Giving Old Viruses the Boot

Giving Old Viruses the Boot

Further to my recent post on the venerable (but still out there) Slammer worm, we were asked recently about a real old-timer, a boot-sector infector called Stoned.Angelina. (Oddly enough, I think this was the last BSI reported to me when I was still doing occasional 2nd-line AV support earlier in this decade.) How could such an elderly

Further to my recent post on the venerable (but still out there) Slammer worm, we were asked recently about a real old-timer, a boot-sector infector called Stoned.Angelina. (Oddly enough, I think this was the last BSI reported to me when I was still doing occasional 2nd-line AV support earlier in this decade.) How could such an elderly

Further to my recent post on the venerable (but still out there) Slammer worm, we were asked recently about a real old-timer, a boot-sector infector called Stoned.Angelina. (Oddly enough, I think this was the last BSI reported to me when I was still doing occasional 2nd-line AV support earlier in this decade.) How could such an elderly virus infect a protected system?

For those who may have missed out on this phase of virus pre-history, a BSI infects when a PC is booted with an infected floppy (remember those?) in drive A. (The floppy doesn’t have to be bootable.) Which is why we used to advise people to reconfigure their PC CMOS settings so that the system would boot by default off the hard disk even if there was a floppy disk present – when people made extensive use of the funny little things, it was surprisingly easy to forget there was one still in the floppy drive when you switched off the system.

From a detection point of view, the difficulty is that if the system isn’t initially booting from the hard disk, the infection has already taken place by the time a scanner gets a look-in, and, unfortunately, NT derived systems can present particular problems if a BSI does manage to infect the hard disk.

Because so many systems nowadays are floppy-free zones, we tend not to give much thought to the issue. However, there are clearly still vulnerable systems and infected diskettes out there. If this might apply to you, you might want to consider:

  • Checking CMOS configuration on all systems (especially older systems) and fix any that are still set to boot by default from drive A
  • Doing a little data housekeeping. Floppy disks aren’t the most reliable of media for very long-term storage, and you may want to transfer data that still need to be kept to a more resilient and less risky storage medium.
  • While you’re doing that housekeeping, you might want to take the opportunity to scan those disks with an up-to-date scanner. Certainly I have floppies around here that were probably last checked with scanners that don’t even exist any more.

David Harley
Research Author
ESET LLC

Discussion