Curse Boot Virus


 Virus Name:  Curse Boot 
 Aliases:     Smiley Worm 
 V Status:    Common 
 Discovery:   September, 1992 
 Symptoms:    Boot Sectors altered; decrease in total system & available 
              free memory; system time corrupted 
 Origin:      Unknown 
 Isolated:    Northern California, United States 
 Eff Length:  N/A 
 Type Code:   BRt - Resident Boot Sector Infector 
 Detection Method:  ViruScan, NAV, AVTK, IBMAV, PCScan, 
                    F-Prot, Sweep, NAVDX, VAlert, ChAV 
 Removal Instructions:  DOS SYS on boot diskettes & hard disk 
 General Comments: 
       The Curse Boot virus was originally reported in 1990, though samples 
       received at that time did not replicate, appearing to be incomplete. 
       The first working sample received of the Curse Boot virus was from 
       a public domain infection at a college in Northern California in 
       September, 1992.  Curse Boot is a memory resident infector of 
       360K 5.25 inch diskette boot sectors, as well as hard disk boot 
       sectors.  It is a stealth virus, concealing diskette boot sector 
       infections when it is memory resident. 
 
       The first time the system is booted from a diskette infected with 
       the Curse Boot virus, the virus will infect the boot sector of the 
       hard disk's boot partition.  It first marks four sectors bad in 
       the file allocation table and transfers the original boot sector 
       and three sectors of viral code to these bad sectors, then 
       infects the hard disk boot sector.  At this time the Curse Boot 
       virus will also become memory resident, allocating 4,096 bytes 
       from the top of system memory but below the 640K DOS boundary.  
       Interrupt 12's return will have been moved. 
 
       Once memory resident, the Curse Boot virus will infect 360K 5.25 
       inch diskettes when they are accessed for any reason.  As with the 
       system hard disk, the virus marks four sectors bad, and places the 
       original boot sector and three sectors of viral code in these bad 
       sectors, then infects the boot sector itself. 
 
       Users of systems infected with Curse Boot may notice that the 
       system time upon boot has the hours set to zero, instead of the 
       actual value stored in CMOS memory for the system clock.  For 
       example, if the system clock on boot is 21:30.00, after booting 
       from a Curse Boot infected disk, the system time will read 0:30.00. 
 
       Curse Boot hides the boot sector infection on 360K 5.25" diskettes 
       when the virus is memory resident, redirecting attempts to read 
       the boot sector to the original, uninfected boot sector.  As a 
       result, anti-viral programs will not be able to detect the virus 
       on diskettes when Curse Boot is memory resident.  It does not, 
       however, hide the infection of the hard disk boot sector. 
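
The bad-sector relocation described above leaves a checkable trace in a 360K diskette image. The following is an added example, not part of the original entry: it walks a FAT12 image and reports sectors inside bad-marked clusters that end in the 55 AA boot signature. The heuristic, the function names and the sample image (bad clusters 50, 100 and 101) are constructed for illustration; the entry does not say which sectors the virus uses.

```python
import struct
BAD_CLUSTER = 0xFF7  # FAT12 value that flags a cluster as bad

def parse_bpb(boot):
    """Pull the BIOS Parameter Block fields needed to locate the FAT and data area."""
    bps, spc, reserved, nfats, root_entries, total, _media, spf = \
        struct.unpack_from("<HBHBHHBH", boot, 11)
    data_start = reserved + nfats * spf + (root_entries * 32 + bps - 1) // bps
    return bps, spc, reserved, spf, data_start, (total - data_start) // spc

def fat12_entry(fat, n):
    """Decode the 12-bit FAT entry for cluster n."""
    pair = fat[n + n // 2] | (fat[n + n // 2 + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0xFFF

def set_fat12(fat, n, val):
    """Encode a 12-bit FAT entry (used only to build the sample image)."""
    off = n + n // 2
    pair = fat[off] | (fat[off + 1] << 8)
    pair = (pair & 0x000F) | (val << 4) if n & 1 else (pair & 0xF000) | val
    fat[off], fat[off + 1] = pair & 0xFF, pair >> 8

def suspicious_bad_sectors(image):
    """Return (cluster, lba) for each sector in a bad-marked cluster ending in 55 AA."""
    bps, spc, fat_start, spf, data_start, clusters = parse_bpb(image[:512])
    fat = image[fat_start * bps:(fat_start + spf) * bps]
    hits = []
    for n in range(2, clusters + 2):
        if fat12_entry(fat, n) != BAD_CLUSTER:
            continue
        first = data_start + (n - 2) * spc
        for lba in range(first, first + spc):
            if image[lba * bps + 510:lba * bps + 512] == b"\x55\xaa":
                hits.append((n, lba))
    return hits

def build_sample_image():
    """Constructed 360K image: clusters 50, 100, 101 bad; only 100 holds a boot sector copy."""
    img = bytearray(720 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    img[510:512] = b"\x55\xaa"
    fat = bytearray(b"\xfd\xff\xff") + bytearray(1021)
    for n in (50, 100, 101):
        set_fat12(fat, n, BAD_CLUSTER)
    img[512:1536] = fat
    img[208 * 512:209 * 512] = img[0:512]  # LBA 208 = first sector of cluster 100
    return bytes(img)

if __name__ == "__main__":
    print(suspicious_bad_sectors(build_sample_image()))
```

The check reads the boot sector only for its geometry fields; the finding itself comes from the FAT and the data area. A genuinely bad cluster with no boot signature, like cluster 50 in the sample, is not reported.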
