Yog Virus
Virus Name: Yog
Aliases: Yog.794
V Status: New
Discovered: February, 1995
Symptoms: .COM file growth; file date/time changes; decrease in available free memory
Origin: Unknown
Eff Length: 794 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: F-Prot, ViruScan, IBMAV, AVTK, Sweep, NAV, NAVDX, PCScan, ChAV, NShld, Innoc, IBMAV/N, AVTK/N, Sweep/N, NAV/N
Removal Instructions: Delete infected files
General Comments:
The Yog virus was received in February, 1995. Its origin or point of isolation is unknown. Yog is a memory resident infector of .COM files, including COMMAND.COM.

When the first Yog infected program is executed, the virus installs itself memory resident at the top of system memory but below the 640K DOS boundary, without changing the memory size returned by interrupt 12. Total available memory, as indicated by the DOS CHKDSK program from DOS 5.0, will have decreased by approximately 1,104 bytes. Interrupt 21 will be hooked by the virus in memory.

Once the Yog virus is memory resident, it will infect all of the .COM files in the current directory when any uninfected .COM file is executed. Programs infected with the Yog virus will have a file length increase of 794 bytes, with the virus located at the end of the file. The program's date and time in the DOS disk directory listing will have been updated to the system date and time at which the infection occurred. The following text strings are encrypted within the viral code:

    "*.COM *.EXE"
    "Ha! Jsem virus Yog-Sothoth a mam te rad.Kdyz budes
    hodnej, nezaenu ti hned formatovat hardisk.Ale treba
    az za chvili. Ha, ha, ha...!"

It is unknown what the Yog virus does besides replicate.
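
The file-level symptoms above (growth of exactly 794 bytes plus a refreshed date/time, applied to the .COM files of one directory) can be checked by comparing two file inventories. The following is an added example, not part of the original entry; the function name, the snapshot format and all sample paths, sizes and dates are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict
from datetime import datetime

YOG_GROWTH = 794  # "Eff Length" from the entry: bytes appended to each host


def yog_suspects(baseline, current):
    """Compare two {path: (size, mtime)} snapshots of a DOS volume.

    Returns {directory: (grown_files, total_com_files)} for directories where
    at least one .COM file grew by exactly 794 bytes and got a newer timestamp.
    """
    grown, totals = defaultdict(list), defaultdict(int)
    for path, (size, mtime) in current.items():
        if not path.upper().endswith(".COM"):
            continue
        folder = ntpath.dirname(path).upper()
        totals[folder] += 1
        if path not in baseline:
            continue  # new file: no earlier size to compare against
        old_size, old_mtime = baseline[path]
        if size - old_size == YOG_GROWTH and mtime > old_mtime:
            grown[folder].append(ntpath.basename(path).upper())
    return {d: (sorted(names), totals[d]) for d, names in grown.items()}


# Constructed sample snapshots (sizes and dates are made up for illustration).
T0 = datetime(1995, 1, 10, 9, 0)
T1 = datetime(1995, 2, 20, 14, 30)
BASELINE = {
    r"C:\COMMAND.COM": (47845, T0),
    r"C:\DOS\FORMAT.COM": (33087, T0),
    r"C:\DOS\MORE.COM": (2618, T0),
    r"C:\DOS\EDIT.HLP": (17898, T0),
    r"C:\UTIL\LIST.COM": (12000, T0),
}
CURRENT = {
    r"C:\COMMAND.COM": (47845, T0),
    r"C:\DOS\FORMAT.COM": (33087 + 794, T1),
    r"C:\DOS\MORE.COM": (2618 + 794, T1),
    r"C:\DOS\EDIT.HLP": (17898, T0),
    r"C:\UTIL\LIST.COM": (12500, T1),  # grew, but not by 794: ordinary update
}

if __name__ == "__main__":
    for folder, (names, total) in yog_suspects(BASELINE, CURRENT).items():
        print(f"{folder}: {len(names)}/{total} .COM files grew by {YOG_GROWTH}: {names}")
```

A directory in which every .COM file shows the same 794-byte growth matches the "infects all .COM files in the current directory" behaviour more closely than a single grown file does.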