Urkel Virus


 Virus Name:  Urkel 
 Aliases:    
 V Status:    New 
 Discovered:  January, 1997 
 Symptoms:    Boot Sector Changes; Master Boot Record Altered; 
              decrease in total system & available free memory; 
              "invalid drive specification" error; message displayed 
 Origin:      Unknown 
 Eff Length:  N/A 
 Type Code:   BRtX - Resident Boot Sector & MBR Infector 
 Detection Method:  NAV, NAVDX, PCScan, AVTK, ViruScan 
 Removal Instructions:  F-Prot, do NOT us FDisk /MBR to disinfect 
 
 General Comments: 
       The Urkel virus was received in January, 1997.  Its origin or point 
       of isolation is unknown.  Urkel is a memory resident infector of 
       diskette boot sectors and the system hard disk master boot record. 
 
       When the system is booted from an Urkel infected diskette, this 
       virus will become memory resident at the top of system memory but 
       below the 640K DOS boundary, moving interrupt 12's return.  Total 
       system and available free memory, as indicated by the DOS CHKDSK 
       program from DOS 5.0, will have decreased by 2,048 bytes.  Also at 
       this time, the virus will infect the system hard disk master boot 
       record if it has not been previously infected by the virus.  Later, 
       upon booting the system from the system hard disk, the virus will 
       become memory resident in a similar manner. 
 
       Once the Urkel virus is memory resident, it will infect diskette 
       boot sectors when an un-write protected diskette is accessed on the 
       system.  This virus alters the boot record, and also writes a 
       portion of the viral code in the last or second to last sector of 
       the diskette root directory.  Since a sector of the root directory 
       is overwritten, any directory entries which were originally in this 
       sector will be lost. 
 
       The Urkel virus contains the encrypted text string "Urkel", this 
       string is sometimes displayed on the system monitor. 
 
       A note about the Urkel virus: this virus relocates the information 
       contained in the disk partition table contained in the master boot 
       record.  As a result, attempting to access the hard disk after 
       booting the system from an uninfected, write-protected system 
       diskette will result in an "invalid drive specification" error. 
       Also as a result of this relocation, the FDisk program with the 
       /MBR option should not be used to replace the master boot record 
       as the partitioning information is not in its expected location and 
       all data on the system hard disk may be lost.

Show viruses from discovered during that infect .

Main Page