27th April 2009, 11:35 AM   #1
Mario
Junkie virus. (Ahhh, to be infected again.)

Name: Junkie (Boot.Malmo)
Type: Virus

Junkie is a virus that infects .com files, the DOS boot sector on floppy disks, and the master boot record (MBR) on the first physical hard disk (drive 80h, drive C). The file form of Junkie does not become memory resident. It simply checks the MBR or floppy-disk boot sector for infection. If the sector is not infected, the virus infects the drive and returns control to the infected host file. The file form of the virus also contains code to target and remove from memory the antivirus TSR (VSafe), which shipped with MS-DOS 6.x. The virus code is two sectors in length and reserves 3 KB of memory. Thus, on a computer with 640 KB of memory, MEM would report 637 KB and CHKDSK would report 652,288 bytes of free memory.

The virus body is stored and encrypted on two sectors, starting at side 0, cylinder 0, sector 4 of the hard drive.

When the system is booted from an infected drive, Junkie loads into the top of memory and decrypts itself. From memory the virus infects .com files as they are executed or loaded. It contains code to bypass virus monitoring software.

Infected files grow by a variable length just over 1 KB. Since Junkie has neither intermediate nor advanced stealth capability, file growth is clearly visible. File times and dates are not changed.

Junkie contains two messages, which are encrypted along with the virus body and thus not visible in files or disk sectors. They are, however, visible in memory:

Dr White - Sweden 1994
Junkie Virus - Written in Malmo

The virus decryptor is not polymorphic. It contains four variable data bytes. These variables are two words: one represents the location to start decryption; the other is a variable key.
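A triage check for the two host-level indicators the post describes (data in the sectors starting at side 0, cylinder 0, sector 4, and 3 KB of missing conventional memory), as an added example that is not part of the original post. The function names, the default disk geometry and the sample images are assumptions made for illustration; the check also assumes those track-0 sectors are normally unused on the disk being examined.

```python
SECTOR = 512
BODY_CHS = (0, 0, 4)   # from the post: cylinder 0, side 0, sector 4
BODY_SECTORS = 2       # from the post: the virus body is two sectors long
RESERVED_KB = 3        # from the post: memory the virus reserves


def chs_to_lba(cyl, head, sec, heads=16, spt=63):
    """Standard CHS-to-LBA mapping (sectors are 1-based).
    heads/spt defaults are assumed; for cylinder 0, head 0 they drop out."""
    return (cyl * heads + head) * spt + (sec - 1)


def check_track0(image):
    """Inspect the two sectors the post names in a raw disk image (bytes)."""
    lba = chs_to_lba(*BODY_CHS)
    start, end = lba * SECTOR, (lba + BODY_SECTORS) * SECTOR
    if len(image) < end:
        raise ValueError("image shorter than the sectors being checked")
    nonzero = sum(1 for b in image[start:end] if b)
    return {"lba": lba, "nonzero_bytes": nonzero, "review": nonzero > 0}


def check_base_memory(reported_kb, installed_kb=640):
    """Compare the conventional memory DOS reports with what is installed."""
    missing = installed_kb - reported_kb
    return {"missing_kb": missing,
            "free_bytes": reported_kb * 1024,  # byte figure as quoted in the post
            "review": missing == RESERVED_KB}


def triage(image, reported_kb):
    """Return the names of the indicators that warrant a closer look."""
    hits = []
    if check_track0(image)["review"]:
        hits.append("track0")
    if check_base_memory(reported_kb)["review"]:
        hits.append("memory")
    return hits


# Constructed sample images (filler bytes, not real malware): 8 sectors each.
CLEAN = bytes(8 * SECTOR)
OCCUPIED = bytes(3 * SECTOR) + bytes([0xA5]) * (2 * SECTOR) + bytes(3 * SECTOR)

if __name__ == "__main__":
    print(triage(CLEAN, 640))      # no indicators
    print(triage(OCCUPIED, 637))   # both indicators
```

Boot managers and disk overlay software can legitimately occupy those sectors, so a "track0" hit is a prompt to inspect the sectors, not a verdict. The memory indicator only applies after booting from the suspect disk, since the post notes the file form does not go resident.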