Veronika Virus

Virus Name: Veronika Aliases: V Status: New Discovered: July, 1994 Symptoms: .COM & .EXE growth; DOS CHKDSK file allocation errors; decrease in total system & available free memory; file date/time seconds = "42" Origin: Unkown Eff Length: 1,549 Bytes Type Code: PRhA - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, AVTK, Sweep, ViruScan, IBMAV, NAV, NAVDX, VAlert, PCScan, AVTK/N, Sweep/N, NProt, IBMAV/N, NShld, NAV/N Removal Instructions: Delete infected files General Comments: The Veronika virus was received in July, 1994. Its origin or point of isolation is unknown. Veronika is a memory resident steath type virus which infects .COM and .EXE files, but not COMMAND.COM. When the first Veronika infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,128 bytes. Interrupt 21 will be hooked by the virus in memory. Once memory resident, the Veronika virus will infect .COM and .EXE programs when they are executed. .EXE programs may also be infected when they are opened for any reason. Infected programs will have a file length increase of 1,549 bytes, though the file length increase will be hidden by the virus when it is memory resident. The file's date and time in the DOS disk directory listing will not appear to be altered, though the seconds field will have been set to "42". The following text string can be found at the end of all infected files: "Veronika P." The following additional text strings are encrypted within the viral code: "EXECOM" "Pctihomg" The DOS CHKDSK program will indicate file allocation errors on all infected programs when Veronika is memory resident.