Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Urkel

Urkel

Updated:
13 February 2007
Also Known As:
Nwait

Urkel is a virus that occupies 1K at the top of memory (640K mark). Any memory indicator shows the machine to have 1K less than it should. One way to verify that a computer is infected is to run DOS CHKDSK or MEM. The computer most likely has about 638K to 639K if the system is infected.

Urkel encrypts both its body and side 0, track 0, sector 1 of the hard disk. It places its viral code, encrypted, in side 0, track 0, sector 5. As it is a full stealthing virus, viewing side 0, track 0, sector 1 with a sector editor while the virus is in memory displays a clean and original copy of that sector.

When a system is booted from an infected floppy, the virus infects the hard drive and then redirects the boot process to the hard drive. In this way, users may not even know they attempted to boot from an infected diskette. All subsequent boots from infected floppy disks display the appropriate messages and actions (either a non-system disk error or a normal floppy boot process).

As the virus encrypts the entire first sector, which includes the partition table, booting from a clean floppy disk renders the hard drive inaccessible. Users have also reported problems formatting floppy disks while the virus is memory resident.

Urkel has no known intentional destructive abilities. It triggers on the hour and prints Urkel on the screen.