Parity Boot

from Wikipedia, the free encyclopedia
Parity Boot
Name Parity Boot
Aliases Generic
Known since 1993
First location Germany
Virus type Boot sector virus
File size 512 bytes
Host files Boot sector, MBR
Polymorphic No
Stealth Yes
Memory resident Yes
System x86
Programming language Assembler

Parity Boot is a family of boot sector viruses for x86 computers running operating systems such as MS-DOS or OS/2.

Aliases

There is no fixed nomenclature for computer viruses, so antivirus vendors use different names for the same malware. Besides Parity Boot A and B, the virus is also known as Generic 1 or Generic 2. Colloquially, those affected often called it the Parity Check virus, after the message it displays.

Viruses with similar names
There is also the Parity file virus, believed to have originated in Bulgaria, which infects *.com files; as usual, it too goes by several other names. Parity Boot can also be confused with the Quandary virus, which is also known under the common name Parity-enc (and as Boot-c, NewBoot_1, WeRSilly or IHC). Quandary also infects boot sectors but has completely different code. This confusion is the source of a piece of misinformation circulating on the Internet: IBM is said to have unintentionally helped the Parity Boot virus spread suddenly in Germany in 1996, when an unspecified number of copies of the VoiceType Vocabulary application were sold on infected floppy disks. In truth it was the Quandary virus, not one of the Parity Boot variants.

Versions and derivatives

Parity Boot occurs in five variants, of which Parity Boot A and Parity Boot B are almost identical in behaviour. Variant A, for example, copies the original boot sector to sector 14 of the disk, while variant B copies it to sector 9. This small difference mattered to the antivirus programs of the time, which had to know where the original lay in order to clean infected media as thoroughly as possible.

The other derivatives differ mainly in their infection and trigger timing. In some variants these are irregular, or the trigger delay grows by an hour with each spread, because a counter in the virus tallies its infections.

New variants kept appearing until 1999; Parity Boot A is probably the original. Version A first became known in April 1993, version B in October of the same year. The B version was by far the most widespread; apart from it, only the A version was of practical importance, the other variants being reported in isolated cases only.

Because the variants share so much code, today's malware scanners usually recognise the whole group with a single signature, even though these viruses no longer have any practical significance.

The most common names for the variants of the malware are:

  • Parity Boot A (aka Generic 1 )
  • Parity Boot B (aka Generic 2 )
  • Parity Boot C (called Virus.Boot.Parity.a by Avira Antivirus)
  • Parity Boot D
  • Parity Boot E
  • Parity Boot I
  • Parity Boot K
  • Parity Boot L

Function

Parity Boot is memory-resident and occupies about one kilobyte of conventional memory. Hardly any MS-DOS user noticed this: the virus reserves its memory before MS-DOS is loaded, in the way boot sector viruses typically do, by lowering the base-memory size the BIOS reports, so it never appears as a DOS program at all. The DOS command MEM merely shows a total about 1 KB smaller than expected, and without the appropriate switches it does not break the usage down in detail anyway.

Parity Boot also survives a warm start in memory because it intercepts the Ctrl+Alt+Del reboot sequence (see below).

Because of the way it is programmed, Parity Boot is independent of the operating system. All it needs as a platform is a computer with a BIOS executing x86 machine code. The BIOS provides the interrupts the virus relies on: INT 13h for disk access, INT 1Ah for reading the system time, and INT 09h (the keyboard interrupt) for the trigger routine.

Infection routine

The virus is activated when the computer is booted from an infected hard disk or floppy disk. It then stays in RAM as a TSR and, for one hour, tries to infect the boot sector of every floppy disk that is accessed. The default values in the virus code refer to 5.25" floppies, but the newer 3.5" floppies can be infected just as easily. On hard disks the partition sector (MBR) is infected by the same principle. The original boot sector is saved in the rear part of the root directory, overwriting whatever data is stored there. A write-protected floppy disk cannot be infected.

From then on, whenever the MBR of a hard disk or the boot sector of a floppy is read, the virus checks whether that sector is already infected and, if not, starts the infection process. The same hook also serves as a simple but effective stealth routine: any read of or write to the master boot sector of the hard disk is redirected, so a naive check sees the clean original. This obfuscation does not protect the virus from being overwritten, however, and the virus code in system memory is not disguised at all.

Payload

The malware starts a timer as soon as it is activated, i.e. immediately after system start, and lets it run for one hour (the period varies in later variants). If it has not spread within that time, the program waits for the next keystroke, which triggers the actual payload: the computer stops, the screen goes black, and in the top-left corner the following text appears in white:

PARITY CHECK

The PC is now hung and accepts no further input. The virus uses the HLT instruction for this, an x86 machine command that halts the processor until the next interrupt; with interrupts disabled beforehand, the machine stays frozen.

Since there is no longer any way to save open programs or files, Parity Boot can also cause annoyance and data loss, the extent of which varies from case to case. As long as the virus is not removed, the owner of the PC is forced into a very irritating hourly restart.

The Parity Check message is meant to put the computer owner on the wrong track. The apparent parity check suggests a memory error or something similar, so the owner looks for the problem there instead of recognising a virus. As a result, the virus takes longer to detect and can spread more effectively.

Warm start

The Ctrl+Alt+Del key combination for a warm start is also intercepted by the virus.

If a warm start is performed before the virus freezes the system, the malicious program remains resident in memory. The warm start also has a further effect: according to various sources, the virus uses the occasion to try to re-infect a floppy disk or the hard disk. Access, or attempted access, to a floppy drive is clearly audible from the drive noise, but this was unlikely to make any user suspicious: in the 1990s computers were usually set up to test the floppy drive during the boot process, and the BIOS would often look for a boot disk there as well.

If the virus has already halted the system, no warm start command can be sent, of course. All that remains is to restart the computer with the power switch or the reset button.

Removal

Since floppy disks have lost their importance as a storage medium, Parity Boot, like all other boot sector viruses, is of no relevance to most users today; write-protected floppies could never be infected anyway. Modern systems cannot be infected by this virus at all because of various built-in measures: UEFI Secure Boot, for example, only runs signed boot loaders and disables legacy BIOS booting, so a 16-bit boot sector is never executed in the first place.

The virus could be removed from a data carrier without an antivirus program by rewriting or overwriting the boot sector, but not so easily from RAM. This was only of practical use if the computer had been started from a clean, write-protected boot floppy: if Parity Boot was already loaded into RAM, the rewritten sector was re-infected almost at once, which is typical of nearly every memory-resident boot sector virus. The simplest and safest way to clean an infected computer was to use almost any antivirus program from 1993 onwards, which removed Parity Boot from the boot sector and from system memory alike.
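The on-disk artifact described under Infection routine (the original boot sector stashed in sector 9 or 14 of the medium while sector 0 carries the virus) and the offline cleanup described in this section can both be checked on a raw disk image. The following is an added example written for this page; it is not code from the article, from the virus, or from any antivirus product. It constructs a synthetic 360 KB floppy image, simulates only the sector layout of an infection (no virus code), flags the stashed original as the tell-tale sign of infection, and copies it back over sector 0. The stash sectors 9 and 14 come from the article; the assumption that the string PARITY CHECK sits unencoded in the infected sector, the BPB values, the fixed 360 KB geometry and the function names (inspect_image, restore_boot_sector) are mine.

```python
"""Offline check of a raw floppy image for a Parity Boot-style infection.

Added example, not code from the article or any antivirus product.
Stash sectors 9 (variant B) and 14 (variant A) are from the article;
the plaintext "PARITY CHECK" marker, the 360 KB geometry and the BPB
values are assumptions used to build a constructed sample image.
"""
import struct

SECTOR = 512
FLOPPY_360K_SECTORS = 720
STASH = {9: "Parity Boot B", 14: "Parity Boot A"}   # per the article
MARKER = b"PARITY CHECK"                             # assumption: stored in clear


def make_clean_boot_sector():
    """Constructed DOS-style boot sector for a 360 KB floppy (sample data)."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x3C\x90"               # JMP SHORT +0x3C ; NOP
    s[3:11] = b"MSDOS3.3"                  # OEM label
    # BPB: 512 B/sector, 2 sectors/cluster, 1 reserved, 2 FATs, 112 root
    # entries, 720 sectors, media 0xFD, 2 sectors/FAT, 9 sectors/track, 2 heads
    struct.pack_into("<HBHBHHBHHH", s, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2)
    s[0x3E:0x42] = b"\xFA\xFC\xEB\xFE"     # stand-in loader: CLI ; CLD ; JMP $
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def new_floppy_image():
    """Blank 360 KB image: boot sector, two 2-sector FATs, empty root directory."""
    img = bytearray(FLOPPY_360K_SECTORS * SECTOR)
    img[0:SECTOR] = make_clean_boot_sector()
    for fat in (1, 3):                     # FAT1 at sector 1, FAT2 at sector 3
        img[fat * SECTOR:fat * SECTOR + 3] = b"\xFD\xFF\xFF"
    return img                             # root directory occupies sectors 5..11


def read_sector(img, n):
    return bytes(img[n * SECTOR:(n + 1) * SECTOR])


def simulate_infection(img, stash_sector):
    """Reproduce only the on-disk layout the article describes, with no virus
    code: the original boot sector is copied into the stash sector (overwriting
    directory data there) and sector 0 is replaced by a still-bootable sector
    that keeps the BPB and carries the payload string."""
    original = read_sector(img, 0)
    img[stash_sector * SECTOR:(stash_sector + 1) * SECTOR] = original
    fake = bytearray(original)
    fake[0x3E:510] = b"\x90" * (510 - 0x3E)   # NOP filler standing in for the body
    fake[0x40:0x40 + len(MARKER)] = MARKER
    img[0:SECTOR] = fake
    return img


def is_plausible_boot_sector(s):
    """Jump opcode, 0x55AA signature and a BPB matching the image geometry."""
    if len(s) != SECTOR or s[510:512] != b"\x55\xAA" or s[0] not in (0xEB, 0xE9):
        return False
    bps, spc, _, fats, _, total = struct.unpack_from("<HBHBHH", s, 11)
    return bps == 512 and spc in (1, 2, 4, 8) and fats in (1, 2) \
        and total == FLOPPY_360K_SECTORS


def inspect_image(img):
    """A second, different, plausible boot sector sitting in the root-directory
    area is the artifact the infection leaves; the marker string is a bonus.
    Returns {"infected", "variant", "stash_sector", "marker_found"}."""
    boot = read_sector(img, 0)
    report = {"infected": False, "variant": None, "stash_sector": None,
              "marker_found": MARKER in boot}
    for n, name in STASH.items():
        cand = read_sector(img, n)
        if cand != boot and is_plausible_boot_sector(cand):
            report.update(infected=True, variant=name, stash_sector=n)
            break
    if report["marker_found"]:
        report["infected"] = True
    return report


def restore_boot_sector(img):
    """Offline cleanup equivalent to rewriting the boot sector: copy the stashed
    original back over sector 0. Do this on an image, or after booting from a
    clean write-protected floppy; with the virus resident, the sector is simply
    re-infected. Whatever directory data the stash overwrote stays lost."""
    report = inspect_image(img)
    if report["stash_sector"] is None:
        raise ValueError("no stashed original found; sector 0 must be rebuilt")
    img[0:SECTOR] = read_sector(img, report["stash_sector"])
    return report


if __name__ == "__main__":
    disk = simulate_infection(new_floppy_image(), 9)
    print(inspect_image(disk))     # infected, variant B, stash sector 9, marker found
    restore_boot_sector(disk)
    print(read_sector(disk, 0) == make_clean_boot_sector())   # True
```

The geometry check in is_plausible_boot_sector is pinned to the constructed 360 KB sample; on a real image it would be read from the BPB of sector 0 instead, and a production scanner would match the virus body by signature rather than by the marker string. The restore step also illustrates the caveat in the text: the stash overwrote part of the root directory, so copying the original back recovers a bootable disk but not the directory entries that were lost.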

From MS-DOS 6.0, the antivirus program Microsoft Anti-Virus was included with the operating system (MSAV for DOS and MWAV for Windows 3.x). However, no version of this scanner was able to detect Parity Boot, possibly because the virus was hardly widespread in the USA and therefore of little interest to Microsoft.

Distribution

The first two versions were discovered in Germany in 1993. The variant Parity Boot B became one of the most common boot sector viruses in Central Europe in the following years; the number of reported infections only fell as floppy disks became less and less important. The author of the virus code is unknown.

Computers in Germany were particularly affected. In 1996 Parity Boot was for a long time the most widespread virus there, although by then almost every antivirus program had been detecting it for years. At the peak of its spread it accounted for up to 36% of all virus finds in Germany.

The British trade magazine Virus Bulletin reported in its April 1996 issue that the Parity Boot B variant had been reported 37 times in February, accounting for 9.4% of all reports that month. Parity Boot A received only five reports in the same period, still 1.3%.

Trivia

The German metal band PARITY BOOT named itself after the computer virus in 1995.

References

  1. CourseHero.com: Parity Boot B infect the boot records.
  2. Mary-Jo Kranacher, Richard Riley, Joseph T. Wells: Forensic Accounting and Fraud Examination. John Wiley, Hoboken, NJ 2011, ISBN 978-0-470-43774-2.
  3. AVG.com: What is a computer virus.
  4. Reaperzine.de: PARITY BOOT - Metal Band.
