Atas II Virus

Virus Name: Atas II Aliases: Atas-3321 V Status: Rare Discovery: January, 1993 Symptoms: .COM file growth; decrease in total system & available free memory; file allocation errors; system hangs Origin: Poland Eff Length: 3,321 Bytes Type Code: PRtCK - Parasitic Resident .COM Infector Detection Method: AVTK, Sweep, F-Prot, ViruScan, NAVDX, VAlert, IBMAV, NAV, PCScan, ChAV, Sweep/N, Innoc, NShld, AVTK/N, IBMAV/N, NAV/N, LProt Removal Instructions: Delete infected files General Comments: The Atas II, or Atas-3321, virus was submitted in January, 1993, and is originally from Poland. Atas II is a memory resident infector of .COM programs, including COMMAND.COM. It is a semi-stealth virus as it hides the file length increase on infected programs when the virus is memory resident. When the first Atas II infected program is executed, the Atas II virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 10,240 bytes. Interrupts 08, 10, 16, 1C, and 21 will be hooked by Atas II in memory. Once the Atas II virus is memory resident, it will infect .COM programs, including COMMAND.COM, when they are executed. Infected programs will have a file length increase of 3,321 bytes, though the file length increase will be hidden when the virus is resident in memory. The virus will be located at the end of infected files, and the program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the Atas II viral code: "bye <ò> music" "letters" "display Bye-Bye" "========.===" "ATAS Corporation.(B)1992,V1 Created in the Kiev by ATAS." Systems infected with the Atas II will experience file allocation errors being detected on all infected programs by the DOS CHKDSK program when it is executed with the virus memory resident. It is unknown what else Atas may do. See: Atas