Virus Name: Badsec
Aliases: 905, Backfont
V Status: Rare
Discovery: February, 1992
Symptoms: .EXE file growth; decrease in system and available free
memory; bad sectors or lost clusters; unexpected accesses to
other than current drive; system hangs
Eff Length: 765 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: AVTK, Sweep, ViruScan, F-Prot, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Badsec virus was received in February, 1992. Its origin or
point of isolation is unknown. Badsec is a memory resident infector
of .EXE programs.
The first time a program infected with the Badsec virus is executed,
this virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. It does not move interrupt
12's return. Total system and available free memory, as indicated
by the DOS CHKDSK program, will have decreased by 4,384 bytes.
Interrupt 21 will be hooked by the virus.
Once the Badsec virus is memory resident, it will infect .EXE
programs when they are executed. Infected programs will have a
file length increase of 765 bytes, with the virus being located at
the end of the file. The program's date and time in the DOS disk
directory listing will not be altered.
Systems infected with the Badsec virus may notice that occassionally
the system will access drives other than the current drive
unexpectedly. When these accesses occur, a bad sector or a lost
cluster may result, hence the virus' name. System hangs may also
occur at this time as well.
Topsy-900: Received in July, 1992, Topsy-900 is based on the
Badsec virus described above. It is from the USSR.
Topsy-900 becomes memory resident when the first infected
program is executed, installing itself memory resident
at the top of system memory but below the 640K DOS
boundary. Total system memory will have decreased by
2,736 to 5,472 bytes, and interrupt 21 will be hooked
by the virus. Once resident, Topsy-900 may infect .EXE
programs when executed, though it does this somewhat
sporatically. Infected programs will have a file length
increase of 900 bytes with the virus being located at the
end of the file.
Origin: USSR July, 1992.