Ibex

Alias:
Strain:	-
detected when:
where:
Classification:	Master-boot record (HD) infector, DBR (Harddisk)- infector ,
Length:	1 kilobyte(s)
Preconditions
Operating System(s):	MS-DOS
Version/Release:	All models
Computer model(s):	PC's
Caroname:	Ibex
Attributes
Easy identification:
Type of Infection:	Bootsector infection. Selfrec in memory: None Selfrec on disk: Bootrec[0x0137]=0x37
Infection Technique:
Infection Trigger:	(BootFromFloppy -> infects HD) (INT13 AX=0201 CX=0001DH=00 DL<80 -> infects floppy)
Storage Media affected:	Harddisks, Disketts
Interrupts hooked:	13/0201
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:	-
Encoding Method:
Damage:	Transient: None Permanent: Writes random junk to every sector of the hard disk.
Damage Trigger:	Transient: None Permanent: INT1A AX=04 -> DL=07 (Seventh of the month), or( INT1A AX=04 -> DL=00 and INT1A AX=00 -> DL<0x10)
Particularities:	The virus resides at the top of memory, reducing the BIOS memory size at 0000:0413. Due to what looks like a bug, this virus, which is designedonly to infect MBRs, will sometimes "infect" the sector attrack 0, sector 1, head 1 on a hard disk (where the os bootrecord often resides). When it does this, it saves the originalcontents of that sector in the next sector (track 0, head 1,sector 2). This will often overwrite the first sector of thepartition's FAT, rendering the filesystem corrupt, and themachine generally unbootable. This, plus the very obviousonce-a-month damage, will probably make this virus too obviousto become really widespread. Displayed text: None Not displayed text: None
Similarities:
Agents
Countermeasures:
Standard means:
Acknowledgements
Location:	Virus Test Center, University Hamburg, FRG
Classification by:	David M. Chess, HICL
Documentation by:	David M. Chess, HICL
Date:	1993/11/09
Information Source:	Carobase-entry (automatic converter by S.Freitag)

Ibex

Preconditions

Attributes

Agents

Acknowledgements