Mardi Bros Virus
Virus Name: Mardi Bros
V Status: Rare
Discovered: July, 1990
Symptoms: BSC; volume label change; decrease in system and free memory
Eff Length: N/A
Type Code: FR - Floppy Boot Sector Infector
Detection Method: ViruScan, F-Prot, NAV, Sweep, AVTK, IBMAV,
NAVDX, Valert, PCScan, ChAV
Removal Instructions: M-Disk, or DOS SYS command

The Mardi Bros virus was isolated in July 1990 in France. This
virus is a memory resident infector of floppy disk boot sectors.
It does not infect hard disk boot sectors or master boot sectors.

When a system is booted from a diskette infected with the Mardi
Bros virus, the virus will install itself memory resident. It
resides in 7,168 bytes above the top of memory, but below the 640K
DOS Boundary. The decrease in system and free memory can be seen
using the DOS CHKDSK command, or several other memory mapping

Mardi Bros will infect any non-write protected diskette which is
exposed to the system. Infected diskettes can be easily identified
as their volume label will be changed to "Mardi Bros". The CHKDSK
program will show the following for the diskette's Volume label:
"Volume Mardi Bros created ira 0, 1980 12:00a"

While the infected boot sector on the diskette will have the DOS
messages still remaining, it will also include the following phrase
near the end:
"Sudah ada vaksin"

It is unknown if Mardi Bros is destructive; it appears to do
nothing but spread.
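
The two on-disk indicators described above, the "Mardi Bros" volume label and the "Sudah ada vaksin" phrase in the boot sector, can be checked on a raw diskette image without booting from the diskette. The following Python is an added example, not part of the original entry; it assumes a FAT12 image whose BIOS parameter block is intact, and the sample image, its label "WORK DISK" and the phrase offset are constructed for the demonstration.

```python
import struct

PHRASE = b"Sudah ada vaksin"  # phrase the entry reports near the end of the boot sector
LABEL = "MARDI BROS"          # volume label the entry reports (compared case-insensitively)

def volume_label(image):
    """Return the root-directory volume label of a FAT12 floppy image, or None."""
    if len(image) < 512:
        return None
    bps, _spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", image, 11)
    (fat_sectors,) = struct.unpack_from("<H", image, 22)
    if bps not in (512, 1024, 2048, 4096) or nfats == 0:
        return None  # BPB overwritten or not a FAT volume
    start = (reserved + nfats * fat_sectors) * bps
    end = min(start + root_entries * 32, len(image) - 31)
    for off in range(start, end, 32):
        name, attr = image[off:off + 11], image[off + 11]
        if name[0] == 0x00:
            break                      # no entries after this one
        if name[0] != 0xE5 and attr & 0x08 and attr != 0x0F:
            return name.decode("ascii", "replace").rstrip()
    return None

def check_image(image):
    """Report the two on-disk indicators described above for one image."""
    pos = image[:512].find(PHRASE)
    label = volume_label(image)
    return {"phrase_offset": pos if pos >= 0 else None,
            "label": label,
            "label_match": label is not None and label.upper() == LABEL}

def make_sample(marked):
    """Constructed 360K-style image start: boot sector, two FATs, root directory."""
    img = bytearray(6144)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    img[510:512] = b"\x55\xaa"
    label = b"Mardi Bros " if marked else b"WORK DISK  "
    img[2560:2571], img[2571] = label, 0x08  # volume-label directory entry
    if marked:
        img[480:496] = PHRASE  # offset chosen for the sample only
    return bytes(img)

if __name__ == "__main__":
    for marked in (False, True):
        print(marked, check_image(make_sample(marked)))
```

A label match alone only shows what CHKDSK would display; the phrase in sector 0 is the stronger of the two indicators.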

Mardi Bros can be removed from infected diskettes by first powering
off the system and rebooting from a known clean write protected DOS
master diskette. The DOS SYS command should then be used to
replace the infected diskette's boot sector. Alternately, MDisk
can be used following the power-down and reboot.