Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: MusicBug (PC)
Message-ID: <0006.9012041821.AA14135@ubu.cert.sei.cmu.edu>
Date: 5 Dec 90 12:41:54 GMT
Sender: Virus Discussion List
Lines: 28
Approved: krvw@sei.cmu.edu

Just a bit more data (still haven't seen ALL the code) but the virus appears to be 4k long. It is stored in the boot sector (and I would expect in the partition table of a hard disk since Michael Head indicated that it had infected the hard disk) and seven consecutive sectors. The original boot sector is also stored as a single sector.

The confusing part is that the virus seems to move the storage sectors around on each infection. Since I have not yet seen the infection mechanism, this is not certain, but the two boot sector samples supplied have differences in the data area used to identify the virus' storage location. This would account for the different effects reported - one sample put the virus right in the middle of where one of the hidden system files would reside.

The first sample retrieves the code in seven segments beginning at cyl 2 hd 1 sector 1. The second sample expects them at cyl 0 hd 1 sect 9 (cyl is the same as track). Since I have not yet seen the replication code, the algorithm used is unknown by me as yet.

The good news is that Mr. McAfee has just released v71 and it finds the virus in the boot sector, with the ID [Muboot]. Incidentally, a new addition to v71 is the ability to add a signature string from an external file a la certain Macintosh utilities for immediate tests for new viruses. BRAVO.

Happy Holidays,
Padgett