 CIAC Advisory number A-27
 ________________________________________________________________________
 THE COMPUTER INCIDENT ADVISORY CAPABILITY
 
 CIAC
 
 INFORMATION BULLETIN
 ________________________________________________________________________
 
 The Disk Killer (Ogre) Virus on MS DOS Computers
 
 June 28, 1990, 1000 PST	                                     Number A-27
 
 ________________________________________________________________________
 Name: Disk Killer virus (also known as the Ogre virus)
 Types: Only one known variant
 Platform: MS DOS computers
 Damage: Overwrites mounted disks
 Symptoms: Writes "COMPUTER OGRE 04/01/89" on screen and overwrites disk
 Detection/Eradication:  VIRALERT, VIRHUNT, RESSCAN, CodeSafe, CleanUp,
 F-Prot, IBM Scan, Pro-Scan, and others (contact CIAC for information
 about these products)
 Critical Disk Killer Facts
 ________________________________________________________________________
 
 The Disk Killer virus is a destructive virus affecting MS DOS
 computers.  This virus infects the boot sector, then hides itself by
 marking unused blocks on floppy or hard disks as bad.   After remaining
 dormant for approximately 48 hours of operation (not calendar) time
 after the initial infection,  Disk Killer executes upon the first boot
 or reboot after this period.   Upon execution, this virus displays the
 following message:
 
 Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89
 
 Warning!!
 
 Don't turn off the power or remove the diskette while Disk Killer
 is Processing!
 
 Next, the word "PROCESSING" will be displayed, followed by this message:
 
 Now you can turn off the power.  I wish you Luck!
 
 Disk Killer overwrites the boot sector, then the file allocation table
 (FAT), then the directory randomly with blocks of a single character.
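
 A triage check for the hiding technique described above (unused blocks marked as bad), added here as an example that is not part of the CIAC bulletin: it parses a FAT12 floppy image and lists the clusters the FAT flags as bad. The function names and the sample image are constructed for illustration; genuinely defective media also carry bad-cluster marks, so a hit is a reason to run a scanner, not a verdict.

```python
import struct

BAD = 0xFF7  # FAT12 entry value that marks a cluster as bad

def fat12_get(fat, n):
    """Return the 12-bit FAT entry for cluster n (entries are packed 2 per 3 bytes)."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0xFFF

def fat12_set(fat, n, value):
    """Write a 12-bit FAT entry; used only to build the constructed sample."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    word = (word & 0x000F) | (value << 4) if n & 1 else (word & 0xF000) | value
    fat[off], fat[off + 1] = word & 0xFF, word >> 8

def bad_clusters(image):
    """List the data clusters that the first FAT copy marks as bad."""
    bps, spc, reserved, nfats, root_ents, total, _media, spf = struct.unpack_from(
        "<HBHBHHBH", image, 11)  # BIOS Parameter Block fields at offset 11
    if bps == 0 or spc == 0 or total == 0:
        raise ValueError("boot sector has no usable BIOS Parameter Block")
    root_secs = (root_ents * 32 + bps - 1) // bps
    first_data = reserved + nfats * spf + root_secs
    count = (total - first_data) // spc
    if count >= 4085:
        raise ValueError("volume is not FAT12")
    fat = image[reserved * bps:(reserved + spf) * bps]
    return [n for n in range(2, count + 2) if fat12_get(fat, n) == BAD]

def make_sample():
    """Constructed 360 KB floppy image: one 2-cluster file, 3 clusters marked bad."""
    img = bytearray(720 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    img[510:512] = b"\x55\xAA"
    fat = bytearray(2 * 512)
    for n, v in [(0, 0xFFD), (1, 0xFFF), (2, 3), (3, 0xFFF),
                 (300, BAD), (301, BAD), (302, BAD)]:
        fat12_set(fat, n, v)
    img[512:1536] = fat        # first FAT copy
    img[1536:2560] = fat       # second FAT copy
    return bytes(img)

if __name__ == "__main__":
    print("clusters marked bad:", bad_clusters(make_sample()))
```

 Run it against an image taken from a disk that was booted from a write-protected floppy, and compare the result with an earlier baseline of the same disk where one exists.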
 
 The proper procedure depends upon when you detect Disk Killer:
 
 1. If your machine is infected before it executes and you detect this
 virus through a scan package (such as CodeSafe, RESSCAN, VIRHUNT, or
 IBM Scan)---TURN YOUR MACHINE OFF.  Then use a write-protected bootable
 floppy disk to boot your system;  otherwise, you will have Disk Killer
 in memory, causing re-infection.  Remove Disk Killer by installing and
 executing a PC virus eradication package such as VIRHUNT.
 
 2. If the message shown above appears on your computer's screen, Disk
 Killer has already executed---LEAVE YOUR MACHINE ON AND ALLOW THIS
 VIRUS TO EXECUTE WITHOUT INTERRUPTION (i.e., until "Now you can turn
 off the power..." is displayed).  It is true that Disk Killer will
 overwrite your disk, but don't worry---you can restore all data and
 files from your disk (floppy or hard disk) using a recovery package
 such as UNKILL.   Reboot from a write-protected master floppy, and
 remove the virus using virus eradication software.
 
 Regardless of which particular procedure (1 or 2) you use, be sure to
 scan any disks (in particular, bootable floppies) before resuming
 normal activity with your computer.
 
 Note:  Because this virus modifies every byte in every sector on your
 disk, Norton Utilities is not a feasible means of recovering from the Disk
 Killer virus.  Note also that a considerable amount of incorrect
 information about responding to Disk Killer has already been
 distributed.  If you follow this incorrect information, which advises
 you to turn your machine off as soon as Disk Killer begins to execute,
 it is extremely likely that you will not be able to fully recover from
 this virus.
 
 Additional Note:  The CIAC team first became aware of this virus early
 last Fall.   At that time, however, we chose to briefly describe this
 virus in the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15, rather
 than to issue a separate bulletin; infections at that time appeared to
 be limited to MS DOS computers equipped with hard disks made by a
 particular manufacturer in Taiwan.
 
 For additional information or assistance, please contact CIAC:
 
 David S. Brown
 (415) 423-9878 or (FTS) 543-9878
 FAX:  (415) 423-0913, (FTS) 543-0913 or (415) 422-4294
 
 Send e-mail to:
 
 [email protected]
 
 Neither the United States Government nor the University of California
 nor any of their employees, makes any warranty,  expressed or implied,
 or assumes any legal liability or responsibility for the accuracy,
 completeness, or usefulness of any information, product, or process
 disclosed, or represents that its use would not infringe privately
 owned rights.  Reference herein to any specific commercial products,
 process, or service by trade name, trademark, manufacturer, or
 otherwise, does not necessarily constitute or imply its endorsement,
 recommendation, or favoring by the United States Government or the
 University of California.  The views and opinions of authors expressed
 herein do not necessarily state or reflect those of the United States
 Government nor the University of California, and shall not be used for
 advertising or product endorsement purposes.