The 3APA3A virus was found in the wild in Moscow between the
12th and 14th of October 1994.
The virus uses a complex infection method that also appears to
be a completely new one. Like other boot sector viruses,
3APA3A infects the boot sectors of diskettes. On hard disks,
however, the virus infects the DOS core file IO.SYS instead
of the boot sector. The diskette boot sector infection
mechanism is like that of many other boot sector viruses, but
the hard disk infection method is unique. Because of this,
the virus is deemed to belong to a new virus class, known as
"kernel infectors".
The virus's size is 1024 bytes (i.e., 2 sectors). On a
diskette, the first half of the virus's code is stored in
the boot sector. The original diskette boot sector and the
second half of the virus's code are stored at the very end
of the diskette's root directory. This means that when the
virus infects a diskette, it also overwrites the last two
sectors of the root directory, destroying any directory
entries that were stored there.
When a computer is booted from an infected diskette, the
virus tries to infect the first file in the root directory
of the active DOS partition (this file is usually IO.SYS).
The virus begins by making a copy of the IO.SYS file, after
which it infects the original file. After the infection, the
root directory contains two IO.SYS entries. The first is not
shown in a directory listing, however, because the virus sets
the volume-label attribute bit in its directory entry. The
two directory entries point to two different IO.SYS files.
The first, infected IO.SYS is located in its customary place
at the beginning of the root directory. It contains the
virus's code, 1024 bytes, at its beginning, but is not
otherwise changed. The second IO.SYS directory entry points
to the copy of the original IO.SYS file, which is located at
the end of the partition. The copy is not infected.
When DOS is started during the computer's next boot-up, the
infected IO.SYS is executed and the virus loads itself into
memory like any other boot sector virus. It will then infect
every non-write-protected diskette that is used in the
computer.
Infected hard disks carry the label "IO SYS". This is a side
effect of the hiding trick: DOS takes the first root
directory entry with the volume-label attribute bit set as
the volume label, and on an infected disk that entry is the
hidden IO.SYS entry. The label can be seen with the DIR and
LABEL commands, but it cannot be changed even with the LABEL
command.
Since the 3APA3A virus is located in the IO.SYS file, it
cannot be removed with the command FDISK /MBR. FDISK /MBR
rewrites the master boot record code, which is enough to
remove a great many boot sector viruses, but it does not
touch IO.SYS, so against 3APA3A it is quite ineffective. The
command SYS C: isn't very useful, either: it only
modifies/removes the uninfected copy of IO.SYS that the virus
has placed at the end of the active DOS partition, leaving
the infected file in place.
The 3APA3A virus is mildly polymorphic: the boot sectors of
infected diskettes vary slightly from one another, so a fixed
byte signature is unreliable. Only the OEM name string
'MSDOS5.0' is visible at the beginning of the sector and, as
on every valid boot sector, the 55AA marker is present in the
last two bytes.
The virus contains the message "B BOOT CEKTOPE 3APA3A!"
(Russian, meaning "IN THE BOOT SECTOR - INFECTION!"; the
virus's name comes from the last word). The message string is
stored encrypted and cannot be seen as plain text even in
memory. In August, the virus displays its message during
every computer boot-up.
The 3APA3A virus does not contain destructive routines.
Because of a bug, however, the virus frequently hangs 386 and
486 computers. 3APA3A can only infect hard disks whose active
DOS partition is bigger than 10.6 MB.