Virus.Boot.PMBS

Class: Virus
Platform: Boot
Description

Technical Details


It is a dangerous memory-resident boot virus. When the PC is booted from an
infected disk, the virus copies itself into extended memory, switches the PC
into protected mode and starts a virtual 8086 (V86) machine. DOS and
applications are then executed inside that virtual PC. The virus hooks all
interrupts (from 0 to FFh) and checks for critical situations. When the
critical situation is a floppy read, it infects the floppy (the MBR of the
hard drive is infected when the PC is booted from an infected floppy). On any
other critical situation it displays one of the following messages and hangs
the computer:


Unimplemented Interrupt:
Offending instructions:
General Protection Fault:
Offending instructions:
Offending CS:IP:

The virus also contains the internal string “PMBSVIRS”.

PMBS is a stealth virus. It monitors port input/output (using 386
protected-mode features) and corrects the data that is returned when the
infected MBR is read.


The virus contains several errors, including an error of principle. The
programming bug is in the floppy infection: the virus saves only part of
itself to the floppy, not all of its code. The virus consists of two parts of
code: the code that is executed in real mode (on loading and on infection;
the virus then jumps to V86 mode), and the protected-mode code. The virus
does not save the code that is executed in protected mode, so the second
generation of the virus will hang.


The error of principle is that an infected i386 can be used only as an i86.
The virus does not allow the i386 to be switched into protected mode again,
so EMS386, QEMM386, MS-WINDOWS, etc. will not work. Moreover, the DOS command
MEM will hang the infected PC, because this program also checks extended
memory and the virus stops it.