Virus Name: NYB
V Status: Common
Discovered: January, 1995
Symptoms: BSC; disk seek errors;
decrease in total system and available free memory
Eff Length: N/A
Type Code: BRtX - Resident Boot Sector & Master Boot Sector Infector
Detection Method: F-Prot, AVTK, IBMAV, ViruScan, Sweep, NAV,
NAVDX, VAlert, PCScan, ChAV
Removal Instructions: DOS SYS on system diskettes; FDISK /MBR on hard disk

The NYB virus was received in January, 1995 after having been reported
by several organizations in the United States for two months. NYB
is a stealth boot virus which infects diskette boot sectors as well
as the hard disk master boot sector (partition table).

The first time a system is booted from a diskette infected with
the NYB virus, NYB will install itself memory resident at the
top of system memory but below the 640K DOS boundary. Total system
and available free memory, as indicated by the DOS CHKDSK program
from DOS 5.0, will have decreased by 1,024 bytes. Also at this time,
the virus will infect the system hard disk master boot sector,
containing the partition table, if it was not previously infected.

Once NYB is memory resident, it will infect diskettes when they
are accessed on the infected system. On double density 5.25"
diskettes, the original boot sector will have been relocated to
sector 11. On high density 5.25" diskettes, the original boot
sector will have been relocated to sector 28. In both cases, these
sectors are the last sector of the root directory of the diskette, so
any files whose directory entries were in these sectors will be lost.

NYB does not contain any messages which are displayed on boot.
Infected systems may experience intermittent seek errors upon disk

The reason that NYB is considered a stealth virus is that while
it can be detected in memory when resident, it cannot be detected
when resident on the system hard disk or diskettes. If you have
reason to believe that you have the NYB virus, power off the system
and reboot from a clean write-protected diskette and then check the
system hard disk for the virus. If the virus is found, it can be
removed by using the FDISK /MBR command or copying the original
master boot sector back to Side 0, Cylinder 0, Sector 1. Once the
system hard disk has been disinfected, diskettes should be checked
for the virus, and disinfected by using either the DOS SYS command
on system diskettes or copying the contents of the diskette to a
clean, uninfected diskette and overwriting the original diskette
with the DOS Format /U command.
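
The relocation targets given above (sector 11 and sector 28) are the last
root directory sector of each diskette format, which gives a simple offline
check for a diskette image taken after booting from a clean diskette. The
following Python sketch is an added example, not part of the original entry:
it derives that sector from the BIOS parameter block and flags it when it
holds boot-sector-shaped data. It assumes the parameter block in sector 0 is
still intact; make_image and the sample geometries are constructed test data
and contain no virus code.

```python
import struct

SECTOR = 512

def last_root_dir_sector(boot: bytes) -> int:
    """0-based logical sector of the final root-directory sector (FAT12 BPB)."""
    reserved, num_fats, root_entries = struct.unpack_from("<HBH", boot, 14)
    (sectors_per_fat,) = struct.unpack_from("<H", boot, 22)
    root_start = reserved + num_fats * sectors_per_fat
    root_sectors = (root_entries * 32 + SECTOR - 1) // SECTOR
    return root_start + root_sectors - 1

def looks_like_boot_sector(sector: bytes) -> bool:
    # A boot sector starts with a JMP (EB/E9) and ends with 55 AA. In a real
    # directory sector, bytes 510-511 are the top half of a file size, which
    # cannot be 0xAA55 on a diskette.
    return sector[0] in (0xEB, 0xE9) and sector[510:512] == b"\x55\xaa"

def check_image(image: bytes) -> dict:
    # Assumption: the BPB in sector 0 is intact and the image was read after a
    # clean boot, so no resident stealth code altered the reads.
    lba = last_root_dir_sector(image[:SECTOR])
    sector = image[lba * SECTOR:(lba + 1) * SECTOR]
    return {"sector": lba, "relocated_boot_sector": looks_like_boot_sector(sector)}

def make_image(total, per_cluster, per_fat, root_entries, media, relocated):
    """Constructed test diskette: boot sector plus empty FATs and root directory."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x3c\x90"
    struct.pack_into("<HBHBHHBH", boot, 11, SECTOR, per_cluster, 1, 2,
                     root_entries, total, media, per_fat)
    boot[510:512] = b"\x55\xaa"
    image = bytearray(total * SECTOR)
    image[0:SECTOR] = boot
    if relocated:  # copy of the boot sector parked in the last root-dir sector
        lba = last_root_dir_sector(boot)
        image[lba * SECTOR:(lba + 1) * SECTOR] = boot
    return bytes(image)

def demo() -> list:
    dd = (720, 2, 2, 112, 0xFD)    # 360K double density 5.25"
    hd = (2400, 1, 7, 224, 0xF9)   # 1.2M high density 5.25"
    return [check_image(make_image(*geom, relocated=flag))
            for geom in (dd, hd) for flag in (False, True)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```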