Appelscha Virus

Virus Name: Appelscha Aliases: V Status: New Discovery: July, 1994 Symptoms: .COM & .EXE growth; system hangs; possible file date/time changes; decrease in total system & available free memory Origin: Unknown Eff Length: 2,161 Bytes Type Code: PRtA - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, IBMAV, AVTK, ViruScan, Sweep, NAVDX, VAlert, NAV, AVTK/N, Sweep/N, IBMAV/N, NShld, NAV/N Removal Instructions: Delete infected files General Comments: The Appelscha virus was submitted in July, 1994. Its origin or point of isolation is unknown. Appelscha is a memory resident infector of .COM and .EXE files, but not COMMAND.COM. When the first Appelscha infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,480 bytes. Interrupt 21 will be hooked by the virus in memory. Once the Appelscha virus is memory resident, it will infect .COM and .EXE files when they are executed. Infected files will have a file length increase of 2,161 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text string is encrypted within the viral code: "Appelscha" The Appelscha virus will occassionally reinfect a previously infected file, adding an additional 2,161 bytes to the file's length. System hangs may occur when infected programs are executed. The virus will also occassionally change the file date and time in the DOS disk directory listing when it infects or reinfects files.