DEFGEN5.CVP   930728
 
                     Boot sector infectors
 
Having dealt with some non-viral terminology, let us cover some
virus-related terms that may be unfamiliar.
 
Most people think of viral programs in terms of Fred Cohen's
definition.  That is, a virus is a program which always
"attaches" to another program.  This has given rise to a great
many misconceptions about some of the most common viral
programs, boot sector infectors.
 
Boot sector infecting viral programs, often referred to as
"BSI"s, *do*, in a sense, attach to another program.  Most
people are unaware of the fact that there is a "program" on
every disk, even those which are "blank".  Every formatted disk
has a "boot sector", specified, not by a filename, but simply by
its location as the first physical (or logical, in the case of
hard drives) sector.  When the computer is "booted", the ROM
programming looks for a disk, then "runs" whatever happens to be
in that sector as a program.
 
In most cases, with non-bootable disks, the "program" that is
there simply prints a message reminding the user that the disk
is non-bootable.  The important thing, however, is that
regardless of how small the actual program may be, the computer
"expects" there to be a program in the boot sector, and will run
anything that happens to be there.  Therefore, any viral program
that places itself in that "boot sector" position on the disk
will be the first thing to run, other than ROM programming, when
the computer starts up.  BSIs will copy themselves onto floppy
disks, and transfer to a new computer when the "target" machine
is (usually inadvertently) booted with an infected floppy in the
A: drive.
 
The physical "first sector" on a hard drive is not the boot
sector.  On a hard drive the boot sector is the first "logical"
sector.  The number one position on a hard drive is the master
boot record or MBR.  (This name gets slightly confused by the
fact that the MBR contains the partition table: the data
specifying the type of hard disk and the partitioning
information.  "Master boot record", "partition table" and
"partition boot record" are often used interchangeably, although
they are not identical entities.)  Some viral programs, such as
the Stoned virus, always attack the physical first sector: the
boot sector on floppy disks and the master boot record on hard
disks.  Thus viruses that always attack the boot sector might be
termed "pure" BSIs, whereas programs like Stoned might be
referred to as an "MBR type" of BSI.
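
The distinction between the MBR (physical first sector) and the
boot sector (first logical sector) can be seen by reading the
partition table out of an MBR.  The following is an added example,
not part of the original column.  It assumes the classic PC layout,
which the column does not spell out: 446 bytes of boot code, four
16-byte partition entries, and the 55 AA signature at offset 510.
The sample sector is constructed.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446        # partition table follows 446 bytes of boot code
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid boot record


def parse_mbr(sector):
    """Return the non-empty partition entries of a master boot record."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    entries = []
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        raw = sector[start:start + ENTRY_SIZE]
        # status, CHS start (skipped), type, CHS end (skipped), LBA, count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:            # type 0 marks an unused slot
            continue
        entries.append({"index": i, "active": status == 0x80,
                        "type": ptype, "lba_start": lba_start,
                        "sectors": count})
    return entries


def boot_sector_lba(sector):
    """Sector number of the active partition's boot sector, or None."""
    for entry in parse_mbr(sector):
        if entry["active"]:
            return entry["lba_start"]
    return None


def build_sample_mbr():
    """Constructed sample: one active FAT16 partition starting at sector 63."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[TABLE_OFFSET:TABLE_OFFSET + ENTRY_SIZE] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\x0f\x3f\x20", 63, 65457)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    sample = build_sample_mbr()
    print(parse_mbr(sample))
    print("MBR is sector 0; boot sector is sector", boot_sector_lba(sample))
```

On the sample, the MBR sits at sector 0 while the boot sector of the
active partition sits at sector 63, so a scanner checking only one
of the two locations would miss the other type of BSI.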
 
copyright Robert M. Slade, 1993   DEFGEN5.CVP   930728
 
============= 
Vancouver      ROBERTS@decus.ca         | "Remember, by the
Institute for  Robert_Slade@sfu.ca      |  rules of the game, I
Research into  rslade@cue.bc.ca         |  *must* lie.  *Now* do
User           p1@CyberStore.ca         |  you believe me?"
Security       Canada V7K 2G6           |    Margaret Atwood