Denny Lin's Anti-Virus tips

Inexpensive boot sector virus detection and prevention techniques by Denny Lin (6/15/94)

Boot sector viruses are, with few exceptions, the most common type of virus found on La Sierra University students' disks; they are very infectious and can cause major damage to data stored on hard disks. These viruses spread when a computer is booted from an infected floppy disk (it does not matter whether the disk is bootable or not: the BIOS executes the disk's boot sector before DOS ever looks for system files, so a "Non-System disk" message means the virus has already run). While many view viruses as an insignificant threat, a student-centered, campus-wide computer lab (such as MICOL) can become a virus infection site that threatens the work of faculty and staff; all it takes is a well-meaning teacher or staff member who lets a student (carrying an infected floppy disk) use his/her computer; any floppy disk used thereafter will be infected and capable of infecting other computers.

Disclaimer: This discussion is limited to IBM Compatible PCs; most of the discussion applies to computers installed with DOS 5.0 or later versions. The author makes no guarantees whatsoever about the effectiveness of these methods, and assumes no liability whatsoever for loss of data due to use/misuse of the following information.

Preventive measures: If your computer has a bootable hard disk, it is a prime target for this kind of virus attack. Depending on the kind of ROM BIOS on your computer, you might be able to alter the boot sequence so that drive A: is not searched for a bootable (and potentially infectious) disk. For example, if your computer is equipped with an American Megatrends Inc. BIOS, change the boot sequence to C:, A:; this prevents floppy disks infected with boot sector viruses from infecting your hard drive when someone leaves one in the drive and reboots. It still allows drive A: to be used for booting when drive C: is damaged, and does not affect the operation of drive A: in any other way. Note the limit of this protection: it only stops the virus from being booted; a floppy left in the drive of a machine whose hard disk fails to boot will still be booted from. Where the BIOS offers a setup password, set one, so that a student cannot quietly switch the sequence back to A:, C:.

Removing a boot sector virus: Boot sector viruses infect the Master Boot Record of a hard drive (some infect the DOS boot sector of the active partition instead), and the Boot Record of a floppy disk. If, and only if, you own DOS version 5.0 or later, you may use the following suggestions. You can find out what version of DOS you have by typing VER at the DOS prompt; make sure the computer has reported DOS version 5.0 or later before you use any of these suggestions. Failure to do so can result in severe damage to your hard drive and floppy disks! The safest way to run any of the repair commands below is after booting from a clean, write-protected DOS floppy of the same version, so that the virus is not resident in memory while you work; a resident virus that intercepts disk writes can undo or hide the repair.

Boot sector virus on hard disks: Again, if you have DOS 5.0 or later, you can reconstruct the Master Boot Record with the following DOS command: FDISK /MBR

FDISK is an external DOS command supplied with DOS 5.0 for building disk partitions; the /MBR switch is undocumented. It rewrites only the boot code in the first 446 bytes of the Master Boot Record and leaves the partition table (the next 64 bytes) as it is. Two consequences follow. First, if the virus has moved or encrypted the partition table rather than just replacing the code, FDISK /MBR will not repair the table and can leave the disk unreadable; have a backup of your data before trying it. Second, a virus living in the DOS boot sector of the C: partition rather than in the MBR is not touched by FDISK /MBR at all; for that case, SYS C: run from a clean write-protected boot floppy of the same DOS version writes a fresh DOS boot sector.
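The following script, an added example that is not part of Denny Lin's page, shows concretely which bytes of the Master Boot Record FDISK /MBR rewrites and which it leaves alone, and applies the same idea as the memory snapshot comparison described later on this page to the MBR itself: save a copy of the sector while the machine is known to be clean, and compare the current sector against it. All function names (compare_mbr, describe, build_sector) are mine, and both sample sectors are constructed for the example, not captured from a real infection. Reading the 512 bytes off the disk is left to a separate step; on the PCs discussed here it is an INT 13h function 02h read of head 0, cylinder 0, sector 1 from drive 80h, saved to a file.

```python
"""Check a 512-byte MBR image against a known-good baseline.

Layout of a DOS master boot record (the only facts this script relies on):
    bytes   0..445  boot code                (this is all FDISK /MBR rewrites)
    bytes 446..509  four 16-byte partition table entries (left alone by FDISK /MBR)
    bytes 510..511  signature 55h AAh
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 446            # first byte of the partition table
SIGNATURE = b"\x55\xAA"


def partition_table(sector):
    """Return the four partition entries as (status, type, first_lba, sector_count)."""
    entries = []
    for index in range(4):
        offset = CODE_END + 16 * index
        status, _chs_start, ptype, _chs_end, first_lba, count = struct.unpack_from(
            "<B3sB3sII", sector, offset)
        entries.append((status, ptype, first_lba, count))
    return entries


def describe(sector):
    """Summarize the part a virus replaces (code) and the part it must preserve (table)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "code_digest": hashlib.sha256(sector[:CODE_END]).hexdigest(),
        "partitions": partition_table(sector),
    }


def compare_mbr(baseline, current):
    """Return a list of findings; an empty list means the sector is unchanged."""
    old, new = describe(baseline), describe(current)
    findings = []
    if not new["signature_ok"]:
        findings.append("55AA signature missing: not a valid boot record")
    if old["code_digest"] != new["code_digest"]:
        findings.append("boot code differs from baseline "
                        "(boot sector virus suspected; FDISK /MBR restores this part)")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table differs from baseline "
                        "(FDISK /MBR does NOT repair this; check it before running FDISK)")
    return findings


def build_sector(code, partitions):
    """Assemble a sector from boot code and up to four (status, type, first_lba, count) entries.

    Helper for the constructed samples below.
    """
    code = code.ljust(CODE_END, b"\x00")[:CODE_END]
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
        for status, ptype, lba, count in partitions)
    return code + table.ljust(64, b"\x00") + SIGNATURE


# Constructed samples (assumption: not real disk images). The clean code begins like
# the standard DOS master boot code (FA 33 C0 8E D0 BC 00 7C ...); the changed code
# begins with a far jump into a different body, which is exactly the kind of
# replacement a baseline comparison catches.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\x8B\xF4\x50\x07\x50\x1F\xFB\xFC"
CHANGED_CODE = b"\xEA\x05\x00\xC0\x07\xE9\x00\x00" + b"\x90" * 8
ACTIVE_DOS_PARTITION = [(0x80, 0x06, 63, 204736)]   # 80h = bootable, 06h = FAT16

CLEAN_MBR = build_sector(CLEAN_CODE, ACTIVE_DOS_PARTITION)
INFECTED_MBR = build_sector(CHANGED_CODE, ACTIVE_DOS_PARTITION)   # code replaced, table intact
TABLE_GONE_MBR = build_sector(CHANGED_CODE, [])                    # code replaced AND table blanked

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR),
                          ("table gone", TABLE_GONE_MBR)):
        print(label + ":", compare_mbr(CLEAN_MBR, sector) or ["no change"])
```

The baseline must be taken once, while the machine is known to be clean, and kept on a write-protected floppy, for the same reason the memory snapshot later on this page is made read-only: a baseline taken from an already infected disk simply teaches the check to accept the virus.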

Boot sector virus detection: Yes, it is possible to detect a boot sector virus on your hard disk without commercial software, provided you have Borland's TURBO PASCAL compiler to build the following programs. (It should be simple to convert these programs into QBASIC, but I'll leave that to other astute readers in cyberspace.) There are several tell-tale signs to look for.

One method for verifying a boot sector virus infection without commercial software is a simple homegrown PASCAL program. This method works on any DOS machine and is independent of the DOS version. A resident boot sector virus hooks the BIOS disk interrupt (INT 13h) and tries to infect a floppy whenever the drive is accessed, including when it is reset. Our program resets drive A: through INT 13h; if a boot sector virus is present, the drive's light will turn on momentarily and the drive head will make an audible noise while the virus attempts to make a copy of itself on the disk. Treat this as a sign, not as proof of a clean system: a virus that hooks only reads and writes, and not the reset function, will not react to it. The PASCAL code is as follows:

Program Reset_Disk;

{ Reset drive A: through the BIOS disk interrupt. A resident boot }
{ sector virus that hooks INT 13h will react by accessing the drive. }

uses dos;

VAR Regs : Registers;

BEGIN
  FillChar(Regs, SizeOf(Regs), 0); { Clear the register image }
  WITH Regs DO
  BEGIN
    ah := $00; { Function number for interrupt call: 00h = reset disk system }
    dl := 0;   { Drive A: }
  END;
  intr($13, Regs); { BIOS disk interrupt call }
END.

The above method was discovered by serendipity, when I noticed that while running a program used to verify student data disks, Drive A:'s light would turn on whenever the computer's hard disk was infected with a boot sector virus. So reliable was this test that we have been using this sign to determine whether a computer has been infected by a boot sector virus. However, this method did not provide us with an easy way to remove boot sector viruses.

Boot sector viruses infect other disks by staying resident in the computer's memory: the virus is loaded by the BIOS before DOS, reserves a little memory for itself, and from there infects every floppy that is accessed. If you suspect a virus infection, you can compare a "snapshot" of your computer's current memory usage with a previous "clean snapshot".

MEM is an external DOS command that reports memory usage. A virus is not likely to be listed by name in the MEM report, but any difference between a clean and a current snapshot is highly suspicious. If no new program(s) were installed and the computer's configuration was not modified, then your computer is probably infected. The most telling line is the total conventional memory: a clean PC reports 655,360 bytes (640K), while a resident boot sector virus typically lowers the BIOS memory-size count to hide itself at the top of conventional memory, so MEM reports a total of 1K to 2K less than 640K.

There is one instance where this method causes a false alarm: a snapshot generated while AUTOEXEC.BAT is still running during the boot sequence is very different from a snapshot generated at the DOS prompt after the computer has finished booting, because programs loaded later in the boot sequence and the command interpreter itself use memory differently. Always compare snapshots taken at the same point.
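The check described above, as an added example that is not part of Denny Lin's page: it compares two MEM /C snapshots the way the AUTOEXEC.BAT procedure does, but reports which lines changed instead of a bare yes/no, and adds the one test that points most directly at a resident boot sector virus, a conventional memory total below 655,360 bytes. The function names (assess, changed_lines, conventional_total) are mine, and the two snapshot texts are constructed to resemble MEM /C output rather than captured from a real machine; the parser therefore keys only on the line that names the conventional memory total, which is worded differently in DOS 5 and DOS 6.

```python
"""Compare a clean MEM /C snapshot with the current one and flag a resident virus."""
import difflib
import re

FULL_CONVENTIONAL = 655360   # 640K, what a clean PC reports

# Constructed snapshots (assumption: modelled on DOS 6 MEM /C, not real output).
# The "infected" one reports 2,048 bytes less conventional memory, which is what a
# virus that lowers the BIOS memory-size word at 0040:0013 by 2K looks like to MEM.
SNAPSHOT_OLD = """\
Modules using memory below 1 MB:

  Name           Total       =   Conventional   +   Upper Memory
  --------  ----------------   ----------------   ----------------
  MSDOS        17,421   (17K)     17,421   (17K)          0    (0K)
  HIMEM         1,168    (1K)      1,168    (1K)          0    (0K)
  COMMAND       2,912    (3K)      2,912    (3K)          0    (0K)
  Free        633,859  (619K)    633,859  (619K)          0    (0K)

Memory Summary:

  Type of Memory       Total   =    Used    +    Free
  ----------------  ----------   ----------   ----------
  Conventional         655,360       21,501      633,859
"""

SNAPSHOT_INFECTED = SNAPSHOT_OLD.replace(
    "  Free        633,859  (619K)    633,859  (619K)",
    "  Free        631,811  (617K)    631,811  (617K)").replace(
    "  Conventional         655,360       21,501      633,859",
    "  Conventional         653,312       21,501      631,811")

# DOS 6 prints a "Conventional  <total> ..." summary row; DOS 5 prints
# "<total> bytes total conventional memory". Either form is accepted.
_TOTAL_PATTERNS = (
    re.compile(r"^\s*Conventional\s+([\d,]+)\b"),
    re.compile(r"^\s*([\d,]+)\s+bytes total conventional memory"),
)


def conventional_total(snapshot):
    """Total conventional memory in bytes, or None if the snapshot has no such line."""
    for line in snapshot.splitlines():
        for pattern in _TOTAL_PATTERNS:
            match = pattern.match(line)
            if match:
                return int(match.group(1).replace(",", ""))
    return None


def changed_lines(old, new):
    """Lines that differ between the two snapshots (what COMPARE.EXE only says yes/no to).

    Extra lines at the end of either file count as a change too.
    """
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def assess(old, new):
    """Return (verdict, findings) where verdict is 'clean', 'changed' or 'infected'."""
    findings = []
    changes = changed_lines(old, new)
    if changes:
        findings.append("%d line(s) differ from the clean snapshot" % len(changes))
    total = conventional_total(new)
    if total is not None and total < FULL_CONVENTIONAL:
        findings.append("conventional memory is %d bytes, %d short of 640K: something "
                        "is hiding at the top of conventional memory"
                        % (total, FULL_CONVENTIONAL - total))
        return "infected", findings
    return ("changed" if changes else "clean"), findings


if __name__ == "__main__":
    print(assess(SNAPSHOT_OLD, SNAPSHOT_OLD))
    print(assess(SNAPSHOT_OLD, SNAPSHOT_INFECTED))
```

A "changed" verdict without the 640K shortfall is what a newly installed TSR or a changed CONFIG.SYS produces; retake the clean snapshot in that case. An "infected" verdict is the signal the page's AUTOEXEC.BAT procedure acts on with FDISK /MBR and a cold boot.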

It is possible to automatically detect and remove a boot sector virus (when one is found) at every boot. This involves modifying your AUTOEXEC.BAT file to: a) compare the contents of the previous (clean) and current memory usage snapshots; b) do nothing if the contents are identical; c) rewrite the Master Boot Record and cold boot the computer if the contents are not identical.

Comparing two files: Because FC, the external DOS command used to compare file contents, does not set an Errorlevel code when files are different, I used a simple ASCII file compare program written in TURBO PASCAL. When the files are identical, Errorlevel 0 is returned; 1 is returned when they are not identical. The following is a listing of the program:

Program Compare;

{ This program does an ASCII (line-by-line) comparison of two text }
{ files and returns a DOS Errorlevel code: 0 if the files are }
{ identical, 1 if they differ. This is very useful for batch file }
{ programs to detect a memory resident virus. }
{ Written by Denny Lin, 4/20/94 }

VAR File1, File2 : Text;
    FileName1, FileName2 : String;

FUNCTION File_Compare : Integer;

VAR String1, String2 : String;
    Done : Boolean;

BEGIN
  File_Compare := 0;
  Done := False;
  Assign(File1, FileName1);
  Assign(File2, FileName2);
  Reset(File1);
  Reset(File2);
  WHILE ((NOT EOF(File1)) AND (NOT EOF(File2)) AND (NOT Done)) DO
  BEGIN
    Readln(File1, String1);
    Readln(File2, String2);
    IF String1 <> String2 { If files are different }
    THEN
    BEGIN
      File_Compare := 1;
      Done := True; { Done comparing }
    END;
  END;
  { If one file still has lines left, the files differ even though }
  { every line read so far matched. }
  IF (NOT Done) AND (EOF(File1) <> EOF(File2)) THEN File_Compare := 1;
  Close(File1);
  Close(File2);
END;

BEGIN
  IF ParamCount < 2 { Interactive file compare }
  THEN
  BEGIN
    Write('_File1: ');
    Readln(FileName1);
    Write('_File2: ');
    Readln(FileName2);
  END
  ELSE
  { File names entered as parameters }
  BEGIN
    FileName1 := ParamStr(1);
    FileName2 := ParamStr(2);
  END;

  Halt(File_Compare); { Program halts with Errorlevel given by File_Compare }
END.

BOOT.COM is used to reboot the computer. Certain viruses are capable of surviving a warm boot (pressing Ctrl-Alt-Del), because the BIOS skips the memory test on a warm boot and the virus's copy in memory is left alone. This program performs a cold boot instead: it clears the BIOS reset-flag word at 0040:0072 (the value 1234h there means "warm boot"; 0000h means "cold boot") and then jumps to the BIOS reset vector at FFFF:0000, so the computer performs a full memory test on startup.

This file was created with DEBUG, but a PASCAL program using an Inline procedure would work just as well:

(Create BOOT.COM by typing the following in DEBUG:)

A 0100
MOV AX,40
MOV ES,AX
ES: MOV WORD PTR [72],0000    <- Signals the BIOS to perform a cold boot (reset flag at 0040:0072)
JMP FFFF:0000                 <- Asks for a reboot through the BIOS reset vector
                              <- Press Enter on the empty line to leave assembly mode
N BOOT.COM                    <- Names the file BOOT.COM
RCX
11                            <- 11h = 17 bytes of code to write
W                             <- Writes BOOT.COM
Q                             <- Quits DEBUG

(TURBO PASCAL program BOOT.PAS :)

Program Boot;

{ Cold boot a computer. The Inline bytes are the same 17 bytes the }
{ DEBUG listing above assembles; the program never returns. }

BEGIN
  Inline($B8/$40/$00/        { MOV AX,0040h }
         $8E/$C0/            { MOV ES,AX }
         $26/$C7/$06/$72/$00/$00/$00/ { ES: MOV WORD PTR [0072h],0000h : cold boot flag }
         $EA/$00/$00/$FF/$FF);        { JMP FFFFh:0000h : BIOS reset vector }
END.

Taking the clean snapshot: This is to be done when you know that your computer has no viruses, or after you have added a new program to your computer, or made hardware modifications (such as increasing RAM). You can take a snapshot by typing:

mem /c > SNAPSHOT.OLD

at the DOS prompt; however, the report generated at the DOS prompt will NEVER match the report generated from inside your AUTOEXEC.BAT (the batch file runs before booting has finished, so the memory map is different) and will cause false alarms. The first snapshot needs to be generated from AUTOEXEC.BAT, while the computer is being booted. Type the following at the end of your AUTOEXEC.BAT:

mem /c > SNAPSHOT.OLD

Save the file (AUTOEXEC.BAT), and reboot your computer. Once your computer has rebooted, set the file attributes of SNAPSHOT.OLD to Readonly; this prevents accidental erasure. You can do this by typing:

ATTRIB SNAPSHOT.OLD +R

Next, erase the line that says mem /c > SNAPSHOT.OLD, and replace it with the following (the :REMOVE and :END labels must each be on a line of their own, or the batch file will not find them):

mem /c > SNAPSHOT.NEW
COMPARE.EXE SNAPSHOT.OLD SNAPSHOT.NEW
IF Errorlevel 1 GOTO REMOVE
GOTO END
:REMOVE
FDISK /MBR
BOOT.COM
:END

Save your AUTOEXEC.BAT file, and reboot the computer.

Troubleshooting: If your computer never gets to the DOS prompt and continually reboots, you need to interrupt the loop by pressing Ctrl-Break; type Y at the Terminate batch job (Y/N)? prompt. Make sure you have properly generated a clean snapshot of your computer's memory usage, and that SNAPSHOT.OLD actually exists: a missing file makes COMPARE.EXE stop with a runtime error, and its nonzero exit code is treated by the batch file as "files differ", which also produces the reboot loop.

If you see a _File1: prompt, you have not supplied enough parameters to COMPARE.EXE; make sure the contents of AUTOEXEC.BAT match the listing above.

If you get Bad command or file name, make sure you have a complete PATH to MEM.EXE, COMPARE.EXE, BOOT.COM (or BOOT.EXE), and FDISK.EXE; otherwise, you need to modify the PATH line in your AUTOEXEC.BAT, or copy these files to the root directory.

Boot sector viruses on floppy disks: Unless your floppy disks are known to have caused a hard disk infection, or you have scanned the floppy disks with commercial software, I know of no other way to detect boot sector viruses on floppy disks. One possible way is to try infecting a hard disk; if the above method reveals that a virus penetrated the system, you can be certain that the floppy disk was infected. However, this is very risky, because some boot sector viruses may completely wipe out a hard disk during this process.

If your hard disk has been infected with a boot sector virus, any floppy disk used on your computer is likely to carry the virus. Clean the hard disk first and cold boot before you clean any floppies: as long as the virus is resident in memory, it will re-infect a fresh boot record the moment the floppy is accessed again. The following works only if you have DOS 5.0 or later.

Format your disk: Yes! You may format your floppy disk and still get every piece of data back. However, you must make sure you have the UNFORMAT external DOS command (it comes with DOS 5.0) to recover your files. If your disk is in drive A:, type the following at the DOS prompt:

FORMAT A: /Q

It is safer not to supply any other switches; DOS will determine the size of your floppy disk and save the information UNFORMAT needs. FORMAT writes a fresh boot record, which is what overwrites the virus. When the format is done, immediately do the following:

UNFORMAT A:

You'll be prompted with Are you sure you want to update the system area? to which you must respond with Y; this causes a fresh boot record to be written. Your disk will then be rebuilt, and the boot sector virus will have been overwritten. If the data on the disk is more valuable than the few minutes saved, copy the files to a clean directory on the (already disinfected) hard disk first, do a full FORMAT A: without /Q, and copy the files back; that way nothing depends on UNFORMAT succeeding.

Another very simple way to protect your floppy disks from viruses of any kind is to write-protect them; for 5.25" disks, cover the write-protect notch with opaque tape; for 3.5" disks, slide the tab so that the write-protect hole is open. Write protection is enforced by the drive hardware, not by DOS, so a resident virus cannot infect a write-protected disk; it is also the only way to be sure the clean boot floppy you use for repairs stays clean.
