%%File: VIRS0616.TXT
%%Name/Aliases: Peanut
%%Platform: PC/MS-DOS
%%Type: Multipartite.
%%Disk Location: Hard disk partition table, floppy disk boot sector, COM application.
%%Features: Stealth. Any file that starts with "M" is not infected.
%%Damage: No damage, only replicates.
%%Size: The virus code is 444 bytes. The body is appended to the end of COM files. Patches the beginning of files with "M".
%%See Also:
%%Notes:
The virus is transmitted to the PC by booting from an infected floppy disk, and it is designed to propagate. Its first action is to determine whether the hard disk is infected. If the disk is clean, the virus copies the MBS to sector 2, head 0, track 0, and installs itself in the MBS location. When this task is completed, the virus loads the original MBS of the hard disk (not the boot sector of the floppy). This gives the illusion that the user has booted from the hard disk, and a person may not realize that a floppy disk was used to boot the system just because it was left in drive A. By now the virus has installed its own Int 13h handler and is ready to propagate.

The infection process starts when the user executes a file. When the file is loaded by reading sectors, Peanut starts its second task, which is to identify the file marker and type. If a file starts with an "M", the virus identifies the file as an EXE file, installs its own Int 21h handler and remaps the original Int 21h into Int B9h. The file will not be infected and normal processing will resume. If the file does not start with an "M", Peanut assumes it is a COM file. In this instance, the virus patches its beginning with an "M" followed by a jump to the end of the file, and appends the rest of the code to the end of the file. The virus stores the first four bytes of the original COM file for patching back later; it also preserves the time and date of the file and intercepts Int 24h from now on.

On an infected PC, all floppy reads are intercepted. The boot sector is overwritten by Peanut and the disk becomes infected (an already infected floppy disk is re-infected). For a write-protected disk, the user is led to believe that everything is OK, since the user will not receive any critical error message.

This virus has stealth characteristics: all reads of the MBS are intercepted and the original MBS is returned. Any writes to the MBS are ignored without notifying the user. So far, this virus seems to have no payload other than replication.

For disinfection, the VB recommended the following procedure: under clean system conditions, use the FDISK/MBR command to install the original MBS. Infected files should be identified and removed.
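
A triage heuristic for identifying COM files that carry the marker described in the notes, as an added example that is not part of the original entry. It assumes the jump after the "M" is a 3-byte near jump (opcode E9 with a 16-bit displacement), which the entry does not state but which fits the four patched bytes, and that the jump lands in the last 444 bytes of the file; the function names and sample bytes are constructed.

```python
"""Heuristic triage for the COM-file marker described in the Peanut entry."""
import struct

MARKER = 0x4D      # "M": the entry says infected COM files are patched to start with it
NEAR_JMP = 0xE9    # ASSUMPTION: 3-byte near jump, so marker + jump = the 4 saved bytes
VIRUS_SIZE = 444   # size of the virus code given in the entry


def classify_com(data: bytes) -> str:
    """Return 'exe', 'clean' or 'suspect' for the contents of a *.COM file."""
    if len(data) < 4 or data[0] != MARKER:
        return "clean"                 # no "M" marker at offset 0
    if data[1] == 0x5A:
        return "exe"                   # "MZ": an EXE header under a .COM name
    if data[1] != NEAR_JMP:
        return "clean"
    # E9 takes a 16-bit displacement relative to the next instruction, which
    # starts at file offset 4 (1 marker byte + 3 jump bytes); IP wraps at 64 KiB.
    (rel,) = struct.unpack_from("<H", data, 2)
    target = (4 + rel) & 0xFFFF
    # ASSUMPTION: the appended body is at most VIRUS_SIZE bytes, so the jump
    # must land inside the last VIRUS_SIZE bytes of the file.
    tail_start = max(len(data) - VIRUS_SIZE, 4)
    return "suspect" if tail_start <= target < len(data) else "clean"


def sample_image(host_len: int, tail_len: int) -> bytes:
    """Constructed input: marker + jump to a zero-filled tail (no virus code)."""
    rel = (host_len - 4) & 0xFFFF      # jump from offset 4 to the start of the tail
    head = bytes([MARKER, NEAR_JMP]) + struct.pack("<H", rel)
    return head + b"\x90" * (host_len - 4) + b"\x00" * tail_len


if __name__ == "__main__":
    print(classify_com(sample_image(1000, 444)))            # marker + jump into tail
    print(classify_com(b"MZ" + b"\x00" * 62))               # EXE header
    print(classify_com(b"M\xE9\x02\x00" + b"\x90" * 2000))  # "M" + jump near the start
```

A "suspect" result only flags a file for inspection on a clean system; a legitimate COM program can begin with the same bytes.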