Ash Virus
Virus Name: Ash
Aliases:
V Status: Rare
Discovery: July, 1992
Symptoms: .COM file growth; file date/time changes
Origin: Unknown
Eff Length: 280 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: AVTK, Sweep, ViruScan, F-Prot, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, NProt, AVTK/N, NAV/N, IBMAV/N, LProt, Innoc
Removal Instructions: Delete infected files
General Comments:
The Ash virus was submitted in July, 1992. Ash is a non-resident,
direct action infector of .COM programs, including COMMAND.COM.
Its origin or point of isolation is unknown.
When a program infected with the Ash virus is executed, the Ash
virus will infect all of the .COM programs located in the current
directory. Infected programs will have a file length increase
of 280 bytes with the virus being located at the end of the
infected file. The program's date and time in the DOS disk
directory listing will have been updated to the current system
date and time when infection occurred. One text string is visible
within the Ash viral code in infected programs:
"*.COM"
Ash doesn't do anything besides replicate.
Known variant(s) of Ash are:
Ash.270: Received in August, 1994, Ash.270 is a 270 byte variant
of the Ash virus described above. It infects all of the
.COM files in the current directory, including COMMAND.COM,
when an infected program is executed. Infected files will
increase in size by 270 bytes with the virus being located
at the end of the file. The program's date and time in the
DOS disk directory listing will have been updated to the
current system date and time when infection occurred. The
following text string can be found within the viral code:
"*.COM"
Origin: Unknown August, 1994.
Ash.441: Received in August, 1994, Ash.441 is a 441 byte variant
of the Ash virus described above. It infects all of the
.COM files in the current directory, including COMMAND.COM,
when an infected program is executed. Infected files will
increase in size by 441 bytes with the virus being located
at the end of the file. The program's date and time in the
DOS disk directory listing will have been updated to the
current system date and time when infection occurred. The
following text strings can be found within the viral code:
"*.COM"
"Naked Truth!"
"Hi-Tech Assasins - Ready To Take On The World"
"// DEATH TO ALL - PEACE AT LAST //"
"The Unforgiven / Immortal Riot"
Origin: Sweden August, 1994.
Ash.449: Received in August, 1994, Ash.449 is a 449 byte variant
of the Ash virus described above. It infects all of the
.COM files in the current directory, including COMMAND.COM,
when an infected program is executed. Infected files will
increase in size by 449 bytes with the virus being located
at the end of the file. The program's date and time in the
DOS disk directory listing will have been updated to the
current system date and time when infection occurred. The
following text strings can be found within the viral code:
"*.COM"
"Naked Truth!"
"Hi-Tech Assasins - Ready To Take On The World"
"// DEATH TO ALL - PEACE AT LAST //"
"The Unforgiven / Immortal Riot"
Origin: Sweden August, 1994.
Ash.451: Received in August, 1994, Ash.451 is a 451 byte variant
of the Ash virus described above. It infects all of the
.COM files in the current directory, including COMMAND.COM,
when an infected program is executed. Infected files will
increase in size by 451 bytes with the virus being located
at the end of the file. The program's date and time in the
DOS disk directory listing will have been updated to the
current system date and time when infection occurred. The
following text strings can be found within the viral code:
"*.COM"
"Naked Truth!"
"Hi-Tech Assasins - Ready To Take On The World"
"// DEATH TO ALL - PEACE AT LAST //"
"The Unforgiven / Immortal Riot"
Origin: Sweden August, 1994.
Ash.546: Received in August, 1994, Ash.546 is a 546 byte variant
of the Ash virus described above. It installs itself memory
resident at the top of system memory but below the 640K DOS
boundary, when the first infected program is executed. Total
system and available free memory, as indicated by the DOS
CHKDSK program, will have decreased by 976 bytes. Interrupt
21 will be hooked by the virus in memory. Ash.546 infects
.COM files when they are executed. Infected files will
increase in size by 546 bytes with the virus being located at
the end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The following
text string is encrypted within the viral code:
"V.C.M-MEGABUG"
The Ash.546 virus activates on December 28th of any year when
the first infected program is executed. At this time, the
virus will overwrite the file allocation table on the system
hard disk.
Origin: Unknown August, 1994.
Ash.546.B: Based on the Ash.546 variant, this variant has four
bytes which have been altered.
Origin: Unknown December, 1994.
Ash.737: Received in August, 1994, Ash.737 is a 737 byte variant
of the Ash virus described above. It installs itself memory
resident as a low system memory TSR of 6,192 bytes when the
first infected program is executed, hooking interrupt 08. It
infects one .COM file in the current directory when an
infected program is executed. Infected files will increase
in size by 737 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk
directory listing will have been updated to the current
system date and time when infection occurred. The following
text strings are encrypted within the viral code:
"Bad command or file name"
"C:\COMMAND.COM C:\COMMAND.COM *.COM .."
Infected programs, when executed, may hang the system or
display the message "Bad command or file name". The virus
may also replace the copy of COMMAND.COM located in the C:
drive root directory with a 745 byte hidden file which
contains a copy of the viral code.
Origin: Unknown August, 1994.
See: Green Joker VCM
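The symptoms listed in this entry (fixed growth of .COM files, with or without a date/time change) can be checked against a baseline taken while the files were known to be clean. The following is an added example, not part of the original entry or of any listed scanner; the function names and the baseline format are assumptions made here. A matching size is only a heuristic pointer to a variant, not a signature match.

```python
import os

# Growth in bytes -> variant name, taken from the entry above.
ASH_GROWTH = {280: "Ash", 270: "Ash.270", 441: "Ash.441", 449: "Ash.449",
              451: "Ash.451", 546: "Ash.546", 737: "Ash.737"}
# Per the entry, Ash.546 leaves the directory date/time unchanged.
KEEPS_TIMESTAMP = {546}
# Per the entry, Ash.737 may replace C:\COMMAND.COM with a 745 byte file.
REPLACED_COMMAND_COM_SIZE = 745


def snapshot(directory):
    """Record {upper-cased name: (size, mtime)} for every .COM file."""
    snap = {}
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.upper().endswith(".COM"):
            st = entry.stat()
            snap[entry.name.upper()] = (st.st_size, int(st.st_mtime))
    return snap


def compare(baseline, current):
    """Return findings for files whose change fits a documented Ash variant."""
    findings = []
    for name, (old_size, old_mtime) in sorted(baseline.items()):
        if name not in current:
            continue
        new_size, new_mtime = current[name]
        growth = new_size - old_size
        stamp_changed = new_mtime != old_mtime
        if growth in ASH_GROWTH:
            # The timestamp behaviour must also match what the entry describes.
            expected_change = growth not in KEEPS_TIMESTAMP
            findings.append({"file": name, "growth": growth,
                             "variant": ASH_GROWTH[growth],
                             "timestamp_matches": stamp_changed == expected_change})
        elif (name == "COMMAND.COM" and new_size == REPLACED_COMMAND_COM_SIZE
              and old_size != REPLACED_COMMAND_COM_SIZE):
            findings.append({"file": name, "growth": growth,
                             "variant": "Ash.737 (replaced COMMAND.COM)",
                             "timestamp_matches": stamp_changed})
    return findings


def directory_wide(findings, baseline):
    """True when every baselined .COM file grew by the same documented amount,
    the pattern the entry gives for the variants that infect a whole directory."""
    growths = {f["growth"] for f in findings}
    return len(findings) == len(baseline) > 0 and len(growths) == 1
```

Take the baseline with snapshot() on a clean directory, store it off the machine, and pass a later snapshot() of the same directory to compare().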