, because a cluster represents the minimum storage space on a disk. If you have a 24 kilobyte cluster size, then even a one byte file takes up 24K of space.

Let’s consider the 12-bit FAT a little more carefully here. For an example, let’s look at a 360K floppy. Clusters are two sectors, and there are 354 of them, numbered 2 through 355 (720 sectors, less the boot sector, two 2-sector FATs and the 7-sector root directory). The first FAT begins in Track 0, Head 0, Sector 2, and the second in Track 0, Head 0, Sector 4. Each FAT is also two sectors long.

The first byte in the FAT identifies the disk type. A 360K disk is identified with an 0FDH in this byte. Entries 0 and 1 are taken up by this media byte and never refer to clusters, so the first valid entry in a 12-bit FAT is actually the third entry, entry 2. Figure 12.2 dissects a typical File Allocation Table.

Normally, when a diskette is formatted, the FORMAT program verifies each track as it is formatted. If it has any trouble verifying a cylinder, it marks the relevant cluster bad in the FAT using an FF7H entry. DOS then avoids those clusters in every disk access. If it did not, the disk drive would hang up on those sectors every time something tried to access them, until the program accessing them timed out. This is an annoying sequence of events you may sometimes experience with a disk that has some bad sectors on it that went bad after it was formatted.

When infecting a floppy disk, the BBS virus first searches the FAT to find some sectors that are currently not in use on the disk.

Then it marks these sectors, where it hides its code, as bad even though they really aren’t. That way, DOS will no longer access them. Thus, the BBS virus won’t interfere with DOS, though it will take up a small amount of space on the disk—and it can still access itself using direct Interrupt 13H calls. (See Figure 12.3) In the event that there aren’t enough contiguous free clusters on the disk for BBS, the virus will simply abort its attempt to infect the disk.

The BBS utilizes several generic routines to manipulate the FAT, which are included in the FAT manager file FATMAN.ASM, which will work with any diskette using a 12-bit FAT. To set up the FAT management routines, a call must be made to INIT_FAT_MANAGER with the boot sector of the disk to be accessed in the SCRATCHBUF disk read/write buffer area in memory. Once properly initialized, the first routine, FIND_FREE, will locate a number of contiguous free sectors on the disk in question.

The number of sectors to find is stored in bx before calling FIND_FREE. On return, the carry flag is set if no space was found, otherwise cx contains the cluster number where the requested free space starts.

Fig. 12.2: A Typical File Allocation Table.

    0000  FD FF FF 03 40 00 05 60 00 FF 8F 00 09 A0 00 0B
    0010  C0 00 0D E0 00 0F 00 01 11 20 01 13 40 01 15 60
    0020  01 17 80 01 19 A0 01 1B C0 01 1D E0 01 1F F0 FF
    0030  00 00 00 00 00 00 00 00 F7 7F FF F7 7F FF F7 0F

    Entries 0 and 1: Disk ID in the first byte.
    Entry 2: Pointer to entry 3.
    Entry 3: Pointer to entry 4.
    Entry 6: End of file mark.
    Entry 7: (New file) Points to 8.
    Zero entries (from offset 30H): Empty clusters.
    FF7H entries (from offset 38H): Bad clusters.

Next, the MARK_CLUSTERS routine is called to mark these clusters bad. On entry, MARK_CLUSTERS is passed the starting cluster to mark in dx and the number of clusters to mark in cx.

Finally, UPDATE_FAT_SECTOR writes both FATs out to disk, completing the process. Thus, marking clusters bad boils down to the rather simple code

        call    INIT_FAT_MANAGER
        mov     cx,VIR_SIZE+1
        call    FIND_FREE
        jc      EXIT
        mov     dx,cx
        mov     cx,VIR_SIZE+1
        call    MARK_CLUSTERS
        call    UPDATE_FAT_SECTOR

Fig. 12.3: The BBS virus on floppy disk. (Figure labels: VIRAL BOOTSECTOR, the sector the computer boots from; FAT ONE; FAT TWO; ROOT DIRECTORY; and, in the clusters marked bad, MAIN BODY OF VIRUS and ORIG BOOT SECTOR.)

With FATs properly marked, the virus need only write itself to disk. But where? To find out, the virus calls one more FATMAN.ASM routine, CLUST_TO_ABSOLUTE. This routine is passed the cluster number in cx, and it returns with the cx and dx registers set up ready for a call to Interrupt 13H that will access the disk beginning in that cluster.

The only thing that FATMAN needs to work properly is the data area in the floppy disk boot sector (See Table 10.1). From this data, it is able to perform all the calculations necessary to access and maintain the FAT.
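The Python below is an added example, not the book's FATMAN.ASM and not the BBS virus's own code. It carries out the same steps on an in-memory image of a 360K diskette: read the boot sector's data area, decode 12-bit FAT entries and follow a file's cluster chain, find a run of contiguous free clusters, mark them FF7H, write both FAT copies, and convert a cluster number to the track/head/sector that Interrupt 13H would be given. The BPB values are the standard DOS defaults for a 360K disk; the FAT contents are constructed, except that the first 48 bytes are copied from Figure 12.2 so the chain decoding can be checked against the figure's annotations. The bad-cluster run at clusters 35 to 40 and the 9-sector body are made up for the example. Because the page's prose passes FIND_FREE its count in bx while its snippet loads cx, the example sidesteps the register question and takes ordinary parameters. Its bad_clusters() is also the check a defender wants: reading the FAT back lists every cluster marked bad, the ones FORMAT really found and the ones a virus faked alike.

```python
# FAT12 bookkeeping on a 360K floppy image, mirroring the FATMAN.ASM routines.
# Added example, not code from the book: the BPB values are the standard DOS
# defaults for a 360K diskette and every FAT content here is constructed.
import struct

SECTOR = 512
FREE, BAD = 0x000, 0xFF7                    # FAT12 entry values used below
BPB_FMT = "<HBHBHHBHHHII"                   # BPB fields at offset 11 of the boot sector

# Bytes 00H-2FH of Figure 12.2 (entries 0-31: the two files drawn on the page).
FIG_12_2 = bytes.fromhex("FDFFFF034000056000FF8F0009A0000BC0000DE0000F0001"
                         "11200113400115600117800119A0011BC0011DE0011FF0FF")


def make_360k_image() -> bytearray:
    img = bytearray(720 * SECTOR)           # 40 tracks x 2 heads x 9 sectors
    struct.pack_into(BPB_FMT, img, 11, SECTOR, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2, 0, 0)
    img[510:512] = b"\x55\xAA"
    img[SECTOR:SECTOR + 3] = img[3 * SECTOR:3 * SECTOR + 3] = b"\xFD\xFF\xFF"  # media byte opens each FAT
    return img


class FatManager:
    """Python stand-in for FATMAN.ASM; method names follow the routines on the page."""

    def __init__(self, img: bytearray):     # INIT_FAT_MANAGER: everything comes from the BPB
        self.img = img
        (self.bps, self.spc, reserved, self.nfats, root_entries, total,
         self.media, self.spf, self.spt, self.heads, _, _) = struct.unpack_from(BPB_FMT, img, 11)
        self.fat_sector = reserved
        root_sectors = (root_entries * 32 + self.bps - 1) // self.bps
        self.data_sector = reserved + self.nfats * self.spf + root_sectors
        self.last_cluster = (total - self.data_sector) // self.spc + 1      # 355 on a 360K disk
        self.fat = bytearray(img[reserved * self.bps:][:self.spf * self.bps])  # working copy of FAT 1

    def get(self, n: int) -> int:
        # Entry n is the low 12 bits of the word at byte 3n/2 when n is even, the high 12 when odd.
        i = n * 3 // 2
        w = self.fat[i] | (self.fat[i + 1] << 8)
        return w & 0xFFF if n % 2 == 0 else w >> 4

    def set(self, n: int, v: int) -> None:
        i = n * 3 // 2
        w = self.fat[i] | (self.fat[i + 1] << 8)
        w = (w & 0xF000) | (v & 0xFFF) if n % 2 == 0 else (w & 0x000F) | ((v & 0xFFF) << 4)
        self.fat[i], self.fat[i + 1] = w & 0xFF, w >> 8

    def chain(self, first: int) -> list:
        # Follow a file's clusters until the end-of-file mark (a loop would stop it too).
        out, c = [], first
        while 2 <= c <= self.last_cluster and c not in out:
            out.append(c)
            c = self.get(c)
        return out

    def find_free(self, count: int):        # FIND_FREE; None plays the role of "carry set"
        run = 0
        for c in range(2, self.last_cluster + 1):
            run = run + 1 if self.get(c) == FREE else 0
            if run == count:
                return c - count + 1
        return None

    def mark_clusters(self, start: int, count: int) -> None:   # MARK_CLUSTERS
        for c in range(start, start + count):
            self.set(c, BAD)

    def update_fat_sector(self) -> None:    # UPDATE_FAT_SECTOR: write every FAT copy
        for k in range(self.nfats):
            off = (self.fat_sector + k * self.spf) * self.bps
            self.img[off:off + len(self.fat)] = self.fat

    def clust_to_absolute(self, cluster: int) -> tuple:        # CLUST_TO_ABSOLUTE
        lba = self.data_sector + (cluster - 2) * self.spc
        cyl, rem = divmod(lba, self.spt * self.heads)
        head, sec = divmod(rem, self.spt)
        return cyl, head, sec + 1           # INT 13H numbers sectors from 1

    def bad_clusters(self) -> list:         # what a scanner sees: genuine and faked FF7H alike
        return [c for c in range(2, self.last_cluster + 1) if self.get(c) == BAD]


def hide_in_fat(img: bytearray, sectors: int):
    # The BBS sequence: find room, mark it bad, write both FATs, report where it starts.
    fm = FatManager(img)
    clusters = -(-sectors // fm.spc)        # round sectors up to whole clusters
    start = fm.find_free(clusters)
    if start is None:                       # jc EXIT: not enough contiguous free space
        return None
    fm.mark_clusters(start, clusters)
    fm.update_fat_sector()
    return start, fm.clust_to_absolute(start)


def demo() -> dict:
    img = make_360k_image()
    fm = FatManager(img)
    fm.fat[:len(FIG_12_2)] = FIG_12_2       # the two files of Figure 12.2
    fm.mark_clusters(35, 6)                 # constructed: clusters FORMAT really found bad
    fm.update_fat_sector()
    hidden = hide_in_fat(img, 9)            # 9 sectors need 5 clusters, so the 3-cluster gap is skipped
    after = FatManager(img)                 # re-read the FAT as DOS (or a scanner) would
    return {"file1": fm.chain(2), "file2": fm.chain(7), "hidden": hidden,
            "bad": after.bad_clusters(),
            "fats_match": img[SECTOR:3 * SECTOR] == img[3 * SECTOR:5 * SECTOR]}
```

demo() returns the two cluster chains decoded from the figure's bytes, the cluster and track/head/sector where the body was hidden, the full list of clusters now marked bad, and whether the two FAT copies agree. To tell the virus's clusters from the ones FORMAT found, a verify pass that actually reads each FF7H cluster is the check: a "bad" cluster that reads back cleanly and holds a boot sector is the footprint of this technique.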

The BBS will attempt to infect a floppy disk every time Track 0, Head 0, Sector 1 (the boot sector) is read from the disk. Normally, this is done every time a new disk is inserted in a drive and accessed.

DOS must read this sector to get the data area from the disk to find out where the FATs, Root Directory, and files are stored. BBS simply piggy-backs on this necessary activity and puts itself on the disk before DOS can even get the data. This logic is illustrated in Figure 12.4.
