Cansu Virus


 Virus Name:  Cansu 
 Aliases:     Sigalit, V-Sign 
 V Status:    Common 
 Discovery:   June, 1992 
 Symptoms:    BSC; Master Boot Sector Altered; decrease in total system & 
              available free memory; graphic display 
 Origin:      Turkey 
 Eff Length:  N/A 
 Type Code:   BRXh - Resident Floppy Boot Sector Infector 
 Detection Method:  AVTK, ViruScan, Sweep, IBMAV, 
                    F-Prot, NAV, NAVDX, VAlert, PCScan, ChAV 
 Removal Instructions:  M-Disk/P or DOS 5.0 F-Disk /MBR on Hard Disk; 
                        DOS SYS command on bootable diskettes 
 General Comments: 
       The Cansu virus was submitted from Canada in June, 1992.  It is 
       originally from Turkey.  Cansu is a memory resident infector of the 
       hard disk master boot sector (partition table) and diskette boot 
       sectors. 
 
       When the first Cansu infected diskette is booted, the Cansu virus 
       will install itself memory resident at the top of system memory 
       but below the 640K DOS boundary.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will have decreased 
       by 2,048 bytes.  The virus uses interrupt 13. 
 
       Once Cansu is memory resident, it will infect the hard disk's master 
       boot sector the first time the user accesses the hard disk.  It will 
       also infect any non-write protected diskettes which are accessed 
       with the virus memory resident. 
 
       When Cansu infects the system hard disk, it saves approximately 
       38 bytes of the master boot sector within its viral code and 
       overwrites Side 0, Cylinder 0, Sector 1.  The virus is too large to 
       fit entirely within the master boot sector, so the remainder of the 
       virus is written to Side 0, Cylinder 0, Sectors 4 and 5.  On 
       diskettes, the virus also saves 38 bytes of the original boot sector, 
       and then overwrites the original diskette boot sector.  The remainder 
       of the virus will be stored in the last two sectors of the root 
       directory.  For example, on 360K 5.25" diskettes, sectors 10 and 11 
       will contain the remainder of the code. 
 
       Cansu is slightly polymorphic, and a wildcard search string is 
       necessary to detect the virus.  Since the original boot sector 
       and master boot sector are not saved, disinfection should be 
       performed by replacing the master boot sector and diskette boot 
       sectors with clean copies using utilities intended for this purpose. 
 
       The Cansu virus will display a V-shaped block character graphic 
       on the system monitor after 64 diskettes have been infected by 
       the virus.  The graphic is accompanied by a system hang.

Show viruses from discovered during that infect .

Main Page