WIER@NAUVAX.BITNET (10/05/89)
Original_From: Paul Balyoz

A new, extremely nasty virus has been discovered on some IBM PCs in the state of Arizona. This virus, known as OGRE, has been found on some disks in Flagstaff and nearby areas. This is the first recognition of said virus that has come to my attention. This memo gives a description of the virus and possible ways of recognizing and removing it.

DESCRIPTION

The OGRE virus tries to infect any disks it sees that haven't yet been infected with itself. It counts the number of disks it has infected as it goes along. It does no harm until after it has infected a certain number of disks. After that point it will display a message on the screen at boot time identifying itself as the COMPUTER OGRE dated April 1, and telling you to leave your machine alone as it begins "stomping" blocks on the disk randomly, by writing blocks full of one character all over the disk. This holds true for both floppy disks and hard disks. The damage done in this manner is virtually irreparable. Once this happens the hard disk usually needs to be reformatted (which effectively erases everything on the disk). If backup copies of the files from that disk were made, it can be restored back onto the reformatted disk, and all is well again (until the next time).

If you see this message appear on your screen, ignore the warning and TURN YOUR COMPUTER OFF IMMEDIATELY! The quicker you turn it off, the less damage it will have done. The first blocks it destroys are the boot blocks and file and directory information; files go after that. If stopped in time, the files on the disk may be retrieved using various disk utility programs.

TECHNICAL DETAILS

The OGRE virus spreads by writing copies of itself onto 3 unused blocks on the disk. It then marks those blocks as being "bad," so that normal disk usage won't ever choose those blocks for storing ordinary data. Thus the virus can stay on the disk without being bothered.

The important step is when it modifies the boot blocks of the disk so that next time the disk is booted, the special code on those three blocks is executed, and the virus can try to infect new disks. Thus, every time the disk is booted thereafter, the OGRE code is executed, and can do what it has been programmed to do.

Because the OGRE virus operates at such a "low level," none of the existing virus detection/elimination programs currently in existence for the IBM PC will work. Note that OGRE doesn't create or modify any of the files on the disk at the time of infection, nor does it affect the FAT in any way. Thus it is virtually undetectable by present means, until special programs are developed to detect and remove it.

RECOGNIZING THE VIRUS

If you have a "disk zap" or "sector edit" type of program, you can use that to see if the OGRE virus has infected each of your disks. You'll want to search the disk for the string "OGRE" (those four upper-case ASCII characters) or "COMPUTER OGRE" to be sure. You will know by the surrounding text if each occurrence of the string is truly the virus or not. The software package "Norton Utilities" has a program that can do this sort of disk-searching function. The most important place to look is the boot blocks on the disk. If the string exists in that area, your disk is probably infected.

Note: It is possible for normal information on the disk to spell out the string "OGRE" just by chance. As I understand it, that string being found in the boot blocks nearly guarantees infection. The text before and after the string must be viewed to be sure. There is a date of April 1, and a copyright notice, as well as the English text that it can display. You will know from the context whether your disk is infected or not.

CLEANING AN INFECTED DISK

File copying will "clean" an infected disk. Because OGRE doesn't affect any files, per se, a good method for cleaning up an infected disk that hasn't been "stomped on" yet would be to copy all of the files off that disk onto a freshly formatted one. Of course you'll want to be sure that the virus isn't running while you do this, or it will quickly infect the new disk as well! Boot your computer from an original system disk that was distributed with your computer. Make sure it is write-protected before booting. If this disk has never been un-write-protected, then it can't ever have been infected. Then go ahead and format the new disk, and copy your files to it. The infected disk you just copied all the files off of can now be formatted to clean it up, and files copied back onto it again.

FUTURE VIRUS DETECTION IDEA

Checksum the boot blocks. A program should be written to run a set of checksums on the boot blocks of your disk, and remember the number somewhere. When run thereafter it can recompute the checksum and compare it to the one recorded previously. If the two checksums do not match exactly then the boot blocks have been modified, which is not a normal thing to have happen. The program can then notify the user that, "The boot blocks on this disk have changed; you may have a virus." If this program were written and launched from the AUTOEXEC.BAT file on all bootable disks, then the user would know immediately if they were infected. Of course, the OGRE virus would have already been executed once by then, since the disk was booted before the AUTOEXEC.BAT file was read, so it may have infected another disk; but it won't have gone on the rampage yet. The user would thus have pre-knowledge of the infection, and can combat it before any damage is done.

DISCLAIMER

I have not personally seen the virus nor any disks damaged by it.

SOURCE INFORMATION

This new virus was discovered by members of the staff at Computer Solutions here in Flagstaff, Arizona. They are working on disassembling the virus and will hopefully come up with a virus removal procedure or program. The current theory is that it originated somewhere in the Phoenix area, but nothing is sure yet. Computer Solutions is trying to contact as many people as they can to warn them about this new problem. You are encouraged to make copies of this memo in any form and distribute them to anyone who might need to know this information. You can contact Computer Solutions at 602-774-1272 during the day.

submitted by:

*usual disclaimers*
---------------------------------------------------------------------
- Bob Wier
  Northern Arizona University
  Ouray, Colorado & Flagstaff, Arizona
  ...arizona!naucse!rrw | BITNET: WIER@NAUVAX | WB5KXH
jwright@atanasoff.cs.iastate.edu (Jim Wright) (10/05/89)
In article <0011.8910041808.AA09177@ge.sei.cmu.edu> WIER@NAUVAX.BITNET writes:
| Because the OGRE virus operates at such a "low level," none of the
| existing virus detection/elimination programs currently in existence
| for the IBM PC will work.
|
| FUTURE VIRUS DETECTION IDEA
|
| Checksum the boot blocks.

The new program BootChek goes one better than this. It will compare the entire boot block with a secured copy. Since it is small, this comparison is fast, and better than a checksum. If a change is detected, the computer is halted.

WARNING: This will detect any *change* in the boot block. If you start with an infected system, this won't help.

--
Jim Wright
jwright@atanasoff.cs.iastate.edu
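The memo's two detection ideas (search the boot blocks for the "OGRE" / "COMPUTER OGRE" string, and checksum the boot blocks against a remembered value) and Jim Wright's point that BootChek compares the whole boot block with a secured copy fit together in one small offline checker. The Python script below is an added example written for this thread; it is not BootChek, not Computer Solutions' tool, and not code from any of the posters. It works on a raw disk image (or any bytes) rather than talking to DOS or the BIOS, and the two 512-byte boot sectors it builds are constructed samples: the "infected" one only carries the text string the memo describes, with no executable payload of any kind.

```python
"""
Offline boot-sector checker (added example for this thread; not BootChek and not
any poster's code). Operates on a raw disk image or the first 512 bytes of one.
"""
import hashlib
from typing import List, Optional, Tuple

SECTOR_SIZE = 512
# Strings the memo says to look for in the boot blocks (case-sensitive ASCII).
OGRE_MARKERS = (b"COMPUTER OGRE", b"OGRE")


def build_clean_boot_sector() -> bytes:
    """Constructed sample of a DOS-style boot sector: jump, OEM label, 55AA signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"       # short JMP over the BPB, then NOP
    sector[3:11] = b"MSDOS3.3"          # OEM label (constructed value)
    sector[510:512] = b"\x55\xAA"       # boot signature
    return bytes(sector)


def build_infected_boot_sector() -> bytes:
    """Constructed sample: the clean sector with the memo's identifying text planted
    at offset 0x40. Only the text is planted; there is no virus code here."""
    sector = bytearray(build_clean_boot_sector())
    text = b"COMPUTER OGRE (C) April 1"
    sector[0x40:0x40 + len(text)] = text
    return bytes(sector)


def read_boot_sector(image: bytes) -> bytes:
    """First sector of a raw image; refuses images too short to hold one."""
    if len(image) < SECTOR_SIZE:
        raise ValueError("image shorter than one sector")
    return bytes(image[:SECTOR_SIZE])


def find_ogre_strings(sector: bytes) -> List[Tuple[int, bytes]]:
    """All (offset, marker) hits, sorted by offset. A hit is a lead, not proof:
    as the memo says, the surrounding bytes must be inspected before concluding."""
    hits = []
    for marker in OGRE_MARKERS:
        start = 0
        while True:
            idx = sector.find(marker, start)
            if idx < 0:
                break
            hits.append((idx, marker))
            start = idx + 1
    return sorted(hits)


def context_text(sector: bytes, offset: int, width: int = 16) -> str:
    """Printable rendering of the bytes around a hit, for a human to judge."""
    lo, hi = max(0, offset - width), min(len(sector), offset + width)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in sector[lo:hi])


def boot_sector_fingerprint(sector: bytes) -> str:
    """SHA-256 of the sector: the 'remembered number' of the memo's checksum idea."""
    return hashlib.sha256(sector).hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if identical (BootChek-style full compare)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def check_boot_sector(sector: bytes, baseline_digest: str,
                      baseline_copy: Optional[bytes] = None) -> dict:
    """Compare a sector with its recorded baseline digest and, if available, a
    secured full copy. The baseline must come from a known-clean disk."""
    result = {
        "changed": boot_sector_fingerprint(sector) != baseline_digest,
        "first_diff_offset": None,
        "ogre_hits": find_ogre_strings(sector),
    }
    if baseline_copy is not None:
        result["first_diff_offset"] = first_difference(sector, baseline_copy)
        result["changed"] = result["changed"] or result["first_diff_offset"] is not None
    return result


if __name__ == "__main__":
    clean = build_clean_boot_sector()
    baseline = boot_sector_fingerprint(clean)     # record this while the disk is known-good
    suspect = build_infected_boot_sector()
    report = check_boot_sector(suspect, baseline, clean)
    print("changed:", report["changed"], "first diff at:", report["first_diff_offset"])
    for off, marker in report["ogre_hits"]:
        print(f"  {marker!r} at 0x{off:03X}: {context_text(suspect, off)}")
```

To run it against a real floppy or disk image, replace the constructed sectors with `read_boot_sector(open(path, "rb").read())` and store the fingerprint (or, BootChek-style, the whole 512-byte copy) on write-protected media. Jim Wright's caveat applies unchanged: the comparison only tells you the sector differs from the baseline, so a baseline recorded from an already-infected disk detects nothing, and the string scan is only a hint that still needs a look at the surrounding text.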
ken@gargoyle.uchicago.edu (10/10/89)
> A new, extremely nasty virus has been discovered on some IBM PCs in
> the state of Arizona. This virus, known as OGRE, has been found on
> some disks in Flagstaff and nearby areas. This is the first
> recognition of said virus that has come to my attention. This memo
> gives a description of the virus and possible ways of recognizing and
> removing it.

This is a very interesting virus. However, I would like to know if anyone knows how it originally infects a disk. It would seem that it would have to be in an executable program at least initially (to infect the first disk). Any ideas?