VIRUS-L Digest   Thursday, 12 Jan 1989    Volume 2 : Issue 12

Today's Topics:
Re: What happens in the floppy boot process (PC)
Re: VIRUS ALERT: possible virus... keywords: CBUG, WEIRD (PC)
CBUG.COM (PC)

---------------------------------------------------------------------------

Date: Wed, 11 Jan 1989 14:01:08 PLT
From: Wim Bonner <27313853@WSUVM1.BITNET>
Subject: Re: What happens in the floppy boot process (PC)

All that is done on a floppy boot is that the boot sector is read, and
control is passed to a miniature program which is stored in the boot
sector. In the case of a non-bootable disk, a message is printed, and
the computer waits for a keypress, then calls the bootstrap routine
again. (ROM BIOS calls for both, I assume.) In the case of a bootable
disk, all it does is load continuous sectors starting with an offset
(past the FATs and root directory), then pass control to the loaded
program. If you wipe out the IBMBIOS and IBMDOS (can't remember the
names exactly) from the directory of a previously bootable disk, the
disk will still try to boot, but when it passes control, very
unpredictable things will happen. (Usually a complete lockup!)

Any program which can be written using no DOS calls, and which is less
than a sector, can conceivably be put into the boot sector of a disk.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=- 10,000 Lemmings can't be wrong! -=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Wim Bonner   Bitnet:27313853@WSUVM1   Compuserve:72561,3135 (King-Rat)
The Loft - (509)335-7407 - 300/1200/2400 - 24hrs/day - PCboard 12.1/d

Acknowledge-To: <27313853@WSUVM1>

------------------------------

Date: Wed, 11 Jan 89 19:37:42 PLT
From: Wim Bonner <27313853@WSUVM1.BITNET>
Subject: Re: VIRUS ALERT: possible virus... keywords: CBUG, WEIRD (PC)

I would suggest getting one of the assembly disassemblers, and running
it. It would be interesting to know what the 149-byte program would
look like in normal assembly code. I have seen a program called
CRACKER on some BBS programs recently, and have used it on a small
file. It made a pretty nice program listing.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=- 10,000 Lemmings can't be wrong! -=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Wim Bonner   Bitnet:27313853@WSUVM1   Compuserve:72561,3135 (King-Rat)
The Loft - (509)335-7407 - 300/1200/2400 - 24hrs/day - PCboard 12.1/d

Acknowledge-To: <27313853@WSUVM1>

------------------------------

Date: Thu, 12 Jan 89 02:18:04 EST
From: Steve
Subject: CBUG.COM (PC)

>Date: Wed, 11 Jan 89 16:04:00 EST
>From: Michael Brown
>Subject: VIRUS ALERT: possible virus... keywords: CBUG, WEIRD (PC)
>
> One of our AT clones has a file called C:\CBUG.COM. Running CBUG.COM
>has the following effect: The first time the Y key is pressed, it
>prints the message "YOUR COMPUTER IS NOW INFECTED WITH SOME WEIRD VIRUSES",
>and it hangs the system. A warm boot will restore the system to normal.

This is not a criticism of Michael, but I generally don't run
unfamiliar programs unless I have backed up everything on the system
that I care about. I have no idea whether CBUG.COM is a legitimate
(but infected) program or not, but maybe someone else has heard of it.

>The file is dated 1/01/80 (which is unusual, because that machine has a
>clock, and usually gets the date right) and the machine is running PCDOS
>3.3.

An expert will have to advise you about the contents of the file, but
there is nothing strange about the date. That's just the creation
date/time on the PC that created the file (not necessarily correct).
Not only that, but I can set the clock on my PC to January 1, 1925 if
I want to (and guess what date/time stamp gets put on my files?).

>I checked the disk for other occurrences of the message, but it seems
>to only be there once.

Searching the disk and not finding the message in any other files
doesn't mean very much. There is nothing to stop a virus from storing
the characters in reverse order or shifting them all by one ASCII
value, and you might never find it...

>I am planning on working on it tonight, using the following procedure...
>- Installing FSP 1.4 on the machine. (I have never used FluShot+, but from
>  my understanding it is reliable).
>- Running all of the software packages installed on the machine to find
>  out if any of the programs on the hard disk call it.

This could be illuminating, but not if you have a virus which behaves
like the one Dimitri wrote for his class... Why not dissect the thing
(CBUG.COM) since you have it and see what it actually does (or send it
to someone on this list who will look at it for you)?

>- I will ask the people that used the machine in the last few days
>  to use all of the software (on floppies) that they used while
>  the machine is running under FSP.

Hopefully not on the same machine, unless they don't care about
exposing perhaps their only clean copy to a potential virus. And
hopefully not on somebody else's machine unless the other machine
doesn't have a hard drive and they take precautions not to spread the
thing.

>- I am *not* sure this is a virus, but I don't understand how...

All it takes is somebody bringing an infected floppy into your lab...

Steven C. Woronick          | Disclaimer: These are my own opinions
Physics Dept.               | and ideas. Always check things out for
SUNY at Stony Brook, NY     | yourself...

------------------------------

End of VIRUS-L Digest
*********************
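The first message in this digest describes the floppy boot path: the BIOS reads sector 0, jumps into the small program stored there, and that program either prints a "non-system disk" message or loads sectors from a fixed offset past the FATs and root directory. The following parser is an added example, written for this editorial pass and not code from the digest or its contributors. It builds a constructed 1.44 MB FAT12 boot sector (the BPB values are the standard geometry for that format; the bytes at the jump target are a CLI/HLT placeholder plus a message string, not real DOS loader code), then recovers from it the numbers the message talks about: where the boot code starts, how much room a boot-sector program has, and the sector at which the data area begins. The 0x55AA signature check at offset 510 is the one a BIOS performs before handing control to the sector.

```python
"""Added example: parse a FAT12 floppy boot sector the way the BIOS and
the DOS boot code see it.  The sample sector is constructed here; it is
not an image of a real disk."""
import struct

SECTOR_SIZE = 512
BPB_OFFSET = 11
BPB_FMT = "<HBHBHHBHHHII"   # DOS 3.31 BIOS Parameter Block layout


def build_boot_sector(message=b"Non-System disk or disk error\r\n", signed=True):
    """Constructed 3.5" 1.44 MB floppy boot sector (test data)."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"                       # JMP SHORT +0x3C ; NOP
    sec[3:11] = b"MSDOS5.0"                          # OEM name
    struct.pack_into(BPB_FMT, sec, BPB_OFFSET,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors (just the boot sector)
                     2,      # number of FATs
                     224,    # root directory entries
                     2880,   # total sectors
                     0xF0,   # media descriptor
                     9,      # sectors per FAT
                     18,     # sectors per track
                     2,      # heads
                     0,      # hidden sectors
                     0)      # large total sectors (unused here)
    sec[36] = 0x00                                   # BIOS drive number (A:)
    sec[38] = 0x29                                   # extended boot signature
    struct.pack_into("<I", sec, 39, 0x1234ABCD)      # volume serial (made up)
    sec[43:54] = b"NO NAME    "
    sec[54:62] = b"FAT12   "
    # Placeholder for the boot program: CLI; HLT, followed by the text the
    # real loader would print.  Real DOS boot code is not reproduced here.
    code = b"\xFA\xF4" + message
    sec[62:62 + len(code)] = code
    if signed:
        sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def parse_boot_sector(sec):
    """Return the layout facts the boot process depends on."""
    if len(sec) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    (bps, spc, reserved, fats, root_entries, total, media,
     spf, spt, heads, hidden, total_large) = struct.unpack_from(BPB_FMT, sec, BPB_OFFSET)

    # The first instruction is a jump over the BPB; decode it to find the code.
    if sec[0] == 0xEB:                               # JMP rel8 (from next IP)
        code_offset = 2 + struct.unpack_from("<b", sec, 1)[0]
    elif sec[0] == 0xE9:                             # JMP rel16
        code_offset = 3 + struct.unpack_from("<h", sec, 1)[0]
    else:
        code_offset = None

    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    root_start = reserved + fats * spf               # first sector after the FATs
    data_start = root_start + root_dir_sectors       # "past the FATs and root directory"
    return {
        "signature_ok": sec[510:512] == b"\x55\xAA",
        "bytes_per_sector": bps,
        "total_sectors": total or total_large,
        "fat_start_sector": reserved,
        "root_dir_start_sector": root_start,
        "data_start_sector": data_start,
        "data_start_byte": data_start * bps,
        "code_offset": code_offset,
        # room for a boot-sector program between the jump target and 0x55AA
        "code_bytes_available": (510 - code_offset) if code_offset is not None else 0,
        "code": sec[code_offset:510] if code_offset is not None else b"",
    }


def printable_strings(data, minlen=8):
    """Pull printable ASCII runs out of the boot code (the message it prints)."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= minlen:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= minlen:
        out.append(run.decode("ascii"))
    return out


if __name__ == "__main__":
    info = parse_boot_sector(build_boot_sector())
    for key, value in info.items():
        if key != "code":
            print(f"{key:>24}: {value}")
    print("strings in boot code:", printable_strings(info["code"]))
```

On the constructed sector the data area starts at sector 33 (1 reserved + 2 x 9 FAT sectors + 14 root-directory sectors), so a loader that reads "continuous sectors starting with an offset" begins at byte 16896 of the image, and the boot program itself has 448 bytes between the jump target at offset 62 and the signature. To examine a real floppy image, read its first 512 bytes and pass them to `parse_boot_sector`; `printable_strings` on the returned code is the quickest way to see which message the sector prints and whether the text has been replaced.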
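Steve's reply warns that grepping the disk for the CBUG message proves little, because a virus can store the text reversed or shifted by one ASCII value. The scanner below is an added example, not code from the digest or its contributors: it searches a byte blob for every simple transform of a needle string at once (plain, reversed, added constant, and, going one step past the message, single-byte XOR), so a naive "string found only once" result can be re-checked. The sample "binary" is constructed inline: filler bytes around three hidden copies of the CBUG message, none of which a plain search would find.

```python
"""Added example: search a binary for simple disguises of a known string
(reversed, shifted by a constant, single-byte XOR).  The sample blob is
constructed test data, not a real program."""

MESSAGE = b"YOUR COMPUTER IS NOW INFECTED WITH SOME WEIRD VIRUSES"


def transforms(needle, max_shift=8):
    """Yield (name, pattern) pairs for each disguise of the needle."""
    yield "plain", needle
    yield "reversed", needle[::-1]
    for s in range(1, max_shift + 1):
        # "shifting them all by one ASCII value", generalised to +/- max_shift
        yield f"shift+{s}", bytes((b + s) & 0xFF for b in needle)
        yield f"shift-{s}", bytes((b - s) & 0xFF for b in needle)
    for k in range(1, 256):
        yield f"xor 0x{k:02x}", bytes(b ^ k for b in needle)


def scan(blob, needle, max_shift=8):
    """Return every (transform name, offset) at which a disguised needle occurs."""
    hits = []
    for name, pattern in transforms(needle, max_shift):
        start = 0
        while True:
            i = blob.find(pattern, start)
            if i < 0:
                break
            hits.append((name, i))
            start = i + 1
    return hits


def build_sample():
    """Constructed blob: the message hidden three ways between filler bytes.
    Returns the blob and the offsets at which each copy was placed."""
    reversed_copy = MESSAGE[::-1]
    shifted_copy = bytes((b + 1) & 0xFF for b in MESSAGE)
    xored_copy = bytes(b ^ 0x5A for b in MESSAGE)
    parts = [b"\x90" * 64, reversed_copy, b"\xCC" * 16, shifted_copy, b"\x00" * 8, xored_copy]
    offsets, pos = {}, 0
    for name, part in zip([None, "reversed", None, "shift+1", None, "xor 0x5a"], parts):
        if name:
            offsets[name] = pos
        pos += len(part)
    return b"".join(parts), offsets


if __name__ == "__main__":
    blob, placed = build_sample()
    print("plain search finds it:", MESSAGE in blob)
    for name, offset in scan(blob, MESSAGE):
        print(f"{name:>10} at offset {offset}")
```

Run against a real file, `scan(open(path, "rb").read(), MESSAGE)` reports each disguise and its offset; an empty list means only that these particular transforms are absent, since a virus is free to encode its text any other way, which is why the reply's real advice is to disassemble the program rather than trust a string search.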