Qpis Virus

Virus Name: Qpis Aliases: Qpis.2931 V Status: New Discovery: January, 1996 Symptoms: .COM & .EXE growth; decrease in available free memory; unexpected errors on DOS DIR commands Origin: Unknown Eff Length: 2,931 - 2,947 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, AVTK, IBMAV, NAV, NAVDX, ChAV, ViruScan 2.54+, Innoc, AVTK/N, IBMAV/N, NAV/N, NShld 2.33+ Removal Instructions: Delete infected files General Comments: The Qpis virus was received in January, 1996. Its origin or point of isolation is unknown. Qpis is a memory resident infector of .COM and .EXE files, including COMMAND.COM. It only infects files located in the drive root directory. When the first Qpis infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Available free memory, as indicated by the DOS CHKDSK program from DOS 5.0, will have decreased by 4,098 bytes. Interrupts 13 and 21 will be hooked by the virus in memory. Once the Qpis virus is memory resident, it will infect .COM and .EXE files located in the root directory, including COMMAND.COM, when they are executed or opened, but not when copied. Infected .COM files will have a file length increase of 2,931 bytes while .EXE files will increase in size by 2,937 to 2,947 bytes. In both cases, the virus will be located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are visible within the viral code: ".EXE" ".exe" ".COM" ".com" This virus will interfer with the functioning of the DOS DIR command, resulting in possible errors such as "Parameter format not correct" and "Too many parameters"