While using ClamWin to scan my NES/Famicom ROMs for malware, I found this strange virus in one of my FDS files:
Code:
Bishojou Sexy Slot (19xx)(Super PIG)[b].fds: Boot.Diskkiller FOUND
After uploading the file on VT I got the following results:
URL: https://www.virustotal.com/fi/file/00571dd8badfd02c9722f4953b51b5d4ee958de987746e5e44bb294fbe561bde/analysis/
Once I opened the file in a hex editor, I found the following text strings:
1) [attached picture, not reproduced]
2) [attached picture, not reproduced]
If the attached pictures are not displayed well enough, these are the actual text strings:
Code:
Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989...Warning !!...Don't turn off the power or remove the diskette while Disk Killer is Processing!.PROCESSING...Now you can turn off the power....I wish you luck !
Code:
Non-System disk or disk error..Replace and strike any key when ready.....Disk Boot failure...IBMBIO COMIBMDOS COM
After some googling, I found some information about the virus; e.g. at http://www.f-secure.com/v-descs/diskkill.shtml
I decided to extract the contents of the disk image by using FDSList 1.2 for Windows. Entering the command 'FDSList "Bishojou Sexy Slot (19xx)(Super PIG)[b].fds" -w' produced the following output:
Code:
DISK ' ' Side A Files 5 Maker $00 Version $00
-----------------------------------------------------
000 $00 'LOADER00' $D000-$DFFF ( 4096) [CODE]
001 $00 'NMI_MASK' $2000-$20FF ( 256) [CODE]
002 $10 'TITLEDAT' $9000-$BD0F (11536) [CODE]
003 $20 'COMMON ' $9000-$CE7F (16000) [CODE]
004 $10 'SEXYSLOT' $6000-$8FFF (12288) [CODE]
-----------------------------------------------------
| 44314 Bytes Used, 21112 Bytes Free, 67Full |
-----------------------------------------------------
DISK ' ' Side A Files 13 Maker $00 Version $00
-----------------------------------------------------
000 $E0 'G_AMI ' $D000-$D95F ( 2400) [CODE]
001 $E1 'G_MAMI ' $D000-$DADF ( 2784) [CODE]
002 $E2 'G_ERI ' $D000-$D9DF ( 2528) [CODE]
003 $E3 'G_EMI ' $D000-$DA5F ( 2656) [CODE]
004 $E4 'G_EMA ' $D000-$DA5F ( 2656) [CODE]
005 $E5 'G_RIE ' $D000-$D9DF ( 2528) [CODE]
006 $E6 'G_MARI ' $D000-$DADF ( 2784) [CODE]
007 $E7 'G_KKS0 ' $D000-$D95F ( 2400) [CODE]
008 $E8 'G_KKS1 ' $D000-$D95F ( 2400) [CODE]
009 $E9 'G_KKS2 ' $D000-$D9DF ( 2528) [CODE]
010 $EA 'G_ENDING' $D000-$DB7F ( 2944) [CODE]
011 $D0 'SEXY VOI' $D000-$D6FF ( 1792) [CODE]
012 $D1 'ENDVOICE' $BE00-$CF4F ( 4432) [CODE]
-----------------------------------------------------
| 35098 Bytes Used, 30328 Bytes Free, 53Full |
-----------------------------------------------------
The file containing the suspicious text strings is "TITLEDAT"...
I tested how ClamWin would react if I copy'n'pasted the text strings above into an empty text file which I would then scan with ClamWin. Much to my surprise, ClamWin flagged the text file as infected even though all that the file contained was the text strings – I did not add any actual malicious code there. Is there any (easy) way of finding out whether the FDS file really carries any dangerous payload? I'm not a programmer at all, and even if I were able to find an "ad-hoc" disassembler, I would have no easy way of telling whether the code really makes any sense.
Of course, I could simply replace all the files that were poisoned with a potentially malicious payload, but it would be interesting to know whether this particular file poses any potential danger – either to a real Famicom (which sounds odd) or to some older systems such as DOS, as the text string suggests that the malware was made way back in 1989... and speaking of that, I wonder why this kind of virus is residing within a Nintendo FDS ROM in the first place. Perhaps the one who infected the file thought that those who are willing to play a game called "Bishojou Sexy Slot" deserve to get hit by malware.
I have attached both "Bishojou Sexy Slot (19xx)(Super PIG)[b].fds" and "TITLEDAT" if you want to tamper with the files.
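An added example, not code from the post and not FDSList's own code: a small Python parser for the .fds layout that reproduces the FDSList-style listing and reports which file, and at what file offset and 6502 load address, contains the quoted text strings. It assumes the standard FDS side layout (a 56-byte disk-info block starting with 0x01 and "*NINTENDO-HVC*", a 2-byte file-count block 0x02, then 16-byte file headers 0x03 each followed by a 0x04 data block; 65500 bytes per side; an optional 16-byte "FDS\x1a" container header). The image it builds is constructed test data laid out like LOADER00, NMI_MASK and TITLEDAT in the first listing above, with the quoted strings planted inside TITLEDAT; it is not the ROM from the post. Running the same substring check over a text file holding only the strings reproduces what the post observed with ClamWin: a match on the strings alone says nothing about whether executable code is present, and pinning the match to a specific PRG file and load address is the first step toward deciding that.

```python
"""Parse a Famicom Disk System (.fds) image, list its files the way FDSList does,
and report which file (and at what offset) contains the quoted text strings.
Constructed example; assumptions about the FDS layout are noted inline."""
import struct

SIDE_SIZE = 65500                      # bytes per disk side in a headerless .fds image
HEADER_MAGIC = b"FDS\x1a"              # optional 16-byte container header
FILE_KINDS = {0: "CODE", 1: "CHR", 2: "VRAM"}   # block-3 "file kind" byte

# Strings quoted from the post's hex dump, used as plain substring signatures
SIGNATURES = [
    b"Disk Killer -- Version 1.00 by COMPUTER OGRE",
    b"Non-System disk or disk error",
]


def parse_side(side: bytes) -> dict:
    """Walk one side: block 1 (disk info), block 2 (file count), then pairs of
    block 3 (16-byte file header) and block 4 (file data)."""
    if side[0] != 0x01 or side[1:15] != b"*NINTENDO-HVC*":
        raise ValueError("missing disk-info block: not an FDS side")
    info = {"game": side[16:19].decode("ascii", "replace"),
            "side": side[0x15], "declared_files": None, "files": []}
    pos = 56
    if side[pos] != 0x02:
        raise ValueError("expected file-count block after disk info")
    info["declared_files"] = side[pos + 1]
    pos += 2
    # Keep reading while a file header follows: a side may hold more files
    # than the declared count, and the listing above shows all of them.
    while pos + 17 <= len(side) and side[pos] == 0x03:
        number, file_id = side[pos + 1], side[pos + 2]
        name = side[pos + 3:pos + 11].decode("ascii", "replace")
        load, size = struct.unpack_from("<HH", side, pos + 11)
        kind = side[pos + 15]
        pos += 16
        if side[pos] != 0x04:
            raise ValueError(f"file {number}: header not followed by a data block")
        data = side[pos + 1:pos + 1 + size]
        info["files"].append({"number": number, "id": file_id, "name": name,
                              "load": load, "size": size, "kind": kind,
                              "data": data, "side_offset": pos + 1})
        pos += 1 + size
    return info


def parse_image(image: bytes) -> list:
    """Strip the optional header and parse every 65500-byte side in the image."""
    if image[:4] == HEADER_MAGIC:
        image = image[16:]
    return [parse_side(image[i:i + SIDE_SIZE])
            for i in range(0, len(image), SIDE_SIZE)]


def format_entry(f: dict) -> str:
    """One listing line in FDSList's layout, e.g. 002 $10 'TITLEDAT' $9000-$BD0F (11536) [CODE]."""
    end = f["load"] + f["size"] - 1
    return (f"{f['number']:03d} ${f['id']:02X} '{f['name']}' "
            f"${f['load']:04X}-${end:04X} ({f['size']:5d}) [{FILE_KINDS.get(f['kind'], '?')}]")


def scan_files(files: list, signatures=SIGNATURES) -> list:
    """Return (file name, signature, offset in file, 6502 load address of the
    match) for every signature found in a file's data. Works on any dict with
    'name', 'load' and 'data', so a plain text file can be checked the same way."""
    hits = []
    for f in files:
        for sig in signatures:
            off = f["data"].find(sig)
            if off != -1:
                hits.append((f["name"], sig.decode(), off, f["load"] + off))
    return hits


def build_side(game: bytes, files: list, side_no: int = 0) -> bytes:
    """Assemble a synthetic side from (id, name, load, kind, data) tuples."""
    blk1 = bytearray(56)
    blk1[0] = 0x01
    blk1[1:15] = b"*NINTENDO-HVC*"
    blk1[16:19] = game[:3].ljust(3, b" ")
    blk1[0x15] = side_no
    out = bytearray(blk1) + bytes([0x02, len(files)])
    for num, (file_id, name, load, kind, data) in enumerate(files):
        out += bytes([0x03, num, file_id]) + name.ljust(8)[:8].encode("ascii")
        out += struct.pack("<HH", load, len(data)) + bytes([kind]) + b"\x04" + data
    return bytes(out.ljust(SIDE_SIZE, b"\x00"))


def sample_image() -> bytes:
    """Constructed image laid out like the first side in the post's listing,
    with the quoted strings planted in TITLEDAT (not the ROM from the post)."""
    title = bytearray(b"\xea" * 11536)           # 0xEA = 6502 NOP, filler only
    title[0x800:0x800 + len(SIGNATURES[0])] = SIGNATURES[0]
    title[0xA00:0xA00 + len(SIGNATURES[1])] = SIGNATURES[1]
    side = build_side(b"SEX", [
        (0x00, "LOADER00", 0xD000, 0, b"\xea" * 4096),
        (0x00, "NMI_MASK", 0x2000, 0, b"\xea" * 256),
        (0x10, "TITLEDAT", 0x9000, 0, bytes(title)),
    ])
    return HEADER_MAGIC + bytes([1]) + bytes(11) + side


if __name__ == "__main__":
    for side in parse_image(sample_image()):
        print(f"DISK '{side['game']}' Side {'AB'[side['side']]} Files {side['declared_files']}")
        for f in side["files"]:
            print(format_entry(f))
        for name, sig, off, addr in scan_files(side["files"]):
            print(f"  {name}: {sig!r} at file offset ${off:04X} (load address ${addr:04X})")
```

To run it against a real image, replace `sample_image()` with the bytes of the .fds file; the listing should then line up with FDSList's output, and each hit names the file (TITLEDAT in the post's case) plus the offset where the string sits. Because `scan_files` only looks for substrings, feeding it a dict whose `data` is a plain text file containing the strings produces a hit too, which is exactly the behaviour the post saw from ClamWin on the empty-text-file test.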