PoiNtEr->: Virus Programming Tutorial-3

                             Difference between a dream and an aim. A dream requires soundless sleep, whereas an aim requires sleepless efforts.

Search This Blog

Monday, November 12, 2012

Virus Programming Tutorial-3

Boot Sector Virus
The boot sector virus can be the simplest or the most sophisticated of all computer viruses. On the one hand, the boot sector is always located in a very specific place on disk. Therefore,both the search and copy mechanisms can be extremely quick and simple, if the virus can be contained wholly within the boot sector.
On the other hand, since the boot sector is the first code to gain control after the ROM startup code, it is very difficult to stop before it loads. If one writes a boot sector virus with sufficiently sophisticated anti-detection routines, it can also be very difficult to detect after it loads, making the virus nearly invincible.

When a PC is first turned on, the CPU begins executing the machine language code at the location F000:FFF0. The system BIOS ROM (Basic-Input-Output-System Read-Only-Memory) is located in this high memory area, so it is the first code to be executed by the computer. This ROM code is written in assembly language and stored on chips (EPROMS) inside the computer. Typically this code will perform several functions necessary to get the computer up and running properly. First, it will check the hardware to see what kinds of devices are a part of the computer (e.g., color or mono monitor, number and type of disk drives) and it will see whether these devices are working correctly. The most familiar part of this startup code is the memory test, which cycles through all the memory in the machine twice, displaying the addresses on the screen. The startup code will also set up an interrupt table in the
lowest 1024 bytes of memory. This table provides essential entry points (interrupt vectors) so all programs loaded later can access the BIOS services. The BIOS startup code also initializes a data
area for the BIOS starting at the memory location 0040:0000H, right above the interrupt vector table. Once these various house-keeping chores are done, the BIOS is ready to transfer control to
the operating system for the computer, which is stored on disk.

//Sample Kilroy Virus Code
                   MOV SI,OFFSET MESSAGE      ;set offset of message up
                   MOV AH,0EH                               ;Exxecute BIOS INT 10H,Fctn OEH
LODSB                                                              ;get character to display
OR              AL,AL
JZ                DM2                                               ;repeat until 0
INT             10H                                                 ;Display it
JMP             SHORT DM1                                ;and get another
DM2:           RET

MESSAGE:               DB          'Kilroy and #!sh@1 was  here!' ,0DH,0AH,0AH,0          

 Besides displaying a message, the virus can be noticed as it searches for drives to infect,especially if you have a second floppy or drive. If your hard disk is infected,or if you have no hard disk, you will notice that the second floppy lights up for a second or two before your machine boots up.
This is a pretty rudimentary virus. It can make mistakes when infecting the hard drive and miss the boot sector. It can only replicate when the machine boots up. And it can get stuck in places
where it cannot replicate any further (for example, on a system with only one floppy disk and a hard disk). Still, it will do it’s job, and travel all around the world if you’re not careful with it.

No comments:

Post a Comment