[comp.virus] Possible Boot-Sector Virus in Shrink-Wrapped Software

RZOTTO@DKNKURZ1.BITNET (Otto.Stolz) (10/09/90)

Dear colleague,

This is meant both to warn you about the software cited below and to get
some help against a possible new virus.

Today, a disk marked "Diskette zum Buch 'Programmieren mit PostScript',
IBM-360-Kbyte-Format - Version 1.0, Bestell-Nr. 90337 / 01069054rv"
from the publisher "Markt & Technik" was taken out of its shrink-wrap
cover, fitted with a write-protect tab, then used to boot one of our
IBM compatibles (a Siemens PCD-2). Later that day, F-OSCHK claimed
that the boot sector and the partition record of this very computer's
hard disk had been modified.

This evening, I had a look at the Markt & Technik diskette with
F-DISINF and F-BOOT and found these results:

> F-DISINF    Disinfects boot sectors    Version 1.12 - July '90
>
> This boot sector is not an usual DOS boot sector.
> It may be infected with an unknown virus.

> F-BOOT    Shows the boot sector    Version 1.12 - July '90
>
> eb28 9049 424d 2050 4e43 4900 0202 0100 0270 00d0 02fd
> 0200 0900 0200 0000 0000 0000 0000 0000 0000 0000 fa33
> c08e d0bc f07b fbb8 c007 8ed8 be5b 0090 fcac 0ac0 740b
> 56b4 0ebb 0700 cd10 5eeb f032 e4cd 16b4 0fcd 1032 e4cd
> 10cd 190d 0a0d 0a0d 0a0d 0a0d 0a0d 0a0d 0a0d 0a20 2020
> 2054 6869 7320 6469 736b 2069 7320 6e6f 7420 626f 6f74
> 6162 6c65 0d0a 0d0a 2049 6620 796f 7520 7769 7368 2074
> 6f20 6d61 6b65 2069 7420 626f 6f74 6162 6c65 2c0d 0a72
> 756e 2074 6865 2044 4f53 2070 726f 6772 616d 2053 5953
> 2061 6674 6572 2074 6865 0d0a 2020 2020 2073 7973 7465
> 6d20 6861 7320 6265 656e 206c 6f61 6465 640d 0a0d 0a50
> 6c65 6173 6520 696e 7365 7274 2061 2044 4f53 2064 6973
> 6b65 7474 6520 696e 746f 0d0a 2074 6865 2064 7269 7665
> 2061 6e64 2073 7472 696b 6520 616e 7920 6b65 792e 2e2e
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 55aa

I also booted the PCD-2 from a write-protected DOS diskette, then had
a look at its hard disk with F-DISINF, F-BOOT and F-PBR (from a
write-protected F-PROT diskette), finding:

> F-DISINF    Disinfects boot sectors    Version 1.12 - July '90
>
> This boot sector is not infected.

> F-BOOT    Shows the boot sector    Version 1.12 - July '90
>
> eb34 9049 424d 2020 332e 3300 0204 0100 0200 0293 f4f8
> 3d00 1100 0600 1100 0000 0000 0000 0000 0000 0000 0000
> 0000 0012 0000 0000 0100 fa33 c08e d0bc 007c 1607 bb78
> 0036 c537 1e56 1653 bf2b 7cb9 0b00 fcac 2680 3d00 7403
> 268a 05aa 8ac4 e2f1 061f 8947 02c7 072b 7cfb cd13 7267
> a010 7c98 f726 167c 0306 1c7c 0306 0e7c a33f 7ca3 377c
> b820 00f7 2611 7c8b 1e0b 7c03 c348 f7f3 0106 377c bb00
> 05a1 3f7c e89f 00b8 0102 e8b3 0072 198b fbb9 0b00 bed6
> 7df3 a675 0d8d 7f20 bee1 7db9 0b00 f3a6 7418 be77 7de8
> 6a00 32e4 cd16 5e1f 8f04 8f44 02cd 19be c07d ebeb a11c
> 0533 d2f7 360b 7cfe c0a2 3c7c a137 7ca3 3d7c bb00 07a1
> 377c e849 00a1 187c 2a06 3b7c 4038 063c 7c73 03a0 3c7c
> 50e8 4e00 5872 c628 063c 7c74 0c01 0637 7cf7 260b 7c03
> d8eb d08a 2e15 7c8a 16fd 7d8b 1e3d 7cea 0000 7000 ac0a
> c074 22b4 0ebb 0700 cd10 ebf2 33d2 f736 187c fec2 8816
> 3b7c 33d2 f736 1a7c 8816 2a7c a339 7cc3 b402 8b16 397c
> b106 d2e6 0a36 3b7c 8bca 86e9 8a16 fd7d 8a36 2a7c cd13
> c30d 0a4e 6f6e 2d53 7973 7465 6d20 6469 736b 206f 7220
> 6469 736b 2065 7272 6f72 0d0a 5265 706c 6163 6520 616e
> 6420 7374 7269 6b65 2061 6e79 206b 6579 2077 6865 6e20
> 7265 6164 790d 0a00 0d0a 4469 736b 2042 6f6f 7420 6661
> 696c 7572 650d 0a00 4942 4d42 494f 2020 434f 4d49 424d
> 444f 5320 2043 4f4d 0000 0000 0000 0000 0000 0000 0000
> 0000 0080 55aa

> F-PBR    Shows the Partition Boot Record    Version 1.12 - July '90
>
> fa2b c08e d08e c08e d8b8 007c 8be0 fb8b f0bf 007e fcb9
> 0001 f3a5 e900 02b9 1000 8b36 857e f604 8075 0883 ee10
> e2f6 eb37 90bf be07 57b9 0800 f3a5 5ebb 007c 8b14 8b4c
> 02bd 0500 b801 02cd 1373 092b c0cd 134d 7419 ebf0 befe
> 7dad 3d55 aa75 14be be07 ea00 7c00 008b 3687 7eeb 0a8b
> 3689 7eeb 048b 368b 7eac 0ac0 74fe bb07 00b4 0ecd 10eb
> f2ee 7f8d 7ea7 7ec8 7e0d 0a49 6e76 616c 6964 2050 6172
> 7469 7469 6f6e 2054 6162 6c65 000d 0a45 7272 6f72 204c
> 6f61 6469 6e67 204f 7065 7261 7469 6e67 2053 7973 7465
> 6d00 0d0a 4d69 7373 696e 6720 4f70 6572 6174 696e 6720
> 5379 7374 656d 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 aa55 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 8001 0100 0405 9165 1100 0000 93f4 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 55aa

Neither did F-FCHK find any infected files on the hard disk.

Unfortunately, I have no copies of that hard disk's previous boot sector
and partition boot record to compare the above to.

If I boot from the hard disk in spite of F-OSCHK's warnings, F-MMAP
(from a write-protected diskette) shows the usual memory map (from
visual inspection only, i.e. addresses and lengths not checked).

Now, several possibilities come to mind:

1. The M&T diskette contains some hitherto unknown boot-sector virus
   (either directly from the publisher, or the retail store has taken
   back the software and re-wrapped it).

2. The M&T diskette contains a boot sector that is not quite a virus,
   but tampers with the hard disk's boot sectors, for some unknown
   purpose.

3. The M&T diskette is clean (though strange), and the hard disk's boot
   sectors have been tampered with by some other program during the day.

4. The M&T diskette is clean (though strange), and somebody has changed
   F-OSCHK's checksums in the AUTOEXEC.BAT on the hard disk. However,
   this file is dated 17 Sep 90, and the checksums equal those in a
   second file, OSNUMBER, dated 28 Aug 90.

I reckon the fourth possibility is pretty improbable, as the intruder
would have had to change 2 files, also forging their creation dates.
But I'm not sure about the other three.

Of course, we will check with the retail store, and with the publisher.
Anyway, can you contribute more insight?
-- Have you used the cited software, and had any problems?
-- Can you make some sense of the above boot records?
-- Or have you seen similar boot records before?
-- Can you imagine other reasons than the ones given above for F-OSCHK
   to balk?
-- What do you suggest to mend the situation?

Please reply privately or through VIRUS-L.
Many thanks in advance
                       Otto Stolz

CHESS@YKTVMV.BITNET (David.M.Chess) (10/11/90)

The first boot sector in your posting is actually quite innocent;
it just prints the messages

         This disk is not bootable

      If you wish to make it bootable,
     run the DOS program SYS after the
          system has been loaded

     Please insert a DOS diskette into
      the drive and strike any key...

waits for a keystroke, and then reboots via INT 19.  Is that in
fact what happened when you booted from it?   If not, perhaps
there's a confusion of diskettes, and some other diskette may
be infected with something?   Of course, there's always the
possibility that some executable file on the diskette (or
some other diskette) is infected with something, or is
otherwise nefariously altering boot sectors.

The other two boot sectors also look mostly innocent.  Except
for the BPB area (describing the disk capacity etc), and an
"80" just before the '55AA' at the end, the second one is
identical to my own DOS 3.3 boot record on my C:.   The last
looks like a legitimate master boot record to casual inspection,
although it's a bit different from mine.

Possibly F-OSCHK was somehow fooled by something (a new device
driver?) in the system?   Or perhaps some program made some
non-viral changes to the boot sector(s), as part of a copy-prot
scheme or something like that?  (That might explain that "80",
although there's also likely some other explanation that I'm
just overlooking.)

DC
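Decoding the three F-BOOT/F-PBR dumps the way Chess does by eye (OEM name, BPB area, partition table, the stray "80" before 55AA) and adding the cross-check Stolz asks for, as an added Python example that is not part of either post. Only the words needed for the decode are copied from the dumps above; the zero-filled runs between them are supplied by the parser, and the fragment offsets (0, 440, 506) are where those words sit in the 512-byte records.

```python
"""Triage the F-BOOT / F-PBR dumps quoted above (added example, not from the
posts). Fragments are copied from the dumps, keyed by byte offset; zeros elided."""
import struct

MT_DISKETTE = [(0, "eb28 9049 424d 2050 4e43 4900 0202 0100 0270 00d0 02fd "
                   "0200 0900 0200 0000 0000 0000 0000 0000 0000 0000 fa33"),
               (506, "0000 0000 55aa")]                # Markt & Technik disk
HARD_DISK = [(0, "eb34 9049 424d 2020 332e 3300 0204 0100 0200 0293 f4f8 "
                 "3d00 1100 0600 1100 0000 0000 0000 0000 0000 0000 0000"),
             (506, "0000 0080 55aa")]                  # PCD-2 DOS boot sector
MBR = [(440, "0000 0000 0000 8001 0100 0405 9165 1100 0000 93f4 0000"),
       (506, "0000 0000 55aa")]                        # PCD-2 partition record

def sector_from_dump(fragments):
    """Assemble a 512-byte image from (offset, 'hhhh hhhh ...') pieces."""
    sector = bytearray(512)
    for offset, text in fragments:
        data = bytes.fromhex("".join(text.replace(">", "").split()))  # '> ' ok
        sector[offset:offset + len(data)] = data
    return bytes(sector)

BPB = struct.Struct("<3s8sHBHBHHBHHHH")  # jmp, OEM name, then the DOS 3.x BPB
FIELDS = ("jump", "oem", "bytes_per_sector", "sectors_per_cluster", "reserved",
          "fats", "root_entries", "total_sectors", "media", "sectors_per_fat",
          "sectors_per_track", "heads", "hidden")

def bpb(sector):
    """Decode offsets 0-29 of a volume boot sector into a dict."""
    d = dict(zip(FIELDS, BPB.unpack_from(sector)))
    d["oem"] = d["oem"].decode("ascii", "replace")
    return d

def partitions(mbr):
    """Decode the non-empty 16-byte entries of the partition table at 0x1BE."""
    out = []
    for i in range(4):
        e = struct.unpack_from("<8BII", mbr, 0x1BE + 16 * i)
        if e[4]:  # a type byte of 0 marks an unused slot
            out.append({"bootable": e[0] == 0x80, "type": e[4],
                        "start_lba": e[8], "sectors": e[9]})
    return out

def cross_check(boot, mbr):
    """Disagreements between a boot sector's BPB and the MBR entry it lives in."""
    b, p = bpb(boot), partitions(mbr)[0]
    return [msg for bad, msg in (
        (boot[510:] != b"\x55\xaa", "no 55AA signature"),
        (b["hidden"] != p["start_lba"], "BPB hidden sectors != partition start"),
        (b["total_sectors"] != p["sectors"], "BPB total sectors != partition size"),
    ) if bad]
```

On these dumps the diskette decodes as a plain 360K (720 sectors, media 0xFD), and the hard disk's BPB agrees with its single bootable FAT16 partition (start 17, 62611 sectors), which is the agreement a clean DOS 3.3 layout shows; byte 509 of the hard-disk record is the "80" Chess points out.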