Susan Virus
Virus Name: Susan
Aliases:
V Status: Rare
Discovered: April, 1993
Symptoms: .EXE file corruption; program execution failure;
files deleted; TSR; file date/time set to "62"
Origin: Mexico
Eff Length: 571 Bytes (Overwriting)
Type Code: ORsE - Overwriting Resident .EXE Infector
Detection Method: AVTK, F-Prot, Sweep, ViruScan, NAV, PCScan,
IBMAV, NAVDX, VAlert, ChAV,
AVTK/N, NShld, Sweep/N, NAV/N, IBMAV/N, LProt,
NProt, Innoc
Removal Instructions: Delete infected files
General Comments:
The Susan virus was submitted from Mexico in April, 1993. Susan
is a memory resident infector of .EXE programs which only infects
programs on Sundays, and then only in a very limited manner.
When the first Susan-infected program is executed, the Susan virus
will become memory resident as a low system memory TSR of 832 bytes.
Interrupt 2F will be hooked by Susan in memory.
Once Susan is memory resident, and the user issues a DOS DIR command
with no command line arguments (i.e., simply "DIR" at the DOS prompt)
on any Sunday, the virus will then infect the first .EXE program
in the current directory. .EXE programs will not be reinfected, and
the infection does not spread past the first .EXE program in any
directory.
Susan-infected programs will have the first 571 bytes overwritten
by the Susan virus' code. The file's date and time in the DOS
disk directory listing will appear to be unaltered, but the seconds
field will have been set to "62". The following text strings can
be found within the viral code in all Susan-infected programs:
"Susan"
"*.* *.EXE"
"DIR"
"????????EXE"
"Bad command or file name"
After fifteen infections of the Susan virus have occurred, this
virus will activate. At this time, the virus will start deleting
all of the files in the current directory when a user attempts to
execute an infected program.
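
The two markers described above (a seconds field of "62" and the text strings in the first 571 bytes) can be checked together when triaging a FAT disk image. The following is an added example, not part of the original entry or of any listed scanner; the function names and sample data are constructed for illustration, and it relies on the standard 32-byte FAT directory entry layout, where the time word stores seconds in 2-second units.

```python
import struct

OVERWRITE_LEN = 571  # per the entry: first 571 bytes are overwritten
# Subset of the strings listed in the entry. "DIR" is left out as too short to
# be distinctive, and "*.* *.EXE" because its exact spacing is uncertain.
MARKERS = (b"Susan", b"????????EXE", b"Bad command or file name")

def decode_fat_time(raw):
    """Split a 16-bit FAT time word into (hour, minute, second).
    Seconds are stored in 2-second units in 5 bits, so 31 decodes to 62."""
    return (raw >> 11) & 0x1F, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def parse_dir_entry(entry):
    """Return (name, ext, (h, m, s)) from a 32-byte FAT directory entry."""
    if len(entry) != 32:
        raise ValueError("FAT directory entry must be exactly 32 bytes")
    name = entry[0:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    (raw_time,) = struct.unpack_from("<H", entry, 22)  # time word at offset 22
    return name, ext, decode_fat_time(raw_time)

def has_seconds_marker(entry):
    """True for an .EXE entry whose decoded seconds value is 62."""
    _, ext, (_, _, sec) = parse_dir_entry(entry)
    return ext == "EXE" and sec == 62

def marker_hits(data):
    """Listed strings found inside the overwritten region only."""
    head = data[:OVERWRITE_LEN]
    return [m.decode("ascii") for m in MARKERS if m in head]

def triage(entry, data):
    stamp, hits = has_seconds_marker(entry), marker_hits(data)
    if stamp and len(hits) == len(MARKERS):
        return "timestamp and strings match"
    if stamp or hits:
        return "partial match, inspect manually"
    return "no match"

def make_entry(name, ext, hour, minute, sec_field):
    """Build a constructed 32-byte directory entry for the demo."""
    raw_time = (hour << 11) | (minute << 5) | sec_field
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(), ext.encode(),
                       0x20, b"\0" * 10, raw_time, 0, 2, 4096)

# Constructed sample data, not taken from a real infected file.
SUSPECT_ENTRY = make_entry("GAME", "EXE", 12, 30, 31)
CLEAN_ENTRY = make_entry("EDIT", "EXE", 9, 15, 10)
SUSPECT_DATA = (b"\0" * 64 + b"\0".join(MARKERS)).ljust(4096, b"\0")
CLEAN_DATA = b"MZ".ljust(4096, b"\0")

if __name__ == "__main__":
    print(triage(SUSPECT_ENTRY, SUSPECT_DATA))
    print(triage(CLEAN_ENTRY, CLEAN_DATA))
```

A seconds value of 62 cannot be produced by a normal clock, which is why the directory listing looks unaltered while the raw time word still identifies the file.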