Thanks! That clears up *one* thing for me. I got the impression from the
discussion here that *all* low-level access to *all* drives was blocked on
NT systems.
Note: Read "NT-based operating systems" anywhere I refer to NT, plain, below.
NT doesn't allow low-level disk access. What you perceive as such are actually
Windows services that replace the BIOS and DOS interrupts by NT's own functions.
Even where NT virtually allows direct disk access, these services aren't a full
substitute for the original Int 13h. For example, Int 13 allows both the
creation and access to and from non-standard tracks on floppies (like higher
than track 80 for 1.44 floppies, or sectors with numbers beyond 18, for same
size floppies). Requests to access sectors outside the range of the standard
format aren't supported under Windows disk access, actually since Win 95.
That fact may have been noticed by users that had protected software which
required the presence of a "key floppy" in the drive, to authenticate that the
software wasn't pirated. These copy protection were based on the creation and
reading from special and non-standard tracks on the "key" floppy. The
introduction of Windows 95 killed the production of these protection schemes as
Win32 couldn't read the special tracks.
For how this is relevant to multipartites, see below.
However, doesn't that enable multipartite infectors (combination boot
*and* file infectors) to spread to floppy boot sectors from NT systems?
Other discussion here implied that it wasn't possible.
Your last question suggests a common misconception about multipartite infectors.
Contrarily to common knowledge, multipartite do not exchange virus code from
floppy to hard drive boot areas, and back. Except Junkie (I was the first to
analyze it, see
http://groups.google.com/[email protected]
) and Natas, multipartite do not affect the boot area of floppies, only that of
the hard drive (and files, of course).
The multipartite infection mechanism is this: When an infected file is opened,
the virus code copies itself into an overlay on the hard drive, usually to
unused sectors on track 0. The MBR loader is also modified so that the virus
overlay will run the next time the PC is booted. On next boot, the virus goes
resident on reading the overlay under control of the BIOS and the MBR, waits for
the OS to load, and infects additional files by intermediary of the OS services.
The OS is essential to multipartite's file infection, these will not occur
autonomously during boot time, when only BIOS services exist. Basically,
multipartite are *file infectors*, and their boot phase serves just as an
alternate channel to assist propagation.
As you can see, NT poses several obstacles on the way of multipartite: First
and foremost, reverse infection from the hard drive boot areas/overlay to floppy
boot area doesn't occur during the boot stage, not in existing boot infectors.
nor multipartite. For a multipartite to infect the boot sector of a floppy, the
resident code of the virus overlay must survive the transition from the BIOS
controlled phase and the loading of the OS. This doesn't happen as NT purges
memory before loading.
Lastly, even if a multipartite like Natas managed to load under NT, (no chance,
but suppose it did, just for the sake of the discussion) then it would fail
infecting the boot sector of floppies as Windows will not let it create the
non-standard track required on the floppy for the huge overlay that Natas uses.
An overlay of sufficient size is essential to multipartite (the Natas overlay
occupies 4096 bytes, which are eight sectors. One_Half, another multipartite
that was once common, occupies even more!). The latter is one of the reason why
Natas became extinct when Windows 95 appeared.
Regards, Zvi
. Follow with the D command (dump), repeat four times, and you