%%File: VIRS0094.TXT
%%Name/Aliases: 3APA3A, Zaraza
%%Platform: PC/MS-DOS
%%Type: Multipartite.
%%Disk Location: Floppy disk boot sector., IO.SYS of hard disk.
%%Features: Encrypted text (Russian), Memory resident; TSR., Stealth, Polymorphic, Infects hard disks of 16 MB or larger only.
%%Damage: Deletes or moves files., Displays a message during August of any year.
%%Size: 1024 bytes long, written as two 512-byte sectors., Adds the attribute "VOLUME" to IO.SYS on the hard disk.
%%See Also:
%%Notes: The following notes are extracted from Virus Bulletin (VB), Nov. 1994. This virus originated in Russia; the word 3APA3A (pronounced "ZARAZA") means "infection" in Russian. The text in the virus is encrypted Russian written with Latin look-alike characters, so it can be displayed with the standard DOS display driver. The virus code is 1024 bytes long and consists of two 512-byte sectors. The first sector contains the virus installation code and the floppy disk infection routines. The second sector contains the hard disk infection routine and, on a floppy, is placed in the disk's boot sector. The virus recognizes itself on both floppy disks and hard disks. On a hard disk, it checks the first root directory entry for the VOLUME attribute. On a floppy disk, it looks for its own ID byte (it compares the byte at offset 21h with the value 2Eh). The virus intercepts Int 13h. Hard disks are infected when the system is booted from an infected floppy disk. The virus decrypts itself, then passes control to the second sector of the virus code, which contains the hard disk infection routine. This routine reads the first boot sector of the hard disk and checks the disk's size. If the size is less than 16 MB, no infection occurs. Otherwise, it calculates the address of the first root directory sector, reads it, and checks the attributes of the first entry. On a DOS system, this entry is the IO.SYS file. If VOLUME is not among the attributes, the virus starts its infection process. ZARAZA creates a copy of the original IO.SYS as the third root directory entry, with its data written to the last cluster of the hard disk.
Then it overwrites the first entry (the original IO.SYS) with its own code and adds the VOLUME attribute. The effect is that the virus code is loaded in place of IO.SYS at every boot, becomes memory resident, and avoids detection. The trigger is the system date. When booting from an infected disk during the month of August, the following message is displayed: B BOOT CEKTOPE - 3APA3A. The message means "There is an infection in the boot sector". Removal of the virus from a hard disk is difficult. The standard DOS utilities such as SYS and LABEL cannot remove the virus or reconstruct the root directory. The use of specialist software is recommended: a scanner that checks files via absolute (sector-level) disk access must be used, and because the virus is resident and intercepts Int 13h, it should be run after booting from a known-clean write-protected floppy. A second method is to use a sector editor to reverse the change and reconstruct the original root directory.
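As an added example (not from the Virus Bulletin analysis and not the virus's own code), the following Python script applies the two self-recognition checks described above to raw FAT disk images: on a hard disk image it parses the BIOS Parameter Block, locates the root directory, and reports whether the first entry is IO.SYS carrying the VOLUME attribute (and where any other IO.SYS entries sit); on a floppy boot sector it tests the byte at offset 21h for 2Eh. It also reports whether the volume meets the 16 MB threshold the infection routine uses. The FAT16 and floppy images it scans are constructed inside the script to model the layout the notes describe (the copied IO.SYS in the third entry, the VOLUME bit on the first); the function and constant names are the example's own.

```python
"""Check raw FAT images for the 3APA3A/Zaraza self-recognition markers.

Added example: the disk images below are constructed in this script to
model the layout described in the notes; they are not captured samples.
"""
import struct

VOLUME_LABEL = 0x08                   # FAT directory-entry attribute bit "volume label"
ID_BYTE_OFFSET = 0x21                 # floppy boot-sector offset the virus checks
ID_BYTE_VALUE = 0x2E                  # value it expects there on an infected floppy
MIN_INFECT_BYTES = 16 * 1024 * 1024   # the write-up's 16 MB hard disk threshold
IO_SYS = "IO      SYS"                # 8.3 name as stored in a directory entry


def parse_bpb(boot_sector):
    """Read the BIOS Parameter Block fields needed to locate the root directory."""
    (bps, _spc, reserved, nfats, nroot, total16,
     _media, spf) = struct.unpack_from("<HBHBHHBH", boot_sector, 0x0B)
    total32 = struct.unpack_from("<I", boot_sector, 0x20)[0]
    return {"bytes_per_sector": bps, "reserved_sectors": reserved,
            "num_fats": nfats, "root_entries": nroot,
            "sectors_per_fat": spf, "total_sectors": total16 or total32}


def root_dir_offset(bpb):
    """Root directory starts right after the reserved sectors and the FAT copies."""
    sectors = bpb["reserved_sectors"] + bpb["num_fats"] * bpb["sectors_per_fat"]
    return sectors * bpb["bytes_per_sector"]


def root_entries(image, bpb):
    """Yield (index, name, attr) for each in-use root-directory entry."""
    base = root_dir_offset(bpb)
    for i in range(bpb["root_entries"]):
        entry = image[base + 32 * i: base + 32 * i + 32]
        if len(entry) < 32 or entry[0] == 0x00:      # 0x00 marks end of directory
            break
        if entry[0] == 0xE5:                          # deleted entry
            continue
        yield i, entry[:11].decode("ascii", "replace"), entry[11]


def check_hard_disk(image):
    """Apply the hard disk check: first root entry is IO.SYS with VOLUME set."""
    bpb = parse_bpb(image[:512])
    size = bpb["total_sectors"] * bpb["bytes_per_sector"]
    entries = list(root_entries(image, bpb))
    first = entries[0] if entries else None
    return {
        "size_bytes": size,
        "in_target_range": size >= MIN_INFECT_BYTES,
        "first_entry_name": first[1] if first else None,
        "io_sys_entries": [(i, attr) for i, name, attr in entries if name == IO_SYS],
        "infected": bool(first and first[1] == IO_SYS and first[2] & VOLUME_LABEL),
    }


def check_floppy(boot_sector):
    """Apply the floppy check: ID byte 2Eh at offset 21h."""
    return boot_sector[ID_BYTE_OFFSET] == ID_BYTE_VALUE


def build_fat16_image(infected):
    """Constructed 20,480,000-byte FAT16 volume (only the root directory area is materialised)."""
    bps, spf, nfats, reserved, nroot, total = 512, 40, 2, 1, 512, 40000
    boot = bytearray(512)
    boot[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<HBHBHHBH", boot, 0x0B, bps, 4, reserved, nfats, nroot, 0, 0xF8, spf)
    struct.pack_into("<I", boot, 0x20, total)   # total16 == 0, so total32 is used
    boot[510:512] = b"\x55\xAA"
    root = (reserved + nfats * spf) * bps
    image = bytearray(root + 32 * nroot)
    image[:512] = boot

    def put(index, name, attr):
        off = root + 32 * index
        image[off:off + 11] = name
        image[off + 11] = attr

    put(0, b"IO      SYS", 0x07 | VOLUME_LABEL if infected else 0x07)  # R/H/S (+VOLUME)
    put(1, b"MSDOS   SYS", 0x07)
    if infected:
        put(2, b"IO      SYS", 0x07)   # relocated copy of the original IO.SYS (3rd entry)
    return bytes(image)


def build_floppy_boot_sector(infected):
    """Constructed 1.44 MB floppy boot sector; offset 21h is 0 on a clean disk."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<HBHBHHBH", sector, 0x0B, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    sector[510:512] = b"\x55\xAA"
    if infected:
        sector[ID_BYTE_OFFSET] = ID_BYTE_VALUE
    return bytes(sector)


if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        print(label, "hard disk:", check_hard_disk(build_fat16_image(flag)))
        print(label, "floppy ID byte present:", check_floppy(build_floppy_boot_sector(flag)))
```

To scan a real image, read it with `open(path, "rb").read()` and pass it to `check_hard_disk` (a partition image starting at its boot sector) or `check_floppy` (the first 512 bytes of a floppy image). The image must be taken with absolute access from a clean-booted system, for the reason given in the notes: with the virus resident, Int 13h reads of the infected sectors cannot be trusted.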