EDV Virus
Virus Name: EDV
Aliases: Cursy, Stealth Virus
V Status: Common
Discovered: 1988
Symptoms: BSC; master boot sector corruption; unusual system crashes
Origin: France
Eff Length: N/A
Type Code: BRX - Resident Boot Sector & Master Boot Sector Infector
Detection Method: ViruScan, NAV, F-Prot, Sweep, AVTK, IBMAV, NAVDX, VAlert, PCScan, ChAV
Removal Instructions: MDisk/P, or NAV
General Comments:
The EDV, or Cursy, virus was first discovered in Le Havre, France in
1988 by Jean-Luc Nail. At that time, it was named the Cursy virus.
Later, in January 1990, it was isolated separately and named the EDV
virus. This virus is a memory resident infector of floppy diskette
boot sectors and the hard disk master boot sector (partition table).
When a system is booted from a diskette infected with the EDV virus,
the virus will install itself memory resident at the top of high
system memory. The value returned by interrupt 12 will be decreased.
Once the virus is memory resident, any disk accessed by the system
will become infected. When the virus infects a diskette, it moves
the original boot sector to side 1, track 39, sector 8. After
moving the original boot sector, it then copies the virus's code to
absolute sector 0, the boot sector of the diskette.
EDV will also infect hard disk drives when they are accessed. In
the case of hard disks, the virus will move absolute sector 0 (the
master boot sector) to side 1, track 39, sector 8 as though it were
a 360K 5.25" floppy diskette. After moving the master boot sector,
it will then overwrite the master boot sector with the viral code.
Once the virus has infected six disks with the virus in memory, the
EDV virus will activate. Upon activation, the virus accesses the
keyboard interrupt to disable the keyboard and then will overwrite
the first 3 tracks of each disk on the system, starting with the
hard disks. After overwriting the disks, it will then display the
following message:
"That rings a bell, no? From Cursy"
Upon activation, the user must power off the machine and reboot from
a system diskette in order to regain any control over the machine.
The following identification string appears at the very end of the
boot sector on infected floppy disks and the master boot sector of
infected hard drives, though it cannot be seen if the virus is in
memory:
"MSDOS Vers. E.D.V."
Jean-Luc Nail has indicated that the EDV or Cursy virus is quite
common in the Le Havre area of France, although it is rare outside
of France.
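
The two on-disk traits described above (the identification string at the end of sector 0, and the original sector moved to side 1, track 39, sector 8) can be checked on a raw image taken from a clean boot, since the string is hidden while the virus is resident. This is an added example, not part of the original entry; the 64-byte tail window, the boot-signature heuristic, and all function names are assumptions, and the sample images are constructed.

```python
SECTOR = 512
ID_STRING = b"MSDOS Vers. E.D.V."  # identification string quoted in the entry
TAIL_WINDOW = 64  # assumption: "very end of the boot sector" = last 64 bytes

def chs_to_lba(track, side, sector, heads=2, spt=9):
    """Linear sector number; defaults are 360K 5.25" geometry (2 sides, 9 sectors/track)."""
    return (track * heads + side) * spt + (sector - 1)

def read_sector(image, lba):
    data = image[lba * SECTOR:(lba + 1) * SECTOR]
    return data if len(data) == SECTOR else None

def check_image(image, heads=2, spt=9):
    """Return EDV indicators found in a raw image taken while the virus is not resident."""
    hits = []
    boot = read_sector(image, 0)
    if boot is None:
        return hits
    if ID_STRING in boot[-TAIL_WINDOW:]:
        hits.append("id-string-in-sector-0")
    # Side 1, track 39, sector 8 is where the entry says the original sector is moved.
    moved = read_sector(image, chs_to_lba(39, 1, 8, heads, spt))
    # Heuristic (assumption): a 55 AA boot signature there, on a sector that
    # differs from sector 0, suggests a relocated boot sector or MBR.
    if moved is not None and moved[510:512] == b"\x55\xaa" and moved != boot:
        hits.append("boot-signature-at-relocation-slot")
    return hits

def make_sample(infected):
    """Constructed 360K image (720 sectors): markers only, no virus code."""
    img = bytearray(720 * SECTOR)
    original = bytearray(SECTOR)
    original[510:512] = b"\x55\xaa"
    if infected:
        sector0 = bytearray(SECTOR)
        sector0[-len(ID_STRING):] = ID_STRING
        img[0:SECTOR] = sector0
        slot = chs_to_lba(39, 1, 8) * SECTOR
        img[slot:slot + SECTOR] = original
    else:
        img[0:SECTOR] = original
    return bytes(img)

if __name__ == "__main__":
    for infected in (False, True):
        print("infected" if infected else "clean", check_image(make_sample(infected)))
```

For a hard disk image, pass the drive's own heads and sectors-per-track values, because the same side/track/sector address maps to a different linear sector than on a 360K diskette.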