Boot Sector Virus Shipped on German Laptops

Juha-Matti Laurio writes "A consignment of laptops from German manufacturer Medion, sold through German and Danish branches of giant retail chain Aldi, have been found to be infected with the boot sector virus 'Stoned.Angelina', first seen as long ago as 1994. The affected notebook models (German language) Medion MD 96290 have been pre-installed with Windows Vista Home Premium and Bullguard anti-virus, which reportedly is unable to remove it. A special removal tool was released to clean the laptops. Aldi has shared the same warning as well. Two years ago several thousands of Creative Zen Neeon MP3 players were shipped with a Windows worm Wullik.B."

Not jut Creative...

[wal9001]

Apple did it too, remember? Cue people whining about how the fanbois ignore Apple's flaws so that they can pretend Creative is satan in 3.... 2.... 1....

Re:

[recoiledsnake]

I think this is a common experience, because of quality control issues and manufacturing being outsourced to contractors. Here Apple talking about iPods shipping with a Windows Virus on it... straight from Apple's site. Click here [apple.com]. Apparently, a contractor was to blame.

Re:

[empaler]

I think this is a common experience, because of quality control issues and manufacturing being outsourced to contractors. Here Apple talking about iPods shipping with a Windows Virus on it... straight from Apple's site. Click here [apple.com]. Apparently, a contractor was to blame.

Apparently, Apple was to blame. I don't really care about whether or not it's an inhouse or an outsourced screwup, when I purchase Apple gear, they've branded the item as theirs. The only exemption from this is if some computer store that sells the iPods has the added service to update the official firmware before selling the ipods as an added service to the customers, and the computer they then hook the iPod up to infects the iPod.

Now that's what I call....

[gandhi_2]

...cutting out the middleman!

stoned.angelina

[Walzmyn]

stoned.angelina is a nasty virus too. If your computer is infected it will download other child viruses with weird names from third world countries.

Re:

[arivanov]

Provided that it does not download the aforementioned third world country security service to beat you up and stuff your new digital camera up your arse that can probably be tolerated..

hah

[Anonymous Coward]

hahah :)
Cant even clean up with their own AV.. Sucks to be them..

Re:

[ettlz]

You need to install a bootloader as well. In fact, just a bootloader should do the trick.

Re:Fix in O(1)-time

[sumdumass]

Not necessarily. It would really depend on what kind of boot sector virus it would be and what specifically it does. You could end up with not being able to see or access any of your partitions or the boot loader could just be loaded on top of a bios overlay that is the boot virus(ie, nothing at all would happen to the virus).

A lot of times the boot sector virus will move the boot sector to another part of the disk and relay the content to itself. It can also mark sectors as bad and thereby hiding it's content. When you install a boot loader, it will actually install to the moved version of the boot sector. I have seen in the past, and I don't remember which one, but a normal Format would erase the portion of the boot sector hiding the code and it would execute again. You would need to boot in a way that the disk wasn't accessed until after you loaded tools to specifically deal with them. Usually an Fdisk/mbr with a regular Fdkisk to rebuild the partitions and then another /mbr to sabotage any chances of left over code being executed. Then a format to the partition and a new OS install. There are tools to redo the disk partitions and format under linux too.

This whole process got more complicated with the logical block addressing and a write cache. The main board is now expecting the drives to represent something different then they actually read in order to maintain compatibility. With a LBA drive, you aren't actually accessing the drive in itself but asking it to access it. It is possible to have the code you are attempting to remove be accessed and running before your tools actually write over it and remove it. Of course once the boot process (boot to floppy/cd) is over, the underlying OS isn't really susceptible to executing the code as it is in the original Bios boot process. But nothing is there to ensure it won't happen. Some of the bad blocks that could be hiding code placed outside the boot sector could be accessed and contain something that is executable in the boot environment you are using.

In all, it is difficult to remove a boot sector virus and retain any information on the disk. What I wrote is a little bit dumbed down of the actual processes that can happen. I have seen claims of boot virus being able to do things even more elaborate but don't know of any in actual existence. I guess I am amazed that in this late in the game, they are still a problem. Almost every anti-virus app should be able to detect and at least disable them. A simple scan of an image waiting to be burned to a hard drive should catch any nasty unwanted things before going into production. Maybe they cannot scan the images now?

Re:

[genmax]

So here's the deal - if you boot off a disk other than the infected one (say an installation CD) and can still read the infected drive (mount it, etc)- then (re-)installing a bootloader should get rid of the virus.

Your boot sector (MBR) has a data section that stores the partition table/drive information for that hard drive/disk and a code section that contains the actual boot loader. A virus could either overwrite only the code section - in which case your data is still readable and the virus can simply be

Re:

[sumdumass]

It really depends. If the boot virus moves the boot code then all you are doing is installing a boot loader. The boot loader installation doesn't go directly for the first sector of the drive as you would believe. It would tell the drive to place it in the boot sector but if the partition mapping has moved it, then it would be the wrong section.

What could happen is that the Jump sequence that moves the drive to executable portion of the MBR which doesn't have to be in the MBR could be over written and place

Re:

[pasamio]

Theres also a program called testdisk that scans the hard drive to recover partition information and rebuild the partition table: http://www.cgsecurity.org/wiki/TestDisk [cgsecurity.org]

Hmm

[Poromenos1]

It doesn't really seem to do anything [symantec.com].

Ouch

[spikedvodka]

Stupid, Stupid, Stupid, Stupid... and in case i didn't mention STUPID...

What was whoever doing on the base image that caused it to become infected? I build system images, and rule #1: Make sure it works cleanly when you're done.

    Somebody's Head
------------------- = Silver platter

(Silly junk character filter, I can't even ASCII Art a silver platter)

So, is this...

[NorQue]

... a Retro-Virus? ;-)

Re:

[ettlz]

Damn, does that mean it has to be run in VM86 mode?

Re:

[spiderbitendeath]

No, Vista just makes it feel like it is.

ALDI-Notebook NOT infected...

[Simon (S2)]

...says ALDI:

Aufgrund vereinzelt anders lautender Pressemitteilungen stellt die MEDION AG klar, dass das ALDI-Notebook nicht mit dem Virus Stoned Angelina ausgeliefert worden ist.

Quick translation: Since there was some Press-noise, MEDION feels the need to say that the ALDI-Notebook is not infected with the Stoned Angelina virus.

Re:

[Anonymous Coward]

Better translation:

Due to isolated press reports to the contrary, MEDION AG clarifies that the ALDI-Notebook has not been being delivered with the virus Stoned Angelina.

Re:

[lordtoran]

Trotzdem ist die Übersetzung sehr viel akkurater. Auch wenn es den englischsprachigen Lesern egal sein dürfte ... dies ist schließlich Slashdot.

Re:

[lordtoran]

Okay, dankend angenommen :-)

Re:

[empaler]

Still not a chance in hell I'll buy a computer from Aldi.

In other news...

[LaminatorX]

Systems shipped by Wal-Mart were found to contain numerous copies of a simple text game where the user imagines an animal and the game asks questions in order to deduce the animal in question. Anti-malware programs no only failed to identify the game as a threat, but were themselves overwritten with the game.

Re:

[EVil Lawyer]

Someone help me get that joke pls?

Re:

[LaminatorX]

Pervading Animal [fourmilab.ch], while a harmless text game for Univac systems, was nonetheless one of the first programs known to self-replicate and distribute in the manner of a Trojan Horse. It was so widespread that there were stories of install tapes coming from the Univac vendor already infected.

The Animal game eventually stopped replicating when there were changes to the Univac filesystem that broke its copy test.

Special removal tool?

[davidwr]

You mean this one [sourceforge.net]?

Thank goodness it wasn't a BIOS trojan.

Isn't Adli a grocery store?

[no_pets]

Isn't Adli a grocery store? WTF is it doing selling PCs? If you buy a PC at the grocery store you deserve to get infected. IMHO

No, it's a supermarket.

[Animaether]

Aldi isn't really a grocery store - they're more like a large convenience store... i.e. supermarket. And yes, they sell PCs and Notebooks from time to time. And no, they're not crap either. Yes, they tend to be near the lower range, but within that lower range, you can get a great deal on them by going through stores like Aldi. The reason for that is simply numbers.. Aldi buys up thousands for a much lower price than a consumer can get. They then sell these at only slightly above the price they themselves paid... the profit on these machines for them is minimal. The additional turnover they get by luring in customers is what they're interested in mostly.

Re:

[abb3w]

Aldi isn't really a grocery store - they're more like a large convenience store... i.e. supermarket.

Ah -- the German equivalent of a Super Wal-Mart or Target.

Yes it is a grocery store...

[thrill12]

... but against super-cheap prices, run by slaves [wikipedia.org](very low wages, very strict time policies on the counters), and selling great deals on a weekly basis (for which great interest exists). Another company that runs pretty much by the same formula is Lidl [wikipedia.org].

Re:

[lordtoran]

Do you know why I don't shop at either Lidl or Aldi? The employees look unhappy there and are unfriendly and that says a lot. I prefer shopping at Real [wikipedia.org]. They have their lineup of el cheapo wares too, and the service is much better.

Not that I would buy a PC at a supermarket, anyway. I recommend buying from smaller specialized retailers, which will also be happy to build a PC by your specifications and with your OS of choice (or no OS at all).

Re:

[KDR_11k]

Do you know why I don't shop at either Lidl or Aldi? The employees look unhappy there and are unfriendly and that says a lot.

I guess that's why Wal-Mart had the "smile or get fired" policy.

Re:

[RogerWilco]

I am writing this on one of those Aldi Medion laptops (now a year old). They do sell electronic hardware too, but something different every week. about 3x year they have a Medion laptop for sale, in between they have a desktop.

These are usually very good value for money. The drawback is that you have no choice, as they only sell one model.
They can be so cheap because of their buying power, there are about 8.000 Aldi stores in Europe, and each gets 15 computers to sell as a minimum, AFAIK. The next week it w

Re:

[runderwo]

ALDI has sold computers since 1987. [homecomputer.de]

Always run DBAN or some other eraser first

[Giro d'Italia]

I always run DBAN on a new system or hard drive, OEM assembled or not. Insist on proper OS installation media and unless it too is defective, you'll be fine. But never, ever, trust a machine setup by anyone else. That's not practical for everyone, but we're all geeks here, installing your OS of choice should be a rite of passage. :)

Re:

[Anonymous Coward]

and what if your driver CD(s) have a virus? After all, one can "set things up themself" and still get backdoored by a printer driver [slashdot.org].

Re:

[DigitAl56K]

That's a bit extreme, isn't it?

DBAN and similar tools are great for erasing data on a hard drive you're loosing physical possession of (for whatever reason), but there's no need to spend hours or days cleaning a disk you've just acquired. If you erase the boot sector and partition information then you have destroyed everything you need to destroy in order to ensure it's "clean" - i.e. as far as the BIOS or OS is concerned there is nothing stored on the disk to load and execute. This can be achieved in just

Bullguard anti-virus

[jmanforever]

My question is: What good is this "Bullguard anti-virus" if it can't even remove a simple virus that is over 10 years old?

Re:

[thatskinnyguy]

It isn't any good. In fact, it's so worthless, it isn't really worth the powder to blow it to Hell!

Efficient!

[fishthegeek]

Now that is efficient! Why email trojans [slashdot.org] to the criminals when you can have them preinstalled by the factory!

I smell a conspiracy.

Where do you get such an old virus?

[wulper]

I mean, without voluntarily looking for it? And how do you get it accidentally on a new PC? Have they stored the bios on infected floppies, or what? Installed DOS first, because the Windows Vista upgrade is cheaper than an OEM version? Tsk, tsk.

Re:

[sumdumass]

During the boot cycle, the bios needs operating parameters outside what is stored in the bios. It could preload them itself but then all operating systems would have to start loading from it and then unload it somewhere along the line. Instead, then allow a small amount boot code to be placed in the boot sector of a drive's media that the OS can control and unload at it's convenience. It also controls disk access outside the limitations of the bios which would allow for larger drives and different file syst

Re:

[petermgreen]

The way a PC boots is that the bios loads a peice of code from the MBR and runs it, it provides this code with services to access hard and floppy drives (no filesystem support just the ability to read and write sectors). What happens from there is up to the OS that put the code in the MBR. In the windows world the MBR code hands off to code in the boot sector of the active partition. That code in turn typically has some form of minimal filesystem support allowing it to read and load the rest of the OS.

Re:

[lordtoran]

Yes, I indeed think the guy who created the image installed DOS and various diagnostic/burn-in-testing tools first from some old infected floppies he had lying around at home. Quite dilettanish, because there are special Linux live CDs that do a better task at such preparations.

Re:

[Cracked Pottery]

I got a hundred of them. Of course a lot them are still on 5 1/4" diskettes. Most of the stoned viruses were comparatively harmless, Disk Killer was a real bastard, kiss bye bye to everything.

Remember the KAK worm. Shut down computers at 5:00 PM on Friday. Something like that. It was spread in an invisible executable signature in Outlook Express. I had a good deal of admiration for that one, and we made a lot of money cleaning it up. Now who would have thought about a script as a signature that copied its

Re:

[lordtoran]

I remember the good old times of DOS bootsector viruses. I had a virus named Tremor that reprogrammed the VGA registers, so from time to time the screen contents would shiver like having a cold, and on some occasions a little Pacman appeared and ate the menu bar of Norton Commander. It was fun until I switched on the PC one day and was greeted with the message "ROM BIOS NOT FOUND" in 40x25 black & white mode.

Re:

[funkatron]

Can I borrow a copy of KAK for the office?

Boot sector virus?

[dwalsh]

How adorably quaint.

so, there's a tool to clean it up, use it

[fadilnet]

If there's a tool to clean it up, then use it. Or just format everything including MBR and get GRUB inside, and boot your fav. distro. (just a thought) And if that virus causes the user (owner of the machine) to lose data (for e.g), there are lawsuits. Next time I buy new stuff, I'll ask - "can you please provide me with a hard drive with a formatted MBR (done in front of me)?" Oh well, if I ask that for an HDD, I may end up with modems without internal firmwares and the tech guy will respond: "okay, you t

Re:

[ettlz]

If there's a tool to clean it up, then use it.

Time to use dd in anger, methinks.

Oblig

[Pykasye]

It's not a bug, it's a feature.

Just imagine if...

[squidguy]

Just imagine if Worst Buy sold these. The Gector Squad would offer a special "new PC tuneup" for an extra hundred clams or so, but then you'd probably get infected by some of the warez they allegedly use to "support" customers. Wait...why am I asking this question? They already do this!

Cool! Preinstalled virus!

[Interested Bystander]

Now I don't have to wait for my daughter to download a virus, it comes preinstalled!

I work at Medion's Hotline

[Anonymous Coward]

As opposed to the above comment, Medion Nordic HAS acknowledged that our laptops have been infected with Stoned.Angelina.

We also have a nice little fix for it, even though it oughtn't have been nescesary to make one in the first place.

But it's always fun to get 3x the amount of calls as normal due to a cock-up like this.

And to be honest - it's an MBR virus. Has no payload, spreads primarily through floppy disks. It's about as dangerous to computers today as diarrhoea [wikipedia.org] is in a western country. Sounds bad, but nothing to worry about.

FDISK

[Reason58]

You used to be able to kill any boot sector virus instantly with "fdisk /mbr", but that command was retired when DOS went away.

Re:

[lordtoran]

From my own experience, many boot sector viruses were tough enough to survive CTRL-ALT-DEL or even a warm reboot via the reset button, so it is imperative to turn the PC completely off after that procedure.

The first time I saw this one

[wuzzerd]

I had to scan and repair about 1000 floppies and write a memo about not taking your work home. The IT manager did not believe that virii existed. Discovered it by looking at the boot sector with debug. The text string:"your PC is stoned", showed up. F-prot saved the day. That particular version of Stoned had a bug which would trash part of the root directory.

I got this virus in early 90's

[smutt]

I remember getting this virus on my 386 in the early 90's. That just goes to show how little things have changed if this virus is still able to infect machines.

remind me

[JustNiz]

never to buy bullguard if it can't even deal with a 14 year old virus.

just be thankful ...

[IchBinEinPenguin]

... that theses weren't "trusted" computers (or TPM or whatever they call them).

At least you're still able to re-format and start from scratch.....