44 lines
2.0 KiB
Plaintext
44 lines
2.0 KiB
Plaintext
Virus Name: DA'BOYS
|
|
Aliases: DALLAS COWBOYS
|
|
V Status: New, Research
|
|
Discovery: January, 1994
|
|
Symptoms: Possible diskette access problems; BSC; Infected disks fail to
|
|
boot on 8088 or 8086 processors; No COM4.
|
|
Origin: USA
|
|
Eff Length: 251 Bytes
|
|
Type Code: BORaX - Resident Overwriting Boot Sector and Master Boot Sector
|
|
Infector
|
|
Detection Method: None
|
|
Removal Instructions: DOS SYS
|
|
|
|
General Comments:
|
|
|
|
The DA'BOYS virus will only work with DOS 5 or DOS 6+ with an 80186 or
|
|
better processor. Unlike other boot sector infectors, the DA'BOYS
|
|
virus overwrites or rewrites the DOS boot sector. It does not make a
|
|
copy or move the boot sector to another sector. It will infect all
|
|
American DOS 5 or DOS 6 boot sectors. It will infect disks in drive
|
|
A: or B: It works with 360K, 720K, 1.2M, 1.44M or 2.88M disks.
|
|
|
|
When a disk is booted with the DA'BOYS virus, it will load itself into
|
|
a "hole" in lower DOS memory. CHKDSK will not show a decrease in
|
|
available memory. INT 12 will not be moved. The DA'BOYS virus code
|
|
is written in the "Non-System disk or disk error Replace and press
|
|
any key when ready" string. But it will display the above message by
|
|
using the code found on the hard disk DOS boot sector. It will then
|
|
infect the DOS boot sector (not the partition table) of the hard disk
|
|
and overwrite the "Non-System ... " text string with it's code.
|
|
|
|
The DA'BOYS virus does not damage any data. It disables COM4. The
|
|
text string "DA'BOYS" appears in the virus code but is not displayed.
|
|
|
|
The DA'BOYS virus has a companion virus that it works with. The
|
|
GOLD-BUG virus is also a boot sector infector. It is possible to have
|
|
a diskette with two boot sector viruses. GOLD-BUG hides the presence
|
|
of the DA'BOYS virus from the Windows 3.1 startup routine. GOLD-BUG
|
|
removes the DA'BOYS virus from the INT 13 chain at the start of
|
|
Windows and restores it when Windows ends.
|
|
|
|
It can be removed from diskettes and hard disks with the DOS SYS
|
|
command.
|