The 3APA3A virus was found in the wild in Moscow, between 12th and 14th of October 1994.


Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more
Knowledge Base

Find the latest advice in our Community Knowledge Base.

Product Manual

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The virus uses a complex infection method that seems also to be a completely new one. Like other boot sector viruses, 3APA3A infects the boot sectors of diskettes. However, on hard disks the virus infects the DOS core file IO.SYS.

The diskette boot sector infection mechanism is like that of many other boot-sector viruses, but the hard disk infection method is unique. Because of this, the virus is deemed to belong to a new virus class, known as "kernel infectors".

The viruse's size is 1024 bytes (i.e., 2 sectors). On a diskette, the first half of the virus's code is stored in the boot sector. The original diskette boot sector and the second half of the virus's code are stored at the very end of the diskette's root directory. This means that when the virus infects a diskette, it also overwrites the last two sectors in the root directory.

When a computer is booted from an infected diskette, the virus tries to infect the first file in the root directory of the active DOS partition (this file being usually IO.SYS). The virus begins by making a copy of the IO.SYS file, after which it infects the original file. After the infection, the root directory contains two IO.SYS entries.

The first is not shown in a directory listing, however, because the virus sets its volume-label bit. The directory entries point to the two IO.SYS files. The first, infected IO.SYS is located in its customary place at the beginning of the root directory. It contains the virus's code, 1024bytes, in its beginning, but is not otherwise changed. The second IO.SYS directory entry points to the copy of the original IO.SYS file, which is located at the end of the partition. The copy is not infected.

When DOS is started during the computer's next boot-up, the infected IO.SYS is executed and the virus loads itself into memory like any other boot sector virus. It will then infect all non-write protected diskettes that are used in the computer.

Infected hard disks carry the label "IO SYS". The label can be seen with the DIR and LABEL commands. This label cannot be changed even with the LABEL command.

Since the 3APA3A virus is located in the IO.SYS file, itcannot be removed with the command FDISK /MBR. FDISK /MBR replaces the MBR and DOS boot sectors, so it can be used for removing a great many boot sector viruses. With 3APA3A it is quite ineffective, however. The command SYS C: isn't very useful, either. It only modifies/removes the uninfected copy of IO.SYS the virus has placed at the end of the active DOS partition.

The 3APA3A virus is mildly polymorphic - the boot sectors of infected diskettes vary slightly. Only the string 'MSDOS5.0' is visible at the beginning and, obviously, the 55AAmarker is present at the very end of the boot sector.

The virus contains the message "B BOOT CEKTOPE 3APA3A!"(which means "IN BOOT SECTOR - INFECTION!") The message string is encrypted, and cannot be seen even in memory. In August, the virus displays its message during every computer boot-up.

The 3APA3A virus does not contain destructive routines.

Because of a bug, the virus frequently hangs 386/486computers. 3APA3A can only infect hard disks whose active DOS partition is bigger than 10.6 MB.

Date Created: -

Date Last Modified: -