| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | DBR - infector |
| Length: | 2 kilobyte(s) AT TO paragraph(s) OF MEMORY |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | Only effective if active DBR is at cyl 0 hd 1 sector 1 |
| Computer model(s): | PCs |
| Caroname: | Wxyc |
Attributes | |
| Easy identification: | |
| Type of Infection: | Boot sector infection. |
| Infection Technique: | |
| Infection Trigger: | Access of uninfected disk following activation. MESSAGES_DISPLAYED: "WXYC rules this roost!" when booted with zeros in the three LSBs of the timer tick byte (0:46Ch). MESSAGES_NOT_DISPLAYED: "JAM WXYC" (in DBR name space). |
| Storage Media affected: | Hard disks, diskettes |
| Interrupts hooked: | Int 13. SELF_RECOGNITION_IN_MEMORY: none, loads on boot. SELF_RECOGNITION_ON_DISK: CMP word ptr [06] after reading DBR/FBR. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: none. Permanent: none apparent. |
| Damage Trigger: | |
| Particularities: | Corruption of floppy disk root directory. Does not maintain registers according to IBM spec, so some systems (e.g. Zenith DOS 3.31) will not boot properly ("Invalid partition" error). Tries to bypass MBR detection schemes & DBR protection by going blindly for the most likely DBR location on boot (see Limitations). Propagates the STONED error of allocating 2k in memory when only one is needed. REPAIR: Boot from clean floppy, return cyl 0 hd 0 sec 3 to cyl 0 hd 1 sec 1. Floppy: replace FBR, zero affected directory sector. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Padgett Peterson |
| Documentation by: | Padgett Peterson |
| Date: | 2 November, 1993 |
| Information Source: | Carobase-entry (automatic converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg