MIKEMAC@UNB.CA (Michael J. MacDonald I.S.P.) (02/07/91)
I received a call on Jan 29, 91 from a local pc retailer.
They seemed to have a virus.
This is what I was told:
1) it ``appeared'' about a week ago.
2) any access of an uninfected disk infects it.
3) infects any version of dos, he said that ``4.01 was worse''
4) infects a 386
5) warm boot infects.
6) infects all disks 1.2M, 5 1/4, 3.5, and hard disks.
7) formatting a 1.2M disk on an infected machine will format the
full disk 100% complete, and then returns an Invalid Media or Track
0 bad. Formatting the exact same disk with an uninfected system
the format completes successfully with no errors.
8) McAfee's(sp) scan V72 does not detect it
9) f-disinf version 1.12 July 90 says:
``This boot sector is infected with a new version of the virus.''
(no name).
What I have done and ``know to be true''
1) A fresh copy of Scan V72 and AVSearch 2.21 from the wuarchive
does not detect it.
2) I watched them do 7, 8 and 9 and I duplicated 8 on my own equipment.
3) If I try to boot an IBM PC Portable (luggable) (8086) (2 floppy) no
hard disk. The drive light comes on to do the boot and it never goes
off. A ctrl-alt-del does not do anything.
4) If I try to boot an IBM PC (original) (8086) (2 floppy) no
hard disk. The drive light comes on to do the boot and it goes
off, no boot, no error message. If I then stick in a clean
bootable floppy and ctrl-alt-del it will boot and not infect the
clean floppy.
5) The person said that the disk I had could boot a clone, but it would
not boot a true blue IBM 8086, it might boot a 386; didn't try.
6) f-disinf version 1.13 says:
``This boot sector is infected with a new version of the Stoned virus.''
7) f-disinf version 1.14 says: (not a quote)
This is not a typical boot sector and could be a virus.
I contacted Kenneth van Wyk and after exchanging a few notes etc
I received a confirmation that it was a new virus.
Fortunately the mdisk suite of utilities appears to clean up this
virus.
Anyway to make a long story short. We appear to have a brand new
boot sector virus. As far as a name, I suggest 910129 as the
date of first appearance. There is no ascii text in the boot
sector. An ugly name and if anyone has a better suggestion that's
ok. I do not have a machine that I can get an active virus to run on
such that I can test it.
I just received the following note from Ken
> Mike,
>
> Our technical contacts said that you should feel free to give the virus a
> name and send a write-up to VIRUS-L about it. They also added that,
> it'll eventually write junk over the master boot record of the first
> hard disk (causing not-too-hard-to-reverse loss of access to C: etc).
>
> Hope this helps.
>
> Cheers,
>
> Ken
I would like to express my thanks to Kenneth van Wyk
for his assistance in tracking this down and also for VIRUS-L
Thanks all.
mikemac...
P.S. if you want to contact me about this please feel free but NOTE
1) I will not send a copy of the virus to people who ask unless first
OK'd by Ken.
2) I will be on vacation for the next two weeks.
========================================================================
Michael MacDonald, I.S.P.
Senior Systems Specialist,
Faculty of Computer Science
University of New Brunswick
P.O. Box 4400
Fredericton, New Brunswick
CANADA E3B 5A3
(506) 453-4566

It is wrong to assume that because a computer can calculate PI to
several thousand digits in a blink of an eye that it is any more
intelligent than your average toaster.
Netnorth/BITNET: MIKEMAC@UNB.CA
========================================================================
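
Added example, not part of the original post and not the logic of f-disinf or any other tool named in it: a defender's triage check that lists how a 512-byte sector image departs from a typical DOS boot sector, including the "no ascii text" property the post reports. It assumes the standard DOS boot sector layout; the function names are hypothetical and both sample sectors are constructed here, not taken from the virus.

```python
import re
import struct

SECTOR_SIZE = 512

def ascii_runs(sector: bytes, min_len: int = 6) -> list:
    """Return runs of printable ASCII at least min_len bytes long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, sector)

def boot_sector_findings(sector: bytes) -> list:
    """List ways a 512-byte sector deviates from a typical DOS boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    findings = []
    if sector[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA signature")
    # DOS boot sectors normally open with EB xx 90 (short jump, NOP) or E9 (near jump).
    if not ((sector[0] == 0xEB and sector[2] == 0x90) or sector[0] == 0xE9):
        findings.append("no standard jump at offset 0")
    # BIOS parameter block: bytes per sector is a little-endian word at offset 11.
    if struct.unpack_from("<H", sector, 11)[0] not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes-per-sector in BPB")
    # A normal boot sector carries an OEM name and error-message strings.
    if not ascii_runs(sector):
        findings.append("no ASCII text")
    return findings

def constructed_typical_sector() -> bytes:
    """Constructed sample laid out like a clean DOS floppy boot sector."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xeb\x34\x90"
    s[3:11] = b"IBM  3.3"
    struct.pack_into("<H", s, 11, 512)
    msg = b"Non-System disk or disk error"
    s[0x180:0x180 + len(msg)] = msg
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def constructed_textless_sector() -> bytes:
    """Constructed sample: valid signature, but no jump, no BPB and no text."""
    s = bytearray(b"\xfa" * SECTOR_SIZE)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for name, sec in (("typical", constructed_typical_sector()),
                      ("textless", constructed_textless_sector())):
        print(name, boot_sector_findings(sec) or "looks typical")
```

The checks apply to floppy and partition boot sectors; a hard disk master boot record has no BPB, so the bytes-per-sector finding is expected there.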