Xuxa Virus
Virus Name: Xuxa
Aliases: Xuxa.1413
V Status: Rare
Discovery: March, 1992
Symptoms: .COM file growth; TSR; order of programs in directory altered;
music
Origin: Argentina
Eff Length: 1,413 Bytes
Type Code: PRsC - Parasitic Resident .COM Infector
Detection Method: ViruScan, F-Prot, AVTK, Sweep, ChAV,
IBMAV, NAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N,
IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Xuxa virus was submitted in March, 1992. It was originally
isolated in Argentina. Xuxa is a memory resident infector of .COM
programs. It does not infect COMMAND.COM.
The first time a program infected with Xuxa is executed, this virus
will install itself memory resident as a low system memory TSR of
1,728 bytes. Interrupts 1C and 21 will be hooked by Xuxa in
memory.
After the Xuxa virus has become memory resident, it will infect .COM
programs when they are executed. Infected programs will have a file
length increase of 1,413 bytes. The virus will be located at the
beginning of the program. The file's date and time in the DOS disk
directory listing will not be altered. Two text strings appear in
the viral code in all infected programs:
"COMMANDCOM"
"$$TMP.COM"
Systems infected with the Xuxa virus may notice that infected
programs will no longer be in their original position in the DOS
disk directory listing. They will appear towards the end of the
directory, or in the position where the entry occurred for a file
the user has recently deleted.
The Xuxa virus will play music between 5:00PM and 6:00PM. The
tune is the theme song from the children's TV show "El show de
Xuxa" which is broadcast in Argentina during this time period.
Known variant(s) of Xuxa are:
Xuxa.1096: Received in January, 1996, this is a 1,096 byte
variant of the Xuxa virus described above. Its size in memory
is 2,720 bytes, hooking interrupt 21. Once memory resident, it
infects .COM files, but not COMMAND.COM, when they are executed.
It will also infect the copy of FORMAT.COM located in the C:
drive root directory if it was not previously infected at the
time it becomes memory resident. Infected files will have a
file length increase of 1,061 bytes with the virus being located
at the end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The following text
strings are encrypted within the viral code:
"Si no viste el Show de Xuxa por T.V, ni en vivo..."
"ahora podes verlo en tu PC!. - XOU DA XUXA 1.2"
"By Leviathan."
"C:\DOS\FORMAT.COM"
"CHKLIST.MS ANTI-VIR.DAT COMMAND.COM"
"C:\DOS\ANTI-VIR.DAT"
Origin: Unknown January, 1996.
Xuxa-1405: Discovered in Argentina in June, 1992, Xuxa-1405 is
a slightly smaller version of the Xuxa virus described above.
It adds 1,405 bytes to the end of the .COM programs it infects.
The virus will be located at the beginning of infected files.
Its memory resident TSR is 1,712 bytes in size, and hooks
interrupts 1C and 21.
Origin: Argentina June, 1992.
Xuxa.1656: Received in January, 1996, this is a 1,656 byte
variant of the Xuxa virus described above. Its size in memory
is 3,760 bytes, hooking interrupt 21. Once memory resident, it
infects some .COM and .EXE files, but not COMMAND.COM, when they
are executed. Infected files will have a file length increase of
1,656 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not appear to be altered, though the seconds field will
have been set to "38". The following text strings are encrypted
within the viral code:
"Xuxa Park 1.0"
"By Hades"
"Y luchemos para que todos los ninos delmundo tengan derecho a
sonar, a sonar"
"porigual"
"TBSCASOLTOOCPF-CHKIBM CHKLIST.MS ANTI-VIR.DAT CHKLIST.CPS
COMSPEC=COMMANDS"
"A:CHKLIST.CPS"
Origin: Unknown January, 1996.
Xuxa-B: Functionally similar to the original Xuxa virus, this
is a very minor variant.
Origin: Argentina July, 1992.
See: Anti-D