| Alias: | |
| Strain: | |
| detected when: | July 1993 |
| where: | USA |
| Classification: | System virus (MBR,FBR infector), memory resident |
| Length: | Length (bytes) on media: 1 (or 0) sector; length (bytes) in RAM: 1 kByte |
| Preconditions | |
| Operating System(s): | MSDOS |
| Version/Release: | |
| Computer model(s): | IBM PCs and Compatibles |
| Caroname: | Rm |
| Attributes | |
| Easy identification: | Text in virus: "RMBDRMCC B WRM" |
| Type of Infection: | File infection: ---; Self-identification in files: ---; System infection: upon booting from infected media, the virus makes itself memory resident (high memory). By manipulating INT 13, the virus hides its presence in memory (stealth mechanism). Self-identification in memory: none; Self-identification on disks: none |
| Infection Technique: | |
| Infection Trigger: | MBR of drive 80 is infected on every boot from an infected diskette or hard disk. Diskette boot records are infected on any INT13 read or write. |
| Storage Media affected: | Hard disk, floppy disks |
| Interrupts hooked: | INT 13/02, 13/03 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: 1) Overwrites 0x0E sectors, starting at sector 4, of some tracks on cylinder 0. 2) Side effects: Infected diskettes will not have a valid BPB, and will often not be readable at all. When a machine is booted from an infected diskette, the virus will infect the hard disk, and then boot from the bootable partition on the hard disk! (Rather than booting from diskette.) Transient Damage: --- |
| Damage Trigger: | Permanent Damage: 1) If INT13 AND (AH=02 or AH=03) AND (0040:0071 & 0x80 set) [The BIOS "break" bit, high bit of 0040:0071, is set during an INT13 read or write] 2) --- Transient Damage: --- |
| Particularities: | 1) Hard disk required, even to boot from an infected floppy. 2) Very unusual infection methods, in that it saves neither original MBR of hard disks nor original DBR of diskettes. Instead, it contains essentially all of the code from the normal MBR, and uses that to boot the system. Even when booting from an infected floppy, virus reads MBR of hard disk, copies partition table, and (after infecting of hard disk) uses MBR code to boot from hard disk. 3) Meaning of text "RMBDRMCC B WRM" unclear. |
| Similarities: | --- |
| Agents | |
| Countermeasures: | |
| Standard means: | |
| Acknowledgements | |
| Location: | IBM High Integrity Computing Lab, Hawthorne N.Y. |
| Classification by: | David Chess, HICL |
| Documentation by: | David Chess (CAROBase entry) Klaus Brunnstein, VTC Hamburg ( |
| Date: | 6-July-1993 |
| Information Source: | Reverse analysis of virus code |
(c) 1996 Virus-Test-Center, University of Hamburg