Benoit Virus

Virus Name: Benoit Aliases: V Status: Rare Discovery: June, 1993 Symptoms: .EXE file growth; system hangs may occur decrease in total system & available free memory; DOS CHKDSK file allocation errors Origin: England Eff Length: 1,183 Bytes Type Code: PRhE - Parasitic Resident .EXE Infector Detection Method: F-Prot, AVTK, Sweep, ViruScan, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, Sweep/N, NShld, AVTK/N, NProt, NAV/N, Innoc, IBMAV/N, LProt Removal Instructions: Delete infected files General Comments: The Benoit virus was submitted in June, 1993. It is one of the viruses written by the ARCv virus writing group from England. Benoit is a memory resident stealth virus which infects .EXE programs. When the first Benoit infected program is executed, the Benoit virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupt 21. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,048 bytes. Interrupt 12's return will not be moved. Once the Benoit virus is memory resident, it will infect .EXE programs when they are executed or opened for any reason. Infected programs will have a file length increase of 1,183 bytes with the virus being located at the end of the file. The file length increase, however, will not be visible when the virus is memory resident. The file's date and time in the DOS disk directory listing will not appear to be altered, though the seconds field will be set to "62". The following text strings are encrypted within the Benoit viral code: "[BENOIT] ICE-9" "Made in Engalnd" "Release 5th November 1992 (c) 1992 ICE-9." "Dedicated to BenoŚt B. Mandelbrot G" England is spelled as above in the viral code, it isn't a typo. Some anti-viral programs may hang when executed with the Benoit virus memory resident.