WelcomB Virus

Virus Name: WelcomB Aliases: Buptboot V Status: In The Wild Discovered: December, 1996 Symptoms: Boot Sectors Changed; decrease in total system & available free memory Origin: Unknown Eff Length: N/A Type Code: BRtX - Resident Diskette Boot Sector & MBR Infector Detection Method: NAV, NAVDX, PCScan, ViruScan, AVTK Removal Instructions: Do not use FDisk /MBR General Comments: The WelcomB virus was received in December, 1996, and has been reported to be in the wild. WelcomB is a memory resident infector of diskette boot sectors as well as the system hard disk master boot record (MBR) containing the disk partitioning information. When the system is booted with a WelcomB infected diskette, the WelcomB virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory will decrease by 2K if the boot was from a diskette and 6K if it was from the system hard disk. If the system hard disk was not previously infected by the virus at this time, the virus will infect the system hard disk master boot record, relocating the disk partitioning information. Once the WelcomB virus is memory resident, it will infect the boot sector of any non-write protected diskette accessed on the system. In the case of diskettes, the viral code is located in the boot sector and continued in the last or second to last sector of the root directory. The following text string can be found within the viral code: "Welcome to BUPT 9146,Beijing!" Since the WelcomB virus does not keep a copy of the original Master Boot Record, and overwrites where DOS expects the disk partitioning information to be, the DOS FDisk program with the /MBR option cannot be used to replace this information and disinfect this virus.