Bios Virus


 Virus Name:  Bios 
 Aliases:     Ned 
 V Status:    Rare 
 Discovery:   November, 1992 
 Symptoms:    .COM & .EXE growth; continuous system reboots; CHKDSK file 
              allocation errors; decrease in total system & available free 
              memory 
 Origin:      Unknown 
 Eff Length:  2,048 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  AVTK, ViruScan, Sweep, F-Prot, IBMAV, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, AVTK/N, LProt, IBMAV/N, Innoc, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Bios, or Ned, virus was submitted in November, 1992.  Bios is 
       a memory resident infector of .COM and .EXE programs, including 
       COMMAND.COM.  It employs some stealth techniques to avoid detection. 
 
       The first time a program infected with the Bios virus is executed, 
       the Bios virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary, hooking interrupts 
       09, 1C, and 21.  Total system and available free memory, as indicated 
       by the DOS CHKDSK program, will have decreased by 8,336 bytes. 
 
       Once the Bios virus is memory resident, it will infect .COM and .EXE 
       programs when they are executed.  Infected programs will increase 
       in size by 2,048 bytes, though the file length increase will be 
       hidden when Bios is memory resident.  The virus will be located at 
       the beginning of .COM programs and the end of .EXE programs.  The 
       file's date and time in the DOS disk directory listing will not be 
       altered.  The following text string is encrypted within the viral 
       code and cannot be seen in infected programs: 
 
               "Mr.Watshira Sae-eu KMIT-NB Date 12/28/1990 BIOS" 
 
       Systems infected with the Bios virus may notice that the DOS CHKDSK 
       program will return file allocation errors on infected programs. 
       Once COMMAND.COM becomes infected, attempts to reboot the system 
       will result in a continuous series of reboots occurring. 
 
       See:   2KB 

Show viruses from discovered during that infect .

Main Page