Soldier Virus


 Virus Name:  Soldier 
 Aliases:     Soldier.1480, Macaroni 
 V Status:    New 
 Discovered:  January, 1996 
 Symptoms:    .COM & .EXE growth; file date/time seconds = "28"; 
              decrease in available free memory 
 Origin:      Unknown 
 Eff Length:  1,480 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  IBMAV, ViruScan, NAV, F-Prot, NAVDX, AVTK, PCScan, 
                    ChAV, 
                    IBMAV/N, NShld, NAV/N, AVTK/N, Innoc 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Soldier, Soldier.1480 or Macaroni, virus was received in 
       January, 1996.  Its origin is unknown, though it may be from 
       Sweden.  Soldier is a memory resident stealth virus which infects 
       .COM and .EXE files, including COMMAND.COM. 
 
       When the first Soldier infected program is executed, this virus 
       will install itself memory resident at the top of system memory 
       but below the 640K DOS boundary, not moving interrupt 12's return. 
       Available free memory, as indicated by the DOS CHKDSK program from 
       DOS 5.0, will have decreased by 1,536 bytes.  Interrupts 1C and 21 
       will be hooked by the virus in memory. 
 
       Once the Soldier virus is memory resident, it will infect .COM and 
       .EXE files, other than extremely small ones, when they are executed, 
       or opened, but not when copied.  It will also infect one file in 
       the target directory whenever a DOS DIR command is issued.  Files 
       infected with the Soldier virus will have a file length increase of 
       1,480 bytes, though this file length increase will be hidden when 
       the virus is memory resident.  The program's date and time in the 
       DOS disk directory listing will not appear to be altered, though the 
       seconds field will have been set to "28".  The following text 
       strings are visible within the viral code: 
 
           "Soldier BOB - (c)jan-94 by A:N:O:I" 
           "Programmed by Macaroni Ted" 
           "Soldier BOB - Made in Sweden." 
           "*.com *.exe" 
 
       Programs infected with this virus will also contain a list of the 
       executable .COM and .EXE files in the directory at the time of 
       infection within the viral code in infected programs. 
 
       When the Soldier virus is memory resident, extremely small .COM 
       and .EXE files may appear to have grown to almost 64K bytes.  This 
       occurs because the virus sets the seconds field to "28" on these 
       files, but doesn't actually infect them.

Show viruses from discovered during that infect .

Main Page