BackFont-896 Virus

Virus Name: BackFont-896 Aliases: V Status: Rare Discovery: June, 1993 Symptoms: .EXE file growth; DOS CHKDSK file allocation errors; decrease in system and available free memory; System display font may be altered Origin: Unknown Eff Length: 896 Bytes Type Code: PRhE - Parasitic Resident .EXE Infector Detection Method: ViruScan, F-Prot, NAV, AVTK, IBMAV, ChAV, Sweep, NAVDX, VAlert, PCScan, NShld, AVTK/N, LProt, Sweep/N, NProt, IBMAV/N, NAV/N, Innoc Removal Instructions: Delete infected files General Comments: The BackFont-896 virus was received in June, 1993. Its origin or point of isolation is unknown. BackFont-896 is based on the Badsec virus, and is a memory resident infector of .EXE programs. It has some stealth characteristics. When the first BackFont-896 infected program is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 928 bytes. Interrupt 21 will be hooked by the virus in memory. Once the BackFont-896 virus is memory resident, it will infect .EXE programs when they are executed or opened for any reason. Infected programs will have a file length increase of 896 bytes, though the file length increase will be hidden by the virus when it is memory resident. The virus will be located at the end of the program, and the file's date and time in the DOS disk directory listing will not be altered. No text strings are visible within the viral code in infected programs. The DOS CHKDSK program will indicate file allocation errors on all infected programs when the virus is memory resident. The virus may also alter the system display font. See: Badsec