FRISK Software International


Summary of Junkie
Infectable objects: Hard disk MBRs and COM files, Boot sectors of floppies
Discovered: 1 May 1994
 
Jump to:
Brief description
Technical description

Brief Description
The Junkie virus was circulated through European BBSs at the end of May 1994. It travelled in a file called HV-PSPTC.ZIP. According to the description, the file was supposed to contain a program which would make it possible to install illegal copies of the Pacific Strike-game directly from the hard disk instead of from diskettes. The packet's content, PSPATCH.COM, contained only the Junkie virus, however


Technical Description
Junkie is a Swedish multipartite virus. It infects hard disk MBRs and COM files. When an infected file is executed in a computer for the first time, the virus overwrites the hard disk's MBR with its own code but does nothing else. During its next execution, the virus goes resident in memory and infects all accessed COM files. Junkie is a fast infector.

Junkie also infects boot sectors of all floppies used in the machine, and is capable of spreading further when the machine is booted up from such a diskette. 360KB and 2.88MB diskettes are not infected.

Infected COM files grow by approximately 1035 bytes. Since the virus infects all accessed COM files, it corrupts files which are structurally EXEs but happen to have the extension COM. The virus code is doubly encrypted. The following message is hidden under the second encryption layer:

        Dr White - Sweden 1994
        Junkie Virus - Written in Malmo...M01D
Dr White has also written another Swedish virus called Desperado.

The Junkie virus can be noticed by the decrease of available memory in the system. Some programs also display the message "Program too big to fit in memory" when they are executed.

TECHNICAL INFO: Junkie patches floppy boot sectors and HD MBS from offset 98 to 127. The virus code itself is contained in two sectors, 0,0,4-5 on HD and on the last track (40 or 80), side 1, sectors 8-9 on floppies. Junkie does not relocate nor store the original sector anywhere. In COM files, the virus will append itself at the end of the file, with a length of 1027 to 1042 bytes.

Junkie is a selective fast infector (not all files will be infected on opening, just some). Junkie will not infect COM files shorter than about 5000 bytes. However, Junkie will sometimes infect files with other extensions, such as CO_, COW etc.

When active, Junkie will decrease the base memory by three kilos. Also, INT 1Ch will be hooked and QEMM will complain about and will not load high programs requiring this handler.


[Analysis: Mikko Hypponen, F-Secure]
 


Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)
 

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is