Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

New era of bootsectorviruses #1: FAT12 IMG infection at Disks

SPTH
Ready Rangers Liberation Front [6]
January 2005

[Back to index] [Comments]

Abstract

Bootsector viruses were the first form of computerviruses. They were most widespread from the beginning of computerviruses until December 1995 (according to VirusBulletin). But then, Macroviruses (CAP, ColdApe, ...), Scriptviruses (Kak, LoveLetter, ...) and finally Win32 viruses (Sircam, Klez, Mydoom, Netsky, ...) were even more widespread, and the production of bootsectorviruses decreased to nearly zero. A reason for that could be, that it's damn hard (if not impossible) writing a bootsectorvirus, which stays in memory while the OS (Windows) loads. How did the old bootsector viruses work? When booting from an infected Disk, such a virus first infects the MBR (Master Boot Record) of the HD and the bootsector of the first partition. Then it stays in memory, let the OS load processing, and hooks (most times?) INT 0x21 for checking Disk access. OK, and what the hell will be the different between the old style of bootsector infectors and my once? My idea is to infect the Images of Disks/HDs/CD-ROMs. For that we don't need the INT 0x21, because we use our own File System driver (in this article here FAT12). For writing our own File System driver it's of course nessecary to fully understand how the system works. For my first article about new bootsectorviruses I'm using FAT12, because it's the most easy of all as far as I know. As FAT12 is just used for DISK, the article is just about .IMG file infection. IMG files are 1:1 images of Disks. As you may know, I wanted to infect CD-ROM Bootsectors, but that did not work with Disks, because ISO or NRI files are at least 2MB as far as I know. Anyway, let's start with FAT12 IMG bootsector infectors, next time let's move to CD-ROMs, ok? :D

[Read the article]

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua