Virus Name: X-2
Aliases:
V Status: Rare
Discovery: October, 1992
Symptoms: .EXE file growth; decrease in total system & available free
memory; system hangs; file date/time seconds set to "60"
Origin: England
Eff Length: 795 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, PCScan,
IBMAV, NAV, NAVDX, VAlert, ChAV,
NShld, Sweep/N, Innoc, AVTK/N, NProt, IBMAV/N, NAV/N,
LProt
Removal Instructions: Delete infected files
General Comments:
The X-2 virus was received from Manchester, England, in October,
1992. X-2 is a memory resident infector of .EXE programs and
employs some stealth techniques to avoid detection.
The first time a program infected with the X-2 virus is executed,
this virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. Total system and available
free memory, as measured by the DOS CHKDSK program, will have
decreased by 3,008 bytes. Interrupt 21 will be hooked by X-2 in
memory.
Once the X-2 virus is memory resident, it will infect .EXE programs
when they are executed. Infected programs will have a file length
increase of 795 bytes, though the file length increase will be
hidden when X-2 is memory resident. The virus will be located at
the end of the infected file. The seconds field in the file's
time in the DOS disk directory listing will have been set to "60".
The following text strings are encrypted within the viral code:
"[X-2] ICE-9, -- Made in England."
"Hi I'am called X-2, get my name right!"
"Look out for the X-3 twins."
Systems infected with X-2 will experience the DOS CHKDSK program
finding file allocation errors on all infected .EXE programs when
X-2 is memory resident. Additionally, execution of some anti-viral
programs with the virus in memory will result in a system hang.
Known variant(s) of X-2 are:
X-1: An earlier variant of the X-2 virus, X-1 is a non-resident
direct action infector of .EXE programs. It infects one .EXE
program in the current directory each time an infected program
is executed. A system hang will then occur. Infected programs
will have a file length increase of 568 to 578 bytes with the
virus being located at the end of the file. The file's date
and time in the DOS disk directory listing will not be altered.
X-1 activates on March 5th of any year, at which time execution
of an infected program will result in the display of the
following message and a system hang:
" ICE-9 Presents
In Association with
The ARcV
[X-1]
Michelangelo activates
-< TOMORROW >-"
This text is encrypted within the viral code, and is not visible
in infected programs.
X-1B: A minor variant of the X-1 variant described above, this
variant adds 572 to 586 bytes to the .EXE programs it infects.
It contains the same encrypted text messages as the X-1 variant,
and its effect and date of activation are also the same as X-1.
Origin: England March, 1993.
X-3B: A later variant of the X-2 virus, X-3B is a memory resident
infector of .COM and .EXE programs, including COMMAND.COM. Its
size in memory is 2,048 bytes, hooking interrupt 21. Once
resident, X-3B will infect programs when they are executed,
adding 1,060 bytes to the file's size. The file length increase,
however, will be hidden when the virus is memory resident. The
program's date and time in the DOS disk directory listing will
not be altered. X-3B is unable to distinquish when it has
previously infected a program, so program reinfections will
occur, adding an additional 1,060 bytes with each reinfection.
The following text strings are encrypted with the X-3B viral
code:
"[X-3b] ICE-9 (c) 1992 ICE-9 Written Out 1992"
"Look out 4 future releases"
"THE TWINS"
"[X-3a] & [X-3b]"
"ARE ON YOUR PC"
"ICE-9"
Systems infected with X-3B may experience frequent system
hangs when the virus is memory resident. The DOS CHKDSK
program will also detect file allocation errors on infected
programs when X-3B is memory resident.
Origin: England March, 1993.
|