Disk Killer Virus


 Virus Name:  Disk Killer 
 Aliases:     Computer Ogre, Disk Ogre, Ogre 
 V Status:    Common 
 Discovered:  April, 1989 
 Symptoms:    Bad blocks; message; BSC; TSR; encryption of disk 
 Origin:      Taiwan 
 Isolated:    Milpitas, California, United States 
 Eff Length:  N/A 
 Type Code:   BRtT - Resident Boot Sector Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, NAV, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV 
 Removal Instructions:  MDisk, F-Prot, NAV, or DOS COPY & SYS 
 
 General Comments: 
       The Disk Killer virus is a boot sector infector that spreads by 
       writing copies of itself to 3 blocks on either a floppy or hard 
       disk.  The virus does not care if these blocks are in use by another 
       program or are part of a file.  These blocks will then be marked as 
       bad in the FAT so that they cannot be overwritten. The boot sector 
       is patched so that when the system is booted, the virus code will be 
       executed and it can attempt to infect any new disks exposed to the 
       system. 
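
The bad-block marking described above leaves a trace a defender can check in the FAT. The following is an added example, not part of the original entry: it lists the clusters flagged bad in a FAT12 floppy image. It assumes the "blocks" the entry mentions show up as FAT12 bad-cluster entries (0xFF7), and the helper names and the sample image are constructed for illustration.

```python
import struct

BAD_CLUSTER = 0xFF7  # FAT12 entry value meaning "bad cluster, do not allocate"

def fat12_get(fat, n):
    """Return the 12-bit FAT entry for cluster n."""
    pair = struct.unpack_from("<H", fat, n + n // 2)[0]
    return pair >> 4 if n & 1 else pair & 0xFFF

def fat12_set(fat, n, value):
    """Store a 12-bit FAT entry (used only to build the sample image)."""
    off = n + n // 2
    pair = struct.unpack_from("<H", fat, off)[0]
    pair = (pair & 0x000F) | (value << 4) if n & 1 else (pair & 0xF000) | value
    struct.pack_into("<H", fat, off, pair)

def bad_clusters(image):
    """List data clusters marked bad in the first FAT of a FAT12 image."""
    # BIOS Parameter Block fields start at byte 11 of the boot sector.
    (bps, spc, reserved, nfats, root_entries,
     total, _media, spf) = struct.unpack_from("<HBHBHHBH", image, 11)
    root_sectors = (root_entries * 32 + bps - 1) // bps
    clusters = (total - reserved - nfats * spf - root_sectors) // spc
    fat = image[reserved * bps:(reserved + spf) * bps]
    # Data clusters are numbered from 2; entries 0 and 1 are reserved.
    return [n for n in range(2, clusters + 2) if fat12_get(fat, n) == BAD_CLUSTER]

def build_sample_image(marked):
    """Constructed 360 KB floppy image with the given clusters marked bad."""
    image = bytearray(720 * 512)
    struct.pack_into("<HBHBHHBH", image, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    fat = bytearray(2 * 512)
    fat[0:3] = b"\xFD\xFF\xFF"          # media descriptor + reserved entry
    for n in marked:
        fat12_set(fat, n, BAD_CLUSTER)
    image[512:512 + len(fat)] = fat     # first FAT copy
    image[1536:1536 + len(fat)] = fat   # second FAT copy
    return bytes(image)

if __name__ == "__main__":
    # Constructed sample: three adjacent clusters flagged bad.
    print(bad_clusters(build_sample_image([120, 121, 122])))
```

Genuine media defects produce the same FAT marks, so a hit is a lead for inspecting the boot sector, not a verdict on its own.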
 
       The virus keeps track of the elapsed disk usage time since initial 
       infection, and does no harm until it has reached a predetermined 
       limit.  The predetermined limit is approximately 48 hours.  (On most 
       systems, Disk Killer will reach its limit within 1 - 6 weeks of its 
       initial hard disk infection.) 
 
       When the limit is reached or exceeded and the system is rebooted, a
       message is displayed identifying COMPUTER OGRE and a date of April
       1st.  It then tells the user to leave the system alone and proceeds
       to encrypt the disk by alternately XORing sectors with 0AAAAh and
       05555h, effectively destroying the information on the disk.  The
       only recourse after Disk Killer has activated and encrypted the
       entire disk is to reformat.
 
       The message text that is displayed upon activation, and that can be
       found in the viral code, is:
 
         "Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89 
 
                                Warning!! 
 
          Don't turn off the power or remove the diskette while Disk Killer 
          is Processing! 
 
                                PROCESSING 
 
          Now you can turn off the power.  I wish you Luck!" 
 
       It is important to note that if the system is turned off immediately
       when the message is displayed, it may be possible to salvage some
       files on the disk using various utility programs, as this virus
       first destroys the boot, FAT, and directory blocks.
 
       Disk Killer can be removed by using McAfee Associates' MDisk or
       CleanUp utility, or the DOS SYS command, to overwrite the boot
       sector on hard disks or bootable floppies.  On non-system floppies,
       files can be copied to non-infected floppies, followed by
       reformatting the infected floppies.  Be sure to reboot the system
       from a write-protected master diskette before attempting to remove
       the virus, or you will be reinfected by the virus in memory.
 
       Note: Disk Killer may have damaged one or more files on the disk
       when it wrote a portion of its viral code to 3 blocks on the disk.
       Once the boot sector has been disinfected as indicated above, these
       corrupted files cannot reinfect the system.  However, they should be
       replaced with backup copies since the 3 blocks were overwritten.
 
       Note: Do not use the DOS DISKCOPY program to back up infected
       diskettes, as the new backup diskettes will contain the virus as well.
