The most significant types of viruses are the following:
Boot sector virus: it infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
Parasitic virus: the traditional and most common form of virus; it is also called a file virus. A parasitic virus attaches itself to executable files and replicates when the infected program is executed, finding other executable files to infect.
Stealth virus: a form of virus explicitly designed to hide itself from detection by antivirus software.
Working procedure of different types of viruses:
Only once we understand how the computer normally works will we be able to understand what abnormalities occur when a virus enters it, and then, possibly, write a program to detect and remove these viruses. Let us begin with the boot-time procedure.
Boot sector virus:
The entire procedure can be divided into the following distinct steps:
a. When the machine is switched on, the microprocessor passes control to a set of routines called Power On Self Test (POST) routines. The POST routines perform a reliability test of the other ROM programs to find out whether they are in order.
b. A ROM startup routine sets up the Interrupt Vector Table (IVT) with the addresses of the ROM BIOS routines.
c. A ROM startup routine performs the RAM test and stores the base memory size at locations 0x413 and 0x414.
d. ROM startup routines check and initialize the standard equipment (keyboard, VDU, floppy disk drive and printer) and store a list of this equipment in memory at location 0x410.
e. The ROM startup routines check for non-standard equipment attached to the computer. If any is found, they momentarily transfer control to ROM extension routines. The ROM extension routines initialize the non-standard equipment (such as a hard disk) and hand control back to the ROM startup routine.
f. A ROM startup routine reads the system boot-up sequence from CMOS RAM (on an AT and above). Usually this sequence is A:, C:, indicating that the system would first attempt to boot from the A drive and, if it fails to do so, would then attempt to boot from the C drive. This sequence can be changed by the user.
On an XT the booting sequence is always A:, C: and cannot be changed.
g. A ROM startup routine called the Bootstrap Loader loads the contents of side 0, track 0, sector 1 of the first drive in the system boot-up sequence. Now there are two possibilities:
1. The first drive in the system boot-up sequence is drive A.
2. The first drive in the system boot-up sequence is drive C.
Let us now study booting from these drives separately.
1. The Bootstrap Loader program is a short and primitive program, smart enough to move the head of the disk drive to track 0, read the contents of the first physical sector of the disk into memory at a predetermined location, and pass control to it.
Side 0, track 0, sector 1 of the floppy disk contains the Boot Parameters and a Disk Bootstrap Program. Hence the Bootstrap Loader loads these into memory and hands over control to them.
In the boot parameters the first three bytes contain a jump instruction. This instruction causes control to jump to the Disk Bootstrap Program, bypassing the Boot Parameters, which are placed after the jump instruction.
The Disk Bootstrap Program's task is to load the file IO.SYS into memory. But it is handicapped because it doesn't know the exact location of IO.SYS on the disk, which depends upon:
· Number of copies of FAT on the disk
· Number of sectors occupied by each copy of FAT
· Number of sectors occupied by the directory
As we have seen earlier, these parameters vary from one type of disk to another. This is where the Boot Parameters come to the rescue of the Disk Bootstrap Program: using the data in the Boot Parameters it calculates the exact location of IO.SYS. Once this location has been found, the actual loading of the operating system into memory starts.
2. The Disk Bootstrap Program first examines whether the file IO.SYS is present on the disk. If present, it loads the file into memory and passes control to it. If absent, it flashes the familiar message:
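The calculation described above can be carried out from the Boot Parameters alone. The following added example (not code from the original text) builds a constructed boot sector with the standard 1.44 MB floppy values, checks the jump instruction and the 55AA signature that mark a valid boot sector, reads the number of FAT copies, sectors per FAT and root directory entries, and derives the logical sector at which the data area, and therefore the first cluster a DOS bootstrap expects IO.SYS to occupy, begins. The sector layout is the standard DOS one; the `cluster_to_sector` helper generalizes the same arithmetic to any cluster number.

```python
import struct

# Layout of the Boot Parameters (BIOS Parameter Block) that follow the 3-byte jump
# at the start of a DOS boot sector. Offsets and field widths are the standard ones.
BPB_FORMAT = "<HBHBHHBHHHII"
BPB_OFFSET = 11


def build_floppy_boot_sector() -> bytes:
    """Constructed 1.44 MB floppy boot sector with the standard geometry values."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"          # JMP SHORT over the parameters, then NOP
    sector[3:11] = b"MSDOS5.0"              # OEM name
    struct.pack_into(BPB_FORMAT, sector, BPB_OFFSET,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors (the boot sector itself)
                     2,      # number of copies of the FAT
                     224,    # root directory entries
                     2880,   # total sectors (16-bit field)
                     0xF0,   # media descriptor
                     9,      # sectors occupied by each copy of the FAT
                     18, 2,  # sectors per track, number of heads
                     0, 0)   # hidden sectors, 32-bit total sectors (unused here)
    sector[510:512] = b"\x55\xAA"           # boot sector signature
    return bytes(sector)


def parse_boot_parameters(sector: bytes) -> dict:
    """Derive the disk layout that a Disk Bootstrap Program needs from the Boot Parameters."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector: wrong length or missing 55AA signature")
    if sector[0] not in (0xEB, 0xE9):      # must begin with a short or near JMP
        raise ValueError("first byte is not a jump instruction")
    (bytes_per_sector, sectors_per_cluster, reserved, fat_copies, root_entries,
     total16, _media, sectors_per_fat, _spt, _heads, _hidden, total32) = \
        struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)
    # Each directory entry is 32 bytes; the directory always occupies whole sectors.
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    root_dir_start = reserved + fat_copies * sectors_per_fat
    data_start = root_dir_start + root_dir_sectors
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "fat_copies": fat_copies,
        "sectors_per_fat": sectors_per_fat,
        "root_dir_start": root_dir_start,      # logical sector of the root directory
        "root_dir_sectors": root_dir_sectors,
        "data_start": data_start,              # logical sector of cluster 2
        "total_sectors": total16 or total32,
    }


def cluster_to_sector(layout: dict, cluster: int) -> int:
    """Map a FAT cluster number (2 is the first data cluster) to a logical sector."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved")
    return layout["data_start"] + (cluster - 2) * layout["sectors_per_cluster"]


if __name__ == "__main__":
    layout = parse_boot_parameters(build_floppy_boot_sector())
    print(layout)
    print("cluster 2 (where a DOS bootstrap expects IO.SYS to start) is logical sector",
          cluster_to_sector(layout, 2))
```

With the standard floppy values the directory starts at sector 19 (1 reserved sector plus two 9-sector FATs), occupies 14 sectors, and the data area starts at sector 33; change the FAT count or FAT size and the result moves, which is exactly why the bootstrap cannot hard-code the location.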
Non-system disk. Insert system disk and press any key
On inserting the system disk and hitting a key, it loads IO.SYS from the disk. As soon as IO.SYS is loaded, the Disk Bootstrap Program is wiped out of memory.
3. IO.SYS consists of two modules: the Disk BIOS and SYSINIT. The SYSINIT module loads the file MSDOS.SYS from disk into memory and passes control to it.
4. MSDOS.SYS builds some internal data structures and work areas and then returns control to SYSINIT.
SYSINIT loads the file CONFIG.SYS from the root directory of the floppy. This optional file can contain a variety of commands that enable the user to customize the working environment; for instance the user may specify the number of disk buffers, the maximum number of files that can be open, etc. If it is found, the entire CONFIG.SYS file is loaded into memory and each command in it is executed, one line at a time.
5. SYSINIT then loads the Resident Portion of the file COMMAND.COM into memory. Once this portion is loaded, the SYSINIT module is discarded from memory and control is handed over to the Resident Portion.
6. The Resident Portion of COMMAND.COM loads the Transient Portion of COMMAND.COM into the high end of memory. High end here means the top of base memory. The high end varies from computer to computer, since different computers are likely to have different base memory sizes. The Resident Portion figures out the high end from the base memory size stored at locations 0x413, 0x414 during the RAM test.
The Transient Portion of COMMAND.COM executes the file AUTOEXEC.BAT, if it is present in the root directory.
7. The Transient Portion of COMMAND.COM finally displays the DOS prompt.
While booting from a hard disk, steps (a) through (g) given above remain the same. The rest of the steps are as follows:
1. Since the capacity of a hard disk is huge, logical partitions are created on it to accommodate different operating systems. The information about where each partition begins and ends, the size of each partition, etc. is stored in a partition table in side 0, track 0, sector 1. This sector also contains a Master Boot Program. The partition table is 64 bytes long and also indicates which partition is bootable. The ROM Bootstrap Loader program loads the partition table and the Master Boot Program into memory and passes control to it.
2. The Master Boot Program finds out which partition is bootable, loads the boot sector (containing the Boot Parameters and Disk Bootstrap Program) from that partition and passes control to it.
3. Once the Disk Bootstrap Program receives control, the rest of the booting procedure is the same as when booting from a floppy disk.
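The 64-byte partition table and the Master Boot Program's choice of bootable partition can be decoded directly from the sector. The following added example (not code from the original text) builds a constructed master boot sector with a placeholder in place of the Master Boot Program, a 64-byte table holding one bootable and one non-bootable partition, and the 55AA signature, then parses the four 16-byte entries and selects the partition a Master Boot Program would load the boot sector from. The entry layout (status byte, CHS start, type, CHS end, 32-bit starting sector, 32-bit sector count) and the 0x80 active flag are the standard DOS conventions; the CHS bytes in the sample are filled in by hand rather than computed.

```python
import struct

PARTITION_TABLE_OFFSET = 0x1BE   # the 446 bytes before it hold the Master Boot Program
ENTRY_FORMAT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder code area, two partitions (first one bootable), 55AA."""
    mbr = bytearray(512)
    mbr[0:2] = b"\xFA\x33"       # placeholder for the Master Boot Program, not real code
    # Entry 0: active (0x80), type 0x06 (FAT16), starts at sector 63, runs up to sector 204800
    struct.pack_into(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x0C", 63, 204737)
    # Entry 1: inactive second partition immediately after the first
    struct.pack_into(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + 16,
                     0x00, b"\x00\x01\x0D", 0x06, b"\xFE\x3F\x19", 204800, 204800)
    mbr[510:512] = b"\x55\xAA"   # same signature the boot sector carries
    return bytes(mbr)


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte entries of the 64-byte partition table."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a master boot sector: wrong length or missing 55AA signature")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        entries.append({
            "index": i,
            "status": status,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,        # first sector of the partition: its boot sector
            "sectors": count,
            "empty": ptype == 0 and count == 0,
        })
    return entries


def partitions_overlap(entries: list) -> bool:
    """A damaged table is a classic symptom; overlapping ranges are one way to spot it."""
    ranges = sorted((e["lba_start"], e["lba_start"] + e["sectors"])
                    for e in entries if not e["empty"])
    return any(ranges[i][1] > ranges[i + 1][0] for i in range(len(ranges) - 1))


def select_boot_partition(entries: list) -> dict:
    """Mimic the Master Boot Program: exactly one active, non-empty entry is acceptable."""
    bad = [e["status"] for e in entries if e["status"] not in (0x00, 0x80)]
    if bad:
        raise ValueError("invalid partition status byte(s): %r" % bad)
    active = [e for e in entries if e["bootable"] and not e["empty"]]
    if len(active) != 1:
        raise ValueError("expected exactly one bootable partition, found %d" % len(active))
    return active[0]


if __name__ == "__main__":
    table = parse_partition_table(build_sample_mbr())
    boot = select_boot_partition(table)
    print("bootable partition %d: type 0x%02X, boot sector at LBA %d, %d sectors"
          % (boot["index"], boot["type"], boot["lba_start"], boot["sectors"]))
    print("overlap:", partitions_overlap(table))
```

The `lba_start` of the selected entry is the sector the Master Boot Program reads next; it holds the Boot Parameters and Disk Bootstrap Program, so from that point the hard-disk case rejoins the floppy procedure described above.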
The figure given below shows the booting procedure from a floppy disk and a hard disk for easy comparison.
That is how the computer boots up normally. It is this boot-time procedure which gets altered when either the master boot sector or the boot sector of the hard disk gets infected by a virus. On a floppy there is no master boot sector; therefore only the boot sector of a floppy can get infected with a virus. The virus which infects the master boot sector is called a 'Partition Table Virus', whereas the one which infects the boot sector is called a 'Boot Sector Virus'. There is another variety called a 'File Virus' which is deadlier than the boot sector and partition table viruses. How do these viruses work and how can they be eradicated? Well, we will find out exactly how in the next article.
Booting From An Infected Disk:
An infected floppy disk may contain a virus in the boot sector, whereas an infected hard disk may contain a virus in the partition table sector, in the boot sector, or in both. Whenever a virus infects a disk it ensures that the contents of the normal boot sector or partition table sector are stored at some safe place on the disk.
Assuming that the boot sector of a floppy or hard disk is infected by a virus, let us see how the normal booting procedure would be altered. The procedure is as follows.
a. POST routines are executed.
b. The IVT is set up with the relevant addresses.
c. The RAM test is performed and the base memory size is stored at locations 0x413 and 0x414.
d. Standard equipment is initialized.
e. Non-standard equipment is initialized.
f. The system boot-up sequence is determined.
g. The contents of the boot sector are loaded and control is passed to it. In the case of a floppy disk this loading is done by the Bootstrap Loader program, whereas in the case of a hard disk it is done by the Master Boot Program. Since we are assuming that the boot sector has been infected, the virus gets loaded into memory and control is passed to it.
h. The virus gets loaded at the place in memory where the normal Disk Bootstrap Program is loaded. Ultimately the virus will have to bring the Disk Bootstrap Program into memory, since it is this program which knows how to load the file IO.SYS. If the Disk Bootstrap Program is to enter memory at the same location where the virus currently resides, the virus is bound to get overwritten. This would virtually be suicide for the virus. It knows this thoroughly well, and hence before loading the Disk Bootstrap Program into memory it makes a copy of itself at the high end of memory. To figure out where the high end of memory is on a particular computer, it takes the help of the base memory size stored at locations 0x413 and 0x414.
As you will see later, there could be one more threat to the survival of the virus. To take care of this threat, once it has made a copy of itself at the high end it reduces the value of the base memory size at locations 0x413 and 0x414 by an amount equal to the size of the virus.
A virus would like control to reach it, somehow or other, once the entire booting is complete. It ensures this by capturing a few interrupts.
Note that reducing the base memory size and capturing the interrupts has to be done by the virus before it loads the Disk Bootstrap Program.
i. The virus loads the Disk Bootstrap Program at its fixed location in memory, thereby overwriting the first copy of the virus. Control is handed over to the Disk Bootstrap Program.
j. The Disk Bootstrap Program loads the file IO.SYS.
k. The SYSINIT module of IO.SYS loads the file MSDOS.SYS from disk into memory and passes control to it.
l. MSDOS.SYS builds some internal data structures and work areas and then returns control to SYSINIT. SYSINIT loads the file CONFIG.SYS from the root directory and sets up the environment.
m. SYSINIT then loads the Resident Portion of the file COMMAND.COM into memory. Once the Resident Portion is loaded, the SYSINIT module is discarded from memory and control is handed over to the Resident Portion.
n. The Resident Portion of COMMAND.COM loads the Transient Portion of COMMAND.COM into the high end of memory. The Resident Portion figures out the high end from the base memory size stored at locations 0x413, 0x414. But since the virus has already reduced this value, the Transient Portion gets loaded just below the virus.
o. The Transient Portion of COMMAND.COM executes the file AUTOEXEC.BAT, if it is present in the root directory.
p. The Transient Portion of COMMAND.COM finally displays the DOS prompt.
Thus, by the time we get the DOS prompt the virus has already managed to become active in memory. Let us now see how the virus spreads from one disk to another. The medium used by the virus to spread is the floppy disk. If we insert a clean, uninfected disk while the virus is active in memory and attempt to perform any disk I/O, control first reaches the virus, since it has already captured interrupt 19, the disk I/O interrupt. When control reaches the virus it checks whether the boot sector already contains virus code; if it doesn't, the virus makes a copy of itself in the boot sector of this clean disk. Before making the copy it takes care to copy the normal boot sector contents to some other sector on the disk. Once this is done the virus passes control to the normal ROM-BIOS disk I/O routine. Thus the user feels that everything is fine, since the I/O has been performed successfully. However, the virus has managed to plant itself on a clean disk, thereby infecting it.
If we now take this infected disk to some other machine and try to boot that machine from it, the virus is bound to get loaded into memory. Once in memory, it would infect any clean disks that are used on this machine. This is how it manages to spread itself from one machine to another.
Working of A Partition Table Virus
When a virus infects the partition table sector it keeps the data area intact and replaces the Master Boot Program with the virus code. Before doing this it copies the contents of the partition table sector to some other location on the disk. The virus cannot afford to disturb the data area in the partition table sector, since the bootstrap loader program relies on this data to determine the bootable partition. If you are lucky the machine may still boot, but you may not be able to access any of your logical drives on the hard disk, a sure sign that something is seriously wrong with the partition table. And that would defeat the very purpose, since a virus does not want you to know of its existence till it has destroyed some of your work.
Now, during booting, the Bootstrap Loader program loads the virus into memory. The virus does three things. First it copies itself to the high end of memory after checking the RAM size at locations 0x413 and 0x414.
It then reduces the RAM size in these two locations. As a result, when the Transient Portion of COMMAND.COM is loaded it will be loaded below the virus. After reducing the base memory size it steals interrupt 19 and places the address of the virus code in the IVT in place of the original address, in much the same way as we did when we wrote a TSR. So whenever a call is made to interrupt 19, first the virus code is executed, followed by the actual ROM-BIOS routine.
After reducing the memory size and capturing the interrupts, it proceeds to load the Master Boot Program into memory from the sector to which it was displaced by the virus. From here onwards the normal booting procedure is followed. The only difference is that when the Resident Portion of COMMAND.COM loads the Transient Portion it reads the reduced RAM size from locations 0x413 and 0x414 and hence loads the Transient Portion below the virus.
Let us now see what would happen if we attempt to copy a file to a floppy in drive A. When we give the copy command, an interrupt 19 is generated. But since the address of the ROM-BIOS routine has been replaced by the address of the virus, it is the virus which gets control, and so the virus code gets executed. The virus checks the CPU registers and realizes that a write to drive A is being attempted. Hence it proceeds to copy itself into the first physical sector of the floppy, that is, the boot sector. But before it does this it transfers the original contents of this sector to another area on the disk. It then hands over control to the original routine in the ROM-BIOS. Thus a floppy gets infected.
If we attempt to boot another machine with this floppy, the first sector, containing the virus, gets loaded into memory. Now the virus acts intelligently. It knows that it has been loaded from a floppy and hence proceeds to copy itself into the first physical sector of the hard disk, that is, the partition table sector. Instead of copying itself into the partition table sector, some types of virus may copy themselves into the first logical sector of the DOS partition, that is, the boot sector. In either case, before copying itself the virus first moves the original contents of the sector to some other location. Once this is done it reduces the RAM size and steals some interrupts. Then it goes back to the floppy disk to load the original boot sector into memory.
Note that even if the infected floppy is not a bootable disk and we attempt to boot from it, the virus still manages to enter the machine. This is because DOS flashes the 'Non-System Disk' error message only when it fails to load the file IO.SYS. By this time the virus has already reached memory and taken over control. Thus a non-bootable floppy may also infect your computer.
This is how the virus spreads from one floppy to another, one machine to another, one installation to another and across the seas.
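Both the boot sector virus and the partition table virus described above leave the same two traces at boot time: the base memory word at 0x413 is smaller than the RAM test wrote, and the disk I/O vector (interrupt 19 decimal is INT 13h) points into the memory that has just been hidden. The following added example (not code from the original text) constructs a snapshot of the first 0x500 bytes of memory, the IVT and the BIOS data area, for a clean machine and for one with a 2 KB resident virus, and runs those two checks over it. It also adds the check that follows from the partition table passage: the 446-byte Master Boot Program has changed while the 64-byte partition table has not. The ROM BIOS segment 0xF000 and the 640 KB conventional memory size are standard PC values; the sample vectors and the 2 KB size are constructed, and a resident driver can legitimately hook INT 13h, so the third finding is worded as something to verify against a clean boot rather than as proof.

```python
import struct

IVT_BASE = 0x0000              # 256 vectors of (offset, segment), 4 bytes each
BDA_BASE_MEMORY = 0x413        # word: base memory size in KB, written by the RAM test
DISK_IO_INTERRUPT = 0x13       # "interrupt 19" in the text: the ROM BIOS disk I/O interrupt
ROM_BIOS_SEGMENT = 0xF000      # the BIOS ROM sits at the top of the 1 MB address space
CONVENTIONAL_KB = 640


def build_memory_image(base_kb: int, int13_vector: tuple) -> bytes:
    """Constructed snapshot of the first 0x500 bytes of memory (IVT + BIOS data area)."""
    mem = bytearray(0x500)
    seg, off = int13_vector
    struct.pack_into("<HH", mem, IVT_BASE + DISK_IO_INTERRUPT * 4, off, seg)
    struct.pack_into("<H", mem, BDA_BASE_MEMORY, base_kb)
    return bytes(mem)


def read_vector(mem: bytes, number: int) -> tuple:
    """Return (segment, offset) of an interrupt vector from the IVT."""
    off, seg = struct.unpack_from("<HH", mem, IVT_BASE + number * 4)
    return seg, off


def base_memory_kb(mem: bytes) -> int:
    return struct.unpack_from("<H", mem, BDA_BASE_MEMORY)[0]


def check_boot_snapshot(mem: bytes, expected_kb: int = CONVENTIONAL_KB) -> list:
    """Findings consistent with a resident boot sector / partition table virus."""
    findings = []
    reported_kb = base_memory_kb(mem)
    hidden_kb = expected_kb - reported_kb
    if hidden_kb > 0:
        findings.append("base memory reported as %d KB, expected %d KB: %d KB unaccounted for"
                        % (reported_kb, expected_kb, hidden_kb))
    seg, off = read_vector(mem, DISK_IO_INTERRUPT)
    linear = seg * 16 + off
    if reported_kb * 1024 <= linear < expected_kb * 1024:
        # The vector lands in the region the virus removed from the reported base memory.
        findings.append("INT 13h vector %04X:%04X points into the %d KB above the reported base memory"
                        % (seg, off, hidden_kb))
    elif seg < ROM_BIOS_SEGMENT:
        findings.append("INT 13h vector %04X:%04X points into RAM rather than the ROM BIOS "
                        "(a resident driver may do this; compare with a clean boot)" % (seg, off))
    return findings


def mbr_code_replaced(mbr: bytes, known_good: bytes) -> bool:
    """True when the 446-byte Master Boot Program differs but the partition table is intact."""
    return mbr[:446] != known_good[:446] and mbr[446:510] == known_good[446:510]


if __name__ == "__main__":
    clean = build_memory_image(640, (0xF000, 0xEC59))       # constructed clean machine
    infected = build_memory_image(638, (0x9F80, 0x0012))    # constructed: 2 KB hidden, INT 13h hooked
    for name, image in (("clean", clean), ("infected", infected)):
        print(name, check_boot_snapshot(image) or ["no findings"])
```

The memory-size check is the programmatic form of symptom 5 in the diagnosis list further down ("System memory is reduced"); on its own it is weak, since a legitimate BIOS may reserve a kilobyte or two, which is why the vector check and the known-good comparison of the Master Boot Program are worth running alongside it.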
Parasitic or File Viruses:
In terms of sheer number of viruses, these are the most common kind. The simplest file viruses work by locating a type of file that they know how to infect (usually a file name ending in ".COM" or ".EXE") and overwriting part of the program they are infecting. When this program is executed, the virus code executes and infects more files. These overwriting viruses do not tend to be very successful, since the overwritten program rarely continues to function correctly and the virus is almost immediately discovered. The more sophisticated file viruses modify the program so that the original instructions are saved and executed after the virus finishes.
Be aware that many file viruses (such as 4096, also known as Frodo) infect overlay files as well as the more usual *.COM and *.EXE files. Overlay files have various extensions; ".OVR" and ".OVL" are common examples.
Macro Viruses: There is a particular type of file virus that many people don't understand: viruses in the files of the Microsoft Office applications (e.g. MS Word, MS Excel, MS Access, etc.). These programs all have their own macro language (a BASIC-like language) built in. The associated files (MS Word documents or templates and MS Excel spreadsheet files) are usually thought of only as data files, so many people are surprised that they can be infected. But these files can contain programs (in the macro language) that are executed when you load one of these files into the associated product. The program inside these files is interpreted by the MS Office application. What is now a language originally began as a very simple macro facility that the user could use to combine keystrokes to automate some routine function. The macro language in these products has since grown substantially and is now a fully capable language based on Visual Basic (VBA). Since anything that contains a program can potentially be infected by a virus, these files can harbor viruses.
A macro virus is particularly threatening for a number of reasons:
1. A macro virus is platform independent. Virtually all macro viruses infect MS Word documents; any hardware platform and operating system that supports Word can be infected.
2. A macro virus infects documents, not executable portions of code. Most of the information in a computer is stored in the form of documents, not programs.
3. A macro virus is easily spread. A very common method is electronic mail.
A virus such as the one just described is easily detected, because an infected version of a program is longer than the corresponding uninfected one. One way to thwart such a simple means of detecting a virus is to compress the executable file so that the infected and uninfected versions are of identical length. The following diagram describes it more clearly.
We assume that program p1 is infected with the virus CV.
When the program is invoked, control passes to its virus, which performs the following steps:
· For each uninfected file p2 that is found, the virus first compresses that file to produce p2*, which is shorter than the original program by the size of the virus.
· A copy of the virus is prepended to the compressed program.
· The compressed version of the original infected program, p1*, is uncompressed.
· The uncompressed original program is executed.
A compression stealth virus
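The point of the figure is that a file-integrity check based on length alone is defeated once the infected file is kept at its original size. The following added example (not code from the original text) builds a constructed stand-in for p2*: it compresses a compressible sample program with zlib, prepends a labelled marker in place of the virus body, and pads the result back to the original length. It then records a baseline of size and SHA-256 for each file and runs two checkers over the modified set: the length-only check from the text, which misses the change, and a digest check, which catches it. The marker, the sample "programs" and the padding are all constructed; no real executable or virus is involved.

```python
import hashlib
import zlib

MARKER = b"CV-CONSTRUCTED-MARKER-"   # stands in for the prepended virus body; just a label


def make_same_length_variant(program: bytes) -> bytes:
    """Constructed p2*: compress the program, prepend the marker, keep the original length."""
    compressed = zlib.compress(program, 9)
    body = MARKER + compressed
    if len(body) > len(program):
        raise ValueError("program does not compress enough to absorb the marker")
    return body + b"\x00" * (len(program) - len(body))   # pad back to the original size


def baseline(files: dict) -> dict:
    """Record (size, SHA-256) for every path -> contents mapping."""
    return {path: (len(data), hashlib.sha256(data).hexdigest())
            for path, data in files.items()}


def check_by_length(files: dict, base: dict) -> list:
    """The naive check from the text: report files whose length changed."""
    return sorted(p for p, data in files.items() if len(data) != base[p][0])


def check_by_hash(files: dict, base: dict) -> list:
    """Report files whose content digest changed, whatever their length."""
    return sorted(p for p, data in files.items()
                  if hashlib.sha256(data).hexdigest() != base[p][1])


def sample_files() -> dict:
    """Constructed 'programs': one large and compressible, one tiny."""
    return {
        "P2.EXE": b"MZ" + b"\x90" * 4096 + b"constructed program p2",
        "OTHER.COM": b"\xB8\x00\x4C\xCD\x21",      # mov ax,4C00h / int 21h (exit)
    }


if __name__ == "__main__":
    files = sample_files()
    base = baseline(files)
    modified = dict(files)
    modified["P2.EXE"] = make_same_length_variant(files["P2.EXE"])
    print("sizes equal:", len(modified["P2.EXE"]) == len(files["P2.EXE"]))
    print("length check flags:", check_by_length(modified, base))   # []
    print("hash check flags:  ", check_by_hash(modified, base))     # ['P2.EXE']
```

The baseline must itself be stored where the checked files cannot rewrite it (read-only media or a separate machine), otherwise the digest check inherits the same weakness as the length check.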
A virus is said to be polymorphic if its code appears to be different every time it replicates (though generally each replication of the virus is functionally identical). This is usually achieved by encrypting the body of the virus and adding a decryption routine which is different for each replication. When a polymorphic virus replicates, a portion of the decryption code is modified.
A portion of the virus, generally called a mutation engine, creates a random encryption key to encrypt the remainder of the virus. The key is stored with the virus, and the mutation engine itself is altered. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected.
Additionally, random do-nothing blocks of code can be embedded in the program and shuffled around to further vary the signature. In essence, it looks like a different program to virus scanners.
Diagnosis: Indications of Virus Infection:
Lots of things can go wrong with computers, with most problems usually arising from software bugs or hardware malfunctions. However, when two or more troublesome virus-like symptoms appear at the same time, the odds of an infection increase; that is when you should check your system for a virus. Check whether you have observed any of the following symptoms of virus infection:
1. Programs take longer than normal to load.
2. Disk accesses seem excessive for very simple tasks.
3. Unusual error messages appear.
4. Access lights come on when there is no obvious reason.
5. System memory is reduced.
6. Files mysteriously disappear.
7. Available disk space is reduced for no good reason.
8. Executable programs change size.
9. Icons change in appearance.
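The consequence for a scanner is that a byte signature taken from the virus body never matches the file as stored, because the body is encrypted under a key that changes with every replication; what stays constant is the behaviour of the decryptor. The following added example (not code from the original text) models this with a constructed replica layout of two header bytes (decryptor variant, key) followed by a body transformed by one of two toy one-byte routines, standing in for the mutation engine's differing decryptors. A plain substring scan fails on every replica; a scanner that runs the recorded decryptor first and then scans the result matches all of them. Real scanners emulate the decryption loop rather than reading a variant byte from a header, and real mutation engines are far more varied; both simplifications are this example's, not the text's.

```python
# Constructed plaintext body and the signature a scanner would take from it.
BODY = b"constructed sample body: plain bytes for the scanner to find, nothing executable"
SIGNATURE = b"sample body: plain bytes"

# Two toy decryptor variants standing in for the mutation engine's output.
DECRYPTORS = {
    0: lambda data, key: bytes(b ^ key for b in data),            # XOR loop
    1: lambda data, key: bytes((b - key) & 0xFF for b in data),   # SUB loop
}
ENCRYPTORS = {
    0: lambda data, key: bytes(b ^ key for b in data),
    1: lambda data, key: bytes((b + key) & 0xFF for b in data),
}


def make_replica(body: bytes, key: int, variant: int) -> bytes:
    """Constructed replica layout: [variant byte][key byte][body encrypted under key]."""
    if not 0 <= key <= 0xFF or variant not in ENCRYPTORS:
        raise ValueError("key must be one byte and variant must be known")
    return bytes([variant, key]) + ENCRYPTORS[variant](body, key)


def static_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Byte-signature search over the file as stored."""
    return signature in sample


def decrypt_then_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Run the replica's own decryptor first, then search the recovered body."""
    if len(sample) < 2 or sample[0] not in DECRYPTORS:
        return False
    variant, key = sample[0], sample[1]
    return signature in DECRYPTORS[variant](sample[2:], key)


def replicas_share_bytes(a: bytes, b: bytes) -> int:
    """How many body positions two replicas agree on; low values show why signatures fail."""
    return sum(x == y for x, y in zip(a[2:], b[2:]))


if __name__ == "__main__":
    r1 = make_replica(BODY, 0x5A, 0)
    r2 = make_replica(BODY, 0xC3, 1)
    print("static scan:       ", static_scan(r1), static_scan(r2))             # False False
    print("decrypt-then-scan: ", decrypt_then_scan(r1), decrypt_then_scan(r2)) # True True
    print("shared body bytes: ", replicas_share_bytes(r1, r2))
```

One edge case the example keeps: an XOR decryptor with key 0 leaves the body in clear, so that replica is caught by the static scan as well; a mutation engine that emits such a key defeats its own purpose, which is why the decryptor, not the body, is what detection has to target.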