-
- *********************************************
- *** Reports collected and collated by ***
- *** PC-Virus Index ***
- *** with full acknowledgements ***
- *** to the authors ***
- *********************************************
-
-
- Report on DISK KILLER (Ref No 89400100)
- 1990 Bryan Clough
-
- -------------------------------------------------------------------
-
- Also known as: OGRE
-
- A Boot Sector Virus that infects both Floppy & Hard Disks
-
- Length 2560 bytes, uses 8KB Memory
-
- -------------------------------------------------------------------
-
- HISTORY:
- --------
-
- First reported April 1989 in Milpitas, California.
- First reported in UK in October 1989.
- First Virus Detection program VIRUSCAN V42 - November 1989
- Embarrassed UK Magazine 'PC Today' when an incomplete version was
- included in a disk supplied with 40,000 copies of their August 1990
- issue.
-
- ------------------------------------------------------------------
-
- DAMAGE:
- -------
-
- INFECTION:
-
- It infects on any read to a drive and, on infection:
-
- With a Floppy, it overwrites Boot Sector and 6 sectors
- with its residual and the relocated code,
- whether in use or not. Then marks the 6
- blocks as 'bad'.
-
- With a Hard Disk, it overwrites the Boot Sector on the
- Active Partition and relocates legitimate
- code and the remainder of its own code to
- unused sectors on Physical Track 0.
-
- MANIFESTATION:
-
- It manifests on the first disk read within the hour after 48 hours
- of use on an infected system. If no disk read occurs, there is a
- wait for a further 48 hours.
-
- On manifestation, it encrypts Track 0 plus everything found on the
- Bootable Partition of Hard Disk or the entire Floppy.
-
- --------------------------------------------------------------------
-
- MESSAGES
-
- On manifestation, it displays the following message:
-
- Disk Killer - - Version 1.00 by COMPUTER OGRE 04/01/89
-
- Warning !!
-
- Don't turn off the power or remove the diskette while
- Disk Killer is Processing
-
- PROCESSING
-
- When it has finished, a further message is displayed:
-
- Now you can turn off the power.
- I wish you luck !
-
- --------------------------------------------------------------------
-
- IDENTIFICATION
-
- Signature: Word at offset 003Eh in the Boot sector contains
- the value 3CCBh
-
- Search String: 2EA1 1304 2008 002E A313 0481 0603 E0BE
- Starting at: location 195 (C3 hex)
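
The two identifiers above can be checked against a saved boot sector image. The following is an added example, not part of the original report; the function names are hypothetical, the word at 003Eh is assumed to be stored little-endian, and the search string is assumed to be a byte sequence in the order listed.

```python
import struct
import sys

# Indicators copied verbatim from the IDENTIFICATION section of the report.
SIG_OFFSET = 0x3E        # "Word at offset 003Eh"
SIG_VALUE = 0x3CCB       # "the value 3CCBh"
PATTERN = bytes.fromhex("2EA1 1304 2008 002E A313 0481 0603 E0BE")
PATTERN_OFFSET = 0xC3    # "location 195 (C3 hex)"


def check_boot_sector(sector):
    """Return the set of report indicators present in a raw boot sector."""
    if len(sector) < PATTERN_OFFSET + len(PATTERN):
        raise ValueError("boot sector image too short to test")
    hits = set()
    # Assumption: the word is stored little-endian, as the 8086 reads it.
    (word,) = struct.unpack_from("<H", sector, SIG_OFFSET)
    if word == SIG_VALUE:
        hits.add("signature")
    # Assumption: the search string is a byte sequence in the order listed.
    if sector.startswith(PATTERN, PATTERN_OFFSET):
        hits.add("search_string")
    elif PATTERN in sector:
        hits.add("search_string_moved")  # present, but not at C3h
    return hits


def verdict(sector):
    """'match' needs both indicators at their stated offsets."""
    hits = check_boot_sector(sector)
    if {"signature", "search_string"} <= hits:
        return "match"
    return "suspect" if hits else "clean"


def constructed_sector(signature=False, pattern_at=None, size=512):
    """Build a synthetic sector for testing; not a sample of the virus."""
    buf = bytearray(size)
    buf[-2:] = b"\x55\xAA"
    if signature:
        struct.pack_into("<H", buf, SIG_OFFSET, SIG_VALUE)
    if pattern_at is not None:
        buf[pattern_at:pattern_at + len(PATTERN)] = PATTERN
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # path to a boot sector image
        with open(sys.argv[1], "rb") as fh:
            print(verdict(fh.read(512)))
    else:
        print(verdict(constructed_sector(True, PATTERN_OFFSET)))  # match
```

For a hard disk, the sector to test is the boot sector of the active partition, which is the one the report says is overwritten.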
-
- --------------------------------------------------------------------
-
- INTERRUPTS: 8h 9h 13h Function 2
-
- --------------------------------------------------------------------
- FEATURES
-
- * First Boot Sector Virus which does not assume a sector size of 512
- bytes.
-
- * First Boot Sector Virus which does not reinfect a system on a
- warm reboot.
-
- -------------------------------------------------------------------
-
- TREATMENT
-
- Disinfection: The listed disinfectors should be able to restore
- the original Boot Sector.
-
- Restoration: RestOgre will restore an encrypted disk.
-
- --------------------------------------------------------------------
-
- Last Updated: 26th April 1991
-
-
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++