Urfydus Virus


 Virus Name:  Urfydus 
 Aliases:    
 V Status:    Rare 
 Discovered:  May, 1992 
 Symptoms:    .COM & .EXE growth; TSR 
 Origin:      Italy 
 Eff Length:  2,638 - 2,653 Bytes 
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, IBMAV, ChAV, 
                    AVTK, NAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, AVTK/N, NAV/N, IBMAV/N, Innoc, LProt 
 Removal Instructions:  Delete infected Files 
 
 General Comments: 
       The Urfydus virus was isolated in Italy in May, 1992.  This virus 
       is a memory resident infector of .COM and .EXE programs, including 
       COMMAND.COM, but not very small .COM and .EXE programs.  Its name 
       is italian, and translates to "Nasty" in english. 
 
       The first time a program infected with Urfydus is executed, this 
       virus will install itself memory resident as a low system memory 
       TSR of 3,152 bytes, hooking interrupts 21, CC, and F8. 
 
       Once Urfydus is memory resident, it will infect .COM and .EXE 
       programs when they are executed.  If the user attempts to execute 
       a program from a write protected diskette, the virus will attempt 
       to infect the program, resulting in the system hanging while it 
       attempts to write to the write protected diskette. 
 
       Programs infected with Urfydus will have a file length increase 
       of 2,638 to 2,653 bytes.  The virus will be located at the end 
       of the infected file.  The program's date and time in the DOS 
       disk directory listing will not have been altered.  The following 
       text string can be found within the viral code in all infected 
       programs: 
 
               "C:\SYSTEM\COMMAND.COM MMAND.COM" 
 
       It is unknown what Urfydus does besides replicate.

Show viruses from discovered during that infect .

Main Page