SillyC Virus
Virus Name: SillyC
Aliases: SillyC.144
V Status: New
Discovered: July, 1995
Symptoms: .COM file growth; file date/time changes
Origin: Unknown
Eff Length: 144 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: F-Prot, AVTK, VAlert, NAV, NAVDX, Sweep, ViruScan,
IBMAV, PCScan, ChAV, AVTK/N, Sweep/N, NShld, NAV/N, IBMAV/N, NProt,
Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The SillyC or SillyC.144 virus was received in July, 1995, accompanied
by several variants of this virus. They are non-resident, direct
action .COM infectors. They don't appear to do anything besides
replicate.
When a SillyC infected program is executed, this virus will infect
all of the .COM files located in the current directory, including
COMMAND.COM. Infected .COM files will have a file length increase
of 144 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing will
have been updated to the current system date and time when infection
occurred. The following text string is visible within the viral code
in all infected files:
"*.com"
Additionally, a "V" can be found in the fourth byte of all infected
files.
Known variant(s) of SillyC are:
SillyC.106: Received in January, 1996, this is a 106 byte
variant of the SillyC virus which infects one file located in
the current directory, regardless of file extension, when an
infected program is executed. Infected files may be of any
type, but will be infected as though they are a .COM file. These
files will have a file length increase of 106 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will have been updated
to the current system date and time when infection occurred.
The following text string is visible within the viral code:
"*.*"
Origin: Unknown January, 1996.
SillyC.113: Received in January, 1996, this is a 113 byte
variant of the SillyC virus which infects one file located in
the current directory, regardless of file extension, when an
infected program is executed. Infected files may be of any
type, but will be infected as though they are a .COM file. These
files will have a file length increase of 113 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will have been updated
to the current system date and time when infection occurred.
The following text string is visible within the viral code:
"*.*"
Origin: Unknown January, 1996.
SillyC.122: Received in July, 1995, this is a 122 byte
variant of the SillyC virus which infects all of the .COM
files in the current directory when an infected program is
executed. Infected files will have a file length increase of
122 bytes with the virus being located at the beginning of the
file. The program's date and time in the DOS disk directory
listing will have been updated to the current system date and
time when infection occurred. The following text string is
visible within the viral code:
"*.COM"
Origin: Unknown July, 1995.
SillyC.155: Also received in July, 1995, this is a 155 byte
variant which infects one .COM file located in the current
directory when an infected file is executed. Infected files
will have a file length increase of 155 to 171 bytes as this
variant first pads the host file's length so that it will be
a multiple of 16, then adds 155 bytes of viral code. The virus
will be located at the end of the file. The program's date and
time in the DOS disk directory listing will have been updated
to the current system date and time when infection occurred.
The following text string is visible within the viral code:
"*.c*"
A dollar sign ("$") can be found in the fourth byte of all
infected files. System hangs frequently occur when infected
programs are executed.
Origin: Unknown July, 1995.
SillyC.162.B: Received in January, 1996, this is a 162 byte
variant of the SillyC virus. It infects the first .COM file
in the current directory when an infected file is executed.
This variant will reinfect the files if they were previously
infected. Programs infected with SillyC.162.B will have a file
length increase of 162 bytes for each infection on the file with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will have been
updated to the current system date and time when infection
occurred. The following text string is visible within the
viral code:
"*.COM"
Origin: Unknown January, 1996.
SillyC.166.A: Also received in July, 1995, this is a 166 byte
variant of the SillyC virus. It infects the first four (4) .COM
files in the current directory when an infected file is executed.
This variant will reinfect the files if they were previously
infected. Programs infected with SillyC.166.A will have a file
length increase of 166 bytes for each infection on the file with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will have been
updated to the current system date and time when infection
occurred. The following text strings are visible within the
viral code:
"t%ZR"
"ZRRR"
"*.com RR"
Origin: Unknown July, 1995.
SillyC.179: Received in January, 1996, this is a 179 byte
variant which infects one .COM file located in the current
directory when an infected program is executed. It does not
reinfect previously infected files. Programs infected with this
variant will have a file length increase of 179 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will have been updated
to the current system date and time when infection occurred. The
following text string is visible within the viral code:
"*.COM"
Origin: Unknown January, 1996.
SillyC.190.A: Also received in July, 1995, this is a 190 byte
variant of the SillyC virus. It infects the first .COM file
in the current directory when an infected file is executed.
This variant will reinfect the files if they were previously
infected. Programs infected with SillyC.190.A will have a file
length increase of 190 bytes for each infection on the file with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will have been
updated to the current system date and time when infection
occurred. The following text strings are visible within the
viral code:
"*.COM"
"Required system component"
System hangs and/or beeping may occur when infected programs are
executed.
Origin: Unknown July, 1995.
SillyC.190.B: Also received in July, 1995, this is a 190 byte
variant which infects one .COM file located in the current
directory when an infected program is executed. It does not
reinfect previously infected files. Programs infected with this
variant will have a file length increase of 190 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will have been updated
to the current system date and time when infection occurred. The
following text string is visible within the viral code:
"*.COM"
Origin: Unknown July, 1995.
SillyC.207.B: Also received in July, 1995, this is a 207 byte
variant of the SillyC virus. It infects the first three .COM
files in the current directory when an infected file is executed.
This variant will reinfect the files if they were previously
infected. Programs infected with SillyC.207.B will have a file
length increase of 207 bytes for each infection on the file with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will have been
updated to the current system date and time when infection
occurred. The following text strings are visible within the
viral code:
"*.COM .."
"Devastator/PHOBIA Lame virus #3"
System hangs and/or beeping may occur when infected programs are
executed.
Origin: Unknown July, 1995.
SillyC.264: Also received in July, 1995, this is a 264 byte
variant which infects all of the .COM files located in the
current directory when an infected program is executed. It does
not reinfect previously infected files. Programs infected with
this variant will have a file length increase of 264 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text string is visible within the viral
code:
"*.com"
Origin: Unknown July, 1995.
SillyC.292: Also received in July, 1995, this is a 292 byte
variant which infects all of the .COM files located in the
current directory when an infected program is executed. It does
not reinfect previously infected files. Programs infected with
this variant will have a file length increase of 292 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text strings are visible within the
viral code:
"*.COM .."
"The Rabbit Virus By: Corrupt Of Death Row!!"
Origin: Unknown July, 1995.
SillyC.302: Also received in July, 1995, this is a 302 byte
variant which infects one .COM file located in the current
directory when an infected program is executed. It does not
reinfect previously infected files. Programs infected with this
variant will have a file length increase of 302 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will have been updated
to the current system date and time when infection occurred. The
following text string is visible within the viral code:
"*.com"
Origin: Unknown July, 1995.
SillyC.331: Also received in July, 1995, this is a 331 byte
variant which infects all of the .COM files located in the
current directory when an infected program is executed. It does
not reinfect previously infected files. Programs infected with
this variant will have a file length increase of 331 bytes with
the virus being located at the beginning of the file. The
program's date and time in the DOS disk directory listing will
have been updated to the current system date and time when
infection occurred. No text strings are visible within the viral
code.
Origin: Unknown July, 1995.
SillyC.343: Also received in July, 1995, this is a 343 byte
variant which infects all of the .COM files located in the
current directory when an infected program is executed. It does
not reinfect previously infected files. Programs infected with
this variant will have a file length increase of 343 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will have been
updated to the current system date and time when infection
occurred. No text strings are visible within the viral code.
Origin: Unknown July, 1995.
SillyC.468: Also received in July, 1995, this is a 468 byte
variant which infects all of the .COM files located in the
current directory when an infected program is executed. It does
not reinfect previously infected files. Programs infected with
this variant will have a file length increase of 468 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text strings are visible within the
viral code:
"????????COM"
"*.COM"
"COMMAND.COM"
This variant does not infect COMMAND.COM.
Origin: Unknown July, 1995.
SillyC.563: Also received in July, 1995, this is a 563 byte
variant which infects one .COM file located in the current
directory when an infected program is executed. It does not
reinfect previously infected files. Programs infected with this
variant will have a file length increase of 563 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will have been updated
to the current system date and time when infection occurred. The
following text strings are visible within the viral code:
"*.GG"
"coGG"
"AL"
Origin: Unknown July, 1995.
SillyC.626: Also received in July, 1995, this is a 626 byte
variant of the SillyC virus. It infects all of the .COM files
in the current directory when an infected file is executed.
This variant will reinfect previously infected files.
Programs infected with SillyC.626 will have a file length
increase of 626 bytes for each infection on the file with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. No text strings are visible within the viral code.
System hangs frequently occur when infected programs are
executed.
Origin: Unknown July, 1995.
SillyC.657: Also received in July, 1995, this is a 657 byte
variant which infects one .COM file located in the current
directory when an infected program is executed. It does not
reinfect previously infected files. Programs infected with this
variant will have a file length increase of 657 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will have been updated
to the current system date and time when infection occurred. No
text strings are visible within the viral code.
Origin: Unknown July, 1995.
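The two variants above that leave a marker in the fourth byte (SillyC.144 with "V" and SillyC.155 with "$") can be triaged by checking that marker together with the listed text string in the appended tail and, for SillyC.155, the pad-to-16 rule. The following is an added example, not part of the original entry and not any listed scanner's signature; the names Profile, match_profiles, triage_directory and constructed_sample are hypothetical, and the sample bytes are constructed filler.

```python
from dataclasses import dataclass
from pathlib import Path

@dataclass(frozen=True)
class Profile:
    name: str
    marker: bytes    # value the entry reports in the fourth byte of the file
    text: bytes      # text string the entry reports inside the viral code
    body_len: int    # bytes of viral code located at the end of the file
    host_align: int  # host is padded to a multiple of this before the body

# Values taken from the entry; only these two variants list a fourth-byte marker.
PROFILES = (
    Profile("SillyC.144", b"V", b"*.com", 144, 1),
    Profile("SillyC.155", b"$", b"*.c*", 155, 16),
)

def match_profiles(data: bytes) -> list[str]:
    """Return the names of profiles whose indicators all hold for data."""
    hits = []
    for p in PROFILES:
        host_len = len(data) - p.body_len
        if (host_len >= 4                           # room for a host with a marker
                and data[3:4] == p.marker           # fourth-byte marker
                and host_len % p.host_align == 0    # padding rule (SillyC.155)
                and p.text in data[-p.body_len:]):  # string sits in the tail
            hits.append(p.name)
    return hits

def triage_directory(directory: str) -> dict[str, list[str]]:
    """Check every .COM file in a directory; map file name to matched profiles."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and path.suffix.lower() == ".com":
            hits = match_profiles(path.read_bytes())
            if hits:
                results[path.name] = hits
    return results

def constructed_sample(p: Profile, host_len: int) -> bytes:
    """Constructed test input: filler bytes carrying only the listed indicators."""
    host = bytearray(b"\x90" * host_len)
    host[3:4] = p.marker
    host += b"\x00" * (-host_len % p.host_align)
    tail = p.text + b"\x00" * (p.body_len - len(p.text))
    return bytes(host) + tail
```

A one-byte marker and a short wildcard string can also occur in clean programs, so a match is a reason to check the file with one of the listed scanners rather than a confirmed detection.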