AZUSA Virus

Alias:
Strain:
detected when: January 1991 (?)
where: Ohio, USA
Classification: Resident Boot sector and Partition Table Infector
Length: 1024 Bytes in memory, 1 sector (400 h) on media

Preconditions

Operating System(s): MS-DOS
Version/Release: 2.xx upward
Computer model(s): IBM-PC, XT, AT and compatibles
CARO name: Stoned.Azusa

Attributes

Easy identification:
1) Reduction of available memory by 1,024 bytes: CHKDSK returns 654,336 bytes total memory instead of 655,360 bytes on 640k machines.
2) "E9 8B 00" are the first three bytes of an infected boot record or partition table.

Type of Infection:

Virus is extremely virulent and will infect the hard disk even if the partition table cannot be found (the machine cannot boot thereafter). Hard disk: virus replaces absolute sector 1 (partition code & table) with itself, maintaining the table data in an internal location. Floppy: virus attempts to infect all previously uninfected floppies; the original boot record is stored at track 28h, head 1, sector 8 regardless of floppy size.
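The two media indicators above (the "E9 8B 00" prefix and the fixed track 28h, head 1, sector 8 save location) can be checked offline against a raw floppy image. This is an added example, not part of the original VTC entry; the function names, the geometry table and the 55 AA boot-signature heuristic are assumptions of the example, and the sample images are constructed.

```python
AZUSA_JMP = bytes.fromhex("E98B00")  # first three bytes of an infected sector (from the entry)
SAVED_CHS = (0x28, 1, 8)             # track, head, sector of the saved boot record (from the entry)
SECTOR = 512

# Standard PC floppy geometries: raw image size -> (tracks, heads, sectors per track)
GEOMETRY = {
    368640: (40, 2, 9),     # 360K
    737280: (80, 2, 9),     # 720K
    1228800: (80, 2, 15),   # 1.2M
    1474560: (80, 2, 18),   # 1.44M
}

def chs_to_lba(chs, geom):
    """Linear sector number for a CHS address, or None if it lies outside the geometry."""
    c, h, s = chs
    tracks, heads, spt = geom
    if not (0 <= c < tracks and 0 <= h < heads and 1 <= s <= spt):
        return None
    return (c * heads + h) * spt + (s - 1)

def check_image(image):
    """Report the Azusa prefix and, for known floppy sizes, where the saved boot record sits."""
    result = {"infected": image[:3] == AZUSA_JMP, "saved_boot_lba": None, "saved_boot_valid": False}
    geom = GEOMETRY.get(len(image))
    if not result["infected"] or geom is None:
        return result  # clean, or not a floppy image of a known size
    lba = chs_to_lba(SAVED_CHS, geom)
    result["saved_boot_lba"] = lba  # None means the fixed location does not exist on this format
    if lba is not None:
        saved = image[lba * SECTOR:(lba + 1) * SECTOR]
        # Heuristic (assumption): a usable saved boot record ends with the 55 AA signature.
        result["saved_boot_valid"] = saved[510:512] == b"\x55\xAA"
    return result

def make_sample(size):
    """Constructed test image: Azusa prefix in sector 0, signature at the save location if present."""
    img = bytearray(size)
    img[:3] = AZUSA_JMP
    lba = chs_to_lba(SAVED_CHS, GEOMETRY[size])
    if lba is not None:
        img[lba * SECTOR + 510:lba * SECTOR + 512] = b"\x55\xAA"
    return bytes(img)

if __name__ == "__main__":
    for size in GEOMETRY:
        print(size, check_image(make_sample(size)))
```

On a 360K geometry the fixed track number falls outside the 40 available tracks, so the checker reports no save location there; on the larger formats the location falls in the data area of the disk.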

Infection Technique:
Infection Trigger: Booting an infected system
Storage Media affected:
Interrupts hooked: ---
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage: Permanent Damage: Data lost; COM1 & LPT1 "hidden".
1) Data lost: as the virus overwrites 1 sector on floppies, previously stored data are lost; on disk, the partition table is overwritten but the old table data are stored inside the virus.
2) COM1 & LPT1 "hidden": after approx. 20h reboots, the virus zeroes the pointers to COM1 & LPT1, thus making those devices inaccessible.
3) Virus may cause boot failure on machines with security programs in place.
Transient Damage: Reduction of available memory by 1,024 Bytes.
Damage Trigger: After approx. 20h reboots, COM1 & LPT1 become inaccessible as pointers are zeroed.
Particularities:
1) Virus does not use stealth techniques (neither evasive measures nor encryption).
2) Odd coding techniques and lack of understanding of floppy disk characteristics indicate a self-taught writer/experimenter.
Similarities: ---

Agents

Countermeasures: Detection: SCAN v75, DISKSECURE
Standard means: ---

Acknowledgements

Location: Virus Test Center, University Hamburg, Germany
Classification by: Klaus Brunnstein
Documentation by: A.Padgett Peterson, Computer Network Security, Orlando/Flori
Date: 18-April-1991
Information Source:

(c) 1996 Virus-Test-Center, University of Hamburg