Disk Killer

Classification

Category: Malware

Type: Virus

Aliases: Disk Killer, Ogre

Summary

Disk Killer is a rather nasty virus that activates once the computer has been turned on for 48 hours. It then displays the following messages on the screen:

Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989 Warning !! Don't turn off the power or remove the diskette while Disk Killer is Processing!
PROCESSING

I hope you will never see this appear - it sure means trouble, namely that the virus has started to encrypt all the data on the hard disk (using a simple XOR method). When finished, the virus will display this message:

Now you can turn off the power I wish you luck !

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

If you see the message shown above, start looking for a recovery program. You can of course reformat the disk and restore everything from a backup, but that is not necessary, because the virus only encrypts the data on the disk and does not actually destroy anything. At least, this seems to have been the author's intention, but there are a few errors in the encryption code which may make recovery impossible.

Like some other boot sector viruses, Disk Killer hides in sectors it marks as "bad" in the FAT. The infection/replication mechanism is very similar to that used by other boot sector viruses, despite some early reports that this virus was somehow more advanced than the rest. On a hard disk, the virus hides in the sectors just before the boot record. Disk Killer is the first boot sector virus that can properly handle sector sizes other than 512 bytes.
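
For an analyst examining a suspect diskette image, the "bad" marks described above can be listed directly from the FAT. The following is an added example, not part of the original description or any F-Secure tool. It assumes a FAT12 volume with an intact BIOS Parameter Block, and it reads the sector size from the image rather than assuming 512 bytes. The sample image and the function names are constructed for illustration.

```python
import struct

BAD_CLUSTER = 0xFF7  # FAT12 value for a cluster flagged as bad

def parse_bpb(boot):
    """Return the BIOS Parameter Block fields needed to walk the first FAT."""
    bps, spc, reserved, nfats, root_entries, total, _media, spf = \
        struct.unpack_from("<HBHBHHBH", boot, 11)
    if 0 in (bps, spc, spf):
        raise ValueError("no usable BPB (overwritten boot sector or not FAT)")
    return bps, spc, reserved, nfats, root_entries, total, spf

def bad_clusters(image):
    """List (cluster, byte offset in image) for every cluster marked bad."""
    bps, spc, reserved, nfats, root_entries, total, spf = parse_bpb(image)
    fat = image[reserved * bps:(reserved + spf) * bps]
    root_sectors = (root_entries * 32 + bps - 1) // bps
    first_data = reserved + nfats * spf + root_sectors
    n_clusters = (total - first_data) // spc
    hits = []
    for n in range(2, n_clusters + 2):
        off = n * 3 // 2                      # FAT12 packs two entries in 3 bytes
        if off + 2 > len(fat):
            break
        pair = fat[off] | (fat[off + 1] << 8)
        entry = pair >> 4 if n & 1 else pair & 0xFFF
        if entry == BAD_CLUSTER:
            hits.append((n, (first_data + (n - 2) * spc) * bps))
    return hits

def make_sample_image(bps, marked):
    """Constructed test floppy: empty FAT12 volume, chosen clusters set bad."""
    spc, reserved, nfats, root_entries, total, spf = 1, 1, 2, 112, 360, 2
    img = bytearray(bps * total)
    struct.pack_into("<HBHBHHBH", img, 11, bps, spc, reserved, nfats,
                     root_entries, total, 0xFD, spf)
    fat_off = reserved * bps
    img[fat_off:fat_off + 3] = b"\xFD\xFF\xFF"   # media byte + reserved entries
    for n in marked:
        off = fat_off + n * 3 // 2
        pair = img[off] | (img[off + 1] << 8)
        pair = (pair & 0x000F) | (BAD_CLUSTER << 4) if n & 1 \
            else (pair & 0xF000) | BAD_CLUSTER
        img[off:off + 2] = struct.pack("<H", pair)
    return bytes(img)

if __name__ == "__main__":
    for bps in (512, 1024):
        print(bps, bad_clusters(make_sample_image(bps, (5, 6, 7))))
```

Old diskettes also carry genuinely bad clusters, so each hit is a region to dump and inspect rather than proof of infection.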