Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Boot Sector Virus Shipped on German Laptops

Posted by Zonk on Sat Sep 15, 2007 12:16 PM
from the extra-value-for-your-deutschmark dept.
Security Portables Worms Hardware
Juha-Matti Laurio writes "A consignment of laptops from German manufacturer Medion, sold through German and Danish branches of giant retail chain Aldi, have been found to be infected with the boot sector virus 'Stoned.Angelina', first seen as long ago as 1994. The affected notebook models (German language) Medion MD 96290 have been pre-installed with Windows Vista Home Premium and Bullguard anti-virus, which reportedly is unable to remove it. A special removal tool was released to clean the laptops. Aldi has shared the same warning as well. Two years ago several thousands of Creative Zen Neeon MP3 players were shipped with a Windows worm Wullik.B."
+ -
story

Related Stories

Submission: Boot Sector Virus Shipped on German Laptops by Anonymous Coward
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Boot Sector Virus Shipped on German Laptops 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • Apple did it too, remember? Cue people whining about how the fanbois ignore Apple's flaws so that they can pretend Creative is satan in 3.... 2.... 1....
    • I think this is a common experience, because of quality control issues and manufacturing being outsourced to contractors. Here Apple talking about iPods shipping with a Windows Virus on it... straight from Apple's site. Click here [apple.com]. Apparently, a contractor was to blame.

  • Now that's what I call.... (Score:5, Funny)

    by gandhi_2 (1108023) on Saturday September 15 2007, @12:21PM (#20617229) Homepage
    ...cutting out the middleman!

  • stoned.angelina (Score:5, Funny)

    by Walzmyn (913748) on Saturday September 15 2007, @12:22PM (#20617237)
    stoned.angelina is a nasty virus too. If your computer is infected it will download other child viruses with weird names from third world countries.
    • Provided that it does not download the aforementioned third world country security service to beat you up and stuff your new digital camera up your arse that can probably be tolerated..

  • hah (Score:2, Funny)

    by Anonymous Coward
    hahah :)
    Cant even clean up with their own AV.. Sucks to be them..

  • Hmm (Score:5, Informative)

    by Poromenos1 (830658) on Saturday September 15 2007, @12:23PM (#20617263) Homepage
    It doesn't really seem to do anything [symantec.com].

  • Ouch (Score:4, Funny)

    by spikedvodka (188722) on Saturday September 15 2007, @12:24PM (#20617265)
    Stupid, Stupid, Stupid, Stupid... and in case i didn't mention STUPID...

    What was whoever doing on the base image that caused it to become infected? I build system images, and rule #1: Make sure it works cleanly when you're done.

        Somebody's Head
    ------------------- = Silver platter

    (Silly junk character filter, I can't even ASCII Art a silver platter)

  • So, is this... (Score:5, Funny)

    by NorQue (1000887) on Saturday September 15 2007, @12:24PM (#20617275)
    ... a Retro-Virus? ;-)

  • ALDI-Notebook NOT infected... (Score:5, Informative)

    by Simon (S2) (600188) on Saturday September 15 2007, @12:25PM (#20617279) Homepage
    ...says ALDI:

    Aufgrund vereinzelt anders lautender Pressemitteilungen stellt die MEDION AG klar, dass das ALDI-Notebook nicht mit dem Virus Stoned Angelina ausgeliefert worden ist.

    Quick translation: Since there was some Press-noise, MEDION feels the need to say that the ALDI-Notebook is not infected with the Stoned Angelina virus.
  • Systems shipped by Wal-Mart were found to contain numerous copies of a simple text game where the user imagines an animal and the game asks questions in order to deduce the animal in question. Anti-malware programs no only failed to identify the game as a threat, but were themselves overwritten with the game.
    • Someone help me get that joke pls?
      • Pervading Animal [fourmilab.ch], while a harmless text game for Univac systems, was nonetheless one of the first programs known to self-replicate and distribute in the manner of a Trojan Horse. It was so widespread that there were stories of install tapes coming from the Univac vendor already infected.

        The Animal game eventually stopped replicating when there were changes to the Univac filesystem that broke its copy test.

  • You mean this one [sourceforge.net]?

    Thank goodness it wasn't a BIOS trojan.

  • Isn't Adli a grocery store? (Score:5, Funny)

    by no_pets (881013) on Saturday September 15 2007, @12:33PM (#20617337)
    Isn't Adli a grocery store? WTF is it doing selling PCs? If you buy a PC at the grocery store you deserve to get infected. IMHO

    • No, it's a supermarket. (Score:4, Informative)

      by Animaether (411575) on Saturday September 15 2007, @12:39PM (#20617383) Journal
      Aldi isn't really a grocery store - they're more like a large convenience store... i.e. supermarket. And yes, they sell PCs and Notebooks from time to time. And no, they're not crap either. Yes, they tend to be near the lower range, but within that lower range, you can get a great deal on them by going through stores like Aldi. The reason for that is simply numbers.. Aldi buys up thousands for a much lower price than a consumer can get. They then sell these at only slightly above the price they themselves paid... the profit on these machines for them is minimal. The additional turnover they get by luring in customers is what they're interested in mostly.

      • Aldi isn't really a grocery store - they're more like a large convenience store... i.e. supermarket.

        Ah -- the German equivalent of a Super Wal-Mart or Target.

    • ... but against super-cheap prices, run by slaves [wikipedia.org](very low wages, very strict time policies on the counters), and selling great deals on a weekly basis (for which great interest exists). Another company that runs pretty much by the same formula is Lidl [wikipedia.org].
        • Do you know why I don't shop at either Lidl or Aldi? The employees look unhappy there and are unfriendly and that says a lot. I prefer shopping at Real [wikipedia.org]. They have their lineup of el cheapo wares too, and the service is much better.

          Not that I would buy a PC at a supermarket, anyway. I recommend buying from smaller specialized retailers, which will also be happy to build a PC by your specifications and with your OS of choice (or no OS at all).
          • Do you know why I don't shop at either Lidl or Aldi? The employees look unhappy there and are unfriendly and that says a lot.

            I guess that's why Wal-Mart had the "smile or get fired" policy.
    • I am writing this on one of those Aldi Medion laptops (now a year old). They do sell electronic hardware too, but something different every week. about 3x year they have a Medion laptop for sale, in between they have a desktop.

      These are usually very good value for money. The drawback is that you have no choice, as they only sell one model.
      They can be so cheap because of their buying power, there are about 8.000 Aldi stores in Europe, and each gets 15 computers to sell as a minimum, AFAIK. The next week it w

  • Always run DBAN or some other eraser first (Score:3, Informative)

    by Giro d'Italia (124843) on Saturday September 15 2007, @12:40PM (#20617387)
    I always run DBAN on a new system or hard drive, OEM assembled or not. Insist on proper OS installation media and unless it too is defective, you'll be fine. But never, ever, trust a machine setup by anyone else. That's not practical for everyone, but we're all geeks here, installing your OS of choice should be a rite of passage. :)

    • Re: (Score:1, Informative)

      by Anonymous Coward
      and what if your driver CD(s) have a virus? After all, one can "set things up themself" and still get backdoored by a printer driver [slashdot.org].
    • That's a bit extreme, isn't it?

      DBAN and similar tools are great for erasing data on a hard drive you're loosing physical possession of (for whatever reason), but there's no need to spend hours or days cleaning a disk you've just acquired. If you erase the boot sector and partition information then you have destroyed everything you need to destroy in order to ensure it's "clean" - i.e. as far as the BIOS or OS is concerned there is nothing stored on the disk to load and execute. This can be achieved in just
  • My question is: What good is this "Bullguard anti-virus" if it can't even remove a simple virus that is over 10 years old?
  • Now that is efficient! Why email trojans [slashdot.org] to the criminals when you can have them preinstalled by the factory!

    I smell a conspiracy.
  • I mean, without voluntarily looking for it? And how do you get it accidentally on a new PC? Have they stored the bios on infected floppies, or what? Installed DOS first, because the Windows Vista upgrade is cheaper than an OEM version? Tsk, tsk.
    • During the boot cycle, the bios needs operating parameters outside what is stored in the bios. It could preload them itself but then all operating systems would have to start loading from it and then unload it somewhere along the line. Instead, then allow a small amount boot code to be placed in the boot sector of a drive's media that the OS can control and unload at it's convenience. It also controls disk access outside the limitations of the bios which would allow for larger drives and different file syst
      • The way a PC boots is that the bios loads a peice of code from the MBR and runs it, it provides this code with services to access hard and floppy drives (no filesystem support just the ability to read and write sectors). What happens from there is up to the OS that put the code in the MBR. In the windows world the MBR code hands off to code in the boot sector of the active partition. That code in turn typically has some form of minimal filesystem support allowing it to read and load the rest of the OS.

    • Re: (Score:2, Informative)

      by lordtoran (1063300)
      Yes, I indeed think the guy who created the image installed DOS and various diagnostic/burn-in-testing tools first from some old infected floppies he had lying around at home. Quite dilettanish, because there are special Linux live CDs that do a better task at such preparations.
  • How adorably quaint.
  • If there's a tool to clean it up, then use it. Or just format everything including MBR and get GRUB inside, and boot your fav. distro. (just a thought) And if that virus causes the user (owner of the machine) to lose data (for e.g), there are lawsuits. Next time I buy new stuff, I'll ask - "can you please provide me with a hard drive with a formatted MBR (done in front of me)?" Oh well, if I ask that for an HDD, I may end up with modems without internal firmwares and the tech guy will respond: "okay, you t
  • It's not a bug, it's a feature.
  • Just imagine if Worst Buy sold these. The Gector Squad would offer a special "new PC tuneup" for an extra hundred clams or so, but then you'd probably get infected by some of the warez they allegedly use to "support" customers. Wait...why am I asking this question? They already do this!
  • Now I don't have to wait for my daughter to download a virus, it comes preinstalled!

  • I work at Medion's Hotline (Score:3, Informative)

    by Anonymous Coward on Saturday September 15 2007, @01:52PM (#20617863)
    As opposed to the above comment, Medion Nordic HAS acknowledged that our laptops have been infected with Stoned.Angelina.

    We also have a nice little fix for it, even though it oughtn't have been nescesary to make one in the first place.

    But it's always fun to get 3x the amount of calls as normal due to a cock-up like this.

    And to be honest - it's an MBR virus. Has no payload, spreads primarily through floppy disks. It's about as dangerous to computers today as diarrhoea [wikipedia.org] is in a western country. Sounds bad, but nothing to worry about.

  • FDISK (Score:4, Informative)

    by Reason58 (775044) on Saturday September 15 2007, @02:54PM (#20618289)
    You used to be able to kill any boot sector virus instantly with "fdisk /mbr", but that command was retired when DOS went away.
  • I had to scan and repair about 1000 floppies and write a memo about not taking your work home. The IT manager did not believe that virii existed. Discovered it by looking at the boot sector with debug. The text string:"your PC is stoned", showed up. F-prot saved the day. That particular version of Stoned had a bug which would trash part of the root directory.
  • I remember getting this virus on my 386 in the early 90's. That just goes to show how little things have changed if this virus is still able to infect machines.

  • remind me (Score:3, Insightful)

    by JustNiz (692889) on Saturday September 15 2007, @07:13PM (#20620405)
    never to buy bullguard if it can't even deal with a 14 year old virus.
  • ... that theses weren't "trusted" computers (or TPM or whatever they call them).

    At least you're still able to re-format and start from scratch.....
    • You need to install a bootloader as well. In fact, just a bootloader should do the trick.

      • Re:Fix in O(1)-time (Score:5, Informative)

        by sumdumass (711423) on Saturday September 15 2007, @01:42PM (#20617801) Journal
        Not necessarily. It would really depend on what kind of boot sector virus it would be and what specifically it does. You could end up with not being able to see or access any of your partitions or the boot loader could just be loaded on top of a bios overlay that is the boot virus(ie, nothing at all would happen to the virus).

        A lot of times the boot sector virus will move the boot sector to another part of the disk and relay the content to itself. It can also mark sectors as bad and thereby hiding it's content. When you install a boot loader, it will actually install to the moved version of the boot sector. I have seen in the past, and I don't remember which one, but a normal Format would erase the portion of the boot sector hiding the code and it would execute again. You would need to boot in a way that the disk wasn't accessed until after you loaded tools to specifically deal with them. Usually an Fdisk/mbr with a regular Fdkisk to rebuild the partitions and then another /mbr to sabotage any chances of left over code being executed. Then a format to the partition and a new OS install. There are tools to redo the disk partitions and format under linux too.

        This whole process got more complicated with the logical block addressing and a write cache. The main board is now expecting the drives to represent something different then they actually read in order to maintain compatibility. With a LBA drive, you aren't actually accessing the drive in itself but asking it to access it. It is possible to have the code you are attempting to remove be accessed and running before your tools actually write over it and remove it. Of course once the boot process (boot to floppy/cd) is over, the underlying OS isn't really susceptible to executing the code as it is in the original Bios boot process. But nothing is there to ensure it won't happen. Some of the bad blocks that could be hiding code placed outside the boot sector could be accessed and contain something that is executable in the boot environment you are using.

        In all, it is difficult to remove a boot sector virus and retain any information on the disk. What I wrote is a little bit dumbed down of the actual processes that can happen. I have seen claims of boot virus being able to do things even more elaborate but don't know of any in actual existence. I guess I am amazed that in this late in the game, they are still a problem. Almost every anti-virus app should be able to detect and at least disable them. A simple scan of an image waiting to be burned to a hard drive should catch any nasty unwanted things before going into production. Maybe they cannot scan the images now?
        • So here's the deal - if you boot off a disk other than the infected one (say an installation CD) and can still read the infected drive (mount it, etc)- then (re-)installing a bootloader should get rid of the virus.

          Your boot sector (MBR) has a data section that stores the partition table/drive information for that hard drive/disk and a code section that contains the actual boot loader. A virus could either overwrite only the code section - in which case your data is still readable and the virus can simply be
          • It really depends. If the boot virus moves the boot code then all you are doing is installing a boot loader. The boot loader installation doesn't go directly for the first sector of the drive as you would believe. It would tell the drive to place it in the boot sector but if the partition mapping has moved it, then it would be the wrong section.

            What could happen is that the Jump sequence that moves the drive to executable portion of the MBR which doesn't have to be in the MBR could be over written and place

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.