|
CIAC Advisory number A- 27
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY
CIAC
INFORMATION BULLETIN
________________________________________________________________________
The Disk Killer (Orge) Virus on MS DOS Computers
June 28, 1990, 1000 PST Number A-27
________________________________________________________________________
Name: Disk Killer virus (also known as the Ogre virus)
Types: Only one known variant
Platform: MS DOS computers
Damage: Overwrites mounted disks
Symptoms: Writes "COMPUTER OGRE 04/01/89" on screen and overwrites disk
Detection/Eradication: VIRALERT, VIRHUNT, RESSCAN, CodeSafe, CleanUp,
F-Prot, IBM Scan, Pro-Scan, and others (contact CIAC for information
about these products)
Critical Disk Killer Facts
________________________________________________________________________
The Disk Killer virus is a destructive virus affecting MS DOS
computers. This virus infects the boot sector, then hides itself by
marking unused blocks on floppy or hard disks as bad. After remaining
dormant for approximately 48 hours of operation (not calendar) time
after the initial infection, Disk Killer executes upon the first boot
or reboot after this period. Upon execution, this virus displays the
following message:
Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89
Warning!!
Don't turn off the power or remove the diskette while Disk Killer
is Processing!
Next, the word "PROCESSING" will be displayed, followed by this message:
Now you can turn off the power. I wish you Luck!
Disk Killer overwrites the boot sector, then the file allocation table
(FAT), then the directory randomly with blocks of a single character.
The proper procedure depends upon when you detect Disk Killer:
1. If your machine is infected before it executes and you detect this
virus through a scan package (such as CodeSafe, RESSCAN, VIRHUNT, or
IBM Scan)---TURN YOUR MACHINE OFF. Then use a write-protected bootable
floppy disk to boot your system; otherwise, you will have disk Killer
in memory, causing re-infection. Remove Disk Killer by installing and
executing a PC virus eradication package such as VIRHUNT.
2. If the message shown above appears on your computer's screen, Disk
Killer has already executed---LEAVE YOUR MACHINE ON AND ALLOW THIS
VIRUS TO EXECUTE WITHOUT INTERRUPTION (i.e., until "Now you can turn
off the power..." is displayed). It is true that Disk Killer will
overwrite your disk, but don't worry---you can restore all data and
files from your disk (floppy or hard disk) using a recovery package
such as UNKILL. Reboot from a write-protected master floppy, and
remove the virus using virus eradication software.
Regardless of which particular procedure (1 or 2) you use, be sure to
scan any disks (in particular, bootable floppies) before resuming
normal activity with your computer.
Note: Because this virus modifies every byte in every sector on your
disk, Norton Utilities not a feasible means of recovering from the Disk
Killer virus. Note also that a considerable amount of incorrect
information about responding to Disk Killer has already been
distributed. If you follow this incorrect information, which advises
you to turn your machine off as soon as Disk Killer begins to execute,
it is extremely likely that you will not be able to fully recover from
this virus.
Additional Note: The CIAC team first became aware of this virus early
last Fall. At that time, however, we chose to briefly describe this
virus in the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15, rather
than to issue a separate bulletin; infections at that time appeared to
be limited to MS DOS computers equipped with hard disks made by a
particular manufacturer in Taiwan.
For additional information or assistance, please contact CIAC:
David S. Brown
(415) 423-9878 or (FTS) 543-9878
FAX: (415) 423-0913, (FTS) 543-0913 or (415) 422-4294
Send e-mail to:
[email protected]
Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.
|
|
