Protipus Virus

Virus Name: Protipus Aliases: V Status: Rare Discovery: September, 1993 Symptoms: .EXE files of 5,472 bytes; Hidden .EXE files; file date/time changes Origin: Unknown Eff Length: 5,472 Bytes Type Code: SNE - Spawning or Companion .EXE Infector Detection Method: F-Prot, ViruScan, IBMAV, Sweep, AVTK, NAV, NAVDX, VAlert, NShld, Sweep/N, NProt, AVTK/N, IBMAV/N, NAV/N Removal Instructions: Delete infected files General Comments: The Protipus virus was submitted in September, 1993. Protipus is a non-resident, direct action infector of .EXE files which uses a technique similar to spawning or companion viruses. When a program infected with the Protipus virus is executed, this virus will infect one .EXE file located in the current directory. First, the virus renames the original .EXE file so that the last character of the base file name is now a "V". The hidden attribute is then set so that the altered file name will not appear in a DOS disk directory listing. The virus then creates a 5,472 byte .EXE file with the original .EXE's file name. This 5,472 byte file contains the Protipus viral code and will have the current system date and time. The following text strings can be found within the 5,472 byte Protipus .EXE files: "Sei stato contagiato dal Protipus virex!!!!" "Conficius said: 'Arrangietes'" ".exe" Disinfection of the Protipus virus from infected systems is fairly straight-forward. The system user should match the hidden original .EXE files which have altered file names to the 5,472 byte .EXE files. The 5,472 byte viral files should then be deleted, and then the original .EXE file renamed to the correct name. Lastly, the hidden attribute should be reset so that the file appears in the DOS disk directory listing.