Virus Name: Int40
V Status: In The Wild
Discovery: December, 1996
Symptoms: Boot Sectors Altered; MBR Altered
Eff Length: N/A
Type Code: BRaX - Resident Diskette Boot Sector & MBR Infector
Detection Method: NAV, NAVDX, AVTK, ViruScan, PCScan
Removal Instructions: F-Prot
The Int40 virus was received in January, 1997. It has been reported
to be in the wild in the United States and Finland since December,
1996. Its origin is unknown. Int40 is a memory resident boot sector
virus which uses stealth techniques to avoid detection.
When the system is booted from an Int40 infected diskette, this virus
will infect the system hard disk master boot record containing the
disk partition table. It also becomes memory resident at this time,
as it will if the system is booted from the infected system hard
disk. Int40 installs itself in memory at the location where the
interrupt table is usually found, thus there will be no decrease in
total system and/or available free memory.
Once the Int40 virus is memory resident, it will infect any non-
write-protected diskette accessed on the system. The virus is a
full stealth virus, and attempts to scan diskettes with the virus
memory resident will result in no detection being detected.
The Int40 virus does not intentionally do anything besides replicate,
however since it installs itself into the interrupt table in memory,
some applications may not function properly due to compatibility
problems with the viral code.