Alias: | P-Check |
Strain: | Parity_Boot Virus Strain |
detected when: | April 1992 |
where: | |
Classification: | System (bootsector/partition table (MBR)) virus, stealth |
Length: | Length on medium: 512 Bytes (=1 sector) |
Preconditions | |
Operating System(s): | MS-DOS |
Version/Release: | |
Computer model(s): | IBM PC and compatibles |
Caroname: | Parity_Boot.A |
Attributes | |
Easy identification: | Memory decreased by 1 kByte after infection; no plain text in bootsector or MBR, like "Non system disk..." or "Bad partition....". |
Type of Infection: | Boot sectors and partition table of media. |
Infection Technique: | |
Infection Trigger: | Booting from an infected disk will infect the hard disk; from this time, all read accesses to the boot sector of any physical drive will infect the medium in this drive. |
Storage Media affected: | |
Interrupts hooked: | INT 09, INT 13. |
Stealth: | |
Tunneling/Selfprot: | |
Oligo/Polymorphism: | |
Encoding Method: | |
Damage: | Transient/Permanent damage: Some built-in mechanism simulates a parity error message on the screen after 1 hour of operation plus an additional hour for each infection: the more infections, the longer till the parity check display. The parity error simulation switches to 40 x 25 mode, displays 'PARITY CHECK' and then halts the processor. Virus constantly garbles the INT 01 & INT 03 entries, so that debug will not work; this is not tied to a trigger. |
Damage Trigger: | The internal timer tick (not the CMOS clock) is used for timing. Trigger= 1+n hours after boot up (n=number of infections since booting). |
Particularities: | 1) Message text "PARITY CHECK" is constantly encrypted with key 55h. 2) In summer 1993, virus (variant B) is "in the wild" in Germany. |
Similarities: | Parity_Boot Virus Strain: variants B,C |
Agents | |
Countermeasures: | Up-to-date antiviral products, e.g. McAfee Scan, Skulason F-PROT, Dr.Solomon FindViru. Remark: invoking Scan or F-PROT after another scanner has detected and deleted this virus may result in a "false positive" diagnosis, as both scanners also scan DOS buffers (where virus would NOT reside) which may not be cleared by the AV product used before. Removal: SYS on floppies; FDISK /MBR (DOS 5.0) |
Standard means: | |
Acknowledgements | |
Location: | Micro-BIT Virus Center, Univ Karlsruhe, Germany |
Classification by: | Christoph Fischer (Klaus Brunnstein, VTC) |
Documentation by: | Christoph Fischer; Klaus Brunnstein (VTC, update) |
Date: | April-1992 (original entry: P-Check); 31-July-1993 (update) |
Information Source: | reverse analysis of virus code |
(c) 1996 Virus-Test-Center, University of Hamburg