Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: 70033.1271@CompuServe.COM (Steve Albrecht)
Newsgroups: comp.virus
Subject: Boot sector self-check (PC)
Message-ID: <0005.9102081416.AA29807@ubu.cert.sei.cmu.edu>
Date: 5 Feb 91 15:29:26 GMT
Sender: Virus Discussion List
Lines: 62
Approved: krvw@sei.cmu.edu

> From: gt154c@prism.gatech.edu (Gatliff, William A.)
> To help combat this, what would be the possibility of deliberately
> infecting one's boot-sector with a piece of code that would display
> some kind of 'ok' message if it hadn't been tampered with?

While waiting for the same type of self-check in the boot sector, we have
developed a small program (so far only intended to protect ourselves
against reinfection by the Stoned virus) which does the following:

1. Reads the partition table sector (absolute sector 1).
2. Compares the sector with a previously saved copy of absolute sector 1
   (in a DOS file).
3. Writes (using Int 13h) the saved copy to absolute sector 1 in the
   event of a discrepancy.
4. Immediately reboots the machine with a system reset (hard boot).

This program is placed in the AUTOEXEC.BAT file (this does lead to the
possibility that the process can be disabled very easily).

A separate initialization program is used to save the "clean" copy of
absolute sector 1 (necessary for step 2 above). This file must be saved
at a time when the sector is known to be clean. We have used McAfee's
SCAN and direct examination of the sector with a low-level sector editor
to verify that absolute sector 1 is "clean".

The immediate reboot (step 4) is necessary because the Stoned virus is
still in memory at this point, and a reboot will prevent the virus from
rewriting itself to the partition table.

This process monitors and corrects problems in absolute sector 1 only.
If a virus changes additional sectors, this process will restore the
original code in the partition table, and the system should boot
normally, if no changes have been made to the boot sector (logical
sector 1).

This process is not as complex as programming a self-check into the code
contained in the partition table sector, and is perhaps not as effective
as a deterrent to partition table viruses in general. However, it works
very effectively against the Stoned virus. We have not had a chance to
test it against other partition table viruses.

One caveat, though, is that this process will not work against a virus
which somehow prevents the write operation in step 3 above. Luckily, the
Stoned virus does not interfere.

One additional benefit we have realized is that in the case of
accidental corruption of the partition table, the saved copy can be
found with a low-level sector editor, and restored to absolute sector 1.
We haven't had cause to use this benefit yet, but it is there if the
need arises.

We will likely improve on this program (barring availability of a
commercial alternative), but I share the idea for what it may be worth
to any of you who have been plagued by pesty comments about
legalisation.

Steve Albrecht
70033,1271@compuserve.com
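The four-step check described in the post, modelled as an added example (this is not the author's program, and it runs on in-memory 512-byte sector images rather than through Int 13h). It assumes the standard MBR layout (boot code at 0x000-0x1BD, four 16-byte partition entries at 0x1BE-0x1FD, the 0x55 0xAA signature at 0x1FE) and adds two refinements the post does not have: a change confined to the boot-code area is restored automatically, while a change to the partition entries themselves is only reported, since that may be a legitimate repartition rather than an infection; and the write-back in step 3 is re-read and verified instead of assumed, so a write that does not land (the caveat the post raises) is detected. The struct disk, its write_blocked flag and all sector contents are constructed for the demonstration.

```c
/*
 * Added example, not code from the original post: models the four-step
 * check on in-memory 512-byte sector images in place of Int 13h.
 * Assumes the standard MBR layout: boot code 0x000-0x1BD, four 16-byte
 * partition entries 0x1BE-0x1FD, signature 0x55 0xAA at 0x1FE.
 * All sector contents below are constructed sample data.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define SECTOR_SIZE   512
#define PTABLE_OFFSET 0x1BE
#define SIG_OFFSET    0x1FE

enum sector_status {
    SECTOR_CLEAN = 0,      /* identical to the saved copy */
    SECTOR_CODE_CHANGED,   /* only boot code differs: restoring is safe */
    SECTOR_TABLE_CHANGED,  /* partition entries/signature differ: review by hand */
    SECTOR_BAD_REFERENCE,  /* saved copy has no 0x55AA signature: do not trust it */
    SECTOR_WRITE_FAILED    /* write-back did not land (the post's step 3 caveat) */
};

/* Stand-in for the disk's absolute sector 1; write_blocked simulates a write that never reaches it. */
struct disk {
    uint8_t sector1[SECTOR_SIZE];
    int write_blocked;
};

/* Steps 1-2: read the live sector and classify any difference from the saved copy. */
enum sector_status check_sector(const struct disk *d, const uint8_t *saved)
{
    if (saved[SIG_OFFSET] != 0x55 || saved[SIG_OFFSET + 1] != 0xAA)
        return SECTOR_BAD_REFERENCE;
    /* Partition entries and signature are compared first: a change there is not repaired blindly. */
    if (memcmp(d->sector1 + PTABLE_OFFSET, saved + PTABLE_OFFSET, SECTOR_SIZE - PTABLE_OFFSET) != 0)
        return SECTOR_TABLE_CHANGED;
    if (memcmp(d->sector1, saved, PTABLE_OFFSET) != 0)
        return SECTOR_CODE_CHANGED;
    return SECTOR_CLEAN;
}

/* Step 3: write the saved copy back, then re-read and verify rather than assume the write succeeded. */
enum sector_status restore_sector(struct disk *d, const uint8_t *saved)
{
    if (!d->write_blocked)
        memcpy(d->sector1, saved, SECTOR_SIZE);   /* stands in for the Int 13h write */
    return check_sector(d, saved) == SECTOR_CLEAN ? SECTOR_CLEAN : SECTOR_WRITE_FAILED;
}

/* Steps 1-4 together. Returns 1 when the caller should hard-reset (a restore landed);
 * *out receives the final status. Only a boot-code change is repaired automatically. */
int check_and_repair(struct disk *d, const uint8_t *saved, enum sector_status *out)
{
    *out = check_sector(d, saved);
    if (*out != SECTOR_CODE_CHANGED)
        return 0;
    *out = restore_sector(d, saved);
    return *out == SECTOR_CLEAN;
}

/* Constructed sample: code area filled with code_fill, one active partition entry, valid signature. */
void make_sample_sector(uint8_t *sec, uint8_t code_fill)
{
    static const uint8_t entry0[16] = {
        0x80, 0x01, 0x01, 0x00, 0x06, 0x0F, 0xFF, 0xFF,
        0x3F, 0x00, 0x00, 0x00, 0xC1, 0xFF, 0x0F, 0x00
    };
    memset(sec, code_fill, PTABLE_OFFSET);
    memset(sec + PTABLE_OFFSET, 0, SECTOR_SIZE - PTABLE_OFFSET);
    memcpy(sec + PTABLE_OFFSET, entry0, sizeof entry0);
    sec[SIG_OFFSET] = 0x55;
    sec[SIG_OFFSET + 1] = 0xAA;
}

int main(void)
{
    uint8_t saved[SECTOR_SIZE];
    struct disk d = { {0}, 0 };
    enum sector_status st;
    int reboot;

    make_sample_sector(saved, 0xEB);            /* clean copy saved by the init program */

    make_sample_sector(d.sector1, 0x90);        /* boot code replaced, table intact */
    reboot = check_and_repair(&d, saved, &st);
    printf("code changed:  reboot=%d status=%d\n", reboot, st);

    make_sample_sector(d.sector1, 0xEB);
    d.sector1[PTABLE_OFFSET + 4] = 0x04;        /* partition type byte altered */
    reboot = check_and_repair(&d, saved, &st);
    printf("table changed: reboot=%d status=%d\n", reboot, st);

    make_sample_sector(d.sector1, 0x90);
    d.write_blocked = 1;                        /* write silently does not land */
    reboot = check_and_repair(&d, saved, &st);
    printf("write blocked: reboot=%d status=%d\n", reboot, st);
    return 0;
}
```

The three cases in main correspond to the post's normal path (code overwritten, restore, reboot), the repartition hazard that a plain byte-for-byte restore would not distinguish, and the write-suppression caveat; on a real machine the reboot decision would be followed by the hard reset the post describes, so that whatever is resident in memory cannot rewrite the sector after the repair.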