padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (03/28/91)
It seems that quite a few folks are getting hit by the AZUSA
virus. Removing it, while not very difficult, is complicated by the
fact that the virus has completely overwritten the master boot record
code so that the original cannot be simply retrieved from another
location as with most such viruses (STONED, JOSHI, etc.). Since the
virus has also overwritten the ASCII warning messages, simple patching
of the virus code to remove the infection is not a good solution.
The virus does contain the essential partition table
information from the uninfected code in the proper offset (BE - FD) so
removal of the virus requires the following steps:
1) Obtain a "good" master boot record from the same DOS version or
higher.
2) Cold boot the infected machine from a write-protected floppy.
3) Extract the partition table information from the virus.
4) Graft the partition table into the uninfected MBR code.
5) Overwrite the virus with the composite MBR code.
The following assembly language fragment can be used to
perform this function. It assumes that a "good" MBR has been loaded
into offset 200h-3FFh and that the infected PC has been cold-booted
clean. (DEBUG format).
0100 MOV AX,0201              ;INT 13h fn 02h: read one sector
0103 MOV BX,0400              ;into offset 400h-5FFh (ES:BX)
0106 MOV CX,0001              ;cylinder 0, sector 1 = MBR
0109 MOV DX,0080              ;head 0, drive 80h = first fixed disk
010C INT 13
010E CMP WORD PTR [05FE],AA55 ;55AA signature of the sector just read
0114 JZ 0118                  ;present: go graft the table
0116 JMP 013C                 ;absent: exit with ERRORLEVEL one
0118 PUSH CS                  ;DS = ES = CS for the string move (0118)
0119 POP DS
011A PUSH DS
011B POP ES
011C MOV SI,05BE              ;SI -> partition table inside the virus sector (400h + 1BEh)
011F MOV DI,03BE              ;DI -> same offset inside the clean MBR (200h + 1BEh)
0122 MOV CX,0020              ;40h bytes = 20h words (four 16-byte entries)
0125 REPZ
0126 MOVSW                    ;put table into clean MBR
0127 MOV AX,0301              ;INT 13h fn 03h: write one sector (0127)
012A MOV BX,0200              ;from the composite "good" area 200h-3FFh
012D MOV CX,0001              ;to cylinder 0, sector 1 (MBR)
0130 MOV DX,0080              ;head 0, first fixed disk
0133 INT 13                   ;we could read it before so
0135 JB 0127                  ;CF set = write failed: try again
0137 MOV AX,4C00              ;exit ERRORLEVEL zero (pass)
013A INT 21
013C MOV AX,4C01              ;exit ERRORLEVEL one (fail) (013C)
013F INT 21
Padgett
ps - fiddling at this level is not for the inexperienced, caveat y'all.

128a-1ha@web-4e.berkeley.edu (04/14/91)
padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:
>
> It seems that quite a few folks are getting hit by the AZUSA
>virus. Removing it, while not very difficult, is complicated by the
>fact that the virus has completely overwritten the master boot record
>code so that the original cannot be simply retrieved from another
>location as with most such viruses (STONED, JOSHI, etc). Since the
>virus has also overwritten the ASCII warning messages, simple patching
>of the virus code to remove the infection is not a good solution.
>
> ...source code deleted...

I got a copy of the virus from my friend. I did find a copy of the
original boot sector on the disk (floppy); not sure about the partition
table though, since my hard drive is not infected. It was located on the
second to the last sector. Does anyone know: does this virus infect all
floppies or just some? I am planning to write a program to write the orig
boot sector back, since my version of clean does not recognize it yet.
Are there any virus experts against this? Say so fast, my program is
almost ready..

- --Nelson
- --128a-1ha@web.berkeley.edu
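Padgett's steps 3 to 5 above, carried out on 512-byte sector images instead of through INT 13h, as an added example that is part of neither post. Python is assumed here as the demonstration language; the two sector images are constructed for the example (not taken from a real disk), and the plausibility rules applied to the partition table are this example's own, not anything the thread specifies.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 0x1BE        # partition table lives at 1BEh..1FDh (Padgett's "BE - FD")
PT_LENGTH = 64           # four 16-byte entries
SIG_OFFSET = 0x1FE       # 55 AA boot signature in the last two bytes
# One entry: boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def has_boot_signature(sector: bytes) -> bool:
    """A sector that was really read (and is a boot sector) ends in 55 AA."""
    return len(sector) == SECTOR_SIZE and sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa"


def parse_partition_table(sector: bytes) -> list:
    """Decode the four entries so the table can be inspected before it is trusted."""
    entries = []
    for i in range(4):
        boot, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        entries.append({"index": i, "boot_flag": boot, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def table_is_plausible(entries: list) -> bool:
    """Example's own sanity rules: boot flags are 00h or 80h, at most one
    entry is active, and no used entry has zero length."""
    if any(e["boot_flag"] not in (0x00, 0x80) for e in entries):
        return False
    if sum(e["boot_flag"] == 0x80 for e in entries) > 1:
        return False
    return all(e["sectors"] > 0 for e in entries if e["type"] != 0)


def graft_partition_table(clean_mbr: bytes, infected_mbr: bytes) -> bytes:
    """Steps 3 and 4: lift the table out of the infected sector and drop it
    into the clean boot code. Refuses to build a composite that would be
    dangerous to write back in step 5."""
    if not has_boot_signature(clean_mbr):
        raise ValueError("clean MBR image lacks the 55AA signature")
    if not has_boot_signature(infected_mbr):
        raise ValueError("infected sector lacks the 55AA signature; the read probably failed")
    table = infected_mbr[PT_OFFSET:PT_OFFSET + PT_LENGTH]
    if not table_is_plausible(parse_partition_table(infected_mbr)):
        raise ValueError("partition table in the infected sector does not look intact")
    return clean_mbr[:PT_OFFSET] + table + clean_mbr[PT_OFFSET + PT_LENGTH:]


def make_sector(code: bytes, entries: list) -> bytes:
    """Build a constructed 512-byte sector image for the example."""
    body = code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    return body + table.ljust(PT_LENGTH, b"\x00") + b"\x55\xaa"


# Constructed images: a "clean" MBR whose own table is empty, and a sector
# whose boot code has been replaced while the table survived at 1BEh.
CLEAN_MBR = make_sector(b"\xfa\x33\xc0\x8e\xd0", [])
INFECTED_MBR = make_sector(b"\x90" * PT_OFFSET, [(0x80, 0x06, 63, 204737)])


if __name__ == "__main__":
    composite = graft_partition_table(CLEAN_MBR, INFECTED_MBR)
    for entry in parse_partition_table(composite):
        print(entry)
```

The example stops where Padgett's write loop begins: it hands back the composite sector and leaves the decision of how it goes back to cylinder 0, head 0, sector 1 to the caller, which is also the point at which a backup of the original sector should already exist.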