Internet Security Professional Reference:Viruses


How the PBR of the Active Partition Becomes Infected

Most FBR viruses attempt to infect the MBR or PBR of the hard drive during bootup from an infected floppy disk. During the floppy disk bootup process, the ROM BIOS boot program loads the FBR into memory and checks the signature at the end of the boot record. If the signature matches, the bootstrap program in the FBR executes, launching the virus. The virus can then install itself as a memory-resident service provider. Finally, before the virus loads the original FBR and transfers control to the original bootstrap program, it attempts to infect the PBR of the active partition on the hard drive.

The virus loads the MBR of the first physical hard drive into memory and examines the partition table stored within the MBR to determine the location and the size of the active partition. After the virus determines the starting location of the active partition, it can retrieve this partition’s boot record. This is a simple task for the virus because the PBR always occupies the absolute first sector of a partition.

The virus then examines the PBR contents. It determines whether the PBR bootstrap routine has been infected. If the PBR does contain a copy of the virus, the virus aborts the infection process and proceeds to boot the floppy disk. If the PBR is uninfected, the virus saves the original PBR elsewhere on the drive so that it can later locate and load it, allowing the computer to boot normally. It then infects the PBR bootstrap routine.

The common PBR virus writes the original PBR in a sector near the end of the entire physical drive (as opposed to the end of the infected logical partition). Unfortunately, some do not check whether the targeted sector already is in use. In this way, the average PBR virus can inadvertently overwrite existing data stored in one of the hard drive partitions.

After the virus saves a copy of the original boot record at the end of the drive, it overwrites the current boot record of the active partition with a newly constructed viral boot record. The new boot record contains the virus’ bootstrap routine and the old boot record’s BPB data. As with floppy disks, the BPB data must be visible in the PBR for proper computer operation. Consequently, most viruses leave the BPB area of the PBR intact.

How and When Partition Boot Record Viruses Infect New Items

The PBR virus installs itself as a memory-resident service provider in the same manner as its FBR alter ego. After it establishes itself as a service provider, anytime the user or operating system attempts to access any floppy disk, the virus service provider is invoked and given control of the computer.

In the most common scenario, the virus waits for accesses to the floppy drives and attempts to infect floppy disks anytime they’re used for other purposes. See “When and How the FBR Virus Infects New Items” for details on the floppy disk infection process.

Potential Damage the PBR Virus Can Do

Most PBR viruses save the original boot record in a sector toward the end of the infected hard drive. Because few, if any, PBR viruses verify that the target sector is unused, they might inadvertently overwrite part of a file that occupies this space.

The PBR virus can cause other problems. Even if the virus happens to overwrite an unused sector at the end of the hard drive with the original PBR, the user still might overwrite the saved boot record with his own data later. After the user overwrites the saved PBR with other data, the original PBR is lost. Subsequent bootups from the hard drive result in a system crash. This crash occurs because the virus loads what it falsely believes to be the original PBR and transfers control to its supposed bootstrap routine. If the PBR is overwritten, the virus executes garbage machine code rather than the original bootstrap routine.

Some PBR viruses take precautions to prevent the previously mentioned situation from occurring. They might, for example, reduce the size of the last partition to reserve the final sector(s) for themselves, and store the original PBR in this area. This way, a user can’t overwrite the original PBR.

Finally, if the virus does modify or encrypt the BPB area, it must rely upon a technique called stealthing (see “Stealth Viruses”) to conceal the changes to the BPB from the operating system or other programs that access the PBR. Anytime the operating system or a program attempts to access the PBR, the virus’ resident service provider must supply the requesting program with the original PBR data. In these situations, if the virus isn’t resident (as when a user boots from an uninfected floppy boot disk), the infected partition is inaccessible. Luckily, this damage usually can be fixed using common disk utilities, such as the Norton Disk Doctor or Norton Disk Editor.
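The walk from MBR to partition table to active partition to PBR described above, and the "reserve the final sectors" trick mentioned in this section, can both be checked from the defender's side by parsing a disk image. The following is an added Python example, not code from the book or from any named virus; it constructs a tiny image in memory (a constructed sample, not a real disk) with one active partition deliberately left two sectors short of the disk end, then locates the active partition's PBR via the partition table, verifies the 0x55AA signature on both records, reads the BPB fields the text says a virus must leave intact, and flags any sectors at the end of the disk that belong to no partition. Offsets follow the classic MBR and DOS BPB layouts; the function and field names are this example's own.

```python
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of every valid MBR/PBR
PART_TABLE_OFFSET = 446               # four 16-byte entries precede the signature
PART_ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count
BPB_FMT = "<HBHBHH"                   # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors (16-bit)


def build_demo_image(total_sectors=64, hidden_tail=2):
    """Constructed sample image (assumption: not a real disk). One active FAT partition
    starting at LBA 8; `hidden_tail` sectors at the end are left outside every partition."""
    img = bytearray(total_sectors * SECTOR)
    part_start = 8
    part_sectors = total_sectors - part_start - hidden_tail
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\0\0\0", 0x06, b"\0\0\0", part_start, part_sectors)
    img[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    img[510:512] = BOOT_SIGNATURE
    pbr = bytearray(SECTOR)
    pbr[0:3] = b"\xEB\x3C\x90"                     # jump over the BPB to the bootstrap code
    pbr[3:11] = b"MSDOS5.0"                        # OEM name
    pbr[11:21] = struct.pack(BPB_FMT, 512, 1, 1, 2, 224, part_sectors)
    pbr[510:512] = BOOT_SIGNATURE
    img[part_start * SECTOR:(part_start + 1) * SECTOR] = pbr
    return bytes(img)


def parse_partition_table(mbr):
    """Return the four primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("MBR missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def active_partition(entries):
    """The partition the BIOS would boot: status byte 0x80. Exactly one is expected."""
    active = [e for e in entries if e["active"] and e["sectors"] > 0]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def read_sector(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def parse_bpb(pbr):
    """Read the BPB that sits at offset 11 of the PBR, after checking the record's signature."""
    if pbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("PBR missing 0x55AA boot signature")
    bps, spc, reserved, fats, root_entries, total16 = struct.unpack_from(BPB_FMT, pbr, 11)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved_sectors": reserved,
            "fat_count": fats, "root_entries": root_entries, "total_sectors": total16}


def inspect_image(image):
    """Locate the active partition's PBR the way the text describes and report inconsistencies."""
    total_sectors = len(image) // SECTOR
    entries = parse_partition_table(read_sector(image, 0))
    part = active_partition(entries)
    bpb = parse_bpb(read_sector(image, part["lba_start"]))
    findings = []
    if bpb["bytes_per_sector"] != SECTOR:
        findings.append(f"BPB bytes/sector is {bpb['bytes_per_sector']}, expected {SECTOR}")
    if bpb["total_sectors"] not in (0, part["sectors"]):
        findings.append("BPB total-sector count disagrees with the partition table")
    last_used = max(e["lba_start"] + e["sectors"] for e in entries if e["sectors"])
    tail = total_sectors - last_used
    if tail > 0:
        findings.append(f"{tail} sector(s) at the end of the disk belong to no partition")
    return {"active": part, "bpb": bpb, "unallocated_tail": tail, "findings": findings}


if __name__ == "__main__":
    for hidden in (0, 2):
        report = inspect_image(build_demo_image(hidden_tail=hidden))
        print(f"hidden_tail={hidden}: active LBA {report['active']['lba_start']}, "
              f"findings={report['findings']}")
```

The unallocated-tail check is a heuristic: on real drives a few sectors past the last partition are commonly left over from cylinder alignment, so a non-zero tail is a prompt to look at what those sectors contain (a saved copy of a boot record, for instance), not proof of infection on its own.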

Partition Boot Record Virus Example

The Form virus is a memory-resident boot record infector. It does not infect files. Unlike many other boot record viruses, it infects the Partition Boot Record of the active partition but not the Master Boot Record on hard drives.

Form goes memory-resident when a computer is booted from an infected floppy disk or hard disk. After the virus becomes resident, it infects all non-write-protected disks accessed. Form occupies the upper 2 KB of system memory, and decrements the amount of system memory specified in the “Total memory in K-bytes” field of the BDA by 2 to reserve space for itself. The virus intercepts the BIOS disk system service provider to infect other media.

The virus checks the system date after it installs in memory, and if it’s the 18th of the month, the keyboard system service provider is intercepted. The virus then produces a “click” on the PC speaker each time a user presses a key. The “click” may not occur if a keyboard driver is installed on the computer, but the virus still infects disks properly.

The virus stores the original boot record and part of its executable code on the last sectors of the hard disk, or in clusters marked as bad on a floppy. Form contains the following text:

The FORM-Virus sends greeting to everyone who’s reading this text.
FORM doesn’t destroy data! Don’t panic! F******s go to Corinne.

Form does not damage files or data, except for the possibility of the original boot sector being overwritten.

This analysis was performed by John Wilber of the Symantec AntiVirus Research Center.
