Reverse.A Virus

Virus Name: Reverse.A Aliases: Spider V Status: New Discovery: July, 1994 Symptoms: .COM & .EXE growth; decrease in total system & available free memory Origin: Unknown Eff Length: 950 - 962 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, AVTK, IBMAV, ViruScan, Sweep, NAV, NAVDX, VAlert, PCScan, ChAV, NProt, AVTK/N, NShld, Sweep/N, IBMAV/N, NAV/N, LProt, Innoc 4.0+ Removal Instructions: Delete infected files General Comments: The Reverse.A virus was received in July, 1994. Its origin or point of isolation is unknown. Reverse.A is a memory resident virus which infects .COM and .EXE programs, including COMMAND.COM. It is a fast file infector, spreading quickly on infected systems. When the first Reverse.A infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 992 bytes. Interrupt 21 will be hooked by the virus in memory. Once memory resident, this virus infects .COM and .EXE programs, including COMMAND.COM, when they are executed or opened. It does not infect very small files. Programs infected with Reverse.A will have a file length increase of 950 to 962 bytes with the virus being located at the end of the file. In the case of COMMAND.COM, the virus will overwrite a portion of the hex 00 area of the file, so there will be no file length increase on infection. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the viral code: "Red Spider Virus created by Garfield from Zielowa Gora in Feb 1993" "moc.dnammocexe.niamcn" It is unknown what Reverse.A does besides replicate.