Scorpio Virus

Virus Name: Scorpio Aliases: V Status: New Discovered: August, 1994 Symptoms: .COM & .EXE growth; file date = "4-16-92"; DOS CHKDSK file allocation errors; decrease in total system & available free memory Origin: Unknown Eff Length: 1,000 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, AVTK, IBMAV, ViruScan, Sweep, NAV, NAVDX, VAlert, AVTK/N, Sweep/N, NProt, IBMAV/N, NShld, NAV/N Removal Instructions: Delete infected files General Comments: The Scorpio virus was submitted in August, 1994. Its origin or point of isolation is unknown. Scorpio is a memory resident stealth-type virus which infects .COM and .EXE files, including COMMAND.COM. When the first Scorpio infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,056 bytes. Interrupts 03 and 21 will be hooked by the virus in memory. Also at this time, the virus will infect COMMAND.COM if it wasn't previously infected. Once the Scorpio virus is memory resident, it will infect .COM and .EXE programs when they are executed. Infected programs will have a file length increase of 1,000 bytes, though the file length increase will be hidden by the virus when it is memory resident. The virus will be located at the end of all infected files. The program's date in the DOS disk directory listing will have been set to "4-16-92". The following text strings are visible within the Scorpio viral code: "Plovdiv" "Scorpio" Execution of the DOS CHKDSK program with the virus memory resident will result in the indication of file allocation errors on all infected files.