Threat description




Gwar is a boot virus that infects MBR of hard disks and floppy boot records. The virus is one sector long. It is partially encrypted. Gwar is a stealth and resident virus.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The system is infected after booting from an infected floppy or after executing COM or EXE file infected by Messev.3158 virus that acts as a dropper for Gwar. Before infecting the hard disk with the Gwar the Messev.3158 tries to delete Windows 95 floppy device driver HSFLOP.PDR, but there's an error in the virus and this never happens. Floppy boot records are infected by the virus on first access to them.

When infecting hard disks the virus (or a dropper) copies the original MBR to 0/0/2 (h/t/s) and since then all logical hard disks become inaccessible when booting from a system diskette. To disinfect the virus the original MBR should be copied back to 0/0/1 (h/t/s).

On bootup the virus copies itself to interrupt table area 0020:0000, decrypts its payload part, checks current date and if it is the 2nd of May the payload is activated. First the virus blocks the keyboard and outputs blinking text:

'Gwar virus v1.3, (c) 1998 by T-2000 / Invaders'

Then it starts to incrementally write 8 sector-long areas containing a part of virus body (from the message offset) to track 1/head 2 and printing the screen's contents on every write operation.

If the date is not May 2nd, the virus copies Int 13h handler address (that points to BIOS at startup) to 0000:01F8 (Int FEh) and uses Int FEh for disk access since then. This trick allows the virus to evade resident behaviour blockers and to perform its stealth procedure. Then the virus loads the original MBR to 0000:7C00 and passes control to it.

The Int FEh stealth procedure of Gwar virus substitutes the infected MBR with the original one located at 0/0/2 (h/t/s), so the infection is not seen when the virus is in memory.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info