LZR is a destructive virus which is common in different
parts of the world.
On October 10th, 1994, a large number of preformatted, infected
diskettes was imported into Finland through Helsinki. Since only
about ten percent of the diskettes were infected, the virus slipped
through the importer's virus checks. A number of diskettes were
sold before the virus was noticed.
LZR infects the boot sectors of diskettes and the master boot
records of hard disks. The virus crosses to the hard disk if
a computer is booted while an infected diskette is in drive
A. The virus does not infect the computer on every boot-up,
however, but only at random. This makes it quite slow to
spread. Once the virus has infected the hard disk, it
infects practically all non-write-protected diskettes used
in the computer.
When LZR is resident in memory, it decreases the amount of
available DOS memory by 8 kilobytes. LZR damages 3.5" HD
diskettes when it tries to infect them. It does not identify
this diskette type correctly, and copies the second sector
of its own code, together with the original boot sector,
straight to the middle of the diskette. The virus's
original intention is to copy these to the end of the diskette.
The overwritten area is cylinder 39, sectors 8 and 9. If this
one-kilobyte area contains data, it is lost.
LZR contains two separate activation routines. Every time a
disk operation is made, the virus has a 1/65536 chance of
activating. If this happens, the virus overwrites all data
on the computer's first hard disk.
The second activation mechanism is connected to disk writes.
Every time the hard disk is written to, the virus has a
1/256 chance of activating. When this activation routine is
executed, the virus corrupts one byte in the computer's
write buffer. This way, it steadily corrupts the data on the
hard disk. Damaged files cannot be located afterwards, and
in most cases the corrupted files have already made it to
the backup copies.
There is no sure way to find out how long the virus has been
corrupting the system. The LZR virus is therefore very
dangerous.
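The following Python script is an added example and not part of the F-Secure description. It maps the overwritten area named above (cylinder 39, sectors 8 and 9) to byte offsets in a 1.44 MB diskette image, flags a boot-sector-like copy found there, and turns the stated 1/65536 and 1/256 activation odds into cumulative probabilities. The head number and the 360 KB geometry (on which cylinder 39, sector 9 is the last sector) are assumptions used to illustrate the misidentification, not facts from the description.

```python
# Added example, not F-Secure's code. Offsets follow standard CHS -> LBA
# arithmetic; sector numbers are 1-based, the head is an assumption.
SECTOR = 512
GEOM_1440K = {"heads": 2, "spt": 18}   # 80 cylinders, 18 sectors per track
GEOM_360K = {"heads": 2, "spt": 9}     # 40 cylinders, 9 sectors per track (assumed)

def chs_to_offset(cyl, head, sector, geom):
    """Byte offset of a sector given its CHS address and the disk geometry."""
    lba = (cyl * geom["heads"] + head) * geom["spt"] + (sector - 1)
    return lba * SECTOR

def damaged_offsets(head):
    """Offsets of cylinder 39, sectors 8 and 9 on a 1.44 MB image.
    The description does not state the head; pass 0 or 1 (assumption)."""
    return [chs_to_offset(39, head, s, GEOM_1440K) for s in (8, 9)]

def looks_like_boot_sector(sec):
    """Heuristic: x86 boot sectors begin with a JMP and end with 55 AA."""
    return len(sec) == SECTOR and sec[0] in (0xEB, 0xE9) and sec[-2:] == b"\x55\xAA"

def scan_image(image):
    """Return offsets inside the damaged area holding a boot-sector-like copy."""
    hits = []
    for head in (0, 1):
        for off in damaged_offsets(head):
            if looks_like_boot_sector(image[off:off + SECTOR]):
                hits.append(off)
    return hits

def p_wipe_within(n_ops):
    """Chance the 1/65536 wipe routine fires at least once in n_ops operations."""
    return 1 - (1 - 1 / 65536) ** n_ops

def p_corrupt_within(n_writes):
    """Chance at least one of n_writes had a byte corrupted (1/256 per write)."""
    return 1 - (1 - 1 / 256) ** n_writes

if __name__ == "__main__":
    # Constructed sample: a blank 1.44 MB image with a fake boot sector placed
    # at cylinder 39, head 1, sector 9 (the last sector of a 360 KB diskette).
    image = bytearray(1474560)
    fake = bytearray(SECTOR)
    fake[0], fake[-2:] = 0xEB, b"\x55\xAA"
    off = chs_to_offset(39, 1, 9, GEOM_1440K)
    image[off:off + SECTOR] = fake
    print(hex(off), scan_image(image))          # 0xb2c00 [732160]
    print(round(p_corrupt_within(256), 3))      # 0.633
```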
F-Secure anti-virus products are able to disinfect the LZR virus.
This virus can also be disinfected manually by cold-booting the
infected machine from a boot diskette with MS-DOS 5 or 6. The FDISK
utility should be copied to the boot diskette beforehand. After
booting the machine, test that all hard disk partitions are visible
with the DIR command. If you receive an error message like "Invalid
drive specification", do not try to use FDISK to remove the virus. If
all partitions can be seen, then the command FDISK /MBR will
overwrite the virus in the master boot record. After a successful
disinfection the machine can be booted normally again. Floppy
disks can be disinfected manually by SYSing them on a clean
machine.