Yet another boot sector virus has joined the ranks of 'infectors at large': Angelina has become established in the wild, both in the UK and worldwide. In fact, the majority of viruses found in the wild are boot sector viruses: the most common method of transmission is by booting from an infected floppy which is not scanned before being used.
Apart from its one distinguishing characteristic (i.e. being in the wild), this virus is a completely unremarkable creature containing the usual childish style of message, which is feebly encoded and never displayed:
Greetings for ANGELINA!!!/ by Garfield/ Zielona Gora
The last line of this message also appears in the file virus Reverse. 'Zielona Gora', the name of a town in Poland, is Polish for 'Green Hill'.
When an infected floppy or hard disk is booted, the virus lowers the available memory by 1 Kilobyte, by altering the value at memory location 0000:0413h in the ROM BIOS data area. It then copies itself to this reserved area.
Next, Angelina stores the address of the original Int 13h handler in the same area where the copy of the virus code is located. The Int 13h entry in the Interrupt Vector Table is then modified to point to a new handler within the reserved area. Finally, the virus issues an Int 19h call (soft reboot), re-starting the boot procedure, but this time using the new Int 13h handler.
From now on, whenever an attempt is made to read sector 1, side 0, cylinder 0 of a disk (which is the boot sector for diskettes, and the Master Boot Sector of a hard disk) the read is intercepted. All other reads and Int 13h functions are passed straight to the original Int 13h handler.
Once this attempt to read the boot sector is intercepted, the virus reads the sector using the original Int 13h and checks to see whether or not it is infected, by comparing the word at offset 00F0h with C681h. If the disk is not infected, the virus will infect it.
In the case of a floppy disk, the original boot sector is copied to the last sector of the root directory. On a hard disk, the original Master Boot Sector is copied to sector 2, side 0, cylinder 0, making use of what would otherwise be 'dead' space in that area. However, if the disk is already infected, the read will be stealthed, and pointed to the copy of the original sector.
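The self-check and relocation described above can be turned around for triage of a raw disk image. This is an added example, not code from the original article: `examine`, `build_sample`, the floppy layout parameters and the sample images are constructed for illustration, and the FAT12 arithmetic for the diskette case goes beyond what the text spells out.

```python
import struct

SECTOR = 512
MARKER_OFFSET = 0x00F0  # offset the article says the virus checks
MARKER_WORD = 0xC681    # word value the article says marks an infected sector

def has_marker(sector: bytes) -> bool:
    """Repeat the virus's own self-check: word at 00F0h == C681h (little-endian)."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    return struct.unpack_from("<H", sector, MARKER_OFFSET)[0] == MARKER_WORD

def root_dir_last_lba(reserved: int, fats: int, sectors_per_fat: int, root_entries: int) -> int:
    """LBA of the last root-directory sector of a FAT12 diskette (32-byte entries)."""
    root_sectors = (root_entries * 32 + SECTOR - 1) // SECTOR
    return reserved + fats * sectors_per_fat + root_sectors - 1

def examine(image: bytes, floppy_layout=None) -> dict:
    """Check sector 0 of a raw image and locate the relocated original sector.

    floppy_layout=None means a hard disk image; otherwise pass the diskette's
    (reserved, fats, sectors_per_fat, root_entries), an assumption of this example.
    """
    if not has_marker(image[:SECTOR]):
        return {"marked": False, "original_lba": None, "original_ok": None}
    # Hard disk: sector 2, side 0, cylinder 0 is LBA 1 (CHS sectors count from 1).
    lba = 1 if floppy_layout is None else root_dir_last_lba(*floppy_layout)
    saved = image[lba * SECTOR:(lba + 1) * SECTOR]
    # A genuine boot sector or MBR ends with the 55 AA signature.
    ok = len(saved) == SECTOR and saved[510:512] == b"\x55\xaa"
    return {"marked": True, "original_lba": lba, "original_ok": ok}

def build_sample(total_sectors: int, saved_lba: int, marked: bool = True) -> bytes:
    """Constructed test image: marker word in sector 0, dummy original at saved_lba."""
    img = bytearray(total_sectors * SECTOR)
    img[510:512] = b"\x55\xaa"
    if marked:
        struct.pack_into("<H", img, MARKER_OFFSET, MARKER_WORD)
        img[saved_lba * SECTOR + 510:saved_lba * SECTOR + 512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    print(examine(build_sample(64, 1)))                     # hard disk image
    print(examine(build_sample(2880, 32), (1, 2, 9, 224)))  # 1.44 MB diskette
    print(examine(build_sample(64, 1, marked=False)))       # clean image
```

The image must be taken after booting from known-clean media, since a resident copy redirects reads of the boot sector to the saved original. The marker word alone only shows that the virus would treat the disk as already infected, so a match is a reason to inspect the sector further.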
Angelina has no noteworthy features. It exists only to propagate, and is little more than another pointless 'wannabe' effort.
Although this virus does not carry a destructive payload, there are boot sector viruses in the wild which do. The importance of checking incoming diskettes for viruses cannot be overstressed: the few seconds spent scanning a disk may mean the difference between a fully operational PC and a minor catastrophe, or something worse.
Virus Bulletin: Stoned.Angelina / webmaster@virusbtn.com | © 1998 Virus Bulletin Ltd.