[comp.sys.amiga] Interesting boot block I found...

erd@tut.cis.ohio-state.edu (Ethan R. Dicks) (05/16/88)

I recently was helping another friend flush the scourge of viruses from his
disks, when I came across an interesting boot block, using ViewBoot.  I have
since written a program to read the boot block and save it to a 1024-byte
file, or write a 1024-byte file to the boot block.  I have been saving
viruses for some time now, but it was inconvenient to have one disk per virus.
After I clean up the code, I will send it to the moderators.

Here is this most amazing boot block...

(it passes through VirusX _and_ Vcheck1.9)

0000: 444F5300 37FCBB02 8721CBF9 43FA0018    DOS.7....!..C...
0010: 4EAEFFA0 4A80670A 20402068 00167000    N...J.g. @ h..p.
0020: 4E7570FF 60FA646F 732E6C69 62726172    Nup.`.dos.librar
0030: 79000000 F0000000 54484953 20424F4F    y.......THIS BOO
0040: 54424C4F 434B2043 414E4E4F 54204245    TBLOCK CANNOT BE
0050: 20494E46 45435445 44204259 20544845     INFECTED BY THE
0060: 20534341 2D564952 55532C20 42454341     SCA-VIRUS, BECA
0070: 55534520 49542057 41532047 454E4552    USE IT WAS GENER
0080: 41544544 20574954 48205448 45205649    ATED WITH THE VI
0090: 5255532D 50524F54 4543544F 52205631    RUS-PROTECTOR V1
00A0: 2E302042 59205448 45204D45 47412D4D    .0 BY THE MEGA-M
00B0: 49474854 59205357 49535320 43524143    IGHTY SWISS CRAC
00C0: 4B494E47 20415353 4F434941 54494F4E    KING ASSOCIATION
00D0: 20212121 000000F0 00000000 00000000     !!!............
00E0: 00000000 00000000 00000000 00000000    ................
00F0: 00000000 00000000 00000000 00000000    ................
0100: 00000000 00000000 00000000 00000000    ................
0110: 00000000 00000000 00000000 00000000    ................
0120: 00000000 00000000 00000000 00000000    ................
0130: 00000000 00000000 00000000 00000000    ................
0140: 00000000 00000000 00000000 00000000    ................
0150: 00000000 00000000 00000000 00000000    ................
0160: 00000000 00000000 00000000 00000000    ................
0170: 00000000 00000000 00000000 00000000    ................
0180: 00000000 00000000 00000000 00000000    ................
0190: 00000000 00000000 00000000 00000000    ................
01A0: 00000000 00000000 00000000 00000000    ................
01B0: 00000000 00000000 00000000 00000000    ................
01C0: 00000000 00000000 00000000 00000000    ................
01D0: 00000000 00000000 00000000 00000000    ................
01E0: 00000000 00000000 00000000 00000000    ................
01F0: 00000000 00000000 00000000 00000000    ................
0200: 00000000 00000000 00000000 00000000    ................
0210: 00000000 00000000 00000000 00000000    ................
0220: 00000000 00000000 00000000 00000000    ................
0230: 00000000 00000000 00000000 00000000    ................
0240: 00000000 00000000 00000000 00000000    ................
0250: 00000000 00000000 00000000 00000000    ................
0260: 00000000 00000000 00000000 00000000    ................
0270: 00000000 00000000 00000000 00000000    ................
0280: 00000000 00000000 00000000 00000000    ................
0290: 00000000 00000000 00000000 00000000    ................
02A0: 00000000 00000000 00000000 00000000    ................
02B0: 00000000 00000000 00000000 00000000    ................
02C0: 00000000 00000000 00000000 00000000    ................
02D0: 00000000 00000000 00000000 00000000    ................
02E0: 00000000 00000000 00000000 00000000    ................
02F0: 00000000 00000000 00000000 00000000    ................
0300: 00000000 00000000 00000000 00000000    ................
0310: 00000000 00000000 00000000 00000000    ................
0320: 00000000 00000000 00000000 00000000    ................
0330: 00000000 00000000 00000000 00000000    ................
0340: 00000000 00000000 00000000 00000000    ................
0350: 00000000 00000000 00000000 00000000    ................
0360: 00000000 00000000 00000000 00000000    ................
0370: 00000000 00000000 00000000 00000000    ................
0380: 00000000 00000000 00000000 00000000    ................
0390: 00000000 00000000 00000000 00000000    ................
03A0: 00000000 00000000 00000000 00000000    ................
03B0: 00000000 00000000 00000000 00000000    ................
03C0: 00000000 00000000 00000000 00000000    ................
03D0: 00000000 00000000 00000000 00000000    ................
03E0: 00000000 00000000 00000000 00000000    ................
03F0: 00000000 00000000 00000000 00000000    ................


Pretty strange, huh?

Perhaps some Virus examiner could explain why it works?  My bets are on the
byte immediately following the boot code, $F0.  I think the virus looks for
this magic cookie when deciding whether to spread or increment a counter.

-ethan



-- 
Ethan R. Dicks      | ######  This signifies that the poster is a member in
                    |   ##    good sitting of Inertia House: Bodies at rest.
This space for rent |   ##
                    | ######  "You get it, you're closer."

carolyn@cbmvax.UUCP (Carolyn Scheppner CATS) (05/17/88)

In article <13348@tut.cis.ohio-state.edu> erd@tut.cis.ohio-state.edu (Ethan R. Dicks) writes:
>[]
>Here is this most amazing boot block...
>
>(it passes through VirusX _and_ Vcheck1.9)
>
>0000: 444F5300 37FCBB02 8721CBF9 43FA0018    DOS.7....!..C...
>0010: 4EAEFFA0 4A80670A 20402068 00167000    N...J.g. @ h..p.
>0020: 4E7570FF 60FA646F 732E6C69 62726172    Nup.`.dos.librar
>0030: 79000000 F0000000 54484953 20424F4F    y.......THIS BOO
>0040: 54424C4F 434B2043 414E4E4F 54204245    TBLOCK CANNOT BE
>0050: 20494E46 45435445 44204259 20544845     INFECTED BY THE
>0060: 20534341 2D564952 55532C20 42454341     SCA-VIRUS, BECA
>0070: 55534520 49542057 41532047 454E4552    USE IT WAS GENER
>0080: 41544544 20574954 48205448 45205649    ATED WITH THE VI
>0090: 5255532D 50524F54 4543544F 52205631    RUS-PROTECTOR V1
>00A0: 2E302042 59205448 45204D45 47412D4D    .0 BY THE MEGA-M
>00B0: 49474854 59205357 49535320 43524143    IGHTY SWISS CRAC
>00C0: 4B494E47 20415353 4F434941 54494F4E    KING ASSOCIATION
>00D0: 20212121 000000F0 00000000 00000000     !!!............

The SCA virus won't infect this bootblock because it works out to the
same checksum as a bootblock already infected with SCA.  This will
not protect against infection by any other bootblock viruses.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Carolyn Scheppner -- CATS   >>Commodore Amiga Technical Support<<
                     UUCP  ...{allegra,ihnp4,rutgers}!cbmvax!carolyn 
                     PHONE 215-431-9180
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Chad_The-Walrus_Netzer@cup.portal.com (05/18/88)

In [a previous article] (Ethan R. Dicks) writes:

)I have since written a program to read the boot block and save it to a
)1024-byte file, or write a 1024-byte file to the boot block.

	The programs "Blocker" and "Diskx2" (which was written by Steve
Tibbett, who also wrote VirusX) both do this same thing, BTW.
"Diskx2" is quite flexible in this regard, in fact...  A REAL nice disk
editor/explorer...

)Here is this most amazing boot block...
)(it passes through VirusX _and_ Vcheck1.9)

	VirusX has ALWAYS discovered this particular boot block when I
tried it.  (But NOT VirusX1.9...  BUG/INCONSISTENCY/MISIMPLEMENTATION!!)

[Boot block deleted]

)Pretty strange huh?
)Perhaps some Virus examiner could explain why it works?  My bets are on the
)byte immediately following the boot code, $F0.  I think the virus looks for
)this magic cookie when deciding whether to spread or increment a counter.

	Exactly right.  The SCA virus has a special check to see if the
Boot Block Checksum is a certain value.  If it is, the virus won't
infect that disk...  So how do you get the disk protected?  You use the
SCA virus eradicator program (called "Virus Protector V1.0", I believe).
It has a special option to "Protect" your disks from being infected by
the SCA virus...  This option then puts the dumb message in the boot
block.
	In my opinion it is better to rely on programs such as
"VirusX1.21", for your protection.  First of all, who would trust more
SCA programs?  Second, how do we know it is protected for REAL, and that
nothing else gets screwed up (This virus doesn't, but what about the
future?).  And three, I don't trust ANY program that doesn't check to
see if a disk is writeable before writing to it... Try it...  Insert a
WRITE-Protected disk into df0: while running "Virus-Protector", and
select the "Virus kill" or "Disk protect" options...  the disk drive
will spin, and the program will report that the operation was completed
successfully... WRONG!!!  The idiot programmers didn't even do a simple
Write-Protect check (which also means they must use their OWN code, and
not Amiga-DOS to do their disk I/O (Which I DON'T trust...))

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
				Chad 'The_Walrus' Netzer -> AmigaManiac++

"Ever have one of those life's?"
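
Added example, not code from this thread and not from ViewBoot, VirusX,
Vcheck or Virus-Protector: the boot-block checksum that Carolyn's and
Chad's replies say the SCA virus tests.  It assumes the standard AmigaDOS
checksum (ones'-complement sum of the 256 longwords with the checksum
field counted as zero, then inverted), parses the hex dump Ethan posted,
confirms that the stored $37FCBB02 really is that block's checksum, and
then shows how one spare longword lets a generator force any other block
to the same checksum.  All function and variable names are my own.

```python
"""Amiga boot-block checksum, worked through on the Virus-Protector block above.

Added example, not code from the thread or from any tool it names.  Assumes the
standard AmigaDOS boot-block checksum: the 256 big-endian longwords of the
1024-byte block are added with end-around carry (ones' complement addition),
the checksum longword at offset 4 counting as zero, and the sum is inverted.
"""
import re

BLOCK_SIZE = 1024
CHECKSUM_OFFSET = 4          # 'DOS\0' is at 0, the checksum longword follows it
MASK32 = 0xFFFFFFFF

# Hex columns copied from Ethan's dump above (ASCII column dropped); every
# byte from 0x0E0 to 0x3FF is zero and is supplied by the parser's padding.
VIRUS_PROTECTOR_DUMP = """\
0000: 444F5300 37FCBB02 8721CBF9 43FA0018
0010: 4EAEFFA0 4A80670A 20402068 00167000
0020: 4E7570FF 60FA646F 732E6C69 62726172
0030: 79000000 F0000000 54484953 20424F4F
0040: 54424C4F 434B2043 414E4E4F 54204245
0050: 20494E46 45435445 44204259 20544845
0060: 20534341 2D564952 55532C20 42454341
0070: 55534520 49542057 41532047 454E4552
0080: 41544544 20574954 48205448 45205649
0090: 5255532D 50524F54 4543544F 52205631
00A0: 2E302042 59205448 45204D45 47412D4D
00B0: 49474854 59205357 49535320 43524143
00C0: 4B494E47 20415353 4F434941 54494F4E
00D0: 20212121 000000F0 00000000 00000000
"""

_DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{4}):((?:\s+[0-9A-Fa-f]{8})+)")


def parse_dump(text, size=BLOCK_SIZE):
    """Turn 'OFFS: hhhhhhhh hhhhhhhh ...' lines into a zero-padded block.

    A trailing ASCII column (as in the post) is ignored: it never forms a
    whitespace-separated run of exactly eight hex digits.
    """
    block = bytearray(size)
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        block[offset:offset + len(data)] = data
    return block


def bootblock_checksum(block):
    """Ones'-complement sum of all longwords (checksum field as 0), inverted."""
    total = 0
    for off in range(0, BLOCK_SIZE, 4):
        if off == CHECKSUM_OFFSET:
            continue                       # same as adding zero
        total += int.from_bytes(block[off:off + 4], "big")
        if total > MASK32:                 # carry out of bit 31 wraps around
            total = (total & MASK32) + 1
    return ~total & MASK32


def stored_checksum(block):
    return int.from_bytes(block[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 4], "big")


def checksum_is_valid(block):
    return bootblock_checksum(block) == stored_checksum(block)


def force_checksum(block, free_offset, target):
    """Return a copy of `block` whose (valid) checksum equals `target`.

    The sum is taken modulo 2**32 - 1, so one spare longword that the boot
    code never reads can absorb any difference.  That is all a generator needs
    to emit a block checksumming to a chosen value, the trick the thread
    attributes to Virus-Protector.  `free_offset` is assumed unused by the code.
    """
    if free_offset % 4 or free_offset == CHECKSUM_OFFSET:
        raise ValueError("free_offset must be a longword other than the checksum")
    out = bytearray(block)
    out[free_offset:free_offset + 4] = b"\0\0\0\0"
    have = ~bootblock_checksum(out) & MASK32      # folded sum with free word = 0
    want = ~target & MASK32
    delta = (want - have) % MASK32                # MASK32 == 2**32 - 1
    out[free_offset:free_offset + 4] = delta.to_bytes(4, "big")
    out[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 4] = target.to_bytes(4, "big")
    return out


def demo():
    block = parse_dump(VIRUS_PROTECTOR_DUMP)
    print("stored   0x%08X" % stored_checksum(block))
    print("computed 0x%08X" % bootblock_checksum(block))
    print("valid:", checksum_is_valid(block))
    # Constructed variant: different text, then forced to the same checksum
    # via the last longword of the block, which is zero and unused here.
    variant = bytearray(block)
    msg = b"ADDED EXAMPLE: OTHER TEXT, SAME CHECKSUM"
    variant[0x38:0x38 + len(msg)] = msg
    forced = force_checksum(variant, 0x3FC, stored_checksum(block))
    print("forced   0x%08X valid: %s" % (stored_checksum(forced),
                                          checksum_is_valid(forced)))


if __name__ == "__main__":
    demo()
```

Run it and the stored and computed values both come out as $37FCBB02.
Because the sum is taken modulo 2^32-1, any block with one unused
longword can be made to produce that value, which is why a bootblock
like this one confuses only a virus that keys on the checksum (as the
replies above say SCA does) and is no protection against anything else.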