Joshi

This page shows details and results of our analysis of the malware Joshi.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4002 (1998-12-02)
Updated DAT: 4002 (1998-12-02)
Minimum Engine: 5.1.00
File Length: 512 Bytes
Description Added: 1990-06-15
Description Modified: 1990-06-15

Characteristics

Joshi is a memory resident, Master Boot Record (MBR)/Boot Sector virus. Joshi does not cause any damage to the system.

This virus may be recognized on infected systems by powering off the system and then booting from a known-clean, write-protected DOS diskette. Use a sector editor or viewer to look at the boot sector of suspect diskettes: if the first two bytes of the boot sector are hex EB 1F, then the diskette is infected. The EB 1F is a jump instruction to the rest of the viral code. The remainder of the virus is stored on track 40, sectors 1 through 5 on 360K 5.25 inch diskettes. For 1.2M 5.25 inch diskettes, the viral code is located at track 80, sectors 1 through 5. It will also be located on the last track of 3.5 inch diskettes.

Additional Comments:
The Joshi virus was isolated in India in June 1990. At the time it was isolated, it was reported to be widespread in India as well as portions of the continent of Africa. Joshi is a memory resident boot sector infector of diskettes and the hard disk master boot sector (partition table).

After a system has been booted from a Joshi-infected diskette, the virus will be resident in memory. Joshi takes up approximately 6K of system memory, and infected systems will show that total system memory is 6K less than is installed if the DOS CHKDSK program is run.

Joshi has some similarities to two other boot sector infectors. Like the Stoned virus, it infects the master boot sector of hard disks. Similar to the Brain virus's method of redirecting all attempts to read the boot sector to the original boot sector, Joshi does this with the master boot sector.

On January 5th of any year, the Joshi virus activates. At that time, the virus will hang the system while displaying the message: "type Happy Birthday Joshi". If the system user then types "Happy Birthday Joshi", the system will again be usable.

This virus may be recognized on infected systems by powering off the system and then booting from a known-clean, write-protected DOS diskette. Use a sector editor or viewer to look at the boot sector of suspect diskettes: if the first two bytes of the boot sector are hex EB 1F, then the disk is infected. The EB 1F is a jump instruction to the rest of the viral code. The remainder of the virus is stored on track 40, sectors 1 through 5 on 360K 5.25 inch diskettes. For 1.2M 5.25 inch diskettes, the viral code is located at track 80, sectors 1 through 5. It will also be located on the last track of 3.5" diskettes.

To determine if a system's hard disk is infected, you must look at the hard disk's master boot sector. If the first two bytes of the master boot sector are EB 1F hex, then the hard disk is infected. The remainder of the virus can be found at cylinder 0, side 0, sectors 2 through 6. The original master boot sector will be located at cylinder 0, side 0, sector 9.

The Joshi virus can be manually removed from an infected system by first powering off the system, and then booting from a known-clean, write-protected master DOS diskette. If the system has a hard disk, the hard disk should have data and program files backed up, and the original master boot sector should be copied back to cylinder 0, side 0, sector 1 from sector 9. Diskettes are easier to remove Joshi from: the DOS SYS command can be used. There are also several disinfector programs available.

Systems infected with Joshi may experience problems when attempting to access programs or data files on write-protected diskettes.

Known variant(s) of Joshi are:
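The checks described above can be run against a raw sector image taken from the powered-off disk instead of with a sector editor. The following Python sketch is an added example, not part of the original description or of any vendor tool; the function names, the sample image and the "side 0" choice for diskettes are assumptions, and a two-byte match is only the indicator the description gives, not proof on its own.

```python
SECTOR = 512
INDICATOR = bytes.fromhex("EB1F")  # first two bytes named in the description

# media -> (heads, sectors per track, track said to hold the virus body)
FLOPPY = {"360K": (2, 9, 40), "1.2M": (2, 15, 80)}

def chs_offset(cyl, head, sector, heads, spt):
    """Byte offset of a CHS address in a flat image (sectors are 1-based)."""
    return ((cyl * heads + head) * spt + sector - 1) * SECTOR

def inspect(image, media):
    """Check a raw image ('hdd', '360K' or '1.2M') against the description."""
    report = {"indicator": image[:2] == INDICATOR}
    if media == "hdd":
        # On cylinder 0, side 0 the offset depends only on the sector number,
        # so the geometry arguments (1 head, 63 sectors) do not matter here.
        body = [chs_offset(0, 0, s, 1, 63) for s in range(2, 7)]
        saved = chs_offset(0, 0, 9, 1, 63)
        sector9 = image[saved:saved + SECTOR]
        report["saved_mbr_offset"] = saved
        # Check before any manual restore: a usable MBR is a full sector,
        # ends in 55 AA and does not itself start with the indicator.
        report["saved_mbr_plausible"] = (
            len(sector9) == SECTOR
            and sector9[510:] == b"\x55\xaa"
            and sector9[:2] != INDICATOR
        )
    else:
        heads, spt, track = FLOPPY[media]
        # Assumption: side 0; the description gives only track and sectors.
        body = [chs_offset(track, 0, s, heads, spt) for s in range(1, 6)]
    report["body_offsets"] = body
    # Track 40 / 80 lies past the end of a standard-size floppy image.
    report["body_in_image"] = body[-1] + SECTOR <= len(image)
    return report

def make_sample_hdd():
    """Constructed 17-sector image: indicator in sector 1, MBR-like sector 9."""
    img = bytearray(17 * SECTOR)
    img[0:2] = INDICATOR
    img[510:512] = b"\x55\xaa"
    img[4096:4099] = b"\xfa\x33\xc0"  # constructed, non-indicator start bytes
    img[4606:4608] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    print(inspect(make_sample_hdd(), "hdd"))
    print(inspect(INDICATOR + bytes(368640 - 2), "360K"))
```

A standard 368,640-byte image of a 360K diskette ends exactly where track 40 begins, so `body_in_image` is false for it; the viral body is only present in an image that captured the extra track.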

Symptoms

The Joshi virus is triggered on January 5th when the system is booted. It will hang your system and display the following message:

type Happy Birthday Joshi

If you type Happy Birthday Joshi, the system will function as normal. If you do not do as instructed, the system will hang.

An infected system may experience problems when accessing files on write-protected diskettes. CHKDSK will indicate a decrease in memory of 6K.

Method of Infection

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Removal


Windows 95/98:
Note for Windows 9x systems: during the boot process, a boot disk created by Windows 95 will access the hard drive for information. Because of this, an image of the virus may be in memory but not active.

To remove the virus, follow these steps:
- If you use the McAfee emergency disk, press F8 at the "Starting Windows 95" message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the A: prompt, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus-free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.

Variants

Joshi-B
Joshi-A