padgett%tccslr.dnet@uvs1.mmc.orl.com (Padgett Peterson) (03/08/91)
[Ed. Thanks for the quick work, Padgett!]

Virus Name: AZUSA
Aliases:
V Status: New
Discovery: January, 1991 (?)
Symptoms: Computer is not able to talk to COM1 or LPT1 ports, missing memory, extra floppy disk activity. May cause boot failure on machines with security programs in place.
Origin:
Eff. Length: 1k at TOM
Type Code: BXRt (infects boot sector of floppy, partition table of fixed disk, goes resident at TOM)
Detection Method: SCAN v75, DISKSECURE, E9 8B 00 are first three bytes of infected boot record or partition table, 1k missing at TOM (640k PC returns 654336 bytes total memory instead of 655360).
Removal Instructions: Reload boot record on floppy. Use partition table data maintained inside virus to reconstruct partition table.
General Comments: Virus is extremely virulent and will infect hard disk even if partition table cannot be found (cannot boot thereafter). Will then attempt to infect all floppies not previously infected. On floppy, original boot record is stored at track 28h head 1 sector 8 regardless of floppy size (may overwrite data). Will corrupt any data stored at this location. After approximately 20h reboots will "lose" COM1 and LPT1 by zeroing pointers in data table. On fixed disk, virus will replace absolute sector one (partition code & table) with itself, maintaining table data in proper location internally. Virus does not have any evasive measures or encryption code.
Opinion: Odd coding techniques and lack of understanding of floppy disk characteristics indicate self-taught writer/experimenter, possibly more than one or written at different times, possibly foreign, with good theoretical background.
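The detection and removal fields above, as an added triage example that is not part of the original post: it checks a saved 512-byte sector for the E9 8B 00 prefix, decodes the partition entries still present in it, and computes the memory shortfall. It assumes "proper location" means the standard MBR table offset 0x1BE; the function names are hypothetical and the sample sector is constructed.

```python
import struct

SECTOR_SIZE = 512
AZUSA_PREFIX = bytes([0xE9, 0x8B, 0x00])  # first three bytes, as given in the post
PT_OFFSET = 0x1BE   # assumption: standard MBR partition table offset
BOOT_SIG = b"\x55\xAA"  # standard MBR end marker (offset 510)


def parse_partition_table(sector):
    """Decode the non-empty entries among the four 16-byte MBR slots."""
    entries = []
    for slot in range(4):
        raw = sector[PT_OFFSET + 16 * slot:PT_OFFSET + 16 * (slot + 1)]
        lba_start, count = struct.unpack_from("<II", raw, 8)
        if raw[4] != 0:  # type 0 marks an unused slot
            entries.append({"slot": slot, "active": raw[0] == 0x80,
                            "type": raw[4], "lba_start": lba_start,
                            "sectors": count})
    return entries


def triage_sector(sector, fixed_disk):
    """Check one boot/partition sector against the indicators in the post."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    return {
        "prefix_match": sector[:3] == AZUSA_PREFIX,
        "boot_sig_ok": sector[510:] == BOOT_SIG,
        # Floppy boot records carry no partition table, so skip them.
        "partitions": parse_partition_table(sector) if fixed_disk else [],
    }


def missing_kb(reported_bytes, installed_kb=640):
    """KB missing at top of memory, from the byte total the machine reports."""
    return installed_kb - reported_bytes // 1024


def constructed_sample():
    """Constructed sector: the 3-byte prefix plus one made-up partition entry."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = AZUSA_PREFIX
    entry = bytes([0x80, 1, 1, 0, 0x04, 5, 0x11, 0x32]) + struct.pack("<II", 17, 41735)
    sector[PT_OFFSET:PT_OFFSET + 16] = entry
    sector[510:] = BOOT_SIG
    return bytes(sector)


if __name__ == "__main__":
    print(triage_sector(constructed_sample(), fixed_disk=True))
    print(missing_kb(654336))
```

Three bytes is a short pattern, so a prefix match is a reason to examine the sector further, and the decoded entries should be checked against the disk's known layout before they are used to rebuild a partition table.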