To understand the operation of a boot sector virus one must first understand how a normal, uninfected boot sector works. Since the operation of a boot sector is hidden from the eyes of a casual user, and often ignored by books on PC’s, we will discuss them here.
When a PC is first turned on, the CPU begins executing the machine language code at the location F000:FFF0. The system BIOS ROM (Basic-Input-Output-System Read-Only-Memory) is located in this high memory area, so it is the first code to be executed by the computer. This ROM code is written in assembly language and stored on chips (EPROMS) inside the computer. Typically this code will perform several functions necessary to get the computer up and running properly. First, it will check the hardware to see what kinds of devices are a part of the computer (e.g., color or mono monitor, number and type of disk drives) and it will see whether these devices are working correctly. The most familiar part of this startup code is the memory test, which cycles through all the memory in the machine twice, displaying the addresses on the screen. The startup code will also set up an interrupt table in the lowest 1024 bytes of memory. This table provides essential entry points (interrupt vectors) so all programs loaded later can access the BIOS services. The BIOS startup code also initializes a data area for the BIOS starting at the memory location 0040:0000H, right above the interrupt vector table. Once these various house-keeping chores are done, the BIOS is ready to transfer control to the operating system for the computer, which is stored on disk.
But which disk? Where on that disk? What does it look like? How big is it? How should it be loaded and executed? If the BIOS knew the answers to all of these questions, it would have to be configured for one and only one operating system. That would be a problem. As soon as a new operating system (like OS/2) or a new version of an old familiar (like MS-DOS 4.0) came out, your computer would become obsolete! For example, a computer set up with PC-DOS 2.0 could not run MS-DOS 3.3, or Xenix. A machine set up with CPM-86 (an old, obsolete operating system) could run none of the above. That wouldn’t be a very pretty picture.
The boot sector provides a valuable intermediate step in the process of loading the operating system. It works like this: the BIOS remains ignorant of the operating system you wish to use.
However, it knows to first go out to floppy disk drive A: and attempt to read the first sector on that disk (at Track 0, Head 0, Sector 1) into memory at location 0000:7C00H. If the BIOS doesn’t find a disk in drive A:, it looks for the hard disk drive C:, and tries to load
its first sector. (And if it can’t find a disk anywhere, it will either go into ROM Basic or generate an error message, depending on what kind of a computer it is.) Once the first sector (the boot sector) has been read into memory, the BIOS checks the last two bytes to see if they have the values 55H AAH. If so, the BIOS assumes it has found a valid boot sector, and transfers control to it at 0000:7C00H. From this point on, it is the boot sector’s responsibil-ity to load the operating system into memory and get it going, whatever the operating system may be. In this way the BIOS (and the computer manufacturer) avoids having to know anything about what operating system will run on the computer. Each operating system will have a unique disk format and its own configuration, its own system files, etc. As long as every operating system puts a boot sector in the first sector on the disk, it will be able to load and run.
Since a sector is normally only 512 bytes long, the boot sector must be a very small, rude program. Generally, it is designed to load another larger file or group of sectors from disk and then pass control to them. Where that larger file is depends on the operating system. In the world of DOS, most of the operating
Loaded by BIOS
Loaded by the Boot sector
(RAM)
Figure 13: Loading the DOS operating system.
IBMBIO.COM Boot Sector
ROM BIOS
0000:7C00
0000:0700 F000:0000
system is kept in three files on disk. One is the familiar COM-MAND.COM and the other two are hidden files (hidden by setting the “hidden” file attribute) which are tucked away on every DOS boot disk. These hidden files must be the first two files on a disk in order for the boot sector to work properly. If they are anywhere else, DOS cannot be loaded from that disk. The names of these files depend on whether you’re using PC-DOS (from IBM) or MS-DOS (from Microsoft). Under PC-DOS, they’re called IBMBIO.COM and IBMDOS.COM. Under MS-DOS they’re called IO.SYS and MSDOS.SYS.
When a normal DOS boot sector executes, it first deter-mines the important disk parameters for the particular disk it is installed on. Next it checks to see if the two hidden operating system files are on the disk. If they aren’t, the boot sector displays an error message and stops the machine. If they are there, the boot sector tries to load the IBMBIO.COM or IO.SYS file into memory at location 0000:0700H. If successful, it then passes control to that program file, which continues the process of loading the PC/MS-DOS operating system. That’s all the boot sector on a floppy disk does.
A hard drive is a little more complex. It will contain two (or more) boot sectors instead of just one. Since a hard drive can be divided into more than one partition (an area on the disk for the use of an operating system), it may contain several different oper-ating systems. When the BIOS loads the boot sector in the first physical sector on the hard drive, it treats it just the same as a floppy drive. However, the sector that gets loaded performs a completely different function. Rather than loading an operating system’s code, this sector handles the partition information, which is also stored in that sector (by the FDISK program in DOS). No matter how many partitions a disk may have, one of them must be made active (by setting a byte in the partition table) to boot off the hard disk.
The first boot sector determines which partition is active, moves itself to a different place in memory, and then loads the first sector in the active partition into memory (at 0000:7C00H), where the partition boot sector originally was. The first sector in the active partition is the operating system boot sector which loads the
oper-ating system into memory. It is virtually identical to the boot sector on floppy disk.
Designing a boot sector virus can be fairly simple—at least in principle. All that such a virus must do is take over the first sector on disk (or the first sector in the active partition of a hard disk, if it prefers to go after that). From there, it tries to find uninfected disks in the system. Problems arise when that virus becomes so compli-cated that it takes up too much room. Then the virus must become two or more sectors long, and the author must find a place to hide multiple sectors, load them, and copy them. This can be a messy and difficult job. If a single sector of code could be written that could both load the DOS operating system and copy itself to other disks, one would have a very simple virus which would be practi-cally impossible for the unsuspecting user to detect. Such is the virus we will discuss in this chapter. Its name is KILROY.
Rather than designing a virus that will infect a boot sector, it is much easier to design a virus that simply is a self-reproducing boot sector. That is because boot sectors are pretty cramped—there
Partition Boot Sector
DOS Boot Sector
DOS Boot Sector
Operating System (IO.SYS) Partition
Boot Sector
(1) (2) (3)
BIOS Loads Partition Boot Sector
Partition Boot Sector Loads DOS Boot Sector
DOS Boot Sector Loads DOS
7C00
0600
7C00
0700
Figure 14: The hard disk boot sequence in three steps.
may only be a dozen free bytes available for “other code”—and the layout of the boot sector will vary with different operating systems.
To deal with these variations in such a limited amount of space would take a miracle program. Instead, we will design a whole, functional boot sector.