BEIJING VIRUS (a.k.a. "Bloody" virus)
*********************************************
*** Reports collected and collated by ***
*** PC-Virus Index ***
*** with full acknowledgements ***
*** to the authors ***
*********************************************
Date: 12 Dec 90 14:51:41 -0500
From: Ray Glath <76304.1407@CompuServe.COM>
Subject: virus report (PC)
BEIJING VIRUS (a.k.a. "Bloody" virus)
December 7, 1990
Copyright Raymond M. Glath, Sr.
President
RG Software Systems, Inc.
6900 E. Camelback Road, #630
Scottsdale, AZ 85251
(602) 423-8000
New virus discovery.
First reported appearance on a number of computers in the Civil
Engineering Department at Massachusetts Institute of Technology
(M.I.T.) in Cambridge MA, USA.
Mr. ( ) had been experiencing strange events with several systems.
Running Vi-Spy showed that there was an un-explainable 2048 bytes of
RAM that was "hidden" from DOS. Mr. ( ) used Vi-Spy to acquire
the partition table and boot sector into a file which he then sent
to RG Software Systems, Inc.'s Virus Analysis Lab (VAL) where the
code was dis-assembled and analyzed. Within 24 hours after receipt
of the virus sample, an identification pattern was developed and an
updated "emergency release" of Vi-Spy was shipped overnight to Mr.
( ).
Type of Virus: PC DOS Boot infector. Infects Partition Table (Master
Boot Record) on hard disks as well. (Drive C:)
Vector: 5 1/4" Diskettes only.
Types of computers susceptible to infection: PC's and Compatibles
with 640k or more RAM.
Infection acquired by: Attempting to boot from an infected
diskette, whether or not the diskette is "bootable".
Symptoms: Available RAM size decreases by 2048 bytes. 3 1/2"
diskettes become non-readable. Occasional "garbage characters"
appear on screen. Diskettes that were "bootable" will no longer
boot the system. 5 1/4" High Density diskettes may show "0 bytes in
1 hidden files" as a message from CHKDSK.
Danger level: Considered to be a very dangerous virus in that it
may cause damage to any diskette or hard disk due to bugs in the
virus that can cause it to write to the FAT or the Root Directory.
Naming convention used: This virus was named for the political
statement it attempts to make. The following message is stored in
encrypted form. Due to a bug in the virus' decryption routine, the
actual message may be displayed as garbage characters.
Encrypted message: "Bloody! Jun. 4, 1989"
This is the date of the Chinese "Tiananmen Square" confrontation
between rebelling Students and the Chinese Army in Beijing.
Technical Notes:
1. Trigger mechanism for message display: The first appearance of
the message will be 1 - 128 system boots, then every 6 boots
thereafter.
2. This virus attempts to save the original boot sector into another
sector, however bugs can cause it to just replicate itself into both
sectors. Thus no automatic clean-up can be reliably performed unless
the original, un-infected Partition Table and Boot Sector are
available to use in a replacement operation.
There is no attempt made by the virus to determine what type of disk
is in use, thus the damaging effects are produced due to its always
writing to a fixed number of disk sectors, no matter what disk
mapping is in effect.
3. The virus intercepts all diskette reads and writes where it
checks for its infection through a comparison of the 1st 6 bytes of
sector 1. If the disk is not infected, it adds itself to the disk.
4. Detection avoidance techniques used by the virus: When
attempting to infect, if the write fails, it tries one additional
time, and then aborts its infection attempt. Therefore the user
doesn't notice a failure when the disk is write protected. Also,
the virus bypasses DOS completely when intercepting diskette reads
and writes. Thus, a program that monitors system interrupts will not
see the activity of this virus.
*************************** more ********************************
Note: Since this report has been completed, the Beijing virus has
also turned up in another department at M.I.T. and has
simultaneously appeared at the City University of London.
This is the first time we've noticed a Boot Sector virus appearing
simultaneously on both sides of the Atlantic, leading to speculation
that multiple persons were involved in its release.
Researchers in the U.K. have named this the "Bloody" virus.
With the timing of this virus' release, there is an improved
opportunity for it to spread, through students' carrying infected
diskettes home for the holidays.
To help protect his privacy, the name of the individual at M.I.T.
has been removed from this report.
----------------------------- more ----------------------------
Date: 13 Dec. 1990
From: Padgett Peterson <padgett%tccslr.dnet@uvs1.orl.mmc.com>
Subject: Bloody/Beijing Virus (PC)
Since Mr. Glath neglected to include a signature string in his
VALERT posting, enclosed is a 16 byte id string that a user put on
HOMEBASE for use with John's SCAN v71 /ext switch:
37 55 7b 78 78 73 6e 36 37 5d 62 79 39 37 23 3b
I have not seen the virus so cannot attest to the string's validity
but at least it is more than nothing. If someone has seen the virus
please confirm/deny this string's effectiveness.
Padgett
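An added example, not code from any of the posts above: a defender's check over a captured 512-byte sector image (the kind of capture Mr. Glath describes), which compares the sector against a saved clean copy as Technical Note 2 requires for reliable clean-up, reports whether the first 6 bytes Note 3 says the virus compares have changed, and searches for the 16-byte id string in Padgett's post (whose validity that post leaves unconfirmed). All function names and the sample sectors are assumptions constructed here.

```python
# Added example, not from the reports: integrity and signature checks on a
# captured MBR / boot sector image.  Function names are this example's own.
import hashlib

SECTOR_SIZE = 512

# The 16-byte id string from Padgett Peterson's post (unconfirmed there).
BLOODY_ID_HEX = "37 55 7b 78 78 73 6e 36 37 5d 62 79 39 37 23 3b"
BLOODY_ID = bytes.fromhex(BLOODY_ID_HEX.replace(" ", ""))


def find_id_string(sector: bytes, pattern: bytes = BLOODY_ID) -> int:
    """Offset of the id string inside the sector, or -1 if it is absent."""
    return sector.find(pattern)


def baseline_digest(sector: bytes) -> str:
    """Digest to store alongside a known-clean sector copy."""
    return hashlib.sha256(sector).hexdigest()


def check_sector(sector: bytes, baseline: bytes) -> dict:
    """Compare a captured sector against the saved clean copy."""
    if len(sector) != SECTOR_SIZE or len(baseline) != SECTOR_SIZE:
        raise ValueError("expected 512-byte sector images")
    first_diff = next((i for i in range(SECTOR_SIZE)
                       if sector[i] != baseline[i]), -1)
    return {
        "matches_baseline": sector == baseline,
        "first_differing_offset": first_diff,
        # Note 3: the virus decides "infected or not" on the first 6 bytes.
        "first6_changed": sector[:6] != baseline[:6],
        "has_boot_signature": sector[510:512] == b"\x55\xaa",
        "id_string_offset": find_id_string(sector),
    }


def conventional_memory_deficit_kb(reported_kb: int, expected_kb: int = 640) -> int:
    """BIOS memory-size word (INT 12h) is in KB; the report's 2048-byte drop is 2 KB."""
    return expected_kb - reported_kb


# Constructed sample data: a plausible clean DOS boot sector and a tampered copy
# whose first 6 bytes differ and which carries the id string at offset 0x40.
CLEAN = bytes([0xEB, 0x3C, 0x90]) + b"MSDOS5.0" + bytes(SECTOR_SIZE - 13) + b"\x55\xaa"
_t = bytearray(CLEAN)
_t[0:6] = b"\xfa\x33\xc0\x8e\xd0\xbc"   # constructed generic boot-code prologue
_t[0x40:0x50] = BLOODY_ID
TAMPERED = bytes(_t)
```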
-
Date: Fri, 22 Mar 91 17:20:18 +0700
From: swimmer@rzsun3.informatik.uni-hamburg.de (Morton Swimmer)
Subject: Bloody (PC)
The "Bloody" virus has just hit Germany. (The virus was described
before.) It was reported to us at our information stand at the
CeBit 1991 by a firm from Darmstadt. It is fairly stupid, or so it
seems, as it doesn't even maintain a minimal boot record. It
therefore creates all sorts of weird mistakes and causes floppy
disks to become unusable.
Cheers, Morton
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++