USSR 1049 Virus

Virus Name: USSR 1049 Aliases: RCE-1049, 1049 V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; system hangs; decrease in total system and available free memory Origin: USSR Eff Length: 1,049 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, AVTK, F-Prot, Sweep, ChAV, NAV, IBMAV, NAVDX, VAlert, PCScan, NShld, LProt, Sweep/N, Innoc, AVTK/N, IBMAV/N, NAV/N, NProt Removal Instructions: Delete infected files General Comments: The USSR 1049 virus was received in December, 1990. It originated in the USSR. This virus is a memory resident infector of .COM and .EXE files, and does not infect COMMAND.COM. When the first program infected with USSR 1049 is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. This memory will be 1,056 bytes in size and is reserved. The interrupt 12 return is not moved. Interrupt 21 will be hooked by the virus. After USSR 1049 is memory resident, the virus will infect .COM and .EXE files when they are executed. The virus, however, will not infect very small .EXE files. Infected files will increase in size by 1,051 to 1,064 bytes, the virus will be located at the end of the infected program. USSR 1049 is unusual in that it contains some code to support a deactivation code via a special interrupt 21 call that will stop the virus from infecting files. This code may have been used by the author when developing the virus to stop it from infecting programs. Systems infected with the USSR 1049 virus may experience system hangs when attempting to execute .EXE programs. These hangs occasionally occur when the virus infects .EXE program, though the program being infected will actually be infected. USSR 1049 does not do anything besides replicate. See: Alfa