Slashdot Mirror

← Back to Stories (view on slashdot.org)

Boot Sector Virus Shipped on German Laptops

Posted by Zonk on from the extra-value-for-your-deutschmark dept.

Juha-Matti Laurio writes "A consignment of laptops from German manufacturer Medion, sold through German and Danish branches of giant retail chain Aldi, have been found to be infected with the boot sector virus 'Stoned.Angelina', first seen as long ago as 1994. The affected notebook models (German language) Medion MD 96290 have been pre-installed with Windows Vista Home Premium and Bullguard anti-virus, which reportedly is unable to remove it. A special removal tool was released to clean the laptops. Aldi has shared the same warning as well. Two years ago several thousands of Creative Zen Neeon MP3 players were shipped with a Windows worm Wullik.B."

7 of 79 comments (clear)

  1. Now that's what I call.... by gandhi_2 · · Score: 5, Funny

    ...cutting out the middleman!

    --
    THL phish sticks
  2. stoned.angelina by Walzmyn · · Score: 5, Funny

    stoned.angelina is a nasty virus too. If your computer is infected it will download other child viruses with weird names from third world countries.

  3. Hmm by Poromenos1 · · Score: 4, Informative

    It doesn't really seem to do anything.

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
  4. So, is this... by NorQue · · Score: 5, Funny

    ... a Retro-Virus? ;-)

  5. ALDI-Notebook NOT infected... by Simon+(S2) · · Score: 4, Informative
    ...says ALDI:

    Aufgrund vereinzelt anders lautender Pressemitteilungen stellt die MEDION AG klar, dass das ALDI-Notebook nicht mit dem Virus Stoned Angelina ausgeliefert worden ist.

    Quick translation: Since there was some Press-noise, MEDION feels the need to say that the ALDI-Notebook is not infected with the Stoned Angelina virus.
    --
    I just don't trust anything that bleeds for five days and doesn't die.
  6. Isn't Adli a grocery store? by no_pets · · Score: 4, Funny

    Isn't Adli a grocery store? WTF is it doing selling PCs? If you buy a PC at the grocery store you deserve to get infected. IMHO

    --
    "A government is a body of people, usually notably ungoverned." - Shepard Book Quoting Malcolm Reynolds
  7. Re:Fix in O(1)-time by sumdumass · · Score: 4, Informative

    Not necessarily. It would really depend on what kind of boot sector virus it would be and what specifically it does. You could end up with not being able to see or access any of your partitions or the boot loader could just be loaded on top of a bios overlay that is the boot virus(ie, nothing at all would happen to the virus).

    A lot of times the boot sector virus will move the boot sector to another part of the disk and relay the content to itself. It can also mark sectors as bad and thereby hiding it's content. When you install a boot loader, it will actually install to the moved version of the boot sector. I have seen in the past, and I don't remember which one, but a normal Format would erase the portion of the boot sector hiding the code and it would execute again. You would need to boot in a way that the disk wasn't accessed until after you loaded tools to specifically deal with them. Usually an Fdisk/mbr with a regular Fdkisk to rebuild the partitions and then another /mbr to sabotage any chances of left over code being executed. Then a format to the partition and a new OS install. There are tools to redo the disk partitions and format under linux too.

    This whole process got more complicated with the logical block addressing and a write cache. The main board is now expecting the drives to represent something different then they actually read in order to maintain compatibility. With a LBA drive, you aren't actually accessing the drive in itself but asking it to access it. It is possible to have the code you are attempting to remove be accessed and running before your tools actually write over it and remove it. Of course once the boot process (boot to floppy/cd) is over, the underlying OS isn't really susceptible to executing the code as it is in the original Bios boot process. But nothing is there to ensure it won't happen. Some of the bad blocks that could be hiding code placed outside the boot sector could be accessed and contain something that is executable in the boot environment you are using.

    In all, it is difficult to remove a boot sector virus and retain any information on the disk. What I wrote is a little bit dumbed down of the actual processes that can happen. I have seen claims of boot virus being able to do things even more elaborate but don't know of any in actual existence. I guess I am amazed that in this late in the game, they are still a problem. Almost every anti-virus app should be able to detect and at least disable them. A simple scan of an image waiting to be burned to a hard drive should catch any nasty unwanted things before going into production. Maybe they cannot scan the images now?