┌─────────────────────────────┐
│        VIRUS REPORT         │
│         Disk Killer         │
└─────────────────────────────┘

Synonyms: Ogre, Disk Ogre, Computer Ogre.

Date of Origin: Spring, 1989.

Host Machine: PC compatibles.

Host Files: Remains resident. Infects both floppy and hard disk boot sectors.

Increase in Size of Infected Files: n/a.

Nature of Damage: Corrupts or overwrites boot sector. Affects system run-time operation. Corrupts program or overlay files. Corrupts data files. Formats or erases all/part of disk.

Detected by: Scanv39+, F-Prot, IBM Scan, Pro-Scan.

Removed by: MDISK, CleanUp, F-Prot, or DOS COPY and SYS commands.

The Disk Killer is a boot sector virus that infects both hard disks and floppies. The first organization to report this virus was Birchwood Systems in San Jose in early Summer, 1989. Additional reports were received from Washington, Oklahoma, Minnesota and Arizona. It was finally isolated at Wedge Systems in Milpitas, California, on September 26, 1989.

The virus spreads by writing copies of itself to three unused clusters on either a floppy or hard disk, marking them as "bad" in the FAT so that DOS will not overwrite them. The boot sector is modified to execute the virus code during the boot, which lets it infect any new disks exposed to the system. The virus counts the number of disks it has infected and does no harm until it has reached a predetermined limit. When the limit is reached or exceeded and the system is rebooted, this message is displayed:

"Disk Killer <197> Version 1.00 by COMPUTER OGRE. Don't turn off the power or remove the diskettes while Disk Killer is processing! ... PROCESSING ... Now you can turn off the power. I wish you luck."

During "processing", it writes clusters of a single character randomly all over the disk, effectively trashing it.
Note that the virus destroys the boot sector, FATs and root directory first, so if the system is powered off immediately when the message is displayed, it may be possible to salvage some files from the disk with various utility programs.

The internal messages do not appear in sector zero; they are stored in sector 152 on floppy disks and at an as yet undetermined location on hard disks. This has added to the confusion over the virus, because message remnants were sometimes discovered in the middle of executable files, and it was assumed that the virus was a COM or EXE infector.

If your boot sector does not contain the standard DOS error messages, immediately power down and clean out the boot sector. Infected boot sectors begin with the bytes FA EB. You can inspect boot sectors with a tool such as Norton's NU. If the DOS messages (e.g. "Non-System disk") are not there, the system is infected. MDISK will remove the virus.

Disk Killer can be removed by using MDisk, or the DOS SYS command, to overwrite the boot sector on your hard disk or bootable floppies. On non-system floppies, copy the files to non-infected floppies and then reformat the infected floppies. Be sure to turn the system off, then reboot from a write-protected master diskette before attempting to remove the virus, or the copy of the virus still in memory will reinfect the disk.

╔══════════════════════════════════════════════════════════════════╗
║ This document was adapted from the book "Computer Viruses",      ║
║ which is copyright and distributed by the National Computer      ║
║ Security Association. It contains information compiled from      ║
║ many sources. To the best of our knowledge, all information      ║
║ presented here is accurate.                                      ║
║                                                                  ║
║ Please send any updates or corrections to the NCSA, Suite 309,   ║
║ 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS ║
║ and upload the information: (202) 364-1304. Or call us voice at  ║
║ (202) 364-8252. This version was produced May 22, 1990.          ║
║                                                                  ║
║ The NCSA is a non-profit organization dedicated to improving     ║
║ computer security. Membership in the association is just $45 per ║
║ year. Copies of the book "Computer Viruses", which provides      ║
║ detailed information on over 145 viruses, can be obtained from   ║
║ the NCSA. Member price: $44; non-member price: $55.              ║
║                                                                  ║
║ The document is copyright (c) 1990 NCSA.                         ║
║                                                                  ║
║ This document may be distributed in any format, providing        ║
║ this message is not removed or altered.                          ║
╚══════════════════════════════════════════════════════════════════╝

Downloaded From P-80 International Information Systems 304-744-2253
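The report gives two indicators a defender can check for without a signature scanner: a boot sector that begins with FA EB and lacks the standard DOS error messages, and clusters marked "bad" in the FAT to hide the virus body. The following script is an added example, not part of the NCSA report or of any of the tools it names. It reads a raw 512-byte sector image and a FAT12 table; the sample sector images and FAT table are constructed here for illustration, and the DOS message strings and FAT12 entry layout are standard DOS details rather than text from the report.

```python
"""Defender-side checks for the Disk Killer indicators named in the report.

Added example, not part of the NCSA document. The sample boot sectors and
FAT12 table are constructed; the indicators (FA EB prefix, missing DOS
boot messages, clusters marked bad) are the ones the report describes.
Run against a raw 512-byte sector image saved from a disk editor.
"""

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"

# Per the report, infected boot sectors begin with FA EB (x86 CLI; JMP SHORT).
DISK_KILLER_PREFIX = b"\xfa\xeb"

# Fragments of the standard DOS boot error messages (matched case-insensitively).
DOS_BOOT_MESSAGES = (b"non-system disk", b"disk error", b"replace and press")

FAT12_BAD_CLUSTER = 0xFF7


def check_boot_sector(sector: bytes) -> list:
    """Return the Disk Killer indicators found in a boot sector image.

    An empty list means none of the report's indicators is present.
    """
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append("unexpected sector length %d" % len(sector))
    if sector[:2] == DISK_KILLER_PREFIX:
        findings.append("sector begins with FA EB (Disk Killer signature)")
    lowered = sector.lower()
    if not any(msg in lowered for msg in DOS_BOOT_MESSAGES):
        findings.append("standard DOS boot error messages are missing")
    if sector[-2:] != BOOT_SIGNATURE:
        findings.append("boot signature 55 AA missing")
    return findings


def fat12_entries(fat: bytes, count: int) -> list:
    """Decode the first `count` 12-bit entries of a FAT12 table.

    Entry n starts at byte offset n*3//2; even entries use the low 12 bits of
    the little-endian word there, odd entries the high 12 bits.
    """
    values = []
    for n in range(count):
        off = n * 3 // 2
        word = fat[off] | (fat[off + 1] << 8)
        values.append(word >> 4 if n & 1 else word & 0x0FFF)
    return values


def bad_clusters(fat: bytes, count: int) -> list:
    """Cluster numbers marked bad in a FAT12 table (entries 0 and 1 are reserved).

    Disk Killer hides its body in three clusters it marks bad; a disk whose
    only "bad" clusters are three that never showed a surface error is worth
    inspecting with a sector editor.
    """
    return [n for n, v in enumerate(fat12_entries(fat, count))
            if n >= 2 and v == FAT12_BAD_CLUSTER]


# ---- constructed samples ---------------------------------------------------

def make_sector(prefix: bytes, text: bytes) -> bytes:
    """Build a 512-byte sector image: code prefix, message text, zero fill, 55 AA."""
    body = (prefix + text).ljust(SECTOR_SIZE - 2, b"\x00")
    return body + BOOT_SIGNATURE


def make_fat12(values: list) -> bytes:
    """Pack 12-bit values into FAT12 byte layout (inverse of fat12_entries)."""
    buf = bytearray(len(values) * 3 // 2 + 2)
    for n, v in enumerate(values):
        off = n * 3 // 2
        if n & 1:
            buf[off] = (buf[off] & 0x0F) | ((v << 4) & 0xF0)
            buf[off + 1] = (v >> 4) & 0xFF
        else:
            buf[off] = v & 0xFF
            buf[off + 1] = (buf[off + 1] & 0xF0) | ((v >> 8) & 0x0F)
    return bytes(buf)


# Clean DOS-style sector: JMP SHORT + NOP, OEM name, the usual error text.
CLEAN_SECTOR = make_sector(
    b"\xeb\x3c\x90MSDOS5.0",
    b"Non-System disk or disk error\r\nReplace and press any key when ready\r\n")

# Sector shaped like the report's description: FA EB prefix, no DOS messages.
SUSPECT_SECTOR = make_sector(b"\xfa\xeb\x2a", b"\x90" * 32)

# FAT12 with media descriptor, EOC marker, one short chain, three bad clusters.
SAMPLE_FAT = make_fat12([0xFF0, 0xFFF, 0x003, 0xFFF, 0xFF7, 0xFF7, 0xFF7, 0x000])


if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("suspect", SUSPECT_SECTOR)):
        print(name, check_boot_sector(sec) or ["no indicators"])
    print("bad clusters:", bad_clusters(SAMPLE_FAT, 8))
```

The boot-sector check is deliberately a pair of weak heuristics combined: a sector that starts with FA EB but still carries the DOS messages, or one that lacks the messages but starts with the usual JMP SHORT, each gets a single finding, and only the combination matches what the report describes. The FAT check is a prompt to look, not a verdict: three bad clusters are normal on a disk that really has surface errors, so confirm by reading those clusters with a sector editor before acting on it.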