home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.12
< prev
next >
Wrap
Text File
|
1995-01-03
|
6KB
|
131 lines
VIRUS-L Digest Thursday, 12 Jan 1989 Volume 2 : Issue 12
Today's Topics:
Re: What happens in the floppy boot process (PC)
Re: VIRUS ALERT: possible virus... keywords: CBUG, WEIRD (PC)
CBUG.COM (PC)
---------------------------------------------------------------------------
Date: Wed, 11 Jan 1989 14:01:08 PLT
From: Wim Bonner <27313853@WSUVM1.BITNET>
Subject: Re: What happens in the floppy boot process (PC)
All that is done on a floppy boot is that the boot sector is read, and
control is passed to a minature program which is stored in the boot
sector. In the case of a non-bootable disk, a message is printed, and
the computer waits for a keypress, then calls the bootstrap routine
again. (ROM Bios calls for both I assume)
In the case of a bootable disk, all it does is load continuos sectors
starting with an offset (past the FATs and root directory.) then pass
control to the loaded program.
If you wipe out the IBMBIOS and IBMDOS (can't remember the names
exactly) from the directoryof a previously bootable disk, the disk
will still try to boot, but when it passes control, very unpredictable
things will happen. (usually a complete lockup!)
Any program which can be written using no DOS calls, and which is less
than a sector can concievable be put into the boot sector of a disk.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- -=-=-=-=-=-=-=-=-=- 10,000 Lemmings can't be wrong! -=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Wim Bonner Bitnet:27313853@WSUVM1 Compuserve:72561,3135 (King-Rat)
The Loft - (509)335-7407 - 300/1200/2400 - 24hrs/day - PCboard 12.1/d
Acknowledge-To: <27313853@WSUVM1>
------------------------------
Date: Wed, 11 Jan 89 19:37:42 PLT
From: Wim Bonner <27313853@WSUVM1.BITNET>
Subject: Re: VIRUS ALERT: possible virus... keywords: CBUG, WEIRD (PC)
I would suggest getting on of the Assembly dissasemblers, and running
it. It would be interesting to know what the 149 byte program would
look like in normal assembly code. I have seen a program called
CRACKER on some BBS programs recently, and have used it on a small
file. It made a pretty nice program listing.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- -=-=-=-=-=-=-=-=-=- 10,000 Lemmings can't be wrong! -=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Wim Bonner Bitnet:27313853@WSUVM1 Compuserve:72561,3135 (King-Rat)
The Loft - (509)335-7407 - 300/1200/2400 - 24hrs/day - PCboard 12.1/d
Acknowledge-To: <27313853@WSUVM1>
------------------------------
Date: Thu, 12 Jan 89 02:18:04 EST
From: Steve <XRAYSROK@SBCCVM.BITNET>
Subject: CBUG.COM (PC)
>Date: Wed, 11 Jan 89 16:04:00 EST
>From: Michael Brown <BROWN@CMR001.BITNET>
>Subject: VIRUS ALERT: possible virus... keywords: CBUG, WEIRD (PC)
> One of our AT clones has a file called C:\CBUG.COM. Running CBUG.COM
>has the following effect: The first time the Y key is pressed, it
>prints the message "YOUR COMPUTER IS NOW INFECTED WITH SOME WEIRD VIRUSES",
>and it hangs the system. A warm boot will restore the system to normal.
This is not a criticism of Michael, but I generally don't run
unfamiliar programs unless I have backed up everything on the system
that I care about. I have no idea whether CBUG.COM is a legitimate
(but infected) program or not, but maybe someone else has heard of it.
>The file is dated 1/01/80 (which is unusual, because that machine has a
>clock, and usually get the date right) and the machine is running PCDOS
>3.3.
An expert will have to advise you about the contents of the file, but
there is nothing strange about the date. That's just the creation
date/time on the PC that created the file (not necessarily correct).
Not only that, but I can set the clock on my PC to January 1, 1925 if
I want to (and guess what date/time stamp gets put on my files?).
>I checked the disk for other occurrences of the message, but it seems
>to only be there once.
Searching the disk and not finding the message in any other files
doesn't mean very much. There is nothing to stop a virus from storing
the characters in reverse order or shifting them all by one ASCII
value and you might never find it...
>I am planning on working on it tonight, using the following procedure...
>- - Installing FSP 1.4 on the machine. (I have never used FluShot+, but from
> my understanding it is reliable).
>- - Running all of the software packages installed on the machine to find
> out if any of the programs on the hard disk call it.
This could be illuminating, but not if you have a virus which behaves
like the one Dimitri wrote for his class... Why not disect the thing
(CBUG.COM) since you have it and see what it actually does (or send it
to someone on this list who will look at it for you)?
>- - I will ask the people that used the machine in the last few days
> to use all of the software (on floppies) that they used while
> the machine is running under FSP.
Hopefully not on the same machine, unless they don't care about
exposing perhaps their only clean copy to a potential virus. And
hopefully not on somebody else's machine unless the other machine
doesn't have a hard drive and they take precautions not to spread the
thing.
>- - I am *not* sure this is a virus, but I don't understand how...
All it takes is somebody bringing an infected floppy into your lab...
Steven C. Woronick | Disclaimer: These are my own opinions
Physics Dept. | and ideas. Always check things out for
SUNY at Stony Brook, NY | yourself...
Acknowledge-To: <XRAYSROK@SBCCVM>
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253