Anti-Pascal II Virus


 Virus Name:  Anti-Pascal II 
 Aliases:     Anti-Pascal 400, AP-400 
 V Status:    Research 
 Discovery:   June, 1990 
 Symptoms:    .COM growth; .BAK, .BAT and .PAS file deletion; boot sector 
              alteration on hard disk 
 Origin:      Bulgaria 
 Isolated:    Sofia, Bulgaria 
 Eff Length:  400 Bytes 
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector 
 Detection Method:  ViruScan, NAV, AVTK, F-Prot, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Anti-Pascal II virus, or AP-400, was isolated in Sofia, Bulgaria 
       in June 1990 by Vesselin Bontchev.  It is one of five viruses or 
       variants in the Anti-Pascal family.  Two of the earlier variants, 
       Anti-Pascal (AP-605) and AP-529, are documented under the name 
       "Anti-Pascal".  The variants listed under Anti-Pascal II have been 
       separated due to some of their characteristics differing from the 
       605 byte and 529 byte viruses. 
 
       The Anti-Pascal II virus is a generic .COM file infector, and it
       will also infect COMMAND.COM.  While this virus is not memory
       resident, interrupt 21 will be hooked while it is in the process of
       infecting files.
 
       The first time a program infected with the Anti-Pascal II virus is 
       executed on a system, the virus will attempt to infect one .COM 
       file in the root directory of each drive accessible on the system. 
       Files are infected only if their length is at least 2,048 bytes and
       the resulting infected file will be less than 64K in length.  Since
       COMMAND.COM is usually the first .COM file on a drive, it will 
       immediately become infected.  One additional .COM file will also be 
       infected on the current drive.  The mechanism used to infect the 
       file is to write the virus's code to the end of the file.  A jump is 
       used to execute the virus's code before the original program is 
       executed.  Infected files do not have their date/time stamps in the 
       directory updated to the system date and time when the infection 
       occurred. 
 
       If the Anti-Pascal virus cannot find a .COM file to infect on a 
       given drive, or two .COM files to infect on the current drive, it 
       will check for the existence of .BAK, .PAS, or .BAT files.  If 
       found, these files will be deleted.  These deletions only occur in 
       root directories and on the current drive's current directory. 
       Since each root directory (as well as the current directory) will 
       typically not have all of its .COM files infected at the same time, 
       the deletions will occur on different drives and directories at 
       different times. 
 
       Symptoms of infection of the Anti-Pascal II virus include file 
       length increases of 400 bytes, unexpected disk access to drives 
       other than the current drive, and disappearing .BAK, .PAS, and .BAT 
       files.  One other symptom of an Anti-Pascal II infection is that the 
       hard disk's boot sector will be slightly altered by the virus. 
       Anti-viral programs which CRC-check the boot sector will indicate 
       that a boot sector infection may have occurred.  The boot sector
       alteration does not contain a live virus, but it may mislead the
       user into thinking the problem is a boot sector virus rather than
       a file infector.  If the disk was a bootable disk, it will now be
       unbootable.
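
       The symptoms above can be checked against a before/after file
       inventory.  The following is an added example, not part of the
       original entry: the snapshot format ({path: (size, mtime)}), the
       triage() function, its cwd parameter and all sample data are
       assumptions constructed for illustration.

```python
import ntpath
import zlib

# Growth sizes come from the entry: 400 (Anti-Pascal II), 440 and 480 (variants).
GROWTH = {400: "Anti-Pascal II (AP-400)", 440: "AP-440/AP-440B", 480: "AP-480/AP-480B"}
TARGET_EXTS = {".BAK", ".PAS", ".BAT"}   # AP-480 is described as sparing .BAT


def in_root(path):
    """True if a DOS path sits directly in a drive's root directory."""
    return ntpath.dirname(ntpath.splitdrive(path)[1]) == "\\"


def triage(baseline, current, cwd, boot_before, boot_after):
    """Compare two {path: (size, mtime)} snapshots and two boot sector images."""
    findings = []
    for path, (old_size, old_mtime) in sorted(baseline.items()):
        ext = ntpath.splitext(path)[1].upper()
        if path not in current:
            # Deletions are described only for root dirs and the current directory.
            in_cwd = ntpath.dirname(path).upper() == cwd.upper()
            if ext in TARGET_EXTS and (in_root(path) or in_cwd):
                findings.append((path, "deleted", ext))
            continue
        new_size, new_mtime = current[path]
        delta = new_size - old_size
        # Infection conditions from the entry: host >= 2,048 bytes, result < 64K.
        if ext == ".COM" and delta in GROWTH and old_size >= 2048 and new_size < 65536:
            # The entry says the directory date/time stamp is not updated.
            stamp = "stamp kept" if new_mtime == old_mtime else "stamp changed"
            findings.append((path, "grew", f"+{delta} {GROWTH[delta]}, {stamp}"))
    # A CRC mismatch on the boot sector is the symptom described for AP-400.
    if zlib.crc32(boot_before) != zlib.crc32(boot_after):
        findings.append(("boot sector", "altered", "CRC mismatch"))
    return findings


# Constructed sample data (not taken from a real system).
BASE = {"C:\\COMMAND.COM": (25307, 600000000), "C:\\TOOLS\\EDIT.COM": (4100, 600000500),
        "C:\\AUTOEXEC.BAT": (120, 600000200), "D:\\NOTES.PAS": (3000, 600000300),
        "C:\\SRC\\DEEP\\OLD.BAK": (50, 600000400)}
NOW = {"C:\\COMMAND.COM": (25707, 600000000), "C:\\TOOLS\\EDIT.COM": (4100, 600000500),
       "C:\\AUTOEXEC.BAT": (120, 600000200)}
BOOT_OLD = bytes(510) + b"\x55\xaa"
BOOT_NEW = b"\x00\x01" + bytes(508) + b"\x55\xaa"

if __name__ == "__main__":
    for item in triage(BASE, NOW, "C:\\TOOLS", BOOT_OLD, BOOT_NEW):
        print(*item, sep=" | ")
```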
 
       The Anti-Pascal II virus and its variants indicated below are not 
       believed to have been publicly released.  As such, they have been 
       classified as "Research Viruses". 
 
       Known variant(s) of Anti-Pascal II are: 
       AP-440: Very similar to the 400 byte version of the Anti-Pascal II
               virus.  The major change in this variant is its length of
               440 bytes.  The boot sector is no longer
               altered by the virus.  This variant is an intermediary 
               between AP-480 and the 400 byte version documented above. 
       AP-440B: Based on AP-440, this variant's major difference is that 
               it will infect two .COM programs in the current directory, and 
               one in the current directory of each of the other drives 
               accessible on the system when an infected program is executed. 
               Origin:  Unknown  January, 1992. 
       AP-480: Similar to the Anti-Pascal II virus, but 480 bytes in
               length.  It does not delete .BAT files, only .BAK and
               .PAS.  This variant is the
               latest variant of the Anti-Pascal II grouping. 
       AP-480B: Based on AP-480, this variant's major difference is that 
               it will infect two programs in the current drive's current 
               directory, and one program in the current directory of all 
               other drives accessible on the system, each time an infected 
               program is executed. 
               Origin:  Unknown  January, 1992. 
 
       See:   Anti-Pascal 
