McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• B1

• Stone.i

Characteristics

NYB is a memory resident Master Boot Record (MBR)/Boot Sector infector. It is a "Stealth" virus. MBR/Boot Sector viruses are some of the most successful viruses. They are fairly easy to write, and they take control of the computer at a low level.

The first time a system is booted from a diskette infected with the NYB virus, NYB will become memory resident at the top of system memory but below the 640K boundary. Also at this time, the virus will infect the MBR. Once NYB is memory resident, it will infect diskettes when they are accessed on the infected system.

On double density 5.25" diskettes, the original boot sector will have been relocated to sector 11. On high density 5.25" diskettes, the original boot sector will have been relocated to sector 28. In both cases, these sectors are the last sector of the root directory of the diskette, any files whose directory entries were in these sectors will be lost.

NYB uses stealth techniques to avoid detection on the system hard disk as well as on diskettes. If you suspect that you have the NYB virus, power off the system and reboot from a clean write-protected diskette, then check the system hard disk for the virus.

Additional Comments:
The NYB virus was received in January, 1995 after having been reported by several organizations in the United States for two months. NYB is a stealth boot virus which infects diskette boot sectors as well as the hard disk master boot sector (partition table). The first time a system is booted from a diskette infected with the NYB virus, NYB will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program from DOS 5.0, will have decreased by 1,024 bytes. Also at this time, the virus will infect the system hard disk master boot sector, containing the partition table, if it was not previously infected. Once NYB is memory resident, it will infect diskettes when they are accessed on the infected system. On double density 5.25" diskettes, the original boot sector will have been relocated to sector 11. On high density 5.25" diskettes, the original boot sector will have been relocated to sector 28. In both cases, these sectors are the last sector of the root directory of the diskette, so any files whose directory entries were in these sectors will be lost. NYB does not contain any messages which are displayed on boot. Infected systems may experience intermitant seek errors upon disk accesses.

The reason that NYB is considered a stealth virus is that while it can be detected in memory when resident, it cannot be detected when resident on the system hard disk or diskettes. If you have reason to believe that you have the NYB virus, power off the system and reboot from a clean write-protected diskette and then check the system hard disk for the virus.

Do not use "FDisk /MBR" to remove this virus on Windows NT systems. Use AV software as a primary method of removing this virus.

Once the system hard disk has been disinfected, diskettes should be checked for the virus, and disinfected by using AV software or the DOS SYS command. Alternatively copy the contents of the diskette to a clean, uninfected diskette and overwrite the original diskette with the DOS Format /U command.

Symptoms

Total system memory, as indicated by the DOS CKDSK program, decreases by 1,024 bytes. NYB does not contain any messages which are displayed on boot. Infected systems may experience intermittent seek errors upon disk accesses.

Method of Infection

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Removal

Windows 95/98:
Note for Windows 9x systems - during the boot process a Windows95 created boot disk will access the hard drive for information. Because of this an image of the virus may be in memory but not active.

To remove the virus, follow the following steps:
- If you use the McAfee emergency disk, hit F8 at the starting Windows 95 message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the a:, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• B1

• Stone.i

Characteristics

Characteristics -

NYB is a memory resident Master Boot Record (MBR)/Boot Sector infector. It is a "Stealth" virus. MBR/Boot Sector viruses are some of the most successful viruses. They are fairly easy to write, and they take control of the computer at a low level.

The first time a system is booted from a diskette infected with the NYB virus, NYB will become memory resident at the top of system memory but below the 640K boundary. Also at this time, the virus will infect the MBR. Once NYB is memory resident, it will infect diskettes when they are accessed on the infected system.

On double density 5.25" diskettes, the original boot sector will have been relocated to sector 11. On high density 5.25" diskettes, the original boot sector will have been relocated to sector 28. In both cases, these sectors are the last sector of the root directory of the diskette, any files whose directory entries were in these sectors will be lost.

NYB uses stealth techniques to avoid detection on the system hard disk as well as on diskettes. If you suspect that you have the NYB virus, power off the system and reboot from a clean write-protected diskette, then check the system hard disk for the virus.

Additional Comments:
The NYB virus was received in January, 1995 after having been reported by several organizations in the United States for two months. NYB is a stealth boot virus which infects diskette boot sectors as well as the hard disk master boot sector (partition table). The first time a system is booted from a diskette infected with the NYB virus, NYB will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program from DOS 5.0, will have decreased by 1,024 bytes. Also at this time, the virus will infect the system hard disk master boot sector, containing the partition table, if it was not previously infected. Once NYB is memory resident, it will infect diskettes when they are accessed on the infected system. On double density 5.25" diskettes, the original boot sector will have been relocated to sector 11. On high density 5.25" diskettes, the original boot sector will have been relocated to sector 28. In both cases, these sectors are the last sector of the root directory of the diskette, so any files whose directory entries were in these sectors will be lost. NYB does not contain any messages which are displayed on boot. Infected systems may experience intermitant seek errors upon disk accesses.

The reason that NYB is considered a stealth virus is that while it can be detected in memory when resident, it cannot be detected when resident on the system hard disk or diskettes. If you have reason to believe that you have the NYB virus, power off the system and reboot from a clean write-protected diskette and then check the system hard disk for the virus.

Do not use "FDisk /MBR" to remove this virus on Windows NT systems. Use AV software as a primary method of removing this virus.

Once the system hard disk has been disinfected, diskettes should be checked for the virus, and disinfected by using AV software or the DOS SYS command. Alternatively copy the contents of the diskette to a clean, uninfected diskette and overwrite the original diskette with the DOS Format /U command.

Symptoms

Symptoms -

Total system memory, as indicated by the DOS CKDSK program, decreases by 1,024 bytes. NYB does not contain any messages which are displayed on boot. Infected systems may experience intermittent seek errors upon disk accesses.

Method of Infection

Method of Infection -

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Removal -

Removal -

Windows 95/98:
Note for Windows 9x systems - during the boot process a Windows95 created boot disk will access the hard drive for information. Because of this an image of the virus may be in memory but not active.

To remove the virus, follow the following steps:
- If you use the McAfee emergency disk, hit F8 at the starting Windows 95 message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the a:, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.

Variants

Variants -

N/A