Threat Description

3APA3A

Details

Aliases: 3APA3A, Zaraza
Category: Malware
Type: Virus
Platform: W32

Summary



The 3APA3A virus was found in the wild in Moscow between the 12th and 14th of October 1994.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The virus uses a complex infection method that also appears to be a completely new one. Like other boot sector viruses, 3APA3A infects the boot sectors of diskettes. However, on hard disks the virus infects the DOS core file IO.SYS. The diskette boot sector infection mechanism is like that of many other boot-sector viruses, but the hard disk infection method is unique. Because of this, the virus is deemed to belong to a new virus class, known as "kernel infectors". The virus's size is 1024 bytes (i.e., 2 sectors). On a diskette, the first half of the virus's code is stored in the boot sector. The original diskette boot sector and the second half of the virus's code are stored at the very end of the diskette's root directory. This means that when the virus infects a diskette, it also overwrites the last two sectors in the root directory.

When a computer is booted from an infected diskette, the virus tries to infect the first file in the root directory of the active DOS partition (this file being usually IO.SYS). The virus begins by making a copy of the IO.SYS file, after which it infects the original file. After the infection, the root directory contains two IO.SYS entries. The first is not shown in a directory listing, however, because the virus sets its volume-label bit. The directory entries point to the two IO.SYS files. The first, infected IO.SYS is located in its customary place at the beginning of the root directory. It contains the virus's code, 1024 bytes, in its beginning, but is not otherwise changed. The second IO.SYS directory entry points to the copy of the original IO.SYS file, which is located at the end of the partition. The copy is not infected.

When DOS is started during the computer's next boot-up, the infected IO.SYS is executed and the virus loads itself into memory like any other boot sector virus. It will then infect all non-write-protected diskettes that are used in the computer.

Infected hard disks carry the label "IO SYS". The label can be seen with the DIR and LABEL commands. This label cannot be changed even with the LABEL command.
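A defender's check for the directory layout described in the two paragraphs above, written as an added example (not F-Secure's code and not part of the original description): it parses raw 32-byte FAT root-directory entries and flags the case of two IO.SYS entries where the first carries the volume-label attribute. The sample directories are constructed, and the file sizes and cluster numbers in them are assumptions.

```python
import struct

ATTR_VOLUME_LABEL = 0x08   # FAT attribute bit the virus sets on the infected IO.SYS entry
ENTRY_SIZE = 32

def parse_root_dir(root_dir: bytes):
    """Yield (name, attr, first_cluster, size) for each in-use 32-byte FAT directory entry."""
    for off in range(0, len(root_dir) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = root_dir[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:   # first never-used entry marks the end of the directory
            break
        if entry[0] == 0xE5:   # deleted entry
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", entry, 26)
        yield (f"{name}.{ext}" if ext else name, entry[11], cluster, size)

def io_sys_indicators(root_dir: bytes) -> dict:
    """Flag the layout described above: two IO.SYS entries, the first carrying the volume-label bit."""
    io_sys = [e for e in parse_root_dir(root_dir) if e[0] == "IO.SYS"]
    first_is_label = bool(io_sys) and bool(io_sys[0][1] & ATTR_VOLUME_LABEL)
    return {
        "io_sys_entries": len(io_sys),
        "first_entry_is_label": first_is_label,
        "suspicious": len(io_sys) == 2 and first_is_label,
    }

def make_entry(name, ext, attr, cluster, size) -> bytes:
    """Build one constructed 32-byte FAT directory entry (for the sample directories below)."""
    e = bytearray(ENTRY_SIZE)
    e[0:8] = name.ljust(8).encode("ascii")
    e[8:11] = ext.ljust(3).encode("ascii")
    e[11] = attr
    struct.pack_into("<HI", e, 26, cluster, size)
    return bytes(e)

# Constructed sample root directories (not dumps of a real disk). 0x27 = read-only,
# hidden, system, archive, the usual attributes of IO.SYS. In the infected layout the
# first IO.SYS entry also has the label bit and the clean copy sits far up the partition.
INFECTED_ROOT = (
    make_entry("IO", "SYS", 0x27 | ATTR_VOLUME_LABEL, 2, 40470 + 1024)
    + make_entry("MSDOS", "SYS", 0x27, 22, 38138)
    + make_entry("IO", "SYS", 0x27, 0x2FF0, 40470)
)
CLEAN_ROOT = make_entry("IO", "SYS", 0x27, 2, 40470) + make_entry("MSDOS", "SYS", 0x27, 22, 38138)

if __name__ == "__main__":
    print(io_sys_indicators(INFECTED_ROOT), io_sys_indicators(CLEAN_ROOT))
```

On a real image, pass the bytes of the root-directory region (its offset follows from the BPB fields in the boot sector) rather than the constructed samples.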

Since the 3APA3A virus is located in the IO.SYS file, it cannot be removed with the command FDISK /MBR. FDISK /MBR replaces the MBR and DOS boot sectors, so it can be used for removing a great many boot sector viruses. With 3APA3A it is quite ineffective, however. The command SYS C: isn't very useful, either. It only modifies/removes the uninfected copy of IO.SYS the virus has placed at the end of the active DOS partition.

The 3APA3A virus is mildly polymorphic - the boot sectors of infected diskettes vary slightly. Only the string 'MSDOS5.0' is visible at the beginning and, obviously, the 55AA marker is present at the very end of the boot sector.

The virus contains the message "B BOOT CEKTOPE 3APA3A!" (which means "IN BOOT SECTOR - INFECTION!"). The message string is encrypted, and cannot be seen even in memory. In August, the virus displays its message during every computer boot-up.

The 3APA3A virus does not contain destructive routines.

Because of a bug, the virus frequently hangs 386/486 computers. 3APA3A can only infect hard disks whose active DOS partition is bigger than 10.6 MB.





Technical Details: Igor G. Muttik, MIG@lt.phys.msu.su

