Merritt

Alias:Yale, Alameda (A)
Strain:Merritt/Alameda-Strain
detected when:November 24, 1988
where:University of New Brunswick, Fredericton, CANADA
Classification:System Virus (= BootSector-Virus)
Length:512 Bytes

Preconditions

Operating System(s):MS-DOS
Version/Release:
Computer model(s):
Caroname:Yale.A

Attributes

Easy identification:No characteristic text (in code, volume labels, etc.).

Type of Infection:

Boots when an infected disk is inserted and the system is booted. Installs itself in high memory and removes that memory from DOS. Installs itself as the warm-start (CTRL+ALT+DEL) interrupt handler (actually the keyboard handler) and spreads via this CTRL+ALT+DEL handler. Moves the "real" boot sector to track 39, sector 8. Does not infect .COM or .EXE files.

Infection Technique:
Infection Trigger:
Storage Media affected:
Interrupts hooked:
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Permanent damage: moves the boot block to track 39, sector 8 (if there was a file, it is corrupted). This sector is not marked as bad, so a file may overwrite the real boot block, leaving the disk "NOT bootable". It will count to 39 and blast the FAT ('0'). It counts a certain keystroke (there is also code for decrementing the count by another keystroke).
Damage Trigger:
Particularities:Hangs 80286 systems.
Similarities:With other members of Merritt/Alameda-strain.

Agents

Countermeasures:Michael MacDonald's own vaccine, which identifies the virus and overwrites the boot block.
Standard means:Compare the boot sector of the infected disk with that of a "real" system disk. If they differ, check track 39, sector 8; if this contains the real boot block, execute a SYS command to reinstall the real boot block and system files.
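
The standard check above as an added example (not part of the original entry and not MacDonald's vaccine): it compares sector 0 of a diskette image with a known-good boot sector and, if they differ, looks for the original at track 39, sector 8. The flat 360 KB image layout (40 tracks, 2 heads, 9 sectors per track), the byte-for-byte comparison, the check of both heads, and all function and verdict names are assumptions.

```python
SECTOR = 512
# Assumption: flat image of a 360 KB DOS diskette (40 tracks, 2 heads, 9 sectors/track).
TRACKS, HEADS, SPT = 40, 2, 9
SAVED_TRACK, SAVED_SECTOR = 39, 8  # location given in the entry; the head is not stated

def chs_to_offset(track, head, sector):
    """Byte offset of a CHS address in the flat image (sectors are 1-based)."""
    if not (0 <= track < TRACKS and 0 <= head < HEADS and 1 <= sector <= SPT):
        raise ValueError("CHS address outside the assumed geometry")
    return ((track * HEADS + head) * SPT + (sector - 1)) * SECTOR

def read_sector(image, track, head, sector):
    """Return the 512 bytes stored at the given CHS address."""
    off = chs_to_offset(track, head, sector)
    data = image[off:off + SECTOR]
    if len(data) != SECTOR:
        raise ValueError("image shorter than the assumed geometry")
    return data

def triage(image, reference_boot):
    """Classify an image against a known-good boot sector of the same DOS version."""
    if len(reference_boot) != SECTOR:
        raise ValueError("reference boot sector must be 512 bytes")
    if read_sector(image, 0, 0, 1) == reference_boot:
        return ("boot-sector-matches", None)
    # The entry does not say which head, so both sides of track 39 are checked.
    for head in range(HEADS):
        if read_sector(image, SAVED_TRACK, head, SAVED_SECTOR) == reference_boot:
            return ("original-found-at-39/8", head)  # SYS can reinstall it, per the entry
    # No saved copy: the unprotected sector may have been overwritten by a file.
    return ("boot-sector-differs-no-copy", None)

def make_image(boot, saved=None, head=0):
    """Build a constructed test image: 'boot' in sector 0, 'saved' at track 39, sector 8."""
    img = bytearray(TRACKS * HEADS * SPT * SECTOR)
    img[0:SECTOR] = boot
    if saved is not None:
        off = chs_to_offset(SAVED_TRACK, head, SAVED_SECTOR)
        img[off:off + SECTOR] = saved
    return bytes(img)

# Constructed sample data: filler bytes stand in for real sector contents.
REFERENCE = bytes([0xEB, 0x3C, 0x90]) + b"R" * 509
FOREIGN = b"X" * SECTOR

if __name__ == "__main__":
    print(triage(make_image(REFERENCE), REFERENCE))
    print(triage(make_image(FOREIGN, REFERENCE, head=0), REFERENCE))
    print(triage(make_image(FOREIGN), REFERENCE))
```

The third verdict covers the case the Damage field describes, where the saved sector is not marked bad and may already have been overwritten.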

Acknowledgements

Location:School of Computer Science, University of New Brunswick
Classification by:Michael J. MacDonald
Documentation by:Michael J. MacDonald, Software Specialist University of New
Date:June 5, 1989
Information Source:---

(c) 1996 Virus-Test-Center, University of Hamburg