Osiris Virus

Virus Name: Osiris Aliases: V Status: Rare Discovered: July, 1994 Symptoms: .COM file growth; TSR; file date/time changes; program executed not what user attempted to execute Origin: Unknown Eff Length: 299 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: F-Prot, IBMAV, AVTK, ViruScan, Sweep, NAV, NAVDX, VAlert, ChAV, AVTK/N, Sweep/N, NProt, Innoc, NShld, IBMAV/N, NAV/N Removal Instructions: Delete infected files General Comments: The Osiris virus was received in July, 1994. Its origin or point of isolation is unknown. Osiris is a memory resident, direct action infector of .COM files, including COMMAND.COM. When the first Osiris infected program is executed, the Osiris virus will infect one .COM file located in the current directory, as well as install a 3,664 byte TSR. The Osiris virus' TSR hooks interrupts 22 and 24. It is used by the virus for purposes other than replication. Once the Osiris virus is memory resident, execution of an infected program may result in the infection of a previously uninfected .COM file in the current directory. If the first five .COM files in the current directory are already infected, the virus will not infect another file in the directory. Programs infected with the Osiris virus will have a file length increase of 299 bytes with the virus being located at the beginning of the file. The program's date and time in the DOS disk directory listing will have been updated to the current system date and time when infection occurred. One text string is visible within the viral code in all infected programs: "*.COM" The Osiris virus sometimes interfers with the user executing .COM programs. When the user executes an infected .COM program, the virus may instead execute the program it is infecting instead.