BFD

  • Type: Virus
  • SubType: Multi-Partite
  • Discovery Date: 07/01/1992
  • Length: 452 Bytes
  • Minimum DAT: 4002 (12/02/1998)
  • Updated DAT: 4002 (12/02/1998)
  • Minimum Engine: 5.1.00
  • Description Added: 07/15/1992
  • Description Modified: 07/15/1992 12:00 AM (PT)

Risk Assessment

  • Corporate User: Low
  • Home User: Low

Characteristics

BFD is a stealth, memory resident, multi-partite virus. It infects the hard disk boot sector, diskette boot sectors and .EXE files.

Upon infection, this virus infects the current drive's boot sector if the current drive is a floppy drive. It also accesses the C: drive, though the C: drive's boot sector does not become infected. Also at this time, the virus becomes memory resident at the top of system memory but below the 640K DOS boundary. BFD can also become memory resident by booting from an infected diskette. The same memory allocation occurs.

Once the BFD virus is memory resident, it infects .EXE files as they are executed or opened, as well as diskette boot sectors when a non-write protected diskette is accessed.

When the BFD virus infects diskettes, it overwrites the boot sector. The boot sector is missing the usual DOS error messages. In the case of high density 5.25" system diskettes, attempts to boot from the diskette after infection fail, resulting in a hung system.

Additional Comments:

The BFD virus was isolated in the United States in July, 1992. This virus is a memory resident multi-partite virus which infects diskette boot sectors and .EXE programs. It should be considered a stealth virus as infected programs do not have any file length increase but execute properly, and it will infect files on open. It spreads very quickly.

The first time a program infected with the BFD virus is executed, this virus will infect the current drive's boot sector if the current drive is a floppy drive. It will also access the C: drive, though the C: drive's boot sector will not become infected. Also at this time, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,048 bytes. Interrupt 13 will be hooked by BFD in memory. The user should note that BFD can also become memory resident by booting from an infected diskette. The same memory allocation will occur.

Once the BFD virus is memory resident, it will infect .EXE programs when they are executed or opened, as well as diskette boot sectors when a non-write protected diskette is accessed. Infected .EXE programs will have no file length increase regardless of whether the virus is memory resident. The BFD virus infects programs by writing its viral code to the .EXE header area of the file. Infected programs will not have any change in file date and time in the DOS disk directory listing. No text strings occur within the viral code in infected programs.

When the BFD virus infects diskettes, it overwrites the boot sector. The boot sector will be missing the usual DOS error messages. In the case of high density 5.25" system disks, attempts to boot from the diskette after infection will fail, resulting in a hung system. BFD doesn't appear to do anything besides replicate.

Known variant(s) of BFD are:

Symptoms

Total system and available free memory decreases by 2,048 bytes. Infected .EXE files have no file length increase. The BFD virus infects files by writing its viral code to the .EXE header area of the file. Infected files do not have any change in file date and time in the DOS disk directory listing.

No text strings occur within the viral code in infected files.
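Because file length, date and time do not change, the header area itself is the place to look. The following triage heuristic is an added example, not part of the original description: it measures the unused space between the relocation table and the load image of a DOS MZ file and flags headers where that space could hold 452 bytes and is mostly non-zero. The function names, the half-non-zero threshold and the sample files are assumptions constructed for illustration; some linkers legitimately store data in this area, so a hit calls for manual review.

```python
import struct

MZ_FIXED_HEADER = 0x1C  # size of the fixed part of the DOS MZ header


def header_slack(exe: bytes) -> bytes:
    """Return the unused header bytes between the relocation table and the load image."""
    if len(exe) < MZ_FIXED_HEADER or exe[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not a DOS MZ executable")
    # e_crlc (offset 6): relocation count; e_cparhdr (offset 8): header size in
    # 16-byte paragraphs; e_lfarlc (offset 0x18): relocation table offset.
    e_crlc, e_cparhdr = struct.unpack_from("<HH", exe, 6)
    (e_lfarlc,) = struct.unpack_from("<H", exe, 0x18)
    header_end = e_cparhdr * 16
    if header_end > len(exe):
        raise ValueError("header size exceeds file size")
    used_end = MZ_FIXED_HEADER
    if e_crlc:
        used_end = max(used_end, e_lfarlc + 4 * e_crlc)  # 4 bytes per relocation
    return exe[min(used_end, header_end):header_end]


def suspicious_header(exe: bytes, min_payload: int = 452) -> bool:
    """Heuristic (assumed threshold): slack fits min_payload bytes and is mostly non-zero."""
    slack = header_slack(exe)
    nonzero = sum(1 for b in slack if b)
    return len(slack) >= min_payload and nonzero >= min_payload // 2


def build_sample(filler: bytes) -> bytes:
    """Constructed MZ file: 512-byte header, 2 relocations, 64-byte load image."""
    hdr = bytearray(512)
    hdr[0:2] = b"MZ"
    struct.pack_into("<HH", hdr, 6, 2, 32)   # e_crlc=2, e_cparhdr=32 (512 bytes)
    struct.pack_into("<H", hdr, 0x18, 0x1C)  # e_lfarlc: table follows fixed header
    hdr[0x24:0x24 + len(filler)] = filler    # slack starts after the 2 relocations
    return bytes(hdr) + b"\x90" * 64


# Constructed samples: a zero-filled header, and one whose slack holds
# 452 bytes of inert filler (not real viral code).
CLEAN = build_sample(b"")
MODIFIED = build_sample(bytes([0xAA]) * 452)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("modified", MODIFIED)):
        print(name, len(sample), "bytes, suspicious:", suspicious_header(sample))
```

Both samples are the same size, which is why a directory listing alone cannot distinguish them.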

Method of Infection

Multi-partite viruses have two main routes of infection: as a Master Boot Record/Boot Sector Virus or as a File Infecting Virus.

Most infections occur when a computer attempts to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.

Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

The second route of infection is by receiving an infected file through a multitude of sources including: floppy diskettes, downloads through an online service, network, modem connections, etc. Once the infected file is executed, the virus may activate.

Removal

-

Variants

  • BFD-B

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • BFD-452
