Virus Name: Keydrop
Aliases: Keydrop Dropper
V Status: Rare
Discovered: May, 1991
Symptoms: BSC; Master boot sector altered; characters dropped from
keyboard buffer; decrease in total system & available free
memory; possible file damage
Eff Length: N/A
Type Code: BRtX - Resident Boot Sector & Master Boot Sector Infector
Detection Method: ViruScan, Sweep, AVTK, NAV, F-Prot,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, AVTK/N, NAV/N, NProt, Innoc 4.0+
Removal Instructions: M-Disk/P, DOS SYS on system diskettes
The Keydrop virus was submitted in May, 1991 from Europe. Keydrop
is a memory resident infector of diskette boot sectors and the hard
disk master boot sector (partition table). The original Keydrop
sample submitted was contained in a .COM program which "dropped"
the boot sector virus. The .COM dropper program is not described as
its behavior is not similar to the virus, and the virus does not
naturally infect .COM programs.
When a system is booted from a diskette infected with the Keydrop
virus, the virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Total system and
available free memory will decrease by 5,120 bytes. Interrupt 12's
return will also have been moved. At this time, the virus will
infect the system's hard disk master boot sector. The system hard
disk will have 6K in bad sectors after infection.
After Keydrop is memory resident, it will infect 360K diskettes
when they are accessed on an infected system. High density
diskettes will not be infected. Infected diskettes will have
3,072 bytes in bad sectors, and the diskette boot sector will have
been altered. The original boot sector, and the viral code which
does not fit in the boot sector, will be found in the bad sectors.
Infected hard disks will have 6K in bad sectors. The bad sectors
will contain the original master boot sector and the remainder of
the viral code.
Keydrop's name comes from the copyright notice found in the viral
code located in the bad sectors:
"(c) Copyright 1990 Keydrop inc."
Keydrop activates on a random basis, at which time it will
occasionally drop a character from the keyboard buffer, making the
user think they missed a keystroke on the keyboard.
This virus may damage files when it infects diskettes and the
system hard disk. It does not check to see if the sectors it is
going to mark as bad are in use, so they may be in the middle of
programs or data files.
Known variant(s) of Keydrop are:
Keydrop Dropper: A small program which, when executed, drops the
Keydrop boot virus.