422 Overwriting Virus

Virus Name: 422 Overwriting Aliases: V Status: Rare Discovery: March, 1993 Symptoms: .COM files corrupted; file date/time changes; TSR; DOS DIR command output not correct; programs fail to function Origin: Unknown Eff Length: 422 Bytes Overwriting Type Code: PRsC - Overwriting Resident .COM Infector Detection Method: F-Prot, Sweep, AVTK, ViruScan, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, Sweep/N, NShld, AVTK/N, NProt, IBMAV/N, NAV/N, Innoc, LProt Removal Instructions: Delete infected files General Comments: The 422 Overwriting virus was submitted in March, 1993. Its origin or point of isolation is unknown. 422 Overwriting is a memory resident overwriting virus which infects .COM programs, but not COMMAND.COM. When the first 422 Overwriting infected program is executed, this virus will install itself memory resident as a low system memory TSR of approximately 1,120 bytes. Interrupt 21 will be hooked by the virus in memory. Once the 422 Overwriting virus is memory resident, it will infect one .COM program each time a DOS DIR command is executed. The command output of the DOS DIR command will also be affected, usually with one .COM file name being repeated multiple times. Programs infected with the 422 Overwriting virus will not have any file length increase as the virus will overwrite 422 bytes located somewhere in the middle of the host file. The one exception is that files which were originally smaller than the virus itself will become over 65K bytes in size after infection. The file's date and time in the DOS disk directory will have been updated to the current system date and time when infection occurred. No text strings are visible within the viral code. Programs infected with the 422 Overwriting virus will not function properly when executed.