padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (04/27/91)
Recently, one of our users brought a laptop in for screening. The AIRCOP boot sector infector was found on two of the 3 1/2 utility disks furnished with the machine & we have reason to believe that the virus was on the disk prior to the utility files. The disks are professionally labeled MS-DOS V4.01 utility/diag printed by CAF Computer Corp. under license from Microsoft Corp. The virus appears to conform to published reports and contains the "RED STATE" message in encrypted form. The virus also appears to expect 360k floppies, since the location the original boot sector is stored in would be in the middle of any larger-capacity disk. Since the disk conforms to most Microsoft boot sector specifications, automatic routines may not pick it up; however, SCAN v66 and later will detect it, as should any routine looking for memory size information manipulation. The virus, when active, does not employ any stealth and will take 1k bytes from the top of memory. Infected disks may be identified by the lack of the normal error messages in the boot sector except for the ASCII "NON-SYSTEM" found at the end of the boot sector just prior to the MS signature.
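The identification rule in the last sentence of the post can be written as a check over a 512-byte boot sector image. This is an added example, not part of the original post and not code from any scanner it mentions. The tail window size, the fragments used to recognise the usual MS-DOS error text, and the sample sectors are assumptions constructed for illustration.

```python
"""Heuristic boot sector check following the post's description (added example)."""

SECTOR_SIZE = 512
SIGNATURE = b"\x55\xaa"   # boot signature in the last two bytes of the sector
MARKER = b"NON-SYSTEM"    # string the post reports just before the signature
TAIL_WINDOW = 32          # assumption: bytes before the signature treated as "just prior"
# Assumption: fragments of the usual MS-DOS boot error text, matched case-insensitively.
NORMAL_FRAGMENTS = (b"disk error", b"replace and press", b"any key")


def check_boot_sector(sector: bytes) -> dict:
    """Report which of the post's indicators are present in one boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    lowered = sector.lower()
    has_signature = sector[-2:] == SIGNATURE
    found = [f.decode() for f in NORMAL_FRAGMENTS if f in lowered]
    # The marker is matched exactly as the post spells it, and only near the end.
    marker_in_tail = MARKER in sector[-2 - TAIL_WINDOW:-2]
    return {
        "has_signature": has_signature,
        "normal_fragments": found,
        "marker_in_tail": marker_in_tail,
        # Valid signature, marker at the end, none of the usual message text.
        "suspicious": has_signature and marker_in_tail and not found,
    }


def build_sample(text: bytes, text_offset: int) -> bytes:
    """Constructed test sector: zero fill, text at an offset, signature at the end."""
    body = bytearray(SECTOR_SIZE)
    body[text_offset:text_offset + len(text)] = text
    body[-2:] = SIGNATURE
    return bytes(body)


# Constructed samples, not real disk images.
CLEAN_LIKE = build_sample(
    b"\r\nNon-System disk or disk error\r\nReplace and press any key when ready\r\n",
    0x180,
)
DESCRIBED = build_sample(MARKER, SECTOR_SIZE - 2 - len(MARKER))

if __name__ == "__main__":
    for name, image in (("clean-like", CLEAN_LIKE), ("as described", DESCRIBED)):
        print(name, check_boot_sector(image))
```

A `suspicious` result is a reason to inspect the disk with a scanner, not a positive identification, since other boot code may also lack the usual messages.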