Sybille Virus


 Virus Name:  Sybille 
 Aliases:     Sybille.853 
 V Status:    New 
 Discovered:  January, 1995 
 Symptoms:    .EXE file growth; decrease in available free memory 
 Origin:      Unknown 
 Eff Length:  853 - 867 Bytes 
 Type Code:   PRhE - Parasitic Resident .EXE Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, ViruScan, Sweep, NAV, PCScan, 
                    NAVDX, ChAV, 
                    IBMAV/N, NShld, Sweep/N, NProt, NAV/N, AVTK/N, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Sybille or Sybille.853 virus was received in January, 1995.  Its 
       origin or point of isolation is unknown.  Sybille is a memory 
       resident infector of .EXE files. 
 
       When the first Sybille infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, not moving interrupt 12's return.  Available 
       free memory, as indicated by the DOS CHKDSK program from DOS 5.0, 
       will have decreased by approximately 912 bytes.  Interrupts 21 and 
       2F will be hooked by the virus in memory. 
 
       Once the Sybille virus is memory resident, it may infect .EXE files 
       when they are executed.  Infected .EXE files will have a file length 
       increase of 853 to 867 bytes with the virus being located at the 
       end of the file.  The file's date and time in the DOS disk directory 
       listing will not be altered.  The following text strings are visible 
       within the viral code: 
 
               "@:\AUTOEXEC.BAT @echo off" 
               "echo Looking for Sibylle..." 
               "goto b" 
 
       It is unknown what the Sybille virus may do besides replicate. 
 
       Known variant(s) of Sybille are: 
       Sybille.1200: Received in May, 1995, Sybille.1200 is a 1,200 
           byte variant of the Sybille virus described above.  Its size 
           in memory is 2,400 bytes, hooking interrupts 21 and 2F.  It 
           may, but does not always, infect .EXE files when they are 
           executed.  Infected files will have a file length increase of 
           1,200 to 1,214 bytes with the virus being located at the end 
           of the file.  The program's date and time in the DOS disk 
           directory listing will not be altered.  The following text 
           strings are encrypted within the viral code: 
               "FUCKING CRACKER - DIE !!!" 
               "(P) 1992 BY AZTECH.INC" 
               "\\*.* ???????????" 
           Origin:  Unknown  May, 1995.

Show viruses from discovered during that infect .

Main Page