ARCV-n Virus
Virus Name: ARCV-n
Aliases: ARCV-4
V Status: Rare
Discovery: October, 1992
Symptoms: .COM & .EXE file growth
Origin: Manchester, England
Eff Length: 664 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: AVTK, F-Prot, ViruScan, Sweep, IBMAV, NAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, NProt, AVTK/N, NAV/N, IBMAV/N, Innoc,
LProt
Removal Instructions: Delete infected files
General Comments:
The ARCV-n series of viruses were received from England in October
and November, 1992. These viruses are parasitic infectors of .COM
and/or .EXE files, and some will infect COMMAND.COM. The ARCV-4
virus is described below, with the other members of the series
included below under "Known members". The three earliest members,
ARCV-1, ARCV-2, and ARCV-3, appear to have been generated with
PS-MPC.
The ARCV-4 virus was received in October, 1992, from Manchester,
England. ARCV-4 is a non-resident infector of .COM and .EXE
programs, including COMMAND.COM.
When a program infected with the ARCV-4 virus is executed, this
virus will infect three programs located in the current directory,
with preference given to .EXE programs over .COM programs. Infected
programs will have a file length increase of 664 bytes with the
virus being located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered. The
following text strings can be found within the viral code in all
ARCV-4 infected programs:
"[ARCV-4] Apache Warrior, ARCV Pres."
"*.exe *.com"
"So Who`s the Best Then?"
"Oh Well Sorry But The ARCV Are The Best!"
"Well Your in Favor with Us then."
It is unknown what ARCV-4 does besides replicate.
Known members of the ARCV-n series of viruses are:
ARCV-1: Received in October, 1992, ARCV-1 is an 826 byte
non-resident direct action infector of .COM and .EXE
programs, but not COMMAND.COM. It infects one program
in the current directory each time an infected program
is executed, with preference given to .EXE programs.
Infected programs will have a file length increase of 826
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
encrypted within infected programs:
"Long Live The ARCV. MUFC for the League!"
"(c) Apache Warrior, ARCV Pres. 92"
"Welcome to the REAL World. And the ARCV 1 Virus!"
"[ARCV-1] Apache Warrior, ARCV Pres."
"*.exe *.com"
Origin: Manchester, England October, 1992.
ARCV-2: Received in October, 1992, ARCV-2 is an 692 byte
non-resident direct action infector of .EXE programs. It
infects one program in the current directory each time an
infected program is executed. Infected programs will have
a file length increase of 692 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text strings are encrypted within infected
programs:
"*.exe .. [ARCV-2] Apache Warrior, ARCV. Pres."
"Help.. Help.. I`Sinking........"
Origin: Manchester, England October, 1992.
ARCV-3: Received in October, 1992, ARCV-3 is an 657 byte
non-resident direct action infector of .COM programs,
including COMMAND.COM. It infects four programs in the
current directory each time an infected program is executed.
Infected programs will have a file length increase of 657
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
encrypted within infected programs:
"[ARCV-3] Apache Warrior."
"Yo.."
"I`ve Just Found a Virus.. Opps.. Sorry I`m the Virus."
"Well let me introduce myself.."
"I am ARCV-3 Virus, by Apache Warrior."
"Long Live The ARCV and Whats an Hard ECU?"
"Vote Yes to the Best Vote ARCV.."
"*.com .."
Origin: Manchester, England October, 1992.
ARCV-5: Received in November, 1992, ARCV-5 is an 475 byte
non-resident direct action infector of .COM programs,
including COMMAND.COM. It infects one .COM program in the
current directory each time an infected program is executed.
Infected programs will have a file length increase of 475
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
encrypted within infected programs:
"[ARCV-5] Apache Warrior, ARCV Pres"
"SU*.COM"
Origin: England November, 1992.
ARCV-6: Received in November, 1992, ARCV-6 is an 335 byte
non-resident direct action infector of .COM programs,
including COMMAND.COM. It infects one .COM program in the
current directory each time an infected program is executed.
Infected programs will have a file length increase of 335
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
encrypted within infected programs:
"[ARCV-6] Apache *.com"
"????????COM"
Origin: England November, 1992.
ARCV-7: Received in November, 1992, ARCV-7 is an 541 byte
non-resident direct action infector of .EXE programs. It
infects one .EXE program in the current directory each time
an infected program is executed. Infected programs will have
a file length increase of 541 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text strings are encrypted within infected
programs:
"[ARCV-7] Apache ARCV. *.exe"
"????????EXE"
Origin: England November, 1992.
ARCV-8: Received in November, 1992, ARCV-8 is an 679 byte
non-resident direct action infector of .EXE programs. It
infects one .EXE program in the current directory each time
an infected program is executed. Infected programs will have
a file length increase of 679 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text strings are encrypted within infected
programs:
"Naughty, Naughty... ARCV Productions Ltd."
"[ARCV-8] *.exe"
"????????EXE"
Origin: England November, 1992.
ARCV-9: Received in November, 1992, ARCV-9 is an 745 byte
memory resident infector of .EXE programs. When the first
infected program is executed, ARCV-9 will install itself
memory resident at the top of system memory, hooking
interrupt 21. Total system and available free memory, as
indicated by the DOS CHKDSK program, will have decreased by
2,048 bytes. Once ARCV-9 is memory resident, it will infect
.COM programs other than COMMAND.COM when they are executed.
Infected programs will have a file length increase of 745
bytes with the virus being located at the end of the file.
The file length increase will be hidden when the virus is
memory resident. The program's date and time in the DOS
disk directory listing will not be altered. The following
text strings are encrypted within infected programs:
"[ARCV-9] Apache Warrior. *.com"
"????????COM"
Origin: England November, 1992.
ARCV-10: Received in January, 1993, ARCV-10 is an 827 byte
memory resident infector of .COM and .EXE programs, including
COMMAND.COM. When the first infected program is executed,
ARCV-10 will install itself memory resident at the top of
system memory, hooking interrupt 21. Total system and
available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 1,648 bytes. Once ARCV-10
is memory resident, it will infect .COM and .EXE programs
when they are executed or opened for any reason. Infected
programs will have a file length increase of 827 bytes with
the virus being located at the end of the file. The file
length increase will not be hidden. The program's date and
time in the DOS disk directory listing will not be altered.
The following text strings are encrypted within infected
programs:
"[ARCV-10]"
"Apache Warrior"
"Well its finally here The -= ARCV =-"
"Welcome To our New Members.........."
The last two text strings may be displayed as a message by
the virus. Write protect errors will occur when the virus
is memory resident and the user attempts to execute a program
from a write-protected diskette.
Origin: England January, 1993.
ARCV-10B: Functionally similar to the ARCV-10 virus, this variant
has been altered to avoid detection by some anti-viral
programs familiar with ARCV-10.
Origin: England March, 1993.
See: PS-MPC