Python Virus
Virus Name: Python
Aliases:
V Status: New
Discovery: December, 1994
Symptoms: .COM & .EXE growth; file date/time seconds = "40";
decrease in total system & available free memory;
DOS CHKDSK file allocation errors
Origin: Unknown
Eff Length: 1,142 - 1,603 Bytes (Approx)
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: AVTK, Sweep, F-Prot, NAV, NAVDX, VAlert, ViruScan,
Sweep/N, AVTK/N, NShld, NAV/N, NProt
Removal Instructions: Delete infected files
General Comments:
The Python virus was received in December, 1994. Its origin or
point of isolation is unknown. Python is a polymorphic stealth
virus which infects .COM and .EXE files, including COMMAND.COM.

When the first Python-infected program is executed, this virus
may install itself memory resident at the top of system memory
but below the 640K DOS boundary. It does not always install
itself memory resident, and the system user may have to execute
an infected program several times in order for the virus to become
memory resident. When resident, total system and available free
memory, as indicated by the DOS CHKDSK program from DOS 3.3, will
have decreased by 1,264 bytes. Memory mapping utilities will not
indicate that any interrupts are hooked by this area of memory.

Once the Python virus is memory resident, it will infect .COM and
.EXE programs when they are executed. Infected programs will have
a file length increase of approximately 1,142 to 1,603 bytes with
the virus being located at the end of the file. The file length
increase, however, is hidden by the virus when memory resident. The
program's date and time in the DOS disk directory listing will not
appear to be altered, though the seconds field will have been set to
"40". The following text string is encrypted within the viral code:
"PYTHON"

Execution of the DOS CHKDSK program with the Python virus memory
resident will result in file allocation errors being indicated on
all infected files.
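
The seconds = "40" symptom can be checked directly against raw FAT
directory entries, where the time word stores seconds divided by two.
The following is an added example, not part of the original entry or of
any listed scanner; the sample directory and the helper _entry are
constructed for illustration.

```python
import struct

ENTRY_SIZE = 32              # size of one FAT directory entry
MARKER_SECONDS = 40          # seconds value the entry above reports
TARGET_EXTS = {"COM", "EXE"}


def decode_dos_time(raw):
    """Split a 16-bit FAT time word into (hour, minute, second)."""
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2


def suspicious_entries(directory):
    """Return [(name, size, 'HH:MM:SS')] for .COM/.EXE entries stamped :40."""
    hits = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:          # end-of-directory marker
            break
        attr = entry[11]              # skip deleted, long-name, label, subdir
        if entry[0] == 0xE5 or attr == 0x0F or attr & 0x18:
            continue
        base = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        if ext not in TARGET_EXTS:
            continue
        raw_time, _date, _cluster, size = struct.unpack_from("<HHHI", entry, 22)
        h, m, s = decode_dos_time(raw_time)
        if s == MARKER_SECONDS:
            hits.append((f"{base}.{ext}", size, f"{h:02d}:{m:02d}:{s:02d}"))
    return hits


def _entry(base, ext, h, m, s, size, attr=0x20):
    """Build one constructed 32-byte directory entry for the sample below."""
    raw_time = (h << 11) | (m << 5) | (s // 2)
    return (base.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(10) + struct.pack("<HHHI", raw_time, 0x1D81, 2, size))

# Constructed sample directory (not taken from a real disk).
SAMPLE_DIR = b"".join([
    _entry("COMMAND", "COM", 12, 0, 40, 48807),
    _entry("FORMAT", "COM", 12, 0, 0, 22923),
    _entry("NOTES", "TXT", 9, 15, 40, 512),
    _entry("EDIT", "EXE", 6, 30, 40, 70000),
]) + bytes(ENTRY_SIZE)

if __name__ == "__main__":
    print(*suspicious_entries(SAMPLE_DIR), sep="\n")
```

A seconds value of 40 is one of only 30 possible values, so clean files
will match by chance; a hit marks a file for scanning and is not a
verdict on its own.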