Classification

Category: Malware

Type: Virus

Aliases: Junkie, Malmo

Summary

The Junkie virus was circulated through European BBSs at the end of May 1994. It travelled in a file called HV-PSPTC.ZIP. According to its description, the file was supposed to contain a program that would make it possible to install illegal copies of the game Pacific Strike directly from the hard disk instead of from diskettes. However, the archive's content, PSPATCH.COM, contained only the Junkie virus.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Junkie is a Swedish multipartite virus. It infects hard disk MBRs and COM files. When an infected file is executed on a computer for the first time, the virus overwrites the hard disk's MBR with its own code but does nothing else. During its next execution, the virus goes resident in memory and infects all accessed COM files. Junkie is a fast infector.

Junkie also infects boot sectors of all floppies used in the machine, and is capable of spreading further when the machine is booted up from such a diskette. 360KB and 2.88MB diskettes are not infected.

Infected COM files grow by approximately 1035 bytes. Since the virus infects all accessed COM files, it corrupts files which are structurally EXEs but happen to have the extension COM. The virus code is doubly encrypted. The following message is hidden under the second encryption layer:

Dr White - Sweden 1994
 Junkie Virus - Written in Malmo...M01D

Dr White has also written another Swedish virus called Desperado.

The Junkie virus can be noticed from the decrease in available memory in the system. Some programs also display the message "Program too big to fit in memory" when they are executed.

TECHNICAL INFO: Junkie patches floppy boot sectors and HD MBS from offset 98 to 127. The virus code itself is contained in two sectors, 0,0,4-5 on HD and on the last track (40 or 80), side 1, sectors 8-9 on floppies. Junkie neither relocates nor stores the original sector anywhere. In COM files, the virus appends itself to the end of the file, with a length of 1027 to 1042 bytes.

Junkie is a selective fast infector (not all files will be infected on opening, just some). Junkie will not infect COM files shorter than about 5000 bytes. However, Junkie will sometimes infect files with other extensions, such as CO_, COW etc.

When active, Junkie will decrease the base memory by three kilobytes. Also, INT 1Ch will be hooked, and QEMM will complain about this and will not load high any programs that require this handler.
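The indicators above can be turned into a baseline-comparison triage check. The following is an added example, not F-Secure code. It assumes that a known-good copy of the boot sector and an earlier file-size listing are available, and that "offset 98 to 127" means decimal, inclusive byte offsets. All sample data is constructed.

```python
SECTOR_SIZE = 512
PATCH_START, PATCH_END = 98, 127     # assumption: decimal, inclusive byte offsets
GROWTH_MIN, GROWTH_MAX = 1027, 1042  # appended length range given in the text


def changed_offsets(baseline: bytes, current: bytes) -> list:
    """Byte offsets at which two 512-byte sectors differ."""
    if len(baseline) != SECTOR_SIZE or len(current) != SECTOR_SIZE:
        raise ValueError("expected two 512-byte sectors")
    return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]


def classify_sector(baseline: bytes, current: bytes) -> str:
    """Return 'unchanged', 'junkie-like' or 'other-change'."""
    diff = changed_offsets(baseline, current)
    if not diff:
        return "unchanged"
    # The text says the original sector is patched in place, not relocated,
    # so every modified byte should fall inside the patched window.
    if diff[0] >= PATCH_START and diff[-1] <= PATCH_END:
        return "junkie-like"
    return "other-change"


def suspicious_growth(old_sizes: dict, new_sizes: dict) -> list:
    """Files that grew by 1027..1042 bytes since the baseline listing.

    No extension filter: the text notes infections of CO_, COW and similar.
    """
    hits = []
    for name, old in old_sizes.items():
        new = new_sizes.get(name)
        if new is not None and GROWTH_MIN <= new - old <= GROWTH_MAX:
            hits.append(name)
    return sorted(hits)


def demo():
    """Run both checks on constructed sample data (not real captures)."""
    good = bytearray(SECTOR_SIZE)
    good[510:512] = b"\x55\xaa"                  # boot signature
    patched = bytearray(good)
    patched[PATCH_START:PATCH_END + 1] = b"\x90" * 30
    old = {"EDIT.COM": 8000, "TOOL.COM": 12000, "GAME.COW": 6000}
    new = {"EDIT.COM": 9035, "TOOL.COM": 12000, "GAME.COW": 7040}
    return classify_sector(bytes(good), bytes(patched)), suspicious_growth(old, new)


if __name__ == "__main__":
    print(demo())
```

A match is only a reason to scan the sector or file with an anti-virus product; legitimate updates can also change a file's size.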

F-Secure anti-virus products are able to detect and disinfect the Junkie virus in both files and boot sectors.