new boot sector virus (PC)
*********************************************
*** Reports collected and collated by ***
*** PC-Virus Index ***
*** with full acknowledgements ***
*** to the authors ***
*********************************************
Date: Mon, 26 Nov 90 23:16:00 -0500
From: Michael Head <CCMH@MVS.MCGILL.CA>
Subject: new boot sector virus (PC)
We have found an unknown boot sector virus on "COMBASE" and
"SVGA-UTILITY" software shipped in PACKARD-BELL PACKMATE-III and
386sx computers. The diskettes are in sealed envelopes. The seal
bears characters which appear to be Chinese.
The disks were not intended to be booted and will produce the
standard error message "NON-SYSTEM DISK etc." if accidentally booted;
however, the hard disk, if present, will have been infected.
The symptoms are varied. Some infected systems play a few notes with
every DOS command issued. On others there are no notes but there is
a lot of I/O to write-protected disks (one has the feeling it is
trying to burn its way onto the disk). Still others (my
quarantined Taiwanese AT) will not boot at all after being infected.
Now for the bad news. SCANV67c does not report anything. F-PROT113
also doesn't find a known virus but reports the boot sector is an
unusual DOS boot sector and there may be an unknown virus. (Thanks
Fridrik, it sure is lonely trying to convince yourself you're the first
one to ever see a brand new virus.)
Michael Head
------------ more ----------
Date: 30 November, 1990
From: Padgett Peterson <padgett%tccslr.dnet@uvs1.orl.mmc.com>
Subject: MUSICBUG (PC)
Thanks to Michael Head, I have had a chance to take a brief look at
this infector. If it were not for the vector, it might not be
dangerous; however, it appears to be being distributed along with
Packard-Bell computers. Since these are often sold by general
merchandisers, it has the capacity to become widespread among
non-computer-literate users.
The distribution appears to be on utilities disks provided with the
computers. I have not fully disassembled the virus yet but it is a
boot sector infector that can be recognised on floppies since the
DOS warning messages are not found on the boot sector and the jump
parameter of CCh is found in the third byte.
Once infected, the virus goes resident in the TOM reducing a CHKDSK
total memory return by 4k (640k machine will report 651,264 bytes
instead of 655,360 bytes).
Only part of the code is stored in the boot sector of an infected
floppy. What looks like sloppy programming has the virus store the
action in DOS sector 45 (cyl 2 head 1 sect 1) on the floppy,
overwriting sector(s) in the files area. Both this sector and the
reserved area at the TOM will contain the ASCII string "MusicBug
v1.06. MacroSoft Corp.". It looks like this string will be found at
9C00:0210 in memory, but I cannot guarantee the address yet. Once the
rest of it is pulled apart, I can let you know what it does to a
hard disk and, hopefully, a cure.
From what I have been told, the sealed envelopes containing the
floppy are marked with the same imprint of a blue floppy disk & blue
numbers partially overwritten by a red square containing what look
like chinese characters as was found with the "Modular Component
Technologies" disks that contained the STONED virus a few months
ago.
Meanwhile, it's getting late,
Padgett
------- more --------
Date: 03 Dec 90 14:30:21 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: new boot sector virus (PC)
CCMH@MVS.MCGILL.CA (Michael Head) writes: We have found an unknown
boot sector virus on "COMBASE" and "SVGA-UTILITY" software shipped
in PACKARD-BELL PACKMATE-III and 386sx computers. The diskettes
are in sealed envelopes. The seal bears characters which appear to
be Chinese.
The diskettes are probably from Taiwan - a country which is
practically flooded by viruses - a friend of mine ordered a machine
from a company there and received it infected with three different
viruses.
Also, every company in Iceland which imports machines from Taiwan
has at least once received infected machines or floppies.
Now for the bad news. SCANV67c does not report anything. F-PROT113
also doesn't find a known virus but reports the boot sector is an
unusual DOS boot sector and there may be an unknown virus. (Thanks
Fridrik, it sure is lonely trying to convince yourself you're the first
one to ever see a brand new virus.)
Well, I am glad the routine I added in version 1.13 to analyze boot
sectors for suspicious code turned out to be useful - I am working
on improvements for version 1.14.
- -frisk
Fridrik Skulason                              University of Iceland
Technical Editor of the Virus Bulletin (UK)   Reserved for future expansion
E-Mail: frisk@rhi.hi.is   Fax: 354-1-28801
------------- more ----------
Date: 12 December, 1990
From: Padgett Peterson <padgett%tccslr.dnet@uvs1.orl.mmc.com>
Subject: Music-Bug Update (PC)
Recently, I received several infected disks in what appear to be the
original un-opened sealed envelopes. Examination showed that the
seals, while similar to those on the "Modular Component
Technologies" disk that contained the STONED virus, are different.
First, the envelopes have square flaps rather than the triangular
one used on the MCT disk. Second, the "floppy disk" seal uses a
thinner font and a different typeface than the MCT. Finally, the
red square overlay is centered on the seal and has different
(chinese ?) characters. The seals bear the (sequence ?) numbers
01206 and 01081.
As mentioned, SCAN v71 does detect this virus [Muboot] on these
disks but CLEAN does not disinfect them. Floppies may be disinfected
by replacement of the boot sector though the other eight sectors of
the virus may have overlaid part of files on the disk. On the
samples provided, the virus stores the real boot sector followed by
seven viral code sectors on the disk with the CX and DX values for
Int 13 retrieval stored in offset 42h (DX) and 44h (CX) of the disk
boot sector.
The original disks show no errors, but after infecting a floppy,
CHKDSK reported "4 lost clusters in 4 chains" where the 4096 bytes
of viral code appeared on the disk following pre-existing programs.
Since the real boot sector is stored here, use of /F with CHKDSK
followed by deletion/overwrite of the "garbage" files would render a
previously bootable floppy disk unbootable.
In limited testing on a hard disk (ST-412), the virus infects the
boot record (not the partition table) and after a cold boot from a
clean, protected floppy, the above method of recovery works. On the
HD, the "lost clusters" do not coincide with the viral code, instead
files in other areas may be corrupted/lost in multiple 4k (or
larger) chunks.
My concern is that since these disks were apparently distributed
along with Packard-Bell Computers and these computers are generally
sold by mass marketeers & department stores (I have seen about a
dozen ads in the last week) that the potential for a considerable
spread exists. I have no idea how many disks are involved.
Incidentally, regardless of the operating system involved, these
infected disks have the signature "IBM 3.3" in the infected boot
record and the first three bytes of the sector are "FA E9 CC". No
"stealth" is involved. An infected machine will have total memory
reduced by 4096 bytes (on a 640k machine, CHKDSK will report 651264
bytes instead of 655360).
The following is an abbreviated directory listing of the three
infected distribution disks (2 in "SVA" envelope, 1 in "COMBASE"
envelope - note: id is by disk label, there are no markings on the
envelopes other than the seal):
"SVGA-Utility" Disk No. 1
 Volume in drive A has no label
 Directory of A:\
VGA800   DRV   32720  10-19-88
VGA800   GRB    3573  10-18-88
VGA800   LGO     468  10-18-88
SD_VGA_5 VGA   46592  10-07-88
SDVGA8   VGA   48128  10-05-88
DSVGA    EXE   11003  10-13-88
VP11     EXE   11006   3-19-87
GEMINSTL BAT    2935  10-29-88
SETUP    TXT    1968  10-23-88
VP       BAT      51  10-23-88
GEMSETUP TXT   12072  11-03-88
VP1_1    TXT    2205  10-30-88
OAK25V2  DRV     990   1-25-89
OAK43V2  DRV     990   1-25-89
OAK640V2 DRV    2023   1-25-89
OAK800V2 DRV    2023   1-25-89
OAK3     SC     1503   2-08-89
OAK4     SC     1539   2-08-89
OAK5     SC     6611   2-07-89
OAK6     SC     6625   2-07-89
OAK1     SC     1503   3-07-89
OAK2     SC     1539   3-07-89
DSVGA9   EXE   13480   3-16-89
READ     ME     1513   1-03-80
UTILITY     <DIR>      1-01-80
       25 File(s)   59392 bytes free

"SVGA-Utility" Disk No. 2
 Volume in drive A has no label
 Directory of A:\
WIN30       <DIR>      1-01-80
OAK386   3EX   34460   2-24-89
OAK386   386  139491   2-24-89
OAK386   GRB    8589   2-24-89
OAK386   LGO     468  11-12-87
OAK386   DRV   32720  10-19-88
READ     ME      574   8-09-90
        7 File(s)   67584 bytes free

"COMBASE" Disk
 Volume in drive A is NN
 Directory of A:\
ADCOMHLP DBF    1214   3-31-89
ADCOMHLP DBT   36462   3-31-89
ADCOMM   DBT    1536   2-08-88
ADCOMMAC DBT    1024  11-18-87
COMBASE  EXE  289328   3-31-89
ADCOMMAC MAC     211   3-31-89
ADCOMM   MAS      66   1-11-90
ADCOMM   TEL     540   1-18-90
ADCOMDEF MEM    1348   1-16-90
CAPTURE  TXT       0   5-06-89
       10 File(s)   25600 bytes free
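A defender-side check for the indicators listed across Peterson's two reports and Head's original note, written here as an added example (it is not code from any of the posts, nor from F-PROT or SCAN): it scans a raw floppy image for the FA E9 CC prefix, the "IBM 3.3" signature, the absent DOS boot text and the "MusicBug v1.06. MacroSoft Corp." string, decodes the DX/CX words at 42h/44h as Int 13h registers to locate the saved original boot sector, and copies that sector back over sector 0 as the "replacement of the boot sector" recovery describes. Assumptions of mine, not the reports': 360K geometry (9 sectors/track, 2 heads) unless overridden, the December layout (saved original first, seven viral sectors after it), the 55 AA boot-signature sanity check on the saved sector, and a constructed sample image built by build_sample_image; all function names are hypothetical.

```python
import struct

SECTOR = 512

# Indicators quoted from the reports above
MUSICBUG_STRING = b"MusicBug v1.06. MacroSoft Corp."
INFECTED_PREFIX = bytes.fromhex("FAE9CC")   # first three bytes of an infected boot record
INFECTED_OEM = b"IBM 3.3"                   # signature seen in infected boot records
DOS_BOOT_TEXT = (b"Non-System disk", b"Replace and strike any key")  # absent on infected floppies
CHKDSK_TOTAL_640K = 655360
RESIDENT_SIZE = 4096                        # reduction in total memory reported by CHKDSK

def chs_to_lba(cyl, head, sect, spt, heads):
    """Cylinder/head/sector (1-based sector) to a DOS logical sector number."""
    return (cyl * heads + head) * spt + (sect - 1)

def decode_int13_location(boot):
    """Read the DX word at 42h and CX word at 44h as Int 13h CHS registers:
    DH = head, CH = cylinder bits 0-7, CL = sector (bits 0-5) with cylinder bits 8-9 on top."""
    dx, cx = struct.unpack_from("<HH", boot, 0x42)
    ch, cl = cx >> 8, cx & 0xFF
    return ch | ((cl & 0xC0) << 2), dx >> 8, cl & 0x3F

def scan_boot_sector(boot):
    """Return the MusicBug indicators present in one 512-byte boot sector."""
    findings = []
    if boot[:3] == INFECTED_PREFIX:
        findings.append("first three bytes are FA E9 CC")
    elif boot[2] == 0xCC:
        findings.append("jump parameter CCh in third byte")
    if INFECTED_OEM in boot[3:11]:
        findings.append('OEM field reads "IBM 3.3"')
    if not any(t in boot for t in DOS_BOOT_TEXT):
        findings.append("DOS boot warning text absent")
    return findings

def scan_image(img, spt=9, heads=2):
    """Scan a raw floppy image; geometry defaults to 360K (9 sectors/track, 2 heads)."""
    boot = img[:SECTOR]
    report = {"boot_findings": scan_boot_sector(boot), "string_sector": None, "stored_original": None}
    pos = img.find(MUSICBUG_STRING)
    if pos != -1:
        report["string_sector"] = pos // SECTOR
    if report["boot_findings"]:
        cyl, head, sect = decode_int13_location(boot)
        report["stored_original"] = (cyl, head, sect, chs_to_lba(cyl, head, sect, spt, heads))
    return report

def recover_boot_sector(img, spt=9, heads=2):
    """Put the saved original boot sector back over sector 0. Returns None unless the
    saved sector ends with the 55 AA boot signature (a sanity check this example adds)."""
    cyl, head, sect = decode_int13_location(img[:SECTOR])
    if sect == 0:                       # sector numbers are 1-based; 0 means nothing stored
        return None
    lba = chs_to_lba(cyl, head, sect, spt, heads)
    saved = img[lba * SECTOR:(lba + 1) * SECTOR]
    if len(saved) != SECTOR or saved[-2:] != b"\x55\xAA":
        return None
    return bytes(saved) + bytes(img[SECTOR:])

def memory_reduced_by_virus(chkdsk_total, expected=CHKDSK_TOTAL_640K):
    """True when CHKDSK total memory is exactly 4096 bytes below the machine's normal figure."""
    return expected - chkdsk_total == RESIDENT_SIZE

def build_sample_image(infected=True, spt=9, heads=2):
    """Constructed 360K image laid out as the December report describes: the original
    boot sector saved at cyl 2 head 1 sect 1 (DOS sector 45) with seven 'viral code'
    sectors after it, one carrying the ASCII string. Not a real sample."""
    img = bytearray(40 * heads * spt * SECTOR)
    clean = bytearray(SECTOR)
    clean[0:3] = b"\xEB\x34\x90"
    clean[3:11] = b"MSDOS3.3"
    msg = b"Non-System disk or disk error\r\nReplace and strike any key when ready\r\n"
    clean[0x1A0:0x1A0 + len(msg)] = msg
    clean[510:512] = b"\x55\xAA"
    if not infected:
        img[:SECTOR] = clean
        return bytes(img)
    inf = bytearray(SECTOR)
    inf[0:3] = INFECTED_PREFIX
    inf[3:10] = INFECTED_OEM
    struct.pack_into("<HH", inf, 0x42, 0x0100, 0x0201)   # DX: head 1; CX: cylinder 2, sector 1
    inf[510:512] = b"\x55\xAA"
    img[:SECTOR] = inf
    lba = chs_to_lba(2, 1, 1, spt, heads)
    img[lba * SECTOR:(lba + 1) * SECTOR] = clean
    img[(lba + 1) * SECTOR:(lba + 8) * SECTOR] = b"\x90" * (7 * SECTOR)
    at = (lba + 1) * SECTOR + 0x10
    img[at:at + len(MUSICBUG_STRING)] = MUSICBUG_STRING
    return bytes(img)
```

Calling scan_image(build_sample_image()) reports all three boot-sector indicators, the string in DOS sector 46 and the saved original at (2, 1, 1), logical sector 45; recover_boot_sector on the same image yields an image whose sector 0 scans clean. On a real disk the CHKDSK /F step should be avoided for the reason Peterson gives, since the saved boot sector lives in the "lost" clusters this recovery reads from.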
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++