
Boot-437

Type: Virus
SubType: File Infector
Discovery Date: 01/01/1999
Length:
Minimum DAT: 4002 (12/02/1998)
Updated DAT: 4002 (12/02/1998)
Minimum Engine: 5.1.00
Description Added: 08/10/1999
Description Modified: 08/10/1999 12:00 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Characteristics

The Boot-437 virus was first listed as "In The Wild" on The WildList in March 1994. After the first reports the virus became common throughout the world, but it is now only occasionally reported, mostly in some European countries. Like many other boot viruses, the number of new incidents reported is decreasing each year.

Upon booting from an infected diskette, Boot-437 (detected by VirusScan 95 as "Bath"), installs itself to memory and to the hard drive boot record.

Boot-437 does not employ any payload - it simply replicates. When this virus replicates to a diskette, the user may notice a considerable delay before the disk read/write operation completes. The user may also notice an undue amount of drive-head read/write activity when attempting to access write-protected diskettes - almost like the diskette is corrupt. In each case, delays are due to the virus attempting to replicate.

Boot-437 does not employ read-stealth: if the user views the hard drive's boot record, what is shown is the record actually on disk, that is, the infected one. The virus saves the original, uninfected boot record at cylinder 0, head 0, sector 6 (CHS 0/0/6).
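The stash location gives a concrete forensic check. The following Python is an added example written for this page, not an AVERT or McAfee tool and not the virus's own code: it scans the unused remainder of track 0 of a raw disk image for a sector carrying a boot signature, then restores that sector over sector 0 after sanity checks. The 16-head, 63-sector geometry, the sample image and its fake loader are constructed for the demonstration; the layout fact it relies on is that on a classic DOS disk the first partition starts at CHS 0/1/1, so the rest of track 0 should be empty.

```python
"""Added example, not code from the AVERT page or the virus: locate a boot
record parked in the unused part of track 0 and restore it over sector 0."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"


def chs_to_lba(cyl, head, sector, heads=16, spt=63):
    """Classic BIOS CHS to LBA. BIOS sector numbers start at 1, so CHS 0/0/6 is LBA 5."""
    return (cyl * heads + head) * spt + (sector - 1)


def read_sector(image, lba):
    return bytes(image[lba * SECTOR:(lba + 1) * SECTOR])


def has_boot_signature(sec):
    return len(sec) == SECTOR and sec[510:512] == BOOT_SIG


def find_stashed_boot_records(image, heads=16, spt=63):
    """Scan CHS 0/0/2 .. 0/0/spt for sectors that carry a boot signature.

    On the classic DOS layout the first partition begins at CHS 0/1/1, so the rest
    of track 0 is normally unused; a signed sector there is where a boot virus
    parks the original record (Boot-437: 0/0/6). Returns (cyl, head, sector, lba).
    """
    hits = []
    for s in range(2, spt + 1):
        lba = chs_to_lba(0, 0, s, heads, spt)
        if has_boot_signature(read_sector(image, lba)):
            hits.append((0, 0, s, lba))
    return hits


def restore_boot_record(image, saved_lba):
    """Return a copy of the image with sector 0 replaced by the saved sector.

    Refuses if the saved sector has no signature or its partition table (bytes
    446..509) differs from the one in the current sector 0: a mismatch means this
    is not the disk's own record, and writing it would trash the partition table.
    The stashed copy is left in place so it can still be examined.
    """
    saved = read_sector(image, saved_lba)
    current = read_sector(image, 0)
    if not has_boot_signature(saved):
        raise ValueError("saved sector has no 55AA signature")
    if saved[446:510] != current[446:510]:
        raise ValueError("partition table mismatch; refusing to restore")
    fixed = bytearray(image)
    fixed[0:SECTOR] = saved
    return bytes(fixed)


def build_sample_image(spt=63):
    """Constructed one-track image (not a real infection): a fake loader in
    sector 0 and the 'original' record at CHS 0/0/6, sharing one partition table."""
    ptable = b"\x80\x01\x01\x00\x06\x3f\x3f\x0f" + struct.pack("<II", 63, 16128) + bytes(48)
    original = (b"\xEB\x3C\x90" + b"ORIGINAL DOS BOOT RECORD").ljust(446, b"\x00") + ptable + BOOT_SIG
    infected = (b"\xFA" + b"FAKE LOADER FOR THE DEMO, NOT VIRUS CODE").ljust(446, b"\x00") + ptable + BOOT_SIG
    image = bytearray(spt * SECTOR)
    image[0:SECTOR] = infected
    lba = chs_to_lba(0, 0, 6, spt=spt)
    image[lba * SECTOR:(lba + 1) * SECTOR] = original
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    hits = find_stashed_boot_records(img)
    print("signed sectors in the unused part of track 0:", hits)
    fixed = restore_boot_record(img, hits[0][3])
    print("sector 0 now matches the saved copy:", read_sector(fixed, 0) == read_sector(img, 5))
```

The scan is a heuristic, not a Boot-437 signature: any signed sector in that region deserves a look, and the partition-table comparison is what stops a stale or foreign copy from being written back over a live disk. A real cleanup should still use the scanner named under Removal.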

Boot-437 infects the boot sectors of diskettes and the boot record of hard drives. Upon loading into memory, the virus reduces the top of DOS memory by 2K. For example, on an MS-DOS 6.20 computer with 640K of conventional memory, the reduction shows as 587,664 bytes available rather than 589,712 (a difference of 2,048 bytes). Different computers may report different amounts of conventional memory available, depending on configuration.

Upon booting an infected computer where DOS is the operating system, the virus loads and stays resident in memory. Like most memory-resident boot viruses under DOS, Boot-437 hooks Int13h (the BIOS disk service), redirecting calls to its own code. While the virus is in memory and intercepting Int13h, virtually any diskette access will result in that diskette being infected.

Upon booting an infected computer where Windows 95 is the operating system, the virus still loads into memory. However, once Windows 95 has started (more precisely, once VMM32.VXD has loaded), disk access goes through its 32-bit protected-mode disk driver rather than through Int13h, so the virus's hook is never reached and it cannot replicate to other diskettes, even from a DOS box under Windows. The virus remains on the hard drive's master boot record, but is unable to replicate.

The following points should be noted:

1) After infection of a Windows 95 system, on the next restart of Windows 95 the user may see a Performance Warning message box.

The message indicates a change to the Int13h address, or at least to the Int13h address last recorded by Windows 95. The message appears whenever that address has changed, whether or not the boot record itself was physically modified.

The message can indicate a virus, but there are other legitimate reasons why it might appear (disk compression software, disk encryption software, etc.). The Performance Warning appears only once; on the following restart it will not be shown. If you see the message and did not expect it, investigate the reason immediately.

2) While this specific variant has no [working] dangerous payload, other boot viruses might (for example, Michelangelo). As noted above, Windows 95 effectively stops the virus from replicating, but the virus is still loaded at boot. A payload programmed to activate at boot time will activate regardless of the operating system installed on the hard drive, because the virus runs before the operating system ever loads and can do its damage then. If you suspect a boot virus, do not rely on the Windows 32-bit disk drivers to stop a payload from activating.

3) The Windows 95 32-bit disk driver can be disabled, which places the system in "DOS compatibility mode". In DOS compatibility mode, disk access once again goes through Int13h, so in theory the virus regains the ability to replicate. In the case of Boot-437 it does: the virus will replicate while Windows 95 is running in compatibility mode, but only then.
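The memory drop and the Int13h hook both leave traces in low memory that can be checked directly, which is what the Windows 95 Performance Warning is reacting to. The following Python is an added example, not an AVERT or Microsoft tool: it reads a dump of the first few kilobytes of real-mode memory (as a debugger or emulator can produce) and reports the BIOS base-memory count at 0040:0013 together with where the Int 13h vector points. The dump used here is constructed. That the virus lowers the 0040:0013 word is an assumption about the mechanism behind the 2K reduction the page reports, and the ROM threshold is a simplification that ignores legitimate third-party Int 13h hooks such as the disk compression or encryption drivers mentioned above.

```python
"""Added example, not code from the AVERT page: inspect a real-mode low-memory
dump for a lowered base-memory count and an Int 13h vector pointing into the
space a resident boot virus has taken from the top of conventional memory."""
import struct

BDA_BASE_MEMORY_KB = 0x0413   # linear address of the BIOS base-memory count (0040:0013)
ROM_SEGMENT_START = 0xC000    # option ROMs and the system BIOS live from C000:0000 up


def base_memory_kb(mem):
    """Base (conventional) memory in KB as the BIOS reports it; 640 on a clean 640K PC."""
    return struct.unpack_from("<H", mem, BDA_BASE_MEMORY_KB)[0]


def int_vector(mem, intno):
    """Real-mode vector for interrupt `intno`, stored as offset then segment at 0000:intno*4."""
    off, seg = struct.unpack_from("<HH", mem, intno * 4)
    return seg, off


def linear(seg, off):
    return (seg << 4) + off


def analyse(mem, expected_kb=640):
    """Findings for one dump. The vector is flagged when it lands between the top
    of memory the BIOS now reports and the expected top: that gap is exactly the
    region a boot virus reserves for itself (assumption: it does so by lowering
    the 0040:0013 word, the usual mechanism, which the page does not state)."""
    kb = base_memory_kb(mem)
    seg, off = int_vector(mem, 0x13)
    target = linear(seg, off)
    return {
        "base_memory_kb": kb,
        "memory_missing_kb": expected_kb - kb,
        "int13_vector": (seg, off),
        "int13_in_rom": seg >= ROM_SEGMENT_START,
        "int13_in_stolen_region": kb * 1024 <= target < expected_kb * 1024,
    }


def build_dump(base_kb, int13_seg, int13_off):
    """Constructed 2 KB low-memory image with only the fields above populated."""
    mem = bytearray(0x800)
    struct.pack_into("<HH", mem, 0x13 * 4, int13_off, int13_seg)
    struct.pack_into("<H", mem, BDA_BASE_MEMORY_KB, base_kb)
    return bytes(mem)


# Clean machine: 640K reported, Int 13h still in the system BIOS ROM.
CLEAN_DUMP = build_dump(640, 0xF000, 0xE3FE)
# After booting an infected disk: 638K reported, Int 13h redirected to the 2K
# just below the 640K mark (638 * 1024 / 16 = segment 9F80h).
INFECTED_DUMP = build_dump(638, 0x9F80, 0x0000)

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN_DUMP), ("infected", INFECTED_DUMP)):
        print(name, analyse(dump))
```

On a clean DOS machine the vector normally points into the system BIOS or a controller's option ROM; anything pointing below the top of conventional memory deserves a look, and comparing the reported base memory with the machine's known figure is the same comparison the text makes with 589,712 versus 587,664 bytes.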

Symptoms

Method of Infection

Removal

All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory-resident:
Use the specified engine and DAT files for detection. To remove, boot to MS-DOS mode or from a boot diskette and run the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (information/patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, network administrators can configure this update using an available tool; visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Bath
  • Square
