Tolbuhin Virus
Virus Name: Tolbuhin
Aliases: Sk1, Tolbuhin-1147
V Status: Rare
Discovery: August, 1992
Symptoms: .COM file growth; file date/time changes; system hangs
Origin: Unknown
Eff Length: 1,147 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: ViruScan, AVTK, Sweep, IBMAV, F-Prot, NAV, NAVDX,
    VAlert, PCScan, ChAV, NShld, Sweep/N, LProt, Innoc, NProt,
    IBMAV/N, AVTK/N, NAV/N
Removal Instructions: Delete infected files
General Comments:

The Tolbuhin, or Sk1, virus was received in August, 1992. Its
origin or point of isolation is unknown. Tolbuhin is a memory
resident infector of .COM programs, but not COMMAND.COM.

When the first Tolbuhin infected program is executed, the
Tolbuhin virus will become memory resident at the top of system
memory but below the 640K DOS boundary. Total system and available
free memory, as indicated by the DOS CHKDSK program, will have
decreased by 2,048 bytes. Interrupts 20 and 21 will be hooked by
Tolbuhin. The virus may also infect one .COM program located in the
current directory at this time.

Once Tolbuhin is memory resident, it will infect .COM programs
when they are executed. Infected programs will have a file
length increase of 1,147 bytes with the virus being located at
the end of the file. The program's date and time in the DOS disk
directory listing will have been updated to the current system
date and time when infection occurred. The following text
strings can be found in all programs infected with the Tolbuhin
virus:

    "Virus in memory !!!"
    "Created 21.I.1990 - PMG\OTME - Tolbuhin"
    "*.com"
    "????????COM"
    "COMMAND"

System hangs frequently occur when the virus infects programs. It
also contains some destructive code.

Known variant(s) of Tolbuhin are:

Tolbuhin-626: Based on the Tolbuhin virus, this variant's size
in memory is also 2,048 bytes. It hooks interrupts 13 and 21.
Infected programs will have a file length increase of 626 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will
have been updated to the current system date and time when
infection occurred. The following text strings can be found
within the viral code in infected files:

    "Virus in memory !!!"
    "*.com"
    "SK9"

The text string "SK" will also be found starting in the
fourth byte of all infected programs.
Origin: Unknown, August, 1993.

Tolbuhin-992: Based on the Tolbuhin virus, this variant's size
in memory is also 2,048 bytes. It hooks interrupts 13, 20, and
21. Infected programs will have a file length increase of 992
bytes with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will
have been updated to the current system date and time when
infection occurred. The following text strings can be found
within the viral code in infected files:

    "Virus in memory !!!"
    "Created 21.I.1990 - PMG\OTME - Tolbuhin"
    "*.com"
    "COMMAND"

Origin: Bulgaria, November, 1992.

Tolbuhin-1004: Based on the Tolbuhin virus, this variant's size
in memory is also 2,048 bytes. It hooks interrupts 13, 20, and
21. Infected programs will have a file length increase of 1,004
bytes with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will
have been updated to the current system date and time when
infection occurred. The following text strings can be found
within the viral code in infected files:

    "*.com"
    "COMMAND"

Origin: Bulgaria, November, 1992.
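
The string indicators listed in this entry, turned into a tail-of-file check (an added example, not part of the original entry or of any scanner it names). The function and table names are hypothetical, the sample inputs are constructed, and the code assumes the strings are stored as plain ASCII exactly as quoted.

```python
"""Match a .COM image against the Tolbuhin text strings listed in this entry.
Added example with hypothetical names; assumes the strings are stored as plain
ASCII exactly as quoted, which the entry does not state explicitly."""

BANNER = b"Virus in memory !!!"
CREATED = b"Created 21.I.1990 - PMG\\OTME - Tolbuhin"

# variant -> (bytes appended to the host, strings listed for that variant).
# Ordered so the richest string set is tried first.
VARIANTS = {
    "Tolbuhin-1147": (1147, [BANNER, CREATED, b"*.com", b"????????COM", b"COMMAND"]),
    "Tolbuhin-992": (992, [BANNER, CREATED, b"*.com", b"COMMAND"]),
    "Tolbuhin-626": (626, [BANNER, b"*.com", b"SK9"]),
    "Tolbuhin-1004": (1004, [b"*.com", b"COMMAND"]),
}


def classify(image: bytes):
    """Return (variant, confidence), or (None, None) when nothing matches."""
    for name, (length, strings) in VARIANTS.items():
        if len(image) <= length:
            continue  # too small to hold a host plus this variant
        tail = image[-length:]  # the virus is located at the end of the file
        if not all(s in tail for s in strings):
            continue
        # Tolbuhin-626 also places "SK" starting in the fourth byte of the file.
        if name == "Tolbuhin-626" and image[3:5] != b"SK":
            continue
        # "*.com" and "COMMAND" alone can also occur in clean programs, so a
        # match without the banner string is only a lead for further analysis.
        return name, ("high" if BANNER in strings else "low")
    return None, None


def build_sample(variant: str, host: bytes = b"\x90" * 300) -> bytes:
    """Constructed input: filler host plus a dummy tail that carries only the
    listed strings (no virus code), padded to the variant's appended length."""
    length, strings = VARIANTS[variant]
    if variant == "Tolbuhin-626":
        host = host[:3] + b"SK" + host[5:]
    return host + b"\x00".join(strings).ljust(length, b"\x00")


if __name__ == "__main__":
    for v in VARIANTS:
        print(v, "->", classify(build_sample(v)))
    print("clean ->", classify(b"\x90" * 2000))
```

A "low" result for Tolbuhin-1004 reflects that its two listed strings are generic; pair it with the 1,004-byte growth and changed date/time described above before treating a file as infected.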