Tiso Virus
Virus Name: Tiso
Aliases:
V Status: New
Discovery: August, 1993
Symptoms: .COM file growth;
decrease in total system & available free memory
Origin: Italy
Eff Length: 846 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: AVTK, Sweep, ViruScan, F-Prot, NAV, PCScan,
NAVDX, VAlert, ChAV,
AVTK/N, Sweep/N, NShld, Innoc, NAV/N
Removal Instructions: Delete infected files
General Comments:
The Tiso virus was received in August, 1993, and is originally from
Italy. Tiso is a memory resident infector of .COM programs,
including COMMAND.COM.
When the first Tiso infected program is executed, the Tiso virus will
infect the copy of COMMAND.COM located in the C: drive root
directory. It does not become memory resident until later when the
system is booted from the system hard disk and the infected
COMMAND.COM. When Tiso is memory resident, it will be resident at the
top of system memory but below the 640K DOS boundary, moving
interrupt 12's return. Total system and available free memory, as
indicated by the DOS CHKDSK program, will have decreased by 1,024
bytes. Interrupts 08 and 24 will be hooked by Tiso in memory.
Once the Tiso virus is memory resident, it will infect .COM programs,
including COMMAND.COM, when they are executed. Infected programs
will have a file length increase of 846 bytes with the virus being
located at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. No text strings are
visible within the viral code in Tiso infected programs.
It is unknown what Tiso does besides replicate.
Known variant(s) of Tiso are:
Tiso.1279: Received in May, 1994, Tiso.1279 is a 1,279 byte
variant of the Tiso virus described above. Unlike the
original virus, this variant is multi-partite, infecting
the system hard disk master boot sector (partition table
sector), in addition to .COM and .EXE files. When the
first infected program is executed, the virus will infect
the system hard disk master boot sector. The virus does
not become memory resident, however, until the system is
booted from the infected system hard disk. The virus's
size in memory is 2,048 bytes at the top of system
memory, but below the 640K DOS boundary. Interrupt 12's
return will be moved, and interrupt 21 will be hooked by
the virus in memory. Once the virus is memory resident,
it will infect .COM and .EXE programs, including
COMMAND.COM, when they are executed. Infected programs
will have a file length increase of 1,279 bytes with the
virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not
be altered. No text strings are visible within the viral
code. It is unknown what this variant does besides
replicate.
Origin: Italy May, 1994.
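
The symptoms above (fixed file growth with an unaltered directory date and time, and a fixed drop in total memory) can be checked against a known-good baseline. The following is an added example, not part of the original entry; the file names, sizes, timestamps and the 655,360-byte expected memory total are constructed sample values, and the function names are hypothetical.

```python
from dataclasses import dataclass

# Growth, target extensions and resident size as stated in the entry above.
SIGNATURES = {
    "Tiso": {"growth": 846, "exts": {".COM"}, "mem_loss": 1024},
    "Tiso.1279": {"growth": 1279, "exts": {".COM", ".EXE"}, "mem_loss": 2048},
}

@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    stamp: str  # date/time as shown in the DOS directory listing

# Constructed sample data: a clean baseline and a later listing of the same disk.
BASELINE = [
    FileRecord(r"C:\COMMAND.COM", 47845, "1991-04-09 05:00"),
    FileRecord(r"C:\DOS\FORMAT.COM", 32911, "1991-04-09 05:00"),
    FileRecord(r"C:\DOS\XCOPY.EXE", 15804, "1991-04-09 05:00"),
    FileRecord(r"C:\UTIL\EDIT.COM", 413, "1992-01-15 10:30"),
]
CURRENT = [
    FileRecord(r"C:\COMMAND.COM", 48691, "1991-04-09 05:00"),    # +846, same stamp
    FileRecord(r"C:\DOS\FORMAT.COM", 32911, "1991-04-09 05:00"), # unchanged
    FileRecord(r"C:\DOS\XCOPY.EXE", 17083, "1991-04-09 05:00"),  # +1279, same stamp
    FileRecord(r"C:\UTIL\EDIT.COM", 1259, "1993-09-01 12:00"),   # +846, new stamp
]

def suspect_files(baseline, current):
    """Return (path, variant) for files that grew by a listed amount with the stamp unchanged."""
    known = {r.path.upper(): r for r in baseline}
    hits = []
    for rec in current:
        old = known.get(rec.path.upper())
        if old is None or rec.stamp != old.stamp:
            continue  # outside the described pattern; this does not prove the file is clean
        ext = rec.path.upper()[-4:]
        for name, sig in SIGNATURES.items():
            if rec.size - old.size == sig["growth"] and ext in sig["exts"]:
                hits.append((rec.path, name))
    return hits

def memory_suspects(expected_bytes, reported_bytes):
    """Variants whose resident size equals the drop in total memory reported by CHKDSK."""
    loss = expected_bytes - reported_bytes
    return [name for name, sig in SIGNATURES.items() if sig["mem_loss"] == loss]
```

A match is only a lead for scanning with one of the listed detection products; other programs can reduce total memory or change file sizes by the same amounts.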