Quox

Alias:
Strain:-
detected when:
where:
Classification: Master boot record (HD) infector, DBR (floppy) infector
Length: 1 kilobyte(s)

Preconditions

Operating System(s): MS-DOS
Version/Release: None
Computer model(s): PCs
Caroname: Quox

Attributes

Easy identification:

Type of Infection:

Boot sector infection. Virus stored in additional track.
Selfrec in memory: Top[0..Ah] = FAh 33h C0h 8Eh D0h BCh 00h 7Ch FBh EBh 2Ch
Selfrec on disk: (M,F)BR[0..Ah] = FAh 33h C0h 8Eh D0h BCh 00h 7Ch FBh EBh 2Ch

Infection Technique:
Infection Trigger: Int13Read, Int13Write
INFECTION_CRIT: (Track.Head.Sector) = 0.0.1 and (Drive in [0,1,128])
DiscMediaByte <> F6h
Storage Media affected: Hard disks, diskettes
Interrupts hooked: 13h/02, 13h/03
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage: Transient: None; Permanent: None
Damage Trigger: Transient: n/a; Permanent: n/a
Particularities: n/a
Displayed text: None
Not displayed text: None

Quox doesn't infect the hard drive during the execution of the viral bootstrap code. Instead, any disc which is infected gets hit after INT 13h is trapped and 0.0.1 is accessed.

When a hard drive is hit, the virus moves the old MBR to 0.0.X, where X is the low 16 bits of the relative_sectors field (MBR[1C6h..1C7h]) of the first partition table entry. Often, this happens to correspond to the first physical partition on the disc, and this first physical partition happens to start at 0.1.1. In such a case, the relative_sectors field thus contains a number equal to the number of sectors per track, so the virus drops the old MBR with relative safety at the very end of Track 0 Head 0. If the above assumption is false, however, problems may occur.
Similarities:
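
An added example (not part of the original catalog entry): a Python check of a raw track-0 image for the self-recognition bytes listed above, which also computes the relocation sector X described under Particularities and looks there for the displaced MBR. It assumes the partition table is still readable in sector 0.0.1 of an infected disc, which the entry does not state; `check_track0` and `make_sample` are hypothetical names and the sample image is constructed.

```python
import struct

SECTOR = 512
# Self-recognition bytes (M,F)BR[0..Ah] as listed in the catalog entry.
QUOX_SIG = bytes.fromhex("FA33C08ED0BC007CFBEB2C")
REL_SECT_OFF = 0x1C6  # relative_sectors field of the first partition entry


def check_track0(image, sectors_per_track):
    """Inspect a raw image of track 0, head 0 (sector 0.0.1 comes first)."""
    if len(image) < SECTOR:
        raise ValueError("image shorter than one sector")
    mbr = image[:SECTOR]
    infected = mbr[:len(QUOX_SIG)] == QUOX_SIG
    # X = low 16 bits of relative_sectors, stored little-endian.
    x = struct.unpack_from("<H", mbr, REL_SECT_OFF)[0]
    # CHS sector numbers are 1-based and sector 1 is the MBR itself, so the
    # relocation target stays inside track 0 only when 2 <= X <= sectors/track.
    slot_in_track0 = 2 <= x <= sectors_per_track
    saved = None
    if infected and slot_in_track0:
        cand = image[(x - 1) * SECTOR:x * SECTOR]
        # Accept the candidate only if it looks like a boot record (55h AAh
        # at offset 510) and does not itself start with the Quox bytes.
        if (len(cand) == SECTOR and cand[510:] == b"\x55\xaa"
                and cand[:len(QUOX_SIG)] != QUOX_SIG):
            saved = cand
    return {"infected": infected, "x": x,
            "slot_in_track0": slot_in_track0, "saved_mbr": saved}


def make_sample(spt, rel_sectors, infected):
    """Constructed test image: inert sectors, no virus code beyond the 11 bytes."""
    clean = bytearray(SECTOR)
    clean[:3] = b"\xeb\x3c\x90"                      # placeholder boot bytes
    struct.pack_into("<I", clean, REL_SECT_OFF, rel_sectors)
    clean[510:] = b"\x55\xaa"
    img = bytearray(spt * SECTOR)
    img[:SECTOR] = clean
    x = rel_sectors & 0xFFFF
    if infected:
        img[:len(QUOX_SIG)] = QUOX_SIG               # assumption: table kept in 0.0.1
        if 2 <= x <= spt:
            img[(x - 1) * SECTOR:x * SECTOR] = clean
    return bytes(img)


if __name__ == "__main__":
    r = check_track0(make_sample(17, 17, True), 17)
    print(r["infected"], r["x"], r["slot_in_track0"], r["saved_mbr"] is not None)
```

When `slot_in_track0` is false on an infected disc, the entry's "problems may occur" case applies: 0.0.X is not a sector inside track 0, so the original MBR has to come from a backup rather than from the relocation slot.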

Agents

Countermeasures:
Standard means:

Acknowledgements

Location: Virus Test Center, University Hamburg, FRG
Classification by: Paul Ducklin
Documentation by: Paul Ducklin
Date:
Information Source: Caroentry (autom. converter by S. Freitag)

(c) 1996 Virus-Test-Center, University of Hamburg