Our experience with the NYB virus...

John Feras (jferas@netaxs.com)
Sat, 13 Apr 1996 17:32:12 -0400 (EDT)

As you may have already read on Max Mansour's excellent new OmniGo web
page (see http://www.nfi.com/~mans19/omnigo/omnigo.html),
he recently discovered a "boot record" virus on the IZL developer's
package 3.5" floppy diskette that he recently purchased from us. This came
as quite a surprise to us here at FIT, as we have been regularly scanning
our systems to avoid exactly this situation. So, feeling victimized and
somewhat outsmarted by a 512 byte chunk of machine code, we thought we'd
share our experience.

We'll begin at the end of the story:

We believe that our infection by the NYB (New York Blues) virus was short
term, and that you could only have received the virus from us if you
purchased the IZL developers package from us AND IT WAS SHIPPED IN THE LAST

Even if you did get a floppy from us in that time frame, THE ONLY WAY THAT
FROM OUR UN-BOOTABLE FLOPPY. The virus is a boot sector virus, meaning it
resides in the section of the disk that is read and executed as the computer
is turned on. If you only copied files from our distribution disk to your
hard drive for ultimate download to your OmniGo, and did not attempt
(purposefully or accidentally) to boot from our floppy, your computer would
not become infected. The virus has no effect on the OmniGo, only the
machine you use to load software onto the OmniGo.

Even though our floppy is not bootable, the act of attempting to boot the
machine from the floppy would allow the virus to execute as the boot code,
and in the instant that the error "Non-system disk" was displayed, the virus
would have infected the hard drive.

The virus is read into memory (BUT NOT EXECUTED) by the act of reading the
floppy to copy files to the hard drive, since this causes the partition table
to be read. Even though this reads it into memory, since a boot attempt
doesn't occur, the virus does not get to run to infect the machine.

How we acquired the virus, and why it is so hard to detect:

The NYB is a "stealth" virus, which means that when your machine is infected,
it intercepts reads of the boot sector and makes it appear as though your
boot sector is healthy. It cannot mask its existence in main memory, however,
or on the boot sector of a floppy.

We acquired the virus from a client site where we do some software consulting.
The organization believed themselves to be totally clean, as they were using
a very recent version of McAfee on their Windows for Workgroups machines.

Infection by the virus is not obvious; on some machines it makes it appear
as though your second or third drive is not present. In machines with only
a single hard drive, the system will simply "hang" at random times, in a
state that only a re-boot will clear.

We were infected on March 18, and our regular scanning with MS anti-virus
failed to find NYB. We received email from Max Mansour on April 6th, and
immediately found another virus scanner (ALERT from Look Software, contact
sales@look.achilles.net for more info), detected the virus and removed it.

Removal of the virus is not difficult at all, once discovered. After booting
your PC from a known clean MS-DOS floppy, the following command will write
a clean boot sector to the hard drive:


In summary, we'd like to thank Max Mansour for making us aware
of this problem, and although we believe that we shipped only a few disks
containing the virus, we extend our sincere apologies to anyone who may have
acquired it from us.

We continue to be excited about the OmniGo and GEOS (on all present and
future platforms), and will be expanding the capabilities of IZL, as well as
working to broaden the list of GEOS software titles.


John Feras              Personalize your OmniGo, Zoomer, or GEOS desktop
                         with IZL, from Feras Information Technologies (FIT)
jferas@netaxs.com       Software that FITs in the palm of your hand.

Visit our IZL web page: http://www.netaxs.com/~jferas/izl.htm
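The message above explains that a boot sector virus lives in the 512-byte sector that holds the boot code and the partition table, and that a resident stealth virus hides it from reads of the hard drive but cannot hide it on a floppy. The following added example (my own illustration, not code from John Feras or FIT) parses such a sector, separates the executable region from the partition table, and compares a fingerprint of the boot code against one recorded from a known-clean disk, which is exactly the check one would run on a distribution floppy before shipping it. The sample sectors, the boot code bytes and the partition layout are constructed placeholders, not a real boot loader or a real disk image, and the check is only meaningful when run from a clean boot, as the post notes.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # partition table starts after the boot code
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511 of a valid boot sector

def parse_boot_sector(sector: bytes) -> dict:
    """Split one 512-byte MBR into boot code, four partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:TABLE_OFFSET], "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def boot_code_fingerprint(sector: bytes) -> str:
    """Hash only the executable region; the partition table legitimately differs per disk."""
    return hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest()

def matches_baseline(sector: bytes, known_good: str) -> bool:
    """True when the sector has a valid signature and its boot code matches the baseline."""
    return parse_boot_sector(sector)["signature_ok"] and boot_code_fingerprint(sector) == known_good

def make_sector(boot_code: bytes, partitions) -> bytes:
    """Build a constructed sample sector (placeholder bytes, not a real disk image)."""
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\0\0\0",
                                 ptype, b"\0\0\0", lba, count)
                     for bootable, ptype, lba, count in partitions)
    return boot_code.ljust(TABLE_OFFSET, b"\0") + table.ljust(64, b"\0") + BOOT_SIGNATURE

# Constructed samples: identical partition table, only the boot code region differs.
LAYOUT = [(True, 0x06, 63, 204800)]                        # one FAT16 partition at LBA 63
CLEAN_SECTOR = make_sector(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB", LAYOUT)
CLEAN_FINGERPRINT = boot_code_fingerprint(CLEAN_SECTOR)    # recorded from the clean disk
TAMPERED_SECTOR = make_sector(b"\xEB\x1C\x90\x00\x00\x00\x00\x00\x00", LAYOUT)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR)):
        print(name, "matches baseline:", matches_baseline(sec, CLEAN_FINGERPRINT))
```

On a real disk the first 512 bytes would come from a raw device read made under a clean boot; an intact partition table with changed boot code is the pattern to look for, since the disk still works normally.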