ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ VIRUS REPORT ³ ³ Alameda Virus ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Synonyms: Yale, Merritt, Peking, Seoul virus. Date of Origin: Spring, 1987. Place of Origin: Merritt College, Alameda, California. Host Machine: PC compatibles. Does not run on 80286. Host Files: Remains resident. Infects floppy disk boot sector. Increase in Size of Infected Files: n/a. Nature of Damage: Resident. Corrupts or overwrites floppy boot sector. Detected by: Scanv56+, F-Prot, IBM Scan. Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command.. Scan Code: BB 40 00 8E DB A1 13 00 F7 E3 2D E0 07 8E C0 0E 1F 81 FF 56 34 75 04 FF 0E F8 7D. You can also search at offset 00EH for A1 13 00 F7 E3 2D E0 07. History: First discovered at Merritt college in California in the Spring of 1987. In February, 1988, it popped up at Alameda College, where it received large publicity. In October, 1988, it surfaced at Yale University, where it became known as the Yale virus. The original version caused no intentional damage. The original Alameda would only run on an 8088/8086, and was presumably assembled using A86 on such a machine. Because it does not infect hard disks, we may presume that the author's machine did not have one. The original version would not run on an 80286 or an 80386 machine, although it will infect on such a machine. Later versions of the virus can run on an 80286. Description of Operation: The Alameda virus spends its life in the boot sector of 5.25" 360K floppy disks. When the machine boots from an infected 360K floppy, the Alameda becomes memory resident, occupying 1K of memory. It infects 360K floppies in the A: drive only. Pressing Ctrl-Alt-Del activates the virus, rather than removing it from memory. At this point, it looks for a floppy in drive A: to infect. It will infect any 360K disk in that drive, whether or not it is a bootable disk. The original boot sector is held in track thirty-nine, head zero, sector eight. It does not map this sector bad in the FAT (unlike the Brain) and should that area be used by a file, the virus will die. It apparently uses head 0, sector 8 and not head 1 sector 9 because this is common to both single sided and double sided formats and common to both 8-sectored and 9-sectored formats (both the old 160K single sided and later 180K single sided formats). Alameda redirects the keyboard interrupt (INT 09H) to look for Ctrl-Alt-Del sequences. When it detects Ctrl-Alt-Del, it will attempt to infect any floppy it finds in drive A:. The virus is not malevolent. It contains code to format track thirty-nine, head zero, but this has been disabled. It also contains a count of the number of times it has infected other diskettes, although it is referenced for write only and is not used as part of an activation algorithm. The virus remains resident at all times after it is booted, even if the user removes the floppy from a machine having no bootable hard disk, and reboots with Ctrl-Alt-Del. When Ctrl-Alt-Del is pressed from inside Cassette Basic, it activates and infects the floppy from which the user is attempting to boot. Alameda contains no anti-detection mechanisms as does the Brain virus. The Alameda contains a rare POP CS instruction that is not understood by 80286 systems, and hangs the system up. The POP CS command is used to pass control to itself in upper memory. When such a machine hangs, the virus has already installed itself in high RAM and hooked the keyboard interrupt, so that the infection can spread if a warm boot is then performed. Removal: Alameda can not only live through an Ctrl-Alt-Del reboot command, but this is its only means of reproduction to other floppy diskettes. The only way to remove it from an infected system is to turn the machine off and reboot with an uninfected copy of DOS. The Norton utilities can be used to identify infected diskettes by looking at the boot sector and the DOS SYS utility can be used to remove it <197> unlike the Brain. ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º This document was adapted from the book "Computer Viruses", º º which is copyright and distributed by the National Computer º º Security Association. It contains information compiled from º º many sources. To the best of our knowledge, all information º º presented here is accurate. º º º º Please send any updates or corrections to the NCSA, Suite 309, º º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º º and upload the information: (202) 364-1304. Or call us voice at º º (202) 364-8252. This version was produced May 22, 1990. º º º º The NCSA is a non-profit organization dedicated to improving º º computer security. Membership in the association is just $45 per º º year. Copies of the book "Computer Viruses", which provides º º detailed information on over 145 viruses, can be obtained from º º the NCSA. Member price: $44; non-member price: $55. º º º º The document is copyright (c) 1990 NCSA. º º º º This document may be distributed in any format, providing º º this message is not removed or altered. º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ  Downloaded From P-80 International Information Systems 304-744-2253