Skater Virus
Virus Name: Skater
Aliases: Skater-1021, Tonya
V Status: Rare
Discovered: January, 1993
Symptoms: .COM file growth; TSR; message
Origin: Australia
Eff Length: 1,021 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, IBMAV, Sweep,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, AVTK/N, Sweep/N, NAV/N, IBMAV/N, Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Skater, Skater-1021, or Tonya, virus was discovered in
Australia in January, 1993. Skater is a memory resident infector
of .COM programs, including COMMAND.COM.
When the first Skater infected program is executed, the Skater
virus will install itself memory resident as a low system memory
TSR of 2,416 bytes. It will hook interrupts 10 and 21. Some
memory mapping utilities may indicate the virus in memory as an
increase in the size of the in-memory copy of the command
interpreter, showing a size increase of up to approximately 2,500 bytes.
Once memory resident, the Skater virus will infect .COM programs,
including COMMAND.COM, when they are executed or opened. Infected
programs will have a file length increase of 1,021 bytes with the
virus being located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered. The
following text strings are encrypted within the Skater viral code:
"I love Tonya Harding. The best womens Figure Skater in history."
"Now Tonya, Do that triple axle and kick Kristi Yamaguchi's arse"
"- Australian Parasite -"
The first two text strings may be displayed by the virus as a
message whenever a program attempts to set the system video mode
to text mode, 80 by 25.
Known variant(s) of Skater are:
Skater.571: A smaller version of the virus described above, this
variant becomes memory resident at the top of system
memory but below the 640K DOS boundary, hooking
interrupts 10 and 21. Available free memory, as
indicated by the DOS CHKDSK program from DOS 5.0, will
have decreased by 1,184 bytes. Once resident, it
will infect .COM programs, including COMMAND.COM, when
they are executed. Infected programs will have a file
length increase of 571 bytes with the virus being
located at the end of the file. The program's date and
time in the DOS disk directory listing will not be
altered. The following text string is encrypted within
the viral code:
"RIP Patsy Cline 8th September 1932 - 6th March 1963"
Origin: Unknown January, 1996.
Skater.664: A smaller version of the virus described above, this
variant becomes memory resident at the top of system
memory but below the 640K DOS boundary, hooking
interrupt 21. Total available free memory, as indicated
by the DOS CHKDSK program from DOS 6.0, will have
decreased by 1,456 bytes. Once resident, Skater.664
will infect .COM programs, including COMMAND.COM, when
they are executed. Infected programs will have a file
length increase of 664 bytes with the virus being
located at the end of the file.
Origin: Unknown January, 1995.
Skater.673: A smaller version of the virus described above, this
variant becomes memory resident at the top of system
memory but below the 640K DOS boundary, hooking
interrupt 21. Total available free memory, as indicated
by the DOS CHKDSK program from DOS 6.0, will have
decreased by 1,488 bytes. Once resident, Skater.673
will infect .COM programs, including COMMAND.COM, when
they are executed or opened, but not when copied.
Infected programs will have a file length increase of
673 bytes with the virus being located at the end of the
file. The file's date and time in the DOS disk directory
listing will not be altered.
Origin: Unknown February, 1995.
Skater.697: A smaller version of the virus described above, this
variant becomes memory resident at the top of system
memory but below the 640K DOS boundary, hooking
interrupts 10 and 21. Available free memory, as
indicated by the DOS CHKDSK program from DOS 5.0, will
have decreased by 1,792 bytes. Once resident, it
will infect .COM programs, but not COMMAND.COM, when
they are executed. Infected programs will have a file
length increase of 697 bytes with the virus being
located at the end of the file. The file's date and
time in the DOS disk directory listing will not be
altered. The following text string is encrypted within
the viral code:
"RIP Patsy Cline 8th September 1932 - 6th March 1963"
Origin: Unknown January, 1996.
Skater.714: A smaller version of the virus described above, this
variant becomes memory resident in allocated system
memory at 0040, hooking interrupt 21. There will be no
change to total system and available free memory. Once
resident, Skater.714 will infect .COM programs, including
COMMAND.COM, when they are executed. Infected programs
will have a file length increase of 714 bytes with the
virus being located at the end of the file. The file's
date and time in the DOS disk directory listing will not
be altered. System hangs frequently occur when the virus
attempts to infect files.
Origin: Unknown January, 1995.
Skater-977: A smaller version of the virus described above, this
variant becomes memory resident at the top of system
memory but below the 640K DOS boundary, hooking
interrupts 10 and 21. Total system and available free
memory, as indicated by the DOS CHKDSK program, will
have decreased by 2,016 bytes. Once resident, Skater-977
will infect .COM programs, including COMMAND.COM, when
they are executed or opened. Infected programs will have
a file length increase of 977 bytes with the virus being
located at the end of the file. Skater-977 activates
in the same manner as the original virus, and displays
the same message.
Origin: Australia January, 1993.
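
The file-growth figures in this entry can be used to triage a directory listing against a known-good baseline. The following is an added example, not part of the original entry: it flags .COM files whose size increased by one of the lengths listed above and reports whether the directory timestamp stayed the same. The FileRecord type, the triage function, the integer timestamp format and the sample manifests are assumptions made for illustration.

```python
from dataclasses import dataclass

# File-length increases in bytes, taken from the entry above.
SKATER_GROWTH = {
    1021: "Skater (Skater-1021, Tonya)",
    977: "Skater-977",
    714: "Skater.714",
    697: "Skater.697",
    673: "Skater.673",
    664: "Skater.664",
    571: "Skater.571",
}

@dataclass(frozen=True)
class FileRecord:
    name: str
    size: int   # length in bytes from the directory listing
    mtime: int  # directory date/time as an integer (assumed format)

def triage(baseline, current):
    """Return (name, growth, suspected variant, timestamp_unchanged) tuples."""
    known = {r.name.upper(): r for r in baseline}
    findings = []
    for rec in current:
        old = known.get(rec.name.upper())
        if old is None or not rec.name.upper().endswith(".COM"):
            continue  # only .COM files with a baseline record are compared
        growth = rec.size - old.size
        variant = SKATER_GROWTH.get(growth)
        if variant:
            findings.append((rec.name, growth, variant, rec.mtime == old.mtime))
    return findings

# Constructed sample manifests (sizes and timestamps are made up).
BASELINE = [
    FileRecord("COMMAND.COM", 47845, 700000000),
    FileRecord("FORMAT.COM", 22717, 700000000),
    FileRecord("MORE.COM", 2618, 700000000),
    FileRecord("TOOL.EXE", 9000, 700000000),
]
CURRENT = [
    FileRecord("COMMAND.COM", 48866, 700000000),  # +1021, timestamp unchanged
    FileRecord("FORMAT.COM", 23288, 700000000),   # +571, timestamp unchanged
    FileRecord("MORE.COM", 3000, 710000000),      # +382, no listed length
    FileRecord("TOOL.EXE", 10021, 700000000),     # +1021 but not a .COM file
]

if __name__ == "__main__":
    for finding in triage(BASELINE, CURRENT):
        print(finding)
```

A size match is only a lead for scanning with one of the detection products listed above; a file that grew while its timestamp stayed the same deserves the closest look, since the entry notes the date and time are not altered.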