Virus Name: Sticky
Aliases: Multi-2, Nu Way
V Status: Common
Discovered: May, 1992
Symptoms: .COM & .EXE growth; Master boot sector altered;
decrease in total system & available free memory
Eff Length: 927 - 1,407 Bytes
Type Code: PRtAKX - Parasitic Resident .COM, .EXE, Overlay, and
Master Boot Sector Infector
Detection Method: ViruScan, AVTK, IBMAV, NAV, F-Prot, PCScan,
Sweep, NAVDX, VAlert, ChAV,
NShld, LProt, Sweep/N, Innoc, AVTK/N, IBMAV/N,
Removal Instructions: Delete infected files
The Sticky, or Multi-2, virus was discovered at several sites in the
United States and Canada in May, 1992. Sticky is a memory resident
multi-partite virus which infects the hard disk master boot sector
(partition table) and all executable files.
When the first Sticky infected program is executed, the Sticky virus
will infect the system hard disk's master boot sector. This virus
writes a copy of its viral code to Side 0, Cylinder 0, Sectors 2 and
3, and then alters the master boot sector to point to this code. The
Sticky virus does not become memory resident at this time, and will
not infect files.
Later, when the system user boots from the Sticky virus infected
hard disk, the Sticky virus will become memory resident above the
top of system memory but below the 640K DOS boundary. Interrupt
12's return will be moved. Total system and available free memory,
as indicated by the DOS CHKDSK program, will have decreased by
3,072 bytes. Interrupt 21 will be hooked by Sticky in memory.
Once the Sticky virus is memory resident, it will infect any
executable program which is opened or executed. Infected .COM
programs will have a file length increase of 927 bytes. .EXE
programs will increase in size by 1,133 to 1,407 bytes. In both
cases, the virus will be located at the end of the file. The
program's date and time in the DOS disk directory listing will not
be altered. Sticky is an encrypted virus, and no text strings are
visible within the viral code in infected programs.
It is unknown what Sticky does besides replicate.