padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (12/13/90)
Recently, I received several infected disks in what appear to be the original un-opened sealed envelopes. Examination showed that the seals, while similar to those on the "Modular Component Technologies" disk that contained the STONED virus, are different. First, the envelopes have square flaps rather than the triangular one used on the MCT disk. Second, the "floppy disk" seal uses a thinner font and a different typeface than the MCT. Finally, the red square overlay is centered on the seal and has different (Chinese ?) characters. The seals bear the (sequence ?) numbers 01206 and 01081.

As mentioned, SCAN v71 does detect this virus [Muboot] on these disks but CLEAN does not disinfect them. Floppies may be disinfected by replacement of the boot sector, though the other eight sectors of the virus may have overlaid part of files on the disk. On the samples provided, the virus stores the real boot sector followed by seven viral code sectors on the disk, with the CX and DX values for Int 13 retrieval stored in offset 42h (DX) and 44h (CX) of the disk boot sector. The original disks show no errors, but after infecting a floppy, CHKDSK reported "4 lost clusters in 4 chains" where the 4096 bytes of viral code appeared on the disk following pre-existing programs. Since the real boot sector is stored here, use of the /F with CHKDSK followed by deletion/overwrite of the "garbage" files would render a previously bootable floppy disk unbootable.

In limited testing on a hard disk (ST-412), the virus infects the boot record (not the partition table) and after a cold boot from a clean, protected floppy, the above method of recovery works. On the HD, the "lost clusters" do not coincide with the viral code; instead files in other areas may be corrupted/lost in multiple 4k (or larger) chunks.
My concern is that, since these disks were apparently distributed along with Packard-Bell Computers and these computers are generally sold by mass marketeers & department stores (I have seen about a dozen ads in the last week), the potential for a considerable spread exists. I have no idea how many disks are involved.

Incidentally, regardless of the operating system involved, these infected disks have the signature "IBM 3.3" in the infected boot record and the first three bytes of the sector are "FA E9 CC". No "stealth" is involved. An infected machine will have total memory reduced by 4096 bytes (on a 640k machine, CHKDSK will report 651264 bytes instead of 655360).

The following is an abbreviated directory listing of the three infected distribution disks (2 in "SVA" envelope, 1 in "COMBASE" envelope - note: id is by disk label, there are no markings on the envelopes other than the seal):

"SVGA-Utility" Disk No. 1

 Volume in drive A has no label
 Directory of A:\

VGA800   DRV     32720  10-19-88
VGA800   GRB      3573  10-18-88
VGA800   LGO       468  10-18-88
SD_VGA_5 VGA     46592  10-07-88
SDVGA8   VGA     48128  10-05-88
DSVGA    EXE     11003  10-13-88
VP11     EXE     11006   3-19-87
GEMINSTL BAT      2935  10-29-88
SETUP    TXT      1968  10-23-88
VP       BAT        51  10-23-88
GEMSETUP TXT     12072  11-03-88
VP1_1    TXT      2205  10-30-88
OAK25V2  DRV       990   1-25-89
OAK43V2  DRV       990   1-25-89
OAK640V2 DRV      2023   1-25-89
OAK800V2 DRV      2023   1-25-89
OAK3     SC       1503   2-08-89
OAK4     SC       1539   2-08-89
OAK5     SC       6611   2-07-89
OAK6     SC       6625   2-07-89
OAK1     SC       1503   3-07-89
OAK2     SC       1539   3-07-89
DSVGA9   EXE     13480   3-16-89
READ     ME       1513   1-03-80
UTILITY      <DIR>       1-01-80
       25 File(s)     59392 bytes free

"SVGA-Utility" Disk No. 2

 Volume in drive A has no label
 Directory of A:\

WIN30        <DIR>       1-01-80
OAK386   3EX     34460   2-24-89
OAK386   386    139491   2-24-89
OAK386   GRB      8589   2-24-89
OAK386   LGO       468  11-12-87
OAK386   DRV     32720  10-19-88
READ     ME        574   8-09-90
        7 File(s)     67584 bytes free

"COMBASE" Disk

 Volume in drive A is NN
 Directory of A:\

ADCOMHLP DBF      1214   3-31-89
ADCOMHLP DBT     36462   3-31-89
ADCOMM   DBT      1536   2-08-88
ADCOMMAC DBT      1024  11-18-87
COMBASE  EXE    289328   3-31-89
ADCOMMAC MAC       211   3-31-89
ADCOMM   MAS        66   1-11-90
ADCOMM   TEL       540   1-18-90
ADCOMDEF MEM      1348   1-16-90
CAPTURE  TXT         0   5-06-89
       10 File(s)     25600 bytes free
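As an added example (not part of Padgett's post, nor any tool he mentions), the indicators he lists can be turned into a small check that a responder can run over a raw 512-byte boot-sector image: the "FA E9 CC" prefix, the "IBM 3.3" string, and the INT 13h CX/DX words he says are stored at offsets 42h and 44h, decoded into cylinder/head/sector so the saved original boot sector can be located for recovery. Little-endian storage of those words (the usual x86 convention) and the contents of the two sample sectors are assumptions, not facts from the post.

```python
# Added example, not from the original post. Checks a boot-sector image for the
# Muboot indicators the post reports and decodes the saved INT 13h CX/DX words.
import struct

MUBOOT_PREFIX = b"\xFA\xE9\xCC"   # first three bytes of an infected sector (post)
MUBOOT_OEM = b"IBM 3.3"          # string present in the infected boot record (post)
DX_OFFSET = 0x42                  # DX for Int 13h retrieval of the real boot sector (post)
CX_OFFSET = 0x44                  # CX for that same call (post)


def decode_int13_chs(cx, dx):
    """Decode the INT 13h register layout: CH = cylinder bits 0-7,
    CL bits 0-5 = sector, CL bits 6-7 = cylinder bits 8-9, DH = head, DL = drive.
    Returns (cylinder, head, sector, drive)."""
    ch, cl = cx >> 8, cx & 0xFF
    dh, dl = dx >> 8, dx & 0xFF
    cylinder = ch | ((cl & 0xC0) << 2)
    sector = cl & 0x3F
    return cylinder, dh, sector, dl


def inspect_boot_sector(sector):
    """Return the indicator matches for one 512-byte sector and, when both match,
    the CHS location of the saved original boot sector."""
    if len(sector) != 512:
        raise ValueError("expected a 512-byte boot sector image")
    prefix_match = sector.startswith(MUBOOT_PREFIX)
    oem_match = MUBOOT_OEM in sector          # searched, since the post gives no offset
    suspicious = prefix_match and oem_match
    original_chs = None
    if suspicious:
        # Assumption: the words are stored little-endian, as x86 code normally does.
        dx = struct.unpack_from("<H", sector, DX_OFFSET)[0]
        cx = struct.unpack_from("<H", sector, CX_OFFSET)[0]
        original_chs = decode_int13_chs(cx, dx)
    return {
        "prefix_match": prefix_match,
        "oem_match": oem_match,
        "suspicious": suspicious,
        "original_chs": original_chs,
    }


def build_sample_infected_sector():
    """Constructed sample (made-up values): an infected-looking sector whose saved
    CX/DX point at cylinder 39, head 1, sector 3 of drive 0."""
    sector = bytearray(512)
    sector[0:3] = MUBOOT_PREFIX
    sector[3:3 + len(MUBOOT_OEM)] = MUBOOT_OEM
    struct.pack_into("<H", sector, DX_OFFSET, 0x0100)  # DH=1 (head), DL=0 (drive A)
    struct.pack_into("<H", sector, CX_OFFSET, 0x2703)  # CH=39 (cylinder), CL=3 (sector)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def build_sample_clean_sector():
    """Constructed sample: an ordinary DOS-style boot sector prologue (JMP SHORT, NOP)
    with a different OEM string, so neither indicator matches."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[3:11] = b"MSDOS5.0"
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    for name, sec in (("constructed infected", build_sample_infected_sector()),
                      ("constructed clean", build_sample_clean_sector())):
        print(name, inspect_boot_sector(sec))
```

To use it on a real disk, read sector 0 of the floppy (or the DOS boot record of the hard disk partition) into a 512-byte bytes object and pass it to inspect_boot_sector; the returned original_chs is where the untouched boot sector should be found, which is the sector a responder would copy back rather than letting CHKDSK /F turn it into a "garbage" file as the post warns.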