Boot Sector Virus Shipped on German Laptops

Juha-Matti Laurio writes "A consignment of laptops from German manufacturer Medion, sold through German and Danish branches of giant retail chain Aldi, have been found to be infected with the boot sector virus 'Stoned.Angelina', first seen as long ago as 1994. The affected notebook models (German language) Medion MD 96290 have been pre-installed with Windows Vista Home Premium and Bullguard anti-virus, which reportedly is unable to remove it. A special removal tool was released to clean the laptops. Aldi has shared the same warning as well. Two years ago several thousands of Creative Zen Neeon MP3 players were shipped with a Windows worm Wullik.B."

Not jut Creative...

[wal9001]

Apple did it too, remember? Cue people whining about how the fanbois ignore Apple's flaws so that they can pretend Creative is satan in 3.... 2.... 1....

Re:Not jut Creative...

[recoiledsnake]

I think this is a common experience, because of quality control issues and manufacturing being outsourced to contractors. Here Apple talking about iPods shipping with a Windows Virus on it... straight from Apple's site. Click here . Apparently, a contractor was to blame.

Re:Not jut Creative...

[empaler]

I think this is a common experience, because of quality control issues and manufacturing being outsourced to contractors. Here Apple talking about iPods shipping with a Windows Virus on it... straight from Apple's site. Click here . Apparently, a contractor was to blame. Apparently, Apple was to blame. I don't really care about whether or not it's an inhouse or an outsourced screwup, when I purchase Apple gear, they've branded the item as theirs. The only exemption from this is if some computer store that sells the iPods has the added service to update the official firmware before selling the ipods as an added service to the customers, and the computer they then hook the iPod up to infects the iPod.

Now that's what I call....

[gandhi_2]

...cutting out the middleman!

Re:Now that's what I call....

funny windoze problems. Serves those blokheads right.

stoned.angelina

[Walzmyn]

stoned.angelina is a nasty virus too. If your computer is infected it will download other child viruses with weird names from third world countries.

Re:stoned.angelina

[arivanov]

Provided that it does not download the aforementioned third world country security service to beat you up and stuff your new digital camera up your arse that can probably be tolerated..

hah

hahah :)
Cant even clean up with their own AV.. Sucks to be them..

Fix in O(1)-time

[Algorithmnast]

Alright, I'll be the first to say it: I can remove any Windows boot sector virus by just installing Linux on it.

It did seem obligatory....

Re:Fix in O(1)-time

[ettlz]

You need to install a bootloader as well. In fact, just a bootloader should do the trick.

Re:Fix in O(1)-time

[sumdumass]

Not necessarily. It would really depend on what kind of boot sector virus it would be and what specifically it does. You could end up with not being able to see or access any of your partitions or the boot loader could just be loaded on top of a bios overlay that is the boot virus(ie, nothing at all would happen to the virus).

A lot of times the boot sector virus will move the boot sector to another part of the disk and relay the content to itself. It can also mark sectors as bad and thereby hiding it's content. When you install a boot loader, it will actually install to the moved version of the boot sector. I have seen in the past, and I don't remember which one, but a normal Format would erase the portion of the boot sector hiding the code and it would execute again. You would need to boot in a way that the disk wasn't accessed until after you loaded tools to specifically deal with them. Usually an Fdisk/mbr with a regular Fdkisk to rebuild the partitions and then another /mbr to sabotage any chances of left over code being executed. Then a format to the partition and a new OS install. There are tools to redo the disk partitions and format under linux too.

This whole process got more complicated with the logical block addressing and a write cache. The main board is now expecting the drives to represent something different then they actually read in order to maintain compatibility. With a LBA drive, you aren't actually accessing the drive in itself but asking it to access it. It is possible to have the code you are attempting to remove be accessed and running before your tools actually write over it and remove it. Of course once the boot process (boot to floppy/cd) is over, the underlying OS isn't really susceptible to executing the code as it is in the original Bios boot process. But nothing is there to ensure it won't happen. Some of the bad blocks that could be hiding code placed outside the boot sector could be accessed and contain something that is executable in the boot environment you are using.

In all, it is difficult to remove a boot sector virus and retain any information on the disk. What I wrote is a little bit dumbed down of the actual processes that can happen. I have seen claims of boot virus being able to do things even more elaborate but don't know of any in actual existence. I guess I am amazed that in this late in the game, they are still a problem. Almost every anti-virus app should be able to detect and at least disable them. A simple scan of an image waiting to be burned to a hard drive should catch any nasty unwanted things before going into production. Maybe they cannot scan the images now?

Re:Fix in O(1)-time

[genmax]

So here's the deal - if you boot off a disk other than the infected one (say an installation CD) and can still read the infected drive (mount it, etc)- then (re-)installing a bootloader should get rid of the virus.

Your boot sector (MBR) has a data section that stores the partition table/drive information for that hard drive/disk and a code section that contains the actual boot loader. A virus could either overwrite only the code section - in which case your data is still readable and the virus can simply be removed by the above method - or it could overwrite the whole sector (this is pretty rare) in which case your disk is only readable when you boot off it (and the virus hijacks the bios disk read/write interrupt and redirects reads to the boot sector).

Doing a bootloader install after you boot off an infected disk is, of course, pointless!

Re:Fix in O(1)-time

[sumdumass]

It really depends. If the boot virus moves the boot code then all you are doing is installing a boot loader. The boot loader installation doesn't go directly for the first sector of the drive as you would believe. It would tell the drive to place it in the boot sector but if the partition mapping has moved it, then it would be the wrong section.

What could happen is that the Jump sequence that moves the drive to executable portion of the MBR which doesn't have to be in the MBR could be over written and placed onto another portion of the drive. Then when you install the boot loader, you would be installing to the new executable section of the drive. If the boot loader didn't replace the bios parameter block, the virus could still run. Now if the boot loader does replace the PBP, then the partition and format information may not be accessible. And once you locate it and change the location, you could still be executing the virus.

Your boot sector is actually divided into several sections and moreso depending on the platform and OS or partition. Any boot loader that can go on a disk using a bios overlay would just install itself to the overlay. With a boot virus, it's default actions are similar to a bios overlay in which it moves the executable code and replaces it with it's own code in order to get extra features from the bios.

In short, a simple boot loader could render the virus inactive but it won't ensure it is gone or cannot run. It doesn't even ensure the virus would be inactive.

or it could overwrite the whole sector (this is pretty rare) in which case your disk is only readable when you boot off it (and the virus hijacks the bios disk read/write interrupt and redirects reads to the boot sector).

The virus wouldn't have to hijack the entire read write process. The Fat file system which all x86 computers use at the fundamental bios-boot level allows for the execute portions of the boot sector to be moved and different overlays installed. This is how you get a bios overlay to allow an 80 gig drive on a computer that won't hold over 8 gigs. An intelligent boot loader would see this and load in the regular execute portion as represented by the overlay. Once the OS is loaded, the OS accesses the information from the partition and format tables located at the moved places. There isn't a need for a fancy intercept of all the read/write processes like with the old compressed file systems MS used.

Similarly, most boot sector virus move or remove the interrupt 12 return upon execution to allow itself to remain in memory and reinfect even once it was removed from the disk. Installing a boot loader on it's own might not remove the virus or even disable it.

Doing a bootloader install after you boot off an infected disk is, of course, pointless!

Dully noted. I don't think any removal process could be trusted adter botting to an infected disk. But the boot virus are a little more robust then your giving them credit for. It can be very difficult to remove then and often times you lose the partitions with it. You can go back and retrieve the partition information and reset them. But that is typically more advanced then the normal user can accomplish on their own. I like to use Fdisk to back up the partition information before removing the boot virus so I can rebuild the partition and format information onto the new boot sector.

Re:Fix in O(1)-time

[pasamio]

Theres also a program called testdisk that scans the hard drive to recover partition information and rebuild the partition table: http://www.cgsecurity.org/wiki/TestDisk

Backwards Compatibility

I guess this is what Microsoft means by backwards compatibility!

Hmm

[Poromenos1]

It doesn't really seem to do anything.

Ouch

[spikedvodka]

Stupid, Stupid, Stupid, Stupid... and in case i didn't mention STUPID...

What was whoever doing on the base image that caused it to become infected? I build system images, and rule #1: Make sure it works cleanly when you're done.

    Somebody's Head
------------------- = Silver platter

(Silly junk character filter, I can't even ASCII Art a silver platter)

Re:Ouch

installing the backdoor that did not get detected ?

So, is this...

[NorQue]

... a Retro-Virus? ;-)

Re:So, is this...

[ettlz]

Damn, does that mean it has to be run in VM86 mode?

Re:So, is this...

[spiderbitendeath]

No, Vista just makes it feel like it is.

ALDI-Notebook NOT infected...

[Simon+(S2)]

...says ALDI:

Aufgrund vereinzelt anders lautender Pressemitteilungen stellt die MEDION AG klar, dass das ALDI-Notebook nicht mit dem Virus Stoned Angelina ausgeliefert worden ist.

Quick translation: Since there was some Press-noise, MEDION feels the need to say that the ALDI-Notebook is not infected with the Stoned Angelina virus.

Re:ALDI-Notebook NOT infected...

Better translation:

Due to isolated press reports to the contrary, MEDION AG clarifies that the ALDI-Notebook has not been being delivered with the virus Stoned Angelina.

Re:ALDI-Notebook NOT infected...

[empaler]

Still not a chance in hell I'll buy a computer from Aldi.

Re:ALDI-Notebook NOT infected...

Klugscheißer.

Re:ALDI-Notebook NOT infected...

[lordtoran]

Trotzdem ist die Übersetzung sehr viel akkurater. Auch wenn es den englischsprachigen Lesern egal sein dürfte ... dies ist schließlich Slashdot.

Re:ALDI-Notebook NOT infected...

>dies ist schließlich Slashdot.

Du hast das </sarkasmus> tag vergessen, lol.

Re:ALDI-Notebook NOT infected...

[lordtoran]

Okay, dankend angenommen :-)

This is proof....

.... that there is more backwards compatibility support in Vista than people thought :)

In other news...

[LaminatorX]

Systems shipped by Wal-Mart were found to contain numerous copies of a simple text game where the user imagines an animal and the game asks questions in order to deduce the animal in question. Anti-malware programs no only failed to identify the game as a threat, but were themselves overwritten with the game.

Re:In other news...

[EVil+Lawyer]

Someone help me get that joke pls?

Re:In other news...

[LaminatorX]

Pervading Animal, while a harmless text game for Univac systems, was nonetheless one of the first programs known to self-replicate and distribute in the manner of a Trojan Horse. It was so widespread that there were stories of install tapes coming from the Univac vendor already infected.

The Animal game eventually stopped replicating when there were changes to the Univac filesystem that broke its copy test.

Special removal tool?

[davidwr]

You mean this one?

Thank goodness it wasn't a BIOS trojan.

Isn't Adli a grocery store?

[no_pets]

Isn't Adli a grocery store? WTF is it doing selling PCs? If you buy a PC at the grocery store you deserve to get infected. IMHO

Re:Isn't Adli a grocery store?

[RogerWilco]

I am writing this on one of those Aldi Medion laptops (now a year old). They do sell electronic hardware too, but something different every week. about 3x year they have a Medion laptop for sale, in between they have a desktop.

These are usually very good value for money. The drawback is that you have no choice, as they only sell one model.
They can be so cheap because of their buying power, there are about 8.000 Aldi stores in Europe, and each gets 15 computers to sell as a minimum, AFAIK. The next week it will be an LCD TV, or car stereo system.
http://en.wikipedia.org/wiki/Aldi

The nice thing about the machines they sell is that it's usually a very complete package, so the laptop will include a laptop case, bluetooth remote, wireless mouse, integrated webcam, integrated card reader, some games installed (I got MS flightsimulator). Also their after sales warranty of three years is appartenly very good (I never had one break down, this is currently my second)

Re:Isn't Adli a grocery store?

ALDI sells decent products at decent prices.
Last time I checked a few years back their workers in Germany worked harder
and made 30% more than employees at department stores.
Not that they make a lot - ALDI competes in the free market.

Pinko lefty Marxists love to pick on large chains like ALDI.
Smug Pot smoking students with Che Guevara T-shirts :-)
You never see them work in their own cars. They cannot fix their own cars :-)

With 5000 stores you cannot totally avoid evil psycho bosses popping up
here and there - Just like the odd Microsoft Windows Compatible virus :-)
From those of us who use Linux I would like to mention that the incident
was about a Microsoft Windows Compatible Virus (TM)
There is no reason to worry - Just Install Linux and smile :-)
Problem gone.

Re:Isn't Adli a grocery store?

[runderwo]

ALDI has sold computers since 1987.

No, it's a supermarket.

[Animaether]

Aldi isn't really a grocery store - they're more like a large convenience store... i.e. supermarket. And yes, they sell PCs and Notebooks from time to time. And no, they're not crap either. Yes, they tend to be near the lower range, but within that lower range, you can get a great deal on them by going through stores like Aldi. The reason for that is simply numbers.. Aldi buys up thousands for a much lower price than a consumer can get. They then sell these at only slightly above the price they themselves paid... the profit on these machines for them is minimal. The additional turnover they get by luring in customers is what they're interested in mostly.

Re:No, it's a supermarket.

[abb3w]

Aldi isn't really a grocery store - they're more like a large convenience store... i.e. supermarket.

Ah -- the German equivalent of a Super Wal-Mart or Target.

Re:No, it's a supermarket.

No, Aldi is by no means a Wal-Mart or Target.
Aldi has a very reduced range of products (~700 distinct products at most!) and doesn't sell anything from popular brands (exception: HARIBO; for other products the brand name is often changed). Still, quality is _mostly_ top-notch. Additionally there is a half-week change cycle for temporary offers like PCs, Notebooks, etc. This makes Aldi the largest store chain in Germany, but no Wal-Mart.

Rawr!

Arrrrgh!

Always run DBAN or some other eraser first

[Giro+d'Italia]

I always run DBAN on a new system or hard drive, OEM assembled or not. Insist on proper OS installation media and unless it too is defective, you'll be fine. But never, ever, trust a machine setup by anyone else. That's not practical for everyone, but we're all geeks here, installing your OS of choice should be a rite of passage. :)

Re:Always run DBAN or some other eraser first

and what if your driver CD(s) have a virus? After all, one can "set things up themself" and still get backdoored by a printer driver.

Re:Always run DBAN or some other eraser first

[DigitAl56K]

That's a bit extreme, isn't it?

DBAN and similar tools are great for erasing data on a hard drive you're loosing physical possession of (for whatever reason), but there's no need to spend hours or days cleaning a disk you've just acquired. If you erase the boot sector and partition information then you have destroyed everything you need to destroy in order to ensure it's "clean" - i.e. as far as the BIOS or OS is concerned there is nothing stored on the disk to load and execute. This can be achieved in just a few seconds.

The only scenario where something like DBAN will help on media you've acquired is if, for some reason, you suspect that a) the media has been used before, and b) you have a reasonable expectation that at some point in the future someone is going to do a forensic analysis on it and you don't want whatever was on there to be associated with you. Then the additional hours/days might be worthwhile.

I still like the idea of encrypted hard drives where the user can change the hardware key by swapping a module or flipping some switches on the physical drive. Want to instantly erase all the data on a drive? Change the key via the switches and boom! Data is permanently scrambled and meaningless without the original key settings.

Yes it is a grocery store...

[thrill12]

... but against super-cheap prices, run by slaves(very low wages, very strict time policies on the counters), and selling great deals on a weekly basis (for which great interest exists). Another company that runs pretty much by the same formula is Lidl.

Re:Yes it is a grocery store...

At least in germany the employees are relatively well paid at ALDI in comparison to other supermarkets. LIDL is much worse in this respect. The only thing both have in common is their goal to prohibit forming unions.

Re:Yes it is a grocery store...

[lordtoran]

Do you know why I don't shop at either Lidl or Aldi? The employees look unhappy there and are unfriendly and that says a lot. I prefer shopping at Real. They have their lineup of el cheapo wares too, and the service is much better.

Not that I would buy a PC at a supermarket, anyway. I recommend buying from smaller specialized retailers, which will also be happy to build a PC by your specifications and with your OS of choice (or no OS at all).

Re:Yes it is a grocery store...

[KDR_11k]

Do you know why I don't shop at either Lidl or Aldi? The employees look unhappy there and are unfriendly and that says a lot.

I guess that's why Wal-Mart had the "smile or get fired" policy.

Bullguard anti-virus

[jmanforever]

My question is: What good is this "Bullguard anti-virus" if it can't even remove a simple virus that is over 10 years old?

Re:Bullguard anti-virus

[thatskinnyguy]

It isn't any good. In fact, it's so worthless, it isn't really worth the powder to blow it to Hell!

Re:Bullguard anti-virus

The broken German of their error message is also hilarious for anyone who can speak real German. (It's the German version of "Engrish".) That speaks a lot about the quality of their software.

Efficient!

[fishthegeek]

Now that is efficient! Why email trojans to the criminals when you can have them preinstalled by the factory!

I smell a conspiracy.

Where do you get such an old virus?

[wulper]

I mean, without voluntarily looking for it? And how do you get it accidentally on a new PC? Have they stored the bios on infected floppies, or what? Installed DOS first, because the Windows Vista upgrade is cheaper than an OEM version? Tsk, tsk.

Re:Where do you get such an old virus?

[sumdumass]

During the boot cycle, the bios needs operating parameters outside what is stored in the bios. It could preload them itself but then all operating systems would have to start loading from it and then unload it somewhere along the line. Instead, then allow a small amount boot code to be placed in the boot sector of a drive's media that the OS can control and unload at it's convenience. It also controls disk access outside the limitations of the bios which would allow for larger drives and different file systems to be installed without having to update the bios each time something new comes along. For MS windows, this is DOS.

Now the newer windows versions windows, they actually pass the stuff off to 32 bit code that would do direct disk access instead of the bios init 13h calls. But if you look on every windows bootable media, whether it is a cd, boot disk, or install media, you will see a form of IO.SYS, MSDOS.SYS, and a couple of others. The newer distributions might have them named something different but their role is the same, to provide simple disk access and a command structure so the OS can load. This will be dos or a very slimed down version of it.

So that is why DOS seems to be present on bootable media that aren't connected with DOS. I'm not sure if linux uses a form of DOS or not. The DOS initial originally stoop for Disk Operating System which would imply it allowed access to an operating system on a disk. So it would surprise me if every OS that doesn't run or load from a ROM file uses a version of DOS even if it isn't called that.

In this case, I think DOS as in MSDOS is a misnomer. I could be wrong there though.

Re:Where do you get such an old virus?

[lordtoran]

Yes, I indeed think the guy who created the image installed DOS and various diagnostic/burn-in-testing tools first from some old infected floppies he had lying around at home. Quite dilettanish, because there are special Linux live CDs that do a better task at such preparations.

Re:Where do you get such an old virus?

[Cracked+Pottery]

I got a hundred of them. Of course a lot them are still on 5 1/4" diskettes. Most of the stoned viruses were comparatively harmless, Disk Killer was a real bastard, kiss bye bye to everything.

Remember the KAK worm. Shut down computers at 5:00 PM on Friday. Something like that. It was spread in an invisible executable signature in Outlook Express. I had a good deal of admiration for that one, and we made a lot of money cleaning it up. Now who would have thought about a script as a signature that copied itself to the drive? The same company that made word processors with executable text scripts that ordinary users don't understand. Made me want to swallow a couple of Vicodin ES.

Re:Where do you get such an old virus?

[petermgreen]

The way a PC boots is that the bios loads a peice of code from the MBR and runs it, it provides this code with services to access hard and floppy drives (no filesystem support just the ability to read and write sectors). What happens from there is up to the OS that put the code in the MBR. In the windows world the MBR code hands off to code in the boot sector of the active partition. That code in turn typically has some form of minimal filesystem support allowing it to read and load the rest of the OS.

Re:Where do you get such an old virus?

[lordtoran]

I remember the good old times of DOS bootsector viruses. I had a virus named Tremor that reprogrammed the VGA registers, so from time to time the screen contents would shiver like having a cold, and on some occasions a little Pacman appeared and ate the menu bar of Norton Commander. It was fun until I switched on the PC one day and was greeted with the message "ROM BIOS NOT FOUND" in 40x25 black & white mode.

Re:Where do you get such an old virus?

[funkatron]

Can I borrow a copy of KAK for the office?

Boot sector virus?

[dwalsh]

How adorably quaint.

so, there's a tool to clean it up, use it

[fadilnet]

If there's a tool to clean it up, then use it. Or just format everything including MBR and get GRUB inside, and boot your fav. distro. (just a thought) And if that virus causes the user (owner of the machine) to lose data (for e.g), there are lawsuits. Next time I buy new stuff, I'll ask - "can you please provide me with a hard drive with a formatted MBR (done in front of me)?" Oh well, if I ask that for an HDD, I may end up with modems without internal firmwares and the tech guy will respond: "okay, you told us to remove everything, we erased the chip" LOL

Re:so, there's a tool to clean it up, use it

[ettlz]

If there's a tool to clean it up, then use it.

Time to use dd in anger, methinks.

Oblig

[Pykasye]

It's not a bug, it's a feature.

Just imagine if...

[squidguy]

Just imagine if Worst Buy sold these. The Gector Squad would offer a special "new PC tuneup" for an extra hundred clams or so, but then you'd probably get infected by some of the warez they allegedly use to "support" customers. Wait...why am I asking this question? They already do this!

Cool! Preinstalled virus!

[Interested+Bystander]

Now I don't have to wait for my daughter to download a virus, it comes preinstalled!

Nostalgia

Good to see these old virii going in an age of windows worms.... takes me back !

I work at Medion's Hotline

As opposed to the above comment, Medion Nordic HAS acknowledged that our laptops have been infected with Stoned.Angelina.

We also have a nice little fix for it, even though it oughtn't have been nescesary to make one in the first place.

But it's always fun to get 3x the amount of calls as normal due to a cock-up like this.

And to be honest - it's an MBR virus. Has no payload, spreads primarily through floppy disks. It's about as dangerous to computers today as diarrhoea is in a western country. Sounds bad, but nothing to worry about.

FDISK

[Reason58]

You used to be able to kill any boot sector virus instantly with "fdisk /mbr", but that command was retired when DOS went away.

Re:FDISK

These days, boot windows repair console and run "fixmbr", it does the same thing.

Re:FDISK

[lordtoran]

From my own experience, many boot sector viruses were tough enough to survive CTRL-ALT-DEL or even a warm reboot via the reset button, so it is imperative to turn the PC completely off after that procedure.

The first time I saw this one

[wuzzerd]

I had to scan and repair about 1000 floppies and write a memo about not taking your work home. The IT manager did not believe that virii existed. Discovered it by looking at the boot sector with debug. The text string:"your PC is stoned", showed up. F-prot saved the day. That particular version of Stoned had a bug which would trash part of the root directory.

I got this virus in early 90's

[smutt]

I remember getting this virus on my 386 in the early 90's. That just goes to show how little things have changed if this virus is still able to infect machines.

remind me

[JustNiz]

never to buy bullguard if it can't even deal with a 14 year old virus.

A bit offtopc, but... How do you beat

A stealth virus that attacks the BIOS, embeds itself into all firmware it can identify, stays resident in the boot sector and infects backup files and removable media so it that it can spread from PC to PC? Wouldn't this be the end-all-be all malware that would change the way we look at PC security? The BIOS would come to have fail-safes built in and so would all firmware. Physical switches would become the standard for updating all firmware devices. Shouldn't we be doing this already?

Re:FBBG!

... said the guy lying about being homeless while failing to get Linux working on a ThinkPad...

just be thankful ...

[IchBinEinPenguin]

... that theses weren't "trusted" computers (or TPM or whatever they call them).

At least you're still able to re-format and start from scratch.....