Arusiek Virus


 Virus Name:  Arusiek 
 Aliases:    
 V Status:    Rare 
 Discovery:   May, 1993 
 Symptoms:    .COM & .EXE growth; 
              decrease in total system & available free memory 
 Origin:      Morocco 
 Eff Length:  817 Bytes 
 Type Code:   PRhA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  IBMAV, ViruScan, AVTK, F-Prot, Sweep, 
                    NAV, NAVDX, VAlert, ChAV, 
                    Sweep/N, NShld, AVTK/N, NProt, NAV/N, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Arusiek virus was received in May, 1993, and is from Morocco. 
       Arusiek is a memory resident infector of .COM and .EXE programs, 
       but not COMMAND.COM. 
 
       When the first Arusiek infected program is executed, the Arusiek 
       virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary, hooking interrupt 21. 
       Total system and available free memory, as indicated by the 
       DOS CHKDSK program, will have decreased by 1,088 bytes.  Interrupt 
       12's return will not be moved. 
 
       Once the Arusiek virus is memory resident, it will infect .COM and 
       .EXE programs when they are executed or opened for any reason. 
       Infected programs will have a file length increase of 817 bytes with 
       the virus being located at the end of the file.  The program's date 
       and time in the DOS disk directory listing will not be altered. 
       The following text strings are visible within the viral code in all 
       Arusiek infected programs: 
 
               "MKS" 
               "NAV" 
               "CLEAN" 
               "COMMAND" 
               "Mum3" 
 
       It is unknown what Arusiek does besides replicate. 
 
       Known variant(s) of Arusiek are: 
       Arusiek.692: Received in January, 1995, Arusiek.692 is a 692 
               byte variant of the Arusiek virus described above.  Its 
               size in memory is approximately 800 bytes, hooking interrupt 
               21.  Like the original virus, it infects .COM and .EXE files 
               when they are executed, opened, or copied.  Infected files 
               have a file length increase of 692 bytes with the virus 
               being located at the end of the file.  The program's date 
               and time in the DOS disk directory listing will not be 
               altered.  The following text string can be found within the 
               viral code in all Arusiek.692 infected programs: 
               "KOMAR" 
               Origin:  Unknown  January, 1995.

Show viruses from discovered during that infect .

Main Page