FUNBOT2.CVP 910918 Boot sequence In order to point out the areas of possible viral program attack, it is helpful to outline the sequence of operations in the boot process. When the machine is first powered up, there is a certain amount of programming contained in boot ROM. The amount of this varies greatly between different types of machines, but basically describes the most central devices, such as the screen and keyboard, and "points" to the disk drives. A very basic location on the disk is addressed for further information. This is the generic "boot sector"; as mentioned in the last column, on MS-DOS hard disks it is the partition boot record that is accessed first. The boot record or sector contains further information about the structure of the disk. It, or a subsequent linked sector, also describes the location of further operating system files. This description is in the form of a program, rather than simply data. Because this outline is in the form of a program, and because this sector is "writable", in order to allow for different structures, the boot record or sector is vulnerable to attack or change. Boot sector infecting programs may overwrite either the boot record or the boot sector, and may or may not move the original boot sector or record to another location on disk. The repositioning of the original sector's program allows the viral program to "pretend" that everything is as it was. This pretence is not absolute. A computer with an active viral program resident will, of necessity, be different in some way from the normal environment. The original sector position will, of course, have different information in it. The viral program will need to "hook" certain vectors for its own use in order to monitor activity within the computer and in order to function. The viral program will have to occupy a certain portion of memory, and may be identified by a memory map, or, in the case of the Stoned virus, may try to hide by "telling" the computer that it has less memory than is actually the case. These tell-tale indicators are not absolute. There may be various reasons why the "top of memory" marker is set to less than 640K. Each different type of disk drive, and each drive of the same type which is partitioned differently, will have a different boot record. As operating systems or versions change, so will the boot sector. Therefore, the environment of newly booted machines cannot, in isolation, be examined and said to be infected or free from infection. It is possible, however, to compare any machine with itself in a "known clean" state. By saving information on the environment after a minimal clean boot, and comparing this with subsequent boots, changes can be detected, and the user alerted to a potential problem. Since a boot sector infector can only infect a machine if the machine is booted from an infected disk, it is also possible to replace the boot record with a non-standard one, in order to prevent access to the hard disk unless booted from the hard disk. copyright Robert M. Slade, 1991 FUNBOT2.CVP 910918