Xandu Virus
Virus Name: Xandu
Aliases:
V Status: New
Discovery: December, 1994
Symptoms: .EXE file growth; decrease in available free memory
Origin: Unknown
Eff Length: 2,385 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: AVTK, Sweep, NAV, NAVDX, VAlert, IBMAV, ViruScan, PCScan, Sweep/N, AVTK/N, NAV/N, IBMAV/N, NShld
Removal Instructions: Delete infected files
General Comments:
The Xandu virus was received in December, 1994. Its origin or point
of isolation is unknown. Xandu is a memory resident infector of
.EXE files, though it does not infect most .EXE files, and it does
not infect files under versions of DOS below 5.0.

When the first Xandu infected program is executed, the virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, without changing the memory size returned by
interrupt 12. Available free memory, as indicated by the DOS CHKDSK
program from DOS 5.0, will have decreased by 5,264 bytes. Interrupt
21 will be hooked by the virus in memory.

Once the Xandu virus is memory resident, it may infect .EXE files
when they are executed. Infected programs will have a file length
increase of 2,385 bytes, with the virus located at the end of the
file. The program's date and time in the DOS disk directory listing
will not be altered. The following text strings are encrypted within
the Xandu viral code:
"XANDU Virus ! (C) 1993 By MTZ - Italy !"
"
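The on-disk symptoms described above (growth of exactly 2,385 bytes with an unaltered directory date and time) can be checked against a previously recorded size baseline. The following is an added example, not part of the original entry: the function names and the dummy files are constructed for illustration, and a match is a heuristic indicator rather than proof of infection.

```python
import os
import tempfile

XANDU_GROWTH = 2385  # effective length given in the entry above

def snapshot(root):
    """Record (size, mtime in whole seconds) for every .EXE file under root."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                base[path] = (st.st_size, int(st.st_mtime))
    return base

def suspects(baseline, current, growth=XANDU_GROWTH):
    """Paths that grew by exactly `growth` bytes while the timestamp stayed put."""
    hits = []
    for path, (old_size, old_mtime) in baseline.items():
        if path not in current:
            continue  # deleted files are a separate finding
        new_size, new_mtime = current[path]
        if new_size - old_size == growth and new_mtime == old_mtime:
            hits.append(path)
    return sorted(hits)

def grow(path, nbytes, keep_time):
    """Constructed test helper: pad a dummy file with zero bytes."""
    st = os.stat(path)
    with open(path, "ab") as f:
        f.write(b"\0" * nbytes)
    shift = 0 if keep_time else 3600
    os.utime(path, (st.st_atime + shift, int(st.st_mtime) + shift))

def demo():
    """Constructed sample: only A.EXE shows both symptoms from the entry."""
    with tempfile.TemporaryDirectory() as root:
        paths = {n: os.path.join(root, n) for n in ("A.EXE", "B.EXE", "C.EXE")}
        for p in paths.values():
            with open(p, "wb") as f:
                f.write(b"MZ" + b"\0" * 1000)  # dummy content, not a real program
        before = snapshot(root)
        grow(paths["A.EXE"], XANDU_GROWTH, keep_time=True)   # matches the symptom
        grow(paths["B.EXE"], XANDU_GROWTH, keep_time=False)  # looks like an update
        return [os.path.basename(p) for p in suspects(before, snapshot(root))]

if __name__ == "__main__":
    print(demo())
```
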