| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | DBR - infector |
| Length: | 2 kilobyte(s) AT TO paragraph(s) OF MEMORY |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | Only effective if active DBR is at cyl 0 hd 1 sector 1 |
| Computer model(s): | PC's |
| Caroname: | WXYC |
Attributes | |
| Easy identification: | |
Type of Infection: | Bootsector infection. Selfrec in memory: none, loads on boot Selfrec on disk: CMP word ptr [06] after reading DBR/FBR |
| Infection Technique: | |
| Infection Trigger: | access of uninfected disk following activation |
| Storage Media affected: | Harddisks, Disketts |
| Interrupts hooked: | Int 13 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: none Permanent: none apparent |
| Damage Trigger: | Transient: none Permanent: none |
| Particularities: | Corruption of floppy disk root directoryDoes not maintain registers according to IBM spec so somesystems (e.g. Zenith DOS 3.31) will not boot properly("Invalid partition" error) Displayed text: "WXYC rules this roost!" when booted on with zerosin three LSB of timer tick byte (0:46Ch) Not displayed text: "JAM WXYC" (in DBR name space) Tries to bypass MBR detection schemes & DBR protection by goingblindly for most likely DBR location on boot (see Limitations).Propagates STONED error of allocating 2k in memory when only oneis needed.REPAIR: Boot from clean floppy, return cyl 0 hd 0 sec 3 to cyl 0 hd 1 sec 1Floppy: replace FBR, zero affected directory sector. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Padgett Peterson |
| Documentation by: | Padgett Peterson |
| Date: | 2 November, 1993 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg