AZUSA Virus (15-July-1991)

Entry...............: AZUSA Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: January 1991 (?)
              where.: Ohio, USA
Classification......: Resident Boot sector and Partition Table Infector
Length of Virus.....: 1024 Bytes in memory, 1 sector (400 h) on media

--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles

--------------------- Attributes --------------------------------------
Easy Identification.: 1) Reduction of available memory by 1,024 bytes:
                         CHKDSK returns 654,336 bytes total memory
                         instead of 655,360 bytes on 640k machines.
                      2) "E9 8B 00" are the first three bytes of an
                         infected boot record or partition table.
Scanner Signature...: "E9 8B 00" at 00h on boot sector/partition table
Type of infection...: Virus is extremely virulent and will infect the
                      hard disk even if the partition table cannot be
                      found (the system cannot boot thereafter).
                      Hard disk: virus replaces absolute sector 1
                      (partition code & table) with itself, maintaining
                      the table data in an internal location.
                      Floppy: virus attempts to infect all previously
                      uninfected floppies; the original boot record is
                      stored at track 28h head 1 sector 8 regardless of
                      floppy size.
Infection Trigger...: Booting an infected system
Interrupts hooked...: ---
Damage..............: Permanent Damage: Data lost; COM1 & LPT1 "hidden"
                      1) Data lost: as the virus overwrites 1 sector on
                         floppies, previously stored data are lost; on
                         the hard disk, the partition table is
                         overwritten but the old table data are stored
                         inside the virus.
                      2) COM1 & LPT1 "hidden": after approx. 20h
                         reboots, the virus zeroes the pointers to COM1
                         & LPT1, thus making those devices inaccessible.
                      3) Virus may cause boot failure on machines with
                         security programs in place.
                      Transient Damage: Reduction of available memory
                      by 1,024 Bytes.
Damage Trigger......: After approx. 20h reboots, COM1 & LPT1 become
                      inaccessible as their pointers are zeroed.
Particularities.....: 1) Virus does not use stealth techniques (neither
                         evasive measures nor encryption).
                      2) Odd coding techniques and lack of understanding
                         of floppy disk characteristics indicate a
                         self-taught writer/experimenter.
Similarities........: ---

--------------------- Agents ------------------------------------------
Countermeasures.....: Reload floppy boot sector; use the partition table
                      data maintained inside the virus to reconstruct
                      the original partition table.
Countermeasures successful: Detection: SCAN v75, DISKSECURE
Standard means......: ---

--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Klaus Brunnstein
Documentation by....: A. Padgett Peterson, Computer Network Security,
                      Orlando/Florida
Date................: 18-April-1991
Information source..: A. Padgett Peterson