-----------------------------------------------------------------------------
 WildList Notes - (c)1995 Joe Wells - c1jwells@watson.ibm - wildlist@aol.com
-----------------------------------------------------------------------------

Virus Name:  Stealth Boot.B

Aliases:     AMSES, STB, stelboo 

             [Note: The Quox virus is also called "Stealth".]

Infects:     MBR on first hard drive. DOS boot sector on floppy disks.

Disk Size:   6 sector.

Location:    MBR or boot sector. The remaining 5 sectors of virus code, 
             followed by the original MBR or boot sector are stored as 
             follows. Sectors 2-7 of cylinder 0, head 0 on the hard drive 
             are used. On 360k and 1.2m floppies, an extra track is 
             formatted and the virus code is placed therein. But, on 720k
             and 1.44m floppies, the last cylinder, head one, is used and 
             this area is marked in the FAT as being bad. Running Chkdsk 
             on an infected 3.5 inch floppy will report 3072 bytes in bad 
             clusters.

Memory Size: The virus reserves 4k of memory by decreasing the available
             memory word at 40:13. On a 640k system the value will be 
             changed from 280h to 27Ch. Chkdsk will report 651264 bytes 
             of memory free.

Location:    In 4k reserved at top of conventional memory.

Special:     The virus is full stealth. On an infected hard disk, sectors 
             2 - 7 are also stealthed. When an attempt is made to read 
             these sectors, the virus returns a zero-filled buffer. On 
             floppies however, the additional sectors are not stealthed.

Effects:     [none]

Trigger:     [none]

Messages:    [none]

Bugs:        The virus interferes with some memory managers. Attempts to 
             start Microsoft Windows on an infected system will return 
             the user to the DOS prompt and leave the system unstable.

Origin:      Evidently the University of Miami, in Miami, Florida.

Notes:       The virus appears to be based on the printed source code for 
             the "Stealth" boot virus described in "The Little Black Book 
             of Viruses", by Mark Ludwig. I describe the similarities and 
             differences between these two viruses in the article titled
             "Stealth.B: Invisible Fire" in the July, 1994 issue of Virus 
             Bulletin.
