Filler
- Type: Virus
- SubType: Boot
- Discovery Date:
- Length: Unknown
- Minimum DAT: 4002 (12/02/1998)
- Updated DAT: 4002 (12/02/1998)
- Minimum Engine: 5.1.00
- Description Added: 11/30/1998
- Description Modified: 11/30/1998 12:00 AM (PT)
Characteristics
Filler is a stealth, memory resident, Master Boot Record (MBR)/Boot Sector infecting virus.
Upon infection, the Filler virus becomes memory resident at the top of system memory but below the 640K DOS boundary. The system hard disk's MBR is infected at this time.
Once the Filler virus is memory resident, it infects non-write protected diskettes exposed to the system. The infection of the diskette usually occurs when the boot sector is accessed for some reason. The Filler virus writes a copy of itself to the last track of the diskette which is not normally accessible by DOS. It also stores the original boot sector on this track. The virus then alters the boot sector to point to the viral code.
It is not known what Filler does besides replicate.
Additional Comments:
The Filler virus was submitted in January 1992. It was originally reported in the public domain in Hungary in 1991. Filler is a memory resident infector of diskette boot sectors and the hard disk master boot sector (partition table). Filler is a stealth virus: when it is memory resident, anti-viral programs will not be able to detect its infection of the hard disk master boot sector, and will have difficulty detecting its presence on diskette boot sectors.
When the system is booted from a Filler infected diskette, the Filler virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system memory will not decrease, but available free memory as indicated by the DOS CHKDSK program will have decreased by 8,192 bytes. The system hard disk's master boot sector will be infected at this time, if it was not previously infected with Filler.
Once the Filler virus is memory resident, it will infect non-write protected diskettes exposed to the system. The infection of the diskette usually occurs when the boot sector is accessed for some reason. The Filler virus will write a copy of itself to the last track of the diskette, which is not normally accessible by DOS. It will also store the original boot sector on this track. The virus then alters the boot sector to point to the viral code.
The Filler virus is a stealth virus. When it is memory resident, scanning programs will not detect the presence of the Filler virus on infected diskettes. CRC-type checking programs may be able to determine that the boot sector has been altered. In the case of the hard disk master boot sector, if Filler is memory resident, neither CRC-type checking nor scanning programs will be able to determine the Filler virus's presence. If you suspect you have a Filler virus infection, power down your system, reboot from a known uninfected, write protected system diskette, and then check the system with anti-viral software.
It is unknown what Filler might do besides replicate.
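The CRC-type check described above, as an added example (not McAfee's code): it fingerprints the boot code and the partition table of an MBR sector separately and compares them with a baseline recorded when the disk was known clean. The function names and the sample MBR bytes are constructed for illustration, and the sector is assumed to come from a raw image taken after booting from clean, write protected media, since a resident Filler hides the change.

```python
import struct
import zlib

SECTOR_SIZE = 512
CODE_END = 446    # classic MBR layout: bytes 0..445 hold the boot code
TABLE_END = 510   # bytes 446..509 hold four 16-byte partition entries


def fingerprint(sector: bytes) -> dict:
    """CRC-32 the boot code and the partition table of one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    (signature,) = struct.unpack_from("<H", sector, TABLE_END)
    return {
        "code_crc": zlib.crc32(sector[:CODE_END]),
        "table_crc": zlib.crc32(sector[CODE_END:TABLE_END]),
        "signature_ok": signature == 0xAA55,  # bytes 0x55 0xAA on disk
    }


def compare(baseline: dict, current: dict) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    findings = []
    if not current["signature_ok"]:
        findings.append("missing 0x55 0xAA boot signature")
    if current["code_crc"] != baseline["code_crc"]:
        findings.append("boot code changed")
    if current["table_crc"] != baseline["table_crc"]:
        findings.append("partition table changed")
    return findings


def read_sector0(image_path: str) -> bytes:
    """Read sector 0 from a raw disk image acquired after a clean boot."""
    with open(image_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def constructed_mbr(code_fill: int) -> bytes:
    """Constructed sample MBR: uniform code bytes and one partition entry."""
    code = bytes([code_fill]) * CODE_END
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x0f", 63, 257985)
    return code + entry + bytes(48) + b"\x55\xaa"


BASELINE = fingerprint(constructed_mbr(0x90))  # recorded while known clean
LATER = fingerprint(constructed_mbr(0xCC))     # same table, different code
```

A changed boot code CRC with an unchanged partition table is the pattern to investigate first; a partition table change on its own can also result from legitimate repartitioning.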
Symptoms
Total system memory does not decrease, but available free memory as indicated by the DOS CHKDSK program decreases by 8,192 bytes.
Method of Infection
The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.
Removal
Windows 95/98:
Note for Windows 9x systems: during the boot process, a boot disk created by Windows 95 will access the hard drive for information. Because of this, an image of the virus may be in memory but not active.
To remove the virus, follow these steps:
- If you use the McAfee emergency disk, press F8 at the "Starting Windows 95" message and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the A:\ prompt, type:
BOOTSCAN C: /BOOT /CLEAN /NOMEM
Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus-free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean
Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.
This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.