Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CCTR132@csc.canterbury.ac.nz (Nick FitzGerald)
Newsgroups: comp.virus
Subject: EMPIRE Virus (PC)
Message-ID: <0014.9104171702.AA08284@ubu.cert.sei.cmu.edu>
Date: 17 Apr 91 00:30:00 GMT
Sender: Virus Discussion List
Lines: 36
Approved: krvw@sei.cmu.edu

In VIRUS-L Digest V4 #62 padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) wrote:

> In my previous alert on the EMPIRE virus, I had not yet seen the
>second sector with the transposed text. Since then I have received
>this
>[deletions]
>Text of encrypted message follows:
>
>I'm becoming a little confused as to where the "evil empire" is these
>days.
>[rest of virus message deleted]

If it's not too late, I would respectfully suggest that "Evil Empire" is a better name for this virus as it is more easily identified when the beasty does trigger and display its message, _AND_ it is a "more unique" name.

Tim also sent me a copy of this virus, and it has an interesting feature when it infects a HD with a controller that writes to the MBR. A week or so ago, it was mentioned that some XT HD controllers write up to 17 bytes (yep, 17!) of guff to the MBR immediately before the 64 bytes reserved for the partition table.

Well, my XT at home has just such a controller and when that machine is infected with the Empire virus (I'll use this name for now to avoid/prevent confusion) the HD is rendered unbootable. This is because the HD controller seems to always slip its mystery bytes into a write to 0,0,1, including the viral infection write. As the Empire virus code requires all of the MBR sector apart from the last 66 bytes, its code is corrupted by these 17 mystery bytes, and it doesn't execute correctly, hanging the machine at boot-up.
- ---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz
Phone: (64)(3) 642-337
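
Added example, not part of the original post: a way to confirm the controller behaviour described above by comparing the sector handed to the controller with the sector read back from 0,0,1 and naming the MBR regions that changed. The region labels, function names, the 0x90/0xC5 filler bytes and both sample sectors are constructed for illustration; the offsets follow the standard MBR layout (64-byte partition table at offset 446, 2-byte signature at 510) and the 17-byte figure is the one quoted in the post.

```python
# Added illustration: compare the sector handed to the controller with the
# sector read back from 0,0,1 and name the MBR regions that changed.
SECTOR_SIZE = 512
PTABLE_OFF = 446                     # 0x1BE: 64-byte partition table
SIG_OFF = 510                        # 0x1FE: 2-byte boot signature
STAMP_LEN = 17                       # byte count quoted in the post
STAMP_OFF = PTABLE_OFF - STAMP_LEN   # 429: "immediately before" the table

# (name, start, end_exclusive); names are this example's own labels
REGIONS = [
    ("boot code", 0, STAMP_OFF),
    ("controller stamp area", STAMP_OFF, PTABLE_OFF),
    ("partition table", PTABLE_OFF, SIG_OFF),
    ("boot signature", SIG_OFF, SECTOR_SIZE),
]

def diff_runs(intended, readback):
    """Return [(start, end_exclusive)] for each run of differing bytes."""
    if len(intended) != SECTOR_SIZE or len(readback) != SECTOR_SIZE:
        raise ValueError("both inputs must be 512-byte sectors")
    runs, start = [], None
    for i in range(SECTOR_SIZE):
        differs = intended[i] != readback[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, SECTOR_SIZE))
    return runs

def classify(intended, readback):
    """Attach to each differing run the regions it overlaps."""
    return [(s, e, [n for n, rs, re_ in REGIONS if rs < e and s < re_])
            for s, e in diff_runs(intended, readback)]

def make_sample():
    """Constructed sectors: 0x90 filler, then the same sector with 17
    placeholder bytes (0xC5) where the post says the controller writes."""
    intended = bytearray(b"\x90" * SECTOR_SIZE)
    intended[SIG_OFF:] = b"\x55\xaa"
    readback = bytearray(intended)
    readback[STAMP_OFF:PTABLE_OFF] = b"\xc5" * STAMP_LEN
    return bytes(intended), bytes(readback)

if __name__ == "__main__":
    for start, end, names in classify(*make_sample()):
        print(f"bytes {start}-{end - 1} changed: {', '.join(names)}")
```

A difference confined to offsets 429-445 on read-back is the signature of such a controller; anything that places boot code in that range will not survive a write to the MBR on that hardware.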