Arriba Virus


 Virus Name:  Arriba 
 Aliases:     1590 
 V Status:    Rare 
 Discovery:   December, 1992 
 Symptoms:    .COM & .EXE growth; system hangs 
 Origin:      Unknown 
 Eff Length:  1,590 Bytes 
 Type Code:   PRaA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  AVTK, F-Prot, ViruScan, Sweep, IBMAV, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    Sweep/N, NShld, Innoc, NProt, AVTK/N, IBMAV/N, 
                    LProt, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Arriba virus was isolated in December, 1992.  Its origin is 
       unknown, and the virus may actually have been written in 1991. 
       Arriba is a memory resident infector of .COM and .EXE programs, 
       but not COMMAND.COM. 
 
       When the first Arriba infected program is executed, the Arriba 
       virus will install itself memory resident in available free system 
       memory at 9000, hooking interrupts 21 and 24.  Total system and 
       available free memory, as indicated by the DOS CHKDSK program, will 
       not be altered. 
 
       Once the Arriba virus is memory resident, it will infect .COM and 
       .EXE programs when they are executed.  Infected programs will have 
       a file length increase of 1,590 bytes.  In the case of .COM programs, 
       the virus will be located at the beginning of the file.  In .EXE 
       programs, the virus will be located at the end of the file.  The 
       program's date and time in the DOS disk directory listing will not 
       be altered.  No text strings are visible within the viral code. 
 
       It is unknown what Arriba does besides replicate.

Show viruses from discovered during that infect .

Main Page