%%File: VIRS0721.TXT
%%Name/Aliases: Stealth B, STB, AMSES, Stealth.B, Stelboo
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sector., Hard disk partition table.
%%Features: Stealth, Memory resident; TSR.
%%Damage: Corrupts floppy disk boot sector, Corrupts boot sector
%%Size: 512 bytes, six sectors
%%See Also:
%%Notes:
The virus code is six sectors in length. It infects 360k and 1.2m floppies by formatting an extra track and placing 5 sectors of virus code followed by the original boot sector. On 720k and 1.44m floppies, however, it uses the last cluster, head 1, to store the code and boot sector, and marks these sectors as bad to protect them. On the hard drive it uses track 0, head 0, sectors 2-7 to store the additional sectors.

The virus "stealths" the infected boot sector on floppies and the infected MBR by returning an image of the stored original on disk reads. The other six sectors are stealthed on the hard drive by returning a buffer full of nulls. On floppies, however, these six sectors are not stealthed.

The virus reserves 4k of memory. Thus, on a 640k machine, running chkdsk will report 651,264 bytes rather than the normal 655,360 bytes, and using debug to dump the word at 0000:0413h, one will find the value 27Ch (as bytes this will appear as 7C 02). Running chkdsk on an infected 3.5 inch floppy (720k or 1.44m) will also report 3072 bytes in bad clusters.

Stealth.B does not contain any intentionally damaging code, but has been reported as wreaking havoc with some memory managers. It interferes with the operation of Microsoft Windows. Starting Windows with the virus resident will simply return you to the DOS prompt and leave the system unstable. If Windows is set to 32 bit access, the following message from Windows will appear:

"The Microsoft Windows 32-bit disk driver (WDCTRL) cannot be loaded. There is unrecognizable disk software installed on this computer.

"The address that MS-DOS uses to communicate with the hard disk has been changed. Some software, such as disk-caching software, changes this address.

"If you aren't running such software, you should run a virus-detection program to make sure there is no virus on your computer.

"To continue starting Windows without using the 32-bit disk driver, press any key."

Pressing a key leaves you back at the DOS prompt. This will have an obvious impact on today's Windows-dependent environments.

The virus evidently originated in the United States, in southern Florida. Alternately, Stealth.B could be a forerunner of Stealth, or they may have a common ancestor. The virus is also called STB, AMSES, and Stelboo.