Boot Sector Virus Shipped on German Laptops
Juha-Matti Laurio writes "A consignment of laptops from German manufacturer Medion, sold through German and Danish branches of giant retail chain Aldi, has been found to be infected with the boot sector virus 'Stoned.Angelina', first seen as long ago as 1994. The affected notebook models (German language) Medion MD 96290 have been pre-installed with Windows Vista Home Premium and Bullguard anti-virus, which reportedly is unable to remove it. A special removal tool was released to clean the laptops. Aldi has shared the same warning as well. Two years ago several thousand Creative Zen Neeon MP3 players were shipped with the Windows worm Wullik.B."
Apple did it too, remember? Cue people whining about how the fanbois ignore Apple's flaws so that they can pretend Creative is satan in 3.... 2.... 1....
It doesn't really seem to do anything.
Quick translation: Since there was some press noise, MEDION feels the need to say that the ALDI notebook is not infected with the Stoned.Angelina virus.
Aldi isn't really a grocery store - they're more like a large convenience store... i.e. supermarket. And yes, they sell PCs and Notebooks from time to time. And no, they're not crap either. Yes, they tend to be near the lower range, but within that lower range, you can get a great deal on them by going through stores like Aldi. The reason for that is simply numbers. Aldi buys up thousands for a much lower price than a consumer can get. They then sell these at only slightly above the price they themselves paid... the profit on these machines for them is minimal. The additional turnover they get by luring in customers is what they're interested in mostly.
I always run DBAN on a new system or hard drive, OEM assembled or not. Insist on proper OS installation media and unless it too is defective, you'll be fine. But never, ever, trust a machine set up by anyone else. That's not practical for everyone, but we're all geeks here; installing your OS of choice should be a rite of passage. :)
Not necessarily. It would really depend on what kind of boot sector virus it would be and what specifically it does. You could end up not being able to see or access any of your partitions, or the boot loader could just be loaded on top of a BIOS overlay that is the boot virus (i.e., nothing at all would happen to the virus).
/mbr to sabotage any chances of leftover code being executed. Then a format to the partition and a new OS install. There are tools to redo the disk partitions and format under Linux too.
A lot of times the boot sector virus will move the boot sector to another part of the disk and relay the content to itself. It can also mark sectors as bad and thereby hide its content. When you install a boot loader, it will actually install to the moved version of the boot sector. I have seen in the past, and I don't remember which one, but a normal Format would erase the portion of the boot sector hiding the code and it would execute again. You would need to boot in a way that the disk wasn't accessed until after you loaded tools to specifically deal with them. Usually an Fdisk/mbr with a regular Fdisk to rebuild the partitions and then another
This whole process got more complicated with logical block addressing and a write cache. The main board is now expecting the drives to represent something different than they actually read in order to maintain compatibility. With an LBA drive, you aren't actually accessing the drive itself but asking it to access it. It is possible to have the code you are attempting to remove be accessed and running before your tools actually write over it and remove it. Of course once the boot process (boot to floppy/CD) is over, the underlying OS isn't really susceptible to executing the code as it is in the original BIOS boot process. But nothing is there to ensure it won't happen. Some of the bad blocks that could be hiding code placed outside the boot sector could be accessed and contain something that is executable in the boot environment you are using.
In all, it is difficult to remove a boot sector virus and retain any information on the disk. What I wrote is a little bit dumbed down from the actual processes that can happen. I have seen claims of boot viruses being able to do things even more elaborate but don't know of any in actual existence. I guess I am amazed that this late in the game, they are still a problem. Almost every anti-virus app should be able to detect and at least disable them. A simple scan of an image waiting to be burned to a hard drive should catch any nasty unwanted things before going into production. Maybe they cannot scan the images now?
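As an added example (not from the story or any commenter), here is the kind of integrity check the "scan the image before burning it" remark above calls for: it parses a 512-byte MBR image, verifies the 0x55AA boot signature and partition table, and compares a SHA-256 of the bootstrap code against a known-good golden image, so replaced bootstrap code is flagged even when the partition table is left intact. The MBR images, the baseline hash and the helper names are all constructed for this example, not taken from any real disk.

```python
import hashlib
import struct

BOOTSTRAP_LEN = 446            # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR image into bootstrap-code hash, partition entries and signature check."""
    if len(mbr) != 512:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[510:512] == BOOT_SIGNATURE}

def check_mbr(mbr: bytes, known_good_code_sha256: str) -> list:
    """Return findings for an MBR image; an empty list means it matches the golden image."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != known_good_code_sha256:
        findings.append("bootstrap code differs from golden image")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

def build_mbr(code: bytes, entries: list) -> bytes:
    """Assemble a test MBR from bootstrap code and (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return code.ljust(BOOTSTRAP_LEN, b"\x00") + table + BOOT_SIGNATURE

# Constructed sample images for this example, not dumps from any real disk.
CLEAN_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])  # cli / xor ax,ax / mov ss,ax / mov sp,7C00h
PART_TABLE = [(0x80, 0x07, 2048, 1_000_000)]      # one active NTFS-type partition
GOLDEN_MBR = build_mbr(CLEAN_CODE, PART_TABLE)
GOLDEN_SHA256 = parse_mbr(GOLDEN_MBR)["code_sha256"]   # baseline taken from the known-good image
# Same partition table, different bootstrap code: the pattern the comment above describes.
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + b"\x90" * 40, PART_TABLE)

if __name__ == "__main__":
    print("golden:", check_mbr(GOLDEN_MBR, GOLDEN_SHA256))        # []
    print("tampered:", check_mbr(TAMPERED_MBR, GOLDEN_SHA256))    # ['bootstrap code differs from golden image']
```

On a real image the first 512 bytes of the disk file are passed to `check_mbr` with a baseline hash recorded from the master before duplication; a non-empty result is a reason to stop the production run.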
As opposed to the above comment, Medion Nordic HAS acknowledged that our laptops have been infected with Stoned.Angelina.
We also have a nice little fix for it, even though it oughtn't to have been necessary to make one in the first place.
But it's always fun to get 3x the amount of calls as normal due to a cock-up like this.
And to be honest - it's an MBR virus. Has no payload, spreads primarily through floppy disks. It's about as dangerous to computers today as diarrhoea is in a western country. Sounds bad, but nothing to worry about.
You used to be able to kill any boot sector virus instantly with "fdisk /mbr", but that command was retired when DOS went away.
Yes, I indeed think the guy who created the image installed DOS and various diagnostic/burn-in-testing tools first from some old infected floppies he had lying around at home. Quite dilettantish, because there are special Linux live CDs that do a better job at such preparations.