The Junkie virus was circulated through European BBSs at the end
of May 1994. It travelled in a file called HV-PSPTC.ZIP.
According to the description, the file was supposed to contain a
program which would make it possible to install illegal copies of
the Pacific Strike game directly from the hard disk instead of
from diskettes. The packet's content, PSPATCH.COM, contained only
the Junkie virus, however.
Junkie is a Swedish multipartite virus. It infects hard disk MBRs
and COM files. When an infected file is executed in a computer
for the first time, the virus overwrites the hard disk's MBR with
its own code but does nothing else. During its next execution,
the virus goes resident in memory and infects all accessed COM
files. Junkie is a fast infector.
Junkie also infects boot sectors of all floppies used in the
machine, and is capable of spreading further when the machine
is booted up from such a diskette. 360KB and 2.88MB diskettes
are not infected.
Infected COM files grow by approximately 1035 bytes. Since the
virus infects all accessed COM files, it corrupts files which are
structurally EXEs but happen to have the extension COM. The virus
code is doubly encrypted. The following message is hidden under
the second encryption layer:

    Dr White - Sweden 1994
    Junkie Virus - Written in Malmo...M01D

Dr White has also written another Swedish virus called Desperado.
The Junkie virus can be noticed by the decrease of available
memory in the system. Some programs also display the message
"Program too big to fit in memory" when they are executed.
TECHNICAL INFO:
Junkie patches floppy boot sectors and HD MBS from offset 98 to 127.
The virus code itself is contained in two sectors, 0,0,4-5 on HD and
on the last track (40 or 80), side 1, sectors 8-9 on floppies. Junkie
neither relocates nor stores the original sector anywhere. In COM
files, the virus will append itself at the end of the file, with a
length of 1027 to 1042 bytes.
Junkie is a selective fast infector (not all files will be infected on
opening, just some). Junkie will not infect COM files shorter than
about 5000 bytes. However, Junkie will sometimes infect files with
other extensions, such as CO_, COW etc.
When active, Junkie will decrease the base memory by three kilobytes.
Also, INT 1Ch will be hooked; QEMM will complain about this and
will not load high any programs requiring this handler.
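
The figures above can be turned into a baseline-comparison check. The following is an added example, not part of the original description or of any F-Secure product: it compares a saved boot sector copy and a saved list of file sizes against current ones. It assumes the "offset 98 to 127" range is decimal and inclusive; the function names and the sample data are constructed for illustration.

```python
import os

# Figures taken from the description above; constructed sample data is in demo().
PATCH_WINDOW = range(98, 128)   # assumption: "offset 98 to 127" read as decimal, inclusive
GROWTH = range(1027, 1043)      # appended virus length in COM files, in bytes
SECTOR_SIZE = 512

def boot_sector_diff(baseline: bytes, current: bytes) -> dict:
    """Compare a saved copy of a boot sector/MBR with the sector as it is now."""
    if len(baseline) != SECTOR_SIZE or len(current) != SECTOR_SIZE:
        raise ValueError("expected two 512-byte sectors")
    changed = [i for i in range(SECTOR_SIZE) if baseline[i] != current[i]]
    return {
        "changed": len(changed),
        "first": changed[0] if changed else None,
        "last": changed[-1] if changed else None,
        # True only if something changed and every changed byte is in the window
        "only_patch_window": bool(changed) and all(i in PATCH_WINDOW for i in changed),
    }

def suspicious_growth(baseline_sizes: dict, current_sizes: dict) -> list:
    """List (name, growth) for CO? files that grew by an amount in GROWTH."""
    hits = []
    for name, old in baseline_sizes.items():
        ext = os.path.splitext(name)[1].upper()
        new = current_sizes.get(name)
        # COM plus look-alike extensions such as CO_ and COW
        if new is None or len(ext) != 4 or not ext.startswith(".CO"):
            continue
        if (new - old) in GROWTH:
            hits.append((name, new - old))
    return sorted(hits)

def demo():
    """Run both checks on constructed sample data (not real disk contents)."""
    clean = bytes(SECTOR_SIZE)
    patched = bytearray(clean)
    patched[98:128] = b"\xAA" * 30
    before = {"EDIT.COM": 12000, "MORE.COM": 8000, "SETUP.COW": 9000, "README.TXT": 7000}
    after = {"EDIT.COM": 13035, "MORE.COM": 8000, "SETUP.COW": 10030, "README.TXT": 8035}
    return boot_sector_diff(clean, bytes(patched)), suspicious_growth(before, after)

if __name__ == "__main__":
    print(demo())
```

A match from either check is only a reason to scan the machine with an anti-virus product; legitimate updates can also change a boot sector or a file's size.
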
F-Secure anti-virus products are able to detect and disinfect the
Junkie virus in both files and boot sectors.