The system becomes infected after booting from an infected floppy
or after executing a COM or EXE file infected by the Messev.3158
virus, which acts as a dropper for Gwar. Before infecting the hard
disk with Gwar, Messev.3158 tries to delete the Windows 95 floppy
device driver HSFLOP.PDR, but because of a bug in the virus this
never happens. Floppy boot records are infected by the virus on
first access to them.
When infecting hard disks the virus (or a dropper) copies the
original MBR to 0/0/2 (h/t/s), and from then on all logical hard
disks become inaccessible when booting from a system diskette. To
disinfect the virus the original MBR should be copied back to
On bootup the virus copies itself into the interrupt vector table
area at 0020:0000, decrypts its payload part and checks the current
date; if it is the 2nd of May the payload is activated. First the
virus blocks the keyboard and outputs the blinking text:
'Gwar virus v1.3, (c) 1998 by T-2000 / Invaders'
Then it starts to incrementally write 8-sector-long areas
containing a part of the virus body (from the message offset) to
track 1/head 2, printing the screen's contents on every write.
If the date is not May 2nd, the virus copies the Int 13h handler
address (which points into the BIOS at startup) to 0000:01F8
(Int FEh) and from then on uses Int FEh for disk access. This
trick lets the virus evade resident behaviour blockers and perform
its stealth procedure. Then the virus loads the original MBR to
0000:7C00 and passes control to it.
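The two memory artefacts described above (the virus body living inside the interrupt vector table at 0020:0000, and the BIOS Int 13h address parked in the spare vector Int FEh) are what a defender would look for in a dump of the first kilobyte of real-mode memory. The following Python script is an added example, not part of the F-Secure analysis: it parses a 1024-byte IVT dump and flags an Int 13h vector that resolves into the table itself, and any vector in the F0h-FFh range that resolves into the ROM BIOS segment. The sample tables, the ROM segment F000h, the handler offset 00A0h and the assumption that the resident virus replaces the Int 13h vector are constructed for the example.

```python
import struct

IVT_SIZE = 256 * 4          # real-mode interrupt vector table: 256 entries of offset:segment
BIOS_ROM_SEGMENT = 0xF000   # segment of the ROM BIOS on a classic PC (assumption for the sample)


def build_ivt(vectors: dict) -> bytes:
    """Build a 1024-byte IVT dump from {int_number: (segment, offset)}; unset entries are 0000:0000."""
    ivt = bytearray(IVT_SIZE)
    for n, (seg, off) in vectors.items():
        struct.pack_into("<HH", ivt, n * 4, off, seg)   # each entry is stored offset first, then segment
    return bytes(ivt)


def vector(ivt: bytes, n: int) -> tuple:
    """Return (segment, offset) of interrupt n."""
    off, seg = struct.unpack_from("<HH", ivt, n * 4)
    return seg, off


def linear(seg: int, off: int) -> int:
    """Real-mode segment:offset to a 20-bit linear address."""
    return (seg << 4) + off


def analyze_ivt(ivt: bytes) -> list:
    """Heuristics for the two artefacts the analysis describes. Returns a list of
    finding tags; an empty list means nothing suspicious was seen."""
    findings = []
    seg13, off13 = vector(ivt, 0x13)
    # Int 13h should resolve into ROM; a target below 0000:0400 is inside the
    # vector table itself, which is where the analysis says the virus body lives.
    if linear(seg13, off13) < IVT_SIZE:
        findings.append("int13_in_ivt")
    # Vectors F0h-FFh carry no standard BIOS or DOS service; one of them resolving
    # into the ROM BIOS looks like a saved copy of a BIOS entry point.
    for n in range(0xF0, 0x100):
        seg, off = vector(ivt, n)
        if seg == BIOS_ROM_SEGMENT:
            findings.append(f"int{n:02X}_points_to_rom")
    return findings


# Constructed samples. F000:E3FE is the classic PC BIOS Int 13h entry point; the
# infected table routes Int 13h into the IVT area at segment 0020h (handler offset
# 00A0h is an invented value) and parks the ROM address in Int FEh.
CLEAN_IVT = build_ivt({0x10: (0xF000, 0xF065), 0x13: (0xF000, 0xE3FE)})
INFECTED_IVT = build_ivt({0x10: (0xF000, 0xF065), 0x13: (0x0020, 0x00A0), 0xFE: (0xF000, 0xE3FE)})

if __name__ == "__main__":
    for name, ivt in (("clean", CLEAN_IVT), ("infected", INFECTED_IVT)):
        print(name, analyze_ivt(ivt) or "no findings")
```

On a real machine the dump would come from a debugger or an emulator rather than from `build_ivt`; the two heuristics are independent, so a sample that hooks Int 13h without parking the original in a spare vector still produces the first finding.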
The Int FEh stealth procedure of the Gwar virus replaces the
infected MBR with the original one located at 0/0/2 (h/t/s), so
the infection is not visible while the virus is in memory.
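Because the stealth procedure only works while the virus is resident, the relocated copy at 0/0/2 is the artefact an offline check can rely on: a disk image taken after a clean boot shows the infected sector in place of the MBR and a complete, original MBR one sector later. The following Python script is an added example, not part of the F-Secure analysis; it covers both the relocation/disinfection paragraph above and the stealth paragraph. It converts CHS 0/0/2 to an LBA, judges whether a sector looks like a full MBR (boot signature plus a plausible partition table), reports a relocated original, and performs the copy-back the analysis describes. The geometry, the sample sectors, the placeholder bytes standing in for the viral loader, and the assumption that the original is copied back over sector 0 (the analysis sentence is cut off before naming the destination) are all constructed for the example.

```python
import struct

SECTOR = 512
HEADS, SPT = 16, 63              # constructed CHS geometry for the sample image
PART_TABLE = 0x1BE               # offset of the four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"


def chs_to_lba(cyl: int, head: int, sector: int, heads: int = HEADS, spt: int = SPT) -> int:
    """Classic CHS -> LBA; sectors are numbered from 1, so CHS 0/0/2 is LBA 1."""
    return (cyl * heads + head) * spt + (sector - 1)


def read_sector(img: bytes, lba: int) -> bytes:
    return img[lba * SECTOR:(lba + 1) * SECTOR]


def looks_like_mbr(sec: bytes) -> bool:
    """Boot signature present, every partition status 00h/80h, at most one active
    entry, and at least one entry describing a real partition."""
    if len(sec) != SECTOR or sec[510:512] != BOOT_SIG:
        return False
    active = real = 0
    for i in range(4):
        status, ptype, count = struct.unpack_from("<B3xB3x4xI", sec, PART_TABLE + 16 * i)
        if status not in (0x00, 0x80):
            return False
        active += status == 0x80
        real += ptype != 0 and count != 0
    return active <= 1 and real >= 1


def inspect_image(img: bytes) -> dict:
    """Report whether sector 0 is a usable MBR and whether the sector the virus
    uses as a stash (CHS 0/0/2) holds what looks like a complete original MBR."""
    stash = chs_to_lba(0, 0, 2)
    return {
        "mbr_valid": looks_like_mbr(read_sector(img, 0)),
        "relocated_mbr_at": stash if looks_like_mbr(read_sector(img, stash)) else None,
    }


def restore_mbr(img: bytes, src_lba: int) -> bytes:
    """Disinfection as the analysis describes it: copy the saved original back.
    Destination sector 0 is an assumption; the analysis text stops before naming it."""
    original = read_sector(img, src_lba)
    if not looks_like_mbr(original):
        raise ValueError("sector %d does not look like an MBR, refusing to copy it" % src_lba)
    return original + img[SECTOR:]


# --- constructed sample images -------------------------------------------------
def part_entry(status: int, ptype: int, start_lba: int, count: int) -> bytes:
    """One 16-byte partition entry; the CHS fields are filler values."""
    return struct.pack("<B3sB3sII", status, b"\x01\x01\x00", ptype, b"\xFE\xFF\xFF", start_lba, count)


def make_sector(code: bytes, table: bytes) -> bytes:
    """Boot code padded to the table offset, a 64-byte table, then the signature."""
    return code.ljust(PART_TABLE, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIG


ORIGINAL_MBR = make_sector(b"\xFA\x33\xC0" + b"\x90" * 16, part_entry(0x80, 0x06, 63, 2048))
INFECTED_SECTOR0 = make_sector(b"INFECTED MBR PLACEHOLDER", b"")   # no usable partition table
EMPTY = b"\x00" * SECTOR

CLEAN_IMAGE = ORIGINAL_MBR + EMPTY + EMPTY + EMPTY
INFECTED_IMAGE = INFECTED_SECTOR0 + ORIGINAL_MBR + EMPTY + EMPTY   # original parked at LBA 1 (CHS 0/0/2)

if __name__ == "__main__":
    print("clean   :", inspect_image(CLEAN_IMAGE))
    print("infected:", inspect_image(INFECTED_IMAGE))
    print("restored:", inspect_image(restore_mbr(INFECTED_IMAGE, 1)))
```

The constructed infected sample carries an empty partition table in sector 0, which is one way to reproduce the "logical disks inaccessible when booting from a diskette" symptom; the relocation check does not depend on that, since it keys on the stash sector alone. After `restore_mbr` the copy at 0/0/2 is still present, and the analysis does not say whether the virus or a cleaner clears it, so the function leaves it untouched.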
[Analysis: Alexey Podrezov, Szor Peter; F-Secure, 1998]