Slashdot Mirror
Boot Sector Virus Shipped on German Laptops
Juha-Matti Laurio writes "A consignment of laptops from German manufacturer Medion, sold through German and Danish branches of giant retail chain Aldi, have been found to be infected with the boot sector virus 'Stoned.Angelina', first seen as long ago as 1994. The affected notebook models (German language) Medion MD 96290 have been pre-installed with Windows Vista Home Premium and Bullguard anti-virus, which reportedly is unable to remove it. A special removal tool was released to clean the laptops. Aldi has shared the same warning as well. Two years ago several thousands of Creative Zen Neeon MP3 players were shipped with a Windows worm Wullik.B."
Apple did it too, remember? Cue people whining about how the fanbois ignore Apple's flaws so that they can pretend Creative is satan in 3.... 2.... 1....
...cutting out the middleman!
THL phish sticks
stoned.angelina is a nasty virus too. If your computer is infected it will download other child viruses with weird names from third world countries.
hahah :)
Cant even clean up with their own AV.. Sucks to be them..
It doesn't really seem to do anything.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Stupid, Stupid, Stupid, Stupid... and in case i didn't mention STUPID...
What was whoever doing on the base image that caused it to become infected? I build system images, and rule #1: Make sure it works cleanly when you're done.
Somebody's Head
------------------- = Silver platter
(Silly junk character filter, I can't even ASCII Art a silver platter)
I will not give in to the terrorists. I will not become fearful.
... a Retro-Virus? ;-)
Quick translation: Since there was some Press-noise, MEDION feels the need to say that the ALDI-Notebook is not infected with the Stoned Angelina virus.
I just don't trust anything that bleeds for five days and doesn't die.
Systems shipped by Wal-Mart were found to contain numerous copies of a simple text game where the user imagines an animal and the game asks questions in order to deduce the animal in question. Anti-malware programs no only failed to identify the game as a threat, but were themselves overwritten with the game.
You mean this one?
Thank goodness it wasn't a BIOS trojan.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Isn't Adli a grocery store? WTF is it doing selling PCs? If you buy a PC at the grocery store you deserve to get infected. IMHO
"A government is a body of people, usually notably ungoverned." - Shepard Book Quoting Malcolm Reynolds
Aldi isn't really a grocery store - they're more like a large convenience store... i.e. supermarket. And yes, they sell PCs and Notebooks from time to time. And no, they're not crap either. Yes, they tend to be near the lower range, but within that lower range, you can get a great deal on them by going through stores like Aldi. The reason for that is simply numbers.. Aldi buys up thousands for a much lower price than a consumer can get. They then sell these at only slightly above the price they themselves paid... the profit on these machines for them is minimal. The additional turnover they get by luring in customers is what they're interested in mostly.
I always run DBAN on a new system or hard drive, OEM assembled or not. Insist on proper OS installation media and unless it too is defective, you'll be fine. But never, ever, trust a machine setup by anyone else. That's not practical for everyone, but we're all geeks here, installing your OS of choice should be a rite of passage. :)
My question is: What good is this "Bullguard anti-virus" if it can't even remove a simple virus that is over 10 years old?
Now that is efficient! Why email trojans to the criminals when you can have them preinstalled by the factory!
I smell a conspiracy.
load "$",8,1
I mean, without voluntarily looking for it? And how do you get it accidentally on a new PC? Have they stored the bios on infected floppies, or what? Installed DOS first, because the Windows Vista upgrade is cheaper than an OEM version? Tsk, tsk.
How adorably quaint.
${YEAR+1} is going to be the year of Linux on the desktop!
If there's a tool to clean it up, then use it. Or just format everything including MBR and get GRUB inside, and boot your fav. distro. (just a thought) And if that virus causes the user (owner of the machine) to lose data (for e.g), there are lawsuits. Next time I buy new stuff, I'll ask - "can you please provide me with a hard drive with a formatted MBR (done in front of me)?" Oh well, if I ask that for an HDD, I may end up with modems without internal firmwares and the tech guy will respond: "okay, you told us to remove everything, we erased the chip" LOL
Do I require the c-sig package to have a signature?
You need to install a bootloader as well. In fact, just a bootloader should do the trick.
It's not a bug, it's a feature.
How do you identify a troll on Slashdot? They're modded +5, Insightful.
Just imagine if Worst Buy sold these. The Gector Squad would offer a special "new PC tuneup" for an extra hundred clams or so, but then you'd probably get infected by some of the warez they allegedly use to "support" customers. Wait...why am I asking this question? They already do this!
Now I don't have to wait for my daughter to download a virus, it comes preinstalled!
If I was deep this is would be profound, if smart then wise, if a poet then verse. Here it is, you judge!
Not necessarily. It would really depend on what kind of boot sector virus it would be and what specifically it does. You could end up with not being able to see or access any of your partitions or the boot loader could just be loaded on top of a bios overlay that is the boot virus(ie, nothing at all would happen to the virus).
/mbr to sabotage any chances of left over code being executed. Then a format to the partition and a new OS install. There are tools to redo the disk partitions and format under linux too.
A lot of times the boot sector virus will move the boot sector to another part of the disk and relay the content to itself. It can also mark sectors as bad and thereby hiding it's content. When you install a boot loader, it will actually install to the moved version of the boot sector. I have seen in the past, and I don't remember which one, but a normal Format would erase the portion of the boot sector hiding the code and it would execute again. You would need to boot in a way that the disk wasn't accessed until after you loaded tools to specifically deal with them. Usually an Fdisk/mbr with a regular Fdkisk to rebuild the partitions and then another
This whole process got more complicated with the logical block addressing and a write cache. The main board is now expecting the drives to represent something different then they actually read in order to maintain compatibility. With a LBA drive, you aren't actually accessing the drive in itself but asking it to access it. It is possible to have the code you are attempting to remove be accessed and running before your tools actually write over it and remove it. Of course once the boot process (boot to floppy/cd) is over, the underlying OS isn't really susceptible to executing the code as it is in the original Bios boot process. But nothing is there to ensure it won't happen. Some of the bad blocks that could be hiding code placed outside the boot sector could be accessed and contain something that is executable in the boot environment you are using.
In all, it is difficult to remove a boot sector virus and retain any information on the disk. What I wrote is a little bit dumbed down of the actual processes that can happen. I have seen claims of boot virus being able to do things even more elaborate but don't know of any in actual existence. I guess I am amazed that in this late in the game, they are still a problem. Almost every anti-virus app should be able to detect and at least disable them. A simple scan of an image waiting to be burned to a hard drive should catch any nasty unwanted things before going into production. Maybe they cannot scan the images now?
As opposed to the above comment, Medion Nordic HAS acknowledged that our laptops have been infected with Stoned.Angelina.
We also have a nice little fix for it, even though it oughtn't have been nescesary to make one in the first place.
But it's always fun to get 3x the amount of calls as normal due to a cock-up like this.
And to be honest - it's an MBR virus. Has no payload, spreads primarily through floppy disks. It's about as dangerous to computers today as diarrhoea is in a western country. Sounds bad, but nothing to worry about.
Do you know why I don't shop at either Lidl or Aldi? The employees look unhappy there and are unfriendly and that says a lot. I prefer shopping at Real. They have their lineup of el cheapo wares too, and the service is much better.
Not that I would buy a PC at a supermarket, anyway. I recommend buying from smaller specialized retailers, which will also be happy to build a PC by your specifications and with your OS of choice (or no OS at all).
Want to hear the voice of GOD? cat
You used to be able to kill any boot sector virus instantly with "fdisk /mbr", but that command was retired when DOS went away.
I had to scan and repair about 1000 floppies and write a memo about not taking your work home. The IT manager did not believe that virii existed. Discovered it by looking at the boot sector with debug. The text string:"your PC is stoned", showed up. F-prot saved the day. That particular version of Stoned had a bug which would trash part of the root directory.
Do you know why I don't shop at either Lidl or Aldi? The employees look unhappy there and are unfriendly and that says a lot.
I guess that's why Wal-Mart had the "smile or get fired" policy.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
So here's the deal - if you boot off a disk other than the infected one (say an installation CD) and can still read the infected drive (mount it, etc)- then (re-)installing a bootloader should get rid of the virus.
Your boot sector (MBR) has a data section that stores the partition table/drive information for that hard drive/disk and a code section that contains the actual boot loader. A virus could either overwrite only the code section - in which case your data is still readable and the virus can simply be removed by the above method - or it could overwrite the whole sector (this is pretty rare) in which case your disk is only readable when you boot off it (and the virus hijacks the bios disk read/write interrupt and redirects reads to the boot sector).
Doing a bootloader install after you boot off an infected disk is, of course, pointless!
I remember getting this virus on my 386 in the early 90's. That just goes to show how little things have changed if this virus is still able to infect machines.
The Information Revolution will be fought on the command line.
never to buy bullguard if it can't even deal with a 14 year old virus.
What could happen is that the Jump sequence that moves the drive to executable portion of the MBR which doesn't have to be in the MBR could be over written and placed onto another portion of the drive. Then when you install the boot loader, you would be installing to the new executable section of the drive. If the boot loader didn't replace the bios parameter block, the virus could still run. Now if the boot loader does replace the PBP, then the partition and format information may not be accessible. And once you locate it and change the location, you could still be executing the virus.
Your boot sector is actually divided into several sections and moreso depending on the platform and OS or partition. Any boot loader that can go on a disk using a bios overlay would just install itself to the overlay. With a boot virus, it's default actions are similar to a bios overlay in which it moves the executable code and replaces it with it's own code in order to get extra features from the bios.
In short, a simple boot loader could render the virus inactive but it won't ensure it is gone or cannot run. It doesn't even ensure the virus would be inactive. The virus wouldn't have to hijack the entire read write process. The Fat file system which all x86 computers use at the fundamental bios-boot level allows for the execute portions of the boot sector to be moved and different overlays installed. This is how you get a bios overlay to allow an 80 gig drive on a computer that won't hold over 8 gigs. An intelligent boot loader would see this and load in the regular execute portion as represented by the overlay. Once the OS is loaded, the OS accesses the information from the partition and format tables located at the moved places. There isn't a need for a fancy intercept of all the read/write processes like with the old compressed file systems MS used.
Similarly, most boot sector virus move or remove the interrupt 12 return upon execution to allow itself to remain in memory and reinfect even once it was removed from the disk. Installing a boot loader on it's own might not remove the virus or even disable it. Dully noted. I don't think any removal process could be trusted adter botting to an infected disk. But the boot virus are a little more robust then your giving them credit for. It can be very difficult to remove then and often times you lose the partitions with it. You can go back and retrieve the partition information and reset them. But that is typically more advanced then the normal user can accomplish on their own. I like to use Fdisk to back up the partition information before removing the boot virus so I can rebuild the partition and format information onto the new boot sector.
Theres also a program called testdisk that scans the hard drive to recover partition information and rebuild the partition table: http://www.cgsecurity.org/wiki/TestDisk
I always wondered where this setting was...
... that theses weren't "trusted" computers (or TPM or whatever they call them).
At least you're still able to re-format and start from scratch.....