BEIJING VIRUS (a.k.a. "Bloody" virus)

 


             *********************************************

             ***   Reports collected and collated by   ***

             ***            PC-Virus Index             ***

             ***      with full acknowledgements       ***

             ***            to the authors             ***

             *********************************************



  Date:    12 Dec 90 14:51:41 -0500

  From:    Ray Glath <76304.1407@CompuServe.COM>

  Subject: virus report (PC)


                 BEIJING VIRUS (a.k.a. "Bloody" virus)


  December 7, 1990


  Copyright Raymond M. Glath, Sr.

            President


            RG Software Systems, Inc.

            6900 E. Camelback Road, #630

            Scottsdale, AZ  85251

            (602) 423-8000


  New virus discovery.


  First reported appearance on a number of computers in the Civil

  Engineering Department at Massachusetts Institute of Technology

  (M.I.T.) in Cambridge MA, USA.


  Mr. (   ) had been experiencing strange events with several systems.

  Running Vi-Spy showed that there was an un-explainable 2048 bytes of

  RAM that was "hidden" from DOS. Mr. (    ) used Vi-Spy to acquire

  the partition table and boot sector into a file which he then sent

  to RG Software Systems, Inc.'s Virus Analysis Lab (VAL) where the

  code was dis-assembled and analyzed. Within 24 hours after receipt

  of the virus sample, an identification pattern was developed and an

  updated "emergency release" of Vi- Spy was shipped overnight to Mr.

  (    ).


  Type of Virus: PC DOS Boot infector. Infects Partition Table (Master

  Boot Record) on hard disks as well. (Drive C:)


  Vector:        5 1/4" Diskettes only.


  Types of computers susceptible to infection:  PC's and Compatibles

  with 640k or more RAM.


  Infection acquired by:  Attempting to boot from an infected

  diskette, whether or not the diskette is "bootable".


  Symptoms:      Available RAM size decreases by 2048 bytes.  3 1/2"

  diskettes become non-readable.  Occasional "garbage characters"

  appear on screen.  Diskettes that were "bootable" will no longer

  boot the system.  5 1/4" High Density diskettes may show "0 bytes in

  1 hidden files" as a message from CHKDSK.


  Danger level:  Considered to be a very dangerous virus in that it

  may cause damage to any diskette or hard disk due to bugs in the

  virus that can cause it to write to the FAT or the Root Directory.


  Naming convention used:  This virus was named for the political

  statement it attempts to make. The following message is stored in

  encrypted form. Due to a bug in the virus' decryption routine, the

  actual message may be displayed as garbage characters.


            Encrypted message: "Bloody! Jun. 4, 1989"


  This is the date of the Chinese "Tianamen Square" confrontation

  between rebelling Students and the Chinese Army in Beijing.


  Technical Notes:


  1. Trigger mechanism for message display: The first appearance of

  the message will be 1 - 128 system boots, then every 6 boots

  thereafter.


  2. This virus attempts to save the original boot sector into another

  sector, however bugs can cause it to just replicate itself into both

  sectors. Thus no automatic clean-up can be reliably performed unless

  the original, un-infected Partition Table and Boot Sector are

  available to use in a replacement operation.


  There is no attempt made by the virus to determine what type of disk

  is in use, thus the damaging effects are produced due to its always

  writing to a fixed number of disk sectors, no matter what disk

  mapping is in effect.


  3. The virus intercepts all diskette reads and writes where it

  checks for its infection through a comparison of the 1st 6 bytes of

  sector 1. If the disk is not infected, it adds itself to the disk.


  4. Detection avoidance techniques used by the virus:  When

  attempting to infect, if the write fails, it tries one additional

  time, and then aborts its infection attempt. Therefore the user

  doesn't notice a failure when the disk is write protected.  Also,

  the virus bypasses DOS completely when intercepting diskette reads

  and writes. Thus, a program that monitors system interrupts will not

  see the activity of this virus.


***************************   more   ********************************


  Note: Since this report has been completed, the Beijing virus has

  also turned up in another department at M.I.T. and has

  simultaneously appeared at the City University of London.


  This is the first time we've noticed a Boot Sector virus appearing

  simultaneously on both sides of the Atlantic, leading to speculation

  that multiple persons were involved in its release.


  Researchers in the U.K. have named this the "Bloody" virus.


  With the timing of this virus' release, there is an improved

  opportunity for it to spread, through students' carrying infected

  diskettes home for the holidays.


  To help protect his privacy, the name of the individual at M.I.T.

  has been removed from this report.


----------------------------- more ----------------------------


  Date:    13 Dec. 1990

  From:  Padgett Peterson <padgett%tccslr.dnet@uvs1.orl.mmc.com>

  Subject:  Bloody/Beijing Virus (PC)


   Since Mr. Glath neglected to include a signature string in his

   VALERT posting, enclosed is a 16 byte id stringthat a user put on

   HOMEBASE for use with John's SCAN v71 /ext switch:


    37 55 7b 78 78 73 6e 36 37 5d 62 79 39 37 23 3b


   I have not seen the virus so cannot attest to the string's validity

   but at least it is more than nothing. If someone has seen the virus

   please confirm/deny this string's effectiveness.


      Padgett


-


  Date:    Fri, 22 Mar 91 17:20:18 +0700

  From:  swimmer@rzsun3.informatik.uni-hamburg.de (Morton Swimmer)

  Subject:  Bloody (PC)


  The "Bloody" virus has just hit Germany. (The virus was described

  before.)  It was reported to us at our information stand at the

  CeBit 1991 by a firm from Darmstadt.  It is fairly stupid, or so it

  seems, as it doesn't even maintain a minimal boot record.  It

  therefore creates all sorts of wierd mistakes and causes floppy

  disks to become unusable.


  Cheers, Morton



  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++

  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Comments

Post a Comment

Popular posts from this blog

BOTTOM LIVE script

                                  BOTTOM                                   ======                     by Adrian Edmondson and Rik Mayall                                 Bottom Live                                 ===========                               Richie  Rik Mayall                                Eddie  Adrian Edmondson Introduction ------------ [Opening shot of theatre, with huge pictures of Richie and Eddie. Caption: "Live from the Mayflower Theatre, Southampton".] Vox Pop 1:  So I'm hoping that this is a lot ruder than the TV, because             they can get away with it. [Cut to Ade's dressing-room door. It opens to reveal a clothes rail, its only contents a brown jacket.] Vox Pop 2:  I just think they're ace, you know, absolutely excellent. [Cut to dressing-gown, pan across a pair of glasses and a revolver.] Vox Pop 3:  It couldn't be too rude, I mean that's what young people want. [Rik's dressing-room door.]
Read more

Fawlty Towers script for "A Touch of Class"

Fawlty Towers A Touch of Class Written by John Cleese and Connie Booth First of first series, first broadcast on September 19, 1975 on BBC2 Transcribed by Jason R. Heimbaugh (jrh@uiuc.edu) on October 10, 1993 Basil Fawlty  John Cleese Sybil Fawlty  Prunella Scales Manuel        Andrew Sachs Polly         Connie Booth Major Gowen   Ballard Berkeley Miss Tibbs    Gilly Flower Miss Gatsby   Renee Roberts Lord Melbury  Michael Gwynn Danny Brown   Robin Ellis Sir Richard   Morris Martin Wyldeck Mr Watson     Lionel Wheeler Mr Wareing    Terence Conoley Mr Mackenzie  David Simeon               [The Fawlty Towers reception lobby. The main entrance is at the               back, with the stairs to the right. The entrance to the dining               room is in the right wall; on the left, the reception desk               running along the left wall, with the entrance to the office               behind it. The entrance to the bar is beyond the desk.] Basil         [on th
Read more