|
NCSA Virus Report #19
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
???????????????????????????????
? VIRUS REPORT ?
? Alameda Virus ?
???????????????????????????????
Synonyms: Yale, Merritt, Peking, Seoul virus.
Date of Origin: Spring, 1987.
Place of Origin: Merritt College, Alameda, California.
Host Machine: PC compatibles. Does not run on 80286.
Host Files: Remains resident. Infects floppy disk boot sector.
Increase in Size of Infected Files: n/a.
Nature of Damage: Resident. Corrupts or overwrites floppy boot sector.
Detected by: Scanv56+, F-Prot, IBM Scan.
Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command..
Scan Code: BB 40 00 8E DB A1 13 00 F7 E3 2D E0 07 8E C0 0E 1F 81 FF 56 34
75 04 FF 0E F8 7D. You can also search at offset 00EH for A1 13 00 F7 E3
2D E0 07.
History: First discovered at Merritt college in California in the Spring
of 1987. In February, 1988, it popped up at Alameda College, where it
received large publicity. In October, 1988, it surfaced at Yale
University, where it became known as the Yale virus. The original
version caused no intentional damage.
The original Alameda would only run on an 8088/8086, and was
presumably assembled using A86 on such a machine. Because it does not
infect hard disks, we may presume that the author's machine did not have
one. The original version would not run on an 80286 or an 80386 machine,
although it will infect on such a machine. Later versions of the virus
can run on an 80286.
Description of Operation: The Alameda virus spends its life in the boot
sector of 5.25" 360K floppy disks. When the machine boots from an
infected 360K floppy, the Alameda becomes memory resident, occupying 1K
of memory. It infects 360K floppies in the A: drive only. Pressing
Ctrl-Alt-Del activates the virus, rather than removing it from memory.
At this point, it looks for a floppy in drive A: to infect. It will
infect any 360K disk in that drive, whether or not it is a bootable disk.
The original boot sector is held in track thirty-nine, head zero,
sector eight. It does not map this sector bad in the FAT (unlike the
Brain) and should that area be used by a file, the virus will die. It
apparently uses head 0, sector 8 and not head 1 sector 9 because this is
common to both single sided and double sided formats and common to both
8-sectored and 9-sectored formats (both the old 160K single sided and
later 180K single sided formats).
Alameda redirects the keyboard interrupt (INT 09H) to look for
Ctrl-Alt-Del sequences. When it detects Ctrl-Alt-Del, it will attempt to
infect any floppy it finds in drive A:.
The virus is not malevolent. It contains code to format track
thirty-nine, head zero, but this has been disabled. It also contains a
count of the number of times it has infected other diskettes, although it
is referenced for write only and is not used as part of an activation
algorithm. The virus remains resident at all times after it is booted,
even if the user removes the floppy from a machine having no bootable
hard disk, and reboots with Ctrl-Alt-Del. When Ctrl-Alt-Del is pressed
from inside Cassette Basic, it activates and infects the floppy from
which the user is attempting to boot.
Alameda contains no anti-detection mechanisms as does the Brain
virus.
The Alameda contains a rare POP CS instruction that is not understood
by 80286 systems, and hangs the system up. The POP CS command is used to
pass control to itself in upper memory. When such a machine hangs, the
virus has already installed itself in high RAM and hooked the keyboard
interrupt, so that the infection can spread if a warm boot is then
performed.<Note: In fact, the way the virus is most often discovered is
that a 286 won't boot from an infected disk.>
Removal: Alameda can not only live through an Ctrl-Alt-Del reboot
command, but this is its only means of reproduction to other floppy
diskettes. The only way to remove it from an infected system is to turn
the machine off and reboot with an uninfected copy of DOS. The Norton
utilities can be used to identify infected diskettes by looking at the
boot sector and the DOS SYS utility can be used to remove it <197> unlike
the Brain.
??????????????????????????????????????????????????????????????????????
? This document was adapted from the book "Computer Viruses", ?
? which is copyright and distributed by the National Computer ?
? Security Association. It contains information compiled from ?
? many sources. To the best of our knowledge, all information ?
? presented here is accurate. ?
? ?
? Please send any updates or corrections to the NCSA, Suite 309, ?
? 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS ?
? and upload the information: (202) 364-1304. Or call us voice at ?
? (202) 364-8252. This version was produced May 22, 1990. ?
? ?
? The NCSA is a non-profit organization dedicated to improving ?
? computer security. Membership in the association is just $45 per ?
? year. Copies of the book "Computer Viruses", which provides ?
? detailed information on over 145 viruses, can be obtained from ?
? the NCSA. Member price: $44; non-member price: $55. ?
? ?
? The document is copyright © 1990 NCSA. ?
? ?
? This document may be distributed in any format, providing ?
? this message is not removed or altered. ?
??????????????????????????????????????????????????????????????????????
|
|
