Attack Virus


 Virus Name:  Attack 
 Aliases:     Attack-1501, Cuban   
 V Status:    Rare 
 Discovery:   April, 1992 
 Symptoms:    .COM file growth; TSR; "Not enough memory" errors 
 Origin:      Cuba 
 Eff Length:  1,501 Bytes 
 Type Code:   PRsC - Parasitic Resident .COM  Infector 
 Detection Method:  F-Prot, Sweep, ViruScan, AVTK, NAVDX, VAlert, 
                    IBMAV, NAV, PCScan, ChAV, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, IBMAV/N, 
                    LProt, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Attack, or Attack-1501, virus was received in April, 1992 
       from Cuba.  This virus is a memory resident parasitic infector 
       of .COM programs, but not COMMAND.COM.  There is also an earlier 
       version of the virus, described below, which is an overwriting 
       virus. 
 
       The first time a program infected with the Attack virus is 
       executed, this virus will install itself memory resident as a low 
       system memory TSR of 3,552 bytes.  It hooks interrupts 13, 21, and 
       F8. 
 
       Once the Attack virus is memory resident, it will infect two .COM 
       programs located in the current directory any time a program is 
       executed or a DOS DIR command is performed.  Programs infected with 
       the Attack virus will typically have a file length increase of 
       1,501 bytes.  The exception is that if the original .COM program 
       was smaller than 1,173 bytes, the program once infected will have 
       a length of 2,684 bytes.  The file's date and time in the DOS disk 
       directory listing will not be altered. 
 
       The following text strings can be found in all Attack infected 
       files: 
 
               "The Terminator Attack Now" 
               "????????COM" 
               "*.COM COMMAND.COM ERROR IN DEBBUG" 
 
       Systems infected with the Attack virus may notice that some 
       programs will no longer function properly, resulting in a 
       "Not enough memory" error message when they are executed. 
 
       Known variant(s) of Attack are: 
       Attack-918: An earlier version of the Attack virus, this 
                   variant installs a 1.2K TSR when it becomes memory 
                   resident.  Once it is memory resident, it will infect 
                   two .COM programs located in the current directory 
                   whenever any program is executed or a DOS DIR command 
                   is performed.  Infected programs will have the first 
                   918 bytes of the host program overwritten by the 
                   Attack-918 viral code.  Infected programs will fail 
                   to execute properly, and must be replaced from clean, 
                   uninfected backups. 
                   Origin:  Cuba  April, 1992.

Show viruses from discovered during that infect .

Main Page