LZR

Classification

Category: Malware

Type: Virus

Summary

LZR is a destructive virus which is common in different parts of the world.

Technical Details

On October 10, 1994, a large number of preformatted, infected diskettes were imported to Helsinki, Finland. Since only about ten percent of the diskettes were infected, the virus slipped through the importer's virus checks. A number of diskettes were sold before the virus was noticed.

LZR infects the boot sectors of diskettes and the main boot records of hard disks. The virus crosses to the hard disk if a computer is booted while an infected diskette is in drive A. The virus does not infect computers during every boot-up, however, but only randomly. This makes it quite slow to spread. Once the virus has infected the hard disk, it infects practically all diskettes used in the computer that are not write-protected.

When LZR is resident in memory, it decreases the amount of available DOS memory by 8 kilobytes. LZR damages 3.5" HD diskettes when it tries to infect them. It does not identify this diskette type correctly, and copies the second sector of its own code, together with the original boot sector, straight to the middle of the diskette. The virus is meant to copy them to the end of the diskette. The overwritten area is cylinder 39, sectors 8 and 9. If this one-kilobyte area contains data, it is lost.
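
As an added example (not F-Secure's code), a damage check for a 3.5" HD diskette image: it maps the overwritten area named above to FAT12 clusters and reports whether they were in use. It assumes a standard DOS 1.44 MB layout and, since the description does not name the head, checks both sides; the function names and the sample image are constructed for illustration.

```python
import struct

# Assumed: standard DOS 1.44 MB layout (80 cyl, 2 heads, 18 sectors, 1 sector/cluster).
HEADS, SPT, SECTOR = 2, 18, 512
FAT_START, DATA_START = 1, 33   # LBA of the first FAT and of cluster 2
# From the page: cylinder 39, sectors 8 and 9. The head is not given, so check both.
CYLINDER, SECTORS = 39, (8, 9)

def chs_to_lba(c, h, s):
    return (c * HEADS + h) * SPT + (s - 1)

def _fat_offset(cluster):
    return FAT_START * SECTOR + cluster + cluster // 2   # 1.5 bytes per entry

def fat12_entry(image, cluster):
    (pair,) = struct.unpack_from("<H", image, _fat_offset(cluster))
    return pair >> 4 if cluster & 1 else pair & 0x0FFF

def set_fat12(image, cluster, value):
    (pair,) = struct.unpack_from("<H", image, _fat_offset(cluster))
    pair = (pair & 0x000F) | (value << 4) if cluster & 1 else (pair & 0xF000) | value
    struct.pack_into("<H", image, _fat_offset(cluster), pair)

def assess(image):
    """Return (head, sector, lba, cluster, state) for each candidate sector."""
    rows = []
    for head in range(HEADS):
        for s in SECTORS:
            lba = chs_to_lba(CYLINDER, head, s)
            cluster = lba - DATA_START + 2
            entry = fat12_entry(image, cluster)
            state = "free" if entry == 0 else "bad" if entry == 0xFF7 else "allocated"
            rows.append((head, s, lba, cluster, state))
    return rows

def demo_image():
    """Constructed sample: empty image with a two-cluster file at clusters 1398-1399."""
    image = bytearray(80 * HEADS * SPT * SECTOR)
    set_fat12(image, 1398, 1399)    # chain to the next cluster
    set_fat12(image, 1399, 0xFFF)   # end-of-chain marker
    return image

if __name__ == "__main__":
    for head, s, lba, cluster, state in assess(demo_image()):
        print(f"head {head} sector {s}: LBA {lba}, cluster {cluster}, {state}")
```

An "allocated" result means file data occupied the overwritten kilobyte; a "free" result means the overwrite landed in unused space.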

LZR contains two separate activation routines. Every time a disk operation is made, the virus has a 1/65536 chance of activating. If this happens, the virus overwrites all data on the computer's first hard disk.

The second activation mechanism is connected to disk writes. Every time the hard disk is written to, the virus has a 1/256 chance of activating. When this activation routine is executed, the virus corrupts one byte in the computer's write buffer. This way, it steadily corrupts the data on the hard disk. Damaged files cannot be located afterwards, and in most cases the corrupted files have already made it to the backup copies.

There is no sure way to find out how long the virus has been corrupting the system. The LZR virus is therefore very dangerous.
