Sunday-2 Virus


 Virus Name:  Sunday-2 
 Aliases:     Datarape 2.2 
 V Status:    Rare 
 Discovered:  August, 1991 
 Symptoms:    .COM & .EXE growth; decrease in total system & available 
              memory; file allocation errors; message; system hang 
 Origin:      Canada 
 Eff Length:  2,877 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, IBMAV, NAVDX, VAlert, 
                    NAV, Sweep, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Sunday-2 virus was isolated in Canada in August, 1991.  Sunday-2 
       is a memory resident generic file infector.  It will infect .COM, 
       .EXE, and overlay files when they are executed or opened.  This virus 
       is based on the Jerusalem and Sunday viruses. 
 
       The first time a program infected with Sunday-2 is executed, Sunday-2 
       will become memory resident at the top of system memory, but below 
       the 640K DOS boundary.  Total system and available free memory, as 
       indicated by the DOS CHKDSK program, will decrease by 5,888 bytes. 
       Interrupts 21, 22, and 27 will be hooked by Sunday-2.  At this time, 
       Sunday-2 will infect COMMAND.COM. 
 
       After Sunday-2 is memory resident, it will infect .COM, .EXE, and 
       overlay files when they are executed or opened for any reason. 
       Sunday-2 will be located at the end of infected files.  .COM files 
       will have a file length increase of 2,877 bytes.  .EXE files will 
       have a file length increase of 2,877 to 2,891 bytes.  System users 
       will not see the file length increase on infected files in the DOS 
       disk directory when Sunday-2 is memory resident as the virus adjusts 
       the directory information when it is displayed. 
 
       Sunday-2 activates on Sundays when the first infected program is 
       executed.  The following message will be displayed, and the system 
       will be hung: 
 
               "It's Sunday. Why are you working? 
                Take the day off compliments of RABID" 
 
       This message cannot be seen in infected files as the virus is 
       encrypted. 
 
       The Sunday-2 virus submitted also contains code to perform a disk 
       format on Sunday, however this code has several bugs and is not 
       functional. 
 
       Systems infected with Sunday-2 will notice file allocation errors 
       being detected by the DOS CHKDSK program.  These errors occur when 
       Sunday-2 is memory resident as the disk directory and file allocation 
       table will not appear to match when checked by the DOS CHKDSK 
       program. 
 
       Known variant(s) of Sunday-2 are: 
       Sunday-2B: Functionally equivalent to the original virus, this 
                  is a minor variant. 
                  Origin:  Unknown  July, 1992. 
 
       See:   Basilisk   Jerusalem   Sunday

Show viruses from discovered during that infect .

Main Page