TBug-634 Virus
Virus Name: TBug-634
Aliases: Andr-634
V Status: New
Discovered: September, 1993
Symptoms: .COM & .EXE file growth; file date/time changes; decrease in total system & available free memory
Origin: Unknown
Eff Length: 634 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, Sweep, ViruScan, IBMAV, AVTK, NAV, NAVDX, VAlert, PCScan, ChAV, Sweep/N, NShld, NProt, AVTK/N, IBMAV/N, Innoc, NAV/N, LProt
Removal Instructions: Delete infected files
General Comments:

The TBug-634 virus was submitted in September, 1993. Its origin or
point of isolation is unknown. TBug-634 is a memory resident infector
of .COM and .EXE programs, including COMMAND.COM.

When the first TBug-634 infected program is executed, the virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, without changing the value returned by
interrupt 12. Total system and available free memory, as indicated by
the DOS CHKDSK program, will have decreased by 640 bytes. Interrupt 21
will be hooked by TBug-634 in memory.

Once the TBug-634 virus is memory resident, it will infect .COM and
.EXE programs when they are executed. Infected programs will have
a file length increase of 634 bytes, with the virus located at
the end of the file. The program's date and time in the DOS disk
directory listing will have been updated to the system date
and time at which infection occurred. The following text string can be
found near the end of all infected files:

"TbUg"

TBug-634 uses a mechanism similar to that employed by the Vacsina
virus for infecting .EXE programs. As a result, some anti-viral
programs employing scanning technologies may detect this virus as
a variant of the Vacsina virus.
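
The file indicators described in this entry (growth of 634 bytes, a changed date/time, and the "TbUg" string near the end of the file) can be checked with a short triage script. This is an added example, not part of the original entry; the baseline inventory format and the choice to search only the last 634 bytes are assumptions.

```python
import os
import tempfile

VIRUS_LEN = 634          # file growth stated in the entry
MARKER = b"TbUg"         # string the entry reports near the end of infected files
EXTS = (".com", ".exe")  # file types the entry says are infected

def indicators(path, baseline=None):
    """Return which of the entry's indicators `path` matches.

    baseline: optional {UPPERCASE_NAME: (size, mtime)} taken from known-clean
    copies. This inventory format is an assumption of the example.
    """
    hits = []
    if not path.lower().endswith(EXTS):
        return hits
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        # Assumption: the virus body is the last 634 bytes, so search only there.
        fh.seek(max(0, size - VIRUS_LEN))
        if MARKER in fh.read():
            hits.append("marker")
    known = (baseline or {}).get(os.path.basename(path).upper())
    if known:
        old_size, old_mtime = known
        if size - old_size == VIRUS_LEN:
            hits.append("growth")
        if os.path.getmtime(path) != old_mtime:
            hits.append("timestamp")
    return hits

def scan(root, baseline=None):
    """Walk `root` and map each matching file path to its indicator list."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            found = indicators(os.path.join(dirpath, name), baseline)
            if found:
                results[os.path.join(dirpath, name)] = found
    return results

if __name__ == "__main__":
    # Constructed sample: a 1000-byte stand-in host plus 634 filler bytes that
    # carry the marker. No virus code is involved.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "SAMPLE.COM"), "wb") as fh:
        fh.write(b"\x90" * 1000 + b"\x00" * 600 + MARKER + b"\x00" * 30)
    print(scan(root, {"SAMPLE.COM": (1000, 0.0)}))
```

A marker hit alone is weak evidence, since four bytes can occur in clean data; growth of exactly 634 bytes together with the marker is the stronger signal.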