
Thread: What does everyone know about Virii?

  1. #1
    Senior Member
    Join Date
    Oct 2001
    Posts
    346

    What does everyone know about Virii?

    I have on several old floppies a rather malicious virus of the old days called Generic-437. I would like to send the file to the AO archives, but my problem is this: being the more or less n00b that I am, I don't know how to reduce a virused disk to a stable, (mostly) harmless file. You know how it is, don't want to destroy AO or anything. I've actually seen this virus destroy a BIOS. It's mean.

    SSJVegeta-Sei


    Pierce me with steel, rend me with claw and fang; as I die, a legend is born for another generation to follow.
    An' it harm none, do as ye will. - Wiccan Rede

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Zip it?
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Posts
    346
    It's stealth, can't actually see the file... it just embeds itself into everything and copies onto any outgoing file.

    SSJVegeta-Sei


    Pierce me with steel, rend me with claw and fang; as I die, a legend is born for another generation to follow.
    An' it harm none, do as ye will. - Wiccan Rede

  4. #4
    I am a cracker
    Guest
    And why would you wanna send it to AO archives?

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    346
    Have you ever checked out the archives? They maintain a huge set of virii. It's not in there, so I thought they might want it.

    SSJVegeta-Sei


    Pierce me with steel, rend me with claw and fang; as I die, a legend is born for another generation to follow.
    An' it harm none, do as ye will. - Wiccan Rede

  6. #6
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Originally posted here by SSJVegeta-Sei
    It's stealth, can't actually see the file... it just embeds itself into everything and copies onto any outgoing file.

    SSJVegeta-Sei
    Admittedly I'm no virus expert or anything but it sounds like you have found the only "magic" virus on earth. I'd telepathically send it to M$ so they can embed it in their new OS.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    346
    Probably already have. Here, I'll send you a copy...
    Actually, if you PM me your home address, I'll mail you a copy. Since it instantly copied itself onto any disk inserted into the PC when I had it. It is old though - basic virus protection got rid of it - the last computer I saw destroyed by it was a 486. Still, it's a vicious little thing...

    SSJVegeta-Sei


    Pierce me with steel, rend me with claw and fang; as I die, a legend is born for another generation to follow.
    An' it harm none, do as ye will. - Wiccan Rede

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    346
    Ah... it's also called Boot-437... here's the info from www.mcafee.com


    The Boot-437 virus was first listed as "In The Wild" on The WildList in March 1994. Since the first reports, the virus became common throughout the world, but is now only occasionally reported in some European countries. However, like many other boot viruses, the number of new incidents reported is growing fewer each year.

    Upon booting from an infected diskette, Boot-437 (detected by VirusScan 95 as "Bath"), installs itself to memory and to the hard drive boot record.

    Boot-437 does not employ any payload - it simply replicates. When this virus replicates to a diskette, the user may notice a considerable delay before the disk read/write operation completes. The user may also notice an undue amount of drive-head read/write activity when attempting to access write-protected diskettes - almost like the diskette is corrupt. In each case, delays are due to the virus attempting to replicate.

    Boot-437 does not employ read-stealth characteristics. If the user attempts to view the hard drive's boot record, the true boot record would be what the user is shown, albeit an infected boot record. The virus saves the original uninfected boot record to physical cylinder, side and head 0,0,6.

    Boot-437 infects boot sectors in diskettes and the boot record in hard drives. Upon loading into memory, this virus will reduce the top of DOS memory by 2K. As an example, on a v6.20 DOS-based computer [where there is originally 640K conventional memory available], the memory reduction will result in showing 587,664 bytes available, rather than 589,712. Please note different computers may display different amounts of conventional memory available, depending on configuration.

    Upon booting an infected computer where DOS is the operating system, the virus loads and stays resident in memory. Like most memory-resident boot viruses running under DOS, Boot-437 intercepts calls to Int13h, redirecting the call to its own code. When the virus is in memory - when it is able to intercept calls to Int13h - virtually any diskette access will result in its infection.

    Upon booting an infected computer where Windows 95 is the operating system, the virus will load itself into memory. However, because Windows 95 uses a specialized 32-bit filesystem driver, the virus is unable to replicate to other diskettes - even under a Windows DOS box. The short reason for this is Windows 95's specialized 32-bit disk driver. Once Windows 95 completes startup (more accurately, once VMM32.SYS loads), calls to Int13h are not made in the same fashion as under DOS; thus, while the virus still resides on the hard drive's master boot record, the virus is unable to replicate.

    The following points should be noted:

    1) Post-infection of a Windows 95 system, upon restarting Windows 95, the user may see the following Performance Warning:

    The message indicates a change to the Int13h address - at least the Int13h address that was last being pointed to, as recorded by Windows 95. The message would appear when there is a change to the Int13h address, regardless of whether there was truly a physical change to the boot record or not.

    The message can be indicative of a virus; however, there are other valid reasons why it might appear (disk compression software, disk encryption software, etc.). The performance warning message box will appear only once. Upon the next system restart, the message will not appear. If you see the message and did not expect to, it is best to investigate the reason behind it immediately.

    2) While this specific variant does not have a [working] dangerous payload, other boot viruses might (for example, Michelangelo). As noted above, while Windows 95 effectively stops the virus from replicating, upon boot, the virus is still able to load. Viruses with payloads that are programmed to activate at the time of boot will in fact activate (for example, Michelangelo) regardless of the operating system installed to the hard drive. Before the operating system ever loads, the virus has the potential to cause damage. If you suspect a boot virus, do not rely on Windows 32-bit filesystem drivers to stop the payload from activating.

    3) The Windows 95 32-bit disk driver can be disabled. In doing so, the system is placed in "DOS compatibility mode". Once in DOS compatibility mode, there are calls to Int13h. This means - in theory - the virus may once again have the ability to replicate. In the case of Boot-437, the virus in fact will replicate in DOS compatibility mode (but only if Windows 95 is in compatibility mode).

    SSJVegeta-Sei


    Pierce me with steel, rend me with claw and fang; as I die, a legend is born for another generation to follow.
    An' it harm none, do as ye will. - Wiccan Rede

  9. #9
    I am a cracker
    Guest
    I am just curious what kind of virus is it?
    A macro?
    A boot sector?
    An executable load?
    A polymorphic Virus?

    Does it carry a big payload? If so, what kind of payload?

    As a Cracker I don't condone the writing or spreading of viruses, but I have respect for the knowledge, technical skills and the level of coding ability needed.


    Here is the Stoned virus code

    PUSH CS
    POP DS
    MOV SI,200H
    MOV DI,0
    LODSW
    CMP AX,[DI]
    JNZ HIDEHD ;Hide real boot sector in hard drive

    LODSW
    CMP AX,[DI+2]
    JNZ HIDEHD ; Hide real boot sector in hard drive

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Re: What does everyone know about Virii?

    Originally posted here by SSJVegeta-Sei
    I have on several old floppies a rather malicious virus of the old days called Generic-437. I would like to send the file to the AO archives, but my problem is this: being the more or less n00b that I am, I don't know how to reduce a virused disk to a stable, (mostly) harmless file. You know how it is, don't want to destroy AO or anything I've actually seen this virus destroy a BIOS. It's mean.

    SSJVegeta-Sei
    Since this seems to be a boot sector virus, you should be able to use WinImage to make a copy of the disc and then send it to whoever you want to. But I would not advise anyone to play with a boot sector virus, since they can be nasty to remove without losing data in case of an infection.

    But it's possible to edit the boot sector and save a copy of the virus, but then you need some skills or detailed information about the virus so that you know where to look for it.

    Hope this helps.
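An added forensics example, not from the thread, McAfee or WinImage: given a raw floppy image (the kind post #10 suggests making with WinImage), it checks the boot sector's signature and looks at cylinder/head/sector 0/0/6, where the McAfee write-up in post #8 says Boot-437 stashes the original boot record, to flag a possible relocated boot record. The 1.44 MB geometry (2 heads, 18 sectors per track), the sample image contents and the function names are assumptions/constructed.

```python
# Added example (not from the thread or McAfee): inspect a raw floppy image for the
# relocated-boot-record layout described for Boot-437. All sample data is constructed.
SECTOR = 512
HEADS, SPT, CYLS = 2, 18, 80          # assumed 1.44 MB floppy geometry
SIGNATURE = b"\x55\xAA"
JMP_OPCODES = (0xEB, 0xE9)            # short/near JMP that a DOS boot sector begins with

def chs_to_lba(cyl, head, sector):
    """Cylinder/head/sector (sector is 1-based) -> linear sector index."""
    return (cyl * HEADS + head) * SPT + (sector - 1)

def read_sector(image, lba):
    """Return one 512-byte sector, zero-padded if the image is short."""
    off = lba * SECTOR
    return bytes(image[off:off + SECTOR]).ljust(SECTOR, b"\x00")

def looks_like_boot_record(sector):
    return sector[510:512] == SIGNATURE and sector[0] in JMP_OPCODES

def inspect_image(image):
    """Defender-side check: is there a second, different boot record parked at 0/0/6?"""
    boot = read_sector(image, 0)
    stash = read_sector(image, chs_to_lba(0, 0, 6))   # LBA 5 on this geometry
    findings = {
        "boot_signature_ok": boot[510:512] == SIGNATURE,
        "boot_starts_with_jmp": boot[0] in JMP_OPCODES,
        "stash_is_boot_record": looks_like_boot_record(stash),
    }
    # A valid boot record at 0/0/6 that differs from sector 0 matches the write-up's
    # description of the original record being saved aside; it is a lead, not proof.
    findings["possible_relocated_boot_record"] = (
        findings["stash_is_boot_record"] and stash != boot)
    return findings

def make_sample_image(relocated):
    """Constructed image: DOS-style boot sector, optionally moved aside to 0/0/6."""
    original = bytearray(SECTOR)
    original[0:3] = b"\xEB\x3C\x90"                 # JMP + NOP, as a DOS boot sector starts
    original[3:11] = b"MSDOS5.0"                    # OEM label, constructed
    original[510:512] = SIGNATURE
    image = bytearray(CYLS * HEADS * SPT * SECTOR)
    if relocated:
        stand_in = bytearray(SECTOR)                # placeholder replacement sector, no code
        stand_in[0:2] = b"\xEB\x1C"
        stand_in[2:13] = b"PLACEHOLDER"
        stand_in[510:512] = SIGNATURE
        image[0:SECTOR] = stand_in
        off = chs_to_lba(0, 0, 6) * SECTOR
        image[off:off + SECTOR] = original
    else:
        image[0:SECTOR] = original
    return bytes(image)
```

Run inspect_image on a real image read from disk (open(path, "rb").read()) and treat a True possible_relocated_boot_record as a reason to diff the two sectors and scan the image with an AV engine, not as a verdict.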
