AT144 Virus


 Virus Name:  AT144 
 Aliases:     144 
 V Status:    Rare 
 Discovery:   June, 1991 
 Symptoms:    .COM file growth; file date/time changes; system hangs on 
              8086/8088 processor based systems 
 Origin:      Europe 
 Eff Length:  144 Bytes 
 Type Code:   PRfbCK - Parasitic Resident .COM  Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, AVTK, IBMAV, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The AT144 virus was discovered in Europe in June, 1991.  AT144 is 
       a memory resident infector of .COM programs, including COMMAND.COM. 
       It will only replicate and function on AT class machines.  On XT 
       class machines, the virus will simply hang the system. 
 
       The first time a program infected with AT144 is executed, AT144 
       will install itself memory resident in available free system memory, 
       with a portion of the virus residing in memory above the 640K DOS 
       boundary.  There will be no change in total system and available free 
       memory as indicated by the DOS CHKDSK program.  Interrupts 91, 93, 
       94, 95, 97, 98, 9A, 9B, 9C, 9D, 9E, 9F, A0, A1, A2, A6, A7, A9, AA, 
       AB, and AF will be hooked by the virus in low available free 
       memory. 
 
       Once AT144 is memory resident, it will infect .COM programs when 
       they are executed.  If COMMAND.COM is executed, it will become 
       infected.  Infected .COM programs will increase in size by 144 bytes 
       with the virus being located at the end of the infected file. 
       Infected files will also have had their file date and time in the 
       DOS disk directory updated to the current system date and time 
       when infection occurred. 
 
       AT144 does not do anything besides replicate. 
 
       An earlier "version" of this virus was also received, but it does 
       not replicate. 
 
       Known variant(s) of AT144 are: 
       AT108: Similar to the AT144 virus, this variant becomes memory 
              resident in a "hole" in low system memory, hooking interrupt 
              21.  Once resident, it infects .COM programs when they are 
              executed.  Infected programs will have a file length increase 
              of 108 bytes with the virus being located at the beginning 
              of the file.  The program's date and time in the DOS disk 
              directory listing will have been updated to the current 
              system date and time when infection occurred. 
              Origin:  Unknown  October, 1992. 
       AT114: Similar to the AT144 virus, this variant becomes memory 
              resident in a "hole" in low system memory, hooking interrupt 
              21.  Once resident, it infects .COM and .EXE programs when 
              they are executed.  Infected programs will have a file length 
              increase of 114 bytes with the virus being located at the 
              beginning of the file.  The remainder of the file will be 
              overwritten with hex "FF" characters.  The program's date and 
              time in the DOS disk directory listing will have been updated 
              to the current system date and time when infection occurred. 
              Frequent system hangs occur on infected systems, as well as 
              boot failures once COMMAND.COM becomes infected. 
              Origin:  Unknown  October, 1992. 
       AT118: Similar to the AT144 virus, this variant becomes memory 
              resident in a "hole" in low system memory, hooking interrupt 
              21.  Once resident, it infects .COM programs when they are 
              executed.  Infected programs will have a file length increase 
              of 118 bytes with the virus being located at the beginning 
              of the file.  The program's date and time in the DOS disk 
              directory listing will have been updated to the current 
              system date and time when infection occurred. 
              Origin:  Unknown  October, 1992. 
       AT122: Similar to the AT144 virus, this variant becomes memory 
              resident in a "hole" in low system memory, hooking interrupt 
              21.  Once resident, it infects .COM programs when they are 
              executed.  Infected programs will have a file length increase 
              of 122 bytes with the virus being located at the beginning 
              of the file.  The program's date and time in the DOS disk 
              directory listing will have been updated to the current 
              system date and time when infection occurred. 
              Origin:  Unknown  October, 1992. 
       AT140: Similar to the AT144 virus, this variant becomes memory 
              resident in a "hole" in low system memory, hooking interrupt 
              21.  Once resident, it infects .COM programs when they are 
              executed.  Infected programs will have a file length increase 
              of 140 bytes with the virus being located at the end of the 
              file.  The program's date and time in the DOS disk directory 
              listing will have been updated to the current system date and 
              time when infection occurred. 
              Origin:  Unknown  October, 1992. 
       AT149: Similar to the AT144 virus, this variant adds 149 bytes 
              to the .COM programs it infects. 
              Origin:  Unknown  January, 1992.

Show viruses from discovered during that infect .

Main Page