[comp.virus] Preliminary analysis of a PC Today diskette

CHESS@YKTVMV.BITNET (David.M.Chess) (07/26/90)

Summary
-------

     The net result of our analysis of a copy of the PC Today
diskette is that it does -not- contain a working copy of the Disk
Killer virus.


Provisos
--------

     The following is based on analysis of a 5.25" diskette that was
sent to us (electronically, as a diskette image) from the UK.  The
original diskette was received with a copy of the August issue of PC
Today magazine, published by Database Publications Ltd. in the UK.  It
contains a program called PCSTORY.EXE (PC TODAY DISK LIBRARY, VOLUME 3,
AUGUST '90) which runs a ShareWare program called PowerMenu.  (The
diskette doesn't seem to have been designed to be booted from, so
it's unlikely that too many people will be affected, *whatever*
booting from it turns out to actually do.)

     We have done a bit of long-distance testing over the telephone
which indicates that the diskette from which the image was made has the
same properties as the diskette that we created from the image.  When we
receive one of the original diskettes, we will confirm this.  We will
also be checking that all of the diskettes we receive are the same.

     3.5" diskettes were also distributed to some subscribers of the
magazine.  At least one of these has been scanned with the IBM Virus
Scanning Program and does not appear to be infected.  We will verify
this when we receive one of the original 3.5" diskettes.


Analysis
--------

     The boot record part of the virus is there, in the boot record, but
the rest of the virus (which, on floppies, is normally stored in three
clusters marked "bad" in the FAT) is not there.

     The diskette does contain three "bad" clusters (containing five
"bad" sectors), but those clusters don't seem to contain anything at all
(they are full of hex "F6" bytes, which is what the FORMAT command
writes when it initializes a disk).  The pointer in the boot record part
of the virus, which is supposed to point to the three bad clusters, in
fact points somewhere else entirely (to a point on the disk that
contains part of a file).  The effect of this is that when the disk is
booted from, it reads in essentially random junk, and passes control to
it.  A machine booted from the disk will generally hang, go into
Cassette BASIC, or otherwise malfunction.

     We searched the diskette (using the Norton Utilities(tm)), and the
string "iller", which occurs in the non-boot-sector part of the virus,
does not occur anywhere on the disk.  We also tried booting from the
diskette several times, and it never booted successfully, nor did the
hard disk in the machine become infected.

     Since the boot sector is in fact the boot sector from the virus,
most virus scanning programs (all that we know of) that detect the
Disk Killer on diskettes will report that the diskette is infected
(since they all examine only the boot sector).  In particular, the IBM
Virus Scanning Program will report that it is infected.  Nonetheless,
the full virus is not present on the diskette and it will not spread.


Dave Chess, Bill Arnold, Steve White
High Integrity Computing Laboratory
IBM Thomas J. Watson Research Center
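
The two checks the analysis above rests on (clusters marked "bad" in the FAT holding only the F6 fill that FORMAT writes, and the absence of the string "iller") as an added Python example; this is not code from the original post or from IBM. It builds its own constructed 360K FAT12 image, so the geometry and the planted text are assumptions, and it does not model where the Disk Killer boot record keeps its pointer.

```python
import struct
BAD12 = 0xFF7        # FAT12 marker for a cluster flagged "bad"
FORMAT_FILL = 0xF6   # byte value FORMAT writes into freshly initialised sectors
BPB = "<HBHBHHBH"    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors, media, sectors/FAT

def fat12_entry(fat, n):                 # two 12-bit entries share three bytes
    off = n * 3 // 2
    v = fat[off] | (fat[off + 1] << 8)
    return (v >> 4) if n & 1 else (v & 0xFFF)

def set_fat12(fat, n, val):              # write entry n, keep the neighbour's nibble
    off = n * 3 // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((val << 4) & 0xF0)
        fat[off + 1] = (val >> 4) & 0xFF
    else:
        fat[off] = val & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((val >> 8) & 0x0F)

def build_image(bad, tamper=None):
    # Constructed 360K image: 512 B/sector, 2 sectors/cluster, 1 reserved, 2 FATs x 2 sectors, 112 root entries, 720 sectors; data starts at sector 12.
    img = bytearray(720 * 512)
    img[11:24] = struct.pack(BPB, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    img[510:512] = b"\x55\xAA"
    fat = bytearray(2 * 512)
    fat[0:3] = b"\xFD\xFF\xFF"           # media descriptor entry
    for c in bad:
        set_fat12(fat, c, BAD12)
    img[512:1536] = img[1536:2560] = fat  # both FAT copies
    img[12 * 512:] = bytes([FORMAT_FILL]) * (len(img) - 12 * 512)  # data area as FORMAT leaves it
    if tamper:                           # plant bytes at an offset to simulate a virus body (assumption)
        off, data = tamper
        img[off:off + len(data)] = data
    return bytes(img)

def bad_cluster_report(img):
    # Map every FAT-marked bad cluster to True when it holds nothing but FORMAT fill.
    bps, spc, rsv, nfats, rootents, totsec, _media, spf = struct.unpack_from(BPB, img, 11)
    fat = img[rsv * bps:(rsv + spf) * bps]
    data_start = rsv + nfats * spf + (rootents * 32) // bps   # first data sector
    nclusters = (totsec - data_start) // spc
    report = {}
    for n in range(2, 2 + nclusters):
        if fat12_entry(fat, n) == BAD12:
            off = (data_start + (n - 2) * spc) * bps
            report[n] = all(b == FORMAT_FILL for b in img[off:off + spc * bps])
    return report

def has_body_string(img):                # the post's second check: "iller" in the non-boot part
    return b"iller" in img
```

A real diskette image (for example one produced with dd) can be passed to `bad_cluster_report` and `has_body_string` directly, since both read only the BPB and FAT the disk itself carries.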