Threat Description

LZR

Details

Aliases: LZR
Category: Malware
Type: Virus
Platform: W32

Summary



LZR is a destructive virus which is common in different parts of the world.



Removal



F-Secure anti-virus products are able to disinfect the LZR virus. This virus can also be disinfected manually by cold-booting the infected machine from a boot diskette with MS-DOS 5 or 6.

The FDISK utility should be copied to the boot diskette beforehand. After booting the machine, test that all hard disk partitions are visible with the DIR command.

If you receive an error message like "Invalid drive specification", do not try to use FDISK to remove the virus. If all partitions can be seen then the command FDISK /MBR will overwrite the virus in the master boot record.

After a successful disinfection the machine can be booted normally again. Floppy disks can be disinfected manually by SYSing them on a clean machine.



Technical Details



On October the 10th of 1994 in Helsinki, Finland, a large number of preformatted, infected diskettes were imported into the country. Since only about ten percent of the diskettes were infected, the virus slipped through the importer's virus checks. A number of diskettes were sold before the virus was noticed.

LZR infects the boot sectors of diskettes and the master boot records of hard disks. The virus crosses to the hard disk if a computer is booted while an infected diskette is in drive A. The virus does not infect the computer on every boot-up, however, but only randomly. This makes it quite slow to spread. Once the virus has infected the hard disk, it infects practically all non-write-protected diskettes used in the computer.

When LZR is resident in memory, it decreases the amount of available DOS memory by 8 kilobytes. LZR damages 3.5" HD diskettes when it tries to infect them. It does not identify this diskette type correctly, and copies the second sector of its own code, together with the original boot sector, straight to the middle of the diskette. The virus's intended behaviour is to copy them to the end of the diskette. The overwritten area is cylinder 39, sectors 8 and 9. If this one-kilobyte area contains data, it is lost.

LZR contains two separate activation routines. Every time a disk operation is made, the virus has a 1/65536 chance of activating. If this happens, the virus overwrites all data on the computer's first hard disk.

The second activation mechanism is connected to disk writes. Every time the hard disk is written to, the virus has a 1/256 chance of activating. When this activation routine is executed, the virus corrupts one byte in the computer's write buffer. This way, it steadily corrupts the data on the hard disk. Damaged files cannot be located afterwards, and in most cases the corrupted files have already made it to the backup copies.

There is no sure way to find out how long the virus has been corrupting the system. The LZR virus is therefore very dangerous.
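The two activation odds above translate directly into how quickly damage accumulates and how little operating time is needed before corruption is almost certain. The following added example (written for this page, not F-Secure's code) models both routines with the page's probabilities; the operation counts passed in are constructed inputs, not measurements.

```python
import math

# Per-event activation odds as stated in the description.
WIPE_PER_DISK_OP = 1 / 65536   # first routine: overwrite the first hard disk
CORRUPT_PER_WRITE = 1 / 256    # second routine: corrupt one byte in the write buffer


def prob_at_least_one(p: float, n: int) -> float:
    """Probability that an event with per-trial chance p fires at least once in n trials."""
    return 1.0 - (1.0 - p) ** n


def expected_trials(p: float) -> float:
    """Mean number of trials until the first activation (geometric distribution)."""
    return 1.0 / p


def trials_for_confidence(p: float, target: float) -> int:
    """Smallest n for which prob_at_least_one(p, n) >= target."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def expected_corrupted_bytes(n_writes: int, p: float = CORRUPT_PER_WRITE) -> float:
    """Expected number of silently corrupted bytes after n_writes hard disk writes."""
    return n_writes * p


if __name__ == "__main__":
    print("mean disk operations before the wipe routine fires:",
          int(expected_trials(WIPE_PER_DISK_OP)))
    print("chance of at least one corrupted byte after 256 writes:",
          round(prob_at_least_one(CORRUPT_PER_WRITE, 256), 3))
    print("writes needed for a 50% chance of corruption:",
          trials_for_confidence(CORRUPT_PER_WRITE, 0.5))
    print("expected corrupted bytes after 10000 writes:",
          expected_corrupted_bytes(10000))
```

The corruption routine needs only a couple of hundred writes for a better-than-even chance of having already altered a byte, which is why the page concludes that the duration of the corruption cannot be established and that backups made in the meantime are suspect.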





Description Created: Mikko Hypponen, F-Secure

