Payback
Type: Boot sector virus
Creator: Priest
Date Discovered: 1993?
Place of Origin: United States
Source Language: Assembly
Platform: DOS
Infection Length: 1 boot sector
Reported Costs:

Payback is a full-stealth, memory-resident virus coded by Priest. It infects the master boot record of hard disks and the boot sectors of floppy disks. It appeared shortly after Satanbug and was written in retaliation for the arrest of members of the British 'ARCV' virus-writing group.

Behavior

When a disk infected with Payback is booted, the virus sets up the stack and the 'DS' (data segment) register. Payback then allocates 1 KB of memory by decrementing the 16-bit WORD at 0:413h (the BIOS count of conventional memory) and hooks INT 13h (BIOS Disk Services) directly in the IVT (interrupt vector table). After hooking INT 13h, Payback copies itself to this newly allocated memory. Once copied, Payback continues execution in the new copy and loads the original (uninfected) boot sector back to 0:7C00h (the load address of a boot sector) using INT 13h/AH=02h (Read Sector). The instructions that set registers CX and DX for this INT 13h call are modified by the virus on each infection to reflect the correct location of the original sector on that disk.

Payback then infects the MBR. The MBR is loaded and checked for an existing infection (the WORD at offset 10h equals 12CDh, the bytes of the virus's INT 12h instruction) and for bootability (the last 16-bit WORD is 0AA55h). If these conditions are met, MBR infection continues. The original MBR is written to head 0, track 0, sector 2 of the hard drive (unused by MS-DOS) and the address of this sector is stored in the virus body (see above). Payback then conditionally runs its activation routine, and control is returned to the original, 'clean' sector at 0:7C00h.

Payback's INT 13h handler performs two functions: infecting floppies, and stealth. Both functions are triggered when a read-sector request (INT 13h, AH=02h) is made for head 0, cylinder 0, sector 1 (the boot sector/MBR). In that case the INT 13h handler first lets the read of the boot sector go through and aborts on error. Next Payback checks whether the sector is already infected (the WORD at offset 10h equals 12CDh, the same check used when infecting the MBR). If the sector is already infected, stealth action is taken. If the sector is not yet infected and is on a floppy drive, the disk is infected.

Stealth is achieved through a simple algorithm: the CX and DX registers are saved, Payback takes the location of the original (uninfected) sector from the virus body it has just read, reads the original sector over the infected sector in memory, restores the registers and returns from the INT 13h handler. When infecting floppies, the original sector is stored in the last sector of the diskette. This sector is calculated from the 'NumSectors', 'SectorsPerTrack' and 'NumberOfHeads' fields of the BPB (BIOS Parameter Block), and checks are performed for non-standard disks. The address of this sector is stored in the virus body, and Payback writes itself to the floppy's boot sector. As when infecting the MBR, Payback checks that the sector is bootable by looking for the 0AA55h marker in the last 16-bit WORD of the sector.
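The two checks described above (the 12CDh marker at offset 10h and the 0AA55h boot signature) and the BPB arithmetic for locating the last sector of a diskette can be reproduced offline against a sector image pulled from a disk. The following is an added example for scanning such images, not code from the original page or from the virus itself; the 1.44 MB sample sector is constructed here, and the BPB field offsets (TotalSectors at 13h, SectorsPerTrack at 18h, NumberOfHeads at 1Ah) are the standard DOS BPB layout, assumed to apply.

```python
import struct

# Values the page describes: the INT 12h bytes (CD 12) at offset 10h read as
# the little-endian WORD 12CDh, and the 0AA55h boot signature at offset 1FEh.
MARKER_OFFSET = 0x10
MARKER_WORD = 0x12CD
BOOT_SIGNATURE = 0xAA55


def word_at(sector: bytes, offset: int) -> int:
    return struct.unpack_from("<H", sector, offset)[0]


def is_bootable(sector: bytes) -> bool:
    return len(sector) == 512 and word_at(sector, 510) == BOOT_SIGNATURE


def has_payback_marker(sector: bytes) -> bool:
    return len(sector) == 512 and word_at(sector, MARKER_OFFSET) == MARKER_WORD


def scan_sector(sector: bytes) -> str:
    """Mirror the handler's decision order: marker first, then bootability."""
    if has_payback_marker(sector):
        return "payback-marker"
    if not is_bootable(sector):
        return "not-bootable"
    return "clean"


def last_sector_chs(sector: bytes) -> tuple[int, int, int]:
    """CHS of the diskette's last sector from the (uninfected) BPB, where the
    page says Payback stashes the original floppy boot sector."""
    total, spt, heads = word_at(sector, 0x13), word_at(sector, 0x18), word_at(sector, 0x1A)
    if total == 0 or spt == 0 or heads == 0:
        raise ValueError("non-standard BPB: cannot locate last sector")
    lba = total - 1
    return lba // (spt * heads), (lba // spt) % heads, lba % spt + 1


def make_sample_sector(infected: bool) -> bytes:
    """Constructed 1.44 MB floppy boot sector, not an image of a real disk."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x3C\x90"                # jmp short over the BPB, nop
    struct.pack_into("<H", s, 0x0B, 512)    # BytesPerSector
    struct.pack_into("<H", s, 0x13, 2880)   # TotalSectors
    struct.pack_into("<H", s, 0x18, 18)     # SectorsPerTrack
    struct.pack_into("<H", s, 0x1A, 2)      # NumberOfHeads
    if infected:
        s[MARKER_OFFSET:MARKER_OFFSET + 2] = b"\xCD\x12"  # INT 12h marker
    struct.pack_into("<H", s, 510, BOOT_SIGNATURE)
    return bytes(s)
```

On the constructed 1.44 MB sample, the last sector resolves to cylinder 79, head 1, sector 18, which is where a recovery tool would look for the displaced original boot sector.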

Payload

On infection Payback displays the message:

That was for ARCV, mother fucker!
Payback! (c) 1993'

Also, on January 27th, Payback would erase the CMOS, format the first physical hard drive and display a message.

Background

ARCV was a group based in Britain in the early 1990s that coded many viruses. Their name stood for "Association of Really Cruel Viruses". Members of the group were arrested in late 1992 and early 1993. Payback was written in protest of this.

Sources

Original research by JPanic aka @JPanicVX

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License