Classification

Category :

Malware

Type :

Virus

Aliases :

Gwar

Summary

Gwar is a boot virus that infects the MBR of hard disks and the boot records of floppy disks. The virus is one sector long and partially encrypted. Gwar is a memory-resident stealth virus.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The system is infected after booting from an infected floppy or after executing a COM or EXE file infected by the Messev.3158 virus, which acts as a dropper for Gwar. Before infecting the hard disk with Gwar, Messev.3158 tries to delete the Windows 95 floppy device driver HSFLOP.PDR, but because of a bug in the virus this never happens. Floppy boot records are infected on first access to them.

When infecting a hard disk, the virus (or its dropper) copies the original MBR to head 0, track 0, sector 2 (0/0/2 in h/t/s notation); from then on all logical hard disks become inaccessible when booting from a system diskette. To disinfect, the original MBR must be copied back to 0/0/1 (h/t/s).

On bootup the virus copies itself to the interrupt table area at 0020:0000, decrypts its payload part and checks the current date; if it is the 2nd of May, the payload is activated. First the virus blocks the keyboard and outputs the blinking text:

'Gwar virus v1.3, (c) 1998 by T-2000 / Invaders'

Then it starts to incrementally write 8-sector-long areas containing part of the virus body (starting from the message offset) to track 1, head 2, printing the screen's contents on every write operation.

If the date is not May 2nd, the virus copies the Int 13h handler address (which points into the BIOS at startup) to 0000:01F8 (Int FEh) and uses Int FEh for disk access from then on. This trick lets the virus evade resident behaviour blockers and perform its stealth procedure. The virus then loads the original MBR to 0000:7C00 and passes control to it.

The Int FEh stealth procedure of Gwar substitutes the original MBR stored at 0/0/2 (h/t/s) for the infected one whenever the MBR is read, so the infection is not visible while the virus is in memory.
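Because the stealth routine only works while the virus is resident, the relocation described above is easiest to confirm on a raw disk image inspected offline. The following added Python example (not F-Secure's tool, and not part of the original description) checks whether CHS 0/0/2 holds what looks like a relocated MBR that differs from 0/0/1, and performs the disinfection step the text gives, copying it back. The MBR heuristic, the function names and the constructed sample image are my own assumptions.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
# CHS 0/0/1 is the first sector of the image and 0/0/2 the second,
# whatever the drive geometry, so no geometry translation is needed here.

def looks_like_mbr(sector: bytes) -> bool:
    """Heuristic (an assumption of this example): boot signature present and the four
    partition entries are sane (flag 0x00/0x80, at most one active, one non-empty type)."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    active = nonempty = 0
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        flag, ptype = entry[0], entry[4]
        if flag not in (0x00, 0x80):
            return False
        active += flag == 0x80
        nonempty += ptype != 0
    return active <= 1 and nonempty >= 1

def check_image(image: bytes) -> dict:
    """Compare 0/0/1 (where an infected MBR would sit) with 0/0/2 (where Gwar keeps the original)."""
    mbr, backup = image[:SECTOR], image[SECTOR:2 * SECTOR]
    relocated = looks_like_mbr(backup) and mbr != backup
    return {"sector1_is_mbr": looks_like_mbr(mbr), "sector2_is_mbr": looks_like_mbr(backup),
            "sectors_differ": mbr != backup, "suspect_relocated_mbr": relocated}

def restore_mbr(image: bytes) -> bytes:
    """Disinfection as described in the text: copy the original MBR from 0/0/2 back to 0/0/1.
    The stale copy at 0/0/2 is left in place; only the first sector is rewritten."""
    if not check_image(image)["suspect_relocated_mbr"]:
        raise ValueError("no relocated MBR found at 0/0/2; nothing to restore")
    return image[SECTOR:2 * SECTOR] + image[SECTOR:]

def build_sample_images() -> tuple:
    """Constructed sample (not a real Gwar dump): a clean two-sector image and the same image
    after relocation, i.e. foreign boot code at 0/0/1 and the original MBR at 0/0/2."""
    ptable = (bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0xFF, 0xFF])
              + struct.pack("<II", 63, 2 * 1024 * 1024) + b"\x00" * 48)  # one FAT16 entry
    original = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 441 + ptable + BOOT_SIG
    foreign = b"\xeb\x3c\x90" + bytes(range(256)) + b"\x00" * 187 + ptable + BOOT_SIG
    clean = original + b"\x00" * SECTOR
    infected = foreign + original
    return clean, infected
```

Run `check_image()` against the first two sectors of a `dd` image of the drive; a true `suspect_relocated_mbr` on the constructed infected sample and a false one on the clean sample show the two cases the text distinguishes.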