SillyCR Virus


 Virus Name:  SillyCR 
 Aliases:     SillyCR.131 
 V Status:    New 
 Discovered:  July, 1995 
 Symptoms:    .COM file growth; file date/time changes 
 Origin:      Unknown 
 Eff Length:  131 Bytes 
 Type Code:   PRaCK - Parasitic Resident .COM Infector 
 Detection Method:  F-Prot, AVTK, VAlert, ViruScan, NAV, NAVDX, Sweep, 
                    IBMAV, PCScan, ChAV, 
                    AVTK/N, Sweep/N, NShld, NAV/N, AVTK/N, IBMAV/N, NProt, 
                    Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The SillyCR or SillyCR.131 virus was received in July, 1995, along 
       with five variants of this virus.  Their origin or point of isolation 
       is unknown.  SillyCR is a memory resident parasitic virus which 
       infects .COM programs, possibly including COMMAND.COM. 
 
       When the first SillyCR infected program is executed, this virus will 
       install itself memory resident in a hole in allocated system memory, 
       hooking interrupt 21.  Total system and available free memory, as 
       indicated by the DOS CHKDSK program, will not be altered. 
 
       Once the SillyCR virus is memory resident, it will infect .COM 
       programs when they are executed.  Infected programs will have a file 
       length increase of 131 bytes with the virus being located at the 
       end of the file.  The program's date and time in the DOS disk 
       directory listing will have been updated to the current system date 
       and time when infection occurred.  No text strings are visible within 
       the viral code in infected files. 
 
       The SillyCR virus doesn't appear to anything besides replicate. 
 
       Known variant(s) of SillyCR are: 
       SillyCR.76: Received in July, 1995, SillyCR.76 is a 76 byte 
           variant of the SillyCR virus described above.  Once memory 
           resident, it may infect .COM files when they are opened or 
           copied.  Infected .COM files will have a file length increase 
           of 76 bytes with the virus being located at the beginning of 
           the file.  The program's date and time in the DOS disk directory 
           listing will not be altered.  The following text string can 
           be found at the beginning of all infected files: 
           "VV" 
           Origin:  Unknown  July, 1995. 
       SillyCR.122: Received in July, 1995, SillyCR.122 is an 122 byte 
           variant of the SillyCR virus described above.  The SillyCR.122 
           virus becomes memory resident as a low system memory TSR of 
           65,120 bytes, hooking interrupts 21 and FB.  Once memory 
           resident, it infects .COM files when they are executed, adding 
           122 bytes to the file length.  The virus will be located at the 
           beginning of the file.  The program's date and time in the DOS 
           disk directory listing will have been updated to the current 
           system date and time when infection occurred.  No text strings 
           are visible within the viral code.  Execution of .EXE files with 
           the virus memory resident will result in a system hang. 
           Origin:  Unknown  July, 1995. 
       SillyCR.239: Received in July, 1995, SillyCR.239 is a 239 byte 
           variant of the SillyCR virus described above.  Once memory 
           resident, it infects .COM files when they are executed, adding 
           239 bytes to the file length.  The virus will be located at the 
           beginning of the file.  The program's date and time in the DOS 
           disk directory listing will have been updated to the current 
           system date and time when infection occurred.  No text strings 
           are visible within the viral code. 
           Origin:  Unknown  July, 1995. 
       SillyCR.240: Received in July, 1995, SillyCR.240 is a 240 byte 
           variant of the SillyCR virus described above.  Once memory 
           resident, it infects .COM files when they are executed, adding 
           240 bytes to the file length.  The virus will be located at the 
           beginning of the file.  The program's date and time in the DOS 
           disk directory listing will have been updated to the current 
           system date and time when infection occurred.  No text strings 
           are visible within the viral code. 
           Origin:  Unknown  July, 1995. 
       SillyCR.261: Received in July, 1995, SillyCR.261 is a 261 byte 
           variant of the SillyCR virus described above.  It becomes memory 
           resident at the top of system memory but below the 640K DOS 
           boundary, not moving interrupt 12's return, hooking interrupt 21. 
           Available system memory, as indicated by the DOS CHKDSK program 
           from DOS 5.0, will have decreased by 264 bytes.  Once resident, 
           this variant infects .COM programs when they are executed. 
           Infected programs will have a file length increase of 261 bytes 
           with the virus being located at the end of the file.  The 
           program's date and time in the DOS disk directory listing will 
           have been updated to the current system date and time when 
           infection occurred.  No text strings are visible within the viral 
           code. 
           Origin:  Unknown  July, 1995. 
       SillyCR.264: Received in July, 1995, SillyCR.264 is a 264 byte 
           variant of the SillyCR virus described above.  It becomes memory 
           resident at the top of system memory but below the 640K DOS 
           boundary, not moving interrupt 12's return, hooking interrupt 21. 
           Available system memory, as indicated by the DOS CHKDSK program 
           from DOS 5.0, will have decreased by 272 bytes.  Once resident, 
           this variant infects .COM programs when they are executed. 
           Infected programs will have a file length increase of 264 bytes 
           with the virus being located at the end of the file.  The 
           program's date and time in the DOS disk directory listing will 
           have been updated to the current system date and time when 
           infection occurred.  No text strings are visible within the viral 
           code. 
           Origin:  Unknown  July, 1995. 
       SillyCR.357: Received in July, 1995, SillyCR.357 is a 357 byte 
           variant of the SillyCR virus described above.  It becomes memory 
           resident in allocated system memory, hooking interrupt 21.  Once 
           resident, this variant infects .COM programs when they are 
           executed.  Infected programs will have a file length increase of 
           357 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will have been updated to the current system date and time when 
           infection occurred.  No text strings are visible within the viral 
           code. 
           Origin:  Unknown  July, 1995. 
       SillyCR.403: Received in July, 1995, SillyCR.403 is a 403 byte 
           variant of the SillyCR virus described above.  It becomes memory 
           resident in at the top of system memory but below the 640K DOS 
           boundary, not moving interrupt 12's return.  Available free 
           memory, as indicated by the DOS CHKDSK program from DOS 5.0, will 
           have decreased by 528 bytes.  Interrupt 21 will be hooked by the 
           virus in memory.  Once resident, this variant infects .COM 
           programs when they are executed.  Infected programs will have a 
           file length increase of 403 to 414 bytes with the virus being 
           located at the end of the file.  The program's date and time in 
           the DOS disk directory listing will not be altered.  No text 
           strings are visible within the viral code. 
           Origin:  Unknown  July, 1995.

Show viruses from discovered during that infect .

Main Page