The magazine of the Melbourne PC User Group

The downside to breaking the 528 MB DOS barrier

Roger Riordan

Stoned virus was not intended to be destructive, and was normally fairly innocuous, but if it infected certain clones it would render the hard disk completely inaccessible. Indeed if it had not happened that Chisholm (where I worked at the time) had had a lab full of Olivetti M24 PCs, which were crashing faster than the technicians could reinstall the software on them, it is probable that I would never have become involved in the antiviral industry.

This incompatibility arose because in the IBM XT, and exact clones, the Master Boot Record (MBR), which holds the partition table, occupies cylinder 0, head 0, sector 1 (the first sector of track 0), and the rest of that track is unused. The unknown author of Stoned saw this as an ideal hiding place: the virus copies the original MBR to sector 7 of the same track before overwriting sector 1 with itself. In the Olivetti PCs, however, the MBR was immediately followed by the DOS boot sector and then the first File Allocation Table, so Stoned saved the original MBR in the middle of the FAT, with disastrous results.

Most viruses that infect the MBR have followed this lead, but many have chosen other sectors, and on our test PCs nearly every sector on this track has been changed by one virus or another. These viruses have given the industry a strong incentive not to put anything important in this area, and it has come to be regarded as a convenient working area. What the authors of the article "Extended CHS addressing" in the March PC Update don't tell us is that their system uses this area, thereby reintroducing the very incompatibility that launched VET.

Each disk manufacturer has adopted its own scheme, but the two we have been able to examine both move the normal disk structure down one track, so that the MBR is in sector 1 of track 1, the DOS boot sector in sector 1 of track 2, and so on. Sector 1 of track 0 contains a special boot program that loads the device driver from the following sectors. This driver intercepts all calls to Int 13 (the BIOS disk service) and remaps each request so that DOS can access the hard disk. If you boot from the hard disk the driver will offer to boot from a floppy. If you accept, the PC will appear to boot from the floppy, but the device driver will already have been loaded, and drive C will appear to be perfectly normal. However, the special driver will not be loaded if a system disk is in drive A when you switch on, and drive C will then be inaccessible to DOS.

Utilities that access the drive directly will get a totally different view of the drive, and may even find that the physical arrangement of the drive has changed. In the one system we have in captivity (a Western Digital 1 GB drive with Dynamic Drive Overlay V6.03, (c) Ontrack Computer Systems) the drive has 16 heads, and each track contains 63 sectors, but if you boot from a floppy it appears to have only 6 heads and 55 sectors per track. We can find no logical explanation for this.

The authors of some implementations of this system had heard of the Stoned virus and left sector 7 free for it to use, but this is no great help, as several relatively common viruses (including Crazy Boot, FAT Avenger, LZR and Sampo) write to other sectors. Furthermore, it appears that some utility software also writes to this area. We have already recovered one hard disk that was wrecked when a disk optimiser wrote timing information to several sectors in track zero.
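To make the track-0 arithmetic behind the Stoned/Olivetti incident and the overlay layout concrete, here is an added example in Python. It is not code from the article, from Cybec or from Ontrack. It parses the real on-disk formats (the partition table at MBR offset 0x1BE with its packed CHS start field, and the FAT BIOS Parameter Block at boot-sector offset 0x0B) from sector images constructed in the script, and reports which structure a virus overwrites when it parks the original MBR in a given sector of physical track 0 (sector 7 for Stoned). The XT-class geometry, the 16x63 translated geometry, the FAT sizes, and the assumption that the overlay loader and driver occupy sectors 1 to 16 of track 0 are all illustrative assumptions, as is the optional "sector 7 left free" variant; the function and constant names are my own.

```python
"""Which on-disk structure does a boot-sector virus hit when it parks the
original MBR in track 0?  Added example, not code from the article, Cybec or
Ontrack.  It parses the real formats (partition table at MBR offset 0x1BE with
packed CHS start fields; FAT BPB at boot-sector offset 0x0B) from sector images
constructed here; geometries, FAT sizes and the overlay's extent are assumed."""
import struct
from collections import namedtuple

SECTOR, BOOT_SIG = 512, b"\x55\xAA"
Geometry = namedtuple("Geometry", "heads spt")  # spt = sectors per track

def chs_to_lba(c, h, s, geo):
    """BIOS cylinder/head/sector (sector counted from 1) -> linear sector."""
    return (c * geo.heads + h) * geo.spt + (s - 1)

def lba_to_chs(lba, geo):
    c, rem = divmod(lba, geo.heads * geo.spt)
    h, s = divmod(rem, geo.spt)
    return c, h, s + 1

def encode_chs(c, h, s):
    """3-byte packed CHS as stored in a partition-table entry."""
    return bytes([h, ((c >> 2) & 0xC0) | (s & 0x3F), c & 0xFF])

def decode_chs(raw):
    return ((raw[1] & 0xC0) << 2) | raw[2], raw[0], raw[1] & 0x3F

def build_mbr(geo, start_chs, size):
    """Constructed MBR with one active FAT16 partition."""
    start = chs_to_lba(*start_chs, geo)
    entry = (b"\x80" + encode_chs(*start_chs) + b"\x06"
             + encode_chs(*lba_to_chs(start + size - 1, geo))
             + struct.pack("<II", start, size))
    mbr = bytearray(SECTOR)
    mbr[0x1BE:0x1CE], mbr[0x1FE:] = entry, BOOT_SIG
    return bytes(mbr)

def build_boot_sector(geo, reserved, fats, spf):
    """Constructed DOS boot sector; only the BPB fields matter here."""
    bs = bytearray(SECTOR)
    bs[0:11] = b"\xEB\x3C\x90MSDOS5.0"
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries, total16,
    # media byte, sectors/FAT, sectors/track, heads, hidden sectors, total32
    struct.pack_into("<HBHBHHBHHHII", bs, 0x0B, SECTOR, 4, reserved, fats,
                     512, 0, 0xF8, spf, geo.spt, geo.heads, 0, 0)
    bs[0x1FE:] = BOOT_SIG
    return bytes(bs)

def partition_starts(mbr, geo):
    """LBA of each used partition, from the CHS start field that DOS used."""
    assert mbr[0x1FE:] == BOOT_SIG, "missing 55AA signature"
    entries = [mbr[0x1BE + 16 * i:0x1CE + 16 * i] for i in range(4)]
    return [chs_to_lba(*decode_chs(e[1:4]), geo) for e in entries if e[4]]

def fat_layout(boot):
    """(reserved sectors, number of FATs, sectors per FAT) from the BPB."""
    reserved, fats = struct.unpack_from("<HB", boot, 0x0E)
    return reserved, fats, struct.unpack_from("<H", boot, 0x16)[0]

def track0_map(geo, mbr, boot, shift=0, overlay=()):
    """Label every sector of physical track 0.  shift = sectors the overlay adds
    to each DOS-view address (geo.spt for "moved down one track"); overlay =
    physical LBAs holding the overlay loader/driver (an assumed extent)."""
    regions = {shift: "MBR"}
    boot_lba = partition_starts(mbr, geo)[0] + shift
    regions[boot_lba] = "DOS boot sector"
    reserved, fats, spf = fat_layout(boot)
    for n in range(fats):
        first = boot_lba + reserved + n * spf
        for lba in range(first, first + spf):
            regions.setdefault(lba, f"FAT {n + 1}")
    for lba in overlay:
        regions.setdefault(lba, "overlay driver")
    return {lba: regions.get(lba, "unused") for lba in range(geo.spt)}

def saved_mbr_hits(track0, geo, save_sector=7):
    # Structure clobbered by a virus that saves the MBR to track 0, sector N.
    return track0[chs_to_lba(0, 0, save_sector, geo)]

def remap_dos_to_physical(c, h, s, geo):
    """What the overlay's Int 13 hook does to a DOS-view CHS address."""
    return lba_to_chs(chs_to_lba(c, h, s, geo) + geo.spt, geo)

XT = Geometry(heads=4, spt=17)                  # assumed; used for the Olivetti case too
BIG = Geometry(heads=16, spt=63)                # translated geometry from the article
XT_MBR = build_mbr(XT, (0, 1, 1), 20_000)       # partition begins on track 1
OL_MBR = build_mbr(XT, (0, 0, 2), 20_000)       # boot sector right after the MBR
BIG_MBR = build_mbr(BIG, (0, 1, 1), 1_000_000)  # DOS-view address; physically +1 track
SMALL_BOOT, BIG_BOOT = build_boot_sector(XT, 1, 2, 8), build_boot_sector(BIG, 1, 2, 250)
OVERLAY = range(16)                             # assumed: loader + driver in sectors 1..16

def scenarios():
    return {
        "XT clone": saved_mbr_hits(track0_map(XT, XT_MBR, SMALL_BOOT), XT),
        "Olivetti M24": saved_mbr_hits(track0_map(XT, OL_MBR, SMALL_BOOT), XT),
        "overlay": saved_mbr_hits(track0_map(BIG, BIG_MBR, BIG_BOOT, BIG.spt, OVERLAY), BIG),
        "overlay, sector 7 free": saved_mbr_hits(
            track0_map(BIG, BIG_MBR, BIG_BOOT, BIG.spt, [l for l in OVERLAY if l != 6]), BIG),
    }

if __name__ == "__main__":
    print(scenarios(), "DOS C0/H0/S1 ->", remap_dos_to_physical(0, 0, 1, BIG))
```

Running it shows the three cases the article describes side by side: on the XT layout sector 7 is unused, on the Olivetti layout it falls inside the first FAT, and on the overlay layout it lands on the driver unless the overlay's author deliberately skipped it. The remap function is the one-track shift the Int 13 hook performs, which is why the same sector looks different to DOS and to a utility that bypasses the driver.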

If you have one of these large disks you should be aware that most boot sector viruses will wreck it, and there is a significant probability that utilities using direct sector addressing will do likewise. At this stage the information required to restore the damage is not generally available, and it is likely that you will have to reinstall the device driver, and lose the contents of the hard disk.

The normal advice with antiviral and integrity checking software is to boot the PC from a known clean system disk before running the software, to ensure that no "stealth" virus is in memory where it can interfere with the test. However, if you boot a PC with one of these drives from a floppy, drive C will be totally inaccessible to DOS. Even worse, the software will find that the Master Boot Record has changed, and may well offer to put back the "correct" version. Don't let it do so!

These drivers normally offer a "Boot from Floppy" option during booting, but this occurs after the device driver (and any virus that has infected the MBR) has been run. At the moment this is not a big problem, as most viruses will destroy the driver, but a stealth virus designed to coexist with the driver could be completely invisible to any integrity checker that did not search for that specific virus in memory, and disable it if it found it.

We are working on a revised version of VET to give full protection to these drives. We expect to have a beta version late in April but as this has to access the disk controller directly it may introduce other compatibility problems, and we do not expect to introduce it generally till June. If you are a VET user, and have one of these drives, ask us for a beta version of "big" VET, and do not use the Emergency feature. If you run into any problems with your drive contact us before you make any recovery attempts.

About the author
Roger Riordan is the Managing Director of Cybec Pty Ltd, author and supplier of the VET antiviral system. He is also a long-time member of Melb PC.

Reprinted from the June 1995 issue of PC Update, the magazine of Melbourne PC User Group, Australia
