Soupy Virus
Virus Name: Soupy
Aliases:
V Status: Rare
Discovered: January, 1993
Symptoms: .COM file growth; TSR; message; system hangs
Origin: United States
Eff Length: 1,072 Bytes
Type Code: PRC - Parasitic Resident .COM Infector
Detection Method: ViruScan, F-Prot, AVTK, Sweep, ChAV, NAV, IBMAV, NAVDX,
VAlert, PCScan, NShld, Sweep/N, NAV/N, AVTK/N, NProt, IBMAV/N, Innoc, LProt
Removal Instructions: Delete infected files
General Comments:
The Soupy virus was submitted in January, 1993, and is from the
United States. Soupy is a non-resident, direct action infector
of .COM programs, but not COMMAND.COM. In the case of advanced
infections, it may install a portion of itself memory resident
to support the virus's activation mechanism.
When a program infected with the Soupy virus is executed, the
Soupy virus will infect one .COM file located in the current
directory, as well as update a counter within the viral code.
Programs infected with the Soupy virus will have a file length
increase of 1,072 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk directory
listing will not be altered.
The Soupy virus activates once the counter within the viral code
has reached 11, indicating that the 11th generation of the virus has
been reached. At this time, the virus installs a 736-byte portion of
itself in memory, hooking interrupt 08. Once the memory resident
portion of the virus has been installed, it displays the following
messages one at a time every three minutes:
"Unsuspecting user, 12 o'clock!"
"Get ready... 'cause... THERE'S A VIRUS IN YOUR SOUP!"
"From the guys that brought you Lythyum, Radyum, and
VioLite comes:"
"The Soupy Virus, (k) 1992 VG Enterprises,
216/513/602/904/703"
"By The Attitude Adjuster & AccuPunk!"
"Hurry! Hire an Anti-Virus Professional!
Increase Wallet Space!"
"...hmmm, ya' know, I think I'll halt now..."
Once the last message above is displayed, the system will be
halted or hung. The above messages are encrypted within the
Soupy viral code, as are the following additional text strings:
"[Soupy] The Attitude Adjuster & AccuPunk,
VG 08/23/92 to 12/02/92"
"*.COM"
"Bad command or file name"
Known variant(s) of Soupy are:
Soupy-Death: Based on the Soupy virus described above, this
variant adds 1,001 bytes to the .COM programs it infects.
Like Soupy, it installs a portion of its viral code (720 bytes)
memory resident after an 11th generation infection has been
executed. In the case of Soupy-Death, the virus hooks
interrupt 9. Once resident, Soupy-Death waits for the user
to press CTRL-ALT-DEL, then clears the screen and displays
a message in color. The following text strings are
encrypted within the Soupy-Death virus:
"Your PC has lapsed into a higher state of being..."
"D E A T H!!"
"Please, feel free to cold boot,"
"as nothing has been damaged,"
"it was only a near death"
"experience"
"Your PC should meditate more often,"
"cuz with all the evil viruses"
"flowing around neurospace"
"we wouldn't want this"
"to become a real"
"D E A T H"
"[Death] The Attitude Adjuster, VG, 12/02/92"
"*.COM"
"Bad command or file name"
Origin: United States, January 1993.