USSR 2144 Virus

Virus Name: USSR 2144 Aliases: V2144, 2144, USSR 2144-B V Status: Rare Discovered: December, 1990 Symptoms: .COM & .EXE growth; decrease in total system and available memory Origin: USSR Eff Length: 2,144 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, NProt, AVTK/N, NAV/N, IBMAV/N, Innoc Removal Instructions: Delete infected files General Comments: The USSR 2144 virus was submitted in December, 1990, and is from the USSR. This virus is a memory resident infector of .COM and .EXE files, including COMMAND.COM. When the first program infected with the USSR 2144 virus is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. The DOS CHKDSK program will indicate memory values that show 4,608 bytes less total system memory and available free memory than expected. This virus does not move the interrupt 12 return. The virus also directly alters the interrupt page in memory so that some interrupts will now execute the virus's code. After USSR 2144 is memory resident, and program which was originally greater in length than 2K that is executed or opened for reason will become infected by the virus. Infected .COM programs will increase in length by 2,144 bytes. .EXE programs will increase in length by 2,144 to 2,159 bytes. In both cases, the virus will be located at the end of infected files. Infected files will not have their date and time in the disk directory altered, and this virus does not hide the change in file length of infected files. It is unknown if USSR 2144 does anything besides replicate. Known variant(s) of USSR 2144 are: USSR 2144-B: Received in March, 1991, this variant is functionally equivalent to the original virus. The virus' encryption has been slightly modified.