| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | Master-boot record (HD) infector, DBR (Floppy) infector |
| Length: | 6 kilobyte(s) |
| Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | Display routine assumes colour video |
| Computer model(s): | PCs |
| Caroname: | Joshi |
| Attributes | |
| Easy identification: | |
| Type of Infection: | Boot sector infection. Virus stored in additional track. Selfrec in memory: Broken {??? Apparently buggy attempt at Compares}; Selfrec on disk: Compares |
| Infection Technique: | |
| Infection Trigger: | Int13Read, Int13Write, Int13Verify; INFECTION_CRIT: FloppyDrive = 0 or 1, HardDrive = 128 or 129 |
| Storage Media affected: | Hard disks, diskettes |
| Interrupts hooked: | 13h/02h, 13h/03h, 13h/04h, 13h/0Ah, 13h/0Bh, 21h/48h, 21h/49h, 21h/4Ah, 21h/2Ah, 21h/2Bh, 21h/2Ch, 21h/2Dh, 08h, 09h |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: Screen display; user must type "Happy Birthday Joshi" to regain control of machine. Permanent: None |
| Damage Trigger: | Transient: Month = January and DayOfMonth = 5. Permanent: n/a |
| Particularities: | None. Displayed text: 'Type "Happy Birthday Joshi" !' Joshi is a bulky boot sector virus with read and write stealth. Its hiding place on floppies is an extra track which it formats for the purpose -- except that it assumes that any disc with under 15 sectors per track has only 40 tracks. This means that the "extra" track on 720KB stiffies is actually track 40, so that any data there is wiped out on infection. Joshi stores the Interrupt Vector Table during bootup. It then hooks INT 09h, and watches for Ctrl-Alt-Del. If the 3-finger salute occurs, the virus copies the boot-time IVT back in place and issues an INT 19h, thus attempting to induce a "re-IPL" without a full reboot. The virus is thus apparently able to survive a warm boot -- though this trick crashes many PCs. Joshi also traps INT 08h and uses it to monitor the state of the INT 21h vector during bootup. Once it seems that DOS is up and running, INT 21h is hooked. Thereafter, whenever one of a number of DOS functions is called (memory allocation and date/time services are trapped), the virus checks to see if it is January 5th. If so, the screen is set to 40x25 text mode; a full-screen cyan box pops up and the message 'Type "Happy Birthday Joshi" !' appears. Once this command is obeyed (exactly -- any mistakes in typing and you will have to start over, without any keystroke echo to help you) then control is regained. Ctrl-Alt-Del will not work during the compulsory birthday greetings. |
| Similarities: | |
| Agents | |
| Countermeasures: | |
| Standard means: | |
| Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Paul Ducklin |
| Documentation by: | Paul Ducklin |
| Date: | |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg