The Plague
The plague
Australian Society of Anaesthetists Newsletter Volume 95, Issue 2, June 1994
Cold, blue Tuesday morning. Unlocking my office door I pushed past the sign above into the chaos beyond. The vinyl moose head on my wall usually oversees a post nuclear disaster area. Today it looked as if they had just finished filming DieHard 4. A tangle of cables covered my desk top, ensnaring a desktop computer, the docking station for my laptop, laser printer, modem, loud speakers, monitors, mice and keyboards.
What little room was left was taken up with piles of computer disks marked unknown, clean, infected.
The paperless office…NOT!
Piled up in one corner of the room were the FAQ sheets from the computer virus forum. A good path to this forum is through the National Institute of Standards and Technology’s Computer Security Resource Clearing House.
On top of the FAQ’s were the printouts on the particular virus that has plagued our department. Gleaned from the IBM Computer Virus Information Centre;
Then there were the manuals for the antiviral programs I have launched against the virus. In three days of caffeine induced insomnia I have become an expert on viruses and antiviral software.
Four anti viral programs
- Mwav supplied with Microsoft Windows. A complete waste of space
- McAfee’s WSCAN for Microsoft Windows. An evaluation copy can be dowloaded. WSCAN has a very nice Window’s interface and is worth a look.
- F-PROT from Iceland. What else is there to do in the Land of the Midnight Sun? A shareware copy can be downloaded. F-PROT seems to have the Internet vote as the smartest software available. The shareware version cannot be easily automated so it may not be the best choice for protecting a department.
- VET is a very nice home grown product (CYBEC Pty Ltd. PO Box 205, Hampton Vic 3188, AUSTRALIA.) It can be easily set up to automatically protect hard drives and clean infected floppies.
How did it begin
Two weeks earlier we had noticed our computers would occasional stop in their tracks if we exchanged floppy disks. (We have 10 PC’s in the department and no network so file exchange is by floppy disk). We put the problem down to subtle timing differences between disk drives. One week ago our secretary started getting bizarre error messages from her word processor such as “Unhandled exception error #1252. Close all applications. Restart computer.” Phil G. was getting so many “out of memory” errors he decided to reinstall all his programs.(50 floppy disks) The virus scanners supplied with DOS and Windows reported ‘all clear’ on all machines. Our comfort was short lived.
Where did our plague begin?
3 years ago in an East European country a crazed programmer put the finishing touches to a new virus. Perhaps it was the infamous “Dark Avenger” of Bulgaria who encrypted the messages “F…’EM UP!” and “(C) 1992 Jack Ripper” into the viral genome. (Ever met an eloquent anarchist?)
The ‘Ripper’ is a stealth Boot Record infector that uses a RAM resident program to cover its tracks, infect other disks and slowly corrupt data files. It is very nasty indeed. To fully appreciate the cunning of its creator I need to get technical for a moment. Serious technophobes should skip forward to “How did it get here”. Ever wondered why you ‘boot’ a computer to start it?
Booting computers…A load of cobblers?
Ever wondered why you ‘boot’ a computer to start it? The information on all types of disk is arranged in concentric tracks. These tracks in turn are composed of discrete sectors. The only thing a computer ‘knows’ about itself when you turn it on is how to read the first sector of the first track of the first drive it comes to. This sector holds a tiny program known as the ‘bootstrap’ or ‘boot’ program. This first program ‘teaches’ the computer how to read the other sectors of the first track. These sectors hold a much larger program. This second program ‘teaches’ the computer all about using disk drives. This make it possible for the computer to read the next tracks on the disk. These contain even larger programs needed to make the next step up in ‘awareness’. The computer is “lifting itself up by its bootstraps.” If you turn on your PC with a disk in the drive the program in the boot sector will always be run.
Anatomy of a virus
The ‘Ripper’ replaces the ‘boot program’ so it is launched when you turn the computer on with an infected floppy in the drive. The virus moves the boot sectors of the hard drive to a safe hiding place and then copies itself into the boot sector of the hard drive. Finally it launches a copy of the original boot sectors of the floppy disk so you do not know what has happened.
“Darn” you say “I forgot that floppy was in the disk drive”. You take it out and reboot your computer. Now it looks as if the PC is booting normally off the hard drive. In fact the virus on the boot sector of the hard drive now runs first before handing control over to the copy of the boot sector. The virus also puts a itself into high memory of the computer. The virus can then intercept all calls to the disk drive. If it sees another program is trying to “look” at the boot sector it will “show” it the copy. This ability to hide its image on the disk puts the ‘ripper’ into the class of stealth viruses.
This RAM resident virus program will also infect the boot sector of any floppy disk that is put in the disk drive without write protection.
And last but not least is the ‘warhead’ of the virus. Approximately one write in a thousand it will randomly swap two bytes in the output. This change may be very subtle. eg Change a letter in a text document or one number in a spreadsheet. It can go on for months quietly corrupting data. You may even backup the corrupted data before you realise anything is wrong. Eventually the virus will corrupt something important like the file allocation tables on your hard drive. You then lose everything!
How did it get here?
The virus had come into the hospital on a new laptop computer. The supplier blames the manufacturer the manufacturer blames the supplier! The owner borrowed one of my disks to copy a file and infected the boot sector. I accidentally booted my laptop with the disk in the drive and loaded the virus onto my hard drive.
I then contaminated 20 out of my set of 100 disks and passed the infection on to 4 other machines in the department. When Phil G re-installed all of his programs he inadvertently infected 45 of his 50 backup disks. (Little wonder he was responsible for the sign on my door.)
What should you do?
Start worrying now! Beg, borrow, download or steal at least two recently updated scanners. (I recommend VET and F-PROT). Install a RAM resident virus shield to check your hard drive on ‘boot’ and scan all incoming floppy disks. NEVER ‘boot’ the computer with a floppy disk in the hard drive.
cliche #123:
“I thought it would never happen to me. ” I sat down to spend the rest of that desolate Tuesday checking ALL my disks. Life was so much simpler before computers
Dave Sainsbury
EMAIL: david.sainsbury”AT”adelaide.edu.au Last Update:02/05/2005 |
Leave a Reply