Stoned aka Angelina is back
Gladiator Security Forum > General Security > General Security Discussions
od1
First Boot Sector Virus I have seen in a while

http://www.theregister.co.uk/2007/09/17/vi...toned_angelina/

Had to clean someone's machine of this myself today.

Madness, eh.

Suppose we all have old floppies around, but 13 years..
TheSentinel
Heya od1

Thanks for sharing your experience of that virus. For all being interested in how you got rid of it: Can you drop some notes about that please?

Thanks in advance
B. Udo
Bobbi Flekman
I think in most cases getting rid of it would be easy. Start up with a CD in the tray, go to the Recovery Console and run FixBoot and/or FixMBR. They will rewrite the boot sectors on the hard disc.

You may have more trouble if you are dual-booting with Linux though, as you'll stop the Linux bootloader from loading.
od1
Hi,

Info here: http://www.bullguard.com/support/tech-guid...edangelina.aspx

We used an ME boot disk and fdisk /mbr, which did the trick, though using the one in BullGuard's support article is a better idea (using bootrec /fixmbr from the Vista DVD).

We don't generally see many of these nowadays, gladly o.O

I believe this one did not cause too much trouble; if they move the MBR code to another location (and are badly written), this is when problems are caused.

OD
Bobbi Flekman
QUOTE (od1 @ Sep 19 2007, 03:40 PM) *
We used an ME boot disk and fdisk /mbr, which did the trick, though using the one in BullGuard's support article is a better idea (using bootrec /fixmbr from the Vista DVD).
I was going under the notion of Windows 2000/XP/Vista. FDISK /MBR has changed to FIXMBR in those.

QUOTE
I believe this one did not cause too much trouble; if they move the MBR code to another location (and are badly written), this is when problems are caused.
If they change the location then you have a lot of expensive paperweights, as the MBR is industry-wide and platform-independent. The BIOS talks to the MBR to find out what logical discs there are on the physical drive, and unless BIOSes are updated they wouldn't be able to talk to the disc.
od1
Hi Bobbi,

I am by no means an expert on this; tbh this is one of the first I have dealt with (I'm not that old)

But as far as I'm aware (correct me if I'm wrong), the point I was getting at with the second point was if they incorrectly replace the MBR code:

0
|---MBR---|------------rest


Virus...

|-malcode-|-MBR-

If the malware puts this in an 'incorrect' location, typical fixes will fix the MBR; then, when it returns to where it should, there is misplaced code there.

Similar to prepender viruses misplacing the return address, it won't run.
Bobbi Flekman
Hey od1,

QUOTE
But as far as I'm aware (correct me if I'm wrong), the point I was getting at with the second point was if they incorrectly replace the MBR code:

0
|---MBR---|------------rest
This is correct.
QUOTE
Virus...

|-malcode-|-MBR-
This is impossible. The BIOS is hardcoded to look at the first sector/cluster on the hard disc to read the code telling it what the disc looks like (as in number of partitions, the size of them, where they begin, etc.). What an MBR virus does is change the entry point. Once the virus has changed the MBR it looks a bit like this:

0
|---MBR--*|bs (disc c:)------------rest|viral code---^|-------- rest

*: Jump to start of viral code;
^: Jump to boot sector (in this case bs (disc c:))

What happens during startup is this:
* BIOS reads the hardware and finds out that there is a hard disc.
* BIOS asks the hard disc what is on it by reading the Master Boot Record. The Master Boot Record contains a jump to somewhere else on the disc, and apart from telling the BIOS that there is a partition called C, it also executes the viral code at the position the MBR told the BIOS. After the viral code is executed the BIOS jumps back to the MBR and goes on its merry way.
* BIOS does all other sorts of checks and proceeds to boot up the hard disc known as C: by jumping to the boot sector for C:

Only sector 0 of the physical disc is hard coded to be the Master Boot Record. It doesn't matter what is in it. Normally sector 0 contains the address of where the Boot Record code is situated and ready to be executed. When the MBR gets infected, the virus changes the address to point to itself and remembers the original address that was in it. Now the computer reads sector 0, executes the virus and the virus jumps to the original MBR. The same method of working is done in the boot sector of logical discs like C or E. The computer boots up the logical disc, reads their "sector 0", finds the address of the boot code and goes there to execute. What happens during FIXMBR or FDISK is that the address that should have been in that first sector is being put back in, so that the computer does not execute the viral code next time. Reboot and you're "virus-free". It is physically on the disc but is rendered harmless.
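To make the sector-0 layout discussed above concrete, here is an added Python example (not code from the thread or from any tool named in it). It parses a 512-byte MBR into its three parts (446-byte code area, 64-byte partition table, 0x55AA signature), flags a code area that differs from a known-good baseline while the partition table is untouched, and rewrites only the code area from the clean copy, the same conceptual shape as the FIXMBR-style repair the thread recommends. All sector contents are constructed placeholders, not real boot or viral code.

```python
import struct

SECTOR_SIZE = 512
CODE_LEN = 446            # bootstrap code area: offsets 0..445
TABLE_OFF = 446           # four 16-byte partition entries: offsets 446..509
SIGNATURE = b"\x55\xAA"   # boot signature: offsets 510..511

def partition_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one 16-byte entry; CHS fields are zeroed, the LBA fields carry the geometry."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

def build_mbr(code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from a code blob and up to four partition entries."""
    assert len(code) <= CODE_LEN and len(entries) <= 4
    table = b"".join(entries).ljust(64, b"\x00")
    return code.ljust(CODE_LEN, b"\x00") + table + SIGNATURE

def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    found = []
    for i in range(4):
        raw = mbr[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype:  # type 0x00 means an unused slot
            found.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return found

def inspect_mbr(current: bytes, baseline: bytes) -> dict:
    """Defensive check: signature intact? code area changed? partition table changed?
    A changed code area with an unchanged table is the classic boot-code-redirect pattern."""
    return {
        "signature_ok": len(current) == SECTOR_SIZE and current[510:512] == SIGNATURE,
        "code_changed": current[:CODE_LEN] != baseline[:CODE_LEN],
        "table_changed": current[TABLE_OFF:510] != baseline[TABLE_OFF:510],
    }

def rewrite_code_area(current: bytes, clean_code: bytes) -> bytes:
    """Put known-good code back while keeping the existing partition table and signature."""
    return clean_code.ljust(CODE_LEN, b"\x00") + current[TABLE_OFF:510] + SIGNATURE

# Constructed sample data: placeholder byte strings, one bootable NTFS-type partition at LBA 63.
CLEAN_CODE = b"<constructed stand-in for legitimate boot code>"
REDIRECTED_CODE = b"<constructed stand-in for altered boot code>"
SAMPLE_ENTRY = partition_entry(0x80, 0x07, 63, 20_000_000)
CLEAN_MBR = build_mbr(CLEAN_CODE, [SAMPLE_ENTRY])
ALTERED_MBR = build_mbr(REDIRECTED_CODE, [SAMPLE_ENTRY])

if __name__ == "__main__":
    print(inspect_mbr(ALTERED_MBR, CLEAN_MBR))           # code_changed True, table_changed False
    print(rewrite_code_area(ALTERED_MBR, CLEAN_CODE) == CLEAN_MBR)  # True
```

On a real disc the baseline would be a backup of sector 0 taken when the machine was known clean; the check only tells you the code area differs, not what the replacement does.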
od1
Thanks for the info bobbi :)

Now, a couple of AV products, whilst attempting to fix this, did it incorrectly, causing the machine not to boot.

How would this happen?

Now, if the virus changed the original entry point to point to itself, I take it after it had run it would then point back to the original entry point and the machine would continue as normal?

If something was to 'fix' this, it would just change it back to the usual boot sector?

OD
Bobbi Flekman
Hi od1,

QUOTE
Now, a couple of AV products, whilst attempting to fix this, did it incorrectly, causing the machine not to boot.

How would this happen?
I have no idea without looking at them. Be aware that my illustration of what constitutes the MBR/boot sector is extremely simplified, so it may very well be that something like a rootkit would interfere with giving the correct data to the anti-virus program. Then when the MBR fixer wrote down the new info to the disc it wrote down the wrong ones, and Whammo! The end on next boot. Old boot sector viruses are hardly found these days as the older architecture of them would interfere with the workings of Windows. So it may also be that the new anti-viruses aren't used to the old-school viruses, and thus worked the fix in the wrong way. With an MBR/boot sector virus I never used a fix from an AV program anyway. It is best and easiest to simply use FIXMBR, FIXBOOT and/or FDISK.

QUOTE
Now, if the virus changed the original entry point to point to itself, I take it after it had run it would then point back to the original entry point and the machine would continue as normal?
It depends on exactly how the virus works, but it would mean somehow that the original boot sector code would be run and the virus on top of that.

QUOTE
If something was to 'fix' this, it would just change it back to the usual boot sector?
Yep. Either it would rewrite the boot sector from scratch, or kill off the redirect to the virus code. Personally I think that rewriting is best, as you don't know what the virus does exactly. If it copied the original boot sector to somewhere else and wrote the viral code on the boot sector, the kill-off of the redirect would still execute the virus. A complete rewrite wouldn't.