V1024 Virus


 Virus Name:  V1024 
 Aliases:     Dark Avenger III, Stealth Virus, Diamond, 1024 
 V Status:    Rare 
 Discovered:  May, 1990 
 Symptoms:    TSR; decrease in available free memory 
 Origin:      Bulgaria 
 Eff Length:  1,024 Bytes 
 Type Code:   PRA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, NAV, AVTK, F-Prot, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The V1024, or Dark Avenger III, virus was discovered in Bulgaria in 
       April 1990 by Daniel Kalchev.  V1024 is a memory resident generic 
       infector of .COM and .EXE files.  It is believed to have been 
       written by the same person that wrote Dark Avenger and V2000.  This 
       virus may actually be an earlier version of the Dark Avenger virus, 
       it has many of the same characteristics, though it does not infect 
       all files when they are opened for any reason. 
 
       The first time a program infected with V1024 is executed, the virus 
       will install itself memory resident.  At this time, it checks to 
       see if several interrupts are being monitored, including interrupts 
       1 and 3.  If interrupts 1 and 3 are monitored, V1024 allow the 
       current program to run, but any subsequent program executed will 
       hang the system and V1024 will not replicate.  When V1024 is memory 
       resident, infected systems will experience a decrease in free 
       memory by 1,072 bytes.  Total system memory will not have changed. 
       The virus will have remapped several interrupts by altering their 
       location in the interrupt map page in memory.  These interrupts 
       will now be controlled by V1024. 
 
       After V1024 becomes memory resident, the virus will infect any 
       program executed which is greater in length than 1,024 bytes.  Both 
       .COM and .EXE files are infected, COMMAND.COM is not infected. 
       Infected files increase in length by 1,024 bytes, though this 
       increase will not appear if the virus is present in memory and a 
       DIR listing is done. 
 
       V1024 infected files can be identified by a text string which 
       appears very close to the end of infected files.  The text string 
       is: '7106286813'. 
 
       V1024 does not appear contain any activation date. 
 
       Known variant(s) of V1024 are: 
       Diamond: Similar to V1024, Diamond's main difference is that it 
                becomes memory resident at the top of system memory but 
                below the 640K DOS boundary.  Total system memory, and 
                available free memory, as measured by the DOS ChkDsk 
                program will decrease by 1,072 bytes.  Interrupts 08 and 
                21 will be hooked by the virus. 
       Diamond-B: Similar to Diamond, this variant has been slightly 
                  altered to avoid detection by some anti-viral programs. 
 
       See:   Alfa   Dark Avenger   Diamond   V651   V2000   Ah   Damage

Show viruses from discovered during that infect .

Main Page