McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Fish Boot

Characteristics

Chinese Fish is a memory resident, Master Boot Record (MBR)/Boot Sector infecting virus.

Upon infection, this virus becomes memory resident in available free memory. Also at this time, the virus infects the system's hard disk MBR.

The Chinese Fish virus infects the system hard disk's MBR by first writing a copy of the virus starting at Side 0, Cylinder 0 Sector 8. The viral code is two sectors long. The original sector is then copied to Side 0, Cylinder 0, Sector 10. The virus then infects the sector located at Side 0, Cylinder 0, Sector 1.

Once Chinese Fish is memory resident, it infects any non-write protected diskette which is accessed on the system. On double density 5.25 inch diskettes, the original boot sector is located at Side 0, Cylinder 39, Sector 3. The Chinese Fish virus code is located in the original boot sector location, as well as at Side 0, Cylinder 39, Sectors 1 and 2. On high density 5.25 inch diskettes, the original boot sector is located at Side 0, Cylinder 79, Sector 3, with the virus code being located in the original boot sector location and Side 0, Cylinder 79, Sectors 1 and 2.

Additional Comments:
The Fish Boot virus was isolated in the Eastern United States in March 1992. The virus appears to originally be from Taiwan. Fish Boot is a memory resident infector of diskette boot sectors and the hard disk master boot sector (partition table). The first time the system is booted with a diskette infected with the Fish Boot virus, this virus will install itself memory resident in available free memory. Also at this time, the virus will infect the system's hard disk master boot sector. The Fish Boot virus infects the system hard disk's master boot sector by first writing a copy of the virus starting at Side 0, Cylinder 0 Sector 8. The viral code is two sectors long. The original master boot sector is then copied to Side 0, Cylinder 0, Sector 10. The virus then infects the master boot sector located at Side 0, Cylinder 0, Sector 1. Once Fish Boot is memory resident, it will infect any non-write protected diskette which is accessed on the system. On double density 5.25 inch diskettes, the original boot sector will be located at Side 0, Cylinder 39, Sector 3. The Fish Boot virus code will be located in the original boot sector location, as well as at Side 0, Cylinder 39, Sectors 1 and 2. On high density 5.25 inch diskettes, the original boot sector will be located at Side 0, Cylinder 79, Sector 3, with the virus code being located in the original boot sector location and Side 0, Cylinder 79, Sectors 1 and 2. Systems infected with the Fish Boot virus will notice that some programs will no longer function properly, hanging the system when they execute. At other times, the following message may be displayed: "Hello! I am FISH, please don't kill me. Congratulation 80th year of the Republic Of China Building, Fish will help to kill stone Written by Fish in NTIT. TAIWAIN 80.10.18" This message can be found on infected disks within the viral code that is located outside of the original boot sector or master boot sector location.

Symptoms

Users of infected systems may notice that some files no longer function properly, hanging the system as they are executed. At other times, the following message may be displayed:

"Hello! I am FISH, please don't kill me. Congratulation 80th year of the Republic Of China Building, Fish will help to kill stone Written by Fish in NTIT. TAIWAIN 80.10.18"

This message can be found on infected diskettes within the viral code that is located outside of the original boot sector.

Method of Infection

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Removal

Windows 95/98:
Note for Windows 9x systems - during the boot process a Windows95 created boot disk will access the hard drive for information. Because of this an image of the virus may be in memory but not active.

To remove the virus, follow the following steps:
- If you use the McAfee emergency disk, hit F8 at the starting Windows 95 message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the a:, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Fish Boot

Characteristics

Characteristics -

Chinese Fish is a memory resident, Master Boot Record (MBR)/Boot Sector infecting virus.

Upon infection, this virus becomes memory resident in available free memory. Also at this time, the virus infects the system's hard disk MBR.

The Chinese Fish virus infects the system hard disk's MBR by first writing a copy of the virus starting at Side 0, Cylinder 0 Sector 8. The viral code is two sectors long. The original sector is then copied to Side 0, Cylinder 0, Sector 10. The virus then infects the sector located at Side 0, Cylinder 0, Sector 1.

Once Chinese Fish is memory resident, it infects any non-write protected diskette which is accessed on the system. On double density 5.25 inch diskettes, the original boot sector is located at Side 0, Cylinder 39, Sector 3. The Chinese Fish virus code is located in the original boot sector location, as well as at Side 0, Cylinder 39, Sectors 1 and 2. On high density 5.25 inch diskettes, the original boot sector is located at Side 0, Cylinder 79, Sector 3, with the virus code being located in the original boot sector location and Side 0, Cylinder 79, Sectors 1 and 2.

Additional Comments:
The Fish Boot virus was isolated in the Eastern United States in March 1992. The virus appears to originally be from Taiwan. Fish Boot is a memory resident infector of diskette boot sectors and the hard disk master boot sector (partition table). The first time the system is booted with a diskette infected with the Fish Boot virus, this virus will install itself memory resident in available free memory. Also at this time, the virus will infect the system's hard disk master boot sector. The Fish Boot virus infects the system hard disk's master boot sector by first writing a copy of the virus starting at Side 0, Cylinder 0 Sector 8. The viral code is two sectors long. The original master boot sector is then copied to Side 0, Cylinder 0, Sector 10. The virus then infects the master boot sector located at Side 0, Cylinder 0, Sector 1. Once Fish Boot is memory resident, it will infect any non-write protected diskette which is accessed on the system. On double density 5.25 inch diskettes, the original boot sector will be located at Side 0, Cylinder 39, Sector 3. The Fish Boot virus code will be located in the original boot sector location, as well as at Side 0, Cylinder 39, Sectors 1 and 2. On high density 5.25 inch diskettes, the original boot sector will be located at Side 0, Cylinder 79, Sector 3, with the virus code being located in the original boot sector location and Side 0, Cylinder 79, Sectors 1 and 2. Systems infected with the Fish Boot virus will notice that some programs will no longer function properly, hanging the system when they execute. At other times, the following message may be displayed: "Hello! I am FISH, please don't kill me. Congratulation 80th year of the Republic Of China Building, Fish will help to kill stone Written by Fish in NTIT. TAIWAIN 80.10.18" This message can be found on infected disks within the viral code that is located outside of the original boot sector or master boot sector location.

Symptoms

Symptoms -

Users of infected systems may notice that some files no longer function properly, hanging the system as they are executed. At other times, the following message may be displayed:

"Hello! I am FISH, please don't kill me. Congratulation 80th year of the Republic Of China Building, Fish will help to kill stone Written by Fish in NTIT. TAIWAIN 80.10.18"

This message can be found on infected diskettes within the viral code that is located outside of the original boot sector.

Method of Infection

Method of Infection -

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Removal -

Removal -

Windows 95/98:
Note for Windows 9x systems - during the boot process a Windows95 created boot disk will access the hard drive for information. Because of this an image of the virus may be in memory but not active.

To remove the virus, follow the following steps:
- If you use the McAfee emergency disk, hit F8 at the starting Windows 95 message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the a:, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.

Variants

Variants -

N/A