NYB

Classification

Malware

Virus

-

NYB, B1, Stoned.i

Summary

The NYB virus is a reasonably simple diskette and Master Boot Record infector. It is only able to infect a hard disk when you try to boot the machine from an infected diskette. At this time B1 infects the Main Boot Record, and after that it will go resident to high DOS memory during every boot-up from the hard disk.

Once NYB gets resident to memory, it will infect practically all non-writeprotected diskettes used in the machine. NYB will allocate 1kB of DOS base memory. NYB is a stealth virus, so the changes made to MBR are not visible as long as the virus is resident.

Every time a floppy disk is accessed, there is a 1/512 chance that the virus activates. Virus then sends the floppy drive head repeatedly from track 0 sector 0 to track 255, sector 62. On standard floppy drives, such areas do not exist.

On some floppy drives there are no validity checking on these values, and so the floppy head might get hit against the stopper again and again. This might cause some physical damage to the floppy drive, but only if the routine is allowed to continue for some time. We've yet to see an actual case where this would have caused real damage to the floppy drive.

There is also another activation routine, which went unnoticed by virus researchers for a long time. The virus will crash the machine, if the hard disk is written to when the hour and minute fields of the system clock are zero (ie. right after midnight). Thanks to Paul Talbot (ptww@aol.com) for pointing this out.

NYB has no text strings. While infecting, it will corrupt some diskettes seriously.

NYB is very common all over the world.

F-PROT used to detect NYB as B1, but the virus was renamed in February 1996 (F-PROT 2.22).

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

N/A