Farewell Angelina

Kurt Wismer (whose blog at http://anti-virus-rants.blogspot.com/ is well worth tracking, by the way) responded to my “Giving Old Viruses the Boot” blog as follows (I’ve only just seen it, hence my re-opening the topic as a fresh blog, rather than as another response to the original blog):

kurt wismer Says:
June 20th, 2008 at 11:39 am
“How could such an elderly virus infect a protected system? ”

‘simple – old viruses never die, they just become too rare to measure their prevalence accurately…’

The question I was trying to answer was actually how an aged BSI (Boot Sector Infector) can be detected post-infection but not pre-infection. In fact there are at least two relevant scenarios: (possibly inadvertent) floppy booting, as mentioned above, and infection earlier in the supply chain, before AV was installed. Most times, the scanner should have picked up the infected boot sector when the diskette was originally accessed, but if the diskette is inserted but never accessed and then left in the drive, that will usually result in an infection.

I suspect, though, that Kurt had in mind the fact that many vendors no longer detect obsolete malware of a certain age, and in fact that does seem to have happened with regard to Stoned.Angelina and the infected Medion laptops of 2007. I can understand why vendors sometimes drop detection for antique zoo viruses (though sometimes this can result in poor performance in detection tests that use large collections of obsolete malware), but there’s clearly an additional risk in dropping detection of malware that was formerly in the wild. (Actually, I’m surprised Angelina hasn’t made a return to the WildList: maybe I blinked and missed it.)

Thanks also to Derek W. for pointing out that “Actually, some BIOS now have a switch for “OS Install” that won’t allow updates to the boot block area unless its set to “Enable”.” Over the years, there’ve also been attempts to do something like this in software, with varying degrees of success. Certainly, though, this seems a useful facility, given that the occasional BSI zombie does continue to come to life. And I won’t even mention MBR-infesting rootkits…

David Harley
Research Author

Author David Harley, ESET

Follow us

Copyright © 2017 ESET, All Rights Reserved.