Protecto Virus


 Virus Name:  Protecto 
 Aliases:     Protect, Protecto-1157 
 V Status:    Rare 
 Discovery:   July, 1992 
 Symptoms:    .COM & .EXE program growth; decrease in total system & 
              available free memory; system hangs; programs fail to 
              execute properly 
 Origin:      USSR 
 Eff Length:  1,157 Bytes 
 Type Code:   PRtAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, Sweep, ViruScan, IBMAV, AVTK, NAVDX, 
                    NAV, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Protecto, or Protecto-1157, virus was submitted in July, 1992. 
       It is reported to be from the USSR.  Protecto is a memory 
       resident infector of .COM and .EXE programs, including COMMAND.COM. 
 
       When the first Protecto infected program is executed, Protecto 
       will install itself memory resident at the top of system memory, 
       but below the 640K DOS boundary, adjusting the memory size
       returned by interrupt 12.
       Total system and available free memory, as indicated by the DOS 
       CHKDSK program, will have decreased by 2,064 bytes.  Interrupts 
       1C and 21 will be hooked by Protecto in memory. 
 
       Once the Protecto virus is memory resident, it will infect .COM 
       and .EXE programs, including COMMAND.COM, when they are executed. 
       Infected programs will have a file length increase of 1,157 bytes 
       with the virus being located at the end of the file.  The program's 
       date and time in the DOS disk directory listing will not be 
       altered.  The following text strings can be found in all Protecto 
       infected programs: 
 
               "File protection" 
               "File not found" 
               "masm.exe" 
 
       Systems infected with Protecto may experience system hangs when 
       programs larger than 64K are executed. 
 
       Known variant(s) of Protecto are: 
       Protecto-1196: Functionally similar to the Protecto virus 
                      described above.  The major differences are that 
                      interrupts 1C, 21, and 24 are hooked by the virus, 
                      and that infected programs increase in size by 
                      1,196 bytes.  The following text strings can be 
                      found in all Protecto-1196 infected programs: 
                      "sl.exe" 
                      "File protection" 
                      "File not found" 
                      Origin:  USSR  October, 1992. 
       Protecto-1323: Functionally similar to the Protecto virus 
                      described above.  The major differences are that 
                      interrupts 1C, 21, and 24 are hooked by the virus, 
                      and that infected programs increase in size by 
                      1,323 bytes.  The following text strings can be 
                      found in all Protecto-1323 infected programs: 
                      "c.exe" 
                      "File protection" 
                      "File not found" 
                      Origin:  USSR  November, 1993. 
       Protecto-1355: Functionally similar to the Protecto virus 
                      described above.  The major differences are that 
                      interrupts 1C, 21, and 24 are hooked by the virus, 
                      and that infected programs increase in size by 
                      1,355 bytes.  The following text strings can be 
                      found in all Protecto-1355 infected programs: 
                      "c.exe" 
                      "File protection" 
                      "File not found" 
                      Origin:  USSR  July, 1992. 
 
       See:   CPSU-2535 
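
Added example (not part of the original entry): a Python triage check that looks for the text strings listed above inside the appended tail of a file, using the growth sizes given in this entry. It assumes the strings are stored as plain ASCII within the appended virus body; the function names and sample bytes are constructed for illustration and contain no virus code.

```python
from typing import List, Optional

# Strings and growth sizes as listed in the entry above.
COMMON = (b"File protection", b"File not found")
VARIANTS = {  # bytes of file growth -> (variant name, marker string)
    1157: ("Protecto-1157", b"masm.exe"),
    1196: ("Protecto-1196", b"sl.exe"),
    1323: ("Protecto-1323", b"c.exe"),
    1355: ("Protecto-1355", b"c.exe"),
}

def scan(data: bytes, clean_size: Optional[int] = None) -> List[str]:
    """Return the variants whose strings all sit in the appended tail.

    clean_size is the known-good length of the program, if a baseline
    exists; it restricts matches to the variant with that exact growth.
    """
    hits = []
    for growth, (name, marker) in VARIANTS.items():
        if len(data) <= growth:
            continue  # too small to be host + virus body
        if clean_size is not None and len(data) - clean_size != growth:
            continue
        tail = data[-growth:]  # the virus sits at the end of the file
        if marker in tail and all(s in tail for s in COMMON):
            hits.append(name)
    return hits

def scan_file(path: str, clean_size: Optional[int] = None) -> List[str]:
    with open(path, "rb") as fh:
        return scan(fh.read(), clean_size)

def fake_tail(growth: int, marker: bytes) -> bytes:
    """Constructed stand-in for an appended body: strings plus zero padding."""
    return b"\0".join(COMMON + (marker,)).ljust(growth, b"\0")

if __name__ == "__main__":
    host = b"\x90" * 3000  # constructed 3,000-byte "clean" program
    sample = host + fake_tail(1323, b"c.exe")
    print(scan(sample))                    # no baseline available
    print(scan(sample, clean_size=3000))   # baseline known
    print(scan(b"File not found" + host))  # string outside the tail
```

Without a known clean size, Protecto-1323 and Protecto-1355 cannot be told apart by strings alone, since both carry "c.exe"; a size baseline resolves the ambiguity.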
