Virus Name: Filler
V Status: Rare
Symptoms: BSC; Master Boot Sector Altered; decrease in available free
Eff Length: N/A
Type Code: BRhX - Resident Boot Sector & Master Boot Sector Infector
Detection Method: ViruScan, Sweep, F-Prot,
AVTK, IBMAV, NAV, NAVDX, VAlert, ChAV
Removal Instructions: M-Disk/P or DOS SYS for system diskettes
The Filler virus was submitted in January, 1992. It was originally
reported in the public domain in Hungary in 1991. Filler is a
memory resident infector of diskette boot sectors and the hard disk
master boot sector (partition table). Filler is a stealth virus,
when it is memory resident, anti-viral programs will not be able to
detect its infection of the hard disk master boot sector, and will
have difficulty detecting its presence on diskette boot sectors.
When the system is booted from a Filler infected diskette, the
Filler virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Total system memory
will not decrease, but available free memory as indicated by the
DOS CHKDSK program will have decreased by 8,192 bytes. The system
hard disk's master boot sector will be infected at this time, if it
was not previously infected with Filler.
Once the Filler virus is memory resident, it will infect non-write
protected diskettes exposed to the system. The infection of the
diskette usually occurs when the boot sector is accessed for some
reason. The Filler virus will write a copy of itself to the last
track of the diskette which is not normally accessable by DOS. It
will also store the original boot sector on this track. The virus
then alters the boot sector to point to the viral code.
The Filler virus is a stealth virus. When it is memory resident,
scanning infected diskettes will not detect the presence of the
Filler virus when using scanning technology. CRC-type checking
programs may be able to determine that the boot sector has been
altered. In the case of the hard disk master boot sector, if Filler
is memory resident, neither CRC-type checking or scanning programs
will be able to determine the Filler virus's presence. If you
suspect you have a Filler virus infection, power down your system
and then reboot from a known uninfected, write protected system
diskette, and then check the system with anti-viral software.
It is unknown what Filler might do besides replicate.