STONED variant: AZUSA virus
*********************************************
*** Reports collected and collated by ***
*** PC-Virus Index ***
*** with full acknowledgements ***
*** to the authors ***
*********************************************
STONED variant: AZUSA
---------------------
Date: Wed, 27 Mar 91 11:31:48 -0500
From: Padgett Peterson <padgett%tccslr.dnet@uvs1.orl.mmc.com>
Subject: Azusa (PC)
It seems that quite a few folks are getting hit by the AZUSA virus.
Removing it, while not very difficult, is complicated by the fact
that the virus has completely overwritten the master boot record
code so that the original cannot be simply retrieved from another
location as with most such viruses (STONED, JOSHI, etc.). Since the
virus has also overwritten the ASCII warning messages, simple
patching of the virus code to remove the infection is not a good
solution.
The virus does contain the essential partition table information
from the uninfected code in the proper offset (BE - FD) so removal
of the virus requires the following steps:
1) Obtain a "good" master boot record from the same DOS version or higher.
2) Cold boot the infected machine from a write-protected floppy.
3) Extract the partition table information from the virus.
4) Graft the partition table into the uninfected MBR code.
5) Overwrite the virus with the composite MBR code.
The following assembly language fragment can be used to perform this
function. It assumes that a "good" MBR has been loaded into offset
200h-3FFh and that the infected PC has been cold-booted clean.
(DEBUG format).
       MOV  AX,0201              ;read a sector
       MOV  BX,0400              ;into offset 400h-5FFh
       MOV  CX,0001              ;MBR (cylinder 0, sector 1)
       MOV  DX,0080              ;fixed disk 0, head 0
       INT  13
       CMP  WORD PTR [03FE],AA55 ;make sure it was read (55AA signature present)
       JZ   0118
       JMP  013C                 ;exit with ERRORLEVEL 1 if not
(0118) PUSH CS                   ;align segment registers (DS = ES = CS)
       POP  DS
       PUSH DS
       POP  ES
       MOV  SI,05BE              ;point SI at the table in the sector just read
       MOV  DI,03BE              ;and DI at the table area of the clean MBR
       MOV  CX,0020              ;40h bytes = 20h words
       REPZ MOVSW                ;put table into clean MBR
(0127) MOV  AX,0301              ;write one sector
       MOV  BX,0200              ;from the "good" area
       MOV  CX,0001              ;to MBR
       MOV  DX,0080              ;of infected disk
       INT  13                   ;we could read it before, so
       JB   0127                 ;try again on failure
       MOV  AX,4C00              ;exit ERRORLEVEL zero (pass)
       INT  21
(013C) MOV  AX,4C01              ;exit ERRORLEVEL one (fail)
       INT  21
Padgett
ps - fiddling at this level is not for the inexperienced, caveat
y'all.
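The same graft, as an added Python example that is not part of Padgett's post: it works on two 512-byte sector images (as a recovery tool would on a disk dump) rather than through INT 13h, checks the 55AA signature on both before composing, and decodes the grafted entries so the result can be eyeballed. The sample sectors are constructed stand-ins, not real MBR or virus bytes.

```python
import struct

SECTOR = 512
PT_OFF, PT_LEN = 0x1BE, 0x40   # partition table: offsets 1BEh-1FDh (4 x 16 bytes)
SIG_OFF = 0x1FE                # boot signature 55 AA in the last two bytes


def has_boot_signature(sector: bytes) -> bool:
    """Same check as the CMP WORD PTR [03FE],AA55 in the DEBUG fragment."""
    return len(sector) == SECTOR and sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"


def parse_partition_table(sector: bytes):
    """Return (boot_flag, type, start_lba, sector_count) for each entry."""
    entries = []
    for i in range(4):
        e = sector[PT_OFF + 16 * i:PT_OFF + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", e, 8)
        entries.append((e[0], e[4], start, count))
    return entries


def graft_partition_table(clean_mbr: bytes, infected_mbr: bytes) -> bytes:
    """Copy the table preserved by the virus into the clean MBR code."""
    if not (has_boot_signature(clean_mbr) and has_boot_signature(infected_mbr)):
        raise ValueError("sector lacks 55AA signature; refusing to compose MBR")
    for boot, _ptype, _start, _count in parse_partition_table(infected_mbr):
        if boot not in (0x00, 0x80):       # active flag must be 00h or 80h
            raise ValueError("implausible boot indicator in preserved table")
    table = infected_mbr[PT_OFF:PT_OFF + PT_LEN]
    return clean_mbr[:PT_OFF] + table + clean_mbr[PT_OFF + PT_LEN:]


def build_sector(code: bytes, table: bytes) -> bytes:
    """Assemble a constructed 512-byte sector image for the demo below."""
    body = code.ljust(PT_OFF, b"\x00")[:PT_OFF]
    return body + table.ljust(PT_LEN, b"\x00") + b"\x55\xaa"


# Constructed sample data: one active FAT16 entry starting at LBA 63.
ENTRY0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x0c", 63, 204737)
CLEAN = build_sector(b"\xfa\x33\xc0\x8e\xd0", b"")       # stand-in for good MBR code
INFECTED = build_sector(b"\xeb\x1c\x90", ENTRY0)          # stand-in for overwritten code

if __name__ == "__main__":
    composite = graft_partition_table(CLEAN, INFECTED)
    for n, entry in enumerate(parse_partition_table(composite)):
        print(n, "boot=%02Xh type=%02Xh start=%d count=%d" % entry)
```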
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++