A description of PC viruses and their symptoms - January '91

This document lists the boot sector viruses recognized by F-PROT at the time of writing. Since new viruses are continually appearing, this document will never be completely up to date. A short description of the viruses follows, but it is far from complete.

The list of known Boot Sector Viruses (BSV) now includes:

    Alameda
    Ashar        --> Brain
    Brain
    Chaos        --> Brain
    Den Zuk
    Disk Killer
    E.D.V.
    Fallboot     --> Swap
    Filler
    Form
    Italian      --> Ping-Pong
    Joshi
    Korea
    Lbc          --> Korea
    Musicbug
    New-Zealand
    Ohio         --> Den Zuk
    Ogre         --> Disk Killer
    Pentagon
    Ping-Pong
    PrintScreen
    Stoned       --> New-Zealand
    Swap
    Typo         --> Ping-Pong
    V-1
    Yale         --> Alameda

A few additional boot sector viruses have been reported, but are not recognized by the F-PROT package. They are: Nichols and Missouri. I have not been able to obtain a copy of those two viruses yet. As a matter of fact, it is not even certain that they exist at all, as no virus researcher has a copy of them. F-DRIVER should be able to stop them, but I will update F-DISINF to recognize and remove them if they ever become available.

Now, let's have a look at the viruses mentioned above.

Alameda (Yale)

One of the oldest viruses around. It was first found in California in April '87. It replaces the original boot sector with itself and stores the original boot sector on track 39, head 0, sector 8. This sector is generally not used unless the diskette is almost full.

The first version of the virus contained a POP CS instruction, which only exists on 8088 and 8086 machines. This was "fixed" later, so the virus worked correctly on '286 and '386 machines. Since this virus is so old, several variants have been reported. Some of them are reported to format the hard disk when they have infected a predetermined number of diskettes. All variants of the Alameda virus replicate only when Ctrl-Alt-Del is pressed.

Alameda was probably written on an old IBM PC, by a rather lousy programmer, using the A86 assembler.

Brain

This is the oldest PC virus known, first detected in January '86. Several variants of this virus are known, but most of them are fairly harmless. This virus is rather large and most of it is located in sectors that are marked as "bad" in the FAT.

Before this virus infects diskettes, it looks for a "signature". This makes it possible to "inoculate" against it, just by putting the signature in the correct place in the boot sector. F-INOC does just that.

The Brain virus tries to hide from detection by hooking into INT 13. When an attempt is made to read an infected boot sector, Brain will just show you the original boot sector instead. This means that if you look at the boot sector using F-BOOT or any similar program, everything will look normal if the virus is active in memory.

The major effect of this virus is a (fairly harmless) change of the volume label. It usually becomes

    (c) Brain

but one variant of the virus changes the text into

    (c) ashar

One of the most interesting details regarding the Brain virus is the following text, which appears inside it:

    Welcome to the Dungeon
    (c) 1986 Basit & Amjad (pvt) Ltd.
    BRAIN COMPUTER SERVICES
    730 NIZAB BLOCK ALLAMA IQBAL TOWN
    LAHORE-PAKISTAN
    PHONE :430791,443248,280530.
    Beware of this VIRUS....
    Contact us for vaccination............ $#@%$@!!

In another version of the virus, the text looks like this:

    Welcome to the Dungeon
    (c) 1986 Brain & Amjads (pvt) Ltd.
    VIRUS_SHOE RECORD v9.0
    Dedicated to the dynamic memories of millions of virus who are no longer with us today - Thanks GOODNESS!!
    BEWARE OF THE er..VIRUS :This program is catching program follows after these messeges..... $#@%$@!!

These messages have led to considerable speculation regarding the possible author(s) of the virus. One harmful variant has been reported, which will attack on May 5, 1992, and another, 'Chaos', with different text strings has been reported, but not yet made available for research.

Den Zuk

This virus seems to have been originally written as an anti-virus, designed to seek out and destroy copies of the Brain virus. If it finds a Brain-infected diskette, it will remove the infection and replace it with a copy of itself.

This virus hides on track 40 on diskettes, but normally 360K diskettes only have tracks numbered 0 to 39. This virus does not infect 1.2M or 3.5" diskettes correctly, but will destroy data on them.

The volume label "(c) Brain" on an infected diskette would be changed to "Y∙C∙1∙E∙R∙P". A mysterious string, but with a simple explanation. YC1ERP is the call sign of a radio amateur in Indonesia who is suspected of being the author of "Den Zuk" and "Ohio".

On a computer infected with this virus, pressing Ctrl-Alt-Del will not result in a simple reboot. Instead the text "DEN ZUK" will appear on the screen for a fraction of a second. Then the computer will appear to reboot, but the virus will remain in memory. Pressing Ctrl-Alt-F5 will produce a "true" reboot.

The Ohio virus is presumably an older version of this virus and seems to be written by the same person. Den Zuk will also remove the "Ohio" virus if it is found.

Disk Killer

A recent, rather nasty virus that seems to have originated in the U.S. It contains an infection counter that is incremented each time a new diskette is infected. The virus will activate if the computer has been turned on for 48 hours. It will then display the following messages on the screen:

    Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989
    Warning !!
    Don't turn off the power or remove the diskette while Disk Killer is Processing!
    PROCESSING

I hope you will never see this appear - it sure means trouble, namely that the virus has started to encrypt all the data on the hard disk (using a simple XOR method). When finished, the virus will display this message:

    Now you can turn off the power
    I wish you luck !

If you see this message, start looking for a recovery program. You can of course reformat the disk and restore everything from a backup, but it is not necessary, because the virus only encrypts everything on the disk; it does not destroy anything.

Like many other viruses, Disk Killer hides in sectors it marks as "bad" in the FAT. The infection/replication mechanism is very similar to that used by other boot sector viruses - despite some early reports that this virus was somehow more advanced than the rest. On a hard disk, the virus will hide in the sectors just before the boot record. Disk Killer is the first boot sector virus that is properly able to handle sector sizes other than 512 bytes.

E.D.V.

Most boot sector viruses hide by lowering the amount of RAM visible to the operating system and hiding in the free space they create. E.D.V. is different. It searches for free RAM, starting at E800 and searching downwards. It is also unusual in one other way - on every timer tick it will check if ES or DS point to it - which is possibly the case if a virus-scanning program like F-SYSCHK is running. In this case a HLT instruction is executed - which halts the computer.

Aside from this, the virus is fairly usual. It marks infected diskettes with an "EV" at the end of the boot sector and stores the original boot sector code in the last sector of the last track on 360K diskettes, just like the Yale virus. One encrypted text string is stored inside the virus code:

    That rings a bell,no ? from Cursy

Filler

The Filler virus was first reported in Hungary. It uses the "extra track" method to hide the virus code, storing the rest of the virus code and the original boot sector on track 40. Its effects are not known, but it may affect programs in some way.

Form

This is an unremarkable virus from Switzerland. It is able to infect hard disks as well as floppies, and stores the rest of itself, as well as the original boot sector, on the last track of the disk. It contains the following text:

    The FORM-Virus sends greetings to everyone who's reading this text.
    FORM doesn't destroy data! Don't panic! Fuckings go to Corinne.

Joshi

Joshi is reported to have originated in India. It infects the partition boot sector of hard disks, storing the original, as well as the rest of the virus code, elsewhere on track 0, head 0. Just like the Brain virus, Joshi redirects attempts to read the virus code while it is active in memory.

The virus activates on January 5th of any year and displays the message:

    type Happy Birthday Joshi

Unless the user obeys and types "Happy Birthday Joshi", the system will hang.

Korea

This virus is in some ways similar to the Stoned virus - it is only 512 bytes long and stores the original boot sector at track 0, head 1, sector 3. It may therefore be destructive in the case of 1.2M or 3.5" diskettes. It might even be more dangerous to hard disks, as track 0, head 1, sector 3 often contains a part of the FAT. This virus contains the text string:

    virse program messge Njh to Lbc

New Zealand (Stoned)

Some boot sector viruses, like Den Zuk, can only infect diskettes, but others, like New Zealand, can also infect hard disks, where they replace the Partition Boot Record instead of the Boot Sector. A computer infected with this virus will sometimes display the following message when it starts:

    Your computer is now stoned.

This virus seems to have been designed to be harmless, but due to a mistake, it did not quite work out that way. On an infected diskette, the original boot sector is stored on track 0, head 1, sector 3. This is the last sector of the root directory on a 360K diskette, so this will work unless the root directory contains more than 96 files, which is rather unlikely. Overwriting this sector on a 1.2M diskette is, however, much more likely to cause damage.

Pentagon

This "virus" does not work, so it will not be described here, but with some modifications it could be turned into a working virus. It originated in the Philippines and was sent to the US and UK from there.

Ping-Pong

The Ping-Pong virus (also called "Bouncing Ball" or "Italian") is probably the most common and best known boot sector virus. This virus was first found in Italy in March 1988, but now it is known all over the world. An infected diskette will contain 1K in "bad clusters". When this virus activates, a small "ball" starts bouncing around the screen, but in most cases no serious damage occurs.

There is one small bug in the virus code, which causes a crash on '286 machines (and also V20, '386 and '486). The reason is that the author used the "MOV CS,AX" instruction, which only exists on '88 and '86 processors. However, this has recently been "fixed".

One variant of this virus ("Typo") appeared in Israel. There the effect of the virus has been drastically changed. Instead of displaying a bouncing ball, the virus introduces typing errors in all text going out to the printer.

PrintScreen

This is a very small Boot Sector virus that stores the original boot sector in the last sector of the root directory, just like the Stoned and Korea viruses. It relocates the original INT 13 to INT 6D, which will cause problems with many VGA cards. As the name indicates, the virus will occasionally perform a PrintScreen operation.

Swap

The Swap virus does not really swap anything, so the name is a bit misleading. This boot virus from Israel is unusual in that it does not store the original boot sector anywhere, but instead just overwrites the original boot sector with a short piece of code to load the rest of the virus, which is stored on one of the last sectors on track 39. A similar method is used by the Alameda virus.

When this virus activates it is said to produce a display of falling letters on the screen - similar to the Cascade virus, but I have not seen this effect yet.

V-1

This is a remarkable virus, from a technical point of view, as it is the first one to operate both as a boot sector virus and also as a program virus. As a boot sector virus it is able to infect the partition table on hard disks, storing the original sector on track 0, head 0, sector 4. When infecting diskettes, it will format an extra track, where it stores the original boot sector, as well as the rest of the virus code.

When the virus is executed, it will load itself into memory and monitor the execution of programs. When a non-infected COM file is executed, it will be infected. The virus adds 1253 bytes to all programs it infects.
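Several of the descriptions above point to on-disk traces that can be checked without the virus being active: clusters marked "bad" in the FAT (Brain and Disk Killer hide there, Ping-Pong leaves 1K of them) and an original boot sector stashed in the last root directory sector at track 0, head 1, sector 3 (New Zealand, Korea, PrintScreen). The following Python example is added here and is not part of the original document or of F-PROT; it parses the BPB of a 360K FAT12 diskette image and reports both traces, and the image it runs on is constructed inline rather than taken from a real infected diskette.

```python
import struct

SECTOR = 512

def parse_bpb(boot):
    # BIOS Parameter Block fields needed to locate the FAT and the root directory
    bps, spc, reserved, fats, root_entries, total = struct.unpack_from("<HBHBHH", boot, 11)
    spf, spt, heads = struct.unpack_from("<HHH", boot, 22)
    return dict(bps=bps, spc=spc, reserved=reserved, fats=fats,
                root_entries=root_entries, total=total, spf=spf, spt=spt, heads=heads)

def chs_to_lba(track, head, sector, bpb):
    # Track/head/sector (1-based sector), as given in the descriptions above, to a linear sector
    return (track * bpb["heads"] + head) * bpb["spt"] + (sector - 1)

def fat12_entry(fat, n):
    # 12-bit entries are packed three bytes per pair; 0xFF7 marks a cluster as "bad"
    val = struct.unpack_from("<H", fat, n + n // 2)[0]
    return val >> 4 if n & 1 else val & 0xFFF

def bad_cluster_bytes(img, bpb):
    # Bytes hidden in "bad" clusters: Ping-Pong shows 1K, Brain and Disk Killer more
    fat = img[bpb["reserved"] * bpb["bps"]:][:bpb["spf"] * bpb["bps"]]
    root_sectors = (bpb["root_entries"] * 32 + bpb["bps"] - 1) // bpb["bps"]
    data_start = bpb["reserved"] + bpb["fats"] * bpb["spf"] + root_sectors
    clusters = (bpb["total"] - data_start) // bpb["spc"]
    bad = sum(fat12_entry(fat, n) == 0xFF7 for n in range(2, clusters + 2))
    return bad * bpb["spc"] * bpb["bps"]

def boot_sector_stashed_in_root_dir(img, bpb):
    # New Zealand, Korea and PrintScreen keep the original boot sector at track 0, head 1,
    # sector 3 (last root directory sector on 360K); a directory sector ending in 0x55AA is suspicious
    lba = chs_to_lba(0, 1, 3, bpb)
    sec = img[lba * bpb["bps"]:(lba + 1) * bpb["bps"]]
    return sec[510:512] == b"\x55\xaa"

def make_sample_image():
    # Constructed 360K FAT12 image (not a real infected disk): one bad cluster, stashed boot sector
    img = bytearray(720 * SECTOR)
    img[0:3] = b"\xeb\x3c\x90"
    struct.pack_into("<HBHBHHBHHH", img, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2)
    img[510:512] = b"\x55\xaa"
    fat = bytearray(2 * SECTOR)
    fat[0:3] = b"\xfd\xff\xff"
    fat[7:9] = b"\x70\xff"            # cluster 5 -> 0xFF7 (odd entry: high 12 bits of the word)
    img[SECTOR:3 * SECTOR] = fat      # first FAT copy
    img[3 * SECTOR:5 * SECTOR] = fat  # second FAT copy
    img[11 * SECTOR + 510:11 * SECTOR + 512] = b"\x55\xaa"
    return bytes(img)
```

Since Brain and Joshi return the original sector contents while resident, such a check is only meaningful on an image read after booting from a clean diskette.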