Vampiro Virus


 Virus Name:  Vampiro 
 Aliases:     Vampiro.1000.A 
 V Status:    New 
 Discovered:  July, 1995 
 Symptoms:    .COM file growth 
 Origin:      Unknown 
 Eff Length:  1,000 Bytes 
 Type Code:   PNC - Parasitic Non-Resident .COM Infector 
 Detection Method: AVTK, VAlert, ViruScan, Sweep, NAV, NAVDX, 
                   IBMAV, F-Prot, ChAV, 
                   NShld, Sweep/N, NAV/N, IBMAV/N, AVTK/N, Innoc 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Vampiro or Vampiro.1000.A virus was received in July, 1995, 
       along with one variant.  Their origin or point of isolation is 
       unknown.  Vampiro is a non-resident, direct action infector of 
       .COM files, but not COMMAND.COM. 
 
       When a program infected with the Vampiro virus is executed, this 
       virus will infect one .COM file located in a subdirectory.  It does 
       not infect .COM files located in a root directory, nor does it 
       infect COMMAND.COM. 
 
       Programs infected with the Vampiro virus will have a file length 
       increase of 1,000 bytes with the virus being located at the end of 
       the file.  The program's date and time in the DOS disk directory 
       listing will not be altered.  The following text strings are 
       visible within the viral code in all infected files: 
 
           "???????????" 
           "Zarathustra & Drako les comunican que llego la hora de ir 
            a dormir. Shh!" 
           "Vampiro Virus." 
           "*.* . .. *.COM chklist.ms" 
           "COMMAND.COM all XRAY, memory allocation error." 
           "Cannot uninstall XRAY, it has not been installed." 
 
       This virus may interfer with the functionality of Microsoft Anti- 
       Virus since "chklist.ms" is one of its files. 
 
       Known variant(s) of Vampiro are: 
       Vampiro.1000.B: Also received in July, 1995, this is a variant 
           of the Vampiro virus described above.  It also adds 1,000 bytes 
           to the .COM files it infects, and does not infect files located 
           in a root directory.  The following text strings are visible 
           within the viral code: 
           "???????????" 
           "Zarathustra & Drako les comunican que llego la hora de ir 
            a dormir. Shh!" 
           "Vampiro Virus." 
           "*.* . .. ............... *.C?M chklist.ms anti-vir.dat" 
           "COMMAND.COM" 
           Origin:  Unknown  July, 1995. 
       Vampiro.1623: Received in January, 1996, this is a 1,623 byte 
           memory resident version of the Vampiro virus described above. 
           It becomes memory resident at the top of system memory but below 
           the 640K DOS boundary, hooking interrupt 21.  Available free 
           memory, as indicated by the DOS CHKDSK program from DOS 5.0, 
           will have decreased by 3,296 bytes.  Once resident, this variant 
           will infect .COM and .EXE files, but not COMMAND.COM, when they 
           are executed.  Infected files will have a file length increase 
           of 1,623 bytes with the virus being located at the end of the 
           file.  The file length increase will be hidden when the virus 
           is memory resident.  The program's date and time in the DOS disk 
           directory listing will not appear to be altered, though the 
           seconds field will have been set to "58".  The following text 
           strings are encrypted within the viral code: 
           "CHKLIST.MS ANTI-VIR.DAT TBF-SCANCHKDSKCOMMAND.COM" 
           "NO NO NO!! Que hace todavia despierto?!?!" 
           "Drako & Zarathustra le OBLIGAN a dormir." 
           "Que sea la ultima vez, ok?!?! En caso contrario, morira.. 
            JAJAJAJAJAJA" 
           "Vampiro 2.4 Version de Batalla - (C) Digital Anarchy 
            Viral Development" 
           Origin:  Unknown  January, 1996.

Show viruses from discovered during that infect .

Main Page