
Junkie virus (PC)


Fridrik Skulason
Jul 6, 1994, 1:19:18 PM
rbhe...@amoco.com (Bart Hessing) writes:

>I recently read something about a new, advanced virus called "Junkie",
>but don't have any details about it. Can anyone enlighten? Thanks.

The virus is new, but not very advanced, or remarkable in any way. It is
1027 bytes long, and encrypted with a simple "xor with constant" ... it was
easy to add detection/disinfection of it, but I didn't bother to analyse it
in detail.

-frisk

Vesselin Bontchev
Jul 7, 1994, 7:04:38 AM
Bart Hessing (rbhe...@amoco.com) writes:

> I recently read something about a new, advanced virus called "Junkie",
> but don't have any details about it. Can anyone enlighten? Thanks.

It is not advanced at all. A lame variably encrypted multi-partite COM
and MBR infector. Here is the information about it I got from Zvi
Netiv.

Regards,
Vesselin

-----------------------------------------------------------------------
VIRUS DATA SHEET: JUNKIE. From: Zvi Netiv, 17 June 1994
-----------------------------------------------------------------------
A new virus was found, named Junkie. The ViruSample was isolated in the
North Jordan valley, where it probably got on infected mice software.
Junkie seems to be the first multipartite virus with full dual infection
mechanisms. It is a memory resident COM, as well as boot and master boot
infector.

The virus contains the following encrypted code: "Dr White - Sweden 1994
Junkie Virus - Written in Malmo ... M01D". Similar text appears in the
Desperado virus, relating to the same writer, "Dr White".

Infection mechanism: Junkie will go resident after booting from a floppy
with an infected boot sector, or from the HD, if the MBS is infected.
Junkie will not become resident if running an infected file, but the HD
MBS will become infected, if it wasn't yet. Once the virus is resident
in memory, it will infect COM files on execution, including COMMAND.COM,
and the boot sector of floppies - only in drive A - when addressed.

Damage: Junkie patches floppy boot sectors and HD MBS from offset 98 to
127. The virus code itself is contained in two sectors, 0,0,4-5 on HD
and on the last track (40 or 80), side 1, sectors 8-9 on floppies.
Junkie does not relocate nor store the original sector anywhere. In COM
files, the virus will append itself at the end of the file, with a
length of 1027 to 1042 bytes. Junkie does not verify that the victim
is a real COM, thus EXE files with a COM extension (4DOS.COM, NDOS.COM)
will become infected and may hang the computer if run. The virus code is
encrypted. Junkie does not use stealth and it is a selective fast
infector (not all files will be infected on opening, just some). Junkie
will infect COM files longer than about 5 Kbyte only. As far as we could
see from the code, Junkie has no payload.

Other symptoms: when active, Junkie will decrease the base memory by
three kbytes, by modifying INT 12h's return. Also, INT 1Ch (timer) will
be hooked; Qemm will complain about it and will not load high programs
requiring this handler.

Detection: 3 kbyte memory stealing is detected on booting, the decoy
test will disclose memory resident viral activity, the virus will be
sampled (9224 bytes sample) and the master boot sector will indicate it
was changed. Furthermore, if a virus scan is attempted with IVSCAN, or
an integrity check with IVB, piggybacking will be sensed and the scan
will be halted.

Removal: first, the HD MBS should be repaired with a generic tool
(FDISK/MBR, ResQdisk, IVSCAN/B etc.) and the machine should be rebooted.
When Junkie is not resident the files can then be repaired by IVSCAN or
IVB. Files that were secured with InVircible from former versions will
be fully restored with the generic recovery mode.

Zvi Netiv,
author InVircible

--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Fachbereich Informatik - AGN, Vogt-Koelln-Strasse 30, rm. 107 C, 22527 Hamburg, Germany
Tel.: +49-40-54715-224, Fax: +49-40-54715-226
e-mail: bont...@fbihh.informatik.uni-hamburg.de
< PGP 2.3 public key available on request. >
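Frisk's post above describes the encryption as a simple "xor with constant", and Zvi Netiv's data sheet gives the plaintext marker "Junkie Virus" and an appended length of 1027 to 1042 bytes. The following added example (not code from the thread, from frisk's scanner or from InVircible) turns those two facts into a defensive check: it brute-forces all 256 single-byte keys over the tail of a COM image looking for the marker. It assumes the marker is encrypted under the same per-infection key as the appended code (the sheet does not state this), and its sample input is constructed, not a real virus body.

```python
# Added example (not from the thread): single-byte XOR brute-force search for
# the Junkie marker text in the tail of a COM file. Assumes the "xor with
# constant" scheme frisk mentions, with a key that varies per infection, and
# (assumption of this example) that the marker is encrypted under that key.

MARKER = b"Junkie Virus"   # plaintext fragment quoted in Zvi Netiv's data sheet
MIN_APPENDED = 1027        # appended length range per the data sheet
MAX_APPENDED = 1042


def find_xor_marker(data: bytes, marker: bytes = MARKER, window: int = MAX_APPENDED):
    """Return (key, absolute_offset) if `marker` XORed with some single byte
    occurs in the last `window` bytes of `data`, else None."""
    tail = data[-window:] if len(data) > window else data
    base = len(data) - len(tail)
    for key in range(256):
        decoded = bytes(b ^ key for b in tail)
        idx = decoded.find(marker)
        if idx != -1:
            return key, base + idx
    return None


def scan_com_file(data: bytes) -> dict:
    """Combine the marker search with the sheet's size heuristic (the virus
    only infects COM files longer than about 5 KB)."""
    hit = find_xor_marker(data)
    return {
        "suspicious": hit is not None,
        "xor_key": hit[0] if hit else None,
        "marker_offset": hit[1] if hit else None,
        "plausible_size": len(data) > 5 * 1024,
    }


def make_sample(key: int) -> bytes:
    """Constructed test input: 6 KB of NOP bytes as a fake host, followed by a
    1027-byte zero-filled tail that embeds only the marker XORed with `key`.
    This is NOT the virus body; it exists to exercise the scanner offline."""
    host = bytes([0x90]) * (6 * 1024)
    body = bytearray(MIN_APPENDED)
    pos = 300
    body[pos:pos + len(MARKER)] = bytes(b ^ key for b in MARKER)
    return host + bytes(body)
```

Because the key is recovered by search rather than assumed, the check works regardless of which constant a given infection used; a real scanner would additionally confirm the appended length and the 5 KB threshold before flagging.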
