ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ VIRUS REPORT ³ ³ Italian Virus ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Synonyms: Bouncing Ball, Vera Cruz, Ping-Pong, Bouncing Dot, Missouri virus. Date of Origin: March, 1988. Host Machine: PC compatibles. Original version won't infect 80286 or 80386 computers or hard disks. Host Files: Remains resident. Infects boot sector on any disk with at least two sectors per cluster. OnScreen Symptoms: A bouncing ball or dot may appear on the screen upon activation. Increase in Size of Infected Files: n/a. Nature of Damage: Affects system run-time operation. Corrupts or overwrites boot sector. Does no apparent damage. Detected by: Scanv56+, F-Prot, IBM Scan. Removed by: CleanUp, MDisk, F-Prot, or DOS SYS command. Scan Code: 8E D8 A1 13 04 2D 02 00 A3 13 04 B1 06 D3 E0 2D C0 07 8E C0 BE 00 7C 8B FE B9 00. You can also search at offset 07CH for C7 06 4C 00 D0 7C 8C 0E 4E 00. Description of Operation: This is a boot sector virus. Some forms infect only floppies, others will also infect the boot sector of hard disks. This virus consists of a boot sector and 1 cluster (2 sectors used) marked as bad in the first copy of the FAT. The first of these sectors contains the rest of the virus, and the second contains the original boot sector. It infects all disks which have at least two sectors per cluster, and it occupies 2K of memory. When this virus activates (randomly) a bouncing dot/bouncing diamond (ASCII 4) /bouncing smiley face (ASCII 2) appears on the screen and can only be removed through reboot. The virus can be triggered by a disk access, should one occur during a one second window that occurs about every half hour. When triggered, the dot bounces off the edges of the screen, and passes through any text, with replacement after it. Sometime, this doesn't work properly, the bouncing character interacts with the characters on the screen, and screen displays are messed up. Infected diskettes have 1K in bad sectors, infected hard disks have 2K (and other numbers of bad sectors are possible). No known intentional damage. Unintentional damage - the two copies of the FAT are left different; DOS might not like this. Attempts to infect diskettes slows them down, and some computers won't read floppies, due to time-outs. No other damage is done. Recovery: Recover by powering down the system, and then using a write-protected DOS disk to boot. Use the SYS command from the floppy to attempt to re-create a good boot sector. Alternatively, use the program MD. ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º This document was adapted from the book "Computer Viruses", º º which is copyright and distributed by the National Computer º º Security Association. It contains information compiled from º º many sources. To the best of our knowledge, all information º º presented here is accurate. º º º º Please send any updates or corrections to the NCSA, Suite 309, º º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º º and upload the information: (202) 364-1304. Or call us voice at º º (202) 364-8252. This version was produced May 22, 1990. º º º º The NCSA is a non-profit organization dedicated to improving º º computer security. Membership in the association is just $45 per º º year. Copies of the book "Computer Viruses", which provides º º detailed information on over 145 viruses, can be obtained from º º the NCSA. Member price: $44; non-member price: $55. º º º º The document is copyright (c) 1990 NCSA. º º º º This document may be distributed in any format, providing º º this message is not removed or altered. º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ  Downloaded From P-80 International Information Systems 304-744-2253