Virus.Multi.JumpBoot

Class: Virus
Platform: Multi
Description

Technical Details


This is a very dangerous memory-resident multipartite virus. When an
infected file is executed, the virus infects the MBR of the hard drive and
returns control to DOS. When the system boots from an infected disk, the
virus copies itself into the Interrupt Vector Table, hooks INT 13h and
stays memory resident. The virus acts as a stealth virus when the infected
MBR is accessed.


When sectors are written to floppy disks, the virus checks the first byte
of the sector. If that byte is a JMP opcode (E9h or EBh), the virus
overwrites that sector with its code. As a result, COM files that begin
with a JMP instruction are overwritten with a copy of the virus when they
are copied to a floppy disk. When overwriting a sector, the virus does not
check whether that sector is the beginning of a file, so it can also write
its copy into the middle of a file. After infecting any file, the virus
disables its infection routine and does not infect further files until the
next reboot.