| Alias: | Telefonica.D Virus |
| Strain: | --- |
| detected when: | |
| where: | |
| Classification: | System virus: Boot/MBR infector, memory resident, partly sel |
| Length: | 2 kBytes |
| Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PC's |
| Caroname: | Galicia |
| Attributes | |
| Easy identification: | ID word: V1. Self recognition in memory: 7C B8 (h) at [0:004C] Self recognition on disk: 56 31 (h) at [01B3h] |
| Type of Infection: | System: Upon booting from an infected diskette or disk (MBR), the virus makes itself memory resident at the top of memory (below 640 kBytes) and hooks Int 13h. Disk: After booting from an infected diskette, the memory-resident virus infects the MBR upon the trigger condition; the original MBR is saved. Diskette: Once the virus is memory resident, it infects any uninfected diskette in drive A: or B: upon the trigger condition; the original boot sector is saved. |
| Infection Technique: | |
| Infection Trigger: | System/Memory: booting from an infected disk/diskette. Disk/Diskette: any read (Int 13h) access to a drive other than the current drive. |
| Storage Media affected: | Diskette, Harddisk |
| Interrupts hooked: | Int 13h/02 (Read) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | --- |
| Encoding Method: | |
| Damage: | Transient: At trigger time, the virus displays the message: "Galicia contra =>telefonica!". This text string is stored encrypted in the virus body. Permanent/Disk: Upon the trigger condition, the virus attempts to format the 1st cylinder (track 0/head 0/sector 6); due to a programming error (uninitialised buffer address), this attempt will very probably abort with an error. Permanent/Diskette: Upon infecting a diskette, the virus overwrites track 0/head 1/sector which contains part of the root directory: on 5.25" DD: last sector of root dir; on 5.25" HD: 3rd sector of root dir; on 3.5" DD: 3rd last sector of root dir; on 3.5" HD: 2nd sector of root dir. As the virus does not store this sector elsewhere, parts of the root directory (e.g. entries 16-32 on 3.5" HD) are lost. |
| Damage Trigger: | Transient: IF (May 22) AND (time > 12:00) AND (access to a drive other than the current drive). Permanent/Disk: IF (May 22) AND (time > 12:00) AND (access to a drive other than the current drive). Permanent/Diskette: upon infection of the boot sector. |
| Particularities: | Findviru calls the virus "Telefonica.d", probably due to the displayed text, though the virus has no relation to the Telefonica family. |
| Similarities: | |
| Agents | |
| Countermeasures: | Several current AntiVirus products detect Galicia, essentially under its name; at publication time, only a few AV products (e.g. Kaspersky's AVP) properly clean it from media. |
| Standard means: | Cleaning diskettes: format the infected diskette (MS-DOS >=5.0, DR DOS >=6.0) with /U. Cleaning hard disk: use the DOS FDISK /MBR command to overwrite the virus. |
| Acknowledgements | |
| Location: | 1) BSI/German Information Security Agency, Bonn 2) Virus Tes |
| Classification by: | 1) Hubert Schmitz (GISA V2) 2) Klaus Brunnstein, VTC |
| Documentation by: | 1) Hubert Schmitz (GISA V2) 2) Klaus Brunnstein, VTC |
| Date: | 10-February-1995 |
| Information Source: | CaroBase entry (1) and additional analysis (2), with informa |
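The on-disk identification bytes from the Attributes section and the root-directory damage from the Damage field, worked through in added example code that is not part of the catalog entry: it flags a 512-byte boot sector/MBR image carrying the 56 31h ID word at 01B3h, and maps a CHS address onto the root directory of each diskette format. The DOS geometries of the four formats are assumed here (standard values, not given by the entry), and the sector number used in the usage block, track 0/head 1/sector 3, is derived as the one address consistent with all four root-directory claims under those assumptions; the entry itself omits it.

```python
# Assumed standard DOS geometry of the four diskette formats named in the Damage
# field, as (sectors/track, heads, reserved sectors, FAT copies, sectors per FAT,
# root-directory entries); 512-byte sectors throughout. Not from the catalog entry.
FORMATS = {
    '5.25" DD': (9, 2, 1, 2, 2, 112),
    '5.25" HD': (15, 2, 1, 2, 7, 224),
    '3.5" DD': (9, 2, 1, 2, 3, 112),
    '3.5" HD': (18, 2, 1, 2, 9, 224),
}

SIG_OFFSET = 0x1B3          # on-disk self-recognition offset from the catalog entry
SIG_BYTES = b"\x56\x31"     # 56 31h, the ID word "V1"

def is_galicia_sector(sector: bytes) -> bool:
    """Flag a 512-byte boot sector/MBR image that carries the Galicia ID word at 01B3h."""
    return len(sector) == 512 and sector[SIG_OFFSET:SIG_OFFSET + 2] == SIG_BYTES

def chs_to_lba(cyl: int, head: int, sector: int, spt: int, heads: int) -> int:
    """BIOS CHS address (1-based sector) to linear sector number."""
    return (cyl * heads + head) * spt + (sector - 1)

def root_dir_hit(fmt: str, cyl: int, head: int, sector: int):
    """Which root-directory sector (1-based) a CHS address lands on, how many root
    sectors the format has, and which 32-byte entries (0-based) sit in that sector;
    None if the address is outside the root directory."""
    spt, heads, reserved, fats, spf, entries = FORMATS[fmt]
    root_start = reserved + fats * spf          # root dir follows boot sector and FATs
    root_len = entries * 32 // 512              # 16 entries per sector
    lba = chs_to_lba(cyl, head, sector, spt, heads)
    if not root_start <= lba < root_start + root_len:
        return None
    idx = lba - root_start
    return idx + 1, root_len, (idx * 16, idx * 16 + 15)

# Constructed sample images: a clean MBR-shaped sector and one carrying the ID word.
CLEAN = bytearray(512)
CLEAN[510:512] = b"\x55\xAA"
INFECTED = bytearray(CLEAN)
INFECTED[SIG_OFFSET:SIG_OFFSET + 2] = SIG_BYTES

if __name__ == "__main__":
    print("clean:", is_galicia_sector(bytes(CLEAN)),
          "infected:", is_galicia_sector(bytes(INFECTED)))
    # Track 0/head 1/sector 3 is derived, not from the page: it is the one address that
    # yields last / 3rd / 3rd-last / 2nd root sector for the four formats as listed.
    for fmt in FORMATS:
        print(fmt, root_dir_hit(fmt, 0, 1, 3))
```

For a 3.5" HD diskette the hit is the 2nd of 14 root sectors, holding entries 16-31, which matches the "entries 16-32" loss the entry reports.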
(c) 1996 Virus-Test-Center, University of Hamburg