VCS Virus
Virus Name: VCS
Aliases: Virus Construction Set
V Status: Rare
Discovered: May, 1991
Symptoms: .COM file growth; message; autoexec.bat & config.sys replaced
Origin: Germany
Eff Length: 1,077 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: F-Prot, ViruScan, Sweep, AVTK, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The VCS, or Virus Construction Set, was submitted in May, 1991. It
is originally from Germany. VCS is a program which creates variants
of a 1,077 byte non-resident direct action .COM infector.
When the VCS program is executed, it will prompt the user in German
for the number of generations before the virus will activate, and
for the name of a text file which includes the message for the virus.
The VCS program will then create a program named VIRUS.COM which
will be a live virus generated to the user's specification. The
virus is encrypted so that the text message input by the user is
not visible.
When the VIRUS.COM program is executed, the VCS-generated 1,077
byte virus will infect from one to three .COM programs in the
current directory. If COMMAND.COM exists in the current directory,
it may become infected. Infected programs will increase in size
by 1,077 bytes with the virus being located at the end of the
infected file. There will be no change in the program's date and
time in the DOS disk directory.
VCS-generated viruses will activate after the number of generations
which was specified by the user. At the time of activation, the
virus will replace AUTOEXEC.BAT and CONFIG.SYS located in the C:
drive root directory. If these files did not previously exist, it
will create them. The new AUTOEXEC.BAT and CONFIG.SYS files will
be 512 byte files which contain the message text originally
specified during the virus' creation using VCS.
Known VCS generated viruses are:
DarkSide: DarkSide is a non-resident, direct action infector of
.COM programs, including COMMAND.COM. It will infect all
of the .COM programs in the current directory when an
infected program is executed. Infected programs will
have a file length increase of 1,077 bytes with the virus
being located at the end of the file. The following text
strings are encrypted within the viral code:
"Welcome to the DarkSide of the Realm!"
"We all heed a certain call, our minds cannot control,"
"drawn from deep within our hearts and deep within our"
"souls."
"c:\autoexec.bat"
"c:\config.sys"
Origin: Unknown November, 1992.
Paranoimia: Paranoimia is a non-resident, direct action infector
of .COM programs, including COMMAND.COM. It will infect one
or two .COM programs in the current directory when an
infected program is executed. Infected programs will
have a file length increase of 1,077 bytes with the virus
being located at the end of the file. The following text
strings are encrypted within the viral code:
"You have just been infected with the Paranoimia Virus!!!"
"If you have gotten this,
then the odds are that you pirated"
"software you shouldn't have..."
"Might as well press now..."
"c:\autoexec.bat c:\config.sys"
As with other VCS generated viruses, this virus may
overwrite the AUTOEXEC.BAT and CONFIG.SYS files located in
the C: drive root directory.
Origin: Unknown September, 1993.
VCS-Post: A non-resident, direct action infector of .COM
programs, including COMMAND.COM. It will infect
several .COM programs in the current directory each time
an infected program is executed. Infected programs will
have a file length increase of 1,077 bytes with the virus
being located at the end of the file. It also overwrites
the C: drive root directory's AUTOEXEC.BAT and
CONFIG.SYS files with the following text, which is also
displayed whenever an infected program is executed:
"