Spyer Virus


 Virus Name:  Spyer 
 Aliases:     Faust, Spyer-B, Spyer-C 
 V Status:    Rare 
 Discovered:  November, 1990 
 Symptoms:    TSR; .COM & .EXE growth; system hangs 
 Origin:      Taiwan 
 Eff Length:  1,181 Bytes 
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, NAV, AVTK, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Spyer virus was isolated in November, 1990 in Taiwan.  This 
       virus is a memory resident infector of .COM and .EXE files.  It 
       does not infect COMMAND.COM. 
 
       The first time a program infected with the Spyer virus is executed, 
       the Spyer virus will install itself memory resident as a 1,760 byte 
       low system memory TSR.  Interrupts 21 and 22 will be hooked by the 
       virus. 
 
       Once the virus is memory resident, the virus will attempt to infect 
       the next program that is executed.  If the program is already 
       infected with the Spyer virus, the system will become hung.  If the 
       program was not already infected, Spyer will infect it and then 
       hang the system. 
 
       Infected .COM files will always increase in length by 1,181 bytes. 
       EXE files infected with Spyer will have a file length increase 
       between 1,181 and 1,195 bytes.  In both cases, the virus will be 
       located at the end of the infected file.  Infected files will also 
       always have the following hex character sequence at the end of 
       file: "CBDFD9DE848484". 
 
       The Spyer virus, in its present form, is not expected to ever be a 
       serious problem.  Since it always hangs the system when the next 
       program is executed after becoming memory resident, it is simply 
       too obvious that something is wrong. 
 
       Known variant(s) of Spyer are: 
       Spyer-B: Similar to the original Spyer, this variant was 
                isolated from the NCSA virus collection received in 
                September, 1991.  Its origin or original source is 
                unknown.  Spyer-B is similar to Spyer, with the exception 
                that it only hooks interrupt 21.  Infected .COM programs 
                will hang the system when executed, but infected .EXE 
                programs usually will not.  Infected programs will have 
                the same hex character sequence at the end of the 
                infected file.  Some anti-viral programs which detect 
                Spyer will miss this variant on some infected .COM files. 
       Spyer-C: Very similar to the original Spyer, this variant has 
                no user noteable differences.  It was also isolated from 
                the NCSA virus collection received in September, 1991, 
                and its origin or source is unknown.

Show viruses from discovered during that infect .

Main Page