Plovdiv 1.1 Virus

Virus Name: Plovdiv 1.1 Aliases: SX V Status: Rare Discovered: November, 1991 Symptoms: .COM file growth; file allocation errors; program error messages Origin: Poland Eff Length: 800 Bytes Type Code: PRCK - Parasitic Resident .COM Infector Detection Method: ViruScan, Sweep, AVTK, F-Prot, ChAV, NAV, IBMAV, NAVDX, VAlert, PCScan, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The Plovdiv 1.1 virus was received in November, 1991. It is originally from Poland. Plovdiv 1.1 is a memory resident infector of .COM files, including COMMAND.COM. The first time a program infected with Plovdiv 1.1 is executed, Plovdiv 1.1 will install itself memory resident in the DOS System Data area in memory. It will hook interrupts 1E, 21, and 22. There will be no change in total system and available free memory as indicated by the DOS CHKDSK program. After the Plovdiv 1.1 virus has become memory resident, it will infect one .COM file in the current directory each time any program is executed, a DIR command is performed, or a .BAT file is executed. It will also infect .COM files if they are opened for any reason. Programs infected with Plovdiv 1.1 will have a file length increase of 800 bytes, though the file length increase will be hidden when the virus is memory resident. The virus will be located at the beginning of infected files. There will be no change to the file's date and time in a DOS directory listing. The following text strings will appear within the viral code in infected files: "*.com" "(C)Damage inc.Ver 1.1,Plovdiv,1991" Symptoms of a Plovdiv 1.1 infection are that the DOS CHKDSK program will indicate file allocation errors on all infected files if it is executed with the virus memory resident. Programs which expect command line input may also return error messages and fail to function properly. It is unknown if Plovdiv 1.1 does anything besides replicate. See: Plovdiv 1.3