BootEXE Virus


 Virus Name:  BootEXE 
 Aliases:     BootEXE.205 
 V Status:    New 
 Discovery:   July, 1994 
 Symptoms:    .EXE files altered; TSR 
 Origin:      Unknown 
 Eff Length:  205 Bytes 
 Type Code:   ORsEK - Overwriting Resident .EXE Infector 
 Detection Method:  F-Prot, AVTK, Sweep, NAV, NAVDX, IBMAV, VAlert, PCScan, 
                    ChAV, ViruScan 2.54+, 
                    AVTK/N, Sweep/N, LProt, NAV/N, IBMAV/N, Innoc, 
                    NShld 2.33+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The BootEXE or BootEXE.205 virus was received in July, 1994.  It is 
       a memory resident infector of .EXE files which may under some 
       conditions infect boot sectors, though the sample analysed doesn't 
       appear to. 
 
       When the first BootEXE infected program is executed, this virus will 
       install itself memory resident as a low system memory TSR of 832 
       bytes.  Because of the manner in which this virus hooks interrupts, 
       the TSR will not have any interrupts mapped to it in memory. 
 
       Once the BootEXE virus is memory resident, it will infect .EXE files 
       as they are executed, opened, or copied.  Infected programs will not 
       increase in size as the virus overwrites 205 bytes of the .EXE file 
       header.  The file's date and time in the DOS disk directory listing 
       will not be altered.  The following text string is visible within the 
       viral code in all BootEXE infected programs: 
 
               "(C)VVM" 
 
       Known variant(s) of BootEXE are: 
       BootEXE.453.A: Received in January, 1996, this is a 453 byte 
           variant of the BootEXE virus described above.  It becomes 
           memory resident at the top of system memory but below the 640K 
           DOS boundary, not moving interrupt 12's return.  Available free 
           memory, as indicated by the DOS CHKDSK program from DOS 5.0, 
           will have decreased by 4,096 bytes.  Interrupt 13 will be 
           hooked by the virus in memory.  Once resident, it will infect 
           .EXE files when they are executed, opened, or copied, by 
           overwriting 453 bytes of the .EXE file's 512 byte header, 
           resulting in no file length increase in the DOS disk directory 
           listing.  The file's date and time in the DOS disk directory 
           listing will not be altered.  The following text strings are 
           visible within the viral code: 
           "*.CH?" 
           "BOSCO D'SOUZA" 
           .EXE files larger than 64K may fail to function once infected 
           with this virus as the virus infects them in a manner which 
           causes them to become, in effect, .COM files. 
           Origin:  Unknown  January, 1996. 
       BootEXE.453.B: Received in January, 1996, this is a 453 byte 
           variant of the BootEXE virus described above.  It becomes 
           memory resident at the top of system memory but below the 640K 
           DOS boundary, not moving interrupt 12's return.  Available free 
           memory, as indicated by the DOS CHKDSK program from DOS 5.0, 
           will have decreased by 4,096 bytes.  Interrupt 13 will be 
           hooked by the virus in memory.  Once resident, it will infect 
           .EXE files when they are executed, opened, or copied, by 
           overwriting 453 bytes of the .EXE file's 512 byte header, 
           resulting in no file length increase in the DOS disk directory 
           listing.  The file's date and time in the DOS disk directory 
           listing will not be altered.  The following text strings are 
           visible within the viral code: 
           "*.CH?" 
           "BOSCO D'SOUZA" 
           .EXE files larger than 64K may fail to function once infected 
           with this virus as the virus infects them in a manner which 
           causes them to become, in effect, .COM files. 
           Origin:  Unknown  January, 1996. 
       BootEXE.453.C: Functionally similar to BootEXE.453.B, this 
           variant contains the following unencrypted text strings: 
           "*.CHK" 
           "ROYDEN D'SOUZA" 
           .EXE files larger than 64K may fail to function once infected 
           with this virus as the virus infects them in a manner which 
           causes them to become, in effect, .COM files. 
           Origin:  Unknown  January, 1996. 
       BootEXE.453.D: Received in January, 1996, this is a 453 byte 
           variant of the BootEXE virus described above.  It becomes 
           memory resident at the top of system memory but below the 640K 
           DOS boundary, not moving interrupt 12's return.  Available free 
           memory, as indicated by the DOS CHKDSK program from DOS 5.0, 
           will have decreased by 2,048 bytes.  Interrupt 13 will be 
           hooked by the virus in memory.  Once resident, it will infect 
           .EXE files when they are executed, opened, or copied, by 
           overwriting 453 bytes of the .EXE file's 512 byte header, 
           resulting in no file length increase in the DOS disk directory 
           listing.  The file's date and time in the DOS disk directory 
           listing will not be altered.  The following text strings are 
           visible within the viral code: 
           "*.CHK" 
           "BOSCO D'SOUZA" 
           .EXE files larger than 64K may fail to function once infected 
           with this virus as the virus infects them in a manner which 
           causes them to become, in effect, .COM files. 
           Origin:  Unknown  January, 1996. 
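
 Added example (not part of the original entry): because infected files keep their size, date and time, the text strings quoted above are the only on-disk indicators this entry gives. The sketch below checks the first 512 bytes of each .EXE for those strings. Restricting the search to 512 bytes is an assumption, and `classify_header`, `scan_tree` and `pad` are illustrative names.

```python
from pathlib import Path

# Assumption: the strings sit in the overwritten header area, so only the
# first 512 bytes (the header size the entry gives) are examined.
HEADER_SPAN = 512

# Strings quoted in the entry, grouped per variant. 453.A and 453.B list the
# same strings, so string matching cannot tell them apart.
SIGNATURES = [
    ("BootEXE.453.C", (b"*.CHK", b"ROYDEN D'SOUZA")),
    ("BootEXE.453.D", (b"*.CHK", b"BOSCO D'SOUZA")),
    ("BootEXE.453.A/B", (b"*.CH?", b"BOSCO D'SOUZA")),
    ("BootEXE.205", (b"(C)VVM",)),
]

def classify_header(data):
    """Return the variant label whose strings all occur in the header, else None."""
    head = data[:HEADER_SPAN]
    for label, markers in SIGNATURES:
        if all(m in head for m in markers):
            return label
    return None

def scan_tree(root):
    """Map path -> label for every .EXE under root whose header matches."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".exe":
            with path.open("rb") as fh:
                label = classify_header(fh.read(HEADER_SPAN))
            if label:
                hits[str(path)] = label
    return hits

def pad(*strings):
    """Constructed test buffer: marker strings inside a zeroed 512-byte header."""
    body = b"\x00" * 16 + b"\x00".join(strings)
    return body.ljust(HEADER_SPAN, b"\x00")

if __name__ == "__main__":
    samples = {  # constructed buffers, not real samples
        "clean": b"MZ".ljust(HEADER_SPAN, b"\x00"),
        "205": pad(b"(C)VVM"),
        "453.D": pad(b"*.CHK", b"BOSCO D'SOUZA"),
    }
    for name, buf in samples.items():
        print(name, classify_header(buf))
```

 A match on short strings like these is a lead for follow-up with a proper scanner, not a verdict; the entry's removal instruction for confirmed infections is to delete the file.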
