home *** CD-ROM | disk | FTP | other *** search
- VIRUS-L Digest Thursday, 12 Jan 1989 Volume 2 : Issue 12
-
- Today's Topics:
- Re: What happens in the floppy boot process (PC)
- Re: VIRUS ALERT: possible virus... keywords: CBUG, WEIRD (PC)
- CBUG.COM (PC)
-
- ---------------------------------------------------------------------------
-
- Date: Wed, 11 Jan 1989 14:01:08 PLT
- From: Wim Bonner <27313853@WSUVM1.BITNET>
- Subject: Re: What happens in the floppy boot process (PC)
-
- All that is done on a floppy boot is that the boot sector is read, and
- control is passed to a minature program which is stored in the boot
- sector. In the case of a non-bootable disk, a message is printed, and
- the computer waits for a keypress, then calls the bootstrap routine
- again. (ROM Bios calls for both I assume)
-
- In the case of a bootable disk, all it does is load continuos sectors
- starting with an offset (past the FATs and root directory.) then pass
- control to the loaded program.
-
- If you wipe out the IBMBIOS and IBMDOS (can't remember the names
- exactly) from the directoryof a previously bootable disk, the disk
- will still try to boot, but when it passes control, very unpredictable
- things will happen. (usually a complete lockup!)
-
- Any program which can be written using no DOS calls, and which is less
- than a sector can concievable be put into the boot sector of a disk.
-
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- - -=-=-=-=-=-=-=-=-=- 10,000 Lemmings can't be wrong! -=-=-=-=-=-=-=-=-
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- Wim Bonner Bitnet:27313853@WSUVM1 Compuserve:72561,3135 (King-Rat)
- The Loft - (509)335-7407 - 300/1200/2400 - 24hrs/day - PCboard 12.1/d
- Acknowledge-To: <27313853@WSUVM1>
-
- ------------------------------
-
- Date: Wed, 11 Jan 89 19:37:42 PLT
- From: Wim Bonner <27313853@WSUVM1.BITNET>
- Subject: Re: VIRUS ALERT: possible virus... keywords: CBUG, WEIRD (PC)
-
- I would suggest getting on of the Assembly dissasemblers, and running
- it. It would be interesting to know what the 149 byte program would
- look like in normal assembly code. I have seen a program called
- CRACKER on some BBS programs recently, and have used it on a small
- file. It made a pretty nice program listing.
-
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- - -=-=-=-=-=-=-=-=-=- 10,000 Lemmings can't be wrong! -=-=-=-=-=-=-=-=-
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- Wim Bonner Bitnet:27313853@WSUVM1 Compuserve:72561,3135 (King-Rat)
- The Loft - (509)335-7407 - 300/1200/2400 - 24hrs/day - PCboard 12.1/d
- Acknowledge-To: <27313853@WSUVM1>
-
- ------------------------------
-
- Date: Thu, 12 Jan 89 02:18:04 EST
- From: Steve <XRAYSROK@SBCCVM.BITNET>
- Subject: CBUG.COM (PC)
-
- >Date: Wed, 11 Jan 89 16:04:00 EST
- >From: Michael Brown <BROWN@CMR001.BITNET>
- >Subject: VIRUS ALERT: possible virus... keywords: CBUG, WEIRD (PC)
-
- > One of our AT clones has a file called C:\CBUG.COM. Running CBUG.COM
- >has the following effect: The first time the Y key is pressed, it
- >prints the message "YOUR COMPUTER IS NOW INFECTED WITH SOME WEIRD VIRUSES",
- >and it hangs the system. A warm boot will restore the system to normal.
-
- This is not a criticism of Michael, but I generally don't run
- unfamiliar programs unless I have backed up everything on the system
- that I care about. I have no idea whether CBUG.COM is a legitimate
- (but infected) program or not, but maybe someone else has heard of it.
-
- >The file is dated 1/01/80 (which is unusual, because that machine has a
- >clock, and usually get the date right) and the machine is running PCDOS
- >3.3.
-
- An expert will have to advise you about the contents of the file, but
- there is nothing strange about the date. That's just the creation
- date/time on the PC that created the file (not necessarily correct).
- Not only that, but I can set the clock on my PC to January 1, 1925 if
- I want to (and guess what date/time stamp gets put on my files?).
-
- >I checked the disk for other occurrences of the message, but it seems
- >to only be there once.
-
- Searching the disk and not finding the message in any other files
- doesn't mean very much. There is nothing to stop a virus from storing
- the characters in reverse order or shifting them all by one ASCII
- value and you might never find it...
-
- >I am planning on working on it tonight, using the following procedure...
- >- - Installing FSP 1.4 on the machine. (I have never used FluShot+, but from
- > my understanding it is reliable).
- >- - Running all of the software packages installed on the machine to find
- > out if any of the programs on the hard disk call it.
-
- This could be illuminating, but not if you have a virus which behaves
- like the one Dimitri wrote for his class... Why not disect the thing
- (CBUG.COM) since you have it and see what it actually does (or send it
- to someone on this list who will look at it for you)?
-
- >- - I will ask the people that used the machine in the last few days
- > to use all of the software (on floppies) that they used while
- > the machine is running under FSP.
-
- Hopefully not on the same machine, unless they don't care about
- exposing perhaps their only clean copy to a potential virus. And
- hopefully not on somebody else's machine unless the other machine
- doesn't have a hard drive and they take precautions not to spread the
- thing.
-
- >- - I am *not* sure this is a virus, but I don't understand how...
-
- All it takes is somebody bringing an infected floppy into your lab...
-
- Steven C. Woronick | Disclaimer: These are my own opinions
- Physics Dept. | and ideas. Always check things out for
- SUNY at Stony Brook, NY | yourself...
- Acknowledge-To: <XRAYSROK@SBCCVM>
-
- ------------------------------
-
- End of VIRUS-L Digest
- *********************
-
- Downloaded From P-80 International Information Systems 304-744-2253
-