From karyn Thu Aug 1 14:16:36 1991
Return-Path:
Received: by (4.1/SMI-4.1) id AA00450; Thu, 1 Aug 91 14:12:47 PDT
From: karyn (Karyn Pichnarczyk)
Message-Id: <9108012112.AA00450@>
Subject: CIAC Bulletin B-35: Brunswick Virus on MS DOS Computers
To: external
Date: Thu, 1 Aug 91 14:12:47 PDT
Cc: ciac, karyn (Karyn Pichnarczyk)
X-Mailer: ELM [version 2.3 PL0]
Status: RO

_____________________________________________________
          The Computer Incident Advisory Capability
                            CIAC
_____________________________________________________

                      Information Bulletin

               Brunswick Virus on MS DOS Computers

August 1, 1991, 1430 PDT                                   Number B-35
_________________________________________________________________________

Name:              Brunswick virus
Aliases:           Brunswick, 910129
Types:             Two known variants
Platform:          MS-DOS computers
Damage:            May overwrite Master Boot Record
Symptoms:          Not apparent until the attack phase, when the Master
                   Boot Record is destroyed and the disk will not boot
First Discovered:  January 1991
Detection:         VIRHUNT v. 1.3D-1, VIRSCAN v.2.0.2 and others
                   (contact CIAC for information about these products)
Eradication:       VIRHUNT v. 1.3D-1, VIRSCAN v.2.0.2 and others
_________________________________________________________________________

Critical Brunswick Virus Facts

The Brunswick virus infects the boot sector/master boot record of hard
disks and of floppies in drives A: and B: only. Once resident, this virus
covertly infects all floppies and hard disks it contacts. An infected
machine does not display any obvious indications of infection; therefore
it can be very difficult to determine whether your system is infected
until the attack phase commences.

Brunswick usually enters a machine through the boot-up of an infected
floppy. (This entry method is similar to that employed by the "Stoned"
virus described in CIAC Advisory A-28.) The virus immediately infects the
Master Boot Record through Interrupt 13.
Thereafter, all disks placed in floppy drive A: or B: will become infected
until the machine is re-booted from a clean disk.

Infection occurs differently for hard disks and floppies. On hard disks,
the original boot record is moved to Cylinder 0, Sector 16, Head 0. On
floppies, the original boot record is relocated to Cylinder 0, Sector 3,
Head 1. If a hard disk was last partitioned under DOS 2.0, the virus will
overwrite portions of the File Allocation Table. The virus contains logic
to prevent re-infection of disks, and code to save the BIOS Parameter
Block so that 3.5 inch 1.44 MB floppies remain readable after infection
(unlike "Stoned").

The Brunswick virus mechanics are fairly straightforward. It retains a
generation counter which is decremented within each new infection. Upon
boot-up, the virus compares this counter to an internal constant. If the
counter is larger than the constant, no action is taken; otherwise the
virus destroys the master boot record by overwriting it with random
characters. This generation counter is never changed within a particular
infection; therefore, if an infection and a successful boot-up have
occurred, that particular infection will NEVER destroy the Master Boot
Record (although further infections will still take place).

Newer versions of the anti-viral products mentioned above will detect the
virus. An unauthorized write attempt to a write-protected floppy is
another indication that this virus may be resident.

Removal is a simple process of running any of the previously mentioned
virus removal utilities. If none of these are available, contact CIAC to
obtain manual removal instructions.

Infections can be easily prevented by adopting sound protection
procedures, such as write-protecting all floppies and checking all
diskettes before use with a trusted scanning utility. Also, always open
the floppy door before booting a PC, because booting with an infected
NON-BOOTABLE floppy WILL CAUSE INFECTION of the hard disk.
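The relocation of the original boot record described above gives an incident responder a forensic check on a disk image: a signed boot record sitting in the relocation slot that differs from sector 0 is what an infected disk looks like. The following is an added example, not a CIAC tool or code from the bulletin; the cylinder/head/sector slots are the bulletin's, while the drive geometries (heads and sectors per track) and the sample images are constructed assumptions.

```python
SECTOR = 512
BOOT_SIG = b"\x55\xAA"

# Relocation slots named in the bulletin, as (cylinder, head, sector).
RELOCATED = {"hard": (0, 0, 16), "floppy": (0, 1, 3)}
# Assumed geometries as (heads, sectors per track): a 1.44 MB floppy is
# 2 x 18; the hard-disk figure is a placeholder for an early-1990s drive.
GEOMETRY = {"hard": (4, 17), "floppy": (2, 18)}


def chs_to_lba(cyl, head, sector, heads, spt):
    """Standard CHS to LBA conversion (sector numbers are 1-based)."""
    return (cyl * heads + head) * spt + (sector - 1)


def make_boot_sector(tag):
    """Constructed boot sector: an ASCII tag, zero fill, 0x55AA signature."""
    return tag.ljust(SECTOR - 2, b"\x00") + BOOT_SIG


def build_image(kind, relocated):
    """Constructed disk image covering sector 0 up to the relocation slot.
    relocated=True mimics the layout the bulletin describes: the original
    boot record sits in the relocation slot and sector 0 holds other code."""
    lba = chs_to_lba(*RELOCATED[kind], *GEOMETRY[kind])
    sectors = [bytes(SECTOR)] * (lba + 1)
    original = make_boot_sector(b"ORIGINAL-BOOT-RECORD")
    if relocated:
        sectors[0] = make_boot_sector(b"SOMETHING-ELSE")
        sectors[lba] = original
    else:
        sectors[0] = original
    return b"".join(sectors)


def check_image(image, kind):
    """Heuristic: a signed boot record in the relocation slot that differs
    from sector 0 matches the post-infection layout the bulletin gives."""
    lba = chs_to_lba(*RELOCATED[kind], *GEOMETRY[kind])
    sector0 = image[:SECTOR]
    slot = image[lba * SECTOR:(lba + 1) * SECTOR]
    slot_signed = len(slot) == SECTOR and slot.endswith(BOOT_SIG)
    return {"slot_lba": lba,
            "slot_has_boot_record": slot_signed,
            "suspicious": slot_signed and slot != sector0}
```

A hit is a hint rather than proof (on a standard floppy the slot lies in the root directory area and could end in 0x55AA by chance), so confirm with one of the scanners the bulletin names before cleaning.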
For additional information or assistance, please contact CIAC:

    Karyn Pichnarczyk
    (415) 422-1779 or (FTS) 532-1779
    karyn@cheetah.llnl.gov

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193, or
send e-mail to ciac@llnl.gov. Send FAX messages to (415) 423-8002 or
(FTS) 543-8002.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government nor
the University of California nor any of their employees makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents that
its use would not infringe privately owned rights. Reference herein to any
specific commercial product, process, or service by trade name, trademark,
manufacturer, or otherwise does not necessarily constitute or imply its
endorsement, recommendation, or favoring by the United States Government
or the University of California. The views and opinions of authors
expressed herein do not necessarily state or reflect those of the United
States Government or the University of California, and shall not be used
for advertising or product endorsement purposes.