XPH Virus


 Virus Name:  XPH 
 Aliases:     XPH-1100 
 V Status:    New 
 Discovery:   May, 1993 
 Symptoms:    .COM & .EXE growth; system hangs; 
              decrease in total system & available free memory 
 Origin:      Unknown 
 Eff Length:  1,100 - 1,114 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, AVTK, Sweep, IBMAV, NAV, NAVDX, VAlert, 
                    ViruScan, PCScan, ChAV, 
                    NShld, Sweep/N, NAV/N, AVTK/N, NProt, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The XPH, or XPH-1100, virus was submitted in May, 1993.  Its origin 
       or point of isolation is unknown.  XPH is a memory resident infector 
       of .COM and .EXE programs, including COMMAND.COM. 
 
       When the first XPH infected program is executed, this virus will 
       install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, not moving interrupt 12's return.  Total 
       system and available free memory, as indicated by the DOS CHKDSK 
       program, will have decreased by 1,168 bytes.  Interrupt 12 will be 
       hooked by XPH, but will be mapped to low available free memory.  Also 
       at this time, the virus will infect COMMAND.COM if it was not 
       previously infected. 
 
       Once the XPH virus is memory resident, it will infect .COM and .EXE 
       programs when they are executed or opened for any reason.  Infected 
       .COM programs will have a file length increase of 1,100 bytes.  .EXE 
       programs will have a file length increase of 1,100 to 1,114 bytes. 
       In both cases the virus will be located at the end of the file, and 
       the program's date and time in the DOS disk directory listing will 
       not be altered.  The following text strings are visible within the 
       viral code in all XPH infected programs: 
 
               "XPH" 
               "ASCECLHVSRVINWI" 
 
       The second text string above occurs very close to the end of 
       infected files. 
 
       Systems infected with the XPH virus may experience system hangs when 
       the user attempts to execute programs.  It is unknown what other 
       capabilities are programmed within this virus. 
 
       Known variant(s) of XPH are: 
       XPH-1029: A later version of the XPH virus described above, this 
                 variant's size in memory is 1,088 bytes, hooking interrupt 
                 21.  Infected .COM files increase in size by 1,029 bytes, 
                 while infected .EXE files increase in size by 1,029 to 
                 1,043 bytes.  The virus will be located at the end of 
                 infected files, and the program's date and time in the DOS 
                 disk directory listing will not be altered.  The text 
                 strings from the original virus also occur in this variant, 
                 as do system hangs when some programs are executed. 
                 Origin:  Unknown  May, 1993. 
       XPH.1032: Based on the XPH virus described above, this variant's 
                 size in memory is 1,088 bytes, hooking interrupt 21. 
                 Infected .COM files increase in size by 1,032 bytes, while 
                 infected .EXE files increase in size by 1,032 to 1,046 
                 bytes.  The virus will be located at the end of infected 
                 files, and the program's date and time in the DOS disk 
                 directory listing will not be altered.  The text strings 
                 from the original virus also occur in this variant. 
                 Origin:  Unknown  May, 1995. 
       XPH.2012: Received in February, 1995, XPH.2012 is a 2,012 byte 
                 variant of the XPH virus.  Its size in memory is 2,112 
                 bytes, hooking interrupt 21.  It infects .COM and .EXE 
                 files when they are executed or opened, but not when 
                 copied.  Infected files increase in size by 2,012 to 2,049 
                 bytes with the virus being located at the end of the file. 
                 The file's date and time in the DOS disk directory listing 
                 will not be altered.  The following text string is encrypted 
                 within the viral code: 
                 "(C) 08/09/93 by McAfee Associates.ASCECLHVSPF-ACPRVINWI" 
                 Origin:  Unknown  February, 1995. 
       XPH.DR&ET: Received in August, 1994, XPH.DR&ET is a 1,710 byte 
                 variant of the XPH virus.  Its size in memory is 1,776 
                 bytes, hooking interrupt 21.  It infects .COM and .EXE 
                 files when they are executed or opened, but not when 
                 copied.  Infected .COM files increase in size by 1,710 
                 bytes, while infected .EXE files increase in size by 1,710 
                 to 1,724 bytes.  The virus will be located at the end of 
                 infected files, and the program's date and time in the DOS 
                 disk directory listing will not be altered.  The following 
                 text string is usually encrypted within the viral code, 
                 though it may be visible within some infected programs: 
                 "(c) 23.5.3945 / DR & ETASCECLHVSPF-ACPRVINWI " 
                 System hangs may occur when some infected programs are 
                 executed. 
                 Origin:  Unknown  August, 1994. 
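
The check below is an added example, not part of the original entry: it looks for the two plaintext strings quoted above in the last 1,114 bytes of .COM and .EXE files, since the entry places the virus at the end of the file and 1,114 bytes is the largest growth listed for the variants that carry the strings unencrypted (XPH, XPH-1029, XPH.1032). XPH.2012 and XPH.DR&ET are described as holding their strings encrypted, so this check is not expected to match them. The function names, the sample file names and the sample bytes are constructed for the illustration.

```python
import os
import tempfile

MARKER_NAME = b"XPH"
MARKER_TAIL = b"ASCECLHVSRVINWI"
MAX_GROWTH = 1114            # largest growth the entry lists for plaintext variants
TARGET_EXTS = {".com", ".exe"}

def scan_file(path):
    """Return marker distances from end of file, or None if not flagged."""
    if os.path.splitext(path)[1].lower() not in TARGET_EXTS:
        return None
    size = os.path.getsize(path)
    window = min(size, MAX_GROWTH)   # files shorter than the window are read whole
    with open(path, "rb") as fh:
        fh.seek(size - window)
        tail = fh.read(window)
    name_at, tail_at = tail.find(MARKER_NAME), tail.rfind(MARKER_TAIL)
    if name_at < 0 or tail_at < 0:   # "XPH" alone is too short to be a signal
        return None
    return {"path": path, "xph_from_end": window - name_at,
            "tail_marker_from_end": window - tail_at}

def scan_tree(root):
    """Scan every .COM/.EXE under root; return flagged files in path order."""
    paths = [os.path.join(folder, name)
             for folder, _dirs, files in os.walk(root) for name in files]
    return [hit for hit in map(scan_file, sorted(paths)) if hit]

def build_samples(directory):
    """Write constructed files: filler bytes plus the two strings, no viral code."""
    host = b"\x90" * 300
    body = bytearray(1100)
    body[40:43] = MARKER_NAME        # offset chosen arbitrarily for the sample
    body[-20:-5] = MARKER_TAIL       # close to the end, as the entry describes
    samples = {"CLEAN.COM": host, "MARKED.COM": host + bytes(body),
               "TINY.EXE": b"MZ", "NOTES.TXT": bytes(body)}
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        for hit in scan_tree(tmp):
            print(hit)
```

A match is a reason to examine the file with a current scanner, not a verdict, because both strings are short enough to appear in unrelated data.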
