Plumbum Virus
Virus Name: Plumbum
Aliases: Plumbum-A
V Status: Rare
Discovered: December, 1992
Symptoms: .COM file growth; file date month changed
Origin: Poland
Eff Length: 534 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: F-Prot, Sweep, AVTK, IBMAV, PCScan,
ViruScan, NAV, NAVDX, VAlert,
LProt, Sweep/N, NShld, NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Plumbum, or Plumbum-A, virus was submitted in December, 1992,
along with seven variants of the virus. The Plumbum family of
viruses is from Poland, and are based on the W13 virus.
When a program infected with one of the Plumbum viruses is executed,
the Plumbum virus will infect one .COM program located in the
current directory. Infected programs will have a file length
increase of 534 bytes with the virus being located at the end of the
file. The program's date in the DOS disk directory listing will be
altered, the month in the date having been set to "13". The
following text can be found within the viral code in all Plumbum
infected programs:
"\????????.COM"
"????????COM"
"osoftyright Microsoftyright Microsoftyright"
"Microsoftyright Microsoftyright Microsoft 1988"
Plumbum doesn't appear to do anything besides replicate.
Known variant(s) of the Plumbum virus are:
Plumbum-B: A 534 byte variant, Plumbum-B changes the month in
the file date of infected files to "14". The text
strings contained within the viral code are:
"\????????.COM"
"????????COM"
"Plumbum Plumbum Plumbum Plumbum Plumbum Plumbum"
"Plumbum Plumbum Plumbum Plumbum Plumbum !!"
Origin: Poland December, 1992.
Plumbum-C: A 543 byte variant, Plumbum-C infects one .COM
program each time an infected program is executed.
Infected programs will have a file length increase of
543 bytes with the virus being located at the end of the
file. The program's date in the DOS disk directory
listing will have been altered, the month field having
been set to "15". The following text strings can be
found within the viral code:
"\????????.COM"
"????????COM"
"osoftyright Microsoftyright Microsoftyright"
"Microsoftyright Microsoftyright Microsoft 1988"
Origin: Poland December, 1992.
Plumbum-D: A 450 byte variant, Plumbum-D infects one .COM
program each time an infected program is executing, adding
450 bytes to the file length. Infected programs will have
the file date's month in the DOS disk directory set to
"15". The following text strings can be found within the
viral code:
"\????????.COM"
"????????COM"
Origin: Poland December, 1992.
Plumbum-E: Similar to the Plumbum-D variant, this variant also
adds 450 bytes to the programs it infects. The file
date in the DOS disk directory will be altered so that
the month is "15", and the day field may also be altered.
It contains the same text strings as Plumbum-D.
Origin: Poland December, 1992.
Plumbum-F: Similar to the Plumbum virus, this variant also
adds 534 bytes to the .COM programs it infects and sets
the month in the DOS disk directory file date to "13".
The following text strings can be found within the viral
code in infected programs:
"\????????.COM"
"????????COM"
"osoftyright Microsoftyright Microsoftyright"
"Microsoftyright 141$FLuofyright Microsoft 1988"
Origin: Poland December, 1992.
Plumbum-M1: A 679 byte variant of Plumbum, Plumbum-M1 sets the
file date's month in the DOS disk directory listing to
"15". The following text strings can be found within the
viral code in infected programs:
"\????????.COM"
"????????COM"
"BE CAREFULL!!!"
"IN YOUR COMPUTER IS ONE POWERFULL CREEPER!!!"
"Hey you! You are lucky! YOU HAVE ME!!!"
"written in WARSAW (c) Plumbum"
Origin: Poland December, 1992.
Plumbum-M2: A 518 byte variant of Plumbum, Plumbum-M2 sets the
file date's month in the DOS disk directory listing to
"15". The following text strings can be found within the
viral code in infected programs:
"\????????.COM"
"????????COM"
"BE CAREFULL!!!"
"Hey you! You are lucky! YOU HAVE ME!!!"
"written in WARSAW (c) Plumbum"
Origin: Poland December, 1992.
See: W13