User's guide
VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
/90/$0.00+2.50 This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted
by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.
Page 11
VIRUS BULLETIN August 1991
Figure 2. Uninfected disk
Figure 3. Disk after boot sector virus infection (diagram labels: infected boot sector, virus code, original boot sector)
Parasitic Viruses
Parasitic viruses modify the contents of COM and/or EXE files. They usually insert themselves at the end or at the beginning of the file, leaving the bulk of the program intact. The initial jump instruction in the program is modified, but program functionality is usually preserved, although several viruses overwrite the first few hundred bytes of the program, rendering it unusable. When an infected program runs, the virus code is executed first. The virus then returns control to the original program, which executes normally. The extra execution time due to the virus is normally not perceptible to the user. (See Figure 1.)
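The change patterns described above can be recognised by comparing a COM file with a known-good copy. The following is an added example, not code from Virus Bulletin; the function names, result labels and the 512-byte bound for "the first few hundred bytes" are assumptions, and the sample images are constructed filler bytes.

```python
import struct

LOAD_BASE = 0x100   # DOS loads a COM image at offset 100h, after the PSP
HEAD_LIMIT = 512    # assumed bound for "the first few hundred bytes"

def entry_jump_offset(image: bytes):
    """File offset targeted by a leading JMP, or None if there is none."""
    if len(image) >= 3 and image[0] == 0xE9:        # JMP rel16
        disp, size = struct.unpack_from("<H", image, 1)[0], 3
    elif len(image) >= 2 and image[0] == 0xEB:      # JMP rel8 (signed)
        disp, size = struct.unpack_from("<b", image, 1)[0], 2
    else:
        return None
    ip = (LOAD_BASE + size + disp) & 0xFFFF         # IP wraps inside the segment
    return ip - LOAD_BASE

def compare_com(baseline: bytes, current: bytes) -> str:
    """Classify how `current` differs from a known-good `baseline` copy."""
    if current == baseline:
        return "unchanged"
    n, target = len(baseline), entry_jump_offset(current)
    if len(current) > n:
        # Appended: body intact, first bytes changed, entry jump lands in the new tail.
        if (current[3:n] == baseline[3:n] and current[:3] != baseline[:3]
                and target is not None and n <= target < len(current)):
            return "appended-with-entry-redirect"
        # Prepended: the whole original program follows the inserted bytes.
        if current[-n:] == baseline:
            return "prepended"
    elif len(current) == n:
        last_diff = max(i for i in range(n) if current[i] != baseline[i])
        if last_diff < HEAD_LIMIT:
            return "head-overwritten"
    return "modified-other"

# Constructed sample images: filler bytes only, no real program or virus code.
BASELINE = bytes([0xB4, 0x4C, 0xCD, 0x21]) + bytes(range(256)) * 4
APPENDED = b"\xE9" + struct.pack("<H", len(BASELINE) - 3) + BASELINE[3:] + b"\x90" * 64
PREPENDED = b"\x90" * 64 + BASELINE
OVERWRITTEN = b"\x90" * 100 + BASELINE[100:]

if __name__ == "__main__":
    for name in ("BASELINE", "APPENDED", "PREPENDED", "OVERWRITTEN"):
        print(name, compare_com(BASELINE, globals()[name]))
```

A leading jump alone is not an indicator, since legitimate programs can also begin with one; the classification depends on the comparison with the known-good copy.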
Most parasitic viruses, such as Cascade, spread when another (uninfected) program is loaded and executed. Such a virus, being memory-resident, first checks whether the program is already infected. If it is not infected, the virus will infect it. If it is already infected, further infection is not necessary (although some viruses, such as Jerusalem, do reinfect ad infinitum). Other viruses do not install themselves in memory, but spread by finding the first uninfected program on disk and infecting it. An example is the Vienna virus.
Boot Sector Viruses
Boot sector viruses modify the contents of either the Master Boot Sector or the DOS Boot Sector, depending on the virus and type of disk, usually replacing the legitimate contents with their own version.
The original version of the boot sector is normally stored somewhere else on the disk, so that on bootstrapping, the virus version will be executed first. (See Figures 2 and 3.) The virus version normally loads the remainder of the virus code into memory and then executes the original version of the boot sector. From then on, the virus remains memory-resident until the computer is switched off.
A boot sector virus is thus able to monitor and interfere with the action of the operating system from the very moment it is loaded into memory.
Examples of boot sector viruses include Brain (floppy disk boot sector only), Italian (floppy disk and hard disk DOS Boot Sector) and New Zealand (floppy disk DOS Boot Sector and hard disk Master Boot Sector).
Multi-Partite Viruses
A comparatively recent development has been the emergence of viruses which exhibit the infective characteristics of both boot sector viruses and parasitic viruses. For example, the Flip virus (see VB, Sept. 1990, pp 18-21) infects executable files (COM and EXE) as well as the Master Boot Sector of hard and floppy disks.