Bad Sectors 1.2 Virus
Virus Name: Bad Sectors 1.2
Aliases: Bad Sectors
V Status: Rare
Discovery: June, 1993
Symptoms: .COM & .EXE growth; slow system response; file corruption;
decrease in total system & available free memory
Eff Length: 3,430 - 3,443 Bytes
Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, IBMAV, AVTK, Sweep,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, NProt, IBMAV/N, AVTK/N, Sweep/N, Innoc, NAV/N,
Removal Instructions: Delete infected files
The Bad Sectors 1.2 virus was received in June, 1993. Its origin
or point of isolation is unknown. This virus is a memory resident
infector of .COM and .EXE programs, including COMMAND.COM. It
displays some stealth characteristics, though is not a full stealth
When the first Bad Sectors 1.2 infected program is executed, this
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, moving interrupt 12's
return. Total system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 5,120 bytes. Interrupts
08, 16, 21, 25, and 26 will be hooked by the virus in memory.
Once memory resident, the Bad Sectors 1.2 virus will infect .COM and
.EXE programs when they are executed. It will also infect one .COM
or .EXE program in the directory being accessed each time a DOS DIR
command is issued.
Bad Sectors 1.2 infected programs will have a file length increase
of 3,430 to 3,443 bytes with the virus being located at the end of
the file. This file length increase, however, will be hidden when
the virus is memory resident. The file's date and time in the DOS
disk directory listing will not be altered. The following text
strings are visible within the viral code in all Bad Sectors 1.2
Systems infected with this virus will experience sluggish or slow
response time, particularly with regard to the DOS DIR command.
Random file corruption may also occur.
Known variant(s) of Bad Sectors 1.2 are:
Bad Sectors.3422: Received in February, 1995, this variant's size
in memory is also 5,120 bytes, hooking interrupts 08, 16, 21, 25,
and 26. It infects .COM and .EXE files, including COMMAND.COM,
when they are opened or when a DOS DIR command is issued.
Infected programs will have a file length increase of 3,422 to
3,436 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not be altered. The following text strings are visible
within the viral code in all infected programs:
Origin: Unknown February, 1995.