Virus Name: BFD
V Status: Rare
Discovery: July, 1992
Symptoms: BSC; .EXE files altered; decrease in total system & available
free memory; high density diskettes may fail to boot
Origin: United States
Eff Length: 452 Bytes Overwriting
Type Code: ORhEB - Overwriting Resident Boot Sector & .EXE Infector
Detection Method: ViruScan, Sweep, F-Prot, AVTK, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, LProt, IBMAV/N,
Removal Instructions: Delete infected files
The BFD virus was isolated in the United States in July, 1992. This
virus is a memory resident multi-partite virus which infects diskette
boot sectors and .EXE programs. It should be considered a stealth
virus as infected programs do not have any file length increase but
execute properly, and it will infect files on open. It spreads
The first time a program infected with the BFD virus is executed,
this virus will infect the current drive's boot sector if the
current drive is a floppy drive. It will also access the C:
drive, though the C: drive's boot sector will not become
infected. Also at this time, the virus will install itself
memory resident at the top of system memory but below the 640K
DOS boundary. Total system and available free memory, as indicated
by the DOS CHKDSK program, will have decreased by 2,048 bytes.
Interrupt 13 will be hooked by BFD in memory. The user should
note that BFD can also become memory resident by booting from
an infected diskette. The same memory allocation will occur.
Once the BFD virus is memory resident, it will infect .EXE programs
when they are executed or opened, as well as diskette boot sectors
when a non-write protected diskette is accessed. Infected .EXE
programs will have no file length increase regardless of whether
the virus is memory resident. The BFD virus infects programs by
writing its viral code to the .EXE header area of the file.
Infected programs will not have any change in file date and time
in the DOS disk directory listing. No text strings occur within
the viral code in infected programs.
When the BFD virus infects diskettes, it overwrites the boot
sector. The boot sector will be missing the usual DOS error
messages. In the case of high density 5.25" system disks, attempts
to boot from the diskette after infection will fail, resulting
in a hung system.
BFD doesn't appear to do anything besides replicate.
Known variant(s) of BFD are:
BFD-452: A 452 byte variant of the BFD virus described above.
Origin: USSR December, 1992