Vice Virus

Virus Name: Vice Aliases: Vice.1197 V Status: New Discovered: January, 1996 Symptoms: .COM & .EXE growth; file date/time year decade = "5"; decrease in available free memory Origin: Unknown Eff Length: 1,197 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, AVTK, IBMAV, PCScan, ChAV, NAV, NAVDX, ViruScan, AVTK/N, IBMAV/N, NAV/N, NShld, Innoc Removal Instructions: Delete infected files General Comments: The Vice virus was received in January, 1996. Its origin or point of isolation is unknown. Vice is a memory resident, stealth, fast infector of .COM and .EXE files, including COMMAND.COM. When the first Vice infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Available free memory will have decreased by approximately 1,520 bytes. Interrupts 08 and 21 will be hooked by the virus in memory. Once the Vice virus is memory resident, it will infect .COM and .EXE files, including COMMAND.COM, when they are executed, opened, or copied. Infected files will have a file length increase of 1,197 bytes, though the file length increase will be hidden when the virus is memory resident. The virus will be located at the end of the file. The program's date/time year's decade in the DOS disk directory listing will have been changed to "5". The following text strings are encrypted within the viral code: "Vice_V1.0S-MA(C).smartc*.* chklist.*" "\PCB\MAIN\USERS." "\PCB\DL01\TRSI3PTG.ZIP" "HaCKMaSTER" The DOS CHKDSK program from DOS 5.0 will not function when this virus is memory resident, attempts to execute this program will result in the message "Cannot execute CHKDSK.EXE" being displayed on the system display.