|Type||Boot sector virus|
|Place of Origin||United States|
|Infection Length||1 boot sector|
Payback is a full stealth memory resident virus coded by Priest. It infects the master boot records of floppy disks. It appeared shortly after Satanbug and was written in retaliation for the arrest of members of the British 'ARCV' virus writing group.
When a disk infected with Payback is booted, the virus sets up the stack and the DS (data segment) register. Payback then allocates 1 KB of memory by decrementing the 16-bit WORD at 0:413h (BIOS size of conventional memory) and hooks INT 13h (BIOS Disk Services) directly in the IVT (interrupt vector table). Payback then copies itself to this newly allocated memory after hooking INT 13h. Once copied, Payback continues execution in the new copy and loads the original (uninfected) boot sector back to 0:7C00h (the load address of a boot sector) using INT 13h/AH=02h (Read Sector). The instructions that set registers CX and DX for this INT 13h call are modified by the virus on each infection to reflect the correct location of the original sector on that disk.
Payback then infects the MBR. The MBR is loaded and checked that it is not already infected (WORD at offset 10h = 12CDh, the INT 12h instruction of the virus) and that it is bootable (last 16-bit WORD is 0AA55h). If these conditions are met, MBR infection continues. The original MBR is written to head 0, track 0, sector 2 of the hard drive (unused by MS-DOS) and the address of this sector is stored in the virus (see above). Payback then conditionally runs its activation routine, and control is returned to the original, 'clean' sector at 0:7C00h.
Payback's INT 13h handler performs two functions: infecting floppies, and stealth. Both are triggered when a read sector request (INT 13h, AH=02h) targets head 0, cylinder 0, sector 1 (the boot sector/MBR). In that case the INT 13h handler first lets the read of the boot sector go through and aborts on error. Next Payback checks whether the sector is already infected (WORD at offset 10h = 12CDh, the same check used when infecting the MBR). If the sector is already infected, the stealth action is taken. If the sector is not already infected and is on a floppy drive, the disk is infected.
Stealth is achieved through a simple algorithm: the CX and DX registers are saved, Payback takes the location of the original (uninfected) sector from the virus body it has just read, reads the original sector over the infected sector in memory, restores the registers and returns from the INT 13h handler. When infecting floppies, the original sector is stored in the last sector of the diskette. This sector is calculated using the 'NumSectors', 'SectorsPerTrack' and 'NumberOfHeads' fields of the BPB (BIOS Parameter Block), and checks are performed for non-standard disks. The address of this sector is stored in the virus body, and Payback writes itself to the floppy's boot sector. As when infecting the MBR, Payback checks that the sector is bootable by the 0AA55h marker in its last 16-bit WORD.
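The two checks above (the 12CDh marker at offset 10h and the 0AA55h boot signature) and the two stash locations (head 0, track 0, sector 2 on a hard disk; the last sector of a diskette, computed from the BPB) are enough to write an offline scanner that flags an infected sector 0 in a raw disk image and pulls the stashed original back out, which is what an analyst wants when the virus is not resident to do its stealth trick. The following Python is an added example written for this page, not code from the original research. It assumes raw images with 512-byte sectors, standard FAT12 BPB field offsets (0Bh bytes per sector, 13h total sectors, 18h sectors per track, 1Ah heads), and that an infected floppy boot sector still carries a readable BPB; the "non-standard disk" checks are this example's own approximation (zero fields or a sector count not divisible by sectors-per-track times heads), since the page does not list the virus's exact tests. The sample images are constructed inline.

```python
"""Offline detector for a Payback-style boot sector infection (added example)."""
import struct

SECTOR = 512
BOOT_SIGNATURE = 0xAA55   # last WORD of a bootable sector
MARKER_OFFSET = 0x10      # offset of the virus's INT 12h instruction
MARKER = 0x12CD           # bytes CD 12 read as a little-endian WORD
MBR_STASH_LBA = 1         # head 0, track 0, sector 2 on a hard disk


def word_at(sector, offset):
    return struct.unpack_from("<H", sector, offset)[0]


def is_bootable(sector):
    return len(sector) == SECTOR and word_at(sector, SECTOR - 2) == BOOT_SIGNATURE


def has_marker(sector):
    return len(sector) == SECTOR and word_at(sector, MARKER_OFFSET) == MARKER


def lba_to_chs(lba, spt, heads):
    """CHS tuple as INT 13h would need it (sector numbers start at 1)."""
    return lba // (spt * heads), (lba // spt) % heads, lba % spt + 1


def floppy_stash_lba(boot_sector):
    """LBA of the diskette's last sector from the BPB, or None for a non-standard BPB.
    Assumption: the BPB fields survive infection (not stated on the page)."""
    bps = word_at(boot_sector, 0x0B)
    total = word_at(boot_sector, 0x13)   # NumSectors
    spt = word_at(boot_sector, 0x18)     # SectorsPerTrack
    heads = word_at(boot_sector, 0x1A)   # NumberOfHeads
    if bps != SECTOR or 0 in (total, spt, heads) or total % (spt * heads):
        return None                      # approximation of the virus's sanity checks
    return total - 1


def scan_image(image, is_hard_disk):
    """Classify sector 0 and, if infected, try to recover the stashed original sector."""
    boot = bytes(image[:SECTOR])
    result = {"bootable": is_bootable(boot), "infected": has_marker(boot), "original": None}
    if not result["infected"]:
        return result
    lba = MBR_STASH_LBA if is_hard_disk else floppy_stash_lba(boot)
    if lba is None:
        return result
    original = bytes(image[lba * SECTOR:(lba + 1) * SECTOR])
    # Only accept a stash that itself looks like a clean, bootable sector.
    if is_bootable(original) and not has_marker(original):
        result["original"] = original
    return result


def build_sample_floppy():
    """Constructed 1.44 MB image: infected boot sector, original stashed in the last sector."""
    image = bytearray(2880 * SECTOR)
    original = bytearray(SECTOR)
    original[0:3] = b"\xEB\x3C\x90"                   # JMP SHORT + NOP, typical DOS boot sector
    struct.pack_into("<H", original, 0x0B, SECTOR)
    struct.pack_into("<H", original, 0x13, 2880)
    struct.pack_into("<H", original, 0x18, 18)
    struct.pack_into("<H", original, 0x1A, 2)
    struct.pack_into("<H", original, SECTOR - 2, BOOT_SIGNATURE)
    infected = bytearray(original)
    infected[MARKER_OFFSET:MARKER_OFFSET + 2] = b"\xCD\x12"   # the INT 12h marker
    image[:SECTOR] = infected
    image[-SECTOR:] = original
    return bytes(image)


def build_sample_hdd():
    """Constructed four-sector hard disk image: infected MBR, original MBR at LBA 1."""
    image = bytearray(4 * SECTOR)
    original = bytearray(SECTOR)
    original[0:2] = b"\x33\xC0"                       # XOR AX,AX
    struct.pack_into("<H", original, SECTOR - 2, BOOT_SIGNATURE)
    infected = bytearray(SECTOR)
    infected[MARKER_OFFSET:MARKER_OFFSET + 2] = b"\xCD\x12"
    struct.pack_into("<H", infected, SECTOR - 2, BOOT_SIGNATURE)
    image[:SECTOR] = infected
    image[SECTOR:2 * SECTOR] = original
    return bytes(image)


if __name__ == "__main__":
    for name, img, hdd in (("floppy", build_sample_floppy(), False), ("hdd", build_sample_hdd(), True)):
        r = scan_image(img, hdd)
        print(name, "infected" if r["infected"] else "clean",
              "original recovered" if r["original"] else "no original recovered")
```

On a real image the recovered sector can be written back over sector 0 to disinfect, but only after confirming it parses as a sane MBR or BPB; the scanner deliberately refuses a stash that lacks the 0AA55h signature or still carries the marker, so a partially overwritten or doubly infected disk is reported rather than "repaired" with garbage.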
On infection Payback displays the message:
That was for ARCV, mother fucker! Payback! (c) 1993'
Also, on January 27th, Payback would erase the CMOS, format the first physical hard drive and display a message.
ARCV was a group based in Britain in the early 1990s that coded many viruses. Their name stood for "Association of Really Cruel Viruses". Members of the group were arrested in late 1992 and early 1993. Payback was written in protest of this.
Original research by JPanic aka @JPanicVX