McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

WXYC is a memory resident, Master Boot Record (MBR)/Boot Sector infecting virus. It infects diskette boot sectors and the system hard disk MBR. It appears to be related to the Stoned virus.

The first time the system is booted from a WXYC infected diskette, the WXYC virus becomes memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return is moved. Also at this time, the virus infects the system hard disk's MBR. The WXYC virus saves the original MBR at Side 0, Cylinder 0, Sector 3.

Once the WXYC virus is memory resident, it infects the boot sector of any non-write protected diskettes accessed on the system.

On 360K 5.25" diskettes, the virus saves the original boot sector at Sector 11. On 1.2M 5.25" diskettes, the virus saves the original boot sector at Sector 28. In both cases, this is the last sector of the root directory, and any file directory entries originally in these sectors is lost.

Additional Comments:
The WXYC virus was submitted in October, 1992. WXYC is a memory resident infector of diskette boot sectors and the system hard disk master boot sector (partition table). It appears to be related to the Stoned virus. The first time the system is booted from a WXYC infected diskette, the WXYC virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,048 bytes. Also at this time, the virus will infect the system hard disk's master boot sector if it was not previously infected. The WXYC virus saves the original master boot sector at Side 0, Cylinder 0, Sector 3. Once the WXYC virus is memory resident, it will infect the boot sector of any non-write protected diskettes accessed on the system. On 360K 5.25" diskettes, the virus will save the original boot sector at Sector 11. On 1.2M 5.25" diskettes, the virus saves the original boot sector at Sector 28. In both cases, this is the last sector of the root directory, and any file directory entries originally in these sectors will be lost. The following text can be found within the viral code on infected hard disks and diskettes: "JAM WXYC" "WXYC rules this roost"

Symptoms

The following text is found within the viral code on infected hard disks and diskettes:

"JAM WXYC" "WXYC rules this roost"

Total system and available free memory decreases by 2,048 bytes.

Method of Infection

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Removal

Windows 95/98:
Note for Windows 9x systems - during the boot process a Windows95 created boot disk will access the hard drive for information. Because of this an image of the virus may be in memory but not active.

To remove the virus, follow the following steps:
- If you use the McAfee emergency disk, hit F8 at the starting Windows 95 message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the a:, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

WXYC is a memory resident, Master Boot Record (MBR)/Boot Sector infecting virus. It infects diskette boot sectors and the system hard disk MBR. It appears to be related to the Stoned virus.

The first time the system is booted from a WXYC infected diskette, the WXYC virus becomes memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return is moved. Also at this time, the virus infects the system hard disk's MBR. The WXYC virus saves the original MBR at Side 0, Cylinder 0, Sector 3.

Once the WXYC virus is memory resident, it infects the boot sector of any non-write protected diskettes accessed on the system.

On 360K 5.25" diskettes, the virus saves the original boot sector at Sector 11. On 1.2M 5.25" diskettes, the virus saves the original boot sector at Sector 28. In both cases, this is the last sector of the root directory, and any file directory entries originally in these sectors is lost.

Additional Comments:
The WXYC virus was submitted in October, 1992. WXYC is a memory resident infector of diskette boot sectors and the system hard disk master boot sector (partition table). It appears to be related to the Stoned virus. The first time the system is booted from a WXYC infected diskette, the WXYC virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,048 bytes. Also at this time, the virus will infect the system hard disk's master boot sector if it was not previously infected. The WXYC virus saves the original master boot sector at Side 0, Cylinder 0, Sector 3. Once the WXYC virus is memory resident, it will infect the boot sector of any non-write protected diskettes accessed on the system. On 360K 5.25" diskettes, the virus will save the original boot sector at Sector 11. On 1.2M 5.25" diskettes, the virus saves the original boot sector at Sector 28. In both cases, this is the last sector of the root directory, and any file directory entries originally in these sectors will be lost. The following text can be found within the viral code on infected hard disks and diskettes: "JAM WXYC" "WXYC rules this roost"

Symptoms

Symptoms -

The following text is found within the viral code on infected hard disks and diskettes:

"JAM WXYC" "WXYC rules this roost"

Total system and available free memory decreases by 2,048 bytes.

Method of Infection

Method of Infection -

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Removal -

Removal -

Windows 95/98:
Note for Windows 9x systems - during the boot process a Windows95 created boot disk will access the hard drive for information. Because of this an image of the virus may be in memory but not active.

To remove the virus, follow the following steps:
- If you use the McAfee emergency disk, hit F8 at the starting Windows 95 message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the a:, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.

Variants

Variants -

N/A