%%File: VIRS0823.TXT
%%Name/Aliases: WINSTART
%%Platform: PC/MS-DOS
%%Type: Companion program.
%%Disk Location:
%%Features: Memory resident; TSR.
%%Damage: No damage, only replicates.
%%Size: 297 bytes long, BAT file
%%See Also:
%%Notes:
The following notes are extracted from VB, June 1995:

WINSTART is a memory-resident BAT file infector. The installation routine is similar to that of BATMAN (the first memory-resident BAT virus). The body of the virus is found in a file named WINSTART.BAT, which is 297 bytes long. The file contains 4 lines of text, followed by binary data. These 4 lines give a good insight into the method of operation, and they are:

    @ECHO OFF
    :s%r#
    COPY %0.BAT C:\Q.COM>NUL
    C:\Q

When the WINSTART.BAT file is executed, the virus disables echoing. It then copies itself into Q.COM, which is placed in the root directory of drive C:, and Q.COM is executed. After the text, the first byte of the binary data is 1Ah, which is the end-of-file marker. Thus, Q.COM ends and control is returned to the BAT file.

Q.COM is a copy of WINSTART.BAT, so it contains identical data, but the data are interpreted as Intel instruction codes. So the line ':s%r#' will ensure that control is passed to the binary part of the virus. The binary part will install the memory-resident portion of WINSTART into system memory. The virus hooks Int 2Fh and uses the Int 2Fh routines for its installation in high memory. Finally, C:\Q.COM is renamed to C:\WINSTART.BAT, C:\Q.COM is deleted, then C:\WINSTART.BAT is given the read-only attribute and the program terminates.

The memory-resident copy will infect floppy disks. The manner of infection is similar to the above (i.e. the Int 2Fh handler is employed). Infection takes place only when 2 conditions are met:

1) The current drive is A: or B:
2) The disk is more than 50% full.

If it decides to go ahead and infect the floppy disk, then DOS error messages are suppressed via Int 24h.

The recommended method for disinfection is to delete the WINSTART.BAT file.
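
The layout described in the notes (a few lines of batch text, then the byte 1Ah, then binary data, with a line that copies %0 to a .COM file) can be checked for directly. The following Python check is an added example, not part of the VB notes or of this record; the function name, the heuristic and the sample bytes (0xFF filler, not virus code) are constructed for illustration.

```python
import re

DOS_EOF = 0x1A  # Ctrl-Z, the DOS end-of-file marker named in the notes

# A batch line that copies the running script (%0) to a .COM file.
SELF_COPY_TO_COM = re.compile(rb"(?i)\bcopy\s+%0(\.bat)?\s+\S+\.com\b")


def inspect_bat(data: bytes) -> dict:
    """Report the traits from the record: text lines, then 1Ah, then binary data."""
    eof_at = data.find(bytes([DOS_EOF]))
    text = data if eof_at < 0 else data[:eof_at]
    tail = b"" if eof_at < 0 else data[eof_at + 1:]
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Anything outside printable ASCII, tab, CR and LF counts as binary.
    binary = sum(1 for b in tail if not (b in (9, 10, 13) or 32 <= b < 127))
    findings = {
        "text_lines": len(lines),
        "eof_offset": eof_at,            # -1 when no 1Ah byte is present
        "bytes_after_eof": len(tail),
        "binary_bytes_after_eof": binary,
        "self_copy_to_com": any(SELF_COPY_TO_COM.search(ln) for ln in lines),
    }
    # Heuristic (assumption of this example): flag only when both traits appear.
    findings["suspicious"] = findings["self_copy_to_com"] and binary > 0
    return findings


# Constructed sample: the four text lines quoted in the notes, the 1Ah byte,
# then filler padded to the 297-byte size given in the record.
SAMPLE = (b"@ECHO OFF\r\n:s%r#\r\nCOPY %0.BAT C:\\Q.COM>NUL\r\nC:\\Q\r\n"
          + bytes([DOS_EOF]))
SAMPLE += b"\xff" * (297 - len(SAMPLE))

# Constructed benign cases: a plain batch file, and one with a trailing Ctrl-Z
# such as some old editors append.
BENIGN = b"@ECHO OFF\r\nWIN\r\n"
BENIGN_CTRL_Z = BENIGN + bytes([DOS_EOF])

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("benign", BENIGN),
                       ("benign+ctrl-z", BENIGN_CTRL_Z)):
        print(name, inspect_bat(blob))
```

A trailing 1Ah on its own is not flagged, since nothing follows it; the check keys on binary data after the marker combined with the self-copy line.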