Sword Virus

Virus Name: Sword Aliases: V Status: New Discovered: January, 1995 Symptoms: .COM & .EXE growth; decrease in available free memory; file time changes; programs may disappear Origin: Unknown Eff Length: 794 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, AVTK, IBMAV, Sweep, ViruScan, NAVDX, VAlert, NAV, PCScan, ChAV, AVTK/N, Sweep/N, NShld, IBMAV/N, NProt, NAV/N, Innoc 4.0+ Removal Instructions: Delete infected files General Comments: The Sword virus was received in January, 1995. Its origin or point of isolation is unknown. Sword is a memory resident infector of .COM and .EXE files, including COMMAND.COM. When the first Sword infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupt 21. Total system memory as indicated by the DOS CHKDSK program from DOS 5.0, will not be altered while available free memory will have decreased by 1,100 bytes. Once the Sword virus is memory resident, it will infect .COM and .EXE programs when they are executed. Infected programs will have a file length increase of 794 bytes with the virus being located at the end of the file. The program's date will not be altered in the DOS disk directory listing, but the file time may be altered. The following text string is visible within the viral code in all infected programs: "The POWER of my SWORD!!!" Systems infected with the Sword virus may find that some executable programs will appear to have disappeared from the disk directory. These programs will still, however, be on the disk, with the hidden attribute set. Known variant(s) of Sword: Sword.B: Received in January, 1995, Sword.B is a minor variant of the Sword virus. It has four bytes which differ. Origin: Unknown January, 1995.