The 3APA3A virus was found in the wild in Moscow between the 12th and 14th of October 1994. Its name is the Russian word ЗАРАЗА ("infection") written with look-alike Latin characters, as in the message it carries.
Disinfection & Removal
The virus uses a complex infection method that also appears to be entirely new. Like other boot sector viruses, 3APA3A infects the boot sectors of diskettes. On hard disks, however, it infects the DOS core file IO.SYS. The diskette boot sector infection mechanism is like that of many other boot-sector viruses, but the hard disk infection method is unique; because of it, the virus is deemed to belong to a new virus class, known as "kernel infectors". The virus is 1024 bytes (i.e., 2 sectors) long. On a diskette, the first half of the virus code is stored in the boot sector, while the original boot sector and the second half of the virus code are stored at the very end of the diskette's root directory. When the virus infects a diskette, it therefore overwrites the last two sectors of the root directory.
When a computer is booted from an infected diskette, the virus tries to infect the first file in the root directory of the active DOS partition (usually IO.SYS). The virus first makes a copy of the IO.SYS file and then infects the original. After the infection, the root directory contains two IO.SYS entries. The first is not shown as a file in a directory listing, because the virus sets the volume-label attribute bit on it. The two entries point to two different IO.SYS files. The first, infected IO.SYS is in its customary place at the beginning of the root directory; it carries the 1024 bytes of virus code at its beginning but is not otherwise changed. The second IO.SYS directory entry points to the copy of the original IO.SYS, which is located at the end of the partition. The copy is not infected.
When DOS is started during the computer's next boot-up, the infected IO.SYS is executed and the virus loads itself into memory like any other boot sector virus. It then infects every non-write-protected diskette that is used in the computer.
Infected hard disks carry the volume label "IO SYS", which is the directory entry of the infected IO.SYS with its volume-label bit set. The label can be seen with the DIR and LABEL commands, but it cannot be changed even with the LABEL command.
Since the 3APA3A virus lives in the IO.SYS file, it cannot be removed with the command FDISK /MBR. FDISK /MBR rewrites the master boot record, which is enough to remove a great many boot sector viruses, but against 3APA3A it is quite ineffective. The command SYS C: isn't very useful either: because the infected IO.SYS entry is flagged as a volume label, SYS C: only modifies or replaces the uninfected copy of IO.SYS that the virus has placed at the end of the active DOS partition.
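The on-disk layout described in the two infection paragraphs and in the volume-label note gives two indicators that can be checked without any knowledge of the virus code itself: on a hard disk partition, an IO.SYS directory entry carrying the volume-label attribute bit (and a second IO.SYS entry for the clean copy); on a diskette, a boot sector with its 55AA marker parked in the last two sectors of the root directory. The scanner below is an added example, not part of this description or of any vendor's product. It parses the BIOS Parameter Block to find the root directory of a FAT12/FAT16 image and reports both indicators. The images it scans are constructed in memory for the demonstration; the order in which the virus stores the original boot sector and its second half in the root-directory tail, the file sizes, and the cluster numbers are assumptions, not taken from the description.

```python
"""Scan a FAT12/FAT16 volume image for the 3APA3A on-disk indicators:
an IO.SYS directory entry with the volume-label bit set (hard disk) and a
stored boot sector in the last two root-directory sectors (diskette).
Added example; the images examined are constructed in memory."""
import struct

ATTR_VOLUME_LABEL = 0x08            # FAT attribute bit the virus sets on IO.SYS
IO_SYS = b"IO      SYS"             # 8.3 name exactly as stored in a directory entry
MSDOS_SYS = b"MSDOS   SYS"
BOOT_SIGNATURE = b"\x55\xAA"        # marker at offset 510 of every DOS boot sector


def root_directory(image):
    """Locate the root directory from the BPB (same fields for FAT12 and FAT16)."""
    (bps, _spc, reserved, nfats, root_entries,
     _total16, _media, spf) = struct.unpack_from("<HBHBHHBH", image, 11)
    start = (reserved + nfats * spf) * bps
    length = ((root_entries * 32 + bps - 1) // bps) * bps
    return bytes(image[start:start + length]), bps


def scan_image(image):
    """Return the 3APA3A indicators found in one volume image."""
    root, bps = root_directory(image)
    io_sys_attrs = []
    for off in range(0, len(root), 32):
        entry = root[off:off + 32]
        if entry[0] in (0x00, 0xE5):           # unused or deleted slot
            continue
        if entry[:11] == IO_SYS:
            io_sys_attrs.append(entry[11])     # attribute byte
    # Diskette indicator: the original boot sector is parked in one of the
    # last two root-directory sectors, so one of them carries 55AA at 510.
    tail = root[-2 * bps:]
    parked_boot = any(tail[i + 510:i + 512] == BOOT_SIGNATURE for i in (0, bps))
    return {
        "io_sys_entries": len(io_sys_attrs),
        "io_sys_label_bit": any(a & ATTR_VOLUME_LABEL for a in io_sys_attrs),
        "boot_sector_in_root_tail": parked_boot,
    }


def is_infected(image):
    found = scan_image(image)
    return found["io_sys_label_bit"] or found["boot_sector_in_root_tail"]


# --- constructed sample images (not real infected media) --------------------

def _dir_entry(name, attr, first_cluster, size):
    return name + bytes([attr]) + bytes(14) + struct.pack("<HI", first_cluster, size)


def _blank_volume(total_sectors, reserved, nfats, spf, root_entries, spc, media):
    image = bytearray(total_sectors * 512)
    struct.pack_into("<3s8sHBHBHHBH", image, 0, b"\xEB\x3C\x90", b"MSDOS5.0",
                     512, spc, reserved, nfats, root_entries, total_sectors, media, spf)
    image[510:512] = BOOT_SIGNATURE
    return image, (reserved + nfats * spf) * 512


def make_diskette_image(infected):
    """1.44 MB-style FAT12 layout: 1 reserved, 2 FATs x 9 sectors, 224 root entries."""
    image, root_off = _blank_volume(33, 1, 2, 9, 224, 1, 0xF0)
    image[root_off:root_off + 64] = (_dir_entry(IO_SYS, 0x27, 2, 40470) +
                                     _dir_entry(MSDOS_SYS, 0x27, 82, 38138))
    if infected:
        # Assumed order: original boot sector first, then the virus's second half.
        last = root_off + 14 * 512 - 2 * 512
        image[last:last + 512] = bytes(image[0:512])          # parked boot sector
        image[last + 512:last + 1024] = bytes([0x90]) * 512    # stand-in for virus code
    return image


def make_partition_image(infected):
    """FAT16 partition layout: 1 reserved, 2 FATs x 40 sectors, 512 root entries."""
    image, root_off = _blank_volume(113, 1, 2, 40, 512, 4, 0xF8)
    orig_size = 40470                                           # assumed IO.SYS size
    if infected:
        entries = (_dir_entry(IO_SYS, 0x27 | ATTR_VOLUME_LABEL, 2, orig_size + 1024) +
                   _dir_entry(MSDOS_SYS, 0x27, 13, 38138) +
                   _dir_entry(IO_SYS, 0x27, 0x7F00, orig_size))  # clean copy, near the end
    else:
        entries = (_dir_entry(IO_SYS, 0x27, 2, orig_size) +
                   _dir_entry(MSDOS_SYS, 0x27, 13, 38138))
    image[root_off:root_off + len(entries)] = entries
    return image


if __name__ == "__main__":
    for name, img in (("clean diskette", make_diskette_image(False)),
                      ("infected diskette", make_diskette_image(True)),
                      ("clean partition", make_partition_image(False)),
                      ("infected partition", make_partition_image(True))):
        print(name, scan_image(img))
```

The 55AA check on the root-directory tail is a heuristic: offset 510 of a directory sector is the high word of the sixteenth entry's file size, so a legitimate file whose size happens to end in those bytes would trip it. The volume-label check is the firmer of the two, which is also why the label cannot be removed with LABEL: the "label" is the infected kernel file.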
The 3APA3A virus is mildly polymorphic: the boot sectors of infected diskettes vary slightly from one to the next. Only the string 'MSDOS 5.0' is visible at the beginning of the boot sector and, as on any boot sector, the 55AA marker is present at its very end.
The virus contains the message "B BOOT CEKTOPE 3APA3A!" (Russian written in look-alike Latin characters, meaning "INFECTION IN THE BOOT SECTOR!"). The message string is stored encrypted and cannot be seen even in memory. In August, the virus displays its message during every boot-up of the computer.
The 3APA3A virus does not contain destructive routines.
Because of a bug, the virus frequently hangs 386/486 computers. 3APA3A can only infect hard disks whose active DOS partition is larger than 10.6 MB.
Technical Details: Igor G. Muttik, MIG@lt.phys.msu.su