Boot Sector Virus Shipped on German Laptops 79
Juha-Matti Laurio writes "A consignment of laptops from German manufacturer Medion, sold through German and Danish branches of giant retail chain Aldi, have been found to be infected with the boot sector virus 'Stoned.Angelina', first seen as long ago as 1994. The affected notebook models (German language) Medion MD 96290 have been pre-installed with Windows Vista Home Premium and Bullguard anti-virus, which reportedly is unable to remove it. A special removal tool was released to clean the laptops. Aldi has shared the same warning as well. Two years ago several thousands of Creative Zen Neeon MP3 players were shipped with a Windows worm Wullik.B."
Not jut Creative... (Score:2, Informative)
Hmm (Score:5, Informative)
ALDI-Notebook NOT infected... (Score:5, Informative)
Quick translation: Since there was some Press-noise, MEDION feels the need to say that the ALDI-Notebook is not infected with the Stoned Angelina virus.
No, it's a supermarket. (Score:4, Informative)
Always run DBAN or some other eraser first (Score:3, Informative)
Re:Always run DBAN or some other eraser first (Score:1, Informative)
Re:Fix in O(1)-time (Score:5, Informative)
A lot of times the boot sector virus will move the boot sector to another part of the disk and relay the content to itself. It can also mark sectors as bad and thereby hiding it's content. When you install a boot loader, it will actually install to the moved version of the boot sector. I have seen in the past, and I don't remember which one, but a normal Format would erase the portion of the boot sector hiding the code and it would execute again. You would need to boot in a way that the disk wasn't accessed until after you loaded tools to specifically deal with them. Usually an Fdisk/mbr with a regular Fdkisk to rebuild the partitions and then another
This whole process got more complicated with the logical block addressing and a write cache. The main board is now expecting the drives to represent something different then they actually read in order to maintain compatibility. With a LBA drive, you aren't actually accessing the drive in itself but asking it to access it. It is possible to have the code you are attempting to remove be accessed and running before your tools actually write over it and remove it. Of course once the boot process (boot to floppy/cd) is over, the underlying OS isn't really susceptible to executing the code as it is in the original Bios boot process. But nothing is there to ensure it won't happen. Some of the bad blocks that could be hiding code placed outside the boot sector could be accessed and contain something that is executable in the boot environment you are using.
In all, it is difficult to remove a boot sector virus and retain any information on the disk. What I wrote is a little bit dumbed down of the actual processes that can happen. I have seen claims of boot virus being able to do things even more elaborate but don't know of any in actual existence. I guess I am amazed that in this late in the game, they are still a problem. Almost every anti-virus app should be able to detect and at least disable them. A simple scan of an image waiting to be burned to a hard drive should catch any nasty unwanted things before going into production. Maybe they cannot scan the images now?
I work at Medion's Hotline (Score:3, Informative)
We also have a nice little fix for it, even though it oughtn't have been nescesary to make one in the first place.
But it's always fun to get 3x the amount of calls as normal due to a cock-up like this.
And to be honest - it's an MBR virus. Has no payload, spreads primarily through floppy disks. It's about as dangerous to computers today as diarrhoea [wikipedia.org] is in a western country. Sounds bad, but nothing to worry about.
FDISK (Score:4, Informative)
Re:Where do you get such an old virus? (Score:2, Informative)