Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Newsgroups: comp.virus
Subject: Disk Killer Virus (PC)
Message-ID: <0014.8909271119.AA09775@ge.sei.cmu.edu>
Date: 27 Sep 89 01:50:40 GMT
Sender: Virus Discussion List 
Lines: 28
Approved: krvw@sei.cmu.edu

The CVIA has isolated the "Disk Killer" virus after 6 months of work
and over three dozen reports.  The virus activates after a random time
period which varies from a few days to a few months, and when it
activates, it performs a low level format of the hard disk - thereby
destroying itself along with everything else.  As it formats, it
displays the message - "Disk Killer -- Version 1.00 by COMPUTER OGRE.
Don't turn off the power or remove the diskettes while Disk Killer is
processing.  I wish you luck."  The first organization to report this
virus was Birchwood systems in San Jose in early Summer.  Additional
reports were received from Washington, Oklahoma, Minnesota and
Arizona.  We finally isolated it at Wedge Systems in Milpitas
California and discovered that it is a boot sector infector that
infects hard disks and floppies.  The internal messages do not appear
in sector zero, but are stored in sector 152 on floppy disks and an as
yet undetermined location on hard disks.  This had always added to the
confusion over the virus because message remnants were sometimes
discovered in the middle of executable files, and it was assumed that
the virus was a COM or EXE infector.  The virus appears to be very
widespread and everyone should watch out for it.  If your boot sector
does not contain the standard DOS error messages, then immediately
power down and clean out the boot.

(Infected boot sectors begin with FAEB).  This is a nasty virus and
should be treated cautiously.  ViruScan V39 identifies the virus, but
it will not be posted till the 29th due to major revisions in SCAN's
architecture for version 39.

Alan