-----------------------------------------------------------------------------
 WildList Notes - (c)1995 Joe Wells - c1jwells@watson.ibm - wildlist@aol.com
-----------------------------------------------------------------------------

Virus Name:  Joshi.A

Aliases:     [none]

Infects:     MBR on first hard drive. DOS boot sector on floppy disks.

Disk Size:   8 sectors.

Location:    MBR or boot sector. Original MBR is stored at cylinder 0, 
             sector 9, head 0. On floppy disks in an "extra track" at
             cylinder 40 or 80. 

Memory Size: 6k.

Location:    The virus reserves 6k of memory by modifying the available
             memory word at 40:13.

Special:     The virus is full stealth. Intercepts [CTRL] [ALT] [DEL].

Effects:     Prints message below and waits for user input.

Trigger:     Booting on January 5th of any year.

Messages:    'Type "Happy Birthday Joshi"' is displayed on a cyan 
             background in 40 column mode.

Bugs:        Several. The virus assumes color video support. The virus 
             can multiply infect a system, making it unbootable. The 
             virus uses an "extra track" in the middle of the usable data 
             space on 720k diskettes.

Origin:      India.

Notes:       The virus uses advanced stealthing by intercepting more 
             interrupt 13h function calls than any other boot virus 
             (except Frankenstein).

             However, it does not stealth the extra sectors of its own 
             code. Thus, by examining the second and third physical 
             sectors of an infected hard drive, the message above can be 
             seen, even if the virus is in memory.

             The virus intercepts the use of [CTRL] [ALT] [DEL] to perform
             a warm reboot and attempts to emulate a system restart, while 
             staying active in memory. It does this by restoring the 
             interrupt vector table, which it stored at bootup, and 
             issuing an interrupt 19h. This works on many systems, but 
             crashes others.

             Also, the virus prevents using this three-finger method to 
             escape from its triggered event. To continue from the 
             "Birthday" screen, the user must type the requested phrase 
             verbatim.
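
The note above says the virus does not stealth its extra sectors, so the message is visible in the second and third physical sectors of an infected hard drive. The following is an added example, not part of the original WildList note: it checks a raw disk image for that phrase. It assumes 512-byte sectors and that the phrase is stored as plain ASCII; the function names and sample images are constructed for illustration.

```python
"""Added example: check a raw hard-disk image for the unstealthed Joshi.A
sectors described in the note above. Assumptions are marked in comments."""

SECTOR_SIZE = 512                      # assumption: 512-byte sectors
# Assumption: the phrase is stored as plain ASCII; the note only says the
# message can be seen in those sectors.
MARKER = b"Happy Birthday Joshi"


def read_physical_sectors(image: bytes, first: int, count: int) -> bytes:
    """Return `count` sectors starting at 1-based physical sector `first`
    on cylinder 0, head 0 (sector 1 is the MBR)."""
    start = (first - 1) * SECTOR_SIZE
    end = start + count * SECTOR_SIZE
    if len(image) < end:
        raise ValueError("image too short: need %d bytes, have %d"
                         % (end, len(image)))
    return image[start:end]


def find_joshi_marker(image: bytes):
    """Search physical sectors 2 and 3 as one span, so a phrase that
    straddles the sector boundary is still found. Returns (sector, offset)
    of the first hit, or None if the phrase is absent."""
    span = read_physical_sectors(image, first=2, count=2)
    pos = span.lower().find(MARKER.lower())
    if pos < 0:
        return None
    return 2 + pos // SECTOR_SIZE, pos % SECTOR_SIZE


def build_sample_image(marker_at=None) -> bytes:
    """Constructed sample data, not a real infected disk: 17 zeroed sectors
    with a boot signature, and optionally the phrase at a byte offset."""
    img = bytearray(17 * SECTOR_SIZE)
    img[510:512] = b"\x55\xaa"
    if marker_at is not None:
        img[marker_at:marker_at + len(MARKER)] = MARKER
    return bytes(img)


if __name__ == "__main__":
    clean = build_sample_image()
    # Phrase placed so that it crosses the boundary between sectors 2 and 3.
    flagged = build_sample_image(marker_at=2 * SECTOR_SIZE - 8)
    print("clean   :", find_joshi_marker(clean))
    print("flagged :", find_joshi_marker(flagged))
```

A hit is an indicator to follow up on, not proof of infection, since the check only looks for the phrase and not for the virus code itself.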
