INFO-NYB.TXT (from vds31e.zip; text file dated 1996-11-05, 7KB, 137 lines)
S A M P L E   T E C H   R E P O R T
Copyright (c) 1994-96 by VDS Advanced Research Group
Virus : NYB-boot or B1
Date : April 6, 1994
Document ID: TY94040601
B1 a.k.a. NYB-boot Virus Information
------------------------------------
DESCRIPTION
-----------
NYB-boot (a.k.a. B1) virus infects the MBR on hard disks and the BR on
floppy diskettes. The virus fits in one sector, relocating the original
contents of the MBR/BR to another place on the disk. On hard disks, the
MBR is moved to sector 17, head 0, cylinder 0. On floppy disks, the
location is the last sector of the root directory, which depends on the
capacity of the diskette. For example, on 360K diskettes, the original
clean boot sector is moved to sector 3, head 1, track 0, whereas
on 1.2M diskettes, it will be at sector 14, head 1, track 0.
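As an added example, not part of the VDS report, the following Python derives the floppy relocation sector described above from the diskette's BIOS Parameter Block instead of from a table, so it reproduces the 360K and 1.2M figures and also covers other formats. The BPB tables, the sample boot sector and the names Bpb, bpb_from_boot_sector, build_boot_sector and relocated_boot_record are this example's own constructions, taken from the standard DOS floppy layouts rather than from an infected disk.

```python
"""Locate where NYB-boot parks the original floppy boot record.

Added example, not part of the VDS report.  The report says the virus moves
the clean floppy boot record to the last sector of the root directory, whose
position depends on the diskette layout.  Given the BPB (BIOS Parameter
Block) of a diskette, this computes that sector in BIOS cylinder/head/sector
terms.  The BPB values and the sample boot sector are constructed from the
standard DOS floppy formats; they are not taken from an infected disk.
"""
import struct
from collections import namedtuple

Bpb = namedtuple(
    "Bpb",
    "bytes_per_sector sectors_per_cluster reserved fats root_entries "
    "total_sectors sectors_per_fat sectors_per_track heads",
)

# Standard DOS floppy layouts (constructed sample input, not from the report).
FLOPPY_BPBS = {
    "360K":  Bpb(512, 2, 1, 2, 112,  720, 2,  9, 2),
    "720K":  Bpb(512, 2, 1, 2, 112, 1440, 3,  9, 2),
    "1.2M":  Bpb(512, 1, 1, 2, 224, 2400, 7, 15, 2),
    "1.44M": Bpb(512, 1, 1, 2, 224, 2880, 9, 18, 2),
}

# DOS 3.x BPB layout at offset 11 of the boot sector (media byte is skipped).
_BPB_FMT = "<HBHBHHBHHH"


def bpb_from_boot_sector(sector):
    """Read the BPB fields that start at offset 11 of a boot sector."""
    (bps, spc, reserved, fats, root_entries, total,
     _media, spf, spt, heads) = struct.unpack_from(_BPB_FMT, sector, 11)
    return Bpb(bps, spc, reserved, fats, root_entries, total, spf, spt, heads)


def build_boot_sector(bpb, media=0xF0):
    """Constructed sample boot sector: jump, OEM name, BPB, zero padding, 55AA."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[3:11] = b"EXAMPLE "
    struct.pack_into(_BPB_FMT, sector, 11,
                     bpb.bytes_per_sector, bpb.sectors_per_cluster, bpb.reserved,
                     bpb.fats, bpb.root_entries, bpb.total_sectors, media,
                     bpb.sectors_per_fat, bpb.sectors_per_track, bpb.heads)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def lba_to_chs(lba, sectors_per_track, heads):
    """Logical sector number -> (cylinder, head, sector); BIOS sectors are 1-based."""
    cylinder = lba // (sectors_per_track * heads)
    head = (lba // sectors_per_track) % heads
    sector = lba % sectors_per_track + 1
    return cylinder, head, sector


def last_root_dir_sector(bpb):
    """CHS of the final root-directory sector.

    Layout: reserved sectors (boot record), then the FAT copies, then
    root_entries * 32 bytes of directory rounded up to whole sectors.
    """
    root_sectors = (bpb.root_entries * 32 + bpb.bytes_per_sector - 1) // bpb.bytes_per_sector
    first_root = bpb.reserved + bpb.fats * bpb.sectors_per_fat
    return lba_to_chs(first_root + root_sectors - 1, bpb.sectors_per_track, bpb.heads)


def relocated_boot_record(sector):
    """Where NYB-boot would have put this diskette's clean boot record."""
    return last_root_dir_sector(bpb_from_boot_sector(sector))


HARD_DISK_ORIGINAL_MBR = (0, 0, 17)   # fixed location on hard disks, per the report


if __name__ == "__main__":
    for name, bpb in FLOPPY_BPBS.items():
        cyl, head, sec = relocated_boot_record(build_boot_sector(bpb))
        print(f"{name:>5}: original boot record at cylinder {cyl}, head {head}, sector {sec}")
```

For 360K and 1.2M diskettes the result is sector 3, head 1 and sector 14, head 1 on track 0, matching the report; the same arithmetic gives the location for any other layout whose BPB you read from the boot sector. Read that sector from a clean boot, since the resident virus masks its presence on disk.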
The virus stays resident in memory just below the top of conventional base
memory. It reduces the base memory size by 1K. For example, a system with
640K base memory will appear to have 639K after the virus goes resident.
Once loaded in memory, NYB-boot points the disk access vector (INT 13h)
to its own handler to be able to spread. Its handler examines read and write
requests. It infects the MBR/BR if it is not already infected. The handler
also has stealth capability to mask its presence on the disk. It also
protects itself against being overwritten. For example, you cannot use
a general purpose disk sector editor such as Norton Utilities(tm) and
modify the MBR, where the virus is located, as long as the virus is active
in memory. You will most likely get an error message about the operation.
The coding style in the virus suggests that its author is relatively
experienced in PC assembly language; there is an apparent attempt to
minimize code size and to use tricky code (to make reading it difficult).
The virus is highly infectious, more so than other Stoned variants. Doing
a simple DIR on an unprotected diskette will cause it to get infected.
Diskettes in both the A: and B: drives are infected. The virus transfers
from infected diskettes to hard disks if the system is booted off of an
infected floppy. Once the hard disk is infected, any unprotected disks
used in that system will become infected by the NYB-boot.
Diskettes used for backup by a program that uses its own disk format may
become corrupted and lose data. The virus checks the BIOS timer tick counter
and, when it triggers, executes a loop containing a VERIFY SECTOR call. This
can confuse such software and give the impression of disk problems, and the
diskette may become unusable when this mechanism triggers. The virus itself
does not appear to overwrite data deliberately.
DETECTION
---------
On infected systems with 640K of base memory, the virus interrupt handler
code will be located at 9FC0:0044 with the following sequence of bytes:
9fc0:0044  50         push  ax
9fc0:0045  d1 e8      shr   ax,1
9fc0:0047  fe cc      dec   ah
9fc0:0049  74 03      jz    004e
9fc0:004b  e9 6c 01   jmp   01ba
9fc0:004e  53         push  bx
9fc0:004f  51         push  cx
9fc0:0050  52         push  dx
You can check if the virus is present by using the DEBUG program as follows:
1. At the DOS prompt, type DEBUG.
2. Once the DEBUG prompt, which is a - (dash), appears, type:
-d 9fc0:0044 <enter>
3. Look at the sequence of bytes displayed. If they are
50 D1 E8 FE CC 74 03 E9 6C 01 53 51 52
then, the virus is in memory.
4. Type:
-q <enter>
to exit the DEBUG program.
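As an added example, not part of the VDS report, the following Python automates the byte comparison in step 3: it parses the text that DEBUG prints for the d command and checks the bytes at 9FC0:0044 against the handler prologue listed above. The two dumps are constructed in DEBUG's display layout (segment:offset, two spaces, sixteen three-column hex slots with a dash after the eighth, then an ASCII column) and are not captures from a real machine. The handler_segment rule for systems with other base memory sizes is derived here from the report's 639K and 9FC0 figures; the report itself only gives the 640K case.

```python
"""Check a DEBUG memory dump for the NYB-boot INT 13h handler.

Added example, not from the VDS report.  It parses the text DEBUG prints for
'd 9fc0:0044' and compares the bytes at 9FC0:0044 with the handler prologue
the report lists.  The dumps below are constructed in DEBUG's display layout;
they are not captured from a real machine.  handler_segment() generalises
the report's 639K -> 9FC0 figure and is this example's own assumption.
"""
import re

# Prologue listed in the report:
# push ax / shr ax,1 / dec ah / jz / jmp / push bx / push cx / push dx
NYB_HANDLER = bytes.fromhex("50 D1 E8 FE CC 74 03 E9 6C 01 53 51 52")
HANDLER_OFFSET = 0x0044

# "SSSS:OOOO" followed by the two spaces DEBUG prints before the hex slots.
_DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})  ")


def parse_debug_dump(text):
    """Map linear address -> byte for every byte shown in a DEBUG 'd' listing.

    Each line carries 16 slots of three characters.  DEBUG blanks the slots
    before the requested start offset (d 9fc0:0044 prints the 9FC0:0040 line
    with four empty slots), so blank slots are skipped, not read as zero.
    """
    mem = {}
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16) * 16 + int(m.group(2), 16)
        hex_start = m.end()
        for i in range(16):
            slot = line[hex_start + 3 * i: hex_start + 3 * i + 2]
            if slot.strip():
                mem[base + i] = int(slot, 16)
    return mem


def handler_segment(reported_base_kb):
    """Segment of the top kilobyte of base memory as the BIOS now reports it.

    640K infected -> 639K reported -> 639 * 64 = 9FC0h.  Assumption: the
    virus always occupies that top kilobyte, as the report says for 640K.
    """
    return reported_base_kb * 64


def nyb_resident(mem, segment=0x9FC0):
    """True only if every handler byte is present in the dump and matches."""
    base = segment * 16 + HANDLER_OFFSET
    addrs = range(base, base + len(NYB_HANDLER))
    if any(a not in mem for a in addrs):
        return False          # dump does not cover the whole prologue
    return bytes(mem[a] for a in addrs) == NYB_HANDLER


# Constructed dumps in DEBUG's layout.  The first line starts at 9FC0:0040
# with four blank slots because the request was for offset 0044.
INFECTED_DUMP = (
    "9FC0:0040" + "  " + " " * 12 + "50 D1 E8 FE-CC 74 03 E9 6C 01 53 51"
    + "   " + "    P....t..l.SQ\n"
    "9FC0:0050" + "  " + "52 1E 06 56 57 8B F2 2E-A1 0A 7C 3D 00 00 00 00"
    + "   " + "R..VW...=.......\n"
)
CLEAN_DUMP = (
    "9FC0:0040" + "  " + " " * 12 + "00 00 00 00-00 00 00 00 00 00 00 00"
    + "   " + "    ............\n"
    "9FC0:0050" + "  " + "00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00"
    + "   " + "................\n"
)


if __name__ == "__main__":
    for label, dump in (("infected", INFECTED_DUMP), ("clean", CLEAN_DUMP)):
        print(f"{label}: virus resident = {nyb_resident(parse_debug_dump(dump))}")
```

On a machine whose base memory is not 640K, dump from the segment handler_segment gives for the size the infected system now reports (for example 639 for a 640K machine) and pass that segment to nyb_resident. A dump that stops short of 9FC0:0050 is reported as not resident rather than as a match, since the last prologue byte is on the following line.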
REMOVAL
-------
A. For simple removal without an anti-virus, take the following steps:
1. Turn the infected computer OFF.
2. Boot off of a clean, write-protected (preferably original) DOS 5.0 or
higher diskette. Earlier DOS versions do NOT have the capability to
replace MBR code while leaving the partition table intact.
3. Once the A:> prompt appears, type:
DIR C:\ <enter>
You should see the root directory of the hard disk. If you DON'T, the
partition table may not be intact; obtain the latest copy of VDS for
removal instead. If everything looks fine, type:
FDISK /MBR <enter>
4. This replaces the virus code in the MBR with good code and leaves the
partition table in place. It only works after the clean boot in step 2:
with the virus resident, its INT 13h handler blocks writes to the MBR.
5. Remove the diskette, and turn the computer OFF and ON.
6. Check the base memory size and run DEBUG as explained above to verify that
the virus is no longer in memory.
7. For bootable diskettes, the DOS SYS command will be effective. For
non-bootable diskette, simply copy the files to another disk, and then
format the diskette, and then copy the files back. Note that you MUST NOT
use the DISKCOPY command, that would transfer the virus as well. If you
copy only the files, then the virus would NOT be transferred.
B. A safer approach would be to use the VDS Pro software. Get a copy of
version 3.0k or later. You can run VFSLITE or VDSFSCAN or VDS with the
-S option to scan for the virus and remove it automatically. As a
precautionary measure, you might want to install VDSTSR memory-resident
program so that any warmboot attempts off of an infected floppy will be
caught immediately and your hard disk will be protected. You should also
install VDS integrity checker for stronger protection. Note that the
integrity checker can detect and remove NYB-boot and many such viruses
easily, even before we get a sample of the virus.
If you have a version of VDS earlier than 3.0k, then you can use the
VITALFIX program to remove the virus. On floppy diskettes, choose the
"BOOT RECORD OPERATIONS" from the "MAIN MENU", then choose
"VITALIZE FLOPPY BR". On hard disks, choose the "PARTITION RECORD
OPERATIONS" from the "MAIN MENU", then choose "CONSTRUCT NEW MBR".
To scan for the virus using an earlier VDS version, you need to create
an external signature file. This is a simple text file, named XTERNAL.SIG
and it can be created with any ASCII text editor. Put the following in
this file:
NYB-boot
BOOT
bb 44 00 ba 80 00 be 13 04 31 ff 8e df ff 0c ad
After you are done, put the XTERNAL.SIG file in the C:\VDSPRO30 directory.
Now you can use VDSFSCAN or VFSLITE to scan diskettes for this virus.
We recommend that you use VDSFSCAN to scan multiple diskettes in a
convenient manner, and then remove the virus.
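As an added example, not part of the VDS report and not the VDS Pro scanner, the following Python reads the XTERNAL.SIG record format shown above (name, record type, hex bytes) and searches a boot-sector image for each signature, which is what the external signature file asks VDSFSCAN to do. The XTERNAL.SIG text is the report's; the sector image is constructed (a zero-filled boot record with the signature bytes embedded and 55AA at the end), not a real infected sector, and the assumption that the file may hold several three-line records in a row is this example's own. The disassembly in the comment is this editor's reading of the signature bytes, not text from the report.

```python
"""Scan a boot record with a VDS-style XTERNAL.SIG signature file.

Added example, not part of the VDS report and not the VDS Pro scanner.  It
reads the three-line record format the report shows for XTERNAL.SIG (virus
name, record type, hex bytes) and searches a 512-byte sector image for each
signature.  The XTERNAL.SIG text is the report's; the sector image is
constructed, not a real infected sector.  That the file may hold several
records in a row is this example's assumption.
"""

# Exactly the file contents the report gives.
XTERNAL_SIG = """\
NYB-boot
BOOT
bb 44 00 ba 80 00 be 13 04 31 ff 8e df ff 0c ad
"""

# Editor's decode of those bytes (not stated in the report):
#   bb 44 00   mov bx,0044      ; handler offset checked with DEBUG
#   ba 80 00   mov dx,0080      ; DL=80h, first hard disk
#   be 13 04   mov si,0413      ; 0040:0013 = BIOS base-memory count in K
#   31 ff      xor di,di
#   8e df      mov ds,di        ; DS = 0000
#   ff 0c      dec word ptr [si]; 640K becomes 639K, as the report describes
#   ad         lodsw            ; AX = new top of memory in K


def parse_xternal_sig(text):
    """Return [(name, record_type, signature_bytes), ...] from XTERNAL.SIG text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("XTERNAL.SIG records are name / type / hex bytes")
    sigs = []
    for i in range(0, len(lines), 3):
        name, kind, hexbytes = lines[i], lines[i + 1].upper(), lines[i + 2]
        sigs.append((name, kind, bytes.fromhex(hexbytes)))
    return sigs


def is_boot_record(sector):
    """A DOS boot sector or MBR is 512 bytes and ends in the 55AA marker."""
    return len(sector) == 512 and sector[510:512] == b"\x55\xAA"


def scan_sector(sector, sigs):
    """Names of BOOT-type signatures found anywhere in the sector."""
    if not is_boot_record(sector):
        return []
    return [name for name, kind, sig in sigs
            if kind == "BOOT" and sector.find(sig) != -1]


def constructed_sector(payload=b"", at=0x3E):
    """Zero-filled 512-byte sector with payload at offset 'at' and 55AA at the end.

    Constructed sample input; offset 0x3E is just past a DOS BPB and is an
    arbitrary choice here, not the virus's real code layout.
    """
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"
    sector[at:at + len(payload)] = payload
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


SIGS = parse_xternal_sig(XTERNAL_SIG)
INFECTED = constructed_sector(SIGS[0][2])
CLEAN = constructed_sector()


if __name__ == "__main__":
    for label, sector in (("constructed infected", INFECTED), ("clean", CLEAN)):
        print(f"{label}: {scan_sector(sector, SIGS) or 'no match'}")
```

Run any such scan from a clean, write-protected boot: with the virus resident, its INT 13h stealth handler would hand back the relocated clean sector instead of the infected one, and the signature would not be seen.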