Keydrop Virus
Virus Name: Keydrop
Aliases: Keydrop Dropper
V Status: Rare
Discovered: May, 1991
Symptoms: BSC; Master boot sector altered; characters dropped from
    keyboard buffer; decrease in total system & available free
    memory; possible file damage
Origin: Europe
Eff Length: N/A
Type Code: BRtX - Resident Boot Sector & Master Boot Sector Infector
Detection Method: ViruScan, Sweep, AVTK, NAV, F-Prot,
    IBMAV, NAVDX, VAlert, PCScan, ChAV,
    NShld, LProt, Sweep/N, AVTK/N, NAV/N, NProt, Innoc 4.0+
Removal Instructions: M-Disk/P, DOS SYS on system diskettes
General Comments:

The Keydrop virus was submitted in May, 1991 from Europe. Keydrop
is a memory resident infector of diskette boot sectors and the hard
disk master boot sector (partition table). The original Keydrop
sample submitted was contained in a .COM program which "dropped"
the boot sector virus. The .COM dropper program is not described
here, as its behavior is not similar to that of the virus, and the
virus does not naturally infect .COM programs.

When a system is booted from a diskette infected with the Keydrop
virus, the virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Total system and
available free memory will decrease by 5,120 bytes. The memory size
returned by Interrupt 12 will also have changed. At this time, the
virus will infect the system's hard disk master boot sector. The
system hard disk will have 6K in bad sectors after infection.

After Keydrop is memory resident, it will infect 360K diskettes
when they are accessed on an infected system. High density
diskettes will not be infected. Infected diskettes will have
3,072 bytes in bad sectors, and the diskette boot sector will have
been altered. The original boot sector, and the viral code which
does not fit in the boot sector, will be found in the bad sectors.

Infected hard disks will have 6K in bad sectors. The bad sectors
will contain the original master boot sector and the remainder of
the viral code.

Keydrop's name comes from the copyright notice found in the viral
code located in the bad sectors:

    "(c) Copyright 1990 Keydrop inc."

Keydrop activates on a random basis, at which time it will
occasionally drop a character from the keyboard buffer, making the
user think they missed a keystroke on the keyboard.

This virus may damage files when it infects diskettes and the
system hard disk. It does not check whether the sectors it is
going to mark as bad are in use, so they may be in the middle of
programs or data files.
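
Added example, not part of the original entry: the diskette footprint described above (3,072 bytes marked bad, with the copyright notice inside the bad sectors) checked against a raw 360K diskette image by reading its FAT12 table. It assumes the altered boot sector still carries a readable BPB; the names scan_image, fat12_get and build_sample, and the sample image itself, are constructed for illustration.

```python
import struct

NOTICE = b"(c) Copyright 1990 Keydrop inc."   # notice quoted in the entry
BAD = 0xFF7                                    # FAT12 bad-cluster marker

def fat12_get(fat, n):
    """Read 12-bit FAT entry n (two entries share three bytes)."""
    pair = fat[n + n // 2] | (fat[n + n // 2 + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0xFFF

def scan_image(img):
    """Report bad clusters in a FAT12 diskette image and which hold the notice."""
    # Assumption: the altered boot sector still carries a readable DOS BPB.
    # Fields at offset 11: bytes/sector, sectors/cluster, reserved sectors,
    # FAT copies, root entries, total sectors, media byte, sectors/FAT.
    bps, spc, rsvd, nfats, roots, total, _media, spf = struct.unpack_from(
        "<HBHBHHBH", img, 11)
    data_start = rsvd + nfats * spf + (roots * 32 + bps - 1) // bps
    fat = img[rsvd * bps:(rsvd + spf) * bps]
    last = (total - data_start) // spc + 1       # highest valid cluster number
    bad = [c for c in range(2, last + 1) if fat12_get(fat, c) == BAD]
    hits = []
    for c in bad:
        off = (data_start + (c - 2) * spc) * bps
        # Extend the window into the next cluster only if it is also marked bad.
        end = off + bps * spc + (len(NOTICE) - 1 if c + 1 in bad else 0)
        if NOTICE in img[off:end]:
            hits.append(c)
    return {"bad_clusters": bad, "bad_bytes": len(bad) * bps * spc, "notice_in": hits}

def build_sample(bad_clusters=(), notice_cluster=None):
    """Constructed 360K image (not a real sample): BPB, FAT, optional notice."""
    img = bytearray(720 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    img[512:515] = b"\xFD\xFF\xFF"               # reserved FAT entries 0 and 1
    for c in bad_clusters:
        i = 512 + c + c // 2
        pair = img[i] | (img[i + 1] << 8)
        pair = (pair & 0x000F) | (BAD << 4) if c & 1 else (pair & 0xF000) | BAD
        img[i], img[i + 1] = pair & 0xFF, pair >> 8
    if notice_cluster is not None:
        off = (12 + (notice_cluster - 2) * 2) * 512   # data area starts at sector 12
        img[off + 700:off + 700 + len(NOTICE)] = NOTICE
    return bytes(img)

if __name__ == "__main__":
    print(scan_image(build_sample((100, 101, 102), 101)))  # constructed "infected" layout
    print(scan_image(build_sample()))                      # constructed clean diskette
```

On a 360K diskette a cluster is 1,024 bytes, so three bad clusters give the 3,072 bytes the entry reports. The notice only counts when it lies inside a cluster marked bad, which keeps a text file that merely quotes the string from matching.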

Known variant(s) of Keydrop are:

Keydrop Dropper: A small program which, when executed, drops the
    Keydrop boot virus.