Virus Name:  Joshi
Aliases:     Happy Birthday Joshi, Stealth Virus
V Status:    Common
Discovered:  June, 1990
Symptoms:    BSC, machine hangs and message
Origin:      India
Eff Length:  N/A
Type Code:   BRX - Resident Boot Sector/Partition Table Infector
Detection Method:  ViruScan V64+, Pro-Scan 1.4+
Removal Instructions:  CleanUp V66+, Pro-Scan 1.4+, RmJoshi, or
             Low-Level Format Harddisk and DOS SYS floppies
General Comments:

The Joshi Virus was isolated in India in June 1990. At the time it
was isolated, it was reported to be widespread in India as well as
portions of the continent of Africa. Joshi is a memory resident boot
sector infector of 5.25" diskettes. It will also infect hard disks,
though in the case of hard disks it infects the partition table or
master boot sector rather than the boot sector (sector 0).

After a system has been booted from a Joshi-infected diskette, the
virus will be resident in memory. Joshi takes up approximately 6K of
system memory, and infected systems will show that total system
memory is 6K less than is installed if the DOS CHKDSK program is run.

Joshi has some similarities to two other boot sector infectors. Like
the Stoned virus, it infects the partition table of hard disks.
Similar to the Brain virus's method of redirecting all attempts to
read the boot sector to the original boot sector, Joshi does this
with the partition table.

On January 5th of any year, the Joshi virus activates. At that time,
the virus will hang the system while displaying the message:

      "type Happy Birthday Joshi"

If the system user then types "Happy Birthday Joshi", the system will
again be usable.

This virus may be recognized on infected systems by powering off the
system and then booting from a known-clean write-protected DOS
diskette. Using a sector editor or viewer to look at the boot sector
of suspect diskettes, if the first two bytes of the boot sector are
hex EB 1F, then the disk is infected. The EB 1F is a jump instruction
to the rest of the viral code.
The remainder of the virus is stored on track 41, sectors 1 thru 5 on
360K 5.25 inch Diskettes. For 1.2M 5.25 inch diskettes, the viral
code is located at track 81, sectors 1 thru 5.

To determine if a system's hard disk is infected, you must look at
the hard disk's partition table. If the first two bytes of the
partition table are EB 1F hex, then the hard disk is infected. The
remainder of the virus can be found at track 0, sectors 2 thru 6. The
original partition table will be at track 0, sector 9.

The Joshi virus can be removed from an infected system by first
powering off the system, and then booting from a known-clean,
write-protected master DOS diskette. If the system has a hard disk,
the hard disk should have data and program files backed up, and the
disk must be low-level formatted. As of July 15, 1990, there are no
known utilities which can disinfect the partition table of the hard
disk when it is infected with Joshi. Diskettes are easier to remove
Joshi from: the DOS SYS command can be used, or a program such as
MDisk from McAfee Associates, though this will leave the viral code
in an inexecutable state on track 41.

//Following not originally in this file

======= Computer Virus Catalog 1.2: Joshi Virus (25-July-1992) =======
Entry...............: Joshi Virus
Alias(es)...........: Joshua Virus
Virus Strain........: ----
Virus detected when.: ?
              where.: India, Germany
Classification......: Master Bootsector and Bootsector Virus,
                      memory resident, stealth
Length of Virus.....: 4 KByte
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: any
Computer model(s)...: IBM - PC, XT, AT, upward and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: CHKDSK will report 6KB memory less than
                      installed.
                      On hard disks, the Master Bootsector contains
                      EB 1F 90 as first Bytes; at end of sector 3 and
                      beginning of sector 4 on track 0, string
                      "Type Happy Birthday Joshi" can be found.
Type of infection...: Hard disk: Master Bootsector will be infected;
                      the original Master-Bootsector will be saved in
                      sector 9. The virus resides on track 0,
                      sectors 1-8.
                      Floppy-Disk: Bootsector will be infected; the
                      original Bootsector will be saved on additional
                      track 40/80 in sector 9. Virus resides on track
                      40/80 in sectors 2 to 6. On 720 kB diskettes,
                      virus will overwrite original data on track 40.
Infection Trigger...: Actions: Read, write, verify track 0/sector 1
                      Storage Media affected: Any hard disk, any
                      floppy
Infection targets:..: Hard disk Master Bootrecord; Floppy Bootrecord
Interrupts hooked...: INT 8, INT 9, INT 13h, INT 21h
Interrupts used.....: INT 8, INT 9, INT 10H, INT 13h, INT 19h
Damage..............: Permanent damage: on 720 kByte floppies,
                      original data on track 40 will be overwritten
                      during infection.
                      Transient damage: virus displays message
                      "Type Happy Birthday Joshi".
Damage Trigger......: On January 5th, a DOS call (INT 21h) of any of
                      the following functions
                      - 48h (memory allocation)
                      - 49h (free allocated memory block)
                      - 4Ah (resize allocated memory block)
                      - 2Ah (get date)
                      - 2Bh (set date)
                      - 2Ch (get time)
                      - 2Dh (set time)
Particularities.....: 1) Joshi prevents being overwritten by the
                         STONED-virus
                      2) With Hercules graphic cards, problems may
                         occur as JOSHI does not save Hercules screen
                         memory.
--------------------- Agents -----------------------------------------
Countermeasures.....: According to their documentation, many
                      antivirus products claim to recognise/eradicate
                      virus.
-ditto- successful..: Tested: Dr.Solomon's Toolkit 4.15, Fridrik
                      Skulason's F-PROT 2.04a, H&B-EDV Antivir-IV 4.03
                      and McAfee Scan93.
Standard means......: 1) Reboot from clean bootdisk.
                      2) Use SYS-Command to reinstall BOOT sector on
                         floppies.
                      3) Use FDISK /MBR to reinstall Master-BOOT
                         sector on Harddisk (MS-DOS 5.0 only).
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center Hamburg, Univ Hamburg, Germany
Classification by...: Torsten Dargers, Ulf Heinemann
Documentation by....: Torsten Dargers, Ulf Heinemann
Date................: 26-June-1992
===================== End of JOSHI Virus =============================
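
The hard-disk identification criteria from the two entries above (EB 1F, or EB 1F 90, at the start of track 0 sector 1; the message text across the sector 3/4 boundary; the original saved in sector 9), written as a check over a raw image. This is an added example, not part of either catalogue entry. It assumes the image was read after booting from a known-clean diskette (a resident Joshi redirects partition table reads), that track 0 starts at offset 0 with 512-byte sectors, and that the saved original carries the standard 55 AA boot signature; the function names and the sample image are hypothetical and constructed.

```python
SECTOR = 512
JUMP = b"\xEB\x1F"                   # first two bytes named by both entries
MESSAGE = b"Happy Birthday Joshi"    # text common to both quoted messages
BOOT_SIG = b"\x55\xAA"               # standard PC boot signature (assumption, not from the page)


def sector(image: bytes, n: int) -> bytes:
    """Return sector n (1-based) of track 0, assuming track 0 starts at offset 0."""
    return image[(n - 1) * SECTOR:n * SECTOR]


def check_track0(image: bytes) -> dict:
    """Report each Joshi indicator separately for a raw hard-disk image."""
    if len(image) < 9 * SECTOR:
        raise ValueError("need at least sectors 1-9 of track 0")
    first = sector(image, 1)
    pos = image[:9 * SECTOR].find(MESSAGE)
    boundary = 3 * SECTOR            # end of sector 3 / start of sector 4
    return {
        "jump_eb1f": first[:2] == JUMP,
        "third_byte_90": first[2:3] == b"\x90",
        "message_offset": pos if pos >= 0 else None,
        "message_straddles_3_4": 0 <= pos < boundary < pos + len(MESSAGE),
        "sector9_boot_signature": sector(image, 9)[510:] == BOOT_SIG,
    }


def build_sample(infected: bool) -> bytes:
    """Constructed 9-sector test image: marker bytes only, no viral code."""
    img = bytearray(9 * SECTOR)
    img[510:512] = BOOT_SIG                      # signature of sector 1
    if infected:
        img[0:3] = JUMP + b"\x90"
        msg = b"Type " + MESSAGE
        start = 3 * SECTOR - 10                  # place text across sectors 3 and 4
        img[start:start + len(msg)] = msg
        img[8 * SECTOR + 510:9 * SECTOR] = BOOT_SIG   # saved original in sector 9
    else:
        img[0:3] = b"\xFA\x33\xC0"               # constructed bytes that do not match
    return bytes(img)


if __name__ == "__main__":
    for infected in (True, False):
        print(infected, check_track0(build_sample(infected)))
```

Each indicator is reported on its own so that a partial match, such as EB 1F present but no message text, is visible to the analyst.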