CW>little info on the Junkie Virus
Hope it helps a bit:
> VSUMX 9612
Junkie
Virus Name: Junkie
Aliases:
V Status: Common
Discovered: July, 1994
Symptoms: .COM & .EXE growth; MBR & Boot Sector altered;
decrease in total system & available free memory
Origin: Sweden
Eff Length: 1,030 - 1,042 Bytes
Type Code: PRtCKBX - Parasitic Resident .COM, MBR, & Boot Sector Infector
Detection Method: F-Prot, AVTK, IBMAV, ViruScan, Sweep, NAV, NAVBoot,
VAlert, PCScan, ChAV, AVTK/N, Sweep/N, NShld, Innoc, IBMAV/N, NProt,
NAV/N, LProt
Removal Instructions: Delete infected files, Replace MBR, DOS SYS on system
diskettes
General Comments:
The Junkie virus was received in July, 1994. It appears to be from
Sweden. Junkie is a memory resident multi-partite virus which
infects diskette boot sectors, the system hard disk master boot
sector (containing the partition table), and .COM files, including
COMMAND.COM. As of August, 1994, confirmed public domain infections
have been reported in the United States, Canada, Belgium,
The Netherlands, and Spain.
When the first Junkie infected program is executed, this virus will
infect the system hard disk master boot sector. The virus doesn't
become memory resident nor infect programs at this time. Later,
when the system is booted from the system hard disk, the Junkie
virus becomes memory resident at the top of system memory but below
the 640K DOS boundary, moving interrupt 12's return. Total system
and available free memory, as indicated by the DOS CHKDSK program,
will have decreased by 3,072 bytes. Interrupts 1C and 21 will be hooked
by the virus in memory.
Once the Junkie virus is memory resident, it will infect .COM
programs, including COMMAND.COM, when they are executed or opened for
any reason. Programs infected with the Junkie virus will have a file
length increase of 1,030 to 1,042 bytes with the virus being located
at the end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text strings are
encrypted within the viral code in all Junkie infected programs:
"Dr White - Sweden 1994"
"Junkie Virus - Written in Malmo...M01D"
The Junkie virus infects diskette boot sectors when they are accessed.
The virus will write a copy of itself to the last track of the diskette,
and then alter the boot sector to point to this code. On high density
5 1/4 inch diskettes, the viral code will be located on Cylinder 79,
Side 1, Sectors 8 and 9.
It is unknown what Junkie does besides replicate.
>TBAV v7.07
Information about the Junkie virus.
This virus is known to infect boot sectors, but unknown variants may infect
other items as well.
This virus has been reported to be 'in the wild'.
Cleaning information:
Before cleaning or restoring, it is HIGHLY RECOMMENDED to boot from a clean,
write-protected system diskette first! This is necessary to ensure that no
viruses are active in memory, and to reduce the risk that you execute an
infected file by accident.
You need to restore the original DOS bootsector and/or system files. Enter
'SYS C:' on the DOS command line.
You also need to check and clean all your diskettes! Otherwise the virus
will return sooner or later! You can clean the diskettes with the 'TbUtil
-immunize' command.
As new variants of existing viruses appear almost daily, it is possible
that you will encounter a variant of this virus which will still be
identified by our scanner, but behaves differently than described above. The
information above is therefore intended as a basic guideline.
>F-Prot 2.26
Name: Junkie
Origin: Sweden
Size: 1035
Type: Resident Boot COM-files
Repair: Yes
The Junkie virus was circulated through European BBSs at the end
of May 1994. It travelled in a file called HV-PSPTC.ZIP.
According to the description, the file was supposed to contain a
program which would make it possible to install illegal copies of
the Pacific Strike-game directly from the hard disk instead of
from diskettes. The packet's content, PSPATCH.COM, contained only
the Junkie virus, however.
Junkie is a Swedish multipartite virus. It infects hard disk MBRs
and COM files. When an infected file is executed in a computer
for the first time, the virus overwrites the hard disk's MBR with
its own code but does nothing else. During its next execution,
the virus goes resident in memory and infects all executed COM
files.
Junkie also infects boot sectors of all floppies used in the
machine, and is capable of spreading further when the machine
is booted up from such a diskette. 360KB and 2.88MB diskettes
are not infected.
Infected COM files grow by approximately 1035 bytes. Since the
virus infects all executed COM files, it corrupts files which are
structurally EXEs but happen to have the extension COM. The virus
code is doubly encrypted. The following message is hidden under
the second encryption layer:
Dr White - Sweden 1994
Junkie Virus - Written in Malmo...M01D
Dr White has also written another Swedish virus called Desperado.
The Junkie virus can be noticed by the decrease of available
memory in the system. Some programs also display the message
"Program too big to fit in memory" when they are executed.
TECHNICAL INFO:
Junkie patches floppy boot sectors and HD MBS from offset 98 to 127. The
virus code itself is contained in two sectors, 0,0,4-5 on HD and on the
last track (40 or 80), side 1, sectors 8-9 on floppies. Junkie does not
relocate nor store the original sector anywhere. In COM files, the virus
will append itself at the end of the file, with a length of 1027 to 1042
bytes.
Junkie is a selective fast infector (not all files will be infected on
opening, just some). Junkie will not infect COM files shorter than about
5000 bytes.
When active, Junkie will decrease the base memory by three kilos.
Also, INT 1Ch will be hooked and QEMM will complain about and
will not load high programs requiring this handler.
F-PROT is able to detect and disinfect the Junkie virus in both
files and boot sectors.
[Analysis: Mikko Hypponen, Data Fellows Ltd's F-PROT Professional Support]
Copyright (c) 1989-1997, Frisk Software International
---
---------------
* Origin: (2:2435/708.11)
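
A triage check built from the locations quoted above (boot sector offsets 98 to 127, and the last track, side 1, sectors 8-9 on floppies), added here as an example and not part of the original post or of any vendor's tool. It assumes raw sector-by-sector diskette images, reads "offset 98 to 127" as decimal byte offsets, and all function names and sample images are constructed for illustration.

```python
SECTOR = 512
PATCH = slice(98, 128)  # assumption: "offset 98 to 127" is decimal and inclusive
# (cylinders, heads, sectors/track) keyed by raw image size; 360KB and 2.88MB
# are omitted because the description says they are not infected.
GEOMETRY = {737280: (80, 2, 9), 1228800: (80, 2, 15), 1474560: (80, 2, 18)}


def chs_to_lba(cyl, head, sec, heads, spt):
    """Standard CHS -> LBA mapping (sector numbers start at 1)."""
    return (cyl * heads + head) * spt + (sec - 1)


def is_blank(sector):
    """True if the sector holds only a format fill byte (0x00 or 0xF6)."""
    return sector in (b"\x00" * SECTOR, b"\xf6" * SECTOR)


def triage(image, clean_boot):
    """Compare a floppy image with a known-clean boot sector of the same format."""
    if len(image) not in GEOMETRY:
        raise ValueError("unsupported image size: %d" % len(image))
    cyls, heads, spt = GEOMETRY[len(image)]
    lbas = [chs_to_lba(cyls - 1, 1, s, heads, spt) for s in (8, 9)]
    patched = image[:SECTOR][PATCH] != clean_boot[:SECTOR][PATCH]
    # Data here is not proof by itself: a nearly full diskette stores files there.
    in_use = any(not is_blank(image[l * SECTOR:(l + 1) * SECTOR]) for l in lbas)
    return {"lbas": lbas, "boot_patch_area_differs": patched,
            "tail_sectors_in_use": in_use, "needs_review": patched and in_use}


def build_samples():
    """Constructed 1.2MB images: one untouched, one altered in both places."""
    boot = bytes(i % 251 for i in range(SECTOR))  # stand-in boot sector
    clean = bytearray(boot + b"\xf6" * (1228800 - SECTOR))
    altered = bytearray(clean)
    altered[98:128] = b"\xaa" * 30  # constructed change, not virus code
    start = chs_to_lba(79, 1, 8, 2, 15) * SECTOR
    altered[start:start + 2 * SECTOR] = bytes(i % 256 for i in range(2 * SECTOR))
    return bytes(clean), bytes(altered), boot


if __name__ == "__main__":
    clean, altered, boot = build_samples()
    print("clean:  ", triage(clean, boot))
    print("altered:", triage(altered, boot))
```

Both indicators together only flag an image for review; confirmation still needs a scanner, since the reference boot sector must come from the same DOS version and format as the diskette being checked.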