Xpeh Virus
Virus Name: Xpeh
Aliases: 4-B
V Status: Rare
Discovery: May, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available free
          memory; system hangs
Origin: Unknown
Eff Length: 4,016 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: Sweep, F-Prot, NAV, AVTK, NAVDX, VAlert, PCScan, IBMAV,
                  ViruScan, ChAV, NShld, LProt, NShld, Sweep/N, NProt,
                  AVTK/N, NAV/N, IBMAV/N, Innoc
Removal Instructions: Delete infected files
General Comments:
The Xpeh, or 4-B, virus was submitted in May, 1992. Its origin or
point of isolation is unknown. Xpeh is a memory resident infector
of .COM and .EXE programs, but not COMMAND.COM.

The first time a program infected with the Xpeh virus is executed,
this virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. It does not move interrupt
12's return. Total system and available free memory, as indicated
by the DOS CHKDSK program, will have decreased by 4,032 bytes. The
virus will have hooked interrupts 1C and 21.

Once the Xpeh virus is memory resident, it will infect .COM and
.EXE programs, other than COMMAND.COM, when they are executed or
opened for any reason. Infected programs will have a file length
increase of 4,016 bytes with the virus being located at the end of
the file. The program's date and time in the DOS disk directory
listing will not be altered. No text strings are visible within the
viral code of Xpeh infected programs.

Systems infected with the Xpeh virus may experience frequent system
hangs when attempting to execute programs.

It is unknown if Xpeh contains any damage potential.

Known variant(s) of Xpeh are:

Xpeh-3600: Based on the Xpeh virus described above, this
           variant's size in memory is 3,600 bytes. Like Xpeh,
           it hooks interrupts 1C and 21. Xpeh-3600 adds 3,600
           to 3,615 bytes to the .COM and .EXE programs it
           infects. There will be no visible change to the
           program's date and time in the DOS disk directory
           listing. No text strings are visible within the viral
           code in infected programs.
           Origin: Eastern Europe, August, 1992.

Xpeh-3840: A 3,840 byte variant of the Xpeh virus, Xpeh-3840's
           size in memory is 4,080 bytes. Like other members of
           the Xpeh group, this variant hooks interrupts 1C and 21.
           Infected .COM and .EXE programs will have a file length
           increase of 3,840 bytes with the virus being located
           at the end of the file. The program's date and time
           in the DOS disk directory listing will not be altered.
           Two text strings are visible within the viral code in
           infected programs:
             "execombak"
             "lextxt"
           Origin: Eastern Europe, August, 1992.

Xpeh-4048: A 4,048 byte variant of the Xpeh virus, Xpeh-4048
           installs itself memory resident at the top of system
           memory, using approximately 4K. Like other members of
           the Xpeh group, this variant hooks interrupts 1C and 21.
           Infected .COM and .EXE programs will have a file length
           increase of 4,048 bytes with the virus being located
           at the end of the file. The program's date and time
           in the DOS disk directory listing will not be altered.
           No text strings are visible in the viral code in infected
           programs. System hangs may occur when infected programs
           are executed.
           Origin: Eastern Europe, August, 1992.

Xpeh-B:    Functionally equivalent to the original Xpeh virus, this
           variant has one byte which differs.
           Origin: Unknown, May, 1992.
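
The symptoms above (fixed growth appended at the end of .COM/.EXE files, with the directory date and time left unchanged) can be checked against a file-integrity baseline. The following is an added example, not part of the original entry; the function names, snapshot layout and sample data are assumptions constructed for illustration. A length match alone is weak evidence and only marks a file for scanning.

```python
import ntpath

# Length increase in bytes per variant, (low, high), as listed in the entry above.
XPEH_GROWTH = {
    "Xpeh": (4016, 4016), "Xpeh-3600": (3600, 3615),
    "Xpeh-3840": (3840, 3840), "Xpeh-4048": (4048, 4048),
}
# Strings the entry reports as visible in Xpeh-3840 infected programs.
XPEH_3840_STRINGS = (b"execombak", b"lextxt")


def match_growth(delta):
    """Return the variants whose listed length increase equals delta bytes."""
    return [v for v, (lo, hi) in XPEH_GROWTH.items() if lo <= delta <= hi]


def triage(baseline, current):
    """baseline: {path: (size, mtime)}; current: {path: (mtime, content)}."""
    findings = {}
    for path, (old_size, old_mtime) in baseline.items():
        name = ntpath.basename(path).lower()
        # The entry says COMMAND.COM is not infected, so it is out of scope here.
        if path not in current or not name.endswith((".com", ".exe")) or name == "command.com":
            continue
        new_mtime, content = current[path]
        variants = match_growth(len(content) - old_size)
        if variants:
            tail = content[old_size:]  # the entry places the virus at the end of the file
            findings[path] = {
                "variants": variants,
                "mtime_unchanged": new_mtime == old_mtime,  # grew, yet same timestamp
                "strings_3840": all(s in tail for s in XPEH_3840_STRINGS),
            }
    return findings


# Constructed sample snapshots (illustrative sizes, timestamps and filler bytes).
SAMPLE_BASELINE = {
    r"C:\DOS\EDIT.COM": (413, 706000000),
    r"C:\UTIL\LIST.EXE": (2000, 706000100),
    r"C:\UTIL\PATCHED.EXE": (5000, 706000200),
    r"C:\UTIL\NOTES.TXT": (100, 706000300),
}
SAMPLE_CURRENT = {
    r"C:\DOS\EDIT.COM": (706000000, b"\x90" * (413 + 4016)),
    r"C:\UTIL\LIST.EXE": (706000100, b"\x00" * 2000 + b"execombak lextxt" + b"\x00" * 3824),
    r"C:\UTIL\PATCHED.EXE": (706999999, b"\x00" * 5500),
    r"C:\UTIL\NOTES.TXT": (706000300, b"a" * (100 + 4016)),
}
```

Calling triage(SAMPLE_BASELINE, SAMPLE_CURRENT) flags EDIT.COM and LIST.EXE only; a baseline that tracks timestamps but not sizes would miss both.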