Antipode Virus
Virus Name: Antipode
Aliases: Antipode.802
V Status: New
Discovery: April, 1995
Symptoms: .COM file growth; .EXE file size decrease; system hangs; decrease in available free memory; file date/time seconds = "02"
Origin: Australia
Eff Length: 802 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: F-Prot, NAV, AVTK, Sweep, NAVDX, VAlert, ViruScan, IBMAV, PCScan, ChAV, Sweep/N, NShld, NAV/N, AVTK/N, IBMAV/N, NProt, Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Antipode virus was received from Australia in April, 1995. This
virus is a memory-resident stealth virus which infects .COM files,
but not COMMAND.COM.

When the first Antipode-infected program is executed, the virus
installs itself memory resident at the top of system memory but below
the 640K DOS boundary. Total available free memory, as indicated by
the DOS 5.0 CHKDSK program, will have decreased by approximately
1,632 bytes. Interrupt 21 will be hooked by the virus in memory.

Once the Antipode virus is memory resident, it infects .COM files,
but not COMMAND.COM, when they are executed or opened. Infected
programs have a file length increase of 802 bytes, though this
increase is not visible in a DOS disk directory listing while the
virus is memory resident. The virus is located at the end of the
file. The file's date and time in the DOS disk directory listing
will not appear to be altered, though the seconds field will have
been set to "02". The following text string is encrypted within the
viral code:

"COMcomTBSCAN.EXE[Antipode 1.0] by Automag/VLAD"

While the Antipode virus is memory resident, the file length for
some .EXE programs will appear to have decreased by 802 bytes in a
DOS disk directory listing, while others will show the correct file
length. System hangs may occur when the system user attempts to
copy infected files.
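
The seconds marker and the 802-byte growth described above can be used to triage a disk. The following is an added example, not part of the original entry: it parses raw FAT directory entries and lists .COM files carrying the marker. It assumes the directory bytes were read after a clean boot, so the resident virus cannot hide the true length, and that "02" is the displayed seconds value (stored as 1 in the 2-second FAT time field); make_entry and SAMPLE_DIR are constructed for illustration.

```python
import struct

MARKER_SECONDS = 2   # from the entry: file date/time seconds = "02"
VIRUS_LENGTH = 802   # from the entry: effective length in bytes

def parse_entry(raw):
    """Decode one 32-byte FAT directory entry, or None if it is not a regular file."""
    if len(raw) != 32 or raw[0] in (0x00, 0xE5) or raw[11] & 0x18:
        return None  # free, deleted, volume label / long name, or directory
    time_word, = struct.unpack_from("<H", raw, 22)
    size, = struct.unpack_from("<I", raw, 28)
    return {
        "name": raw[0:8].decode("ascii", "replace").rstrip(),
        "ext": raw[8:11].decode("ascii", "replace").rstrip(),
        "seconds": (time_word & 0x1F) * 2,  # FAT stores seconds / 2
        "size": size,
    }

def suspects(dir_bytes):
    """Return names of .COM files that carry the seconds marker."""
    hits = []
    for off in range(0, len(dir_bytes) - 31, 32):
        e = parse_entry(dir_bytes[off:off + 32])
        if e is None:
            continue
        # COMMAND.COM is skipped because the entry says it is never infected.
        if (e["ext"] == "COM" and e["name"] != "COMMAND"
                and e["seconds"] == MARKER_SECONDS and e["size"] > VIRUS_LENGTH):
            hits.append(e["name"] + "." + e["ext"])
    return hits

def make_entry(name, ext, hh, mm, ss, size, attr=0x20):
    """Build a constructed directory entry for the sample below."""
    time_word = (hh << 11) | (mm << 5) | (ss // 2)
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(10) + struct.pack("<HHHI", time_word, 0x1E81, 2, size))

# Constructed sample directory, not taken from a real disk.
SAMPLE_DIR = b"".join([
    make_entry("EDIT", "COM", 12, 0, 2, 1215),
    make_entry("FORMAT", "COM", 12, 0, 30, 22916),
    make_entry("COMMAND", "COM", 5, 0, 2, 47845),
    make_entry("SETUP", "EXE", 9, 15, 2, 30000),
    make_entry("TOOLS", "", 9, 15, 2, 0, attr=0x10),
])

if __name__ == "__main__":
    print(suspects(SAMPLE_DIR))
```

A matching seconds value is only a triage hint, since clean files can carry the same value by chance; confirm any hit with one of the scanners listed under Detection Method.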