Junkie Virus


 Virus Name:  Junkie 
 Aliases:    
 V Status:    Common 
 Discovered:  July, 1994 
 Symptoms:    .COM & .EXE growth; MBR & Boot Sector altered; 
              decrease in total system & available free memory 
 Origin:      Sweden 
 Eff Length:  1,030 - 1,042 Bytes 
 Type Code:   PRtCKBX - Parasitic Resident .COM, MBR, & Boot Sector Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, ViruScan, Sweep, NAV, NAVDX, 
                    VAlert, PCScan, ChAV, 
                    AVTK/N, Sweep/N, NShld, Innoc, IBMAV/N, NProt, NAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files, Replace MBR, DOS SYS on system 
              diskettes 
 General Comments: 
       The Junkie virus was received in July, 1994.  It appears to be from 
       Sweden.  Junkie is a memory resident multi-partite virus which 
       infects diskette boot sectors, the system hard disk master boot 
       sector (containing the partition table), and .COM files, including 
       COMMAND.COM.  As of August, 1994, confirmed public domain infections 
       have been reported in the United States, Canada, Belgium, 
       The Netherlands, and Spain. 
 
       When the first Junkie infected program is executed, this virus will 
       infect the system hard disk master boot sector.  The virus doesn't 
       become memory resident nor infect programs at this time.  Later, 
       when the system is booted from the system hard disk, the Junkie 
       virus becomes memory resident at the top of system memory but below 
       the 640K DOS boundary, moving interrupt 12's return.  Total system 
       and available free memory, as indicated by the DOS CHKDSK program, will 
       have decreased by 3,072 bytes.  Interrupts 1C and 21 will be hooked 
       by the virus in memory. 
 
       Once the Junkie virus is memory resident, it will infect .COM 
       programs, including COMMAND.COM, when they are executed or opened for 
       any reason.  Programs infected with the Junkie virus will have a file 
       length increase of 1,030 to 1,042 bytes with the virus being located 
       at the end of the file.  The program's date and time in the DOS disk 
       directory listing will not be altered.  The following text strings are 
       encrypted within the viral code in all Junkie infected programs: 
 
               "Dr White - Sweden 1994" 
               "Junkie Virus - Written in Malmo...M01D" 
 
       The Junkie virus infects diskette boot sectors when they are accessed. 
       The virus will write a copy of itself the last track of the diskette, 
       and then alter the boot sector to point to this code.  On high density 
       5 1/4 inch diskettes, the viral code will be located on Cylinder 79, 
       Side 1, Sectors 8 and 9. 
 
       It is unknown what Junkie does besides replicate.

Show viruses from discovered during that infect .

Main Page