S A M P L E   T E C H   R E P O R T

Copyright (c) 1994-96 by VDS Advanced Research Group

Virus      : NYB-boot or B1
Date       : April 6, 1994
Document ID: TY94040601

B1 a.k.a. NYB-boot Virus Information
------------------------------------

DESCRIPTION
-----------

NYB-boot (a.k.a. B1) virus infects the MBR on hard disks and the BR on floppy diskettes. The virus fits in one sector, relocating the original contents of the MBR/BR to another place on the disk. On hard disks, the MBR is moved to sector 17, head 0, cylinder 0. On floppy disks, the location is the last sector of the root directory, which depends on the capacity of the diskette. For example, on 360K diskettes, the original clean boot sector is moved to sector 3, head 1, track 0, whereas on 1.2M diskettes it will be at sector 14, head 1, track 0.

The virus stays resident in memory just below the top of conventional base memory. It reduces the base memory size by 1K. For example, a system with 640K base memory will appear to have 639K after the virus goes resident.

Once loaded in memory, NYB-boot points the disk access vector (INT 13h) to its own handler in order to spread. Its handler examines read and write requests and infects the MBR/BR if it is not already infected. The handler also has stealth capability to mask its presence on the disk, and it protects itself against being overwritten. For example, you cannot use a general purpose disk sector editor such as Norton Utilities(tm) to modify the MBR, where the virus is located, as long as the virus is active in memory. You will most likely get an error message about the operation.

The coding style in the virus suggests that its author is relatively experienced in PC assembly language; there is an apparent attempt to minimize code size and to use tricky code (to make reading it difficult).

The virus is highly infectious, more so than other Stoned variants. Doing a simple DIR on an unprotected diskette will cause it to get infected. Diskettes in both the A: and B: drives are infected. The virus transfers from infected diskettes to hard disks if the system is booted off of an infected floppy. Once the hard disk is infected, any unprotected disks used in that system will become infected by NYB-boot.

Diskettes used for backup with a program that has its own disk format may become corrupted and lose data. The virus checks the BIOS timer tick counter and executes a loop that contains a VERIFY SECTOR instruction. This may confuse certain software and give the impression of disk problems. The virus itself does not appear to overwrite data deliberately. The diskette can also become unusable if this mechanism triggers.

DETECTION
---------

On infected systems with 640K of base memory, the virus interrupt handler code will be located at 9FC0:0044 with the following sequence of bytes:

    9fc0:0044 50        push ax
    9fc0:0045 d1 e8     shr  ax,1
    9fc0:0047 fe cc     dec  ah
    9fc0:0049 74 03     jz   004e
    9fc0:004b e9 6c 01  jmp  01ba
    9fc0:004e 53        push bx
    9fc0:004f 51        push cx
    9fc0:0050 52        push dx

You can check if the virus is present by using the DEBUG program as follows:

1. At the DOS prompt, type DEBUG.
2. Once the DEBUG prompt, which is a - (dash), appears, type:
       -d 9fc0:0044
3. Look at the sequence of bytes displayed. If they are
       50 D1 E8 FE CC 74 03 E9 6C 01 53 51 52
   then the virus is in memory.
4. Type:
       -q
   to exit the DEBUG program.

REMOVAL
-------

A. For simple removal without an anti-virus, take the following steps:

1. Turn the infected computer OFF.
2. Boot off of a clean, write-protected (preferably original) DOS 5.0 or higher diskette. Earlier DOS versions do NOT have the capability to replace MBR code while leaving the partition table intact.
3. Once the A:> prompt appears, type:
       DIR C:\
   You should see your root directory on the hard disk. If you DON'T, then obtain the latest copy of VDS for removal. If everything looks fine, type:
       FDISK /MBR
4. This should get rid of the virus in the MBR and replace it with good code.
5. Remove the diskette, and turn the computer OFF and ON.
6. Check the base memory size and run DEBUG as explained above to verify that the virus is no longer in memory.
7. For bootable diskettes, the DOS SYS command will be effective. For non-bootable diskettes, simply copy the files to another disk, format the diskette, and then copy the files back. Note that you MUST NOT use the DISKCOPY command, as that would transfer the virus as well. If you copy only the files, then the virus will NOT be transferred.

B. A safer approach would be to use the VDS Pro software. Get a copy of version 3.0k or later. You can run VFSLITE or VDSFSCAN or VDS with the -S option to scan for the virus and remove it automatically. As a precautionary measure, you might want to install the VDSTSR memory-resident program so that any warmboot attempts off of an infected floppy will be caught immediately and your hard disk will be protected. You should also install the VDS integrity checker for stronger protection. Note that the integrity checker can detect and remove NYB-boot and many such viruses easily, even before we get a sample of the virus.

If you have a version of VDS earlier than 3.0k, then you can use the VITALFIX program to remove the virus. On floppy diskettes, choose "BOOT RECORD OPERATIONS" from the "MAIN MENU", then choose "VITALIZE FLOPPY BR". On hard disks, choose "PARTITION RECORD OPERATIONS" from the "MAIN MENU", then choose "CONSTRUCT NEW MBR".

To scan for the virus using an earlier VDS version, you need to create an external signature file. This is a simple text file, named XTERNAL.SIG, and it can be created with any ASCII text editor. Put the following in this file:

    NYB-boot BOOT bb 44 00 ba 80 00 be 13 04 31 ff 8e df ff 0c ad

After you are done, put the XTERNAL.SIG file in the C:\VDSPRO30 directory. Now you can use VDSFSCAN or VFSLITE to scan diskettes for this virus. We recommend that you use VDSFSCAN to scan multiple diskettes conveniently, and then remove the virus.
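As an added example (not VDS code), the following Python script applies the XTERNAL.SIG signature above to a raw diskette or disk image offline: it parses the signature line, scans sector 0 for the 16-byte pattern, and, using the relocation addresses given in the DESCRIPTION section, copies the parked clean boot sector back over the infected one after checking that it still carries a boot signature. The head/sectors-per-track geometries and the sample 360K image are assumptions constructed here, not taken from the report.

```python
SIG_LINE = "NYB-boot BOOT bb 44 00 ba 80 00 be 13 04 31 ff 8e df ff 0c ad"
SECTOR = 512
# Where the virus parks the clean MBR/BR (cylinder, head, sector), from the report;
# heads and sectors-per-track are the standard PC geometries (assumed, not from the report).
GEOMETRY = {
    "360K": (2, 9, (0, 1, 3)),
    "1.2M": (2, 15, (0, 1, 14)),
    "HD": (16, 63, (0, 0, 17)),  # cylinder 0, head 0 gives LBA 16 whatever the geometry
}

def parse_signature(line):
    """Parse an XTERNAL.SIG line: name, record type, then hex bytes."""
    name, kind, *hexbytes = line.split()
    return name, kind, bytes(int(b, 16) for b in hexbytes)

def chs_to_lba(chs, heads, spt):
    c, h, s = chs
    return (c * heads + h) * spt + (s - 1)  # sectors are 1-based

def scan_boot_sector(image):
    """Offset of the NYB-boot signature inside sector 0, or -1 if absent."""
    _, _, pattern = parse_signature(SIG_LINE)
    return image[:SECTOR].find(pattern)

def parked_original(image, media):
    """The sector where NYB-boot relocated the clean MBR/BR for this media type."""
    heads, spt, chs = GEOMETRY[media]
    lba = chs_to_lba(chs, heads, spt)
    return bytes(image[lba * SECTOR:(lba + 1) * SECTOR])

def disinfect(image, media):
    """Repaired copy of the image, or None if not infected or the parked sector looks wrong."""
    if scan_boot_sector(image) < 0:
        return None
    orig = parked_original(image, media)
    if len(orig) != SECTOR or orig[-2:] != b"\x55\xaa":  # must still carry the boot signature
        return None
    fixed = bytearray(image)
    fixed[:SECTOR] = orig
    return bytes(fixed)

def build_sample_360k():
    """Constructed 360K image: fake viral BR in sector 0, fake clean BR parked at LBA 11."""
    _, _, pattern = parse_signature(SIG_LINE)
    img = bytearray(720 * SECTOR)
    img[0x20:0x20 + len(pattern)] = pattern
    img[SECTOR - 2:SECTOR] = b"\x55\xaa"
    img[11 * SECTOR:12 * SECTOR] = b"\xeb\x3c\x90CLEAN_BR" + bytes(SECTOR - 13) + b"\x55\xaa"
    return bytes(img)
```

Run it against a copy of the image, never the only copy: if the parked sector was itself damaged, disinfect() returns None and the image is left untouched.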