76304.1407@CompuServe.COM (Ray Glath) (12/13/90)
BEIJING VIRUS (a.k.a. "Bloody" virus)
December 7, 1990
Copyright Raymond M. Glath, Sr.
President, RG Software Systems, Inc.
6900 E. Camelback Road, #630
Scottsdale, AZ 85251
(602) 423-8000

New virus discovery.

First reported appearance on a number of computers in the Civil Engineering Department at Massachusetts Institute of Technology (M.I.T.) in Cambridge, MA, USA. Mr. ( ) had been experiencing strange events with several systems. Running Vi-Spy showed that there was an unexplainable 2048 bytes of RAM that was "hidden" from DOS. Mr. ( ) used Vi-Spy to acquire the partition table and boot sector into a file, which he then sent to RG Software Systems, Inc.'s Virus Analysis Lab (VAL), where the code was disassembled and analyzed. Within 24 hours after receipt of the virus sample, an identification pattern was developed and an updated "emergency release" of Vi-Spy was shipped overnight to Mr. ( ).

Type of virus: PC DOS boot infector. Also infects the partition table (Master Boot Record) on hard disks (drive C:).

Vector: 5 1/4" diskettes only.

Types of computers susceptible to infection: PCs and compatibles with 640K or more RAM.

Infection acquired by: Attempting to boot from an infected diskette, whether or not the diskette is "bootable".

Symptoms:
  - Available RAM size decreases by 2048 bytes.
  - 3 1/2" diskettes become non-readable.
  - Occasional "garbage characters" appear on screen.
  - Diskettes that were "bootable" will no longer boot the system.
  - 5 1/4" high density diskettes may show "0 bytes in 1 hidden files" as a message from CHKDSK.

Danger level: Considered to be a very dangerous virus in that it may cause damage to any diskette or hard disk, due to bugs in the virus that can cause it to write to the FAT or the root directory.

Naming convention used: This virus was named for the political statement it attempts to make. The following message is stored in encrypted form. Due to a bug in the virus' decryption routine, the actual message may be displayed as garbage characters.

Encrypted message: "Bloody! Jun. 4, 1989"

This is the date of the Chinese "Tiananmen Square" confrontation between rebelling students and the Chinese Army in Beijing.

Technical Notes:

1. Trigger mechanism for message display: The first appearance of the message will be after 1 - 128 system boots, then every 6 boots thereafter.

2. This virus attempts to save the original boot sector into another sector; however, bugs can cause it to just replicate itself into both sectors. Thus no automatic clean-up can be reliably performed unless the original, uninfected partition table and boot sector are available to use in a replacement operation. The virus makes no attempt to determine what type of disk is in use, so its damaging effects are produced because it always writes to a fixed number of disk sectors, no matter what disk mapping is in effect.

3. The virus intercepts all diskette reads and writes, and checks for its infection by comparing the first 6 bytes of sector 1. If the disk is not infected, it adds itself to the disk.

4. Detection avoidance techniques used by the virus: When attempting to infect, if the write fails, it tries one additional time and then aborts its infection attempt. Therefore the user doesn't notice a failure when the disk is write-protected. Also, the virus bypasses DOS completely when intercepting diskette reads and writes. Thus, a program that monitors system interrupts will not see the activity of this virus.

*************************************************************

Note: Since this report was completed, the Beijing virus has also turned up in another department at M.I.T. and has simultaneously appeared at the City University of London. This is the first time we've noticed a boot sector virus appearing simultaneously on both sides of the Atlantic, leading to speculation that multiple persons were involved in its release. Researchers in the U.K. have named this the "Bloody" virus. With the timing of this virus' release, there is an improved opportunity for it to spread through students carrying infected diskettes home for the holidays.

To help protect his privacy, the name of the individual at M.I.T. has been removed from this report.
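As an added example, not from the report and not part of Vi-Spy or any RG Software tool, the following script shows the kind of triage a responder could run over a captured 512-byte partition sector like the one sent to the lab. It implements the three checks the report gives a reader: the 6-byte self-recognition compare at the start of sector 1 (Technical Note 3), the test of whether the sector the virus "saved" is really the original or just a second copy of the virus (Technical Note 2, which decides whether automatic clean-up is possible), and the 2048-byte drop in conventional memory (Symptoms). It goes slightly beyond the report by also decoding the MBR partition table so the responder can confirm the table survived. The 6-byte marker, the sample sectors and the BIOS memory value are constructed stand-ins; the report does not give the real pattern of the virus.

```python
"""Boot-sector triage modelled on the checks described in the Beijing/Bloody report.

Added example, not part of the report or of Vi-Spy. The marker bytes, sample
sectors and BIOS memory value below are constructed for the demonstration;
the real 6-byte pattern of the virus is not given in the report.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"        # last two bytes of a valid MBR / boot sector
PARTITION_TABLE_OFFSET = 0x1BE      # four 16-byte entries in the MBR layout
ENTRY_FORMAT = "<B3xB3xII"          # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

# Hypothetical 6-byte infection marker: a stand-in for the bytes the virus
# compares at the start of sector 1 (Technical Note 3). Not the real pattern.
HYPOTHETICAL_MARKER = b"\xEB\x1C\x90\x42\x4C\x44"


def make_sector(head: bytes, partition_entry: bytes = b"") -> bytes:
    """Build a constructed 512-byte sector: leading code bytes, an optional
    partition entry in slot 0, and the 0x55AA boot signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[: len(head)] = head
    if partition_entry:
        sector[PARTITION_TABLE_OFFSET : PARTITION_TABLE_OFFSET + 16] = partition_entry
    sector[-2:] = BOOT_SIGNATURE
    return bytes(sector)


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[-2:] == BOOT_SIGNATURE


def partition_entries(sector: bytes) -> list:
    """Decode the four MBR partition entries; an entry with type 0 is unused."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        boot, ptype, lba, count = struct.unpack_from(ENTRY_FORMAT, sector, off)
        if ptype != 0:
            entries.append({"bootable": boot == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return entries


def marker_matches(sector: bytes, marker: bytes = HYPOTHETICAL_MARKER) -> bool:
    """The virus's own self-check: compare the first len(marker) bytes of sector 1."""
    return sector[: len(marker)] == marker


def saved_copy_is_usable(infected: bytes, saved: bytes, marker: bytes = HYPOTHETICAL_MARKER) -> bool:
    """Technical Note 2: the virus tries to stash the original sector elsewhere,
    but a bug can leave a second copy of itself there instead. Trust the stash
    only if it is not the virus again and still looks like a boot sector."""
    return has_boot_signature(saved) and not marker_matches(saved, marker) and saved != infected


def hidden_conventional_memory_kb(bda_memory_kb: int, installed_kb: int = 640) -> int:
    """Symptom check: the word at 0040:0013 in the BIOS data area holds usable
    conventional memory in KB; a resident boot virus lowers it. 2048 bytes = 2 KB."""
    return installed_kb - bda_memory_kb


def triage(sector: bytes, saved: bytes, bda_memory_kb: int, marker: bytes = HYPOTHETICAL_MARKER) -> dict:
    """Combine the checks into findings a responder can act on."""
    infected = marker_matches(sector, marker)
    return {
        "valid_boot_sector": has_boot_signature(sector),
        "partitions": partition_entries(sector),
        "marker_present": infected,
        "hidden_kb": hidden_conventional_memory_kb(bda_memory_kb),
        "automatic_cleanup_possible": infected and saved_copy_is_usable(sector, saved, marker),
    }


# Constructed sample data (not captured from a real disk).
CLEAN_ENTRY = struct.pack(ENTRY_FORMAT, 0x80, 0x06, 63, 65536)      # bootable FAT16 (type 06h), 32 MB
CLEAN_MBR = make_sector(b"\xFA\x33\xC0\x8E\xD0\xBC", CLEAN_ENTRY)  # typical DOS MBR prologue: cli / xor ax,ax / mov ss,ax / mov sp,...
INFECTED_MBR = make_sector(HYPOTHETICAL_MARKER, CLEAN_ENTRY)         # virus code in front, partition table kept


if __name__ == "__main__":
    # Good case: the virus saved the real MBR, so the marker and the 2 KB of
    # hidden RAM are found and the saved copy can be written back.
    print(triage(INFECTED_MBR, saved=CLEAN_MBR, bda_memory_kb=638))
    # Bad case: the bug from Note 2 left a second copy of the virus in the save
    # slot, so clean-up needs an external backup of the original MBR.
    print(triage(INFECTED_MBR, saved=INFECTED_MBR, bda_memory_kb=638))
```

The point of `saved_copy_is_usable` is the one the report makes in Note 2: a clean-up tool that blindly copies the "saved" sector back over sector 1 will, on a disk hit by the replication bug, simply reinstall the virus, so the responder should keep a known-good copy of the partition table and boot sector (as Mr. ( ) did with Vi-Spy) rather than trust what the virus left behind.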