V82 Virus


 Virus Name:  V82 
 Aliases:    
 V Status:    Rare 
 Discovered:  October, 1991 
 Symptoms:    .COM file growth; .EXE file alternation; decrease in total 
              system and available free memory 
 Origin:      Bulgaria 
 Eff Length:  2,000 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, Sweep, F-Prot, NAV, NAVDX, AVTK, 
                    NShld, Sweep/N, AVTK/N, NProt, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The V82 virus was received from Europe in October, 1991.  The 
       submitter indicated that the submitted file was originally from 
       Bulgaria.  V82 is a memory resident infector of .COM and .EXE 
       programs, and will infect COMMAND.COM.  Some .EXE programs will be 
       internally altered, but not actually contain a replicating copy 
       of the virus. 
 
       The first time a program infected with V82 is executed, the V82 
       virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary.  Total system and available 
       free memory, as indicated by the DOS CHKDSK program, will have 
       decreased by 8,192 bytes.  Interrupt 12's return will not have been 
       moved.  Interrupt 2A will be hooked by the virus in memory.  It will 
       also install a 48 byte portion in low system memory. 
 
       Once memory resident, V82 will either infect or alter .COM and .EXE 
       programs, including COMMAND.COM, when they are executed. 
 
       In the case of .COM programs over 2,000 bytes in length, they will 
       be infected with the virus being located at the end of the infected 
       file.  These .COM programs may become infected many times as the 
       virus does not recognize the already infected file when it is later 
       executed by the system user.  .COM files increase in size by 2,000 
       bytes with each infection of the virus on the file.  V82 does not 
       infect or alter .COM files smaller than 2,000 bytes. 
 
       .EXE programs will only be infected by the virus when the file is 
       fairly large, and will usually not have any file length increase as 
       the virus will overwrite part of the host program.  In most .EXE 
       files, however, the virus will not actually infect the file but will 
       overwrite a portion of the program containing 00h characters, thus 
       altering it.  This code may actually be a trojan if it is executed 
       by the host program. 
 
       It is unknown what V82 does besides replicate. 
 
       See:   Phoenix   Phoenix 2000

Show viruses from discovered during that infect .

Main Page