MMCCUNE@sctnve.BITNET (05/16/91)
Here is a new boot infector. I have a removal utility called NO_NOINT that removes it. It will be available on most FTP sites soon. I have also updated my INNOC utility to INNOC5 to handle this new virus. ...<MM>.

Noint Virus
-----------
(The Furtive Stoned Virus)

The Noint Virus was reported by Todd Fisher of Cleveland, OH, in May of 1991. This is a furtive Boot Sector infector capable of infecting hard disks as well as diskettes. It was reported that Noint can infect Novell networks.

The action of Noint is reminiscent of that of the Stoned virus. (Stoned is the most prevalent Boot-sector virus in the US.) Since Noint has, in addition, the ability to hide itself, which the Stoned does not, it is possible that Noint may in time become even more widespread than the Stoned.

The virus spreads ONLY by booting (or attempting to boot) from an infected disk(ette). If an infected diskette is left in a clean machine and the machine is turned off without removing the diskette, then the next time the computer is turned on the virus will become RAM-resident as soon as the machine reads and executes the Boot Sector of the diskette in drive A:, even though a "Non-System Disk or Disk Error" message is issued. By the time the operator removes the infected diskette and presses a key to continue booting, the virus has already infected the hard disk. It remains active in RAM, waiting for the next diskette to be inserted. From then on, every time the computer is booted from the hard disk, the virus becomes TSR and continues infecting new diskettes. A simple DIR of a diskette is sufficient to infect it. Noint does not infect files.

Like the Stoned, the virus moves a diskette's original Boot Sector to Track 1, Sector 3 and writes itself in the Boot Sector's place. In the case of hard disks, it is the Partition Table that gets displaced, to Track 0, Sector 7; the virus then writes itself into its place.
If an infected system is booted from a clean, non-infected system diskette, however, the virus will not be active. Files may then be copied and disks accessed without fear of infection. This is the approach to use when cleaning up an infected system.

The virus checks diskettes to see whether they are already infected by itself. If so, it does not try to infect them again. This feature has been used to develop an immunization program that effectively fools the virus into thinking that the immunized diskette is already infected, thus preventing infection. The program is included. It will immunize fresh diskettes and clean up infected ones, as long as the process is carried out on a clean system. A separate utility is provided to clean up infected hard disks. This utility has been tested on DOS systems only. Read the accompanying DOC files. Additional work is needed to allow cleaning up the virus on Novell systems without lengthy reformatting and reinstallation.

No manipulation tasks (damaging or otherwise) have been detected. However, since the virus stashes away the original Boot Sector of infected diskettes at the end of the Directory table, some diskette directory entries may be corrupted or overwritten. This may have the effect of displaying "unusual" filenames when a DIR of the diskette is listed.

There are two major differences between the action of the Stoned and that of Noint.

The first is that Noint does not use any BIOS calls (INT calls) as such (hence "No-Int"). Instead, it calls Int 13 by its direct address to do all reading from and writing to disk. Therefore, while the Noint virus will probably work on most IBM-compatible machines, it may not be able to run on all hardware.

The second difference between Noint and the Stoned is that Noint is a furtive ("stealth") infector, while the Stoned is not. It hides its code on disk as long as it is present in memory. Again, this is accomplished by means of a direct JMP to the Int 13 code, causing a redirection.
If the Boot Sector/Partition Table is examined while the Noint virus is in memory, the virus will not allow its code to be seen: it will redirect the Read and display instead the original Boot Sector which it has stashed away. This furtiveness works on some machines but not on all.

A suitable search string for the Noint virus is:
-------------
FF 2E 0C 01 00 53 51 52 56 57 06 BE 02 00 B8 01 02 B9 01 00
BB 00 02 0E 07 32 F6 9C 2E FF 1E 0C 01 73 0F 33
-------------

The above string contains an instance of bypassing a DOS Int call, as well as part of the read-redirection routine, so it should be typical of this virus and not cause false alarms. This string should be found in all Boot Sectors/Partition Tables of disks infected by it. If desired, either the upper or lower half only of the above string may be used with fair reliability to detect the virus. The string may be used with Norton Utilities, or with any of the virus scanners that accept replaceable, user-provided search strings, such as IBM's VIRSCAN. The characters may need to be reformatted or re-spaced to comply with the format requirements of each scanner.

------------------------------------------------------------------
This file and the attached utilities are provided as a public service by:

CompuService Norwalk
P.O. Box 385
Norwalk, CT 06852
(203) 847-8992
May, 1991
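As an added example, not part of the original post nor of the NO_NOINT/INNOC5 utilities, the Python below does what the search-string paragraph describes for a modern reader: it parses the printed hex string, scans a raw disk or diskette image sector by sector for it (full string, or either half on its own, with the split assumed to be at the 18-byte midpoint since the post does not say where it lies), and flags an image as infected only when the hit is in sector 0, the Boot Sector or Partition Table. It also carries the stealth caveat from the paragraph above into a check: sector 0 read on the suspect system is compared with sector 0 read after booting from a clean, write-protected diskette; with a resident stealth virus the two differ. The sample images are constructed for the demo and contain no real virus code; the 512-byte sector size and sector-0 layout are the standard DOS ones.

```python
"""Scan raw disk/diskette images for the Noint boot-sector search string.

Added example, not code from the original VIRUS-L post or its utilities.
Assumptions: 512-byte sectors, sector 0 = Boot Sector / Partition Table,
and the 'upper/lower half' of the search string split at the midpoint.
"""
import re

# The search string exactly as printed in the post (space-separated hex).
NOINT_STRING = (
    "FF 2E 0C 01 00 53 51 52 56 57 06 BE 02 00 B8 01 02 B9 01 00 "
    "BB 00 02 0E 07 32 F6 9C 2E FF 1E 0C 01 73 0F 33"
)
SECTOR_SIZE = 512


def parse_hex_string(text: str) -> bytes:
    """Convert a scanner-style hex string to bytes.

    Spaces and other separators are ignored, so 'FF 2E 0C' and 'FF2E0C'
    give the same result (scanners differ in the spacing they accept).
    """
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits in search string")
    return bytes.fromhex(cleaned)


NOINT_SIG = parse_hex_string(NOINT_STRING)            # 36 bytes
NOINT_UPPER = NOINT_SIG[: len(NOINT_SIG) // 2]        # first 18 bytes (assumed split)
NOINT_LOWER = NOINT_SIG[len(NOINT_SIG) // 2:]         # last 18 bytes (assumed split)


def scan_image(image: bytes, sig: bytes = NOINT_SIG) -> list:
    """Return a list of (sector, offset_in_sector) for every occurrence of sig."""
    hits = []
    start = 0
    while True:
        pos = image.find(sig, start)
        if pos < 0:
            return hits
        hits.append((pos // SECTOR_SIZE, pos % SECTOR_SIZE))
        start = pos + 1


def is_infected(image: bytes, sig: bytes = NOINT_SIG) -> bool:
    """Flag an image only when the string sits in sector 0.

    The post says the string is found in the Boot Sector / Partition Table
    of every infected disk; a hit elsewhere (e.g. inside a copied file) is
    not by itself an infection of that disk.
    """
    return any(sector == 0 for sector, _ in scan_image(image, sig))


def stealth_mismatch(read_live: bytes, read_clean: bytes) -> bool:
    """Compare sector 0 read on the suspect (live) system with sector 0 of the
    same disk read after a clean boot.  A resident stealth virus redirects the
    live read to the stashed original Boot Sector, so the two copies differ."""
    return read_live[:SECTOR_SIZE] != read_clean[:SECTOR_SIZE]


def make_sample_image(infected: bool, sectors: int = 8) -> bytes:
    """Construct a tiny demo image (not real media, no real virus code).

    Sector 0 looks like a DOS boot sector: a JMP stub, an OEM name and the
    55 AA signature at offset 510.  If 'infected', the search string is
    placed in the code area at offset 0x40 (an arbitrary demo position).
    """
    boot = bytearray(SECTOR_SIZE)
    boot[0:3] = b"\xEB\x3C\x90"            # JMP SHORT + NOP, typical of boot code
    boot[3:11] = b"DEMO 1.0"               # OEM name field
    boot[510:512] = b"\x55\xAA"            # boot signature
    if infected:
        boot[0x40:0x40 + len(NOINT_SIG)] = NOINT_SIG
    return bytes(boot) + bytes(SECTOR_SIZE * (sectors - 1))


if __name__ == "__main__":
    clean_read = make_sample_image(infected=True)    # what a clean boot sees on disk
    live_read = make_sample_image(infected=False)    # what the stealth virus shows
    for name, img in (("clean-boot read", clean_read), ("live read", live_read)):
        print(name, "full:", scan_image(img), "upper:", scan_image(img, NOINT_UPPER),
              "lower:", scan_image(img, NOINT_LOWER), "infected:", is_infected(img))
    print("stealth mismatch between reads:", stealth_mismatch(live_read, clean_read))
```

The practical lesson is in the last line: a scanner that only searches sectors as read on the running machine can miss Noint entirely, which is why the post insists on working from a clean, write-protected boot diskette before trusting any scan or cleanup.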