Oxana Virus


 Virus Name:  Oxana 
 Aliases:    
 V Status:    Rare 
 Discovered:  February, 1993 
 Symptoms:    .EXE file growth; file date/time seconds set to 62; 
              decrease in total system & available free memory 
 Origin:      USSR 
 Eff Length:  1,670 Bytes 
 Type Code:   PRhE - Parasitic Resident .EXE Infector 
 Detection Method:  Sweep, AVTK, F-Prot, ViruScan, IBMAV, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    Sweep/N, NShld, AVTK/N, NAV/N, NProt, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Oxana virus was submitted in February, 1993, and is originally 
       from the USSR.  Oxana is a memory resident infector of .EXE programs. 
       It contains within its viral code a long message in Russian. 
 
       When the first Oxana infected program is executed, the Oxana virus 
       will install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, hooking interrupt 21.  Total system and 
       available free memory, as indicated by the DOS CHKDSK program, will 
       have decreased by 4,112 bytes.  Interrupt 12's return will not be 
       moved. 
 
       Once the Oxana virus is memory resident, it will infect .EXE files 
       when they are executed or opened for any reason.  Infected programs 
       will have a file length increase of 1,670 bytes with the virus being 
       located at the end of the file.  The program's date and time in the 
       DOS disk directory listing will not appear to be altered, though the 
       seconds field will have been set to 62.  Besides the above mentioned 
       message in Russian, the following text string is encrypted within the 
       viral code: 
 
               "MSDOS3" 
 
       It is unknown what Oxana may do besides replicate. 
 
       Known variant(s) of Oxana are: 
       Oxana.1719: Oxana.1719 is a 1,719 byte variant of the Oxana virus 
               described above.  Its size in memory is 4,096 bytes, hooking 
               interrupt 21.  Once resident, it infects .EXE programs when 
               they are executed.  Infected programs will have a file length 
               increase of 1,719 bytes with the virus being located at the 
               end of the file.  The program's date and time in the DOS disk 
               directory listing will not appear to be altered, though the 
               seconds field will have been set to '62'.  With the virus 
               memory resident, each time an infected program is executed, 
               this virus will draw a graphic rectange in the center of the 
               display containing some cyrillic characters and 6 boxes.  If 
               a character is typed in each box followed by hitting the 
               return key, the program will continue execution. 
               Origin:  USSR  July 1994.

Show viruses from discovered during that infect .

Main Page