Athens Virus


 Virus Name:  Athens 
 Aliases:    
 V Status:    Rare 
 Discovery:   May, 1992 
 Symptoms:    .COM & .EXE growth; "General Failure error reading drive" 
              messages 
 Origin:      Athens, Greece 
 Eff Length:  1,463 Bytes 
 Type Code:   PRfAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, NAV, IBMAV, AVTK, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, LProt, NAV/N, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Athens virus was discovered in Athens, Greece, in May, 1992. 
       This virus is a memory resident stealth virus which infects .COM 
       and .EXE programs, including COMMAND.COM. 
 
       When the first program infected with the Athens virus is executed, 
       this virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary, though the memory is not 
       reserved.  Total system and available free memory will not be 
       altered.  If COMMAND.COM was not previously infected, it will 
       be infected at this time.  No change in file length will be visible. 
 
       Once the Athens virus is memory resident, it will infect .COM and 
       .EXE programs when they are executed or opened for any reason. 
       Infected programs will have a file length increase of 1,463 bytes, 
       with the virus being located at the end of the infected file.  The 
       file length increase will be hidden by the virus when it is 
       memory resident.  The file's date and time in the DOS disk directory 
       listing will not be altered. 
 
       The following text string is encrypted within the viral code in 
       infected programs: 
 
               "TROJECTOR II,(c) Armagedon Utilities, Athens 1992" 
 
       Systems infected with the Athens virus may experience general 
       failure errors when attempting to execute programs on diskettes, 
       requiring an Abort, Retry, Ignore, or Fail response. 
 
       It is unknown if Athens does anything besides replicate. 
 
       Trojector: Probably an earlier version of the Athens virus 
                  described above, Trojector's size in memory is 
                  3,776 bytes, hooking interrupt 21.  It infects .COM and 
                  .EXE programs, including COMMAND.COM, when they are 
                  executed or opened with the virus memory resident. 
                  Infected programs will have a file length increase of 
                  1,561 bytes, though the length increase will not be 
                  visible when Trojector is memory resident.  The virus 
                  will be located at the end of the infected program. 
                  The following text strings are encrypted within the 
                  viral code: 
                  "TROJECTOR ]I[,(c) Armagedon Utilities, Athens 1992," 
                  "Greetings to Vesselin" 
                  Systems infected with Trojector may experience system 
                  hangs when infected .COM programs are executed, as well 
                  as the DOS CHKDSK program indicating errors on disks 
                  regardless of whether the virus is memory resident. 
                  Origin:  Greece  August, 1992. 
       Trojector-B: Similar to Trojector, Trojector-B has been altered 
                  to avoid detection by some anti-viral scanning programs. 
                  Origin:  Unknown  January, 1994.

Show viruses from discovered during that infect .

Main Page