padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (03/28/91)
It seems that quite a few folks are getting hit by the AZUSA virus. Removing it, while not very difficult, is complicated by the fact that the virus has completely overwritten the master boot record code, so that the original cannot be simply retrieved from another location as with most such viruses (STONED, JOSHI, etc.). Since the virus has also overwritten the ASCII warning messages, simple patching of the virus code to remove the infection is not a good solution.

The virus does contain the essential partition table information from the uninfected code at the proper offset (BE - FD), so removal of the virus requires the following steps:

1) Obtain a "good" master boot record from the same DOS version or higher.
2) Cold boot the infected machine from a write-protected floppy.
3) Extract the partition table information from the virus.
4) Graft the partition table into the uninfected MBR code.
5) Overwrite the virus with the composite MBR code.

The following assembly language fragment can be used to perform this function. It assumes that a "good" MBR has been loaded into offset 200h-3FFh and that the infected PC has been cold-booted clean. (DEBUG format; offsets in parentheses are the jump targets.)

        MOV AX,0201               ;read a sector (AH=02 read, AL=01 sector)
        MOV BX,0400               ;into offset 400h-5FFh (ES:BX buffer)
        MOV CX,0001               ;MBR (CH=cylinder 0, CL=sector 1)
        MOV DX,0080               ;fixed disk (DH=head 0, DL=80h first hard disk)
        INT 13
        CMP WORD PTR [03FE],AA55  ;make sure it was read (55AA signature word)
        JZ 0118
        JMP 013C                  ;exit with ERRORLEVEL if not
        PUSH CS                   ;(0118) align segment registers
        POP DS
        PUSH DS
        POP ES
        MOV SI,05BE               ;point si & di at table areas (1BEh into each sector)
        MOV DI,03BE
        MOV CX,0020               ;40h bytes = 20h words (partition table, 1BE-1FD)
        REPZ MOVSW                ;put table into clean MBR
        MOV AX,0301               ;(0127) write one sector (AH=03 write, AL=01 sector)
        MOV BX,0200               ;from the "good" area
        MOV CX,0001               ;to MBR
        MOV DX,0080               ;of infected disk
        INT 13                    ;we could read it before so
        JB 0127                   ;try again on failure (carry set = error)
        MOV AX,4C00               ;exit ERRORLEVEL zero (pass)
        INT 21
        MOV AX,4C01               ;(013C) exit ERRORLEVEL one (fail)
        INT 21

Padgett

ps - fiddling at this level is not for the inexperienced, caveat y'all.
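As an added example (not code from Padgett's post, and not from any tool named in the thread), the same graft carried out in Python on two constructed 512-byte sector images: validate the 55AA signature on both sectors, sanity-check the partition entries read out of the infected sector, and copy offsets 1BE-1FD into the clean template. It stops at producing the composite sector rather than writing it to a disk; the sample boot code bytes, the sample table values and the function names are constructed for this illustration.

```python
"""
Graft the partition table from an infected MBR image into a clean MBR image.

Constructed example. Sector layout (standard MBR): boot code at 0x000-0x1BD,
four 16-byte partition entries at 0x1BE-0x1FD, signature 55 AA at 0x1FE.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE            # first partition entry (BE within the sector's second 256 bytes)
TABLE_SIZE = 4 * 16             # four entries: 0x1BE..0x1FD, the 40h bytes the DEBUG script copies
SIG_OFFSET = 0x1FE              # bytes 55 AA, i.e. little-endian word AA55
MBR_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"         # boot flag, CHS start, type, CHS end, LBA start, sector count


def has_boot_signature(sector: bytes) -> bool:
    """Same test as CMP WORD PTR [..],AA55 in the DEBUG fragment."""
    return len(sector) == SECTOR_SIZE and sector[SIG_OFFSET:SIG_OFFSET + 2] == MBR_SIGNATURE


def parse_partition_table(sector: bytes) -> list:
    """Decode the four entries into dicts (boot flag, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        boot, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        entries.append({"boot": boot == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def graft_partition_table(clean_mbr: bytes, infected_mbr: bytes) -> bytes:
    """Return clean_mbr with the partition table taken from infected_mbr (steps 3 and 4)."""
    if not has_boot_signature(clean_mbr):
        raise ValueError("clean MBR image lacks the 55AA signature")
    if not has_boot_signature(infected_mbr):
        raise ValueError("infected sector lacks the 55AA signature; the read may have failed")
    table = infected_mbr[TABLE_OFFSET:TABLE_OFFSET + TABLE_SIZE]
    # Sanity checks before anything is written anywhere: every boot flag must be
    # 00 or 80, and at least one entry must describe a real partition.
    for i in range(4):
        flag = table[16 * i]
        if flag not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid boot flag {flag:#04x}")
    if not any(e["sectors"] for e in parse_partition_table(infected_mbr)):
        raise ValueError("partition table in the infected sector is empty")
    composite = bytearray(clean_mbr)
    composite[TABLE_OFFSET:TABLE_OFFSET + TABLE_SIZE] = table   # the REPZ MOVSW step
    return bytes(composite)


def make_sector(code: bytes, entries: list) -> bytes:
    """Build a constructed 512-byte sector image: code, four entries, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    for i, (boot, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i,
                         boot, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[SIG_OFFSET:] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample data: placeholder bytes, not real boot code or virus code.
CLEAN_CODE = b"\xFA\x33\xC0" + b"CLEAN-MBR-CODE".ljust(TABLE_OFFSET - 3, b"\x90")
BAD_CODE = b"\xEB\x10" + b"OVERWRITTEN-CODE".ljust(TABLE_OFFSET - 2, b"\x00")
SAMPLE_TABLE = [(0x80, 0x06, 63, 65473), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)]

CLEAN_MBR = make_sector(CLEAN_CODE, [(0, 0, 0, 0)] * 4)   # "good" MBR, empty table
INFECTED_MBR = make_sector(BAD_CODE, SAMPLE_TABLE)         # foreign code, table intact


def demo() -> bytes:
    """Produce the composite sector from the two constructed images."""
    return graft_partition_table(CLEAN_MBR, INFECTED_MBR)


if __name__ == "__main__":
    result = demo()
    for i, entry in enumerate(parse_partition_table(result)):
        print(i, entry)
```

The composite keeps bytes 0-1BD from the clean image and 1BE-1FD from the infected one, which is exactly what the DEBUG fragment assembles at offset 200h before its write; a real run would then write that sector with a raw-sector tool while booted from a clean, write-protected floppy, as the post describes.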
128a-1ha@web-4e.berkeley.edu (04/14/91)
padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:
>
> It seems that quite a few folks are getting hit by the AZUSA
> virus. Removing it, while not very difficult, is complicated by the
> fact that the virus has completely overwritten the master boot record
> code so that the original cannot be simply retrieved from another
> location as with most such viruses (STONED, JOSHI, etc). Since the
> virus has also overwritten the ASCII warning messages, simple patching
> of the virus code to remove the infection is not a good solution.
> ...source code deleted...

I got a copy of the virus from my friend. I did find a copy of the original boot sector on the disk (floppy); not sure about the partition table, though, since my hard drive is not infected. It was located on the second to the last sector. Does anyone know whether this virus infects all floppies or just some? I am planning to write a program to write the original boot sector back, since my version of clean does not recognize it yet. Are there any virus experts against this? Say so fast, my program is almost ready..

--Nelson
--128a-1ha@web.berkeley.edu