This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
- Minimum DAT: 4002 (1998-12-02)
- Updated DAT: 4002 (1998-12-02)
- Minimum Engine: 5.1.00
- File Length: 1,030-1,042 Bytes
- Description Added: 1994-07-15
- Description Modified: 2000-09-11
When the initial infection comes from an infected file, Junkie infects the MBR or floppy boot sector, disables VSafe (an anti-virus terminate-and-stay-resident (TSR) program included with MS-DOS 6.x) and loads itself at Side 0, Cylinder 0, Sectors 4 and 5. The virus does not become memory resident or infect files at this time. Later, when the system is booted from the system hard disk, the Junkie virus becomes memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Once memory resident, Junkie begins infecting .COM files as they are executed, and corrupts .COM files.
The Junkie virus infects diskette boot sectors as they are accessed. The virus will write a copy of itself to the last track of the diskette, and then alter the boot sector to point to this code. On high density 5.25 inch diskettes, the viral code will be located on Cylinder 79, Side 1, Sectors 8 and 9.
Additional Comments:
The Junkie virus was received in July, 1994. It appears to be from Sweden. Junkie is a memory resident multi-partite virus which infects diskette boot sectors, the system hard disk master boot sector (containing the partition table), and .COM files, including COMMAND.COM. As of August, 1994, confirmed public domain infections have been reported in the United States, Canada, Belgium, The Netherlands, and Spain.
When the first Junkie infected program is executed, this virus will infect the system hard disk master boot sector. The virus doesn't become memory resident nor infect programs at this time. Later, when the system is booted from the system hard disk, the Junkie virus becomes memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 3,072 bytes. Interrupts 1C and 21 will be hooked by the virus in memory.
Once the Junkie virus is memory resident, it will infect .COM programs, including COMMAND.COM, when they are executed or opened for any reason. Programs infected with the Junkie virus will have a file length increase of 1,030 to 1,042 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the viral code in all Junkie infected programs:
"Dr White - Sweden 1994"
"Junkie Virus - Written in Malmo...M01D"
The Junkie virus infects diskette boot sectors when they are accessed. The virus will write a copy of itself to the last track of the diskette, and then alter the boot sector to point to this code. On high density 5 1/4 inch diskettes, the viral code will be located on Cylinder 79, Side 1, Sectors 8 and 9. It is unknown what Junkie does besides replicate.
Junkie contains two encrypted messages:
"Dr White -Sweden 1994"
"Junkie Virus - Written in Malmo...MO1D"
These messages are not visible in files, but can be viewed in memory.
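A triage helper for the indicators described above, added here as an example and not part of the original description: it maps the cylinder/side/sector locations the description names to sector offsets in a raw disk image, and flags .COM files that grew by 1,030 to 1,042 bytes with an unchanged timestamp. The function names, the 80 x 2 x 15 geometry of a 1.2 MB 5.25-inch diskette and the sample image are assumptions or constructed for illustration.

```python
import io

SECTOR = 512
GROWTH = range(1030, 1043)            # file growth stated on the page
HD_MBR_GAP = [(0, 0, 4), (0, 0, 5)]   # (cylinder, side, sector), from the page
FLOPPY_HD = [(79, 1, 8), (79, 1, 9)]  # high-density 5.25" diskette, from the page

def chs_to_lba(cyl, head, sector, heads, spt):
    """Classic CHS -> LBA mapping; sector numbers are 1-based."""
    if not (cyl >= 0 and 0 <= head < heads and 1 <= sector <= spt):
        raise ValueError("CHS address outside the given geometry")
    return (cyl * heads + head) * spt + (sector - 1)

def triage_sectors(image, locations, heads, spt):
    """Report whether each named sector holds data. Non-empty is a lead for
    review, not proof: a full diskette also uses its last track."""
    findings = []
    for cyl, head, sec in locations:
        lba = chs_to_lba(cyl, head, sec, heads, spt)
        image.seek(lba * SECTOR)
        data = image.read(SECTOR)
        if len(data) < SECTOR:
            status = "unreadable"      # image truncated before this sector
        else:
            status = "non-empty" if any(data) else "empty"
        findings.append((lba, status))
    return findings

def suspicious_com_growth(baseline, current):
    """Flag .COM files that grew by 1,030-1,042 bytes with an unchanged
    timestamp. Both arguments map name -> (size, mtime)."""
    hits = []
    for name, (size, mtime) in sorted(current.items()):
        if not name.upper().endswith(".COM") or name not in baseline:
            continue
        old_size, old_mtime = baseline[name]
        if size - old_size in GROWTH and mtime == old_mtime:
            hits.append((name, size - old_size))
    return hits

def demo():
    # Constructed 1.2 MB image (80 cyl x 2 sides x 15 sectors), one marked sector.
    img = bytearray(80 * 2 * 15 * SECTOR)
    lba = chs_to_lba(79, 1, 8, heads=2, spt=15)
    img[lba * SECTOR:(lba + 1) * SECTOR] = b"\xAA" * SECTOR
    return triage_sectors(io.BytesIO(img), FLOPPY_HD, heads=2, spt=15)

if __name__ == "__main__":
    print(demo())
```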
Multi-partite viruses have two main routes of infection; either as a Master Boot Record/Boot Sector Virus or as a File Infecting Virus.
Most infections occur when a computer attempts to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.
Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.
The second route of infection is by receiving an infected file through a multitude of sources including: floppy diskettes, downloads through an online service, network, modem connections, etc. Once the infected file is executed, the virus may activate.
Windows 95/98:
Note for Windows 9x systems: during the boot process, a boot disk created by Windows 95 will access the hard drive for information. Because of this, an image of the virus may be in memory but not active.
To remove the virus, follow these steps:
- If you use the McAfee emergency disk, press F8 at the "Starting Windows 95" message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the A: prompt, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM
Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus-free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean
Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.
This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.