DelCmos is a typical boot sector virus. It is only able to infect a hard disk when you try to boot the machine with an infected diskette in drive A:. At this time the virus infects the Master Boot Record (MBR) of the hard drive, and after that it will go resident to high DOS memory during every boot-up from the hard disk. Once the virus gets resident to memory, it will infect practicly all non-write- protected diskettes used in the machine.
DelCmos allocates two kilobytes of memory while it is active. This can be seen as a decrease in the total amount of DOS memory - it drops from 640kB to 638kB. DelCmos assumes that the machine has full 640kB of DOS memory. This is not always the case, as some systems reserve a kilobyte or two for internal BIOS needs. In this case, DelCmos will just crash the machine every time it's booted after the infection.
DelCmos also assumes the A: drive of the machine to be a 3.5" HD (1.44MB) drive. If it's a 5.25" drive or a 3.5" DD or ED drive, floppies may be corrupted during infection. They can be fixed with the FIXBOOT program.
DelCmos.A contains a routine to overwrite the CMOS SETUP information. DelCmos.B has this activation routine removed; it does nothing except spreads.
DelCmos.A is known to be in the wild in the USA. DelCmos.B was reported to be in the wild in Spain in January 1996.
Disinfection & Removal
Description Created: Mikko Hypponen, F-Secure