Ultra Virus


 Virus Name:  Ultra 
 Aliases:     Ultra.5700 
 V Status:    In the wild 
 Discovered:  July, 1996 
 Symptoms:    .COM & .EXE growth; DOS CHKDSK file allocation errors; 
              decrease in available free memory 
 Origin:      India 
 Eff Length:  5,700 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  AVTK, IBMAV, ViruScan, NAV, NAVDX, ChAV, 
                    Innoc, AVTK/N, IBMAV/N, NShld, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Ultra virus was received in July, 1996, and is reported to be 
       "in the wild".  This virus appears to be from India.  Ultra is a 
       memory resident stealth virus which infects .COM and .EXE files, 
       including COMMAND.COM. 
 
       When the first Ultra-infected program is executed, the virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, without changing the value returned by 
       interrupt 12.  Available free memory, as indicated by the DOS CHKDSK 
       program from DOS 5.0, will have decreased by 6,720 bytes.  
       Interrupts 21, 22, 2B, and 2C will be hooked by the virus in memory. 
 
       Once the Ultra virus is memory resident, it will infect .COM files 
       as well as .EXE files over 64K in size when they are executed. 
       Infected files will have a file length increase of 5,700 bytes, 
       though this file length increase will be hidden by the virus when 
       it is memory resident.  The virus will be located at the end of the 
       file.  The program's date and time in the DOS disk directory listing 
       will not appear to be altered.  The following text strings can be 
       found within the viral code: 
 
           "Ultra Violent S.T. - ONE (India)" 
           "Created by V.S." 
           "Since the beginning of time," 
           "When from the big bang," 
           "The mighty earth was born;" 
           "Since that first cry of newborn man" 
           "Amidst a brilliant dawn, twas proclaimed by the Talented 
            Sadist Amidst great laughter, ridicule and scorn..." 
           "That though a dark star may forever glow, Tis from light that 
            light shalt dawn" 
           "Quoted from the ST Book of Surrealistic madness - T.Sad, 
            V.Sad & Sadistic T" 
           "EXE COM C CPP ASM PAS FOR BAS COB CBL PRG DOC TXT LET WK1 WP 
            PCX BMP TIF GIF XLS DBF WRI BAK SAM PM4 PM5 PAK WK3 XLC CDR 
            FLI ARC ZIP DXF EPS FXP FRM DBT WMF CGM main()" 
           "SEGMENT" 
           "begin" 
           "end." 
           "Fortran Runtime Module Err" 
           "10 END" 
           "COBOL LINKE" 
           "RETURN" 
           "COMSPEC=" 
 
       These text strings are not visible within infected files while the 
       virus is memory resident, because the virus disinfects programs as 
       they are read into memory.  The DOS CHKDSK program, when executed 
       with the virus memory resident, will indicate file allocation errors 
       on all infected files. 
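
The check below is an added example, not part of the original entry or of any listed scanner: it looks for two of the text strings above in the last 5,700 bytes of .COM and .EXE files, which is where the entry places the virus. It assumes the strings are stored as plain ASCII, and it has to be run against files read without the virus resident (for example from a disk image), since the resident virus disinfects files as they are read; the function names and sample data are constructed for illustration.

```python
"""Flag .COM/.EXE files whose tail holds text strings listed for Ultra."""
from pathlib import Path

VIRUS_LENGTH = 5700  # effective length from the entry; virus sits at end of file
# Two of the listed strings. Plain ASCII storage is an assumption.
MARKERS = (b"Ultra Violent S.T. - ONE (India)", b"Created by V.S.")
TARGET_EXTENSIONS = {".com", ".exe"}


def tail_markers(data: bytes) -> list[str]:
    """Return the listed strings found in the last VIRUS_LENGTH bytes."""
    tail = data[-VIRUS_LENGTH:]  # whole file if it is shorter than that
    return [m.decode("ascii") for m in MARKERS if m in tail]


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map each .COM/.EXE path under root to the markers found in its tail."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in TARGET_EXTENSIONS:
            found = tail_markers(path.read_bytes())
            if found:
                hits[str(path)] = found
    return hits


def build_samples() -> dict[str, bytes]:
    """Constructed byte strings (no virus code) used to exercise the check."""
    host = b"\x90" * 2000
    appended = bytearray(VIRUS_LENGTH)  # zero-filled stand-in for the 5,700 bytes
    appended[100:100 + len(MARKERS[0])] = MARKERS[0]
    appended[200:200 + len(MARKERS[1])] = MARKERS[1]
    return {
        "clean": host,
        "tail_hit": host + bytes(appended),
        # Marker only in the host body, outside the final 5,700 bytes.
        "body_only": MARKERS[0] + b"\x00" * (VIRUS_LENGTH + 500),
    }


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, found in scan_tree(root).items():
        print(name, found)
```

A match only marks a file for closer inspection with one of the scanners listed under Detection Method; the strings alone do not confirm infection.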
