FRISK Software International


Summary of NYB
Alias: B1, Stoned.i
Infectable objects: Boot sectors
 

Brief Description

The NYB virus is a reasonably simple diskette and Master Boot Record infector. It can infect a hard disk only when you try to boot the machine from an infected diskette. At that point B1 infects the Master Boot Record, and after that it goes resident in high DOS memory during every boot-up from the hard disk.

Once NYB is resident in memory, it will infect practically all non-write-protected diskettes used in the machine. NYB will allocate 1 kB of DOS base memory. NYB is a stealth virus, so the changes made to the MBR are not visible as long as the virus is resident.

Every time a floppy disk is accessed, there is a 1/512 chance that the virus activates. The virus then sends the floppy drive head repeatedly from track 0, sector 0 to track 255, sector 62. On standard floppy drives, such areas do not exist.

On some floppy drives there is no validity checking on these values, so the floppy head might hit the stopper again and again. This might cause some physical damage to the floppy drive, but only if the routine is allowed to continue for some time. We've yet to see an actual case where this would have caused real damage to the floppy drive.

There is also another activation routine, which went unnoticed by virus researchers for a long time. The virus will crash the machine if the hard disk is written to when the hour and minute fields of the system clock are zero (i.e. right after midnight). Thanks to Paul Talbot (ptww@aol.com) for pointing this out.

NYB has no text strings. While infecting, it will corrupt some diskettes seriously.

NYB is very common all over the world.

F-PROT used to detect NYB as B1, but the virus was renamed in February 1996 (F-PROT 2.22).




[Analysis: Mikko Hypponen, F-Secure]
 

