Split Second Virus

Virus Name: Split Second Aliases: Split Second.1135 V Status: New Discovered: December, 1994 Symptoms: .COM file growth; system hangs may occur when .EXE files executed Origin: Unknown, Possibly Australia Eff Length: 1,135 Bytes Type Code: PRaCK - Parasitic Resident .COM Infector Detection Method: F-Prot, AVTK, IBMAV, Sweep, ViruScan, NAV, NAVDX, VAlert, PCScan, ChAV, NProt, AVTK/N, Sweep/N, IBMAV/N, NAV/N, NShld, Innoc 5.0+ Removal Instructions: Delete infected files General Comments: The Split Second or Split Second.1135 virus was received in December, 1994. Its origin is unknown, though it may be from Australia. This virus is a memory resident infector of .COM files, including COMMAND.COM. A later version of this virus, Split Second.1149, was also received at this time. When the first Split Second infected program is executed, this virus will install itself memory resident in a hole in allocated system memory. Interrupt 21 will be hooked by the virus in memory. Once memory resident, this virus will infect .COM programs when they are executed. Infected .COM programs will have a file length increase of 1,135 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the viral code: "COMEXEOV" "3D, polymorphic, realtime, 50 frame per second DNA" "AKA Split Second" "Bi Australian Parasite [AIH]" Execution of an .EXE file with the virus memory resident will usually result in a system hang. Known variant(s) of Split Second are: Split Second.1033: Received in February, 1995, this variant is a memory resident, fast infector version of the virus described above. It infects .COM and .EXE files, including COMMAND.COM. It becomes memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupt 21. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,360 bytes. Once resident, this variant infects .COM and .EXE programs when they are executed or opened. Infected .COM programs increase in size by 1,033 bytes while .EXE files increase in size by 1,033 to 1,049 bytes. The virus will be located at the end of the file. The file's date and time in the DOS disk directory listing will not be altered. The following text string is encrypted within the viral code: "COMEXEOV" Origin: Unknown February, 1995. Split Second.1035: Received in February, 1995, this variant is a memory resident, fast infector version of the virus described above. It infects .COM and .EXE files, including COMMAND.COM. It becomes memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupt 21. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,168 bytes. Once resident, this variant infects .COM and .EXE programs when they are executed or opened. Infected .COM programs increase in size by 1,035 bytes while .EXE files increase in size by 1,035 to 1,051 bytes. The virus will be located at the end of the file. The file's date and time in the DOS disk directory listing will not be altered. The following text string is encrypted within the viral code: "COMEXEXTPOV" Origin: Unknown February, 1995. Split Second.1120: Received in January, 1996, this is a 1,120 byte variant of the Split Second virus described above. It adds 1,120 bytes to the .COM files it infects with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the viral code: "COMEXEOV" "3D, polymorphic, realtime, 50 frame per second DNA" "AKA Split Second" "Bi Australian Parasite [AIH]" Execution of .EXE files with the virus memory resident will result in a system hang occurring. Origin: Unknown, Possibly Australia January, 1996. Split Second.1149: Received in December, 1994, this variant is a memory resident, fast infector version of the virus described above. It infects .COM and .EXE files, including COMMAND.COM. It becomes memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupt 21. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,392 bytes. Once resident, this variant infects .COM and .EXE programs when they are executed or opened. Infected .COM programs increase in size by 1,149 bytes while .EXE files increase in size by 1,149 to 1,168 bytes. .EXE files may also be reinfected by the virus, adding an additional 1,168 bytes with each reinfection. In the case of both .COM and .EXE files, the virus will be located at the end of the file. The file's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the viral code: "COMEXEOV" "3D, polymorphic, realtime, 50 frames per second DNA" "AKA Split Second" "By D�rk ����r [AIH]" Origin: Unknown December, 1994.