Vista attacked by 13-year-old virus

A batch of laptops pre-installed with Windows Vista Home Premium was found to have been infected with a 13-year-old boot sector virus. Those of you with a long memory will vividly recall the year 1994: Nirvana's lead singer Kurt Cobain died, South Africa held its first multi-racial elections, and Tony Blair became leader of …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Bullguard possibly not that bad?

    According to http://www.version2.dk/artikel/3905 (in Danish), the included (probably time-limited, nagging, begging, ...) Bullguard anti-virus software actually detected the virus (as did AVG), but it wasn't able to remove the virus.

  2. Vladimir Plouzhnikov

    Hats off to Vista!

    I have been very sceptical about Vista until now. But if these people have managed to install Vista on these laptops using floppy disks - I am prepared to change my opinion.

    The last system I myself managed to install from a floppy was DOS 8 something or other.

  3. Jason Irwin

    Huh?

    "...security firms have a duty to maintain protection against older threats for just this kind of eventuality."

    What about OS manufacturers producing software which can't be hacked to within an inch of its life by a 12-year-old with a few scripts and "PCs for Dummies"?

    It's MS who should be getting strung up for this - they've had 13 years to sort their security.

  4. Greg Nelson

    Picked nit

    Fortuitously I reorganized my anachronistic CDs this weekend. From 1994 I've the 10-disk Microsoft Developer Network set. It includes Windows 3.11, Windows for Workgroups 3.11 and, notably, Windows NT 3.1. As an aside, about 5 years ago I loaded up the NT 3.1 stuff on a PII and dropped by the Microsoft site looking for "updates". In short order I was met with a pop-up exclaiming, "Well! We haven't seen you here before." Good fun, and no, I'm not wrinkly.

  5. Anonymous Coward

    generic title

    1994 was most certainly not pre-NT, what with NT existing before v4 (3.4.1, 3.1 etc.)

    I thought that Stoned stopped your machine booting every 8th time (geddit? no, neither do I, ahem), displaying a message saying 'this machine is stoned'; if you then typed 'so am i' it would boot. Maybe this was a different variant.

    I seem to remember that all you need to do to get rid of it is 'fdisk /mbr', although I can't imagine that would work on Vista.

    I hardly think that MS should be embarrassed about it appearing on some OEM laptops; how is it their fault?

  6. Patrick Evans

    A victory for backwards compatibility

    Vista able to run a 13-year-old application with no known errors. It's not often you hear that about a Microsoft OS!

  7. Daniel Ballado-Torres

    Ah... old virii

    Now THOSE were real mean virus-machines, not the lame-a$$ "virii" made in VB, VBScript, ActiveX and similar crapvelopment, taking advantage of an ill-conceived development model. C and assembly, taking over the MBRs! Though I didn't know that I could boot my Stoned PC by getting ... ahem... stoned.

    Protection from old virii is what made me ditch McAfee way back in 1994 (coincidence?), as it was able to remove NATAS, but good ole DIR II trashed the damned AV. *sigh* How I miss the good old times when virii were actually intelligent and (sometimes) humorous, instead of trying to sell me v1@gr4, showing porn popups or phishing stuff from my PC.

  8. Pascal Monett

    Oh ! Thank Goodness !

    Microsoft : preserving compatibility with your script kiddie code since 1998.

  9. suc

    the virus doesn't work after Windows has been started

    The virus is only able to spread to further disks when Windows [itself] is not yet started,…the virus can infect further disks at boot time, but not after Windows has been started.

    http://sunbeltblog.blogspot.com/2007/09/update-on-stoned-virus-infection-of.html

  10. Leo Davidson

    What's this got to do with Vista?

    The title of the article is "Vista attacked by 13-year-old virus" but how is Vista being attacked, or responsible, or anything to do with this except by also being pre-installed on the same harddrive as the offending boot sector?

    You might as well have titled the article "USB cable attacked by 13-year-old virus" but I guess that wouldn't tick the "slag off Vista whether it's justified or not" buttons that so many people seem to have right now. (Vista isn't perfect but what, exactly, do you expect it to do in this situation?)

  11. Anonymous Coward

    virii indeed!

    "virii" is not the plural of virus.

    This is a common error; the plural is quite simply "viruses".

    http://en.wikipedia.org/wiki/Plural_of_virus

    Anyway, Vista rules, better than that hippie excuse for an OS.

    At least Vista can still run viruses.

    Bloody hippies.

  12. Jason Haas

    Would nVIR or INIT-29 still endanger old PowerPC Macs running Classic?

    What a thrill to see an old virus resurge under Vista. We once had a bit of a Mac OS 9 worm ship on our LinuxPPC discs, although it was never a real threat; it was wrapped in some Linux or Mac OS shell that made it inert. But still, I wonder, should, say, nVIR, an old virus that could infect Macs running System 4.1 or higher, affect the Classic environment on Macs running OS X? (To think what a pain reinstalling the system software was in those days... "insert disk 3" "ok...")

  13. Simon

    @Leo

    Well, how about Vista blocks installation of the virus? Better yet, Vista won't execute anything unless I say so?

    While you're at it, get the media player, message program etc out of the business version, you're supposed to be working!

    Let me know when I can buy a proper business version.

    Cheers,

    Simon.

  14. Bronek Kozicki

    It's the OEM's fault

    I always knew these Medions are crappy.

  15. Stuart

    RE:Bullguard possibly not that bad?

    Not that bad? An AV package that doesn't actually stop/delete/quarantine a virus, and you say it's not that bad? FFS, it may have spotted it but it did (according to the report) nothing about it.

    Now, in a previous incarnation as a SysAdmin, we had an AV system forced upon us against our wishes and advice to senior management and that too 'did detect' (allegedly) but not clean or remove viruses. Bang went ten thousand documents.....but not a problem. After all, following a quick scan of the network, we knew what the virus was....shame the AV we were using and paying for couldn't stop it/quarantine it/get rid of it.

    /rant

  16. Joe

    Aldi!

    They're for sale in Aldi, I'd expect the odd virus here and there...

  17. Anonymous Coward

    Vista doesn't run the virus, the PC BIOS does

    Vista doesn't run the virus, the PC BIOS does

    and then it runs Vista

  18. Demian Phillips

    Proper edition of windows for work getting done software for pc computer type machines.

    Also we need proper software raid (not only raid 0) since sometimes we need redundancy outside of the server.

  19. Anonymous Coward

    Re: A victory for backwards compatibility

    Someone (anonymous) has actually beaten me to this: Vista doesn't run the virus, but the virus does run Vista. Still a victory for backward compatibility though in my opinion!

    Re: @Leo, in fairness, Vista couldn't be expected to block the execution of a boot virus. That would be like expecting the US Army to do something about the Roman Empire, in more ways than one; Vista is nowhere in sight while the virus does its business, and the virus has come and gone by the time Vista boots.

    It's not easy for AV software to quarantine or destroy something that's overwritten your boot sector; there might even be a bit of touchy legality involved in copying the real thing back. Cleaning the virus out is one thing, but doing so in such a way that your PC is still capable of booting is not trivial since the virus is now your bootloader...

  20. Anonymous Coward

    @Vladimir Plouzhnikov

    DOS 8? I thought they only actually got to DOS 7, and the last one you could actually get without Windows being 6.2.2... obviously I'm talking about the MS-DOS line, but then I'm assuming that's what you meant?

    I actually worked out the other day the time it takes to send a floppy's worth of data over an ADSL link - in the region of a dozen seconds to upload, under 2 to download!! Now how long did it take to write a floppy back in the day? Progress!

  21. Dr. Vesselin Bontchev

    Misc stuff

    Vladimir Plouzhnikov: They didn't install Vista from floppies; they installed it the usual way. The virus has infected it later. For an infection to occur, all you need is to forget a not necessarily bootable infected floppy disk in drive A: and have the BIOS of the machine configured to try to boot from the floppy disk drive first. By the time you see the message that the boot has failed (because the floppy is not bootable), the virus has already infected the hard disk.

    Fraser: The DOS command FDISK/MBR would indeed remove this particular virus. Beware, however, it is *very* dangerous to use it as a generic MBR virus removal. When used on hard disks infected with some MBR viruses, it can screw them up very badly and leave the disk non-bootable (or even not easily accessible when booting from another disk).

    Patrick Evans: Vista isn't running the virus - the latter runs *before* the OS loads. And, as suc and others noted, the virus STOPS WORKING (i.e., can no longer infect) once Vista is loaded and running.

    Leo Davidson: Good question. In fact, a laptop running Linux (or any other IBM PC compatible machine no matter what OS it runs) could have been *infected* by this virus too. But on modern OSes like Linux, WinXP, Vista, etc., the virus stops working once the OS loads.

    Simon: Vista (or Linux or whatever) cannot "block" the installation of the virus as a matter of principle - because at the time when the virus infects the hard disk, the OS isn't yet loaded and isn't running, so it (the OS) can't do a thing about the installation of the virus.

    A more interesting question is why Vista doesn't *warn* that the MBR has changed. Older Windows versions used to do so.

    Jason Haas: No, MacOS viruses like nVIR or INIT-29 no longer work under OS X.

    Bronek Kozicki: They were sold by Aldi, ferkrissake! This is a discount GROCERY STORE! I wouldn't be surprised if even the tomatoes there have viruses, let alone the notebooks. :-)

    Regards,

    Vesselin

  22. Dennis

    Windows for Workgroups

    Windows for Workgroups. Ah, those were the days.

    I remember asking my French flatmate, "Do you know Word for Windows?"

    He said, "Yes, fenetre."

    Time to go home.

  23. amanfromMars

    The Chip is A.N.Other Computer ..... 4Controls2?

    "Vista doesn't run the virus, but the virus does run Vista."

    The CPU runs Vista, so does Memory boot the Chip with MetaData to Play with/ReArrange.

  24. Morely Dotes

    Professional Courtesy in Action

    "Vista doesn't run the virus, but the virus does run Vista."

    One bit of malicious software launching another - it warms the heart!

  25. Anonymous Coward

    Professional Courtesy in Action

    Proof MS Writes all the Malware to make more sales!

    I see the plan now.... Mwahahahah

    I'll get my (lab)coat...

  26. Brandon Paddock

    Nothing to do with Vista...

    The "virus" in question is essentially a separate OS of its own. It is booted by the BIOS completely independently of the OS. The exact same thing could happen to a machine with Linux on it. Maybe even an Intel Mac.

    In fact, Vista is probably the *only* OS that's "immune" if you use BitLocker. Good luck getting the virus to have an effect on a BitLocker system.

    You see, this "virus" isn't really a virus at all. It's a bootable application that moves unprotected data on the hard disk. It doesn't do anything malicious or damaging. It's only a "virus" in that it would infect itself onto floppy disks and then spread to other machines when someone tried to boot to one of them.

    Now, if you showed that the virus actually ran under Vista and infected new floppy disks - that would be a different story. However, I seriously doubt that's the case. Even then, though - Vista is certainly vulnerable to viruses that existed before it did. That's not Vista's fault - its job isn't to be an anti-virus system. Vista blocks attack vectors, so that viruses are prevented from getting on your system. It does a better job of that than any other OS available today. But in this case, the virus has nothing to do with Vista. Its code was run before Windows had started - before the hard drive containing the OS had even been accessed by the machine.

    The article should reflect that. Or at least, it would if it were written by a reputable source.

  27. Pooper Scooper

    @Dr. Vesselin Bontchev

    Vista may not have noticed that the MBR was changed if the machine had the boot sector virus before Vista was even installed in the first place. I know that Vista writes its own MBR entry, but the virus seems to change the location of the MBR, letting an OS write its entry there in the wrong place.

    To Vista there may not have been any changes to detect.

  28. Stan

    lol :)

    Someone must have done this for a laugh and to poke a few digs at 'the most secure Windows ever'. And I nearly pi$$ed myself at the 'backward compatibility' post :)

    As to BitLocker, or SELinux for that matter, it wouldn't make any difference. The MBR is still needed to 'see' what to do with the disk. Not sure about the on-board encryption some motherboards use though.

    cheers

  29. Antoinette Lacroix

    You're right

    This thing hasn't got anything to do with the OS, and is far less dramatic than it seems. It doesn't do any 'real' damage. Reinstalling the boot manager does the trick on any *nix.

    I don't know much about Vista, but XP can be fixed with a "fixboot" followed by "fixmbr" from the repair console.

  30. Steve Coffman

    Anti-Virus software

    I don't really think you can blame either Vista or Bullguard on this one... a lot of anti-virus programs no longer scan for boot sector/MBR viruses unless specifically configured to do so, or you manually do a "full system scan" and include the boot sector. This is because boot sector viruses are pretty uncommon anymore, and usually, due to the restrictions of space, they were pretty limited in what they could do originally. Even if you had an infected boot sector, it would be highly unlikely they would be able to do much in Windows itself, because most of them were designed to work within DOS... and if they did attempt to make modifications within Windows, the "real time scanning" of most modern AV software would pick it up and/or data execution prevention would stop it... which is why we really haven't seen any major issues with boot sector viruses in years...

  31. Anonymous Coward

    malware

    A virus is not malware.

  32. Anonymous Coward

    @@Vladimir Plouzhnikov

    Maybe he means DR-DOS? Those go all the way up to 8.05.

    Oh, great. Now I'm thinking twice about whether to pull out those old floppies containing Karateka my mom took home from work some two decades ago and feeding it to my newly rebuilt P166 with a 5.25" floppy drive (and is plugged in to my home network). Now that I remember it, her office had a Denzuko outbreak when she brought those disks home...

    Then again, I never had any luck with that stupid gate that falls down onto you every time you try to cross it, and as of late I feel like trying to break through.

  33. Anonymous Coward

    Karateka

    Kick the gate when you're just in front of it, it'll drop, then run through it...

  34. Anonymous Coward

    @ Brandon Paddock

    "The 'virus' in question is essentially a separate OS of its own. It is booted by the BIOS completely independently of the OS. The exact same thing could happen to a machine with Linux on it. Maybe even an Intel Mac."

    Probably not possible on an Intel Mac as they run EFI, not BIOS (though EFI is technically an extended version of BIOS). Even the old(er) PPC Macs were using Open Firmware, not BIOS (an extension of BIOS as well?). I'm guessing not all types/versions of BIOS are susceptible though, so it's really not even a matter of PC/Mac, nor a matter of MS/Apple/*nix.

  35. Robin Traylor

    huh?

    What's this got to do with Vista?

  36. Vladimir Plouzhnikov

    DOS

    @Dr. Vesselin Bontchev

    Aha, so they still had the floppy drive in those Vista-ready machines! They must know something about Vista we don't...

    @anonymous re: DOS 8 - You're right - I've just checked my DOS bootable floppy disk and it says 6.22 on it. DOS 8 was probably part of Windows 98 or ME. I used NDOS 8 as a command processor, hence the confusion...

  37. Geoff Mackenzie

    @ Brandon Paddock

    Actually, I wouldn't assume Linux boxes are susceptible... I haven't checked, so it's possible I'm wrong and they are, but I have a sneaking suspicion that the machine would be rendered unbootable by the infection. Well, the virus would boot and run, but I have my doubts it would have handled relocating the real boot record properly.

    Having said that, I could be wrong; enough of that stuff is 'standard' (being influenced more by the way the BIOS works and the hard drive is partitioned at a very low level common to every OS for PCs than by the filesystem or specific bootloader). So I guess it depends.

    Oh, and the last 'proper' version of MS-DOS was 6.22, not 6.2.2. I know I'm kind of splitting hairs but I can't help myself. 7.0 was, if I remember correctly, the marginally castrated DOS under Win95, although I suppose you could still credit it with being a real DOS since you could still SYS a floppy if I remember correctly; they were just trying to pretend Windows 95 was a real OS, nothing at all like the mere GUI shell that 3.11 was. Not sure about 8.0; did they use that as the version number reported by the DOS shell on Windows 98? I don't recall ever checking.

  38. Anteaus

    When will MS _learn_ about the dangers...

    .....of anything at all which AutoRuns from an inserted disk?

    This should hopefully ram home the fact that any OS which automatically runs (or offers to run) any software found on an inserted CD or memory-stick is simply begging for a Take Two of the old "Brain/Stoned" class of exploit.

    In fact an exploit of this kind would be far more infectious, since it wouldn't even be necessary to reboot the computer with the disk left in.

  39. Dr. Vesselin Bontchev

    More misc stuff

    Brandon Paddock: "In fact, Vista is probably the *only* OS that's "immune" if you use BitLocker." No, it is not. At best, BitLocker encrypts only the OS partition and would have no effect whatsoever on the infectability of the disk. At worst, BitLocker encrypts the whole disk and infecting it would have messed it up. But it wouldn't have *prevented* the infection in either case.

    Pooper Scooper: Good point; maybe the disk was indeed infected before Vista was installed on it. Vista writes a partition table entry in the MBR - but it doesn't overwrite the whole MBR, so its installation wouldn't have removed the virus. This virus doesn't "change the location of the MBR". It saves a copy of the original MBR in another (unused) sector and overwrites the *program* part of the MBR with its code, leaving the data (i.e., the partition table) intact.

    Steve Coffman: "Even if you had an infected boot sector, it would be highly unlikely they would be able to do much in Windows itself". True for this particular virus, false in general. If the virus is like Michelangelo - an MBR infector with a destructive payload that can trigger at boot time - it would have destroyed the contents of the infected disk (well, a large part of it, anyway) when it triggered - and trigger it would have, if the computer was booted on the trigger date.

    malware: You are wrong - viruses *are* malware. The term "malware" means "malicious software" and includes all malicious programs of any kind - viruses, worms, Trojan horses, password stealers, adware, spyware, and so on.

    Vladimir Plouzhnikov: A floppy disk drive is also used to transfer files from one computer to another - not just for booting the computer.

    Geoff Mackenzie: "I wouldn't assume Linux boxes are susceptible". And you would be wrong. They *are* infectable by boot sector and master boot sector viruses. Of course, once the OS loads, the virus stops running.

    "the machine would be rendered unbootable by the infection". No, it wouldn't be.

    "I have my doubts it would have handled relocating the real boot record properly". It would have. Trust me, I know.

    Anteaus: "This should hopefully ram home the fact that any OS which automatically runs (or offers to run) any software found on an inserted CD or memory-stick is simply begging for a Take Two of the old "Brain/Stoned" class of exploit." While having the OS run automatically stuff from mounted disks is indeed a bad idea (which, BTW, Macs do too), it has absolutely nothing to do with boot sector viruses like Brain or Stoned. As others have said multiple times, these viruses run and infect *before* the OS has had the chance to load, so blaming the OS for failing to prevent the infection is simply stupid and ignorant.

    Regards,

    Vesselin
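The MBR layout Vesselin describes above (the program part that an MBR infector overwrites, followed by the partition table it leaves intact) and the "warn that the MBR has changed" check from his earlier post, as an added example that is not code from the article or from any poster: a Python checker that hashes the 446-byte bootstrap region against a known-good baseline and parses the 64-byte partition table, so an integrity monitor can tell "bootcode changed, table untouched" from "whole sector corrupted". The sample MBR bytes and partition values are constructed here, not captured from a real disk.

```python
"""MBR integrity check: parse a 512-byte master boot record, confirm the boot
signature, extract the partition table and flag bootstrap-code changes.
Added example for this thread; not the article's or any poster's code.
The sample MBR images below are constructed, not captured from real disks."""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446          # bytes 0..445: bootstrap program (what an MBR infector overwrites)
PTABLE_OFF = 446            # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"     # bytes 510..511: boot signature


def parse_partitions(mbr):
    """Return the four partition table entries as dicts (empty entries included)."""
    entries = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootcode_hash(mbr):
    """SHA-256 of the bootstrap region only; the partition table is excluded."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash):
    """Compare an MBR against a known-good bootcode hash.
    A Stoned-style infection changes the bootcode but leaves the table alone."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    return {
        "valid_signature": mbr[510:512] == SIGNATURE,
        "bootcode_changed": bootcode_hash(mbr) != baseline_hash,
        "partitions": parse_partitions(mbr),
    }


def build_sample_mbr(bootcode):
    """Constructed sample: given bootcode plus one bootable NTFS partition at LBA 2048."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return bootcode.ljust(BOOTCODE_LEN, b"\x00") + table + SIGNATURE


CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"constructed clean loader")
BASELINE = bootcode_hash(CLEAN_MBR)  # what an integrity monitor would record at install time
# Same partition table, different bootcode: the footprint an MBR infector leaves.
MODIFIED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"constructed other loader")

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("modified", MODIFIED_MBR)):
        result = check_mbr(image, BASELINE)
        print(name, "signature ok:", result["valid_signature"],
              "bootcode changed:", result["bootcode_changed"],
              "first partition:", result["partitions"][0])
```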
