Virus Name: WelcomB
V Status: In The Wild
Discovered: December, 1996
Symptoms: Boot Sectors Changed;
decrease in total system & available free memory
Eff Length: N/A
Type Code: BRtX - Resident Diskette Boot Sector & MBR Infector
Detection Method: NAV, NAVDX, PCScan, ViruScan, AVTK
Removal Instructions: Do not use FDisk /MBR
The WelcomB virus was received in December, 1996, and has been
reported to be in the wild. WelcomB is a memory resident infector
of diskette boot sectors as well as the system hard disk master
boot record (MBR) containing the disk partitioning information.
When the system is booted with a WelcomB infected diskette, the
WelcomB virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary, moving interrupt 12's
return. Total system and available free memory will decrease by
2K if the boot was from a diskette and 6K if it was from the system
hard disk. If the system hard disk was not previously infected by
the virus at this time, the virus will infect the system hard disk
master boot record, relocating the disk partitioning information.
Once the WelcomB virus is memory resident, it will infect the boot
sector of any non-write protected diskette accessed on the system.
In the case of diskettes, the viral code is located in the boot
sector and continued in the last or second to last sector of
the root directory. The following text string can be found within
the viral code:
"Welcome to BUPT 9146,Beijing!"
Since the WelcomB virus does not keep a copy of the original Master
Boot Record, and overwrites where DOS expects the disk partitioning
information to be, the DOS FDisk program with the /MBR option cannot
be used to replace this information and disinfect this virus.