Twister Virus


 Virus Name:  Twister 
 Aliases:     Twister.451 
 V Status:    New 
 Discovered:  July, 1994 
 Symptoms:    .COM file growth; file date/time changes; 
              decrease in total system & available free memory 
 Origin:      Unknown 
 Eff Length:  451 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  F-Prot, AVTK, ViruScan, IBMAV, Sweep, NAV, 
                    NAVDX, VAlert, 
                    NProt, AVTK/N, NShld, Sweep/N, IBMAV/N, NAV/N 
 Removal Instructions:  Delete hidden infected files 
 
 General Comments: 
       The Twister or Twister.451 virus was received in July, 1994.  Its 
       origin or point of isolation is unknown.  Twister is a memory resident 
       infector of .COM programs, including COMMAND.COM. 
 
       When the first Twister infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, not moving interrupt 12's return.  Total system 
       and available free memory, as indicated by the DOS CHKDSK program, 
       will have decreased by 1,408 bytes.  Interrupt 21 will be hooked by 
       the virus in memory. 
 
       Once memory resident, Twister will infect .COM programs when they are 
       executed.  Infected programs will have a file length increase of 451 
       bytes with the virus being located at the beginning of the file.  The 
       following text string is visible within the viral code: 
 
               "Twister (c) 1992" 
 
       The Twister virus is unable to determine whether it has previously 
       infected a file; as a result, .COM programs will be reinfected by the 
       virus, adding an additional 451 bytes.  Once a program has been 
       reinfected, viral code can be found at both the beginning and the end 
       of the file. 
 
       Known variant(s) of Twister are: 
       Twister.863: Received in July, 1994, Twister.863 is an 863 byte 
                  variant of the Twister virus described above.  Its size 
                  in memory is 2,208 bytes, hooking interrupt 21.  This 
                  variant infects .COM programs, including COMMAND.COM, when 
                  they are executed.  Like the original virus, it cannot 
                  recognize prior infections of itself on files, so it will 
                  reinfect previously infected programs.  Programs infected 
                  with Twister.863 will have a file length increase of 863 
                  bytes for each infection present on a file.  The virus 
                  will be located at the beginning of the file, as well as 
                  the end of the file in the case of reinfected files.  The 
                  program's date and time in the DOS disk directory listing 
                  will have been updated to the current system date and time 
                  when infection occurred.  The following text string can be 
                  found within the viral code: 
                  "Twister (c) 1992" 
                  Unlike the original virus, this version of the virus will 
                  prevent the user from viewing the viral code within infected 
                  files when the virus is memory resident. 
                  Origin:  Unknown  July, 1994. 
       Twister.1015: Received in July, 1994, Twister.1015 is a 1,015 
                  byte variant of the Twister virus described above.  Its 
                  size in memory is 2,528 bytes, hooking interrupts 21 and 
                  24.  This variant infects .COM programs, including 
                  COMMAND.COM, when they are executed.  Like the original 
                  virus, it cannot recognize prior infections of itself on 
                  files, so it will reinfect previously infected programs. 
                  Programs infected with Twister.1015 will have a file length 
                  increase of 1,015 bytes for each infection present on a 
                  file.  The virus will be located at the beginning of the 
                  file, as well as the end of the file in the case of 
                  reinfected files.  The program's date and time in the DOS 
                  disk directory listing will have been updated to the 
                  current system date and time when infection occurred. 
                  The following text strings can be found within the viral 
                  code: 
                  "Twister (c) 1992" 
                  "C:\COMMAND.COM" 
                  This variant of the virus adds the ability to infect the 
                  copy of COMMAND.COM located in the C: drive root directory 
                  when the first infected program is executed.  Twister and 
                  Twister.863 did not have this ability. 
                  Origin:  Unknown  July, 1994. 
       Twister.1767: Received in July, 1994, Twister.1767 is based on 
                  Twister.1015.  Its size in memory is 4,032 bytes, hooking 
                  interrupts 08, 09, 10, 1C, and 21.  This variant infects 
                  .COM programs, including COMMAND.COM, when they are 
                  executed.  Like the original virus, it cannot recognize 
                  prior infections of itself on files, so it will reinfect 
                  previously infected programs.  Programs infected with 
                  Twister.1767 will have a file length increase of 1,767 
                  bytes for each infection present on a file.  The virus will 
                  be located at the beginning of the file, as well as the end 
                  of the file in the case of reinfected files.  The program's 
                  date and time in the DOS disk directory listing will have 
                  been updated to the current system date and time when 
                  infection occurred.  The following text strings can be 
                  found within the viral code: 
                  "Twister" 
                  "C:\COMMAND.COM" 
                  "We are demons to some, angels to others" 
                  "So Far... So Good... So What?" 
                  "Children of the Damned" 
                  "Time heals all wounds" 
                  After the virus has been memory resident for some time, 
                   it may start scrolling the display from left to right, 
                  typing out text on the display.  Like Twister.1015, this 
                  variant infects the copy of COMMAND.COM located in the C: 
                  drive root directory when the first infected program is 
                  executed. 
                  Origin:  Unknown  July, 1994. 
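
Added example, not part of the original entry: a string-based triage check over a .COM image, using the text strings and infection lengths listed above to name candidate variants and to tell a single infection from a reinfected file. It assumes the strings are stored as plain ASCII on disk and that each infection contributes one copy of the marker; the helper names and the sample buffers are constructed for illustration and contain no viral code.

```python
MARK = b"Twister (c) 1992"
PATH = b"C:\\COMMAND.COM"
SLOGAN = b"We are demons to some, angels to others"
# Infection lengths in bytes, as given in the entry.
SIZES = {"Twister.451": 451, "Twister.863": 863,
         "Twister.1015": 1015, "Twister.1767": 1767}

def find_all(data, needle):
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def classify(data):
    """Map the strings found in a .COM image to the variants the entry lists."""
    if SLOGAN in data and PATH in data:
        return ["Twister.1767"]
    if MARK in data:
        # 451 and 863 carry the same string, so both stay candidates.
        return ["Twister.1015"] if PATH in data else ["Twister.451", "Twister.863"]
    return []

def scan_com(data):
    """Return one report per candidate variant, or None if no string matches."""
    variants = classify(data)
    if not variants:
        return None
    hits = find_all(data, b"Twister" if variants == ["Twister.1767"] else MARK)
    report = []
    for name in variants:
        n = SIZES[name]
        if len(data) < n * len(hits):   # file too small for this variant
            continue
        report.append({"variant": name, "copies": len(hits),
                       "at_start": any(h < n for h in hits),
                       "at_end": any(h >= len(data) - n for h in hits),
                       "est_clean_size": len(data) - n * len(hits)})
    return report

def sample(n, *strings):
    """Constructed stand-in for an n-byte infection: listed strings plus padding."""
    return b"".join(strings).ljust(n, b"\x00")

HOST = b"\xC3" * 100  # constructed 100-byte host program

if __name__ == "__main__":
    body = sample(1015, MARK, PATH)
    print(scan_com(body + HOST + body))   # reinfected: copies at start and end
```

Because Twister.863 is described as hiding viral code while memory resident, a check like this is only meaningful on files read without the virus active in memory. A string hit is a triage indicator, not proof of infection.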
