Virus.Boot.DiskFiller

Class Virus
Platform Boot
Description

Technical Details


This is a very dangerous stealth virus that hits Boot-sectors of
floppy disks and the MBR of hard disks during access. This virus formats an
additional track on the floppy disk (the 40th on 360K size and 80th on 1.2M)
and then puts its code there. After that, the virus mounts its head part into
the boot sector of the floppy, its original contents is practically
unchanged. On a hard disk infection, the virus places its body just after the
MBR. Inside the MBR, it changes the active boot sector address only and sets
this address to the sector containing the beginning of the virus code.


When COMMAND.COM is started, the virus moves itself into the low address
memory area. According to the system time it encrypts and displays the
message:

Haha,v�rus van a g�pben!!
Ez egy eddig m�g nem k�zismert v�rus. De hamarosan az lesz.
A neve egyszer�en t�lt�get�
Ezt a nev�t onnan kapta, hogy felt�lt�geti a FAT-t�bl�t
k�l�nb�z� alakzatokkal.
Ez m�r meg is t�rt�nt !!!

and then “draws” in the FAT sectors the following picture:


****** ******
* ** *
* * * ** * * *
* ** *
* **** ** **** *
* * * *
**** ****

The virus also contains the string “command.com”, hooks INT 13h,1Ch,21h.