What do I do. I am in desperate need to get rid of this before it hits everyone
around!
If F-Prot is finding AntiEXE in memory after using the boot disk there
are two possibilities:
1) The boot disk was infected and is not a proper clean,
write-protected, system diskette
2) F-Prot is false alarming.
I would recommend getting a friend without the virus to make you a clean,
write-protected DOS system diskette and trying that. Dr Solomon's
FindVirus can reliably detect and repair this virus. In fact, AntiEXE is
so common I would expect most good anti-virus products can do it.
Here's some information about AntiEXE from Dr Solomon's Anti-Virus
Toolkit:
AntiEXE
Aliases: NewBug, D3, CMOS4.
Type: Memory-resident boot and partition sector virus.
Affects: Write-enabled hard and floppy disks if the computer is booted
from an infected (not necessarily bootable) floppy. Some EXE files.
File Growth: N/A
Description
This boot and partition sector virus infects the hard disk when booted
from an infected floppy. Diskettes are infected on read access (e.g. the DIR
command).
When a certain (unknown as yet) EXE file is being executed or read from a
disk (eg. using the COPY command) the virus patches the first byte of the
in-memory file image, thus causing unpredictable errors. In most cases
the computer hangs.
You can download an evaluation copy of FindVirus which can detect and
repair this virus via ftp or worldwide web (see my sig below).
Regards
Graham
---
Graham Cluley CompuServe: GO DRSOLOMON
Senior Technology Consultant, UK Support: sup...@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit. US Support: sup...@us.drsolomon.com
Email: gcl...@uk.drsolomon.com UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com USA Tel: +1 617-273-7400
Evaluation version available: ftp.drsolomon.com:/pub/progs/dsav752.zip
Phone our USA office after downloading for decryption password
>On 1 Nov 1995, Trent Stewart wrote:
>> A friends computer had been completely infected by the ANTI-EXE virus and I
>> have tried using f-prot. But when F-Prot starts it says that the memory has the
>> virus in it, so I used a boot disk and it still says that the memory still has
>> the virus in it.
>>
>> What do I do. I am in desperate need to get rid of this before it hits everyone
>> around!
> Obviously f-prot is crap. Try another scanner, like McAfee's. If the
>only sign you have of the virus is that the scanner/cleaner told you so
>you might not have a virus at all. Older scanners false in the new OS's.
>By old, I mean months.
Don't be stupid. Anyway, a more likely reason is that your boot disk
is infected. Get a different boot disk (go to a store, and have them
format a system disk and put a scanner on it).
-- The Executioner
------====### legal notice ###====--------------------------------------------
Microsoft(tm) Network is prohibited from redistributing this work in any form,
either in whole or in part. License to distribute this posting is available to
Microsoft(tm) for (US)$999.99. Posting without prior permission constitutes an
agreement to these terms. Site license is available for (US)$99,999,999,999.99
------------------------------------------------------------
From: mra...@u.washington.edu (Michael Ramey)
Date: 5 Oct 1995 18:23:32 GMT
Newsgroups: alt.comp.virus
Subject: Re: I found an Anti-exe virus... Removal procedures (very long).
I also had an AntiExe infection which appeared in memory even when booting
from a "known clean write protected" diskette. Subsequent deliberate
reinfections did *not* display this behavior. A note from Dr Solomon
below may explain how the virus image can persist in RAM. I am attaching
my recovery procedure, the note from Dr Sol, and several other articles
which may be helpful. Thanks to all the people whose work I have included.
-mr
>psze...@access.mbnet.mb.ca (Pete Szekely) wrote:
>>Usually, I am successful at removal of such nasties,
>>but this one refuses to leave!
XWW...@prodigy.com (Henri Delger) writes:
>A virus is a program, written to the disk like any other
>software, and completely removable, like any other
>software. Viruses don't "refuse to leave;" but they may
>remain - if - you try removing them while they're in memory,
>and fail - or - if you miss a copy of the virus, and that copy
>subsequently re-infects the system. [snip]
~Date: Sun, 16 Jul 1995 09:42:30 -0700
~From: Michael Ramey <mra...@u.washington.edu>
~Subject: AntiExe removed; survives clean boot!?
On Friday I cleaned up an 'AntiExe' virus infection.
This virus appeared to survive in memory even after a power-off cold boot
from a write-protected known clean floppy diskette! There were other
strange occurrences, which I will describe as best I can from memory.
The computer is a no-name laptop clone with AMIBIOS:
Main Processor: PENTIUM (tm) CPU
Numeric Processor: Present
Floppy Drive A: 1.44 MB, 3-1/2"
Floppy Drive B: None
Display Type: VGA/PGA/EGA
AMIBIOS Date: 06/06/92
Base Memory Size: 640 KB
Ext. Memory Size: 15360 KB
Hard Disk C: Type: 47 (USER TYPE)
Cyl 692, Hd 16, WPcom 65535, LZone 692, Sect 60, Size 324 MB
Hard Disk D: Type: None
Serial port(s): 3F8,2F8
Parallel Port(s): 378
This laptop is running MS-DOS 6.22; the clean-boot diskette I used for
cleanup is MS-DOS 6.20; could this cause the problem described below?
The infection appeared when a faculty member came into the computer lab
with a floppy diskette and used one of the Gateway computers. Apparently
he accidentally booted the Gateway with his diskette in the A: drive.
After he left, I noticed strange messages on the monitor; they appeared
to be from DiskSecure-2.42. Unfortunately, I did not document these
messages; I thought DiskSecure would clear the problem when I rebooted;
it did not! I did a 'clean boot' and used F-PROT 2.18a, which found the
AntiExe virus on the hard disk. I removed it using F-PROT 2.18a.
This computer runs MS-DOS 6.20; the boot diskette was the same version.
Later I reinfected this lab computer (and one other) with the same
diskette the instructor used when the infection first appeared. On all
subsequent reinfections, DiskSecure detected and cleared the infection!
I was unable to reproduce the behavior of the original infection.
The infected diskette had been used in the professor's laptop computer; he
had lots of infected diskettes. When the laptop was booted from its hard
disk, it would infect any diskette which was not write-protected when it
was referenced by DIR, CHKDSK, or SCANDISK.
To disinfect the laptop, I did a power-off clean boot (using a MS-DOS 6.20
diskette), and ran F-PROT 2.18a from a write-protected diskette. F-PROT
detected AntiExe in memory [Why?] and would not continue.
I used the infected laptop to make an infected boot disk (FORMAT A: /U /S)
and copied the most essential DOS programs to it. I used F-PROT on
another machine to disinfect this floppy, and then rebooted the laptop
from the floppy. F-PROT still found the AntiExe virus in memory [Why?],
but the laptop was not infective; it would _not_ infect floppy disks.
(I did get lots of erratic, unreproducible read and format errors on the
A: drive, which continued even after the successful disinfection.)
I connected a Colorado Trakker tape drive, installed the TAPE program,
backed-up the entire hard disk to tape, and compared the tape to the hard
disk. I planned to try F-PROT first, and if necessary use FDISK/MBR.
Having convinced myself that the virus was not _active_ (since the laptop
was not infecting diskettes, even tho' F-PROT found the virus in memory),
and having a complete backup of the hard disk, I then ran 'F-PROT /NOMEM'
to skip the memory scan. F-PROT found AntiExe on the hard disk; and
removed it. After that, F-PROT found no virus on the laptop!
I was still unable to install DiskSecure on the laptop, because the A:
drive was very intermittent in its ability to read diskettes.
[ 1985-08-31; the owner of this computer has since reported problems with
diskette drive A: and asked me for repair service recommendations; I don't
know the results of the repair. -mr ]
--Mike Ramey, University of Washington, Seattle WA USA.
~Date: 14 Sep 1995 18:46:38 GMT
~Newsgroups: alt.comp.virus
~Subject: Re: Stoned.Empire.Monkey
[ Dr. Sol: Ghost-persistence of Boot Sector viruses (AntiExe). ]
>John Vick (VI...@AIB.EDU) writes:
>>Note: We have some new IBM PCs (300 series) and they "look" at C:
>>during the boot process even when your booting from A:
>>In this case we let f-prot load WITHOUT scanning memory and then
>>told it to scan/disinfect C:
drs...@chartridge.win-uk.net (Dr Alan Solomon) writes:
>I would expect all PCs to do this. If you are booting Dos from a
>floppy, you should see a hard disk read, because Dos has to read
>the partition sector in order to discover that there is a Dos
>partition on the hard disk, otherwise it wouldn't know of a drive
>C. I think it's just the one sector that's read.
Alan -- Thank you for (I think?) explaining why ... when I had a laptop
infected with AntiExe, F-PROT found AntiExe in memory (an I/O buffer?)
even when I booted from a clean diskette in the A: drive ... even though
the AntiExe 'virus' was NOT infective after the A: drive clean boot (that
is, it did not infect diskettes). Correct me if I misunderstand: The
boot program on the A: diskette reads the C-drive (disk-0) MBR & Partition
Table into a RAM buffer and processes the C-drive PT without executing the
C-drive MBR (which would install an active/infective virus TSR in RAM).
The solution John Vick used worked for me also. This question has been
driving me crazy for months! -mr
From mra...@u.washington.edu Thu Oct 5 10:39:19 1995
~Date: Tue, 8 Aug 1995 14:26:17 -0700
~From: Michael Ramey <mra...@u.washington.edu>
~Subject: Removing stealth boot-sector virus with F-Prot. (long)
My apologies to all. I posted a message saying what NOT to do,
but I did not give any suggestion about what you _should_ do.
I hope the excerpt from Howard Wood's "The Scanner" will be helpful.
It describes removing the EXEBUG virus, but the principles involved
will apply (I believe) to other boot-sector stealth viruses.
Thanks to Woody for this excellent F-Prot tutorial. -mr
On 2 Aug 1995, I wrote:
>Please be sure that 'fdisk/mbr' is =NOT= the first thing you try for
>MBR infections! This attempted fix can render your _entire_ hard disk
>unreadable -- and all your files will be GONE.
> The 'fdisk/mbr' fix will work ONLY with mbr infectors which do NOT
>encrypt, move, or otherwise modify the Partition Table (which is
>intimately associated with and processed by the executable code in the
>mbr).
> For mbr infectors which DO modify the Partition Table, 'fdisk/mbr'
>will write a new mbr, but it will not be able to process the modified
>Partition Table, and all partitions on your hard disk will be lost.
--------------------
The Scanner - The Anti-Virus Newsletter of Today
April 1995
Volume 1 Issue 3
The Scanner is a newsletter compiled by Howard Wood with the
help of many people in the Anti-Virus community as well as users.
Those who contribute to The Scanner are primarily concerned with
'getting the word out' about the virus situation, and encourage
the free dissemination of this information. Therefore, please
feel free to repost complete, unedited copies of The Scanner
wherever you feel there may be interest in the topic, or need for
the knowledge. You are also encouraged to contact the authors
regarding an individual article's Copyright.
The Scanner is in no way liable for the accuracy of any or
all information it is passing along. While accuracy and facts are
the paramount goal of The Scanner, it is humanly impossible to
verify all information and guarantee its accuracy 100%.
The goal of The Scanner is to disseminate as much information
to as wide spread a group as possible. Researchers, developers and
users alike need various levels of information to deal with the
viruses, Trojans and hacks that are encountered daily. The
Scanner will *attempt* to pass along viable information for all
groups.
Most of all, The Scanner is *your* newsletter. If you have
encountered any viruses, Trojans, or hacked programs let us know.
We need to all work together to combat the problems out there.
Since the last issue there have been some address changes. Any
correspondence with either The Scanner staff or Howard Wood can be
sent to the following addresses:
The Scanner SC...@aol.com
Howard Wood HRR...@aol.com
Howar...@Flagship.org
The Scanner is now available on the following FTP sites:
FTP: informatik.uni-hamburg.de
DIR: /pub/virus/texts/scanner/
( Thanks to Vesselin V. Bontchev's assistance and time )
FTP: OAK.oakland.edu
DIR: SimTel/msdos/virus/SNR9501.ZIP
( Thanks to Wolfgang Stiller's assistance and time )
DISCLAIMER: The views represented herein do not necessarily
represent the views of the staff. Scanner
contributors assume all responsibility for
ensuring that articles submitted do not
violate copyright protections.
Woody
[ deleted ]
*******
The Virus Spotlight
EXEBUG
I asked Henri Delger ( virus GURU at PRODIGY ) about the
EXEBUG virus. Here is what Henri had to say:
While ExeBug is in memory, it will mis-direct attempts
to read its code in (cylinder&head 0, sector 1) to the relocated
MBR data (in cylinder&head 0, sector 17) which makes it a
"stealth" type virus.
From then on, the virus will be in memory, ready to infect
other diskettes, on any access (even DIR). The FORMAT command
cannot remove this type of virus, since FORMAT doesn't write to
sector (cylinder&head 0, sector 1) where the virus code is
written.
In addition, ExeBug alters the CMOS data, so that the A>
drive is shown as "Not Installed," which may prevent some PCs from
being booted from an uninfected DOS boot disk, at least until the
CMOS/Setup is restored.
Depending on the computer's BIOS, the A> drive may be
accessed temporarily with the <F1> key to allow a boot from an
uninfected floppy, necessary before attempting to remove the
virus. The CMOS Setup itself may be accessed at the start of the
boot process, with the <F2> or <DEL> key, or by a combination of
the <Ctrl>+<Alt> plus either <S>, <Esc>, or <Ins> keys. (Some PCs
do not have the Setup program built-in, but on a separate
diskette.)
Once the PC has been booted from an uninfected boot diskette,
DOS won't be able to access the hard disk, displaying an "Invalid
drive specification" message, because the partition data which was
in sector (cylinder&head 0, sector 1) was written over by the
virus.
This virus is an example where the undocumented DOS5/6
command FDISK /MBR is futile, since the partition data will still
be missing from (cylinder&head 0, sector 1). Copying the original
data from (cylinder&head 0, sector 17 to 1) will write over the
virus code, allowing a re-boot from the hard disk.
ExeBug will "trojanize" EXE files, writing a small program in
the "slack" space at the end of the file, which can destroy
Directory and File Allocation table data in the month of March,
thus causing files to be inaccessible to DOS, and if fragmented,
lost to most data recovery programs.
Antivirus programs do not find these trojans, nor are they
shown with the DIR command. Although they are harmless once the
virus itself is removed, they can be wiped off the disk if a
utility is used to "wipe" the file "slack," or if a utility is
used to fully de-fragment the disk.
Regards,
Henri Delger
Thanks Henri, now, let's take this to "The Lab". First thing I
am going to do is put an infected disk in the drive and boot from
that disk. This is a very common way for bootsector viruses to
travel. An unsuspecting user has a disk in the drive and forgets
about it and turns the system on. The system tries to boot from
the disk and if it is a non-systems disk the error message will
appear on the screen. So let's use that scenario.
I put an infected floppy disk into the drive the[n] booted the
system. This is a very typical scenario. An infected disk is in
the system and the user turns the system on. The usual error
message comes up and the user removes the disk not knowing that
the system is now infected. Well, we see the message:
Non-system disk or disk error
Replace and press any key when ready.
(NOTE: this message will vary from system to system depending on
the DOS used and the language being used in the DOS)
So, I remove the disk and the system comes up, all is hunky
dory, right? Wrong. I do a chkdsk and see that there are only
654336 total free bytes when there should be 655360 bytes free.
The system is infected. At this point I would like to tell you
that some systems use a part of the memory for their
BIOS operations. If your system is one of these then be sure you
know how much memory the system reserves for these operations so
you will be familiar with what the total free memory should be.
Let's start with F-Prot 217 this time. I turn the system off
and put my F-Prot 217 bootable floppy in the A: drive. Turn the
system back on. It will come up but there will also be an error
message:
Diskette drives or Type mismatch error - use setup
Press F1 key to continue or CTL-ALT-ESC for setup
(NOTE: this message will vary from system to system, the
point is EXEBUG has messed up the CMOS and removed the A: drive
information so the system will not recognize the A: drive, forcing
the system to boot from the C: drive. If your boot drive is B:
then the B: drive will be disabled )
Make the proper data inputs to the CMOS then continue on. We
finally arrive at the start up screen for F-Prot. (Those of you
that are more familiar with the program and prefer to use line
commands probably don't use this, so be sure you read the DOCs
that explain these commands in order to be sure to properly use
the program). Now, there are some things one must be aware of.
If we just do a SCAN, F-Prot will come up and say:
Master Boot Sector infection: EXEBUG.A
The following message will appear in a red box:
Error: No hard disk found.
This is all you get. You must go back to the opening screen
and Tab down to Action. Go into Action and you can either
choose Disinfect/Query or Automatic disinfection. Because this is
in the Bootsector these are your only choices for removing this
type of infection. [I recommend "Disinfect/Query". -mr] Now run
the program again. This time you will see a red box with the following
message in it:
The Master Boot Sector is infected with the
A variant of the Exbug virus.
Disinfect (Y/N)?
Obviously you would choose Y. The program will then put
another red box on the screen saying:
Error: No hard disk found.
Look very carefully below the red box:
Master Boot Sector infection: EXEBUG.A
Virus removed.
See the message that tells you the virus has been removed?
This message comes up because while F-Prot has removed the bug we
have not reset the system so it [DOS -mr] can see the hard drive.
Turn the system off and then back on again and you will be back in
business. If you want to make sure you got it, turn the system
off and put the bootable disk in the system and bootup again.
This time just do a Scan and you will find that the Exebug virus
is no longer there. F-Prot has removed the virus from the system
and you are now ready to move on.
A note from Mikko reminded me to tell you that if you use
F-Prot from the command line use F-Prot /HARD/DISINF, do not use
F-Prot C:/DISINF. For more information see COMMAND.DOC on the
F-Prot disk.
F-Prot will remove both variants A and C the same way. It
takes longer reading about it than the actual process takes.
[ snip ]
From Otto....@uni-konstanz.de Thu Oct 5 10:39:32 1995
~Date: Thu, 17 Aug 95 18:34:53 MEZ
~From: Otto Stolz <Otto....@uni-konstanz.de>
~Subject: General Virus-Removing Method (PC)
Latest Update: 2 Aug 1995 11:05 h
Abbreviations Used Herein
-------------------------
AV : Anti-Virus
BIOS : Basic Input/Output System (= ROM part of the operating system)
ROM : Read-Only Memory
HD : Hard disk
MBR : Master Boot Record (= 1st sector on HD)
PT : Partition Table (= part of the MBR)
DBR : DOS Boot Record (= 1st sector in active partition on HD)
FBR : Floppy Boot Record (= 1st sector on floppy disk)
BR : Boot Record (where the MBR/DBR distinction does not apply)
Outline of the Procedure
------------------------
0. Be sure what you are dealing with: Use several reliable AV scanners
(e.g. F-Prot, AVP, Dr. Solomon's) to identify the problem. Read the
documentation on both the scanner and the virus found.
1. Clean the infected computer (both memory & HD), then check it again
for viruses. Proceed only, if the computer checks out clean.
2. Using the clean computer, check all diskettes (in case of BR virus),
or all executable files (in case of file virus), that possibly were in
contact with the infected computer. Take notes on the viruses found.
In case of multipartite virus, check both diskettes and executables.
3. Clean the diskettes, or executables, found infected, in step 2, then
check them again for viruses.
4. If the virus alters data (beyond infections), then undo these
alterations on every computer found infected in step 1 (or 6, below),
and on all media that possibly were in contact with any of these com-
puters. (A full data recovery may well be impossible, depending on
the nature of the virus, and on the availability of backups).
5. Prevent re-infection.
6. Notify the owners of all computers that possibly were in contact with
the diskettes, or executables, found infected, in step 2. Have them
check these computers for the virus, and perform steps 0 to 5 w.r.t.
any computer found infected.
This general procedure is supposed to recover your systems from any
conceivable virus. The following particular procedures cover most current
viruses but not all; cf. the pre-conditions stated with these procedures.
Ad 1. Removing a Virus from the Memory of a Computer
----------------------------------------------
Note: this procedure is termed "Booting from a Clean Floppy", or "Booting
Clean".
1.1.1 Switch the power off.
1.1.2 Insert a Known Clean Boot Diskette into drive A.
1.1.3 Switch the power on, and enter the BIOS Setup Menu.
(Consult the pertinent user's manual for the specific procedure.
If the computer requires to load the setup menu from a disk, you
may have to tinker with the hardware before you can boot clean.)
1.1.4 In the BIOS Setup Menu, check the specification of drive A, and
correct it if necessary. If the BIOS allows to set up the Boot
Sequence, specify A as the 1st (or only) drive to boot from.
1.1.5 If you are going to remove a MBR infector from your HD, and if the
BIOS allows to set up any Boot-Sector Protection (aka MBR
Protection), then disable such protection.
1.1.6 Store these settings to the CMOS, and leave the Setup Menu;
the computer will now be booted from the diskette in drive A.
Note: A Known Clean Boot Diskette (required in step 1.1.2) is
either a DOS distribution disk from a trustworthy vendor, that has
been write-protected from its very beginning,
or a DOS bootable disk prepared on a computer that has been
booted clean, immediately before the disk was prepared,
and that has been write-protected ever since.
Ad 1. Removing a Virus from a HD, Using an AV Tool
--------------------------------------------
If you have a Rescue Disk for the infected computer from a reliable
integrity checker, you may be able to restore the programs on the HD with
that disk. Refer to the pertinent documentation for the exact procedures,
and for possible limits, or caveats.
If a virus is known to a reliable virus scanner, and the infection is
reversible, you can usually exploit the scanner to remove that virus.
Refer to the pertinent documentation for the exact procedures, and for
possible limits, or caveats.
For BR infectors, this is normally no problem. File infectors, however,
tend to irreversibly change the files: in most cases, the file ends up
with one to 15 random bytes appended, after an attempted disinfection;
this may render the program unusable. Some file infectors even overwrite
large parts of the programs they infect; these, of course, cannot be
disinfected, at all. To be on the safe side, I recommend to replace
infected files with clean copies (cf. infra, sub 3.1) rather than
attempting to disinfect them.
Beware of scanners that do not perform an exact identification of the
viruses found! An attempt to disinfect a virus, without having it
identified beyond any doubt, may do more harm than good.
If these pre-conditions do not hold, you may have to use the generic
methods discussed below.
Ad 1. Removing a MBR Virus from a HD (Generic Method)
-----------------------------------------------
1.2.0 Boot from a clean DOS diskette (cf. supra, sub 1.1), version 5.0 or
later.
1.2.1 Issue the command
FDISK /STATUS
(under DOS 6, choose the pertinent FDISK menu item),
and check the response: it should indicate error-free access to the
HD, and a plausible PT.
1.2.2 If any partition on the HD is DOS formatted, issue the command
DIR C:
(replacing "C" with the drive letter for the DOS partition),
and check the response: it should indicate error-free access to the
HD, and a plausible root directory.
If no partition is DOS formatted, then boot, from a clean diskette,
a suitable operating system, and verify that you can access the
C partition alright. Then repeat step 1.2.0.
Proceed only if steps 1.2.1 and 1.2.2 have convinced you that you can
access the HD without problems, even if you have booted from diskette!
1.2.3 If Steps 1.2.1 and 1.2.2 have checked out alright, enter
FDISK /MBR
This will overwrite the virus in the MBR with standard MBR code.
1.2.4 Re-install any non-standard MBR you may wish to have on your HD
(e.g. particular boot managers).
The checks in steps 1.2.1 and 1.2.2 can fail for various reasons:
- Some MBR viruses, such as Stoned.Empire.Monkey.A, replace the entire
MBR (including the PT which is needed to access the HD partitions), so
both steps 1.2.1 and 1.2.2 will fail. Refer to "Exploiting a Stealth
Virus", below sub 3.4, for a generic method to overcome this problem.
- Some MBR viruses alter the PT, e.g. to introduce a fake boot partition,
so step 1.2.1 will show an unexpected partitioning, but NOT a
conspicuous error message. In this case, the PT has to be reconstructed;
that requires particular knowledge, and tools, hence that case is not
covered by this guideline.
- The HD may have a non-standard (e.g. compressed, or encrypted) boot
partition, so step 1.2.2 will fail (showing just the few files needed
to implement the compression, or encryption) while 1.2.1 will succeed.
Still, step 1.2.3 will mend the situation; however, you must be quite
sure that the PT is correct.
- The HD may have a grossly non-standard MBR (e.g. due to an access
control system, or a boot manager). In this case, by all means, do NOT
use FDISK /MBR: this step may render the whole HD inaccessible (e.g.
when the HD is encrypted to prevent unauthorized access)! Rather, refer
to the documentation pertaining to the non-standard MBR for advice.
Ad 1. Removing a DBR Virus from a HD (Generic Method)
-----------------------------------------------
1.3.0 Boot from a clean DOS diskette (cf. supra, sub 1.1), which has
exactly the same version as in the boot partition of the HD. (If
you use a different version, many DOS programs will refuse to work
after you have cleaned out the virus.)
1.3.1 Issue the command
DIR C:
(replacing "C" with the drive letter for the DOS partition),
and check the response: it should indicate error-free access to the
HD, and a plausible root directory.
1.3.2 If step 1.3.1 checks out alright, then issue the command
SYS C:
(replacing "C" with the drive letter for the boot partition). This
will overwrite the DBR, the two hidden system files (BIOS extension
and DOS), and the command interpreter (COMMAND.COM) with standard
code. Check the response for possible error messages.
Note: For some DOS versions, the documentation does not claim that the
boot record is replaced by the Sys command. Hence, you cannot take
for granted that Sys will indeed overwrite the boot record, in all
DOS versions. So, check with the version you are using.
Ad 1 & 3. Removing a File Virus from any Medium (Generic Method)
------------------------------------------------------
3.1.1 With a reliable virus scanner, delete, or rename, all infected
files. Take notes about the infections found.
3.1.2 Re-install the files from clean master copies, preferably from
the distribution disks that have been write-protected from the
very beginning.
Ad 1 & 3. Removing a Companion Virus from any Medium (Generic Method)
-----------------------------------------------------------
3.2.1 With a reliable virus scanner, delete all copies of the virus.
Take notes about the infections found.
Ad 3. Removing a BR Virus from Diskettes (Generic Method)
---------------------------------------------------
3.3.1 On a clean computer, format a batch of diskettes.
3.3.2 Copy the files from the infected diskettes to the clean diskettes,
by means of the Copy, or Xcopy, command, or with a file copying
utility.
3.3.3 Degauss, or format, the infected diskettes, then use them for any
purpose.
Note: In step 3.3.2, be sure to avoid Diskcopy, and any disk copying
utility: these would copy the FBR containing the virus along with
the files!
Ad 1 & 3. Exploiting a Stealth Virus
--------------------------
Warning: This procedure is intended only as a last resort. It requires
a good knowledge of the virus involved, and of PC, and DOS,
interna.
A stealth virus is one which hides the modifications it has made in the
infected program (be it a file or a BR), usually by monitoring the
system functions used by programs to read files or physical blocks from
storage media, and forging the results of such system functions so that
programs trying to read these areas see the original uninfected form of
the program instead of the actual infected form. This feature can be
exploited to recover from the infection.
3.4.1 Activate the virus:
In case of a BR infector, boot from an infected disk (usually the
HD); in case of a file infector, run an infected program.
3.4.2 Copy the infected programs (which will appear uninfected due to
the stealth virus) to places where they will not become re-infected.
In case of an MBR infector, read the MBR with any utility that
uses BIOS interrupts (almost any one, when you specify physical
sector addresses); in case of a DOS infector, read the DBR from
the boot partition with any utility that uses DOS interrupts
(almost any one, when you specify logical sector numbers). Store
the boot record in a file.
In case of a file infector, simply copy the infected file using
a "non-excutable" extension, e.g.
copy miracle.exe *.999
or into an archive, e.g. using the popular PKZIP utility from a
write-protected floppy disk, as in
a:\pkzip -rp programs *.exe *.com
This will work with most file infectors.
3.4.3 Boot clean (cf. above, sub 1.1).
3.4.4 Copy the program back to its original place, e.g.
copy miracle.999 *.exe
or
a:\pkunzip -do programs
respectively.
Ad 5. Preventing Re-Infection from Boot-Sector Viruses, Using the BIOS
----------------------------------------------------------------
5.1.1 Enter the BIOS Setup Menu. (Consult the pertinent user's manual
for the specific procedure.)
5.1.2 If the BIOS allows to set up the Boot Sequence, specify C as the
1st (or only) drive to boot from. This will prevent you from
inadvertently booting from a floppy disk (which might be infected).
5.1.3 If the BIOS allows to set up any Boot-Sector Protection (aka MBR
Protection), then enable such protection. This will prevent you
from inadvertently altering the MBR, and with some BIOSes, also
the DBR, with BIOS services (hence it will protect you from
most MBR infectors, including droppers; OTOH, this will impede
even legitimate alterations, as attempted by some access control
schemes, and by some boot managers). This will, however, not
prevent direct writes, via hardware instructions, to the boot
sector.
5.1.4 Store these settings to the CMOS, and leave the Setup Menu.
Ad 5. Preventing Re-Infection, Using an AV Tool
-----------------------------------------
No software tool can prevent you from inadvertently booting from a
diskette! Hence, you should use the BIOS (cf. supra), whenever feasible.
However, you can set up many AV tools to check every diskette on first
access, and to report any known boot-sector virus found there (e.g.
Virstop from the F-Prot package). There are also some automatic boot
sector virus removers available (e.g. HS or DiskSecureII). Refer to the
documentation of your AV tool for the specific procedure.
You can also set up many AV tools to check every program at startup, and
prevent execution of any program found infected (and thus further
spreading the virus). Note however that most TSR scanners (the technical
term for this sort of defense) do not even attempt to search for
polymorphic viruses.
In any case, be sure to use only the most recent version of a reliable AV
tool, and to understand its documentation, thoroughly.
From Otto....@uni-konstanz.de Thu Oct 5 10:39:43 1995
~Date: Thu, 17 Aug 95 18:34:36 MEZ
~From: Otto Stolz <Otto....@uni-konstanz.de>
~Subject: AntiEXE Synopsis
Based on tests, conducted in 1993 by Vesselin Bontchev
<bont...@fbihh.informatik.uni-hamburg.de>:
------------------------------------------------------
Boot sector viruses (tested via image files):
CARO           | FindVirus 6.31  | F-Prot 2.08h
---------------+-----------------+-------------
AntiEXE        | like a new boot | AntiExe
Misnomers:
CARO           | F-Prot 2.08h
---------------+---------------------------------
Rm             | Possibly a dropper for AntiExe
Russian_Hook   | AntiExe image file (new variant)
Stoned.Bunny.C | Possibly a dropper for AntiExe
From the IBM Computer Information Center:
-----------------------------------------
NICKNAME        NAME USED BY IBM ANTIVIRUS
AntiEXE         D3
=========================================================================
~Date: June 1995
~From: F-Prot 2.18a Shareware Version
~Subject: Detection of the AntiExe Virus
This is an excerpt of a list of the viruses detected/identified by this
version of F-PROT.
Virus name      Removable?   Identification   Other
------------------------------------------------------------------------------
AntiExe         Yes          Exact            Boot
=========================================================================
~Date: 1993-09-21
~From: CARObase
~Subject: AntiEXE
NAME: AntiEXE
ALIASES: D3
TARGETS: MBR, FBR
RESIDENT: TOP
MEMORY_SIZE: 1K
STORAGE_SIZE: 1S
WHERE: LAST_R (any floppy), AT 0/0/0dH (HARD)
{
The virus calculates the address of the last
sector of a root directory, using data from
BIOS parameter block on a diskette
}
STEALTH: INT 13/AH=02,CX=0001,DH=0 { Hides infected MBR/FBR }
POLYMORPHIC: NONE
ARMOURING: CODE { Remaps INT 13 to INT D3 and uses the latter }
TUNNELLING: BIOS (OTHER - loaded before DOS)
INFECTIVITY: 6 { As Stoned - MBR infector }
OBVIOUSNESS: NONE
COMMONNESS: 2
COMMONNESS_DATE: 1993-09-19
TRANSIENT_DAMAGE: When the virus is active in memory, some (one?) EXE
program(s) are copied/loaded with a very first byte
changed (i.e. 'MZ' sign is corrupted). Thus, such
a program would be treated by DOS as a COM program,
most likely hanging a PC when executed.
T_DAMAGE_TRIGGER: First eight bytes of a sector being read are as
follows:
DB 'M', 'Z', 40H, 00H, 88H, 01H, 37H, 0FH
I.e. the virus hunts for a certain EXE header.
PERMANENT_DAMAGE: NONE
P_DAMAGE_TRIGGER: NONE
SIDE_EFFECTS: As in the case of Stoned, if a floppy being infected
contains many files/subdirectories in its root
directory, several (up to 16) last entries
in the root directory get corrupted.
INFECTION_TRIGGER: Floppies: INT 13/AH=02,CX=00001,DH=0 && DL<=1
{ I.e. it attempts to infect a floppy in
either A: or B: drive when the floppy's
Boot record is being read }
Hard disk: Boot from an infected floppy { As Stoned }
MSG_DISPLAYED: NONE
MSG_NOT_DISPLAYED: 'MZ'
INTERRUPTS_HOOKED: 13/AH=02, 13/AH=F9, D3
SELFREC_IN_MEMORY: NONE { Doesn't need any - MBR/FBR infector }
SELFREC_ON_DISK: PDisk[0/0/1][0-3] == Virus[0-3]
{ Compares first 4 bytes of MBR/FBR to the virus body }
LIMITATIONS: NONE { MS-DOS/PC-DOS }
COMMENTS: The virus hunts for a certain unknown EXE program.
Besides INT 13/AH=02 (Read Sector(s)) BIOS function,
the virus also intercepts INT 13/AH=F9, which is unknown
to me. In the case of AH=F9 the virus simply returns
to the caller.
ANALYSIS_BY: Dmitry O. Gryaznov
DOCUMENTATION_BY: Dmitry O. Gryaznov
ENTRY_DATE: 1993-09-21
LAST_MODIFIED: 1993-09-21
SEE_ALSO:
END:
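The TRANSIENT_DAMAGE and T_DAMAGE_TRIGGER fields above describe a very specific kind of damage: a file whose header matches the eight trigger bytes has its first byte changed, so the 'MZ' signature is gone and DOS treats the image as a COM program. The following is an added example, not part of the CARObase entry or any tool on this page, showing how a recovery tool can recognise that damage from the rest of the header and put the byte back only when the header vouches for it. It assumes that a copy made while the virus was active carries the damaged first byte on disk (Graham Cluley's description of the COPY case suggests this; the sample file is constructed here). Decoding the trigger bytes as an EXE header (e_cblp=0x0040, e_cp=0x0188) gives a load-module size of 200256 bytes, the same figure Bruce Burrell quotes later in this digest.

```python
import struct

# Trigger pattern from the CARObase entry (T_DAMAGE_TRIGGER): the first eight
# bytes of a sector the virus watches for.  Read as a DOS EXE header they are
# 'MZ', e_cblp=0x0040, e_cp=0x0188, e_crlc=0x0F37.
ANTIEXE_TRIGGER = bytes([0x4D, 0x5A, 0x40, 0x00, 0x88, 0x01, 0x37, 0x0F])

SECTOR = 512
MIN_HEADER = 28   # enough of the header (through e_ovno) for the checks below


def mz_fields(data):
    """Decode e_cblp, e_cp, e_crlc, e_cparhdr (offsets 2..9) without looking at byte 0."""
    if len(data) < MIN_HEADER:
        return None
    return struct.unpack_from("<HHHH", data, 2)


def mz_image_size(data):
    """Load-module size implied by the header: e_cp pages of 512 bytes, with
    e_cblp bytes used in the last page (0 meaning the last page is full)."""
    fields = mz_fields(data)
    if fields is None:
        return None
    e_cblp, e_cp, _, _ = fields
    if e_cp == 0:
        return 0
    return (e_cp - 1) * SECTOR + (e_cblp or SECTOR)


def header_is_plausible(data):
    """True when bytes 1..27 are consistent with an EXE header, whatever byte 0 is."""
    fields = mz_fields(data)
    if fields is None or data[1:2] != b"Z":
        return False
    e_cblp, e_cp, _, e_cparhdr = fields
    if e_cp == 0 or e_cblp >= SECTOR or e_cparhdr < 2:
        return False
    size = mz_image_size(data)
    # the header paragraphs must fit inside the load module, and the load
    # module must fit inside the file
    return e_cparhdr * 16 <= size <= len(data)


def classify(data):
    """'mz' = intact EXE, 'mz-corrupted' = EXE whose first byte was overwritten
    (the damage the CARObase entry describes), 'other' = anything else."""
    if data[:2] in (b"MZ", b"ZM"):          # DOS accepts either spelling
        return "mz"
    if header_is_plausible(data):
        return "mz-corrupted"
    return "other"


def is_antiexe_target(data):
    """Does this image start with the eight trigger bytes?"""
    return data[:8] == ANTIEXE_TRIGGER


def repair_mz_signature(data):
    """Put the 'M' back when, and only when, the rest of the header vouches for it."""
    if classify(data) != "mz-corrupted":
        return data
    return b"M" + data[1:]


def make_sample_exe():
    """Constructed sample: an EXE image carrying the trigger bytes in its header.
    The header-implied size works out to 200256 bytes."""
    e_cparhdr = struct.pack("<H", 0x20)      # 32 paragraphs = 512-byte header
    header = (ANTIEXE_TRIGGER + e_cparhdr).ljust(0x20 * 16, b"\0")
    return header + bytes(mz_image_size(header) - len(header))


if __name__ == "__main__":
    good = make_sample_exe()
    damaged = b"\x00" + good[1:]             # the first-byte damage described above
    print(classify(good), is_antiexe_target(good), mz_image_size(good))
    print(classify(damaged), repair_mz_signature(damaged) == good)
```

The check is deliberately conservative: a file is only reported (and repaired) as a damaged EXE when byte 1 is still 'Z' and the page counts, header size and file length agree, so a genuine COM program that happens to start with a 'Z' in its second byte is not rewritten.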
=========================================================================
~Date: Wed, 01 Dec 93 10:57:31 -0500
~From: bont...@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
~Subject: Re: 'D3' virus (PC).
P.L...@mail.nerc-swindon.ac.uk (P.L...@mail.nerc-swindon.ac.uk) writes:
> Does anyone have any information on what S&S [Alan Solomon]
> describe as the 'D3' virus?
Yes, somebody does. :-)
> Its a boot-sector infector that apparently has no payload
> and is not stealthed. It hooks int13.
It is a MBR infector, does have a payload, is stealth, and hooks
interrupts 13h and 0D3h.
> Any additional info on its behaviour , or what its
> called by others, would be of interest.
Standard CARO name of this virus is AntiEXE. F-Prot calls it AntiExe.
SCAN calls it "NewBug [Genb]". Here is a CARObase entry for this
virus. For a description of the CARObase format (although a slightly
obsolete version) and explanation of the meanings of the different
field and entries, see
ftp.informatik.uni-hamburg.de:/pub/virus/texts/carobase/carobase.zip
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bont...@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany
=========================================================================
~Date: Mon, 17 Oct 94 14:41:25 +0400
~From: Oleg Nickolaevitch Kazatski <kaza...@kartaly.chel.su>
~Subject: Re: ANTI-EXE What does it Do. (PC)
ken...@vt.edu (David C Kennedy) writes:
> Does anyone out there know what Anti-Exe corrupts. Norton 8 says it
> corrupts specific unknown exe files.
F-Prot
------
Name: AntiExe*
Alias: D3
Type: Boot MBR
AntiExe is a simple boot sector virus, infecting floppy boot
records and hard disk master boot records. The virus is very
small, it is not encrypted, and does not have any stealth
capability or activation routine.
The virus will only infect hard drives when an attempt to
boot from an infected diskette is made. Once the virus has
infected the hard drive, all non-protected floppies used
in the machine will be infected.
The only special thing about the AntiExe virus is that it
redirects the BIOS disk interrupt 13h to unused interrupt
D3h - this way the virus can bypass some behaviour blocker
programs.
[Analysis by Mikko Hyppönen / Data Fellows Ltd]
=========================================================================
~Date: Wed, 25 Jan 1995, 19:44 +0100 (MEZ)
~From: Otto Stolz <Otto....@uni-konstanz.de>
~Subject: AntiEXE Memo (German)
I have written a memo, 7 pages in German, on the AntiEXE virus,
comprising features, and removal, of the virus.
It is available for the asking. If you can print Postscript files, or
process Word 5.0 files, give a valid E-mail address; you will also need
XXDECODE to read the files. If you cannot use any of these file formats,
give a valid postal address, or a fax number.
=========================================================================
~Date: Mon, 30 Jan 95 11:48:35 -0500
~From: swid...@rl.ac.uk (S Widlake)
~Subject: Re: AntiEXE virus (PC)
bhi...@halcyon.com (Bill Hinsee) writes:
>My office has had numerous run-ins with a virus called AntiEXE (the
>name given by mcafee's virusscan). Does anybody know what exactly this
>virus does? All I've seen it do is slow the pc's down considerably.
Ah, a question about the AntiEXE virus, just what I was waiting for...
I'm a bit surprised that McAfee's SCAN recognises it as "AntiEXE" -
you must be using version 2.x.x - all versions 1xx identify it as
"NewBug [genp] or [genb]" ie. they didn't identify it at all.
AntiEXE, as recognised Fridrik Skulason's F-Prot package and also
Dr. Solomon's Anti-Virus ToolKit FINDVIRU program, is a pretty
trivial Master Boot Record / Boot Sector virus - it just spreads
(copies itself) it doesn't DO much anything else.
This is the AntiEXE info. taken from F-Prot Version 2.16...
There are a few tiny errors that I'll point out along the way.
Name: AntiExe
Alias: D3, NewBug, CMOS4
Origin: Russia
Type: Resident Boot MBR
Solomon's used to call it D3 I've forgotten why.
AntiExe is a boot sector virus, infecting floppy boot records
and hard disk master boot records. The virus is not encrypted.
The virus will only infect hard drives when an attempt to
boot from an infected diskette is made. Once the virus has
infected the hard drive, all non-protected floppies used
in the machine will be infected.
ie. Not too easy to catch but spreads itself very effectively
AntiExe is one of the few viruses which overwrite the MBR
without saving a copy of it somewhere else on the hard disk. The
virus is based on a normal DOS MBR code, and contains all the
functionality of it.
Wrong - You'll find your good unencrypted MBR in Sector 13
(That's Cylinder 0 - Head 0 - Sector 13)
If the virus founds that more than one partition has the active
partition mark set, the virus will try display a message and then
enter an infinite loop. The code to display the message does not
work as intended, and displays garbage. The text is encrypted,
and cannot be decrypted because of the bug.
If the virus FINDS that more than one partition has the active
partition mark set... then there's something really wrong with
the partition table and the drive will be unbootable - You see
you "can't have" more than ONE "active" partition.
If a system is booted from an infected diskette, the computer
will automatically boot up from the hard disk instead of
displaying the usual 'Non-system disk' error.
Wrong - 100% wrong. Exactly the opposite will occur - the usual
"Non-system disk" error will be displayed - you get the "usual"
"Bzzzt. You're trying to boot a data disk, try again" response.
AntiExe is a stealth virus; when active it will present the
original MBR and diskette boot sectors when inspected. It also
blocks any writes to the MBR and diskette boot sectors by
converting the write operation to a 'reset disk' operation.
I haven't checked this... it might even be true...
One special thing about the AntiExe virus is that it redirects
the BIOS disk interrupt 13h to unused interrupt D3h - this way
the virus can bypass some behaviour blocker programs.
Ah, that's why - D3 - I remember now.
If Ctrl-Break is pressed while the virus is doing disk-access,
the virus enters it's destructive phase. At this time it overwrites
the first 8 sectors of every head starting from sector 4, head 0.
Nope, never once observed nor ever even heard of anything like this.
AntiEXE targets an unknown EXE file, sized 200256 bytes. Whenever
this specific EXE file is accessed, the virus corrupts it's
contents.
This may well be true. Why else would it be called "AntiEXE".
[Analysis by Mikko Hypponen/Data Fellows Ltd & Jeremy Gumbley/Symbolic]
Now you've read this you probably think I'm on some sort of "crusade"
against F-Prot. Well let me state that I'm NOT - I think F-Prot is
one of the very best anti-virus packages out there (far, far better
than junk like MSAV & CPAV) and would recommend it to everyone with
a PC - I AM on a "crusade" against this damned AntiEXE virus. One
of "our dear users" first caught this virus, oh, about 10 months ago
and it keeps on coming back! Can I get them to check ALL of their
floppies ??? Of course not - they're just not bothered... Anyway, I
haven't seen this virus so far this year...
FYI - Data Fellows & Frisk "know" about this little error which first
came about in version 2.15 (2.14 was OKay) but is still wrong in the
new (read current) version 2.16 - I'd posted to a different group ;-)
HEY FRISK - fix the ANTIEXE info. screen - someone has "broken" it.
Once again, I'll say that Frisk's F-Prot package is one of the very
best, it's just that passing around bad virus info. is not good ;-(
What do I use - Dr. Solomon's Anti-Virus ToolKit - it's the Dog's B...
S.
=========================================================================
~Date: Wed, 08 Feb 95 12:30:58 -0500
~From: Mikko Hypponen <Mikko.H...@datafellows.fi>
~Subject: Re: AntiEXE virus (PC)
S Widlake (swid...@rl.ac.uk) wrote:
> This is the AntiEXE info. taken from F-Prot Version 2.16...
> There are a few tiny errors that I'll point out along the way.
Thanks for pointing this out again - the virus description that
you were referring to was (due to an error) describing another
virus, and not the common AntiExe virus.
> FYI - Data Fellows & Frisk "know" about this little error which first
> came about in version 2.15
.
> HEY FRISK - fix the ANTIEXE info. screen - someone has "broken" it.
This was actually corrected already some time ago, but the corrected
description was never included in the shareware version of F-PROT.
It will be included in the next version.
- --
Mikko Hermanni Hyppönen // mikko.h...@datafellows.fi
Data Fellows Ltd's F-PROT Professional Support: f-p...@datafellows.fi
Computer virus information available via WWW; http://www.datafellows.fi
=========================================================================
~Date: Thu, 16 Feb 95 14:36:16 -0500
~From: sbri...@netcom.com (Mike)
~Subject: Re: ANTIEXE Virus (PC)
MR HENRI J DELGER (XWW...@prodigy.com) wrote:
: AntiExe is a stealth virus, blocking attempts to write to the first sector
: of disks if in memory, thus preventing its code from being overwritten. It
: also is a dangerous virus: if the user hits Ctrl + Break while the virus is
: in RAM, attempting to access a disk, AntiExe will start overwriting disk
: sectors.
actually, I failed to find the CTRL-BREAK code in the virus.... I did find
that it scans the first 8 or so bytes of any sector read/written to for a
specific exe header, trashing the 9th byte if found.
Cheers,
Mike
=========================================================================
~Date: Wed, 12 Jul 95 06:23:41 -0400
~From: gcl...@sands.co.uk
~Subject: Re: RE: New Bug virus - also called ANTIEXE (?) (PC)
JLI...@ccmail.turner.com (Jack Linder) writes:
> I'm trying to find out more about the New Bug virus. I'm told it is
> similar (a derivative?) to the ANTIEXE virus.
Hi Jack
NewBug and AntiExe are two names for the *same* virus.
AntiExe (Aliases include D3, NewBug)
Type: Memory-resident boot and partition sector virus.
Affects: Floppy and hard disks. Some EXE files.
File Growth: N/A
Removal: Dr Solomon's Anti-Virus Toolkit - Method 3.
Description: This boot and partition sector virus infects hard disks
when booted from an infected floppy. Diskettes are infected on read
access (e.g. DIR command)
When a certain (unknown yet) EXE file is being executed or read from
a disk (e.g. COPY command) the virus patches first byte of the
in-memory file image thus causing unpredictable errors (in most cases
computer just hangs).
Variants: There are two slightly different variants of the virus.
Regards
Graham
- ---
Graham Cluley Email: gcl...@sands.co.uk
Senior Technology Consultant, CompuServe Tech Support: GO DRSOLOMON
Dr Solomon's Anti-Virus Toolkit UK Support: sup...@sands.co.uk
S&S International plc, UK USA Tel: +1 617 273 7400
UK Tel: +44 (0)1296 318700 USA Support: 10044...@compuserve.com
From fr...@complex.is Thu Oct 5 10:39:58 1995
~Date: Thu, 9 Jun 94 10:23:02 WET
~From: Fridrik Skulason <fr...@complex.is>
~Subject: Frisk's Technical Notes
> Frisk -- Could I get a copy of -all- your technical notes?
I have removed some of them...they were outdated...here are the current ones:
============================================================================
Frisk Software International - Technical note #8
Generic boot sector disinfection
Although F-PROT is usually up-to-date with respect to virus detection and
disinfection, there are occasional cases of a virus infecting a machine
before we have implemented disinfection of that particular virus.
The instructions below describe a "generic" method for the removal of boot
sector viruses.
If the virus infects the Master (Partition) boot sector.
Create a bootable system diskette on a different (clean) machine, that
is running DOS 5 or 6, with the FORMAT /S or "SYS" commands. You cannot
use DOS 4 or older for this purpose.
Copy the file FDISK.EXE to that diskette and write-protect it.
Boot the infected machine with this diskette - do not rely on just
pressing Ctrl-Alt-Del...press the Reset button or turn the machine off
and then back on.
Check if you are able to access all partitions on the hard disk normally.
If they are not recognized, it might be because the virus encrypts the
partition data or overwrites it....in this case the generic disinfection
method described below is not possible. One method which will often work
is to wipe out the MBR with a disk editor, and then run NDD and tell it
to recover the lost partitions. My favourite tool for this purpose is NDD
version 4.5. However, you should make a backup copy of the (infected)
MBR first - if you don't know how to do that, you probably should not
be fiddling with the MBR anyhow.
If everything seems to be OK, give the command FDISK /MBR. This will
overwrite the code part of the MBR - in effect "killing" the virus.
(note: if you are using Novell DOS 7.0, you need to select this option
from the menu, not give a command-line switch).
Reboot the machine normally from the hard disk.
If the virus infects the DOS boot sector:
Create a bootable system diskette on a different (clean) machine, that
is running exactly the same version of DOS as the infected machine.
COPY the SYS.COM file from the DOS directory to the diskette and
write-protect it.
Boot from the diskette and give the command SYS C:
In addition to copying the system files over (which is not necessary to
remove the virus), this will overwrite the DOS boot sector with "clean"
code, killing the virus.
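Two details in this digest fit together here: FDISK /MBR rewrites only the code part of the master boot record (the partition table and boot signature stay as they are on disk), and S Widlake and Padgett Peterson both report that AntiEXE parks the original MBR at cylinder 0, head 0, sector 13. The following is an added example, not from F-PROT or any other tool on this page, of what an examiner can do with a raw disk image before deciding on the generic method: parse the partition table, count active entries (more than one is invalid, as the thread notes), and compare the live MBR with the sector at 0/0/13. The geometry (16 heads, 63 sectors per track), the loader stand-in strings and the 16-sector image are all constructed for the example.

```python
import struct

SECTOR = 512
PT_OFFSET = 446       # partition table: four 16-byte entries
SIG_OFFSET = 510      # 55 AA boot signature
CODE_LEN = PT_OFFSET  # the part of the MBR that FDISK /MBR rewrites


def chs_to_lba(cyl, head, sector, heads, spt):
    """Translate a BIOS cylinder/head/sector triple (sectors count from 1) into
    a 0-based linear sector number for a disk with `heads` heads and `spt`
    sectors per track."""
    return (cyl * heads + head) * spt + (sector - 1)


def partition_entries(mbr):
    """Return [(active, type, start_lba, size_sectors)] for the four table slots."""
    out = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        start, size = struct.unpack_from("<II", mbr, off + 8)
        out.append((status == 0x80, ptype, start, size))
    return out


def has_boot_signature(sector):
    return sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA"


def active_count(mbr):
    """More than one active entry makes the table invalid."""
    return sum(1 for active, *_ in partition_entries(mbr) if active)


def analyse(image, heads=16, spt=63):
    """Compare the live MBR with the sector at CHS 0/0/13, where the thread
    says the original MBR is kept."""
    mbr = image[:SECTOR]
    lba = chs_to_lba(0, 0, 13, heads, spt)
    saved = image[lba * SECTOR:(lba + 1) * SECTOR]
    return {
        "mbr_signature": has_boot_signature(mbr),
        "active_partitions": active_count(mbr),
        "saved_lba": lba,
        "saved_has_signature": has_boot_signature(saved),
        "saved_table_matches": saved[PT_OFFSET:SIG_OFFSET] == mbr[PT_OFFSET:SIG_OFFSET],
        "code_differs": saved[:CODE_LEN] != mbr[:CODE_LEN],
    }


def rewrite_code_part(mbr, clean_code):
    """What FDISK /MBR does in effect: replace bytes 0..445 and keep the
    partition table and signature that are already on the disk."""
    return clean_code[:CODE_LEN].ljust(CODE_LEN, b"\0") + mbr[PT_OFFSET:]


def make_mbr(code, entries):
    """Constructed helper: build a 512-byte MBR from code bytes and
    (active, type, start_lba, size) tuples."""
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    for i, (active, ptype, start, size) in enumerate(entries):
        off = PT_OFFSET + 16 * i
        sector[off] = 0x80 if active else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, start, size)
    sector[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


# Constructed stand-ins; neither is real loader code.
CLEAN_CODE = b"[constructed stand-in for the DOS MBR loader]"
OTHER_CODE = b"[constructed stand-in for replaced loader code]"
TABLE = [(True, 0x06, 63, 20000)]   # one active FAT16 partition


def make_sample_image(heads=16, spt=63):
    """Constructed 16-sector image: a modified sector 1, and the clean MBR
    parked at 0/0/13 with the same partition table."""
    image = bytearray(SECTOR * 16)
    image[:SECTOR] = make_mbr(OTHER_CODE, TABLE)
    lba = chs_to_lba(0, 0, 13, heads, spt)
    image[lba * SECTOR:(lba + 1) * SECTOR] = make_mbr(CLEAN_CODE, TABLE)
    return bytes(image)


if __name__ == "__main__":
    img = make_sample_image()
    for key, value in analyse(img).items():
        print(f"{key:22} {value}")
```

If the saved sector carries a boot signature and the same partition table as the live MBR, the examiner has a candidate original to restore; if the tables differ, the generic FDISK /MBR route (rewrite the code, keep the table) is the safer one, and a copy of the live MBR should be kept first, as the note above advises.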
============================================================================
Frisk Software International - Technical note #1
Cross-linked files
"Cross-linked files" usually means that there is an internal inconsistency
in the allocation of clusters ... two files appear to "own" the same cluster.
This can happen in two different ways:
Every file has a "starting cluster" field in its directory entry...if two
files appear to have the same starting cluster, or if the "starting
cluster" of one file has already been allocated to another file, you get
the files reported as cross-linked.
The FAT (File Allocation Table) basically contains a linked list of
clusters allocated to each file....each cluster has one (12 or 16 bit)
entry in the FAT, and the entry may indicate that the cluster is unused,
bad (at least one sector in the cluster has read/write errors), the
last cluster of a file or (and most important) the next cluster allocated
to the file....and allocating the same cluster twice gives you
cross-linked files.
In some cases the "cross-linking" is simply caused by FAT corruption. For
example if the FAT is overwritten with garbage, one could easily expect files
to be randomly cross linked. In this case, practically no program will
load or work properly - with the exception of those that fit in one cluster,
typically 8192 bytes, but can be smaller (down to 512 bytes) or bigger (32768
bytes for example) ... the cluster size depends on the size of the hard disk,
but the lower limit is determined by the fact that each DOS partition can only
have 64K clusters.
To determine if the FAT is totally corrupted, look at it with a disk editor
(my personal recommendation - version 4.5 of the Norton Utilities) It should
(in FAT view mode) appear as lists of increasing numbers, with <EOF>s and 0s
in between.
If both copies of the FAT are indeed corrupted, the fastest way to recover
is to reformat and restore the last complete backup. If no backup is
available, it might be possible to wipe the FAT, and re-build it from scratch.
Possible, but not easy.
Usually, however, the damage to the FAT is not extensive, maybe just a single
pair of files that is cross-linked.
In this case, it is most likely that one of the files is corrupted, but the
other one is OK. If you can verify that this is the case, do the following:
Copy the file that is OK to a different file or directory, delete both
of the cross-linked files, and copy the file back. The other file will have
to be restored from a backup.
Now, why do cross-linked files appear ?
There are several reasons - but the primary reason is of course that MS-DOS
is not a decent operating system. If a flaky program overwrites a random
location in memory, and this random location just happens to be in the middle
of a disk buffer that contains a part of the FAT that is about to be written
to the disk, you get FAT corruption and possibly cross-linked files.
Also, if a program crashes after an updated directory has been written to disk,
but before the updated FAT has been written, you may get cross-linking
later on. This is why it is a good idea to run CHKDSK after every crash.
Viruses can cause cross-linking, but that happens very rarely. It is a common
mis-conception that cross-linking is somehow associated with viruses, but
this is simply not true. Unfortunately the VSUM hypertext program indicates
in many cases that various viruses cause cross-linking of files, but that is
quite simply incorrect.
There are a few malicious viruses (and Trojans) that corrupt the FAT, but there
is also a much more non-obvious method of a virus indirectly causing
cross-linking of files.
If a computer is infected with a full-stealth virus, such as Frodo, and the
user runs CHKDSK /F while the virus is active, CHKDSK may detect a mismatch in
the file allocation sizes - the number of clusters allocated to an infected
file might be larger than the number it would seem to require, considering
the size of the file. This is, however, caused by the fact that the virus
subtracts its own size from the real file size. If CHKDSK /F is allowed
to "fix" this, it will mark the extra clusters as "free", and they may later
be used by another file, causing cross-linking and various other problems.
Note that in this case, the damage is not really done by the virus, but rather
by CHKDSK. One rule, therefore, should be to run a virus scanner...our own
F-PROT recommended, of course :-)...before running CHKDSK.
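The note above describes two distinct FAT symptoms: a cluster that appears in the chains of two files (cross-linking), and a file whose chain is longer than its directory size field requires (the allocation mismatch that CHKDSK /F "fixes", and that a full-stealth virus produces by subtracting its own size from the reported file size). The following is an added example, not code from F-PROT or from this note's author, that walks FAT16 chains and reports both conditions on a constructed 16-entry table with 8192-byte clusters. The file names, sizes and chain layout are all constructed for the example.

```python
FAT16_EOF_MIN = 0xFFF8   # any value >= 0xFFF8 terminates a chain
FAT16_BAD = 0xFFF7
FAT16_FREE = 0x0000


def walk_chain(fat, start):
    """Follow a FAT16 chain from `start`.  Returns (clusters, how_it_ended),
    where how_it_ended is 'eof', 'free', 'bad', 'loop' or 'range'.  Anything
    other than 'eof' is itself a sign of FAT corruption."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):
            return chain, "range"
        if cur in seen:
            return chain, "loop"
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOF_MIN:
            return chain, "eof"
        if nxt == FAT16_FREE:
            return chain, "free"
        if nxt == FAT16_BAD:
            return chain, "bad"
        cur = nxt


def find_cross_links(fat, files):
    """files maps name -> (start_cluster, size_in_bytes).  Returns
    {cluster: [owners]} for every cluster claimed by more than one file."""
    owners = {}
    for name, (start, _size) in files.items():
        chain, _ = walk_chain(fat, start)
        for cluster in chain:
            owners.setdefault(cluster, []).append(name)
    return {c: names for c, names in owners.items() if len(names) > 1}


def allocation_mismatches(fat, files, cluster_bytes):
    """Files whose chain length disagrees with the directory size field,
    i.e. what CHKDSK reports as an allocation error.
    Returns {name: (clusters_allocated, clusters_needed)}."""
    out = {}
    for name, (start, size) in files.items():
        chain, _ = walk_chain(fat, start)
        needed = (size + cluster_bytes - 1) // cluster_bytes
        if len(chain) != needed:
            out[name] = (len(chain), needed)
    return out


def make_sample():
    """Constructed 16-entry FAT16 with three files (8192-byte clusters):
      A: 2 -> 3 -> 4 -> EOF                          (healthy)
      B: 5 -> 6 -> 4 ...  shares cluster 4 with A    (cross-linked)
      C: 8 -> 9 -> EOF, but its directory entry says 5000 bytes, the way a
         stealth virus that subtracts its own size from the reported file
         size would leave it; CHKDSK /F would 'free' cluster 9
    Entries 0 and 1 are the reserved media-descriptor entries."""
    fat = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 6, 4, 0, 9, 0xFFFF, 0, 0, 0, 0, 0, 0]
    files = {"A": (2, 20000), "B": (5, 24000), "C": (8, 5000)}
    return fat, files, 8192


if __name__ == "__main__":
    fat, files, cluster_bytes = make_sample()
    print("cross-linked:", find_cross_links(fat, files))
    print("allocation mismatches:", allocation_mismatches(fat, files, cluster_bytes))
```

Running it on the sample reports cluster 4 as owned by both A and B, and C as holding 2 clusters where its size field needs only 1. The second finding is the one the note warns about: on an infected machine the size field is what the stealth virus shows, so "repairing" the mismatch frees a cluster the file really uses, which is why a scan should come before CHKDSK /F.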
============================================================================
Frisk Software International - Technical note #9
The ExeBug problem
The ExeBug virus is particularly difficult to disinfect in some cases, because
of a trick it plays with the CMOS. What the virus does is to change the CMOS
to indicate that the machine does not have a floppy drive. Then, before
every floppy access it toggles the relevant bits.
This means that if you turn the machine off, and back on, it will probably
be in the state where it does not appear to have any floppy drives.
On some machines, this means that the computer will then boot from the hard
disk, loading the virus, which will then load the boot sector from the floppy
drive and execute that.
The result is that booting the machine from a "clean" diskette is quite
difficult - the virus automatically becomes active.
The solution is as follows:
Enter setup mode (either by running a SETUP program, or by pressing
the relevant keys during boot-up...depending on the system).
The CMOS will probably show that no floppies are present. Fix that,
save the changes, and turn the machine off.
Turn it back on, boot from a "clean" diskette, and verify that the CMOS
information is correct.
If the virus is a known ExeBug variant, you can now use F-PROT /HARD /DISINF
to remove it. You may not be able to access the partitions on the hard
disk - that is normal - they will re-appear the next time you boot the machine.
If this is a new ExeBug variant, which cannot be removed with F-PROT, we
would of course appreciate a sample, but in order to remove it you should
be able to use the Norton Disk Doctor.
============================================================================
Frisk Software International - Technical note #3
Recovery from Michelangelo
When the Michelangelo virus activates, it overwrites the first 9 sectors
on heads 0-3 on every track of the hard disk. Recovery from this may or
may not be possible, depending on two factors.
Time: If the virus was allowed to run without interruption when it
activated, it will have overwritten data on every track, making
recovery much more complicated than if the user hit reset or the
power-off within seconds of the activation of the virus,
Size of the disk: As the virus only overwrites 9 sectors, disks with a
large number of sectors on every track - 32 sectors maybe, will
have a large part of their data intact. Also, a disk might have
(or rather, appear to have, from the BIOS' point of view) a large
number of heads...maybe 64, and as described before, the virus will
only destroy data on the first 4 heads.
The fastest method to recover would probably be to re-partition the disk,
re-format and restore yesterday's backup. However, as the users who make
backups every day may not be the ones who are most likely to be hit by the
virus, we will assume that no backups exist.
We will also assume that the person trying to restore the data is thoroughly
familiar with partition layouts, disk editors and other similar tools. In
my personal opinion, the best tool for doing this by hand is NU, version 4.5,
rather than versions 5 and later.
If not - don't try this....send the disk to some professional data recovery
service.
Finally, we will assume this is a "normal" disk - not a "fancy" one like a
HPFS/Stacker/Doublespace volume.
The virus will always have trashed the MBR - head 0, track 0, sector 1, which
needs to be rebuilt - usually by hand, but if one restores the rest first,
a program like NDD should be able to reconstruct it.
The first step is to "map" the disk, and determine the extent of the damage.
As DOS keeps two copies of the FAT, there is a chance that the second one is
intact, but the virus usually trashes the first one. Locate the second one
(If you don't know what an intact FAT looks like, you probably should not be
doing this anyhow), and if it is OK, just copy it over the first one.
Examine the root directory - if it is OK, fine...if not, then you need to
re-build it by locating other directories on the disk, noting their
starting cluster and re-creating the root directory
You need to re-construct the DOS boot sector too. The best way (assuming you
don't have a backup of it) is to copy it from a different machine with
identical partitioning, but it can also be re-built manually, or in some
cases reconstructed by NDD....however, then you would have to reconstruct the
MBR first...
In other words: Recovering from Michelangelo is not easy, but an attack does
not have to be a complete disaster.
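The "map the disk" step above depends on the two factors the note lists: how many heads and sectors per track the BIOS geometry shows, since only the first 9 sectors of heads 0-3 on each track are overwritten. The following is an added example, not from F-PROT or this note's author, that turns a stated geometry into the linear sector ranges that were hit, the fraction of the disk destroyed, and the FAT cluster numbers that overlap the damage once the partition's data area start and cluster size are known. The geometries and partition layout used are constructed; the 9-sector, 4-head damage pattern is the one the note describes.

```python
# Damage pattern from the note: the first 9 sectors of heads 0..3 on every
# track (cylinder) of the disk, addressed by the BIOS geometry.
HIT_HEADS = 4
HIT_SECTORS = 9


def damaged_lba_ranges(cylinders, heads, spt):
    """0-based linear sector ranges [start, end) that the activation
    overwrites.  Disks with fewer than 4 heads or 9 sectors per track lose
    correspondingly less per cylinder."""
    ranges = []
    for cyl in range(cylinders):
        for head in range(min(HIT_HEADS, heads)):
            start = (cyl * heads + head) * spt
            ranges.append((start, start + min(HIT_SECTORS, spt)))
    return ranges


def fraction_destroyed(cylinders, heads, spt):
    """Share of all sectors overwritten, for a disk that ran to completion."""
    hit = sum(end - start for start, end in damaged_lba_ranges(cylinders, heads, spt))
    return hit / (cylinders * heads * spt)


def clusters_hit(cylinders, heads, spt, data_start_lba, sectors_per_cluster):
    """FAT cluster numbers (2-based, as the FAT counts them) whose sectors
    overlap a destroyed range, given the linear sector where the partition's
    data area begins."""
    hit = set()
    for start, end in damaged_lba_ranges(cylinders, heads, spt):
        for lba in range(max(start, data_start_lba), end):
            hit.add(2 + (lba - data_start_lba) // sectors_per_cluster)
    return hit


if __name__ == "__main__":
    # Constructed geometries: a small old disk and a large-geometry one.
    for heads, spt in ((16, 32), (64, 32)):
        print(heads, "heads,", spt, "spt: destroyed",
              f"{fraction_destroyed(100, heads, spt):.2%}")
    # Constructed partition: data area at sector 64, 4 sectors per cluster.
    print("clusters hit on cylinder 0:", sorted(clusters_hit(1, 16, 63, 64, 4)))
```

Every listed range on cylinder 0, head 0 starts at sector 0, which is the MBR the note says is always trashed; the cluster set is what an examiner would cross-check against the surviving FAT copy to decide which files must come from backup rather than from the disk.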
============================================================================
Frisk Software International - Technical note #7
Monkey virus removal
The problem with removing the monkey virus is that it changes the data part
of the partition sector.
This means that if you attempt to remove it after booting from the hard disk,
the virus is active and able to hide by using stealth techniques.
If you boot from a diskette, the partition data is invalid, and all the
drives on the hard disk seem to be gone.
What you need to do is:
1) Boot from a clean diskette
2) Run F-PROT /HARD /DISINF (not F-PROT C:)
3) Disinfect
4) Reboot the machine - the hard disk should re-appear, and the machine
should be clean.
============================================================================
Frisk Software International - Technical note #2
Destroyed by Vienna ?
F-PROT may sometimes report that a program has been destroyed by Vienna,
when this is in fact not the case.
The program in question is typically 5 bytes long, named REBOOT.COM and
if disassembled, it contains a single instruction, a "far JMP" into ROM,
for the purpose of rebooting the computer.
Some variants of Vienna may destroy .COM files by writing exactly the same
instruction to the beginning of those programs, which makes it impossible to
properly distinguish between a destroyed program and one which has the
purpose of rebooting the machine.
We decided, however, not to change the current behaviour of F-PROT, as we
consider this reboot method unsafe, and under some circumstances capable of
causing more damage than most viruses. One possible problem is with disk
write caching software, which may for example intercept Ctrl-Alt-Del
properly, but may miss this jump into ROM...causing loss of data that had
not been written to a disk.
If you have a reboot program that F-PROT reports as destroyed by Vienna, we
recommend that you get rid of it, and use a "safe" reboot program instead.
From pad...@tccslr.dnet.mmc.com Thu Oct 5 10:41:25 1995
~Date: Sun, 23 Jul 95 10:59:42 -0400
~From: "A. Padgett Peterson" <pad...@tccslr.dnet.mmc.com>
~Subject: RE: AntiExe descriptions & actions ???
Mike Ramey wrote:
> After removal (and before installing DiskSecure-2.42 on the laptop),
>I re-infected the laptop from a diskette that was infected by the laptop;
>this re-infection did NOT display the 'persistence' after a clean boot
>that the original infection showed. Also, infection from this diskette
>on the Gateway computers in the lab did NOT resist automatic correction
>by DiskSecure, the way the original infection did. [Padgett -- you will
>probably not see the 'persistence' or 'DS2-resistance' in the copy I sent
>you.]
Correct.
> With the AMI-BIOS "Boot Sector Protection" = ENABLED, we got a
>warning message during the virus re-infection; when we said "No" -- do not
>continue, F-PROT did not find an infection (if we said "Yes", F-PROT said
>the machine was infected). But, here's the rub: After cleaning the
>machine and installing DiskSecure-2.42, we then repeated the re-infection
>process and said "No" to the AMI-BIOS warning message, BUT DiskSecure
>immediately detected an error (Sector 5 mismatch?) and then did its own
>recovery successfully. So, DiskSecure detected a boot-record corruption
>that was *not* prevented by the AMI-BIOS "Boot Sector Protection"
>warning. I wonder what that means.
It means that the AMI-BIOS "BSP" only protects the first sector. The virus
failed to change 0,0,1 but succeeded in changing 0,0,D. This is what DS2
detected/fixed.
This also means that any system using more than the first "hidden sector"
(such as the OnTrack mechanism for handling large disks - over 528 Mb -
or the extended sectors used by DR-DOS) could be corrupted.
If I ever get around to DS3, it will include such protection of all hidden
sectors.
> I am confused! Does this virus have multiple forms? Does it infect
>the MBR and/or the DBR? Is it possible the laptop was infected when it
>was purchased?
All I can say is that this virus does not account for all of the original
symptoms (Mikko is right though - it does use a limited form of "stealth").
It is entirely contained in the {M/F}BR and does not affect the CMOS. It
does provide for self-identification (Int 13 Fn F9) that is never used.
P.fla
=end=
--
-Mike Ramey 685-0940 FAX:685-3836 Wilcox-171 Box:35-2700 UofW 98195
From: b...@stimpy.us.itd.umich.edu (Bruce Burrell)
Date: 8 Oct 1995 02:59:35 GMT
Newsgroups: alt.comp.virus
Subject: Re: ANTIEXE ??????
scott (sc...@fox.nstn.ca) wrote:
> I was wondering if any one knows anything about the ANTIEXE <sort of
> virus>. One of us here think, (so he says) that it comes with windows 95.
> What I want to know is what it really is , and what does it do? Norton
> and McAfee ID it as a virus
AntiEXE is indeed a virus, but it is not a part of Win95. Some here
would argue that any Windows product is a virus, but I digress...
What it does is spread; it has no "payload" except to corrupt at
random a .EXE file. Nobody seems to know exactly what program it is,
although its length is probably 200256 bytes (if memory serves).
AntiEXE is a Boot Sector Infector (BSV); it infects hard drives by
being on an infected floppy in the A: drive when the computer is
(re)booted. Note that DOS need not be on the diskette for the infection
to succeed.
From that point onward, AntiEXE will attempt to infect any uninfected
floppy in the A: or B: drive whenever the diskette is read. If the
diskette is write protected or already infected, of course, no infection
occurs.
AntiEXE should cause no damage to the data of contemporary hard
drives; ones formatted under DOS 2.x may get trashed. Files and
subdirectories on floppies may disappear, but the data remains available
to data recovery tools.
Since Win95 uses a special format in order to fit more data on
diskette, AntiEXE and other viruses may corrupt these disks because they
make incorrect assumptions about the safety of using a particular place
on the diskette for auxiliary storage. A sector that is usually an unused
part of the root directory on a regular disk will actually hold data on
the Win95 disks (disk #2 in particular), so the virus will trash the
installation procedure.
Note that Disk #2 is written to during the Win95 install procedure;
this makes it a good candidate for viral infection.
> Please indulge me.
Done.
-BPB
=== end ===
Mounting a floppy that is infected with ANTIEXE and doing a 'dir' on it
WILL bring enough of an image of it into memory that any good virus
scanner should catch it.
To clean it up, boot on a write-protected known-clean floppy. Clean up
the hard disk, then clean up the many floppies that are used to
sneakernet stuff around. Chances are that if they were mounted on the
dirty machine, they are infected.
Good day JSW
>A friends computer had been completely infected by the ANTI-EXE virus and I
>have tried using f-prot. But when F-Prot starts it says that the memory has the
>virus in it, so I used a boot disk and it still says that the memory still has
>the virus in it.
Well, is your boot disk write protected???
>What do I do. I am in desperate need to get rid of this before it hits everyone
>around!
More than likely your boot disk is infected as well. You will have
to obtain a BD that is clean as well as a clean version of an
anti-virus app.
Good Luck...
You must first boot from an uninfected write-protected DOS floppy; an
original diskette is preferred. Then take a diskette (perhaps the same
one) containing F-PROT.EXE, ENGLISH.TX0, and SIGN.DEF and put it in the
A: drive. Type F-PROT /HARD /DISINF and, when asked, respond that you
would like to remove the virus. This should clean your hard drive.
Make sure that your hard drive is clean by booting from it, then
scanning with the F-PROT floppy or, if it's already installed, the F-PROT
on the hard drive. Assuming it's clean, run F-PROT *from the hard
drive*, change the <A>ction to Disinfect/Query and the <S>ource to be the
diskette drive, and <B>egin the scan. Check all your diskettes; yes,
*every* one.
Finally, if your computer allows it, set the CMOS so that the machine
attempts to boot from the hard drive before the floppy (i.e. C:, then A:).
This simple step will halt a whole host of Boot Sector Virus infections,
make your machine start up a bit faster, and have no negative side
effects. If you need to boot from floppy on occasion, just switch the
CMOS setting for the time being.
-BPB
just get to the DOS prompt and type
fdisk /mbr.
This writes a new standard boot sector to your HDD and - if your fdisk.exe
is not infected - you should at least get rid of your boot sector
infection.
m.u.