is easy because the boot sector is such a simple animal. Since code
size is a primary concern, the search and copy routines are combined
in KILROY to save space.
First, the copy mechanism must determine where it came
from. The third-to-last byte in the boot sector is set up by
the virus with that information. If the boot sector came from drive
A, that byte will be zero; if it came from drive C, that byte will be
80H. It cannot come from any other drive since a PC boots only
from drive A or C.
Once KILROY knows where it is located, it can decide
where to look for other boot sectors to infect. Namely, if it is from
drive A, it can look for drive C (the hard disk) and infect it. If there
is no drive C, it can look for a second floppy drive, B:, to infect.
(There is never any point in trying to infect A. If the drive door on
A: were closed, so it could be infected, then the BIOS would have
loaded the boot sector from there instead of C:, so drive A would
already be infected.)
One complication in infecting a hard drive is that the virus
cannot tell where the DOS boot sector is located without loading
the partition boot sector (at Track 0, Head 0, Sector 1) and reading
the information in it. There is not room to do that in such a simple
virus, so we just guess instead. We guess that the DOS boot sector
is located at Track 0, Head 1, Sector 1, which will normally be the
first sector in the first partition. We can check the last two bytes in
that sector to make sure they are 55H AAH. If they are, chances are
good that we have found the DOS boot sector. In the relatively rare
cases when those bytes belong to some other boot sector, for a
different operating system, tough luck. The virus will crash the disk.
If the ID bytes 55H AAH are not found in an infection attempt, the
virus will be polite and forget about trying to infect the hard drive.
It will go for the second floppy instead.
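The three facts the passage relies on (the drive byte in the third-to-last position, the guess that the DOS boot sector sits at Track 0, Head 1, Sector 1, and the 55H AAH check on the last two bytes) can be applied from the outside to a raw disk image, which is how an analyst would verify them rather than how the virus does it. The following C program is an added example and is not code from the book or from KILROY itself. It assumes a CHS geometry of 16 heads and 63 sectors per track (so CHS 0/1/1 maps to linear sector 63) and uses a constructed 64-sector image; the function names and the geometry are the example's own choices, not anything the text fixes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE        512
#define SIG_OFFSET         510                 /* last two bytes: 55h AAh */
#define DRIVE_BYTE_OFFSET  (SECTOR_SIZE - 3)   /* third-to-last byte, as the text describes */

/* Convert a CHS address to a linear (LBA) sector index for a given geometry.
 * Cylinders and heads are 0-based, sectors are 1-based, as in INT 13h. */
uint32_t chs_to_lba(uint32_t cyl, uint32_t head, uint32_t sector,
                    uint32_t heads, uint32_t spt)
{
    return (cyl * heads + head) * spt + (sector - 1);
}

/* True if the sector ends in the 55h AAh boot signature. */
int has_boot_signature(const uint8_t *sec)
{
    return sec[SIG_OFFSET] == 0x55 && sec[SIG_OFFSET + 1] == 0xAA;
}

/* Read the drive byte KILROY stores in the third-to-last position:
 * 00h for A:, 80h for C:. Returns -1 if the sector lacks the boot
 * signature or holds a value the virus would never write. Note that 00h
 * alone cannot distinguish an infected sector from a clean one whose
 * third-to-last byte happens to be zero. */
int kilroy_origin_drive(const uint8_t *sec)
{
    if (!has_boot_signature(sec))
        return -1;
    uint8_t d = sec[DRIVE_BYTE_OFFSET];
    if (d != 0x00 && d != 0x80)
        return -1;
    return d;
}

/* Apply the virus's guess to a raw image: assume the DOS boot sector is at
 * CHS (0,1,1). Returns a pointer to that sector only if it lies inside the
 * image and carries the signature; otherwise NULL, which is the case where
 * the text says the virus gives up on the hard drive. */
const uint8_t *guess_dos_boot_sector(const uint8_t *image, size_t image_len,
                                     uint32_t heads, uint32_t spt)
{
    uint32_t lba = chs_to_lba(0, 1, 1, heads, spt);
    size_t off = (size_t)lba * SECTOR_SIZE;
    if (off + SECTOR_SIZE > image_len)
        return NULL;
    const uint8_t *sec = image + off;
    return has_boot_signature(sec) ? sec : NULL;
}

/* Constructed sample image (not a real disk): 64 sectors, a signed sector at
 * LBA 0 standing in for the partition sector, and a signed "DOS boot sector"
 * at LBA 63 with the drive byte set to 80h as if KILROY had booted from C:. */
static uint8_t g_image[64 * SECTOR_SIZE];

const uint8_t *build_sample_image(size_t *len)
{
    memset(g_image, 0, sizeof g_image);
    g_image[SIG_OFFSET] = 0x55;
    g_image[SIG_OFFSET + 1] = 0xAA;

    uint8_t *dos = g_image + 63 * SECTOR_SIZE;
    dos[SIG_OFFSET] = 0x55;
    dos[SIG_OFFSET + 1] = 0xAA;
    dos[DRIVE_BYTE_OFFSET] = 0x80;

    *len = sizeof g_image;
    return g_image;
}

int main(void)
{
    size_t len;
    const uint8_t *img = build_sample_image(&len);

    /* Assumed geometry: 16 heads, 63 sectors per track. */
    const uint8_t *sec = guess_dos_boot_sector(img, len, 16, 63);
    if (sec == NULL) {
        puts("no 55h AAh at CHS 0/1/1: would skip the hard drive");
        return 0;
    }
    int drive = kilroy_origin_drive(sec);
    if (drive < 0)
        puts("signed sector, but drive byte is not 00h/80h");
    else
        printf("drive byte at offset %d is %02Xh (%s)\n",
               DRIVE_BYTE_OFFSET, drive, drive == 0x80 ? "C:" : "A:");
    return 0;
}
```

Run against a real image, the geometry is the part to get right: the virus never reads the partition table, so the guess is only as good as the assumption that the first partition starts at Head 1, Sector 1, which is exactly the failure case the text warns about.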