Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Newsgroups: comp.virus Subject: Disk Killer Virus (PC) Message-ID: <0014.8909271119.AA09775@ge.sei.cmu.edu> Date: 27 Sep 89 01:50:40 GMT Sender: Virus Discussion ListLines: 28 Approved: krvw@sei.cmu.edu The CVIA has isolated the "Disk Killer" virus after 6 months of work and over three dozen reports. The virus activates after a random time period which varies from a few days to a few months, and when it activates, it performs a low level format of the hard disk - thereby destroying itself along with everything else. As it formats, it displays the message - "Disk Killer -- Version 1.00 by COMPUTER OGRE. Don't turn off the power or remove the diskettes while Disk Killer is processing. I wish you luck." The first organization to report this virus was Birchwood systems in San Jose in early Summer. Additional reports were received from Washington, Oklahoma, Minnesota and Arizona. We finally isolated it at Wedge Systems in Milpitas California and discovered that it is a boot sector infector that infects hard disks and floppies. The internal messages do not appear in sector zero, but are stored in sector 152 on floppy disks and an as yet undetermined location on hard disks. This had always added to the confusion over the virus because message remnants were sometimes discovered in the middle of executable files, and it was assumed that the virus was a COM or EXE infector. The virus appears to be very widespread and everyone should watch out for it. If your boot sector does not contain the standard DOS error messages, then immediately power down and clean out the boot. (Infected boot sectors begin with FAEB). This is a nasty virus and should be treated cautiously. ViruScan V39 identifies the virus, but it will not be posted till the 29th due to major revisions in SCAN's architecture for version 39. Alan