Internet Security Professional Reference:Viruses


After the virus reserves memory for itself by updating the BDA (decrementing the base-memory-size word, so that DOS never sees or uses the topmost kilobyte or two of conventional memory), it moves itself into the newly reserved memory and attempts to hook the BIOS disk services, interrupt 13h (see fig. 15.13). The computer’s ROM BIOS contains disk service routines that DOS calls upon to directly read from and write to floppy disks and hard drives. DOS’s reliance on these services gives the virus a reliable, convenient point at which to activate and infect other disks.


Figure 15.13  Virus copies itself to reserved memory.

The PC also contains a memory structure, known as the Interrupt Vector Table (IVT), which is like a phone book that contains addresses for each of the services that the computer might need as it operates. The IVT occupies the first kilobyte of memory and holds 256 four-byte entries, one per interrupt number; each entry is the segment:offset address of the routine that services that interrupt. Whereas a normal phone book might contain the street address of a given store or service provider, the IVT entry contains the address of a specific ROM BIOS service program in the computer’s memory. When the operating system needs to request a service, it looks up the address of the service provider in the IVT phone book and determines where to send its request.

The IVT entry for interrupt 13h contains the address of the ROM BIOS disk service routines. The FBR virus hooks into the system services by changing the contents of this entry, informing the computer and any subsequent operating system that it is now the proxy for the ROM BIOS disk service provider. All requests to read from and write to disks on the computer are then sent to the virus rather than to the original ROM BIOS disk services.

Later, when the operating system makes a disk service request, the IVT is consulted and the request arrives at the virus. The virus can then examine the request and, if it chooses, infect the floppy disk being accessed. After the virus performs its mischief, it redirects the request to the original ROM BIOS routine, whose address it saved before changing the entry, so that the request is properly serviced (see fig. 15.14).


Figure 15.14  The fully-installed boot virus.

After the virus updates the IVT and establishes itself as the disk service provider, most FBR viruses try to determine whether a hard drive is attached to the computer; if so, the virus attempts to infect its Master Boot Record or active Partition Boot Record. This way, the next time the computer restarts in a typical bootup to the hard drive, the virus can install itself in memory and infect other floppy disks.

To complete its work, the FBR virus must retrieve the original FBR of the floppy disk and initiate the original bootup sequence as if the virus were not present. This is important because a virus must be unobtrusive to remain viable. If the FBR virus installed itself in memory, infected the hard drive, and then caused bootup from the floppy disk to fail, it might quickly be detected and removed. Most viruses maintain a copy of the original FBR in one of the sectors at the end of the floppy disk (if that sector is later overwritten by file data, the disk no longer boots cleanly, which is one way such infections get noticed). After the virus installs itself in memory, it loads the original FBR into memory and executes the original bootstrap routine. The bootstrap routine then proceeds normally, completely oblivious to the presence of the virus.

Most floppy disks contain data and don’t carry the DOS operating system files; thus, after the virus transfers control to the original bootstrap routine, it displays a message such as “Non-system disk.” At this point, the average user realizes that he or she accidentally booted from a data disk, removes the disk from the drive and reboots. This is why most FBR viruses infect the MBR or active Partition Boot Record of the hard drive during bootup. This infection guarantees that even if the floppy disk doesn’t contain the proper operating system files, the virus can still spread to the hard drive and eventually to other disks. Finally, a small number of FBR viruses can maintain their memory-resident status, even through a “warm” reboot. If a computer is warm-booted while the virus is resident, the virus can still infect other disks, even if it neglected to infect the hard drive.

When and How the FBR Virus Infects New Items

Most FBR viruses attempt to infect disks whenever they get a chance (although some viruses are more discriminating than others). If an infected floppy disk is in drive A:, the first opportunity presented to the FBR virus is during a system reset. Almost all FBR viruses also attempt to infect the hard drive’s MBR or active Partition Boot Record during the floppy boot process. This process is discussed in the sections “Partition Boot Record Viruses” and “Master Boot Record Viruses.”

The FBR virus also has an opportunity to infect after it installs itself in memory and designates itself as the proxy disk service provider. Any time thereafter when DOS or its programs attempt to access a floppy disk (or the hard drive), the operating system calls upon the virus (see fig. 15.15).


Figure 15.15  The boot virus infection process.

If the virus is not resident in memory, merely accessing an infected disk can’t cause the computer to become infected. Unless the user boots from an infected floppy disk, the FBR virus never executes. If it doesn’t execute, it can’t infect the hard drive or install itself as a resident service provider. If the computer is already infected and the virus is installed as a resident service provider, however, accessing uninfected floppy disks in any way while the virus is resident can cause the virus to spread to these floppies.

Almost all FBR viruses infect disks when the user or the operating system makes a legitimate disk request. Disk requests usually cause the drive to whir and the drive’s LED light to brighten. Floppy drives usually whir only when the user initiates some disk activity, such as a directory or a file copy. If the virus were to try to spread at some arbitrary time, the user might notice the activity (via the noise or LED light) and suspect something was amiss.

Infecting new floppy disks only when the user or operating system requests disk activity is advantageous to the virus for several reasons. Most importantly, if the user or the operating system requests the use of a floppy drive, the drive probably actually contains a disk. Secondly, the virus can quietly infect the floppy disk boot record immediately before or after the BIOS disk service provider services the normal disk request. The infection process generally requires less than a second. Because the user most likely requested the disk activity anyway, the drive whirs for what appears to be a legitimate purpose. In this way, the virus effectively spreads to new floppy disks without divulging its presence. The one floppy it cannot infect is a write-protected one: the BIOS refuses the write, and a “Write protect error” during what should have been a read-only operation such as DIR is itself a warning sign.
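The installation sequence described earlier in this section (reserve memory through the BDA, hook the interrupt 13h vector, chain to the ROM handler, infect the hard disk, hand control back to the original FBR) and the infect-on-request behaviour described just above, as a C model added here; it is not the book’s code and not a real virus. The machine is simulated with C arrays: an IVT of 256 entries, the BDA base-memory word, two floppy images and one hard-disk boot sector, with sector numbers simplified to plain LBA instead of cylinder/head/sector. All names (`rom_int13`, `virus_int13`, `run_scenario`, the `VIRUS_MARK` byte) are invented for the illustration, and the hard-disk side is simplified: the original MBR is not preserved.

```c
/* Model of how a floppy boot record (FBR) virus goes resident and spreads
 * through the BIOS disk service (INT 13h).  Memory, the IVT, the BIOS Data
 * Area and the disks are plain C arrays; a real boot virus is x86 code on
 * the bare machine.  Added illustration, not the book's code. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SECTOR          512
#define FLOPPY_SECTORS  2880        /* 1.44 MB floppy */
#define INT_DISK        0x13        /* BIOS disk service vector */
#define VIRUS_MARK      0x5A        /* first byte of the (constructed) virus body */

typedef struct DiskReq {
    uint8_t  ah;        /* 0x02 read, 0x03 write, as in register AH */
    uint8_t  dl;        /* drive: 0x00/0x01 floppies, 0x80 first hard disk */
    uint16_t lba;       /* sector number (simplified from CHS) */
    uint8_t *buf;
} DiskReq;

typedef void (*Handler)(DiskReq *);
/* An IVT entry: the segment the code lives in, and the code itself. */
typedef struct { uint16_t seg; Handler code; } Vector;

static Vector   ivt[256];                 /* interrupt vector table */
static uint16_t bda_base_kb = 640;        /* base memory size, word at 0040:0013 */
static uint8_t  floppy[2][FLOPPY_SECTORS][SECTOR];
static uint8_t  hd_mbr[SECTOR];

/* ---- ROM BIOS disk service: what the IVT entry normally points at ---- */
static void rom_int13(DiskReq *r) {
    uint8_t *sec = (r->dl & 0x80) ? hd_mbr : floppy[r->dl & 1][r->lba];
    if (r->ah == 0x02) memcpy(r->buf, sec, SECTOR);
    else if (r->ah == 0x03) memcpy(sec, r->buf, SECTOR);
}
static void bios_reset(void) {            /* power-on state */
    bda_base_kb = 640;
    ivt[INT_DISK] = (Vector){ 0xF000, rom_int13 };   /* ROM segment */
}

/* ---- the virus ------------------------------------------------------- */
static Vector   saved_int13;              /* original vector, kept for chaining */
static uint16_t virus_seg;                /* where the resident copy lives */
static uint8_t  virus_body[SECTOR];       /* what an infected sector 0 holds */

static void infect_sector0(uint8_t drive) {
    uint8_t sec0[SECTOR];
    DiskReq rd = { 0x02, drive, 0, sec0 };
    saved_int13.code(&rd);                /* always talk to the ORIGINAL handler */
    if (sec0[0] == VIRUS_MARK) return;    /* already infected: stay quiet */
    if (!(drive & 0x80)) {                /* floppy: stash original FBR in the last sector */
        DiskReq wr = { 0x03, drive, FLOPPY_SECTORS - 1, sec0 };
        saved_int13.code(&wr);
    }
    DiskReq wv = { 0x03, drive, 0, virus_body };
    saved_int13.code(&wv);
}

/* Proxy INT 13h: infect whichever floppy DOS is touching, then pass the
 * request on so the caller gets the data it asked for. */
static void virus_int13(DiskReq *r) {
    if (!(r->dl & 0x80)) infect_sector0(r->dl);
    saved_int13.code(r);
}

/* Runs when the BIOS boots an infected floppy.  Returns 1 if the original
 * boot record was recovered so the normal bootstrap can continue. */
static int virus_boot(uint8_t drive, uint8_t original_fbr[SECTOR]) {
    bda_base_kb -= 1;                     /* reserve 1 KB at the top of base memory */
    virus_seg = bda_base_kb * 64;         /* 639 KB -> segment 0x9FC0 */
    saved_int13 = ivt[INT_DISK];
    ivt[INT_DISK] = (Vector){ virus_seg, virus_int13 };
    infect_sector0(0x80);                 /* hard disk, so the next boot reloads us */
    DiskReq rd = { 0x02, drive, FLOPPY_SECTORS - 1, original_fbr };
    saved_int13.code(&rd);                /* fetch the stashed FBR and hand over */
    return original_fbr[0] != VIRUS_MARK;
}

/* ---- checks a scanner (or a wary user with DEBUG) can make ------------- */
int int13_vector_in_rom(void) { return ivt[INT_DISK].seg >= 0xF000; }
int base_memory_intact(void)  { return bda_base_kb == 640; }
int sector0_infected(uint8_t drive) {
    return ((drive & 0x80) ? hd_mbr : floppy[drive & 1][0])[0] == VIRUS_MARK;
}

/* Scenario: boot from an infected disk in A:, then DIR a clean disk in B:.
 * Returns 1 if the boot looked normal and both B: and the MBR got infected. */
int run_scenario(void) {
    uint8_t fbr[SECTOR], tmp[SECTOR];
    bios_reset();
    memset(virus_body, VIRUS_MARK, SECTOR);
    memset(floppy, 0, sizeof floppy);
    memset(hd_mbr, 0, sizeof hd_mbr);
    memset(floppy[0][FLOPPY_SECTORS - 1], 0xEB, SECTOR); /* constructed original FBR (0xEB = JMP) */
    memcpy(floppy[0][0], virus_body, SECTOR);            /* A: is infected */
    if (!virus_boot(0x00, fbr)) return 0;
    DiskReq dir = { 0x02, 0x01, 19, tmp };               /* DOS reads B:'s root directory */
    ivt[INT_DISK].code(&dir);                            /* goes through the hooked vector */
    return sector0_infected(0x01) && sector0_infected(0x80);
}

int main(void) {
    int spread = run_scenario();
    printf("INT 13h in ROM: %d, base memory 640K: %d, B: and MBR infected: %d\n",
           int13_vector_in_rom(), base_memory_intact(), spread);
    return 0;
}
```

The two checks at the end are the giveaways the book’s mechanism leaves behind: after a clean boot the vector at 0000:004C (entry 13h) points into the ROM segment F000h and the BDA reports 640 KB; after booting the infected disk the vector points at 9FC0h and memory reads 639 KB, even though the original boot record was still loaded and the user saw nothing unusual.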

