Black Monday Virus

Virus Name: Black Monday Aliases: Borderline, Monday V Status: Rare Discovery: September, 1990 Symptoms: .COM & .EXE file growth; TSR; file timestamp changes; system hangs Origin: Kuala Lumpur, Malaysia Eff Length: 1,055 Bytes Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, NAV, AVTK, F-Prot, Sweep, IBMAV, NAVDX, VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The Black Monday virus was isolated in Fiji in September, 1990. It is reported to be widespread in Fiji and other locations in the Far East and Asia. This virus is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. The first time a program infected with the Black Monday virus is executed, the virus will install itself memory resident as a low system memory TSR of 2,048 bytes. Interrupt 21 will be hooked by the virus. Once the virus is memory resident, any program which is executed will become infected with the Black Monday virus. .COM files will increase in length by 1,055 bytes with the virus's code located at the end of the infected files. .EXE files will also increase in length by 1,055 bytes with the virus's code added to the end of the file. This virus does not infect .EXE files multiple times. The virus does not hide the change in file length when the directory is displayed, though a directory display will indicated that the infected file's date/timestamp have been updated to the system date and time when the file was infected. The following text string can be found in all infected files near the beginning of the virus's code: "Black Monday 2/3/90 KV KL MAL" Black Monday activates after 240 programs have been executed, at which time it will attempt to format a portion of the system hard disk. Known variant(s) of Black Monday are: Black Monday-B: Functionally identical to Black Monday, this variant has six bytes which differ. While .COM files still increase in size by 1,055 bytes, .EXE files will increase in size by 1,055 to 1,069 bytes. Black Monday-C: Isolated in Malaysia in November, 1991, Black Monday-C appears to be an earlier variant of this virus. Like Black Monday-B, .COM files will have a file size increase of 1,055 bytes while .EXE files will have a file size increase of 1,055 - 1,069 bytes. Unlike the other variants of Black Monday, this variant will not become memory resident when a .COM file is executed. It will also frequently hang the system when an uninfected .COM file is executed, and the .COM file will not become infected. Infected files will also have had their file date and time in the DOS disk directory updated to the current system date and time when infection occurred. Borderline: Borderline is a smaller variant of the Black Monday virus which will only infect .COM files, including COMMAND.COM. Infected programs will increase in size by 781 bytes with the virus being located at the end of the infected file. The program's date and time in the DOS disk directory will have been updated to the current system date and time. Previously infected files may become reinfected by this variant, adding 781 bytes for each reinfection. This variant's memory resident TSR is also 2,048 bytes in size, and hooks interrupts 08 and 21. It is unknown if it does anything besides replicate. Origin: Unknown January, 1992.