VComm Virus

Virus Name: VComm Aliases: 637, Vienna 637 V Status: Rare Discovered: December, 1989 Symptoms: .EXE growth; TSR; write failures Origin: Poland Eff Length: 637 - 1,149 Bytes Type Code: PRaE - Parasitic Resident .EXE Infector Detection Method: F-Prot, ViruScan, AVTK, NAV, Sweep, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: F-Prot, or delete infected files General Comments: The VComm virus is of Polish origin, first isolated in December, 1989. The virus is a .EXE file infector. When an infected file is run, the virus will attempt to infect one .EXE file in the current directory. It will also infect the memory resident version of the system's command interpreter. When VComm infects a file, it first pads the file so that the files length is a multiple of 512 bytes, then it adds its 637 bytes of virus code to the end of the file, so the file length increase is between 637 and 1,149 bytes. The file's date and time in the DOS disk directory listing will not be altered. The memory resident portion of the virus intercepts any disk writes that are attempted, and changes them into disk reads. Known variant(s) of VComm are: VComm.633: A 633 byte variant of the VComm virus described above, this variant adds 633 to 1,145 bytes to the .EXE programs it infected. The virus will be located at the end of the file and the file's date and time in the DOS disk directory listing will not be altered. One text string is visible within the viral code: "-DWD" Systems hangs may occur when programs are executed with the virus memory resident. Origin: Unknown July, 1994.