Path: utzoo!attcan!uunet!cs.utexas.edu!sun-barr!olivea!samsung!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: RZOTTO@DKNKURZ1.BITNET (Otto.Stolz)
Newsgroups: comp.virus
Subject: Possible Boot-Sector Virus in Shrink-Wrapped Software (PC)
Message-ID: <0008.9010111649.AA06500@ubu.cert.sei.cmu.edu>
Date: 8 Oct 90 23:26:52 GMT
Sender: Virus Discussion List
Lines: 153
Approved: krvw@sei.cmu.edu

Dear colleague,

this is meant both to warn you about the software cited below and to get some help against a possible new virus.

Today, a disk marked "Diskette zum Buch 'Programmieren mit PostScript', IBM-360-Kbyte-Format - Version 1.0, Bestell-Nr. 90337 / 01069054rv" from the publisher "Markt & Technik" was taken out of its shrink-wrap cover, fitted with a write-protect tab, then used to boot one of our IBM compatibles (a Siemens PCD-2). Later that day, F-OSCHK claimed that the boot sector and the partition record of this very computer's hard disk had been modified.

This evening, I had a look at the Markt & Technik diskette with F-DISINF and F-BOOT and found these results:

> F-DISINF Disinfects boot sectors Version 1.12 - July '90
>
> This boot sector is not an usual DOS boot sector.
> It may be infected with an unknown virus.

> F-BOOT Shows the boot sector Version 1.12 - July '90
>
> eb28 9049 424d 2050 4e43 4900 0202 0100 0270 00d0 02fd
> 0200 0900 0200 0000 0000 0000 0000 0000 0000 0000 fa33
> c08e d0bc f07b fbb8 c007 8ed8 be5b 0090 fcac 0ac0 740b
> 56b4 0ebb 0700 cd10 5eeb f032 e4cd 16b4 0fcd 1032 e4cd
> 10cd 190d 0a0d 0a0d 0a0d 0a0d 0a0d 0a0d 0a0d 0a20 2020
> 2054 6869 7320 6469 736b 2069 7320 6e6f 7420 626f 6f74
> 6162 6c65 0d0a 0d0a 2049 6620 796f 7520 7769 7368 2074
> 6f20 6d61 6b65 2069 7420 626f 6f74 6162 6c65 2c0d 0a72
> 756e 2074 6865 2044 4f53 2070 726f 6772 616d 2053 5953
> 2061 6674 6572 2074 6865 0d0a 2020 2020 2073 7973 7465
> 6d20 6861 7320 6265 656e 206c 6f61 6465 640d 0a0d 0a50
> 6c65 6173 6520 696e 7365 7274 2061 2044 4f53 2064 6973
> 6b65 7474 6520 696e 746f 0d0a 2074 6865 2064 7269 7665
> 2061 6e64 2073 7472 696b 6520 616e 7920 6b65 792e 2e2e
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 55aa

I also booted the PCD-2 from a write-protected DOS diskette, then had a look at its hard disk with F-DISINF, F-BOOT and F-PBR (from a write-protected F-PROT diskette), finding:

> F-DISINF Disinfects boot sectors Version 1.12 - July '90
>
> This boot sector is not infected.

> F-BOOT Shows the boot sector Version 1.12 - July '90
>
> eb34 9049 424d 2020 332e 3300 0204 0100 0200 0293 f4f8
> 3d00 1100 0600 1100 0000 0000 0000 0000 0000 0000 0000
> 0000 0012 0000 0000 0100 fa33 c08e d0bc 007c 1607 bb78
> 0036 c537 1e56 1653 bf2b 7cb9 0b00 fcac 2680 3d00 7403
> 268a 05aa 8ac4 e2f1 061f 8947 02c7 072b 7cfb cd13 7267
> a010 7c98 f726 167c 0306 1c7c 0306 0e7c a33f 7ca3 377c
> b820 00f7 2611 7c8b 1e0b 7c03 c348 f7f3 0106 377c bb00
> 05a1 3f7c e89f 00b8 0102 e8b3 0072 198b fbb9 0b00 bed6
> 7df3 a675 0d8d 7f20 bee1 7db9 0b00 f3a6 7418 be77 7de8
> 6a00 32e4 cd16 5e1f 8f04 8f44 02cd 19be c07d ebeb a11c
> 0533 d2f7 360b 7cfe c0a2 3c7c a137 7ca3 3d7c bb00 07a1
> 377c e849 00a1 187c 2a06 3b7c 4038 063c 7c73 03a0 3c7c
> 50e8 4e00 5872 c628 063c 7c74 0c01 0637 7cf7 260b 7c03
> d8eb d08a 2e15 7c8a 16fd 7d8b 1e3d 7cea 0000 7000 ac0a
> c074 22b4 0ebb 0700 cd10 ebf2 33d2 f736 187c fec2 8816
> 3b7c 33d2 f736 1a7c 8816 2a7c a339 7cc3 b402 8b16 397c
> b106 d2e6 0a36 3b7c 8bca 86e9 8a16 fd7d 8a36 2a7c cd13
> c30d 0a4e 6f6e 2d53 7973 7465 6d20 6469 736b 206f 7220
> 6469 736b 2065 7272 6f72 0d0a 5265 706c 6163 6520 616e
> 6420 7374 7269 6b65 2061 6e79 206b 6579 2077 6865 6e20
> 7265 6164 790d 0a00 0d0a 4469 736b 2042 6f6f 7420 6661
> 696c 7572 650d 0a00 4942 4d42 494f 2020 434f 4d49 424d
> 444f 5320 2043 4f4d 0000 0000 0000 0000 0000 0000 0000
> 0000 0080 55aa

> F-PBR Shows the Partition Boot Record Version 1.12 - July '90
>
> fa2b c08e d08e c08e d8b8 007c 8be0 fb8b f0bf 007e fcb9
> 0001 f3a5 e900 02b9 1000 8b36 857e f604 8075 0883 ee10
> e2f6 eb37 90bf be07 57b9 0800 f3a5 5ebb 007c 8b14 8b4c
> 02bd 0500 b801 02cd 1373 092b c0cd 134d 7419 ebf0 befe
> 7dad 3d55 aa75 14be be07 ea00 7c00 008b 3687 7eeb 0a8b
> 3689 7eeb 048b 368b 7eac 0ac0 74fe bb07 00b4 0ecd 10eb
> f2ee 7f8d 7ea7 7ec8 7e0d 0a49 6e76 616c 6964 2050 6172
> 7469 7469 6f6e 2054 6162 6c65 000d 0a45 7272 6f72 204c
> 6f61 6469 6e67 204f 7065 7261 7469 6e67 2053 7973 7465
> 6d00 0d0a 4d69 7373 696e 6720 4f70 6572 6174 696e 6720
> 5379 7374 656d 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 aa55 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 8001 0100 0405 9165 1100 0000 93f4 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> 0000 0000 55aa

Nor did F-FCHK find any infected files on the hard disk. Unfortunately, I have no copies of that hard disk's previous boot sector and partition boot record to compare the above to.

If I boot from the hard disk in spite of F-OSCHK's warnings, F-MMAP (from a write-protected diskette) shows the usual memory map (from visual inspection only, i.e. addresses and lengths not checked).

Now, several possibilities come to mind:

1. The M&T diskette contains some hitherto unknown boot-sector virus (either directly from the publisher, or the retail store has taken back the software and re-wrapped it).

2. The M&T diskette contains a boot sector that is not quite a virus, but tampers with the hard disk's boot sectors, for some unknown purpose.

3. The M&T diskette is clean (though strange), and the hard disk's boot sectors have been tampered with by some other program during the day.

4. The M&T diskette is clean (though strange), and somebody has changed F-OSCHK's checksums in the AUTOEXEC.BAT on the hard disk. However, this file is dated 17 Sep 90, and the checksums equal those in a second file, OSNUMBER, dated 28 Aug 90.

I reckon the fourth possibility is pretty improbable, as the intruder would have had to change two files, also forging their creation dates. But I'm not sure about the other three. Of course, we will check with the retail store and with the publisher.

Anyway, can you contribute more insight?

- Have you used the cited software, and had any problems?
- Can you make some sense of the above boot records?
- Or have you seen similar boot records before?
- Can you imagine other reasons than the ones given above for F-OSCHK to balk?
- What do you suggest to mend the situation?

Please reply privately or through VIRUS-L.

Many thanks in advance
Otto Stolz
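As an added worked example (not part of Otto Stolz's post or of the F-PROT tools), the following Python decodes an F-BOOT style hex dump like the ones quoted above: it strips the ">" quoting, reads the DOS BIOS Parameter Block, runs the sanity checks a defender would apply before trusting the sector, and pulls out the loader's printable messages. The embedded sample is the first two dump lines of the Markt & Technik diskette; fed the full 512-byte dump, printable_strings() recovers the loader's text, which begins "This disk is not bootable".

```python
"""Decode an F-BOOT style hex dump of a DOS boot sector and sanity-check it."""
import re
import struct

# First two dump lines of the Markt & Technik diskette's boot sector as quoted
# in the post (eleven 16-bit words per line, printed byte by byte).
MT_DUMP_HEAD = """
> eb28 9049 424d 2050 4e43 4900 0202 0100 0270 00d0 02fd
> 0200 0900 0200 0000 0000 0000 0000 0000 0000 0000 fa33
"""

BPB_NAMES = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
             "fat_copies", "root_entries", "total_sectors", "media_descriptor",
             "sectors_per_fat", "sectors_per_track", "heads")

def parse_dump(text):
    """Strip the '> ' quoting and join the hex words into bytes (no byte swapping)."""
    words = [w for line in text.splitlines() for w in line.lstrip("> ").split()]
    return bytes.fromhex("".join(words))

def decode_bpb(sector):
    """Return the jump opcode, OEM name and the DOS 2.x/3.x BPB at offsets 0x0B-0x1B."""
    if len(sector) < 0x1C:
        raise ValueError("dump too short to hold a BIOS Parameter Block")
    bpb = dict(zip(BPB_NAMES, struct.unpack_from("<HBHBHHBHHH", sector, 0x0B)))
    bpb["jump_opcode"] = sector[0]
    bpb["oem_name"] = sector[3:11].decode("ascii", "replace")
    return bpb

def sanity_warnings(sector, bpb, expected_kbytes=None):
    """Checks worth running before trusting a sector: jump, geometry, signature."""
    warnings = []
    if bpb["jump_opcode"] not in (0xEB, 0xE9):
        warnings.append("offset 0 is not an x86 jump")
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        warnings.append("implausible bytes per sector")
    capacity = bpb["bytes_per_sector"] * bpb["total_sectors"]
    if expected_kbytes is not None and capacity != expected_kbytes * 1024:
        warnings.append("capacity %d does not match the labelled format" % capacity)
    if len(sector) >= 512 and sector[510:512] != b"\x55\xaa":
        warnings.append("55AA boot signature missing")
    return warnings

def printable_strings(sector, min_len=8):
    """Pull runs of printable ASCII (the loader's messages) out of the sector."""
    return [m.decode("ascii") for m in re.findall(rb"[ -~]{%d,}" % min_len, sector)]
```

For the sample above the decoded geometry (512-byte sectors, 720 sectors, 9 sectors per track, 2 heads) multiplies out to exactly the 360 KB format named on the disk label, so sanity_warnings() returns no findings.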