| Alias: | |
| Strain: | --- |
| detected when: | March 1993 |
| where: | USA |
| Classification: | System virus (MBR, FBR infector), memory resident |
| Length: | 1.Length (Byte) on media: 1 Sector 2.Length (Byte) in RAM: 1 kByte |
Preconditions | |
| Operating System(s): | MSDOS |
| Version/Release: | |
| Computer model(s): | IBM PCs and Compatibles |
| Caroname: | Qrry |
Attributes | |
| Easy identification: | Test if bootrec[0]==EBh & bootrec[0170h]==ABCDh |
Type of Infection: | File infection: --- Self-Identification in files: --- System infection: Virus code stored at 27h/01h/09h. Upon booting from an infected disk, virus makes itself memory resident (in hi-memory). Self-Identification in memory: --- Self-Identification on disk: bootrec[0]==EBh & bootrec[0170h]==ABCDh |
| Infection Technique: | |
| Infection Trigger: | If given values in INT 13 registers are found. |
| Storage Media affected: | Hard disk, floppy disks |
| Interrupts hooked: | INT 13/0201 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: overwrites the first 9 sectors of the first 3 tracks on any disk or diskette head that's read from. Transient Damage: --- |
| Damage Trigger: | Permanent Damage: All days in December: Real_Time_Clock_Month == 12 Transient Damage: --- |
| Particularities: | Name "QRRY" is taken from some ASCII characters that happens to appear in virus code; no other obvious characteristic for naming. |
| Similarities: | --- |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | IBM High Integrity Computing Lab, Hawthorne N.Y. |
| Classification by: | David Chess, HICL |
| Documentation by: | David Chess (CAROBase entry) Klaus Brunnstein, VTC Hamburg ( |
| Date: | March 8, 1993 |
| Information Source: | Reverse analysis of virus code |
(c) 1996 Virus-Test-Center, University of Hamburg