Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!usc!ucsd!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: MUSICBUG (PC)
Message-ID: <0017.9012041357.AA13652@ubu.cert.sei.cmu.edu>
Date: 5 Dec 90 12:41:33 GMT
Sender: Virus Discussion List
Lines: 36
Approved: krvw@sei.cmu.edu

Thanks to Michael Head, I have had a chance to take a brief look at this infector. If it were not for the vector, it might not be dangerous, however it appears to be being distributed along with Packard-Bell computers. Since these are often sold from general merchandisers, it has the capacity to become widespread among non-computer-literate users. The distribution appears to be on utilities disks provided with the computers.

I have not fully disassembled the virus yet but it is a boot sector infector that can be recognised on floppies since the DOS warning messages are not found on the boot sector and the jump parameter of CCh is found in the third byte. Once infected, the virus goes resident in the TOM reducing a CHKDSK total memory return by 4k (640k machine will report 651,264 bytes instead of 655,360 bytes).

Only part of the code is stored in the boot sector of an infected floppy. What looks like sloppy programming has the virus store the action in DOS sector 45 (cyl 2 head 1 sect 1) on the floppy, overwriting sector(s) in the files area. Both this sector and the reserved area at the TOM will contain the ASCII string "MusicBug v1.06. MacroSoft Corp.". It looks like this string will be found at 9C00:0210 in memory but cannot guarantee the address yet.

Once the rest of it is pulled apart, I can let you know what it does to a hard disk & hopefully a cure.
From what I have been told, the sealed envelopes containing the floppy are marked with the same imprint of a blue floppy disk & blue numbers partially overwritten by a red square containing what look like Chinese characters as was found with the "Modular Component Technologies" disks that contained the STONED virus a few months ago.

Meanwhile, it's getting late,
Padgett
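The indicators in the post above (CCh in the third boot-sector byte, missing DOS boot message, the signature string in DOS sector 45, and the 4k CHKDSK shortfall) turned into a floppy-image triage routine. This is an added example, not code from the post or its author; the DOS message fragment "Non-System disk" and the 360K geometry (2 heads, 9 sectors/track, which is what makes cyl 2/head 1/sect 1 come out as sector 45) are assumptions, and the sample images are constructed.

```python
# Indicators taken from the post: third boot-sector byte is CCh, the usual DOS
# boot message text is absent, and the signature string sits in the sector at
# cyl 2 / head 1 / sector 1 (DOS sector 45 on a 9-sector-per-track floppy).
SIGNATURE = b"MusicBug v1.06. MacroSoft Corp."
# Assumed fragment of the standard DOS boot message; the post does not quote it.
DOS_BOOT_MSG = b"Non-System disk"
SECTOR = 512

def chs_to_lba(cyl, head, sect, heads=2, spt=9):
    """Convert CHS (1-based sector) to a 0-based DOS/LBA sector number."""
    return (cyl * heads + head) * spt + (sect - 1)

def triage_floppy_image(image):
    """Return a dict of indicator hits for a raw floppy image (bytes)."""
    boot = image[:SECTOR]
    lba = chs_to_lba(2, 1, 1)
    payload = image[lba * SECTOR:(lba + 1) * SECTOR]
    hits = {
        "third_byte_cc": len(boot) > 2 and boot[2] == 0xCC,
        "dos_message_missing": DOS_BOOT_MSG not in boot,
        "signature_in_sector_45": SIGNATURE in payload,
    }
    # Either boot-sector anomaly alone is weak; together they match the post.
    hits["suspicious"] = hits["third_byte_cc"] and hits["dos_message_missing"]
    return hits

def chkdsk_memory_shortfall(reported_bytes, expected_bytes=655_360):
    """Bytes of conventional memory hidden relative to a clean 640k machine."""
    return expected_bytes - reported_bytes

def make_image(infected):
    """Constructed 360K floppy image (720 sectors); not captured from a disk."""
    img = bytearray(SECTOR * 720)
    img[0:3] = b"\xEB\x3C\x90"                      # ordinary JMP short ; NOP
    img[0x100:0x100 + len(DOS_BOOT_MSG)] = DOS_BOOT_MSG
    if infected:
        img[2] = 0xCC                               # CCh in the third byte
        img[0x100:0x100 + len(DOS_BOOT_MSG)] = bytes(len(DOS_BOOT_MSG))
        off = 45 * SECTOR + 0x10
        img[off:off + len(SIGNATURE)] = SIGNATURE   # string in sector 45
    return bytes(img)

if __name__ == "__main__":
    print(triage_floppy_image(make_image(True)))
    print(chkdsk_memory_shortfall(651_264))
```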