Joshi Virus


 Virus Name:  Joshi 
 Aliases:     Happy Birthday Joshi, Stealth Virus 
 V Status:    Common 
 Discovered:  June, 1990 
 Symptoms:    BSC; machine hangs and message 
 Origin:      India 
 Eff Length:  N/A 
 Type Code:   BRX - Resident Boot Sector/Master Boot Sector Infector 
 Detection Method:  ViruScan, NAV, F-Prot, Sweep, AVTK, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV 
 Removal Instructions:  NAV, or M-Disk/P 
 
 General Comments: 
       The Joshi virus was isolated in India in June 1990.  At the time it 
       was isolated, it was reported to be widespread in India as well as 
       portions of the continent of Africa.  Joshi is a memory resident 
       boot sector infector of diskettes and the hard disk master boot 
       sector (partition table). 
 
       After a system has been booted from a Joshi-infected diskette, the 
       virus will be resident in memory.  Joshi takes up approximately 6K 
       of system memory, and infected systems will show that total system 
       memory is 6K less than is installed if the DOS CHKDSK program is 
       run. 
 
       Joshi has some similarities to two other boot sector infectors. 
       Like the Stoned virus, it infects the master boot sector of hard 
       disks. Similar to the Brain virus's method of redirecting all 
       attempts to read the boot sector to the original boot sector, Joshi 
       does this with the master boot sector. 
 
       On January 5th of any year, the Joshi virus activates.  At that 
       time, the virus will hang the system while displaying the message: 
 
             "type Happy Birthday Joshi" 
 
       If the system user then types "Happy Birthday Joshi", the system 
       will again be usable. 
 
       This virus may be recognized on infected systems by powering off 
       the system and then booting from a known-clean, write-protected DOS 
       diskette.  Use a sector editor or viewer to look at the boot 
       sector of suspect diskettes; if the first two bytes of the boot 
       sector are hex EB 1F, then the disk is infected.  The EB 1F is a 
       jump instruction to the rest of the viral code. The remainder of 
       the virus is stored on track 40, sectors 1 through 5 on 360K 5.25 
       inch diskettes.  For 1.2M 5.25 inch diskettes, the viral code is 
       located at track 80, sectors 1 through 5.  It will also be located 
       on the last track of 3.5" diskettes. 
 
       To determine if a system's hard disk is infected, you must look at 
       the hard disk's master boot sector.  If the first two bytes of the 
       master boot sector are EB 1F hex, then the hard disk is infected. 
       The remainder of the virus can be found at cylinder 0, side 0, 
       sectors 2 through 6. The original master boot sector will be located 
       at cylinder 0, side 0, sector 9. 
 
       The Joshi virus can be manually removed from an infected system by 
       first powering off the system, and then booting from a known-clean, 
       write-protected master DOS diskette.  If the system has a hard 
       disk, the hard disk should have data and program files backed up, 
       and the original master boot sector copied back to cylinder 0, side 
       0, sector 1 from sector 9.  Joshi is easier to remove from 
       diskettes, where the DOS SYS command can be used.  There are also 
       several disinfector programs available. 
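
       The hard disk check and restore described above, as an added
       example that is not part of the original entry.  It assumes a raw
       image whose first 512-byte sector is cylinder 0, side 0, sector 1;
       the function names and the 55 AA signature test on sector 9 are
       assumptions of this example, and it returns a new image rather
       than writing to a disk.

```python
SECTOR = 512
JOSHI_JUMP = b"\xEB\x1F"   # first two bytes named in this entry
BOOT_SIG = b"\x55\xAA"     # standard boot-sector signature at offset 510 (added check)

def read_sector(image, sector):
    """Return one 512-byte sector of cylinder 0, side 0 (sector is 1-based)."""
    off = (sector - 1) * SECTOR
    data = image[off:off + SECTOR]
    if len(data) != SECTOR:
        raise ValueError(f"image too short for sector {sector}")
    return data

def triage_mbr(image):
    """Return (infected, original_mbr_or_None) for a raw hard-disk image."""
    if read_sector(image, 1)[:2] != JOSHI_JUMP:
        return False, None
    saved = read_sector(image, 9)
    # Trust sector 9 as a restore source only if it looks like a boot sector
    # and is not itself a copy of the infected one.
    usable = saved[510:] == BOOT_SIG and saved[:2] != JOSHI_JUMP
    return True, (saved if usable else None)

def restored_image(image):
    """Return a copy of the image with sector 9 copied back over sector 1."""
    infected, saved = triage_mbr(image)
    if not infected:
        return image
    if saved is None:
        raise ValueError("sector 9 does not hold a usable master boot sector")
    return saved + image[SECTOR:]

def constructed_image(infected, keep_saved=True):
    """Constructed 9-sector sample image; not data from a real disk."""
    clean = b"\xFA\x33\xC0" + bytes(507) + BOOT_SIG
    sectors = [bytes(SECTOR)] * 9
    sectors[0] = JOSHI_JUMP + bytes(508) + BOOT_SIG if infected else clean
    if infected and keep_saved:
        sectors[8] = clean   # original master boot sector at sector 9
    return b"".join(sectors)

if __name__ == "__main__":
    for label, img in (("clean", constructed_image(False)),
                       ("infected", constructed_image(True))):
        infected, saved = triage_mbr(img)
        print(label, "infected:", infected, "restorable:", saved is not None)
```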
 
       Systems infected with Joshi may experience problems when attempting 
       to access programs or data files on write-protected diskettes. 
 
       Known variant(s) of Joshi are: 
       Joshi-B: Similar in behavior to the original Joshi virus.  The 
                major change with this variant is that when the system 
                is booted on January 5, the boot will hang with no message 
                displayed.  If the user types "Happy Birthday Joshi", then 
                the system boot will proceed. 
                Origin:  Unknown  May, 1992. 
