| Alias: | RMBD |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | Master-boot record (HD) infector, DBR (Floppy)- infector, re |
| Length: | 1 kilobyte(s) |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | Hard disk required, even to boot from an infected floppy |
| Computer model(s): | PC's |
| Caroname: | RM |
Attributes | |
| Easy identification: | |
Type of Infection: | |
| Infection Technique: | |
| Infection Trigger: | MBR of drive 80 is infected on every boot from aninfected diskette or hard disk. Diskette boot records areinfected on any INT13 read or write. |
| Storage Media affected: | Harddisks, Disketts |
| Interrupts hooked: | 13/02, 13/03 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: - Permanent: Overwrites 0x0E sectors, starting at sector 4, ofsome tracks on cylinder 0. |
| Damage Trigger: | Transient: - Permanent: INT13 and (AH=02 or AH=03) and (0040:0071 & 0x80 set)[The BIOS "break" bit, the high bit of 0040:0071, is found to be setduring an INT13 read or write] |
| Particularities: | The virus resides at the top of memory, reducing the BIOS memory size at 0000:0413. Infected diskettes will not have a valid BPB, and will oftennot be readable at all. When a machine is booted from an infecteddiskette, the virus will infect the hard disk, and then boot fromthe bootable partition on the hard disk! (Rather than booting fromdiskette.) Not displayed text: "RMBDRMCC B WRM" [I've been unable to make anysense of it so far.] Very unusual, in that it saves neither the original MBRof hard disks nor the original DBR of diskettes. Instead, itcontains essentially all of the code from the normal MBR, anduses that to boot the system. Even when booting from aninfected floppy, the virus reads the MBR of the hard disk,copies the partition table, and (after infected the hard disk),uses the MBR code to boot from the hard disk. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | David M. Chess, IBM HICL |
| Documentation by: | David M. Chess |
| Date: | 93/07/06 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg