Disk killer

from Wikipedia, the free encyclopedia
Disk Killer
Name: Disk Killer
Aliases: Ogre
Known since: 1989
First location: USA or Taiwan
Virus type: Cluster virus
Other classes: Link virus, boot sector virus
Author: pseudonym "Computer Ogre"
File size: 2560 bytes (five 512-byte sectors)
Host: Boot sector, MBR, additional disk sectors
Polymorphic: No
Stealth: No
Memory resident: Yes
System: x86 with MS-DOS and FAT
Programming language: Assembler

Disk Killer is usually classed as a boot sector virus, but the virus body is actually written to other sectors; only a small loader stub is placed in the boot sector or MBR. Seen that way, it is primarily a cluster virus. Disk Killer can cause data loss on MS-DOS computers, but in most cases the loss is reversible.

According to its signature string, Disk Killer was completed on April 1, 1989. The unknown author used the pseudonym Computer Ogre.

In its February 1990 issue, the British specialist magazine Virus Bulletin names the USA, in June 1989, as the location of the first known infection. Most recent sources on the Internet state instead that the virus was first discovered in Taiwan.

Compared with other viruses of the time, infections by Disk Killer were not reported very often in the DACH countries (Germany, Austria and Switzerland). Because the name "Disk Killer" announces the virus's destructive effect, the malware nevertheless became very well known and feared. Apart from regular reports from the UK, the virus was not very common in Europe; it was much more widespread in the United States.

According to the antivirus vendor Kaspersky Lab, Disk Killer was the first known malware whose damage routine encrypted data.


Aliases

The author of the virus called his program Disk Killer - Version 1.00 .

Since there is no fixed nomenclature for computer viruses, the virus has several common names, and antivirus vendors each use their own. Disk Killer is also known as: Disk Killer 1.0, DiskKiller, Ogre, Disk Ogre, Ogre Virus, Computer Ogre, Disk Killer.a, Virus.DOS.DiskKiller or Virus/Boot:Disk Killer.

Versions and derivatives

  • A version built with a different assembler is known. It was discovered in January 1990 and is called Disk Killer 2 or Disk Killer.b.
  • A 2011 YouTube video demonstrates the effects of the virus under MS-DOS with an executable called disktroj.com. This is not the virus itself but a Trojan horse that contains only the Disk Killer payload and executes it directly.
  • A version with a defective replication routine was shipped on 40,000 to 50,000 floppy disks with the British magazine PC Today. On infection, the virus code overwrites important parts of itself. Viruses that cannot spread because of such a bug are called intended viruses.
  • A dropper kit for boot sector viruses called EVI-Tool (listed by Sophos as Evi Kit) also contained several well-known samples, including Jerusalem, (c) Brain, Michelangelo and Disk Killer.

Function

Disk Killer is a memory-resident virus. It attacks IBM PC/AT and compatible computers running MS-DOS and infects only FAT file systems.

The virus code is 2560 bytes long and takes eight kilobytes of system memory when resident. Disk Killer does not show up in the output of the MS-DOS MEM command, because conventional memory is already reduced before the operating system loads; an infected system therefore reports only 632 kilobytes of conventional RAM. A machine that reports 632 KB (647,168 bytes) instead of 640 KB without any other boot-time resident software is a classic indicator of this class of virus.

The code is assembly; whether any higher-level tooling was involved before assembly is not known. Disk Killer uses the following interrupts: Int 13h function 02h (read sectors), Int 09h (keyboard) and Int 08h (timer tick).

The virus uses neither stealth nor polymorphic techniques to hide from antivirus software or the user.

Infection routine

Disk Killer spreads via floppy disks. When the machine is booted from infected media, Disk Killer loads itself into memory. From then on every read access to a floppy drive or hard disk triggers an infection attempt.

When the boot sector of a floppy disk or the MBR of a hard disk is infected, Disk Killer does not copy itself into it: the virus code is too large for a single sector. Instead the original boot sector is modified so that it loads the virus into memory during the boot process, while the virus body sits elsewhere on the disk. On floppy disks the five sectors holding the body are marked as defective for camouflage, and a further sector stores the original 512-byte boot sector. No check is made as to whether that area is already in use, so the infection routine itself can cause minor data damage. On hard disks the virus embeds itself in the reserved sectors following the MBR, if they are available. This technique is not unusual and is also used by other viruses. Most boot sector viruses, however, infect the boot sector itself and can then, depending on the case, spread independently of the operating system. Disk Killer can therefore also be regarded as a cluster virus.

Special features:

  • The virus contains a counter that records the number of infections.
  • Since the boot sector is only modified rather than replaced, a system infected with Disk Killer can be infected by a second boot sector virus that relocates the original sector. If the two viruses do not use the same disk sectors or memory areas, the computer could still start and load both into memory one after the other; their infection routines would then interfere with each other, with effects that are hard to predict.
  • Disk Killer was the first known boot virus that correctly handled sector sizes other than 512 bytes; 1024-byte sectors were sometimes used.
  • Besides the redirection to the virus code, the modified boot sector or MBR contains a routine that reserves eight kilobytes of system memory for the virus before DOS loads.

Payload

The virus has a harmful payload .

As soon as the virus code is executed, in practice at system start, it begins counting timer-interrupt ticks for its logic bomb. After 48 hours of uptime the malware waits a further 60 minutes; if the infected hard disk is read during that window, the payload is triggered. The author may have intended this to favour machines that are actively used servers rather than idle workstations. If there is no access, the counter is reset and Disk Killer waits another 255 hours; if the computer is still switched on then, the damage routine runs regardless.

The malicious part of the virus causes data loss by encrypting the hard disk. When it activates, a message first appears on the screen.

At the top of the screen it says:

Disk Killer—Version 1.00 by COMPUTER OGRE 04/01/1989

At the bottom of the screen:

Warning !! Don't turn off the power or remove the diskette while Disk Killer is Processing!

As this message appears, the malicious routine begins to overwrite the hard disk cluster by cluster. It starts with the boot sector, followed by the file allocation table and the root directory. The virus encrypts the disk by XORing sectors alternately with 0AAAAh and 05555h. Because the boot sector and FAT go first, the volume is unusable almost immediately; since XOR with a fixed mask is reversible, however, the data is scrambled rather than destroyed.

During this process the word flashes in the middle of the screen:

PROCESSING

Disk Killer then displays another message in the same place:

Now you can turn off the power I wish you luck !

The program then enters an endless loop that freezes the computer.

Switching the computer off immediately could preserve part of the data, but since the important structures of the disk are overwritten first, this would have to happen within a fraction of a second. Decoding the disk for data recovery is also possible.
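The XOR damage routine is trivially reversible because XOR with a fixed mask is its own inverse, which is what made recovery tools such as RestOgre possible. The following Python is an added example written for this article; it is neither the virus code nor RestOgre. It assumes (the article does not say) that the mask alternates per sector starting with 0AAAAh on the first sector and is applied to 16-bit little-endian words, takes the sector size as a parameter because the virus handled 1024-byte sectors as well, and runs on a constructed four-sector sample image. Running the same routine over a killed image restores it.

```python
"""Model of Disk Killer's XOR damage routine and its inversion.

Added example for this article; not the virus code and not RestOgre.
Assumptions not stated in the article: the mask alternates per
sector, starting with 0AAAAh on sector 0, and is applied to 16-bit
little-endian words.  The sample disk image below is constructed.
"""
import struct
from typing import Optional

SECTOR = 512
MASKS = (0xAAAA, 0x5555)  # the two masks the article names


def xor_sector(sector: bytes, mask: int) -> bytes:
    """XOR every 16-bit little-endian word of one sector with `mask`."""
    if len(sector) % 2:
        raise ValueError("sector length must be even")
    n = len(sector) // 2
    words = struct.unpack(f"<{n}H", sector)
    return struct.pack(f"<{n}H", *(w ^ mask for w in words))


def transform_disk(image: bytes, sector_size: int = SECTOR) -> bytes:
    """Apply the alternating-mask XOR to every sector of a raw image.

    Sector size is a parameter because the virus coped with non-512-byte
    sectors.  XOR with a fixed mask is an involution, so this one
    function both models the damage and undoes it.
    """
    if len(image) % sector_size:
        raise ValueError("image length must be a multiple of the sector size")
    out = bytearray()
    for idx, off in enumerate(range(0, len(image), sector_size)):
        out += xor_sector(image[off:off + sector_size], MASKS[idx % 2])
    return bytes(out)


def recover_disk(image: bytes, sector_size: int = SECTOR) -> bytes:
    """Undo the damage routine: identical to applying it a second time."""
    return transform_disk(image, sector_size)


def mask_phase(sector: bytes) -> Optional[int]:
    """Heuristic a recovery tool can use: a killed sector that was
    originally all zeros reads as all AAh or all 55h, which reveals
    which mask hit it.  Returns 0xAAAA, 0x5555 or None."""
    if sector == b"\xaa" * len(sector):
        return 0xAAAA
    if sector == b"\x55" * len(sector):
        return 0x5555
    return None


def build_sample_disk() -> bytes:
    """Constructed four-sector 'disk': boot sector, FAT, root directory
    and one empty (all-zero) data sector."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x3c\x90"
    boot[3:11] = b"EXAMPLE "
    boot[510:512] = b"\x55\xaa"
    fat = b"\xf0\xff\xff".ljust(SECTOR, b"\x00")
    root = b"README  TXT".ljust(SECTOR, b"\x00")
    empty = bytes(SECTOR)
    return bytes(boot) + fat + root + empty


if __name__ == "__main__":
    original = build_sample_disk()
    killed = transform_disk(original)
    print("image changed:", killed != original)
    print("mask that hit the empty sector:", hex(mask_phase(killed[3 * SECTOR:]) or 0))
    print("recovered matches original:", recover_disk(killed) == original)
```

The `mask_phase` heuristic is the practical part for a recovery tool: formerly empty sectors on a killed disk show up as runs of AAh or 55h, which confirms the alternation phase before the whole image is decoded.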

Identification and removal

  • In the boot sector of infected systems the word 3CCBh is found at offset 003Eh.
  • Disk Killer has been detected and cleaned by almost every virus scanner since 1991.
  • An encrypted hard disk can be recovered with a suitable decoding routine. By the beginning of 1990 there were already two shareware tools against Disk Killer and its effects.
    • AntiOgre could locate Disk Killer and remove it from media. Since the original boot sector is preserved by the infection, copying it back is sufficient; with enough low-level knowledge this could also be done by hand. Whether the tool also removed the virus from memory is not known; when booted from a clean and preferably write-protected floppy disk this was not necessary.
    • RestOgre was a tool to restore the encrypted data.
  • According to unconfirmed reports, a bug in the encryption routine makes data recovery impossible in some cases.
  • Rewriting the MBR does not remove the virus body from the disk, although the virus is then no longer loaded at boot. In general, generically overwriting the MBR is rarely an adequate response to a virus; antivirus software is always preferable. As an emergency measure one could boot from a clean floppy disk and run the DOS command SYS. Note that SYS rewrites the DOS boot sector of the target volume, not the master boot record, so on a hard disk whose MBR was modified it is not sufficient on its own.
  • When restoring a hard disk from a backup, be prepared for immediate reinfection from infected media and take appropriate precautions, such as booting from a clean, write-protected floppy disk.
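Both the signature check above (the word 3CCBh at offset 003Eh) and the camouflage of the virus body as defective sectors described under Infection routine can be scripted against a raw floppy image. The following Python is an added example written for this article, not code from AntiOgre or any antivirus vendor. It assumes (the article does not say) that the 3CCBh value is a little-endian 16-bit word, i.e. the bytes CB 3C, and that "marked as defective" means the standard FAT12 bad-cluster marker 0FF7h; the 1.44 MB-geometry image it scans is constructed inline and omits the data area.

```python
"""Forensic checks for Disk Killer on a raw FAT12 floppy image.

Added example for this article; not code from AntiOgre or any vendor.
Assumptions not stated in the article: the 3CCBh value at offset
003Eh is a little-endian 16-bit word (bytes CB 3C), and "marked as
defective" means the FAT12 bad-cluster marker 0FF7h.  The image
scanned below is constructed; its data area is omitted.
"""
import struct
from typing import List

SECTOR = 512
DK_SIG_OFFSET = 0x3E   # offset named in the article
DK_SIG_WORD = 0x3CCB   # value named in the article (assumed little-endian)
FAT12_BAD = 0xFF7      # standard FAT12 bad-cluster marker
BPB_FMT = "<HBHBHHBH"  # bytes/sector, sectors/cluster, reserved sectors, FATs,
                       # root entries, total sectors, media byte, sectors/FAT


def has_disk_killer_signature(boot_sector: bytes) -> bool:
    """Check the boot sector for the signature word the article lists."""
    if len(boot_sector) < DK_SIG_OFFSET + 2:
        return False
    return struct.unpack_from("<H", boot_sector, DK_SIG_OFFSET)[0] == DK_SIG_WORD


def fat12_entry(fat: bytes, cluster: int) -> int:
    """Read the 12-bit FAT entry for `cluster` (entries are packed 1.5 bytes each)."""
    off = cluster + cluster // 2
    val = struct.unpack_from("<H", fat, off)[0]
    return (val >> 4) if cluster & 1 else (val & 0x0FFF)


def fat12_set_entry(fat: bytearray, cluster: int, value: int) -> None:
    """Write a 12-bit FAT entry without disturbing the neighbouring entry."""
    off = cluster + cluster // 2
    val = struct.unpack_from("<H", fat, off)[0]
    if cluster & 1:
        val = (val & 0x000F) | ((value & 0x0FFF) << 4)
    else:
        val = (val & 0xF000) | (value & 0x0FFF)
    struct.pack_into("<H", fat, off, val)


def bad_clusters(image: bytes) -> List[int]:
    """List clusters flagged as bad in the first FAT.  A short run of bad
    clusters on a floppy that was never physically defective is the kind
    of anomaly a Disk Killer infection leaves behind."""
    bps, spc, reserved, nfats, root_entries, total, _media, spf = \
        struct.unpack_from(BPB_FMT, image, 0x0B)
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    n_clusters = (total - reserved - nfats * spf - root_dir_sectors) // spc
    fat = image[reserved * bps:(reserved + spf) * bps]
    return [c for c in range(2, n_clusters + 2) if fat12_entry(fat, c) == FAT12_BAD]


def build_sample_image() -> bytes:
    """Constructed boot sector plus two FATs (1.44 MB geometry), with the
    signature word planted and five consecutive clusters marked bad."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x3c\x90"
    boot[3:11] = b"EXAMPLE "
    struct.pack_into(BPB_FMT, boot, 0x0B, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    struct.pack_into("<H", boot, DK_SIG_OFFSET, DK_SIG_WORD)
    boot[510:512] = b"\x55\xaa"
    fat = bytearray(9 * SECTOR)
    fat[0:3] = b"\xf0\xff\xff"
    for c in range(100, 105):          # five sectors, as the article describes
        fat12_set_entry(fat, c, FAT12_BAD)
    return bytes(boot) + bytes(fat) * 2


if __name__ == "__main__":
    img = build_sample_image()
    print("signature present:", has_disk_killer_signature(img[:SECTOR]))
    print("bad clusters:", bad_clusters(img))
```

On a real image the two checks complement each other: the signature word confirms the loader stub in the boot sector, and the bad-cluster list points at where the 2560-byte body and the saved original boot sector are likely to be.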

Situation around 1990

The number of MS-DOS viruses was still manageable in 1989 and lay in the low three-digit range. At that time the Commodore Amiga was the more popular platform for virus writers; given its spread and the lively exchange and trade of pirated copies, viruses spread even more effectively in the Amiga scene.

Viruses for x86 computers running MS-DOS became more and more common as the platform spread. The most widespread in 1989 were probably the file virus Jerusalem and the boot sector virus Stoned. Most viruses of that time had no deliberately harmful effect, but Disk Killer is one of the destructive ones and was therefore greatly feared by users. For many it was the epitome of the evil data destroyer, although little more than rumours about it were known; this reputation was probably due not least to its dangerous-sounding name, and antivirus vendors accordingly often mentioned Disk Killer in their advertisements. In practice the Jerusalem virus did significantly more damage: it was more widespread and its payload was easier to trigger. Disk Killer's destructive routine fired comparatively rarely, because computers were seldom switched on for two days at a stretch, least of all those of private users. Network servers, on the other hand, were at real risk. It is possible that the author deliberately used workstation users to spread the virus while intending servers as the victims; since the goal was damage, file servers in particular were an effective target.

In 1990 the English computer magazine PC Today caused an incident with the virus. Each issue of the magazine came with a free floppy disk, and the July issue's disk was infected with a copy of Disk Killer. More than 50,000 copies had been sold. According to other sources, 40,000 floppy disks were infected with an inactive version of the virus only: Disk Killer could not spread because of a bug in its infection routine. PC Today launched a recall and tightened its virus protection measures for the future.

In February 1990 the Virus Test Center of the University of Hamburg published its findings on Disk Killer; Morton Swimmer classified and documented the virus.

According to the British specialist magazine Virus Bulletin, the first reports about Disk Killer often carried the rumour that the virus was a completely new development that could not be detected with the technical means then available. That was not confirmed. In January 1993 only one Disk Killer find was reported to the bulletin. The February 1994 issue reported on virus sabotage, citing an older story about a manager who had fired an employee because a mix-up had led him to buy the wrong program. As an unpleasant farewell gift he infected her computer with Disk Killer and left behind a targeted logic bomb.

Disk Killer died out from the mid-1990s for several reasons:

  • Floppy disks lost importance to the CD-ROM.
  • MS-DOS computers became increasingly rare.
  • The NTFS file system began to replace FAT, especially on server systems.
  • The use of antivirus programs became established.

References

  1. https://www.virusbulletin.com/uploads/pdf/magazine/1990/199001.pdf PDF download: Virus Bulletin, January 1990 issue.
  2. https://malware.wikia.org/wiki/Disk_Killer Malware.Wikia: Disk Killer (including hash values).
  3. Executive Guide to Computer Viruses by Charles Ritstein. ISBN 978-1-56806-251-8.
  4. https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Disk%20Killer/detailed-analysis.aspx Sophos.com: virus database, Disk Killer and Disk Killer 2.
  5. A Pathology of Computer Viruses by David Ferbrache. ISBN 978-3-540-19610-5.
  6. https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Evi-Kit/detailed-analysis.aspx Sophos.com: Evi Kit, details.
  7. http://virus.wdfiles.com/local--files/eddie/msdosvir.290 Virus.wdFiles.com: virus catalog from 1990 with an entry on Disk Killer.
  8. https://www.f-secure.com/v-descs/diskkill.shtml F-Secure.com: virus database, entry on Disk Killer.
  9. http://agn-www.informatik.uni-hamburg.de/catalog/msdos/html/disk_kil.htm Informatik.Uni-Hamburg.de: Disk Killer by Morton Swimmer, University of Hamburg (Virus Test Center), February 1990.
  10. Introduction to Personal Computing by Christian Scholz. ISBN 978-3-11-012111-7.
  11. https://web.archive.org/web/20120418185636/http://www.viruslist.com/de/viruses/encyclopedia?chapter=153311162 Viruslist.com: The history of malware, 1990.
  12. https://www.virusbulletin.com/uploads/pdf/magazine/1993/199304.pdf PDF download: Virus Bulletin, April 1993 issue.
  13. https://www.virusbulletin.com/uploads/pdf/magazine/1994/199402.pdf PDF download: Virus Bulletin, February 1994 issue.

External links