Threat Explorer


Kampana


Updated: 13 February 2007
Also Known As: Anti-Tel, Campana, Drug, Holo, Holocaust, Holokausto, Kampana Boot, Spanish Telecom, Spanish Trojan, Telecom, Telecom PT1, Telefonica, Telephonica

Kampana is a boot virus that infects the DOS boot sector of floppy disks and the Master Boot Record (MBR) of the first hard drive (80h).

The boot virus code is two sectors in length and reserves 1 KB of memory by modifying the available-memory word at 40:13. On a computer with 640 KB of available memory, CHKDSK would report 654,336 bytes of free memory.

On the hard drive, the second virus sector and the original MBR are stored on physical sectors 6 and 7 of the infected drive. The virus stores the second virus sector and original DOS boot sector in the last two sectors of the root directory. Unlike the Stoned viruses, Kampana very methodically calculates the correct sectors for floppy disks ranging from 160 KB to 1.44 MB. If Kampana is active in memory, the virus sectors and original MBR sectors are all stealthed on the hard drive. Floppy disk sectors are not stealthed.
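The two checks described above (the 1 KB taken from the top-of-memory word at 40:13, and the original boot sector stored in the last two root-directory sectors of a floppy) can be turned into an offline inspection of a floppy image. The following is an added example written for this page, not Symantec's tool or virus code; the FAT12 image it builds is constructed, and the boot-sector heuristic (JMP opcode plus 55AA signature in a root-directory sector) is an assumption about what a saved original boot sector looks like, not a signature of Kampana.

```python
import struct

SECTOR = 512

def parse_bpb(boot: bytes) -> dict:
    """Read the FAT12 BIOS Parameter Block fields that locate the root directory."""
    bps, spc, reserved, nfats, root_entries, total = struct.unpack_from("<HBHBHH", boot, 11)
    spf = struct.unpack_from("<H", boot, 22)[0]
    return {"bps": bps, "reserved": reserved, "fats": nfats,
            "spf": spf, "root_entries": root_entries, "total": total}

def last_two_root_sectors(bpb: dict) -> tuple:
    """Logical sector numbers of the last two root-directory sectors (any floppy geometry)."""
    root_sectors = (bpb["root_entries"] * 32 + bpb["bps"] - 1) // bpb["bps"]
    root_start = bpb["reserved"] + bpb["fats"] * bpb["spf"]
    last = root_start + root_sectors - 1
    return last - 1, last

def looks_like_boot_sector(sector: bytes) -> bool:
    """Heuristic (assumption): boot sectors start with JMP (EB/E9) and end with 55AA;
    a sector of 32-byte directory entries does neither."""
    return len(sector) == SECTOR and sector[0] in (0xEB, 0xE9) and sector[-2:] == b"\x55\xAA"

def scan_floppy_image(image: bytes) -> dict:
    """Flag an image whose root-directory tail sectors hold boot-sector-like data."""
    a, b = last_two_root_sectors(parse_bpb(image[:SECTOR]))
    hits = [n for n in (a, b) if looks_like_boot_sector(image[n * SECTOR:(n + 1) * SECTOR])]
    return {"root_tail_sectors": (a, b), "suspicious_sectors": hits, "suspicious": bool(hits)}

def memory_reserved_kb(reported_free_bytes: int, installed_kb: int = 640) -> int:
    """KB missing from the 40:13 count; 654,336 bytes on a 640 KB machine gives 1."""
    return installed_kb - reported_free_bytes // 1024

def build_boot_sector_1440k() -> bytes:
    """Constructed clean 1.44 MB FAT12 boot sector (BPB only, no real boot code)."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"
    boot[3:11] = b"MSWIN4.1"
    struct.pack_into("<HBHBHHBH", boot, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    boot[510:512] = b"\x55\xAA"
    return bytes(boot)

def sample_images() -> tuple:
    """Constructed pair: a clean image, and one with the original boot sector
    copied into the last root-directory sector, as the text says the virus does."""
    boot = build_boot_sector_1440k()
    clean = bytearray(boot + bytes(2880 * SECTOR - SECTOR))
    tainted = bytearray(clean)
    _, last = last_two_root_sectors(parse_bpb(boot))
    tainted[last * SECTOR:(last + 1) * SECTOR] = boot
    return bytes(clean), bytes(tainted)
```

On a real disk the saved boot sector is only one of the two tail sectors; the other holds the second virus sector, which this heuristic does not try to recognise.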

Kampana is often classified as multipartite, which means that it infects program files and boot sectors. However, this is not strictly correct. Kampana is a stealth virus and does not infect files, but is dropped by a file virus. For example, there is a file virus strain, Kampana.3700, that infects .com files and drops the Kampana boot-sector virus. However, the Kampana boot virus, in turn, does not infect .com files, as do true multipartite viruses. Moreover, the Kampana file virus is not at all common, while the Kampana boot sector virus is very common.

Each time that an infected hard drive is booted, a counter is incremented. When the counter reaches 401, the virus triggers. The virus then overwrites all sectors on the first and second hard disks with garbage characters. As this is being done, the following message (encrypted on the disk and in memory) is displayed:

Campana Anti-TELEFONICA (Barcelona)

The original Kampana file virus contains more encrypted text that credits a Grupo Holokausto in Barcelona, Spain, with programming the virus, and gives the date 23-8-90 along with a copyright notice. A message in the virus also demands lower phone rates and more service.

Kampana.3445 has three known strains:
  • Kampana.3445 - Drops the Kampana boot virus.
  • Kampana.3770 - Uses polymorphic technology and drops the Kampana boot virus.
  • Kampana.3784 - Drops the Kampana boot virus.


Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

To remove this virus, you need a Rescue Disk set or a Norton AntiVirus Emergency Disk.

To remove the virus using the Rescue Disk set:
If you do not have a current Rescue Disk set, you must create one on an uninfected computer.
  1. Close all programs on the infected computer, and then turn off the power. You must turn off the power to clear memory.
  2. Wait at least 30 seconds, and then:
    • If you have a current set of Rescue Disks that you created before the infection occurred, skip to step 7.
    • If you do not have a current Rescue Disk set, go on to step 3.
  3. On an uninfected computer, install Norton AntiVirus (if it is not already installed).
  4. Run LiveUpdate, and then run a full system scan.
  5. On the NAV toolbar, click Rescue.
  6. Follow the prompts to create a Basic Rescue set. For additional information, see the document How to create or update a Norton AntiVirus rescue disk set when Norton AntiVirus is already installed.
  7. Take the completed Basic Rescue set to the infected computer, and insert the "Basic Rescue Boot Disk" into the floppy disk drive. Restart the computer.
  8. When the Rescue Disk window appears, use the arrow keys on the keyboard to select Norton AntiVirus.

    CAUTION: Make sure that you select Norton AntiVirus when using a Rescue Disk that was created on another computer. Failure to do so could overwrite critical files and cause the computer to fail to start.
  9. On the command line at the bottom of the window, edit the line to read

    navdx /cfg:a /a /doallfiles /repair

    and then press Enter.

    NOTE: This will cause NAV to repair the infected files without prompting. If you want to be prompted when an infected file is found, use the command

    navdx /cfg:a /a /doallfiles /prompt
  10. Follow the prompts, and remove and insert disks as needed. You may need to do this several times. Press Enter after inserting each disk.
  11. When the scan has finished--this could take several hours--the removal process is complete. Remove all disks from the disk drives, and turn off the computer. Wait at least 30 seconds before restarting the computer.

To remove the virus using the Norton AntiVirus Emergency Disk:
The Norton AntiVirus Emergency Disk can either be created from the Norton AntiVirus (NAV) 2001 CD or downloaded from the Symantec FTP site. If you have an Emergency Disk that came supplied with an older version of NAV, we recommend that you create new disks.
  1. Close all programs on the infected computer, and then turn off the power. You must turn off the power to clear memory.
  2. Create a new Emergency Disk. For instructions on how to do this, see the document How to create Norton AntiVirus Emergency Disks.
  3. Take the completed Emergency Disk to the infected computer, and insert it into the floppy disk drive. Restart the computer.
  4. Press any key when prompted, and then follow the prompts.
  5. When the scan has finished--this could take some time--the removal process is complete. Remove all disks from the disk drives, and turn off the computer. Wait at least 30 seconds before restarting.