Types of Viruses-System Programming-Lecture Notes, Study notes of System Programming

This lecture handout is for the System Programming course. It was provided by Prof. Indubhushan Vijayabhas at Ambedkar University, Delhi.

Typology: Study notes

2011/2012

Uploaded on 08/07/2012

Uploaded by anishay
Lecture # 45

Types of Viruses

  • Partition Table Virus
  • Boot Sector Virus
  • File Viruses

How Partition Table Virus Works

  • The first physical sector of a hard disk (cylinder 0, head 0, sector 1) holds the Partition Table block, also called the Master Boot Record: 446 bytes of boot code, a 64-byte Partition Table of four 16-byte entries, and the 2-byte signature AA55H. The BIOS loads this 512-byte sector to 0000:7C00H and jumps to it; the Partition Table Code scans the table for the entry flagged Active (boot indicator 80H), loads that partition's Boot Sector and transfers control to it.
  • Partition Table Viruses embed themselves in this sector by overwriting its code part, keeping the 64-byte table and the signature intact so that the disk still looks valid to the OS.
  • If the Virus Code is large and cannot be accommodated in the 446-byte code part of the 512-byte Partition Table block, the virus also uses other Physically Addressed Blocks, reached directly through the BIOS rather than the file system, to hold the rest of itself and a copy of the original sector.
  • Hence at boot time, when the Partition Table block is executed to select the Active Partition, the virus executes first. It copies itself into a region of memory that it hides from the OS (see the next slide) and then executes the original Partition Table Code (stored in some other block after infection) so that the system boots normally.
  • When the system is up the virus stays resident in memory and typically intercepts int 13H (the BIOS disk interrupt) by replacing its vector at 0000:004CH with the address of its own handler, saving the original vector so it can chain to the real BIOS routine.
  • Every BIOS-level disk operation raises int 13H. On each call the virus checks whether removable media is being accessed (a floppy: drive number in DL below 80H). If so, it writes its code to the first Physical Block of that disk (and further blocks, depending on the size of the Virus Code). The removable disk is now infected.
  • If the disk is then removed and used in some other system, that system's Hard Drive is not infected merely by reading the disk: only when the system is booted from the removable disk does its first Physical Block get the chance to execute, and only then can the virus write itself to the Hard Drive's Partition Table block.
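The sector layout and the Active Partition selection described above, as an added example that is not part of the lecture notes: the program parses a 512-byte Partition Table block image, picks the Active entry the way the boot code does (rejecting a table with no or more than one Active entry, which real MBR code reports as an invalid partition table), and keeps a checksum of the 446-byte code part so that a later change to the code, with the table left intact, is detected. The sample image, the partition values and the checksum choice are constructed for this example.

```c
/* Added example (not from the lecture notes): parse a 512-byte MBR image,
 * select the Active partition as the boot code does, and checksum the
 * code part so a Partition Table virus that replaces it is detectable.
 * The sample MBR image is constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE     512
#define MBR_CODE_SIZE   446         /* boot code before the table */
#define PT_OFFSET       446         /* Partition Table starts here */
#define PT_ENTRY_SIZE   16
#define PT_ENTRIES      4
#define BOOT_INDICATOR  0x80        /* "Active" flag in byte 0 of an entry */

struct pt_entry { uint8_t active, type; uint32_t start_lba, sectors; };

/* 1 if the sector ends with the AA55H signature (stored little-endian). */
int mbr_has_signature(const uint8_t *mbr) {
    return mbr[510] == 0x55 && mbr[511] == 0xAA;
}

/* Decode entry i (0..3) of the 64-byte table. */
struct pt_entry mbr_entry(const uint8_t *mbr, int i) {
    const uint8_t *e = mbr + PT_OFFSET + i * PT_ENTRY_SIZE;
    struct pt_entry p;
    p.active    = e[0];
    p.type      = e[4];
    p.start_lba = (uint32_t)e[8]  | (uint32_t)e[9]  << 8 | (uint32_t)e[10] << 16 | (uint32_t)e[11] << 24;
    p.sectors   = (uint32_t)e[12] | (uint32_t)e[13] << 8 | (uint32_t)e[14] << 16 | (uint32_t)e[15] << 24;
    return p;
}

/* What the Partition Table Code does at boot: find exactly one Active
 * entry. Returns its index, or -1 ("Invalid partition table") when the
 * signature is missing, no entry is Active, more than one is, or a flag
 * byte holds a value other than 00H/80H. */
int mbr_active_partition(const uint8_t *mbr) {
    int found = -1;
    if (!mbr_has_signature(mbr)) return -1;
    for (int i = 0; i < PT_ENTRIES; i++) {
        uint8_t flag = mbr[PT_OFFSET + i * PT_ENTRY_SIZE];
        if (flag == BOOT_INDICATOR) {
            if (found != -1) return -1;     /* two Active entries */
            found = i;
        } else if (flag != 0) {
            return -1;
        }
    }
    return found;
}

/* Fletcher-16 over the 446-byte code part only. A baseline taken from a
 * clean disk lets an integrity check catch a virus that replaced the code
 * but left the table untouched. (An integrity check, not a MAC.) */
uint16_t mbr_code_checksum(const uint8_t *mbr) {
    uint16_t a = 0, b = 0;
    for (int i = 0; i < MBR_CODE_SIZE; i++) {
        a = (uint16_t)((a + mbr[i]) % 255);
        b = (uint16_t)((b + a) % 255);
    }
    return (uint16_t)((b << 8) | a);
}

/* Constructed sample: NOP filler as "boot code", one Active FAT16 (06H)
 * partition starting at LBA 63 with 20000H sectors, signature at the end. */
void build_sample_mbr(uint8_t *mbr) {
    memset(mbr, 0x90, MBR_CODE_SIZE);
    memset(mbr + PT_OFFSET, 0, 64);
    uint8_t *e = mbr + PT_OFFSET;               /* entry 0 */
    e[0] = BOOT_INDICATOR; e[4] = 0x06;
    e[8] = 63; e[9] = 0; e[10] = 0; e[11] = 0;  /* start LBA 63 */
    e[12] = 0; e[13] = 0; e[14] = 0x02; e[15] = 0;   /* 20000H sectors */
    mbr[510] = 0x55; mbr[511] = 0xAA;
}

/* Model of what a Partition Table virus does to the sector: overwrite the
 * code part (here the first 64 bytes), leave table and signature alone.
 * Returns 1 if the baseline checksum catches the change. */
int simulate_infection_detected(uint8_t *mbr, uint16_t baseline) {
    memset(mbr, 0xCC, 64);
    return mbr_code_checksum(mbr) != baseline;
}

int main(void) {
    uint8_t mbr[SECTOR_SIZE];
    build_sample_mbr(mbr);
    int idx = mbr_active_partition(mbr);
    if (idx < 0) { puts("Invalid partition table"); return 1; }
    struct pt_entry p = mbr_entry(mbr, idx);
    printf("active: entry %d, type %02XH, LBA %u, %u sectors\n", idx, p.type, p.start_lba, p.sectors);
    uint16_t baseline = mbr_code_checksum(mbr);
    printf("clean code checksum: %04XH\n", (unsigned)baseline);
    if (simulate_infection_detected(mbr, baseline))
        printf("after infection: active entry still %d, code checksum changed\n", mbr_active_partition(mbr));
    return 0;
}
```

The point of splitting the checksum from the table parse is that an infected disk still boots and still shows the same partitions; only the code part differs, which is why early integrity checkers stored a copy or hash of exactly that region.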

How Partition Table Virus Loads itself

  • DOS learns the size of Conventional Memory from the BIOS (int 12H), which simply returns the word stored at 40:13H in the BIOS Data Area. That word holds the amount of Conventional Memory in KBs, typically 640. DOS builds its memory arena up to that mark, and the transient part of Command.Com is loaded so that its last byte lands on the last byte of Conventional Memory. Any memory beyond that mark is never seen or allocated by DOS.
  • A Partition Table Virus runs before DOS, so it can reduce the word at 40:13H, for example from 640 to 638. DOS then believes the machine has 638 KB: the transient part of Command.Com is loaded so that its last byte is at the 638 KB mark, and the last 2 KB (9F800H to 9FFFFH) are left unused by DOS.
  • The virus copies itself into that reserved region (segment 9F80H for a 2 KB reservation) and points the int 13H vector at it. How many KBs it takes depends on its own size. A machine that reports less Conventional Memory than it physically has, or whose int 13H vector points between the reported top of memory and A000H, is therefore showing the footprint of such a virus.
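The reservation and hook described above, as an added example that is not part of the lecture notes: a small model of the word at 40:13H and the interrupt vector table, the virus's steps (shrink the reported memory, move in above the new top, save and replace the int 13H vector), and the two checks that expose it. The 1500-byte virus size, the BIOS handler address F000:EC59 and the 640 KB physical size are constructed for this example.

```c
/* Added example (not from the lecture notes): model of the BIOS Data Area
 * word at 40:13H and the interrupt vector table, showing how a boot-time
 * virus steals the top of Conventional Memory and hooks int 13H, and the
 * checks that reveal it. All addresses and sizes are constructed. */
#include <stdint.h>
#include <stdio.h>

#define INT13_VECTOR     0x13
#define PHYSICAL_MEM_KB  640u       /* what the board actually has */
#define VIDEO_SEGMENT    0xA000u    /* first segment above Conventional Memory */

struct far_ptr { uint16_t off, seg; };

struct machine {
    uint16_t base_mem_kb;           /* the word at 40:13H */
    struct far_ptr ivt[256];        /* vectors at 0000:0000 .. 0000:03FF */
};

/* int 12H: DOS asks the BIOS how much Conventional Memory there is. */
uint16_t int12_memory_kb(const struct machine *m) { return m->base_mem_kb; }

/* Linear address where DOS will put the last byte of Command.Com's
 * transient part: the end of what int 12H reports. */
uint32_t dos_top_of_memory(const struct machine *m) {
    return (uint32_t)int12_memory_kb(m) * 1024u;
}

/* What the virus does before DOS loads: take enough whole KBs at the top
 * of memory for its code, settle there, and hook int 13H while keeping
 * the old vector so it can chain to the real BIOS handler.
 * Returns the segment the virus now occupies. */
uint16_t virus_go_resident(struct machine *m, uint32_t virus_bytes, struct far_ptr *saved_int13) {
    uint16_t kb_needed = (uint16_t)((virus_bytes + 1023u) / 1024u);   /* round up to whole KB */
    m->base_mem_kb = (uint16_t)(m->base_mem_kb - kb_needed);          /* e.g. 640 -> 638 */
    uint16_t seg = (uint16_t)(m->base_mem_kb * 64u);                  /* 1 KB = 64 paragraphs */
    *saved_int13 = m->ivt[INT13_VECTOR];                              /* remember the BIOS handler */
    m->ivt[INT13_VECTOR].seg = seg;                                   /* int 13H now enters the virus */
    m->ivt[INT13_VECTOR].off = 0;
    return seg;
}

/* Check 1: the BIOS reports less Conventional Memory than the board has. */
int memory_stolen(const struct machine *m) {
    return int12_memory_kb(m) < PHYSICAL_MEM_KB;
}

/* Check 2: the int 13H vector points into memory DOS cannot see, i.e.
 * between the reported top of memory and the video segment at A000H. */
int int13_hooked_above_dos(const struct machine *m) {
    uint32_t handler = (uint32_t)m->ivt[INT13_VECTOR].seg * 16u + m->ivt[INT13_VECTOR].off;
    return handler >= dos_top_of_memory(m) && handler < (uint32_t)VIDEO_SEGMENT * 16u;
}

/* Constructed clean machine: 640 KB, every vector in the BIOS ROM segment,
 * int 13H at F000:EC59. */
void init_clean_machine(struct machine *m) {
    m->base_mem_kb = PHYSICAL_MEM_KB;
    for (int i = 0; i < 256; i++) { m->ivt[i].seg = 0xF000; m->ivt[i].off = 0; }
    m->ivt[INT13_VECTOR].off = 0xEC59;
}

int main(void) {
    struct machine m;
    struct far_ptr saved;
    init_clean_machine(&m);
    printf("clean: %u KB, int 13H -> %04X:%04X, stolen=%d hooked=%d\n",
           (unsigned)int12_memory_kb(&m), (unsigned)m.ivt[INT13_VECTOR].seg,
           (unsigned)m.ivt[INT13_VECTOR].off, memory_stolen(&m), int13_hooked_above_dos(&m));
    uint16_t seg = virus_go_resident(&m, 1500, &saved);   /* 1500-byte virus takes 2 KB */
    printf("infected: %u KB, virus at %04X:0000, int 13H -> %04X:%04X (was %04X:%04X)\n",
           (unsigned)int12_memory_kb(&m), (unsigned)seg, (unsigned)m.ivt[INT13_VECTOR].seg,
           (unsigned)m.ivt[INT13_VECTOR].off, (unsigned)saved.seg, (unsigned)saved.off);
    printf("stolen=%d hooked=%d\n", memory_stolen(&m), int13_hooked_above_dos(&m));
    return 0;
}
```

Check 2 is the one that generalizes: a vector whose target lies above what DOS manages but below A000H has no legitimate owner, whichever interrupt it is, whereas check 1 needs to know what the board really has.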

How Boot Sector Virus Works

  • A Boot Sector Virus works in almost the same pattern; the only difference is that it embeds itself in the Boot Block Code, i.e. the first sector of a floppy, or on a hard disk the first sector of the Active Partition, which the Partition Table Code loads and executes. As with the Partition Table block, the original Boot Sector is saved in some other block so that it can be run once the virus has gone resident.

How COM File Virus Infects Files

  • A COM File Virus, once resident, may infect COM Files on execution.
  • Typically a COM File Virus intercepts int 21H Service 4BH (EXEC). This Service is used to load and run a Program.
  • Whenever a Program is to be Loaded, int 21H Service 4BH is called with DS:DX pointing to the ASCIIZ path of the file. The resident virus inspects these parameters to get the file path. If the file is a .COM File, the virus appends itself to the end of the file and tampers with the first 3 bytes of the .COM File, replacing them with a near JMP (opcode E9H followed by a 16-bit displacement) to the appended Virus Code, after saving the original 3 bytes inside its own body. Execution therefore branches to the Virus Code when the program is run; the virus later restores those 3 bytes in memory and jumps back to offset 100H so that the host runs normally.

How COM Virus Loads Itself

  • When a file is Loaded in Memory it occupies a number of Paragraphs (16-byte units) described by a Memory Control Block (MCB), the 16-byte header DOS keeps in the paragraph just before each allocated block. An MCB records the block type ('M' when another block follows, 'Z' for the last block in the chain), the PSP segment of the owner, and the size of the block in Paragraphs.
  • If the file is infected, the Virus is loaded as part of the Program, within the Memory Area allocated to it.
  • In this case the Virus does not exist as an Independent Program, as it has no PSP of its own. If the Program terminates, the Virus Code is unloaded with it. To attain Independent Status the Virus must relocate itself and create its own PSP and MCB in Memory.
  • When the program runs, the Virus Code executes first. The Virus carves a new MCB out of the free Paragraphs above the Program (the 'Z' block), defines and initializes a new PSP at the start of that block, relocates itself there, updates the last MCB so that the chain stays consistent, and then transfers execution back to the Original Program Code. It now exists as an Individual Program.
  • Now if the Original Program terminates, the Virus still remains resident.

The following slide illustrates how a COM file virus relocates itself to make itself independent in memory.

[Slide: How the Virus Relocates itself. Before: an M block (Program PSP + Program, with the Virus loaded inside it) followed by the Z block (Free Paras). After: the M block (Program PSP + Program), then a new M block (Virus PSP + Virus), then the Z block (Free Paras Updated).]
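The relocation shown on the slide, as an added example that is not part of the lecture notes: a model of the DOS MCB chain in which the virus, running inside its host's block, takes paragraphs from the start of the free 'Z' block for a block of its own with its own PSP, rewrites the 'Z' block for the remaining free paragraphs, and so survives the host's termination. The chain walk at the end is the check a practitioner would run: programs other than the shell that still hold memory after the foreground program has exited. The segments, block sizes and the 64-paragraph virus size are constructed for this example.

```c
/* Added example (not from the lecture notes): model of the DOS memory
 * arena (MCB chain) showing how a COM virus loaded inside its host carves
 * out its own block and PSP so that it stays resident after the host
 * terminates. All segments and sizes are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MCB 16

/* A Memory Control Block: the 16-byte header in the paragraph just before
 * the memory it describes. */
struct mcb {
    uint8_t  type;    /* 'M' = another block follows, 'Z' = last block */
    uint16_t owner;   /* PSP segment of the owner, 0 = free */
    uint16_t size;    /* block size in paragraphs (16-byte units) */
    uint16_t seg;     /* segment of this MCB (derived for the model) */
};

struct arena { struct mcb blocks[MAX_MCB]; int count; };

/* Walk the chain from the first MCB: the next MCB sits right after the
 * previous block's data (seg + 1 + size). Returns 1 if the chain is well
 * formed and ends with a 'Z' block, 0 otherwise. */
int arena_relink(struct arena *a, uint16_t first_seg) {
    uint16_t seg = first_seg;
    for (int i = 0; i < a->count; i++) {
        a->blocks[i].seg = seg;
        if (a->blocks[i].type == 'Z') return i == a->count - 1;
        if (a->blocks[i].type != 'M') return 0;
        seg = (uint16_t)(seg + 1 + a->blocks[i].size);
    }
    return 0;
}

/* The step on the slide: the virus, running inside the host's block
 * (index host), takes virus_paras from the start of the free 'Z' block
 * after it. That block becomes an 'M' block owned by the new virus PSP
 * (its first paragraph), and a fresh 'Z' block holds the remaining free
 * paragraphs. Returns the virus PSP segment, or 0 if there is no room. */
uint16_t virus_relocate(struct arena *a, int host, uint16_t virus_paras) {
    int z = host + 1;
    if (z >= a->count || a->blocks[z].type != 'Z' || a->blocks[z].owner != 0) return 0;
    if (a->blocks[z].size < (uint16_t)(virus_paras + 1) || a->count >= MAX_MCB) return 0;
    uint16_t virus_psp = (uint16_t)(a->blocks[z].seg + 1);
    uint16_t remaining = (uint16_t)(a->blocks[z].size - virus_paras - 1);   /* 1 para for the new MCB */
    memmove(&a->blocks[z + 2], &a->blocks[z + 1], (size_t)(a->count - z - 1) * sizeof(struct mcb));
    a->blocks[z].type = 'M'; a->blocks[z].owner = virus_psp; a->blocks[z].size = virus_paras;
    a->blocks[z + 1].type = 'Z'; a->blocks[z + 1].owner = 0; a->blocks[z + 1].size = remaining;
    a->count++;
    arena_relink(a, a->blocks[0].seg);
    return virus_psp;
}

/* Host termination (int 21H service 4CH): DOS frees the blocks owned by
 * the terminating PSP. Blocks owned by another PSP, the virus's, remain. */
void dos_terminate(struct arena *a, uint16_t psp) {
    for (int i = 0; i < a->count; i++)
        if (a->blocks[i].owner == psp) a->blocks[i].owner = 0;
}

/* Check: programs other than the shell that hold memory, i.e. blocks whose
 * owner PSP is the block's own first paragraph. Once the foreground
 * program has exited, anything counted here is resident code. */
int count_resident_programs(const struct arena *a, uint16_t shell_psp) {
    int n = 0;
    for (int i = 0; i < a->count; i++) {
        const struct mcb *b = &a->blocks[i];
        if (b->owner != 0 && b->owner == (uint16_t)(b->seg + 1) && b->owner != shell_psp) n++;
    }
    return n;
}

uint16_t block_owner(const struct arena *a, int i) { return a->blocks[i].owner; }

/* Constructed arena: DOS data, Command.Com (PSP 0A00H), the running host
 * program (PSP 0B01H, its MCB at 0B00H), and the free tail of memory. */
void build_sample_arena(struct arena *a) {
    static const struct mcb init[] = {
        { 'M', 0x0008, 0x0100, 0 },   /* DOS kernel data, owner 8 */
        { 'M', 0x0A00, 0x0100, 0 },   /* Command.Com */
        { 'M', 0x0B01, 0x0400, 0 },   /* host program, virus inside it */
        { 'Z', 0x0000, 0x7000, 0 },   /* Free Paras */
    };
    memcpy(a->blocks, init, sizeof init);
    a->count = 4;
    arena_relink(a, 0x08FE);
}

void print_arena(const struct arena *a, const char *title) {
    printf("%s\n", title);
    for (int i = 0; i < a->count; i++)
        printf("  MCB %04X: %c owner=%04X size=%04X paras\n", (unsigned)a->blocks[i].seg,
               a->blocks[i].type, (unsigned)a->blocks[i].owner, (unsigned)a->blocks[i].size);
}

int main(void) {
    struct arena a;
    build_sample_arena(&a);
    print_arena(&a, "before: virus is inside the host's block");
    uint16_t vpsp = virus_relocate(&a, 2, 0x40);    /* 1 KB virus = 64 paragraphs */
    print_arena(&a, "after relocation: virus has its own MCB and PSP");
    dos_terminate(&a, 0x0B01);                       /* host exits */
    print_arena(&a, "after host termination: virus block still owned");
    printf("virus PSP %04X, resident programs: %d\n", (unsigned)vpsp, count_resident_programs(&a, 0x0A00));
    return 0;
}
```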

EXE File Viruses

  • EXE File Viruses work the same way in relocating themselves.
  • The main difference between a COM File and a DOS EXE File is that a COM File starts execution from its first instruction (offset 100H, right after the PSP), whereas the entry point of execution in an EXE File can be anywhere in the Program.
  • The entry point of an EXE File is stored in its 28-byte header (the MZ header: initial IP at offset 14H and initial CS, relative to the load segment, at offset 16H). The Virus tampers with these two fields so that they point to the appended Virus Code, saving the original values in its own body, and must also adjust the file size fields in the header (offsets 02H and 04H) so that DOS loads the appended code.

File Viruses

[Slide: an infected file laid out as the original Program followed by the appended Virus.]

  • If the Virus size is known, the Virus can be removed easily from the file.
  • First, the original value of the first 3 bytes (COM File) or of the entry point in the header (EXE File) must be restored; the virus keeps these saved values in its own body, at an offset that is fixed for a given virus.
  • The appended portion of the Virus is removed by copying the contents of the original file, minus the Virus Code at its end, into a temporary file.
  • The Virus Code is not copied.
  • The original file is then deleted and the temporary file is renamed as the original file.

[Slide: the Original .Com file is copied, without the appended Virus, into temp, which then replaces it.]
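The COM infection from "How COM File Virus Infects Files" and the removal procedure above, as one added example that is not part of the lecture notes, done on in-memory file images instead of disk files: infection saves the host's first 3 bytes inside the appended body and replaces them with JMP rel16 to the appended code; removal, with the virus size known, restores the 3 bytes and copies everything except the appended code into the "temp" image. The host program, the inert 64-byte virus body (a jump over the saved bytes plus NOP filler, no payload), the offset at which it keeps the saved bytes, and the COM size limit used are constructed for this example.

```c
/* Added example (not from the lecture notes): append-and-jump infection
 * of a COM image and the matching removal, on byte arrays. The host, the
 * inert virus body and its layout are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COM_MAX_SIZE    0xFF00u   /* 64 KB segment minus PSP and stack room (constructed limit) */
#define JMP_NEAR        0xE9      /* JMP rel16: target = offset 3 + rel16 in file terms */
#define JMP_SHORT       0xEB      /* JMP rel8 */
#define VIRUS_SAVED_AT  4u        /* where this virus keeps the host's first 3 bytes */
#define VIRUS_LEN       64u       /* fixed size of the constructed virus body */

struct com_image { uint8_t data[COM_MAX_SIZE]; size_t len; };

/* Virus body as written to disk: JMP short over the saved-bytes area,
 * two NOPs, the 3 saved host bytes, then NOP filler. */
static void build_virus_body(uint8_t *body, const uint8_t saved[3]) {
    memset(body, 0x90, VIRUS_LEN);
    body[0] = JMP_SHORT;
    body[1] = (uint8_t)(VIRUS_SAVED_AT + 3 - 2);   /* rel8 counts from the next instruction */
    memcpy(body + VIRUS_SAVED_AT, saved, 3);
}

/* File offset the first instruction jumps to (CS:IP target minus 100H),
 * or -1 if byte 0 is not a near JMP. */
long com_jmp_target(const struct com_image *f) {
    if (f->len < 3 || f->data[0] != JMP_NEAR) return -1;
    uint16_t rel = (uint16_t)(f->data[1] | (f->data[2] << 8));
    return (long)(uint16_t)(3 + rel);             /* IP wraps at 16 bits like the CPU */
}

/* Already carries this virus: byte 0 jumps exactly to a body of VIRUS_LEN
 * bytes at the end of the file. */
static int com_is_infected(const struct com_image *f) {
    return f->len > VIRUS_LEN && com_jmp_target(f) == (long)(f->len - VIRUS_LEN);
}

/* Infection: append the body, patch bytes 0..2 with JMP to it. Returns 1
 * on success, 0 if already infected or the result would not fit a COM. */
int com_infect(struct com_image *f) {
    if (f->len < 3 || f->len + VIRUS_LEN > COM_MAX_SIZE || com_is_infected(f)) return 0;
    uint8_t saved[3];
    memcpy(saved, f->data, 3);
    size_t target = f->len;                        /* virus starts where the host ended */
    uint16_t rel = (uint16_t)(target - 3);
    build_virus_body(f->data + f->len, saved);
    f->len += VIRUS_LEN;
    f->data[0] = JMP_NEAR;
    f->data[1] = (uint8_t)(rel & 0xFF);
    f->data[2] = (uint8_t)(rel >> 8);
    return 1;
}

/* Removal as on the slide: (1) restore the 3 saved bytes from the virus
 * body, (2) copy everything but the appended virus into out (the temp
 * file). Returns 1 if in looked infected and was cleaned, 0 otherwise. */
int com_disinfect(const struct com_image *in, struct com_image *out) {
    if (!com_is_infected(in)) return 0;
    size_t virus_off = in->len - VIRUS_LEN;
    out->len = virus_off;
    memcpy(out->data, in->data, out->len);                        /* virus code is not copied */
    memcpy(out->data, in->data + virus_off + VIRUS_SAVED_AT, 3);  /* original first 3 bytes */
    return 1;
}

int com_equal(const struct com_image *a, const struct com_image *b) {
    return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}

/* Constructed host: mov ah,9 / mov dx,109H / int 21H / int 20H / "Hi$". */
void build_sample_host(struct com_image *f) {
    static const uint8_t host[] = { 0xB4, 0x09, 0xBA, 0x09, 0x01, 0xCD, 0x21, 0xCD, 0x20, 'H', 'i', '$' };
    memcpy(f->data, host, sizeof host);
    f->len = sizeof host;
}

int main(void) {
    static struct com_image orig, work, temp;
    build_sample_host(&orig);
    work = orig;
    printf("host: %zu bytes, first bytes %02X %02X %02X\n", orig.len, orig.data[0], orig.data[1], orig.data[2]);
    if (com_infect(&work))
        printf("infected: %zu bytes, JMP to offset %ld\n", work.len, com_jmp_target(&work));
    if (com_disinfect(&work, &temp))
        printf("cleaned: %zu bytes, identical to original: %d\n", temp.len, com_equal(&temp, &orig));
    return 0;
}
```

The size check in com_infect is the caveat the slides leave implicit: a COM image must fit one 64 KB segment after the PSP, so a host that is already near that limit cannot be infected by an appender, and the disinfector relies on the same known, fixed body size and saved-bytes offset; a virus with a variable-length body needs its size recovered from the body itself before the copy.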