382 Recovery Virus


 Virus Name:  382 Recovery 
 Aliases:     382, Recovery, 382 Recovery.1 
 V Status:    Viron 
 Discovery:   July, 1990 
 Symptoms:    First 382 bytes of .COM files overwritten; system hangs; 
              spurious characters on system display; disk drive spinning; 
              boot failures 
 Origin:      Taiwan 
 Eff Length:  N/A 
 Type Code:   ONAK - Overwriting Non-Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, NAV, F-Prot, Sweep, IBMAV, NAVDX, 
                    VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The 382 Recovery virus was isolated in July 1990 in Taiwan.  It is 
       a non-resident generic infector of .COM and .EXE files, including 
       COMMAND.COM. 
 
       Each time a program infected with the 382 Recovery virus is 
       executed, the virus will check the current directory for a .COM 
       file that has not been infected with the virus.  If it finds an 
       uninfected .COM file, it will infect it.  If the original file was 
       less than 382 bytes in length, the infected file will now be 382 
       bytes in length.  Files which were originally greater than 382 bytes 
       in length will not show any increase in length.  Infected files 
       always have the first 382 bytes of the file overwritten to contain 
       the virus's code. 
 
       Once all .COM files in the current directory are infected, the next 
       time an infected .COM file is executed the virus will rename all 
       .EXE files to .COM files.  These renamed files, however, may or may 
       not later become infected. 
 
       A program file infected with the 382 Recovery virus will not
       execute properly.  In some cases, the program will hang upon
       execution, requiring the system to be rebooted.  In other cases,
       spurious characters will appear on the system display and the
       program will not run.  Lastly, the system may do nothing but leave
       the disk drive spinning, requiring the system to be powered off
       and rebooted.
 
       Occasionally, the 382 Recovery virus will corrupt IO.SYS, one of 
       the hidden system files.  Once this corruption has occurred, attempts 
       to boot from the infected disk will fail. 
 
       Since the first 382 bytes of infected files have been overwritten, 
       the infected files cannot be recovered.  The original 382 bytes of 
       the file are permanently lost.  Infected files should be deleted or 
       erased and replaced with backup copies known to be free of infection. 
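
Because files longer than 382 bytes do not change size, a size comparison alone will not flag them. The following integrity check is an added example, not part of the original entry or any listed product; it compares a known-clean baseline against the current file and reports the patterns described above. The function names, labels, and the treatment of a file of exactly 382 bytes are assumptions.

```python
import hashlib

HEAD = 382  # number of leading bytes the entry says are overwritten


def fingerprint(data: bytes) -> dict:
    """Baseline record: size plus separate digests of the head and the rest."""
    return {
        "size": len(data),
        "head": hashlib.sha256(data[:HEAD]).hexdigest(),
        "tail": hashlib.sha256(data[HEAD:]).hexdigest(),
    }


def classify(baseline: dict, current: bytes) -> str:
    """Compare a file's current contents with its known-clean baseline."""
    now = fingerprint(current)
    if now == baseline:
        return "unchanged"
    head_changed = now["head"] != baseline["head"]
    tail_same = now["tail"] == baseline["tail"]
    # File was at least HEAD bytes: same size, head replaced, rest intact.
    # (Treating exactly 382 bytes this way is an assumption.)
    if (baseline["size"] >= HEAD and now["size"] == baseline["size"]
            and head_changed and tail_same):
        return "head-overwritten"
    # File was shorter than HEAD bytes: it is now exactly HEAD bytes long.
    if baseline["size"] < HEAD and now["size"] == HEAD:
        return "grown-to-382"
    return "modified"


def renamed_exe(before: set, after: set) -> list:
    """List .COM names that replaced an .EXE present in the baseline listing."""
    found = []
    for name in sorted(before):
        stem, _, ext = name.rpartition(".")
        if ext.upper() == "EXE" and name not in after and f"{stem}.COM" in after:
            found.append(f"{stem}.COM")
    return found


if __name__ == "__main__":
    # Constructed sample data: zero bytes stand in for the overwritten region.
    clean = bytes(range(256)) * 4
    damaged = b"\x00" * HEAD + clean[HEAD:]
    print(classify(fingerprint(clean), damaged))
    print(renamed_exe({"TOOL.EXE", "EDIT.COM"}, {"TOOL.COM", "EDIT.COM"}))
```

A file reported as head-overwritten or grown-to-382 should be restored from a clean backup, as the entry advises.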
 
       Known variant(s) of 382 Recovery are: 
       382 Recovery.1: A minor variant of 382 Recovery which is 
                       functionally equivalent to the original virus.  This 
                       variant differs by only one byte. 
 
       See:  Burger 
