MIKEMAC@UNB.CA (Michael J. MacDonald I.S.P.) (02/07/91)
I received a call on Jan 29, 91 from a local PC retailer. They seemed to have a virus.

This is what I was told:

1) it ``appeared'' about a week ago.
2) any access of an uninfected disk infects it.
3) infects any version of DOS, he said that ``4.01 was worse''
4) infects a 386
5) warm boot infects.
6) infects all disks 1.2M, 5 1/4, 3.5, and hard disks.
7) formatting a 1.2M disk on an infected machine will format the full disk 100% complete, and then returns an Invalid Media or Track 0 bad. Formatting the exact same disk with an uninfected system, the format completes successfully with no errors.
8) McAfee's(sp) scan V72 does not detect it
9) f-disinf version 1.12 July 90 says: ``This boot sector is infected with a new version of the virus.'' (no name).

What I have done and ``know to be true'':

1) A fresh copy of Scan V72 and AVSearch 2.21 from the wuarchive does not detect it.
2) I watched them do 7, 8 and 9 and I duplicated 8 on my own equipment.
3) If I try to boot an IBM PC Portable (luggable) (8086, 2 floppy, no hard disk), the drive light comes on to do the boot and it never goes off. A ctrl-alt-del does not do anything.
4) If I try to boot an IBM PC (original) (8086, 2 floppy, no hard disk), the drive light comes on to do the boot and it goes off, no boot, no error message. If I then stick in a clean bootable floppy and ctrl-alt-del, it will boot and not infect the clean floppy.
5) The person said that the disk I had could boot a clone, but it would not boot a true blue IBM 8086; it might boot a 386, didn't try.
6) f-disinf version 1.13 says: ``This boot sector is infected with a new version of the Stoned virus.''
7) f-disinf version 1.14 says: (not a quote) This is not a typical boot sector and could be a virus.

I contacted Kenneth van Wyk and after exchanging a few notes etc. I received a confirmation that it was a new virus. Fortunately the mdisk suite of utilities appears to clean up this virus.

Anyway, to make a long story short.
We appear to have a brand new boot sector virus. As far as a name, I suggest 910129 as the date of first appearance. There is no ASCII text in the boot sector. An ugly name, and if anyone has a better suggestion that's ok. I do not have a machine that I can get an active virus to run on such that I can test it.

I just received the following note from Ken:

> Mike,
>
> Our technical contacts said that you should feel free to give the virus a
> name and send a write-up to VIRUS-L about it. They also added that,
> it'll eventually write junk over the master boot record of the first
> hard disk (causing not-too-hard-to-reverse loss of access to C: etc).
>
> Hope this helps.
>
> Cheers,
>
> Ken

I would like to express my thanks to Kenneth van Wyk for his assistance in tracking this down and also for VIRUS-L.

Thanks all.

mikemac...

P.S. If you want to contact me about this please feel free, but NOTE:

1) I will not send a copy of the virus to people who ask unless first OKed by Ken.
2) I will be on vacation for the next two weeks.

========================================================================
Michael MacDonald, I.S.P.
Senior Systems Specialist, Faculty of Computer Science
University of New Brunswick
P.O. Box 4400
Fredericton, New Brunswick
CANADA E3B 5A3
(506) 453-4566
Netnorth/BITNET: MIKEMAC@UNB.CA

It is wrong to assume that because a computer can calculate PI to
several thousand digits in a blink of an eye that it is any more
intelligent than your average toaster.
========================================================================