Quasar Virus

Virus Name: Quasar Aliases: V Status: New Discovery: July, 1995 Symptoms: .COM & .EXE corruption; TSR; "Cannot execute" on large .EXE; programs fail to function properly; file date/time year altered Origin: Unknown Eff Length: 523 Bytes Type Code: ORsA - Overwriting Resident .COM & .EXE Infector Detection Method: VAlert, AVTK, NAV, NAVDX, IBMAV, ViruScan, F-Prot, PCScan, ChAV, NAV/N, IBMAV/N, NShld, AVTK/N, Innoc 4.0+ Removal Instructions: Delete infected files General Comments: The Quasar or Quasar.523 virus was received in July, 1995. Its origin or point of isolation is unknown. Quasar is a memory resident overwriting virus which permanently corrupts the programs it infects. When the first Quasar infected program is executed, this program will install itself memory resident as a low system memory TSR of approximately 1,312 bytes. Interrupt 21 will be hooked by the virus in memory. Once the Quasar virus is memory resident, it will infect .COM and .EXE files when they are executed. Programs infected with the Quasar virus will have 523 bytes in the middle of the program overwritten with the viral code. Additionally, a jump instruction will have overwritten the first few bytes of the program pointing to the viral code. This virus infects both .COM and .EXE files as though they are .EXE files, so infected .EXE files will not start with the normal "MZ" characters. The file's date and time in the DOS disk directory listing will not appear to be altered, though the date time year will have been altered. No text strings are visible within the viral code. Programs infected with the Quasar virus will no longer function properly, usually returning the user to the DOS prompt when executed. Execution of .EXE files over 64K will result in the message "Cannot execute" followed by the file name being displayed.