Aragon Virus

Virus Name: Aragon Aliases: V Status: Rare Discovery: August, 1992 Symptoms: BSC; master boot sector altered; decrease in total system & available free memory Origin: Unknown Eff Length: N/A Type Code: BRtX - Resident Boot Sector & Master Boot Sector Infector Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV, IBMAV, NAVDX, VAlert, PCScan, ChAV Removal Instructions: DOS SYS on infected system diskettes; M-Disk/P on hard disk General Comments: The Aragon virus was submitted in August, 1992. Its origin or point of isolation is unknown. Aragon is a memory resident stealth virus which infects the hard disk master boot sector (partition table) and the boot sectors on diskettes. It cannot be detected on the hard disk master boot sector when the virus is memory resident. The first time the system is booted from an Aragon infected diskette, the Aragon virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,024 bytes. Also at this time, the Aragon virus will infect the hard disk's master boot sector if it was not previously infected. The original master boot sector will have been moved to side 0, cylinder 0, sector 9. Once the Aragon virus is memory resident, it will infect diskette boot sectors when an unwrite-protected diskette is accessed for any reason. In the case of 360K 5.25" diskettes, the original boot sector will have been moved to sector 11. Aragon is a stealth virus. It will redirect any attempts to read the infected hard disk master boot sector so that the original, uninfected master boot sector stored by the virus will be shown instead. As such, no change in the master boot sector, or the viral infection itself, cannot be detected on the master boot sector when the virus is memory resident.