Taiwan 4 Virus
Virus Name: Taiwan 4
Aliases: 2576, Anticad 5
V Status: Common
Discovered: October, 1990
Symptoms: TSR; .COM & .EXE file growth; system slowdown
Isolated: United States and Thailand
Origin: Taiwan
Eff Length: 2,576 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAVDX, VAlert, IBMAV, NAV, PCScan, ChAV, NShld, Sweep/N, LProt, Innoc, NProt, IBMAV/N, AVTK/N, NAV/N
Removal Instructions: Delete infected files
General Comments:
The Taiwan 4, or 2576, virus was isolated in October, 1990. While
one copy of this virus was submitted by a user of Excalibur! who
indicated that it had been received from a download of AutoCad from
another BBS, a second copy was submitted to John McAfee from
Thailand on approximately the same date. This virus appears to have
originated in Taiwan, and is based on the Taiwan 3 virus. It is a
memory resident infector of .COM and .EXE files, but will not infect
COMMAND.COM.
When a program infected with the Taiwan 4 virus is executed, the
virus will check to see if it is already memory resident. If it is
not already in memory, the virus will install itself as a memory
resident TSR of 2,832 bytes in low system memory. Interrupts 08
and 21 will be hooked by the virus.
After the virus is resident, the virus will start to slow down
the system gradually. After approximately 30 minutes, it will have
slowed the system down by approximately 30 percent.
Any .COM or .EXE file executed with Taiwan 4 active in memory will
become infected. Infected programs will have their file length
increased by 2,576 bytes for .COM files, and 2,576 - 2,590 bytes
for .EXE files. The virus is located at the beginning of .COM
files, and the end of .EXE files. The following text message can
be found in all infected programs:
"To Whom see this: Shit! As you can see this document,
you may know what this program is. But I must tell you:
DO NOT TRY to WRITE ANY ANTI-PROGRAM to THIS VIRUS.
This is a test-program, the real dangerous code will
implement on November. I use MASM to generate varius
virus easily and you must use DEBUG against my virus
hardly, this is foolish. Save your time until next month.
OK? Your Sincerely, ABT Group., Oct 13th, 1989 at FCU."
Another text string that can be found in all infected programs is:
"ACAD.EXECOMMAND.COM".
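A file check built from the indicators in this entry, added here as an example and not part of the original listing or of any scanner it names. It looks for the two text strings in the region where the entry places the virus body (the first 2,576 bytes of .COM files, the last 2,590 bytes of .EXE files) and reports a string found anywhere else separately, since a document quoting the strings would otherwise match. The function names, the sample images and the assumption that the strings are stored as plain ASCII are this example's own.

```python
import re
from pathlib import Path

VIRUS_LEN = 2576        # effective length given in the entry
EXE_MAX_GROWTH = 2590   # upper bound of .EXE growth given in the entry
# Strings the entry lists as present in all infected programs.
# Assumption: they are stored as plain ASCII, whitespace aside.
MARKERS = (b"ACAD.EXECOMMAND.COM",
           b"DO NOT TRY to WRITE ANY ANTI-PROGRAM to THIS VIRUS")

def _norm(buf: bytes) -> bytes:
    """Collapse whitespace runs so line breaks inside the message do not matter."""
    return re.sub(rb"\s+", b" ", buf)

def expected_region(data: bytes, name: str) -> bytes:
    """Slice of the file where the entry places the virus body."""
    ext = Path(name).suffix.lower()
    if ext == ".com":
        return data[:VIRUS_LEN]          # beginning of .COM files
    if ext == ".exe":
        return data[-EXE_MAX_GROWTH:]    # end of .EXE files
    return b""

def classify(data: bytes, name: str) -> str:
    """Return 'suspect', 'string-elsewhere' or 'clean' for one file image."""
    if len(data) >= VIRUS_LEN:           # smaller files cannot hold the body
        region = _norm(expected_region(data, name))
        if any(m in region for m in MARKERS):
            return "suspect"
    if any(m in _norm(data) for m in MARKERS):
        return "string-elsewhere"        # e.g. a text file quoting the strings
    return "clean"

# Constructed sample images: filler bytes plus a marker string, no virus code.
_BODY = (b"\x90" * 100 + MARKERS[0] + b"\x90" * VIRUS_LEN)[:VIRUS_LEN]
SAMPLES = {
    "HOST.COM": _BODY + b"\xc3" * 300,               # marker at the start
    "HOST.EXE": b"MZ" + b"\x00" * 4000 + _BODY,      # marker at the end
    "TOOL.COM": b"\xc3" * 5000 + MARKERS[0],         # marker in the wrong place
    "VSUM.TXT": b"... is: ACAD.EXECOMMAND.COM ...",  # documentation quoting it
    "CLEAN.EXE": b"MZ" + b"\x00" * 6000,
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(f"{name:10} {classify(image, name)}")
```

A "suspect" result is a reason to run one of the listed scanners on the file, not a confirmation; the strings alone say nothing about whether the rest of the virus body is present.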