There are 3 variants:
- Virus.DOS.Bios.2048 (A, B and C)
When the virus is loaded into memory, it hooks INT 9, 1Ch and 21h to infect any executable that is run by writing itself at the beginning of the file, and to place the original code of the host program to the end of the file. Files that are smaller than the virus itself are ignored.
The virus behaves stealthy so that there is no observable size change in current section.
After a system reset, even the virus is loaded into memory again, files that are infected in the previous sections will no longer hide their infection size, but those files to be infected in current section only.
Files infected by the virus in current section will encounter an allocation error on CHKDSK, while those which are infected in previous sections would no longer cause this error.
The virus might activate by tracking keyboard input and/or depending the timer hooked.
The following table shows the memory usage of the variants.
|Variant||Memory usage in bytes|
|Bios.2048 (A and B)||8,336|
There is no relationship between the virus and the term BIOS (Basic Input Output System).
For some infected EXE files, if they are run when the virus is not already in memory, the system would crash.
Bios.2048.a and 2048.b contain the internal text string:
Bios.2048.c contains the internal text strings:
We are PRO Version 1.0 Producted by Mr.Watshira Sae-eu KMIT-NB Date Dec 28,1990 See U Next Version. BIOS SOIB 12281972279182211
Description of the Bios virus, Online VSUM