Virus Name: Bios
V Status: Rare
Discovery: November, 1992
Symptoms: .COM & .EXE growth; continuous system reboots; CHKDSK file
allocation errors; decrease in total system & available free
Eff Length: 2,048 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: AVTK, ViruScan, Sweep, F-Prot, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, AVTK/N, LProt, IBMAV/N, Innoc, NAV/N
Removal Instructions: Delete infected files
The Bios, or Ned, virus was submitted in November, 1992. Bios is
a memory resident infector of .COM and .EXE programs, including
COMMAND.COM. It employs some stealth techniques to avoid detection.
The first time a program infected with the Bios virus is executed,
the Bios virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary, hooking interrupts
09, 1C, and 21. Total system and available free memory, as indicated
by the DOS CHKDSK program, will have decreased by 8,336 bytes.
Once the Bios virus is memory resident, it will infect .COM and .EXE
programs when they are executed. Infected programs will increase
in size by 2,048 bytes, though the file length increase will be
hidden when Bios is memory resident. The virus will be located at
the beginning of .COM programs and the end of .EXE programs. The
file's date and time in the DOS disk directory listing will not be
altered. The following text string is encrypted within the viral
code and cannot be seen in infected programs:
"Mr.Watshira Sae-eu KMIT-NB Date 12/28/1990 BIOS"
Systems infected with the Bios virus may notice that the DOS CHKDSK
program will return file allocation errors on infected programs.
Once COMMAND.COM becomes infected, attempts to reboot the system
will result in a continuous series of reboots occurring.