CHESS@YKTVMV.BITNET (David.M.Chess) (07/26/90)
Summary
-------

The net result of our analysis of a copy of the PC Today diskette is that it does -not- contain a working copy of the Disk Killer virus.

Provisos
--------

The following is based on analysis of a 5.25" diskette that was sent to us (electronically, as a diskette image) from the UK. The original diskette was received with a copy of the August issue of PC Today magazine, published by Database Publications Ltd. in the UK. It contains a program called PCSTORY.EXE (PC TODAY DISK LIBRARY, VOLUME 3, AUGUST '90) which runs a ShareWare program called PowerMenu. (The diskette doesn't seem to have been designed to be booted from, so it's unlikely that too many people will be affected, *whatever* booting from it turns out to actually do.)

We have done a bit of long-distance testing over the telephone which indicates that the diskette from which the image was made has the same properties as the diskette that we created from the image. When we receive one of the original diskettes, we will confirm this. We will also be checking that all of the diskettes we receive are the same.

3.5" diskettes were also distributed to some subscribers of the magazine. At least one of these has been scanned with the IBM Virus Scanning Program and does not appear to be infected. We will verify this when we receive one of the original 3.5" diskettes.

Analysis
--------

The boot record part of the virus is there, in the boot record, but the rest of the virus (which, on floppies, is normally stored in three clusters marked "bad" in the FAT) is not there. The diskette does contain three "bad" clusters (containing five "bad" sectors), but those clusters don't seem to contain anything at all (they are full of hex "F6" bytes, which is what the FORMAT command writes when it initializes a disk).

The pointer in the boot record part of the virus, which is supposed to point to the three bad clusters, in fact points somewhere else entirely (to a point on the disk that contains part of a file). The effect of this is that when the disk is booted from, it reads in essentially random junk, and passes control to it. A machine booted from the disk will generally hang, go into Cassette BASIC, or otherwise malfunction.

We searched the diskette (using the Norton Utilities(tm)), and the string "iller", which occurs in the non-boot-sector part of the virus, does not occur anywhere on the disk. We also tried booting from the diskette several times, and it never booted successfully, nor did the hard disk in the machine become infected.

Since the boot sector is in fact the boot sector from the virus, most virus scanning programs (all that we know of) that detect the Disk Killer on diskettes will report that the diskette is infected (since they all examine only the boot sector). In particular, the IBM Virus Scanning Program will report that it is infected. Nonetheless, the full virus is not present on the diskette and it will not spread.

Dave Chess, Bill Arnold, Steve White
High Integrity Computing Laboratory
IBM Thomas J. Watson Research Center
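The checks described in the analysis above (are the FAT's "bad" clusters really empty, and does the body string occur anywhere on the disk) can be reproduced on a diskette image. The following is an added example written for this page, not a tool from the IBM team or anything from the original post. It walks a FAT12 image, lists every cluster marked bad (FAT12 value 0xFF7), tests whether each one holds only the 0xF6 fill byte that FORMAT writes, and searches the whole image for "iller". The 360K image it inspects is constructed inside the script (three clusters marked bad, empty unless a stand-in payload is supplied); all function names and the `BODY_MARKER` constant are the example's own. It does not model the virus's own pointer in the boot sector, since the post gives no layout for it.

```python
"""Inspect a FAT12 floppy image for 'bad' clusters and what they hold.

Added example, not code from the original VIRUS-L post.  make_test_image()
builds a constructed 360K image for demonstration; nothing here is a real
diskette dump.
"""
import struct

BAD_CLUSTER = 0xFF7      # FAT12 entry value marking a cluster unusable ("bad")
FORMAT_FILL = 0xF6       # byte FORMAT leaves in freshly initialised sectors
BODY_MARKER = b"iller"   # substring the post reports from the non-boot-sector part


def parse_bpb(img):
    """Read the geometry we need from the BIOS Parameter Block in sector 0."""
    (bps, spc, reserved, nfats, root_entries, total_sectors,
     _media, spf) = struct.unpack_from("<HBHBHHBH", img, 11)
    root_sectors = (root_entries * 32 + bps - 1) // bps
    data_start = reserved + nfats * spf + root_sectors   # first sector of cluster 2
    return {"bps": bps, "spc": spc, "fat_offset": reserved * bps,
            "fat_size": spf * bps, "data_start": data_start,
            "clusters": (total_sectors - data_start) // spc}


def fat12_entry(fat, n):
    """Return 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    return (val >> 4) if n & 1 else (val & 0xFFF)


def fat12_set(fat, n, value):
    """Write 12-bit FAT entry n in place (fat must be a bytearray)."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    val = (val & 0x000F) | (value << 4) if n & 1 else (val & 0xF000) | (value & 0xFFF)
    fat[off], fat[off + 1] = val & 0xFF, (val >> 8) & 0xFF


def cluster_bytes(img, geo, n):
    """Return the raw contents of data cluster n."""
    start = (geo["data_start"] + (n - 2) * geo["spc"]) * geo["bps"]
    return img[start:start + geo["spc"] * geo["bps"]]


def bad_clusters(img, geo):
    """List every cluster the first FAT copy marks as bad."""
    fat = img[geo["fat_offset"]:geo["fat_offset"] + geo["fat_size"]]
    return [n for n in range(2, geo["clusters"] + 2)
            if fat12_entry(fat, n) == BAD_CLUSTER]


def analyse(img):
    """Do the bad clusters hold anything, and is the body marker anywhere on disk?"""
    geo = parse_bpb(img)
    bad = bad_clusters(img, geo)
    only_fill = {n: all(b == FORMAT_FILL for b in cluster_bytes(img, geo, n)) for n in bad}
    return {"bad_clusters": bad,
            "bad_clusters_are_empty": bool(bad) and all(only_fill.values()),
            "body_marker_found": BODY_MARKER in img}


def make_test_image(bad=(10, 11, 12), payload=b""):
    """Constructed 360K FAT12 image: the given clusters are marked bad and
    filled with 0xF6, except where a payload stands in for a stored body."""
    bps, spc, reserved, nfats, root_entries, total, spf = 512, 2, 1, 2, 112, 720, 2
    img = bytearray(total * bps)
    img[0:3], img[3:11], img[510:512] = b"\xEB\x3C\x90", b"EXAMPLE ", b"\x55\xAA"
    struct.pack_into("<HBHBHHBH", img, 11, bps, spc, reserved, nfats,
                     root_entries, total, 0xFD, spf)
    fat = bytearray(spf * bps)
    fat[0:3] = b"\xFD\xFF\xFF"            # media descriptor in entries 0 and 1
    for n in bad:
        fat12_set(fat, n, BAD_CLUSTER)
    for f in range(nfats):                 # both FAT copies get the same table
        off = (reserved + f * spf) * bps
        img[off:off + len(fat)] = fat
    geo = parse_bpb(img)
    csize = spc * bps
    for i, n in enumerate(bad):
        chunk = payload[i * csize:(i + 1) * csize].ljust(csize, bytes([FORMAT_FILL]))
        start = (geo["data_start"] + (n - 2) * spc) * bps
        img[start:start + csize] = chunk
    return bytes(img)


if __name__ == "__main__":
    print(analyse(make_test_image()))                     # empty bad clusters, no marker
    print(analyse(make_test_image(payload=b"Disk Killer body stand-in")))
```

Run against a real image, the interesting case is the one the post describes: `bad_clusters` is non-empty, `bad_clusters_are_empty` is True and `body_marker_found` is False, which is exactly the combination that tells you a boot-sector-only scanner's "infected" verdict is not backed by a stored virus body. Only the first FAT copy is consulted here; comparing it with the second copy is a cheap extra consistency check on a suspect disk.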