X-2 Virus


 Virus Name:  X-2 
 Aliases:    
 V Status:    Rare 
 Discovery:   October, 1992 
 Symptoms:    .EXE file growth; decrease in total system & available free 
              memory; system hangs; file date/time seconds set to "60" 
 Origin:      England 
 Eff Length:  795  Bytes 
 Type Code:   PRhE - Parasitic Resident .EXE Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, Sweep, PCScan, 
                    IBMAV, NAV, NAVDX, VAlert, ChAV, 
                    NShld, Sweep/N, Innoc, AVTK/N, NProt, IBMAV/N, NAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The X-2 virus was received from Manchester, England, in October, 
       1992.  X-2 is a memory resident infector of .EXE programs and 
       employs some stealth techniques to avoid detection. 
 
       The first time a program infected with the X-2 virus is executed, 
       this virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary.  Total system and available 
       free memory, as measured by the DOS CHKDSK program, will have 
       decreased by 3,008 bytes.  Interrupt 21 will be hooked by X-2 in 
       memory. 
 
       Once the X-2 virus is memory resident, it will infect .EXE programs 
       when they are executed.  Infected programs will have a file length 
       increase of 795 bytes, though the file length increase will be 
       hidden when X-2 is memory resident.  The virus will be located at 
       the end of the infected file.  The seconds field in the file's 
       time in the DOS disk directory listing will have been set to "60". 
       The following text strings are encrypted within the viral code: 
 
               "[X-2] ICE-9, -- Made in England." 
               "Hi I'am called X-2, get my name right!" 
               "Look out for the X-3 twins." 
 
       Systems infected with X-2 will experience the DOS CHKDSK program 
       finding file allocation errors on all infected .EXE programs when 
       X-2 is memory resident.  Additionally, execution of some anti-viral 
       programs with the virus in memory will result in a system hang. 
 
       Known variant(s) of X-2 are: 
       X-1: An earlier variant of the X-2 virus, X-1 is a non-resident 
            direct action infector of .EXE programs.  It infects one .EXE 
            program in the current directory each time an infected program 
            is executed.  A system hang will then occur.  Infected programs 
            will have a file length increase of 568 to 578 bytes with the 
            virus being located at the end of the file.  The file's date 
            and time in the DOS disk directory listing will not be altered. 
            X-1 activates on March 5th of any year, at which time execution 
            of an infected program will result in the display of the 
            following message and a system hang: 
            "         ICE-9 Presents 
                    In Association with 
                         The  ARcV 
                           [X-1] 
 
                   Michelangelo activates 
                      -< TOMORROW >-" 
            This text is encrypted within the viral code, and is not visible 
            in infected programs.     
       X-1B: A minor variant of the X-1 variant described above, this 
            variant adds 572 to 586 bytes to the .EXE programs it infects. 
            It contains the same encrypted text messages as the X-1 variant, 
            and its effect and date of activation are also the same as X-1. 
            Origin:  England  March, 1993. 
       X-3B: A later variant of the X-2 virus, X-3B is a memory resident 
            infector of .COM and .EXE programs, including COMMAND.COM.  Its 
            size in memory is 2,048 bytes, hooking interrupt 21.  Once 
            resident, X-3B will infect programs when they are executed, 
            adding 1,060 bytes to the file's size.  The file length increase, 
            however, will be hidden when the virus is memory resident.  The 
            program's date and time in the DOS disk directory listing will 
            not be altered.  X-3B is unable to distinquish when it has 
            previously infected a program, so program reinfections will 
            occur, adding an additional 1,060 bytes with each reinfection. 
            The following text strings are encrypted with the X-3B viral 
            code: 
                   "[X-3b] ICE-9 (c) 1992 ICE-9 Written Out 1992" 
                   "Look out 4 future releases" 
                   "THE TWINS" 
                   "[X-3a] & [X-3b]" 
                   "ARE ON YOUR PC" 
                   "ICE-9" 
            Systems infected with X-3B may experience frequent system 
            hangs when the virus is memory resident.  The DOS CHKDSK 
            program will also detect file allocation errors on infected 
            programs when X-3B is memory resident. 
            Origin:  England  March, 1993. 

Show viruses from discovered during that infect .

Main Page