Virus Name: Tijuana
V Status: New
Discovery: July, 1998
Symptoms: Diskette Boot Sector & MBR altered;
decrease in total system & available free memory
Eff Length: N/A
Type Code: BRtX - Resident Diskette Boot Sector & MBR Infector
Detection Method: ViruScan
Removal Instructions: ViruScan /clean following clean cold system boot
The Tijuana or Boot-3250 virus was received in July, 1998. It is
from Mexico and appears to be in the public domain. Tijuana is
a memory resident stealth virus which infects diskette boot
sectors and the system hard disk master boot sector.
When the system is booted from a Tijuana infected diskette, the
Tijuana virus will infect the master boot record of the system
hard disk and install itself memory resident. Total system and
available free memory, as indicated by the DOS CHKDSK program
from DOS 5.0, will have decreased by 2,048 bytes. Interrupt 12's
return will have been moved.
Once the Tijuana virus is memory resident, it will infect the
boot sector of un-write protected diskettes accessed on the system.
On diskettes, the virus places the viral code in the last two
sectors of the diskette's root directory, thus on these disks, any
directory entries in those sectors will be lost. The following
text is unencrypted within the viral code:
"Fecha de Creacion: 29 de Marzo de 1995
VIRUS Tijuana. Ver 3a
Al haber terminado este VIRUS, se cumplio una
de mis grandes aspiraciones. Pido disculpas
a las personas que fueron atacadas por
When the virus is memory resident, anti-viral programs cannot
detect its presence on the system hard disk master boot record
or infected diskettes. If found in memory, system users should
boot from a known uninfected system diskette and then recheck
their systems for the virus's presence on diskette.
Tijuana can be removed successfully from the system hard disk
master boot record and diskette boot sectors by first cold booting
the system from a known clean boot diskette then running the
ViruScan program with the /clean option.