[comp.virus] "Empire" virus

padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (04/12/91)

Tim Martin at the University of Alberta was kind enough to forward to
me this new virus. First reported as a STONED variant, examination has
shown a considerable number of differences from the traditional
STONED.

This alert is a result of a disassembly performed on the boot sector
of an infected floppy. Since the sector containing the display message
was not included, that text is not available; however, examination
indicates that this second sector (trk 0 hd 1 sector 3 on floppy)
contains only text.

Listing follows:

Virus Name:  EMPIRE
Aliases:
V Status:    New
Discovery:   April, 1991
Symptoms:    Memory reduction, possible floppy failures, Messages
Origin:      Alberta Canada (?)
Eff. Length: N/A
Type Code:   BPRtS (Boot and Partition table infector - Resident TOM - Stealth)
Detection:   CHKDSK, F-DISKINF, DISKSECURE (SCAN v76C does not pick this up)
Removal:     Cold boot from clean, write-protected floppy, replace MBR (fixed
             disk) or Boot Record (floppy); see text.
General Comments: On first look, the virus appears similar to the STONED but
       there are notable differences: a "cute" trick at the start will throw a
       researcher off if a standard STONED opening is expected. The virus
       consists of two sectors - the first, which replaces the MBR on a fixed
       disk and the BR on a floppy, contains the executable code. The
       second sector contains the display message; I have not seen this as
       yet but it is said to refer to the USA as the "evil empire" and
       makes reference to the war with Iraq. This sector has a trivial
       encryption scheme to defeat text examination.

       When active in a PC, total memory will be reduced by 2048 bytes
       (CHKDSK will return 653312 "total bytes memory" on a 640k machine)

       A "stealth" mechanism is employed by the virus so that an examination
       of the MBR will fail when the virus is active in memory since
       any request for the MBR will be intercepted by the virus and the
       real MBR will be returned. Similarly, any attempt to write to the
       MBR will be changed to a reset by the virus.

       No message is displayed at boot-up; instead, display is triggered by
       the real-time clock during operation.

       On a floppy disk the original boot record is stored on track 0 head 1
       sector 2 and the message is stored on the next sector. High density
       floppies may exhibit failures as a result of this. Low density floppies
       with over 80 directory entries may also have problems. These can
       occur even long after the floppy is disinfected if the directory is
       not restored.

       The original MBR on a fixed disk is stored on cyl 0 head 0 sector 6
       with the message on the next sector. Normally, this should be in
       the "hidden sector" area but a disk without "hidden sectors" will
       probably experience FAT failures.

       Signature scanning should reveal the virus when booted from a clean
       floppy disk using the string "A3 08 7C A1 13 04 48".
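
The following is an added example, not part of the original alert, showing
how a researcher working from a clean boot can apply the two checks above
to a raw disk image: look for the signature string in sector 0, and compute
where the alert says the original boot record / MBR and the message sector
were parked, so they can be inspected or copied back. The seven signature
bytes decode (16-bit code) to "mov [7C08h],ax / mov ax,[0413h] / dec ax";
0413h is the BIOS data area memory-size word at 0040:0013, which is why the
memory-reduction symptom and this string go together. The image geometry
(heads, sectors per track) is supplied by the caller and is an assumption;
the sample image is constructed here and holds only the signature bytes,
not virus code.

```python
"""Added example (not from the original comp.virus post): locate the
EMPIRE signature in sector 0 of a raw image and compute the CHS offsets
the alert gives for the stashed original boot record and message sector.
Image geometry is an assumption passed in by the caller."""

from typing import Optional

SECTOR = 512
# Signature bytes quoted in the alert: "A3 08 7C A1 13 04 48".
EMPIRE_SIG = bytes.fromhex("A3087CA1130448")
MEMORY_REDUCTION = 2048  # bytes of conventional memory lost while resident


def chs_to_offset(cyl: int, head: int, sector: int, heads: int, spt: int) -> int:
    """Byte offset of a CHS address in a raw image (sectors are 1-based)."""
    if sector < 1 or sector > spt or head >= heads:
        raise ValueError("CHS address outside the supplied geometry")
    lba = (cyl * heads + head) * spt + (sector - 1)
    return lba * SECTOR


def find_signature(sector: bytes) -> Optional[int]:
    """Offset of the EMPIRE signature inside a sector, or None if absent."""
    pos = sector.find(EMPIRE_SIG)
    return pos if pos >= 0 else None


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector ends with the 55 AA boot marker."""
    return len(sector) >= SECTOR and sector[510:512] == b"\x55\xAA"


def expected_chkdsk_total(conventional_kb: int = 640) -> int:
    """CHKDSK 'total bytes memory' to expect with the virus resident."""
    return conventional_kb * 1024 - MEMORY_REDUCTION


def stash_offsets(floppy: bool, heads: int, spt: int) -> dict:
    """Where the alert says the original boot record and message sector live.

    Floppy: trk 0 hd 1 sector 2 (original BR), sector 3 (message).
    Fixed disk: cyl 0 hd 0 sector 6 (original MBR), sector 7 (message).
    """
    if floppy:
        return {"original_br": chs_to_offset(0, 1, 2, heads, spt),
                "message": chs_to_offset(0, 1, 3, heads, spt)}
    return {"original_mbr": chs_to_offset(0, 0, 6, heads, spt),
            "message": chs_to_offset(0, 0, 7, heads, spt)}


def scan_image(image: bytes, floppy: bool, heads: int, spt: int) -> dict:
    """Check sector 0 of an image for the signature and report stash offsets."""
    boot = image[:SECTOR]
    return {"boot_signature_ok": has_boot_signature(boot),
            "empire_sig_at": find_signature(boot),
            "stash": stash_offsets(floppy, heads, spt)}


def make_sample_image() -> bytes:
    """Constructed 1.44 MB-geometry image: sector 0 carries only the
    signature bytes and the 55 AA marker (no executable code)."""
    boot = bytearray(SECTOR)
    boot[0x40:0x40 + len(EMPIRE_SIG)] = EMPIRE_SIG
    boot[510:512] = b"\x55\xAA"
    return bytes(boot) + bytes(SECTOR * 40)


if __name__ == "__main__":
    result = scan_image(make_sample_image(), floppy=True, heads=2, spt=18)
    print("signature at offset:", result["empire_sig_at"])
    print("stash offsets:", result["stash"])
    print("CHKDSK total on a 640K machine:", expected_chkdsk_total())
```

Run it against a real image taken while booted from a clean, write-protected
floppy; the stash offsets assume the geometry you pass in (18 sectors per
track and 2 heads for a 1.44 MB floppy, 9 per track for a 360K one).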