Avalanche Virus


 Virus Name:  Avalanche 
 Aliases:     Avalanche.2818 
 V Status:    New 
 Discovery:   July, 1995 
 Symptoms:    .COM & .EXE growth; DOS CHKDSK file allocation errors; 
              decrease in available free memory; 
              may delete some anti-viral programs when executed; 
              file date/time years altered 
 Origin:      Germany 
 Eff Length:  2,818 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method: NAV, NAVDX, ViruScan, IBMAV, VAlert, AVTK, F-Prot, ChAV,
                   AVTK/N, NAV/N, IBMAV/N, NShld, Innoc 
 Removal Instructions: Delete infected files 
 
 General Comments: 
       The Avalanche or Avalanche.2818 virus was received in July, 1995, 
       and appears to be from Germany.  Avalanche is a memory resident 
       stealth virus which infects .COM and .EXE files, including 
       COMMAND.COM. 
 
       When the first Avalanche infected program is executed, the virus 
       will install itself memory resident at the top of system memory 
       but below the 640K DOS boundary, without changing the memory size 
       returned by interrupt 12.  Available free memory, as indicated by 
       the DOS CHKDSK program from DOS 5.0, will have decreased by 3,456 
       bytes.  Interrupts 13 and 21 will be hooked by the virus in memory. 
 
       Once the Avalanche virus is memory resident, it will infect .COM and 
       .EXE files, including COMMAND.COM, when they are executed.  Infected 
       files will have a file length increase of 2,818 bytes, though this 
       file length increase will be hidden by the virus when it is memory 
       resident.  The virus will be located at the end of the file.  The 
       program's date and time in the DOS disk directory listing will not 
       appear to be altered, though the year field will have been altered 
       by 100 years.  The following text strings are encrypted within the 
       viral code: 
 
           "AVALANCHE/Germany '94...Metal Junkie greets Neurobasher" 
           "*.com" 
           "F-PR TBAV SCAN MSAV CPAV TBME TBFI TBSC VIRS TBDR" 
 
       With this virus memory resident, if the system user attempts to 
       execute any program starting with one of the four-character strings 
       indicated in the last text string above, the virus will delete the 
       program from disk.  Attempts to view infected files with the virus 
       memory resident will result in an uninfected copy of the program 
       being displayed.  The DOS CHKDSK program will indicate file 
       allocation errors on all infected files. 
 
       Known variant(s) of Avalanche are: 
       Avalanche.2831: Also received in July, 1995, this is a 2,831 
           byte variant of the Avalanche virus described above.  Its size 
           in memory is 3,472 bytes, hooking interrupts 13 and 21.  It 
           adds 2,831 bytes to the .COM and .EXE files it infects, 
           including COMMAND.COM.  Like the original virus, it is a full 
           stealth virus.  The same text strings are encrypted within the 
           viral code as in the original virus.  This variant also deletes 
           some anti-viral programs when the user attempts to execute 
           them with the virus memory resident. 
           Origin: Germany  July, 1995. 
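
The year alteration described above can be checked for on disk. The following Python code is an added example, not part of the original entry: it parses raw FAT directory entries read from a disk image (taken while the virus is not resident) and flags .COM/.EXE files whose stored year lies in the future. It assumes the alteration is +100 years; `parse_dir`, `suspects` and the sample directory are constructed for illustration.

```python
import struct

GROWTH = 2818     # bytes added to an infected file, per the page (variant: 2,831)
YEAR_SHIFT = 100  # page: year "altered by 100 years"; a +100 shift is assumed here
EXEC_EXTS = {"COM", "EXE"}

def parse_dir(raw):
    """Yield (filename, year, size) for live file entries in raw FAT directory bytes."""
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                  # first byte 0x00: no entries follow
            break
        if e[0] == 0xE5 or e[11] & 0x18:  # deleted, volume label or subdirectory
            continue
        name = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        _time, date, _cluster, size = struct.unpack_from("<HHHI", e, 22)
        yield f"{name}.{ext}", 1980 + (date >> 9), size  # year = top 7 bits + 1980

def suspects(raw, current_year):
    """Return (filename, stored_year, probable_year) for likely marked executables."""
    hits = []
    for fname, year, size in parse_dir(raw):
        ext = fname.rsplit(".", 1)[-1]
        probable = year - YEAR_SHIFT
        if (ext in EXEC_EXTS and year > current_year
                and 1980 <= probable <= current_year and size > GROWTH):
            hits.append((fname, year, probable))
    return hits

def _entry(name, ext, year, size):
    """Build one constructed 32-byte directory entry dated 1 January of `year`."""
    date = ((year - 1980) << 9) | (1 << 5) | 1
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(), ext.ljust(3).encode(),
                       0x20, b"\0" * 10, 0, date, 2, size)

# Constructed sample directory (not taken from a real infected disk).
SAMPLE_DIR = b"".join([
    _entry("COMMAND", "COM", 2091, 50663),  # future year, large enough: flagged
    _entry("EDIT", "COM", 1991, 413),       # normal year: ignored
    _entry("README", "TXT", 2093, 5000),    # not an executable: ignored
    _entry("TINY", "EXE", 2094, 1200),      # smaller than the growth: ignored
]) + b"\0" * 32

if __name__ == "__main__":
    for fname, stored, probable in suspects(SAMPLE_DIR, 1995):
        print(f"{fname}: directory year {stored}, probably {probable}")
```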
