Virus Profile: Disk Killer

Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/1/1989
Date Added: 4/15/1989
Origin: Taiwan
Length: Unknown
Type: Virus
Subtype: Boot
DAT Required: 4002

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The virus keeps track of the elapsed disk usage time since initial infection, and does no harm until it has reached a predetermined limit. The predetermined limit is approximately 48 hours. (On most systems, Disk Killer reaches its limit within 1 - 6 weeks of its initial hard disk infection.)

When the limit is reached or exceeded and the system is rebooted, a message is displayed identifying COMPUTER OGRE and a date of April 1st. It then says to leave it alone and proceeds to encrypt the disk by alternately XORing sectors with 0AAAAh and 05555h, effectively destroying the information on the disk. The only recourse after Disk Killer has activated and encrypted the entire disk is to reformat.

The message text that is displayed upon activation, and that can be found in the viral code, is:

"Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89

Warning!!

Don't turn off the power or remove the diskette while Disk Killer is Processing!

PROCESSING

Now you can turn off the power. I wish you Luck!"

It is important to note that when the message is displayed, if the system is turned off immediately, it may be possible to salvage some files on the disk using various utility programs, since this virus destroys the boot, FAT, and directory blocks first.

Methods of Infection

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Aliases

Computer Ogre, Disk Ogre, Ogre

Virus Family Statistics (over the past 30 days)

Virus Name     Infected Files    Scanned Files    % Infected Computers
Disk Killer    4                 8808             0.00

Virus Characteristics

Disk Killer is a destructive, memory resident, Master Boot Record (MBR)/Boot Sector infecting virus. It spreads by writing copies of itself to 3 blocks on either a floppy diskette or hard disk. The virus does not care if these blocks are in use by another file or are part of a file. These blocks are marked as bad in the File Allocation Table (FAT) so that they cannot be overwritten. The MBR is patched so that when the system is booted, the virus code is executed and it can attempt to infect any new diskettes exposed to the system.

Note: Disk Killer may have damaged one or more files on the disk when it wrote a portion of its viral code to 3 blocks on the disk. Once the MBR has been disinfected, these corrupted files cannot reinfect the system; however, they should be replaced with backup copies, since the 3 blocks were overwritten.

Note: Do not use the DOS DISKCOPY command to back up infected diskettes, as the new backup diskettes will contain the virus as well.
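The profile names two on-disk indicators a responder can check without running the infected boot code: the activation message stored in the viral code, and clusters marked "bad" in the FAT so the virus body is not overwritten. The following added example (not McAfee's code, and not a reproduction of the virus) builds a constructed FAT12 floppy image with both indicators planted, then scans it. The message offset, the cluster numbers and the string list are assumptions for illustration; the FAT12 entry encoding and BPB offsets are the standard ones.

```python
import struct

# Standard 1.44 MB FAT12 floppy geometry (not taken from the virus).
BYTES_PER_SECTOR = 512
FAT12_BAD_CLUSTER = 0xFF7          # FAT12 reserved value marking a bad cluster
# Constructed string list: substrings of the activation message quoted in the profile.
DISK_KILLER_STRINGS = [b"COMPUTER OGRE", b"Disk Killer"]


def _fat12_offset(fat_off, n):
    # FAT12 packs 1.5 bytes per entry: entry n starts at byte n + n // 2.
    return fat_off + n + n // 2


def _get_fat12_entry(img, fat_off, n):
    word = struct.unpack_from("<H", img, _fat12_offset(fat_off, n))[0]
    return word >> 4 if n & 1 else word & 0x0FFF


def _set_fat12_entry(img, fat_off, n, value):
    off = _fat12_offset(fat_off, n)
    word = struct.unpack_from("<H", img, off)[0]
    if n & 1:
        word = (word & 0x000F) | (value << 4)
    else:
        word = (word & 0xF000) | (value & 0x0FFF)
    struct.pack_into("<H", img, off, word)


def build_sample_image(bad_clusters=(40, 41, 42), plant_message=True):
    """Constructed 1.44 MB FAT12 image (not a real infected disk image)."""
    total_sectors = 2880
    img = bytearray(total_sectors * BYTES_PER_SECTOR)
    struct.pack_into("<H", img, 0x0B, BYTES_PER_SECTOR)  # bytes per sector
    img[0x0D] = 1                                        # sectors per cluster
    struct.pack_into("<H", img, 0x0E, 1)                 # reserved sectors
    img[0x10] = 2                                        # number of FATs
    struct.pack_into("<H", img, 0x11, 224)               # root directory entries
    struct.pack_into("<H", img, 0x13, total_sectors)     # total sectors
    img[0x15] = 0xF0                                     # media descriptor
    struct.pack_into("<H", img, 0x16, 9)                 # sectors per FAT
    img[0x1FE:0x200] = b"\x55\xAA"                       # boot signature
    if plant_message:
        # Assumed offset 0x100; the real virus's layout is not reproduced here.
        msg = b"Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89"
        img[0x100:0x100 + len(msg)] = msg
    fat_off = 1 * BYTES_PER_SECTOR
    img[fat_off:fat_off + 3] = bytes([0xF0, 0xFF, 0xFF])  # reserved FAT[0], FAT[1]
    for n in bad_clusters:
        _set_fat12_entry(img, fat_off, n, FAT12_BAD_CLUSTER)
    fat_size = 9 * BYTES_PER_SECTOR                     # mirror into the second FAT
    img[fat_off + fat_size:fat_off + 2 * fat_size] = img[fat_off:fat_off + fat_size]
    return bytes(img)


def scan_image(img):
    """Report the two indicators: message strings in sector 0, bad-marked clusters."""
    bps = struct.unpack_from("<H", img, 0x0B)[0]
    spc = img[0x0D]
    reserved = struct.unpack_from("<H", img, 0x0E)[0]
    nfats = img[0x10]
    root_entries = struct.unpack_from("<H", img, 0x11)[0]
    total = struct.unpack_from("<H", img, 0x13)[0]
    spf = struct.unpack_from("<H", img, 0x16)[0]

    boot = img[:bps]
    found = [s.decode() for s in DISK_KILLER_STRINGS if s in boot]

    root_sectors = (root_entries * 32 + bps - 1) // bps
    data_sectors = total - (reserved + nfats * spf + root_sectors)
    n_clusters = data_sectors // spc                    # data clusters start at 2
    fat_off = reserved * bps
    bad = [n for n in range(2, n_clusters + 2)
           if _get_fat12_entry(img, fat_off, n) == FAT12_BAD_CLUSTER]
    return {
        "boot_signature_ok": img[bps - 2:bps] == b"\x55\xAA",
        "signature_strings": found,
        "bad_clusters": bad,
    }


def is_suspicious(report):
    # Either indicator alone warrants a closer look; bad clusters can also be
    # genuine media defects, so treat them as a lead, not a verdict.
    return bool(report["signature_strings"]) or bool(report["bad_clusters"])


if __name__ == "__main__":
    print(scan_image(build_sample_image()))
```

The scanner reads only the BIOS Parameter Block and the first FAT copy, so it can be pointed at a raw image taken from a write-protected diskette without booting it. A short run of consecutive bad-marked clusters on an otherwise healthy diskette, together with the message string, is the combination the profile describes.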

Additional Comments:

Disk Killer is a boot sector infector; its method of spreading, its 48-hour trigger, the activation message and the disk-encryption payload are as described under Indication of Infection and Virus Characteristics above.

Disk Killer can be removed by using McAfee Associates' MDisk or CleanUp utility, or the DOS SYS command, to overwrite the boot sector on hard disks or bootable floppies. On non-system floppies, files can be copied to non-infected floppies, followed by reformatting the infected floppies. Be sure to reboot the system from a write-protected master diskette before attempting to remove the virus, or you will be reinfected by the virus in memory.

Variants

Virus Name          Type     Subtype    Differences
Disk_Killer.1_00    Virus    Boot

Windows 95/98:
Note for Windows 9x systems: during the boot process, a Windows 95-created boot disk will access the hard drive for information. Because of this, an image of the virus may be in memory but not active.

To remove the virus, follow these steps:
- If you use the McAfee emergency disk, press F8 at the "Starting Windows 95" message and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the A:\ prompt, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus-free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.
