Category: Malware

Type: Virus

Aliases: Gwar


Gwar is a boot virus that infects MBR of hard disks and floppy boot records. The virus is one sector long. It is partially encrypted. Gwar is a stealth and resident virus.


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The system is infected after booting from an infected floppy or after executing COM or EXE file infected by Messev.3158 virus that acts as a dropper for Gwar. Before infecting the hard disk with the Gwar the Messev.3158 tries to delete Windows 95 floppy device driver HSFLOP.PDR, but there's an error in the virus and this never happens. Floppy boot records are infected by the virus on first access to them.

When infecting hard disks the virus (or a dropper) copies the original MBR to 0/0/2 (h/t/s) and since then all logical hard disks become inaccessible when booting from a system diskette. To disinfect the virus the original MBR should be copied back to 0/0/1 (h/t/s).

On bootup the virus copies itself to interrupt table area 0020:0000, decrypts its payload part, checks current date and if it is the 2nd of May the payload is activated. First the virus blocks the keyboard and outputs blinking text:

'Gwar virus v1.3, (c) 1998 by T-2000 / Invaders'

Then it starts to incrementally write 8 sector-long areas containing a part of virus body (from the message offset) to track 1/head 2 and printing the screen's contents on every write operation.

If the date is not May 2nd, the virus copies Int 13h handler address (that points to BIOS at startup) to 0000:01F8 (Int FEh) and uses Int FEh for disk access since then. This trick allows the virus to evade resident behaviour blockers and to perform its stealth procedure. Then the virus loads the original MBR to 0000:7C00 and passes control to it.

The Int FEh stealth procedure of Gwar virus substitutes the infected MBR with the original one located at 0/0/2 (h/t/s), so the infection is not seen when the virus is in memory.