An Explanation of how the Stoned Virus operates

Mike Lawrie (rures@hippo.ru.ac.za)

Notation

Cylinders, heads and drives are numbered from zero, sectors are
numbered from one.

1. Characteristics of the Stoned Virus

A PC that is infected with the Stoned virus will occasionally
display, at boot time, the message "Your PC is now Stoned!". This
message is never displayed when booting from the hard disk, only
when booting from a floppy disk, so you will never be told that
your hard disk is infected.

Having booted from an infected disk (hard or floppy), subsequent
writes to a floppy in drive A: will cause that floppy to be
infected.

An infected hard disk will in all likelihood suffer no ill
effects, but a 360Kb floppy disk that is infected will have
problems if there are many files in the root directory. The
sector in which the virus parks the original boot sector lies in
the root directory area of a 360Kb disk, so the last sector of
the directory gets corrupted by the virus.

It is quite safe to put an infected floppy into a PC - it will
not cause any problems by itself. The PC becomes infected ONLY AT
BOOT TIME (floppies are infected afterwards, by the memory
resident copy, when they are written to), so be careful about how
you boot the PC.

If your hard disk is infected, then boot off a disinfected floppy
and clean up your hard disk as soon as possible.

2. Where the virus is stored

The virus is stored in the boot sector of a disk, and the original
boot code is moved elsewhere. In the case of a hard disk system,
the 'elsewhere' is cylinder 0, sector 7, head 0; in the case of a
floppy, it is cylinder 0, sector 3, head 1.

3. Propagation

The virus loads into memory each time the PC is booted from an
infected disk (hard or floppy). Once it is memory resident (it
grabs 2 Kb of RAM), then each and every time that there is a
write to the floppy in drive A:, the target disk is checked to see
if the virus is installed. If it is not installed, then it
installs itself immediately and without notification.

4. Confirmation

You can confirm that your disks are free of the virus by looking
at the boot sectors of the disks.

4.1 Floppy

Use debug to read the boot sector, as follows:-

a:> debug

- L 0 0 0 1

- D 180

- Q

The 'L 0 0 0 1' loads one sector, starting at logical sector 0 of
drive 0 (A:), into memory at offset 0, and 'D 180' then dumps 128
bytes starting at offset 0x180. If the display produced by the
'D 180' shows the text "Your PC is now Stoned!" (it begins at
offset 0x18a), then that disk is infected.

4.2 Hard disk

You cannot use debug, because debug reads only relative to the
start of the DOS partition, and you need to read and alter the
master boot sector, which is an absolute sector outside any
partition. Use a utility that allows absolute disk reads, such as
one of the Norton advanced utilities. Do a read and display of
absolute sector zero of the hard drive, and look at bytes 0x18a
onwards for the text "Your PC is now Stoned!".

5. How to get rid of the virus

You must clear the virus off ALL disks from which you will boot
your computer. It is quite safe to put an infected disk into the
computer, as long as you do not boot from that disk.

If you accidentally boot from an infected disk, then your hard
disk will be infected immediately, and ANY writing that you do to
a floppy disk will cause that disk to be infected. This takes you
back to square one.

5.1 Floppy system

The algorithm for doing this with debug is:-

5.1.1. Read the first few sectors from the disk into RAM

5.1.2. Move the boot code to where it belongs

5.1.3. Zeroise the boot code that is in the wrong position

5.1.4. Write the first few sectors back to the disk

The commands are best put into a .BAT file, and redirection used.
Here are two files that work together. (Blank lines have been
inserted only for clarity - do not put them into the .DAT file).

DESTONE.BAT

debug < destone.dat

DESTONE.DAT

L 0 0 0 10

M DS:1600 17FF DS:0

F DS:1600 17FF 0

W 0 0 0 10

Q

Debug takes its numbers in hex, so 'L 0 0 0 10' reads 16 sectors
(0x2000 bytes) from drive A:, starting at logical sector 0, into
memory at offset 0. The range DS:1600-17FF is where logical sector
11 lands: on a 9-sector-per-track floppy such as a 360Kb disk,
cylinder 0, head 1, sector 3 is logical sector 9 + 2 = 11, and
11 x 512 bytes = 0x1600. The 'M' moves that saved boot sector back
over the virus in sector 0, the 'F' zeroises the saved copy, and
the 'W' writes the 16 sectors back. On a format with a different
number of sectors per track the saved copy sits at a different
offset, and this .DAT file must not be used as it stands.

To use this system, BOOT YOUR COMPUTER WITH A DISK THAT IS NOT
INFECTED, then insert an INFECTED disk into drive A:, and type
DESTONE. If you cannot work out which disk to put the DESTONE.?AT
files onto, you should not be attempting this procedure.

NB! This is a potentially dangerous method of using debug. Test
this process VERY CAREFULLY on a test disk that has been
infected.

DO NOT USE THIS PROCESS ON A DISK THAT IS NOT INFECTED!!! YOU
WILL DESTROY THE BOOT SECTOR. (The DOS 'SYS' command will
reinstate it for you).

5.2 Hard disk system

The principle is much the same as for a floppy disk system,
except that there is probably no need to zeroise the boot code
that is stored on cylinder 0, sector 7, head 0.

CAVEAT FOR HARD DISK SYSTEM

If the partition table has been altered subsequent to the time at
which the virus infected the hard disk, then simply moving the
cylinder 0, sector 7, head 0 code into the boot sector will
destroy the hard disk partitions: the saved copy still carries
the old partition table, while the current one is the copy the
virus keeps at the end of its own sector.

The way around this is to compare the bytes from 0x1BE to 0x1FF
in the boot sector (ie cylinder 0, sector 1, head 0) against the
corresponding bytes in sector 7. If there is a difference, then
copy those values from sector 1 into sector 7 before writing all
of sector 7 to sector 1.

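The checks of section 4 and the two clean-up procedures of section
5, including the partition-table caveat, as one added Python example
that works on a raw disk image (for instance one read off the drive
with dd) rather than through debug. This is not code from the page
or from the author; the function names, the geometries (heads and
sectors per track) and the sample images are assumptions and
constructions made here for the demonstration. It generalises the
.DAT file above in one respect: the offset of the parked boot sector
is computed from the geometry instead of being fixed at 0x1600.

```python
"""Detect and undo a Stoned infection on a raw disk image.

Added example, not code from the original page: it does on a raw image
(e.g. one read with dd) what sections 4 and 5 do with debug on a live
drive.  Geometries are the caller's assumption; the sample images are
constructed here.
"""
SECTOR = 512
STONED_MARK = b"Your PC is now Stoned!"
MARK_OFFSET = 0x18A                     # where the text sits in an infected sector (4.2)
PARTITION_TABLE = slice(0x1BE, 0x200)   # the bytes the 5.2 caveat compares (table + 55 AA)

# Where the original boot sector is parked, as (cylinder, head, sector); section 2.
HIDDEN_HARD_DISK = (0, 0, 7)
HIDDEN_FLOPPY = (0, 1, 3)


def chs_to_offset(chs, heads, sectors_per_track):
    """Byte offset of a CHS address in a raw image (cyl/head from 0, sector from 1)."""
    cyl, head, sector = chs
    lba = (cyl * heads + head) * sectors_per_track + (sector - 1)
    return lba * SECTOR


def is_stoned(sector):
    return sector[MARK_OFFSET:MARK_OFFSET + len(STONED_MARK)] == STONED_MARK


def scan_image(image, heads, sectors_per_track, hard_disk):
    """Section 4: marker in sector 0, and is a boot sector parked in the hidden slot?"""
    hidden = HIDDEN_HARD_DISK if hard_disk else HIDDEN_FLOPPY
    off = chs_to_offset(hidden, heads, sectors_per_track)
    parked = image[off:off + SECTOR]
    return {
        "infected": is_stoned(image[0:SECTOR]),
        "hidden_offset": off,           # 0x1600 for a 9-sector floppy, as in DESTONE.DAT
        # A parked boot sector still ends in 55 AA; on a clean floppy that slot is directory data.
        "hidden_has_boot_signature": parked[SECTOR - 2:SECTOR] == b"\x55\xAA",
    }


def destone(image, heads, sectors_per_track, hard_disk):
    """Section 5 on an image: put the parked boot sector back; returns a cleaned copy.

    Refuses an image without the marker, for the reason the page shouts about:
    moving the 'hidden' sector over a clean boot sector destroys the boot sector.
    """
    image = bytearray(image)
    if not is_stoned(image[0:SECTOR]):
        raise ValueError("no Stoned marker in sector 0; refusing to overwrite a clean boot sector")
    hidden = HIDDEN_HARD_DISK if hard_disk else HIDDEN_FLOPPY
    off = chs_to_offset(hidden, heads, sectors_per_track)
    original = bytearray(image[off:off + SECTOR])
    if original[SECTOR - 2:SECTOR] != b"\x55\xAA":
        raise ValueError("parked sector has no boot signature; not a saved boot sector")
    if hard_disk:
        # 5.2 caveat: the partition table may have changed since the infection, and the
        # virus keeps the current one in sector 0, so sector 0's table wins.
        original[PARTITION_TABLE] = image[PARTITION_TABLE]
    else:
        image[off:off + SECTOR] = bytes(SECTOR)     # 5.1.3: zeroise the copy in the directory area
    image[0:SECTOR] = original                      # 5.1.2: boot code back where it belongs
    return bytes(image)


def constructed_image(heads, sectors_per_track, hard_disk, infected, table_in_sector0=None):
    """One-cylinder image with a fake boot sector, optionally 'infected' (constructed, for demos)."""
    image = bytearray(heads * sectors_per_track * SECTOR)
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"                     # typical DOS boot-sector jump
    boot[SECTOR - 2:SECTOR] = b"\x55\xAA"
    if hard_disk:
        boot[PARTITION_TABLE] = bytes(range(0x40)) + b"\x55\xAA"   # recognisable fake table
    if not infected:
        image[0:SECTOR] = boot
        return bytes(image)
    virus = bytearray(SECTOR)                       # stand-in for the virus body: marker only
    virus[MARK_OFFSET:MARK_OFFSET + len(STONED_MARK)] = STONED_MARK
    virus[PARTITION_TABLE] = table_in_sector0 or boot[PARTITION_TABLE]
    image[0:SECTOR] = virus
    hidden = HIDDEN_HARD_DISK if hard_disk else HIDDEN_FLOPPY
    off = chs_to_offset(hidden, heads, sectors_per_track)
    image[off:off + SECTOR] = boot
    return bytes(image)


if __name__ == "__main__":
    floppy = constructed_image(2, 9, hard_disk=False, infected=True)
    print(scan_image(floppy, 2, 9, hard_disk=False))
    print(scan_image(destone(floppy, 2, 9, hard_disk=False), 2, 9, hard_disk=False))
```

For a 360Kb floppy call scan_image and destone with heads=2 and
sectors_per_track=9, which reproduces the 0x1600 offset of
DESTONE.DAT; for a hard disk pass the drive's own geometry and
hard_disk=True, which leaves the parked copy at sector 7 alone and
carries the partition table from sector 0 into the restored boot
sector, as the caveat requires.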
6. How the virus operates

When booting from an infected hard disk, the virus simply becomes
memory resident, as described below. The complexity of the
booting applies only to booting from floppies.

Suppose that a PC is being booted from an infected floppy disk.
The virus executes before the boot process gets going, and writes
itself into a reserved area of memory as well as to the boot
sector of the hard disk - having moved the proper hard disk boot
program to a 'hidden' sector. Any subsequent write to floppy drive
A: will cause the virus to install itself onto the floppy in the
floppy boot sector - having likewise moved the proper floppy disk
boot program to a 'hidden' sector (actually, not so hidden).

The first sector from the disk (ie the BOOT sector, aka cyl 0,
sec 1, hd 0) is read into RAM at 0000:7C00. In this case the
virus code is read in, rather than the boot program, because the
disk is infected.

The code executes to address 00A1 (ie absolute 0000:7CA1), and
does the following:-

copies the INT 13 vector (disk i/o) into the virus code

grabs 2 Kb of RAM at the top of conventional memory (DOS has not
loaded yet; the 2 Kb is taken off the base memory size that the
BIOS reports)

sets INT 13 to point to code in the virus in the grabbed 2 Kb

moves itself into that 2 Kb, and stays resident

The code is now installed high in RAM; let's call the segment,
say, TOP. Execution continues at TOP:00E4. Nothing has yet
happened about booting DOS, that is still to come when the virus
is good and ready. The code continues:-

reset the disk system

read the boot code from the 'hidden' sector into RAM at
0000:7C00 (if booted from hard disk use cyl 0 sec 7 hd 0,
else use cyl 0 sec 3 hd 1)

if booting from a hard disk, go straight to the boot code in
RAM at 0000:7C00 (clearly, the virus is already installed on
the hard disk)

if the low byte of the timer tick count has the form xxxxx000
(low three bits zero, ie on roughly one boot in eight), show
the Stoned message

attempt to read the boot sector from the hard drive into a
buffer

if the read has an error, don't do anything fancy, go straight
to the boot code in RAM at 0000:7C00

if the read is error-free, see if the boot sector has the virus
stored on it

if the virus is stored on the hard disk, then go to the boot
code in RAM at 0000:7C00

store the virus onto the hard disk by moving the boot code to
cyl 0 sec 7 hd 0, moving the partition table to the end of the
virus code, and writing the virus to the boot sector at cyl 0
sec 1 hd 0

go to the boot code in RAM at 0000:7C00

The DOS boot will now proceed normally, but note that the INT 13
vector is pointing to the memory resident virus code. Thus any
later redirecting by other systems (eg DOS itself) will probably
preserve the bad INT 13 (it is not possible to preserve the good
one, the virus gobbled it up *before* the system executed the
boot code). Thus, any subsequent disk requests sent via INT 13
(ie the vast majority of them) will be inspected by the memory
resident virus code.

Let's now look at what the memory resident virus code does to all
INT 13's.

INT 13 points to TOP:0015, where TOP is the segment address of
the memory resident virus. Of course, DOS might have tried to
intercept INT 13 also, so if you look at the INT 13 vector, you
might see it pointing to DOS, and hidden in DOS will be the
vector to TOP:0015.

The memory resident algorithm is as follows:-

trap all INT 13's (ie low level disk accesses)

ignore all but floppy disk write requests on drive a:

if the disk motor is not running, do a normal INT 13

have up to 4 attempts to read the boot sector cyl 0 sec 1 hd 0,
give up if errors occur

if the virus is already installed on the floppy disk, drop
through to a proper INT 13

write the boot sector to the hidden area (cyl 0 sec 3 hd 1 for
floppy)

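The boot-time sequence and the memory resident INT 13 algorithm of
this section, as an added Python model that is not the virus's code
and not from the page or its author. It runs the described decisions
against in-memory disk images: the images, their geometries, the
timer value, the 'read error' injection and the INT 13 calling
convention are all constructed here, and the BIOS drive numbers
(0x00 for A:, 0x80 for the first hard disk) and function numbers
(2 read, 3 write) are assumptions rather than anything the page
states. What it shows beyond the text is the consequence of "move
the partition table to the end of the virus code": after the boot
the current table lives in the virus's sector while the parked
copy at cylinder 0, sector 7, head 0 is the old master boot record,
which is exactly the situation the 5.2 caveat warns about.

```python
"""Model of the boot-time and INT 13h logic that section 6 describes.
Added example, not the virus's code: disk images, geometries, the timer value and
the INT 13h calling convention are constructed; BIOS drive/function numbers are assumed."""
SECTOR = 512
STONED_MARK = b"Your PC is now Stoned!"
MARK_OFFSET = 0x18A
PARTITION_TABLE = slice(0x1BE, 0x200)                  # partition table plus 55 AA signature
HIDDEN_HARD_DISK, HIDDEN_FLOPPY = (0, 0, 7), (0, 1, 3)  # where the real boot sector is parked
FLOPPY, HARD_DISK, READ, WRITE = 0x00, 0x80, 2, 3      # BIOS drive and function numbers (assumed)
GEOMETRY = {FLOPPY: (2, 9), HARD_DISK: (4, 17)}        # (heads, sectors per track), assumed

def chs_to_offset(chs, geometry):
    heads, sectors_per_track = geometry
    cyl, head, sector = chs
    return ((cyl * heads + head) * sectors_per_track + (sector - 1)) * SECTOR

def is_stoned(sector):
    return sector[MARK_OFFSET:MARK_OFFSET + len(STONED_MARK)] == STONED_MARK

def virus_sector(partition_table=b"\x55\xAA"):   # stand-in body: marker at 0x18A, table at the end
    body = bytearray(SECTOR)
    body[MARK_OFFSET:MARK_OFFSET + len(STONED_MARK)] = STONED_MARK
    body[SECTOR - len(partition_table):] = partition_table
    return bytes(body)

class Machine:   # disk images, the timer tick count and the INT 13 vector the virus hooks
    def __init__(self, hard_disk, floppy, ticks, motor_on=True, read_faults=0):
        self.disks = {HARD_DISK: bytearray(hard_disk), FLOPPY: bytearray(floppy)}
        self.ticks, self.motor_on, self.read_faults = ticks, motor_on, read_faults
        self.int13 = self.bios_int13                   # the vector: nothing hooked yet
        self.messages = []

    def bios_int13(self, fn, drive, chs, data=None):   # ROM service; read faults are injectable
        off = chs_to_offset(chs, GEOMETRY[drive])
        if fn == READ:
            if self.read_faults:
                self.read_faults -= 1
                raise IOError("simulated read error")
            return bytes(self.disks[drive][off:off + SECTOR])
        self.disks[drive][off:off + SECTOR] = data

class StonedResident:   # the 2 Kb that stays in memory, sitting in front of the old vector
    def __init__(self, machine):
        self.m, self.orig_int13 = machine, machine.int13   # copy the INT 13 vector into the virus
        machine.int13 = self.hook                          # point INT 13 at TOP:0015

    def hook(self, fn, drive, chs, data=None):
        # Only floppy writes to A: with the motor running matter; everything else passes through.
        if fn == WRITE and drive == FLOPPY and self.m.motor_on:
            self.infect_floppy()
        return self.orig_int13(fn, drive, chs, data)

    def infect_floppy(self):
        boot = None
        for _ in range(4):                                 # up to 4 attempts to read the boot sector
            try:
                boot = self.orig_int13(READ, FLOPPY, (0, 0, 1))
                break
            except IOError:
                continue
        if boot is None or is_stoned(boot):                # gave up on errors, or already installed
            return
        self.orig_int13(WRITE, FLOPPY, HIDDEN_FLOPPY, boot)      # park the real boot sector
        self.orig_int13(WRITE, FLOPPY, (0, 0, 1), virus_sector())

def boot_from_infected_floppy(machine):
    """What runs when the sector read into 0000:7C00 is the virus rather than boot code."""
    res = StonedResident(machine)                          # grab 2 Kb, hook INT 13, stay resident
    boot_code = res.orig_int13(READ, FLOPPY, HIDDEN_FLOPPY)    # real boot code back to 7C00
    if (machine.ticks & 0x07) == 0:                        # timer low byte xxxxx000: one boot in eight
        machine.messages.append(STONED_MARK.decode())
    try:
        mbr = res.orig_int13(READ, HARD_DISK, (0, 0, 1))
    except IOError:
        return boot_code                                   # read error: nothing fancy, just boot
    if not is_stoned(mbr):
        res.orig_int13(WRITE, HARD_DISK, HIDDEN_HARD_DISK, mbr)      # park the master boot code
        res.orig_int13(WRITE, HARD_DISK, (0, 0, 1), virus_sector(mbr[PARTITION_TABLE]))
    return boot_code                                       # control passes to the boot code at 7C00

def demo(ticks=8, motor_on=True):
    """Boot a clean PC from a Stoned floppy, then write to a second, clean floppy (constructed)."""
    mbr, clean_boot = bytearray(SECTOR), bytearray(SECTOR)
    mbr[0:3], mbr[PARTITION_TABLE] = b"\xFA\x33\xC0", bytes(range(0x40)) + b"\x55\xAA"
    clean_boot[0:3], clean_boot[-2:] = b"\xEB\x3C\x90", b"\x55\xAA"
    hard_disk = mbr + bytes(4 * 17 * SECTOR - SECTOR)                 # one cylinder is enough
    clean_floppy = clean_boot + bytes(2 * 9 * SECTOR - SECTOR)
    stoned_floppy = virus_sector() + bytes(0x1600 - SECTOR) + clean_boot + bytes(2 * 9 * SECTOR - 0x1800)
    m = Machine(hard_disk, stoned_floppy, ticks, motor_on)
    boot_from_infected_floppy(m)
    m.disks[FLOPPY] = bytearray(clean_floppy)                          # swap in the clean floppy
    m.int13(WRITE, FLOPPY, (0, 0, 5), b"X" * SECTOR)                   # any write to A: wakes the hook
    hd, fd = m.disks[HARD_DISK], m.disks[FLOPPY]
    return {
        "message_shown": bool(m.messages),
        "hard_disk_infected": is_stoned(hd[:SECTOR]),
        "partition_table_kept": hd[PARTITION_TABLE] == mbr[PARTITION_TABLE],
        "mbr_parked_at_sector_7": hd[0xC00:0xE00] == mbr,              # cyl 0 hd 0 sec 7, 17 sectors/track
        "floppy_infected_by_write": is_stoned(fd[:SECTOR]),
        "floppy_boot_parked": fd[0x1600:0x1800] == clean_boot,         # cyl 0 hd 1 sec 3, 9 sectors/track
    }
```

demo() returns every flag True: the hard disk is infected during
the floppy boot without a single write from the user, and the first
write to the clean floppy is enough to infect it. demo(ticks=9)
shows the message being skipped, demo(motor_on=False) shows the
resident hook leaving the floppy alone, and a Machine built with
read_faults=4 shows the hook giving up after its four read attempts.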
--
uucp: uunet!m2xenix!puddle!5!494!4!CCML.RURES
Internet: CCML.RURES@f4.n494.z5.fidonet.org