Bljec Virus
Virus Name: Bljec
Aliases: Bljec3, Bljec3B, Bljec4, Bljec4B, Bljec5, Bljec5B, Bljec6,
Bljec6B, Bljec7, Bljec7B, Bljec7C, Bljec8, Bljec8B, Bljec9,
Bljec9B
V Status: Rare
Discovery: May, 1991
Symptoms: .COM file growth; system hangs; file date/time changes;
Write fault errors on device PRN; boot failures
Origin: Europe
Eff Length: 231 - 374 Bytes
Type Code: PNC - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The first Bljec virus was received from Europe in May, 1991. In
September, 1991, six other variants were received, four of them
from Italy. Bljec is actually a family of viruses. All of the
viruses are non-resident infectors of .COM programs. With the
exception of Bljec3 and Bljec4, they do not typically infect
COMMAND.COM. Bljec viruses identify previously infected files by checking
for two NOP instructions (9090h) at the very beginning of the file.
The description below applies to Bljec6, with the differences for
the other variants indicated later in this entry.
When a program infected with Bljec6 is executed, the virus will
search the current drive and directory for three .COM programs to
infect. Infected programs will increase in size by 276 bytes, the
virus being located at the beginning of the infected file. The
infected program's date and time in the disk directory will be
updated to the system date and time when infection occurred.
Programs infected with Bljec6 may hang the system when they are
executed, or they may simply refuse to function properly.
Known variant(s) of Bljec are:
Bljec3: Probably the earliest known member of this family,
Bljec3 infects the first four .COM files in the current
directory whenever an infected program is executed. If
these first four .COM files are already infected, it will
not infect other .COM files in the directory. Infected
programs increase in size by 231 bytes with the virus
being located at the beginning of the infected file. The
infected program's date and time in the disk directory
will have been updated to the current system date and time
when infection occurred. A symptom of an infection by
Bljec3 is that the user may receive the following message
when an infected program is executed:
"Write fault error writing device PRN"
It is unknown what Bljec3 was attempting to write to the
system printer. Attempts to boot from a diskette with
COMMAND.COM infected will result in a system hang.
This particular sample of Bljec3 was received from Italy
in September, 1991.
Bljec3B: Received in January, 1992, Bljec3B is a 236 byte
variant of the Bljec3 virus described above.
Origin: Unknown, January, 1992.
Bljec4: Received from the NCSA in September, 1991, Bljec4 is
similar to Bljec3. It infects the first four .COM files
in the current directory when an infected program is
executed. Following the infection of the programs, a
system hang will usually occur. Programs infected with
Bljec4 will increase in size by 247 bytes with the virus
being located at the beginning of the infected file.
Infected programs will also have had their file date and
time in the DOS disk directory updated to the current
system date and time when infection occurred. Attempts to
boot from a diskette with an infected COMMAND.COM will
result in a system hang occurring.
Bljec4B: Received in May, 1992, Bljec4B is a 252 byte variant
of the Bljec4 virus described above.
Origin: Unknown, May, 1992.
Bljec5: Received from the NCSA in September 1991, Bljec5 is
similar to Bljec4. Its major difference is that the
increase in file length on infected files is 267 bytes.
Bljec5B: Received in January, 1992, Bljec5B is a 272 byte
variant of Bljec5.
Origin: Unknown, January, 1992.
Bljec6: See description above; this variant is 276 bytes in
length.
Bljec6B: Received in May, 1992, Bljec6B is a 281 byte variant
of the Bljec6 virus described above.
Origin: Unknown, May, 1992.
Bljec7: Received from Italy in September, 1991, Bljec7 will
infect the third, fifth, and sixth .COM files in the
current directory when an infected program is executed.
If these .COM files are already infected, nothing more
will become infected. Programs infected with Bljec7
increase in size by 287 bytes with the virus being located
at the end of the infected file. The file's date and time
in the DOS disk directory will have been updated to the
current system date and time when infection occurred. Like
Bljec3, write fault errors on device PRN may be experienced
when infected programs are executed.
Bljec7B: Bljec7B was received in January, 1992. It is a 292
byte variant of Bljec7.
Origin: Unknown, January, 1992.
Bljec7C: Bljec7C was received in April, 1992. It is a 440 byte
variant of Bljec7. This variant will infect no more than
three .COM programs in any directory, and resets the system
clock to 2-27-1989 when an infected program is executed.
Infected programs will contain the following text strings:
"Digital F/X Virus - Created on 2/5/92 by Phoney Phreak"
"*?.com"
System hangs may frequently occur when infected programs
are executed.
Origin: Unknown, April, 1992.
Bljec8: Bljec8 was received from Italy in September, 1991. It
is similar to Bljec7, with the exception that the file
length increase is 358 bytes, and there will be no change
in the date and time in the DOS disk directory for infected
files.
Bljec8B: Received in May, 1992, Bljec8B is a 363 byte variant
of the Bljec8 virus described above. The file's time in the
DOS disk directory listing will have been updated.
Origin: Unknown, May, 1992.
Bljec9: Similar to Bljec8, this variant was also received from
Italy in September, 1991. Its file length increase is 369
bytes, and no change in the infected file's date and time
in the DOS disk directory occurs. Unlike Bljec8, it will
not usually infect programs when the current directory is
not the root directory.
Bljec9B: Similar to Bljec9, Bljec9B is a 374 byte variant.
Origin: Unknown, January, 1992.
Bljec-XYZ: Based on the Bljec virus, this variant adds 441 bytes
to the .COM programs it infects. It contains the text
strings:
"Virus 1.0 - Buddy and Chloe 5/27/89"
"?*.com"
"XYZ Virus 1.0 - 5/27/89"
Origin: Unknown, January, 1993.
Bljec-235: Based on the Bljec virus, this variant adds 235 bytes
to the .COM programs and .BAT files it infects. It contains
the text string:
"?????.???"
Origin: Unknown, November, 1993.
Bljec-284: Based on the Bljec virus, this variant adds 284 bytes
to the .COM programs it infects. It contains the text string:
"*.com *.exe *.ovl *.sys"
System hangs frequently occur when infected programs are
executed.
Origin: Unknown, November, 1993.
See: Sad
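
Added example (not part of the original entry, and not the signature of any scanner listed above): a Python triage heuristic built only from the indicators this entry gives, namely the 9090h marker at offset 0 and the longer variant text strings. The function names and verdict labels are hypothetical, and a marker-only hit is a weak indicator because a legitimate .COM program can also begin with two NOPs.

```python
from pathlib import Path

NOP_MARKER = b"\x90\x90"  # two NOP instructions (9090h) at the start of the file

# Text strings this entry lists for specific variants. The short wildcard
# strings ("*?.com", "?*.com", "?????.???") are left out on purpose: they are
# too generic to be useful as indicators.
VARIANT_STRINGS = {
    "Bljec7C": [b"Digital F/X Virus - Created on 2/5/92 by Phoney Phreak"],
    "Bljec-XYZ": [b"Virus 1.0 - Buddy and Chloe 5/27/89",
                  b"XYZ Virus 1.0 - 5/27/89"],
    "Bljec-284": [b"*.com *.exe *.ovl *.sys"],
}


def triage_com_image(data: bytes) -> dict:
    """Classify the raw bytes of one .COM file against the entry's indicators."""
    result = {"marker": False, "variants": [], "verdict": "no-indicator"}
    # DOS loads a file with an MZ/ZM header as an EXE even if it is named
    # .COM, so offset 0 is not code and the marker test does not apply.
    if data[:2] in (b"MZ", b"ZM"):
        result["verdict"] = "not-a-com-image"
        return result
    result["marker"] = data[:2] == NOP_MARKER
    for name, needles in VARIANT_STRINGS.items():
        if any(needle in data for needle in needles):
            result["variants"].append(name)
    if result["variants"]:
        result["verdict"] = "suspect-variant-string"
    elif result["marker"]:
        result["verdict"] = "suspect-marker-only"  # needs manual review
    return result


def scan_directory(root) -> dict:
    """Return {path: triage result} for every .COM file under root that hits."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".com":
            result = triage_com_image(path.read_bytes())
            if result["verdict"].startswith("suspect"):
                hits[str(path)] = result
    return hits


if __name__ == "__main__":
    # Constructed sample bytes, not taken from a real infected file.
    print(triage_com_image(NOP_MARKER + b"\xb4\x4c\xcd\x21"))
    print(triage_com_image(b"\xe9\x10\x00" + b"XYZ Virus 1.0 - 5/27/89"))
```

Files reported as suspect-marker-only should be compared against known-good copies (size and date/time) before acting on the entry's removal instructions.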