Animus Virus


 Virus Name:  Animus 
 Aliases:     Animus-7360, Cookie-7360 
 V Status:    Rare 
 Discovery:   April, 1992 
 Symptoms:    .COM & .EXE file growth; switches files and file names; 
              unexpected accesses to the C: drive; program execution 
              errors; TSR; file date/time change 
 Origin:      Unknown 
 Eff Length:  7,360 Bytes 
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  AVTK, F-Prot, ViruScan, Sweep, NAV, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, Innoc, AVTK/N, NAV/N, NProt, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Animus, Animus-7360, or Cookie-7360 virus was submitted in 
       April, 1992.  Its origin or point of isolation is unknown.  Animus 
       is a memory resident infector of .COM and .EXE programs. Advanced 
       infections may result in COMMAND.COM being infected. 
 
       The first time a program infected with the Animus virus is 
       executed, the Animus virus will install itself memory resident as 
       a low system memory TSR, hooking interrupts 22 and 24.  Available 
       free memory may decrease by as much as 70K.  Also at this time, 
       the virus will infect two .COM programs other than COMMAND.COM 
       which are located in the current directory. 
 
       Once the Animus virus is memory resident, it will infect two .COM 
       programs each time an infected program is executed.  Infected 
       programs will have a file length increase of 7,360 bytes with the 
       virus being located at the beginning of the file.  The program's 
       date and time in the DOS disk directory listing will be 
       9-13-91 10:30a.  The following text strings can be found in all 
       Animus infected programs: 
 
               "COMMAND.COM" 
               "Animus.id" 
               "comExe" 
               "Animus.exe" 
 
       Animus is a malicious virus.  As the system infection of Animus 
       progresses, the virus will switch various file names so that the 
       file name shown in the directory no longer matches the contents 
       of the file.  This process occurs with both executable programs 
       and data files.  As a result, the user may not execute the program 
       that they are attempting to run, and unpredictable results occur. 
       Animus does not avoid switching another file with COMMAND.COM, so 
       unexpected warm reboots or shelling of the command interpreter may 
       occur.  The switching of file names results in programs with the 
       .EXE extension possibly being infected, and all files on infected 
       systems must be tested to determine if they contain the virus. 
       Once the infected programs are disinfected, the actual contents of 
       the files must be determined and the files renamed to their proper 
       names. 
 
       Known variant(s) of Animus are: 
       Animus-7392: Animus-7392 is a later version of the Animus virus. 
                    It adds 7,392 bytes to the .COM programs it infects. 
                    Infected programs will have their file date and time in 
                    the DOS disk directory listing altered to 
                    9-13-91 10:31a.  Instead of switching file names, this 
                    variant will start infecting .EXE programs once all of 
                    the .COM programs in the current directory have been 
                    infected.  Infected .EXE programs also increase in size 
                    by 7,392 bytes with the virus being located at the 
                    beginning of the file.  After all of the programs in 
                    the current directory have become infected, it will 
                    start infecting programs located on the C: drive. 
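
The indicators listed in this entry (the four text strings, the fixed directory date/time, and the 7,360 or 7,392 byte growth) can be checked across a mounted disk image with a short triage script. This is an added example, not part of the original entry; the function names are hypothetical, and it assumes the strings lie within the virus body at the start of the file and that the image's timestamps are read in local time.

```python
import os
from datetime import datetime

# Indicators from the entry above.
MARKERS = (b"COMMAND.COM", b"Animus.id", b"comExe", b"Animus.exe")
# Bytes added at the start of the file -> directory date/time left on the file.
VARIANTS = {
    7360: datetime(1991, 9, 13, 10, 30),   # Animus / Animus-7360
    7392: datetime(1991, 9, 13, 10, 31),   # Animus-7392
}

def check_file(path):
    """Return a list of indicator hits for one file (empty list = no hit)."""
    hits = []
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        # Assumption: the strings sit in the virus body at the start of the file.
        head = fh.read(max(VARIANTS))
    # "COMMAND.COM" alone is common in clean DOS programs, so require all four.
    if all(m in head for m in MARKERS):
        hits.append("strings")
    # The entry gives the stamp to the minute; compare at that granularity.
    mtime = datetime.fromtimestamp(os.path.getmtime(path)).replace(second=0, microsecond=0)
    for added, stamp in VARIANTS.items():
        if mtime == stamp and size > added:
            hits.append(f"timestamp+size:{added}")
    return hits

def scan_tree(root):
    """Check every file under root, whatever its extension, since the virus
    switches file names and an extension no longer identifies the contents."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = check_file(path)
            except OSError:
                continue                    # unreadable file: skip, keep scanning
            if hits:
                report[path] = hits
    return report

if __name__ == "__main__":
    import sys
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, ", ".join(hits))
```

A timestamp-only hit is weak evidence on its own and should be confirmed with one of the scanners listed under Detection Method.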
