Information sheet on the Michelangelo Virus
Compiled by J.M. Allen Creations / Michael A. Hotz
February 17, 1992
-----------------------------------------------------------------------------
This information was compiled by studying a disassembly of the virus code
taken from an infected system.
-----------------------------------------------------------------------------
OVERVIEW:
The Michelangelo virus is of the boot sector / partition table type.
It finds its way to the unsuspecting user's system riding in the boot sector
of a floppy disk, which all floppy disks have, even those that don't actually
boot DOS. A boot sector is simply a small program that is automatically
run from a disk whenever a system is booted from that disk. Its purpose
is to read the operating system from the disk and begin the process of
bringing the system up and running. The detailed process of the inner workings
of this virus follows.
INITIAL MEANS OF INFECTION:
When the user puts an infected disk in the system, the virus is
automatically run just like a normal boot sector would run at start up.
It first checks for its presence in the partition table of the first
hard drive in the system, the one normally booted from. If it doesn't
find its signature, it copies the existing partition table to the seventh
sector on the hard drive, normally reserved for multiple partition
tables. It then installs its own code where the master partition table
resides. Once it has done all of this, it then continues with the normal
boot process by loading the true boot sector from a saved location on the
floppy disk: head 1 sector 3 for 360k disks, head 1 sector 14 for 1.2m disks.
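As an added example, not part of this sheet, the following Python script applies the layout just described to a raw hard disk image for forensic triage: it reads track 0 sector 1 (the master partition table) and track 0 sector 7 (LBA 6, where the sheet says the original table is parked) and flags an image in which sector 7 holds a complete MBR whose boot code differs from the one in sector 1. The two sample images are constructed in the script; the helper names are my own.

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"

def partition_entry(boot: int, ptype: int, start_lba: int, size: int) -> bytes:
    """Build one 16-byte MBR partition entry (CHS fields left zero)."""
    return struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start_lba, size)

def make_sector(code: bytes, table: bytes) -> bytes:
    """Assemble a 512-byte MBR-style sector: 446 code bytes, 64-byte table, 55AA."""
    return code.ljust(446, b"\0") + table.ljust(64, b"\0") + MBR_SIG

def looks_like_mbr(sector: bytes) -> bool:
    """Sanity-check a sector as an MBR: signature, at least one partition, valid boot flags."""
    if len(sector) != SECTOR or sector[510:] != MBR_SIG:
        return False
    entries = [sector[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    if all(e[4] == 0 for e in entries):                 # byte 4 is the partition type
        return False
    return all(e[0] in (0x00, 0x80) for e in entries)   # byte 0 is the boot flag

def check_relocated_table(image: bytes) -> dict:
    """Compare the MBR (track 0, sector 1) with track 0, sector 7 (LBA 6)."""
    mbr = image[0:SECTOR]
    seventh = image[6 * SECTOR:7 * SECTOR]
    r = {
        "mbr_ok": looks_like_mbr(mbr),
        "sector7_is_mbr": looks_like_mbr(seventh),
        "same_table": mbr[446:510] == seventh[446:510],
        "code_differs": mbr[:446] != seventh[:446],
    }
    # A complete MBR copy parked in sector 7 while sector 1 carries different boot code
    # is the layout the sheet describes. Treat it as a lead for a scanner, not as proof.
    r["suspicious"] = r["sector7_is_mbr"] and r["code_differs"]
    return r

# Constructed sample images (not real disk dumps): a clean layout and the relocated one.
TABLE = partition_entry(0x80, 0x06, 63, 20000)       # one bootable FAT16 partition
ORIG_MBR = make_sector(b"\xFA\x33\xC0\x8E\xD0 original loader", TABLE)
CLEAN_IMAGE = ORIG_MBR + b"\0" * (SECTOR * 9)         # sectors 2..10 unused
FOREIGN_MBR = make_sector(b"\xEA\x05\x00\xC0\x07 replaced code", TABLE)
SUSPECT_IMAGE = FOREIGN_MBR + b"\0" * (SECTOR * 5) + ORIG_MBR + b"\0" * (SECTOR * 3)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("suspect", SUSPECT_IMAGE)):
        print(name, check_relocated_table(img))
```

On a real image, read the first 10 sectors of the drive into `image` and call `check_relocated_table`; some boot managers also use track 0, so a positive result is a reason to run a scanner rather than a diagnosis.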
MAKING ITSELF INVISIBLE:
After installing itself, the virus reads the original boot sector from the
saved location on the disk, and passes execution to it just as if the virus
were not there. If the disk in the A: drive is a system disk, it loads the
OS, and boot up proceeds in a totally normal manner. If the disk isn't
bootable, the user will still see the familiar "Insert system disk and
press any key" message. At this point, the hard disk has been infected, and
the virus is resident in memory.
WHEN THE VIRUS BECOMES ACTIVE:
Whenever the user boots off of an infected floppy, or an infected hard
disk, the virus moves the top of memory from 640k to 638k by subtracting
two from a word in the BIOS data table low in memory. This word is used
by the operating system to determine how many kilobytes of conventional
memory are available. The virus then copies itself into this reserved
chunk of memory. The virus also saves the current address for the BIOS
disk ISR (interrupt service routine) and sets the address of this routine
to point to its resident floppy infecting code. Next, DOS gets pulled in
just like normal, except DOS reads this word in low memory to determine how
much memory to make available to the user. DOS sees 638k and sets its top
of memory just below the virus in high memory, very effectively protecting
the virus from ever being overwritten in memory. This happens every time
the system is booted from an infected floppy or hard disk.
The average user will never have any clue that any of this has happened.
HOW INFECTION SPREADS:
Now, this virus sits there, and every time an int 13h is generated by
software requesting disk functions, the virus intercepts the call. It
first checks to see if the call is being directed at the first floppy
drive in the system. If it is not, then it passes the disk request on to
the original int 13h handler, normally in the system BIOS. If however, the
request is to the first floppy, it then reads the boot sector from the
floppy into an area of its reserved memory, just above the resident virus,
and checks for its signature in the boot sector. If it finds it, the virus
knows that the floppy in the drive has already been infected, and passes the
disk request on to the original int 13h handler. If it doesn't find
its signature, the virus then writes the original boot sector to an
unused sector for later use, and copies its own infected boot program to the
boot sector of the floppy. The virus then returns control to the original
int 13h handler. At this point, the floppy is infected, all before the user
even sees the directory print on the screen, or the program run, or whatever
action was requested on the drive.
WHY THE VIRUS IS HARD TO DETECT:
Since there is normally a slight delay whenever a user accesses a floppy
drive, the user never perceives the extra milliseconds taken by the virus
to test and/or infect any disk in the first floppy every time it is accessed.
This means that EVERY disk accessed in any way in the first floppy drive on an
infected system will also be infected.
Another reason the virus is so stealthy is that, even though there is a lot
of virus protection software available, the TSR programs that sit in memory
and watch calls to critical interrupt service routines (ISRs) are useless
against a virus of this type because this virus is already resident in memory
before the TSR watchers ever get loaded. When the virus reads and writes to
the floppies, it doesn't call int 13h, which the TSR watchers would detect;
it instead uses a far call to the address of the original int 13h handler
that it saved when it installed, thus the TSR watcher never sees the
call, and never warns you that the virus is there.
WHEN WILL THE VIRUS STRIKE:
The actual damage of the virus will occur when the system is booted on
March 6 based on the internal clock. In either case, booting from an
infected floppy or hard disk, the destruction will occur as soon as the
boot sector from the infected disk begins executing, at a point long before
the user would ever gain control of the system through the command
processor, generally enough time to virtually erase the entire disk, and
certainly enough time to at least erase the critical file allocation tables,
long before the user ever suspects anything is wrong.
WHAT WILL THE VIRUS DO:
As long as the date isn't March 6, the virus sits dormant, simply infecting
every floppy accessed in the first floppy drive. When the D-Day
rolls around, instead of loading itself and booting up normally, the virus
keeps control of the system, and simply starts at track 0 sector 1 and dumps
whatever happens to be at address 5000:5000 in memory to each sector on the
hard drive. It sits in a simple loop writing and incrementing track/sector
values until the user finally decides something is wrong. Of course by that
time, since it starts at the beginning of the drive, all of the File
Allocation Tables, and probably a good chunk of the first part of the drive,
have been erased.
FINAL NOTES OF INTEREST:
The resident code doesn't do the actual destruction. It is only responsible
for making sure the virus infects as many disks as possible, increasing
the likelihood that it will get transferred to other systems, and others, etc.
It should also be noted that when a system is infected, disks put in the
first floppy will only be infected if they are accessed. Putting in a
disk, closing the door, opening the door and removing the disk will not
allow the virus to be written, but even a simple directory or any other
command where the disk is actually read or written will cause infection.
If a hard drive is clean, you can safely put an infected disk in the
first floppy AFTER the system is fully booted from the clean hard drive
without worry, because the boot sector program of the infected floppy must
actually be executed before it can install itself on the hard disk, a
situation which ONLY occurs when the disk is booted from.
HOW TO FIND THE VIRUS:
The easiest way to check for this particular virus is to use a program
that will report how much memory is available to DOS. The newer (4.0 and up)
versions of DOS come with a program called MEM.EXE. If the first line of the MEM
command output says "655360 bytes total conventional memory", this virus is
not resident. If it is anything less, the machine MAY be infected.
There are certain cases when this could happen without a virus, such as on
machines which reserve part of the high memory for information, such as the
IBM PS/2, which has an EBDA, or systems with user definable BIOS hard disk
types. In any case where this number is less than 640k (655360), and
especially if this number is exactly 638k (653312), I suggest using a
commercial virus scan utility, or contacting someone who can determine if the
virus exists, and remove it if necessary.
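As an added example, not part of this sheet, here is the memory check above in Python: it parses the first line of MEM.EXE output (or takes the BIOS data area memory-size word directly; that word lives at 0040:0013h and is the one the virus decrements by two) and separates the clean 640k case from the exact 638k footprint and from the 1k EBDA reduction seen on PS/2 machines. The MEM lines are constructed samples, not captured output.

```python
import re
from typing import Optional

KB = 1024
FULL_CONVENTIONAL = 640 * KB   # 655360 bytes, what MEM reports on a clean 640k machine
VIRUS_TOP = 638 * KB           # 653312 bytes: 640k minus the 2k this virus reserves
EBDA_TOP = 639 * KB            # 654336 bytes: a 1k Extended BIOS Data Area (PS/2 case)

def conventional_bytes_from_mem(output: str) -> Optional[int]:
    """Pull the total from MEM.EXE's first line, '655360 bytes total conventional memory'."""
    m = re.search(r"(\d+)\s+bytes total conventional memory", output)
    return int(m.group(1)) if m else None

def classify_top_of_memory(total_bytes: int) -> str:
    """Read the reported conventional-memory total the way the sheet describes."""
    if total_bytes >= FULL_CONVENTIONAL:
        return "clean: full 640k reported, this virus is not resident"
    if total_bytes == VIRUS_TOP:
        return "suspect: exactly 638k, the 2k reservation this virus makes; run a scanner"
    if total_bytes == EBDA_TOP:
        return "reduced by 1k: typical of an EBDA (e.g. PS/2); confirm with a scanner"
    return "reduced: less than 640k for an unexplained reason; confirm with a scanner"

def classify_bda_word(kb_word: int) -> str:
    """Same check from the BIOS data area memory-size word (0040:0013h, in KB)."""
    return classify_top_of_memory(kb_word * KB)

def verdict_from_mem(output: str) -> str:
    """End-to-end: MEM.EXE text in, verdict out (or a parse failure)."""
    total = conventional_bytes_from_mem(output)
    return "could not parse MEM output" if total is None else classify_top_of_memory(total)

# Constructed MEM.EXE first lines (not captured output) for the three cases discussed.
MEM_CLEAN = "655360 bytes total conventional memory\n"
MEM_VIRUS = "653312 bytes total conventional memory\n"
MEM_PS2 = "654336 bytes total conventional memory\n"

if __name__ == "__main__":
    for sample in (MEM_CLEAN, MEM_VIRUS, MEM_PS2):
        print(sample.split()[0], "->", verdict_from_mem(sample))
```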