frisk@rhi.hi.is (Fridrik Skulason) (08/15/90)
As I did the dissection of Frodo (4096) for the Virus Bulletin, I have
examined the virus in some detail. A few comments follow:
The virus is designed to overwrite the boot sector, but this part
of the virus does not work in any of the samples I have been able
to obtain copies of, as the code is garbled and would probably
cause the computer to "hang". Don't be surprised if you hear
of computers "hanging" on Sept. 22. I think I know almost how
the code looked originally, however the cause of the garbling is
yet unknown.
The program written to the boot sector is not a virus. This is very
similar to the effect of the GhostBalls virus, which also contains a
non-infectious program it writes to the boot-sector. All the
program does, if it is copied to the boot sector and executed, is to
display the message FRODO LIVES on the screen, with a moving border
and disable INT 9 meanwhile, preventing CTRL-ALT-DEL from having any
effects.
The virus is able to evade some (if not all) interrupt monitoring
programs, so the best way to stop it is to use a virus-specific
program like (my own) F-DRIVER or VSHIELD (or was that FSHIELD, I
never remember which is which).
The reported FAT damage is not real - the virus only confuses CHKDSK,
which reports FAT damage, as the number of allocated clusters appears
to be incorrect. The real damage seems to be done by CHKDSK/F.
NEVER, NEVER run CHKDSK/F with Frodo or any other "stealth" virus
active in memory. This will cause serious damage, preventing virus
recovery.
PS: a message to Paul Carapetis. I apologize for posting a personal
message to the list, but all my efforts to reach him by E-mail have
been unsuccessful, and as I know he reads comp.virus...
Message follows: Yes please, I would be very grateful.
- -frisk
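As an added illustration (not part of frisk's post, and not DOS or CHKDSK code), a toy FAT model of why a resident stealth virus makes CHKDSK see a bogus cluster-count mismatch, and why letting CHKDSK/F "repair" it cuts the appended virus body off the file. The cluster size, the file sizes and the assumption that the resident virus hides its 4096-byte growth from directory reads are constructed here.

```python
# Toy FAT model (constructed; not DOS, not the post's code). Sizes are made up.
CLUSTER = 1024       # bytes per cluster
VIRUS_LEN = 4096     # bytes the virus appends (the "4096" in the post)
def clusters_needed(size):
    return -(-size // CLUSTER)       # ceiling division

class ToyDisk:
    def __init__(self):
        self.dir = {}                # name -> true size in directory entry
        self.fat = {}                # name -> cluster chain
        self.infected = set()
        self.next_free = 2

    def _alloc(self, n):
        chain = list(range(self.next_free, self.next_free + n))
        self.next_free += n
        return chain

    def write(self, name, size):
        self.dir[name] = size
        self.fat[name] = self._alloc(clusters_needed(size))

    def infect(self, name):
        # Appending infection: the file and its cluster chain really grow.
        new_size = self.dir[name] + VIRUS_LEN
        self.fat[name] += self._alloc(clusters_needed(new_size) - len(self.fat[name]))
        self.dir[name] = new_size
        self.infected.add(name)

    def reported_size(self, name, virus_resident):
        # Assumption: a resident stealth virus hides its growth from
        # directory reads, so CHKDSK sees the pre-infection size.
        size = self.dir[name]
        return size - VIRUS_LEN if virus_resident and name in self.infected else size

    def chkdsk(self, virus_resident, fix=False):
        # Report chains whose length disagrees with the visible size;
        # fix=True models /F: the "surplus" clusters are cut off and freed.
        bad = []
        for name, chain in self.fat.items():
            expected = clusters_needed(self.reported_size(name, virus_resident))
            if len(chain) != expected:
                bad.append(name)
                if fix:
                    del chain[expected:]     # the appended virus body lives here
        return bad

    def recoverable(self, name):
        # Disinfection needs every byte of the infected file still on disk.
        return len(self.fat[name]) * CLUSTER >= self.dir[name]
```

With the virus not resident, `chkdsk` finds nothing wrong; with it resident, the same disk reports a mismatch, and running with `fix=True` leaves the file unrecoverable even after a clean boot.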