Saving History

Following the news last week about laptops being shipped with an old boot sector virus, there have been a number of reports about how well modern security products fare against these old types of threat. Third-party testers have been checking that vendors are able to detect and remove the threat. The testing so far has focused on consumer products, and Sophos had not been tested, so we decided to carry out our own tests.

To find someone with hands-on experience of boot sector viruses we turned to Paul ‘Duck’ Ducklin from Sophos Australia; his findings are as follows (he’s not normally the shy type, I hasten to add).


As you probably know from Mark’s blog entry here: the German supermarket chain Aldi (which operates in many countries outside Germany, including Australia — indeed, their local North Sydney branch is about 60 seconds’ walk from Sophos and is well-patronised by SophosLabs for emergency bulk supplies such as biscuits and ice cream) recently shipped a bunch of laptops with the old-school boot virus “Angelina” on the hard disk.

Since these laptops come with Windows Vista, this begs the question: how to get rid of it? (The virus, I mean, not Vista.)

Good news!

I made an infectious floppy today, and infected a Vista Ultimate image on the PINK network in the lab.

I then installed a standalone SAV7 (7.0.2, virus data 4.21, current version) straight from the installer I had fetched from the internet, and:

1. Ran a default scan of the C: drive.

SAV7 detected and reported the virus on the hard disk.

2. Reconfigured the scan to “automatically clean up items that contain virus/spyware”.

SAV7 detected and reported the virus, and then automatically and correctly disinfected the hard disk.

Errr, that’s that. Good, isn’t it?

So you can use SAV7 to check and fix your Aldi laptop, if you think you might have bought one with this little piece of history on it 🙂

Note: the reference to the ‘PINK’ network refers to the fact that we run separate, controlled networks that isolate malware analysis from the rest of the company. Live malware only ever occurs on the ‘Pink’ network.
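A check to go with Duck’s test, for anyone who wants to verify a cleanup rather than take the scanner’s word for it: dump the first sector of the disk before and after cleaning (on a Linux rescue system, `dd if=/dev/sda of=mbr.bin bs=512 count=1`) and confirm that the partition table survived intact while the boot code actually changed. The Python below is an added example written for this post; it is not Sophos code and not part of SAV7, and the sample sectors it builds are constructed here for illustration (they are not Angelina and not a real Vista MBR).

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_REGION = 446            # bytes 0..445: boot code (plus disk signature on NT systems)
PARTITION_TABLE = slice(446, 510)
SIGNATURE = 0xAA55           # stored little-endian as 55 AA at offset 510


def parse_partition_entry(raw):
    """Decode one 16-byte classic MBR partition entry."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def inspect_mbr(sector):
    """Parse a 512-byte MBR image: signature, partition table and a hash of the code region."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    signature_ok = struct.unpack("<H", sector[510:512])[0] == SIGNATURE
    table = sector[PARTITION_TABLE]
    partitions = [parse_partition_entry(table[i:i + 16]) for i in range(0, 64, 16)]
    return {
        "signature_ok": signature_ok,
        "code_sha256": hashlib.sha256(sector[:CODE_REGION]).hexdigest(),
        "partitions": partitions,
        "bootable_count": sum(p["bootable"] for p in partitions),
    }


def compare_mbrs(before, after):
    """Compare two MBR images (e.g. pre- and post-cleanup) and report what changed.

    A correct disinfection restores the code region (so its hash changes) and
    leaves the partition table byte-for-byte identical; a mangled table would
    mean the cleanup broke the disk even if the virus is gone.
    """
    a, b = inspect_mbr(before), inspect_mbr(after)
    return {
        "code_changed": a["code_sha256"] != b["code_sha256"],
        "table_intact": before[PARTITION_TABLE] == after[PARTITION_TABLE],
        "signature_ok": a["signature_ok"] and b["signature_ok"],
        "after_code_sha256": b["code_sha256"],
    }


# --- constructed sample data: not a real virus and not a real Windows MBR ---
def build_mbr(code, entries):
    """Assemble a sector from a code blob and up to four (status, chs, type, chs, lba, count) tuples."""
    code = code.ljust(CODE_REGION, b"\x00")[:CODE_REGION]
    table = b"".join(struct.pack("<B3sB3sII", *e) for e in entries).ljust(64, b"\x00")
    return code + table + struct.pack("<H", SIGNATURE)


# One bootable NTFS (type 0x07) partition starting at LBA 2048 (hypothetical layout).
NTFS_ENTRY = (0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
# "Clean" boot code: a few plausible x86 bytes (cli; xor ax,ax; mov ss,ax), padded with zeros.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", [NTFS_ENTRY])
# A boot virus replaces the code region but keeps the partition table so the disk still boots.
PATCHED_MBR = build_mbr(b"\xeb\x3c\x90XXXX", [NTFS_ENTRY])

if __name__ == "__main__":
    # Typical use: inspect_mbr(open("mbr_before.bin", "rb").read()) etc.
    print(inspect_mbr(CLEAN_MBR))
    print(compare_mbrs(PATCHED_MBR, CLEAN_MBR))
```

The code-region hash on its own tells you only that something changed; to know the restored code is the *right* code, compare it with the hash of the same sector taken from a freshly installed machine of the same model, or with a sector you captured before infecting the test image, as Duck did on the PINK network.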