Crazyboot | |
---|---|
Type | Boot sector virus |
Creator | |
Date Discovered | 1995.05 |
Place of Origin | |
Source Language | |
Platform | DOS |
Infection Length | |
Reported Costs |
Crazyboot is a boot sector virus from 1995. Because of the time of its release, it called attention to the workings of boot sector viruses during the era of Windows.
Behavior
When a disk infected with Crazyboot is booted, the virus becomes memory resident, taking up 3072 bytes in memory just below the DOS 640k boundary. It infects the hard disk's master boot record, and keeps the original copy at Track 0, Cylinder 0, sector 4. Any disk accessed will be infected with the virus, however, this will only work on DOS, as Windows uses different interrupts to access disks. After 8,995 disk read operations, the virus displays this message: "Don't PLAY with the PC ! Otherwise you will get in ‘DEEP,DEEP’ trouble !. Crazy Boot Ver. 1.0"
The message only appears in DOS. If the computer is running Windows 95 or 98, the screen will go blank and the computer will freeze. Crazyboot then enters an infinite loop, which requires the user to restart the computer to break out of. The loop is tight enough that Ctrl+Alt+Del will not work. The user essentially has to pull the plug.
The virus has some stealth capabilities. When the user tries to view the master boot record, the virus will show the original stored at 0,0,4. However, it is difficult to manually restore the sector, as it is not saved in a contiguous format. In addition, the new master boot record does not contain valid partition table information, so the first time the user boots from a clean disk, the hard drive will not be accessible. The user must boot from it a second time.
Sources
McAfee Antivirus, Crazy_Boot. 1999.08.10